-
-
[原创]看雪CTF 2018 团队赛 第五题 交响曲WP(多解)
-
发表于: 2018-12-10 13:08 2908
-
1.在手机上安装app运行并测试下,然后将apk拖入jeb中
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | private void a() { int v0 = 2131427370; try { this.c(); if(this.j != 0 && this.i != 0 && this.h != 0) { this.d(); this.a(this.e() + this.f() + this.g() + this.h()); return; } this.n.setText(this.getString(v0)); } catch(Exception ) { this.n.setText(this.getString(v0)); } } |
这个方法为主逻辑,其中c()方法会进行值的校验,并对j,i,h进行赋值,如果不合法赋值为0,程序退出,合法则调用d()方法,d方法也是进行值的判断,然后给g,f,e赋值,最后调a(int)方法,进行结果校验,参数为e(),f(),g,(),h()方法的返回值的和
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | private void a() { int v0 = 2131427370; try { this.c(); if(this.j != 0 && this.i != 0 && this.h != 0) { this.d(); this.a(this.e() + this.f() + this.g() + this.h()); return; } this.n.setText(this.getString(v0)); } catch(Exception ) { this.n.setText(this.getString(v0)); } } |
这个方法为主逻辑,其中c()方法会进行值的校验,并对j,i,h进行赋值,如果不合法赋值为0,程序退出,合法则调用d()方法,d方法也是进行值的判断,然后给g,f,e赋值,最后调a(int)方法,进行结果校验,参数为e(),f(),g,(),h()方法的返回值的和
2.接下来分析a(int)方法
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | private void a(int arg8) { int v0 = 2131427370; int v1 = 34; if(arg8 <= v1) { if(arg8 < v1) { } else { try { this.n.setText(String.format("%s%s", this.getString(2131427369), this.l[arg8])); this.findViewById(2131165273).setEnabled(false); return; label_23: this.n.setText(this.getString(v0)); } catch(Exception ) { this.n.setText(this.getString(v0)); } return; } } goto label_23; } |
其中arg8只有等于34时就会执行成功逻辑,因此根据以上分析,便可以开始编写计算的代码了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | private void a(int arg8) { int v0 = 2131427370; int v1 = 34; if(arg8 <= v1) { if(arg8 < v1) { } else { try { this.n.setText(String.format("%s%s", this.getString(2131427369), this.l[arg8])); this.findViewById(2131165273).setEnabled(false); return; label_23: this.n.setText(this.getString(v0)); } catch(Exception ) { this.n.setText(this.getString(v0)); } return; } } goto label_23; } |
其中arg8只有等于34时就会执行成功逻辑,因此根据以上分析,便可以开始编写计算的代码了
3.计算代码如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 | public static void kanxueTest_c(int jj, int ii, int hh) { String userInput; try { if (ii < 10) { userInput = String.valueOf(jj) + "0" + String.valueOf(ii) + String.valueOf(hh) + "9"; } else { userInput = String.valueOf(jj) + "0" + String.valueOf(ii) + String.valueOf(hh) + "9"; } int j = 0; int i = 0; int h = 0; int v3 = 4; String v2 = userInput.length() > v3 ? userInput.substring(0, v3) : userInput; //System.out.println("v2 = " + v2); j = Integer.parseInt(v2); //System.out.println("j = " + j); if(j > 0 && j < 189) {// j <= 0 || j >= 189 j = 0; } if(j <= 1983 || j >= 2007) {// 1983 < j < 2007 j = 0; } //j = 4 位 值在1983-2007范围内,不包括 1982和2007 int v4 = 6; v2 = userInput.length() > v4 ? userInput.substring(v3, v4) : userInput; //System.out.println("v2 = " + v2); i = Integer.parseInt(v2); //System.out.println("i = " + i); if(i < 1 || i > 12) { i = 0; } //i = 2 位 值在1-12之间,包括1和12 int v5 = 8; if(userInput.length() > v5) { userInput = userInput.substring(v4, v5); //System.out.println("userInput = " + userInput); } h = Integer.parseInt(userInput); //System.out.println("h = " + h); if(h >= 1 && h <= 31) { //System.out.println("i = " + i + "j = " + j + "h = " + h); // return; } //h = 2 位 值在1-31之间,包括1和31 //h = 0; //System.out.println("i = " + i + "j = " + j + "h = " + h); //用户输入 1984-2006 1-12 1-31 xxx 组合 //d() if(j == 1989 || j == 2004) { // h = 31 越界 j不等于 1989 和 2004 h = 31; } //用户输入 //0-4位 1984-2006 不包含 1989 2004 //5-6位 1-12 //7-8位 1-31 //大于8位的数 xxx if(i == 1 || i == 4 || i == 5 || i == 7 || i == 10 || i == 11 || i == 12) { //i 等于这些值 j 等于 1999 j = 1999; } if(j <= 1994 && (i == 2 || i == 6 || i == 8)) { i = 3; } if(j >= 1996 && (i == 2 || i == 6 || i == 8)) { i = 9; } if(j == 1995 && (h > i + 2 || i == h)) { i = 6; } g = j;//1999 f = i;//1 e = h;//22 int resE = getE(); int resG = getG(); int resF = getF(); int resH =0;// getH(userInput); int result = (resE + resF + resG + resH); if (result == 34) { System.out.println("find : j = " + j + ", i = " + i + ", h = " + h + ", resH = " + resH); } } catch(Exception e) { //n.setText(this.getString(2131427370)); } } public static int g; public static int f; public static int e; public static int getE() { int []d = new int[]{ 7, 7, 9, 12, 8, 7, 13, 5, 14, 5, 9, 17, 5, 7, 12, 8, 8, 6, 19, 6, 8, 16, 10, 6, 12, 9, 6, 7, 12, 5, 9, 8, 7, 8, 15, 9, 16, 8, 8, 19, 12, 6, 8, 7, 5, 15, 6, 16, 15, 7, 9, 12, 10, 7, 15, 6, 5, 14, 14, 9 }; return d[(g - 1900) % 60];//19 } public static int getG() { int []b = new int[]{5, 10, 8, 15, 16, 15, 8, 16, 8, 16, 9, 17, 8, 17, 10, 8, 9, 18, 5, 15, 10, 9, 8, 9, 15, 18, 7, 8, 16, 6}; return b[e - 1];//7 } public static int getF() { int [] c = new int[]{6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5}; return c[f - 1];//18 }public static void main (String[]args){ //用户输入 //0-4位 1984-2006 不包含 1989 2004 //5-6位 1-12 //7-8位 1-31 //任意数 xxx,这里我填的9 ///测试看雪ctf第5题 for (int jj = 1984; jj <=2006; jj++) { if (jj == 1989 || jj == 2004) { continue; } for (int ii = 1; ii <= 12; ii++) { for (int hh = 1; hh <= 31; hh++) { kanxueTest_c(jj, ii, hh); } } } } |
4.log输出(部分)其中log中存在重复组合
==============j 表示 0-4位数, i表示5-6位数(小于10则加0),h表示7-8位数,resH为0,输入的组合最后一位加一个数字9即可,可能的组合如下:=========================
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 | public static void kanxueTest_c(int jj, int ii, int hh) { String userInput; try { if (ii < 10) { userInput = String.valueOf(jj) + "0" + String.valueOf(ii) + String.valueOf(hh) + "9"; } else { userInput = String.valueOf(jj) + "0" + String.valueOf(ii) + String.valueOf(hh) + "9"; } int j = 0; int i = 0; int h = 0; int v3 = 4; String v2 = userInput.length() > v3 ? userInput.substring(0, v3) : userInput; //System.out.println("v2 = " + v2); j = Integer.parseInt(v2); //System.out.println("j = " + j); if(j > 0 && j < 189) {// j <= 0 || j >= 189 j = 0; } if(j <= 1983 || j >= 2007) {// 1983 < j < 2007 j = 0; } //j = 4 位 值在1983-2007范围内,不包括 1982和2007 int v4 = 6; v2 = userInput.length() > v4 ? userInput.substring(v3, v4) : userInput; //System.out.println("v2 = " + v2); i = Integer.parseInt(v2); //System.out.println("i = " + i); if(i < 1 || i > 12) { i = 0; } //i = 2 位 值在1-12之间,包括1和12 int v5 = 8; if(userInput.length() > v5) { userInput = userInput.substring(v4, v5); //System.out.println("userInput = " + userInput); } h = Integer.parseInt(userInput); //System.out.println("h = " + h); if(h >= 1 && h <= 31) { //System.out.println("i = " + i + "j = " + j + "h = " + h); // return; } //h = 2 位 值在1-31之间,包括1和31 //h = 0; //System.out.println("i = " + i + "j = " + j + "h = " + h); //用户输入 1984-2006 1-12 1-31 xxx 组合 //d() if(j == 1989 || j == 2004) { // h = 31 越界 j不等于 1989 和 2004 h = 31; } //用户输入 //0-4位 1984-2006 不包含 1989 2004 //5-6位 1-12 //7-8位 1-31 //大于8位的数 xxx if(i == 1 || i == 4 || i == 5 || i == 7 || i == 10 || i == 11 || i == 12) { //i 等于这些值 j 等于 1999 j = 1999; } if(j <= 1994 && (i == 2 || i == 6 || i == 8)) { i = 3; } if(j >= 1996 && (i == 2 || i == 6 || i == 8)) { i = 9; } if(j == 1995 && (h > i + 2 || i == h)) { i = 6; } g = j;//1999 f = i;//1 e = h;//22 int resE = getE(); int resG = getG(); int resF = getF(); int resH =0;// getH(userInput); int result = (resE + resF + resG + resH); if (result == 34) { System.out.println("find : j = " + j + ", i = " + i + ", h = " + h + ", resH = " + resH); } } catch(Exception e) { //n.setText(this.getString(2131427370)); } } public static int g; public static int f; public static int e; public static int getE() { int []d = new int[]{ 7, 7, 9, 12, 8, 7, 13, 5, 14, 5, 9, 17, 5, 7, 12, 8, 8, 6, 19, 6, 8, 16, 10, 6, 12, 9, 6, 7, 12, 5, 9, 8, 7, 8, 15, 9, 16, 8, 8, 19, 12, 6, 8, 7, 5, 15, 6, 16, 15, 7, 9, 12, 10, 7, 15, 6, 5, 14, 14, 9 }; return d[(g - 1900) % 60];//19 } public static int getG() { int []b = new int[]{5, 10, 8, 15, 16, 15, 8, 16, 8, 16, 9, 17, 8, 17, 10, 8, 9, 18, 5, 15, 10, 9, 8, 9, 15, 18, 7, 8, 16, 6}; return b[e - 1];//7 } public static int getF() { int [] c = new int[]{6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5}; return c[f - 1];//18 }public static void main (String[]args){ //用户输入 //0-4位 1984-2006 不包含 1989 2004 //5-6位 1-12 //7-8位 1-31 //任意数 xxx,这里我填的9 ///测试看雪ctf第5题 for (int jj = 1984; jj <=2006; jj++) { if (jj == 1989 || jj == 2004) { continue; } for (int ii = 1; ii <= 12; ii++) { for (int hh = 1; hh <= 31; hh++) { kanxueTest_c(jj, ii, hh); } } } } |
4.log输出(部分)其中log中存在重复组合
==============j 表示 0-4位数, i表示5-6位数(小于10则加0),h表示7-8位数,resH为0,输入的组合最后一位加一个数字9即可,可能的组合如下:=========================
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | find : j = 1999, i = 1, h = 11, resH = 0 例如:1999 01 11 9find : j = 1999, i = 1, h = 17, resH = 0 例如:1999 01 17 9find : j = 1999, i = 1, h = 22, resH = 0find : j = 1999, i = 1, h = 24, resH = 0find : j = 1999, i = 4, h = 30, resH = 0find : j = 1999, i = 5, h = 15, resH = 0find : j = 1999, i = 5, h = 21, resH = 0find : j = 1999, i = 7, h = 30, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 17, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 22, resH = 0find : j = 1999, i = 1, h = 24, resH = 0find : j = 1999, i = 1, h = 22, resH = 0 |
5.根据log输出进行组合key,验证结果如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | find : j = 1999, i = 1, h = 11, resH = 0 例如:1999 01 11 9find : j = 1999, i = 1, h = 17, resH = 0 例如:1999 01 17 9find : j = 1999, i = 1, h = 22, resH = 0find : j = 1999, i = 1, h = 24, resH = 0find : j = 1999, i = 4, h = 30, resH = 0find : j = 1999, i = 5, h = 15, resH = 0find : j = 1999, i = 5, h = 21, resH = 0find : j = 1999, i = 7, h = 30, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 17, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 11, resH = 0find : j = 1999, i = 1, h = 22, resH = 0find : j = 1999, i = 1, h = 24, resH = 0find : j = 1999, i = 1, h = 22, resH = 0 |
5.根据log输出进行组合key,验证结果如下:
最后于 2018-12-10 13:15
被fzyspark编辑
,原因:
赞赏
|
|
|---|---|
|
|
赞赏
雪币:
留言:
