-
-
[原创]CTF 2018 第五题 交响曲
-
2018-12-11 08:22
-
https://ctf.pediy.com/game-team_fight-77.htm
最后方法是 遍历所有可能性.
dex2jar,后拖入jd查看源码
根据按钮事件找到函数a
将字符串分割后转成int
后面直接判断范围,可以得出j,i,h的值,后面也看不出什么,就全部遍历
一开始给l数组的34的位置给了一个id值,结合a函数可以得出,只要a函数的paramInt是34就行,可以看看哪了调用a(int)函数
这里是调用a函数的,传入的paramInt是e,f,g,h的值
里面返回的是,首先调用了d()函数,给gfe都给了值,给的方式是根据j,i,h的值的
直接把源码拉到Eclipse,反正j,i,h的值是知道范围的,但那个h函数里面是用到输入字符串的substring(8,到长度),但看里面循环的逻辑,他也是和String[] m里的东西对比的,所有可能是m里的一个
修了修复制来的代码,解码代码,但是可以很多结果,而且都可以成功,但是提交时不行,可能只有一个,但是全部结果里只有一个是‘第三个值’(看代码)不是0,的那个提交了就行,可以看到最后是1995 2 3 05to07 ,就是,但是是parseInt函数的,所有2前面加个0, 1995020305to07
这是在Eclipse里的代码,其中h()函数里的循环被解成了if,改成for就行, 就是遍历m的那个
代码
public class CTF {
public static void main(String[] args) {
// TODO Auto-generated method stub
new CTF().run();
}
int[] a = { 16, 6, 7, 10, 9, 16, 10, 8, 8, 9, 6, 6 };
int[] b = { 5, 10, 8, 15, 16, 15, 8, 16, 8, 16, 9, 17, 8, 17, 10, 8, 9, 18, 5, 15, 10, 9, 8, 9, 15, 18, 7, 8, 16, 6 };
int[] c = { 6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5 };
int[] d = { 7, 7, 9, 12, 8, 7, 13, 5, 14, 5, 9, 17, 5, 7, 12, 8, 8, 6, 19, 6, 8, 16, 10, 6, 12, 9, 6, 7, 12, 5, 9, 8, 7, 8, 15, 9, 16, 8, 8, 19, 12, 6, 8, 7, 5, 15, 6, 16, 15, 7, 9, 12, 10, 7, 15, 6, 5, 14, 14, 9 };
int e;
int f;
int g;
int h;
int i;
int j;
int k;
String[] l = new String[73];
String[] m = { "23to01", "01to03", "03to05", "05to07", "07to09", "09to11", "11to13", "13to15", "15to17", "17to19", "19to21", "21to23" };
private void run() {
// TODO Auto-generated method stub
//j的范围 j>1983 and j < 2007
//i的范围i>=1 and i <=12
//h的范围h>=1 and h <=31
int result_len = 0;
for(int a1 = 1983;a1<2007;a1+=1){
for(int a2 = 1;a2<=12;a2+=1)
{
for(int a3 = 1;a3<=31;a3+=1){
for(String item :m)
{
//调用d设置efg,手动设置str
this.j = a1;
this.i = a2;
this.h = a3;
str = item;
d();
int re_e = e();
int re_f = f();
int re_g = g();
int re_h = h();
//System.out.println(re_e);
if(re_e+re_f+re_g+re_h==34)
{
//这里第三个值除了一个其他都是0,加个判断不是0,就输出一个,但是不加,输出的其他答案也是可以的
if(re_g==0)
{
//取消注释可以跑出可以提交的答案
//continue;
}
System.out.println(re_e+" "+" "+re_f+" "+re_g+" "+re_h);
System.out.println(a1+" "+" "+a2+" "+a3+" "+item);
result_len +=1;
}
}
}
}
}
System.out.println("数量:"+result_len);
}
//函数d设置g,f,e的值
private void d()
{
try
{
if ((this.j == 1989) || (this.j == 2004)) {
this.h = 31;
}
if ((this.i == 1) || (this.i == 4) || (this.i == 5) || (this.i == 7) || (this.i == 10) || (this.i == 11) || (this.i == 12)) {
this.j = 1999;
}
if ((this.j <= 1994) && ((this.i == 2) || (this.i == 6) || (this.i == 8))) {
this.i = 3;
}
if ((this.j >= 1996) && ((this.i == 2) || (this.i == 6) || (this.i == 8))) {
this.i = 9;
}
if ((this.j == 1995) && ((this.h > this.i + 2) || (this.i == this.h))) {
this.i = 6;
}
this.g = this.j;
this.f = this.i;
this.e = this.h;
return;
}
catch (Exception localException)
{
for (;;) {}
}
// this.n.setText(getString(2131427370));
}
private int e()
{
try
{
int i1 = this.g;
i1 = this.d[((i1 - 1900) % 60)];
return i1;
}
catch (Exception localException)
{
localException.printStackTrace();
// for (;;) {}
}
//this.n.setText(getString(2131427370));
return 0;
}
private int f()
{
try
{
int i1 = this.f;
i1 = this.c[(i1 - 1)];
return i1;
}
catch (Exception localException)
{
// for (;;) {}
}
// this.n.setText(getString(2131427370));
return 0;
}
private int g()
{
try
{
int i1 = this.e;
i1 = this.b[(i1 - 1)];
return i1;
}
catch (Exception localException)
{
// for (;;) {}
}
// this.n.setText(getString(2131427370));
return 0;
}
//表示8位后
String str;
//这个str是获取输入框的,8位后的,因为看后面可以看出,他和m数组比较,所有把m代进去
private int h()
{
// try
// {
// str = ((EditText)findViewById(2131165227)).getText().toString();
// str = str.substring(8, str.length());
int i2 = this.f;
// i1 = 0;
// }
// catch (Exception localException)
// {
// for (;;)
// {
// String str;
// int i2;
// continue;
// i1 += 1;
// continue;
// int i1 = 0;
// }
// }
//if (i1 < this.m.length)
//这里是个循环
for(int i1=0;i1<this.m.length;i1+=1)
{
if (str.equals(this.m[i1]))
{
if ((i2 == 2) && (str.equals(this.m[6]))) {
return 63;
}
this.k = this.a[i1];
i1 = 1;
if (i1 == 0) {
// this.n.setText(getString(2131427370));
}
i1 = this.k;
return i1;
//this.n.setText(getString(2131427370));
// return 0;
}
}
return i2;
}
}
跑出来的其他的结果,也能输出成功。。。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
