-
-
[原创]看雪CTF.TSRC 2018 团队赛第五题交响曲WP
-
发表于: 2018-12-11 10:03
-
本题是一个android apk文件。
1、解压缩apk文件,发现没有lib文件夹。只有java层代码,相对简单些了。
2、使用jeb和android killer分别打开apk文件,找到入口类:<activity android:name="cn.kwaiching.crackme.CrackMe">
从onCreate开始分析
protected void onCreate(Bundle arg2) {
super.onCreate(arg2);
this.setContentView(2131296284);
this.b(); //初始化字串,最终的正确结果显示
this.n = this.findViewById(2131165242);
this.findViewById(2131165273).setOnClickListener(new View$OnClickListener() {
public void onClick(View arg3) {
try {
CrackMe.a(this.a); //检测函数
}
catch(Exception ) {
this.a.n.setText(this.a.getString(2131427370));
}
}
});
}
}
1)b()函数
private void b() {
int v0;
for(v0 = 0; v0 <= 72; ++v0) {
this.l[v0] = v0 != 34 ? this.getResources().getString(2131427374) : this.getResources().getString(2131427375);
}
}success00:I = 0x7f0b002e
success34:I = 0x7f0b002f
初始化的字串
2) CrackMe.a()函数
this.a = new int[]{16, 6, 7, 10, 9, 16, 10, 8, 8, 9, 6, 6};
this.b = new int[]{5, 10, 8, 15, 16, 15, 8, 16, 8, 16, 9, 17, 8, 17, 10, 8, 9, 18, 5, 15, 10, 9, 8, 9, 15, 18, 7, 8, 16, 6};
this.c = new int[]{6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5};
this.d = new int[]{7, 7, 9, 12, 8, 7, 13, 5, 14, 5, 9, 17, 5, 7, 12, 8, 8, 6, 19, 6, 8, 16, 10, 6, 12, 9, 6, 7, 12, 5, 9, 8, 7, 8, 15, 9, 16, 8, 8, 19, 12, 6, 8, 7, 5, 15, 6, 16, 15, 7, 9, 12, 10, 7, 15, 6, 5, 14, 14, 9};
this.l = new String[73];
this.m = new String[]{"23to01", "01to03", "03to05", "05to07", "07to09", "09to11", "11to13", "13to15", "15to17", "17to19", "19to21", "21to23"};
private void a() {
int v0 = 2131427370;
try {
this.c();
if(this.j != 0 && this.i != 0 && this.h != 0) {
this.d();
this.a(this.e() + this.f() + this.g() + this.h());
return;
}
this.n.setText(this.getString(v0));
}
catch(Exception ) {
this.n.setText(this.getString(v0));
}
}此函数中的c(),d()函数分别对输入进行限制,转换。输入应该是年月日的字串(yyyy--mm-dd),并对年有限制((this.j <= 1983 || this.j >= 2007))可以考虑穷举爆破,继续分析。程序比较明了,code不贴了。
e(),f(),g(),h()函数分别从数组取值,如下:
return this.d[(this.g - 1900) % 60]; ---e()函数从数组d中取值 return this.c[this.f - 1]; ---f()函数从数组c中取值 return this.b[this.e - 1]; ---g()函数从数组b中取值 this.k = this.a[v4]; ---h()根据输入的字串与数组m中比对得到的索引,从数组a中取出相应的值
从以上分析可知,输入字串的格式年月日+数组m中的某个字串。yyyy--mm-dd+str
3、判定结果
private void a(int arg8) {
int v0 = 2131427370;
int v1 = 34;
if(arg8 <= v1)
{
if(arg8 < v1)
{
}
else {
try {
this.n.setText(String.format("%s%s", this.getString(2131427369), this.l[arg8]));
this.findViewById(2131165273).setEnabled(false);
return;
label_23:
this.n.setText(this.getString(v0));
}
catch(Exception ) {
this.n.setText(this.getString(v0));
}
return;
}
}
goto label_23;
}arg8 = this.e() + this.f() + this.g() + this.h()
从程序可以看出arg8 = 34返回正确结果。
4、暴力破解,根据上面的分析,模拟程序逻辑,爆破
void ctf5(void)
{
int a[12] = { 16, 6, 7, 10, 9, 16, 10, 8, 8, 9, 6, 6 };
int b[30] = { 5, 10, 8, 15, 16, 15, 8, 16, 8, 16, 9, 17, 8, 17, 10, 8, 9, 18, 5, 15, 10, 9, 8, 9, 15, 18, 7, 8, 16, 6 };
int c[12] = { 6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5 };
int d[60] = { 7, 7, 9, 12, 8, 7, 13, 5, 14, 5, 9, 17, 5, 7, 12, 8, 8, 6, 19, 6, 8, 16, 10, 6, 12, 9, 6, 7, 12, 5, 9, 8, 7, 8, 15, 9, 16, 8, 8, 19, 12, 6, 8, 7, 5, 15, 6, 16, 15, 7, 9, 12, 10, 7, 15, 6, 5, 14, 14, 9 };
int j = 0; //1983 < j< 2007
int i = 0 // i = 1 - 12
int h = 0; // h 1 - 31
int k = 0; //k不等于6
int jj;
int ii, hh;
for (jj = 1984; jj < 2007; jj++)
for (ii = 1; ii < 12; ii++)
for (hh = 1; hh <= 31; hh++)
for (k = 0; k < 12; k++)
{
j = jj;
i = ii;
h = hh;
if (j == 1989 || j == 2004)
{
h = 31;
}
if (i == 1 || i == 4 || i == 5 || i == 7 || i == 10 || i == 11 || i == 12)
{
j = 1999;
}
int v2 = 8;
int v3 = 6;
int v4 = 2;
if (j <= 1994 && (i == v4 || i == v3 || i == v2))
{
i = 3;
}
if (j >= 1996 && (i == v4 || i == v3 || i == v2))
{
i = 9;
}
if (j == 1995 && (h > i + v4 || i == h))
{
i = v3;
}
int g = j;
int f = i;
int e = h;
int dd = d[(g - 1900) % 60];
int cc = c[f - 1];
int bb = b[e - 1];
int kk = a[k];
OutputDebugPrintf("j =%d\n", jj);
int value =dd + cc+bb+kk;
OutputDebugPrintf("value=%d\n", value);
if (value == 34)
{
OutputDebugPrintf("ii = %d, jj= %d,h=%d,k=%d\n", ii, jj, hh, k); //找到了
}
}
}
flag:1995020305to07
protected void onCreate(Bundle arg2) {
super.onCreate(arg2);
this.setContentView(2131296284);
this.b(); //初始化字串,最终的正确结果显示
this.n = this.findViewById(2131165242);
this.findViewById(2131165273).setOnClickListener(new View$OnClickListener() {
public void onClick(View arg3) {
try {
CrackMe.a(this.a); //检测函数
}
catch(Exception ) {
this.a.n.setText(this.a.getString(2131427370));
}
}
});
}
}
1)b()函数
private void b() {
int v0;
for(v0 = 0; v0 <= 72; ++v0) {
this.l[v0] = v0 != 34 ? this.getResources().getString(2131427374) : this.getResources().getString(2131427375);
}
}success00:I = 0x7f0b002e
success34:I = 0x7f0b002f
private void b() {
int v0;
for(v0 = 0; v0 <= 72; ++v0) {
this.l[v0] = v0 != 34 ? this.getResources().getString(2131427374) : this.getResources().getString(2131427375);
}
}success00:I = 0x7f0b002e
success34:I = 0x7f0b002f
success00:I = 0x7f0b002e
success34:I = 0x7f0b002f
初始化的字串
2) CrackMe.a()函数
this.a = new int[]{16, 6, 7, 10, 9, 16, 10, 8, 8, 9, 6, 6};
this.b = new int[]{5, 10, 8, 15, 16, 15, 8, 16, 8, 16, 9, 17, 8, 17, 10, 8, 9, 18, 5, 15, 10, 9, 8, 9, 15, 18, 7, 8, 16, 6};
this.c = new int[]{6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5};
this.d = new int[]{7, 7, 9, 12, 8, 7, 13, 5, 14, 5, 9, 17, 5, 7, 12, 8, 8, 6, 19, 6, 8, 16, 10, 6, 12, 9, 6, 7, 12, 5, 9, 8, 7, 8, 15, 9, 16, 8, 8, 19, 12, 6, 8, 7, 5, 15, 6, 16, 15, 7, 9, 12, 10, 7, 15, 6, 5, 14, 14, 9};
this.l = new String[73];
this.m = new String[]{"23to01", "01to03", "03to05", "05to07", "07to09", "09to11", "11to13", "13to15", "15to17", "17to19", "19to21", "21to23"};
private void a() {
int v0 = 2131427370;
try {
this.c();
if(this.j != 0 && this.i != 0 && this.h != 0) {
this.d();
this.a(this.e() + this.f() + this.g() + this.h());
return;
}
this.n.setText(this.getString(v0));
}
catch(Exception ) {
this.n.setText(this.getString(v0));
}
}此函数中的c(),d()函数分别对输入进行限制,转换。输入应该是年月日的字串(yyyy--mm-dd),并对年有限制((this.j <= 1983 || this.j >= 2007))可以考虑穷举爆破,继续分析。程序比较明了,code不贴了。
this.a = new int[]{16, 6, 7, 10, 9, 16, 10, 8, 8, 9, 6, 6};
this.b = new int[]{5, 10, 8, 15, 16, 15, 8, 16, 8, 16, 9, 17, 8, 17, 10, 8, 9, 18, 5, 15, 10, 9, 8, 9, 15, 18, 7, 8, 16, 6};
this.c = new int[]{6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5};
this.d = new int[]{7, 7, 9, 12, 8, 7, 13, 5, 14, 5, 9, 17, 5, 7, 12, 8, 8, 6, 19, 6, 8, 16, 10, 6, 12, 9, 6, 7, 12, 5, 9, 8, 7, 8, 15, 9, 16, 8, 8, 19, 12, 6, 8, 7, 5, 15, 6, 16, 15, 7, 9, 12, 10, 7, 15, 6, 5, 14, 14, 9};
this.l = new String[73];
this.m = new String[]{"23to01", "01to03", "03to05", "05to07", "07to09", "09to11", "11to13", "13to15", "15to17", "17to19", "19to21", "21to23"};
private void a() {
int v0 = 2131427370;
try {
this.c();
if(this.j != 0 && this.i != 0 && this.h != 0) {
this.d();
this.a(this.e() + this.f() + this.g() + this.h());
return;
}
this.n.setText(this.getString(v0));
}
catch(Exception ) {
this.n.setText(this.getString(v0));
}
}此函数中的c(),d()函数分别对输入进行限制,转换。输入应该是年月日的字串(yyyy--mm-dd),并对年有限制((this.j <= 1983 || this.j >= 2007))可以考虑穷举爆破,继续分析。程序比较明了,code不贴了。
e(),f(),g(),h()函数分别从数组取值,如下:
return this.d[(this.g - 1900) % 60]; ---e()函数从数组d中取值 return this.c[this.f - 1]; ---f()函数从数组c中取值 return this.b[this.e - 1]; ---g()函数从数组b中取值 this.k = this.a[v4]; ---h()根据输入的字串与数组m中比对得到的索引,从数组a中取出相应的值
return this.d[(this.g - 1900) % 60]; ---e()函数从数组d中取值 return this.c[this.f - 1]; ---f()函数从数组c中取值 return this.b[this.e - 1]; ---g()函数从数组b中取值 this.k = this.a[v4]; ---h()根据输入的字串与数组m中比对得到的索引,从数组a中取出相应的值
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
|
|
|
|
|
|
我用的是 jeb v2.0.6 |
|
|
|
scpczc
