
看雪CTF2019Q1-第2题

2019-3-18 21:38
3237

1. apk

so 里判断密码是否正确，正确则解密 flag；需要提交的是密码，因此直接看 so。
package com.zhuotong.crackme;
// Decompiler summary: MainActivity adds nothing of its own; all of the logic is in
// the class below.
public class MainActivity extends AppCompiatActivity;

package android.support.v7.app;
// Activity that gates the flag behind a native password check.
// Naming note: "AppCompiatActivity" is the app's own class, declared inside the
// android.support.v7.app package, so it is easy to mistake for the real
// AppCompatActivity it extends.
public class AppCompiatActivity extends AppCompatActivity {
    static {
        // Loads liboo000oo.so; its JNI_OnLoad registers the native eq() declared below.
        System.loadLibrary("oo000oo");
    }
    // Native password check (bound to x_eq via RegisterNatives in the .so).
    // Returns true when arg1 is the accepted password; the comparison itself is not in Java.
    protected native boolean eq(String arg1);
    protected void onStart() {
				...
        // The flag is derived entirely on the client, after eq() accepts mPassword.
        this.login.setOnClickListener(new View$OnClickListener() {
            public void onClick(View arg5) {
            						...
                        if(AppCompiatActivity.this.eq(AppCompiatActivity.this.mPassword)) {
                            // getBytes() with no charset argument uses the platform default encoding.
                            byte[] v5 = AppCompiatActivity.this.mPassword.getBytes();
                            int v3 = 24;   // fixed buffer size handed to dec()
                            // Normalise the password to exactly 24 bytes: copy the bytes that exist,
                            // fill every remaining position with its own index value, and (because the
                            // loop stops at 24) drop anything past the 24th byte.
                            // NOTE(review): v1 is not declared in this excerpt; the decompiler
                            // presumably elided an initialisation to 0 above — confirm.
                            if(v5.length != v3) {
                                byte[] v2 = new byte[v3];
                                while(v1 < v2.length) {
                                    byte v3_1 = v1 < v5.length ? v5[v1] : ((byte)v1);
                                    v2[v1] = v3_1;
                                    ++v1;
                                }

                                v5 = v2;
                            }
                            // dec() is static and not part of this excerpt. Its second argument is the
                            // raw ASCII bytes of the literal; no Base64 decoding happens here even though
                            // the string is Base64-shaped, and whether dec() decodes it internally is not
                            // visible from this listing. Either way, all inputs to the flag (this constant
                            // and the password) live inside the APK — nothing is fetched from a server.
                            v5 = AppCompiatActivity.dec(v5, "2ggdrsLgM7iPNYPQrD58Rg==".getBytes());
                            AppCompiatActivity v1_1 = AppCompiatActivity.this;
                            StringBuilder v2_1 = new StringBuilder();
                            v2_1.append("flag{");
                            v2_1.append(new String(v5));   // platform-default charset again
                            v2_1.append("}");
                            // Duration 1 == Toast.LENGTH_LONG.
                            Toast.makeText(((Context)v1_1), v2_1.toString(), 1).show();
                        }
                        ...
            }
        });
        // Resource ids are opaque here; the name field is looked up but disabled.
        this.name = this.findViewById(2131165265);
        this.name.setEnabled(false);
        this.password = this.findViewById(2131165277);
    } 	
}

2. liboo000oo.so
解密用到的字符串
.init_array:00003E78                 DCD .datadiv_decode5009363700628197108+1

注册native函数android.support.v7.app.AppCompiatActivity.eq
// Invoked by the runtime when liboo000oo.so is loaded (System.loadLibrary in the APK).
// Hex-Rays output: the goto/while shape appears to be an artifact of the stack-protector
// epilogue (_stack_chk_guard != v5). Read it as: any failure -> return -1, otherwise
// return the JNI version the library supports.
int __fastcall JNI_OnLoad(JavaVM *a1)
{
  env = 0;
  // 65540 == 0x10004 == JNI_VERSION_1_4; a non-zero return means no usable JNIEnv.
  if ( !(*a1)->GetEnv(a1, &env, 65540) )
    goto LABEL_4;
LABEL_2:
  result = -1;   // JNI_ERR: the library refuses to load
  while ( _stack_chk_guard != v5 )
  {
LABEL_4:
    v2 = env;
    // off_4010 presumably points at the class-name string of the class owning eq()
    // (the writeup identifies it as android.support.v7.app.AppCompiatActivity) — confirm in .data.
    v3 = (*env)->FindClass(env, off_4010);
    // The class reference is pinned in a global for later native use. NOTE(review): this
    // runs before the null check below, so NewGlobalRef is also called when FindClass failed.
    dword_4110 = (*v2)->NewGlobalRef(v2, v3);
    // Binds exactly one method from the table at stru_4014 ("eq" -> x_eq; see .data:00004014).
    if ( !v3 || (*v2)->RegisterNatives(v2, v3, &stru_4014, 1) <= -1 )
      goto LABEL_2;
    result = 65542;   // 0x10006 == JNI_VERSION_1_6
  }
  return result;
}

.data:00004014 stru_4014       JNINativeMethod <aEq, aLjavaLangStrin, x_eq+1>

x_eq函数功能

字符串: 650f909c-7217-3647-9331-c82df8b98e98
去掉字符'-': 650f909c721736479331c82df8b98e98
package com.zhuotong.crackme;
// Decompiler summary: MainActivity adds nothing of its own; all of the logic is in
// the class below.
public class MainActivity extends AppCompiatActivity;

package android.support.v7.app;
// Activity that gates the flag behind a native password check.
// Naming note: "AppCompiatActivity" is the app's own class, declared inside the
// android.support.v7.app package, so it is easy to mistake for the real
// AppCompatActivity it extends.
public class AppCompiatActivity extends AppCompatActivity {
    static {
        // Loads liboo000oo.so; its JNI_OnLoad registers the native eq() declared below.
        System.loadLibrary("oo000oo");
    }
    // Native password check (bound to x_eq via RegisterNatives in the .so).
    // Returns true when arg1 is the accepted password; the comparison itself is not in Java.
    protected native boolean eq(String arg1);
    protected void onStart() {
				...
        // The flag is derived entirely on the client, after eq() accepts mPassword.
        this.login.setOnClickListener(new View$OnClickListener() {
            public void onClick(View arg5) {
            						...
                        if(AppCompiatActivity.this.eq(AppCompiatActivity.this.mPassword)) {
                            // getBytes() with no charset argument uses the platform default encoding.
                            byte[] v5 = AppCompiatActivity.this.mPassword.getBytes();
                            int v3 = 24;   // fixed buffer size handed to dec()
                            // Normalise the password to exactly 24 bytes: copy the bytes that exist,
                            // fill every remaining position with its own index value, and (because the
                            // loop stops at 24) drop anything past the 24th byte.
                            // NOTE(review): v1 is not declared in this excerpt; the decompiler
                            // presumably elided an initialisation to 0 above — confirm.
                            if(v5.length != v3) {
                                byte[] v2 = new byte[v3];
                                while(v1 < v2.length) {
                                    byte v3_1 = v1 < v5.length ? v5[v1] : ((byte)v1);
                                    v2[v1] = v3_1;
                                    ++v1;
                                }

                                v5 = v2;
                            }
                            // dec() is static and not part of this excerpt. Its second argument is the
                            // raw ASCII bytes of the literal; no Base64 decoding happens here even though
                            // the string is Base64-shaped, and whether dec() decodes it internally is not
                            // visible from this listing. Either way, all inputs to the flag (this constant
                            // and the password) live inside the APK — nothing is fetched from a server.
                            v5 = AppCompiatActivity.dec(v5, "2ggdrsLgM7iPNYPQrD58Rg==".getBytes());
                            AppCompiatActivity v1_1 = AppCompiatActivity.this;
                            StringBuilder v2_1 = new StringBuilder();
                            v2_1.append("flag{");
                            v2_1.append(new String(v5));   // platform-default charset again
                            v2_1.append("}");
                            // Duration 1 == Toast.LENGTH_LONG.
                            Toast.makeText(((Context)v1_1), v2_1.toString(), 1).show();
                        }
                        ...
            }
        });
        // Resource ids are opaque here; the name field is looked up but disabled.
        this.name = this.findViewById(2131165265);
        this.name.setEnabled(false);
        this.password = this.findViewById(2131165277);
    } 	
}

package com.zhuotong.crackme;
// Decompiler summary: MainActivity adds nothing of its own; all of the logic is in
// the class below.
public class MainActivity extends AppCompiatActivity;

package android.support.v7.app;
// Activity that gates the flag behind a native password check.
// Naming note: "AppCompiatActivity" is the app's own class, declared inside the
// android.support.v7.app package, so it is easy to mistake for the real
// AppCompatActivity it extends.
public class AppCompiatActivity extends AppCompatActivity {
    static {
        // Loads liboo000oo.so; its JNI_OnLoad registers the native eq() declared below.
        System.loadLibrary("oo000oo");
    }
    // Native password check (bound to x_eq via RegisterNatives in the .so).
    // Returns true when arg1 is the accepted password; the comparison itself is not in Java.
    protected native boolean eq(String arg1);
    protected void onStart() {
				...
        // The flag is derived entirely on the client, after eq() accepts mPassword.
        this.login.setOnClickListener(new View$OnClickListener() {
            public void onClick(View arg5) {
            						...
                        if(AppCompiatActivity.this.eq(AppCompiatActivity.this.mPassword)) {
                            // getBytes() with no charset argument uses the platform default encoding.
                            byte[] v5 = AppCompiatActivity.this.mPassword.getBytes();
                            int v3 = 24;   // fixed buffer size handed to dec()
                            // Normalise the password to exactly 24 bytes: copy the bytes that exist,
                            // fill every remaining position with its own index value, and (because the
                            // loop stops at 24) drop anything past the 24th byte.
                            // NOTE(review): v1 is not declared in this excerpt; the decompiler
                            // presumably elided an initialisation to 0 above — confirm.
                            if(v5.length != v3) {
                                byte[] v2 = new byte[v3];
                                while(v1 < v2.length) {
                                    byte v3_1 = v1 < v5.length ? v5[v1] : ((byte)v1);
                                    v2[v1] = v3_1;
                                    ++v1;
                                }

                                v5 = v2;
                            }
                            // dec() is static and not part of this excerpt. Its second argument is the
                            // raw ASCII bytes of the literal; no Base64 decoding happens here even though
                            // the string is Base64-shaped, and whether dec() decodes it internally is not
                            // visible from this listing. Either way, all inputs to the flag (this constant
                            // and the password) live inside the APK — nothing is fetched from a server.
                            v5 = AppCompiatActivity.dec(v5, "2ggdrsLgM7iPNYPQrD58Rg==".getBytes());
                            AppCompiatActivity v1_1 = AppCompiatActivity.this;
                            StringBuilder v2_1 = new StringBuilder();
                            v2_1.append("flag{");
                            v2_1.append(new String(v5));   // platform-default charset again
                            v2_1.append("}");
                            // Duration 1 == Toast.LENGTH_LONG.
                            Toast.makeText(((Context)v1_1), v2_1.toString(), 1).show();
                        }
                        ...
            }
        });
        // Resource ids are opaque here; the name field is looked up but disabled.
        this.name = this.findViewById(2131165265);
        this.name.setEnabled(false);
        this.password = this.findViewById(2131165277);
    } 	
}

package com.zhuotong.crackme;
// Decompiler summary: MainActivity adds nothing of its own; all of the logic is in
// the class below.
public class MainActivity extends AppCompiatActivity;

package android.support.v7.app;
// Activity that gates the flag behind a native password check.
// Naming note: "AppCompiatActivity" is the app's own class, declared inside the
// android.support.v7.app package, so it is easy to mistake for the real
// AppCompatActivity it extends.
public class AppCompiatActivity extends AppCompatActivity {
    static {
        // Loads liboo000oo.so; its JNI_OnLoad registers the native eq() declared below.
        System.loadLibrary("oo000oo");
    }
    // Native password check (bound to x_eq via RegisterNatives in the .so).
    // Returns true when arg1 is the accepted password; the comparison itself is not in Java.
    protected native boolean eq(String arg1);
    protected void onStart() {
				...
        // The flag is derived entirely on the client, after eq() accepts mPassword.
        this.login.setOnClickListener(new View$OnClickListener() {
            public void onClick(View arg5) {
            						...
                        if(AppCompiatActivity.this.eq(AppCompiatActivity.this.mPassword)) {
                            // getBytes() with no charset argument uses the platform default encoding.
                            byte[] v5 = AppCompiatActivity.this.mPassword.getBytes();
                            int v3 = 24;   // fixed buffer size handed to dec()
                            // Normalise the password to exactly 24 bytes: copy the bytes that exist,
                            // fill every remaining position with its own index value, and (because the
                            // loop stops at 24) drop anything past the 24th byte.
                            // NOTE(review): v1 is not declared in this excerpt; the decompiler
                            // presumably elided an initialisation to 0 above — confirm.
                            if(v5.length != v3) {
                                byte[] v2 = new byte[v3];
                                while(v1 < v2.length) {
                                    byte v3_1 = v1 < v5.length ? v5[v1] : ((byte)v1);
                                    v2[v1] = v3_1;
                                    ++v1;
                                }

                                v5 = v2;
                            }
                            // dec() is static and not part of this excerpt. Its second argument is the
                            // raw ASCII bytes of the literal; no Base64 decoding happens here even though
                            // the string is Base64-shaped, and whether dec() decodes it internally is not
                            // visible from this listing. Either way, all inputs to the flag (this constant
                            // and the password) live inside the APK — nothing is fetched from a server.
                            v5 = AppCompiatActivity.dec(v5, "2ggdrsLgM7iPNYPQrD58Rg==".getBytes());
                            AppCompiatActivity v1_1 = AppCompiatActivity.this;
                            StringBuilder v2_1 = new StringBuilder();
                            v2_1.append("flag{");
                            v2_1.append(new String(v5));   // platform-default charset again
                            v2_1.append("}");
                            // Duration 1 == Toast.LENGTH_LONG.
                            Toast.makeText(((Context)v1_1), v2_1.toString(), 1).show();
                        }
                        ...
            }
        });
        // Resource ids are opaque here; the name field is looked up but disabled.
        this.name = this.findViewById(2131165265);
        this.name.setEnabled(false);
        this.password = this.findViewById(2131165277);
    } 	
}

2. liboo000oo.so
解密用到的字符串
.init_array:00003E78                 DCD .datadiv_decode5009363700628197108+1

注册native函数android.support.v7.app.AppCompiatActivity.eq
// Invoked by the runtime when liboo000oo.so is loaded (System.loadLibrary in the APK).
// Hex-Rays output: the goto/while shape appears to be an artifact of the stack-protector
// epilogue (_stack_chk_guard != v5). Read it as: any failure -> return -1, otherwise
// return the JNI version the library supports.
int __fastcall JNI_OnLoad(JavaVM *a1)
{
  env = 0;
  // 65540 == 0x10004 == JNI_VERSION_1_4; a non-zero return means no usable JNIEnv.
  if ( !(*a1)->GetEnv(a1, &env, 65540) )
    goto LABEL_4;
LABEL_2:
  result = -1;   // JNI_ERR: the library refuses to load
  while ( _stack_chk_guard != v5 )
  {
LABEL_4:
    v2 = env;
    // off_4010 presumably points at the class-name string of the class owning eq()
    // (the writeup identifies it as android.support.v7.app.AppCompiatActivity) — confirm in .data.
    v3 = (*env)->FindClass(env, off_4010);
    // The class reference is pinned in a global for later native use. NOTE(review): this
    // runs before the null check below, so NewGlobalRef is also called when FindClass failed.
    dword_4110 = (*v2)->NewGlobalRef(v2, v3);
    // Binds exactly one method from the table at stru_4014 ("eq" -> x_eq; see .data:00004014).
    if ( !v3 || (*v2)->RegisterNatives(v2, v3, &stru_4014, 1) <= -1 )
      goto LABEL_2;
    result = 65542;   // 0x10006 == JNI_VERSION_1_6
  }
  return result;
}

.data:00004014 stru_4014       JNINativeMethod <aEq, aLjavaLangStrin, x_eq+1>

解密用到的字符串
.init_array:00003E78                 DCD .datadiv_decode5009363700628197108+1

.init_array:00003E78                 DCD .datadiv_decode5009363700628197108+1

注册native函数android.support.v7.app.AppCompiatActivity.eq
// Invoked by the runtime when liboo000oo.so is loaded (System.loadLibrary in the APK).
// Hex-Rays output: the goto/while shape appears to be an artifact of the stack-protector
// epilogue (_stack_chk_guard != v5). Read it as: any failure -> return -1, otherwise
// return the JNI version the library supports.
int __fastcall JNI_OnLoad(JavaVM *a1)
{
  env = 0;
  // 65540 == 0x10004 == JNI_VERSION_1_4; a non-zero return means no usable JNIEnv.
  if ( !(*a1)->GetEnv(a1, &env, 65540) )
    goto LABEL_4;
LABEL_2:
  result = -1;   // JNI_ERR: the library refuses to load
  while ( _stack_chk_guard != v5 )
  {
LABEL_4:
    v2 = env;
    // off_4010 presumably points at the class-name string of the class owning eq()
    // (the writeup identifies it as android.support.v7.app.AppCompiatActivity) — confirm in .data.
    v3 = (*env)->FindClass(env, off_4010);
    // The class reference is pinned in a global for later native use. NOTE(review): this
    // runs before the null check below, so NewGlobalRef is also called when FindClass failed.
    dword_4110 = (*v2)->NewGlobalRef(v2, v3);
    // Binds exactly one method from the table at stru_4014 ("eq" -> x_eq; see .data:00004014).
    if ( !v3 || (*v2)->RegisterNatives(v2, v3, &stru_4014, 1) <= -1 )
      goto LABEL_2;
    result = 65542;   // 0x10006 == JNI_VERSION_1_6
  }
  return result;
}

.data:00004014 stru_4014       JNINativeMethod <aEq, aLjavaLangStrin, x_eq+1>

// Invoked by the runtime when liboo000oo.so is loaded (System.loadLibrary in the APK).
// Hex-Rays output: the goto/while shape appears to be an artifact of the stack-protector
// epilogue (_stack_chk_guard != v5). Read it as: any failure -> return -1, otherwise
// return the JNI version the library supports.
int __fastcall JNI_OnLoad(JavaVM *a1)
{
  env = 0;
  // 65540 == 0x10004 == JNI_VERSION_1_4; a non-zero return means no usable JNIEnv.
  if ( !(*a1)->GetEnv(a1, &env, 65540) )
    goto LABEL_4;
LABEL_2:
  result = -1;   // JNI_ERR: the library refuses to load
  while ( _stack_chk_guard != v5 )
  {
LABEL_4:
    v2 = env;
    // off_4010 presumably points at the class-name string of the class owning eq()
    // (the writeup identifies it as android.support.v7.app.AppCompiatActivity) — confirm in .data.
    v3 = (*env)->FindClass(env, off_4010);
    // The class reference is pinned in a global for later native use. NOTE(review): this
    // runs before the null check below, so NewGlobalRef is also called when FindClass failed.
    dword_4110 = (*v2)->NewGlobalRef(v2, v3);
    // Binds exactly one method from the table at stru_4014 ("eq" -> x_eq; see .data:00004014).
    if ( !v3 || (*v2)->RegisterNatives(v2, v3, &stru_4014, 1) <= -1 )
      goto LABEL_2;
    result = 65542;   // 0x10006 == JNI_VERSION_1_6
  }
  return result;
}

.data:00004014 stru_4014       JNINativeMethod <aEq, aLjavaLangStrin, x_eq+1>

x_eq函数功能

