首页
社区
课程
招聘
[原创]强网拟态线上mobile的两道wp
发表于: 2021-10-28 22:44 22215

[原创]强网拟态线上mobile的两道wp

2021-10-28 22:44
22215

找到关键代码在mainactivity中.

输入处理:

关键比较:

需要a类中的字符串数组C要等同于a方法对v7_1处理的结果.

查看A类a方法, 可以看到是根据a.b[v6]进行hash加密, 任选了一个进行爆破, 爆不出来. 仔细翻了翻了, 前面的welcomeactivity类更改了a密钥byte数组和b数组.

对密钥进行MD5.

当b数组的值<8时, 不使用密钥, hash加密的方式不同, b数组>=8时, 相同的hash加密HmacSha512, 不同密钥.

这样就直接开始爆破, 8组数据, 范围为4个0-0x7f字节.直接抄程序反编译代码去爆破

HmacSha512: 将密钥和密文对应就行

无密钥hash: 将hash方法和密文对应

这里我没有再去考虑大于7F的输入, 我直接分析flag的输出:

这里可以看到, 如果使用了HmacSha512, 需要反序.

最后爆破了半天得到flag.

输入处理:

输入为32字节, 然后依次查询a类的a数组再输入中的位置, 将位置+32后转化为2进制去掉首位保存字符串.

保存的范围就是00000 - 11111, 一共是16个.

查看a类的a数组, 可以编写脚本处理发现只有32种. 要求的是每个数都再输入中能找到, 不能重复.

之后就是2进制连起来, 依次取8位, 转化为byte数组.

密文的生成直接抄反编译代码, 然后调试可以发现, 是圆周率. 长度是360位.

校验:

要求的是依次取圆周率字符串2位, 视为10进制数和5位2进制数生成的byte数组一一比较, 一共180次.

这里不妨算一下, a数组的长度为288位, 转化出来的2进制长度为288 5 == 1440, 密文长度是180 8 == 1440, 刚好对应.

加上flag{}就ok.

附件中的HAHAHAHA我重新打包过

 
byte[] v7_1 = a.c(v1_1[v6]);
....
 while(v9 < v7_1.length) {
                v10 = v10 << 1 | (v7_1[v9] & 0x80) >>> v2;
                v7_1[v9] = ((byte)(v7_1[v9] & 0x7F));
                ++v9;
            }
byte[] v7_1 = a.c(v1_1[v6]);
....
 while(v9 < v7_1.length) {
                v10 = v10 << 1 | (v7_1[v9] & 0x80) >>> v2;
                v7_1[v9] = ((byte)(v7_1[v9] & 0x7F));
                ++v9;
            }
String v9_1 = a.a(v10, v7_1);
           if(v9_1 != null && (v9_1.equals(a.a(a.b[v6], v7_1)))) {
               if(!v9_1.equals(a.c[v6])) {
               }
               else {
                   ++v6;
                   continue;
               }
           }
String v9_1 = a.a(v10, v7_1);
           if(v9_1 != null && (v9_1.equals(a.a(a.b[v6], v7_1)))) {
               if(!v9_1.equals(a.c[v6])) {
               }
               else {
                   ++v6;
                   continue;
               }
           }
 
for(v0 = 0; true; ++v0) {
            int[] v1 = a.b;
            if(v0 >= v1.length) {
                break;
            }
 
            v1[v0] ^= 0xAB;
        }
....
while(v4 < a.a.length) {
            try {
                v0_1 = MessageDigest.getInstance("MD5");
            }
            catch(NoSuchAlgorithmException v1_1) {
                v1_1.printStackTrace();
            }
 
            v0_1.update(a.a[v4]);
            a.a[v4] = v0_1.digest();
            ++v4;
        }
for(v0 = 0; true; ++v0) {
            int[] v1 = a.b;
            if(v0 >= v1.length) {
                break;
            }
 
            v1[v0] ^= 0xAB;
        }
....
while(v4 < a.a.length) {
            try {
                v0_1 = MessageDigest.getInstance("MD5");
            }
            catch(NoSuchAlgorithmException v1_1) {
                v1_1.printStackTrace();
            }
 
            v0_1.update(a.a[v4]);
            a.a[v4] = v0_1.digest();
            ++v4;
        }
 
 
 
import java.nio.charset.StandardCharsets;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
 
public class demo {
    public static final String v0 = "HmacSha512";
    public static void main(String[] args) {
        MessageDigest v0_1 = null;
        StringBuilder v1_2;
        byte[] miwen = new byte[4];
        String v6_1 = "%02x";
        try {
            for (int i=0x0; i<=0x7e; i++) {
                miwen[0] = (byte)i;
                for (int j = 0x0; j <= 0x7e; j++) {
                    miwen[1] = (byte)j;
                    for (int k = 0x0; k <= 0x7e; k++) {
                        miwen[2] = (byte)k;
                        for (int l = 0x0; l <= 0x7e; l++) {
                            miwen[3] = (byte)l;
                            try {
                                v0_1 = MessageDigest.getInstance("MD5");
                            }
                            catch(NoSuchAlgorithmException v1_1) {
                                v1_1.printStackTrace();
                            }
                            byte[] tmp = "ALFjcgztxnUaC89v".getBytes();
                            v0_1.update(tmp);
                            byte[] miwen2 = v0_1.digest();
                            SecretKeySpec v1 = new SecretKeySpec(miwen2, v0);
                            Mac v3 = Mac.getInstance(v0);
                            v3.init(((Key)v1));
                            v3.update(miwen);
                            String v2_2;
                            String s = "78b0be39e63b6837";
                            for(v2_2 = new BigInteger(1, v3.doFinal()).toString(16); v2_2.length() < 0x20; v2_2 = "0" + v2_2) {
                            }
                            if (v2_2.substring(0,16).equals(s)) {
                                System.out.printf("%x ", i);
                                System.out.printf("%x ", j);
                                System.out.printf("%x ", k);
                                System.out.printf("%x ", l);
                                System.out.printf("%n");
                                return;
                            }
                        }
                    }
                }
            }
        }
        catch(InvalidKeyException | NoSuchAlgorithmException v2) {
            return;
        }
    }
}
import java.nio.charset.StandardCharsets;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
 
public class demo {
    public static final String v0 = "HmacSha512";
    public static void main(String[] args) {
        MessageDigest v0_1 = null;
        StringBuilder v1_2;
        byte[] miwen = new byte[4];
        String v6_1 = "%02x";
        try {
            for (int i=0x0; i<=0x7e; i++) {
                miwen[0] = (byte)i;
                for (int j = 0x0; j <= 0x7e; j++) {
                    miwen[1] = (byte)j;
                    for (int k = 0x0; k <= 0x7e; k++) {
                        miwen[2] = (byte)k;
                        for (int l = 0x0; l <= 0x7e; l++) {
                            miwen[3] = (byte)l;
                            try {
                                v0_1 = MessageDigest.getInstance("MD5");
                            }
                            catch(NoSuchAlgorithmException v1_1) {
                                v1_1.printStackTrace();
                            }
                            byte[] tmp = "ALFjcgztxnUaC89v".getBytes();
                            v0_1.update(tmp);
                            byte[] miwen2 = v0_1.digest();
                            SecretKeySpec v1 = new SecretKeySpec(miwen2, v0);
                            Mac v3 = Mac.getInstance(v0);
                            v3.init(((Key)v1));
                            v3.update(miwen);
                            String v2_2;
                            String s = "78b0be39e63b6837";
                            for(v2_2 = new BigInteger(1, v3.doFinal()).toString(16); v2_2.length() < 0x20; v2_2 = "0" + v2_2) {
                            }
                            if (v2_2.substring(0,16).equals(s)) {
                                System.out.printf("%x ", i);
                                System.out.printf("%x ", j);
                                System.out.printf("%x ", k);
                                System.out.printf("%x ", l);
                                System.out.printf("%n");
                                return;
                            }
                        }
                    }
                }
            }
        }
        catch(InvalidKeyException | NoSuchAlgorithmException v2) {
            return;
        }
    }
}
import java.nio.charset.StandardCharsets;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
 
public class demo5 {
    public static final String v0 = "HmacSha512";
    public static void main(String[] args) {
        MessageDigest v1_11;
        byte[] miwen2;
        byte[] miwen = new byte[4];
        String v6_1 = "%02x";
        StringBuilder v1_2;
        for (int i=0x0; i<=0x7e; i++) {
            miwen[0] = (byte)i;
            for (int j = 0x0; j <= 0x7e; j++) {
                miwen[1] = (byte)j;
                for (int k = 0x0; k <= 0x7e; k++) {
                    miwen[2] = (byte)k;
                    for (int l = 0x0; l <= 0x7e; l++) {
                        miwen[3] = (byte)l;
                        String s = "f2dda5fc021fe2bf";
                        try {
                            v1_11 = MessageDigest.getInstance("SHA-384"
                            );
                            v1_11.update(miwen);
                            miwen2 = v1_11.digest();
                            v1_2 = new StringBuilder();
                            for(int v4 = 0; v4 < miwen2.length; ++v4) {
                                v1_2.append(String.format(v6_1, Byte.valueOf(miwen2[v4])));
                            }
                            String tmp = v1_2.toString().substring(0,16);
                            if (tmp.equals(s)){
                                System.out.printf("%x ", i);
                                System.out.printf("%x ", j);
                                System.out.printf("%x ", k);
                                System.out.printf("%x ", l);
                                System.out.printf("%n");
                                return;
                            }
 
                        }
                        catch(NoSuchAlgorithmException v0_2) {
                            v0_2.printStackTrace();
                        }
                    }
                }
            }
        }
    }
}
import java.nio.charset.StandardCharsets;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2021-10-29 20:55 被margina1编辑 ,原因:
上传的附件:
收藏
免费 2
支持
分享
最新回复 (1)
雪    币:
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
真棒
2021-11-2 10:51
0
游客
登录 | 注册 方可回帖
返回
//