[原创]强网拟态线上mobile的两道wp
-
发表于: 2021-10-28 22:44 22198
-
找到关键代码在mainactivity中.
输入处理:
关键比较:
需要a类中的字符串数组C要等同于a方法对v7_1处理的结果.
查看a类的a方法, 可以看到是根据a.b[v6]选择hash方式进行加密. 任选了一组进行爆破, 爆不出来. 仔细翻了翻, 发现前面的welcomeactivity类在运行时更改了a类的密钥byte数组a和b数组, 所以不能直接使用静态反编译看到的初始值.
对密钥进行MD5.
当b数组的值<8时, 不使用密钥, 各组使用的hash方法不同; 当b数组的值>=8时, 都使用HmacSha512, 但各组密钥不同.
这样就直接开始爆破, 8组数据, 范围为4个0-0x7f字节.直接抄程序反编译代码去爆破
HmacSha512: 将密钥和密文对应就行
无密钥hash: 将hash方法和密文对应
这里我没有再去考虑大于7F的输入, 我直接分析flag的输出:
这里可以看到, 如果使用了HmacSha512, 需要反序.
最后爆破了半天得到flag.
输入处理:
输入为32字节, 然后依次查询a类的a数组在输入中的位置, 将位置+32后转化为2进制, 去掉首位后保存为字符串.
保存的范围就是00000 - 11111, 一共是16个.
查看a类的a数组, 可以编写脚本处理发现只有32种. 要求的是每个数都在输入中能找到, 不能重复.
之后就是2进制连起来, 依次取8位, 转化为byte数组.
密文的生成直接抄反编译代码, 然后调试可以发现, 是圆周率. 长度是360位.
校验:
要求的是依次取圆周率字符串2位, 视为10进制数和5位2进制数生成的byte数组一一比较, 一共180次.
这里不妨算一下, a数组的长度为288位, 转化出来的2进制长度为288 * 5 == 1440, 密文长度是180 * 8 == 1440, 刚好对应.
加上flag{}就ok.
附件中的HAHAHAHA我重新打包过
// MainActivity (decompiled excerpt): pre-processing of input group v6 before it is hashed.
// a.c(...) is not shown on this page; it yields the byte[] for this group
// (presumably the raw bytes of the group — TODO confirm against class a).
byte[] v7_1 = a.c(v1_1[v6]);
....
while (v9 < v7_1.length) {
    // Shift v10 left by one and OR in the bit selected by the 0x80 mask, i.e. the
    // top bit of the current byte. v2 is assigned in the elided part; presumably 7,
    // so the bit lands in position 0 — TODO confirm.
    v10 = v10 << 1 | (v7_1[v9] & 0x80) >>> v2;
    // Clear the top bit: the bytes that reach the hash are always in 0x00..0x7f,
    // which is why a search over that range is enough for the hashed part.
    v7_1[v9] = ((byte)(v7_1[v9] & 0x7F));
    ++v9;
}
// MainActivity (decompiled excerpt): the check applied to each input group.
// a.a(selector, data) returns a digest string; per the write-up the selector decides
// which hash routine is used (its body is not shown on this page).
String v9_1 = a.a(v10, v7_1);
// Two conditions must hold for group v6:
//  1. the digest selected by v10 (built from the input's top bits) equals the digest
//     selected by a.b[v6], and
//  2. that digest equals the expected string a.c[v6].
if (v9_1 != null && (v9_1.equals(a.a(a.b[v6], v7_1)))) {
    if (!v9_1.equals(a.c[v6])) {
        // Mismatch: the decompiler left this branch empty; what happens next lies
        // outside this excerpt.
    }
    else {
        // Group accepted, move on to the next one.
        ++v6;
        continue;
    }
}
// WelcomeActivity (decompiled excerpt): rewrites the tables of class a in place.
// Values read statically from class a are therefore not the ones in effect once
// this code has run; the check in MainActivity sees b[i] ^ 0xAB and MD5(a[i]).
for (v0 = 0; true; ++v0) {
    int[] v1 = a.b;
    if (v0 >= v1.length) {
        break;
    }
    // Every selector in a.b is XORed with 0xAB.
    v1[v0] ^= 0xAB;
}
....
while (v4 < a.a.length) {
    try {
        v0_1 = MessageDigest.getInstance("MD5");
    }
    catch(NoSuchAlgorithmException v1_1) {
        // Only logged: whatever v0_1 held before is used below (null if it was
        // never assigned).
        v1_1.printStackTrace();
    }
    // Each key in a.a is replaced by its own MD5 digest (16 bytes).
    v0_1.update(a.a[v4]);
    a.a[v4] = v0_1.digest();
    ++v4;
}
import
java.nio.charset.StandardCharsets;
import
java.math.BigInteger;
import
java.security.GeneralSecurityException;
import
java.security.InvalidKeyException;
import
java.security.Key;
import
java.security.MessageDigest;
import
java.security.NoSuchAlgorithmException;
import
javax.crypto.Mac;
import
javax.crypto.spec.SecretKeySpec;
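/**
 * Exhaustive search for one 4-byte input group of the crackme, keyed (HmacSha512) case.
 *
 * <p>Each candidate of four bytes in 0x00..0x7e is authenticated with HmacSha512 under
 * the key MD5("ALFjcgztxnUaC89v"). The first candidate whose hex digest starts with the
 * expected 16 hex characters is printed as four hex values and the program exits.
 * Note that 0x7f itself is not tried, exactly as in the original script.
 *
 * <p>The key and the Mac instance do not depend on the candidate, so both are created
 * once instead of once per candidate.
 */
public class demo {
    /** JCA algorithm name, used for the key spec and for the Mac. */
    public static final String v0 = "HmacSha512";

    /** Key material before the MD5 step; replace with the key of the group being solved. */
    private static final String KEY_SEED = "ALFjcgztxnUaC89v";

    /** First 16 hex characters of the expected digest; replace per group. */
    private static final String TARGET_PREFIX = "78b0be39e63b6837";

    /**
     * Runs the search and prints the first matching candidate.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        final Mac mac;
        try {
            byte[] key = MessageDigest.getInstance("MD5")
                    .digest(KEY_SEED.getBytes(StandardCharsets.UTF_8));
            mac = Mac.getInstance(v0);
            mac.init(new SecretKeySpec(key, v0));
        } catch (GeneralSecurityException e) {
            // Without the algorithms no candidate can be checked; say so instead of
            // returning silently.
            System.err.println("cannot set up " + v0 + ": " + e);
            return;
        }

        byte[] miwen = new byte[4];
        for (int i = 0x0; i <= 0x7e; i++) {
            miwen[0] = (byte) i;
            for (int j = 0x0; j <= 0x7e; j++) {
                miwen[1] = (byte) j;
                for (int k = 0x0; k <= 0x7e; k++) {
                    miwen[2] = (byte) k;
                    for (int l = 0x0; l <= 0x7e; l++) {
                        miwen[3] = (byte) l;
                        // doFinal(input) leaves the Mac re-initialised with the same
                        // key, so the instance is safe to reuse.
                        if (hexDigest(mac.doFinal(miwen)).startsWith(TARGET_PREFIX)) {
                            System.out.printf("%x %x %x %x %n", i, j, k, l);
                            return;
                        }
                    }
                }
            }
        }
    }

    /**
     * Renders a digest the way the copied decompiled routine does.
     *
     * <p>BigInteger drops leading zero digits and the string is padded only up to
     * 0x20 characters, which is shorter than a 64-byte HmacSha512 value. This is kept
     * on purpose: the search has to reproduce the string the application compares,
     * quirks included (presumably the app pads the same way — verify against a.a).
     *
     * @param digest raw MAC value
     * @return lower-case hex string, at least 0x20 characters long
     */
    private static String hexDigest(byte[] digest) {
        StringBuilder hex = new StringBuilder(new BigInteger(1, digest).toString(16));
        while (hex.length() < 0x20) {
            hex.insert(0, '0');
        }
        return hex.toString();
    }
}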
import
java.nio.charset.StandardCharsets;
import
java.math.BigInteger;
import
java.security.GeneralSecurityException;
import
java.security.InvalidKeyException;
import
java.security.Key;
import
java.security.MessageDigest;
import
java.security.NoSuchAlgorithmException;
import
javax.crypto.Mac;
import
javax.crypto.spec.SecretKeySpec;
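/**
 * Exhaustive search for one 4-byte input group of the crackme, unkeyed case (SHA-384 here).
 *
 * <p>Each candidate of four bytes in 0x00..0x7e is hashed; the first candidate whose
 * digest starts with the expected bytes is printed as four hex values and the program
 * exits. Note that 0x7f itself is not tried, exactly as in the original script.
 *
 * <p>The original formatted all 48 digest bytes with "%02x" for every candidate and
 * compared the first 16 characters. That rendering is fixed-width (two characters per
 * byte), so comparing the first 8 digest bytes directly gives the same result without
 * the per-candidate string building.
 */
public class demo5 {
    /** Kept from the keyed variant of this script; not used in the unkeyed search. */
    public static final String v0 = "HmacSha512";

    /** First 16 hex characters (8 bytes) of the expected digest; replace per group. */
    private static final String TARGET_PREFIX = "f2dda5fc021fe2bf";

    /**
     * Runs the search and prints the first matching candidate.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        final MessageDigest sha384;
        try {
            sha384 = MessageDigest.getInstance("SHA-384");
        } catch (NoSuchAlgorithmException e) {
            // Report once and stop; nothing can be checked without the algorithm.
            System.err.println("SHA-384 is not available: " + e);
            return;
        }

        byte[] wanted = decodeHex(TARGET_PREFIX);
        byte[] miwen = new byte[4];
        for (int i = 0x0; i <= 0x7e; i++) {
            miwen[0] = (byte) i;
            for (int j = 0x0; j <= 0x7e; j++) {
                miwen[1] = (byte) j;
                for (int k = 0x0; k <= 0x7e; k++) {
                    miwen[2] = (byte) k;
                    for (int l = 0x0; l <= 0x7e; l++) {
                        miwen[3] = (byte) l;
                        // digest(input) resets the MessageDigest, so one instance
                        // serves every candidate.
                        if (hasPrefix(sha384.digest(miwen), wanted)) {
                            System.out.printf("%x %x %x %x %n", i, j, k, l);
                            return;
                        }
                    }
                }
            }
        }
    }

    /**
     * Decodes an even-length hex string into bytes.
     *
     * @param hex hex digits, two per byte
     * @return the decoded bytes
     */
    private static byte[] decodeHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int n = 0; n < out.length; n++) {
            out[n] = (byte) Integer.parseInt(hex.substring(2 * n, 2 * n + 2), 16);
        }
        return out;
    }

    /**
     * Tells whether {@code digest} begins with the bytes of {@code prefix}.
     *
     * @param digest full digest
     * @param prefix expected leading bytes
     * @return true when every prefix byte matches
     */
    private static boolean hasPrefix(byte[] digest, byte[] prefix) {
        if (digest.length < prefix.length) {
            return false;
        }
        for (int n = 0; n < prefix.length; n++) {
            if (digest[n] != prefix[n]) {
                return false;
            }
        }
        return true;
    }
}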