-
-
[原创]CTF新手合集:Flag算法分析
-
发表于: 2023-12-14 23:12 10181
-
为什么是新手合集呢?主要是以下的CTF项目难度都不大,仅限于java层。接下来,我们将详细分析和算法还原下。
这题主要在于算法的还原,代码逻辑是比较清晰的,MainActivity.this.check()为真,.check()函数内字符串满足条件则完成flag.
接下来对算法进行还原:
从代码分析来看,只要循环内满足 :this.s[i] = (chars[i] ^ 23) 我们用python 来还原这个逻辑:
flag{It_1S_@N_3asY_@nDr0)I)1|d}
这一题的利用到数学里面的二元一次方程来求解。
满足 a.a(editText.getText().toString()) 为真则成功,那么a()函数里面满足这个条件则成功。a[i2] != (b[i2] * iArr[i2] * iArr[i2]) + (c[i2] * iArr[i2]) + d[i2] || a[i2 + 1] != (b[i2] * iArr[i2 + 1] * iArr[i2 + 1]) + (c[i2] * iArr[i2 + 1]) + d[i2]。这个函数 我拆开来开 就是满足:
a[i2]-d[i2] = (b[i2] * iArr[i2] * iArr[i2]) + (c[i2] * iArr[i2])
类似: y = x^2+x,就是一个【一元二次方程】 已知 y 求 x ,再把 x的值拼接起来,就是我们输入的字符串。
算法还原:
flag{MAth_i&_GOOd_DON7_90V_7hInK?
这题对于之前2个来说稍微复杂点。核心思想就是字符MD5加密与给定的字符的比较。不过它难就难在你知道MD5加密的结果,反向推算字符串,但是MD5又是不可逆的,怎么反推回去呢?挺有意思是不,接下来我们分析看看。
要想成功,必需满足红框内的条件为真。接着我们到a()方法中:
输入的字符长度"flag{this_is_a_fake_flag_ahhhhh}"长度相同,满足e().a的条件:
满足 b.a(a(str, str2).toString().substring(0, 4), "utf8").equals(this.a) 以此类推。求解str的值,根据代码逻辑,a(str, str2)字符换算转换后调用b.a()完成MD5加密返回值 等于 a、b、c等。
通过代码分析,我们还得验证我们的分析结果,万一里面的MD5加密是魔改的,搞了半天不就是很尴尬。
通过hook 验证了我们的分析。通过 a(String str, String str2) 的到的字符串,在切成8段,每段四个字符 MD5 得到的结果就是 a、b、c、d、e、f、g、h字符串。
既然如此 我们就暴力破解,组成相应的字符,进行加密 一一比对就好了。
得到结果:bd1d6ba7f1d3f5a13ebb0a75844cccfa
s
=
[
113
,
123
,
118
,
112
,
108
,
94
,
99
,
72
,
38
,
68
,
72
,
87
,
89
,
72
,
36
,
118
,
100
,
78
,
72
,
87
,
121
,
83
,
101
,
39
,
62
,
94
,
62
,
38
,
107
,
115
,
106
]
ss
=
[]
for
one
in
s:
b
=
one ^
23
ss.append(b)
ss_b
=
bytes(ss)
print
(ss_b.decode(
'utf-8'
))
# flag{It_1S_@N_3asY_@nDr0)I)1|d}
s
=
[
113
,
123
,
118
,
112
,
108
,
94
,
99
,
72
,
38
,
68
,
72
,
87
,
89
,
72
,
36
,
118
,
100
,
78
,
72
,
87
,
121
,
83
,
101
,
39
,
62
,
94
,
62
,
38
,
107
,
115
,
106
]
ss
=
[]
for
one
in
s:
b
=
one ^
23
ss.append(b)
ss_b
=
bytes(ss)
print
(ss_b.decode(
'utf-8'
))
# flag{It_1S_@N_3asY_@nDr0)I)1|d}
from
sympy
import
symbols, Eq, solve
a
=
[
0
,
146527998
,
205327308
,
94243885
,
138810487
,
408218567
,
77866117
,
71548549
,
563255818
,
559010506
,
449018203
,
576200653
,
307283021
,
467607947
,
314806739
,
341420795
,
341420795
,
469998524
,
417733494
,
342206934
,
392460324
,
382290309
,
185532945
,
364788505
,
210058699
,
198137551
,
360748557
,
440064477
,
319861317
,
676258995
,
389214123
,
829768461
,
534844356
,
427514172
,
864054312
]
b
=
[
13710
,
46393
,
49151
,
36900
,
59564
,
35883
,
3517
,
52957
,
1509
,
61207
,
63274
,
27694
,
20932
,
37997
,
22069
,
8438
,
33995
,
53298
,
16908
,
30902
,
64602
,
64028
,
29629
,
26537
,
12026
,
31610
,
48639
,
19968
,
45654
,
51972
,
64956
,
45293
,
64752
,
37108
]
c
=
[
38129
,
57355
,
22538
,
47767
,
8940
,
4975
,
27050
,
56102
,
21796
,
41174
,
63445
,
53454
,
28762
,
59215
,
16407
,
64340
,
37644
,
59896
,
41276
,
25896
,
27501
,
38944
,
37039
,
38213
,
61842
,
43497
,
9221
,
9879
,
14436
,
60468
,
19926
,
47198
,
8406
,
64666
]
d
=
[
0
,
-
341994984
,
-
370404060
,
-
257581614
,
-
494024809
,
-
135267265
,
54930974
,
-
155841406
,
540422378
,
-
107286502
,
-
128056922
,
265261633
,
275964257
,
119059597
,
202392013
,
283676377
,
126284124
,
-
68971076
,
261217574
,
197555158
,
-
12893337
,
-
10293675
,
93868075
,
121661845
,
167461231
,
123220255
,
221507
,
258914772
,
180963987
,
107841171
,
41609001
,
276531381
,
169983906
,
276158562
]
def
solve_quadratic_equation(a, b, c):
# 定义符号变量
x
=
symbols(
'x'
)
# 定义方程
equation
=
Eq(a
*
x
*
*
2
+
b
*
x
+
c,
0
)
# 解方程
solutions
=
solve(equation, x)
return
solutions
print
(
"len(a) "
,
len
(a),
"len(c) "
,
len
(c))
my_string
=
"adksisjhewadksisjhewadksisjhewwwert"
ascii_values
=
[
ord
(char)
for
char
in
my_string]
iArr
=
ascii_values
print
(iArr)
i
=
0
iArr_new
=
[]
while
i <
len
(c):
a1
=
a[i]
a2
=
a[i
+
1
]
print
(
"a1 :"
, a1,
" a2 :"
, a2)
# a1 = (b[i] * iArr[i] * iArr[i]) + (c[i] * iArr[i]) + d[i]
# a2 = (b[i] * iArr[i + 1] * iArr[i + 1]) + (c[i] * iArr[i + 1]) + d[i]
solutions
=
solve_quadratic_equation(b[i], c[i], d[i]
-
a1)
sign_v
=
solutions
print
(
"sign_v : "
, sign_v)
iArr_new.append(sign_v)
i
=
i
+
1
iArr_new_str
=
bytes(iArr_new)
print
(
"iArr_new_str : "
, iArr_new_str)
结果 :
[
0
,
102
,
108
,
97
,
103
,
123
,
77
,
65
,
116
,
104
,
95
,
105
,
38
,
95
,
71
,
79
,
79
,
100
,
95
,
68
,
79
,
78
,
55
,
95
,
57
,
48
,
86
,
95
,
55
,
104
,
73
,
110
,
75
,
63
]
iArr_new_str : b
'\x00flag{MAth_i&_GOOd_DON7_90V_7hInK?'
from
sympy
import
symbols, Eq, solve
a
=
[
0
,
146527998
,
205327308
,
94243885
,
138810487
,
408218567
,
77866117
,
71548549
,
563255818
,
559010506
,
449018203
,
576200653
,
307283021
,
467607947
,
314806739
,
341420795
,
341420795
,
469998524
,
417733494
,
342206934
,
392460324
,
382290309
,
185532945
,
364788505
,
210058699
,
198137551
,
360748557
,
440064477
,
319861317
,
676258995
,
389214123
,
829768461
,
534844356
,
427514172
,
864054312
]
b
=
[
13710
,
46393
,
49151
,
36900
,
59564
,
35883
,
3517
,
52957
,
1509
,
61207
,
63274
,
27694
,
20932
,
37997
,
22069
,
8438
,
33995
,
53298
,
16908
,
30902
,
64602
,
64028
,
29629
,
26537
,
12026
,
31610
,
48639
,
19968
,
45654
,
51972
,
64956
,
45293
,
64752
,
37108
]
c
=
[
38129
,
57355
,
22538
,
47767
,
8940
,
4975
,
27050
,
56102
,
21796
,
41174
,
63445
,
53454
,
28762
,
59215
,
16407
,
64340
,
37644
,
59896
,
41276
,
25896
,
27501
,
38944
,
37039
,
38213
,
61842
,
43497
,
9221
,
9879
,
14436
,
60468
,
19926
,
47198
,
8406
,
64666
]
d
=
[
0
,
-
341994984
,
-
370404060
,
-
257581614
,
-
494024809
,
-
135267265
,
54930974
,
-
155841406
,
540422378
,
-
107286502
,
-
128056922
,
265261633
,
275964257
,
119059597
,
202392013
,
283676377
,
126284124
,
-
68971076
,
261217574
,
197555158
,
-
12893337
,
-
10293675
,
93868075
,
121661845
,
167461231
,
123220255
,
221507
,
258914772
,
180963987
,
107841171
,
41609001
,
276531381
,
169983906
,
276158562
]
def
solve_quadratic_equation(a, b, c):
# 定义符号变量
x
=
symbols(
'x'
)
# 定义方程
equation
=
Eq(a
*
x
*
*
2
+
b
*
x
+
c,
0
)
# 解方程
solutions
=
solve(equation, x)
return
solutions
print
(
"len(a) "
,
len
(a),
"len(c) "
,
len
(c))
my_string
=
"adksisjhewadksisjhewadksisjhewwwert"
ascii_values
=
[
ord
(char)
for
char
in
my_string]
iArr
=
ascii_values
print
(iArr)
i
=
0
iArr_new
=
[]
while
i <
len
(c):
a1
=
a[i]
a2
=
a[i
+
1
]
print
(
"a1 :"
, a1,
" a2 :"
, a2)
# a1 = (b[i] * iArr[i] * iArr[i]) + (c[i] * iArr[i]) + d[i]
# a2 = (b[i] * iArr[i + 1] * iArr[i + 1]) + (c[i] * iArr[i + 1]) + d[i]
solutions
=
solve_quadratic_equation(b[i], c[i], d[i]
-
a1)
sign_v
=
solutions
print
(
"sign_v : "
, sign_v)
iArr_new.append(sign_v)
i
=
i
+
1
iArr_new_str
=
bytes(iArr_new)
print
(
"iArr_new_str : "
, iArr_new_str)
结果 :
[
0
,
102
,
108
,
97
,
103
,
123
,
77
,
65
,
116
,
104
,
95
,
105
,
38
,
95
,
71
,
79
,
79
,
100
,
95
,
68
,
79
,
78
,
55
,
95
,
57
,
48
,
86
,
95
,
55
,
104
,
73
,
110
,
75
,
63
]
iArr_new_str : b
'\x00flag{MAth_i&_GOOd_DON7_90V_7hInK?'
function hook_so() {
Java.perform(function () {
var e
=
Java.use(
"com.he.tian.easymix.e"
);
e[
"a"
].overload(
'java.lang.String'
,
'java.lang.String'
).implementation
=
function (
str
, str2) {
console.log(
'a is called'
+
', '
+
'str: '
+
str
+
', '
+
'str2: '
+
str2);
var ret
=
this.a(
str
, str2);
console.log(
'a ret value is '
, ret);
return
ret;
};
var b
=
Java.use(
"com.he.tian.easymix.b"
);
b[
"a"
].overload(
'java.lang.String'
,
'java.lang.String'
).implementation
=
function (
str
, str2) {
console.log(
'a is called'
+
', '
+
'str: '
+
str
+
', '
+
'str2: '
+
str2);
var ret
=
this.a(
str
, str2);
console.log(
'a ret value is '
+
ret);
return
ret;
};
})
}
function hook_so() {
Java.perform(function () {
var e
=
Java.use(
"com.he.tian.easymix.e"
);
e[
"a"
].overload(
'java.lang.String'
,
'java.lang.String'
).implementation
=
function (
str
, str2) {
console.log(
'a is called'
+
', '
+
'str: '
+
str
+
', '
+
'str2: '
+
str2);
var ret
=
this.a(
str
, str2);
console.log(
'a ret value is '
, ret);
return
ret;
};
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课