首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. CTF对抗
    3. 发新帖
bugku CTF 安卓逆向题目First_Mobile(xman)
发表于: 2024-2-8 21:28 13883

bugku CTF 安卓逆向题目First_Mobile(xman)

zhenwo 活跃值
1
2024-2-8 21:28
13883

题目来自bugku的First_Mobile(xman)

JADX 反编译apk。

gcc 用来编写还原算法。

拿到题目,看后缀是安卓APP,直接甩到夜神里看看啥样子。

将APK拖入JADX工具,获取到MainActivity代码。

双击enocode的check函数,直接跳转到encode类的实现页面。

可以看到算法如下

逻辑整理得:

((input[i] + b[i]) % 61) * 2 -i = input[i]

设:input[i] = x

运行代码获取str

测试如下

根据题目得到flag

XMAN{LOHILMNMLKHILKHI}

public class MainActivity extends AppCompatActivity {
    private Button button;
    private EditText editText;
 
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // android.support.v7.app.AppCompatActivity, android.support.v4.app.FragmentActivity, android.support.v4.app.BaseFragmentActivityGingerbread, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        final EditText editText = (EditText) findViewById(R.id.editText);
        Button button = (Button) findViewById(R.id.button);
        button.setOnClickListener(new View.OnClickListener() { // from class: com.example.xman.easymobile.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                new encode();
                if (encode.check(editText.getText().toString())) {
                    Toast.makeText(MainActivity.this.getApplicationContext(), "correct", 1).show();
                } else {
                    Toast.makeText(MainActivity.this.getApplicationContext(), "failed", 1).show();
                }
            }
        });
    }
}
public class MainActivity extends AppCompatActivity {
    private Button button;
    private EditText editText;
 
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // android.support.v7.app.AppCompatActivity, android.support.v4.app.FragmentActivity, android.support.v4.app.BaseFragmentActivityGingerbread, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        final EditText editText = (EditText) findViewById(R.id.editText);
        Button button = (Button) findViewById(R.id.button);
        button.setOnClickListener(new View.OnClickListener() { // from class: com.example.xman.easymobile.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                new encode();
                if (encode.check(editText.getText().toString())) {
                    Toast.makeText(MainActivity.this.getApplicationContext(), "correct", 1).show();
                } else {
                    Toast.makeText(MainActivity.this.getApplicationContext(), "failed", 1).show();
                }
            }
        });
    }
}
/* loaded from: classes.dex */
public class encode {
    private static byte[] b = {23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 32, 32};
 
    public static boolean check(String str) {
        byte[] input = str.getBytes();
        byte[] temp = new byte[16];
        for (int i = 0; i < 16; i++) {
            temp[i] = (byte) ((input[i] + b[i]) % 61);
        }
        for (int i2 = 0; i2 < 16; i2++) {
            temp[i2] = (byte) ((temp[i2] * 2) - i2);
        }
        String key = new String(temp);
        return key.equals(str);
    }
}
/* loaded from: classes.dex */
public class encode {
    private static byte[] b = {23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 32, 32};
 
    public static boolean check(String str) {
        byte[] input = str.getBytes();
        byte[] temp = new byte[16];
        for (int i = 0; i < 16; i++) {
            temp[i] = (byte) ((input[i] + b[i]) % 61);
        }
        for (int i2 = 0; i2 < 16; i2++) {
            temp[i2] = (byte) ((temp[i2] * 2) - i2);
        }
        String key = new String(temp);
        return key.equals(str);
    }
}
((input[i] + b[i]) % 61) * 2 -i = input[i]
 
=> (x % 61) * 2 + (b[i] % 61) * 2 = x
 
=> (b[i] % 61) * 2 - i = x - (x % 61) * 2
((input[i] + b[i]) % 61) * 2 -i = input[i]
 
=> (x % 61) * 2 + (b[i] % 61) * 2 = x
 
=> (b[i] % 61) * 2 - i = x - (x % 61) * 2
#include <stdio.h>
#include <stdlib.h>
 
void main()
{
    unsigned char b[] = {23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 32, 32};
    char input[20] = {0};
    char c;
    for (int i = 0; i < 16; i++)
    {
        c = (b[i] % 61) * 2 - i;
        printf(" b[i] %% 61 * 2 - i = x - x %% 61 * 2  => x - x %% 61 * 2 = %d\n", c);
        for (int j = c; j < 255; j++)
        {
            if ( (j - (j % 61) * 2) == c)
            {
                input[i] = j;
                printf("input[%d]=%c(%d)\n",i,j,j);
                break;
            }       
        }  
    }
    printf(input);
}
#include <stdio.h>

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 4
支持
分享
最新回复 (3)
秋狝
雪    币: 2787
活跃值: (30801)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
感谢分享
2024-2-8 22:33
1
教教我吧~
雪    币: 158
活跃值: (1071)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3

这个地方的推导不成立:(a + b) % c ≠ a % c + b % c(此处求余无法逆向推导吧, 我不是很理解,难道有更好的理解,求分析)




我用的方式是爆破


最后于 2024-3-1 20:24 被教教我吧~编辑 ,原因:
2024-3-1 20:21
0
zhenwo
雪    币: 1555
活跃值: (3103)
能力值: ( LV11,RANK:180 )
在线值:
发帖
回帖
粉丝
私信
4
教教我吧~ 这个地方的推导不成立:(a + b) % c ≠ a % c + b % c(此处求余无法逆向推导吧, 我不是很理解,难道有更好的理解,求分析)我用的方式是爆破
b[i] 的值是确定的,最后变成了 n = x - (x % 0x61)* 2 
所以 将for(x = n ; ;x++) {if( n == x - (x % 0x61)* 2 ) break;} 就行。
有一些小爆破。
2024-3-2 13:01
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//