-
-
bugku CTF 安卓逆向题目First_Mobile(xman)
-
发表于: 2024-2-8 21:28
-
题目来自bugku的First_Mobile(xman)
JADX 反编译apk。
gcc 用来编写还原算法。
拿到题目,看后缀是安卓APP,直接甩到夜神里看看啥样子。
将APK拖入JADX工具,获取到MainActivity代码。
双击enocode的check函数,直接跳转到encode类的实现页面。
可以看到算法如下
逻辑整理得:
((input[i] + b[i]) % 61) * 2 -i = input[i]
设:input[i] = x
运行代码获取str
测试如下
根据题目得到flag
XMAN{LOHILMNMLKHILKHI}
public class MainActivity extends AppCompatActivity {
private Button button;
private EditText editText;
/* JADX INFO: Access modifiers changed from: protected */
@Override // android.support.v7.app.AppCompatActivity, android.support.v4.app.FragmentActivity, android.support.v4.app.BaseFragmentActivityGingerbread, android.app.Activity
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
final EditText editText = (EditText) findViewById(R.id.editText);
Button button = (Button) findViewById(R.id.button);
button.setOnClickListener(new View.OnClickListener() { // from class: com.example.xman.easymobile.MainActivity.1
@Override // android.view.View.OnClickListener
public void onClick(View view) {
new encode();
if (encode.check(editText.getText().toString())) {
Toast.makeText(MainActivity.this.getApplicationContext(), "correct", 1).show();
} else {
Toast.makeText(MainActivity.this.getApplicationContext(), "failed", 1).show();
}
}
});
}
}public class MainActivity extends AppCompatActivity {
private Button button;
private EditText editText;
/* JADX INFO: Access modifiers changed from: protected */
@Override // android.support.v7.app.AppCompatActivity, android.support.v4.app.FragmentActivity, android.support.v4.app.BaseFragmentActivityGingerbread, android.app.Activity
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
final EditText editText = (EditText) findViewById(R.id.editText);
Button button = (Button) findViewById(R.id.button);
button.setOnClickListener(new View.OnClickListener() { // from class: com.example.xman.easymobile.MainActivity.1
@Override // android.view.View.OnClickListener
public void onClick(View view) {
new encode();
if (encode.check(editText.getText().toString())) {
Toast.makeText(MainActivity.this.getApplicationContext(), "correct", 1).show();
} else {
Toast.makeText(MainActivity.this.getApplicationContext(), "failed", 1).show();
}
}
});
}
}/* loaded from: classes.dex */public class encode {
private static byte[] b = {23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 32, 32};
public static boolean check(String str) {
byte[] input = str.getBytes();
byte[] temp = new byte[16];
for (int i = 0; i < 16; i++) {
temp[i] = (byte) ((input[i] + b[i]) % 61);
}
for (int i2 = 0; i2 < 16; i2++) {
temp[i2] = (byte) ((temp[i2] * 2) - i2);
}
String key = new String(temp);
return key.equals(str);
}
}/* loaded from: classes.dex */public class encode {
private static byte[] b = {23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 32, 32};
public static boolean check(String str) {
byte[] input = str.getBytes();
byte[] temp = new byte[16];
for (int i = 0; i < 16; i++) {
temp[i] = (byte) ((input[i] + b[i]) % 61);
}
for (int i2 = 0; i2 < 16; i2++) {
temp[i2] = (byte) ((temp[i2] * 2) - i2);
}
String key = new String(temp);
return key.equals(str);
}
}((input[i] + b[i]) % 61) * 2 -i = input[i]
=> (x % 61) * 2 + (b[i] % 61) * 2 = x
=> (b[i] % 61) * 2 - i = x - (x % 61) * 2
((input[i] + b[i]) % 61) * 2 -i = input[i]
=> (x % 61) * 2 + (b[i] % 61) * 2 = x
=> (b[i] % 61) * 2 - i = x - (x % 61) * 2
#include <stdio.h>#include <stdlib.h>void main()
{ unsigned char b[] = {23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 32, 32};
char input[20] = {0};
char c;
for (int i = 0; i < 16; i++)
{
c = (b[i] % 61) * 2 - i;
printf(" b[i] %% 61 * 2 - i = x - x %% 61 * 2 => x - x %% 61 * 2 = %d\n", c);
for (int j = c; j < 255; j++)
{
if ( (j - (j % 61) * 2) == c)
{
input[i] = j;
printf("input[%d]=%c(%d)\n",i,j,j);
break;
}
}
}
printf(input);
}#include <stdio.h>[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
这个地方的推导不成立:(a + b) % c ≠ a % c + b % c(此处求余无法逆向推导吧, 我不是很理解,难道有更好的理解,求分析) 我用的方式是爆破
最后于 2024-3-1 20:24
被教教我吧~编辑
,原因:
|
|
|
b[i] 的值是确定的,最后变成了 n = x - (x % 0x61)* 2 所以 将for(x = n ; ;x++) {if( n == x - (x % 0x61)* 2 ) break;} 就行。 有一些小爆破。 |
