某个神秘的比赛部分writeup - ZhouYetao

某个神秘的比赛部分writeup

pwn
1
这个pwn题就是最基础的,后门都给了,而且防护就开了一个NX的,所以就直接做就可以了,这里省略一下。
android
这次这个比赛有两个android的逆向,这两个题目都不是很难,而且在java层就可以得到答案。
1

package com.example.test.myapplication;

import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.view.View$OnClickListener;
import android.view.View;
import android.widget.Toast;
import java.util.Arrays;

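public class MainActivity extends AppCompatActivity {
    /**
     * The 38 bytes the transformed input must equal byte-for-byte.
     * The decompiler printed some entries in hex and one as -128; every
     * value fits a signed byte, so the array literal is valid as written.
     */
    private static final byte[] EXPECTED = {
        103, 110, 100, 101, -128, 103, 55, 101, 108, 58, 0x6F, 110, 105, 108, 0x70, 107,
        0x77, 36, 34, 37, 37, 0x71, 35, 0x74, 46, 0x30, 46, 43, 46, 45, 42, 43, 71, 69,
        18, 24, 30, 89
    };

    public MainActivity() {
        super();
    }

    /**
     * Wires the check button: on click, reads the input field, transforms
     * each byte as {@code (b ^ index) + 1} in byte arithmetic and compares
     * the result with {@link #EXPECTED}, toasting "you are right~!" or "wrong!".
     *
     * @param savedInstanceState state bundle passed through to the superclass
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        this.setContentView(0x7F09001C);
        this.findViewById(0x7F070022).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View clicked) {
                // The decompiler dropped the cast on the input widget (presumably a text
                // field); getText() is called on it as in the original output.
                String input = MainActivity.this.findViewById(0x7F070036).getText().toString();
                byte[] buf = input.getBytes();
                // Iterate over the byte array's own length. The decompiled loop used
                // input.length() (a char count), which leaves trailing bytes of any
                // non-ASCII input untransformed before the comparison below.
                for (int i = 0; i < buf.length; ++i) {
                    // XOR with the index, then add one; both steps narrow to a byte.
                    buf[i] = (byte) ((buf[i] ^ (byte) i) + 1);
                }

                if (Arrays.equals(buf, EXPECTED)) {
                    Toast.makeText(MainActivity.this, "you are right~!", Toast.LENGTH_LONG).show();
                } else {
                    Toast.makeText(MainActivity.this, "wrong!", Toast.LENGTH_LONG).show();
                }
            }
        });
    }
}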

这是用jeb逆向出来得到的源码,这个接下来就是代码的阅读,可以看到,在对输入的字符串进行了异或之后,然后加1的操作之后,再和字码集中的进行比较,加密的过程和比较的过程都很简单,但是这里的字码集中的数字却值得推敲,有正数,也有负数,还有比255大的数,这个表面上就不是ascii了,所以我们得对这些数字进行部分的操作,首先想到的就是与256进行取余操作,然后emmm就对了,出flag了:

a = [103, 110, 100, 101, -128, 103, 55, 101, 108, 58, 0x6F, 110, 105, 108, 0x70, 107, 0x77, 36, 34, 37, 37, 0x71, 35, 0x74, 46, 0x30, 46, 43, 46, 45, 42, 43, 71, 69, 18, 24, 30, 89]
flag = ""
for i in range(len(a)):
    a[i] = a[i] % 256
for i in range(len(a)):
    flag += chr((a[i]-1) ^ i)
print flag

2
首先放出逆向出来的源码

package com.example.test.myapplication;

import android.os.Bundle;
import android.support.design.widget.Snackbar;
import android.support.v7.app.AppCompatActivity;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View$OnClickListener;
import android.view.View;
import android.widget.Toast;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

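public class MainActivity extends AppCompatActivity {
    /** Lowercase MD5 hex digest the fourth underscore-separated part must hash to. */
    private static final String PART4_MD5 = "d5e73fe9e4bb789f389401f9339acdee";

    public MainActivity() {
        super();
    }

    /**
     * Returns the MD5 of {@code text} as 32 lowercase hex characters.
     *
     * <p>The decompiled padding loop re-read its bound ({@code 0x20 - length})
     * after every prepend, so it only added about half of the missing zeros when
     * the digest began with two or more zero nibbles; {@code %032x} pads to the
     * full width in one step and is identical for digests that need at most one.
     *
     * @param text text to hash; encoded with the platform default charset, as in the original
     * @return 32-character lowercase hex digest
     * @throws RuntimeException if the platform provides no MD5 implementation
     */
    public static String md5(String text) {
        byte[] digest;
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            md.update(text.getBytes());
            digest = md.digest();
        } catch (NoSuchAlgorithmException e) {
            // Message kept as decompiled; the cause is attached so the failure is diagnosable.
            throw new RuntimeException("xx2", e);
        }
        return String.format("%032x", new BigInteger(1, digest));
    }

    /**
     * Installs the toolbar and two click handlers: the template Snackbar action and
     * the flag check, which toasts "right!" or "wrong!" based on {@link #isValid}.
     *
     * @param savedInstanceState state bundle passed through to the superclass
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        this.setContentView(0x7F0B001C);
        this.setSupportActionBar(this.findViewById(0x7F0800BA));
        this.findViewById(0x7F080047).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                // Stock project-template handler; it plays no part in the check.
                Snackbar.make(view, "Replace with your own action", 0).setAction("Action", null).show();
            }
        });
        this.findViewById(0x7F080024).setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                // The decompiler dropped the cast on the input widget (presumably a text field).
                String input = MainActivity.this.findViewById(0x7F08003F).getText().toString();
                String verdict = isValid(input) ? "right!" : "wrong!";
                Toast.makeText(MainActivity.this, verdict, Toast.LENGTH_LONG).show();
            }
        });
    }

    /**
     * Applies the flag check: exactly four underscore-separated parts and 19
     * characters in all; the first three parts, read as the hex of their bytes
     * (see {@link #xx1}), must satisfy {@code a + b - c == 1029402697},
     * {@code a * b == 0x10BA6064C72741E8} and {@code c - b == 0xFE606FF}; the
     * fourth must hash to {@link #PART4_MD5}.
     *
     * <p>An empty part, or one whose hex form does not fit a {@code long}, made the
     * decompiled handler throw {@code NumberFormatException} and crash the activity;
     * such input is reported as a wrong answer instead.
     *
     * @param input raw text from the input field
     * @return {@code true} when every condition holds
     */
    private static boolean isValid(String input) {
        String[] parts = input.split("_");
        if (parts.length != 4 || input.length() != 19) {
            return false;
        }
        long a;
        long b;
        long c;
        try {
            a = Long.parseLong(xx1(parts[0]), 16);
            b = Long.parseLong(xx1(parts[1]), 16);
            c = Long.parseLong(xx1(parts[2]), 16);
        } catch (NumberFormatException ignored) {
            // Malformed part: cannot satisfy the arithmetic checks, so it is simply wrong.
            return false;
        }
        if (a + b - c != 1029402697 || a * b != 0x10BA6064C72741E8L) {
            return false;
        }
        if (c - b != 0xFE606FF) {
            return false;
        }
        return md5(parts[3]).equals(PART4_MD5);
    }

    @Override
    public boolean onCreateOptionsMenu(Menu menu) {
        this.getMenuInflater().inflate(0x7F0C0000, menu);
        return true;
    }

    @Override
    public boolean onOptionsItemSelected(MenuItem item) {
        if (item.getItemId() == 0x7F080016) {
            return true;
        }

        return super.onOptionsItemSelected(item);
    }

    /**
     * Encodes the platform-default bytes of {@code text} as uppercase hex, two
     * digits per byte. The trailing {@code trim()} is kept from the original; the
     * output contains only hex digits, so it never removes anything.
     *
     * @param text text to encode
     * @return uppercase hex string, twice as long as the byte encoding of {@code text}
     */
    public static String xx1(String text) {
        final char[] digits = "0123456789ABCDEF".toCharArray();
        byte[] raw = text.getBytes();
        StringBuilder out = new StringBuilder(raw.length * 2);
        for (byte value : raw) {
            // Mask before shifting so a negative byte yields the high nibble, not a sign extension.
            out.append(digits[(value & 0xF0) >> 4]);
            out.append(digits[value & 0x0F]);
        }

        return out.toString().trim();
    }
}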

这个看上去是比第一个要复杂一点,所以来看看关键处的代码,这边可以看到

String[] v0 = v14.split("_");
                if(v0.length == 4) {
                    if(v14.length() != 19) {
                    }
                    else {
                        long v3 = Long.parseLong(MainActivity.xx1(v0[0]), 16);
                        long v5 = Long.parseLong(MainActivity.xx1(v0[1]), 16);
                        long v7 = Long.parseLong(MainActivity.xx1(v0[2]), 16);
                        if(v3 + v5 - v7 == 1029402697 && v3 * v5 == 0x10BA6064C72741E8L) {
                            if(v7 - v5 != 0xFE606FF) {
                            }
                            else if(!MainActivity.md5(v0[3]).equals("d5e73fe9e4bb789f389401f9339acdee")) //hnFY {
                            }
                            else {
                                Toast.makeText(MainActivity.this, "right!", 1).show();
                                return;
                            }
                        }
                    }

其实核心代码是这一段,所以通过阅读可以发现,是将输入的值通过对_进行分割,然后转化成16进制进行计算,给出exp:

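from binascii import unhexlify


def solve_parts():
    """Solve the three constraints onClick places on the first three parts.

    Each part is parsed by the app as the hex of its ASCII bytes, giving
    integers x, y, z with x + y - z == 1029402697, x * y == 0x10BA6064C72741E8
    and z - y == 0xFE606FF.  sympy is imported here rather than at module level
    so the hex-decoding helper below stays usable without it.

    :return: whatever ``sympy.solve`` returns for the system (roots for x, y, z)
    """
    from sympy import solve
    from sympy.abc import x, y, z
    return solve([x + y - z - 1029402697, x * y - 0x10BA6064C72741E8, z - y - 0xFE606FF], [x, y, z])


def hex_to_text(hex_digits):
    """Turn the hex form of a part back into the ASCII it was built from.

    Replaces the Python 2-only ``str.decode("hex")``: ``unhexlify`` exists on
    both Python 2 and 3, and decoding as ASCII keeps the result a text string.

    :param hex_digits: hex string, surrounding whitespace allowed
    :return: decoded text
    """
    return unhexlify(hex_digits.strip()).decode("ascii")


if __name__ == "__main__":
    # The original called solve() without printing its result; show it so the hex
    # literals below can be checked against hex() of each root.
    print(solve_parts())
    x = hex_to_text("4d417748")
    y = hex_to_text("376e6235")
    z = hex_to_text("47546934")
    print("flag{" + x + "_" + y + "_" + z + "_hnFY}")

#flag{MAwH_7nb5_GTi4_hnFY}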

