平台

jactf

androideasy

upload successful

jadx打开,查看主页面

upload successful

可以直接看到,程序取得editText的内容后,将其与23异或,再和代码中定义的s进行对比

exp

upload successful

app1

upload successful

jadx打开,查看主页面

upload successful

upload successful

程序将输入与VERSION_NAME ^ VERSION_CODE的结果相比较

exp

upload successful

simplecheck

upload successful

JEB

package com.a.simplecheck;

import android.content.Context;
import android.os.Bundle;
import android.support.v7.app.c;
import android.view.View$OnClickListener;
import android.view.View;
import android.widget.Toast;

/**
 * Main activity of the simplecheck sample, shown here as JEB decompiler output.
 *
 * The superclass {@code c} is the obfuscated {@code android.support.v7.app.c}
 * named in the imports. The activity wires one click handler that passes the
 * text of an input view to {@code a.a(String)} and reports the boolean result
 * in a Toast.
 */
public class MainActivity extends c {
    public MainActivity() {
        super();
    }

    /**
     * Sets the content view and registers the click handler.
     *
     * @param arg4 the saved-instance bundle, forwarded unchanged to the superclass
     */
    protected void onCreate(Bundle arg4) {
        super.onCreate(arg4);
        this.setContentView(0x7F04001B);
        // JEB renders the anonymous listener's captured values as constructor
        // arguments: inside the listener, this.a is the view 0x7F0B005E and
        // this.b is this activity cast to Context.
        this.findViewById(0x7F0B005F).setOnClickListener(new View$OnClickListener(this.findViewById(0x7F0B005E), ((Context)this)) {
            public void onClick(View arg4) {
                // The whole decision is made on the device by a.a(); the two
                // branches differ only in the message shown.
                if(a.a(this.a.getText().toString())) {
                    // Duration 1 is Toast.LENGTH_LONG.
                    Toast.makeText(this.b, "You get it~", 1).show();
                }
                else {
                    Toast.makeText(this.b, "Sorry its wrong", 1).show();
                }
            }
        });
    }
}

主页面取得输入内容后,调用a类的a方法进行校验

package com.a.simplecheck;

/**
 * Input checker of the simplecheck sample, shown here as JEB decompiler output.
 *
 * Four constant tables drive the check: {@code a} has 35 entries, {@code b},
 * {@code c} and {@code d} have 34 each. For every index {@code v0} the method
 * evaluates {@code b[v0]*x*x + c[v0]*x + d[v0]} at two neighbouring input
 * values and compares the results with {@code a[v0]} and {@code a[v0 + 1]}.
 *
 * NOTE(review): every table ships inside the APK and each input position is
 * constrained on its own, so the accepted input can be recovered offline from
 * the constants. A check of this shape does not keep the expected value secret.
 */
public class a {
    // Expected results; one entry more than b/c/d because index 0 is a fixed 0.
    private static int[] a;
    // Coefficients of the squared term.
    private static int[] b;
    // Coefficients of the linear term.
    private static int[] c;
    // Constant terms; several literals have the top bit set and are therefore
    // negative as Java ints.
    private static int[] d;

    static {
        a.a = new int[]{0, 0x8BBD6FE, 205327308, 0x59E0C2D, 138810487, 408218567, 0x4A42485, 0x443BE85, 0x21929A0A, 559010506, 449018203, 576200653, 307283021, 0x1BDF218B, 314806739, 0x1459AAFB, 0x1459AAFB, 0x1C039BBC, 0x18E61B76, 342206934, 392460324, 382290309, 0xB0F0211, 364788505, 210058699, 0xBCF56CF, 0x1580960D, 440064477, 0x1310B245, 0x284EE4B3, 0x1732EFAB, 0x3175430D, 0x1FE113C4, 0x197B593C, 0x33806C28};
        a.b = new int[]{13710, 0xB539, 0xBFFF, 36900, 0xE8AC, 0x8C2B, 0xDBD, 0xCEDD, 1509, 0xEF17, 0xF72A, 0x6C2E, 20932, 0x946D, 22069, 0x20F6, 0x84CB, 0xD032, 0x420C, 30902, 0xFC5A, 0xFA1C, 0x73BD, 0x67A9, 0x2EFA, 31610, 0xBDFF, 0x4E00, 0xB256, 0xCB04, 0xFDBC, 0xB0ED, 0xFCF0, 0x90F4};
        a.c = new int[]{0x94F1, 0xE00B, 0x580A, 0xBA97, 8940, 0x136F, 27050, 56102, 0x5524, 0xA0D6, 0xF7D5, 0xD0CE, 0x705A, 0xE74F, 0x4017, 0xFB54, 0x930C, 0xE9F8, 0xA13C, 0x6528, 27501, 0x9820, 0x90AF, 0x9545, 0xF192, 0xA9E9, 0x2405, 9879, 0x3864, 60468, 0x4DD6, 0xB85E, 8406, 0xFC9A};
        a.d = new int[]{0, 0xEB9D9218, -370404060, 0xF0A59DD2, -494024809, 0xF7EFFC3F, 54930974, 0xF6B60C82, 0x203630EA, 0xF99AF01A, 0xF85E01A6, 0xFCF9241, 0x1072E161, 119059597, 202392013, 0x10E88ED9, 0x786F15C, -68971076, 0xF91DD26, 0xBC673D6, 0xFF3B4367, -10293675, 0x598502B, 0x7406995, 0x9FB416F, 0x758311F, 221507, 0xF6EB9D4, 180963987, 107841171, 41609001, 0x107B88B5, 0xA21BFA2, 0x1075D862};
    }

    /**
     * Checks the candidate string against the constant tables.
     *
     * @param arg8 the text to check
     * @return {@code true} only when the length equals {@code b.length} and
     *         every pair of equations in the loop holds; {@code false} otherwise
     */
    public static boolean a(String arg8) {
        boolean v1 = false;
        // Only inputs with exactly b.length (34) characters are examined.
        if(arg8.length() == a.b.length) {
            // v4 is the input shifted right by one slot: v4[0] stays 0 and the
            // input bytes occupy v4[1..].
            int[] v4 = new int[a.a.length];
            v4[0] = 0;
            // NOTE(review): getBytes() uses the platform charset and the length
            // guard above counts chars, not bytes. An input with multi-byte
            // characters could yield more bytes than v4 has room for.
            byte[] v5 = arg8.getBytes();
            int v6 = v5.length;
            int v0 = 0;
            int v3 = 1;
            while(v0 < v6) {
                v4[v3] = v5[v0];
                ++v3;
                ++v0;
            }

            v0 = 0;
            while(true) {
                if(v0 >= a.c.length) {
                    break;
                }
                // Polynomial number v0 must map v4[v0] to a[v0] and v4[v0 + 1]
                // to a[v0 + 1], so each input value is tested by its own
                // polynomial and by the preceding one.
                else if(a.a[v0] == a.b[v0] * v4[v0] * v4[v0] + a.c[v0] * v4[v0] + a.d[v0] && a.a[v0 + 1] == a.b[v0] * v4[v0 + 1] * v4[v0 + 1] + a.c[v0] * v4[v0 + 1] + a.d[v0]) {
                    ++v0;
                    continue;
                }

                // First failing index: return false without checking the rest.
                return v1;
            }

            v1 = true;
        }

        return v1;
    }
}

`a.a[v0] == a.b[v0] * v4[v0] * v4[v0] + a.c[v0] * v4[v0] + a.d[v0] && a.a[v0 + 1] == a.b[v0] * v4[v0 + 1] * v4[v0 + 1] + a.c[v0] * v4[v0 + 1] + a.d[v0]` 可以将这句话改进一下进行爆破:每个输入字符只出现在与自己下标相关的等式里,所以可以逐位枚举

exp

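# Constant tables copied from the static initializer of class `a` in the
# decompiled APK, written as signed 32-bit decimals.
a = [0, 146527998, 205327308, 94243885, 138810487, 408218567, 77866117, 71548549, 563255818, 559010506, 449018203, 576200653, 307283021, 467607947, 314806739, 341420795, 341420795, 469998524, 417733494, 342206934, 392460324, 382290309, 185532945, 364788505, 210058699, 198137551, 360748557, 440064477, 319861317, 676258995, 389214123, 829768461, 534844356, 427514172, 864054312]
b = [13710, 46393, 49151, 36900, 59564, 35883, 3517, 52957, 1509, 61207, 63274, 27694, 20932, 37997, 22069, 8438, 33995, 53298, 16908, 30902, 64602, 64028, 29629, 26537, 12026, 31610, 48639, 19968, 45654, 51972, 64956, 45293, 64752, 37108]
c = [38129, 57355, 22538, 47767, 8940, 4975, 27050, 56102, 21796, 41174, 63445, 53454, 28762, 59215, 16407, 64340, 37644, 59896, 41276, 25896, 27501, 38944, 37039, 38213, 61842, 43497, 9221, 9879, 14436, 60468, 19926, 47198, 8406, 64666]
d = [0, -341994984, -370404060, -257581614, -494024809, -135267265, 54930974, -155841406, 540422378, -107286502, -128056922, 265261633, 275964257, 119059597, 202392013, 283676377, 126284124, -68971076, 261217574, 197555158, -12893337, -10293675, 93868075, 121661845, 167461231, 123220255, 221507, 258914772, 180963987, 107841171, 41609001, 276531381, 169983906, 276158562]

# The Java check stores the input in v4[1..len(c)] and requires, for the value
# x at position v0:
#   a[v0] == b[v0-1]*x*x + c[v0-1]*x + d[v0-1]    for every v0 in 1..len(c)
#   a[v0] == b[v0]*x*x   + c[v0]*x   + d[v0]      only while v0 < len(c)
# The last position (v0 == len(c)) has no b/c/d entry of its own, so only the
# first equation applies there. Iterating to len(a) instead of len(c) recovers
# that final character, which the earlier loop bound skipped.
s = ''
for v0 in range(1, len(a)):
    for i in range(0, 255):
        # Equation shared with the previous index; it holds for every position.
        if a[v0] != b[v0 - 1] * i * i + c[v0 - 1] * i + d[v0 - 1]:
            continue
        # Equation owned by this index; it does not exist for the last position.
        if v0 < len(c) and a[v0] != b[v0] * i * i + c[v0] * i + d[v0]:
            continue
        s += chr(i)
# Parenthesised form prints the same text under Python 2 and Python 3.
print(s)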

#a[v0] == b[v0] * v4[v0] * v4[v0] + c[v0] * v4[v0] + d[v0]
#a[v0] == b[v0-1] * v4[v0] * v4[v0] + c[v0-1] * v4[v0] +d[v0-1]

## flag{MAth_i&_GOOd_DON7_90V_7hInK?}

DDCTF-Easy

upload successful

jadx定位关键代码

upload successful

输入的字符与i()函数返回的字符串相比较

exp

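# Kept from the original listing; the decoding below does not use it.
m = "com.didi_ctf.flagapp.FlagActivity"
# Two signed-byte tables taken from the decompiled app. XORing them
# element-wise yields the buffer that holds the compared string.
p = [-40, -62, 107, 66, -126, 103, -56, 77, 122, -107, -24, -127, 72, -63, -98, 64, -24, -5, -49, -26, 79, -70, -26, -81, 120, 25, 111, -100, -23, -9, 122, -35, 66, -50, -116, 3, -72, 102, -45, -85, 0, 126, -34, 62, 83, -34, 48, -111, 61, -9, -51, 114, 20, 81, -126, -18, 27, -115, -76, -116, -48, -118, -10, -102, -106, 113, -104, 98, -109, 74, 48, 47, -100, -88, 121, 22, -63, -32, -20, -41, -27, -20, -118, 100, -76, 70, -49, -39, -27, -106, -13, -108, 115, -87, -1, -22, -53, 21, -100, 124, -95, -40, 62, -69, 29, 56, -53, 85, -48, 25, 37, -78, 11, -110, -24, -120, -82, 6, -94, -101]
q = [-57, -90, 53, -71, -117, 98, 62, 98, 101, -96, 36, 110, 77, -83, -121, 2, -48, 94, -106, -56, -49, -80, -1, 83, 75, 66, -44, 74, 2, -36, -42, -103, 6, -115, -40, 69, -107, 85, -78, -49, 54, 78, -26, 15, 98, -70, 8, -90, 94, -61, -84, 64, 112, 51, -29, -34, 126, -21, -126, -71, -31, -24, -60, -2, -81, 66, -84, 85, -91, 10, 84, 70, -8, -63, 26, 126, -76, -104, -123, -71, -126, -62, -23, 11, -39, 70, 14, 59, -101, -39, -124, 91, -109, 102, -49, 21, 105, 0, 37, -127, -57, 117, 110, -115, -86, 56, 25, -46, -55, 7, -125, 109, 76, 104, -15, 82, -53, 18, -28, -24]

# Mask to 0..255: the tables hold Java signed bytes, and XORing a positive
# with a negative Python int would otherwise give a negative value that chr()
# rejects.
bArr = [(x ^ y) & 0xFF for x, y in zip(p, q)]
# The first decoded byte is the offset at which the string starts.
b = bArr[0]
i2 = 0
# Scan to the NUL terminator, stopping at the end of the buffer instead of
# raising IndexError when no terminator is present.
while b + i2 < len(bArr) and bArr[b + i2] != 0:
    i2 += 1
bArr2 = bArr[b:b + i2]
# Parenthesised form prints the same text under Python 2 and Python 3.
print(''.join(chr(i) for i in bArr2))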

flag:DDCTF-3ad60811d87c4a2dba0ef651b2d93476@didichuxing.com

app2

upload successful

jadx

upload successful

这题是有脑洞的,之前做过所以很快定位到了需要解密的字符串

upload successful

upload successful

使用的是AES_128_ECB_PKCS5Padding加密(解密对应AES_128_ECB_PKCS5Padding_Decrypt),密钥为thisisatestkey==

解密

upload successful

总结

总体来说不算太难,除了最后一题是个坑之外,基本没涉及到so层的概念,是些很好的入门题目,感谢平台提供的练习机会




本博客所有文章除特别声明外,均采用 CC BY-SA 3.0协议 。转载请注明出处!