strange apk
First 12 characters:
localObject2 = new StringBuilder();
((StringBuilder)localObject2).append(paramAnonymousView);
((StringBuilder)localObject2).append(str.charAt(i));
paramAnonymousView = ((StringBuilder)localObject2).toString();
i++;
if (((String)localObject2).equals("c2N0ZntXM2xjMG1l"))
>>> base64.b64decode("c2N0ZntXM2xjMG1l")
'sctf{W3lc0me'
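There is an encrypted data file. Opening the app in a virtual machine leaves the decrypted APK stored on the device, so pull it off and analyze it directly.
Last 18 characters:
Here an Intent is first used to start another class: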
localObject1 = new Intent();
((Intent)localObject1).putExtra("data_return", paramAnonymousView);
s.this.setResult(-1, (Intent)localObject1);
s.this.finish();
The final key comparison:
if (f.encode(paramIntent.getStringExtra("data_return"), (String)localObject1).equals("~8t808_8A8n848r808i8d8-8w808r8l8d8}8"))
try
{
    Object localObject2 = MessageDigest.getInstance("MD5");
    ((MessageDigest)localObject2).update("syclover".getBytes());
    BigInteger localBigInteger = new java/math/BigInteger;
    localBigInteger.<init>(1, ((MessageDigest)localObject2).digest());
    localObject2 = localBigInteger.toString(16);
    localObject1 = localObject2;
}
catch (Exception localException)
{
    localException.printStackTrace();
}
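Rewrite it as a function:
import java.math.BigInteger;
import java.security.MessageDigest;

public static void genMd5() {
    String plaintext = "syclover";
    try {
        MessageDigest m = MessageDigest.getInstance("MD5");
        m.reset();
        m.update(plaintext.getBytes());
        byte[] digest = m.digest();
        // Same conversion as the decompiled code: positive BigInteger to hex
        // (note that toString(16) does not pad leading zeros).
        BigInteger bigInt = new BigInteger(1, digest);
        String hashtext = bigInt.toString(16);
        System.out.print(hashtext);
    } catch (Exception localException) {
        localException.printStackTrace();
    }
}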
This gives 8bfc8af07bca146c937f283b8ec768d4
The key comparison uses an encode function:
public static String encode(String paramString1, String paramString2)
{
    int i = paramString1.length();
    int j = paramString2.length();
    StringBuilder localStringBuilder = new StringBuilder();
    for (int k = 0; k < i; k++)
    {
        localStringBuilder.append(paramString1.charAt(k));
        localStringBuilder.append(paramString2.charAt(k / j));
    }
    return localStringBuilder.toString();
}
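The challenge author seems to have mixed up integer division and modulo. It should be k % j.
Because the input is shorter than the 32-character MD5 string, k / j is always 0, so every character of the flag is followed by the first character of the MD5 string, 8, which gives the string: ~8t808_8A8n848r808i8d8-8w808r8l8d8}8
So the second half of the flag is: ~t0_An4r0id-w0rld}
So the whole flag is: sctf{W3lc0me~t0_An4r0id-w0rld}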
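The solve steps above as one script (an added example, not part of the original writeup). The constants are copied from the writeup; the function names are made up for illustration, and encode_intended models the k % j variant the writeup says was probably meant.

```python
import base64
import hashlib

# Values copied from the writeup above.
PART1_B64 = "c2N0ZntXM2xjMG1l"
TARGET = "~8t808_8A8n848r808i8d8-8w808r8l8d8}8"
KEY = "8bfc8af07bca146c937f283b8ec768d4"  # hex MD5 of "syclover" per the writeup


def java_md5_hex(data: bytes) -> str:
    """Mimic new BigInteger(1, digest).toString(16): leading zeros are dropped."""
    return format(int.from_bytes(hashlib.md5(data).digest(), "big"), "x")


def encode_as_shipped(s: str, key: str) -> str:
    """The APK's encode(): the key index is k // len(key) (integer division)."""
    j = len(key)
    return "".join(s[k] + key[k // j] for k in range(len(s)))


def encode_intended(s: str, key: str) -> str:
    """Hypothetical intended version: the key index is k % len(key)."""
    j = len(key)
    return "".join(s[k] + key[k % j] for k in range(len(s)))


def decode(encoded: str) -> str:
    """Both variants place the input at even offsets, so drop the odd ones."""
    return encoded[0::2]


def solve() -> str:
    part1 = base64.b64decode(PART1_B64).decode()
    part2 = decode(TARGET)
    # Re-encode to confirm the recovered input really produces TARGET.
    if encode_as_shipped(part2, KEY) != TARGET:
        raise ValueError("recovered input does not match the comparison string")
    return part1 + part2


if __name__ == "__main__":
    print(solve())
```

Re-encoding with encode_intended does not reproduce the comparison string, which confirms the shipped binary uses the integer-division version.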
2019SCTF-Writeup