whaleCTF-30days-逆向【第一期】-安卓加密-writeup
阿新 • • 發佈:2019-02-17
CTF小白,剛入坑,記錄一下做題的方法,寫的比較詳細,大牛請輕噴。
題目:
這是個用來儲存祕密的app,但是好像暴露了密碼演算法,你能找到密碼嗎?答案格式whaleCTF{xxxx}
下載檔案後,首先在模擬器中開啟執行一下,需要輸入通關密碼,隨便輸入一段提示“錯誤”
接下來使用jeb開啟檔案,進行反編譯,檢視MainActivity函式。
在程式碼中發現關鍵呼叫了check2函式,所以對check2函式進行分析:
MainActivity.this.check2(MainActivity.this.editText.getText().toString());
check2函式如下:
public void check2(String arg15) { String v5; int v4 = 0; int[] v7 = new int[16]; int v3 = 16; int v1 = 5; v7[2] = 3; v7[7] = 4; v7[3] = 8; v7[1] = 10; v7[10] = 11; v7[0] = 15; v7[11] = 20; v7[6] = 20; v7[8] = 21; v7[15] = 24; v7[12] = 30; v7[13] = v3; v7[4] = 3; v7[14] = v3; v7[9] = 3; v7[5] = 89; if(arg15.length() != 16) { throw new RuntimeException(); } try { v5 = this.getKey(); } catch(Exception v0) { v5 = this.getKey(); System.arraycopy(v5, 0, arg15, v1, v1); } while(v4 < arg15.length()) { if((v7[v4] & 255) != ((arg15.charAt(v4) ^ v5.charAt(v4 % v5.length())) & 255)) { throw new RuntimeException(); } ++v4; } }
從 arg15.length() != 16 這裡可以確定要求輸入的字串長度為16位。然後對v5進行了賦值,賦值為“foodluck”。
關鍵是while迴圈,對輸入的字串進行異或判斷,於是使用python進行計算即可得到正確的字串,payload如下:
# coding=utf-8 v4 = 0 v7 = [0]*16 v3 = 16 v1 = 5 v7[2] = 3 v7[7] = 4 v7[3] = 8 v7[1] = 10 v7[10] = 11 v7[0] = 15 v7[11] = 20 v7[6] = 20 v7[8] = 21 v7[15] = 24 v7[12] = 30 v7[13] = v3 v7[4] = 3 v7[14] = v3 v7[9] = 3 v7[5] = 89 v5 = 'goodluck' flag = '' while v4 < 16: flag += (chr(v7[v4] ^ ord(v5[v4 % len(v5)]))) v4 += 1 print flag
執行即可得到flag:
hello,worldpress