BUGKU Reverse Engineering (reverse) Writeup (6)


SafeBox(NJCTF)

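First, download the file; it turns out to be an APK. Install and run it: there is only one input box, and nothing else can be pressed.
Decompile it with jadx-gui and double-click MainActivity to view it.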

```java
package com.geekerchina.hi;

import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.EditText;

public class MainActivity extends AppCompatActivity {
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView((int) R.layout.activity_main);
        final EditText Et1 = (EditText) findViewById(R.id.editText);
        ((Button) findViewById(R.id.button)).setOnClickListener(new OnClickListener() {
            public void onClick(View v) {
                String strTmp = "NJCTF{";
                int i = Integer.parseInt(Et1.getText().toString());
                if (i > 10000000 && i < 99999999) {
                    int t = 1;
                    int t1 = 10000000;
                    int flag = 1;
                    if (Math.abs(((i / 1000) % 100) - 36) == 3 && (i % 1000) % 584 == 0) {
                        for (int j = 0; j < 4; j++) {
                            if ((i / t) % 10 != (i / t1) % 10) {
                                flag = 0;
                                break;
                            }
                            t *= 10;
                            t1 /= 10;
                        }
                        if (flag == 1) {
                            char c2 = (char) ((i / 10000) % 100);
                            char c3 = (char) ((i / 100) % 100);
                            Et1.setText(strTmp + ((char) (i / 1000000)) + c2 + c3 + "f4n}");
                        }
                    }
                }
            }
        });
    }

    public boolean onCreateOptionsMenu(Menu menu) {
        getMenuInflater().inflate(R.menu.menu_main, menu);
        return true;
    }

    public boolean onOptionsItemSelected(MenuItem item) {
        if (item.getItemId() == R.id.action_settings) {
            return true;
        }
        return super.onOptionsItemSelected(item);
    }
}
```

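The key part of the onCreate method is lines 18-37: when the input is an 8-digit number that satisfies the conditions, it is transformed and concatenated between NJCTF{ and f4n}.

Brute-force it with a Python script: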

```python
#!/usr/bin/env python3
# coding=utf-8
__author__ = 'zhengjim'

# Brute-force every 8-digit input against the checks in MainActivity.onClick
for i in range(10000000, 99999999):
    t = 1
    t1 = 10000000
    flag = 1
    if abs(((i // 1000) % 100) - 36) == 3 and (i % 1000) % 584 == 0:
        # the lowest 4 digits must mirror the highest 4 digits
        for j in range(4):
            if (i // t) % 10 != (i // t1) % 10:
                flag = 0
                break
            t *= 10
            t1 //= 10
        if flag == 1:
            print(i)
            c2 = chr((i // 10000) % 100)
            c3 = chr((i // 100) % 100)
            print('NJCTF{' + chr(i // 1000000) + c2 + c3 + 'f4n}')
```

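This gives i = 48533584 and the flag NJCTF{05#f4n}, but submitting it shows that it is wrong. I went over it several times and found no mistake. Looking at the directory again, I found a class named androidTest.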

```java
package com.geekerchina.hi;

import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.EditText;

public class androidTest extends AppCompatActivity {
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView((int) R.layout.build);
        final EditText Et1 = (EditText) findViewById(R.id.editText);
        ((Button) findViewById(R.id.button)).setOnClickListener(new OnClickListener() {
            public void onClick(View v) {
                String strTmp = "NJCTF{have";
                int i = Integer.parseInt(Et1.getText().toString());
                if (i > 10000000 && i < 99999999) {
                    int t = 1;
                    int t1 = 10000000;
                    int flag = 1;
                    if (Math.abs(((i / 1000) % 100) - 36) == 3 && (i % 1000) % 584 == 0) {
                        for (int j = 0; j < 3; j++) {
                            if ((i / t) % 10 != (i / t1) % 10) {
                                flag = 0;
                                break;
                            }
                            t *= 10;
                            t1 /= 10;
                        }
                        if (flag == 1) {
                            char c2 = (char) ((i / 10000) % 100);
                            char c3 = (char) (((i / 100) % 100) + 10);
                            Et1.setText(strTmp + ((char) (i / 1000000)) + c2 + c3 + "f4n}");
                        }
                    }
                }
            }
        });
    }

    public boolean onCreateOptionsMenu(Menu menu) {
        getMenuInflater().inflate(R.menu.menu_main, menu);
        return true;
    }

    public boolean onOptionsItemSelected(MenuItem item) {
        if (item.getItemId() == R.id.action_settings) {
            return true;
        }
        return super.onOptionsItemSelected(item);
    }
}
```

It is very similar to MainActivity, but there are subtle differences:

Line 27: String strTmp = "NJCTF{have";

Line 27: for (int j = 0; j < 3; j++) {

Line 39: char c3 = (char) (((i / 100) % 100) + 10);

Brute-force it with a Python script:

```python
#!/usr/bin/env python3
# coding=utf-8
__author__ = 'zhengjim'

# Brute-force every 8-digit input against the checks in androidTest.onClick
for i in range(10000000, 99999999):
    t = 1
    t1 = 10000000
    flag = 1
    if abs(((i // 1000) % 100) - 36) == 3 and (i % 1000) % 584 == 0:
        # only the lowest 3 digits must mirror the highest 3 digits
        for j in range(3):
            if (i // t) % 10 != (i // t1) % 10:
                flag = 0
                break
            t *= 10
            t1 //= 10
        if flag == 1:
            print(i)
            c2 = chr((i // 10000) % 100)
            c3 = chr((i // 100) % 100 + 10)
            print('NJCTF{have' + chr(i // 1000000) + c2 + c3 + 'f4n}')
```

This yields two answers.

i = 48533584, flag NJCTF{have05-f4n}

i = 48539584, flag NJCTF{have05if4n}

Submitting both shows that the second one is correct.
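
The two brute-force scripts above each test about 90 million inputs. The following added example (not part of the original write-up) ports both onClick checks into one Python function and enumerates only the inputs that can pass the two arithmetic tests; the function names and parameters are hypothetical.

```python
def flag_for(i, mirrored, c3_offset, prefix):
    """Port of onClick: return the flag built from i, or None if i is rejected."""
    if not 10000000 < i < 99999999:
        return None
    if abs((i // 1000) % 100 - 36) != 3 or (i % 1000) % 584 != 0:
        return None
    t, t1 = 1, 10000000
    for _ in range(mirrored):            # low digit j must equal high digit 7-j
        if (i // t) % 10 != (i // t1) % 10:
            return None
        t, t1 = t * 10, t1 // 10
    c1 = chr(i // 1000000)
    c2 = chr((i // 10000) % 100)
    c3 = chr((i // 100) % 100 + c3_offset)
    return prefix + c1 + c2 + c3 + "f4n}"


def candidates():
    """Yield only inputs that can pass the two arithmetic tests."""
    for high in range(100, 1000):        # top three digits, unconstrained
        for mid in (33, 39):             # |(i // 1000) % 100 - 36| == 3
            for low in (0, 584):         # the only multiples of 584 below 1000
                yield high * 100000 + mid * 1000 + low


def solve(mirrored, c3_offset, prefix):
    """Map every accepted input to the flag the activity would display."""
    found = {}
    for i in candidates():
        flag = flag_for(i, mirrored, c3_offset, prefix)
        if flag is not None:
            found[i] = flag
    return found


if __name__ == "__main__":
    print(solve(4, 0, "NJCTF{"))          # MainActivity: 4 mirrored digits
    print(solve(3, 10, "NJCTF{have"))     # androidTest: 3 mirrored digits, c3 + 10
```

This checks 3,600 candidates instead of the full 8-digit range, and shows why androidTest accepts two inputs: with only three mirrored digit pairs, the middle two digits can be either 33 or 39.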

Mountain climbing

After downloading and running it, the program asks for the maximum number; entering random input produces "error".


Checking it with PEiD shows that it is packed with UPX.


Unpack it directly with the UPX unpacking tool from 52pojie. The unpacking succeeds.


Copyright notice: unless otherwise stated, all articles are original to this site.

When reposting, please cite the source: https://www.heiqu.com/wpfypp.html