鹤城杯 2021 AreYouRich


首先分析 AndroidManifest.xml

有两个activity组件

<?xml version="1.0" encoding="utf-8"?>
<!-- Manifest of the challenge APK: two activities, of which only MainActivity is the launcher. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" android:compileSdkVersion="30" android:compileSdkVersionCodename="11" package="com.test.areyourich" platformBuildVersionCode="30" platformBuildVersionName="11">
<uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
<!-- android:allowBackup="true": app data may be included in device/adb backups. A hardening
     point for an app holding real data; irrelevant for this challenge. -->
<application android:theme="@style/Theme.AreYouRich" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:allowBackup="true" android:supportsRtl="true" android:roundIcon="@mipmap/ic_launcher_round" android:appComponentFactory="androidx.core.app.CoreComponentFactory">
<!-- Launcher entry point; performs the local name/password check before starting UserActivity. -->
<activity android:name="com.test.areyourich.MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
<!-- No intent-filter and no android:exported attribute: with targetSdkVersion 30 this defaults to
     not exported, so it is reached only from MainActivity, which supplies the "TOKEN" extra it reads. -->
<activity android:name="com.test.areyourich.UserActivity"/>
</application>
</manifest>

MainActivity在启动时进行了如下操作

/**
 * Sets up the login screen.
 *
 * Besides inflating the layout and binding the two input fields, this overwrites the
 * placeholder key string in b.c.a.a with the value UserActivity.onCreate later reads,
 * and wires the login button to the inner listener class a.
 *
 * @param bundle saved instance state, forwarded to the superclass
 */
public void onCreate(Bundle bundle) {
    super.onCreate(bundle);
    setContentView(R.layout.activity_main);
    // Replace the compiled-in placeholder key before UserActivity consumes it.
    b.c.a.a.f896a = "5FQ5AaBGbqLGfYwjaRAuWGdDvyjbX5nH";
    EditText nameField = (EditText) findViewById(R.id.name_et);
    EditText passField = (EditText) findViewById(R.id.pass_et);
    this.o = nameField;
    this.p = passField;
    // Login button -> MainActivity.a.onClick
    findViewById(R.id.login_btn).setOnClickListener(new a());
}
/************************************************************/
package b.c.a;

/* loaded from: classes.dex */
public class a {

/* renamed from: a */
public static String f896a = "secretsecretsecretsecretsecretsecret";

/* renamed from: b */
public static byte[] f897b = {81, -13, 84, -110, 72, 77, -96, 77, 32, -115, -75, -38, -97, 69, -64, 49, 8, -27, 56, 114, -68, -82, 76, -106, -34};
}//不知道有什么用

a类是一个内部类

/**
 * Login button handler (inner class of MainActivity).
 *
 * The check is entirely client-side: the expected password is derived from the
 * typed name (each byte XOR 0x22, then "@001"), so it gates nothing that is not
 * already on the device. On success UserActivity is started with a "TOKEN" extra
 * of the form name + "_" + password + "_" + currentTimeMillis.
 */
public class a implements View.OnClickListener {
    public a() {
    }

    @Override // android.view.View.OnClickListener
    public void onClick(View view) {
        String name = MainActivity.this.o.getText().toString();
        String pass = MainActivity.this.p.getText().toString();
        if (name.isEmpty() || pass.isEmpty()) {
            Toast.makeText(MainActivity.this, "username or password empty, retry please!", 0).show();
            return;
        }
        // Only 10-character names are accepted at all.
        if (name.length() != 10) {
            Toast.makeText(MainActivity.this, "username or password wrong, retry please!", 0).show();
            return;
        }
        // Expected password: every name byte XOR 34 (0x22), followed by "@001".
        byte[] suffix = {64, 48, 48, 49};
        byte[] masked = name.getBytes();
        for (int k = 0; k < masked.length; k++) {
            masked[k] ^= 34;
        }
        String expected = new String(masked) + new String(suffix);
        if (!pass.equals(expected)) {
            Toast.makeText(MainActivity.this, "username or password wrong, retry please!", 0).show();
            return;
        }
        Toast.makeText(MainActivity.this, "Welcome " + name + " !", 0).show();
        // The token carries name and password in clear; UserActivity reads it via getIntent().
        Intent intent = new Intent(MainActivity.this.getApplicationContext(), UserActivity.class);
        intent.putExtra("TOKEN", name + "_" + pass + "_" + System.currentTimeMillis());
        MainActivity.this.startActivity(intent);
    }
}

UserActivity

package com.test.areyourich;

import a.b.c.h;
import android.os.Bundle;
import android.view.View;
import android.widget.TextView;
import android.widget.Toast;
import java.util.concurrent.ThreadLocalRandom;

/* loaded from: classes.dex */
/**
 * Second screen, started by MainActivity with a "TOKEN" string extra.
 *
 * onCreate derives a "balance" from the token using an RC4-style keystream loop, and
 * the buy button (inner class a) reveals the flag text only when that balance is
 * above 499999999.
 */
public class UserActivity extends h {
// balance text (R.id.money_tv)
public TextView o;
// flag output text (R.id.showflag_tv)
public TextView p;

/* loaded from: classes.dex */
/**
 * Buy-button click handler. Receives the balance cell and the token from onCreate
 * through its constructor.
 */
public class a implements View.OnClickListener {

/* renamed from: b reason: collision with root package name */
// one-element array used as a mutable balance cell shared with onCreate
public final /* synthetic */ int[] f947b;
// the "TOKEN" extra (name_password_timestamp, as built by MainActivity)
public final /* synthetic */ String c;

public a(int[] iArr, String str) {
this.f947b = iArr;
this.c = str;
}

/**
 * Refuses the purchase unless the balance exceeds 499999999. Otherwise XORs a
 * 25-byte constant with the first 25 bytes of the token, wraps the result in
 * "flag{" ... "}", shows it, and deducts the price from the balance.
 */
@Override // android.view.View.OnClickListener
public void onClick(View view) {
String str;
if (this.f947b[0] <= 499999999) {
Toast.makeText(UserActivity.this, "sorry, money not enough!", 0).show();
return;
}
Toast.makeText(UserActivity.this, "buy success, eojoy it!", 0).show();
byte[] bArr = {102, 108, 97, 103, 123}; // "flag{"
byte[] bArr2 = {125}; // "}"
// masked flag body; the mask is the first 25 bytes of the token
byte[] bArr3 = {15, 70, 3, 41, 1, 48, 35, 64, 58, 50, 0, 101, 100, 99, 11, 123, 52, 8, 60, 119, 62, 115, 73, 17, 16};
byte[] bytes = this.c.getBytes();
if (25 > bytes.length) {
// token shorter than the mask: nothing can be unmasked
str = "";
} else {
for (int i = 0; i < 25; i++) {
bArr3[i] = (byte) (bArr3[i] ^ bytes[i]);
}
str = new String(bArr) + new String(bArr3) + new String(bArr2);
}
UserActivity.this.p.setText(str);
int[] iArr = this.f947b;
iArr[0] = iArr[0] - 499999999;
StringBuilder e = b.a.a.a.a.e("Balance: ¥ ");
e.append(this.f947b[0]);
UserActivity.this.o.setText(e.toString());
}
}
/*****************************************the code above turned out not to matter for the solve********************************************************/
/****************************************only after reading a writeup did I realise the part below is the hint***********************************************/
/**
 * Computes the starting balance from the "TOKEN" extra and wires the buy button.
 *
 * The token is XORed with an RC4 keystream derived from b.c.a.a.f896a and compared
 * byte-by-byte against b.c.a.a.f897b; the balance doubles on every match and grows
 * by a random 0..9 on every mismatch (so it is not deterministic on failure).
 */
@Override // a.b.c.h, a.k.a.e, androidx.activity.ComponentActivity, a.h.b.g, android.app.Activity
public void onCreate(Bundle bundle) {
super.onCreate(bundle);
setContentView(R.layout.activity_user);
this.o = (TextView) findViewById(R.id.money_tv);
TextView textView = (TextView) findViewById(R.id.flag_tv);
this.p = (TextView) findViewById(R.id.showflag_tv);
// getExtras() is null when started without extras; only MainActivity starts this activity here, and it always sets TOKEN
String string = getIntent().getExtras().getString("TOKEN");
// single-element balance cell, shared with the click handler below
int[] iArr = new int[1];
byte[] bArr = b.c.a.a.f897b;//ciphertext [51 F3 54 92 48 4D A0 4D 20 8D B5 DA 9F 45 C0 31 08 E5 38 72 BC AE 4C 96 DE]
byte[] bytes = string.getBytes();
ThreadLocalRandom current = ThreadLocalRandom.current();
byte[] bytes2 = b.c.a.a.f896a.getBytes();//key 5FQ5AaBGbqLGfYwjaRAuWGdDvyjbX5nH (assigned in MainActivity.onCreate)
byte[] bArr2 = new byte[256];
/****************************************below is the RC4 algorithm*************************************************************/
// key scheduling: S = identity permutation ...
for (int i = 0; i < 256; i++) {
bArr2[i] = (byte) i;
}
if (bytes2.length == 0) {
// empty key: S becomes null and the keystream loop below would throw NullPointerException (f896a is non-empty in practice)
bArr2 = null;
} else {
// ... then permuted with the key: j = (j + S[i] + key[i mod keylen]) & 255, swap S[i], S[j]
int i2 = 0;
int i3 = 0;
for (int i4 = 0; i4 < 256; i4++) {
i3 = ((bytes2[i2] & 255) + (bArr2[i4] & 255) + i3) & 255;
byte b2 = bArr2[i4];
bArr2[i4] = bArr2[i3];
bArr2[i3] = b2;
i2 = (i2 + 1) % bytes2.length;
}
}
// compare at most 25 bytes (bArr is 25 bytes long)
int min = Math.min(bytes.length, bArr.length);
int i5 = 16;
int i6 = 0;
int i7 = 0;
// keystream generation (i = i+1, j = j+S[i], swap, K = S[S[i]+S[j]]); instead of emitting
// ciphertext, each byte where K ^ token[i8] == bArr[i8] doubles i5, otherwise i5 += random 0..9.
// Starting from 16, only 25 consecutive matches reach 536870912, the sole way past the
// 499999999 threshold in a.onClick; a single mismatch caps the result below that.
for (int i8 = 0; i8 < min; i8++) {
i6 = (i6 + 1) & 255;
i7 = ((bArr2[i6] & 255) + i7) & 255;
byte b3 = bArr2[i6];
bArr2[i6] = bArr2[i7];
bArr2[i7] = b3;
i5 = ((byte) (bArr2[((bArr2[i6] & 255) + (bArr2[i7] & 255)) & 255] ^ bytes[i8])) == bArr[i8] ? i5 * 2 : current.nextInt(10) + i5;
}
iArr[0] = i5;
StringBuilder e = b.a.a.a.a.e("Balance: ¥ ");
e.append(iArr[0]);
this.o.setText(e.toString());
// the handler gets the balance cell and the raw token (its first 25 bytes are the XOR mask for the flag)
findViewById(R.id.buy_btn).setOnClickListener(new a(iArr, string));
}
}

image-20230607174040767

进行异或的key=vvvvipuser_TTTTKRWQGP@001

//异或的密文
bArr3 = {15, 70, 3, 41, 1, 48, 35, 64, 58, 50, 0, 101, 100, 99, 11, 123, 52, 8, 60, 119, 62, 115, 73, 17, 16};
In [30]: b='vvvvipuser_TTTTKRWQGP@001'

In [31]: a=[15, 70, 3, 41, 1, 48, 35, 64, 58, 50, 0, 101, 100, 99, 11, 123, 52, 8, 60, 119, 62, 115, 73, 17, 16]

In [32]: for i in range(25):
...: a[i]^=ord(b[i])
...:

In [33]: bytes(a).decode()
Out[33]: 'y0u_h@V3_@_107_0f_m0n3y!!'

y0u_h@V3_@_107_0f_m0n3y!!就是flag。。。。。。。。。。。。

  • 标题: 鹤城杯 2021 AreYouRich
  • 作者: runwu2204
  • 创建于 : 2023-06-07 16:41:30
  • 更新于 : 2023-06-07 17:45:19
  • 链接: https://runwu2204.github.io/2023/06/07/CTF WP/Re/安卓/鹤城杯 2021 AreYouRich/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。