攻防世界-easyjava

runwu2204 Lv6

查看xml

<?xml version="1.0" encoding="utf-8"?>
<!-- Decoded AndroidManifest.xml of the challenge APK; the declared package is com.a.easyjava. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" package="com.a.easyjava" platformBuildVersionCode="27" platformBuildVersionName="8.1.0">
<uses-sdk android:minSdkVersion="19" android:targetSdkVersion="26"/>
<!-- allowBackup="true" leaves the app's private data eligible for backup extraction; production apps normally set it to false unless backup is required. -->
<application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:allowBackup="true" android:supportsRtl="true" android:roundIcon="@mipmap/ic_launcher_round">
<!-- The only component declared is this launcher activity (no services, receivers or providers), so the analysis starts at MainActivity. -->
<!-- The com.p027a prefix appears to be the decompiler's deobfuscated name for the original package com.a. -->
<activity android:name="com.p027a.easyjava.MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
<meta-data android:name="android.support.VERSION" android:value="26.1.0"/>
<meta-data android:name="android.arch.lifecycle.VERSION" android:value="27.0.0-SNAPSHOT"/>
</application>
</manifest>

只有一个activity

package com.p027a.easyjava;

import android.os.Bundle;
import android.support.p021v7.app.ActivityC0435c;
import android.view.View;
import android.widget.EditText;
import android.widget.Toast;
import java.util.Timer;
import java.util.TimerTask;

/* renamed from: com.a.easyjava.MainActivity */
/* loaded from: classes.dex */
/**
 * Decompiled launcher activity of the challenge app.
 *
 * <p>It reads the text typed into the {@code R.id.edit} field when {@code R.id.button}
 * is clicked and passes it to {@link #m5b(String)}, which decides whether the input
 * is the expected flag. The listing is decompiler output and is kept verbatim; it is
 * not expected to compile as shown.
 */
public class MainActivity extends ActivityC0435c {
/* renamed from: a */
/**
 * Encodes one input character: the one-character string goes through
 * {@code C0680b.m1a} first, and the resulting Integer is then mapped to a char by
 * {@code C0679a.m3a}.
 */
private static char m6a(String str, C0680b c0680b, C0679a c0679a) {
return c0679a.m3a(c0680b.m1a(str));
}

/* JADX INFO: Access modifiers changed from: private */
/* renamed from: b */
/**
 * Checks a candidate flag.
 *
 * @param str the full user input; only strings of the form {@code flag{...}} are examined
 * @return {@code true} when the encoded inner text equals {@code "wigwrkaugala"};
 *         {@code false} otherwise, including when the wrapper is missing
 */
public static Boolean m5b(String str) {
if (str.startsWith("flag{") && str.endsWith("}")) {
// Strip the 5-character "flag{" prefix and the trailing "}".
String substring = str.substring(5, str.length() - 1);
// The two encoder stages are created with fixed rotation offsets 2 and 3.
C0680b c0680b = new C0680b(2);
C0679a c0679a = new C0679a(3);
StringBuilder sb = new StringBuilder();
int i = 0;
for (int i2 = 0; i2 < substring.length(); i2++) {
// Encode character by character; the encoder state changes after every call.
sb.append(m6a(substring.charAt(i2) + "", c0680b, c0679a));
// m0b() is divided by 25 and compared with i, but i is only ever incremented here
// and never read for the result, so this bookkeeping does not influence the check.
Integer valueOf = Integer.valueOf(c0680b.m0b().intValue() / 25);
if (valueOf.intValue() > i && valueOf.intValue() >= 1) {
i++;
}
}
// The check is a plain string comparison against a hard-coded ciphertext, so anyone
// who can decompile the APK can recover the expected input offline.
return Boolean.valueOf(sb.toString().equals("wigwrkaugala"));
}
return false;
}

/* JADX INFO: Access modifiers changed from: protected */
@Override // android.support.p021v7.app.ActivityC0435c, android.support.p007v4.p008a.ActivityC0114i, android.support.p007v4.p008a.ActivityC0094aa, android.app.Activity
public void onCreate(Bundle bundle) {
super.onCreate(bundle);
setContentView(R.layout.activity_main);
// Wire the button to the flag check.
findViewById(R.id.button).setOnClickListener(new View.OnClickListener() { // from class: com.a.easyjava.MainActivity.1
@Override // android.view.View.OnClickListener
public void onClick(View view) {
// NOTE(review): `this` inside the anonymous listener looks like a decompiler artifact;
// presumably it stands for the enclosing MainActivity instance.
if (MainActivity.m5b(((EditText) ((MainActivity) this).findViewById(R.id.edit)).getText().toString()).booleanValue()) {
Toast.makeText(this, "You are right!", 1).show();
return;
}
// Wrong input: show the failure toast, then terminate the process after 2000 ms.
Toast.makeText(this, "You are wrong! Bye~", 1).show();
new Timer().schedule(new TimerTask() { // from class: com.a.easyjava.MainActivity.1.1
@Override // java.util.TimerTask, java.lang.Runnable
public void run() {
System.exit(1);
}
}, 2000L);
}
});
}
}

基本的验证如下

验证加密后的结果是否等于wigwrkaugala

    /**
     * Encodes a single character in two stages: {@code c0680b.m1a} turns the
     * one-character string into an Integer, and {@code c0679a.m3a} turns that
     * Integer into the output char.
     */
    private static char m6a(String str, C0680b c0680b, C0679a c0679a) {
        Integer firstStage = c0680b.m1a(str);
        return c0679a.m3a(firstStage);
    }

/**
 * Checks a candidate flag: the text between {@code flag{} and {@code }} is encoded
 * one character at a time and the result is compared with the hard-coded string
 * {@code "wigwrkaugala"}.
 *
 * @param str the full user input
 * @return {@code true} only when the wrapper is present and the encoded inner text matches
 */
public static Boolean m5b(String str) {
    // Reject anything that is not wrapped as flag{...}.
    if (!str.startsWith("flag{") || !str.endsWith("}")) {
        return false;
    }

    String inner = str.substring(5, str.length() - 1);
    C0680b stageOne = new C0680b(2);
    C0679a stageTwo = new C0679a(3);
    StringBuilder encoded = new StringBuilder();
    int rounds = 0;

    for (char ch : inner.toCharArray()) {
        encoded.append(m6a(ch + "", stageOne, stageTwo));
        // Bookkeeping on the call counter; `rounds` never feeds into the result.
        int quotient = stageOne.m0b().intValue() / 25;
        if (quotient > rounds && quotient >= 1) {
            rounds++;
        }
    }

    return Boolean.valueOf("wigwrkaugala".equals(encoded.toString()));
}

其中先调用的是c0680b.m1a(str),再调用的是c0679a.m3a;逆向算法时要从最后调用的c0679a.m3a开始逆起

>package com.p027a.easyjava;

>import java.util.ArrayList;

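/* renamed from: com.a.easyjava.a */
/* loaded from: classes.dex */
/**
 * Second stage of the per-character encoding: maps the Integer produced by
 * {@code C0680b.m1a} to a lowercase letter through a rotated lookup table.
 *
 * <p>Listing as simplified by the write-up author (the body of {@link #m4a()} is
 * omitted). The lookup table is static, so every construction appends to the same list.
 */
public class C0679a {

    /* renamed from: a */
    /** Lookup table: {@link #f2485c} rotated left by the constructor argument. */
    public static ArrayList<Integer> f2482a = new ArrayList<>();

    /* renamed from: b */
    /** Output alphabet; the result of {@link #m3a(Integer)} is a character of this string. */
    static String f2483b = "abcdefghijklmnopqrstuvwxyz";

    /* renamed from: d */
    static Integer f2484d = 0;

    /** Base permutation of 0..25 before rotation. */
    Integer[] f2485c = {7, 14, 16, 21, 4, 24, 25, 20, 5, 15, 9, 17, 6, 13, 3, 18, 12, 10, 19, 0, 22, 2, 11, 23, 1, 8};

    /**
     * Appends {@link #f2485c}, rotated left by {@code num} positions, to {@link #f2482a}.
     *
     * @param num rotation offset; MainActivity passes 3
     */
    public C0679a(Integer num) {
        for (int intValue = num.intValue(); intValue < this.f2485c.length; intValue++) {
            f2482a.add(this.f2485c[intValue]);
        }
        for (int i = 0; i < num.intValue(); i++) {
            // With num = 3 the list ends up as:
            // [21, 4, 24, 25, 20, 5, 15, 9, 17, 6, 13, 3, 18, 12, 10, 19, 0, 22, 2, 11, 23, 1, 8, 7, 14, 16]
            f2482a.add(this.f2485c[i]);
        }
    }

    /**
     * Body omitted by the write-up author: according to the author this method only has
     * an effect once 25 or more characters have been processed, which the 12-character
     * target never reaches.
     */
    public static void m4a() {
    }

    /* renamed from: a */
    /**
     * Maps a first-stage value to an output character.
     *
     * @param num value returned by {@code C0680b.m1a}
     * @return a space for {@code -10}; otherwise the letter of {@link #f2483b} at the
     *         position where {@code num} was found in {@link #f2482a}
     */
    public char m3a(Integer num) {
        Integer num2 = 0;
        if (num.intValue() == -10) {
            // The target string contains no space, so this branch is not taken for the expected flag.
            m4a();
            return " ".charAt(0);
        }
        // The scan stops one element before the end of the list, and num2 stays 0 when
        // nothing matches, so the value in the last slot maps to 'a' as well.
        for (int i = 0; i < f2482a.size() - 1; i++) {
            // Identity comparison of boxed Integers, kept as in the decompiled app; it
            // matches here because all values lie in the Integer cache range (-128..127).
            if (f2482a.get(i) == num) {
                num2 = Integer.valueOf(i);
            }
        }
        m4a();
        return f2483b.charAt(num2.intValue());
    }
}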

m3a这个方法基本上可以直接逆向:其返回结果相当于f2483b[f2485c.indexOf(num)](这里的f2485c指构造函数轮转后的列表,即f2482a),在python中逆回去就是

f2485c[f2483b.find(ret)]

c0680b.m1a(char)方法如下

>package com.p027a.easyjava;

>import java.util.ArrayList;

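/* renamed from: com.a.easyjava.b */
/* loaded from: classes.dex */
/**
 * First stage of the per-character encoding: maps a one-character string to an index
 * through a rotated lookup table, then rotates its own state by one position.
 *
 * <p>All state is static, so every construction appends to the same list and every
 * call to {@link #m1a(String)} changes what the next call returns.
 */
public class C0680b {

    /* renamed from: a */
    /** Lookup table: {@link #f2489c} rotated left by the constructor argument, then by one per call. */
    public static ArrayList<Integer> f2486a = new ArrayList<>();

    /* renamed from: b */
    /** Alphabet used to index the input character; rotated left by one per call. */
    static String f2487b = "abcdefghijklmnopqrstuvwxyz";

    /* renamed from: d */
    /** Number of times {@link #m2a()} has run. */
    static Integer f2488d = 0;

    /* renamed from: c */
    /** Base permutation of 0..25 before rotation. */
    Integer[] f2489c = {8, 25, 17, 23, 7, 22, 1, 16, 6, 9, 21, 0, 15, 5, 10, 18, 2, 24, 4, 11, 3, 14, 19, 12, 20, 13};

    /**
     * Appends {@link #f2489c}, rotated left by {@code num} positions, to {@link #f2486a}.
     *
     * @param num rotation offset; MainActivity passes 2
     */
    public C0680b(Integer num) {
        for (int intValue = num.intValue(); intValue < this.f2489c.length; intValue++) {
            f2486a.add(this.f2489c[intValue]);
        }
        for (int i = 0; i < num.intValue(); i++) {
            // With num = 2 the list before the first call is:
            // [17, 23, 7, 22, 1, 16, 6, 9, 21, 0, 15, 5, 10, 18, 2, 24, 4, 11, 3, 14, 19, 12, 20, 13, 8, 25]
            f2486a.add(this.f2489c[i]);
        }
    }

    /* renamed from: a */
    /**
     * Advances the state by one step: rotates {@link #f2486a} and {@link #f2487b} left
     * by one position and increments {@link #f2488d}.
     */
    public static void m2a() {
        int intValue = f2486a.get(0).intValue();
        f2486a.remove(0);
        f2486a.add(Integer.valueOf(intValue));
        // Append the first letter, then drop it: a left rotation of the 26-letter alphabet.
        f2487b += "" + f2487b.charAt(0);
        f2487b = f2487b.substring(1, 27);
        // Unused local, apparently left over from a post-increment in the decompiled output.
        Integer num = f2488d;
        f2488d = Integer.valueOf(f2488d.intValue() + 1);
    }

    /* renamed from: a */
    /**
     * Maps a one-character string to its first-stage value and advances the state.
     *
     * @param str the character to encode, as a string
     * @return the position in {@link #f2486a} of the character's index in
     *         {@link #f2487b}; {@code -10} for a string containing a space and
     *         {@code -1} for any other string not found in the alphabet
     */
    public Integer m1a(String str) {
        int i = 0;
        // Membership is tested on the lower-cased input, but the index is taken from the
        // original string, so an upper-case letter yields indexOf == -1.
        if (f2487b.contains(str.toLowerCase())) {
            Integer valueOf = Integer.valueOf(f2487b.indexOf(str));
            // The scan stops one element before the end of the list, and i stays 0 when
            // nothing matches.
            for (int i2 = 0; i2 < f2486a.size() - 1; i2++) {
                // Identity comparison of boxed Integers, kept as in the decompiled app; it
                // matches here because all values lie in the Integer cache range (-128..127).
                if (f2486a.get(i2) == valueOf) {
                    i = Integer.valueOf(i2);
                }
            }
        } else {
            i = str.contains(" ") ? -10 : -1;
        }
        m2a();
        return i;
    }

    /* renamed from: b */
    /** Returns the step counter {@link #f2488d}. */
    public Integer m0b() {
        return f2488d;
    }
}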

此处可以简单概括返回值为f2486a.indexOf(f2487b.indexOf(str)),并且每处理一个字符后f2486a和f2487b都会左移一位,所以python中可以逆解为f2487b[f2486a[ret]]

exp:

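# Inverts the app's per-character encoding for the target string that m5b compares against.
# Names follow the decompiled fields; the two integer lists are the tables *after* the
# constructor rotations (C0680b(2) and C0679a(3)).

# C0680b state: alphabet and lookup table, both rotated left by one after every character.
f2487b = "abcdefghijklmnopqrstuvwxyz"
f2489c = [17, 23, 7, 22, 1, 16, 6, 9, 21, 0, 15, 5, 10, 18, 2, 24, 4, 11, 3, 14, 19, 12, 20, 13,8,25]
# C0679a state: constant here, because m4a is a no-op in the listing above.
f2483b = "abcdefghijklmnopqrstuvwxyz"
f2485c = [21, 4, 24, 25, 20, 5, 15, 9, 17, 6, 13, 3, 18, 12, 10, 19, 0, 22, 2, 11, 23, 1, 8, 7,14,16]
str1='flag{'
tmp1='wigwrkaugala'
for i in tmp1:
    # Undo m3a (letter -> table value), then undo m1a (position -> alphabet index -> letter).
    # Both Java lookups scan only up to size-2 and fall back to 0, so the forward mapping
    # is not strictly one-to-one; this takes the direct table inverse.
    str1+=f2487b[f2489c[f2485c[(f2483b.find(i))]]]
    # Mirror m2a: rotate the C0680b alphabet and table left by one for the next character.
    f2487b=f2487b[1:]+f2487b[0]
    f2489c=f2489c[1:]+f2489c[:1]
print(str1+'}')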

得到了flag

image-20230810015715953

  • 标题: 攻防世界-easyjava
  • 作者: runwu2204
  • 创建于 : 2023-08-10 01:30:21
  • 更新于 : 2023-08-10 01:57:28
  • 链接: https://runwu2204.github.io/2023/08/10/CTF WP/Re/安卓/攻防世界-easyjava/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。