Reverse

Rev me bro

拿到手的APK，然而没法直接jadx，发cla单独拎出class2.dex可以.

if (new doer().doer("yourMessage").equals("[IITO{LHZPb_EUNRTIHfXE_IVNe0:}")) {
                    Toast.makeText(MainActivity.this.getApplicationContext(), "you got it", 1).show();
                } else {
                    Toast.makeText(MainActivity.this.getApplicationContext(), "better lock next time", 1).show();
                }

算法在doer

 public class doer {
     public String doer(String messAGE) {
         char[] array = messAGE.toCharArray();
         int[] randoms = new int[6];
         Random rand = new Random();
         for (int i = 0; i < 5; i++) {
             randoms[i] = rand.nextInt(9);
         }
         int j = 0;
         for (char b : array) {
             array[j] = (char) (randoms[j % 6] + b);
             j++;
         }
         for (int i2 = 0; i2 < array.length; i2++) {
             if (i2 % 2 == 0) {
                 array[i2] = (char) (array[i2] ^ 2);
             }
         }
         for (int i3 = 0; i3 < array.length; i3++) {
             if (i3 % 5 == 0) {
                 array[i3] = (char) ((array[i3] + 255) - 255);
             }
             if (i3 % 3 == 0) {
                 array[i3] = (char) ((array[i3] + 282) - 282);
             }
         }
         StringBuilder stringBuilder = new StringBuilder();
         for (char ch : array) {
             stringBuilder.append(ch);
         }
         return stringBuilder.toString();
     }
 }

做了一些简单的异或和增减

元素数为6，随机5位0~9

 public void rev(String messAGE) {
         for (int i = 0; i < 9; i++) {
             for (int j = 0; j < 9; j++) {
                 for (int k = 0; k < 9; k++) {
                     for (int l = 0; l < 9; l++) {
                         for (int m = 0; m < 9; m++) {
                             int[] randoms = {i,j,k,l,m,0};
                             char[] array = messAGE.toCharArray();
                             for (int i3 = 0; i3 < array.length; i3++) {
                                 if (i3 % 5 == 0) {
                                     array[i3] = (char) ((array[i3] + 255) - 255);
                                 }
                                 if (i3 % 3 == 0) {
                                     array[i3] = (char) ((array[i3] + 282) - 282);
                                 }
                             }
 
                             for (int i2 = 0; i2 < array.length; i2++) {
                                 if (i2 % 2 == 0) {
                                     array[i2] = (char) (array[i2] ^ 2);
                                 }
                             }
 
                             int n = 0;
                             for (char b : array) {
                                 array[n] = (char) (b - randoms[n % 6]);
 //                                array[n] = (char) (randoms[n % 6] + b);
                                 n++;
                             }
 
                             StringBuilder stringBuilder = new StringBuilder();
                             for (char ch : array) {
                                 stringBuilder.append(ch);
                             }
                             System.out.println(stringBuilder.toString());
 
                         }
                     }
                 }
             }
         }
     }
 public class Main {
     public static void main(String[] args) {
        doer a = new doer();
        a.rev("[IITO{LHZPb_EUNRTIHfXE_IVNe0:}");
     }
 }

将近6w的结果，盲搜CTF

https://cdn.shi1011.cn/2021/07/660a449a754e0790258bc7119adb11df.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

Batman Safe

一个elf64

名字包含字母B

https://cdn.shi1011.cn/2021/07/3ade697fa5fe9eec3d5d169c5dd887e3.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

一堆的字符比对

https://cdn.shi1011.cn/2021/07/1a654dacf06436c500db87aa0c08d98f.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

整成一个数组

https://cdn.shi1011.cn/2021/07/6004bfc198ddfc746e9931f4f987e3b9.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

拼成字符串输入

https://cdn.shi1011.cn/2021/07/ef33f545d2cf6df5a43ed2275945a4ae.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

Forensics

Secret Document

docx文件，其实是wireshark流量

找到关键FTP，追踪一下

https://cdn.shi1011.cn/2021/07/a88a986292aafa18d2f4eb66bd40f37b.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

看到上传过pdf，那就把pdf，dump下来

#  peer0_x 来自wireshark C_Array 转换
with open("out.pdf", "wb") as f:
    f.write(bytearray(peer0_0))
    f.write(bytearray(peer0_1))
    f.write(bytearray(peer0_2))
    f.write(bytearray(peer0_3))
    f.write(bytearray(peer0_4))
    f.write(bytearray(peer0_5))
    f.write(bytearray(peer0_6))

打开

LOKI 2021 CTF

Reverse

Rev me bro

Batman Safe

Forensics

Secret Document

Mas0n

文章作者

推荐文章

发表回复取消回复

LOKI 2021 CTF

Reverse

Rev me bro

Batman Safe

Forensics

Secret Document

Mas0n

文章作者

推荐文章

发表回复 取消回复

发表回复取消回复