Mas0n
mailto:MasonShi@88.com
翻车鱼

LOKI 2021 CTF

Reverse

Rev me bro

We are given an APK, but jadx cannot open it directly; pulling out class2.dex on its own works.

 if (new doer().doer("yourMessage").equals("[IITO{LHZPb_EUNRTIHfXE_IVNe0:}")) {
     Toast.makeText(MainActivity.this.getApplicationContext(), "you got it", 1).show();
 } else {
     Toast.makeText(MainActivity.this.getApplicationContext(), "better lock next time", 1).show();
 }

The algorithm is in doer.

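 import java.util.Random;

 public class doer {
     public String doer(String messAGE) {
         char[] array = messAGE.toCharArray();
         // 6 key slots, but the loop below fills only the first 5, so randoms[5] stays 0
         int[] randoms = new int[6];
         Random rand = new Random();
         for (int i = 0; i < 5; i++) {
             randoms[i] = rand.nextInt(9);
         }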
         int j = 0;
         for (char b : array) {
             array[j] = (char) (randoms[j % 6] + b);
             j++;
         }
         for (int i2 = 0; i2 < array.length; i2++) {
             if (i2 % 2 == 0) {
                 array[i2] = (char) (array[i2] ^ 2);
             }
         }
         for (int i3 = 0; i3 < array.length; i3++) {
             if (i3 % 5 == 0) {
                 array[i3] = (char) ((array[i3] + 255) - 255);
             }
             if (i3 % 3 == 0) {
                 array[i3] = (char) ((array[i3] + 282) - 282);
             }
         }
         StringBuilder stringBuilder = new StringBuilder();
         for (char ch : array) {
             stringBuilder.append(ch);
         }
         return stringBuilder.toString();
     }
 }

It does some simple XORs plus additions and subtractions.

The array has 6 elements, 5 of them random in 0~9.

 // rev() is added to the doer class: it undoes the steps in reverse order for every possible key
 public void rev(String messAGE) {
         for (int i = 0; i < 9; i++) {
             for (int j = 0; j < 9; j++) {
                 for (int k = 0; k < 9; k++) {
                     for (int l = 0; l < 9; l++) {
                         for (int m = 0; m < 9; m++) {
                             int[] randoms = {i,j,k,l,m,0};
                             char[] array = messAGE.toCharArray();
                             for (int i3 = 0; i3 < array.length; i3++) {
                                 if (i3 % 5 == 0) {
                                     array[i3] = (char) ((array[i3] + 255) - 255);
                                 }
                                 if (i3 % 3 == 0) {
                                     array[i3] = (char) ((array[i3] + 282) - 282);
                                 }
                             }

                             for (int i2 = 0; i2 < array.length; i2++) {
                                 if (i2 % 2 == 0) {
                                     array[i2] = (char) (array[i2] ^ 2);
                                 }
                             }

                             int n = 0;
                             for (char b : array) {
                                 array[n] = (char) (b - randoms[n % 6]);
 //                                array[n] = (char) (randoms[n % 6] + b);
                                 n++;
                             }

                             StringBuilder stringBuilder = new StringBuilder();
                             for (char ch : array) {
                                 stringBuilder.append(ch);
                             }
                             System.out.println(stringBuilder.toString());

                         }
                     }
                 }
             }
         }
     }
 public class Main {
     public static void main(String[] args) {
        doer a = new doer();
        a.rev("[IITO{LHZPb_EUNRTIHfXE_IVNe0:}");
     }
 }

That gives nearly 60,000 results; search them blindly for CTF.

https://cdn.shi1011.cn/2021/07/660a449a754e0790258bc7119adb11df.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5
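
The search can be narrowed before grepping, shown here as an added Python example that is not part of the original write-up: key slot k only affects positions j with j % 6 == k, so each slot can be tested on its own (Random.nextInt(9) returns 0..8) and the survivors filtered on CTF{. The function names and the flag alphabet (A-Z, 0-9, _, {, }) are assumptions.

```python
import re
from itertools import product

TARGET = "[IITO{LHZPb_EUNRTIHfXE_IVNe0:}"  # string MainActivity compares against
KEY_LEN = 6                                # randoms[] has 6 slots; slot 5 stays 0
ALPHABET = re.compile(r"[A-Z0-9_{}]+")     # assumed flag alphabet (not from the page)


def encode(msg, key):
    """Port of doer.doer() with the key passed in instead of drawn at random."""
    out = []
    for j, ch in enumerate(msg):
        c = ord(ch) + key[j % KEY_LEN]
        out.append(chr(c ^ 2 if j % 2 == 0 else c))
    return "".join(out)  # the +255-255 and +282-282 steps are no-ops


def decode(cipher, key):
    """Inverse of encode(): undo the XOR on even indices, then subtract the key."""
    out = []
    for j, ch in enumerate(cipher):
        c = ord(ch) ^ 2 if j % 2 == 0 else ord(ch)
        out.append(chr(c - key[j % KEY_LEN]))
    return "".join(out)


def slot_candidates(cipher, slot):
    """Values 0..8 for one key slot that keep its whole column inside ALPHABET."""
    good = []
    for k in range(9):  # Random.nextInt(9) returns 0..8
        key = [0] * KEY_LEN
        key[slot] = k
        column = decode(cipher, key)[slot::KEY_LEN]
        if ALPHABET.fullmatch(column):
            good.append(k)
    return good


def solve(cipher=TARGET):
    """Return per-slot key candidates and every decoding that contains 'CTF{'."""
    per_slot = [slot_candidates(cipher, s) for s in range(5)] + [[0]]
    hits = [(key, decode(cipher, key)) for key in product(*per_slot)]
    return per_slot, [(k, p) for k, p in hits if "CTF{" in p]


if __name__ == "__main__":
    slots, hits = solve()
    print(slots)
    for key, plain in hits:
        print(key, plain)
```

On the target string this leaves seven candidates that differ only in key slot 0, so the readable one is easy to pick by eye.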

Batman Safe

An ELF64 binary.

The name contains the letter B.

https://cdn.shi1011.cn/2021/07/3ade697fa5fe9eec3d5d169c5dd887e3.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

A pile of character comparisons.

https://cdn.shi1011.cn/2021/07/1a654dacf06436c500db87aa0c08d98f.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

Collect them into an array.

https://cdn.shi1011.cn/2021/07/6004bfc198ddfc746e9931f4f987e3b9.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

Join them into a string and enter it.

https://cdn.shi1011.cn/2021/07/ef33f545d2cf6df5a43ed2275945a4ae.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

Forensics

Secret Document

A docx file that is actually a Wireshark traffic capture.

Find the key FTP traffic and follow the stream.

https://cdn.shi1011.cn/2021/07/a88a986292aafa18d2f4eb66bd40f37b.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

A PDF was uploaded, so dump it.

# peer0_x come from Wireshark's "C Arrays" export of the followed stream
with open("out.pdf", "wb") as f:
    f.write(bytearray(peer0_0))
    f.write(bytearray(peer0_1))
    f.write(bytearray(peer0_2))
    f.write(bytearray(peer0_3))
    f.write(bytearray(peer0_4))
    f.write(bytearray(peer0_5))
    f.write(bytearray(peer0_6))

Open it.

https://cdn.shi1011.cn/2021/07/a7968e795a59ee2a82d0bcb1c67f5935.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5
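
An added example (not from the original write-up) that rebuilds the file directly from the text of the C Arrays export instead of pasting each peer0_x by hand: it orders the chunks numerically and checks the PDF header and %%EOF trailer before the bytes are written out. SAMPLE is a constructed export laid out the way Wireshark prints it, and the function names are assumptions.

```python
import re

# One array per packet: char peer<side>_<n>[] = { /* Packet N */ 0x.., 0x.. };
ARRAY_RE = re.compile(r"char\s+(peer(\d+)_(\d+))\[\]\s*=\s*\{(.*?)\};", re.S)

# Constructed sample export (deliberately out of order, with a peer1 reply mixed in).
SAMPLE = """
char peer0_1[] = { /* Packet 12 */
0x0a, 0x25, 0x25, 0x45, 0x4f, 0x46, 0x0a };
char peer1_0[] = { /* Packet 9 */
0x32, 0x32, 0x30 };
char peer0_0[] = { /* Packet 10 */
0x25, 0x50, 0x44, 0x46, 0x2d, 0x31, 0x2e, 0x34 };
"""


def parse_c_arrays(text, peer=0):
    """Return the chunks sent by one peer, in numeric order."""
    chunks = []
    for _name, side, idx, body in ARRAY_RE.findall(text):
        if int(side) != peer:
            continue
        body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)  # drop /* Packet N */
        data = bytes(int(t, 16) for t in re.findall(r"0x[0-9a-fA-F]{1,2}", body))
        chunks.append((int(idx), data))
    chunks.sort(key=lambda c: c[0])  # numeric sort: peer0_10 comes after peer0_9
    return [data for _, data in chunks]


def rebuild_pdf(text, peer=0):
    """Concatenate one peer's chunks and sanity-check that the result is a PDF."""
    blob = b"".join(parse_c_arrays(text, peer))
    if not blob.startswith(b"%PDF-"):
        raise ValueError("stream does not start with a PDF header")
    if b"%%EOF" not in blob[-1024:]:
        raise ValueError("no %%EOF trailer: chunks are missing or truncated")
    return blob


if __name__ == "__main__":
    with open("out.pdf", "wb") as f:
        f.write(rebuild_pdf(SAMPLE))
```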
Permalink: https://blog.shi1011.cn/ctf/1498
This article is licensed under CC BY-NC-SA 3.0 Unported.

2021-07-20