Write-ups for the two mobile challenges of the 强网拟态 online round

Mobile security · 2 years ago (2021) · admin


Pediy (看雪) forum author ID: margina1



HaHaHaHa


The key code is in MainActivity.

Input handling:

```java
byte[] v7_1 = a.c(v1_1[v6]);
// ...
while(v9 < v7_1.length) {
    v10 = v10 << 1 | (v7_1[v9] & 0x80) >>> v2;
    v7_1[v9] = ((byte)(v7_1[v9] & 0x7F));
    ++v9;
}
```

Key comparison:

```java
String v9_1 = a.a(v10, v7_1);
if(v9_1 != null && (v9_1.equals(a.a(a.b[v6], v7_1)))) {
    if(!v9_1.equals(a.c[v6])) {
    }
    else {
        ++v6;
        continue;
    }
}
```

The string array c in class a has to equal the result of method a applied to v7_1.

Looking at method a of class a, it hashes according to a.b[v6]. I picked one entry at random and tried to brute-force it, but nothing came out. After digging around some more: the earlier WelcomeActivity modifies the key byte array a and the array b.

```java
for(v0 = 0; true; ++v0) {
    int[] v1 = a.b;
    if(v0 >= v1.length) {
        break;
    }
    v1[v0] ^= 0xAB;
}
// ...
while(v4 < a.a.length) {
    try {
        v0_1 = MessageDigest.getInstance("MD5");
    }
    catch(NoSuchAlgorithmException v1_1) {
        v1_1.printStackTrace();
    }
    v0_1.update(a.a[v4]);
    a.a[v4] = v0_1.digest();
    ++v4;
}
```

The keys are MD5-hashed.

When the value in array b is < 8, no key is used and a different hash algorithm is applied; when it is >= 8, the same HmacSha512 is used, with a different key each time.

So I went straight to brute force: 8 groups of data, each 4 bytes in the range 0-0x7f. I simply copied the decompiled code into the brute-forcer.

HmacSha512: just match the key with the ciphertext

```java
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class demo {
    public static final String v0 = "HmacSha512";

    public static void main(String[] args) {
        byte[] miwen = new byte[4];
        // Target: first 16 hex chars of the stored a.c[] entry for this chunk
        String s = "78b0be39e63b6837";
        try {
            // WelcomeActivity replaces each key with its MD5 digest; compute it once
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            byte[] miwen2 = md5.digest("ALFjcgztxnUaC89v".getBytes());
            SecretKeySpec v1 = new SecretKeySpec(miwen2, v0);
            // Every input byte was masked with 0x7F, so each position is 0..0x7f
            for (int i = 0; i <= 0x7f; i++) {
                miwen[0] = (byte) i;
                for (int j = 0; j <= 0x7f; j++) {
                    miwen[1] = (byte) j;
                    for (int k = 0; k <= 0x7f; k++) {
                        miwen[2] = (byte) k;
                        for (int l = 0; l <= 0x7f; l++) {
                            miwen[3] = (byte) l;
                            Mac v3 = Mac.getInstance(v0);
                            v3.init(v1);
                            v3.update(miwen);
                            // Same hex conversion as the app's a.a(): BigInteger drops leading zero nibbles,
                            // and the padding only restores up to 32 chars of the 128-char digest
                            String v2_2 = new BigInteger(1, v3.doFinal()).toString(16);
                            while (v2_2.length() < 0x20) {
                                v2_2 = "0" + v2_2;
                            }
                            if (v2_2.substring(0, 16).equals(s)) {
                                System.out.printf("%x %x %x %x%n", i, j, k, l);
                                return;
                            }
                        }
                    }
                }
            }
        } catch (InvalidKeyException | NoSuchAlgorithmException v2) {
            v2.printStackTrace();
        }
    }
}
```

Unkeyed hash: match the hash method with the ciphertext

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class demo5 {
    public static void main(String[] args) {
        byte[] miwen = new byte[4];
        String v6_1 = "%02x";
        // Target: first 16 hex chars of the stored a.c[] entry for this chunk
        String s = "f2dda5fc021fe2bf";
        try {
            // Unkeyed path: a.b[] selected SHA-384 for this chunk
            MessageDigest v1_11 = MessageDigest.getInstance("SHA-384");
            // Every input byte was masked with 0x7F, so each position is 0..0x7f
            for (int i = 0; i <= 0x7f; i++) {
                miwen[0] = (byte) i;
                for (int j = 0; j <= 0x7f; j++) {
                    miwen[1] = (byte) j;
                    for (int k = 0; k <= 0x7f; k++) {
                        miwen[2] = (byte) k;
                        for (int l = 0; l <= 0x7f; l++) {
                            miwen[3] = (byte) l;
                            v1_11.update(miwen);
                            byte[] miwen2 = v1_11.digest(); // digest() resets the MessageDigest
                            // Same hex conversion as the app's unkeyed path: %02x per byte
                            StringBuilder v1_2 = new StringBuilder();
                            for (int v4 = 0; v4 < miwen2.length; ++v4) {
                                v1_2.append(String.format(v6_1, Byte.valueOf(miwen2[v4])));
                            }
                            if (v1_2.toString().substring(0, 16).equals(s)) {
                                System.out.printf("%x %x %x %x%n", i, j, k, l);
                                return;
                            }
                        }
                    }
                }
            }
        } catch (NoSuchAlgorithmException v0_2) {
            v0_2.printStackTrace();
        }
    }
}
```

I did not consider inputs above 0x7F any further; I went straight to analysing how the flag is output:

```java
if((v10 >>> 3 & 1) == 0) {
    v6_1[v10 & 7] = new String(v8_1);
}
else {
    for(v9 = 0; v9 < v8_1.length / v5; ++v9) {
        byte v11 = v8_1[v9];
        v8_1[v9] = v8_1[v8_1.length - 1 - v9];
        v8_1[v8_1.length - 1 - v9] = v11;
    }
    v6_1[v10 & 7] = new String(v8_1); // output order depends on which hash mode was used
}
```

Here you can see that if HmacSha512 was used, the bytes have to be reversed.
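The whole HaHaHaHa pipeline, put together as an added example (this is not the app's or the author's code): the 7-bit stripping of the input, the MD5 key derivation from WelcomeActivity, the keyed/unkeyed hash selection, the two different hex conversions the app uses, a brute-forcer parameterised by alphabet, and the slot/reversal logic of the flag output. Assumptions: the shift v2 in the input loop is 7, the per-chunk value from a.b[] (after the XOR 0xAB) selects both the hash mode and the output slot, and SHA-384 stands in for whatever unkeyed algorithm a chunk names. The key string is the one from the write-up's brute-forcer; the chunks and alphabets in the demo are constructed.

```python
import hashlib
import hmac
import itertools

# Added example, not the challenge's or the author's code. Assumptions: v2 == 7 in
# the input loop; the a.b[] value (after XOR 0xAB) selects hash mode and output slot;
# "sha384" stands in for a chunk's unkeyed algorithm. Sample chunks are constructed.
SAMPLE_RAW_KEY = b"ALFjcgztxnUaC89v"   # key string used in the write-up's brute-forcer


def preprocess_chunk(chunk: bytes):
    """MainActivity's input loop: collect each byte's top bit into v10 (MSB first)
    and strip every byte to 7 bits. Returns (v10, stripped_bytes)."""
    v10 = 0
    stripped = bytearray()
    for b in chunk:
        v10 = (v10 << 1) | ((b & 0x80) >> 7)
        stripped.append(b & 0x7F)
    return v10, bytes(stripped)


def derive_key(raw_key: bytes) -> bytes:
    """WelcomeActivity replaces every entry of a.a with its MD5 digest."""
    return hashlib.md5(raw_key).digest()


def hex_bigint(digest: bytes) -> str:
    """Keyed path: new BigInteger(1, mac).toString(16), left-padded only to 32 chars.
    A MAC whose first nibble is 0 therefore yields a 127-char string, and the
    16-char comparison window is shifted by one nibble for that chunk."""
    h = format(int.from_bytes(digest, "big"), "x")
    while len(h) < 0x20:
        h = "0" + h
    return h


def hex_bytes(digest: bytes) -> str:
    """Unkeyed path: String.format("%02x") per byte, so no nibble is lost."""
    return "".join("%02x" % b for b in digest)


def chunk_tag(chunk: bytes, mode: int, raw_key: bytes = None,
              digest_name: str = "sha384") -> str:
    """First 16 hex chars the app compares against a.c[v6] for this chunk.
    mode >= 8: HMAC-SHA512 keyed with md5(raw_key); mode < 8: unkeyed digest."""
    _, stripped = preprocess_chunk(chunk)
    if mode >= 8:
        mac = hmac.new(derive_key(raw_key), stripped, hashlib.sha512).digest()
        return hex_bigint(mac)[:16]
    return hex_bytes(hashlib.new(digest_name, stripped).digest())[:16]


def brute_force_chunk(target16: str, mode: int, alphabet: bytes = bytes(range(0x80)),
                      raw_key: bytes = None, digest_name: str = "sha384"):
    """Search every 4-byte chunk over `alphabet` (default: the full 0..0x7f space the
    write-up searched, 2**28 candidates) for one whose tag equals target16."""
    for cand in itertools.product(alphabet, repeat=4):
        chunk = bytes(cand)
        if chunk_tag(chunk, mode, raw_key, digest_name) == target16:
            return chunk
    return None


def place_chunk(slots: list, mode: int, chunk: bytes) -> None:
    """Flag assembly: slot index is mode & 7; bit 3 set (the HMAC path) means the
    recovered bytes are stored reversed, as the write-up observed."""
    data = bytearray(chunk)
    if (mode >> 3) & 1:
        data.reverse()
    slots[mode & 7] = bytes(data)


def demo() -> bytes:
    """Round trip on constructed data: tag two chunks, recover them over a small
    alphabet, and assemble them in slot order."""
    slots = [b"????"] * 8
    keyed_target = chunk_tag(b"FLAG", 9, SAMPLE_RAW_KEY)   # mode 9: HMAC, slot 1
    plain_target = chunk_tag(b"H@5H", 3)                   # mode 3: SHA-384, slot 3
    place_chunk(slots, 9, brute_force_chunk(keyed_target, 9, b"AFGL", SAMPLE_RAW_KEY))
    place_chunk(slots, 3, brute_force_chunk(plain_target, 3, b"5@H"))
    return b"".join(slots)


if __name__ == "__main__":
    print(demo())
```

The two hex helpers are the detail worth keeping in mind when reproducing a check like this: the keyed path in the app goes through BigInteger, so roughly one target in sixteen is compared against a string missing its leading zero nibble, and a reimplementation that uses a plain hexdigest would never match those chunks.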
 
After a good while of brute-forcing, the flag came out.
FLAG{H@5H_15_7H3_8@PP1N355_C11P}



Studydesk


Input handling:

```java
byte[] v0 = a.a;
// ...
if(v6 < v5) {
    v9 = in.indexOf(v0[v6]);
    if(v9 == -1) {
        v0 = ((byte[])v7);
    }
    else {
        v4.append(Integer.toBinaryString((v9 & 0x3F) + v2).substring(1));
        ++v6;
        continue;
    }
}
```

The input is 32 bytes. Then, for each element of array a in class a in turn, its position in the input is looked up; 32 is added to the position, the result is converted to binary, the leading bit is dropped, and the string is saved.

The saved range is 00000 – 11111, 16 in total.

Looking at array a in class a, a quick script shows that it contains only 32 distinct values. The requirement is that every one of them can be found in the input, with no repeats.

After that the binary strings are concatenated, taken 8 bits at a time, and converted to a byte array.

I copied the decompiled code to generate the ciphertext, and debugging shows that it is pi, 360 digits long.

Verification:

```java
while(true) {
    if(v3_3 < v2_2.length()) {
        v4_1 = v3_3 + 2;
        if((((byte)(Integer.parseInt(v2_2.substring(v3_3, v4_1), 10) & 0xFF))) != v0[v3_3 / 2]) {
            v0_1 = 0;
        }
        else {
            v3_3 = v4_1;
            continue;
        }
    }
    else {
        break;
    }
    goto label_120;
}
```

It takes 2 digits of the pi string at a time, treats them as a decimal number, and compares them one by one with the byte array built from the 5-bit binary values: 180 comparisons in total.

A quick sanity check: array a has 288 entries, so the binary produced is 288 * 5 == 1440 bits; the ciphertext is 180 * 8 == 1440 bits, which matches exactly.

```python
# c is array a of class a (the alphabet the app walks through)
c = [0x73, 0x6F, 43, 0x72, 0x74, 45, 0x30, 36, 84, 98, 89, 36, 38, 66, 38, 43, 84, 0x79, 50, 101, 101, 43, 100, 87, 69, 0x6F, 51, 66, 89, 49, 69, 51, 101, 51, 53, 0x74, 45, 98, 98, 0x72, 50, 36, 98, 50, 85, 85, 85, 107, 66, 36, 53, 51, 0x6F, 0x72, 89, 89, 66, 50, 33, 66, 0x5F, 66, 101, 0x79, 0x5F, 0x40, 33, 66, 50, 0x40, 85, 85, 45, 43, 36, 50, 0x74, 0x30, 85, 0x73, 0x5F, 0x40, 49, 0x72, 50, 101, 101, 51, 51, 43, 53, 51, 53, 51, 85, 50, 0x40, 0x79, 53, 36, 0x40, 69, 89, 98, 45, 0x6F, 101, 36, 97, 66, 100, 0x30, 0x73, 97, 0x30, 36, 0x6F, 101, 50, 0x5F, 49, 0x30, 0x40, 89, 0x74, 85, 0x30, 85, 0x73, 89, 43, 89, 97, 0x30, 89, 0x72, 97, 100, 38, 50, 0x74, 51, 98, 0x75, 0x5F, 50, 0x74, 0x73, 0x6F, 84, 98, 89, 69, 0x6F, 100, 0x30, 0x6F, 98, 89, 0x72, 0x40, 50, 36, 66, 89, 101, 0x72, 51, 84, 51, 50, 36, 38, 0x40, 0x30, 53, 51, 0x30, 49, 97, 0x74, 89, 101, 85, 97, 66, 84, 97, 45, 43, 100, 89, 45, 0x30, 0x73, 0x30, 0x40, 97, 100, 98, 51, 100, 0x6F, 0x73, 50, 53, 101, 66, 101, 0x6F, 0x75, 50, 45, 0x5F, 51, 82, 50, 89, 87, 101, 50, 89, 0x30, 89, 101, 43, 89, 36, 38, 61, 101, 0x40, 84, 89, 0x5F, 66, 0x74, 49, 0x40, 87, 97, 43, 0x5F, 0x73, 43, 0x30, 89, 45, 84, 89, 33, 89, 107, 53, 85, 0x30, 98, 98, 0x5F, 50, 107, 66, 101, 0x6F, 51, 97, 33, 66, 97, 0x75, 51, 0x74, 51, 97, 0x40, 89, 107, 98, 51, 69, 0x40, 73, 0x5F, 0x30, 85, 0x74, 0x30, 97]

# the 32 possible 5-bit position strings, 00000 .. 11111
b = []
for i in range(0x20):
    b.append("{0:b}".format(i).zfill(5))

# pi, two decimal digits at a time (180 values)
a = [31, 41, 59, 26, 53, 58, 97, 93, 23, 84, 62, 64, 33, 83, 27, 95, 2, 88, 41, 97, 16, 93, 99, 37, 51, 5, 82, 9, 74, 94, 45, 92, 30, 78, 16, 40, 62, 86, 20, 89, 98, 62, 80, 34, 82, 53, 42, 11, 70, 67, 98, 21, 48, 8, 65, 13, 28, 23, 6, 64, 70, 93, 84, 46, 9, 55, 5, 82, 23, 17, 25, 35, 94, 8, 12, 84, 81, 11, 74, 50, 28, 41, 2, 70, 19, 38, 52, 11, 5, 55, 96, 44, 62, 29, 48, 95, 49, 30, 38, 19, 64, 42, 88, 10, 97, 56, 65, 93, 34, 46, 12, 84, 75, 64, 82, 33, 78, 67, 83, 16, 52, 71, 20, 19, 9, 14, 56, 48, 56, 69, 23, 46, 3, 48, 61, 4, 54, 32, 66, 48, 21, 33, 93, 60, 72, 60, 24, 91, 41, 27, 37, 24, 58, 70, 6, 60, 63, 15, 58, 81, 74, 88, 15, 20, 92, 9, 62, 82, 92, 54, 9, 17, 15, 36, 43, 67, 89, 25, 90, 36]

# expected ciphertext as a bit string: 180 * 8 == 1440 bits
d = ""
for i in a:
    d += "{0:b}".format(i).zfill(8)

# walk the bit string 5 bits at a time: group k is the input position of alphabet byte c[k]
e = [0] * 32
k = 0
i = 0
while i < 8 * 180:
    for j in range(len(b)):
        if d[i:i + 5] == b[j]:
            e[j] = c[k]
            k += 1
    i += 5

for i in e:
    print(chr(i), end="")
```

Add flag{} and done.
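The Studydesk check in both directions, as an added example that is not the app's or the author's code: the forward encoding the app performs on the input (index of each alphabet byte, written as 5 bits), the pi-pair parsing from the verification loop, the accept/reject decision, and a recovery routine that generalises the script above to any alphabet/target pair and reports the two failure cases the write-up's requirements imply (an alphabet byte missing from the input, or a position claimed twice). Assumptions: v2 in the input loop is 32 and the input is 32 bytes; the sample input and alphabet are constructed.

```python
# Added example, not the challenge's or the author's code. Assumptions: v2 == 32 in
# the input loop (each position becomes exactly 5 bits) and the input is 32 bytes.
INPUT_LEN = 32


def encode_positions(user_input: bytes, alphabet: bytes) -> str:
    """What the app does to the input: for every alphabet byte, find its first index
    in the input and append Integer.toBinaryString((idx & 0x3F) + 32) minus its
    leading '1', i.e. the index as 5 bits. Raises when a byte is missing, which is
    the branch where the app gives up (v9 == -1)."""
    bits = []
    for ch in alphabet:
        idx = user_input.find(bytes([ch]))
        if idx == -1:
            raise ValueError("alphabet byte 0x%02x not present in input" % ch)
        bits.append(format((idx & 0x3F) + 32, "b")[1:])
    return "".join(bits)


def bits_to_bytes(bits: str) -> bytes:
    """The concatenated bit string taken 8 bits at a time."""
    if len(bits) % 8:
        raise ValueError("bit string length %d is not a multiple of 8" % len(bits))
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def pi_pairs_to_bytes(pi_digits: str) -> bytes:
    """The check loop's Integer.parseInt(s.substring(i, i + 2), 10) & 0xFF."""
    return bytes(int(pi_digits[i:i + 2], 10) & 0xFF
                 for i in range(0, len(pi_digits), 2))


def app_check(user_input: bytes, alphabet: bytes, expected: bytes) -> bool:
    """The app's accept/reject decision for one input."""
    try:
        return bits_to_bytes(encode_positions(user_input, alphabet)) == expected
    except ValueError:
        return False


def recover_input(expected: bytes, alphabet: bytes) -> bytes:
    """Invert the check: the k-th 5-bit group of the target is the input position of
    alphabet[k]. Every position must be covered, and two alphabet bytes must not
    claim the same position with different values."""
    bits = "".join(format(b, "08b") for b in expected)
    if len(bits) < 5 * len(alphabet):
        raise ValueError("target too short for this alphabet")
    slots = [None] * INPUT_LEN
    for k, ch in enumerate(alphabet):
        pos = int(bits[5 * k:5 * k + 5], 2)
        if slots[pos] is not None and slots[pos] != ch:
            raise ValueError("position %d claimed by two different bytes" % pos)
        slots[pos] = ch
    if None in slots:
        raise ValueError("alphabet does not cover every input position")
    return bytes(slots)


# Constructed sample: a 32-byte input with no repeated byte, and a 40-entry alphabet
# drawn from it (200 bits, so the packed target is exactly 25 bytes)
SAMPLE_INPUT = b"flag{ABCDEFGHIJKLMNOPQRSTUVWXYZ}"
SAMPLE_ALPHABET = SAMPLE_INPUT + SAMPLE_INPUT[:8]


def demo() -> bytes:
    """Encode the sample input, confirm the app would accept it, recover it back."""
    target = bits_to_bytes(encode_positions(SAMPLE_INPUT, SAMPLE_ALPHABET))
    assert app_check(SAMPLE_INPUT, SAMPLE_ALPHABET, target)
    return recover_input(target, SAMPLE_ALPHABET)


if __name__ == "__main__":
    print(demo())
```

With the real challenge data, `expected` is `pi_pairs_to_bytes(pi_digits)` and `alphabet` is the 288-byte array from class a; the recovery works only because, as the write-up notes, the alphabet contains all 32 input bytes and the input contains each of them once.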
 
The HAHAHAHA in the attachment I have repackaged.




https://bbs.pediy.com/user-home-931103.htm

*This article was written by margina1 of the Pediy (看雪) forum; please credit the Pediy community when reposting.



Originally published on the WeChat official account 看雪学苑: 强网拟态线上mobile的两道wp

Copyright notice: posted by admin on 22 December 2021 at 09:59.
Please credit when reposting: 强网拟态线上mobile的两道wp | CTF导航
