Internal Contest Re5: 屏幕裂开了 (The Screen Cracked)

admin · 2022-01-05 23:13:50 · CTF special · Comments · 13 views · 1931 characters · 6 min 26 s read


ThTsOd

Java layer

OnCreate

Partial code (decompiled, cleaned up):

   int i = 0;
   int v1 = 256;
   while (i < v1) {                       // s[] starts as the identity permutation 0..255
      this.s[i] = i;
      i++;
   }
   for (i = 0; i < v1; i++) {             // k[] is the key repeated cyclically over 256 entries
      v3 = this.key;
      this.k[i] = v3.charAt(i % v3.length());
   }

In <init> there is this.key = "InfinityLoop";
The two loops fill 256 bytes of s[] and k[].
Below that, two button click handlers are set up.

public void MainActivity$1.onClick(View v)
{
   int v4;
   this.this$0.hit_count = this.this$0.hit_count + 1;
   int i = 0;
   int j = 0;                             // j is a local, so it restarts at 0 on every click
   int tmp = 0;
   v4 = 256;
   while (i < v4) {                       // one pass of the RC4 key-scheduling loop over s[] using k[]
      j = (this.this$0.s[i] + j + this.this$0.k[i]) % v4;
      tmp = this.this$0.s[i];
      this.this$0.s[i] = this.this$0.s[j];
      this.this$0.s[j] = tmp;
      i++;
   }
   MainActivity.Auto_getValue(this.this$0).setText(String.valueOf(this.this$0.hit_count));
   if (this.this$0.hit_count < 0x0001869f) {   // 0x1869f = 99999 clicks
      return;
   }
   MainActivity.Auto_getValue(this.this$0).setEnabled(true);
   return;
}

This repeats the RC4 key-scheduling (KSA) loop once per click; only when the click count reaches 99999 is the check button enabled.
The other button goes into the native layer.

Native layer

Partial code (IDA pseudocode, with comments added):

  v9 = (const char *)_JNIEnv::GetStringUTFChars(a1, a4, 0);   // user input string
  if ( strlen(v9) == 63 )                                      // expected length of the flag
  {
    v8 = _JNIEnv::GetCharArrayElements(a1, a3, 0);             // the char[256] box built in Java
    for ( i = 0; i < 256; ++i )
      v13[i] = *(_WORD *)(v8 + 2 * i);                         // copy the box into v13[]
    for ( j = 0; j < 63; ++j )                                 // RC4 PRGA: v11 is i, v10 is j (both start at 0)
    {
      v11 = (unsigned __int8)(v11 + 1);
      v10 = (unsigned __int8)(v13[v11] + v10);
      v4 = v13[v11];                                           // swap S[i] and S[j]
      v13[v11] = v13[v10];
      v13[v10] = v4;
      // keystream byte S[(S[j] + S[i]) % 256] XOR input byte must equal answer[j]; first mismatch fails
      if ( ((unsigned __int8)v13[((unsigned __int8)v13[v10] + (unsigned __int8)v13[v11]) % 256] ^ v9[j]) != answer[j] )
      {
        v12 = 0;
        goto LABEL_12;
      }
    }
    v12 = 1;
  }

This is the normal RC4 encryption (PRGA) process; v9 is the input and v13 is the box passed in from Java.
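As an added example (my own code, not the write-up's solve script and not the challenge's): the same primitive written as reusable functions, so the Java KSA (one pass per click, j reset each pass) and the native PRGA check can be run and tested in isolation. With rounds=1 it is textbook RC4, which the standard "Key"/"Plaintext" test vector confirms; with rounds=99999 and key "InfinityLoop" it is exactly the box the 99999 clicks produce. The function names (ksa, prga_xor, rc4_crypt, native_check, recover_flag) are mine; the key, round count and answer bytes are the values from the challenge as given in this write-up.

```python
# Added example: the challenge's RC4 variant as reusable functions.
# rounds=1 is standard RC4; rounds=99999 with key "InfinityLoop" is what the
# Java onClick handler builds. Function names here are my own choice.

KEY = b"InfinityLoop"        # this.key from <init>
ROUNDS = 99999               # 0x1869f clicks enable the check button
# answer[] from the native library, the 63 bytes listed in the write-up's solve script
ANSWER = bytes.fromhex(
    "a63d54b074ccbd2a4adebd35d11d80325f642fc5dd113e95cc1713e55e65ce42"
    "9e47c8f34d8aa61ff05027a2288124a7b490fc938ac177d5161efd87c7bbb3"
)


def ksa(key: bytes, rounds: int = 1) -> list:
    """Key scheduling: identity permutation, then `rounds` passes of the
    scramble loop. j is a local in onClick, so it restarts at 0 every pass."""
    s = list(range(256))
    k = [key[i % len(key)] for i in range(256)]   # key repeated over 256 entries
    for _ in range(rounds):
        j = 0
        for i in range(256):
            j = (j + s[i] + k[i]) % 256
            s[i], s[j] = s[j], s[i]
    return s


def prga_xor(box: list, data: bytes) -> bytes:
    """The native loop: RC4 keystream XOR data. Works on a copy of the box so
    the caller's state is untouched (the JNI code also copies it into v13)."""
    s = box[:]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes, rounds: int = 1) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) with the given KSA round count."""
    return prga_xor(ksa(key, rounds), data)


def native_check(box: list, user_input: bytes, answer: bytes = ANSWER) -> bool:
    """Mirror of the JNI check: input length must match, and every keystream
    byte XOR input byte must equal answer[j]. The native code stops at the
    first mismatch; comparing the whole output gives the same verdict."""
    if len(user_input) != len(answer):
        return False
    return prga_xor(box, user_input) == answer


def recover_flag() -> bytes:
    """The write-up's solve: build the 99999-round box, decrypt answer[] with it,
    and confirm the result passes the same check the native code applies."""
    box = ksa(KEY, ROUNDS)           # ~25M inner-loop steps; takes a few seconds in CPython
    flag = prga_xor(box, ANSWER)
    assert native_check(box, flag)
    return flag


if __name__ == "__main__":
    print(recover_flag().decode(errors="replace"))
```

Running the file reproduces the solve script's output; the separation into ksa/prga_xor is what makes the challenge's only twist visible: the cipher itself is unmodified RC4, and the 99999 repeated KSA passes are just a different (deterministic) way of deriving the box from the key.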

Solve

i=0
j=0
key='InfinityLoop'
flag='\xa6\x3d\x54\xb0\x74\xcc\xbd\x2a\x4a\xde\xbd\x35\xd1\x1d\x80\x32\x5f\x64\x2f\xc5\xdd\x11\x3e\x95\xcc\x17\x13\xe5\x5e\x65\xce\x42\x9e\x47\xc8\xf3\x4d\x8a\xa6\x1f\xf0\x50\x27\xa2\x28\x81\x24\xa7\xb4\x90\xfc\x93\x8a\xc1\x77\xd5\x16\x1e\xfd\x87\xc7\xbb\xb3'   # answer[] from the native library
s=[]
k=[]
for i in range(256):        # identity box and empty key schedule, as in onCreate
    s.append(i)
    k.append(0)

for i in range(256):        # key repeated cyclically over 256 entries
    k[i]=ord(key[i%len(key)])

for t in range(99999):      # one KSA pass per click; j is a local in onClick, so it restarts at 0
    j=0
    for i in range(256):
        j=(j+s[i]+k[i])%256
        tmp=s[i]
        s[i]=s[j]
        s[j]=tmp

for a in range(16):         # dump the final box as a 16x16 hex table
    for b in range(16):
        print('%.2x '%s[16*a+b],end='')
    print()
i=0
j=0

for n in range(len(flag)):  # RC4 PRGA as in the native code; XOR is its own inverse, so this decrypts answer[]
    i=(i+1)%256
    j=(j+s[i])%256
    tmp=s[i]
    s[i]=s[j]
    s[j]=tmp
    t=(s[i]+s[j])%256
    print(chr(ord(flag[n])^s[t]),end='')

Original post: 内部赛Re5 屏幕裂开了, http://cn-sec.com/archives/720119.html (reposted on CN-SEC)