内部赛Re5 屏幕裂开了
ThTsOd
Java层
OnCreate
部分代码
// Fragment of MainActivity.onCreate (decompiler output, not valid Java as printed).
// First loop: RC4 S-box set-up, S[i] = i for i in 0..255.
char i = null;   // decompiler artifact: a zero-initialised counter, not a null char
v1 = 256;
while (i < v1) {
this.s[i]=i;
i++;
i = (char)this.s;   // decompiler artifact (an array assigned to a char); presumably a no-op on i — confirm against the smali
}
// Second loop: expand the key cyclically to 256 entries, K[i] = key[i mod len(key)].
// this.key is "InfinityLoop", set in <init>, so K repeats that 12-byte string.
for (i = null;i < v1;i++) {
v3 = this.key;
this.k[i]=v3.charAt((i%v3.length()));
}
<init>里有this.key = "InfinityLoop";
填充了 256 项:s 是 0..255 的恒等置换,k 是 key 循环填充到 256 项,也就是 RC4 密钥调度(KSA)用到的 S 盒和密钥表。
下面设置了两个按钮事件
// Click handler of the first button (decompiler output). Every click runs ONE RC4
// key-scheduling pass over the activity's shared S-box (this$0.s) with the key table
// this$0.k. The box itself is never reset between clicks — only the locals i, j, tmp
// restart from zero — so after N clicks the box is the KSA iterated N times.
public void MainActivity$1.onClick(View v) //method@3b50
{
MainActivity v4;   // decompiler typed this local as MainActivity; it only ever holds the constant 256
// bump the click counter kept on the enclosing activity
this.this$0.hit_count = (this.this$0.hit_count+1);
char i = null;   // decompiler artifact: zero-initialised counters, not null chars
char j = null;
char tmp = null;
i = null;
v4 = 256;
while (i < v4) {
// RC4 KSA step: j = (j + S[i] + K[i]) mod 256, then swap S[i] and S[j]
j = (char)(((this.this$0.s[i]+j)+this.this$0.k[i])%v4);
tmp = this.this$0.s[i];
this.this$0.s[i]=this.this$0.s[j];
this.this$0.s[j]=tmp;
i++;
i = (char)this.this$0.s;   // decompiler artifact (array assigned to a char); presumably a no-op on i — confirm against the smali
}
// show the click count on the widget returned by Auto_getValue; 0x0001869f == 99999,
// so the widget (presumably the check button) is only enabled once hit_count reaches
// 99999 — i.e. after the KSA above has run 99999 times on the same box.
MainActivity.Auto_getValue(this.this$0).setText(String.valueOf(this.this$0.hit_count));
if (this.this$0.hit_count < 0x0001869f) {
return;
}
MainActivity.Auto_getValue(this.this$0).setEnabled(true);
return;
}
这里每次点击都在同一个 S 盒上重复执行一次 RC4 的 KSA(密钥调度):j 每次从 0 开始,但 s 不会复位,所以点击 N 次后得到的是迭代了 N 次 KSA 的 S 盒。0x0001869f = 99999,只有当点击次数达到 99999 次时,check 才会亮。
另一个按钮是native层
native层
部分代码
// Fragment of the JNI check (IDA pseudo-code). a4 is the Java string typed by the user,
// a3 the jchar[] S-box handed over from the Java side after the click loop.
// No ReleaseStringUTFChars / ReleaseCharArrayElements is visible here; it may be outside the fragment.
v9 = (const char *)_JNIEnv::GetStringUTFChars(a1, a4, 0);
// length gate: only 63-byte inputs are compared at all (answer[] is indexed 0..62)
if ( strlen(v9) == 63 )
{
v8 = _JNIEnv::GetCharArrayElements(a1, a3, 0);
// copy 256 jchars into the local box; no GetArrayLength check is visible in this
// fragment, so a shorter array from the caller would be read past its end — confirm
// whether the full function validates the length.
for ( i = 0; i < 256; ++i )
v13[i] = *(_WORD *)(v8 + 2 * i);
// Standard RC4 PRGA, one keystream byte per input byte. v11 is the RC4 i, v10 the RC4 j;
// both are initialised before this fragment (the solver below assumes i = j = 0).
for ( j = 0; j < 63; ++j )
{
v11 = (unsigned __int8)(v11 + 1);
v10 = (unsigned __int8)(v13[v11] + v10);
v4 = v13[v11];
v13[v11] = v13[v10];
v13[v10] = v4;
// keystream byte K = S[(S[i] + S[j]) mod 256]; input ^ K is compared with answer[]
// byte by byte and the loop exits on the first mismatch. This is not a
// constant-time compare, but since answer[] appears to be a static table in the
// binary the ciphertext is recoverable statically anyway (see the solver).
if ( ((unsigned __int8)v13[((unsigned __int8)v13[v10] + (unsigned __int8)v13[v11]) % 256] ^ v9[j]) != answer[j] )
{
v12 = 0;
goto LABEL_12;
}
}
v12 = 1;
}
RC4 的正常加密过程(PRGA):v9 是输入(先用 strlen 检查长度必须为 63),v13 是从 Java 层传进来的 256 项 box;每生成一个密钥流字节就和输入异或后与 answer 逐字节比较,遇到第一个不匹配就跳出。i/j(v11/v10)的初值在这段代码之前,按 0 处理。
Solve
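"""Solver for the RC4-based check.

The Java side builds S = identity and K = key repeated to 256 bytes, then on every
click of the first button runs one RC4 key-scheduling pass over the *persistent* S
(j restarts at 0 on each click, S does not). The check button is enabled only once
hit_count reaches 99999, so the box handed to the native code is the KSA iterated
99999 times. The native side runs a plain RC4 PRGA (i = j = 0) over that box and
compares input[k] ^ keystream[k] with a 63-byte answer table; XORing the answer
with the same keystream recovers the expected input.
"""

KEY = b'InfinityLoop'        # this.key, set in <init>
CLICKS = 99999               # 0x0001869f in onClick
# the 63 bytes the native code compares against (answer[0..62])
ANSWER = bytes.fromhex(
    'a63d54b074ccbd2a4adebd35d11d8032'
    '5f642fc5dd113e95cc1713e55e65ce42'
    '9e47c8f34d8aa61ff05027a2288124a7'
    'b490fc938ac177d5161efd87c7bbb3'
)


def rc4_ksa(key, rounds=1):
    """Return the 256-entry RC4 S-box after `rounds` key-scheduling passes.

    key:    bytes-like (a str is encoded as UTF-8); must be non-empty.
    rounds: number of KSA passes run on the same box, j reset to 0 each pass.
            rounds=1 is standard RC4; rounds=CLICKS reproduces the app's state.
    Raises ValueError on an empty key or a negative round count.
    """
    if isinstance(key, str):
        key = key.encode()
    key = bytes(key)
    if not key:
        raise ValueError('RC4 key must not be empty')
    if rounds < 0:
        raise ValueError('rounds must be >= 0')
    s = list(range(256))
    k = [key[i % len(key)] for i in range(256)]   # key expanded cyclically, as in onCreate
    for _ in range(rounds):
        j = 0
        for i in range(256):
            j = (j + s[i] + k[i]) % 256
            s[i], s[j] = s[j], s[i]
    return s


def rc4_xor(box, data):
    """XOR `data` with the RC4 keystream generated from a copy of `box`, starting at i = j = 0.

    The box is copied, so the caller's S-box is left untouched. Returns bytes.
    """
    s = list(box)
    i = j = 0
    out = bytearray()
    for byte in bytes(data):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def rc4_crypt(key, data, rounds=1):
    """Encrypt/decrypt `data` with RC4 under `key` (KSA iterated `rounds` times)."""
    return rc4_xor(rc4_ksa(key, rounds), data)


def dump_box(box):
    """Print the S-box as 16 rows of 16 two-digit hex values (same layout as the original script)."""
    for row in range(16):
        print(' '.join('%.2x' % box[16 * row + col] for col in range(16)) + ' ')


if __name__ == '__main__':
    box = rc4_ksa(KEY, CLICKS)
    dump_box(box)
    # decrypting the answer table with the same keystream yields the expected input
    print(rc4_xor(box, ANSWER).decode('latin-1'), end='')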