好友 阅读权限 30
听众 最后登录 1970-1-1
姚小宝
发表于 2019-6-24 18:38
本帖最后由 yechen123 于 2019-6-25 21:24 编辑 题目可在xctf 社区获取 strange apk [Asm] 纯文本查看 复制代码
public class c
extends Application
{
private String apkFileName;
private String libPath;
protected AssetManager mAssetManager;
protected Resources mResources;
protected Resources.Theme mTheme;
private String odexPath;
private void _(byte[] paramArrayOfByte)
throws IOException
{
paramArrayOfByte = _0_(paramArrayOfByte);
Object localObject = new File(this.apkFileName);
try
{
localObject = new FileOutputStream((File)localObject);
((FileOutputStream)localObject).write(paramArrayOfByte);
((FileOutputStream)localObject).close();
return;
}
catch (IOException paramArrayOfByte)
{
throw new RuntimeException(paramArrayOfByte);
}
}
private byte[] _0_(byte[] paramArrayOfByte)
{
int i = 0;
while (i < paramArrayOfByte.length)
{
paramArrayOfByte[i] = ((byte)("syclover".charAt(i % "syclover".length()) ^ paramArrayOfByte[i]));
i += 1;
}
return paramArrayOfByte;
}
public byte[] __(String paramString)
throws IOException
{
paramString = getResources().getAssets().open(paramString);
byte[] arrayOfByte = new byte[paramString.available()];
paramString.read(arrayOfByte);
return arrayOfByte;
}
protected void attachBaseContext(Context paramContext)
{
super.attachBaseContext(paramContext);
try
{
paramContext = getDir("sctf_odex", 0);
localObject = getDir("sctf_lib", 0);
this.odexPath = paramContext.getAbsolutePath();
this.libPath = ((File)localObject).getAbsolutePath();
localObject = new StringBuilder();
((StringBuilder)localObject).append(paramContext.getAbsolutePath());
((StringBuilder)localObject).append("/sctf.apk");
this.apkFileName = ((StringBuilder)localObject).toString();
paramContext = new File(this.apkFileName);
localObject = new StringBuilder();
((StringBuilder)localObject).append("apk size:");
((StringBuilder)localObject).append(paramContext.length());
Log.i("demo", ((StringBuilder)localObject).toString());
if (!paramContext.exists())
{
paramContext.createNewFile();
_(__("data"));
}
paramContext = s.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread", new Class[0], new Object[0]);
localObject = getPackageName();
if (Build.VERSION.SDK_INT < 19) {
paramContext = (WeakReference)((HashMap)s.getFieldOjbect("android.app.ActivityThread", paramContext, "mPackages")).get(localObject);
} else {
paramContext = (WeakReference)((ArrayMap)s.getFieldOjbect("android.app.ActivityThread", paramContext, "mPackages")).get(localObject);
}
localObject = new DexClassLoader(this.apkFileName, this.odexPath, this.libPath, (ClassLoader)s.getFieldOjbect("android.app.LoadedApk", paramContext.get(), "mClassLoader"));
s.setFieldOjbect("android.app.LoadedApk", "mClassLoader", paramContext.get(), localObject);
paramContext = new StringBuilder();
paramContext.append("classloader:");
paramContext.append(localObject);
Log.i("demo", paramContext.toString());
return;
}
catch (Exception paramContext)
{
Object localObject = new StringBuilder();
((StringBuilder)localObject).append("error:");
((StringBuilder)localObject).append(Log.getStackTraceString(paramContext));
Log.i("demo", ((StringBuilder)localObject).toString());
paramContext.printStackTrace();
}
} [Asm] 纯文本查看 复制代码
i = "syclover"
f = open("data", "rb")
q = open("datas","wb")
couts = 0
c = f.read(1)
qq = 0
while (1):
uq = ord(c)^ord(i[qq%8])
if (uq<=15):
q.write(("0x0"+hex(uq)[2:])[2:])
else:
q.write((hex(uq))[2:])
couts += 1
qq += 1
if (couts%2==0 and couts%16!=0):
q.write(' ')
if (couts%16==0):
q.write('\n')
c = f.read(1)
if c==None:
break
q.close()
f.close() [Asm] 纯文本查看 复制代码
protected void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
setContentView(2131296285);
paramBundle = (Button)findViewById(2131165218);
findViewById(2131165322);
paramBundle.setOnClickListener(new View.OnClickListener()
{
public void onClick(View paramAnonymousView)
{
paramAnonymousView = "";
Object localObject1 = "";
int i = 0;
String str = this.val$ed.getText().toString();
if (str.length() == 30)
{
while (i < 12)
{
localObject2 = new StringBuilder();
((StringBuilder)localObject2).append(paramAnonymousView);
((StringBuilder)localObject2).append(str.charAt(i));
paramAnonymousView = ((StringBuilder)localObject2).toString();
i += 1;
}
Object localObject2 = f.sctf(paramAnonymousView);
paramAnonymousView = (View)localObject1;
while (i < 30)
{
localObject1 = new StringBuilder();
((StringBuilder)localObject1).append(paramAnonymousView);
((StringBuilder)localObject1).append(str.charAt(i));
paramAnonymousView = ((StringBuilder)localObject1).toString();
i += 1;
}
if (((String)localObject2).equals("c2N0ZntXM2xjMG1l"))
{
localObject1 = new Intent();
((Intent)localObject1).putExtra("data_return", paramAnonymousView);
s.this.setResult(-1, (Intent)localObject1);
s.this.finish();
return;
}
Toast.makeText(s.this.getApplicationContext(), "something wrong", 1).show();
return;
}
Toast.makeText(s.this.getApplicationContext(), "something wrong", 1).show();
}
});
} [Asm] 纯文本查看 复制代码
protected void onActivityResult(int paramInt1, int paramInt2, Intent paramIntent)
{
TextView localTextView = (TextView)findViewById(2131165323);
Button localButton = (Button)findViewById(2131165219);
if (paramInt1 != 1) {
return;
}
if (paramInt2 == -1)
{
Object localObject1 = "";
try
{
Object localObject2 = MessageDigest.getInstance("MD5");
((MessageDigest)localObject2).update("syclover".getBytes());
localObject2 = new BigInteger(1, ((MessageDigest)localObject2).digest()).toString(16);
localObject1 = localObject2;
}
catch (Exception localException)
{
localException.printStackTrace();
}
if (f.encode(paramIntent.getStringExtra("data_return"), (String)localObject1).equals("~8t808_8A8n848r808i8d8-8w808r8l8d8}8"))
{
localTextView.setVisibility(0);
localButton.setVisibility(4);
}
else
{
Toast.makeText(getApplicationContext(), "one more step", 1).show();
}
}} [Asm] 纯文本查看 复制代码
public static String encode(String paramString1, String paramString2)
{
int j = paramString1.length();
int k = paramString2.length();
StringBuilder localStringBuilder = new StringBuilder();
int i = 0;
while (i < j)
{
localStringBuilder.append(paramString1.charAt(i));
localStringBuilder.append(paramString2.charAt(i / k));
i += 1;
}
return localStringBuilder.toString();
} creakme IDA 阅读代码[Asm] 纯文本查看 复制代码
int sub_402540()
{
HMODULE v0; // eax
int v1; // eax
_DWORD *v2; // eax
unsigned int ser_len; // edx
_DWORD *string; // ecx
unsigned int string_len; // ebx
char *ascc; // edi
unsigned int v7; // esi
unsigned int v8; // esi
bool v9; // cf
unsigned __int8 v10; // al
unsigned __int8 v11; // al
unsigned __int8 v12; // al
signed int v13; // esi
_BYTE *v14; // ecx
_BYTE *v15; // ecx
const char *v16; // edx
int v17; // eax
void *Memory; // [esp+10h] [ebp-70h]
int v20; // [esp+20h] [ebp-60h]
unsigned int v21; // [esp+24h] [ebp-5Ch]
void *Dst; // [esp+28h] [ebp-58h]
int v23; // [esp+38h] [ebp-48h]
unsigned int v24; // [esp+3Ch] [ebp-44h]
char Src; // [esp+40h] [ebp-40h]
int v26; // [esp+7Ch] [ebp-4h]
v0 = GetModuleHandleW(0);
sub_402320(v0);
sub_4024A0();
v1 = sub_402870(std::cout, "welcome to 2019 sctf");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v1, sub_402AC0);
sub_402870(std::cout, "please input your ticket:");
sub_402AF0(std::cin, &Src);
v23 = 0;
v24 = 15;
LOBYTE(Dst) = 0;
sub_401D30(&Dst, &Src, strlen(&Src));
v26 = 0;
v2 = aes(&Memory, (int)&Dst);
ser_len = strlen(aPvfqyc4ttc2uxr);
string = v2;
if ( v2[5] >= 16u )
string = (_DWORD *)*v2;
string_len = v2[4];
ascc = aPvfqyc4ttc2uxr;
v7 = v2[4];
if ( ser_len < string_len )
v7 = ser_len;
v9 = v7 < 4; // len - 4
v8 = v7 - 4;
if ( v9 )
{
LABEL_8:
if ( v8 == -4 )
goto LABEL_17;
}
else
{
while ( *string == *(_DWORD *)ascc )
{
++string; // +=4
ascc += 4;
v9 = v8 < 4;
v8 -= 4;
if ( v9 )
goto LABEL_8;
}
}
v9 = *(_BYTE *)string < (unsigned __int8)*ascc;
if ( *(_BYTE *)string != *ascc
|| v8 != -3
&& ((v10 = *((_BYTE *)string + 1), v9 = v10 < (unsigned __int8)ascc[1], v10 != ascc[1])
|| v8 != -2
&& ((v11 = *((_BYTE *)string + 2), v9 = v11 < (unsigned __int8)ascc[2], v11 != ascc[2])
|| v8 != -1 && (v12 = *((_BYTE *)string + 3), v9 = v12 < (unsigned __int8)ascc[3], v12 != ascc[3]))) )
{
v13 = -v9 | 1;
goto LABEL_18;
}
LABEL_17:
v13 = 0;
LABEL_18:
if ( !v13 ) // v13要为0
{
if ( ser_len <= string_len )
v13 = ser_len < string_len;
else
v13 = -1;
}
if ( v21 >= 0x10 )
{
v14 = Memory;
if ( v21 + 1 >= 0x1000 )
{
v14 = (_BYTE *)*((_DWORD *)Memory - 1);
if ( (unsigned int)((_BYTE *)Memory - v14 - 4) > 0x1F )
invalid_parameter_noinfo_noreturn(v14, v21 + 36);
}
frees(v14);
}
v26 = -1;
v20 = 0;
v21 = 15;
LOBYTE(Memory) = 0;
if ( v24 >= 0x10 )
{
v15 = Dst;
if ( v24 + 1 >= 0x1000 )
{
v15 = (_BYTE *)*((_DWORD *)Dst - 1);
if ( (unsigned int)((_BYTE *)Dst - v15 - 4) > 0x1F )
invalid_parameter_noinfo_noreturn(v15, v24 + 36);
}
frees(v15);
}
v16 = "Have fun!";
if ( v13 )
v16 = "A forged ticket!!";
v17 = sub_402870(std::cout, v16);
std::basic_ostream<char,std::char_traits<char>>::operator<<(v17, sub_402AC0);
system("pause");
return 0;
} [Asm] 纯文本查看 复制代码
void __thiscall sub_402320(_DWORD *this)
{
int v1; // eax
__int16 v2; // bx
const char *v3; // esi
signed int i; // edi
int v5; // eax
v1 = this[15];
v2 = *(_WORD *)((char *)this + v1 + 6);
v3 = (char *)this + v1 + 248;
for ( i = 0; i < v2; ++i ) // 判断区段
{
v5 = strcmp(v3, ".SCTF");
if ( v5 )
v5 = -(v5 < 0) | 1;
if ( !v5 )
{
DebugBreak();
return;
}
v3 += 40;
}
} [Asm] 纯文本查看 复制代码
.text:004023EF loc_4023EF: ; DATA XREF: .rdata:stru_407B58↓o
.text:004023EF mov esp, [ebp+ms_exc.old_esp]
.text:004023F2 lea eax, [ebp+pbDebuggerPresent]
.text:004023F5 push eax ; pbDebuggerPresent
.text:004023F6 call ds:GetCurrentProcess
.text:004023FC push eax ; hProcess
.text:004023FD call ds:CheckRemoteDebuggerPresent
.text:00402403 call ds:IsDebuggerPresent
.text:00402409 test eax, eax
.text:0040240B jnz short loc_4023B9
.text:0040240D cmp [ebp+pbDebuggerPresent], eax
.text:00402410 jnz short loc_4023B9
.text:00402412 mov eax, [ebp+var_24]
.text:00402415 mov edx, [eax+10h]
.text:00402418 mov ecx, [eax+0Ch]
.text:0040241B add ecx, [ebp+var_28]
.text:0040241E mov esi, [ebp+var_2C]
.text:00402421 lea edi, [esi+1]
.text:00402424
.text:00402424 loc_402424: ; CODE XREF: sub_402320+109↓j
.text:00402424 mov al, [esi] ; sycloversyclover
.text:00402426 inc esi
.text:00402427 test al, al
.text:00402429 jnz short loc_402424 ; sycloversyclover
.text:0040242B sub esi, edi
.text:0040242D push esi
.text:0040242E push ecx
.text:0040242F call sub_402450
.text:00402434 add esp, 8
.text:00402437 jmp short loc_4023B9
.text:00402439 ; ---------------------------------------------------------------------------
.text:00402439
.text:00402439 loc_402439: ; CODE XREF: sub_402320+8A↑j
.text:00402439 add esi, 28h
.text:0040243C inc edi
.text:0040243D jmp loc_402372
.text:0040243D sub_402320 endp
Bybare [Asm] 纯文本查看 复制代码
.text:00005593B1D94798 main: ; DATA XREF: start+1D↑o
.text:00005593B1D94798 ; __unwind {
.text:00005593B1D94798 push rbp
.text:00005593B1D94799 mov rbp, rsp
.text:00005593B1D9479C sub rsp, 160h
.text:00005593B1D947A3 mov rax, fs:28h
.text:00005593B1D947AC mov [rbp-8], rax
.text:00005593B1D947B0 xor eax, eax
.text:00005593B1D947B2 mov dword ptr [rbp-150h], 0
.text:00005593B1D947BC mov qword ptr [rbp-110h], 0
.text:00005593B1D947C7 mov qword ptr [rbp-108h], 0
.text:00005593B1D947D2 mov qword ptr [rbp-100h], 0
.text:00005593B1D947DD mov byte ptr [rbp-0F8h], 0
.text:00005593B1D947E4 mov qword ptr [rbp-0F0h], 0
.text:00005593B1D947EF mov qword ptr [rbp-0E8h], 0
.text:00005593B1D947FA mov qword ptr [rbp-0E0h], 0
.text:00005593B1D94805 mov byte ptr [rbp-0D8h], 0
.text:00005593B1D9480C mov qword ptr [rbp-0D0h], 0
.text:00005593B1D94817 mov qword ptr [rbp-0C8h], 0
.text:00005593B1D94822 mov qword ptr [rbp-0C0h], 0
.text:00005593B1D9482D mov qword ptr [rbp-0B8h], 0
.text:00005593B1D94838 mov qword ptr [rbp-0B0h], 0
.text:00005593B1D94843 mov qword ptr [rbp-0A8h], 0
.text:00005593B1D9484E mov word ptr [rbp-0A0h], 0
.text:00005593B1D94857 mov rax, '********'
.text:00005593B1D94861 mov rdx, '*.******'
.text:00005593B1D9486B mov [rbp-90h], rax
.text:00005593B1D94872 mov [rbp-88h], rdx
.text:00005593B1D94879 mov rax, '.s**.***'
.text:00005593B1D94883 mov rdx, '****..*.'
.text:00005593B1D9488D mov [rbp-80h], rax
.text:00005593B1D94891 mov [rbp-78h], rdx
.text:00005593B1D94895 mov rax, '.****.**'
.text:00005593B1D9489F mov rdx, '********'
.text:00005593B1D948A9 mov [rbp-70h], rax
.text:00005593B1D948AD mov [rbp-68h], rdx
.text:00005593B1D948B1 mov rax, '***..***'
.text:00005593B1D948BB mov rdx, '*#..**..'
.text:00005593B1D948C5 mov [rbp-60h], rax
.text:00005593B1D948C9 mov [rbp-58h], rdx
.text:00005593B1D948CD mov rax, '*..***..'
.text:00005593B1D948D7 mov rdx, '*****.**'
.text:00005593B1D948E1 mov [rbp-50h], rax
.text:00005593B1D948E5 mov [rbp-48h], rdx
.text:00005593B1D948E9 mov rax, '********'
.text:00005593B1D948F3 mov rdx, '.*******'
.text:00005593B1D948FD mov [rbp-40h], rax
.text:00005593B1D94901 mov [rbp-38h], rdx
.text:00005593B1D94905 mov rax, '****..**'
.text:00005593B1D9490F mov rdx, '.**..***'
.text:00005593B1D94919 mov [rbp-30h], rax
.text:00005593B1D9491D mov [rbp-28h], rdx
.text:00005593B1D94921 mov rax, '*.*..*..'
.text:00005593B1D9492B mov [rbp-20h], rax
.text:00005593B1D9492F mov dword ptr [rbp-18h], '.**.'
.text:00005593B1D94936 mov word ptr [rbp-14h], 2Ah ; '*'
.text:00005593B1D9493C mov qword ptr [rbp-130h], 0
.text:00005593B1D94947 mov qword ptr [rbp-128h], 0
.text:00005593B1D94952 mov dword ptr [rbp-120h], 0
.text:00005593B1D9495C lea rax, [rbp-90h]
.text:00005593B1D94963 add rax, 16h
.text:00005593B1D94967 mov [rbp-148h], rax
.text:00005593B1D9496E mov rax, '019_ftcs' ; sctf_019
.text:00005593B1D94978 mov [rbp-13Ah], rax
.text:00005593B1D9497F mov word ptr [rbp-132h], 32h ; '2' ; sctf_2019
.text:00005593B1D94988 xor rax, rax
.text:00005593B1D9498B jb short loc_5593B1D94990
.text:00005593B1D9498D jnb short loc_5593B1D94990
.text:00005593B1D9498D ; ---------------------------------------------------------------------------
.text:00005593B1D9498F db 0E1h
.text:00005593B1D94990 ; ---------------------------------------------------------------------------
.text:00005593B1D94990
.text:00005593B1D94990 loc_5593B1D94990: ; CODE XREF: .text:00005593B1D9498B↑j
.text:00005593B1D94990 ; .text:00005593B1D9498D↑j
.text:00005593B1D94990 lea rdi, aPlzTellMeTheSh ; "plz tell me the shortest password1:"
.text:00005593B1D94997 call _puts
.text:00005593B1D9499C lea rax, [rbp-0D0h]
.text:00005593B1D949A3 mov rsi, rax
.text:00005593B1D949A6 lea rdi, aS ; "%s"
.text:00005593B1D949AD mov eax, 0
.text:00005593B1D949B2 call _scanf
.text:00005593B1D949B7 mov dword ptr [rbp-14Ch], 1
.text:00005593B1D949C1
.text:00005593B1D949C1 loc_5593B1D949C1: ; CODE XREF: .text:00005593B1D94A9F↓j
.text:00005593B1D949C1 cmp dword ptr [rbp-14Ch], 0
.text:00005593B1D949C8 jz loc_5593B1D94AB1
.text:00005593B1D949CE mov eax, [rbp-150h]
.text:00005593B1D949D4 cdqe
.text:00005593B1D949D6
.text:00005593B1D949D6 loc_5593B1D949D6:
.text:00005593B1D949D6 lea rdx, [rbp-0D0h]
.text:00005593B1D949DD add rax, rdx
.text:00005593B1D949E0 movzx eax, byte ptr [rax]
.text:00005593B1D949E3 mov [rbp-151h], al
.text:00005593B1D949E9 cmp byte ptr [rbp-151h], 77h ; 'w'
.text:00005593B1D949F0 jnz short loc_5593B1D949FC
.text:00005593B1D949F2 sub qword ptr [rbp-148h], 5
.text:00005593B1D949FA jmp short loc_5593B1D94A66
.text:00005593B1D949FC ; ---------------------------------------------------------------------------
.text:00005593B1D949FC
.text:00005593B1D949FC loc_5593B1D949FC: ; CODE XREF: .text:00005593B1D949F0↑j
.text:00005593B1D949FC cmp byte ptr [rbp-151h], 73h ; 's'
.text:00005593B1D94A03 jnz short loc_5593B1D94A0F
.text:00005593B1D94A05 add qword ptr [rbp-148h], 5
.text:00005593B1D94A0D jmp short loc_5593B1D94A66
.text:00005593B1D94A0F ; ---------------------------------------------------------------------------
.text:00005593B1D94A0F
.text:00005593B1D94A0F loc_5593B1D94A0F: ; CODE XREF: .text:00005593B1D94A03↑j
.text:00005593B1D94A0F cmp byte ptr [rbp-151h], 64h ; 'd'
.text:00005593B1D94A16 jnz short loc_5593B1D94A22
.text:00005593B1D94A18 add qword ptr [rbp-148h], 1
.text:00005593B1D94A20 jmp short loc_5593B1D94A66
.text:00005593B1D94A22 ; ---------------------------------------------------------------------------
.text:00005593B1D94A22
.text:00005593B1D94A22 loc_5593B1D94A22: ; CODE XREF: .text:00005593B1D94A16↑j
.text:00005593B1D94A22 cmp byte ptr [rbp-151h], 61h ; 'a'
.text:00005593B1D94A29 jnz short loc_5593B1D94A35
.text:00005593B1D94A2B sub qword ptr [rbp-148h], 1
.text:00005593B1D94A33 jmp short loc_5593B1D94A66
.text:00005593B1D94A35 ; ---------------------------------------------------------------------------
.text:00005593B1D94A35
.text:00005593B1D94A35 loc_5593B1D94A35: ; CODE XREF: .text:00005593B1D94A29↑j
.text:00005593B1D94A35 cmp byte ptr [rbp-151h], 78h ; 'x'
.text:00005593B1D94A3C jnz short loc_5593B1D94A48
.text:00005593B1D94A3E add qword ptr [rbp-148h], 19h
.text:00005593B1D94A46 jmp short loc_5593B1D94A66
.text:00005593B1D94A48 ; ---------------------------------------------------------------------------
.text:00005593B1D94A48
.text:00005593B1D94A48 loc_5593B1D94A48: ; CODE XREF: .text:00005593B1D94A3C↑j
.text:00005593B1D94A48 cmp byte ptr [rbp-151h], 79h ; 'y'
.text:00005593B1D94A4F jnz short loc_5593B1D94A5B
.text:00005593B1D94A51 sub qword ptr [rbp-148h], 19h
.text:00005593B1D94A59 jmp short loc_5593B1D94A66
.text:00005593B1D94A5B ; ---------------------------------------------------------------------------
.text:00005593B1D94A5B
.text:00005593B1D94A5B loc_5593B1D94A5B: ; CODE XREF: .text:00005593B1D94A4F↑j
.text:00005593B1D94A5B mov dword ptr [rbp-14Ch], 0
.text:00005593B1D94A65 nop
.text:00005593B1D94A66
.text:00005593B1D94A66 loc_5593B1D94A66: ; CODE XREF: .text:00005593B1D949FA↑j
.text:00005593B1D94A66 ; .text:00005593B1D94A0D↑j ...
.text:00005593B1D94A66 add dword ptr [rbp-150h], 1
.text:00005593B1D94A6D mov rax, [rbp-148h]
.text:00005593B1D94A74 movzx eax, byte ptr [rax]
.text:00005593B1D94A77 cmp al, 2Eh ; '.'
.text:00005593B1D94A79 jz short loc_5593B1D94A93
.text:00005593B1D94A7B mov rax, [rbp-148h]
.text:00005593B1D94A82 movzx eax, byte ptr [rax]
.text:00005593B1D94A85 cmp al, 23h ; '#'
.text:00005593B1D94A87 jz short loc_5593B1D94A93
.text:00005593B1D94A89 mov dword ptr [rbp-14Ch], 0
.text:00005593B1D94A93
.text:00005593B1D94A93 loc_5593B1D94A93: ; CODE XREF: .text:00005593B1D94A79↑j
.text:00005593B1D94A93 ; .text:00005593B1D94A87↑j
.text:00005593B1D94A93 mov rax, [rbp-148h]
.text:00005593B1D94A9A movzx eax, byte ptr [rax]
.text:00005593B1D94A9D cmp al, 23h ; '#'
.text:00005593B1D94A9F jnz loc_5593B1D949C1
.text:00005593B1D94AA5 lea rdi, aGoodYouFindThe ; "good!you find the right way!\nBut there"...
.text:00005593B1D94AAC call _puts
.text:00005593B1D94AB1
.text:00005593B1D94AB1 loc_5593B1D94AB1: ; CODE XREF: .text:00005593B1D949C8↑j
.text:00005593B1D94AB1 cmp dword ptr [rbp-14Ch], 0
.text:00005593B1D94AB8 jnz short loc_5593B1D94AD5
.text:00005593B1D94ABA lea rdi, aSorryIsTNotARi ; "sorry,is't not a right way..."
.text:00005593B1D94AC1 mov eax, 0
.text:00005593B1D94AC6 call _printf
.text:00005593B1D94ACB mov eax, 0
.text:00005593B1D94AD0 jmp loc_5593B1D94C0C [Asm] 纯文本查看 复制代码
**************.****.**s..*..******.****.***********..***..**..#*..***..***.***** [Asm] 纯文本查看 复制代码
.text:0000000000000E11 jnb short loc_E14
.text:0000000000000E11 ; ---------------------------------------------------------------------------
.text:0000000000000E13 db 0E4h
.text:0000000000000E14 ; ---------------------------------------------------------------------------
.text:0000000000000E14
.text:0000000000000E14 loc_E14: ; CODE XREF: .text:0000000000000E0F↑j
.text:0000000000000E14 ; .text:0000000000000E11↑j
.text:0000000000000E14 mov dword ptr [rbp-244h], 0
.text:0000000000000E1E
.text:0000000000000E1E loc_E1E: ; CODE XREF: .text:0000000000000F4B↓j
.text:0000000000000E1E cmp dword ptr [rbp-238h], 0 [Asm] 纯文本查看 复制代码
unsigned __int64 __fastcall sub_C22(const char *a1, __int64 a2)
{
bool v2; // al
int v3; // eax
int v4; // eax
int v5; // eax
int v7; // [rsp+14h] [rbp-24Ch]
signed int v8; // [rsp+18h] [rbp-248h]
int v9; // [rsp+1Ch] [rbp-244h]
int v10; // [rsp+20h] [rbp-240h]
int v11; // [rsp+24h] [rbp-23Ch]
int v12; // [rsp+28h] [rbp-238h]
int v13; // [rsp+2Ch] [rbp-234h]
char *v14; // [rsp+48h] [rbp-218h]
int v15[130]; // [rsp+50h] [rbp-210h]
unsigned __int64 v16; // [rsp+258h] [rbp-8h]
v16 = __readfsqword(0x28u);
qmemcpy(v15, &off_1740, 0x200uLL);
v8 = 3;
v7 = 0;
v10 = 0;
v11 = 0;
v12 = strlen(a1);
v14 = (char *)a1;
while ( 1 )
{
v13 = 0;
if ( v10 < v12 )
break;
LABEL_13:
if ( v10 >= v12 )
goto LABEL_14;
}
do
{
if ( a1[v10] != 25 )
break;
++v10;
++v13;
}
while ( v10 < v12 );
if ( v10 != v12 )
{
if ( v12 - v10 > 1 )
{
v2 = v10 == 19 && a1[20] == 16;
a1[v2];
}
++v10;
goto LABEL_13;
}
LABEL_14:
v9 = 0;
while ( v12 > 0 )
{
v8 -= v15[*v14] == 64;
v7 = v15[*v14] & 0x3F | (v7 << 6);
if ( ++v9 == 4 )
{
v9 = 0;
if ( v8 )
{
v3 = v11++;
*(_BYTE *)(v3 + a2) = BYTE2(v7);
}
if ( v8 > 1 )
{
v4 = v11++;
*(_BYTE *)(v4 + a2) = BYTE1(v7);
}
if ( v8 > 2 )
{
v5 = v11++;
*(_BYTE *)(v5 + a2) = v7;
}
}
++v14;
--v12;
}
return __readfsqword(0x28u) ^ v16;
} [Asm] 纯文本查看 复制代码
signed __int64 __fastcall sub_5593B1D94FFA(char *a1)
{
int v1; // ST24_4
int v2; // ST28_4
int v3; // ST2C_4
signed int v5; // [rsp+18h] [rbp-158h]
signed int i; // [rsp+18h] [rbp-158h]
int cout; // [rsp+1Ch] [rbp-154h]
int v8[16]; // [rsp+30h] [rbp-140h]
int v9[16]; // [rsp+70h] [rbp-100h]
int v10[29]; // [rsp+B0h] [rbp-C0h]
unsigned int v11; // [rsp+124h] [rbp-4Ch]
unsigned __int64 v12; // [rsp+168h] [rbp-8h]
v12 = __readfsqword(0x28u);
v8[0] = 0xBE;
v8[1] = '\x04';
v8[2] = '\x06';
v8[3] = 0x80;
v8[4] = 0xC5;
v8[5] = 0xAF;
v8[6] = 0x76;
v8[7] = 0x47;
v8[8] = 0x9F;
v8[9] = 0xCC;
v8[10] = 0x40;
v8[11] = 0x1F;
v8[12] = 0xD8;
v8[13] = 0xBF;
v8[14] = 0x92;
v8[15] = 0xEF;
v1 = (a1[6] << 8) | (a1[5] << 16) | (a1[4] << 24) | a1[7];
v2 = (a1[10] << 8) | (a1[9] << 16) | (a1[8] << 24) | a1[11];
v3 = (a1[14] << 8) | (a1[13] << 16) | (a1[12] << 24) | a1[15];// 16位
cout = 0;
v5 = 4;
v10[0] = byteswap_ulong((a1[2] << 8) | (a1[1] << 16) | (*a1 << 24) | (unsigned int)a1[3]);// 颠倒过来排列
v10[1] = byteswap_ulong(v1);
v10[2] = byteswap_ulong(v2);
v10[3] = byteswap_ulong(v3);
do
{
v10[v5] = sub_5593B1D9543B(v10[cout], v10[cout + 1], v10[cout + 2], v10[cout + 3]);
++cout;
++v5;
}
while ( v5 <= 29 );
v9[0] = (unsigned int)v10[26] >> 24;
v9[1] = BYTE2(v10[26]);
v9[2] = BYTE1(v10[26]);
v9[3] = LOBYTE(v10[26]);
v9[4] = (unsigned int)v10[27] >> 24;
v9[5] = BYTE2(v10[27]);
v9[6] = BYTE1(v10[27]);
v9[7] = LOBYTE(v10[27]);
v9[8] = (unsigned int)v10[28] >> 24;
v9[9] = BYTE2(v10[28]);
v9[10] = BYTE1(v10[28]);
v9[11] = LOBYTE(v10[28]);
v9[12] = v11 >> 24;
v9[13] = BYTE2(v11);
v9[14] = BYTE1(v11);
v9[15] = (unsigned __int8)v11;
for ( i = 0; i <= 15; ++i )
{
if ( v9[i] != v8[i] )
return 0xFFFFFFFFLL;
}
return 1LL;
} [Asm] 纯文本查看 复制代码
__int64 __fastcall sub_5593B1D9543B(int a1, int a2, int a3, unsigned int a4)
{
return a1 ^ (unsigned int)sub_5593B1D95464(a2 ^ a3 ^ a4);
}
__int64 __fastcall sub_5593B1D95464(unsigned int a1)
{
int v1; // ST18_4
int v3[290]; // [rsp+20h] [rbp-490h]
unsigned __int64 v4; // [rsp+4A8h] [rbp-8h]
v4 = __readfsqword(0x28u);
qmemcpy(v3, &byte_5593B1D95940, 1152uLL);
v1 = (v3[BYTE2(a1)] << 16) | v3[(unsigned __int8)a1] | (v3[BYTE1(a1)] << 8) | (v3[a1 >> 24] << 24);
return __ROL4__(v1, 12) ^ (unsigned int)(__ROL4__(v1, 8) ^ __ROR4__(v1, 2)) ^ __ROR4__(v1, 6);
} [Asm] 纯文本查看 复制代码
i = [0xd8bf92ef,0x9fcc401f,0xc5af7647,0xbe040680]
asc = [0xD6,0x90,0xE9,0xFE,0xCC,0xE1,0x3D,0xB7,0x16,0xB6,0x14,0xC2,0x28,0xFB,0x2C,0x05,0x2B,0x67,0x9A,0x76,0x2A,0xBE,0x04,0xC3,0xAA,0x44,0x13,0x26,0x49,0x86,0x06,0x99,0x9C,0x42,0x50,0xF4,0x91,0xEF,0x98,0x7A,0x33,0x54,0x0B,0x43,0xED,0xCF,0xAC,0x62,0xE4,0xB3,0x1C,0xA9,0xC9,0x08,0xE8,0x95,0x80,0xDF,0x94,0xFA,0x75,0x8F,0x3F,0xA6,0x47,0x07,0xA7,0xFC,0xF3,0x73,0x17,0xBA,0x83,0x59,0x3C,0x19,0xE6,0x85,0x4F,0xA8,0x68,0x6B,0x81,0xB2,0x71,0x64,0xDA,0x8B,0xF8,0xEB,0x0F,0x4B,0x70,0x56,0x9D,0x35,0x1E,0x24,0x0E,0x5E,0x63,0x58,0xD1,0xA2,0x25,0x22,0x7C,0x3B,0x01,0x21,0x78,0x87,0xD4,0x00,0x46,0x57,0x9F,0xD3,0x27,0x52,0x4C,0x36,0x02,0xE7,0xA0,0xC4,0xC8,0x9E,0xEA,0xBF,0x8A,0xD2,0x40,0xC7,0x38,0xB5,0xA3,0xF7,0xF2,0xCE,0xF9,0x61,0x15,0xA1,0xE0,0xAE,0x5D,0xA4,0x9B,0x34,0x1A,0x55,0xAD,0x93,0x32,0x30,0xF5,0x8C,0xB1,0xE3,0x1D,0xF6,0xE2,0x2E,0x82,0x66,0xCA,0x60,0xC0,0x29,0x23,0xAB,0x0D,0x53,0x4E,0x6F,0xD5,0xDB,0x37,0x45,0xDE,0xFD,0x8E,0x2F,0x03,0xFF,0x6A,0x72,0x6D,0x6C,0x5B,0x51,0x8D,0x1B,0xAF,0x92,0xBB,0xDD,0xBC,0x7F,0x11,0xD9,0x5C,0x41,0x1F,0x10,0x5A,0xD8,0x0A,0xC1,0x31,0x88,0xA5,0xCD,0x7B,0xBD,0x2D,0x74,0xD0,0x12,0xB8,0xE5,0xB4,0xB0,0x89,0x69,0x97,0x4A,0x0C,0x96,0x77,0x7E,0x65,0xB9,0xF1,0x09,0xC5,0x6E,0xC6,0x84,0x18,0xF0,0x7D,0xEC,0x3A,0xDC,0x4D,0x20,0x79,0xEE,0x5F,0x3E,0xD7,0xCB,0x39,0x48,0xC6,0xBA,0xB1,0xA3,0x50,0x33,0xAA,0x56,0x97,0x91,0x7D,0x67,0xDC,0x22,0x70,0xB2]
def xors(xor_mix):
temp1 = (xor_mix >> 24)&0xff
temp2 = (xor_mix >> 16)&0xff
temp3 = (xor_mix >> 8)&0xff
temp = (xor_mix)&0xff
temp_q = asc[temp] | (asc[temp1]<<24)|(asc[temp2]<<16)|(asc[temp3]<<8)
print ("%x"%(temp_q))
temp_i = ((temp_q <<12|temp_q>>20)&0xffffffff) ^ ((temp_q <<8|temp_q>>24)&0xffffffff) ^ ((temp_q>>2|temp_q<<30)&0xffffffff)^((temp_q>>6|temp_q<<26)&0xffffffff)
return temp_i
print ("%x"%(xors(0x6011F432)))
print (len(asc))
for q in range(26):
i.append(i[q]^xors(i[q+1]^i[q+2]^i[q+3]))
print (i)
print ("%x"%(i[-1]))
print ("%x"%(i[-2]))
print ("%x"%(i[-3]))
print ("%x"%(i[-4]))
# fl4g_is_s0_ug1y!
music [Asm] 纯文本查看 复制代码
package com.example.music;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
public class q
{
private h h;
private Context mycontext;
public q(Context paramContext)
{
this.mycontext = paramContext;
}
public String get()
{
String str1 = null;
this.h = new h(this.mycontext, "sctf.db", null, 1);
Cursor localCursor = this.h.getWritableDatabase().query("SYC", null, null, null, null, null, null);
if (localCursor.moveToFirst()) {
do
{
str1 = localCursor.getString(localCursor.getColumnIndex("S1"));
String str2 = localCursor.getString(localCursor.getColumnIndex("S2"));
StringBuilder localStringBuilder = new StringBuilder();
localStringBuilder.append(str1);
localStringBuilder.append(str2);
str1 = localStringBuilder.toString();
} while (localCursor.moveToNext());
}
localCursor.close();
return str1;
}
}
[Asm] 纯文本查看 复制代码
package com.example.music;
import java.security.MessageDigest;
public class a
{
public String a(String paramString)
{
return b(paramString);
}
public String b(String paramString)
{
new p();
if (paramString != null) {
try
{
paramString = p.a(MessageDigest.getInstance("MD5").digest(paramString.getBytes()));
return paramString;
}
catch (Exception paramString)
{
paramString.printStackTrace();
}
}
return null;
}
}
[Asm] 纯文本查看 复制代码
package com.example.music;
public class p
{
public static String a(byte[] paramArrayOfByte)
{
StringBuffer localStringBuffer = new StringBuffer();
int i = 0;
while (i < paramArrayOfByte.length)
{
String str = Integer.toHexString(paramArrayOfByte[i] & 0xFF);
Object localObject = str;
if (str.length() == 1)
{
localObject = new StringBuilder();
((StringBuilder)localObject).append('0');
((StringBuilder)localObject).append(str);
localObject = ((StringBuilder)localObject).toString();
}
localStringBuffer.append(((String)localObject).toUpperCase());
i += 1;
}
return localStringBuffer.toString();
}
}
[Asm] 纯文本查看 复制代码
package com.example.music;
public class c
{
private static int m = 256;
public String a(String paramString1, String paramString2)
{
int i = m;
int[] arrayOfInt = new int[i];
byte[] arrayOfByte = new byte[i];
i = 0;
while (i < m)
{
arrayOfInt[i] = i;
arrayOfByte[i] = ((byte)paramString2.charAt(i % paramString2.length()));
i += 1;
}
i = 0;
int j = 0;
for (;;)
{
k = m;
if (i >= k - 1) {
break;
}
j = (arrayOfInt[i] + j + arrayOfByte[i]) % k;
k = arrayOfInt[i];
arrayOfInt[i] = arrayOfInt[j];
arrayOfInt[j] = k;
i += 1;
}
paramString2 = paramString1.toCharArray();
paramString1 = new char[paramString1.length()];
int k = 0;
j = 0;
i = 0;
while (i < paramString2.length)
{
int n = m;
k = (k + 1) % n;
j = (arrayOfInt[k] + j) % n;
int i1 = arrayOfInt[k];
arrayOfInt[k] = arrayOfInt[j];
arrayOfInt[j] = i1;
i1 = arrayOfInt[k];
int i2 = arrayOfInt[k];
paramString1[i] = ((char)(paramString2[i] - k ^ (char)arrayOfInt[((i1 + i2 % n) % n)]));
i += 1;
}
new p();
return p.a(new String(paramString1).getBytes());
}
}
[Asm] 纯文本查看 复制代码
public boolean g(String paramString)
{
return paramString.equals(s.this.getApplicationContext().getResources().getString(2131492904));
} [Asm] 纯文本查看 复制代码
<string name="cipher">C28BC39DC3A6C283C2B3C39DC293C289C2B8C3BAC29EC3A0C3A7C29A1654C3AF28C3A1C2B1215B53</string>
<string name="local">/data/data/com.example.music/databases/</string>
<string name="no">wrong!</string>
<string name="search_menu_title">Search</string>
<string name="song">[audio]http://www.ytmp3.cn/down/44093.mp3[/audio]</string> [Asm] 纯文本查看 复制代码
import base64
flag = "c28bc39dc3a6c283c2b3c39dc293c289c2b8c3bac29ec3a0c3a7c29a1654c3af28c3a1c2b1215b53"
flagh = []
for q in range(0,len(flag),2):
flagh.append(int(flag[q:q+2],16))
print flagh
S = []
T = []
key = "E7E64BF658BAB14A25C9D67A054CEBE5"
# C28BC39DC3A6C283C2B3C39DC293C289C2B8C3BAC29EC3A0C3A7C29A1654C3AF28C3A1C2B1215B53
# c28bc39dc3a6c283c2b3c39dc293c289c2b8c3bac29ec3a0c3a7c29a1654c3af28c3a1c2b1215b53
for i in range(256):
S.append(i)
T.append(key[i%len(key)])
#print S
#print T
j = 0
for i in range(256):
j = (j+S[i]+ord(T[i]))%256
S[i],S[j]=S[j],S[i]
i = 0
j = 0
k = []
# for r in range(len(flag)):
# i = (i+1)%256
# j = (j+S[i])%256
# S[i],S[j] = S[j],S[i]
# t = (S[i]+S[j])%256
# k.append(S[t])
#
flags = []
for r in range(len(flagh)):
i = (i+1)%256
j = (j+S[i])%256
S[i],S[j] = S[j],S[i]
t = (S[i]+S[j])%256
k.append(S[t])
flags.append((flagh[r] ^ S[(S[i] + S[i] % 256) % 256]) + i)
print flags
[Asm] 纯文本查看 复制代码
https://xz.aliyun.com/t/5478#toc-21 [Asm] 纯文本查看 复制代码
public class Notepad
{
public static void main(String[] args)
{
byte[] enctob = new byte[]{-62, -117, -61, -99, -61, -90, -62, -125, -62, -77, -61, -99, -62, -109, -62, -119, -62, -72, -61, -70, -62, -98, -61, -96, -61, -89, -62, -102, 22, 84, -61, -81, 40, -61, -95, -62, -79, 33, 91, 83};
String bs = new String(enctob);
char[] flagenc = bs.toCharArray();
char[] out = new char[bs.length()];
int[] S = new int[256];
byte[] wtf = new byte[256];
int i,j,k;
String key = "E7E64BF658BAB14A25C9D67A054CEBE5";
for (i = 0; i < 256; i++ )
{
S[i] = i;
wtf[i] = (byte)(key.charAt(i % 32));
}
i = 0;
j = 0;
for(i = 0,j = 0;i < 256; i++ )
{
j = (S[i] + j + wtf[i]) % 256;
k = S[i];
S[i] = S[j];
S[j] = k;
}
for (i = 0,j = 0,k = 0; i < bs.length(); i++ )
{
k = (k + 1) % 256;
j = (S[k] + j) % 256;
int temp = S[k];
S[k] = S[j];
S[j] = temp;
out[i] = (char)((flagenc[i] ^ S[(S[k] + S[k] % 256) % 256]) + k);
System.out.println(out);
}
}
}
查看全部评分
[复制链接]
发表于 2019-6-24 18:38
|
发表于 2019-6-25 00:03
