re
babytea
题目描述: 最简单的tea
v1为密文,sub_140001450加密函数进行分组加密
xtea,加解密可逆,delta被换了
解密脚本
#include<stdio.h>
#include<stdint.h>
/*
 * Undo the challenge binary's XTEA-style block transform on one 64-bit block.
 *
 * num_rounds: how many rounds the binary applied (chosen by the caller).
 * v:          the two 32-bit words of the block, rewritten in place.
 * key:        the four 32-bit key words.
 *
 * Each round mixes one half with a shifted/summed copy of the other half and a
 * key word selected by the running sum.  The delta is the constant recovered
 * from the binary, which differs from standard XTEA's 0x9E3779B9.
 */
void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    const uint32_t delta = 0x9E3778B9;
    uint32_t left = v[0];
    uint32_t right = v[1];
    uint32_t sum = 0;

    for (unsigned int round = 0; round < num_rounds; ++round) {
        left += (((right << 4) ^ (right >> 5)) + right) ^ right ^ (sum + key[sum & 3]);
        sum += delta;
        right += (((left << 4) ^ (left >> 5)) + left) ^ left ^ (sum + key[(sum >> 11) & 3]);
    }

    v[0] = left;
    v[1] = right;
}
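/*
 * Decrypt the ciphertext words taken from the binary, two words per block,
 * and print the recovered bytes.
 */
int main(void) {
    /* Ciphertext (v1 in the binary), consumed in 64-bit blocks. */
    uint32_t v1[10] = { 0x18C2E339, 0xE9550982, 0x108A30F7, 0x18430DD, 0xD5DE57B0,
                        0xD43E0740, 0xF42FDDE4, 0x968886E8, 0xE5D77B79, 0x685D758F };
    uint32_t const k[4] = { 1, 1, 2, 3 };
    unsigned int r = 64; /* number of encryption rounds; set this to match the binary */
    const int words = (int)(sizeof v1 / sizeof v1[0]);

    for (int i = 0; i + 1 < words; i += 2) {
        decipher(r, &v1[i], k);
    }

    /* The decrypted buffer carries no NUL terminator of its own, so bound the
     * output to the array instead of letting "%s" scan past its end. */
    printf("%.*s", (int)sizeof v1, (const char *)v1);
    return 0;
}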
发现一个像flag的字符串
分析一下,尝试解密
# Flag-looking string found in the binary: reverse it, then swap each adjacent
# pair of characters (a trailing unpaired character stays where it is).
a = "}ggagllllff_fau_hisY_keF{CTSH"
a_list = list(reversed(a))
for idx in range(1, len(a_list), 2):
    a_list[idx - 1], a_list[idx] = a_list[idx], a_list[idx - 1]
a = ''.join(a_list)
print(a)
动调发现多了个!
且在第14位比较时不同,
p
修改脚本
# Dynamic debugging showed an extra '!' and that only the first 14 positions are
# mirrored before the comparison, so mirror exactly those, then swap adjacent pairs.
a = "!}ggagllllff_fau_hisY_keF{CTSH"
a_list = list(a)
for k in range(14):
    mirror = len(a_list) - 1 - k
    a_list[k], a_list[mirror] = a_list[mirror], a_list[k]
print(a_list)
for k in range(1, len(a_list), 2):
    a_list[k - 1], a_list[k] = a_list[k], a_list[k - 1]
a = ''.join(a_list)
print(a)
后来学习了一下,花指令
以下jz和jnz确保跳转到loc_414526+1
地址
.text:00414522 jz short near ptr loc_414526+1
.text:00414524 jnz short near ptr loc_414526+1
undefine重新p一下
Loader
跟iscc有一题有点像
动态加载dex
hook一下,输出dex二进制内容
// Capture the dex blob that MainActivity.GetData returns to the loader.
Java.perform(function () {
    var act = Java.use("com.android.loader.MainActivity");

    // Wrap GetData: call the original, log its result, and hand it back unchanged.
    act.GetData.implementation = function (context) {
        var blob = this.GetData(context);
        console.log("Dex data captured: " + blob);
        // The logged byte values are what gets written to a file afterwards.
        return blob;
    };
});
# Attach over USB to the running process by name and load the hook script above.
frida -U -n 'DexLoader' -l f.js
写入文件
dex=[100,101,120,10,48,51,53,0,-82,-67,72,-120,2,-95,-10,-84,64,109,-97,59,8,-75,102,78,-114,58,92,52,-106,96,81,-127,100,5,0,0,112,0,0,0,120,86,52,18,0,0,0,0,0,0,0,0,-72,4,0,0,30,0,0,0,112,0,0,0,10,0,0,0,-24,0,0,0,11,0,0,0,16,1,0,0,1,0,0,0,-108,1,0,0,12,0,0,0,-100,1,0,0,1,0,0,0,-4,1,0,0,72,3,0,0,28,2,0,0,42,3,0,0,106,3,0,0,114,3,0,0,117,3,0,0,-127,3,0,0,-123,3,0,0,-109,3,0,0,-106,3,0,0,-102,3,0,0,-99,3,0,0,-96,3,0,0,-92,3,0,0,-87,3,0,0,-57,3,0,0,-37,3,0,0,-17,3,0,0,10,4,0,0,30,4,0,0,33,4,0,0,37,4,0,0,41,4,0,0,53,4,0,0,56,4,0,0,60,4,0,0,68,4,0,0,76,4,0,0,84,4,0,0,106,4,0,0,114,4,0,0,123,4,0,0,2,0,0,0,6,0,0,0,8,0,0,0,12,0,0,0,13,0,0,0,14,0,0,0,15,0,0,0,16,0,0,0,17,0,0,0,21,0,0,0,4,0,0,0,0,0,0,0,-4,2,0,0,6,0,0,0,1,0,0,0,0,0,0,0,7,0,0,0,1,0,0,0,-4,2,0,0,9,0,0,0,5,0,0,0,0,0,0,0,11,0,0,0,5,0,0,0,4,3,0,0,10,0,0,0,6,0,0,0,12,3,0,0,17,0,0,0,8,0,0,0,0,0,0,0,18,0,0,0,8,0,0,0,-4,2,0,0,19,0,0,0,8,0,0,0,20,3,0,0,22,0,0,0,9,0,0,0,28,3,0,0,22,0,0,0,9,0,0,0,36,3,0,0,3,0,5,0,3,0,0,0,3,0,6,0,1,0,0,0,3,0,10,0,20,0,0,0,3,0,4,0,26,0,0,0,4,0,6,0,1,0,0,0,5,0,0,0,24,0,0,0,5,0,9,0,25,0,0,0,5,0,1,0,27,0,0,0,6,0,7,0,1,0,0,0,6,0,5,0,23,0,0,0,6,0,3,0,29,0,0,0,7,0,8,0,1,0,0,0,7,0,2,0,28,0,0,0,3,0,0,0,1,0,0,0,4,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,-95,4,0,0,-98,4,0,0,4,0,1,0,1,0,0,0,-123,4,0,0,6,0,0,0,7,48,7,2,112,16,3,0,2,0,14,0,7,0,1,0,2,0,0,0,-118,4,0,0,18,0,0,0,7,96,19,4,-42,16,19,5,12,0,113,32,2,0,84,0,12,4,7,66,7,4,7,37,110,32,5,0,84,0,10,4,1,64,15,0,15,0,2,0,3,0,0,0,-111,4,0,0,63,0,0,0,1,-48,1,-31,34,8,7,0,7,-116,7,-56,7,-55,1,10,-127,-86,112,48,10,0,-87,11,7,-125,34,8,6,0,7,-116,7,-56,7,-55,1,26,112,32,7,0,-87,0,7,-124,18,8,1,-123,1,88,1,25,52,-104,9,0,7,72,110,16,9,0,8,0,12,8,7,-128,17,0,7,56,98,9,0,0,110,16,6,0,9,0,10,9,110,32,11,0,-104,0,10,8,1,-122,7,72,98,9,0,0,1,106,110,32,4,0,-87,0,10,9,110,32,8,0,-104,0,12,8,-40,5,5,1,40,-37,0,0,1,0,0,0,1,0,0,0,2,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,1,0,0,0,4,0,0,0,1,0,0,0,5,0,62,48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70,71,72,73,74,75,76,
77,78,79,80,81,82,83,84,85,86,87,88,89,90,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,0,6,60,105,110,105,116,62,0,1,67,0,10,67,72,65,82,65,67,84,69,82,83,0,2,67,73,0,12,71,101,116,70,108,97,103,46,106,97,118,97,0,1,73,0,2,73,73,0,1,74,0,1,76,0,2,76,67,0,3,76,73,73,0,28,76,99,111,109,47,97,110,100,114,111,105,100,47,108,111,97,100,101,114,47,71,101,116,70,108,97,103,59,0,18,76,106,97,118,97,47,108,97,110,103,47,79,98,106,101,99,116,59,0,18,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,59,0,25,76,106,97,118,97,47,108,97,110,103,47,83,116,114,105,110,103,66,117,105,108,100,101,114,59,0,18,76,106,97,118,97,47,117,116,105,108,47,82,97,110,100,111,109,59,0,1,86,0,2,86,73,0,2,86,74,0,10,86,101,114,105,102,121,70,108,97,103,0,1,90,0,2,90,76,0,6,97,112,112,101,110,100,0,6,99,104,97,114,65,116,0,6,101,113,117,97,108,115,0,20,103,101,110,101,114,97,116,101,82,97,110,100,111,109,83,116,114,105,110,103,0,6,108,101,110,103,116,104,0,7,110,101,120,116,73,110,116,0,8,116,111,83,116,114,105,110,103,0,22,0,7,14,0,8,1,0,7,14,-91,0,13,2,0,0,7,14,-46,-90,109,115,-61,-64,0,1,23,0,1,0,3,0,0,26,0,-127,-128,4,-100,4,1,9,-72,4,1,9,-20,4,0,0,0,14,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,30,0,0,0,112,0,0,0,2,0,0,0,10,0,0,0,-24,0,0,0,3,0,0,0,11,0,0,0,16,1,0,0,4,0,0,0,1,0,0,0,-108,1,0,0,5,0,0,0,12,0,0,0,-100,1,0,0,6,0,0,0,1,0,0,0,-4,1,0,0,1,32,0,0,3,0,0,0,28,2,0,0,1,16,0,0,6,0,0,0,-4,2,0,0,2,32,0,0,30,0,0,0,42,3,0,0,3,32,0,0,3,0,0,0,-123,4,0,0,5,32,0,0,1,0,0,0,-98,4,0,0,0,32,0,0,1,0,0,0,-95,4,0,0,0,16,0,0,1,0,0,0,-72,4,0,0]
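# Write the captured dex back out as raw bytes.  The dump came from a Java
# byte[], so each entry is a signed value in -128..127; masking with 0xFF yields
# the unsigned octet.  One write of a bytes object replaces the per-element
# int.to_bytes() calls, which need explicit length/byteorder before Python 3.11,
# and leaves `dex` untouched so the script can be re-run.
with open("1", "wb") as f:
    f.write(bytes(b & 0xFF for b in dex))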
jeb反编译,连解密都没有
套上SHCTF{}
SHCTF{QdUOJ7V7Xruo}
cancanneed
题目描述: 你会frida嘛?反正我是不会
两种做法
直接hook绕过md5判断
// Force the md5 check to pass and observe the AES key decryption.
Java.perform(function () {
    var act = Java.use("com.example.test.MainActivity");

    // check(): log the candidate input and report success regardless.
    act.check.implementation = function (v4) {
        console.log("Hooked check method, input: " + v4);
        return 1;
    };

    // decryptAESKey(): run the original, then log its key argument and its output.
    act.decryptAESKey.implementation = function (arg4, enc) {
        var plain = this.decryptAESKey(arg4, enc);
        console.log("DecryptAESKey called, key value: " + arg4);
        console.log("DecryptAESKey called, decrypted value: " + plain);
        return plain;
    };
});
或者分析源码,发现key是从Resources/raw中的xxnd读取的
key,十六字节
直接解
web
guess_the_number
题目描述: 听说预言家之所以能预知未来,是获得了这个世界的seed
F12
import flask
import random
from flask import Flask, request, render_template, send_file
# Application object that the route decorators below register on
app = Flask(__name__)
@app.route('/')
def index():
    """Serve the landing page with the first generated number exposed to the template."""
    # first_num is a module global filled in by init() before the server starts
    return render_template('index.html', first_num=first_num)
@app.route('/s0urce')
def get_source():
    """Return this application's source file as a download."""
    # Deliberately discloses app.py, including the seeding logic used in init()
    return send_file("app.py", as_attachment=True)
@app.route('/first')
def get_first_number():
    """Expose the first random draw as plain text."""
    # This value is the oracle a client can use to recover the seed offline
    return f"{first_num}"
@app.route('/guess')
def verify_seed():
    """Release the flag when the `num` query parameter matches the second draw."""
    guess = request.args.get('num')
    # A missing or wrong guess (compared as a string) is rejected
    if guess != str(second_num):
        return "nonono"
    with open("/flag", "r") as fh:
        return fh.read()
def init():
    """Seed the PRNG and draw the two numbers the routes depend on.

    Sets the module globals `seed`, `first_num` and `second_num`.
    """
    global seed, first_num, second_num
    # A seven-digit seed and the `random` module's deterministic generator: once
    # first_num is known, the seed can be searched exhaustively and second_num predicted.
    seed = random.randint(1000000, 9999999)
    random.seed(seed)
    first_num, second_num = (random.randint(1000000000, 9999999999) for _ in range(2))
init()  # choose the seed and draw first_num/second_num once, before serving requests
# debug=True turns on Flask's debug mode (auto-reloader and interactive debugger)
app.run(debug=True)
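import random


def find_seeds(target, low=1000000, high=9999999):
    """Return every seed in [low, high] whose first draw equals *target*.

    Replays the server's init(): random.seed(seed) followed by
    random.randint(1000000000, 9999999999).  The server picks its seed with
    randint(1000000, 9999999), which includes both ends, so the search here is
    inclusive as well (the original range() stopped one short of 9999999).
    """
    matches = []
    for candidate in range(low, high + 1):
        random.seed(candidate)
        if random.randint(1000000000, 9999999999) == target:
            matches.append(candidate)
    return matches


if __name__ == "__main__":
    # first_num as served by the /first endpoint of the challenge instance
    for seed in find_seeds(6636424299):
        print(seed)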
入侵者禁入
题目描述: 你谁?这咋注入啊
from flask import Flask, session, request, render_template_string
app = Flask(__name__)
# Hard-coded session signing key.  The '/' route below serves this very file, so
# anyone who reads it can sign their own session cookie.
app.secret_key = '0day_joker'
@app.route('/')
def index():
    """Install a non-admin role in the session and return this file's source."""
    session['role'] = {'is_admin': 0, 'flag': 'your_flag_here'}
    # Self-disclosure of the source (and with it secret_key) is the intended foothold
    with open(__file__, 'r') as src:
        return src.read()
@app.route('/admin')
def admin_handler():
    """Render the session's flag when its role says is_admin == 1."""
    try:
        role = session.get('role')
    except Exception:
        role = None
    if not isinstance(role, dict):
        return 'Without you, you are an intruder!'
    if role.get('is_admin') != 1:
        return "Error: You don't have the power!"
    flag = role.get('flag') or 'admin'
    # `flag` comes from the client-held session, which is forgeable with the
    # disclosed key, and is spliced into the template source itself instead of
    # being passed as a template variable -- this is the template-injection sink.
    return render_template_string("Oh,I believe in you! The flag is: %s" % flag)
if __name__ == '__main__':
    # Listen on every interface, port 80 (the challenge's deployment setting)
    app.run(host='0.0.0.0', port=80)
给了key,可以解session
is_admin改为1,render_template_string
存在ssti
misc
遮遮掩掩?CCRC!
题目描述: 我说今天必须爆破出来, 熊说:不可
一开始用CRC工具爆不出来,发现是三字节,结合熊曰想到大概是中文
利用Dr34nn/CRC_Cracker: 自动爆破crc32值并输出,支持中文crc32爆破 (github.com)