2015 RCTF / 攻防世界高手区 where
Where is the flag.(The flag should include RCTF{})
hint: where is body
hint2: the KEY is visible strings, -k -nosalt
1、炸弹引爆
2、dex修复
1. 炸弹引爆
2. dex修复
header : DEX 文件头,记录了一些当前文件的信息以及其他数据结构在文件中的偏移量
string_ids : 字符串的偏移量
type_ids : 类型信息的偏移量
proto_ids : 方法声明的偏移量
field_ids : 字段信息的偏移量
method_ids : 方法信息(所在类,方法声明以及方法名)的偏移量
class_def : 类信息的偏移量
data : 数据区
link_data : 静态链接数据区
1. 查看apk
# Decrypt the file `body` with AES-128-CBC and write the result to `decrypted`.
# -k derives the key and IV from the passphrase; -nosalt means no salt is used
# in that derivation, as hint2 states.
# NOTE(review): the digest used for -k derivation defaults to MD5 before
# OpenSSL 1.1.0 and to SHA-256 from 1.1.0 on. If a current build reports
# "bad decrypt", this 2015-era file presumably needs `-md md5` - confirm.
openssl enc -d -aes-128-cbc -in body -out decrypted -k 'Misc@inf0#fjhx11' -nosalt
2. dex修复还原
/* access modifiers changed from: protected */
/**
 * Decompiler output for MainActivity.onCreate before the dex is repaired.
 * The only statement is an unconditional throw, so none of the method's
 * original logic is visible in this form.
 *
 * NOTE(review): the "bad dex opcode" VerifyError looks like a placeholder the
 * decompiler emits when it cannot decode the method's bytecode, rather than
 * code written by the app author - confirm against the tool in use.
 *
 * @param bundle saved instance state; not read in this form of the method
 * @throws VerifyError always
 */
public void onCreate(Bundle bundle) {
throw new VerifyError("bad dex opcode");
}
CODE:00097390 # Source file: MainActivity.java
CODE:00097390 # NOTE(review): every instruction slot in this method, from 0x97390 through
CODE:00097390 # 0x97422, decodes as 0000 (nop), so no executable logic is left here.
CODE:00097390 # The debug directives are still present: .line 15 to .line 24 and the locals
CODE:00097390 # 'strb' (StringBuilder, v1) and 'flag' (String, v0) outline what the method
CODE:00097390 # contained. Presumably the original code units were zeroed out and have to
CODE:00097390 # be written back to repair the dex - confirm against the decrypted 'body' data.
CODE:00097390 protected void com.example.hello.MainActivity.onCreate(
CODE:00097390 android.os.Bundle savedInstanceState)
CODE:00097390 this = v6
CODE:00097390 savedInstanceState = v7
CODE:00097390 0000 nop
CODE:00097392 .prologue_end
CODE:00097392 .line 15
CODE:00097392 0000 nop
CODE:00097394 0000 nop
CODE:00097396 0000 nop
CODE:00097398 .line 16
CODE:00097398 0000 nop
CODE:0009739A 0000 nop
CODE:0009739C 0000 nop
CODE:0009739E 0000 nop
CODE:000973A0 0000 nop
CODE:000973A2 0000 nop
CODE:000973A4 .line 17
CODE:000973A4 0000 nop
CODE:000973A6 0000 nop
CODE:000973A8 0000 nop
CODE:000973AA 0000 nop
CODE:000973AC 0000 nop
CODE:000973AE 0000 nop
CODE:000973B0 0000 nop
CODE:000973B2 .local name:'strb' type:'Ljava/lang/StringBuilder;'
CODE:000973B2 strb = v1
CODE:000973B2 .line 18
CODE:000973B2 0000 nop
CODE:000973B4 0000 nop
CODE:000973B6 0000 nop
CODE:000973B8 0000 nop
CODE:000973BA 0000 nop
CODE:000973BC 0000 nop
CODE:000973BE .line 19
CODE:000973BE 0000 nop
CODE:000973C0 0000 nop
CODE:000973C2 0000 nop
CODE:000973C4 0000 nop
CODE:000973C6 0000 nop
CODE:000973C8 0000 nop
CODE:000973CA 0000 nop
CODE:000973CC .line 20
CODE:000973CC 0000 nop
CODE:000973CE 0000 nop
CODE:000973D0 0000 nop
CODE:000973D2 0000 nop
CODE:000973D4 0000 nop
CODE:000973D6 0000 nop
CODE:000973D8 0000 nop
CODE:000973DA 0000 nop
CODE:000973DC 0000 nop
CODE:000973DE .line 21
CODE:000973DE 0000 nop
CODE:000973E0 0000 nop
CODE:000973E2 0000 nop
CODE:000973E4 0000 nop
CODE:000973E6 0000 nop
CODE:000973E8 0000 nop
CODE:000973EA 0000 nop
CODE:000973EC 0000 nop
CODE:000973EE .line 22
CODE:000973EE 0000 nop
CODE:000973F0 0000 nop
CODE:000973F2 0000 nop
CODE:000973F4 0000 nop
CODE:000973F6 .local name:'flag' type:'Ljava/lang/String;'
CODE:000973F6 flag = v0
CODE:000973F6 .line 23
CODE:000973F6 0000 nop
CODE:000973F8 0000 nop
CODE:000973FA 0000 nop
CODE:000973FC 0000 nop
CODE:000973FE 0000 nop
CODE:00097400 0000 nop
CODE:00097402 0000 nop
CODE:00097404 0000 nop
CODE:00097406 0000 nop
CODE:00097408 0000 nop
CODE:0009740A 0000 nop
CODE:0009740C 0000 nop
CODE:0009740E 0000 nop
CODE:00097410 0000 nop
CODE:00097412 0000 nop
CODE:00097414 0000 nop
CODE:00097416 0000 nop
CODE:00097418 0000 nop
CODE:0009741A 0000 nop
CODE:0009741C 0000 nop
CODE:0009741E 0000 nop
CODE:00097420 0000 nop
CODE:00097422 .line 24
CODE:00097422 0000 nop
CODE:00097422 Method End
CODE:00097422 # ---------------------------------------------------------------------------
// Starting text for the displayed string; onCreate copies it into a
// StringBuilder and replaces four characters before showing it.
public String seed = "m3ll0t_yetFLag";
/**
 * Builds the flag text from {@code seed} and shows it in a toast.
 *
 * <p>Four single-character replacements are applied, in this order, to a copy
 * of the seed: index 0 becomes "h", 5 becomes "2", 10 becomes "f", 7 becomes "G".
 * With the seed declared in this class, "m3ll0t_yetFLag", the text shown is
 * "flag is h3ll02_GetfLag".
 *
 * <p>The decompiler reports that this method was declared protected in the
 * original class and widened to public in its output.
 *
 * @param bundle saved instance state, passed through to the superclass
 */
public void onCreate(Bundle bundle) {
    super.onCreate(bundle);
    setContentView(R.layout.activity_main);

    // Work on a copy, so the seed field itself is never modified.
    StringBuilder patched = new StringBuilder(this.seed)
            .replace(0, 1, "h")
            .replace(5, 6, "2")
            .replace(10, 11, "f")
            .replace(7, 8, "G");

    // LENGTH_SHORT is the constant 0 that the decompiled call passes as the duration.
    Toast.makeText(this, "flag is " + patched, Toast.LENGTH_SHORT).show();
}
看雪ID:neilwu
https://bbs.pediy.com/user-590753.htm