本文为看雪论坛优秀文章
看雪论坛作者ID:genliese
一、背景
二、定位验证代码
package com.google.ctf.sandbox;
import android.app.Activity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;
/* renamed from: com.google.ctf.sandbox.ő reason: contains not printable characters */
/**
 * Decompiled main Activity of the CTF sandbox APK (the original class and field names
 * were not printable, see the decompiler notes). The real flag check lives in the
 * catch block of the button's onClick(): the try block is a decoy that always throws,
 * and the catch block validates the input as twelve independent 32-bit words.
 *
 * Security-relevant summary of the check (details at the inline comments):
 *  - the input must be exactly 48 chars, packed little-endian into 12 x 32-bit words;
 *  - word i passes iff inv(word) mod 2^32 == f0class[i], where inv is the Bezout
 *    coefficient returned by R.m0 (the extended Euclidean algorithm, listed further
 *    down this page), i.e. the multiplicative inverse when the word is odd;
 *  - words are checked one at a time with an early "验证失败" on the first mismatch,
 *    so the 12 constraints are independent and each is invertible in closed form
 *    (word = inv(f0class[i]) mod 2^32). No brute force is needed to recover the flag.
 */
public class ActivityC0000 extends Activity {
    /* renamed from: class reason: not valid java name */
    /** Expected values: one per 4-char chunk of the flag (the inverse mod 2^32 of that chunk). */
    long[] f0class;
    /* renamed from: ő reason: contains not printable characters */
    /** Index of the word currently being checked; reset to 0 at the start of every click. */
    int f1;
    /* renamed from: ő reason: contains not printable characters and collision with other field name */
    /** Working buffer: the 12 words packed from the current input. */
    long[] f2;

    /**
     * Initialises the constants. The try/catch is a decompiler artifact: the plain
     * assignments below do not throw, so the catch (type I, an exception class the
     * decompiler could not resolve to a readable name) appears to be dead code.
     */
    public ActivityC0000() {
        try {
            this.f0class = new long[]{40999019, 2789358025L, 656272715, 18374979, 3237618335L, 1762529471, 685548119, 382114257, 1436905469, 2126016673, 3318315423L, 797150821};
            this.f2 = new long[12];
            this.f1 = 0;
        } catch (I unused) {
        }
    }

    /* access modifiers changed from: protected */
    /**
     * Wires the single button of activity_main to the checker below.
     * (Declared public here although Activity.onCreate is protected; widening is legal.)
     */
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        final EditText editText = (EditText) findViewById(R.id.editText);
        final TextView textView = (TextView) findViewById(R.id.textView);
        ((Button) findViewById(R.id.button)).setOnClickListener(new View.OnClickListener() {
            /* class com.google.ctf.sandbox.ActivityC0000.AnonymousClass1 */
            /**
             * Decoy-then-check. The try block never reaches the equals(): the array
             * holds autoboxed Integers and the cast to Character throws a
             * ClassCastException (a RuntimeException), which the catch clause swallows.
             * Decoded, the byte list spells "Apparently this is not the flag. What's
             * going on?". The catch clause holds the real validation.
             */
            public void onClick(View v) {
                ActivityC0000.this.f1 = 0; // restart at word 0 on every click
                try {
                    StringBuilder keyString = new StringBuilder();
                    for (Object chr : new Object[]{65, 112, 112, 97, 114, 101, 110, 116, 108, 121, 32, 116, 104, 105, 115, 32, 105, 115, 32, 110, 111, 116, 32, 116, 104, 101, 32, 102, 108, 97, 103, 46, 32, 87, 104, 97, 116, 39, 115, 32, 103, 111, 105, 110, 103, 32, 111, 110, 63}) {
                        keyString.append(((Character) chr).charValue()); // Integer -> Character cast: always throws
                    }
                    if (editText.getText().toString().equals(keyString.toString())) {
                        textView.setText("验证成功");
                    } else {
                        textView.setText("验证失败");
                    }
                } catch (J | Error | Exception unused) {
                    // J is another exception type the decompiler could not name; the
                    // ClassCastException from above arrives here via the Exception arm.
                    String flagString = editText.getText().toString();
                    if (flagString.length() != 48) { // 12 words x 4 chars
                        textView.setText("验证失败");
                        return;
                    }
                    // Pack each 4-char chunk little-endian: charAt(i*4) is the low byte,
                    // charAt(i*4+3) occupies bits 24..31. '\b' is the char U+0008, i.e. a
                    // shift by 8. Note the shifts are int shifts on a 16-bit char: a char
                    // >= 0x80 in slot i*4+3 sets bit 31 and the cast to long sign-extends,
                    // producing a negative word -- irrelevant for ASCII input.
                    for (int i = 0; i < flagString.length() / 4; i++) {
                        ActivityC0000.this.f2[i] = (long) (flagString.charAt((i * 4) + 3) << 24);
                        long[] jArr = ActivityC0000.this.f2;
                        jArr[i] = jArr[i] | ((long) (flagString.charAt((i * 4) + 2) << 16));
                        long[] jArr2 = ActivityC0000.this.f2;
                        jArr2[i] = jArr2[i] | ((long) (flagString.charAt((i * 4) + 1) << '\b'));
                        long[] jArr3 = ActivityC0000.this.f2;
                        jArr3[i] = jArr3[i] | ((long) flagString.charAt(i * 4));
                    }
                    ActivityC0000 r6 = ActivityC0000.this; // unused local left by the decompiler
                    // R.m0(x, 2^32)[0] is the Bezout coefficient of x, i.e. the multiplicative
                    // inverse of x mod 2^32 when x is odd (every f0class entry is odd, so
                    // every valid word has an odd first character). The "(% M + M) % M"
                    // folds a possibly negative coefficient into [0, 2^32) before comparing.
                    // Only the word at index f1 is checked per pass -- first mismatch fails.
                    if (((R.m0(ActivityC0000.this.f2[ActivityC0000.this.f1], 4294967296L)[0] % 4294967296L) + 4294967296L) % 4294967296L != ActivityC0000.this.f0class[ActivityC0000.this.f1]) {
                        textView.setText("验证失败");
                        return;
                    }
                    ActivityC0000.this.f1++;
                    if (ActivityC0000.this.f1 >= ActivityC0000.this.f2.length) {
                        textView.setText("验证成功"); // all 12 words matched
                        return;
                    }
                    // In this Java rendering the throw would escape onClick. The smali
                    // shown later on this page has the handler body inside its own try
                    // region whose catch (:catch_11) jumps back to :goto_205, the start of
                    // this block: at runtime the exception re-enters here with f1 advanced
                    // and the next word is checked, until all 12 pass or one fails. The
                    // decompiler flattened that exception-driven loop.
                    throw new RuntimeException();
                }
            }
        });
    }
}
三、分析验证代码
try {
StringBuilder keyString = new StringBuilder();
for (Object chr : new Object[]{65, 112, 112, 97, 114, 101, 110, 116, 108, 121, 32, 116, 104, 105, 115, 32, 105, 115, 32, 110, 111, 116, 32, 116, 104, 101, 32, 102, 108, 97, 103, 46, 32, 87, 104, 97, 116, 39, 115, 32, 103, 111, 105, 110, 103, 32, 111, 110, 63}) {
keyString.append(((Character) chr).charValue());
}
if (editText.getText().toString().equals(keyString.toString())) {
textView.setText("验证成功");
} else {
textView.setText("验证失败");
}
} catch (J | Error | Exception unused) {
......
}
String flagString = editText.getText().toString();
if (flagString.length() != 48) {
textView.setText("验证失败");
return;
}
for (int i = 0; i < flagString.length() / 4; i++) {
ActivityC0000.this.f2[i] = (long) (flagString.charAt((i * 4) + 3) << 24);
long[] jArr = ActivityC0000.this.f2;
jArr[i] = jArr[i] | ((long) (flagString.charAt((i * 4) + 2) << 16));
long[] jArr2 = ActivityC0000.this.f2;
jArr2[i] = jArr2[i] | ((long) (flagString.charAt((i * 4) + 1) << '\b'));
long[] jArr3 = ActivityC0000.this.f2;
jArr3[i] = jArr3[i] | ((long) flagString.charAt(i * 4));
}
ActivityC0000 r6 = ActivityC0000.this;
if (((R.m0(ActivityC0000.this.f2[ActivityC0000.this.f1], 4294967296L)[0] % 4294967296L) + 4294967296L) % 4294967296L != ActivityC0000.this.f0class[ActivityC0000.this.f1]) {
textView.setText("验证失败");
return;
}
ActivityC0000.this.f1++;
if (ActivityC0000.this.f1 >= ActivityC0000.this.f2.length) {
textView.setText("验证成功");
return;
}
throw new RuntimeException();
String flagString = editText.getText().toString();
if (flagString.length() != 48) {
textView.setText("验证失败");
return;
}
for (int i = 0; i < flagString.length() / 4; i++) {
ActivityC0000.this.f2[i] = (long) (flagString.charAt((i * 4) + 3) << 24);
long[] jArr = ActivityC0000.this.f2;
jArr[i] = jArr[i] | ((long) (flagString.charAt((i * 4) + 2) << 16));
long[] jArr2 = ActivityC0000.this.f2;
jArr2[i] = jArr2[i] | ((long) (flagString.charAt((i * 4) + 1) << '\b'));
long[] jArr3 = ActivityC0000.this.f2;
jArr3[i] = jArr3[i] | ((long) flagString.charAt(i * 4));
}
//等价的python实现：每 4 个字符按小端打包为一个 32 位字，charAt(i*4) 为最低字节，charAt(i*4+3) 为最高字节
//'\b'<=>8 （Java 的 '\b' 是退格字符，编码为 8，因此 << '\b' 即 << 8）
_value = (((ord(_index_3) << 24) | (ord(_index_2) << 16)) | (ord(_index_1) << 8)) | ord(_index_0)
this.f0class = new long[]{40999019, 2789358025L, 656272715, 18374979, 3237618335L, 1762529471, 685548119, 382114257, 1436905469, 2126016673, 3318315423L, 797150821};
this.f2 = new long[12];
this.f1 = 0;
if (((R.m0(ActivityC0000.this.f2[ActivityC0000.this.f1], 4294967296L)[0] % 4294967296L) + 4294967296L) % 4294967296L != ActivityC0000.this.f0class[ActivityC0000.this.f1]) {
textView.setText("验证失败");
return;
}
/**
 * Extended Euclidean algorithm as decompiled from R.m0, the helper the flag check calls.
 *
 * Returns {x, y} with a*x + b*y == gcd(a, b). When a is odd and b == 2^32, x is the
 * multiplicative inverse of a mod 2^32 (possibly negative -- the caller normalises it
 * into [0, 2^32)). Recursion depth is logarithmic in the smaller argument, so 64-bit
 * inputs are fine.
 *
 * @param a first operand (the packed flag word in the check)
 * @param b second operand (the modulus 4294967296L in the check)
 * @return Bezout coefficients {x, y}
 */
public static long[] m0(long a, long b) {
    if (a != 0) {
        long quotient = b / a;
        long[] sub = m0(b % a, a);           // coefficients for the pair (b mod a, a)
        long x = sub[1] - quotient * sub[0]; // back-substitute so that a*x + b*y == gcd
        long y = sub[0];
        return new long[]{x, y};
    }
    return new long[]{0, 1}; // gcd(0, b) == b, reached with coefficients (0, 1)
}
ActivityC0000.this.f1++;
if (ActivityC0000.this.f1 >= ActivityC0000.this.f2.length) {
textView.setText("验证成功");
return;
}
throw new RuntimeException();
......
new-instance v8, Ljava/lang/RuntimeException;
invoke-direct {v8}, Ljava/lang/RuntimeException;-><init>()V
throw v8
:goto_2c4
return-void
nop
.array-data 8
0x1
.end array-data
:try_end_2ce
.catch Ljava/lang/Exception; {:try_start_205 .. :try_end_2ce} :catch_11
:catch_11
const/16 v2, 0x31
const/4 v3, 0x0
const/4 v4, 0x3
const/4 v5, 0x2
const/4 v6, 0x1
const/4 v7, 0x4
goto/16 :goto_205
:goto_205
:try_start_205
iget-object v3, v1, Lcom/google/ctf/sandbox/ő$1;->val$editText:Landroid/widget/EditText;
invoke-virtual {v3}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
move-result-object v3
invoke-virtual {v3}, Ljava/lang/Object;->toString()Ljava/lang/String;
move-result-object v3
.line 61
.local v3, "flagString":Ljava/lang/String;
invoke-virtual {v3}, Ljava/lang/String;->length()I
move-result v5
四、flag生成算法（说明：校验的本质是 32 位模逆运算，而逆元的逆元就是原值，因此每个字可以直接由 m0(magic[i], 2**32)[0] % 2**32 还原，无需对 4 字符组合进行穷举）
from itertools import permutations
import sys
import time
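MODULUS = 1 << 32   # the APK compares inverses mod 4294967296 (2^32)
WORD_BYTES = 4      # 48-char input == 12 words of 4 chars
# character set the original brute force searched; used only to warn on odd output
ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!?_{}'


def m0(a, b):
    """Extended Euclid as decompiled from R.m0: returns [x, y] with a*x + b*y == gcd(a, b)."""
    if a == 0:
        return [0, 1]
    r = m0(b % a, a)
    return [r[1] - ((b // a) * r[0]), r[0]]


def modinv(value, modulus=MODULUS):
    """Multiplicative inverse of value mod modulus, normalised to [0, modulus).

    Uses the same m0 the APK uses so the result matches its check bit for bit.
    Only meaningful when gcd(value, modulus) == 1, i.e. value is odd for 2^32.
    """
    x, _ = m0(value, modulus)
    return x % modulus  # Python's % already yields a non-negative remainder


def pack_word(chunk):
    """Little-endian pack of a 4-char chunk exactly as the onClick loop does.

    chunk[0] is the low byte, chunk[3] occupies bits 24..31.
    """
    return (((ord(chunk[3]) << 24) | (ord(chunk[2]) << 16)) | (ord(chunk[1]) << 8)) | ord(chunk[0])


def unpack_word(word):
    """Inverse of pack_word: the four characters, lowest byte first."""
    return ''.join(chr((word >> (8 * i)) & 0xFF) for i in range(WORD_BYTES))


def calculate(_index_3, _index_2, _index_1, _index_0):
    """Value the APK compares against magic[i] for the chunk _index_0.._index_3.

    Kept with the original argument order (highest byte first) for compatibility;
    the progress print of the brute-force version is gone since nothing loops anymore.
    """
    _value = pack_word(_index_0 + _index_1 + _index_2 + _index_3)
    return modinv(_value)


def recover_flag(magic_values, modulus=MODULUS):
    """Recover the flag directly from the expected inverses.

    The check passes iff inv(word) == magic[i] (mod 2^32); since inv(inv(w)) == w,
    word i is simply inv(magic[i]). Each word is verified by re-running calculate()
    on the decoded chunk, so a wrong assumption shows up as an exception instead
    of a silently wrong flag. Raises ValueError on an even (non-invertible) value.
    """
    chunks = []
    for index, m in enumerate(magic_values):
        if m % 2 == 0:
            raise ValueError('magic[{}] = {} is even and has no inverse mod 2^32'.format(index, m))
        chunk = unpack_word(modinv(m, modulus))
        if calculate(chunk[3], chunk[2], chunk[1], chunk[0]) != m:
            raise ValueError('round-trip check failed for magic[{}]'.format(index))
        chunks.append(chunk)
    return ''.join(chunks)


magic = [40999019, 2789358025, 656272715, 18374979, 3237618335, 1762529471, 685548119, 382114257, 1436905469,
         2126016673, 3318315423, 797150821]


if __name__ == '__main__':
    time_begin = time.time()
    flag = recover_flag(magic)
    # The original search only tried ALPHABET characters (and, via permutations(),
    # only chunks without repeated characters); warn if the closed-form answer
    # falls outside that set so the reader knows the brute force would have missed it.
    unexpected = [c for c in flag if c not in ALPHABET]
    if unexpected:
        sys.stderr.write('[!] characters outside the brute-force alphabet: {!r}\n'.format(unexpected))
    sys.stdout.write('[*] Flag: {}\n'.format(flag))
    sys.stdout.flush()
    time_end = time.time()
    cost_time = time_end - time_begin
    print('cost time: ' + str(cost_time // 60) + 'min')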
看雪ID:genliese
https://bbs.pediy.com/user-home-825187.htm