CTF每日一题-Day8


D8 T1 app3

下下来是个.ab Android 应用备份文件

file app3.ab
app3.ab: Android Backup, version 2, Compressed, Not-Encrypted

file的输出里写着Not-Encrypted,备份没加密,可以直接用ABE(android-backup-extractor)解包成tar文件

java -jar abe-all.jar unpack app3.ab app3.tar

拿到base.apk

放虚拟机上跑一跑

还是一个登录界面

JEB分析一下

先看MainActivity,onCreate函数里调用了a()

    /**
     * Builds the passphrase for "Demo.db", obtains a writable database handle with it and
     * inserts one row into the table "TencentMicrMsg".
     *
     * <p>Decompiler output; all identifiers are the obfuscated ones. Every input to the
     * passphrase is a constant in this method or in the helper class
     * {@code com.example.yaphetshan.tencentwelcome.a.a}, so the value can be recomputed from
     * the APK alone.
     */
    private void a() {
        // NOTE(review): loadLibs(...) and a password argument on getWritableDatabase(...) match
        // the SQLCipher for Android API — confirm against the imports of this class.
        SQLiteDatabase.loadLibs(((Context)this));
        // This 4-argument class a is not the a.a helper used below; presumably an
        // SQLiteOpenHelper-style subclass for "Demo.db", version 1 — verify.
        this.b = new a(((Context)this), "Demo.db", null, 1);
        // Row to insert; the same two constants also seed the passphrase.
        ContentValues v0 = new ContentValues();
        v0.put("name", "Stranger");
        v0.put("password", Integer.valueOf(123456));
        com.example.yaphetshan.tencentwelcome.a.a v1 = new com.example.yaphetshan.tencentwelcome.a.a();
        // getAsString returns the stored value's string form, so the Integer becomes "123456".
        // v1.a(String, String) joins the first 4 characters of each argument.
        String v2 = v1.a(v0.getAsString("name"), v0.getAsString("password"));
        // Passphrase = first 7 characters of v1.a(v2 + v1.b(v2, password)).
        // NOTE(review): a passphrase built only from embedded constants gives no confidentiality
        // once both the APK and the database file are available, as in an unencrypted backup.
        this.a = this.b.getWritableDatabase(v1.a(v2 + v1.b(v2, v0.getAsString("password"))).substring(0, 7));
        this.a.insert("TencentMicrMsg", null, v0);
    }

打开了一个SQLite数据库,getWritableDatabase的参数(也就是数据库密码)是v1.a(v2 + v1.b(v2, v0.getAsString("password"))).substring(0, 7)

关键就是要把这个参数给搞出来

a()里面还调用了a类,跟进看一下

/**
 * Decompiled helper that produces the strings used for the database passphrase.
 *
 * <p>Going by the matching method signatures, this is the type instantiated as {@code v1} in
 * {@code MainActivity.a()}. The hashing itself is delegated to the static methods of class
 * {@code b}.
 */
public class a {
    // Fixed suffix that a(String) appends to its argument before hashing.
    private String a;

    public a() {
        super();
        this.a = "yaphetshan";
    }

    /**
     * Joins the first four characters of {@code arg4} with the first four of {@code arg5}.
     *
     * @throws StringIndexOutOfBoundsException if either argument has fewer than four characters
     */
    public String a(String arg4, String arg5) {
        return arg4.substring(0, 4) + arg5.substring(0, 4);
    }// takes the first 4 characters of arg4 and of arg5

    /**
     * Returns {@code b.b(arg3 + "yaphetshan")}; in the class b listing, {@code b.b} is the
     * SHA-1 digest as lowercase hex.
     */
    public String a(String arg3) {
        new b(); // instance is discarded; only the static method below is used
        return b.b(arg3 + this.a);
    }

    /**
     * Returns {@code b.a(arg2)}; in the class b listing, {@code b.a} is the MD5 digest as
     * lowercase hex. {@code arg3} is never read, so the second argument does not affect the
     * result.
     */
    public String b(String arg2, String arg3) {
        new b(); // instance is discarded; only the static method below is used
        return b.a(arg2);
    }
}

所以v2=Stra1234

a又调用了类b

跟进看一下

/**
 * Decompiled hashing helpers: {@code a(String)} is MD5 and {@code b(String)} is SHA-1, each
 * returned as a lowercase hexadecimal string.
 *
 * <p>The two method bodies are the same apart from the algorithm name.
 */
public class b {
    public b() {
        super();
    }

    /**
     * Returns the MD5 digest of {@code arg9} as lowercase hex, two characters per digest byte.
     *
     * @param arg9 text to hash; converted with {@code getBytes()}, i.e. the platform default charset
     * @return the hex string, or {@code null} if anything inside the try block throws
     *         (a {@code null} argument included)
     */
    public static final String a(String arg9) {
        String v0_2;
        int v0 = 0; // index into the digest bytes
        // Lookup table: nibble value -> lowercase hex digit.
        char[] v2 = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
        try {
            byte[] v1 = arg9.getBytes();
            MessageDigest v3 = MessageDigest.getInstance("MD5");
            v3.update(v1);
            byte[] v3_1 = v3.digest();
            int v4 = v3_1.length;
            char[] v5 = new char[v4 * 2];
            int v1_1 = 0; // write position in v5
            while(v0 < v4) {// equivalent to base16, i.e. the hex value of each byte
                int v6 = v3_1[v0]; // byte is sign-extended to int here
                int v7 = v1_1 + 1;
                // Parsed as (v6 >>> 4) & 15; the mask discards the sign-extension bits.
                v5[v1_1] = v2[v6 >>> 4 & 15];// '>>>' is the unsigned right shift
                v1_1 = v7 + 1;
                v5[v7] = v2[v6 & 15];
                ++v0;
            }

            v0_2 = new String(v5);
        }
        catch(Exception v0_1) {
            // Any failure is swallowed and reported to the caller as null.
            v0_2 = null;
        }

        return v0_2;
    }

    /**
     * Returns the SHA-1 digest of {@code arg9} as lowercase hex, two characters per digest byte.
     *
     * @param arg9 text to hash; converted with {@code getBytes()}, i.e. the platform default charset
     * @return the hex string, or {@code null} if anything inside the try block throws
     *         (a {@code null} argument included)
     */
    public static final String b(String arg9) {
        String v0_2;
        int v0 = 0; // index into the digest bytes
        // Lookup table: nibble value -> lowercase hex digit.
        char[] v2 = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
        try {
            byte[] v1 = arg9.getBytes();
            MessageDigest v3 = MessageDigest.getInstance("SHA-1");
            v3.update(v1);
            byte[] v3_1 = v3.digest();
            int v4 = v3_1.length;
            char[] v5 = new char[v4 * 2];
            int v1_1 = 0; // write position in v5
            while(v0 < v4) {
                int v6 = v3_1[v0]; // byte is sign-extended to int here
                int v7 = v1_1 + 1;
                // High nibble first, then low nibble; the & 15 mask drops the sign-extension bits.
                v5[v1_1] = v2[v6 >>> 4 & 15];
                v1_1 = v7 + 1;
                v5[v7] = v2[v6 & 15];
                ++v0;
            }

            v0_2 = new String(v5);
        }
        catch(Exception v0_1) {
            // Any failure is swallowed and reported to the caller as null.
            v0_2 = null;
        }

        return v0_2;
    }
}

所以整个过程相当于base16(SHA1(v2+base16(MD5(v2))+"yaphetshan"))[0:7],其中MD5/SHA1指原始摘要字节,base16就是十六进制(hex)编码

v2="Stra1234"

写个python脚本

#coding=utf-8
import hashlib
import base64

# Hex-encoded MD5 of a string. hexdigest() already returns lowercase hexadecimal text,
# which is the same output as the app's b.a(). The parameter name shadows the builtin str.
def MD5(str):
    md5 = hashlib.md5()
    md5.update(str.encode())
    return md5.hexdigest()
# Hex-encoded SHA-1 of a string; same output form as the app's b.b().
def SHA1(str):
    sha1= hashlib.sha1()
    sha1.update(str.encode())
    return sha1.hexdigest()

# Lowercase hex encoding of the characters of a string.
# NOTE(review): applied to the result of MD5() below, this hex-encodes text that is already
# hex, which is where this script diverges from the app.
def base16(str):
    return base64.b16encode(str.encode()).lower()

# NOTE(review): the app hashes v2 + <hex MD5 of v2> + "yaphetshan"; the line below puts the
# doubly encoded MD5 in the middle instead, so the SHA-1 input differs from the app's.
# The app also keeps only the first 7 characters of the result, which is not sliced here.
# The print statement is Python 2 syntax.
v2="Stra1234"
print SHA1(v2+base16(MD5(v2))+"yaphetshan")

但是结果好像有点问题:hashlib的hexdigest()返回的已经是十六进制字符串,再套一层base16就编码了两次,和App里的计算对不上。。。。

后来想想直接把反编译的代码扒下来就可以了

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class b {
    public b() {
        super();
    }

    public static final String a(String arg9) {
        String v0_2;
        int v0 = 0;
        char[] v2 = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
        try {
            byte[] v1 = arg9.getBytes();
            MessageDigest v3 = MessageDigest.getInstance("MD5");
            v3.update(v1);
            byte[] v3_1 = v3.digest();
            int v4 = v3_1.length;
            char[] v5 = new char[v4 * 2];
            int v1_1 = 0;
            while(v0 < v4) {
                int v6 = v3_1[v0];
                int v7 = v1_1 + 1;
                v5[v1_1] = v2[v6 >>> 4 & 15];
                v1_1 = v7 + 1;
                v5[v7] = v2[v6 & 15];
                ++v0;
            }

            v0_2 = new String(v5);
        }
        catch(Exception v0_1) {
            v0_2 = null;
        }

        return v0_2;
    }

    public static final String b(String arg9) {
        String v0_2;
        int v0 = 0;
        char[] v2 = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
        try {
            byte[] v1 = arg9.getBytes();
            MessageDigest v3 = MessageDigest.getInstance("SHA-1");
            v3.update(v1);
            byte[] v3_1 = v3.digest();
            int v4 = v3_1.length;
            char[] v5 = new char[v4 * 2];
            int v1_1 = 0;
            while(v0 < v4) {
                int v6 = v3_1[v0];
                int v7 = v1_1 + 1;
                v5[v1_1] = v2[v6 >>> 4 & 15];
                v1_1 = v7 + 1;
                v5[v7] = v2[v6 & 15];
                ++v0;
            }

            v0_2 = new String(v5);
        }
        catch(Exception v0_1) {
            v0_2 = null;
        }

        return v0_2;
    }
}
//test.java
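/**
 * Off-device reproduction of the app's database-passphrase derivation.
 *
 * <p>The instance methods are the decompiled helper class {@code a} under a new class name,
 * and {@link #main(String[])} replays the call sequence of {@code MainActivity.a()} with the
 * same constants. The class {@code b} (hex MD5 / SHA-1 helpers) must be compiled alongside.
 */
public class test {

    /** Fixed suffix that {@link #a(String)} appends to its argument before hashing. */
    private final String a;

    public test() {
        super();
        this.a = "yaphetshan";
    }

    /**
     * Joins the first four characters of {@code arg4} with the first four of {@code arg5}.
     *
     * @throws StringIndexOutOfBoundsException if either argument has fewer than four characters
     */
    public String a(String arg4, String arg5) {
        return arg4.substring(0, 4) + arg5.substring(0, 4);
    }

    /** Returns the hex SHA-1 ({@code b.b}) of {@code arg3} followed by the fixed suffix. */
    public String a(String arg3) {
        // The decompiled code also created a throwaway b instance here; only the static call matters.
        return b.b(arg3 + this.a);
    }

    /**
     * Returns the hex MD5 ({@code b.a}) of {@code arg2}. {@code arg3} is never read, exactly as
     * in the decompiled method.
     */
    public String b(String arg2, String arg3) {
        return b.a(arg2);
    }

    /** Prints the 7-character passphrase computed from the constants found in the app. */
    public static void main(String[] args) {
        // Was "Test t" and "k.b(...)": neither Test nor k is declared, so the listing did not compile.
        test t = new test();
        String v2 = t.a("Stranger", "123456");
        String ans = t.a(v2 + t.b(v2, "123456")).substring(0, 7);
        System.out.println(ans);
    }
}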
[email protected]:~/codes/adworld/app3# javac test.java 
[email protected]:~/codes/adworld/app3# java test
ae56f99

拿到数据库密码

然后用SQLiteDatabaseBrowser打开数据库

F_l_a_g字段

VGN0ZntIM2xsMF9Eb19ZMHVfTG92M19UZW5jM250IX0=

base64解码拿到flag

参考资料

Android Activity的onCreate()函数:

https://blog.csdn.net/xzhang76/article/details/38439811

D8 T2 flag_universe

好久没做流量分析了,做一道看看

主要是ftp协议的数据包

分离出来三个

flag.txt universe.png new_universe.png

flag.txt里面base64解码一下

flag{This is fake flag hahaha}

universe.png和new_universe.png都看了一下

最后发现flag藏在new_universe.png的LSB(最低有效位)里

666c61677b506c61 74655f6572725f6b  flag{Pla te_err_k
6c6175735f4d6169 6c5f4c6966657d0a  laus_Mai l_Life}.
db71b91c4954aa56 a49131b6e38e3724  .q..IT.V ..1...7$

声明:Eki's Blog|版权所有,违者必究|如未注明,均为原创|本网站采用BY-NC-SA协议进行授权

转载:转载请注明原文链接 - CTF每日一题-Day8

