REVERSE-PRACTICE-JarvisOJ-1
- [61dctf]androideasy
- [61dctf]stheasy
- DD - Android Normal
- DD - Android Easy
[61dctf]androideasy
apk文件,用jadx-gui打开
主要的逻辑为,获取输入,检验输入的长度,输入异或23后与已知数组比较,验证输入
写逆异或运算脚本即可得到flag
s=[113, 123, 118, 112, 108, 94, 99, 72, 38, 68,72, 87, 89, 72, 36, 118, 100, 78, 72, 87, 121,83, 101, 39, 62, 94, 62, 38, 107, 115, 106]
flag=""
for i in s:flag+=chr(i^23)
print(flag)
#flag{It_1S_@N_3asY_@nDr0)I)1|d}
[61dctf]stheasy
elf文件,无壳,ida分析
main函数逻辑清晰,读取输入,调用sub_8048630函数验证输入,返回1验证成功,返回0验证失败
进入sub_8048630函数,验证输入的长度是否为29,while循环体验证输入中的各个字符
写脚本即可得到flag
byte_8049AE0="lk2j9Gh}AgfY4ds-a6QW1#k5ER_T[cvLbV7nOm3ZeX{CMt8SZo]U"
byte_8049B15=[0x48, 0x5D, 0x8D, 0x24, 0x84, 0x27, 0x99, 0x9F, 0x54, 0x18,0x1E, 0x69, 0x7E, 0x33, 0x15, 0x72, 0x8D, 0x33, 0x24, 0x63,0x21, 0x54, 0x0C, 0x78, 0x78, 0x78, 0x78, 0x78, 0x1B, 0x00,0x00]
flag=""
for i in range(29):flag+=byte_8049AE0[byte_8049B15[i]//3-2]
print(flag)
#kctf{YoU_hAVe-GOt-fLg_233333}
DD - Android Normal
apk文件,jadx-gui打开
在com.didictf.hellolibs.MainActivity中静态加载了hello-libs库,输入与库中stringFromJNI方法返回的字符串比较,验证输入
ida打开DDCTF-Normal->lib->armeabi-v7a->libhello-libs.so
Java_com_didictf_hellolibs_MainActivity_stringFromJNI->__aeabi_wind_cpp_pr45
byte_66C和byte_722异或,从结果数组中取出合适的值,它们转成字符串后就是stringFromJNI方法返回的字符串
写脚本即可得到flag
byte_66C=[0xD8, 0xC2, 0x6B, 0x42, 0x82, 0x67, 0xC8, 0x4D, 0x7A, 0x95,0xE8, 0x81, 0x48, 0xC1, 0x9E, 0x40, 0xE8, 0xFB, 0xCF, 0xE6,0x4F, 0xBA, 0xE6, 0xAF, 0x78, 0x19, 0x6F, 0x9C, 0xE9, 0xF7,0x7A, 0xDD, 0x42, 0xCE, 0x8C, 0x03, 0xB8, 0x66, 0xD3, 0xAB,0x00, 0x7E, 0xDE, 0x3E, 0x53, 0xDE, 0x30, 0x91, 0x3D, 0xF7,0xCD, 0x72, 0x14, 0x51, 0x82, 0xEE, 0x1B, 0x8D, 0xB4, 0x8C,0xD0, 0x8A, 0xF6, 0x9A, 0x96, 0x71, 0x98, 0x62, 0x93, 0x4A,0x30, 0x2F, 0x9C, 0xA8, 0x79, 0x16, 0xC1, 0xE0, 0xEC, 0xD7,0xE5, 0xEC, 0x8A, 0x64, 0xB4, 0x46, 0xCF, 0xD9, 0xE5, 0x96,0xF3, 0x94, 0x73, 0xA9, 0xFF, 0xEA, 0xCB, 0x15, 0x9C, 0x7C,0xA1, 0xD8, 0x3E, 0xBB, 0x1D, 0x38, 0xCB, 0x55, 0xD0, 0x19,0x25, 0xB2, 0x0B, 0x92, 0xE8, 0x88, 0xAE, 0x06, 0xA2, 0x9B,0x93, 0x64, 0x5E, 0xFB, 0x09, 0x05, 0xF6, 0x2F, 0x1F, 0x35,0xCC, 0xEF, 0x05, 0x6C, 0x19, 0x42, 0x38, 0xA5, 0x59, 0x2E,0x80, 0x0A, 0x19, 0xFC, 0x33, 0x5B, 0xBB, 0xD6, 0xEB, 0x2B,0xAC, 0xF7, 0x0E, 0xAD, 0xD8, 0x57, 0x40, 0x98, 0x71, 0x2C,0x78, 0x68, 0x91, 0x82, 0x4F, 0x5B, 0xD6, 0x40, 0x8F, 0x03,0xBD, 0x55, 0x0B, 0x47, 0x3D, 0xF4, 0x5A, 0x49, 0x5B, 0xF2,0xA2, 0x9E]
byte_722=[0xE1, 0xA1, 0x01, 0xE4, 0x82, 0x56, 0x9D, 0x70, 0xD9, 0xF5,0x08, 0x10, 0x22, 0xA7, 0x2D, 0x2B, 0x41, 0xF0, 0xBD, 0xA4,0x67, 0x3D, 0x9A, 0x20, 0xB9, 0xFB, 0x11, 0xD3, 0xAD, 0xB3,0x39, 0x89, 0x04, 0xE3, 0xBF, 0x3A, 0x8F, 0x07, 0xEA, 0x9B,0x61, 0x4D, 0xEC, 0x08, 0x64, 0xE8, 0x04, 0xA0, 0x0B, 0xC2,0xF5, 0x10, 0x76, 0x32, 0xBB, 0xD9, 0x2E, 0xBE, 0x86, 0xBA,0xE7, 0xBA, 0xC6, 0xFC, 0xA2, 0x13, 0xD8, 0x06, 0xFA, 0x2E,0x59, 0x4C, 0xF4, 0xDD, 0x01, 0x7F, 0xAF, 0x87, 0xC2, 0xB4,0x8A, 0x81, 0x8A, 0xF2, 0xB6, 0x60, 0x9A, 0x13, 0x52, 0xC0,0x6D, 0x9E, 0x5A, 0x52, 0xB5, 0x8F, 0x47, 0x5E, 0xE6, 0x41,0xAD, 0xF5, 0xBB, 0xA9, 0x7A, 0x6C, 0xA1, 0x4C, 0x38, 0x60,0xF2, 0x4B, 0x5C, 0xE8, 0x5B, 0xE5, 0xE3, 0xBA, 0x46, 0x70,0x33, 0x04, 0xA7, 0x58, 0x19, 0x10, 0x49, 0x20, 0x1D, 0x51,0x48, 0x9D, 0x78, 0xF9, 0xB4, 0x2E, 0x66, 0x58, 0x1B, 0xE8,0xEE, 0x51, 0x09, 0x21, 0x80, 0xBC, 0xC8, 0x7B, 0xF5, 0x4E,0x99, 0xFD, 0xFC, 0x9A, 0xFD, 0x65, 0x20, 0x13, 0x57, 0xD1,0x83, 0x4D, 0xF6, 0x2C, 0xAF, 0x25, 0x3C, 0x12, 0xF0, 0x7C,0x16, 0x66, 0x97, 0x7F, 0x6A, 0x02, 0xBC, 0x98, 0x52, 0xD7,0xE3, 0x56]
v8=[]
for i in range(182):v8.append(byte_66C[i]^byte_722[i])
v4=[]
v3=0
tmp=v8[(v8[0]>>1)+v3]
while tmp!=0:v4.append(tmp)v3+=1tmp = v8[(v8[0] >> 1) + v3]
print(''.join(chr(i) for i in v4))
#DDCTF-397a90a3267641658bbc975326700f4b@didichuxing.com
DD - Android Easy
apk文件,jadx-gui打开
在com.didi_ctf.flagapp.FlagActivity中,两个数组异或,从结果集中取出合适的值,转成字符串即为flag
写脚本即可得到flag
p =[-40, -62, 107, 66, -126, 103, -56, 77, 122, -107,-24, -127, 72, -63, -98, 64, -24, -5, -49, -26, 79,-70, -26, -81, 120, 25, 111, -100, -23, -9, 122, -35,66, -50, -116, 3, -72, 102, -45, -85, 0, 126, -34, 62,83, -34, 48, -111, 61, -9, -51, 114, 20, 81, -126, -18,27, -115, -76, -116, -48, -118, -10, -102, -106, 113,-104, 98, -109, 74, 48, 47, -100, -88, 121, 22, -63,-32, -20, -41, -27, -20, -118, 100, -76, 70, -49, -39,-27, -106, -13, -108, 115, -87, -1, -22, -53, 21, -100,124, -95, -40, 62, -69, 29, 56, -53, 85, -48, 25, 37,-78, 11, -110, -24, -120, -82, 6, -94, -101]
q = [-57, -90, 53, -71, -117, 98, 62, 98, 101, -96, 36,110, 77, -83, -121, 2, -48, 94, -106, -56, -49, -80,-1, 83, 75, 66, -44, 74, 2, -36, -42, -103, 6, -115,-40, 69, -107, 85, -78, -49, 54, 78, -26, 15, 98, -70,8, -90, 94, -61, -84, 64, 112, 51, -29, -34, 126, -21,-126, -71, -31, -24, -60, -2, -81, 66, -84, 85, -91, 10,84, 70, -8, -63, 26, 126, -76, -104, -123, -71, -126,-62, -23, 11, -39, 70, 14, 59, -101, -39, -124, 91,-109, 102, -49, 21, 105, 0, 37, -128, -57, 117, 110,-115, -86, 56, 25, -46, -55, 7, -125, 109, 76, 104,-15, 82, -53, 18, -28, -24]
bArr=[]
for i in range(len(p)):bArr.append(p[i]^q[i])
bArr2=[]
b=bArr[0]
i2=0
while bArr[b+i2]!=0:bArr2.append(bArr[b+i2])i2+=1
print(''.join(chr(i) for i in bArr2))
#DDCTF-3ad60811d87c4a2dba0ef651b2d93476@didichuxing.com
