strange apk



Solution approach

First 12 characters

localObject2 = new StringBuilder();
((StringBuilder)localObject2).append(paramAnonymousView);
((StringBuilder)localObject2).append(str.charAt(i));
paramAnonymousView = ((StringBuilder)localObject2).toString();
i++;
if (((String)localObject2).equals("c2N0ZntXM2xjMG1l"))
>>> base64.b64decode("c2N0ZntXM2xjMG1l")
'sctf{W3lc0me'

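There is an encrypted data file. Opening the app in a virtual machine leaves the decrypted APK stored there, so pull it off and analyze it directly. Last 18 characters:
Here an Intent is first used to start another class: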

localObject1 = new Intent();
((Intent)localObject1).putExtra("data_return", paramAnonymousView);
s.this.setResult(-1, (Intent)localObject1);
s.this.finish();

The final key comparison:

if (f.encode(paramIntent.getStringExtra("data_return"), (String)localObject1).equals("~8t808_8A8n848r808i8d8-8w808r8l8d8}8"))

The MD5 is generated here:

try {
    Object localObject2 = MessageDigest.getInstance("MD5");
    ((MessageDigest)localObject2).update("syclover".getBytes());
    BigInteger localBigInteger = new java/math/BigInteger;
    localBigInteger.<init>(1, ((MessageDigest)localObject2).digest());
    localObject2 = localBigInteger.toString(16);
    localObject1 = localObject2;
} catch (Exception localException) {
    localException.printStackTrace();
}

I wrote a function modeled on it:

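import java.math.BigInteger;
import java.security.MessageDigest;

public class GenMd5 {
    // Reproduces the app's key derivation: MD5("syclover") rendered as hex via BigInteger.
    public static void genMd5() {
        String plaintext = "syclover";
        try {
            MessageDigest m = MessageDigest.getInstance("MD5");
            m.reset();
            m.update(plaintext.getBytes());
            byte[] digest = m.digest();
            // Signum 1 keeps the value positive; toString(16) omits leading zeros.
            BigInteger bigInt = new BigInteger(1, digest);
            String hashtext = bigInt.toString(16);
            System.out.print(hashtext);
        } catch (Exception localException) {
            localException.printStackTrace();
        }
    }

    public static void main(String[] args) {
        genMd5();
    }
}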

This gives 8bfc8af07bca146c937f283b8ec768d4

The key comparison uses an encode function:

public static String encode(String paramString1, String paramString2) {
    int i = paramString1.length();
    int j = paramString2.length();
    StringBuilder localStringBuilder = new StringBuilder();
    for (int k = 0; k < i; k++)
    {
        localStringBuilder.append(paramString1.charAt(k));
        localStringBuilder.append(paramString2.charAt(k / j));
    }
    return localStringBuilder.toString();
}

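The challenge author seems to have mixed up integer division and modulo; it should be k % j. As written, the key is 32 characters long and the input is only 18, so k / j is always 0 and the appended character is always the first character of the MD5 string, 8. An 8 is therefore simply inserted after every character of the flag, giving the string: ~8t808_8A8n848r808i8d8-8w808r8l8d8}8, so the second half of the flag is: ~t0_An4r0id-w0rld}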
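The inversion described above, as an added Python example that is not part of the original write-up or the APK: it ports encode() with a pluggable index so the shipped k / j and the intended k % j can be compared, and decodes the comparison string by checking the interleaved key characters. The function names and the KEY_FROM_PAGE, TARGET and FIRST_HALF_B64 constants are introduced here; their values are copied from the write-up.

```python
import base64
import hashlib

# Values copied from the write-up above.
FIRST_HALF_B64 = "c2N0ZntXM2xjMG1l"
TARGET = "~8t808_8A8n848r808i8d8-8w808r8l8d8}8"
KEY_FROM_PAGE = "8bfc8af07bca146c937f283b8ec768d4"


def java_md5_hex(text):
    """MD5 as the app formats it: BigInteger(1, digest).toString(16) drops leading zeros."""
    digest = hashlib.md5(text.encode()).digest()
    return format(int.from_bytes(digest, "big"), "x")


def encode(data, key, index=lambda k, j: k // j):
    """Port of f.encode(); the default index is the shipped k / j."""
    j = len(key)
    return "".join(data[k] + key[index(k, j)] for k in range(len(data)))


def decode(encoded, key, index=lambda k, j: k // j):
    """Invert encode(): keep even positions, verify odd positions against the key."""
    if len(encoded) % 2:
        raise ValueError("encoded length must be even")
    data = encoded[0::2]
    if encode(data, key, index) != encoded:
        raise ValueError("interleaved key characters do not match")
    return data


def recover_flag(key=KEY_FROM_PAGE):
    """Join the base64-decoded first half with the de-interleaved second half."""
    first = base64.b64decode(FIRST_HALF_B64).decode()
    return first + decode(TARGET, key)


if __name__ == "__main__":
    print("computed key matches page:", java_md5_hex("syclover") == KEY_FROM_PAGE)
    print(recover_flag())
    # With k % j the interleaved characters would walk through the key instead.
    print(encode("~t0_An4r0id-w0rld}", KEY_FROM_PAGE, lambda k, j: k % j))
```

Because every second character is key material in either variant, the interleaving hides nothing from anyone who can read the decompiled comparison.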

FLAG

sctf{W3lc0me~t0_An4r0id-w0rld}