一、说明
钉钉CTF是一个网友昨晚给我的,比较简单,但是思路和AliCTF非常像,所以就放在一起了,一些坛友问工具怎么使用
其实很简单,在这也稍微加下使用说明,自己技术比较菜,全程靠猜~~~~~有什么不对的地方,还请各位师傅指点.
二、钉钉CTF
这一题比较简单,先打开app看下
随便输入
错了,但是有个welcome to flag blank!根据题目意思,尝试什么都不输入
什么??????居然就对了!!!!!
好了,开始看Ali的吧...............
算啦算啦,还是看看内部怎么实现的这么牛逼的功能的吧
protected void onCreate(Bundle arg3) {
    super.onCreate(arg3);
    setContentView(2130968603);
    // Resource ids are the decompiler's raw constants: the input box, the result label, the button.
    text = findViewById(2131427416);
    textView1 = findViewById(2131427418);
    button = findViewById(2131427415);
    button.setOnClickListener(new View.OnClickListener() {
        public void onClick(View arg4) {
            // A fresh CheckClass per click: it loads the typed string and then judges it.
            CheckClass checker = new CheckClass();
            MainActivity.this.c = checker;
            checker.a(MainActivity.this.text.getText().toString());
            // The label shows the flag only when check() accepts the input.
            String message = checker.check()
                    ? "flag is XMAN{" + MainActivity.this.text.getText().toString() + "}"
                    : "WORING!";
            MainActivity.this.textView1.setText(message);
        }
    });
}
onCreate方法中,先看MainActivity.this.c.a
// Loads the candidate input into the 30-byte buffer A (zero-padded); B is only a
// temporary copy of the raw bytes and is replaced by an empty buffer before returning.
public void a(String arg5) {
    int v1 = 30;
    this.A = new byte[v1];
    this.B = arg5.getBytes(); // platform default charset; no explicit encoding
    int v0;
    // NOTE(review): the bound is the char count, not B.length, and is unchecked —
    // an input longer than 30 characters indexes past A.
    for(v0 = 0; v0 < arg5.length(); ++v0) {
        this.A[v0] = this.B[v0];
    }
    this.B = new byte[v1];
}
获取输入的字符串,再看MainActivity.this.c.check()
// Judges the input loaded by a(): a small table-driven state machine. Each entry of
// the fixed table v0 is decoded by b() into one of the cases below, which move two
// cursors (v4, v7) over A and the target bytes v5; case 4 ends the run and returns
// whether the two cursors agree.
public boolean check() {
    boolean v9 = false;
    // Fixed program: b() maps each entry to the case executed for it.
    int[] v0 = new int[]{40, 42, 65, 67, 68, 2, 64, 70, 96, 98, 181, 7, 10, 64, 23, 17, 37, 20, 45, 91, 74, 72, 135, 33, 57, 43, 87, 99, 147, 53};
    // Target bytes; case 2 rewrites v5[v4] in place before case 3 compares it with A[v7].
    byte[] v5 = new byte[]{52, 111, 102, 113, 52, 52, 98};
    int v2 = 0; // only incremented in default; never read
    int v4 = 0; // position cursor: advanced by cases 1 and 2, reset by case 5
    int v7 = 0; // match cursor: advanced by case 3 on a byte match
    int v1;
    for(v1 = 0; v1 < v0.length; ++v1) {
        int v8 = this.b(v0[v1]);
        new String(); // dead: the result is discarded
        Log.d("now array:", String.valueOf(v8));
        switch(v8) {
            case 0: {
                // XOR the byte under the match cursor with its own index.
                this.A[v7] = ((byte)(this.A[v7] ^ v7));
                break;
            }
            case 1: {
                // Step over a non-zero input byte (A is zero-padded after the input).
                if(this.A[v4] != 0) {
                    ++v4;
                }
                else {
                }
                break;
            }
            case 2: {
                // Decode the next target byte and advance.
                v5[v4] = ((byte)(v5[v4] ^ v4));
                ++v4;
                break;
            }
            case 3: {
                // Advance the match cursor only while target and input agree.
                if(v5[v7] == this.A[v7]) {
                    ++v7;
                }
                else {
                }
                break;
            }
            case 4: {
                // Terminal: the input is accepted when both cursors are equal.
                if(v7 == v4) {
                    v9 = true;
                }
                return v9;
            }
            case 5: {
                // With the loop's ++v1 this resumes at index v0.length - 2, skipping
                // the rest of the table unless v4 has reached the target length.
                if(v4 != v5.length) {
                    v1 = v0.length - 3;
                }
                else {
                    v4 = 0;
                }
                break;
            }
            default: {
                // b() only yields 0..5, so this branch is not reached.
                ++v2;
                break;
            }
        }
    }
    return v9;
}
// Decodes one table entry: the count of set bits among positions 0, 2, 4, 5 and 7
// (mask 181 == 0b10110101), so the result is always in 0..5. The decompiled form
// added those five masked bits one by one, which is exactly their population count.
public int b(int arg4) {
    return Integer.bitCount(arg4 & 181);
}
此函数为关键点,看着挺复杂的,只要返回为true即可
- case 4: {
- if(v7 == v4) {
- v9 = true;
- }
- return v9;
- }
case 4里的判断执行,下面再接着分析v8: `int v8 = this.b(v0[v1]);`
由于v0是固定的,所以v8也是固定的,那么switch语句就好分析了
- import java.security.InvalidKeyException;
- import java.security.NoSuchAlgorithmException;
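public class DCtf {
    /** 30-byte, zero-padded copy of the candidate input; every index the check uses stays below 30. */
    private static byte[] A;
    /** Raw bytes of the last input; replaced by an empty buffer at the end of a(). */
    private static byte[] B;

    /**
     * Harness entry point: loads a candidate input into A and runs the check.
     * Uses {@code args[0]} when given, otherwise the single character "4".
     */
    public static void main(String[] args) {
        String input = args.length > 0 ? args[0] : "4";
        a(input);
        System.out.println("check(\"" + input + "\") = " + check());
    }

    /**
     * Mirrors the app's CheckClass.a: copies the input bytes into a fresh 30-byte A.
     * The app copies {@code arg5.length()} bytes unchecked, so more than 30 characters
     * would throw ArrayIndexOutOfBoundsException and a multi-byte character (byte count
     * differs from char count) would truncate the copy; the harness clamps to the buffer
     * instead, which is identical for ASCII input of up to 30 characters.
     *
     * @param arg5 candidate input string
     */
    public static void a(String arg5) {
        int v1 = 30;
        A = new byte[v1];
        B = arg5.getBytes(); // platform default charset, as in the app
        System.arraycopy(B, 0, A, 0, Math.min(B.length, v1));
        B = new byte[v1];
    }

    /**
     * Decodes one entry of the table: the number of set bits among bit positions
     * 0, 2, 4, 5 and 7 (mask 181 == 0b10110101), so the result is in 0..5.
     * The decompiled form summed those five masked bits one by one.
     *
     * @param arg4 table entry
     * @return the case index 0..5 that check() executes for this entry
     */
    public static int b(int arg4) {
        return Integer.bitCount(arg4 & 181);
    }

    /**
     * Mirrors the app's CheckClass.check: a small table-driven state machine over A.
     * Each entry of v0 is decoded by b() into a case that moves two cursors (v4, v7)
     * over A and the target bytes v5; case 4 ends the run and returns whether the
     * cursors agree. Prints the same trace lines the write-up relies on.
     *
     * @return true when the loaded input is accepted
     */
    public static boolean check() {
        boolean v9 = false;
        // Fixed program: b() maps each entry to the case executed for it.
        int[] v0 = new int[]{40, 42, 65, 67, 68, 2, 64, 70, 96, 98, 181, 7, 10, 64, 23, 17, 37, 20, 45, 91, 74, 72, 135, 33, 57, 43, 87, 99, 147, 53};
        // Target bytes; case 2 rewrites v5[v4] in place before case 3 compares it with A[v7].
        byte[] v5 = new byte[]{52, 111, 102, 113, 52, 52, 98};
        int v4 = 0; // position cursor: advanced by cases 1 and 2, reset by case 5
        int v7 = 0; // match cursor: advanced by case 3 on a byte match
        int v1;
        for(v1 = 0; v1 < v0.length; ++v1) {
            int v8 = b(v0[v1]);
            System.out.println("now array:" + v8);
            switch(v8) {
                case 0: {
                    // XOR the byte under the match cursor with its own index.
                    A[v7] = (byte)(A[v7] ^ v7);
                    break;
                }
                case 1: {
                    // Step over a non-zero input byte (A is zero-padded after the input).
                    if(A[v4] != 0) {
                        ++v4;
                    }
                    break;
                }
                case 2: {
                    // Decode the next target byte and advance.
                    v5[v4] = (byte)(v5[v4] ^ v4);
                    ++v4;
                    break;
                }
                case 3: {
                    // Advance the match cursor only while target and input agree.
                    if(v5[v7] == A[v7]) {
                        System.out.println("v5[v7] "+v5[v7]+"------A[v7] "+A[v7]+" "+v7);
                        ++v7;
                    }
                    break;
                }
                case 4: {
                    // Terminal: accepted when both cursors are equal.
                    if(v7 == v4) {
                        v9 = true;
                    }
                    System.out.println("v7 "+v7+"------v4 "+v4);
                    return v9;
                }
                case 5: {
                    if(v4 != v5.length) {
                        // With the loop's ++v1 this resumes at index v0.length - 2,
                        // skipping the rest of the table.
                        v1 = v0.length - 3;
                    }
                    else {
                        v4 = 0;
                    }
                    break;
                }
                default: {
                    // b() only yields 0..5, so this branch is not reached.
                    break;
                }
            }
        }
        return v9;
    }
}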
运行上面的代码,可以得到v8的值分别是
- now array:1
- now array:1
- now array:1
- now array:1
- now array:1
- now array:0
- now array:0
- now array:1
- now array:1
- now array:1
- now array:5
- now array:3
- now array:4
最后执行的就是case 4,符合我们前面的分析,但是要满足v7 == v4,而能影响v7的只有case 3这个分支,看上面v8的值,知道下面的代码只执行了一次
- case 3: {
- if(v5[v7] == this.A[v7]) {
- ++v7;
- }
- else {
- }
- break;
- }
所以要想v7 == v4,v7和v4只能为1或者0,0就是什么都不输入;++v7执行之后为1,执行之前v7就为0,所以A[v7]=52,查ASCII码表结果为4
分析到这,你就认为完了?然后并没有结束、、、、
- case 5: {
- if (v4 != v5.length) {
- v1 = v0.length - 3;
- } else {
- v4 = 0;
- }
- break;
- }
上面分析的是v4 != v5.length的情况,如果v4 == v5.length呢,继续往下分析吧,也就是输入的字符串为7位
- now array:1
- now array:1
- now array:1
- now array:1
- now array:1
- now array:0
- now array:0
- now array:1
- now array:1
- now array:1
- now array:5
- now array:2
- now array:0
- now array:0
- now array:3
- v5[v7] 52------A[v7] 52 v7 0
- now array:2
- now array:3
- now array:2
- now array:3
- now array:2
- now array:0
- now array:0
- now array:3
- now array:2
- now array:3
- now array:2
- now array:3
- now array:2
- now array:3
- now array:4
- v7 1------v4 7
控制v7的case只有一个
- case 3: {
- if (v5[v7] == A[v7]) {
- System.out.println("v5[v7] " + v5[v7] + "------A[v7] " + A[v7] + " v7 " + v7);
- ++v7;
- } else {
- }
- break;
- }
根据上面的代码循环,可以慢慢倒推出来结果为4ndr01d,真是一波三折呀。。。
放下分析的代码
- import java.security.InvalidKeyException;
- import java.security.NoSuchAlgorithmException;
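public class ctf1 {
    /** 30-byte, zero-padded copy of the candidate input; every index the check uses stays below 30. */
    private static byte[] A;
    /** Raw bytes of the last input; replaced by an empty buffer at the end of a(). */
    private static byte[] B;

    /**
     * Harness entry point: loads a candidate input into A and runs the check.
     * Uses {@code args[0]} when given, otherwise the derived answer "4ndr01d".
     */
    public static void main(String[] args) {
        String input = args.length > 0 ? args[0] : "4ndr01d";
        a(input);
        System.out.println("check(\"" + input + "\") = " + check());
    }

    /**
     * Mirrors the app's CheckClass.a: copies the input bytes into a fresh 30-byte A.
     * The app copies {@code arg5.length()} bytes unchecked, so more than 30 characters
     * would throw ArrayIndexOutOfBoundsException and a multi-byte character (byte count
     * differs from char count) would truncate the copy; the harness clamps to the buffer
     * instead, which is identical for ASCII input of up to 30 characters.
     *
     * @param arg5 candidate input string
     */
    public static void a(String arg5) {
        int v1 = 30;
        A = new byte[v1];
        B = arg5.getBytes(); // platform default charset, as in the app
        System.arraycopy(B, 0, A, 0, Math.min(B.length, v1));
        B = new byte[v1];
    }

    /**
     * Decodes one entry of the table: the number of set bits among bit positions
     * 0, 2, 4, 5 and 7 (mask 181 == 0b10110101), so the result is in 0..5.
     * The decompiled form summed those five masked bits one by one.
     *
     * @param arg4 table entry
     * @return the case index 0..5 that check() executes for this entry
     */
    public static int b(int arg4) {
        return Integer.bitCount(arg4 & 181);
    }

    /**
     * Mirrors the app's CheckClass.check: a small table-driven state machine over A.
     * Each entry of v0 is decoded by b() into a case that moves two cursors (v4, v7)
     * over A and the target bytes v5; case 4 ends the run and returns whether the
     * cursors agree. Prints the same trace lines the write-up relies on.
     *
     * @return true when the loaded input is accepted
     */
    public static boolean check() {
        boolean v9 = false;
        // Fixed program: b() maps each entry to the case executed for it.
        int[] v0 = new int[] { 40, 42, 65, 67, 68, 2, 64, 70, 96, 98, 181, 7, 10, 64, 23, 17, 37, 20, 45, 91, 74, 72,
                135, 33, 57, 43, 87, 99, 147, 53 };
        // Target bytes; case 2 rewrites v5[v4] in place before case 3 compares it with A[v7].
        byte[] v5 = new byte[] { 52, 111, 102, 113, 52, 52, 98 };
        int v4 = 0; // position cursor: advanced by cases 1 and 2, reset by case 5
        int v7 = 0; // match cursor: advanced by case 3 on a byte match
        int v1;
        for (v1 = 0; v1 < v0.length; ++v1) {
            int v8 = b(v0[v1]);
            System.out.println("now array:" + v8);
            switch (v8) {
                case 0: {
                    // XOR the byte under the match cursor with its own index.
                    A[v7] = (byte) (A[v7] ^ v7);
                    break;
                }
                case 1: {
                    // Step over a non-zero input byte (A is zero-padded after the input).
                    if (A[v4] != 0) {
                        ++v4;
                    }
                    break;
                }
                case 2: {
                    // Decode the next target byte and advance.
                    v5[v4] = (byte) (v5[v4] ^ v4);
                    ++v4;
                    break;
                }
                case 3: {
                    // Advance the match cursor only while target and input agree.
                    if (v5[v7] == A[v7]) {
                        System.out.println("v5[v7] " + v5[v7] + "------A[v7] " + A[v7] + " v7 " + v7);
                        ++v7;
                    }
                    break;
                }
                case 4: {
                    // Terminal: accepted when both cursors are equal.
                    if (v7 == v4) {
                        v9 = true;
                    }
                    System.out.println("v7 " + v7 + "------v4 " + v4);
                    return v9;
                }
                case 5: {
                    if (v4 != v5.length) {
                        // With the loop's ++v1 this resumes at index v0.length - 2,
                        // skipping the rest of the table.
                        v1 = v0.length - 3;
                    } else {
                        v4 = 0;
                    }
                    break;
                }
                default: {
                    // b() only yields 0..5, so this branch is not reached.
                    break;
                }
            }
        }
        return v9;
    }
}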