是个魔改xtea
#include <bits/stdc++.h>
#define NUM_ROUNDS 32

/**
 * Decrypts one 64-bit block in place with the modified XTEA variant from
 * this write-up.
 *
 * The structure is the usual XTEA decryption loop; the only visible change
 * is the extra XOR with 0x396 applied to the shift/add mixing term.
 *
 * @param v   Two 32-bit words of ciphertext; overwritten with the plaintext.
 * @param key Four 32-bit key words.
 */
void xtea_decrypt(uint32_t v[2], uint32_t const key[4]) {
    const uint32_t kDelta = 0x9E3779B9;
    uint32_t left = v[0];
    uint32_t right = v[1];
    // Starting sum for decryption: kDelta * 32 modulo 2^32.
    uint32_t sum = 0xC6EF3720;

    for (uint32_t remaining = NUM_ROUNDS; remaining != 0; --remaining) {
        // Undo the second half-round first, then step the sum back.
        const uint32_t mix_from_left = (((left << 4) ^ (left >> 5)) + left) ^ 0x396;
        right -= mix_from_left ^ (sum + key[(sum >> 11) & 3]);

        sum -= kDelta;

        const uint32_t mix_from_right = (((right << 4) ^ (right >> 5)) + right) ^ 0x396;
        left -= mix_from_right ^ (sum + key[sum & 3]);
    }

    v[0] = left;
    v[1] = right;
}
//0x3c36eb49,0x81acb0c0,0xfac269ae,0xca5bf9ec
//3c36eb4981acb0c0fac269aeca5bf9ec
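/**
 * Decrypts the 16-byte ciphertext (two 64-bit blocks) with xtea_decrypt and
 * prints the recovered bytes as text.
 */
int main() {
    // Ciphertext: four 32-bit words, i.e. two XTEA blocks.
    uint32_t v[] = {0x3c36eb49, 0x81acb0c0, 0xfac269ae, 0xca5bf9ec};
    // Key words.
    uint32_t key[4] = {0x12345678, 0x5678ABCD, 0x89ABCDEF, 0xCDEF1234};

    for (int i = 0; i < 4; i += 2) {
        uint32_t tmp[2] = {v[i], v[i + 1]};
        xtea_decrypt(tmp, key);
        v[i] = tmp[0];
        v[i + 1] = tmp[1];
    }

    // v is a uint32_t array with no terminating NUL, so a plain "%s" would
    // keep reading past its end. Bound the print to the array's 16 bytes.
    // NOTE(review): the bytes are emitted in host memory order; the expected
    // output below presumably comes from a little-endian machine - confirm.
    printf("%.*s", static_cast<int>(sizeof v), reinterpret_cast<const char *>(v));
    //NS5_R0Un6_z2_apK
    return 0;
}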
得到username
#写的有点问题,还需要看看
enc = '3c36eb4981acb0c0fac269aeca5bf9ec'
# Print the ciphertext hex in rows of eight digits (one 32-bit word per row).
for pos, digit in enumerate(enc):
    if pos % 8 == 0:
        print()
    print(digit, end='')
# Key words as signed 32-bit Java ints
# (0x12345678, 0x5678ABCD, 0x89ABCDEF, 0xCDEF1234 when read as unsigned).
key = [305419896, 1450748877, -1985229329, -839970252]
# Decompiled Java encryption routine, kept for reference:
# public static int[] encrypt(int[] iArr, int[] iArr2) {
# int i = iArr[0];
# int i2 = iArr[1];
# int i3 = 0;
# for (int i4 = 0; i4 < 32; i4++) {
# i += ((((i2 << 4) ^ (i2 >>> 5)) + i2) ^ 918) ^ (iArr2[i3 & 3] + i3);
# i3 -= 1640531527;
# i2 += ((((i << 4) ^ (i >>> 5)) + i) ^ 918) ^ (iArr2[(i3 >>> 11) & 3] + i3);
# }
# iArr[0] = i;
# iArr[1] = i2;
# return iArr;
# }
print(len(enc))
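def xtea_decrypt(v,key):
    """Invert the decompiled Java ``encrypt`` routine for one 64-bit block.

    Python integers are unbounded, so every intermediate value is masked to
    32 bits to reproduce Java's wrapping ``int`` arithmetic and its unsigned
    ``>>>`` shift.

    Args:
        v: list of two 32-bit words (signed or unsigned); updated in place.
        key: sequence of four 32-bit key words (signed Java values are fine).

    Returns:
        The same list ``v``, now holding the two plaintext words as unsigned
        32-bit integers.
    """
    mask = 0xFFFFFFFF
    step = 1640531527  # the constant the Java code subtracts from its sum each round

    def mix(word):
        # ((w << 4) ^ (w >>> 5)) + w, then XOR 918, all in 32-bit arithmetic.
        return (((((word << 4) & mask) ^ (word >> 5)) + word) & mask) ^ 918

    i1 = v[0] & mask
    i2 = v[1] & mask
    # Encryption starts its sum at 0 and subtracts `step` 32 times, so
    # decryption has to start from that final value and add `step` back.
    i3 = (-32 * step) & mask
    for _ in range(32):
        # Undo the second half-round (which updated i2 from i1) first.
        i2 = (i2 - (mix(i1) ^ ((key[(i3 >> 11) & 3] + i3) & mask))) & mask
        i3 = (i3 + step) & mask
        i1 = (i1 - (mix(i2) ^ ((key[i3 & 3] + i3) & mask))) & mask
    v[0]=i1
    v[1]=i2
    return v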
# Ciphertext as four 32-bit words, i.e. two 64-bit blocks.
data = [0x3c36eb49, 0x81acb0c0, 0xfac269ae, 0xca5bf9ec]
for start in (0, 2):
    # Decrypt one two-word block and write the result back into data.
    pair = data[start:start + 2]
    print(xtea_decrypt(pair, key))
    data[start:start + 2] = pair
print(data)
# Hexadecimal text
hex_number = '48656c6c6f20576f726c64'  # e.g. the hex encoding of "Hello World"
# Turn the hex text into a bytes object, then decode it as a UTF-8 string
string = str(bytes.fromhex(hex_number), 'utf-8')
# Show the result
print(string)
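for i in range(4):
    # Reduce to an unsigned 32-bit value so negative (Java-style) words
    # format the same way as non-negative ones.
    word = data[i] & 0xFFFFFFFF
    print(hex(word), end=' ')
    # Exactly eight hex digits. The earlier hex(...)[3::] slice removed the
    # first significant digit of non-negative values and did not zero-pad.
    num = format(word, '08x')
    print(num)
    # NOTE(review): bytes.fromhex(num) gives the word's bytes most-significant
    # first; the byte order needed for readable text should be confirmed.
    #str=bytes.fromhex(num).decode('utf-8')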
passwd:
好像要用这个native库
没有,在native层,将apk改成zip,找到so文件,不能动调
在D:\ctf附件\ez - 副本\lib中
找到__int64 __fastcall Java_com_example_nss_MainActivity_validatePassword(__int64 a1, __int64 a2, __int64 a3, __int64 a4)
得到密文:572e180b1a680b3e5276344b241d5b52525a043173346b1355442028
又找到加密函数:__int64 __fastcall Java_com_example_nss_MainActivity_encryptWithRC4(__int64 a1, __int64 a2, __int64 a3, __int64 a4)
// Excerpt of the decompiled function body. The local declarations and the
// code that fills the table at v60 are not part of this excerpt.
//
// Select the length (v16) and byte pointer (v17) of the string object at v55,
// whose bytes are used as key material in the loop below: with the low bit
// set they come from separate fields (v56/v57), otherwise the length is
// v55 >> 1 and the bytes follow the first byte inline.
// NOTE(review): looks like libc++'s long/short std::string layout - confirm.
if ( (v55 & 1) != 0 )
{
v16 = v56;
v17 = v57;
}
else
{
v17 = &v55 + 1;
v16 = v55 >> 1;
}
// Key-scheduling loop: v18 is the running index i, v19 the running index j.
// It runs for 128 iterations over the table at v60.
v18 = 0LL;
v19 = 0;
do
{
v24 = *(v60 + v18);
v25 = v24 + v19;
// Both branches compute the same v18 % v16 (index into the key bytes);
// presumably a 32-bit/64-bit division split left by the compiler.
if ( (v16 | v18) >> 32 )
v20 = v18 % v16;
else
v20 = v18 % v16;
v21 = v17[v20];
// v23 = j + table[i] + key[i % keylen]; subtracting (v22 & 0xFFFFFF80)
// reduces it to a signed remainder modulo 128.
v22 = v25 + v21 + 127;
v23 = v21 + v25;
if ( v23 >= 0 )
v22 = v23;
v19 = v23 - (v22 & 0xFFFFFF80);
// Swap table[i] and table[j].
*(v60 + v18) = *(v60 + v19);
*(v60 + v19) = v24;
++v18;
}
while ( v18 != 128 );
// Build the working string v51 from dest; its bytes are XORed in place below.
std::string::basic_string(&v51, dest);
// Select length (v29) and byte pointer (v28) of v51 the same way as for the
// key; an empty string skips the keystream loop.
if ( (v51 & 1) != 0 )
{
v28 = v54;
v29 = v53;
if ( !v53 )
goto LABEL_35;
}
else
{
v29 = v51 >> 1;
v28 = &v52;
if ( !v29 )
goto LABEL_35;
}
// Keystream loop: v26 counts processed bytes, v30 is index i, v31 is index j.
v26 = 0LL;
v30 = 0;
v31 = 0;
do
{
// i = (i + 1) modulo 128, again via the & 0xFFFFFF80 remainder pattern.
v32 = v30 + 128;
if ( v30 + 1 >= 0 )
v32 = v30 + 1;
v30 = v30 - (v32 & 0xFFFFFF80) + 1;
v33 = *(v60 + v30);
// j = (j + table[i]) modulo 128, stored in v37.
v34 = v31 + v33 < 0;
v35 = v31 + v33;
v36 = v33 + v31 + 127;
if ( !v34 )
v36 = v35;
v37 = v35 - (v36 & 0xFFFFFF80);
// Swap table[i] and table[j].
*(v60 + v30) = *(v60 + v37);
*(v60 + v37) = v33;
// v27 = (table[i] + table[j]) modulo 128 selects the keystream entry.
v38 = *(v60 + v30);
v39 = v38 + v33 + 127;
v40 = v38 + v33;
if ( v40 >= 0 )
v39 = v40;
v27 = v40 - (v39 & 0xFFFFFF80);
// XOR the current byte with the selected table entry.
// NOTE(review): the 4 * scaling here, unlike the unscaled accesses above, is
// probably a decompiler typing artefact - confirm the table's element width.
v28[v26++] ^= *(v60 + 4 * v27);
v31 = v37;
}
while ( v29 != v26 );
LABEL_35:
// Judging by its name, toHex renders the processed bytes of v51 as hex text
// into v48.
toHex(&v48, &v51, v26, v27, v28, v29, v44, v46, v48);
// Indirect calls through the function table at *a1.
// NOTE(review): presumably the JNIEnv table; on a 64-bit target offset 1360
// would be ReleaseStringUTFChars and 1336 NewStringUTF - confirm.
(*(*a1 + 1360LL))(a1, v47, v6);
(*(*a1 + 1360LL))(a1, v45, v7);
if ( (v48 & 1) != 0 )
v41 = v50;
else
v41 = &v49;
// v42 is the value returned to the caller, built from the bytes of v48.
v42 = (*(*a1 + 1336LL))(a1, v41);
// Cleanup: each temporary string whose low flag bit is set has its separately
// allocated buffer released with operator delete.
if ( (v48 & 1) != 0 )
{
operator delete(v50);
if ( (v51 & 1) == 0 )
{
LABEL_40:
if ( (v55 & 1) == 0 )
goto LABEL_41;
LABEL_46:
operator delete(v57);
if ( (dest[0] & 1) == 0 )
return v42;
goto LABEL_42;
}
}
else if ( (v51 & 1) == 0 )
{
goto LABEL_40;
}
operator delete(v54);
if ( (v55 & 1) != 0 )
goto LABEL_46;
LABEL_41:
if ( (dest[0] & 1) != 0 )
LABEL_42:
operator delete(ptr);
return v42;
}
// Modified to run 128 times (standard RC4 uses 256)
#ez_APK wp
def rc4(data, key):
    """Apply the 128-entry RC4 variant from the native library to ``data``.

    Same key schedule and keystream generation as RC4, but with a state
    table of 128 entries instead of 256. XORing with the keystream is its
    own inverse, so the same call encrypts and decrypts.

    Args:
        data: iterable of byte values (e.g. ``bytes``).
        key: non-empty sequence of byte values.

    Returns:
        ``bytes`` of the same length as ``data``.
    """
    size = 128
    state = [n for n in range(size)]

    # Key scheduling: mix the key bytes into the state table.
    mixed = 0
    for pos in range(size):
        mixed = (mixed + state[pos] + key[pos % len(key)]) % size
        state[pos], state[mixed] = state[mixed], state[pos]

    # Keystream generation: one table entry is XORed into each input byte.
    a = 0
    b = 0
    result = []
    for value in data:
        a = (a + 1) % size
        b = (b + state[a]) % size
        state[a], state[b] = state[b], state[a]
        pick = (state[a] + state[b]) % size
        result.append(value ^ state[pick])
    return bytes(result)
# Ciphertext taken from validatePassword, as raw bytes.
data = bytes.fromhex(
    "572e180b1a680b3e5276344b241d5b52525a043173346b1355442028"
)
# Key: the string printed by the XTEA step.
key = b'NS5_R0Un6_z2_apK'
decrypted = rc4(data=data, key=key)
print(decrypted)
#NSSCTF{V3ry_4z_1ib_W1th_4pk}
#include <bits/stdc++.h>
/**
 * Exchanges the bytes at positions i and j of the array s.
 *
 * @param s Byte array to modify.
 * @param i Index of the first element.
 * @param j Index of the second element (may equal i).
 */
void swap(unsigned char *s, int i, int j) {
    const unsigned char first = s[i];
    const unsigned char second = s[j];
    s[i] = second;
    s[j] = first;
}
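/**
 * Applies the 128-entry RC4 variant to data and writes the result to stdout.
 *
 * Same key schedule and keystream generation as RC4, but with a state table
 * of 128 entries. XORing with the keystream is its own inverse, so the same
 * call encrypts and decrypts.
 *
 * @param key         NUL-terminated key bytes. A null or empty key produces
 *                    no output.
 * @param data        Input bytes; not modified.
 * @param data_length Number of bytes to read from data.
 */
void rc4(unsigned char *key, unsigned char *data, unsigned long data_length) {
    constexpr unsigned long kStateSize = 128;

    if (key == nullptr || (data == nullptr && data_length != 0)) {
        return;
    }
    // Measure the key once. An empty key would make `i % key_length` divide
    // by zero, so stop before touching the table.
    const std::size_t key_length = std::strlen(reinterpret_cast<const char *>(key));
    if (key_length == 0) {
        return;
    }

    unsigned char S[kStateSize];
    for (unsigned long i = 0; i < kStateSize; ++i) {
        S[i] = static_cast<unsigned char>(i);
    }

    // Key scheduling. Indexing the key directly replaces the former
    // temporary table that held the key repeated to 128 bytes.
    unsigned long j = 0;
    for (unsigned long i = 0; i < kStateSize; ++i) {
        j = (j + S[i] + key[i % key_length]) % kStateSize;
        std::swap(S[i], S[j]);
    }

    // The output buffer is owned by a vector, so it is released on every
    // exit path (the malloc'd buffer used before was never freed).
    std::vector<unsigned char> output(data_length);
    unsigned long i = 0;
    j = 0;
    for (unsigned long k = 0; k < data_length; ++k) {
        i = (i + 1) % kStateSize;
        j = (j + S[i]) % kStateSize;
        std::swap(S[i], S[j]);
        output[k] = static_cast<unsigned char>(data[k] ^ S[(S[i] + S[j]) % kStateSize]);
    }

    // Emit the raw bytes in one call; embedded NUL bytes are written as-is.
    if (!output.empty()) {
        std::fwrite(output.data(), 1, output.size(), stdout);
    }
}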
/**
 * Runs the 128-entry RC4 variant over the ciphertext taken from the native
 * library and prints the recovered text.
 */
int main() {
    // Key: the string printed by the XTEA listing earlier on the page.
    unsigned char key[] = "NS5_R0Un6_z2_apK";
    // Ciphertext bytes from validatePassword.
    unsigned char encrypted_data[] = {
        0x57, 0x2e, 0x18, 0x0b, 0x1a, 0x68, 0x0b, 0x3e, 0x52, 0x76,
        0x34, 0x4b, 0x24, 0x1d, 0x5b, 0x52, 0x52, 0x5a, 0x04, 0x31,
        0x73, 0x34, 0x6b, 0x13, 0x55, 0x44, 0x20, 0x28};
    // Element count of the array.
    const unsigned long data_length = sizeof(encrypted_data) / sizeof(*encrypted_data);

    rc4(key, encrypted_data, data_length);
    //NSSCTF{V3ry_4z_1ib_W1th_4pk}
    return 0;
}