snake
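Use pycdc to view the pyc file.
It uses a key module.
Ran into the original problem again: it has to be unpacked with the matching Python version, otherwise the files are missing 0.0
It is just a modified RC4 with an extra XOR with i.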
HardSianin
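After unpacking the modified UPX:
Probably SMC (self-modifying code), annoying.
TLS callback functions; they seem to be the first few functions at the very start.
The jz/jnz pair and the instruction right after it all need to be NOPed out.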
BedTea
This one also just takes patient debugging.
Fake_Code
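The only option is to read the assembly or debug dynamically.
Found SEH.
Much of its code is not decompiled by IDA.
cdq
The CDQ instruction sign-extends the signed integer in eax into the edx:eax register pair: the sign bit (most significant bit) of eax is copied into every bit of edx.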
imul eax, [rsp+0D8h+var_B4], 7Fh
Signed integer multiplication.
idiv ecx
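The IDIV instruction uses the value in the edx:eax register pair as the dividend and divides it by the operand.
- The quotient (result) is stored in eax.
- The remainder is stored in edx.
- Before executing IDIV, make sure the value in edx:eax is the correct dividend.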
sar eax, 7
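Arithmetic right shift.
Shifts the register value right by the given number of bits and fills the vacated high bits with the original sign bit (signed integers); an unsigned shift fills with 0 instead.
It is commonly used to divide a signed integer by a power of two, i.e. to divide a number by 2 to the n.
Here IDA only decompiled v5 = (127 * v5 + 102) % 255; the next few statements are missing, possibly because an exception is raised there.
filter is the filter of except; it filters exceptions:
divide by zero, illegal memory access, a triggered breakpoint exception and so on. It is used when except should handle only specific exceptions.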
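The instruction semantics described above, modelled on 32-bit registers as an added example (not code from the challenge). The helper names are hypothetical, and the order in which the instructions are chained in next_v5, including the add of 66h, is an assumption taken from the decompiled expression. It shows where idiv faults (the kind of exception an SEH filter can catch) and that sar does not round the same way as idiv for negative values.

```python
MASK32 = 0xFFFFFFFF


class DivideError(ArithmeticError):
    """Models the CPU divide fault (#DE) that an SEH filter can select."""


def to_signed(x, bits=32):
    """Reinterpret an unsigned register value as a two's-complement integer."""
    x &= (1 << bits) - 1
    return x - (1 << bits) if x >> (bits - 1) else x


def imul32(a, b):
    """imul r32, r/m32, imm: signed multiply, only the low 32 bits are kept."""
    return (to_signed(a) * to_signed(b)) & MASK32


def cdq(eax):
    """cdq: copy the sign bit of eax into every bit of edx. Returns (edx, eax)."""
    eax &= MASK32
    return (MASK32 if eax >> 31 else 0), eax


def idiv32(edx, eax, divisor):
    """idiv r/m32: signed edx:eax / divisor. Returns (quotient, remainder)."""
    dividend = to_signed((edx << 32) | eax, 64)
    d = to_signed(divisor)
    if d == 0:
        raise DivideError("divide by zero")
    q = abs(dividend) // abs(d)
    if (dividend < 0) != (d < 0):
        q = -q                       # x86 truncates the quotient toward zero
    r = dividend - q * d             # remainder takes the sign of the dividend
    if not -(1 << 31) <= q < (1 << 31):
        raise DivideError("quotient does not fit in eax")
    return q & MASK32, r & MASK32


def sar32(eax, n):
    """sar: arithmetic right shift, sign bit replicated (rounds toward -inf)."""
    return (to_signed(eax) >> n) & MASK32


def next_v5(v5):
    """v5 = (127 * v5 + 102) % 255, built from the instructions (order assumed)."""
    eax = imul32(v5, 0x7F)
    eax = (eax + 0x66) & MASK32
    edx, eax = cdq(eax)
    _, remainder = idiv32(edx, eax, 0xFF)
    return remainder


if __name__ == "__main__":
    v5 = 0
    for _ in range(3):
        v5 = next_v5(v5)
        print(v5, sar32(v5, 7))      # value and the bit tested by v5 >> 7
    q, r = idiv32(*cdq(-7 & MASK32), 2)
    print(to_signed(q), to_signed(r), to_signed(sar32(-7 & MASK32, 1)))
```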
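Have to read the assembly.
OK, I can't figure it out.
It is fairly simple, so a script can be written directly.
Alternatively, patch in a forced jump so that the except code executes.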
enc=[ 0x1E, 0x70, 0x7A, 0x6E, 0xEA, 0x83, 0x9E, 0xEF, 0x96, 0xE2,
0xB2, 0xD5, 0x99, 0xBB, 0xBB, 0x78, 0xB9, 0x3D, 0x6E, 0x38,
0x42, 0xC2, 0x86, 0xFF, 0x63, 0xBD, 0xFA, 0x79, 0xA3, 0x6D,
0x60, 0x94, 0xB3, 0x42, 0x11, 0xC3, 0x90, 0x89, 0xBD, 0xEF,
0xD4, 0x97, 0xF8, 0x7B, 0x8B, 0x0B, 0x2D, 0x75, 0x7E, 0xDD,
0xCB]
array=[ 0xAC, 0x04, 0x58, 0xB0, 0x45, 0x96, 0x9F, 0x2E, 0x41, 0x15,
0x18, 0x29, 0xB1, 0x33, 0xAA, 0x12, 0x0D, 0x89, 0xE6, 0xFA,
0xF3, 0xC4, 0xBD, 0xE7, 0x70, 0x8A, 0x94, 0xC1, 0x85, 0x9D,
0xA3, 0xF2, 0x3F, 0x82, 0x8E, 0xD7, 0x03, 0x93, 0x3D, 0x13,
0x05, 0x6B, 0x41, 0x03, 0x96, 0x76, 0xE3, 0xB1, 0x8A, 0x4A,
0x22, 0x55, 0xC4, 0x19, 0xF5, 0x55, 0xA6, 0x1F, 0x0E, 0x61,
0x27, 0xCB, 0x1F, 0x9E, 0x5A, 0x7A, 0xE3, 0x15, 0x40, 0x94,
0x47, 0xDE, 0x00, 0x01, 0x91, 0x66, 0xB7, 0xCD, 0x22, 0x64,
0xF5, 0xA5, 0x9C, 0x68, 0xA5, 0x52, 0x86, 0xBD, 0xB0, 0xDD,
0x76, 0x28, 0xAB, 0x16, 0x95, 0xC5, 0x26, 0x2C, 0xF6, 0x39,
0xBE, 0x00, 0xA5, 0xAD, 0xE3, 0x93, 0x9E, 0xE3, 0x05, 0xA0,
0xB0, 0x1D, 0xB0, 0x16, 0x0B, 0x5B, 0x33, 0x95, 0xA4, 0x09,
0x16, 0x87, 0x56, 0x1F, 0x83, 0x4E, 0x4A, 0x3C, 0x55, 0x36,
0x6F, 0xBB, 0x4C, 0x4B, 0x9D, 0xB1, 0xAE, 0xE5, 0x8E, 0xC8,
0xFB, 0x0E, 0x29, 0x8A, 0xBB, 0xFC, 0x20, 0x62, 0x04, 0x2D,
0x80, 0x61, 0xD6, 0xC1, 0xCC, 0x3B, 0x89, 0xC5, 0x8B, 0xD5,
0x26, 0x58, 0xD6, 0xB6, 0xA0, 0x50, 0x75, 0xAB, 0x17, 0x83,
0x7F, 0x37, 0x2B, 0xA0, 0x1D, 0x2C, 0xCF, 0xC7, 0xE0, 0xE5,
0x49, 0xC9, 0xFA, 0x6B, 0xC0, 0x98, 0x66, 0x99, 0x92, 0x00,
0x02, 0xD4, 0x75, 0x46, 0x22, 0x05, 0x35, 0xD1, 0x4B, 0xC5,
0xAD, 0xE0, 0x8E, 0x45, 0x3B, 0x50, 0x15, 0xB5, 0x2E, 0x85,
0x30, 0x89, 0x54, 0x12, 0xDE, 0xF1, 0x5A, 0xF0, 0x2B, 0xA7,
0x1B, 0x4A, 0x26, 0x5D, 0x98, 0xD4, 0xA1, 0xBE, 0xD1, 0x4D,
0x7E, 0x38, 0xDE, 0x0B, 0x0A, 0x54, 0xB8, 0x73, 0x6D, 0xAD,
0x8C, 0x1E, 0xD9, 0x31, 0x5F, 0x56, 0x7E, 0xBD, 0x48, 0x32,
0x98, 0x2E, 0x3E, 0xEB, 0xA2, 0x1D]
print(len(enc))
v5 = 0
index = 0x19
for i in range(len(enc)):
    v5 = (v5 * 0x7f + 0x66) % 0xff
    # the index is only updated when v5 >> 7 is zero
    if v5 >> 7 == 0:
        index = (0x61 * index + 0x65) % 0xe9
        index ^= 0x29
    print(chr(enc[i] ^ array[index]), end='')
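Since it is only XOR, dynamic debugging also seems to work quite well.
Set a breakpoint at the key location and modify the memory data,
changing it to enc.
Continue with F9, but a dialog pops up there every time; clicking through it 51 times is a bit scary.
The above can also be done with IDAPython.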
[NISACTF 2022]tears_confusion
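The assembly in main is slightly different; everything after it is the same.
Right, the main_0 function is executed directly, but it should be the main function that runs. I feel it could be hooked (I don't know how yet); alternatively, follow the writeup and modify the program entry point.
Wait, why can't I click Assemble in my IDA, 0.0
Switched to another IDA and it works now; changed it to main, E8 3B 01 00 00, and that did it.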
setle al
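The SETLE instruction sets the destination register according to the result of the most recent comparison instruction.
- If the previous comparison shows that the first of the two compared numbers is less than or equal to the second, the destination register is set to 1 (true). Otherwise it is set to 0 (false).
The preceding operations are all much the same.
Capture the value of eax each time; that is the flag.
It seems a script for a conditional breakpoint or a memory breakpoint could be written.
Hahaha, learned it.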
print(hex(get_reg_value("rax")),end='')
Also, functions with code this long are generally not too complicated.
esreveR
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  void *v3; // rsp
  __int64 v4; // rax
  __int64 v6; // [rsp+0h] [rbp-C0h] BYREF
  int n[2]; // [rsp+8h] [rbp-B8h]
  __int64 v8; // [rsp+10h] [rbp-B0h]
  __int64 v9; // [rsp+18h] [rbp-A8h]
  __int64 v10; // [rsp+20h] [rbp-A0h]
  __int64 v11; // [rsp+28h] [rbp-98h]
  __int64 v12; // [rsp+30h] [rbp-90h]
  __int64 v13; // [rsp+38h] [rbp-88h]
  __int64 v14; // [rsp+40h] [rbp-80h]
  __int64 v15; // [rsp+48h] [rbp-78h]
  __int64 v16; // [rsp+50h] [rbp-70h]
  char *s; // [rsp+58h] [rbp-68h]
  char v18[40]; // [rsp+60h] [rbp-60h] BYREF
  unsigned __int64 v19; // [rsp+88h] [rbp-38h]

  v19 = __readfsqword(0x28u);
  v10 = 4584583LL;
  v15 = 2374827LL;
  v9 = 83468723LL;
  v8 = 34783LL;
  *(_QWORD *)n = 38478494LL;
  v6 = 21232134LL;
  v11 = 34532341LL;
  v12 = 146756703LL;
  v13 = 9138987LL;
  v14 = 845845LL;
  while ( v14 == 845845 )
  {
    v15 = opcode_A(v10); // 2 * a1 + 3 * (a1 ^ 0x107503DE) - a1
    v10 = opcode_B(v9); // 2 * a1 + 3 * (a1 ^ 0x1ED2F67A) - a1
    v9 = opcode_C(v8); // 2 * a1 + 3 * (a1 ^ 0x6ECCC525) - a1
    v8 = opcode_D(n[0]); // (int)(2 * a1 + 3 * (a1 ^ 0xD031C183) - a1)
    *(_QWORD *)n = opcode_E(v14); // (int)(2 * a1 + 3 * (a1 ^ 0xEE928ADA) - a1)
    v14 = sub_55D179A009E9(v11);
    v11 = different(v6); // (int)(2 * a1 - (a1 + 8 * (a1 ^ 0x96A92F61)))
    v6 = sub_55D179A00A8B(v12);
    v12 = sub_55D179A00ADE(v13);
    puts("Welcome to Esrever! I hope you will \x1B[9menjoy\x1B[0mhate your stay here,");
    v13 = sub_55D179A00B31(v15);
    v15 = v10 + v9 - (*(_QWORD *)n + v8 + v13);
    v15 = opcode_A(v10);
    v10 = opcode_B(v9);
    v9 = opcode_C(v8);
    v8 = opcode_D(n[0]);
    *(_QWORD *)n = opcode_E(v14);
    puts("Here at Esrever we really do like playing games,\nSo lets play a guessing game.");
    v14 = sub_55D179A009E9(v11);
    v11 = different(v6);
    v6 = sub_55D179A00A8B(v12);
    *(_QWORD *)n = v10 + v8 + v9 - v12 + v15;
    v12 = sub_55D179A00ADE(v13);
    v13 = sub_55D179A00B31(v15);
    v15 = opcode_A(v10);
    strcpy(v18, "Make your best guess: ");
    printf("%s", v18);
    sub_55D179A00B7B(); // possibly the input
    v10 = opcode_B(v9);
    v9 = opcode_C(v8);
    v8 = opcode_D(n[0]);
    *(_QWORD *)n = opcode_E(v14) - 1942456670;
    v14 = sub_55D179A009E9(v11) ^ 3;
    v11 = different(v6) ^ 0x2B;
    v6 = sub_55D179A00A8B(v12);
    v12 = sub_55D179A00ADE(v13);
    v13 = sub_55D179A00B31(v15);
    v16 = *(_QWORD *)n - 1LL;
    v3 = alloca(16 * ((*(_QWORD *)n + 15LL) / 0x10uLL));
    s = (char *)&v6;
    v15 = opcode_A(v10);
    v10 = (unsigned __int8)opcode_B(v9);
    v9 = opcode_C(v8);
    fgets(s, n[0], stdin);
    v8 = opcode_D(n[0]);
    *(_QWORD *)n = opcode_E(v14);
    if ( *(_QWORD *)n != v8 )
    {
      v11 = sub_55D179A009E9(4521);
      if ( s != (char *)v11 )
      {
        v4 = sub_55D179A012D8(s, v15, v10, v9, v11, v13);
        if ( v4 != v15 * ((v12 ^ v13) - *(_QWORD *)n) )
          puts("Congratulations! You reversed the reversed reverse!");
      }
    }
    v14 = sub_55D179A009E9(v11);
    v11 = different(v6) | 3;
    v6 = sub_55D179A00A8B(v12);
    v12 = sub_55D179A00ADE(v13);
    v13 = sub_55D179A00B31(v15);
  }
  return 0LL;
}
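It is very long, and the functions are all much alike.
Also, the earlier operations are not performed on the input; find where the input is read, processed and checked.
Extract the data from the stack; that is the flag.
Because there is an assignment of input to v58, which is also passed as an argument, it should have been pushed onto the stack.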
#! /usr/bin/env python3
FLAG = 'sdctf{a_v3ry_s3cur3_w4y_t0_st0r3_ur_FLAG}' # lol
a = lambda n: a(n-2) + a(n-1) if n >= 2 else (2 if n == 0 else 1)
# Fibonacci-style recurrence with a(0) = 2 and a(1) = 1 (the Lucas numbers)
b = lambda x: bytes.fromhex(x).decode()
# Convert a hex string to a byte sequence, then decode it to a string
h = eval(b('7072696e74'))
# b('7072696e74') returns the string 'print'; eval('print') assigns the print function to h
# h() == print()
def d():
    h(b('496e636f727265637420666c61672120596f75206e65656420746f206861636b206465657065722e2e2e'))
    eval(b('5f5f696d706f72745f5f282273797322292e65786974283129'))
    h(FLAG)
    #print('Incorrect flag! You need to hack deeper...')
    #eval('__import__("sys").exit(1)')
    #print(FLAG)
def e(f):
    h("Welcome to SDCTF's the first Reverse Engineering challenge.")
    c = input("Input the correct flag: ")
    if c[:6].encode().hex() != '{2}3{0}{1}{0}3{2}{1}{0}{0}{2}b'.format(*map(str, [6, 4, 7])):
        d()
    if c[int(chr(45) + chr(49))] != chr(125): # chr(45)+chr(49) is '-1', so c[-1] must be '}'
        d()
    g = c[6:-1].encode() # SDCTF{.....}: from index 6 up to, but not including, the last character
    if bytes( (g[i] ^ (a(i) & 0xff) for i in range(len(g))) ) != f:
        # a(i) & 0xff calls the function a(i) defined above and keeps the low 8 bits
        d()
    h(b('4e696365206a6f622e20596f7520676f742074686520636f727265637420666c616721'))
    #print()
if __name__ == "__main__":
    #e(b'co\\7\x7f\x7f`|p\x15\x0e\x8a\x0fP\x14\x18\xfe\xa9\xf3\xe2y\xdd')
    f=b'co\\7\x7f\x7f`|p\x15\x0e\x8a\x0fP\x14\x18\xfe\xa9\xf3\xe2y\xdd'
    print(bytes( (f[i] ^ (a(i)&0xff) for i in range(len(f)))))
else:
    eval(b('5f5f696d706f72745f5f282273797322292e65786974283029'))
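input[i] is XORed directly, so just feed the ciphertext in.
Got it working in the virtual machine, so those earlier challenges were also just missing a DLL.
It just didn't say whether the problem was the DLL or Win11? Sigh, what a hassle.
This suggests the two earlier values x and y probably don't matter.
This looks like it finds the greatest common divisor; oh, it is the Euclidean algorithm.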
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  int v5; // eax
  int v6; // edx
  int i_0; // [rsp+2Ch] [rbp-14h]
  bool q; // [rsp+33h] [rbp-Dh]
  int i; // [rsp+34h] [rbp-Ch]
  int j; // [rsp+38h] [rbp-8h]
  char c; // [rsp+3Fh] [rbp-1h]
  char ca; // [rsp+3Fh] [rbp-1h]

  _main(argc, argv, envp);
  puts("Please intput two keys within 100 to encrypt the data");
  x = read() % 300;
  y = read() % 300;
  puts("Please intput the data that you want encrypt");
  for ( c = getchar(); c != '\n'; c = getchar() )
  {
    v3 = len++;
    input[v3] = c;
  }
  f(x, y);
  if ( !strcmp(input, Str2) )
  {
    puts("you get a hint,keep going!");
    puts("Please intput the message you get from the array,notice that all the input should be English.");
    for ( ca = getchar(); ca != 10; ca = getchar() )
    {
      v5 = l2++;
      str[v5] = ca;
    }
    len_flag = 28;
    j = 0;
    while ( l2 <= len_flag )
    {
      v6 = l2++;
      str[v6] = str[j++];
    }
    puts("Please intput your flag");
    scanf("%s", flag);
    for ( i = 0; i < len_flag; ++i )
      num[i] = (char)(flag[i] ^ str[i]);
    q = 1;
    for ( i_0 = 0; i_0 < len_flag; ++i_0 )
    {
      if ( code[i_0] != num[i_0] )
      {
        q = 0;
        break;
      }
    }
    if ( q )
      puts("You get the right flag");
    else
      puts("You are wrong,try again");
    return 0;
  }
  else
  {
    puts("Try again or you can choose to solve this problem without the hint I give.");
    return 0;
  }
}
So the two keys still have to be found, to XOR with the ciphertext and get the correct hint.
def text_66(a, b):
    # Euclidean algorithm: greatest common divisor of a and b
    aa = a
    ba = b
    if a < b:
        aa, ba = ba, aa
    if ba:
        return text_66(ba, aa % ba)
    else:
        return aa
def f(k1_0, k2_0):
    # modifies the global str in place
    for i in range(len(str)):
        k1_0 = (str[i] + k1_0) % 300
        k2_0 = (str[i] + k2_0) % 300
        str[i] ^= text_66(k1_0, k2_0)
for x in range(100):
    for y in range(100):
        str = [85, 105, 104, 120, 33, 104, 114, 33, 96, 33, 105, 98, 101, 117, 33, 124, 105, 106, 117, 33, 72, 33, 105,
               100, 109, 113, 43, 120, 110, 116, 33, 104, 114, 43, 115, 100, 108, 104, 111, 101, 33, 120, 110, 116, 33,
               117, 110, 33, 98, 73, 100, 98, 106, 33, 117, 105, 100, 33, 96, 115, 115, 96, 120, 33, 96, 111, 101, 33,
               117, 105, 115, 100, 100, 33, 111, 116, 102, 99, 100, 115, 114, 33, 98, 96, 111, 33, 119, 98, 100, 118,
               33, 96, 114, 33, 96, 33, 102, 115, 110, 116, 113]
        f(x, y)
        for i in str:
            # keep only fully printable candidates; 32 (space) must pass because the hint contains spaces
            if i < 32 or i > 127:
                break
        else:
            print(''.join(chr(j) for j in str))
#Thiy is a hcdt }hkt I help*you is*remind you to cHeck the array and three nugbers can vcew as a group
str has to be inside the two for loops.
RGB:
Three numbers, each below 300, represent one colour; together they represent an image.
Found a script:
from PIL import Image
with open("D:\\ctf附件2\\basketball\\array.txt", 'r') as f:
    data = f.readlines() # read all the strings in the txt into data
for line in data:
    values = line.split(' ') # split into individual values and store them
#print(data)# equivalent to storing the strings from the txt in a data array
#139 98 62 141 97 62 141 97 62 141 97 62 141 97 62 141 97 62 ']
#print(values)# every value separated out into a single character or number
#'99', '71', '142', '103', '75', '134', '95', '67', '119', '80', '52', '134', '95', '67', '121',
# print(len(values))# length check 1072071
# print(637 * 561 * 3)# 1072071
# the hint says so too
x = 637 # x coordinate: width, found by integer factorisation of the number of lines in the txt
y = 561 # y coordinate: height, x * y = number of lines
im = Image.new("RGB", (x, y)) # create the image
index = 0
# In Python, the PIL (Python Imaging Library) module provides the putpixel method, which sets the colour of the pixel at a given position in an image
for j in range(0, y): # build the image from each RGB point
    for i in range(0, x):
        im.putpixel((i, j), (int(values[index]), int(values[index + 1]), int(values[index + 2]))) # turn the RGB triple into a pixel
        index += 3
im.show() # show the image
This produces the image.
str = 'I want to play basketballI w'
code = [1, 100, 52, 53, 40, 15, 4, 69, 46, 109, 47, 40, 55, 55, 92, 94, 62, 70, 23, 72, 8, 82, 29, 65, 16, 117, 117, 10]
for i in range(28):
    print(chr(ord(str[i]) ^ code[i]), end='')
VartualCamera
A serial number is required.
package com.example.android.camera2.basic;
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.view.View;
import android.widget.EditText;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
import com.example.android.camera2.basic.databinding.ActivityCameraBinding;
import kotlin.Metadata;
import kotlin.UInt;
import kotlin.UIntArray;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
/* compiled from: CameraActivity.kt */
@Metadata(d1 = {"\u0000(\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\u0018\u0000 \u000f2\u00020\u0001:\u0001\u000fB\u0005¢\u0006\u0002\u0010\u0002J\u001d\u0010\u0005\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\u0006H\u0002ø\u0001\u0000ø\u0001\u0001¢\u0006\u0004\b\b\u0010\tJ\u0012\u0010\n\u001a\u00020\u000b2\b\u0010\f\u001a\u0004\u0018\u00010\rH\u0014J\b\u0010\u000e\u001a\u00020\u000bH\u0014R\u000e\u0010\u0003\u001a\u00020\u0004X\u0082.¢\u0006\u0002\n\u0000\u0082\u0002\u000b\n\u0002\b\u0019\n\u0005\b¡\u001e0\u0001¨\u0006\u0010"}, d2 = {"Lcom/example/android/camera2/basic/CameraActivity;", "Landroidx/appcompat/app/AppCompatActivity;", "()V", "activityCameraBinding", "Lcom/example/android/camera2/basic/databinding/ActivityCameraBinding;", "encrypt", "Lkotlin/UIntArray;", "enc", "encrypt-hkIa6DI", "([I)[I", "onCreate", "", "savedInstanceState", "Landroid/os/Bundle;", "onResume", "Companion", "app_release"}, k = 1, mv = {1, 5, 1}, xi = 48)
/* loaded from: classes.dex */
public final class CameraActivity extends AppCompatActivity {
public static final long ANIMATION_FAST_MILLIS = 50;
public static final long ANIMATION_SLOW_MILLIS = 100;
public static final Companion Companion = new Companion(null);
public static final int FLAGS_FULLSCREEN = 4357;
private static final long IMMERSIVE_FLAG_TIMEOUT = 500;
private ActivityCameraBinding activityCameraBinding;
/* renamed from: encrypt-hkIa6DI reason: not valid java name */
private final int[] m8encrypthkIa6DI(int[] iArr) {
int i;
int[] m175constructorimpl = UIntArray.m175constructorimpl(4);
UIntArray.m186setVXSXFK8(m175constructorimpl, 0, 2233);
UIntArray.m186setVXSXFK8(m175constructorimpl, 1, 4455);
UIntArray.m186setVXSXFK8(m175constructorimpl, 2, 6677);
UIntArray.m186setVXSXFK8(m175constructorimpl, 3, 8899);
int i2 = 0;
while (i2 < 9) {
int i3 = 0;
int i4 = 0;
do {
i3++;
i = i2 + 1;
UIntArray.m186setVXSXFK8(iArr, i2, UInt.m122constructorimpl(UIntArray.m181getpVg5ArA(iArr, i2) + UInt.m122constructorimpl(UInt.m122constructorimpl(UInt.m122constructorimpl(UIntArray.m181getpVg5ArA(m175constructorimpl, UInt.m122constructorimpl(i4 & 3)) + i4) ^ UInt.m122constructorimpl(UInt.m122constructorimpl(UInt.m122constructorimpl(UIntArray.m181getpVg5ArA(iArr, i) << 4) ^ UInt.m122constructorimpl(UIntArray.m181getpVg5ArA(iArr, i) >>> 5)) + UIntArray.m181getpVg5ArA(iArr, i))) ^ i4)));
UIntArray.m186setVXSXFK8(iArr, i, UInt.m122constructorimpl(UIntArray.m181getpVg5ArA(iArr, i) + UInt.m122constructorimpl(UInt.m122constructorimpl(UInt.m122constructorimpl(UInt.m122constructorimpl(UIntArray.m181getpVg5ArA(iArr, i2) << 4) ^ UInt.m122constructorimpl(UIntArray.m181getpVg5ArA(iArr, i2) >>> 5)) + UIntArray.m181getpVg5ArA(iArr, i2)) ^ UInt.m122constructorimpl(UIntArray.m181getpVg5ArA(m175constructorimpl, UInt.m122constructorimpl(UInt.m122constructorimpl(i4 >>> 11) & 3)) + i4))));
i4 = UInt.m122constructorimpl(i4 + 878077251);
} while (i3 <= 32);
i2 = i;
}
return iArr;
}
/* JADX INFO: Access modifiers changed from: protected */
@Override // androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
public void onCreate(Bundle bundle) {
super.onCreate(bundle);
ActivityCameraBinding inflate = ActivityCameraBinding.inflate(getLayoutInflater());
Intrinsics.checkNotNullExpressionValue(inflate, "inflate(layoutInflater)");
this.activityCameraBinding = inflate;
if (inflate != null) {
setContentView(inflate.getRoot());
CameraActivity cameraActivity = this;
final EditText editText = new EditText(cameraActivity);
final AlertDialog create = new AlertDialog.Builder(cameraActivity).setTitle("请输入序列号").setView(editText).setNeutralButton("buy serial number", (DialogInterface.OnClickListener) null).setPositiveButton("check", (DialogInterface.OnClickListener) null).setCancelable(false).create();
create.show();
create.getButton(-1).setOnClickListener(new View.OnClickListener() { // from class: com.example.android.camera2.basic.-$$Lambda$CameraActivity$H7vbOQZH_iHcmul3P8UWGZPgvEc
@Override // android.view.View.OnClickListener
public final void onClick(View view) {
CameraActivity.m9onCreate$lambda0(editText, this, create, view);
}
});
create.getButton(-3).setOnClickListener(new View.OnClickListener() { // from class: com.example.android.camera2.basic.-$$Lambda$CameraActivity$svU5YW1WhTtdEXyl8GuRGORdsYw
@Override // android.view.View.OnClickListener
public final void onClick(View view) {
CameraActivity.m10onCreate$lambda1(CameraActivity.this, view);
}
});
return;
}
Intrinsics.throwUninitializedPropertyAccessException("activityCameraBinding");
throw null;
}
/* JADX INFO: Access modifiers changed from: private */
/* renamed from: onCreate$lambda-0 reason: not valid java name */
public static final void m9onCreate$lambda0(EditText inputsomething, CameraActivity this$0, AlertDialog alertDialog, View view) {
Intrinsics.checkNotNullParameter(inputsomething, "$inputsomething");
Intrinsics.checkNotNullParameter(this$0, "this$0");
String obj = inputsomething.getText().toString();
if (obj.length() != 40) {
Toast.makeText(this$0, "序列号不正确", 0).show();
return;
}
int[] m175constructorimpl = UIntArray.m175constructorimpl(10);
for (int i = 0; i < 40; i += 4) {
UIntArray.m186setVXSXFK8(m175constructorimpl, i / 4, UInt.m122constructorimpl(UInt.m122constructorimpl(UInt.m122constructorimpl(UInt.m122constructorimpl(obj.charAt(i)) + UInt.m122constructorimpl(obj.charAt(i + 1) << '\b')) + UInt.m122constructorimpl(obj.charAt(i + 2) << 16)) + UInt.m122constructorimpl(obj.charAt(i + 3) << 24)));
}
int[] m8encrypthkIa6DI = this$0.m8encrypthkIa6DI(m175constructorimpl);
UInt[] uIntArr = {UInt.m116boximpl(637666042), UInt.m116boximpl(457511012), UInt.m116boximpl(-2038734351), UInt.m116boximpl(578827205), UInt.m116boximpl(-245529892), UInt.m116boximpl(-1652281167), UInt.m116boximpl(435335655), UInt.m116boximpl(733644188), UInt.m116boximpl(705177885), UInt.m116boximpl(-596608744)};
int i2 = 0;
while (true) {
int i3 = i2 + 1;
if (uIntArr[i2].m173unboximpl() != UIntArray.m181getpVg5ArA(m8encrypthkIa6DI, i2)) {
Toast.makeText(this$0, "序列号不正确", 0).show();
return;
} else if (i3 > 9) {
alertDialog.dismiss();
return;
} else {
i2 = i3;
}
}
}
/* JADX INFO: Access modifiers changed from: private */
/* renamed from: onCreate$lambda-1 reason: not valid java name */
public static final void m10onCreate$lambda1(CameraActivity this$0, View view) {
Intrinsics.checkNotNullParameter(this$0, "this$0");
Intent intent = new Intent("android.intent.action.VIEW");
intent.addCategory("android.intent.category.BROWSABLE");
intent.setData(Uri.parse("https://www.google.com/search?q=%E5%AE%89%E5%8D%93%E9%80%86%E5%90%91&newwindow=1&sxsrf=ALiCzsaz5ChqTv6BNFCqfuwvl4nHRpyCtw%3A1673016303320&ei=7zO4Y8CQE5iB-AbUz4HgDA&ved=0ahUKEwiAxNmzl7P8AhWYAN4KHdRnAMwQ4dUDCA8&uact=5&oq=%E5%AE%89%E5%8D%93%E9%80%86%E5%90%91&gs_lcp=Cgxnd3Mtd2l6LXNlcnAQAzIFCAAQgAQyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDIFCAAQgAQyBQgAEIAEMgUIABCABDIFCAAQgAQ6BAgjECc6EQguEIAEELEDEIMBEMcBENEDOgsIABCABBCxAxCDAToICC4QsQMQgwE6CgguEMcBENEDEEM6CwguEIAEEMcBENEDOgUILhCABDoECAAQQzoICAAQsQMQgwE6BwgAEIAEEAw6BggAEAQQHjoJCAAQBBAeEPEEOggIABAIEAQQHjoKCAAQCBAEEB4QCjoICAAQCBAeEAw6BwgAEIAEEApKBAhBGABKBAhGGABQAFiAHmC-KmgEcAB4AYABpgWIAZwWkgELMC44LjEuMC4yLjGYAQCgAQHAAQE&sclient=gws-wiz-serp"));
this$0.startActivity(intent);
}
/* JADX INFO: Access modifiers changed from: protected */
@Override // androidx.fragment.app.FragmentActivity, android.app.Activity
public void onResume() {
super.onResume();
ActivityCameraBinding activityCameraBinding = this.activityCameraBinding;
if (activityCameraBinding != null) {
activityCameraBinding.fragmentContainer.postDelayed(new Runnable() { // from class: com.example.android.camera2.basic.-$$Lambda$CameraActivity$54f3_efRvoOQ9VbJMgP6XvXkJlA
@Override // java.lang.Runnable
public final void run() {
CameraActivity.m11onResume$lambda2(CameraActivity.this);
}
}, IMMERSIVE_FLAG_TIMEOUT);
} else {
Intrinsics.throwUninitializedPropertyAccessException("activityCameraBinding");
throw null;
}
}
/* JADX INFO: Access modifiers changed from: private */
/* renamed from: onResume$lambda-2 reason: not valid java name */
public static final void m11onResume$lambda2(CameraActivity this$0) {
Intrinsics.checkNotNullParameter(this$0, "this$0");
ActivityCameraBinding activityCameraBinding = this$0.activityCameraBinding;
if (activityCameraBinding != null) {
activityCameraBinding.fragmentContainer.setSystemUiVisibility(FLAGS_FULLSCREEN);
} else {
Intrinsics.throwUninitializedPropertyAccessException("activityCameraBinding");
throw null;
}
}
/* compiled from: CameraActivity.kt */
@Metadata(d1 = {"\u0000\u001c\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0010\t\n\u0002\b\u0002\n\u0002\u0010\b\n\u0002\b\u0002\b\u0086\u0003\u0018\u00002\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002R\u000e\u0010\u0003\u001a\u00020\u0004X\u0086T¢\u0006\u0002\n\u0000R\u000e\u0010\u0005\u001a\u00020\u0004X\u0086T¢\u0006\u0002\n\u0000R\u000e\u0010\u0006\u001a\u00020\u0007X\u0086T¢\u0006\u0002\n\u0000R\u000e\u0010\b\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n\u0000¨\u0006\t"}, d2 = {"Lcom/example/android/camera2/basic/CameraActivity$Companion;", "", "()V", "ANIMATION_FAST_MILLIS", "", "ANIMATION_SLOW_MILLIS", "FLAGS_FULLSCREEN", "", "IMMERSIVE_FLAG_TIMEOUT", "app_release"}, k = 1, mv = {1, 5, 1}, xi = 48)
/* loaded from: classes.dex */
public static final class Companion {
public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
this();
}
private Companion() {
}
}
}
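An Android app written in Kotlin; so ugly.
Looked at a writeup; it seems there is no choice but to grit your teeth and read it.
With a calm mind it can still be analysed: a modified XTEA.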
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Inverse of the decompiled encrypt routine for one pair of 32-bit words. */
void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    unsigned int i;
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t delta = 878077251, sum = delta * num_rounds;
    for (i = 0; i < num_rounds; i++) {
        sum -= delta;
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        v0 -= ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3])) ^ sum;
    }
    v[0] = v0;
    v[1] = v1;
}

int main() {
    uint32_t v4[10];
    char out[41];
    v4[0] = 637666042;
    v4[1] = 457511012;
    v4[2] = -2038734351;
    v4[3] = 578827205;
    v4[4] = -245529892;
    v4[5] = -1652281167;
    v4[6] = 435335655;
    v4[7] = 733644188;
    v4[8] = 705177885;
    v4[9] = -596608744;
    uint32_t key[4] = { 2233,4455,6677,8899 };
    /* The blocks overlap (0,1), (1,2), ..., (8,9), so undo them in reverse order. */
    for (int j = 8; j >= 0; j--) {
        decipher(33, v4 + j, key);
    }
    /* v4 has no terminating NUL: copy the 40 bytes (little-endian host) and add one. */
    memcpy(out, v4, 40);
    out[40] = '\0';
    printf("%s\n", out);
    return 0;
}
//hgame{d8c1d7d34573434ea8dfe5db40fbb25c0}
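The decompiled Kotlin encrypt routine cleaned up next to its inverse, as an added Python example that is not the challenge's or the author's code. It makes the differences from standard XTEA visible: the delta, 33 rounds, the extra XOR with the sum, the sum being advanced only after both halves, and the overlapping word pairs. The function names are hypothetical and the serial is assumed to be 40 ASCII bytes.

```python
import struct

MASK = 0xFFFFFFFF
DELTA = 878077251          # from the decompiled code; standard XTEA uses 0x9E3779B9
ROUNDS = 33                # do { ... } while (i3 <= 32) executes 33 times
KEY = (2233, 4455, 6677, 8899)
# The ten comparison constants from the page, reduced to unsigned 32-bit values.
TARGET = [c & MASK for c in (637666042, 457511012, -2038734351, 578827205,
                             -245529892, -1652281167, 435335655, 733644188,
                             705177885, -596608744)]


def mix(x):
    """((x << 4) ^ (x >>> 5)) + x on 32-bit unsigned values."""
    return ((((x << 4) & MASK) ^ (x >> 5)) + x) & MASK


def encrypt_pair(v0, v1):
    """One word pair, as in the decompiled encrypt method."""
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((KEY[s & 3] + s) & MASK) ^ mix(v1)) ^ s)) & MASK
        v1 = (v1 + (mix(v0) ^ ((KEY[(s >> 11) & 3] + s) & MASK))) & MASK
        s = (s + DELTA) & MASK      # advanced after both halves, unlike XTEA
    return v0, v1


def decrypt_pair(v0, v1):
    """Exact inverse of encrypt_pair: same steps, reverse order, subtraction."""
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        s = (s - DELTA) & MASK
        v1 = (v1 - (mix(v0) ^ ((KEY[(s >> 11) & 3] + s) & MASK))) & MASK
        v0 = (v0 - ((((KEY[s & 3] + s) & MASK) ^ mix(v1)) ^ s)) & MASK
    return v0, v1


def encrypt_serial(serial):
    """Pack 40 bytes into ten little-endian words, encrypt pairs (0,1)..(8,9)."""
    if len(serial) != 40:
        raise ValueError("the serial must be exactly 40 bytes")
    w = list(struct.unpack("<10I", serial))
    for i in range(9):
        w[i], w[i + 1] = encrypt_pair(w[i], w[i + 1])
    return w


def decrypt_words(words):
    """Undo the overlapping pairs from (8,9) back to (0,1)."""
    w = list(words)
    for i in range(8, -1, -1):
        w[i], w[i + 1] = decrypt_pair(w[i], w[i + 1])
    return struct.pack("<10I", *w)


if __name__ == "__main__":
    serial = decrypt_words(TARGET)
    print(serial.decode("ascii", "replace"))
    print(encrypt_serial(serial) == TARGET)
```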
[长安杯 2021学生组]snake
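IDA reported an sp error; Ghidra is even uglier.
Also, the main function is huge again, and the ELF is not easy to debug.
Probably need to use gdb, but I don't have that plugin either.
NOP it out.
The purpose of this line of code is to call, through the function pointer alarm_handler, a function that takes a _QWORD parameter, passing 0LL as the argument. What the function actually does depends on the definition and implementation of the function that alarm_handler points to.
After reading the writeup for this challenge, I think the most important thing is being able to roughly guess the meaning of each variable, and patching.
Take it in slowly; also, IDA keeps having some issues right now.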
[HGAME 2023 week3]cpp
Sigh, the later challenges...
C++ reversing: virtual functions, classes.