吾爱破解2023春节解题领红包 WriteUp

wgf42421

于 2024-07-28 08:13:40 发布

阅读量224

点赞数 1

文章标签： python

本文链接：https://blog.csdn.net/wgf42421/article/details/140745838

版权

【2023春节】解题领红包之二.exe

lst = [408, 432, 388, 412, 492, 212, 200, 320, 444, 296, 420, 404, 200, 192, 200, 204, 288, 388, 448, 448, 484, 312, 404, 476, 356, 404, 388, 456, 500]
print(''.join(chr(x >> 2) for x in lst))

【2023春节】解题领红包之三.apk

方式1.jeb直接打开得到 flag

方式2. 分析代码

    key.setText(this$0.decrypt("hnci}|jwfclkczkppkcpmwckng\u007f", 2));

    public final String decrypt(String encryptTxt, int i) {
        for (char c : charArray) {
            sb.append((char) (c - i));
        }
    }

ar = "hnci}|jwfclkczkppkcpmwckng\x7f"
print(''.join(chr(ord(x) - 2) for x in ar))
# flag{zhudajiaxinniankuaile}

下面这个写法省事一点

bytearray([i - 2 for i in b"hnci}|jwfclkczkppkcpmwckng\x7f"])

【2023春节】解题领红包之四.apk

关键函数

package com.zj.wuaipojie2023_1;

/* loaded from: classes.dex */
public class B {
    public static String encode(String str) {
        int length = str.length();
        char[] cArr = new char[length];
        int i = length - 1;
        while (i >= 0) {
            int i2 = i - 1;
            cArr[i] = (char) (str.charAt(i) ^ '5');
            if (i2 < 0) {
                break;
            }
            i = i2 - 1;
            cArr[i2] = (char) (str.charAt(i2) ^ '2');
        }
        return new String(cArr);
    }
}

    public final boolean B(String str, String str2) {
        Intrinsics.checkNotNullParameter(str, "str");
        Intrinsics.checkNotNullParameter(str2, "str2");
        if (!(str.length() == 0 && str2.length() == 0) && StringsKt.startsWith$default(str2, "flag{", false, 2, (Object) null) && StringsKt.endsWith$default(str2, "}", false, 2, (Object) null)) {
            String substring = str2.substring(5, str2.length() - 1);
            Intrinsics.checkNotNullExpressionValue(substring, "this as java.lang.String…ing(startIndex, endIndex)");
            C c = C.INSTANCE;
            MD5Utils mD5Utils = MD5Utils.INSTANCE;
            Base64Utils base64Utils = Base64Utils.INSTANCE;
            String encode = B.encode(str + "Wuaipojie2023");
            Intrinsics.checkNotNullExpressionValue(encode, "encode(str3)");
            byte[] bytes = encode.getBytes(Charsets.UTF_8);
            Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
            return Intrinsics.areEqual(substring, c.cipher(mD5Utils.MD5(base64Utils.encodeToString(bytes)), 5));
        }
        return false;
    }

直接扒出来存成Go.java

public class Go {
    public static String encode(String str) {
        int length = str.length();
        char[] cArr = new char[length];
        int i = length - 1;
        while (i >= 0) {
            int i2 = i - 1;
            cArr[i] = (char) (str.charAt(i) ^ '5');
            if (i2 < 0) {
                break;
            }
            i = i2 - 1;
            cArr[i2] = (char) (str.charAt(i2) ^ '2');
        }
        return new String(cArr);
    }

    public static void main(String[] args) {
        System.out.println(Go.encode(args[0]));
    }
}
// javac Go.java
// 使用 java Go some_str

import subprocess
from base64 import b64encode
import hashlib

uid = "176017"
payload = uid + "Wuaipojie2023"
encode = subprocess.getoutput(f'java Go {payload}')
flag = b64encode(encode.encode())
result = hashlib.md5(flag).hexdigest()
print(result)
# "4k65807686gg2k149h4k338211hi8643"

【2023春节】解题领红包之六

jadx打开 apk。

    private final void Check_Volume(double d) {
        ...
        write_img(); // 操作了 "aes.png"
    }

解压找到 aes.png 和so文件, ida加载后有 3个函数

encrypt
decrypt
get_RealKey

wgf42421

关注

1
点赞
踩
6

收藏

觉得还不错? 一键收藏
0
评论
吾爱破解2023春节解题领红包 WriteUp

解压找到 aes.png 和so文件, ida加载后有 3个函数。方式1.jeb直接打开得到 flag。直接扒出来存成Go.java。jadx打开 apk。下面这个写法省事一点。
复制链接

扫一扫