109_[FlareOn6]FlareBear

java这东西看着也费劲,就没有一种一看就明白的语言吗

题目是一个apk的文件,安装到雷电上是个小游戏,有3个选项,吃、玩、铲屎

再看代码：danceWithFlag() 用 getPassword() 解密两张原始资源图再让熊跳舞，这就是最终结果。顺着调用关系找到它的上级 setMood()，里面用 isEcstatic() 判断是否成功：要求 getState() 读出的三个值 mass == 72、happy == 30、clean == 0 同时成立（getPassword() 的实现这里没贴出来，推测密钥也来自同一份状态）。

    /** The bear ImageView is looked up through the Kotlin synthetic view cache every time. */
    private ImageView bearImage() {
        return (ImageView) _$_findCachedViewById(R.id.flareBearImageView);
    }

    /**
     * Start the two-frame "ecstatic" animation.
     *
     * @param drawable  first frame, shown immediately
     * @param drawable2 second frame, swapped in by the posted runnable
     */
    public final void dance(@NotNull Drawable drawable, @NotNull Drawable drawable2) {
        Intrinsics.checkParameterIsNotNull(drawable, "drawable");
        Intrinsics.checkParameterIsNotNull(drawable2, "drawable2");
        // Cancel whatever the activity-level handler still has queued before animating.
        this.handler.removeCallbacksAndMessages(null);
        bearImage().setImageDrawable(drawable);
        bearImage().setTag("ecstatic");
        Handler danceHandler = new Handler();
        // The generated runnable alternates the two frames; first swap after 500 ms.
        danceHandler.postDelayed(new FlareBearActivity$dance$r$1(this, danceHandler, drawable2, drawable), 500);
    }

    /** Read a raw resource fully into memory (the stream is not closed, as in the original). */
    private byte[] readRawResource(int resId, String exprName) {
        InputStream stream = getResources().openRawResource(resId);
        Intrinsics.checkExpressionValueIsNotNull(stream, exprName);
        return ByteStreamsKt.readBytes(stream);
    }

    /** Decode an in-memory image into a drawable for the bear view. */
    private BitmapDrawable toDrawable(byte[] image) {
        return new BitmapDrawable(getResources(), BitmapFactory.decodeByteArray(image, 0, image.length));
    }

    /**
     * Decrypt the two flag frames with getPassword() and animate them.
     *
     * Both raw resources are read before the password is requested. Any
     * exception from decrypt()/decoding is swallowed, so with a wrong
     * password the bear simply does not dance (presumably how the game hides
     * the flag until the exact state is reached).
     */
    public final void danceWithFlag() {
        byte[] frame1 = readRawResource(R.raw.ecstatic, "ecstaticEnc");
        byte[] frame2 = readRawResource(R.raw.ecstatic2, "ecstaticEnc2");
        String password = getPassword();
        try {
            frame1 = decrypt(password, frame1);
            frame2 = decrypt(password, frame2);
            dance(toDrawable(frame1), toDrawable(frame2));
        } catch (Exception unused) {
            // Deliberately silent: failure to decrypt/decode is the "not yet" case.
        }
    }

    /**
     * Tag the bear view "sad" or "happy", and trigger the flag animation when
     * isEcstatic() additionally holds. danceWithFlag() is only reachable from here.
     */
    public final void setMood() {
        if (!isHappy()) {
            bearImage().setTag("sad");
            return;
        }
        bearImage().setTag("happy");
        if (isEcstatic()) {
            danceWithFlag();
        }
    }

    /**
     * Win condition: the persisted stats must be exactly mass 72, happy 30, clean 0.
     * All three states are read (default 0) before the comparison.
     */
    public final boolean isEcstatic() {
        int mass = getState("mass", 0);
        int happy = getState("happy", 0);
        int clean = getState("clean", 0);
        return mass == 72 && happy == 30 && clean == 0;
    }

再看怎么改变这3项

   /** Apply one action's stat deltas in the fixed order mass, happy, clean. */
   private void applyStatDeltas(int massDelta, int happyDelta, int cleanDelta) {
       changeMass(massDelta);
       changeHappy(happyDelta);
       changeClean(cleanDelta);
   }

   /**
    * "Feed" button handler: mass +10, happy +2, clean -1, plus one more poo.
    * Logged as activity "f". Does not call setMood() itself (feedUi() is not shown here).
    */
   public final void feed(@NotNull View view) {
       Intrinsics.checkParameterIsNotNull(view, "view");
       saveActivity("f");
       applyStatDeltas(10, 2, -1);
       incrementPooCount();
       feedUi();
   }

   /**
    * "Play" button handler: mass -2, happy +4, clean -1.
    * Logged as activity "p". Does not call setMood() itself (playUi() is not shown here).
    */
   public final void play(@NotNull View view) {
       Intrinsics.checkParameterIsNotNull(view, "view");
       saveActivity("p");
       applyStatDeltas(-2, 4, -1);
       playUi();
   }

   /**
    * "Clean" button handler: removes poo, mass +0, happy -1, clean +6.
    * Logged as activity "c". This is the only handler of the three that
    * re-evaluates the mood, so the win check runs after a clean.
    */
   public final void clean(@NotNull View view) {
       Intrinsics.checkParameterIsNotNull(view, "view");
       saveActivity("c");
       removePoo();
       cleanUi();
       applyStatDeltas(0, -1, 6);
       setMood();
   }

按三个动作各自对 mass/happy/clean 的增量列一组线性方程求解，结果是吃 8 次、玩 4 次、铲屎 2 次（三个方程三个未知数，解唯一）。注意上面的代码里只有 clean() 直接调用 setMood()，所以最后一步应当是铲屎；feedUi()/playUi() 内部是否也会触发检查从这段代码看不出来。

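from z3 import *

# Unknowns are the number of times each button is pressed:
# x = feed, y = play, z = clean. The coefficients are the per-action deltas
# from feed()/play()/clean(); the targets come from isEcstatic().
x, y, z = Ints('x y z')
s = Solver()
s.add(10 * x - 2 * y == 72)        # mass:  feed +10, play -2, clean  0  -> 72
s.add(2 * x + 4 * y - z == 30)     # happy: feed  +2, play +4, clean -1  -> 30
s.add(6 * z - x - y == 0)          # clean: feed  -1, play -1, clean +6  ->  0
# Button presses cannot be negative; harmless here (the system has a unique
# solution) but keeps the model physical if the equations are ever changed.
s.add(x >= 0, y >= 0, z >= 0)
# check() must be inspected before model(): model() on an unsat solver raises.
if s.check() != sat:
    raise SystemExit("no solution")
d = s.model()
print(d)
#[z = 2, y = 4, x = 8]
#flag{th4t_was_be4rly_a_chall3nge@flare-on.com}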

110_[INSHack2018]Tricky-Part1

这个比较入门了

main 先用 ptrace(PTRACE_TRACEME) 做反调试：返回负值说明已有调试器附加，直接打印提示并返回 42；否则读入输入，和 stack_check() 生成的字符串比较。

// IDA pseudocode of main(). Reads a candidate flag and compares it with the
// string produced by stack_check().
//
// Anti-debug: ptrace(PTRACE_TRACEME) fails (negative) when a tracer is already
// attached, so the check below is skipped entirely under a debugger. It is a
// single conditional jump; static analysis (as done in this write-up) or
// patching that jump sidesteps it.
//
// NOTE(review): stack_check() is shown without arguments, but its a1 parameter
// (see stack_check below) is presumably v8 -- v8 is compared and destroyed
// here without ever being constructed in this function, which matches the
// decompiler having dropped the hidden rdi argument. Confirm in disassembly.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // ebx
  char v4; // bl
  __int64 v5; // rax
  char v7[16]; // [rsp+0h] [rbp-30h] BYREF  -- user input std::string
  char v8[32]; // [rsp+10h] [rbp-20h] BYREF  -- expected flag std::string (filled by stack_check)

  if ( ptrace(PTRACE_TRACEME, 0LL, 1LL, 0LL) >= 0 )
  {
    std::string::string((std::string *)v7);
    std::operator<<<std::char_traits<char>>(&std::cout, "Enter your flag : ");
    std::operator>><char>(&std::cin, v7);
    stack_check();
    // Plain operator== on std::string: not constant-time, but the expected
    // value is static data anyway (recovered below by XOR), so timing is moot.
    v4 = std::operator==<char>(v7, v8);
    std::string::~string(v8);
    if ( v4 )
      v5 = std::operator<<<std::char_traits<char>>(&std::cout,"Correct but this is just the first one\nValidate with the flag");
    else
      v5 = std::operator<<<std::char_traits<char>>(&std::cout, "Sooo bad. Are you trying to trick me ?");
    std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
    v3 = 0;
    std::string::~string(v7);
  }
  else
  {
    // Debugger detected: bail out with a distinct exit code.
    std::operator<<<std::char_traits<char>>(&std::cout, "Oh no, don't debug me plz\n");
    return 42;
  }
  return v3;
}

stack_check() 负责把全局 base 就地与密钥字符串 unk_4011D8（按密钥长度循环取字节，从后面的脚本看就是 "GDB"）逐字节异或，然后把结果拷贝到 a1 返回给 main 做比较。

// IDA pseudocode of stack_check(). Despite the name it is the flag "decryptor":
// it XORs the global std::string `base` IN PLACE with a repeating key built
// from unk_4011D8, then copy-constructs the result into a1 and returns a1.
//
// Because the XOR is applied to the global itself, a second call would undo
// it again (XOR is an involution); main calls it once.
//
// @param a1  out-parameter: uninitialised std::string storage to receive a copy of `base`
// @return    a1
std::string *__fastcall stack_check(std::string *a1)
{
  unsigned __int64 v1; // rbx
  unsigned __int64 v2; // rax
  _BYTE *v3; // rax
  unsigned __int64 v4; // rbx
  char v6; // [rsp+1Bh] [rbp-25h] BYREF
  int i; // [rsp+1Ch] [rbp-24h]
  char v8[32]; // [rsp+20h] [rbp-20h] BYREF  -- key std::string

  // v8 = std::string(unk_4011D8)  (the key)
  std::allocator<char>::allocator(&v6);
  std::string::string(v8, &unk_4011D8, &v6);
  std::allocator<char>::~allocator(&v6);
  for ( i = 0; ; ++i )
  {
    v4 = i;
    if ( v4 >= std::string::size((std::string *)&base) )
      break;
    v1 = i;
    v2 = std::string::size((std::string *)v8);
    // Key byte = key[i % key.size()]; only the low byte of v1 matters for the XOR below.
    // (An empty key would divide by zero here.)
    LOBYTE(v1) = *(_BYTE *)std::string::operator[](v8, v1 % v2);
    v3 = (_BYTE *)std::string::operator[](&base, i);
    *v3 ^= v1;
  }
  // a1 = std::string(base)  -- the now-decrypted expected flag
  std::string::string(a1, (const std::string *)&base);
  std::string::~string(v8);
  return a1;
}

只是 base 的初值在哪还不清楚，查交叉引用后发现它在静态初始化函数里直接由 unk_401278 构造，所以 unk_401278 就是异或前的密文。

// Compiler-generated static initialiser (GCC's __static_initialization_and_destruction_0).
// When invoked as the constructor pass (a1 == 1, a2 == 0xFFFF) it sets up
// iostreams and constructs the global std::string `base` from unk_401278,
// registering both destructors with __cxa_atexit.
//
// So unk_401278 holds the XOR-encrypted expected flag that stack_check()
// later decodes in place.
//
// NOTE: `result` is returned uninitialised on the non-constructor path; this
// is a decompiler artifact of the function effectively being void there.
int __fastcall __static_initialization_and_destruction_0(int a1, int a2)
{
  int result; // eax
  char v3[17]; // [rsp+1Fh] [rbp-11h] BYREF  -- throwaway std::allocator<char>

  if ( a1 == 1 && a2 == 0xFFFF )
  {
    std::ios_base::Init::Init((std::ios_base::Init *)&std::__ioinit);
    __cxa_atexit(std::ios_base::Init::~Init, &std::__ioinit, &_dso_handle);
    std::allocator<char>::allocator(v3);
    // base = std::string(unk_401278)
    std::string::string(&base, &unk_401278, v3);
    std::allocator<char>::~allocator(v3);
    return __cxa_atexit(std::string::~string, &base, &_dso_handle);
  }
  return result;
}

写脚本处理一下

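def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Replicate stack_check(): XOR each byte of ``data`` with ``key[i % len(key)]``.

    XOR with a repeating key is its own inverse, so the same call both
    encrypts and decrypts. An empty ``data`` yields ``b''``.

    Raises:
        ValueError: if ``key`` is empty (the binary would divide by zero there too).
    """
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(byte ^ key[i % len(key)] for i, byte in enumerate(data))


# Bytes of unk_401278: the initial value of the global `base` (the ciphertext).
a = bytes.fromhex('0E0A11063F011F1C1D76371D2F7030237730182272351B3133703676271D732A762B75313E371D302C71291B26742637202371351B2473752E3439')
# Bytes of unk_4011D8: the key string built inside stack_check().
b = b'GDB'
print(xor_with_key(a, b))
#INSA{CXX_1s_h4rd3r_f0r_st4t1c_4n4l1sys_wh3n_d3bugg3r_f41ls}
#flag{CXX_1s_h4rd3r_f0r_st4t1c_4n4l1sys_wh3n_d3bugg3r_f41ls}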
