0x00
题目链接:https://pan.baidu.com/s/1FLIaSN6EOe34qQNO_8yi-g
提取码:phou
0x01
native层分析
根据提示程序用了O-LLVM混淆,IDA分析ANativeActivity_onCreate函数,分析此处
// Excerpt from the IDA pseudo-code of ANativeActivity_onCreate (not a complete function).
// The pointer returned by flg() is the only value formatted into the logged string,
// so recovering the flag reduces to understanding flg() and its integer argument.
v24 = flg((int)v67, &v89);
// Priority 4 is ANDROID_LOG_INFO; the message is tagged "an-activity".
j___android_log_print(4, "an-activity", "The flag is:njctf{%s}", v24);
// NOTE(review): presumably the next dispatcher state of the O-LLVM flattened
// control flow mentioned in the write-up; it does not influence the flag. Confirm in IDA.
v4 = -681054051;
v25 = v2;
v66 = v2;
goto LABEL_214;
可看出flag与flg函数有关。
0x02
分析flg层函数。
/*
 * IDA pseudo-code of flg(): fills the caller-supplied buffer a2 with 12 bytes
 * derived from the decimal digits of a1, terminates it, and returns a2.
 *
 * Only seven decimal digits of a1 are read (a1 % 10 up to a1 / 1000000 % 10),
 * so the output is fully determined by those digits. Every store goes through
 * a char pointer, so only the low 8 bits of each expression are kept.
 */
char *__fastcall flg(int a1, char *a2)
{
  int v2; // ST0C_4
  int v3; // r4
  int v4; // r0
  char v5; // ST08_1
  int v6; // ST10_4
  int v7; // r0
  int v8; // r2
  int v9; // r0
  int v10; // r3
  int v11; // r0

  // v2 and v3 are plain copies of a1.
  v2 = a1;
  v3 = a1;
  // v4 / v5: units digit.
  v4 = a1 % 10;
  v5 = v4;
  *a2 = 20 * v4;
  // v6: hundreds digit.
  v6 = v3 / 100 % 10;
  v7 = 19 * v6 + 20 * v4;
  a2[1] = v7;
  a2[2] = v7 - 4;
  // v8: tens digit.
  v8 = v3 / 10 % 10;
  // The only use of the millions digit (a1 / 1000000 % 10).
  a2[3] = v3 / 1000000 % 10 + 11 * v8;
  // v9: ten-thousands digit, v10: thousands digit.
  v9 = v3 / 10000 % 10;
  v10 = v3 / 1000 % 10;
  a2[4] = 20 * v10 - v9;
  a2[5] = (v8 + v5) * v10;
  a2[6] = v8 * v10 * v9;
  // v11: hundred-thousands digit.
  v11 = v2 / 100000 % 10;
  a2[7] = 20 * v11 - v6;
  // '*' binds tighter than '|': this is (10 * v10) | 1.
  a2[8] = 10 * v10 | 1;
  a2[9] = (v8 + v5) * v11 - 1;
  a2[10] = v5 * v8 * v6 * v6 - 4;
  // 16-bit store of an 8-bit value: the upper byte is zero. Presumably the target
  // is little-endian, so a2[11] receives the computed byte and a2[12] the NUL
  // terminator; confirm against the disassembly. The buffer must hold 13 bytes.
  *(_WORD *)(a2 + 11) = (unsigned __int8)((v6 + v8) * v11 - 5);
  return a2;
}
发现有/1000000,说明输入的数应当大于1000000;又因为flg只用到了a1的个位到百万位这7位十进制数字,搜索空间很小,可以进行爆破。
0x03
写脚本进行爆破,从1000000到10000000。
cpp脚本
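// Offline candidate enumerator for the flg() routine recovered from the native library.
// It re-implements the digit arithmetic of flg() and prints every 12-character
// result that consists only of ASCII letters and digits.
#include <cstdio>    // printf (the original relied on <iostream> pulling it in)
#include <iostream>

void check(int num);
int ok(char);

int main(void)
{
    // flg() reads the seven low decimal digits of its argument, so the
    // write-up enumerates every seven-digit value.
    for (int i = 1000000; i < 10000000; i++)
    {
        check(i);
    }
    return 0;
}

// Returns non-zero when c is an ASCII letter or digit, zero otherwise.
int ok(char c)
{
    return (c >= 'A' && c <= 'Z') ||
           (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9');
}

// Derives the 12 output bytes for num exactly as flg() does and prints the
// string when every byte passes ok(). Several candidates may be printed;
// the charset filter alone does not identify the flag.
void check(int num)
{
    const int v4 = num % 10;            // units digit
    const int v8 = num / 10 % 10;       // tens digit
    const int v6 = num / 100 % 10;      // hundreds digit
    const int v10 = num / 1000 % 10;    // thousands digit
    const int v9 = num / 10000 % 10;    // ten-thousands digit
    const int v11 = num / 100000 % 10;  // hundred-thousands digit
    const int v7 = 19 * v6 + 20 * v4;

    const int raw[12] = {
        20 * v4,
        v7,
        v7 - 4,
        num / 1000000 % 10 + 11 * v8,   // only use of the millions digit
        20 * v10 - v9,
        (v8 + v4) * v10,
        v8 * v10 * v9,
        20 * v11 - v6,
        10 * v10 | 1,
        (v8 + v4) * v11 - 1,
        v4 * v8 * v6 * v6 - 4,
        (v6 + v8) * v11 - 5,
    };

    char flag[13];
    for (int i = 0; i < 12; i++)
    {
        // The native code stores each value through a char pointer; reduce to
        // the low byte explicitly instead of relying on implicit narrowing.
        flag[i] = static_cast<char>(static_cast<unsigned char>(raw[i]));
        if (!ok(flag[i]))
        {
            return;  // one bad byte rules this candidate out
        }
    }
    flag[12] = '\0';

    printf("%s\n", flag);
}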
python脚本
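def _flag_bytes(num):
    """Return the 12 byte values flg() would write for the integer ``num``.

    Mirrors the digit arithmetic of the decompiled routine. ``//`` keeps the
    divisions integral on both Python 2 and Python 3, and ``& 0xFF`` models the
    native code storing every result through a char pointer.
    """
    v4 = num % 10             # units digit
    v8 = num // 10 % 10       # tens digit
    v6 = num // 100 % 10      # hundreds digit
    v10 = num // 1000 % 10    # thousands digit
    v9 = num // 10000 % 10    # ten-thousands digit
    v11 = num // 100000 % 10  # hundred-thousands digit
    v7 = 19 * v6 + 20 * v4
    raw = [
        20 * v4,
        v7,
        v7 - 4,
        num // 1000000 % 10 + 11 * v8,  # only use of the millions digit
        20 * v10 - v9,
        (v8 + v4) * v10,
        v8 * v10 * v9,
        20 * v11 - v6,
        10 * v10 | 1,
        (v8 + v4) * v11 - 1,
        v4 * v8 * v6 * v6 - 4,
        (v6 + v8) * v11 - 5,
    ]
    return [value & 0xFF for value in raw]


def check1(num):
    """Print the candidate string for ``num`` if all 12 bytes are alphanumeric.

    Returns None in every case. Several candidates may be printed over the
    whole search range; the charset filter alone does not identify the flag.
    """
    flag = _flag_bytes(num)
    if any(check2(value) for value in flag):
        return
    print(''.join(chr(value) for value in flag))


def check2(num):
    """Return 0 when ``num`` is the code of an ASCII letter or digit, else 1."""
    if ord('A') <= num <= ord('Z'):
        return 0
    if ord('a') <= num <= ord('z'):
        return 0
    if ord('0') <= num <= ord('9'):
        return 0
    return 1


if __name__ == '__main__':
    # flg() reads seven decimal digits, so enumerate every seven-digit value.
    # Guarded so that importing this module does not start the long search.
    for i in range(1000000, 10000000):
        check1(i)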
python跑得会比较慢。脚本只按字符集(字母和数字)过滤,因此可能会输出多个候选,在输出结果中有一个即是flag。
原文地址:https://www.cnblogs.com/Fingerprint/p/9744619.html
时间: 2024-10-08 07:19:16