easyre
hap文件改成zip格式然后解壓去反編譯abc文件即可拿到源碼
這里推薦一個網站.abcD
蠻好用的
下載反編譯結果,解壓后用vscode打開分析。
這里可以看到一些目錄結構,我們先看看flag目錄
x_2_2.count位1000000的時候就會輸出flag那么大概率是一個點擊程序可以用DevEco Studio里面的模擬器安裝一下這個程序。
點擊到100萬次不太可能,我們還是看代碼邏輯
這是flag的生成方式
router_.getParams().hint1 + x_2_2.getH2(x_2_2.magic)
第二部分flag
這里我們看到getH2的邏輯,實際上就是decodeToString函數
我們去到coder里面看它的邏輯
里面的話調了兩個函數
x_1_8是標準的base解碼
而x_1_7是反轉
x_1_7 = function convertToString(p1) {let r10, r19, r32, r33;// 將輸入參數 p1 賦值給 r10r10 = p1;// 如果 p1 是 ArrayBuffer(原始二進制數據),轉換為 Uint8Array 后再調用 x_1_1(可能是解碼函數)if (p1 instanceof globalThis.ArrayBuffer) {const r5 = new globalThis.Uint8Array(p1); // 轉為字節數組r10 = x_1_1(r5); // 調用自定義函數 x_1_1 處理}// 再次賦值 r10 給 r19r19 = r10;// 如果 r10 是 Uint8Array 類型,再調用一次 x_1_1 處理if (r10 instanceof globalThis.Uint8Array) {r19 = x_1_1(r10);}// 如果處理后的 r19 不是字符串,拋出異常if (typeof r19 != 'string') {throw Error('Unsupported type');} else {// 倒序構造字符串r32 = r19.length - 1; // 從最后一個字符開始r33 = ''; // 用于保存倒序結果while (true) {if (r32 < 0) {return r33; // 倒序完成,返回結果} else {r32 = r32 - 1;r33 = r33 + r19[r32 + 1]; // 注意此處 r32 先減再加回,所以還是訪問從尾到頭的字符}}}
};
我們根據這個邏輯去解一下magic就能拿到第二部分flag
part2:38bad98fa3074dd6adc8cc434f22c48b4d4
第一部分flag
第一部分邏輯在index
密文
自解密部分,這塊實際上就是首先+上自己的長度,然后反轉,逐字符-i在反轉
拿密文正向跑這個程序即可
hint1 = 'tlfr`llakodZbjW_aR'r10 = ''.join([chr(ord(c) + len(hint1)) for c in hint1])r10_rev = r10[::-1]r43 = ''.join([chr(ord(c) - i) for i, c in enumerate(r10_rev)])final_hint1 = r43[::-1]
print(final_hint1)
part1:universityofoxford
arkts
這題還是蠻簡單的
這里用jadx-dev-all去反編譯,因為上面的那個網站反編譯不完全。
將hap改成zip后解壓,把abc文件直接拖到工具里即可
這里可以看到加密順序先經過rc4然后再base64再rsa加密一下
這里rc4和base64都不是標準的
這里是密文數組和一個假的key
調用onPageShow的時候會把key替換
所以key是OHCTF2026
我們先去看看rc4
魔改點在sbox和加密的地方
生成sbox只用了一個i
加密的地方把異或變成了+
解rc4
我們去看看base64
很明顯的換表邏輯
解base64
最后我們去看rsa
e是7
N是75067
N很小直接拿yafu去分了
得到p = 271 q=277
那么私鑰d也就能求了
完整解密腳本
from Crypto.Util.number import *
import base64enc = ["ndG5nZa=", "nte3ndK=", "nJy2nJi=", "mtK0mJG=", "nde5mZK=", "mtiWnda=", "ntq1nZm=", "mZG0mJq=", "nJe4ma==", "nJG4mW==", "mJa0mZG=", "mty1mte=", "mtu3odq=", "nJyZmJy=", "nJeWody=", "mJy1ntm=", "ntaWody=", "ma==", "ntqYodK=", "ndK2nJm=", "nJyZndq=", "ntaWody=", "ndGYndi=", "nJG4mW==", "mJu5mG==", "mtiYmda=", "mZmWnde=", "mteXndC=", "ndqXndm=", "mte1mZi=", "mJy5ntq=", "mZC4mtC=", "mJe4nW==", "nJC3odu=", "ndyXmdK=", "ndG5nZa=", "ndaZnZa=", "mtK0nJa="]def custom_base64_decode(custom_b64_str):custom_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"standard_chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"trans_table = str.maketrans(custom_chars, standard_chars)standard_b64_str = custom_b64_str.translate(trans_table)decoded_bytes = base64.b64decode(standard_b64_str)return decoded_bytesdef DeRsa(num):c=numn = 75067p = 271q = 277e = 7phi = (p - 1) * (q - 1)d = inverse(e, phi)result = pow(c, d, n)return resultdef rc4_decrypt(key, data):S = list(range(256))j = 0key_length = len(key)for i in range(256):j = (j + S[j] + key[j % key_length]) % 256S[i], S[j] = S[j], S[i]i = j = 0out = []for b in data:i = (i + 1) % 256j = (j + S[i]) % 256S[i], S[j] = S[j], S[i]K = S[(S[i] + S[j]) % 256]val = (b - K) % 256out.append(val)return bytes(out)
key = "OHCTF2026"
key = [ord(i) for i in key]decoded_numbers = [int(custom_base64_decode(i).decode()) for i in enc]
decoded_numbers = [DeRsa(i) for i in decoded_numbers]
plain = rc4_decrypt(key, decoded_numbers)
print(plain)
Secret
這題還是蠻新穎的,解手勢鎖,然后解魔改sm4,上傳解出來的圖片得到flag
要先解手勢鎖
這里我還是用上面那個網站反編譯的代碼,雖然有部分代碼反編譯不完全,但不影響分析
直接來看lock
有個默認密碼,但是那個沒有用,因為后面驗證的密文不是這個
很明顯的check邏輯
從@normalized:Y&&&libsecret.so&.mjs加載的。我們去看libsecret.so
交叉引用過去下面有個函數
很明顯的check邏輯
看看init_proc
unsigned __int64 __fastcall init_proc_(unsigned int *a1)
{unsigned int v1; // eaxunsigned int v2; // r15dunsigned int v3; // r8dunsigned int v4; // ebxunsigned int v5; // r9dunsigned int v6; // ebpunsigned int v7; // r14dunsigned int v8; // ecxunsigned int v9; // r11dint v10; // edxunsigned int v11; // ebx__int64 v12; // r14int v13; // r12dint v14; // ecxunsigned int v15; // ediunsigned int v17; // [rsp+8h] [rbp-80h]unsigned int v18; // [rsp+18h] [rbp-70h]unsigned int v20; // [rsp+28h] [rbp-60h]__int128 v21; // [rsp+40h] [rbp-48h]unsigned __int64 v22; // [rsp+50h] [rbp-38h]v22 = __readfsqword(0x28u);v21 = what;v1 = a1[8];v2 = *a1;v3 = a1[1];v4 = a1[4];v17 = a1[5];v5 = a1[6];v6 = a1[2];v7 = a1[3];v8 = a1[7];v9 = -1640531527;v10 = -11;do{v18 = v4;v11 = v7;v20 = v8;v12 = (v9 >> 2) & 3;v13 = *((_DWORD *)&v21 + v12);v2 += (((v1 >> 5) ^ (4 * v3)) + ((v3 >> 3) ^ (16 * v1))) ^ ((v9 ^ v3) + (v13 ^ v1));v3 += (((v2 >> 5) ^ (4 * v6)) + ((v6 >> 3) ^ (16 * v2))) ^ ((v9 ^ v6)+ (v2 ^ *((_DWORD *)&v21 + ((v9 >> 2) & 3 ^ 1))));v6 += (((v3 >> 5) ^ (4 * v11)) + ((v11 >> 3) ^ (16 * v3))) ^ ((v9 ^ v11)+ (v3 ^ *((_DWORD *)&v21 + ((v9 >> 2) & 3 ^ 2))));v14 = *((_DWORD *)&v21 + ((unsigned int)v12 ^ 3));v7 = v11 + ((((v6 >> 5) ^ (4 * v18)) + ((v18 >> 3) ^ (16 * v6))) ^ ((v9 ^ v18) + (v6 ^ v14)));v4 = v18 + ((((v7 >> 5) ^ (4 * v17)) + ((v17 >> 3) ^ (16 * v7))) ^ ((v9 ^ v17) + (v7 ^ v13)));v15 = (((((((v4 >> 5) ^ (4 * v5)) + ((v5 >> 3) ^ (16 * v4))) ^ ((v9 ^ v5)+ (v4 ^ *((_DWORD *)&v21 + ((v9 >> 2) & 3 ^ 1)))))+ v17) >> 5) ^ (4 * v20))+ ((v20 >> 3) ^ (16* (((((v4 >> 5) ^ (4 * v5)) + ((v5 >> 3) ^ (16 * v4))) ^ ((v9 ^ v5)+ (v4 ^ *((_DWORD *)&v21+ ((v9 >> 2) & 3 ^ 1)))))+ v17)));v17 += (((v4 >> 5) ^ (4 * v5)) + ((v5 >> 3) ^ (16 * v4))) ^ ((v9 ^ v5)+ (v4 ^ *((_DWORD *)&v21 + ((v9 >> 2) & 3 ^ 1))));v5 += v15 ^ ((v9 ^ v20) + (v17 ^ *((_DWORD *)&v21 + ((v9 >> 2) & 3 ^ 2))));v8 = v20 + ((((v5 >> 5) ^ (4 * v1)) + ((v1 >> 3) ^ (16 * v5))) ^ ((v9 ^ v1) + (v5 ^ v14)));v1 += (((v8 >> 5) ^ (4 * v2)) + ((v2 >> 3) ^ (16 * v8))) ^ ((v9 ^ v2) + (v8 ^ v13));v9 -= 1640531527;++v10;}while ( v10 );a1[1] = v3;*a1 = v2;a1[2] = v6;a1[3] = v7;a1[4] = v4;a1[5] = v17;a1[7] = v8;a1[6] = v5;a1[8] = v1;return __readfsqword(0x28u);
}xxtea加密
key是what
密文是is
注意小端,建議用ida get_wide_dword()去提取
#include <stdint.h>
#include <stdio.h>void f(uint32_t* a, int n, uint32_t k[4]) {if (n < 2) return;uint32_t d = 0x9E3779B9;int r = 6 + 52 / n;uint32_t s = r * d;uint32_t x, y, z, e;int i;x = a[0];while (r--) {e = (s >> 2) & 3;for (i = n - 1; i > 0; i--) {z = a[i - 1];uint32_t t1 = (z >> 5) ^ (x << 2);uint32_t t2 = (x >> 3) ^ (z << 4);uint32_t t3 = s ^ x;uint32_t t4 = k[(i & 3) ^ e] ^ z;a[i] -= (t1 + t2) ^ (t3 + t4);x = a[i];}z = a[n - 1];uint32_t t1 = (z >> 5) ^ (x << 2);uint32_t t2 = (x >> 3) ^ (z << 4);uint32_t t3 = s ^ x;uint32_t t4 = k[e] ^ z;a[0] -= (t1 + t2) ^ (t3 + t4);x = a[0];s -= d;}
}int main() {uint32_t k[4] = { 0xB, 0x2D, 0xE, 0x1BF52 };uint32_t a[9] = {0xeb159b69, 0x71efca1b, 0x91c9c6c6, 0x957af873, 0xd3deab9, 0x27894343, 0x61d6415b, 0x1f80fed8, 0xdf62f1d9};f(a, 9, k);for (int i = 0; i < 9; i++) printf("[%d] 0x%08X\n", i, a[i]);for (int i = 0; i < 9; i++) {uint8_t* b = (uint8_t*)&a[i];for (int j = 0; j < 4; j++) printf("%c", b[j]);}printf("\n");return 0;
}
134507286
要我上傳一個圖片,我在資源文件里看到了個enc文件,應該是要解這個
獲取上傳的內容,base64編碼后傳給bb.txt
從資源文件種加載enc給x_4_1
和enc check
我們去看一下這個ValidateCiphertext
看它下面的這個函數
sm4輪密鑰生成
sm4 32輪迭代
最后再base64
所以這就是enc的加密邏輯
其中sm4有魔改 多異或了一個tea的delta常量
解下來編寫解密代碼,首先先解base64
我沒有寫文件io去解這個文件,而是手動填密文進去
轉換一下格式
enc ="""填密文"""
enc = enc.split("\n")
print(len(enc))
print(len(enc)/4)
for i in range(len(enc)):print("0x"+enc[i],end=",")然后寫個sm4解密腳本
密文填到這里面即可
再解一層base64
很明顯的圖片文件 我們保存一下
傳到程序里
得到flag
解sm4腳本
#define _CRT_SECURE_NO_WARNINGS 1
#include <stdio.h>
#include <stdint.h>typedef uint32_t u32;
typedef uint8_t u8;u8 Sbox[256] = {0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6,0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05, 0x2B, 0x67, 0x9A, 0x76,0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86,0x06, 0x99, 0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A,0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62, 0xE4, 0xB3,0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA,0x75, 0x8F, 0x3F, 0xA6, 0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73,0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8,0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 0xF8, 0xEB,0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35, 0x1E, 0x24, 0x0E, 0x5E,0x63, 0x58, 0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x21,0x78, 0x87, 0xD4, 0x00, 0x46, 0x57, 0x9F, 0xD3, 0x27, 0x52,0x4C, 0x36, 0x02, 0xE7, 0xA0, 0xC4, 0xC8, 0x9E, 0xEA, 0xBF,0x8A, 0xD2, 0x40, 0xC7, 0x38, 0xB5, 0xA3, 0xF7, 0xF2, 0xCE,0xF9, 0x61, 0x15, 0xA1, 0xE0, 0xAE, 0x5D, 0xA4, 0x9B, 0x34,0x1A, 0x55, 0xAD, 0x93, 0x32, 0x30, 0xF5, 0x8C, 0xB1, 0xE3,0x1D, 0xF6, 0xE2, 0x2E, 0x82, 0x66, 0xCA, 0x60, 0xC0, 0x29,0x23, 0xAB, 0x0D, 0x53, 0x4E, 0x6F, 0xD5, 0xDB, 0x37, 0x45,0xDE, 0xFD, 0x8E, 0x2F, 0x03, 0xFF, 0x6A, 0x72, 0x6D, 0x6C,0x5B, 0x51, 0x8D, 0x1B, 0xAF, 0x92, 0xBB, 0xDD, 0xBC, 0x7F,0x11, 0xD9, 0x5C, 0x41, 0x1F, 0x10, 0x5A, 0xD8, 0x0A, 0xC1,0x31, 0x88, 0xA5, 0xCD, 0x7B, 0xBD, 0x2D, 0x74, 0xD0, 0x12,0xB8, 0xE5, 0xB4, 0xB0, 0x89, 0x69, 0x97, 0x4A, 0x0C, 0x96,0x77, 0x7E, 0x65, 0xB9, 0xF1, 0x09, 0xC5, 0x6E, 0xC6, 0x84,0x18, 0xF0, 0x7D, 0xEC, 0x3A, 0xDC, 0x4D, 0x20, 0x79, 0xEE,0x5F, 0x3E, 0xD7, 0xCB, 0x39, 0x48
};u32 FK[4] = { 0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC }; // 固定參數FK
u32 CK[32] = {0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269,0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9,0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249,0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9,0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229,0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299,0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209,0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279
};u32 functionB(u32 b) {u8 a[4];a[0] = (b >> 24) & 0xFF;a[1] = (b >> 16) & 0xFF;a[2] = (b >> 8) & 0xFF;a[3] = b & 0xFF;return (Sbox[a[0]] << 24) | (Sbox[a[1]] << 16) | (Sbox[a[2]] << 8) | Sbox[a[3]];
}u32 loopLeft(u32 a, short length) {length = length % 32;return (a << length) | (a >> (32 - length));
}u32 functionL1(u32 a) {return a ^ loopLeft(a, 2) ^ loopLeft(a, 10) ^ loopLeft(a, 18) ^ loopLeft(a, 24);
}u32 functionL2(u32 a) {return a ^ loopLeft(a, 13) ^ loopLeft(a, 23);
}u32 functionT(u32 a, short mode) {if (mode == 1)return functionL1(functionB(a));elsereturn functionL2(functionB(a));
}void extendFirst(u32 MK[], u32 K[]) {for (int i = 0; i < 4; i++) {K[i] = MK[i] ^ FK[i];}
}void extendSecond(u32 RK[], u32 K[]) {for (int i = 0; i < 32; i++) {K[(i + 4) % 4] = K[i % 4] ^ functionT(K[(i + 1) % 4] ^ K[(i + 2) % 4] ^ K[(i + 3) % 4] ^ CK[i], 2);RK[i] = K[(i + 4) % 4];}
}void getRK(u32 MK[], u32 K[], u32 RK[]) {extendFirst(MK, K);extendSecond(RK, K);
}void iterate32(u32 X[], u32 RK[]) {for (int i = 0; i < 32; i++) {u32 tmp = functionT(X[(i + 1) % 4] ^ X[(i + 2) % 4] ^ X[(i + 3) % 4] ^ RK[i], 1);X[(i + 4) % 4] = X[i % 4] ^ tmp ^ 0x9E3779B9;}
}void reverse(u32 X[], u32 Y[]) {for (int i = 0; i < 4; i++) {Y[i] = X[3 - i];}
}void encryptSM4(u32 X[], u32 RK[], u32 Y[]) {iterate32(X, RK);reverse(X, Y);
}void decryptSM4(u32 X[], u32 RK[], u32 Y[]) {u32 reverseRK[32];for (int i = 0; i < 32; i++) {reverseRK[i] = RK[31 - i];}iterate32(X, reverseRK);reverse(X, Y);
}int main(void) {u32 enc[11316] = { 0 };u32 X[4] = { 0 };u32 Y[11316] = { 0 };u32 MK[4] = { 0xE52BCC34, 0x1F1B5B18, 0x5F1ED75A, 0xF108FE7F };u32 K[4] = { 0 };u32 RK[32];getRK(MK, K, RK);int i = 0;for (i; i < 2829; i++) {decryptSM4(&enc[i * 4], RK, &Y[i * 4]);}for (int i = 0; i < 11316; i++) {u8* p = (u8*)&Y[i];for (int j = 3; j >= 0; j--) {putchar(p[j]);}}printf("\n");return 0;
}
)
-------找出第 n 個丑數(Ugly Number))
)
