s = '6enp6enp6enp6enp6enp6enp6enp6eml6urq6unq6erp6urq6urq6urq6enp6unq6enp6unq6erp6enq6enp6unp6erp6erq6urq6urq6urq6urp6unp6enq6erq6unp6enp6unq6enp6unp6enp6unq6erq6urq6unp6urq6erq6unp6erp6unp6enp6erp6enp6enp6enp6enq6urp6urq6urq6urq6urq6erqsunp6unp6erp6unp6enp6enp6enq6enp6erq6unq6erq6urq6urq6urq6urp6enp6enp6enp6enp6enp6enp6enp6ek='
import base64
a = base64.b64decode(s)
b = bytes([c ^ 0xCA for c in a]).decode()
l = [b[i*22:(i+1)*22] for i in range(11)]
l = '\n'.join(l)
print(l)
###################### # # # # ## # # ### # # ### ### ## # ## # ### # # ##### # ### #### # # # ## # ## # # ###### ########### # # # x# # ### # ########## ### # # # o ## ###################### DDDDDDRRUUURRDRRRRRDDLLLDDRRRRRRRRRRRUURR
~/Envs/Reverse/week9/droid/Sol.java
Use jasmin
to compile .dis
file
Decompile it to .java
Rewrite to python
from z3 import *
s = Solver()
x1 = Int('x1')
x2 = Int('x2')
x3 = Int('x3')
s.add(x1 * 5 + x2 * 4 + x3 * 4 == 11)
s.add(x1 * 4 + x2 * 5 + x3 * 4 == 8)
s.add(x1 * 4 + x2 * 4 + x3 * 5 == 7)
print(s.check())
m = s.model()
print(m[x1], m[x2], m[x3])
s = 'bpoctifh_t{tmkh_smowsllsfoe_smia_amsart_h\'i?ti_in}'
f = bytes(range(48, len(s) + 48))
print(f)
s = 'bpoctifh_t{tmkh_smowsllsfoe_smia_amsart_h\'i?ti_in}'
r = b'12A34=57?;6M8C<:09GJD@SFOBIE>HRPNLQYUV\\WK[T`_X]^Za'
r = [c - 48 for c in r]
res = [0 for _ in range(len(r))]
for (a, b) in zip(r, s):
res[a] = b
print(''.join(res))
Extract https://github.com/extremecoders-re/pyinstxtractor
Decompyle pyinstaller.pyc
import os
flag = b'(d=\x01eq\x0c8V1\x10\x03!\x0f 6c\x19fgS\x0f8*?<=%1rfa\x00\x0f\x11;'
res = b''
c = 0
# text = input('Insert flag to continue playing:\n').encode()
flagd = b'SPbCTF'
for i in flag:
res += bytes([i ^ flagd[(c % 6)]])
c += 1
print(flagd + res)
flag = '35x005x026x034x045x064x0b7x023x056x013x053x053x063x073x073x046x053x083x023x043x056x083x053x056x066x043x013x003x093x043x016x056x036x073x016x083x033x046x036x0d7x0'
def check(text):
global flag
res = ''
for i in text:
res += hex(int.from_bytes(i.encode(), 'big'))[::-1]
else:
print(res)
return flag == res
def dec():
return ''.join([chr(int(flag[i*4:(i + 1)*4][::-1][2:], 16)) for i in range(len(flag) // 4)])
if __name__ == '__main__':
# flagin = input('Enter your flag: \n')
# if check(flagin):
# print('[+] You win!')
# else:
# print('[-] You lose!')
print(dec())
~/Envs/Reverse/week9/Javatask/Main.java
import base64
flag = b'==Qf==QT==AN==gU==QO==AM==gU==AU==wX==AT==AN==Qb==gU==AM==gT==wX==AN==wX==wM==wS==QM==AT==wX==wN==wU==QV==gS==wX==wd==AM==wV==we==gR==AV==wQ==gY==AU==wU'
res = b''
text = input('Please enter the flag:\n')
for i in text:
res += base64.b64encode(i.encode())
else:
if flag == res[::-1]:
print('Flag is corect')
else:
print('Flag is incorect')
import base64
flag = b'==Qf==QT==AN==gU==QO==AM==gU==AU==wX==AT==AN==Qb==gU==AM==gT==wX==AN==wX==wM==wS==QM==AT==wX==wN==wU==QV==gS==wX==wd==AM==wV==we==gR==AV==wQ==gY==AU==wU'
print(b''.join(base64.b64decode(flag[::-1][i*4:(i+1)*4]) for i in range(len(flag)//4)))
key = [
"06fa567b72d78b7e3ea746973fbbd1d5",
"142ba1ee3860caecc3f86d7a03b5b175",
"54229abfcfa5649e7003b83dd4755294",
"8d2b901035fbd2df68a3b02940ff5196",
"727999d580f3708378e3d903ddfa246d",
"ea8a1a99f6c94c275a58dcd78f418c1f",
"c51ce410c124a10e0db5e4b97fc2af39",
"a5bfc9e07964f8dddeb95fc584cd965d"
]
from hashlib import md5
res = b''
for k in key:
f = False
for a in [b'0', b'1', b'2', b'3', b'4', b'5', b'6', b'7', b'8', b'9', b'A', b'B', b'C', b'D', b'E', b'F']:
for b in [b'0', b'1', b'2', b'3', b'4', b'5', b'6', b'7', b'8', b'9', b'A', b'B', b'C', b'D', b'E', b'F']:
if md5(a + b).hexdigest() == k:
f = True
res += a
res += b
break
if f:
break
print(res)
While fighting, only power is not enough
package com.hackbattle.task;
import android.content.Context;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.util.Base64;
import android.view.View;
import android.widget.EditText;
import android.widget.Toast;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
public class MainActivity extends AppCompatActivity {
private Class asd;
private Object qwe;
private Method zxc;
private static String b64e(String paramString) {
int i = 0;
byte[] arrayOfByte = Base64.decode(paramString, 0);
while (i < arrayOfByte.length) {
arrayOfByte[i] = (byte)(arrayOfByte[i] ^ 0xFF);
i++;
}
return new String(arrayOfByte);
}
public void checkPassword(View paramView) {
String str = ((EditText)findViewById(2131230774)).getText().toString();
try {
// Toast.makeText(getApplicationContext(), (String)this.zxc.invoke(this.qwe, new Object[] { str }), 1).show();
Toast.makeText(getApplicationContext(), this.qwe.b(new Object[] { str }), 1).show();
return;
} catch (IllegalAccessException illegalAccessException) {
illegalAccessException.printStackTrace();
return;
} catch (IllegalArgumentException illegalArgumentException) {
illegalArgumentException.printStackTrace();
return;
} catch (InvocationTargetException invocationTargetException) {
invocationTargetException.printStackTrace();
return;
}
}
protected void onCreate(Bundle paramBundle) {
super.onCreate(paramBundle);
setContentView(2131361820);
try {
// Decrypting jar
// InputStream inputStream = getAssets().open('file.bin');
// byte[] arrayOfByte = new byte[inputStream.available()];
// inputStream.read(arrayOfByte);
// for (int i = 0; i < arrayOfByte.length; i++)
// arrayOfByte[i] = (byte)(arrayOfByte[i] ^ 0xED);
// inputStream.close();
// File file = new File(getFilesDir(), 'file.jar');
// BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(new FileOutputStream(file));
// bufferedOutputStream.write(arrayOfByte);
// bufferedOutputStream.close();
// Class<?> clazz = Class.forName('dalvik.system.DexClassLoader');
// Constructor<?> constructor = clazz.getConstructor(new Class[] { String.class, String.class, String.class, ClassLoader.class });
// Object[] arrayOfObject = new Object[4];
// arrayOfObject[0] = file.getCanonicalPath();
// arrayOfObject[1] = getCacheDir().getCanonicalPath();
// arrayOfObject[3] = ClassLoader.getSystemClassLoader();
// file = (File)constructor.newInstance(arrayOfObject);
// this.asd = (Class)clazz.getMethod('loadClass', new Class[] { String.class }).invoke(file, new Object[] { 'com.example.password.C' });
this.asd = com.example.password.C.class;
// this.qwe = this.asd.newInstance();
this.qwe = new com.example.password.C;
// this.zxc = this.asd.getMethod("a", new Class[] { Context.class, int.class, int.class });
// this.zxc.invoke(this.qwe, new Object[] { getApplicationContext(), Integer.valueOf(2130837504), Integer.valueOf(2130837505) });
this.qwe.a(new Object[] { getApplicationContext(), Integer.valueOf(2130837504), Integer.valueOf(2130837505) })
// this.zxc = this.asd.getMethod("b", new Class[] { String.class });
this.zxc = com.example.password.C.b; // method
return;
} catch (IOException iOException) {
iOException.printStackTrace();
return;
} catch (ClassNotFoundException classNotFoundException) {
classNotFoundException.printStackTrace();
return;
} catch (NoSuchMethodException noSuchMethodException) {
noSuchMethodException.printStackTrace();
return;
} catch (IllegalAccessException illegalAccessException) {
illegalAccessException.printStackTrace();
return;
} catch (IllegalArgumentException illegalArgumentException) {
illegalArgumentException.printStackTrace();
return;
} catch (InvocationTargetException invocationTargetException) {
invocationTargetException.printStackTrace();
return;
} catch (InstantiationException instantiationException) {
instantiationException.printStackTrace();
return;
}
}
}
Call a
in C
instance then check using b
package com.example.password;
import android.content.Context;
public class C {
private A aa;
private String bb;
public void a(Context paramContext, int paramInt1 /* 2130837504 - Kappa */, int paramInt2 /* 2130837505 - Kek */) {
this.aa = new A();
this.aa.a(paramContext.getResources());
this.bb = "Android sup3r Green";
}
public String b(String paramString) {
return paramString.equals(this.bb) ? "Correct!" : "Wrong!";
}
}
public class A {
private Resources z;
public void a(Resources paramResources) {
this.z = paramResources;
}
public String[] b(int paramInt) {
return this.z.getStringArray(paramInt);
}
public int[] c(int paramInt) {
return this.z.getIntArray(paramInt);
}
}
package com.example.password;
import android.util.Base64;
public class B {
public static String a(String paramString) {
byte[] arrayOfByte = Base64.decode(paramString, 0);
for (int i = 0;; i++) {
if (i >= arrayOfByte.length)
return new String(arrayOfByte);
arrayOfByte[i] = (byte)(arrayOfByte[i] ^ 0xFF);
}
}
public static String b(String paramString1, String paramString2) {
return String.valueOf(paramString1) + " " + paramString2 + " Green";
}
}
<?xml version="1.0" encoding="utf-8"?>
<resources>
<integer-array name="Kappa">
<item>3</item>
<item>8</item>
</integer-array>
<string-array name="Kek">
<item>zcrPrQ==</item>
<item>paWtzsvPzw==</item>
<item>pcfPzw==</item>
<item>vpGbjZCWmw==</item>
<item>pafSya0=</item>
<item>pc7Pz88=</item>
<item>pafSzs8=</item>
<item>tLOnzs7P</item>
<item>jIqPzI0=</item>
<item>uq3SyZE=</item>
<item>qZqNjIaM</item>
</string-array>
</resources>