Skip to content

Latest commit

 

History

History
423 lines (343 loc) · 11.5 KB

README.org

File metadata and controls

423 lines (343 loc) · 11.5 KB

Week 9

droid

s = '6enp6enp6enp6enp6enp6enp6enp6eml6urq6unq6erp6urq6urq6urq6enp6unq6enp6unq6erp6enq6enp6unp6erp6erq6urq6urq6urq6urp6unp6enq6erq6unp6enp6unq6enp6unp6enp6unq6erq6urq6unp6urq6erq6unp6erp6unp6enp6erp6enp6enp6enp6enq6urp6urq6urq6urq6urq6erqsunp6unp6erp6unp6enp6enp6enq6enp6erq6unq6erq6urq6urq6urq6urp6enp6enp6enp6enp6enp6enp6enp6ek='

import base64

a = base64.b64decode(s)
b = bytes([c ^ 0xCA for c in a]).decode()

l = [b[i*22:(i+1)*22] for i in range(11)]
l = '\n'.join(l)
print(l)

######################
#     # # #         ##
# # ### # # ### ### ##
# ##             # ###
# #   ##### # ### ####
# # #      ##   #   ##
# # ###### ###########
#   #            #  x#
# ### # ########## ###
#   # #           o ##
######################

DDDDDDRRUUURRDRRRRRDDLLLDDRRRRRRRRRRRUURR

~/Envs/Reverse/week9/droid/Sol.java

Qwe

Use jasmin to compile .dis file

Decompile it to .java

Rewrite to python

from z3 import *

s = Solver()

x1 = Int('x1')
x2 = Int('x2')
x3 = Int('x3')

s.add(x1 * 5 + x2 * 4 + x3 * 4 == 11)
s.add(x1 * 4 + x2 * 5 + x3 * 4 == 8)
s.add(x1 * 4 + x2 * 4 + x3 * 5 == 7)

print(s.check())

m = s.model()

print(m[x1], m[x2], m[x3])

The Reshuffler

s = 'bpoctifh_t{tmkh_smowsllsfoe_smia_amsart_h\'i?ti_in}'
f = bytes(range(48, len(s) + 48))
print(f)
s = 'bpoctifh_t{tmkh_smowsllsfoe_smia_amsart_h\'i?ti_in}'
r = b'12A34=57?;6M8C<:09GJD@SFOBIE>HRPNLQYUV\\WK[T`_X]^Za'
r = [c - 48 for c in r]
res = [0 for _ in range(len(r))]
for (a, b) in zip(r, s):
    res[a] = b
print(''.join(res))

Elfstaller

Extract https://github.com/extremecoders-re/pyinstxtractor Decompyle pyinstaller.pyc

import os
flag = b'(d=\x01eq\x0c8V1\x10\x03!\x0f 6c\x19fgS\x0f8*?<=%1rfa\x00\x0f\x11;'
res = b''
c = 0
# text = input('Insert flag to continue playing:\n').encode()
flagd = b'SPbCTF'
for i in flag:
    res += bytes([i ^ flagd[(c % 6)]])
    c += 1
print(flagd + res)

Pytask

flag = '35x005x026x034x045x064x0b7x023x056x013x053x053x063x073x073x046x053x083x023x043x056x083x053x056x066x043x013x003x093x043x016x056x036x073x016x083x033x046x036x0d7x0'

def check(text):
    global flag
    res = ''
    for i in text:
        res += hex(int.from_bytes(i.encode(), 'big'))[::-1]
    else:
        print(res)
        return flag == res

def dec():
    return ''.join([chr(int(flag[i*4:(i + 1)*4][::-1][2:], 16)) for i in range(len(flag) // 4)])


if __name__ == '__main__':
    # flagin = input('Enter your flag: \n')
    # if check(flagin):
    #     print('[+] You win!')
    # else:
    #     print('[-] You lose!')
    print(dec())

Javatask

~/Envs/Reverse/week9/Javatask/Main.java

Winstaller

import base64
flag = b'==Qf==QT==AN==gU==QO==AM==gU==AU==wX==AT==AN==Qb==gU==AM==gT==wX==AN==wX==wM==wS==QM==AT==wX==wN==wU==QV==gS==wX==wd==AM==wV==we==gR==AV==wQ==gY==AU==wU'
res = b''
text = input('Please enter the flag:\n')
for i in text:
    res += base64.b64encode(i.encode())
else:
    if flag == res[::-1]:
        print('Flag is corect')
    else:
        print('Flag is incorect')
import base64
flag = b'==Qf==QT==AN==gU==QO==AM==gU==AU==wX==AT==AN==Qb==gU==AM==gT==wX==AN==wX==wM==wS==QM==AT==wX==wN==wU==QV==gS==wX==wd==AM==wV==we==gR==AV==wQ==gY==AU==wU'

print(b''.join(base64.b64decode(flag[::-1][i*4:(i+1)*4]) for i in range(len(flag)//4)))

Klingon

key = [  
    "06fa567b72d78b7e3ea746973fbbd1d5",
    "142ba1ee3860caecc3f86d7a03b5b175",
    "54229abfcfa5649e7003b83dd4755294",
    "8d2b901035fbd2df68a3b02940ff5196",
    "727999d580f3708378e3d903ddfa246d",
    "ea8a1a99f6c94c275a58dcd78f418c1f",
    "c51ce410c124a10e0db5e4b97fc2af39",
    "a5bfc9e07964f8dddeb95fc584cd965d"
]

from hashlib import md5

res = b''

for k in key:
    f = False
    for a in [b'0', b'1', b'2', b'3', b'4', b'5', b'6', b'7', b'8', b'9', b'A', b'B', b'C', b'D', b'E', b'F']:
        for b in [b'0', b'1', b'2', b'3', b'4', b'5', b'6', b'7', b'8', b'9', b'A', b'B', b'C', b'D', b'E', b'F']:
            if md5(a + b).hexdigest() == k:
                f = True
                res += a
                res += b
                
                break
        if f:
            break
print(res)

While fighting, only power is not enough

Battle

package com.hackbattle.task;

import android.content.Context;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.util.Base64;
import android.view.View;
import android.widget.EditText;
import android.widget.Toast;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public class MainActivity extends AppCompatActivity {
  private Class asd;
  
  private Object qwe;
  
  private Method zxc;
  
  private static String b64e(String paramString) {
    int i = 0;
    byte[] arrayOfByte = Base64.decode(paramString, 0);
    while (i < arrayOfByte.length) {
      arrayOfByte[i] = (byte)(arrayOfByte[i] ^ 0xFF);
      i++;
    } 
    return new String(arrayOfByte);
  }
  
  public void checkPassword(View paramView) {
    String str = ((EditText)findViewById(2131230774)).getText().toString();
    try {
      // Toast.makeText(getApplicationContext(), (String)this.zxc.invoke(this.qwe, new Object[] { str }), 1).show();
	    Toast.makeText(getApplicationContext(), this.qwe.b(new Object[] { str }), 1).show();
      return;
    } catch (IllegalAccessException illegalAccessException) {
      illegalAccessException.printStackTrace();
      return;
    } catch (IllegalArgumentException illegalArgumentException) {
      illegalArgumentException.printStackTrace();
      return;
    } catch (InvocationTargetException invocationTargetException) {
      invocationTargetException.printStackTrace();
      return;
    } 
  }
  
  protected void onCreate(Bundle paramBundle) {
    super.onCreate(paramBundle);
    setContentView(2131361820);
    try {
	    // Decrypting jar
      // InputStream inputStream = getAssets().open('file.bin');
      // byte[] arrayOfByte = new byte[inputStream.available()];
      // inputStream.read(arrayOfByte);
      // for (int i = 0; i < arrayOfByte.length; i++)
      //   arrayOfByte[i] = (byte)(arrayOfByte[i] ^ 0xED); 
      // inputStream.close();
      // File file = new File(getFilesDir(), 'file.jar');
      // BufferedOutputStream bufferedOutputStream = new BufferedOutputStream(new FileOutputStream(file));
      // bufferedOutputStream.write(arrayOfByte);
      // bufferedOutputStream.close();



      // Class<?> clazz = Class.forName('dalvik.system.DexClassLoader');
      // Constructor<?> constructor = clazz.getConstructor(new Class[] { String.class, String.class, String.class, ClassLoader.class });
      // Object[] arrayOfObject = new Object[4];
      // arrayOfObject[0] = file.getCanonicalPath();
      // arrayOfObject[1] = getCacheDir().getCanonicalPath();
      // arrayOfObject[3] = ClassLoader.getSystemClassLoader();
      // file = (File)constructor.newInstance(arrayOfObject);
      // this.asd = (Class)clazz.getMethod('loadClass', new Class[] { String.class }).invoke(file, new Object[] { 'com.example.password.C' });

      this.asd = com.example.password.C.class;


      // this.qwe = this.asd.newInstance();
      this.qwe = new com.example.password.C;


      // this.zxc = this.asd.getMethod("a", new Class[] { Context.class, int.class, int.class });
      // this.zxc.invoke(this.qwe, new Object[] { getApplicationContext(), Integer.valueOf(2130837504), Integer.valueOf(2130837505) });
      this.qwe.a(new Object[] { getApplicationContext(), Integer.valueOf(2130837504), Integer.valueOf(2130837505) })

      // this.zxc = this.asd.getMethod("b", new Class[] { String.class });
	      this.zxc = com.example.password.C.b; // method
      return;
    } catch (IOException iOException) {
      iOException.printStackTrace();
      return;
    } catch (ClassNotFoundException classNotFoundException) {
      classNotFoundException.printStackTrace();
      return;
    } catch (NoSuchMethodException noSuchMethodException) {
      noSuchMethodException.printStackTrace();
      return;
    } catch (IllegalAccessException illegalAccessException) {
      illegalAccessException.printStackTrace();
      return;
    } catch (IllegalArgumentException illegalArgumentException) {
      illegalArgumentException.printStackTrace();
      return;
    } catch (InvocationTargetException invocationTargetException) {
      invocationTargetException.printStackTrace();
      return;
    } catch (InstantiationException instantiationException) {
      instantiationException.printStackTrace();
      return;
    } 
  }
}

Call a in C instance then check using b

package com.example.password;

import android.content.Context;

public class C {
  private A aa;
  
  private String bb;
  
  public void a(Context paramContext, int paramInt1 /* 2130837504 - Kappa */, int paramInt2 /* 2130837505 - Kek */) {
    this.aa = new A();
    this.aa.a(paramContext.getResources());
    this.bb = "Android sup3r Green";
  }
  
  public String b(String paramString) {
    return paramString.equals(this.bb) ? "Correct!" : "Wrong!";
  }
}

public class A {
  private Resources z;
  
  public void a(Resources paramResources) {
    this.z = paramResources;
  }
  
  public String[] b(int paramInt) {
    return this.z.getStringArray(paramInt);
  }
  
  public int[] c(int paramInt) {
    return this.z.getIntArray(paramInt);
  }
}
package com.example.password;

import android.util.Base64;

public class B {
  public static String a(String paramString) {
    byte[] arrayOfByte = Base64.decode(paramString, 0);
    for (int i = 0;; i++) {
      if (i >= arrayOfByte.length)
        return new String(arrayOfByte); 
      arrayOfByte[i] = (byte)(arrayOfByte[i] ^ 0xFF);
    } 
  }
  
  public static String b(String paramString1, String paramString2) {
    return String.valueOf(paramString1) + " " + paramString2 + " Green";
  }
}
<?xml version="1.0" encoding="utf-8"?>
<resources>
    <integer-array name="Kappa">
        <item>3</item>
        <item>8</item>
    </integer-array>
    <string-array name="Kek">
        <item>zcrPrQ==</item>
        <item>paWtzsvPzw==</item>
        <item>pcfPzw==</item>
        <item>vpGbjZCWmw==</item>
        <item>pafSya0=</item>
        <item>pc7Pz88=</item>
        <item>pafSzs8=</item>
        <item>tLOnzs7P</item>
        <item>jIqPzI0=</item>
        <item>uq3SyZE=</item>
        <item>qZqNjIaM</item>
    </string-array>
</resources>