![[SWPU2019] Android2](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230605/2817142-20220629091648352-1280585251.png)
![[SWPU2019] Android2](https://www.johngo689.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
![[SWPU2019] Android2](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230605/2817142-20220629091658439-1391112937.png)
![[SWPU2019] Android2](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230605/2817142-20220629091648439-1341827219.png)
![[SWPU2019] Android2](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230605/2817142-20220629091648491-1189964401.png)
有一个超长的线程延迟和永远为假的判断条件,应该就是要修改这两点。
使用apktool反编译apk之后,直接打开MainActivity.smali文件,找到 1000000000的16进制 <span class="ne-text">0x3b9aca00</span>
![[SWPU2019] Android2](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230605/2817142-20220629091658480-1839809128.png)
全部改完之后使用apktool重新打包并签名,安装到模拟器里
![[SWPU2019] Android2](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230605/2817142-20220629091648399-861853414.png)
这样在进入程序就会输出内容了,提示flag是之前的假flag的加密结果
![[SWPU2019] Android2](https://johngo-pic.oss-cn-beijing.aliyuncs.com/articles/20230605/2817142-20220629091658474-1985366881.png)
char *__fastcall decode(char *a1, int a2) { int i; // [xsp+10h] [xbp-10h] for ( i = 0; i < (unsigned __int64)strlen(a1); ++i ) { if ( (unsigned __int8)a1[i] < 0x41u || (unsigned __int8)a1[i] > 0x5Au ) { if ( (unsigned __int8)a1[i] >= 0x61u && (unsigned __int8)a1[i] 0x7Au ) a1[i] = ((unsigned __int8)a1[i] - 97 + a2) % 26 + 97; } else { a1[i] = ((unsigned __int8)a1[i] - 65 + a2) % 26 + 65; } } return a
不难发现,解密只针对了字母进行加密,符号和数字被排除在外了,而且大写字母只会变成大写字母,小写字母只会变成小写字母,但是有一个a2未知数在捣乱,需要利用26次循坏,每个结果挨个尝试才可以,代码如下:
s = "flag{WeLcome_to-SWPU}}"
for x in range(0,26):
for v in s:
if v >= "A" and v "Z":
v = chr(((ord(v) - 65) - x)%26 + 65)
if v >= "a" and v "z":
v = chr(((ord(v) - 97) - x)%26 + 97)
print(v,end="")
print()
得到的结果为:
flag{WeLcome_to-SWPU}}
ekzf{VdKbnld_sn-RVOT}}
djye{UcJamkc_rm-QUNS}}
cixd{TbIzljb_ql-PTMR}}
bhwc{SaHykia_pk-OSLQ}}
agvb{RzGxjhz_oj-NRKP}}
zfua{QyFwigy_ni-MQJO}}
yetz{PxEvhfx_mh-LPIN}}
xdsy{OwDugew_lg-KOHM}}
wcrx{NvCtfdv_kf-JNGL}}
vbqw{MuBsecu_je-IMFK}}
uapv{LtArdbt_id-HLEJ}}
tzou{KsZqcas_hc-GKDI}}
synt{JrYpbzr_gb-FJCH}}
rxms{IqXoayq_fa-EIBG}}
qwlr{HpWnzxp_ez-DHAF}}
pvkq{GoVmywo_dy-CGZE}}
oujp{FnUlxvn_cx-BFYD}}
ntio{EmTkwum_bw-AEXC}}
mshn{DlSjvtl_av-ZDWB}}
lrgm{CkRiusk_zu-YCVA}}
kqfl{BjQhtrj_yt-XBUZ}}
jpek{AiPgsqi_xs-WATY}}
iodj{ZhOfrph_wr-VZSX}}
hnci{YgNeqog_vq-UYRW}}
gmbh{XfMdpnf_up-TXQV}}
用flag{}包裹之后挨个提交尝试之后, 竟然都不正确!!!!
那么我就将前面的都改成flag,又尝试了一次, 还是不对!!!!
最后再删除一个 <span class="ne-text">}</span>符号,终于找到了结果为 <span class="ne-text">flag{BjQhtrj_yt-XBUZ}</span>,由 <span class="ne-text">kqfl{BjQhtrj_yt-XBUZ}}</span>变换而来
Original: https://www.cnblogs.com/WXjzc/p/16098024.html
Author: WXjzc
Title: [SWPU2019] Android2
原创文章受到原创版权保护。转载请注明出处:https://www.johngo689.com/601173/
转载文章受原作者版权保护。转载请注明原作者出处!