前两道wp来自于一位强大的师傅,她特意叮嘱不署名,在此表示感谢!十分感谢
a.打开题目后
b.看到此提示后,需要把显示出来的base64编码解码
a.随便输入后,给了无关的提示,需要动用反编译工具jeb
public void onClick(View arg11) {
int v0 = 18;
int[] v1 = new int[]{
74, 6, 81, 0x2F, 0x7F, 22, 105, 42, 87, 19, 120, 58, 83, 8, 97, 11, 0x74, 0x7D};
int[] v2 = new int[]{
42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42};
String v3 = MainActivity.this.text.getText().toString().trim();
String v5 = "不要调皮,应该好好输入";
if(TextUtils.isEmpty(((CharSequence)v3))) {
Toast.makeText(MainActivity.this, ((CharSequence)v5), 0).show();
}
else if(v3.length() == v0) {
char[] v0_1 = v3.toCharArray();
int v4;
for(v4 = 0; true; ++v4) {
int v7 = 17;
if(v4 >= v7) {
break;
}
v2[v4] = v4 % 2 == 0 ? v0_1[v4] ^ v4 : v0_1[v4] ^ v0_1[v4 + 1];
}
for(v4 = 0; v4 < v7; ++v4) {
if(v2[v4] != v1[v4]) {
Toast.makeText(MainActivity.this, ((CharSequence)v5), 0).show();
}
else if(v4 < 16) {
}
else {
Toast.makeText(MainActivity.this, "恭喜你,拿到flag", 0).show();
}
}
}
else {
Toast.makeText(MainActivity.this, "好好加油,再接再厉", 0).show();
}
}
}
分析了一下主要代码: v2[v4] = v4 % 2 == 0 ? v0_1[v4] ^ v4 : v0_1[v4] ^ v0_1[v4 + 1];
也就是把flag的偶数位异或 自己的位数,奇数位异或 下一位,然后异或后得出一个数组,按照思路利用已知数组反推回去即可。
接下来上代码:
public class wp {
public static void main(String[] args) {
int[]e= {
74,6,81,47,127,22,105,42,87,19,120,58,83,8,97,11,116,125};
for (int i = 0; i < 17; i++) {
int n = i % 2;
if (n == 0) {
e[i] = e[i] ^ i;
}
}
for (int i = 0; i < 17; i++) {
int n = i % 2;
if (n != 0) {
e[i] = e[i] ^e[i+1] ;
}
}
for (int i = 0; i < 18; i++) {
System.out.print(((char)e[i]));
}
}
}
运行结果如下:
得到flag:JUST{you_are_good}
a.
直接上工具吧,没啥好说的
b.分析代码可知用flag做了base64编码后,然后把密文进行位置互换,所以我们只需要把密文位置换回去,然后进行解密即可。
c.换位代码
int[] c = {
'v','t','v','h','J','b','1','C','r','O','1','S','B','A','x','T','j','B','3','C','v','O','2','S','v','5','z','x','n','5','3','g','Z','L','x','T','n','F','1','x','b','I','0','t','Z','Z','s','B'};
for (int i = 47; i>=2; i--) {
int temp = c[i - 2];
c[i - 2] = c[i];
c[i] = temp;
}
换位后为sBvtvhJb1CrO1SBAxTjB3CvO2Sv5zxn53gZLxTnF1xbI0tZZ
d.base64表被换位了,所以直接上网搜索自定义base64,随便找个自定义base64 的decode函数然后把表换了即可
首先把base64表写出
public final static char[] base64_alphabet = new char[]{
'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', '0', 'z', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '/', '+', '='};
public static String decode(String enContent) {
byte[] data = enContent.getBytes();
int i = 0, j = 0, enCode = 0;
int mLength = data.length;
byte[] char_array_4 = new byte[4];
byte[] char_array_3 = new byte[3];
String retContent = "";
// filter out the padding '=' chars
while (mLength > 0 && (((char) data[enCode]) != '=') && isBase64((char) data[enCode])) {
mLength--;
char_array_4[i++] = data[enCode++];
if (i == 4) {
for (i = 0; i < 4; i++)
char_array_4[i] = findChar((char) char_array_4[i]);
char_array_3[0] = (byte) ((char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4));
char_array_3[1] = (byte) (((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2));
char_array_3[2] = (byte) (((char_array_4[2] & 0x3) << 6) + char_array_4[3]);
for (i = 0; (i < 3); i++)
retContent += (char) char_array_3[i];
i = 0;
}
}
// last content handling
if (i > 0) {
for (j = i; j < 4; j++)
char_array_4[j] = 0;
for (j = 0; j < 4; j++)
char_array_4[j] = findChar((char) char_array_4[j]);
char_array_3[0] = (byte) ((char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4));
char_array_3[1] = (byte) (((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2));
char_array_3[2] = (byte) (((char_array_4[2] & 0x3) << 6) + char_array_4[3]);
for (j = 0; (j < i - 1); j++)
retContent += (char) char_array_3[j];
}
return retContent;
}
主函数里写出
String d="sBvtvhJb1CrO1SBAxTjB3CvO2Sv5zxn53gZLxTnF1xbI0tZZ";
String e=base64.decode(d);
System.out.println(e);
得出flag
JUST{Android_reverse_is_too_simple?}
在这里呢,贴一下一个完整的自定义base64代码,需要的自取
public class base64 {
public final static char[] base64_alphabet = new char[]{
'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's',
't', 'u', 'v', 'w', 'x', 'y', '0','z', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B',
'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U',
'V', 'W', 'X', 'Y', 'Z', '/','+', '='};
public static String encode(String content) {
byte[] data = content.getBytes();
int length = data.length;
byte[] char_array_3 = new byte[]{
0, 0, 0};
byte[] char_array_4 = new byte[]{
'=', '=', '=', '='};
String retContent = "";
int i = 0;
int j = 0;
int reversePos = 0;
while (length > 0) {
length--;
char_array_3[i++] = data[reversePos++];
if (i == 3) {
char_array_4[0] = (byte) ((char_array_3[0] & 0xfc) >> 2); // convert the char
char_array_4[1] = (byte) (((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4));
char_array_4[2] = (byte) (((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6));
char_array_4[3] = (byte) (char_array_3[2] & 0x3f);
for (i = 0; (i < 4); i++)
retContent += base64_alphabet[char_array_4[i]];
i = 0;
}
}
// handling the last input content
if (i > 0) {
for (j = i; j < 3; j++)
char_array_3[j] = 0; // padding of zero
char_array_4[0] = (byte) ((char_array_3[0] & 0xfc) >> 2); // right shift
char_array_4[1] = (byte) (((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4));
char_array_4[2] = (byte) (((char_array_3[1] & 0x0f) << 2) + ((char_array_3[2] & 0xc0) >> 6));
char_array_4[3] = (byte) (char_array_3[2] & 0x3f);
for (j = 0; (j < i + 1); j++)
retContent += base64_alphabet[char_array_4[j]];
while ((i++ < 3)) // padding of '=' of output string
retContent += '=';
}
return retContent;
}
public static String decode(String enContent) {
byte[] data = enContent.getBytes();
int i = 0, j = 0, enCode = 0;
int mLength = data.length;
byte[] char_array_4 = new byte[4];
byte[] char_array_3 = new byte[3];
String retContent = "";
// filter out the padding '=' chars
while (mLength > 0 && (((char) data[enCode]) != '=') && isBase64((char) data[enCode])) {
mLength--;
char_array_4[i++] = data[enCode++];
if (i == 4) {
for (i = 0; i < 4; i++)
char_array_4[i] = findChar((char) char_array_4[i]);
char_array_3[0] = (byte) ((char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4));
char_array_3[1] = (byte) (((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2));
char_array_3[2] = (byte) (((char_array_4[2] & 0x3) << 6) + char_array_4[3]);
for (i = 0; (i < 3); i++)
retContent += (char) char_array_3[i];
i = 0;
}
}
// last content handling
if (i > 0) {
for (j = i; j < 4; j++)
char_array_4[j] = 0;
for (j = 0; j < 4; j++)
char_array_4[j] = findChar((char) char_array_4[j]);
char_array_3[0] = (byte) ((char_array_4[0] << 2) + ((char_array_4[1] & 0x30) >> 4));
char_array_3[1] = (byte) (((char_array_4[1] & 0xf) << 4) + ((char_array_4[2] & 0x3c) >> 2));
char_array_3[2] = (byte) (((char_array_4[2] & 0x3) << 6) + char_array_4[3]);
for (j = 0; (j < i - 1); j++)
retContent += (char) char_array_3[j];
}
return retContent;
}
public static boolean isBase64(char c) {
boolean base64 = false;
for (int i = 0; i < 64; i++) {
if (c == base64_alphabet[i]) {
base64 = true;
break;
}
}
return base64;
}
public static byte findChar(char x) {
byte index = 64; // 65th char '='
for (int i = 0; i < 64; i++) {
if (x == base64_alphabet[i]) {
index = (byte) i;
break;
}
}
return index;
}