XCTF Illusion wp
ndk(jni) 题。题目逻辑很简单,用户输入一个字符串,传递给 native checkFlag 函数验证。如果 encode 结果和预定义 ref 字符串相同就是 flag。
需要从 ref 反推输入。由于 encode 是逐字节独立变换的(每个输出字节只依赖同一位置的输入字节),可以逐位置打表/暴力破解。注意该变换不是单射:同一个位置可能有多个输入字节映射到同一个密文字节,所以与其建反向表再查,不如对每个位置直接枚举可打印字符、调用 encode 比对,再用"是否可打印"筛掉多余解。
我让 GPT 用 Python 复现了 encode 的逻辑。值得注意的是,IDA 的反编译结果不完整:调用处的传参与反编译出的函数原型对不上(传参不完整),这是反编译遗漏了部分逻辑的信号,需要回到汇编核对(没注意到这点就会被错误的伪代码带偏)。
第59天:攻防世界-Mobile-lllusion_攻防世界 illusion-CSDN博客
import string
from typing import Dict
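def do_encode(a1: int, const93: int = 93) -> int:
    """Truncating integer division ``a1 / const93`` as the native code computes it.

    Python re-implementation of the shift-and-subtract division routine
    recovered from the ``checkFlag`` native library: the divisor is scaled up
    by 16 and then by 2 until it reaches the dividend, after which four
    quotient bits are peeled off per iteration.  It is kept faithful to the
    binary instead of using ``//`` because Python's ``//`` rounds toward
    negative infinity while the native routine rounds toward zero (C
    semantics); the per-byte cipher table must match the binary exactly.

    Parameters:
        a1: dividend.  ``abs(a1)`` must fit in 32 bits, as in the original
            unsigned routine; larger magnitudes would produce a silently wrong
            quotient (the scaling loops are capped), so they are rejected.
        const93: divisor, 93 in the challenge.  Must be non-zero.

    Returns:
        ``a1 / const93`` rounded toward zero.

    Raises:
        ZeroDivisionError: if ``const93`` is 0 (the scaling loop would never
            terminate otherwise).
        ValueError: if ``abs(a1) >= 2**32``.
    """
    if const93 == 0:
        raise ZeroDivisionError("do_encode: division by zero")
    # The quotient is negative exactly when the operands' signs differ.
    negative = (a1 < 0) != (const93 < 0)
    dividend = -a1 if a1 < 0 else a1
    divisor = -const93 if const93 < 0 else const93
    if dividend >= 1 << 32:
        raise ValueError("do_encode: dividend magnitude must fit in 32 bits")

    quotient = 0
    if dividend >= divisor:
        bit = 1
        # Scale the divisor (and the matching quotient bit) up until it is at
        # least the dividend; the two caps mirror the 32-bit original and keep
        # the scaled divisor below 2**32, which is why dividends < 2**32 are
        # handled correctly and larger ones are not.
        while divisor < 0x10000000 and divisor < dividend:
            divisor <<= 4
            bit <<= 4
        while divisor < 0x80000000 and divisor < dividend:
            divisor <<= 1
            bit <<= 1
        # Restoring division, four quotient bits per round, walking the
        # scaled divisor back down to its original value.
        while True:
            for shift in range(4):
                if dividend >= divisor >> shift:
                    dividend -= divisor >> shift
                    quotient |= bit >> shift
            if dividend == 0:
                break
            bit >>= 4
            if bit == 0:
                break
            divisor >>= 4
    return -quotient if negative else quotient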
def create_c_char_cipher_map() -> Dict[int, int]:
    """Tabulate the per-byte cipher for every plausible intermediate value.

    The native ``encode`` transforms one byte at a time, so the whole step can
    be captured as a lookup table.  For each candidate ``c_char`` the table
    holds ``c_char - (c_char / 93) * 93 + 32`` with the division performed by
    :func:`do_encode` (truncating, C-style), i.e. the C remainder plus 32.

    The key range ``-0x40 .. 0x1FE`` is what the solver script below expects:
    it covers ``ord(p) + ord(key_char) - 0x40`` for printable ``p``.

    Returns:
        Mapping from intermediate byte value to its cipher byte.
    """
    first, last = -0x40, 2 * 0xFF
    return {
        value: value - do_encode(value, 93) * 93 + 32
        for value in range(first, last + 1)
    }
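def recover_plaintext(expected: str, sbox: str, cipher_map: Dict[int, int]) -> str:
    """Invert the per-byte cipher for ``expected`` using a precomputed table.

    For every output position the table is scanned for intermediate values
    that produce the expected cipher byte; each candidate is undone with
    ``c_char + 0x40 - ord(sbox[i])`` and the first candidate that yields a
    printable, non-control ASCII character is accepted.  Several table entries
    can share one cipher byte, which is why the printable filter is needed to
    pick the intended one.

    Parameters:
        expected: the reference ciphertext the native ``checkFlag`` compares
            against.
        sbox: per-position key string; must be at least as long as
            ``expected``.
        cipher_map: table from :func:`create_c_char_cipher_map` (intermediate
            value -> cipher byte).

    Returns:
        The recovered plaintext.  A position with no printable solution is
        rendered as ``'?'`` so the result keeps its alignment instead of
        silently shrinking.

    Raises:
        ValueError: if ``sbox`` is shorter than ``expected``.
    """
    if len(sbox) < len(expected):
        raise ValueError("sbox must be at least as long as expected")
    # digits + letters + punctuation + space: printable ASCII minus the
    # remaining whitespace controls (\t \n \r \x0b \x0c).
    allowed = set(string.digits + string.ascii_letters + string.punctuation + " ")
    recovered = []
    for i, ch in enumerate(expected):
        target = ord(ch)
        key = ord(sbox[i])
        found = "?"
        for c_char, cipher in cipher_map.items():
            if cipher != target:
                continue
            code = c_char + 0x40 - key
            # chr() only accepts 0 .. 0x10FFFF; out-of-range candidates are
            # not solutions, so test the range instead of catching the error.
            if 0 <= code < 0x110000 and chr(code) in allowed:
                found = chr(code)
                break
        recovered.append(found)
    return "".join(recovered)


if __name__ == "__main__":
    # Per-position key string used by the author's reconstruction of encode
    # (a JNI method descriptor as recovered from the binary).
    sbox = "(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String"
    cipher_map = create_c_char_cipher_map()
    print(cipher_map)
    expected = "Ku@'G_V9v(yGS"
    print(recover_plaintext(expected, sbox, cipher_map))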