码迷,mamicode.com
首页 > 其他好文 > 详细

Hackergame 2019 - 献给最好的你 Writeup

时间:2019-11-01 20:41:02      阅读:158      评论:0      收藏:0      [点我收藏+]

标签:finish   try   title   rac   str1   对比   char   mic   encode   

  解包之后使用Java Decomplier GUI打开,在 com.hackergame.eternalEasterlyWind 里发现了端倪。

  代码如下:

@Metadata(bv = {1, 0, 3}, d1 = {"\000$\n\002\030\002\n\002\020\000\n\002\b\002\n\002\030\002\n\002\030\002\n\000\n\002\020\016\n\002\b\003\n\002\020\022\n\000\030\0002\0020\001B\005?\006\002\020\002J\024\020\003\032\b\022\004\022\0020\0050\0042\006\020\006\032\0020\007J\026\020\b\032\0020\0072\006\020\t\032\0020\0072\006\020\n\032\0020\013??\006\f"}, d2 = {"Lcom/hackergame/eternalEasterlyWind/data/LoginDataSource;", "", "()V", "login", "Lcom/hackergame/eternalEasterlyWind/data/Result;", "Lcom/hackergame/eternalEasterlyWind/data/model/LoggedInUser;", "password", "", "logout", "rawpassword", "flxg", "", "app_release"}, k = 1, mv = {1, 1, 15})
public final class LoginDataSource {
  public final Result<LoggedInUser> login(String paramString) {
    Intrinsics.checkParameterIsNotNull(paramString, "password");
    try {
      byte[] arrayOfByte = paramString.getBytes(Charsets.UTF_8);
      Intrinsics.checkExpressionValueIsNotNull(arrayOfByte, "(this as java.lang.String).getBytes(charset)");
      String str = Base64.encodeToString(arrayOfByte, 2);
      Intrinsics.checkExpressionValueIsNotNull(str, "password1String");
      CharIterator charIterator = StringsKt.iterator((CharSequence)str);
      str = "";
      Iterator iterator = (Iterator)charIterator;
      while (iterator.hasNext()) {
        char c2;
        char c1 = ((Character)iterator.next()).charValue();
        StringBuilder stringBuilder = new StringBuilder();
        this();
        stringBuilder.append(str);
        if (Character.isUpperCase(c1)) {
          char c = Character.toLowerCase(c1);
          c2 = c;
        } else {
          c2 = c1;
          if (Character.isLowerCase(c1)) {
            char c = Character.toUpperCase(c1);
            c2 = c;
          } 
        } 
        stringBuilder.append(c2);
        str = stringBuilder.toString();
      } 
      Log.d("pass1", str);
      LoginDataSource$login$1 loginDataSource$login$1 = LoginDataSource$login$1.INSTANCE;
      if (Intrinsics.areEqual(str, "AgfJA2vYz2fTztiWmtL3AxrOzNvUiq==")) {
        LoggedInUser loggedInUser = new LoggedInUser();
        String str1 = UUID.randomUUID().toString();
        Intrinsics.checkExpressionValueIsNotNull(str1, "java.util.UUID.randomUUID().toString()");
        byte[] arrayOfByte1 = loginDataSource$login$1.invoke(new int[] { 
              14, 13, 2, 12, 30, 30, 2, 0, 31, 11, 
              109, 81, 83, 8, 3, 54, 21, 6, 2, 39, 
              33, 104, 44, 62, 17, 14, 19, 23, 21, 18, 
              8, 24 });
        try {
          this(str1, logout(paramString, arrayOfByte1));
          Result.Success success = new Result.Success();
          this(loggedInUser);
          return (Result)success;
        } finally {}
      } else {
        Exception exception = new Exception();
        this("错误的密码");
        throw (Throwable)exception;
      } 
    } finally {}
    return (Result)new Result.Error((Exception)new IOException("Error logging in", paramString));
  }
  
  public final String logout(String paramString, byte[] paramArrayOfByte) {
    Intrinsics.checkParameterIsNotNull(paramString, "rawpassword");
    Intrinsics.checkParameterIsNotNull(paramArrayOfByte, "flxg");
    int i = paramArrayOfByte.length - 1;
    String str1 = "";
    String str2 = str1;
    if (i >= 0) {
      int j = 0;
      while (true) {
        char c = (char)(paramArrayOfByte[j] ^ paramString.charAt(j % paramString.length()));
        Log.d("pass2", String.valueOf(c));
        StringBuilder stringBuilder = new StringBuilder();
        stringBuilder.append(str1);
        stringBuilder.append(c);
        str1 = stringBuilder.toString();
        str2 = str1;
        if (j != i) {
          j++;
          continue;
        } 
        break;
      } 
    } 
    Log.d("pass2", str2);
    return str2;
  }
  
  @Metadata(bv = {1, 0, 3}, d1 = {"\000\022\n\000\n\002\020\022\n\000\n\002\020\025\n\002\020\b\n\000\020\000\032\0020\0012\n\020\002\032\0020\003\"\0020\004H\n?\006\002\b\005"}, d2 = {"byteArrayOfInts", "", "ints", "", "", "invoke"}, k = 3, mv = {1, 1, 15})
  static final class LoginDataSource$login$1 extends Lambda implements Function1<int[], byte[]> {
    public static final LoginDataSource$login$1 INSTANCE = new LoginDataSource$login$1();
    
    LoginDataSource$login$1() { super(1); }
    
    public final byte[] invoke(int... param1VarArgs) {
      Intrinsics.checkParameterIsNotNull(param1VarArgs, "ints");
      int i = param1VarArgs.length;
      byte[] arrayOfByte = new byte[i];
      for (byte b = 0; b < i; b++)
        arrayOfByte[b] = (byte)(byte)param1VarArgs[b]; 
      return arrayOfByte;
    }
  }
}

  代码首先将用户输入的字符串进行base64编码,再把得到的密文大小写转换一下,随后与字符串 AgfJA2vYz2fTztiWmtL3AxrOzNvUiq== 对比。

  转换字符串解码出来的是  hackergame2019withfun!

  然而这并不是最后的flag。在字符串对比之后还有一个logout函数,它利用数组 arrayOfByte1 对字符串进行异或运算。再计算一下,就可以拿到flag了。

 

# -*- coding:utf-8 -*-

#Works on Python 37_64

arr4y = [14, 13, 2, 12, 30, 30, 2, 0, 31, 11, 109, 81, 83, 8, 3, 54, 21, 6, 2, 39, 33, 104, 44, 62, 17, 14, 19, 23, 21, 18, 8, 24]
code = "hackergame2019withfun!"

for index, item in enumerate(arr4y):
  print(chr(ord(code[index % len(code)]) ^ item), end=‘‘)

‘‘‘
output:
"C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python37_64\python.exe" C:/Users/Adm1n/PycharmProjects/untitled/hello.py
flag{learn_ab1t_andROID_reverse}
Process finished with exit code 0
‘‘‘

 

Hackergame 2019 - 献给最好的你 Writeup

标签:finish   try   title   rac   str1   对比   char   mic   encode   

原文地址:https://www.cnblogs.com/Travelr/p/11779136.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!