Hackergame 2019 - 献给最好的你 Writeup

Posted travelr

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Hackergame 2019 - 献给最好的你 Writeup相关的知识,希望对你有一定的参考价值。

  解包之后使用Java Decomplier GUI打开,在 com.hackergame.eternalEasterlyWind 里发现了端倪。

  代码如下:

@Metadata(bv = {1, 0, 3}, d1 = {"00$
023002
022000
0202
023002
023002
00
022016
0203
022022
003000202001B05?06022002J242003322204220200500420620063202007J2620320200720620	320200720620
3202013??06f"}, d2 = {"Lcom/hackergame/eternalEasterlyWind/data/LoginDataSource;", "", "()V", "login", "Lcom/hackergame/eternalEasterlyWind/data/Result;", "Lcom/hackergame/eternalEasterlyWind/data/model/LoggedInUser;", "password", "", "logout", "rawpassword", "flxg", "", "app_release"}, k = 1, mv = {1, 1, 15})
public final class LoginDataSource {
  public final Result<LoggedInUser> login(String paramString) {
    Intrinsics.checkParameterIsNotNull(paramString, "password");
    try {
      byte[] arrayOfByte = paramString.getBytes(Charsets.UTF_8);
      Intrinsics.checkExpressionValueIsNotNull(arrayOfByte, "(this as java.lang.String).getBytes(charset)");
      String str = Base64.encodeToString(arrayOfByte, 2);
      Intrinsics.checkExpressionValueIsNotNull(str, "password1String");
      CharIterator charIterator = StringsKt.iterator((CharSequence)str);
      str = "";
      Iterator iterator = (Iterator)charIterator;
      while (iterator.hasNext()) {
        char c2;
        char c1 = ((Character)iterator.next()).charValue();
        StringBuilder stringBuilder = new StringBuilder();
        this();
        stringBuilder.append(str);
        if (Character.isUpperCase(c1)) {
          char c = Character.toLowerCase(c1);
          c2 = c;
        } else {
          c2 = c1;
          if (Character.isLowerCase(c1)) {
            char c = Character.toUpperCase(c1);
            c2 = c;
          } 
        } 
        stringBuilder.append(c2);
        str = stringBuilder.toString();
      } 
      Log.d("pass1", str);
      LoginDataSource$login$1 loginDataSource$login$1 = LoginDataSource$login$1.INSTANCE;
      if (Intrinsics.areEqual(str, "AgfJA2vYz2fTztiWmtL3AxrOzNvUiq==")) {
        LoggedInUser loggedInUser = new LoggedInUser();
        String str1 = UUID.randomUUID().toString();
        Intrinsics.checkExpressionValueIsNotNull(str1, "java.util.UUID.randomUUID().toString()");
        byte[] arrayOfByte1 = loginDataSource$login$1.invoke(new int[] { 
              14, 13, 2, 12, 30, 30, 2, 0, 31, 11, 
              109, 81, 83, 8, 3, 54, 21, 6, 2, 39, 
              33, 104, 44, 62, 17, 14, 19, 23, 21, 18, 
              8, 24 });
        try {
          this(str1, logout(paramString, arrayOfByte1));
          Result.Success success = new Result.Success();
          this(loggedInUser);
          return (Result)success;
        } finally {}
      } else {
        Exception exception = new Exception();
        this("错误的密码");
        throw (Throwable)exception;
      } 
    } finally {}
    return (Result)new Result.Error((Exception)new IOException("Error logging in", paramString));
  }
  
  public final String logout(String paramString, byte[] paramArrayOfByte) {
    Intrinsics.checkParameterIsNotNull(paramString, "rawpassword");
    Intrinsics.checkParameterIsNotNull(paramArrayOfByte, "flxg");
    int i = paramArrayOfByte.length - 1;
    String str1 = "";
    String str2 = str1;
    if (i >= 0) {
      int j = 0;
      while (true) {
        char c = (char)(paramArrayOfByte[j] ^ paramString.charAt(j % paramString.length()));
        Log.d("pass2", String.valueOf(c));
        StringBuilder stringBuilder = new StringBuilder();
        stringBuilder.append(str1);
        stringBuilder.append(c);
        str1 = stringBuilder.toString();
        str2 = str1;
        if (j != i) {
          j++;
          continue;
        } 
        break;
      } 
    } 
    Log.d("pass2", str2);
    return str2;
  }
  
  @Metadata(bv = {1, 0, 3}, d1 = {"0022
00
022022
00
022025
0220
00200032020012
20023202003"02004H
?060205"}, d2 = {"byteArrayOfInts", "", "ints", "", "", "invoke"}, k = 3, mv = {1, 1, 15})
  static final class LoginDataSource$login$1 extends Lambda implements Function1<int[], byte[]> {
    public static final LoginDataSource$login$1 INSTANCE = new LoginDataSource$login$1();
    
    LoginDataSource$login$1() { super(1); }
    
    public final byte[] invoke(int... param1VarArgs) {
      Intrinsics.checkParameterIsNotNull(param1VarArgs, "ints");
      int i = param1VarArgs.length;
      byte[] arrayOfByte = new byte[i];
      for (byte b = 0; b < i; b++)
        arrayOfByte[b] = (byte)(byte)param1VarArgs[b]; 
      return arrayOfByte;
    }
  }
}

  代码首先将用户输入的字符串进行base64编码,再把得到的密文大小写转换一下,随后与字符串 AgfJA2vYz2fTztiWmtL3AxrOzNvUiq== 对比。

  转换字符串解码出来的是  hackergame2019withfun!

  然而这并不是最后的flag。在字符串对比之后还有一个logout函数,它利用数组 arrayOfByte1 对字符串进行异或运算。再计算一下,就可以拿到flag了。

 

# -*- coding:utf-8 -*-

#Works on Python 37_64

arr4y = [14, 13, 2, 12, 30, 30, 2, 0, 31, 11, 109, 81, 83, 8, 3, 54, 21, 6, 2, 39, 33, 104, 44, 62, 17, 14, 19, 23, 21, 18, 8, 24]
code = "hackergame2019withfun!"

for index, item in enumerate(arr4y):
  print(chr(ord(code[index % len(code)]) ^ item), end=‘‘)

‘‘‘
output:
"C:Program Files (x86)Microsoft Visual StudiosharedPython37_64python.exe" C:/Users/Adm1n/PycharmProjects/untitled/hello.py
flag{learn_ab1t_android_reverse}
Process finished with exit code 0
‘‘‘

 

以上是关于Hackergame 2019 - 献给最好的你 Writeup的主要内容,如果未能解决你的问题,请参考以下文章

ReLief 献给最亲爱的你怎么设置中文

2019Hackergame-Shell骇客

献给初学编程的你

一款安卓工具集献给初入安卓开发的你

一款安卓工具集献给初入安卓开发的你

一款安卓工具集献给初入安卓开发的你