解压出apps__UNI__14D1880\www\app-service.js
主要逻辑在这
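f["encrypt"](c) 调用的是一个类似 ChaCha 的加密函数：从下面的脚本可以看出，常量 _sigma 就是 "expand 32-byte k"，轮数为 20，初始状态由 4 个常量字、8 个密钥字、1 个计数器字和 3 个 nonce 字组成。ChaCha 是流密码，加密和解密都是把数据与同一段密钥流异或；脚本里的 key、iv 和计数器又都是固定值，所以依葫芦画瓢重新生成密钥流即可解密。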
# Re-creation of the ChaCha-style cipher state taken from app-service.js.
# The page collapsed this script onto a single line; only line breaks,
# indentation and comments are added here.

# 12-entry nonce and 32-entry key that seed the state.
# NOTE(review): key 0..31, a nonce whose only non-zero byte is 74 (0x4a) at
# index 7, and a block counter of 1 look like the ChaCha20 encryption example
# from RFC 8439 — confirm these are the values the app really uses. If they
# are, the key and nonce are fixed constants shipped with the client, so the
# cipher provides obfuscation rather than confidentiality.
iv = [0, 0, 0, 0, 0, 0, 0, 74, 0, 0, 0, 0]
key = [_ for _ in range(32)]


def _get32(t, e):
    """Combine t[e], t[e+1], t[e+2], t[e+3] into one word, lowest byte first.

    `<<` binds tighter than `^`, so the four shifted entries are XORed
    together; that is the same as a little-endian 32-bit load as long as
    every entry is in 0..255 (true for the `key` and `iv` lists above).
    """
    return t[e] ^ t[e+1] << 8 ^ t[e+2] << 16 ^ t[e+3] << 24


# Block counter placed in state word 12.
n = 1
# Not referenced in the visible part of the script; presumably the number of
# rounds run by the block function — confirm against the full listing.
_rounds = 20
# The four constant words; as little-endian ASCII they spell
# "expand 32-byte k" (0x61707865, 0x3320646e, 0x79622d32, 0x6b206574).
_sigma = [1634760805, 857760878, 2036477234, 1797285236]
# 16-word initial state: 4 constants, 8 key words, the counter, 3 nonce words.
_param = [_sigma[0], _sigma[1], _sigma[2], _sigma[3], _get32(key, 0), _get32(key, 4), _get32(key, 8), _get32(key, 12), _get32(key, 16), _get32(key, 20), _get32(key, 24), _get32(key, 28), n, _get32(iv, 0), _get32(iv, 4), _get32(iv, 8)]
# Zero-filled buffer; presumably receives the generated keystream bytes
# (its use is not visible in this excerpt).
_keystream = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
# Presumably the read position inside _keystream — not used in the visible part.
_byteCounter = 0


def _rotl(num, e):
    """Rotate num left by e bits and keep the low 32 bits.

    `32 - e` is evaluated before the shifts. The result is a true 32-bit
    rotation only when num already fits in 32 bits.
    """
    return (num << e | num >> 32 - e) & 0xffffffff


def _quarterround(t, e, n, r, o):
    # Debug output: dumps the whole state list on every call.
    print(t)
    # 32-bit wrapping add: t[e] = (t[e] + t[n]) mod 2**32.
    t[e] += t[n]
    t[e] &= 0xffffffff
    # The page cuts the listing off in the middle of the next statement;
    # the rest of _quarterround is not shown.
    t[o
从 capp.apk 中提取出 app.exe，把 IDA F5 反编译得到的伪代码复制出来另存为 cpp 文件，再编译成 exe，方便在 Windows 上调试（从伪代码注释里的 w0、xsp 来看，原程序应为 AArch64，无法直接在 Windows 上运行）。
#define _CRT_SECURE_NO_WARNINGS#include <cstdio>#include <cstdlib>unsigned char input[38] = { 0 };unsigned char ctr = 0;char my_getchar() {return input[ctr++];}int main(int argc, const char** argv, const char** envp){int result; // w0long long v4; // [xsp+0h] [xbp+0h] BYREFint* v5; // [xsp+20h] [xbp+20h]long long v6; // [xsp+28h] [xbp+28h]int v7; // [xsp+34h] [xbp+34h]int i; // [xsp+38h] [xbp+38h]int j; // [xsp+3Ch] [xbp+3Ch]v7 = 1000;v6 = 999LL;// v5 = (int *)(4 * (((unsigned __int64)&v4 + 3) >> 2));v5 = (int*)malloc(4 * 10000);i = 0;// slogan();scanf("%s", (char*)input);for (i = 0; i < v7; ++i)v5[i] = 0;for (j = 43; v5[j]; --v5[j]);++j;--j;++j;while (v5[j])--v5[j];for (j -= 43; v5[j]; --v5[j]);for (j += 42; v5[j]; --v5[j]){