非黑即白

思路:

简单的异或即可。

脚本


#!/usr/bin/env python
# -*- coding:utf-8 -*-
from hashlib import sha256
def xor(a, b):
    """XOR two strings character by character and return the result.

    Characters are paired with ``zip()``, so the output is as long as the
    *shorter* of ``a`` and ``b``; surplus characters of the longer input
    are silently dropped.  Works on ``str`` code points (byte strings under
    the Python 2 this script targets), not on ``bytes``.
    """
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))
def aHASH(msg):
    """Round function: the first 8 bytes of SHA-256(``msg``).

    The digest is truncated to 64 bits so that it matches the size of one
    Feistel half (see zjctf_encrypt); the truncation also limits the
    strength of each round output to 64 bits.  ``msg`` is a byte ``str``
    under Python 2; under Python 3 it would have to be ``bytes``.
    """
    digest = sha256(msg).digest()
    return digest[0:8]
def zjctf_encrypt(gen_keys, hahahah):
    """Feistel-style encryption of one 16-character block.

    ``hahahah`` is split into a left half (first 8 characters) and a right
    half (the rest).  For every round key ``k`` in ``gen_keys``, in order,
    the left half becomes ``aHASH(right) ^ k ^ left`` and the halves are
    swapped.  The return value is ``right + left`` of the final state, i.e.
    the halves in swapped order; zjctf_decrypt expects exactly that layout
    and the round keys reversed (``keys[::-1]`` in ``__main__``).

    The block length is not validated: xor() truncates to its shorter
    operand, so input that is not exactly 16 characters silently yields a
    short or malformed result instead of an error.
    """
    left, right = hahahah[:8], hahahah[8:]
    for round_key in gen_keys:
        mixed = xor(xor(aHASH(right), round_key), left)
        left, right = right, mixed
    return right + left
def gen_keymap(key):
    """Derive the 16 round keys from ``key`` by iterated hashing.

    The schedule is a hash chain: ``k[0] = aHASH(key)`` and
    ``k[i] = aHASH(k[i-1])``.  Every round key therefore depends only on
    the previous one, so a single known round key determines all later
    ones.  Returns the keys as a list in round order.
    """
    round_keys = []
    current = key
    while len(round_keys) < 16:
        current = aHASH(current)
        round_keys.append(current)
    return round_keys
def encrypt(key, data):
    """Encrypt ``data`` under ``key`` and return the ciphertext as a hex string.

    Relies on the Python 2 ``'hex'`` string codec, so this function (like
    the rest of the script) only runs under Python 2.
    """
    round_keys = gen_keymap(key)
    ciphertext = zjctf_encrypt(round_keys, data)
    return ciphertext.encode('hex')
def zjctf_decrypt(gen_keys, hahahah):
    """Inverse of zjctf_encrypt.

    Takes the ciphertext in the layout zjctf_encrypt produces (halves in
    swapped order) and the round keys in the *reverse* of encryption
    order, as ``__main__`` does with ``keys[::-1]``.  Each round recovers
    the earlier left half as ``aHASH(d1) ^ k ^ d2`` and shifts the halves
    back.  Returns the plaintext halves in their original order.
    """
    d2, d1 = hahahah[:8], hahahah[8:]
    for round_key in gen_keys:
        # Right-hand side is evaluated with the old d1/d2 before rebinding.
        d2, d1 = d1, xor(xor(aHASH(d1), round_key), d2)
    return d1 + d2
if __name__ == "__main__":
    # Python 2 only: str-based hashing and the 'hex' str codec are used.
    result = encrypt("zzzzzjctffffffff", "This_is_the_flag")
    # Decryption consumes the round keys in reverse order.
    keys = gen_keymap("zzzzzjctffffffff")[::-1]
    # The challenge ciphertext, hex-decoded back into a 16-byte block.
    c = '5ec0c0dd0cccc5a2c056e6e7fec3f0ea'.decode('hex')
    print(zjctf_decrypt(keys, c))
    # your result = 5ec0c0dd0cccc5a2c056e6e7fec3f0ea

序列变换

思路

反编译,打开MainActivity.class文件

`

/**
 * Reads every line of the bundled asset {@code pwd.txt} into {@code this.Seq},
 * one line per index starting at 0.
 *
 * The reader is never closed, and {@code Seq[n]} is written without a bounds
 * check: a file with more lines than {@code Seq} can hold would raise an
 * ArrayIndexOutOfBoundsException, which the IOException handler does not
 * catch.  (Decompiled from MainActivity; {@code Seq} is declared elsewhere.)
 */
public void readFile() {
    final AssetManager assets = this.getAssets();
    try {
        final InputStreamReader in = new InputStreamReader(assets.open("pwd.txt"));
        final BufferedReader reader = new BufferedReader(in);
        int n = 0;
        String line = reader.readLine();
        while (line != null) {
            this.Seq[n] = line;
            line = reader.readLine();
            ++n;
        }
    }
    catch (IOException ex) {
        ex.printStackTrace();
    }
}

`

注意到从pwd.txt 中读取数据。

apk解压后可以搜索到pwd.txt文件,notepad++打开,找到第12701行序列:j4nlO512Y82Swe44CoNlVzWM

// Only the 12701st sequence (1-based; index is reduced modulo 20000) is
// wrapped into the flag, after passing through transformSeq.
if (MainActivity.this.index % 20000 + 1 == 12701) {
text = "zjctf{" + tansform.transformSeq(s) + "}";
}

又注意到,若为第12701个序列,进行了变换,如下:

{
/**
 * Shifts every ASCII letter of {@code s} by one code point: uppercase
 * letters move up ('A' -> 'B', 'Z' -> '['), lowercase letters move down
 * ('b' -> 'a', 'a' -> '`'); all other characters are left unchanged.
 * Both range checks read the original string, so each character is
 * shifted at most once.  Decompiled from the APK; this is the transform
 * applied to the sequence found at line 12701 of pwd.txt.
 */
public static String transformSeq(final String s) {
    final StringBuilder out = new StringBuilder(s);
    for (int i = 0, n = s.length(); i < n; ++i) {
        final char c = s.charAt(i);
        if (c >= 'A' && c <= 'Z') {
            out.setCharAt(i, (char) (c + 1));
        }
        if (c >= 'a' && c <= 'z') {
            out.setCharAt(i, (char) (c - 1));
        }
    }
    return out.toString();
}

编写py脚本

# Re-implements the APK's transformSeq for the sequence at line 12701 of
# pwd.txt: uppercase letters move up one code point, lowercase letters move
# down one, everything else is copied unchanged.
a = 'j4nlO512Y82Swe44CoNlVzWM'


def _shift(ch):
    """Return ch shifted the way transformSeq shifts it (or ch itself)."""
    if ch.isupper():
        return chr(ord(ch) + 1)
    if ch.islower():
        return chr(ord(ch) - 1)
    return ch


b = ''.join(_shift(ch) for ch in a)
print(b)

欢迎参加

思路

session为guest的md5
用admin的md5访问得到flag.php

白黑分明

思路

阅读js源码,得到路径/game/push,访问之,需要token,从HEAD类型的请求中拿到token,再从正常请求中拿到cookie,访问得到flag