看雪CTF2019Q2-第5题 丛林的秘密
发表于: 2019-6-18 23:45 3231
这道题实际是一个 Web 页面, url 为: (原文此处的链接被站点的链接混淆破坏, 无法还原; 从下面的代码看, 它是 native 层用 0x66 异或解出的 21 字节字符串, 应指向本机 8000 端口)。
/**
 * Decompiled launcher activity (excerpt; "..." marks code the write-up omits).
 * It takes a URL from the native library and opens it in a view that has
 * JavaScript enabled.
 */
public class MainActivity extends AppCompatActivity {
    private Button button1;
    private EditText eText1;
    private TextView txView1;
    // Not a literal in the Java code: assigned in the constructor from
    // gogogoJNI.sayHello().
    public String url;

    static {
        // Loads the native library "gogogo". Per the write-up, its JNI_OnLoad also
        // starts a listener on port 8000, so loading it has a network side effect.
        System.loadLibrary("gogogo");
    }

    public MainActivity() {
        this.url = gogogoJNI.sayHello();
    }

    protected void onCreate(Bundle arg3) {
        ...
        // 2131165318 is a raw resource id. The loadUrl/getSettings calls suggest the
        // view is a WebView (the decompiler output shown here has no cast) - confirm.
        this.findViewById(2131165318).loadUrl(this.url);
        // NOTE(review): JavaScript is enabled for this view, so whatever answers at
        // this.url runs script inside the app. In this listing the setting is applied
        // after loadUrl() has been called. When auditing an app built like this, check
        // who else can serve or alter that content.
        this.findViewById(2131165318).getSettings().setJavaScriptEnabled(true);
        ...
    }
}

// Native side of gogogoJNI.sayHello() as decompiler pseudo-C: rebuilds the URL string.
jstring __fastcall Java_com_example_assemgogogo_gogogoJNI_sayHello(JNIEnv *a1)
{
    // The author's comment at this point presumably held the decoded URL; the
    // site's link obfuscation mangled it in this copy, so it is not reproduced.
    //
    // 21 bytes of byte_2D28 are XORed with the constant 0x66. The key sits next to
    // the data, so this only keeps the URL out of a plain strings listing; it does
    // not protect it.
    for ( i = 0; i != 21; ++i )
        url[i] = byte_2D28[i] ^ 0x66;
    url[21] = 0;    // NUL terminator after the 21 decoded bytes
    // v2 is not declared in this excerpt - presumably the JNIEnv pointer taken
    // from a1 in lines the listing omits.
    return (*v2)->NewStringUTF(v2, url);
}
native 库在 JNI_OnLoad 中监听 8000 端口, 并向连接发送 html 页面, 也就是说 WebView 加载的页面应是由 App 自身提供的:
; Excerpts from the native library's disassembly ("..." marks omitted instructions).
;
; Listener setup: the address of the string "8000" is formed in R1, the second
; argument register, which for getaddrinfo() is the service (port) argument.
; NOTE(review): the node argument and the bind/listen calls are not shown, so this
; excerpt does not tell whether the socket is limited to loopback - worth checking
; when auditing an app that embeds its own HTTP listener.
.text:00000D1A ADD R1, PC ; "8000"
...
.text:00000D26 BLX getaddrinfo
; Connection handling: R0 receives the address of the canned HTTP response header,
; a client is accepted, and data is sent back on that connection. No check of the
; peer or of the request is visible in these lines.
.text:00000C50 ADD R0, PC ; "HTTP/1.1 200 OK\r\nContent-Type: text/h"...
...
.text:00000C60 BLX accept
...
.text:00000CA6 BLX send
html页面
<!-- Page returned by the app's local listener, as captured in the write-up. The WebAssembly bytes are elided as "..." by the author. -->
<html>
<script>
// Holds the instantiated WebAssembly module once the asynchronous load finishes.
var instance;
// The module is embedded as whitespace-separated hex byte values in a template
// literal, parsed into a Uint8Array and compiled in the page. The full checking
// logic is therefore delivered to the client together with the page.
WebAssembly.compile(new Uint8Array(` ... `.trim().split(/[\s\r\n]+/g).map(str => parseInt(str, 16)) )).then(module => {
  new WebAssembly.instantiate(module).then(results => { instance = results; }).catch(console.error);})

// Handler for the "check" button. The page only copies the input into the module
// and reads back the verdict from check_key(); no decision logic lives in the
// JavaScript itself.
// NOTE(review): instance is still undefined if this runs before the module has
// finished loading.
function check_flag(){
  var value = document.getElementById("key_value").value;
  // Length gate: input that is not exactly 32 characters is rejected before the
  // module is called.
  // NOTE(review): no element with id "tips" appears in the markup below as
  // captured here, so these getElementById("tips") calls would return null - the
  // element may have been lost in extraction.
  if(value.length != 32) { document.getElementById("tips").innerHTML = "Not Correct!"; return; }
  instance.exports.set_input_flag_len(value.length);
  // Each character is handed over as (UTF-16 code unit, index).
  for(var ii=0;ii<value.length;ii++){ instance.exports.set_input_flag(value[ii].charCodeAt(),ii); }
  var ret = instance.exports.check_key();
  // A return value of 1 from check_key() is the only success path.
  if (ret == 1){ document.getElementById("tips").innerHTML = "Congratulations!" }
  else{ document.getElementById("tips").innerHTML = "Not Correct!" }
}
</script>
<body>
<div>Key: <input id="key_value" type="text" name="key" style="width:60%" ;="" value=""> <input type="submit" value="check" onclick="check_flag()"></div>
</body></html>