Analysis
The challenge is XCTF app3; the download is a file with the .ab extension.
A .ab file is the Android system backup format. It comes in two kinds, encrypted and unencrypted.
The first 24 bytes of an ab file act as a file header: if the backup is encrypted, the header carries an AES-256 marker; if it is unencrypted, it carries a none marker.
Loading the file into WinHex shows ANDROID BACKUP 2 1 none; none means the backup is not encrypted.
Converting the ab file to a zip file
There is an open-source project on GitHub, Android backup extractor, that converts a .ab file into an archive.
Project address: https://github.com/nelenkov/android-backup-extractor
E:\Desktop>java -jar ade.jar unpack 1.ab ./1.zip 0% 1% 2% 3% 4% 5% 6% 7% 8% 9% 10% 11% 12% 13% 14% 15% 16% 17% 18% 19% 20% 21% 22 % 23% 24% 25% 26% 27% 28% 29% 30% 31% 32% 33% 34% 35% 36% 37% 38% 39% 40% 41% 42 % 43% 44% 45% 46% 47% 48% 49% 50% 51% 52% 53% 54% 55% 56% 57% 58% 59% 60% 61% 62 % 63% 64% 65% 66% 67% 68% 69% 70% 71% 72% 73% 74% 75% 76% 77% 78% 79% 80% 81% 82 % 83% 84% 85% 86% 87% 88% 89% 90% 91% 92% 93% 94% 95% 96% 97% 98% 99% 100% 9097216 bytes written to ./1.zip.
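As an added example (not code from the writeup or from android-backup-extractor), the following Python reads the header fields described above and, for an unencrypted backup, inflates the payload and returns the archived files. It assumes the standard layout: four newline-terminated header lines (magic, version, compressed flag, encryption algorithm), followed, when the backup is unencrypted, by a zlib stream that holds a tar archive. The .ab it builds for itself is a constructed in-memory sample, not a real device backup; the function names are mine.

```python
"""Parse an Android backup (.ab) header and unpack an unencrypted payload.

Added example; assumed layout: b"ANDROID BACKUP\n<version>\n<compressed>\n<encryption>\n"
followed by a zlib-compressed tar archive when <encryption> is "none".
"""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data: bytes) -> dict:
    """Return the header fields and the offset at which the payload starts."""
    # The header is four newline-terminated lines; the fifth part is the payload.
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    magic, version, compressed, encryption, _payload = parts
    header_len = len(magic) + len(version) + len(compressed) + len(encryption) + 4
    return {
        "version": int(version),
        "compressed": compressed == b"1",
        "encryption": encryption.decode("ascii"),
        "encrypted": encryption != b"none",   # e.g. b"AES-256" for a password-protected backup
        "header_len": header_len,            # 24 for a "none" v2 header, as the writeup notes
    }


def unpack_ab(data: bytes) -> dict:
    """Return {member name: bytes} for an unencrypted backup; refuse encrypted ones."""
    hdr = parse_ab_header(data)
    if hdr["encrypted"]:
        raise ValueError(f"backup is encrypted with {hdr['encryption']}; decrypt it first")
    payload = data[hdr["header_len"]:]
    if hdr["compressed"]:
        payload = zlib.decompress(payload)
    files = {}
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def make_sample_ab(files: dict, encryption: bytes = b"none") -> bytes:
    """Build a constructed .ab for testing (a labelled header over a plain zlib+tar body)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    header = b"ANDROID BACKUP\n2\n1\n" + encryption + b"\n"
    return header + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    sample = make_sample_ab({"apps/demo/db/test.db": b"SQLite format 3\x00"})
    print(parse_ab_header(sample))
    print(list(unpack_ab(sample)))
```

With a real unencrypted backup, pass the file's bytes to unpack_ab. The check on the encryption field is the same one the writeup makes by eye in WinHex, and it is why the script refuses an AES-256 backup rather than trying to inflate ciphertext. Note that ade's unpack writes a tar archive whatever the output file is called, so the 1.zip produced above is really a tar.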
Loading the app in JEB
Unpacking the archive converted from the .ab reveals an apk file and a db file. The db file will not open, so presumably it is encrypted.
Loading the apk and analysing it shows that MainActivity contains the algorithm that produces the db database key.
Based on function a, write the decryption script (save it as b.java, then javac b.java && java b):
import java.security.MessageDigest;

// Decompiled helper class from MainActivity: assembles the input for the key derivation.
class a {
    private String a;

    public a() {
        super();
        this.a = "yaphetshan";   // fixed salt appended before the SHA-1 step
    }

    // First four characters of each argument, concatenated.
    public String a(String arg4, String arg5) {
        return arg4.substring(0, 4) + arg5.substring(0, 4);
    }

    // SHA-1 hex digest of (arg3 + salt).
    public String a(String arg3) {
        return b.b(arg3 + this.a);
    }

    // MD5 hex digest of arg2; arg3 is never used in the decompiled code.
    public String b(String arg2, String arg3) {
        return b.a(arg2);
    }
}

// Decompiled hashing class: lowercase hex digests of MD5 and SHA-1.
public class b {
    public b() {
        super();
    }

    private static final char[] HEX = {'0', '1', '2', '3', '4', '5', '6', '7',
                                       '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};

    // Hash arg9 with the named algorithm and return lowercase hex, or null on error.
    private static String hexDigest(String algorithm, String arg9) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            md.update(arg9.getBytes());
            byte[] digest = md.digest();
            char[] out = new char[digest.length * 2];
            int j = 0;
            for (byte v : digest) {
                out[j++] = HEX[v >>> 4 & 15];   // high nibble
                out[j++] = HEX[v & 15];         // low nibble
            }
            return new String(out);
        } catch (Exception e) {
            return null;
        }
    }

    public static final String a(String arg9) {   // MD5
        return hexDigest("MD5", arg9);
    }

    public static final String b(String arg9) {   // SHA-1
        return hexDigest("SHA-1", arg9);
    }

    public static void main(String[] args) {
        a v1 = new a();
        String v2 = v1.a("Stranger", "123456");   // 123456 is 0x1E240 in decimal
        // SHA-1(v2 + MD5(v2) + "yaphetshan"), first 7 hex characters
        System.out.println(v1.a(v2 + v1.b(v2, "password")).substring(0, 7));
    }
}
Running the script gives the db password ae56f99.
Open the encrypted db with DB Browser for SQLCipher; it contains a base64-encoded string.
Decoding it gives the flag.
Reference: https://www.52pojie.cn/thread-1082706-1-1.html
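The same derivation in Python, added here as a compact restatement of the decompiled classes a and b (not code from the challenge or the writeup). The inputs "Stranger" and "123456", the salt "yaphetshan", and the 7-character truncation are taken from the decompiled code; the function names are mine.

```python
"""Reproduce the app's SQLCipher key derivation: SHA-1(p + MD5(p) + salt)[:7],
where p is the first four characters of each input concatenated.

Added example; values below come from the decompiled MainActivity helpers.
"""
import hashlib

SALT = "yaphetshan"   # the fixed string stored in field a.a


def prefix4(user: str, pin: str) -> str:
    """a.a(String, String): first four characters of each argument, concatenated."""
    return user[:4] + pin[:4]


def md5_hex(s: str) -> str:
    """b.a(String): lowercase MD5 hex digest."""
    return hashlib.md5(s.encode()).hexdigest()


def sha1_hex(s: str) -> str:
    """b.b(String): lowercase SHA-1 hex digest."""
    return hashlib.sha1(s.encode()).hexdigest()


def derive_db_key(user: str, pin: str, salt: str = SALT) -> str:
    """MainActivity's pipeline: SHA-1(prefix + MD5(prefix) + salt), first 7 hex chars."""
    prefix = prefix4(user, pin)
    return sha1_hex(prefix + md5_hex(prefix) + salt)[:7]


if __name__ == "__main__":
    print(derive_db_key("Stranger", "123456"))
```

Running it prints the key the writeup reports, ae56f99. Two properties stand out from the structure: only the first four characters of each input matter, so "Strangers"/"1234567" derives the same key as "Stranger"/"123456", and the SQLCipher key is truncated to seven hex characters (28 bits), which is the kind of key space a reviewer should flag when assessing an app's local database protection.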