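/**
 * Frida script for com.example.mobile02.MainActivity.
 *
 * Three look-alike native methods are involved and must not be confused:
 *   stringFromJN1 (digit one)   - takes no arguments, returns the key
 *   stringFromJNl (lowercase L) - takes (key, input), returns a digit string
 *   stringFromJNI (capital I)   - takes one string, hooked below for logging
 *
 * Part 1 recovers a six-character string two characters at a time by
 * comparing a growing prefix of stringFromJNl's output with `target`.
 * Part 2 hooks stringFromJNI and CHECK1 so the flag is printed once the app
 * calls them.
 */
Java.perform(function () {
  // Recovered characters; filled in on the main thread and read later by the
  // stringFromJNI hook when it prints the flag.
  let res = "";

  Java.scheduleOnMainThread(function () {
    try {
      const MainActivity = Java.use("com.example.mobile02.MainActivity");
      const instance = MainActivity.$new();
      const target = "011010000102021112011120012212010120";
      const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?/`~';
      const key = instance.stringFromJN1();

      // Two characters per round, three rounds, six characters in total.
      for (let k = 0; k < 3; k++) {
        // Each round extends the compared prefix by 12 output characters.
        const prefixLen = k * 12 + 12;
        const wanted = target.slice(0, prefixLen);

        search:
        for (let i = 0; i < charset.length; i++) {
          for (let j = 0; j < charset.length; j++) {
            const candidate = charset[i] + charset[j];
            try {
              // The characters recovered so far (res) must be passed as the prefix.
              const result = instance
                .stringFromJNl(key, res + candidate)
                .slice(0, prefixLen);
              if (result === wanted) {
                // Keep the matching pair and stop both loops for this round.
                res += candidate;
                console.log("[✔] Found match: " + candidate + " => " + result);
                break search;
              }
            } catch (err) {
              console.error("Error with input:", candidate, err);
            }
          }
        }
      }
      console.log("res = " + res);
    } catch (e) {
      console.log(e);
    }
  });

  const MainActivity = Java.use("com.example.mobile02.MainActivity");

  // Log the argument and result of stringFromJNI, then print the flag built
  // from that result followed by the recovered characters.
  MainActivity["stringFromJNI"].implementation = function (str1) {
    console.log(`MainActivity.stringFromJNI is called: str1=${str1}`);
    const result = this["stringFromJNI"](str1);
    console.log(`MainActivity.stringFromJNI result=${result}`);
    console.log("flag: " + "ISCC{" + result + res + "}");
    return result;
  };

  // Replace whatever the app passes to CHECK1 with a fixed, well-formed input.
  MainActivity["CHECK1"].implementation = function (str1) {
    console.log(`MainActivity.CHECK1 is called: str1=${str1}`);
    const inp = "ISCC{111111111111111}";
    const result = this["CHECK1"](inp);
    // console.log(`MainActivity.CHECK1 result=${result}`);
    return result;
  };

  // Hooks used while exploring the app, left disabled:
  // MainActivity["stringFromJNl"].implementation = function (key, input) {
  //     console.log(`MainActivity.stringFromJNl is called: key=${key}, input=${input.slice(3, 9)}`);
  //     let data = "8edf4116e5bbacd84bbe78bd8bdf99f7";
  //     let result = this["stringFromJNl"](data, input.slice(3, 9));
  //     console.log(`MainActivity.stringFromJNl result=${result}`);
  //     return result;
  // };
  // MainActivity["CHECK2"].implementation = function (str1) {
  //     console.log(`MainActivity.CHECK2 is called: str1=${str1}`);
  //     let result = this["CHECK2"](str1);
  //     console.log(`MainActivity.CHECK2 result=${result}`);
  //     return result;
  // };
  //
  // MainActivity["stringFromJN1"].implementation = function () {
  //     console.log(`MainActivity.stringFromJN1 is called`);
  //     let result = this["stringFromJN1"]();
  //     console.log(`MainActivity.stringFromJN1 result=${result}`);
  //     return result;
  // };
});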
/*
[✔] Found match: A1 => 011010000102
[✔] Found match: b@ => 011010000102021112011120
[✔] Found match: 3c => 011010000102021112011120012212010120
res = A1b@3c
MainActivity.CHECK1 is called: str1=1
MainActivity.stringFromJNI is called: str1=7kL@22
MainActivity.stringFromJNI result=%3G'bc'rw
flag: ISCC{%3G'bc'rwA1b@3c}
*/
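def init_sentences(sentences):
    """Turn a block of text into nested lists of character codes.

    The text is split into sentences on newlines (empty lines are dropped),
    each sentence into words on single spaces, and each word into a list of
    the code points of its characters.

    Args:
        sentences: text with one sentence per line.

    Returns:
        A list of sentences, each a list of words, each a list of ints.
    """
    sentences = sentences.split('\n')
    sentences = [s.split(" ") for s in sentences if s]
    # A leading, trailing or doubled space yields an empty word, i.e. [].
    sentences = [[list(map(ord, s)) for s in sen] for sen in sentences]
    return sentences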
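# NOTE(review): Solver, Int, Or and Distinct are not imported anywhere in the
# visible listing; presumably `from z3 import *` precedes this — confirm.
s = Solver()

word = ['a', 'e', 'i', 'l', 'p', 'r', 's', 't', 'u']
word_int = [ord(i) for i in word]  # the nine letters as integer code points

# One integer variable per cell of the 9x9 grid.
var = [[Int(f"var_{i}_{j}") for j in range(9)] for i in range(9)]

# Every cell must hold one of the nine letters.
for r in range(9):
    for c in range(9):
        s.add(Or([var[r][c] == val for val in word_int]))

# No repeated value within a row or within a column.
for i in range(9):
    s.add(Distinct([var[i][j] for j in range(9)]))
    s.add(Distinct([var[j][i] for j in range(9)]))

# No repeated value within a 3x3 box.
for i in range(3):
    for j in range(3):
        three = [var[i*3+k][j*3+l] for k in range(3) for l in range(3)]
        s.add(Distinct(three))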
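# Candidate sentences.
# NOTE(review): the line breaks inside this literal were lost when the page
# was extracted; the sentence boundaries need restoring from the original
# script before the text is split into sentences.
sentences = """past is pleasure please user it rap less piter its pure latter is leet rit platstep all use peatrle pali atar usar sets a pure sereat tales sell appets """

# NOTE(review): three things the loop below relies on are not in the visible
# listing: `sentences` must already be a list of sentences of words of
# character codes (presumably via init_sentences(sentences)), `vector` must
# hold the (row step, column step) pairs to search, and `sentences_paths`
# must be an empty list. Confirm against the original script.
for line_index, line in enumerate(sentences):
    # Constraints for every word of this sentence.
    line_paths = []
    for word in line:
        # All placements of this word in the grid.
        word_paths = []
        word_len = len(word)
        # Try every cell as the starting position and extend in each direction.
        for i in range(9):
            for j in range(9):
                # Placements of the word starting at this cell.
                for start, end in vector:
                    one_path = []
                    # Bounds check: the word must not run off the grid.
                    # NOTE(review): the last cell used is i + start*(word_len-1),
                    # so for a negative step this test also rejects placements
                    # that end exactly on row or column 0 — confirm whether that
                    # is intended.
                    if i+start*word_len >= 0 and i+start*word_len <= 9 and j+end*word_len >= 0 and j+end*word_len <= 9:
                        # One candidate path: every letter must match its cell.
                        for k in range(word_len):
                            one_path.append(var[i+start*k][j+end*k] == word[k])
                        word_paths.append(And(one_path))
        line_paths.append(Or(word_paths))  # the word appears at least once
    sentences_paths.append(And(line_paths))  # all words of the sentence appear

s.add(Or(sentences_paths))  # at least one sentence is present

# One boolean per sentence; setting it forces that sentence to be present.
ifsentence = [Bool(f"if_sentence_{i}") for i in range(len(sentences_paths))]
for i in range(len(sentences_paths)):
    s.add(Implies(ifsentence[i], sentences_paths[i]))

# Count 1 for each sentence marked present; require at least five.
s.add(Sum([If(sen, 1, 0) for sen in ifsentence]) >= 5)

# Read the grid out row by row as a string.
res = ""
if s.check() == sat:
    m = s.model()
    for i in range(9):
        for j in range(9):
            res += chr(m[var[i][j]].as_long())
else:
    print("No solution found")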
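def xor(data: list, key: list) -> list:
    """XOR the first 30 items of data with a position-dependent key value.

    The key value used at index i is:
      - key[i] + 2 when i is even,
      - key[i] + 5 when i is odd and a multiple of 3,
      - key[i]     when i is odd and not a multiple of 3.

    Args:
        data: at least 30 integers.
        key: at least 30 integers.

    Returns:
        A list of 30 integers.

    Raises:
        IndexError: if either list has fewer than 30 items.
    """
    res = []
    for i in range(30):
        if i & 1:
            if i % 3:
                res.append(data[i] ^ key[i])
            else:
                res.append(data[i] ^ (key[i] + 5))
        else:
            res.append(data[i] ^ (key[i] + 2))
    return res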
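// NOTE(review): the opening `Java.perform(function () {` and the declaration
// of `t` are not in the original listing; they are restored here so that the
// trailing `})` and `t += 1` have something to bind to. Confirm against the
// original script.
Java.perform(function () {
  let t = 0;

  // Re-install the hooks every 100 ms and stop once t exceeds 100.
  // NOTE(review): presumably repeated so the hooks are in place before the
  // app first uses these classes — confirm.
  const loop = setInterval(function () {
    const b = Java.use("com.example.mobile01.b");
    const DESHelper = Java.use("com.example.mobile01.DESHelper");

    // Make b.c() always return this fixed key.
    b["c"].implementation = function () {
      console.log(`b.c is called`);
      return "WxYzAbCdEfGhIjKl"; // write the key back
    };

    t += 1;
    if (t > 100) clearInterval(loop);

    // Log the arguments and result of DESHelper.encrypt and print the
    // result wrapped in the flag format.
    DESHelper.encrypt.implementation = function (str, str2, str3) {
      console.log(`DESHelper.encrypt is called: str=${str}, str2=${str2}, str3=${str3}`);
      const result = this["encrypt"](str, str2, str3);
      console.log(`DESHelper.encrypt result=${result}`);
      console.log(`FLAG=ISCC{${result}}`);
      return result;
    };
  }, 100);
});
//FLAG=ISCC{pAK51YtjzLPtTlO2WF16SLnw63oJpCHn}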
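# NOTE(review): res2, sb and sb2 are defined outside the visible listing.
# Interleave the two sequences: even positions come from sb2, odd from sb.
interleaved = []
i = j = 0
for k in range(len(res2)):
    if k % 2 == 0:
        interleaved.append(sb2[i])
        i += 1
    else:
        interleaved.append(sb[j])
        j += 1
final_hex = ''.join(interleaved)

# Hex digits to characters. A group that starts with '0' (and has at least
# three digits left after it) is '0' plus two hex digits; any other group is
# four hex digits.
output = []
i = 0
while i < len(final_hex):
    if final_hex[i] == '0' and i + 2 < len(final_hex):
        output.append(chr(int(final_hex[i+1:i+3], 16)))
        i += 3
    else:
        output.append(chr(int(final_hex[i:i+4], 16)))
        i += 4
plaintext = ''.join(output)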
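/**
 * Frida script for com.example.holygrail.
 *
 * 1. Calls CipherDataHandler.getCipherText with a fixed order of checkbox
 *    names and prints the result.
 * 2. Hooks a.vigenereEncrypt to log its arguments and result.
 * 3. Runs every character of `table` through a.processWithNative and prints
 *    the inverse mapping (output -> input character) as dictionary entries.
 */
Java.perform(function () {
  const CipherDataHandler = Java.use("com.example.holygrail.CipherDataHandler");
  const dec = CipherDataHandler.$new();
  const ArrayList = Java.use("java.util.ArrayList");
  const list = ArrayList.$new();
  const box = [
    "checkBox8", "checkBox6", "checkBox7", "checkBox5", "checkBox12",
    "checkBox3", "checkBox10", "checkBox13", "checkBox11", "checkBox",
    "checkBox9", "checkBox4", "checkBox14",
  ];
  box.forEach(function (item) {
    list.add(item);
  });
  const res = dec.getCipherText(list);
  console.log(res);

  const a = Java.use("com.example.holygrail.a");
  // Uses `function`, not an arrow, because `this` must be the hooked instance.
  a["vigenereEncrypt"].implementation = function (str, str2) {
    console.log(`a.vigenereEncrypt is called: str=${str}, str2=${str2}`);
    const result = this["vigenereEncrypt"](str, str2);
    console.log(`a.vigenereEncrypt result=${result}`);
    return result;
  };

  const table = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
  const aa = a.$new();

  // Input character -> output of processWithNative for that character.
  const dict = {};
  for (let i = 0; i < table.length; i++) {
    const res3 = aa.processWithNative(table[i]);
    dict[table[i]] = res3;
  }

  // Print the inverse mapping, one `'output': 'input',` entry per line.
  for (const key in dict) {
    if (dict.hasOwnProperty(key)) {
      console.log("'" + dict[key] + "'" + ": " + "'" + key + "'" + ',');
    }
  }
})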
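import string


def decxor(data: list, key: list) -> list:
    """XOR two integer lists element by element.

    Args:
        data: integers to transform.
        key: integers to XOR with.

    Returns:
        A list as long as the shorter input (zip stops at the shorter one).
    """
    res = []
    for i, k in zip(data, key):
        res.append(i ^ k)
    return res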
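def to_str(data: list) -> str:
    """Decode a list of 32-bit integers as text.

    Each integer is written as four little-endian bytes, the bytes are
    concatenated, and the result is decoded with the default codec (UTF-8).

    Args:
        data: non-negative integers that each fit in four bytes.

    Returns:
        The decoded string.

    Raises:
        OverflowError: if an integer is negative or needs more than four bytes.
        UnicodeDecodeError: if the bytes are not valid UTF-8.
    """
    res = b''
    for i in data:
        a = i.to_bytes(4, byteorder="little")
        res += a
    return res.decode()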
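def recover(data: str, chartable: list, after_chartable: list) -> str:
    """Undo a 36-position permutation of data.

    For each of the first 36 entries of chartable, find where that entry sits
    in after_chartable and take the character of data at that position.

    Args:
        data: the permuted string.
        chartable: the table in its original order (at least 36 entries).
        after_chartable: the same table after the permutation.

    Returns:
        A 36-character string in the original order.

    Raises:
        ValueError: if an entry of chartable is missing from after_chartable.
        IndexError: if data or chartable is too short.
    """
    res = []
    index = [i for i in range(36)]
    for i in range(36):
        # Position of the i-th original entry after the permutation.
        index[i] = after_chartable.index(chartable[i])
        res.append(data[index[i]])
    return "".join(res)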
// Instantiate com.example.ggad.c, call its decrypt method with the two fixed
// strings below and print the result.
Java.perform(() => {
  const CipherClass = Java.use("com.example.ggad.c");
  const cipher = CipherClass.$new();
  const decrypted = cipher.decrypt("I2Z6T85I481439", "ExpectoPatronum");
  console.log(`c.a result=${decrypted}`);
})