2025数字中国决赛app wp

luyanpei
  2025-04-20 13:07:05 2025-04-20 13:07:05 Created   2025-04-30 13:18:50 2025-04-30 13:18:50 Updated      881 Words  4 Mins  

比赛时随手记录的笔记,待整理

1
2
user041
rG7S3G54

隐私合约2

image-20250419105347927

以下是危险权限:

  1. android.permission.POST_NOTIFICATIONS:允许应用发送通知
  2. android.permission.RECEIVE_BOOT_COMPLETED: 允许应用在系统启动时接收广播
  3. android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS: 允许应用请求忽略电池优化

其他权限虽然不被认为是危险权限,但也需要谨慎使用:

  1. android.permission.READ_SMS:允许应用读取短信内容
  2. android.permission.CALL_PHONE:允许应用拨打电话
  3. android.permission.WRITE_EXTERNAL_STORAGE:允许应用写入外部存储(如SD卡)
  4. android.permission.READ_EXTERNAL_STORAGE:允许应用读取外部存储(如SD卡)
1
2
3
1. android.permission.READ_SMS:允许应用读取短信内容
2. android.permission.CALL_PHONE:允许应用拨打电话
md5:69ef3b808a66aebc57aa0e9c13375693

flag{69ef3b808a66aebc57aa0e9c13375693}

比赛题目记录

1
2
3
user042

G2W4fW28

image

image

理论

image

‍crackme

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <string.h>

int  main()
{
    unsigned char _encrypted_system_key[] =
    {
      0x30, 0x11, 0x76, 0x53, 0xBC, 0x9D, 0xFC, 0xDD, 0x32, 0x17,
      0x70, 0x51, 0xB8, 0x99, 0xFE, 0xDB
    };
    unsigned char _encrypted_system_iv[] =
    {
      0x23, 0x06, 0x65, 0x4C, 0xA5, 0x9D, 0xFC, 0xDD, 0x21, 0x00,
      0x63, 0x4E, 0xA1, 0x99, 0xFE, 0xDB
    };
    unsigned char a123456[] =
    {
      0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x00
    };
    unsigned char s1[] = "1234561234561234";
    for (int i = 0; i < 16; ++i)
    {
    
        _encrypted_system_key[i] ^= s1[i];
            _encrypted_system_iv[i] ^= s1[i];
    }
    for (size_t i = 0; i < 16; i++)
    {
        printf("%02x ", _encrypted_system_key[i]);
    }
    printf("iv \n");
    for (size_t i = 0; i < 16; i++)
    {
        printf("%02x ", _encrypted_system_iv[i]);
    }
    //aes加密 cbc模式,有key和iv
    //unsigned char _encrypted_system_password[] =
 /*   {
        0x9F, 0x8E, 0x53, 0x4C, 0x9A, 0x66, 0x32, 0x42, 0x16, 0x84,
            0x2F, 0x42, 0xE0, 0xDB, 0x6C, 0xEB
    };*/
    //verify_system_password
    return 0;
}

‍aes解密

wyy网易云

1
ACTIVITY com.example.wyy/.LoginActivity 4516241 pid=3965

1
2
3
4
5
6
7
8
User user = this.db.userDao().getUser(obj, obj2);
       if (user != null) {
           this.userManager.saveUser(user.getId(), user.getUsername());
           startActivity(new Intent(this, (Class<?>) MainActivity.class));
           finish();
           return;
       }

sqlite format3 数据库里面藏了 用户名和密码

1
2
3
4
5
6
7
8
9
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE `songs` (`id` INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, `name` TEXT, `artist` TEXT, `path` TEXT);
INSERT INTO songs VALUES(1,'起风了','买辣椒也用券','qifengle.mp3');
INSERT INTO songs VALUES(2,'海阔天空','Beyond','haikuotiankong.mp3');
INSERT INTO songs VALUES(3,'晴天','周杰伦','qingtian.mp3');
INSERT INTO songs VALUES(4,'平凡之路','朴树','pingfanzhilu.mp3');
INSERT INTO songs VALUES(5,'光年之外','邓紫棋','guangnianzhiwai.mp3');
COMMIT;

user这个表

1
2
3
CREATE TABLE `users` (`id` INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, `username` TEXT, `password` TEXT);


com.allo.contacts/.activity.SplashActivity

ezapk

image

image

image

输入全部都是“1”

1
adb shell am start -n com.lovere.myapplication/.MainActivity

最终flag

1
2
3
4
5
6
7
8
9
10
11
12
RC4解密后是flag{a2_b3_c44_d44_hahahaha}
比较的密文:(26个字符)
AF 50 68 EC 0A 4D 9F 51 AB C8 F8 7F 17
72 FD 43 43 E8 E6 4C 60 F7 BA EE A8 1E


解密后是:
flag{aa_bbb_cccc_dddd_hahahaha}

flag{a2_b3_c44_d44_hahahaha}

flag{aa_bbb_cccc_dddd_hahahaha}

taskDB

com.example.managepatients

image

1
adb shell am start  -n  com.example.managepatients/.ui.LoginActivity

image

image

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
///data/user/0/com.example.managepatients/files

function hook_did() {
    Java.perform(function () {


        let CryptoUtil = Java.use("com.example.managepatients.utils.CryptoUtil");
        CryptoUtil["hashPassword"].implementation = function (str, bArr, i) {
            //console.log(`CryptoUtil.hashPassword is called: str=${str}, bArr=${bArr}, i=${i}`);
            //str="17581138909";
            var arg0 =Java.use('java.lang.String').$new("17581138909");
            var bArr1 = Java.array('byte',[ 0x9b,0x3c,0x0b,0xcb,0xd6,0x9b,0x5c,0xa0,0x1e,0x5a,0x3f,0x11,0x34,0x2d,0xc2,0x44,0xc0,0x84,0xcc,0x21,0xd8,0xcd,0xb1,0x85,0xfa,0xb2,0xef,0xd6,0x98,0x86,0x99,0x0d]);

            let result = this["hashPassword"](arg0, bArr1, i);
            console.log(`CryptoUtil.hashPassword result=${result}`);
            return result;
        };

    })
}
function hook_unity() {

}
function main() {
    hook_did();
    //  hook_did();
}
setImmediate(main)

// java.lang.Throwable
//         at com.boombit.sdk.firebase.core.Analytics.getAppInstanceId(Native Method)
//         at com.unity3d.player.UnityPlayer.nativeRender(Native Method)
//         at com.unity3d.player.UnityPlayer.-$$Nest$mnativeRender(Unknown Source:0)
//         at com.unity3d.player.UnityPlayer$F$a.handleMessage(Unknown Source:110)
//         at android.os.Handler.dispatchMessage(Handler.java:102)
//         at android.os.Looper.loop(Looper.java:223)
//         at com.unity3d.player.UnityPlayer$F.run(Unknown Source:20)

//setImmediate(main)
//frida -U -f com.example.weather -l frida_hook_field.js

//objection -g com.fieldrunners.tower.defense.Casual.games explore

//com.DefaultCompany.i_wanna

1
0b835d96ce6fed809af9f33169d5e3a7

image

  • Title: 2025数字中国决赛app wp
  • Author: luyanpei
  • Created at : 2025-04-20 13:07:05
  • Updated at : 2025-04-30 13:18:50
  • Link: https://redefine.ohevan.com/posts/27579.html
  • License: All Rights Reserved © luyanpei
On this page
2025数字中国决赛app wp
  1. 隐私合约2
  • 比赛题目记录
    1. 理论
    2. ‍crackme
    4. wyy网易云
    5. ezapk
    6. taskDB