Reverse app - Android backup (.ab) files and an encrypted SQLCipher database

Analysis

The challenge is XCTF app3; the download is a single file with the extension .ab.

The .ab extension is the Android system backup format (what adb backup produces). Backups come in two kinds, encrypted and unencrypted.

The file starts with a short text header of four lines: the magic string ANDROID BACKUP, the format version, a compression flag (1 = zlib-compressed payload, 0 = raw), and the encryption algorithm. For an unencrypted backup the fourth line reads none and the header is exactly 24 bytes; for an encrypted backup it reads AES-256 and is followed by further lines carrying the salts, PBKDF2 round count, IV and wrapped master key. Everything after the header is a tar stream.

Opening the file in WinHex shows the header lines ANDROID BACKUP, 2, 1 and none at the start; none means the backup is not encrypted, so no password is needed to unpack it.

Converting the .ab file into an archive

The open-source project Android Backup Extractor on GitHub converts .ab files into an ordinary archive. Project address: https://github.com/nelenkov/android-backup-extractor

C:\Desktop> java -jar abe.jar unpack 1.ab 1.zip
 0% 1% 2% 3% 4% 5% ... 98% 99% 100%
9097216 bytes written to ./1.zip.

Note that abe's unpack writes a tar archive regardless of the extension given for the output file; 7-Zip and similar tools open it either way, but renaming it to .tar avoids confusion.
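The header check and the unpack step above can also be done without abe.jar. The following is an added example (not code from the write-up or from the android-backup-extractor project): it parses the four header lines, refuses encrypted backups instead of mis-parsing them, strips the header, zlib-decompresses the payload when the compression flag is 1, and lists the tar members. A constructed in-memory backup with one fake app database is used as input so it runs offline; the file name and content are invented, not from the challenge.

```python
"""Parse the Android backup (.ab) header and unpack an unencrypted backup."""
import io
import tarfile
import zlib

AB_MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data: bytes) -> dict:
    """Return the header fields and the offset at which the tar payload starts.

    Only the unencrypted layout is handled: an AES-256 backup carries extra
    header lines (salts, PBKDF2 rounds, IV, wrapped master key) and is
    rejected with a clear error rather than parsed as if it were plain.
    """
    lines = data.split(b"\n", 4)          # magic, version, compressed, encryption, rest
    if len(lines) < 5 or lines[0] != AB_MAGIC:
        raise ValueError("not an Android backup: missing ANDROID BACKUP magic")
    version = int(lines[1])
    compressed = lines[2] == b"1"
    encryption = lines[3].decode("ascii")
    header_len = len(data) - len(lines[4])  # bytes consumed by the four lines (24 for v2/none)
    if encryption != "none":
        raise ValueError(f"encrypted backup ({encryption}); a password is required")
    return {"version": version, "compressed": compressed,
            "encryption": encryption, "header_len": header_len}


def unpack_ab(data: bytes) -> bytes:
    """Strip the header and return raw tar bytes, the same thing abe.jar unpack writes."""
    hdr = parse_ab_header(data)
    payload = data[hdr["header_len"]:]
    return zlib.decompress(payload) if hdr["compressed"] else payload


def list_members(tar_bytes: bytes) -> list:
    """Names of the entries in the extracted tar stream."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return tf.getnames()


def build_sample_ab(compressed: bool = True) -> bytes:
    """Constructed sample (not the challenge file): one fake app database inside
    a version-2 unencrypted backup header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        body = b"SQLite format 3\x00" + b"\x00" * 16
        info = tarfile.TarInfo("apps/com.example.app/db/example.db")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    tar_bytes = buf.getvalue()
    header = AB_MAGIC + b"\n2\n" + (b"1\n" if compressed else b"0\n") + b"none\n"
    return header + (zlib.compress(tar_bytes) if compressed else tar_bytes)


if __name__ == "__main__":
    sample = build_sample_ab()
    print(parse_ab_header(sample))
    print(list_members(unpack_ab(sample)))
```

To use it on a real file, read the .ab into bytes, call unpack_ab, and write the result out with a .tar extension; if parse_ab_header raises the "encrypted backup" error, fall back to abe.jar with the backup password, which performs the PBKDF2 key unwrapping this script deliberately leaves out.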

Loading the app in JEB

Extracting the converted archive yields an apk file and a db file. The db file does not open in a normal SQLite browser, so it is presumably encrypted.

Loading the apk in JEB, the decompiled MainActivity contains the routine that derives the key for the db database.

Based on the decompiled key-derivation code, write a script that reproduces it:

import java.security.MessageDigest;

// Decompiled helper class a: assembles the key material. this.a is a hard-coded salt.
class a {
    private String a;

    public a() {
        super();
        this.a = "yaphetshan";
    }

    // First four characters of each argument, concatenated.
    public String a(String arg4, String arg5) {
        return arg4.substring(0, 4) + arg5.substring(0, 4);
    }

    // SHA-1 hex digest of the argument with the salt appended.
    public String a(String arg3) {
        return b.b(arg3 + this.a);
    }

    // MD5 hex digest of the first argument; the second argument is ignored.
    public String b(String arg2, String arg3) {
        return b.a(arg2);
    }
}

// Decompiled helper class b: lowercase hex MD5 (method a) and SHA-1 (method b) digests.
public class b {
    public b() {
        super();
    }

    // Lowercase hex MD5 of the string's bytes.
    public static final String a(String arg9) {
        String v0_2;
        int v0 = 0;
        char[] v2 = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
        try {
            byte[] v1 = arg9.getBytes();
            MessageDigest v3 = MessageDigest.getInstance("MD5");
            v3.update(v1);
            byte[] v3_1 = v3.digest();
            int v4 = v3_1.length;
            char[] v5 = new char[v4 * 2];
            int v1_1 = 0;
            while(v0 < v4) {
                int v6 = v3_1[v0];
                int v7 = v1_1 + 1;
                v5[v1_1] = v2[v6 >>> 4 & 15];   // high nibble (sign extension is masked off)
                v1_1 = v7 + 1;
                v5[v7] = v2[v6 & 15];           // low nibble
                ++v0;
            }

            v0_2 = new String(v5);
        }
        catch(Exception v0_1) {
            v0_2 = null;
        }

        return v0_2;
    }

    // Lowercase hex SHA-1 of the string's bytes; identical loop to a() apart from the algorithm.
    public static final String b(String arg9) {
        String v0_2;
        int v0 = 0;
        char[] v2 = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
        try {
            byte[] v1 = arg9.getBytes();
            MessageDigest v3 = MessageDigest.getInstance("SHA-1");
            v3.update(v1);
            byte[] v3_1 = v3.digest();
            int v4 = v3_1.length;
            char[] v5 = new char[v4 * 2];
            int v1_1 = 0;
            while(v0 < v4) {
                int v6 = v3_1[v0];
                int v7 = v1_1 + 1;
                v5[v1_1] = v2[v6 >>> 4 & 15];
                v1_1 = v7 + 1;
                v5[v7] = v2[v6 & 15];
                ++v0;
            }

            v0_2 = new String(v5);
        }
        catch(Exception v0_1) {
            v0_2 = null;
        }

        return v0_2;
    }

    // Replays the call sequence seen in MainActivity.
    public static void main(String[] args) {
        a v1 = new a();
        String v2 = v1.a("Stranger", "123456");   // 123456 is 0x1E240 in decimal -> "Stra1234"
        // SHA-1("Stra1234" + MD5("Stra1234") + "yaphetshan"), first 7 hex characters
        System.out.println(v1.a(v2 + v1.b(v2, "password")).substring(0, 7));
    }
}

Running the script gives the db file password: ae56f99
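The same derivation is short enough to re-implement in Python with hashlib, which is handy when you want to script the rest of the extraction. The block below is an added example, not the write-up's Java script; it mirrors the decompiled classes (b.a is lowercase MD5 hex, b.b is lowercase SHA-1 hex, a.a(x, y) joins the first four characters of each argument, a.a(s) hashes s + "yaphetshan" with SHA-1, and MainActivity keeps the first seven hex characters). The function and constant names are my own.

```python
"""Re-derive the SQLCipher passphrase of the app3 database (added example)."""
import hashlib

SALT = "yaphetshan"          # the hard-coded this.a of decompiled class a


def md5_hex(s: str) -> str:          # class b, method a
    return hashlib.md5(s.encode()).hexdigest()


def sha1_hex(s: str) -> str:         # class b, method b
    return hashlib.sha1(s.encode()).hexdigest()


def head4_pair(x: str, y: str) -> str:    # class a, method a(String, String)
    """First four characters of each argument, concatenated."""
    return x[:4] + y[:4]


def salted_sha1(s: str) -> str:           # class a, method a(String)
    return sha1_hex(s + SALT)


def derive_key(name: str, number: str, length: int = 7) -> str:
    """Mirror MainActivity: seed = a.a(name, number);
    key = a.a(seed + b.a(seed))[:7].  The "password" argument MainActivity
    passes to a.b() is ignored by the decompiled code, so it is not a parameter here."""
    seed = head4_pair(name, number)
    return salted_sha1(seed + md5_hex(seed))[:length]


if __name__ == "__main__":
    # The constants MainActivity passes in; 123456 is 0x1E240 in decimal.
    print("seed:", head4_pair("Stranger", "123456"))
    print("key :", derive_key("Stranger", "123456"))
```

With the key in hand the database can also be opened from the sqlcipher command-line shell with PRAGMA key = 'ae56f99'; before the first SELECT, instead of the GUI used below.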

Open the encrypted db in DB Browser for SQLCipher with ae56f99 as the passphrase; the stored value is a base64-encoded string. (DB Browser for SQLCipher lets you choose between SQLCipher 3 and SQLCipher 4 default settings in its encryption dialog; if the correct passphrase is rejected, try the other defaults, since an older app's database is usually in the SQLCipher 3 format.)

Base64-decoding the string yields the flag.

Reference: https://www.52pojie.cn/thread-1082706-1-1.html

Source: www.cnblogs.com/luocodes/p/12130619.html