michael mzhang28

Data:

http://www.apk4fun.com/apk/1299/

Solution:

This is just a really difficult challenge. First, decompile snapchat.apk using a tool or a service like decompileandroid. Extract the src folder. Yay. Java.

The first step is to do a little bit of research on Snapchat decryption. Your research will probably lead you to this repo. However, it's outdated. Cry slowly. You should realize at this point that you need the Android ID to do anything. Use grep to search for android_id in src. This will reveal locations in the code that obtain the Android ID from the phone. You will eventually find in com.flurry.sdk.ea the following:

mzhang28 / aplit.c
Created February 18, 2016 20:32
EasyCTF 2015 Shell Binary Sources
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
int main(int argc, char **argv) {
    int score = 0;
    printf("CollageBored (R) Advanced Placement Literature Grader\n");
    if (argc != 2) {
        printf("Usage: %s [essay]\n", argv[0]);
        return 1;
~ » telnet wayward.tcp.easyctf.com 8580 michael@zhang
Trying 45.55.88.134...
Connected to wayward.tcp.easyctf.com.
Escape character is '^]'.
Please enter your pilot key: hello
The current time is: 1489720845.28
Please enter the coordinates (x, y) you would like to hit:
world
Sorry, you didn't enter valid coordinates.
Connection closed by foreign host.
mzhang28 / solve.py
Created March 26, 2017 21:19
VC Solution
#!/usr/bin/env python
from PIL import Image
A = Image.open("A.png")
B = Image.open("B.png")
dA = A.load()
dB = B.load()
mzhang28 / solve.py
Created March 26, 2017 21:24
PyCrypto Solution
#!/usr/bin/env python
frequencies = {'a': 0.0651738, 'b': 0.0124248, 'c': 0.0217339, 'd': 0.0349835, 'e': 0.1041442, 'f': 0.0197881, 'g': 0.0158610, 'h': 0.0492888, 'i': 0.0558094, 'j': 0.0009033, 'k': 0.0050529, 'l': 0.0331490, 'm': 0.0202124,
'n': 0.0564513, 'o': 0.0596302, 'p': 0.0137645, 'q': 0.0008606, 'r': 0.0497563, 's': 0.0515760, 't': 0.0729357, 'u': 0.0225134, 'v': 0.0082903, 'w': 0.0171272, 'x': 0.0013692, 'y': 0.0145984, 'z': 0.0007836, ' ': 0.1918182}
def single_byte_xor(b, s):
    """ Performs XOR of the single byte against every character in string. """
    assert len(b) == 1
    x = ord(b)
mzhang28 / solve.py
Created March 26, 2017 21:50
KeyPass Implementation
chars = " FuMlX%3kBJ:.N*epqA0Lh=En/diT1cwyaz$7SH,OoP;rUsWv4g\\Z<tx(8mf>-#I?bDYC+RQ!K5jV69&)G"
def get_key(seed):
    # Linear congruential generator; each state selects one of the 82 symbols in chars.
    result = ""
    seed = 16631 * (seed % 0x7fffffff) + 511115
    for i in range(16):
        result += chars[seed % 0x7fffffff % 82]
        seed = 16631 * (seed % 0x7fffffff) + 511115
    result += chars[seed % 0x7fffffff % 82]
    return result

Keybase proof

I hereby claim:

  • I am iptq on github.
  • I am failedxyz (https://keybase.io/failedxyz) on keybase.
  • I have a public key ASAOyYr2aYI5dkkI2c1UXnrjbb5t1l9ICUk__yJZpjvtIgo

To claim this, I am signing this object:

call plug#begin()
Plug 'vim-syntastic/syntastic'
Plug 'tomasiser/vim-code-dark'
Plug 'vim-airline/vim-airline'
Plug 'scrooloose/nerdtree'
Plug 'rhysd/vim-clang-format'
Plug 'kien/ctrlp.vim'
call plug#end()

Keybase proof

I hereby claim:

  • I am iptq on github.
  • I am michaelz (https://keybase.io/michaelz) on keybase.
  • I have a public key ASCEhMaJMl3DkJKGSXc8q1Nr5FIMVapUMwtEbQkCH7vIQAo

To claim this, I am signing this object:

Keybase proof

I hereby claim:

  • I am iptq on github.
  • I am michaelz (https://keybase.io/michaelz) on keybase.
  • I have a public key ASArajdaYzbql7aXaUnBl6G5yasMz7nhOIgkLEnDqEQdhwo

To claim this, I am signing this object: