首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 10)第2届移动安全挑战(MSC)
    3. 发新帖
[原创]第一题
发表于: 2015-10-20 23:59 13936

[原创]第一题

adslxyz 活跃值
2015-10-20 23:59
13936
第一题:
解压ipa后,拖level1到ida
定位到[ViewController onClick]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
// ViewController - (void)onClick
void __cdecl -[ViewController onClick](struct ViewController *self, SEL a2)
{
  __CFString *v2; // r6@1
  signed int v3; // r11@1
  void *v4; // r0@2
  void *v5; // r5@2
  void *v6; // r0@2
  void *v7; // r0@3
  void *v8; // r0@3
  void *v9; // r4@3
  void *v10; // r0@3
  const char *v11; // r5@3
  int v12; // r0@3
  size_t v13; // r6@5
  int v14; // r0@7
  int v15; // r1@7
  signed int v16; // r4@8
  void *v17; // r0@10
  __CFString *v18; // r3@11
  void *v19; // r0@13
  struct ViewController *v20; // [sp+10h] [bp-28h]@1
 
  v20 = self;
  v2 = CFSTR("mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU==");
  v3 = 5;
  do
  {
    v4 = objc_msgSend(&OBJC_CLASS___Ceasar_CipherModel, "alloc");
    --v3;
    v5 = objc_msgSend(v4, "initWithCipherKey:", v3);
    objc_msgSend(v5, "setCodedMessage:", v2);
    objc_msgSend(v5, "decrypt");
    v6 = objc_msgSend(v5, "originalMessage");
    v2 = (__CFString *)objc_msgSend(&OBJC_CLASS___AESCrypt, "decrypt:password:", v6, CFSTR("ZGlhb2RhX2ppYW5rYW5nCg=="));
  }
  while ( v3 > 0 );
  v7 = objc_msgSend(v20, "textFeild");
  v8 = objc_msgSend(v7, "text");
  v9 = objc_msgSend(v8, "UTF8String");
  v10 = objc_msgSend(v2, "UTF8String");
  v11 = (const char *)v10;
  v12 = *(_BYTE *)v10;
  if ( v12 )
  {
    if ( *(_BYTE *)v9 != v12 )
    {
LABEL_8:
      v16 = 0;
      goto LABEL_10;
    }
    v13 = 1;
    while ( v13 < strlen(v11) )
    {
      v14 = v11[v13];
      v15 = *((_BYTE *)v9 + v13++);
      if ( v15 != v14 )
        goto LABEL_8;
    }
  }
  v16 = 1;
LABEL_10:
  v17 = objc_msgSend(&OBJC_CLASS___UIAlertView, "alloc");
  if ( v16 == 1 )
    v18 = CFSTR("芠\x01xcknx\x01");
  else
    v18 = CFSTR("芠\x01x\x19");
  v19 = objc_msgSend(
          v17,
          "initWithTitle:message:delegate:cancelButtonTitle:otherButtonTitles:",
          &stru_1C808,
          v18,
          v20,
          CFSTR("諷"),
          CFSTR("nx"),
          0);
  j__objc_msgSend(v19, "show");
}


用Cycript:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
iPhone:~ root# cycript -p level1
cy# v2 = @"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU==";
@"mrMZAbjtZozDOGI9UeeH6g0iLHNnTNsFyzS0tYca4R3KkaQ0doxdDVuxZ7HoqYOcxFhgDiEvdGKix95VJNEUP8rdox4cm7GHVkbVcTJPmrTtH7hompW+xjTgGg2zQhs0tUGQ8lCggev2SNoWcaUOUU=="
cy# v4 = [[Ceasar_CipherModel alloc] initWithCipherKey:4];
#"<Ceasar_CipherModel: 0x15d104c0>"
cy# [v4 setCodedMessage:v2];
cy# [v4 decrypt];
cy# v3 = [v4 originalMessage];
@"inIVWxfpVkvZKCE9QaaD6c0eHDJjPJoBuvO0pUyw4N3GgwM0zktzZRqtV7DkmUKytBdcZeArzCGet95RFJAQL8nzkt4yi7CDRgxRyPFLinPpD7dkilS+tfPcCc2vMdo0pQCM8hYccar2OJkSywQKQQ=="
cy# v1 = [AESCrypt decrypt:v3 password:@"ZGlhb2RhX2ppYW5rYW5nCg=="]
@"hDmx1/d5KNhr1BBYQlRNVsZSEaOdw4MtKTpT3082x/x9lZucw0qEm+UhMaOVuoSLyqD1x0elXGXqM4nFSP3W8khfyg1ynDEwLhLt12m68U8="
cy# v4 = [[Ceasar_CipherModel alloc] initWithCipherKey:3];
#"<Ceasar_CipherModel: 0x17033ec0>"
cy# [v4 setCodedMessage:v1];
cy# [v4 decrypt];
cy# v3 = [v4 originalMessage];
@"eAju1/a5HKeo1YYVNiOKSpWPBxLat4JqHQmQ3082u/u9iWrzt0nBj+ReJxLSrlPIvnA1u0biUDUnJ4kCPM3T8hecvd1vkABtIeIq12j68R8="
cy# v1 = [AESCrypt decrypt:v3 password:@"ZGlhb2RhX2ppYW5rYW5nCg=="]
@"e1s6fwEoaC3l/4VLi1DA4KKPJdGcGWK3elMxPqOuG7MNa9fcfWu6gpui+m3q1akL"
cy# v4 = [[Ceasar_CipherModel alloc] initWithCipherKey:2];
#"<Ceasar_CipherModel: 0x1713c5a0>"
cy# [v4 setCodedMessage:@"e1s6fwEoaC3l/4VLi1DA4KKPJdGcGWK3elMxPqOuG7MNa9fcfWu6gpui+m3q1akL"];
cy# [v4 decrypt];
cy# v3 = [v4 originalMessage];
@"c1q6duCmyA3j/4TJg1BY4IINHbEaEUI3cjKvNoMsE7KLy9dadUs6ensg+k3o1yiJ"
cy# v1 = [AESCrypt decrypt:v3 password:@"ZGlhb2RhX2ppYW5rYW5nCg=="]
@"4p2eb81lORtnnduYgcAc3pxfqGh8Fybny9NFnTzYJ6B="
cy# v4 = [[Ceasar_CipherModel alloc] initWithCipherKey:1];
#"<Ceasar_CipherModel: 0x15ed14f0>"
cy# [v4 setCodedMessage:v1];
cy# [v4 decrypt];
cy# v3 = [v4 originalMessage];
@"4o2da81kNQsmmctXfbZb3owepFg8Examx9MEmSyXI6A="
cy# v1 = [AESCrypt decrypt:v3 password:@"ZGlhb2RhX2ppYW5rYW5nCg=="]
@"QNEcNAUUYKq5mMZJTh3J5w=="
cy# v4 = [[Ceasar_CipherModel alloc] initWithCipherKey:0];
#"<Ceasar_CipherModel: 0x17044de0>"
cy# [v4 setCodedMessage:v1];
cy# [v4 decrypt];
cy# v3 = [v4 originalMessage];
@"QNEcNAUUYKq5mMZJTh3J5w=="
cy# v1 = [AESCrypt decrypt:v3 password:@"ZGlhb2RhX2ppYW5rYW5nCg=="]
@"Sp4rkDr0idKit"
cy#


得到答案。

或者写个tweak

1
2
3
4
5
6
%hook AESCrypt
 
+(id)decrypt:(id)data password:(id)key {
    { %log; id r = %orig; NSLog(@" = %@", r); return r; }
}
%end


输出:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Oct 20 22:59:43 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:hmHUVweoUjuYJBD9PzzC6b0dGCIiOInAtuN0oTxv4M3FfvL0yjsyYQpsU7CjlTJxsAcbYdZqyBFds95QEIZPK8myjs4xh7BCQfwQxOEKhmOoC7cjhkR+seObBb2uLcn0oPBL8gXbbzq2NIjRxvPJPP== password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 22:59:43 iPhone level1[1091]:  = (null)
Oct 20 22:59:52 iPhone launchproxy[3800]: /usr/libexec/sshd-keygen-wrapper: Connection from: 127.0.0.1 on port: 57630
Oct 20 22:59:52 iPhone sshd[3802]: Accepted publickey for root from 127.0.0.1 port 57630 ssh2
Oct 20 22:59:52 iPhone sshd: root@ttys001[3803]: USER_PROCESS: 3803 ttys001
Oct 20 23:00:00 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:inIVWxfpVkvZKCE9QaaD6c0eHDJjPJoBuvO0pUyw4N3GgwM0zktzZRqtV7DkmUKytBdcZeArzCGet95RFJAQL8nzkt4yi7CDRgxRyPFLinPpD7dkilS+tfPcCc2vMdo0pQCM8hYccar2OJkSywQKQQ== password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 23:00:00 iPhone level1[1091]:  = hDmx1/d5KNhr1BBYQlRNVsZSEaOdw4MtKTpT3082x/x9lZucw0qEm+UhMaOVuoSLyqD1x0elXGXqM4nFSP3W8khfyg1ynDEwLhLt12m68U8=
Oct 20 23:00:00 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:eAju1/a5HKeo1YYVNiOKSpWPBxLat4JqHQmQ3082u/u9iWrzt0nBj+ReJxLSrlPIvnA1u0biUDUnJ4kCPM3T8hecvd1vkABtIeIq12j68R8= password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 23:00:00 iPhone level1[1091]:  = e1s6fwEoaC3l/4VLi1DA4KKPJdGcGWK3elMxPqOuG7MNa9fcfWu6gpui+m3q1akL
Oct 20 23:00:00 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:c1q6duCmyA3j/4TJg1BY4IINHbEaEUI3cjKvNoMsE7KLy9dadUs6ensg+k3o1yiJ password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 23:00:00 iPhone level1[1091]:  = 4p2eb81lORtnnduYgcAc3pxfqGh8Fybny9NFnTzYJ6B=
Oct 20 23:00:00 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:4o2da81kNQsmmctXfbZb3owepFg8Examx9MEmSyXI6A= password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 23:00:00 iPhone level1[1091]:  = QNEcNAUUYKq5mMZJTh3J5w==
Oct 20 23:00:00 iPhone level1[1091]: +[<AESCrypt: 0xfd0e4> decrypt:QNEcNAUUYKq5mMZJTh3J5w== password:ZGlhb2RhX2ppYW5rYW5nCg==]
Oct 20 23:00:00 iPhone level1[1091]:  = Sp4rkDr0idKit


第二题:
ida载入后,由题目提示定位到cdevsw_add函数。
按ctrl+x打开xrefs窗口,选择第一个函数。
看到有random的提示
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
__TEXT:__text:800C0D88 sub_800C0D88                            ; DATA XREF: __DATA:__const:8039CF70o
__TEXT:__text:800C0D88
__TEXT:__text:800C0D88 perms           = -0x18
__TEXT:__text:800C0D88 fmt             = -0x14
__TEXT:__text:800C0D88 var_10          = -0x10
__TEXT:__text:800C0D88
__TEXT:__text:800C0D88                 PUSH            {R4-R7,LR}
__TEXT:__text:800C0D8A                 ADD             R7, SP, #0xC
__TEXT:__text:800C0D8C                 SUB             SP, SP, #0xC
__TEXT:__text:800C0D8E                 MOV             R0, #(off_803BD360 - 0x800C0D9A)
__TEXT:__text:800C0D96                 ADD             R0, PC ; off_803BD360
__TEXT:__text:800C0D98                 ADDW            R1, R0, #0xB14
__TEXT:__text:800C0D9C                 MOV.W           R0, #0xFFFFFFFF
__TEXT:__text:800C0DA0                 BL              _cdevsw_add
__TEXT:__text:800C0DA4                 MOV             R4, R0
__TEXT:__text:800C0DA6                 CMP.W           R4, #0xFFFFFFFF
__TEXT:__text:800C0DAA                 BGT             loc_800C0DBA
__TEXT:__text:800C0DAC                 MOV             R0, #(aRandom_initFai - 0x800C0DB8) ; "\"random_init: failed to allocate a maj"...
__TEXT:__text:800C0DB4                 ADD             R0, PC  ; "\"random_init: failed to allocate a maj"...
__TEXT:__text:800C0DB6                 BL              _panic


由【a-guide-to-kernel-exploitation.pdf】的一段话:

the value −1 is supplied as the index (0xFFFFFFFF). When cdevsw add() sees a negative value, it uses the absolute value of the index instead, and then begins scanning for a usable slot from this location. However, the value of −1 will cause cdevsw add() to start scanning from slot 0. The second argument to this function is of the type struct cdevsw.

知找struct cdevsw。
按shift+F1,打开Local Types 窗口,按insert(mac按fn+enter),插入结构体
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
struct cdevsw
{
  void (__cdecl *d_open)();
  void (__cdecl *d_close)();
  void (__cdecl *d_read)();
  void (__cdecl *d_write)();
  void (__cdecl *d_ioctl)();
  void (__cdecl *d_stop)();
  void (__cdecl *d_reset)();
  int **d_ttys;
  void (__cdecl *d_select)();
  void (__cdecl *d_mmap)();
  void (__cdecl *d_strategy)();
  void (__cdecl *d_getc)();
  void (__cdecl *d_putc)();
  int d_type;
}


然后在Local Types 窗口里双击刚刚插入的cdevsw,点击确认添加到ida数据库。

然后对应跳转到
803BDE74
转成cdevsw:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
__DATA:__data:803BDE74                 DCD sub_800C0E18+1      ; d_open
__DATA:__data:803BDE74                 DCD sub_800C0E34+1      ; d_close
__DATA:__data:803BDE74                 DCD sub_800C0EA0+1      ; d_read
__DATA:__data:803BDE74                 DCD sub_800C0E38+1      ; d_write
__DATA:__data:803BDE74                 DCD sub_800C0E04+1      ; d_ioctl
__DATA:__data:803BDE74                 DCD _nulldev+1          ; d_stop
__DATA:__data:803BDE74                 DCD _nulldev+1          ; d_reset
__DATA:__data:803BDE74                 DCD 0                   ; d_ttys
__DATA:__data:803BDE74                 DCD _enodev+1           ; d_select
__DATA:__data:803BDE74                 DCD _enodev+1           ; d_mmap
__DATA:__data:803BDE74                 DCD _enodev_strat+1     ; d_strategy
__DATA:__data:803BDE74                 DCD _enodev+1           ; d_getc
__DATA:__data:803BDE74                 DCD _enodev+1           ; d_putc
__DATA:__data:803BDE74                 DCD 0                   ; d_type

可得d_read,d_write,d_ioctl的地址

不知道kaslr怎么计算的,写不出答案。。

[注意]看雪招聘,专注安全领域的专业人才平台!

收藏
免费
支持
分享
最新回复 (4)
adslxyz
雪    币: 55
活跃值: (100)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
知道自己答案哪里错了,原来是都忘记+1了,哈哈哈哈
2015-10-21 22:34
0
影子不寂寞
雪    币: 6
活跃值: (19)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
谢谢楼主分享技术贴
2015-10-21 22:36
0
小调调
雪    币: 3466
活跃值: (3766)
能力值: ( LV4,RANK:40 )
在线值:
发帖
回帖
粉丝
私信
4
而且还必须小写
2015-10-21 22:50
0
不呲咔呲
雪    币: 68
活跃值: (663)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
楼主,请问下为毛我按照你的方法到最后添加到ida数据库后没有跳转的803BDE74?而是这里
00000000 cdevsw          struc ; (sizeof=0x38, align=0x4)
00000000 d_open          DCD ?                   ; offset
00000004 d_close         DCD ?                   ; offset
00000008 d_read          DCD ?                   ; offset
0000000C d_write         DCD ?                   ; offset
00000010 d_ioctl         DCD ?                   ; offset
00000014 d_stop          DCD ?                   ; offset
00000018 d_reset         DCD ?                   ; offset
0000001C d_ttys          DCD ?                   ; offset
00000020 d_select        DCD ?                   ; offset
00000024 d_mmap          DCD ?                   ; offset
00000028 d_strategy      DCD ?                   ; offset
0000002C d_getc          DCD ?                   ; offset
00000030 d_putc          DCD ?                   ; offset
00000034 d_type          DCD ?
00000038 cdevsw          ends
00000038
2015-10-22 01:59
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回

账号登录
验证码登录

忘记密码?
没有账号?立即免费注册
我已同意 《看雪服务条款》 《看雪课程免责声明》 《看雪隐私政策》