This was my first time tackling the Android platform. I didn't expect to be learning as I went, and just setting up a debugging environment took a huge amount of effort; in the end I got hold of an old phone and rooted it.
I first tried dynamic debugging with JEB2, which was extremely inconvenient, so I switched to IDA. Everyone, remember to install the JDK and the Android SDK and then configure the environment variables.
As for how to attach IDA for debugging, please search for it; it's available online and I won't repeat it here.
After attaching IDA, I broke on the CHECK function inside the .so and stepped into it: all kinds of junk instructions, jumping back and forth. I caught the string "JPyjup3eCyJjlkV6DmSmGHQ=".
61DA2000: loaded /data/app-lib/com.miss.rfchen-1/librf-chen.so
librf_chen.so:61DA4814 PUSH.W {R4-R10,LR}
librf_chen.so:61DA4818 ADD R7, SP, #0xC
librf_chen.so:61DA481A SUB SP, SP, #0x48
librf_chen.so:61DA481C MOV R9, R0
librf_chen.so:61DA481E LDR R0, =(dword_61DC1EA4 - 0x61DA482A)
librf_chen.so:61DA4820 LDR.W LR, =(unk_61DBF558 - 0x61DA482E)
librf_chen.so:61DA4824 MOV R10, SP
librf_chen.so:61DA4826 ADD R0, PC ; dword_61DC1EA4
librf_chen.so:61DA4828 MOV R8, R2
librf_chen.so:61DA482A ADD LR, PC ; unk_61DBF558
librf_chen.so:61DA482C MOV R3, R10
librf_chen.so:61DA482E LDR R0, [R0]
librf_chen.so:61DA4830 LDR.W R12, =(dword_61DC2040 - 0x61DA483A)
librf_chen.so:61DA4834 LDR R0, [R0]
librf_chen.so:61DA4836 ADD R12, PC ; dword_61DC2040
librf_chen.so:61DA4838 STR R0, [SP,#0x54+var_10]
librf_chen.so:61DA483A LDMIA.W LR!, {R1,R2,R4-R6}
librf_chen.so:61DA483E STMIA R3!, {R1,R2,R4-R6}
librf_chen.so:61DA4840 LDMIA.W LR!, {R1,R2,R4-R6}
librf_chen.so:61DA4844 STMIA R3!, {R1,R2,R4-R6}
librf_chen.so:61DA4846 LDMIA.W LR, {R0-R2,R4-R6}
librf_chen.so:61DA484A STMIA R3!, {R0-R2,R4-R6}
librf_chen.so:61DA484C LDR.W R0, [R12]
librf_chen.so:61DA4850 CMP R0, #6
librf_chen.so:61DA4852 BLT loc_61DA4874
librf_chen.so:61DA4854 B loc_61DA486C
librf_chen.so:61DA48EA ADD R12, PC ; "JPyjup3eCyJjlkV6DmSmGHQ=!!\n\n"
librf_chen.so:61DA48EC LDR R1, [R0]
librf_chen.so:61DA48EE ADDS R1, #1
librf_chen.so:61DA48F0 STR R1, [R0]
librf_chen.so:61DA48F2 MOVS R0, #0x4A
librf_chen.so:61DA48F4 MOVS R1, #0x79
librf_chen.so:61DA48F6 PUSH.W {R4-R10,LR}
librf_chen.so:61DA48FA POP.W {R4-R10,LR}
librf_chen.so:61DA48FE B unk_61DA4928
librf_chen.so:61DA49CA MOVS R1, #0x75
librf_chen.so:61DA4A36 MOVS R1, #0x33
librf_chen.so:61DA4AA2 MOVS R1, #0x43
librf_chen.so:61DA4B7A MOVS R0, #0x6C
librf_chen.so:61DA4BE6 MOVS R0, #0x56
librf_chen.so:61DA4C52 MOVS R0, #0x44
librf_chen.so:61DA4CBE MOVS R0, #0x53
librf_chen.so:61DA4D2A MOVS R0, #0x47
librf_chen.so:61DA4D96 MOVS R0, #0x51
librf_chen.so:61DA5204 CMP.W R5, #0xFFFFFFFF
librf_chen.so:61DA5208 BEQ.W loc_61DA5304
librf_chen.so:61DA520C ADD.W R4, R10, R4,LSL#1
librf_chen.so:61DA5210 LDRSH.W R3, [R4,#2]
librf_chen.so:61DA5214 UXTH R0, R3
librf_chen.so:61DA5216 CMP R0, R2
librf_chen.so:61DA5218 BEQ.W loc_61DA536C
It looked a lot like BASE64 encryption, so I first decoded it into hex bytes: 24 fc a3 ba 9d de 0b 22 63 96 45 7a 0e 64 a6 18 74
While tracing in IDA I found the string "19931012", which is used as the RC4 key. The obfuscation is heavy; there were many twists along the way and I nearly gave up. I'm really not familiar with Android.
I was going back and forth between the office and home, and a lot of the debugging notes weren't captured. I'm curious how you guys quickly strip the obfuscation out of a .so?
Algorithm analysis:
Input "123456789012"
Rc4_hash = RC4(input,"19931012")
Base64_hash_1 = BASE64(Rc4_hash) = "eK/068qRWWgzxR8x"
Check Base64_hash_1 == "JPyjup3eCyJjlkV6DmSmGHQ="
Cracking:
Base64 decode, then RC4 decode with 19931012 as the key
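The check described above, reconstructed in Python as an added example (this is not code from the post or from the app; it only uses the RC4 key and the Base64 constant the post reports). The RC4 routine is the standard KSA/PRGA and is assumed to match what the .so does; the function names make_hash, check, target_bytes and recover are my own.

```python
import base64

RC4_KEY = b"19931012"                    # key string the post found in the .so
TARGET_B64 = "JPyjup3eCyJjlkV6DmSmGHQ="  # constant the CHECK function compares against


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by the keystream generator (PRGA).
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    # KSA: permute the 256-byte state using the key
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # PRGA: one keystream byte per input byte, XORed in
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def make_hash(user_input: bytes) -> str:
    """Base64_hash_1 = BASE64(RC4(input, "19931012")), as the post describes."""
    return base64.b64encode(rc4(RC4_KEY, user_input)).decode("ascii")


def check(user_input: bytes) -> bool:
    """The CHECK logic: accept the input only if its hash equals the stored constant."""
    return make_hash(user_input) == TARGET_B64


def target_bytes() -> bytes:
    """The constant after Base64 decoding (the 17 hex bytes listed in the post)."""
    return base64.b64decode(TARGET_B64)


def recover(target_b64: str = TARGET_B64) -> bytes:
    """The reverse direction: Base64 decode, then RC4 with the same key."""
    return rc4(RC4_KEY, base64.b64decode(target_b64))


if __name__ == "__main__":
    decoded = target_bytes()
    print("decoded bytes:", decoded.hex(" "), f"({len(decoded)} bytes)")
    print("hash of 123456789012:", make_hash(b"123456789012"))
    print("recovered input:", recover())
    print("check(recovered):", check(recover()))
```

One thing the reconstruction makes obvious: the constant decodes to 17 bytes, so a 12-character input like "123456789012" produces a 16-character Base64 string and can never match the 24-character constant, whatever the key. The valid input has to be exactly 17 bytes long, which is what recover() returns.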