看雪CTF2019Q1-第2题-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

看雪CTF2019Q1-第2题

发表于: 2019-3-18 21:38 3402

看雪CTF2019Q1-第2题

风间仁

2019-3-18 21:38

3402

1. apk

so里判断密码是否正确, 正确则解密flag, 需要提交的是密码, 因此直接看so

package com.zhuotong.crackme;
public class MainActivity extends AppCompiatActivity;
 
package android.support.v7.app;
public class AppCompiatActivity extends AppCompatActivity {
    static {
        System.loadLibrary("oo000oo");
    }
    protected native boolean eq(String arg1);
    protected void onStart() {
                ...
        this.login.setOnClickListener(new View$OnClickListener() {
            public void onClick(View arg5) {
                                    ...
                        if(AppCompiatActivity.this.eq(AppCompiatActivity.this.mPassword)) {
                            byte[] v5 = AppCompiatActivity.this.mPassword.getBytes();
                            int v3 = 24;
                            if(v5.length != v3) {
                                byte[] v2 = new byte[v3];
                                while(v1 < v2.length) {
                                    byte v3_1 = v1 < v5.length ? v5[v1] : ((byte)v1);
                                    v2[v1] = v3_1;
                                    ++v1;
                                }
 
                                v5 = v2;
                            }
                            v5 = AppCompiatActivity.dec(v5, "2ggdrsLgM7iPNYPQrD58Rg==".getBytes());
                            AppCompiatActivity v1_1 = AppCompiatActivity.this;
                            StringBuilder v2_1 = new StringBuilder();
                            v2_1.append("flag{");
                            v2_1.append(new String(v5));
                            v2_1.append("}");
                            Toast.makeText(((Context)v1_1), v2_1.toString(), 1).show();
                        }
                        ...
            }
        });
        this.name = this.findViewById(2131165265);
        this.name.setEnabled(false);
        this.password = this.findViewById(2131165277);
    }  
}

2. liboo000oo.so

解密用到的字符串

1	`.init_array:00003E78 DCD .datadiv_decode5009363700628197108+1`

注册native函数android.support.v7.app.AppCompiatActivity.eq

int __fastcall JNI_OnLoad(JavaVM *a1)
{
  env = 0;
  if ( !(*a1)->GetEnv(a1, &env, 65540) )
    goto LABEL_4;
LABEL_2:
  result = -1;
  while ( _stack_chk_guard != v5 )
  {
LABEL_4:
    v2 = env;
    v3 = (*env)->FindClass(env, off_4010);
    dword_4110 = (*v2)->NewGlobalRef(v2, v3);
    if ( !v3 || (*v2)->RegisterNatives(v2, v3, &stru_4014, 1) <= -1 )
      goto LABEL_2;
    result = 65542;
  }
  return result;
}
 
.data:00004014 stru_4014       JNINativeMethod <aEq, aLjavaLangStrin, x_eq+1>

x_eq函数功能

字符串: 650f909c-7217-3647-9331-c82df8b98e98

去掉字符'-': 650f909c721736479331c82df8b98e98

package com.zhuotong.crackme;
public class MainActivity extends AppCompiatActivity;
 
package android.support.v7.app;
public class AppCompiatActivity extends AppCompatActivity {
    static {
        System.loadLibrary("oo000oo");
    }
    protected native boolean eq(String arg1);
    protected void onStart() {
                ...
        this.login.setOnClickListener(new View$OnClickListener() {
            public void onClick(View arg5) {
                                    ...
                        if(AppCompiatActivity.this.eq(AppCompiatActivity.this.mPassword)) {
                            byte[] v5 = AppCompiatActivity.this.mPassword.getBytes();
                            int v3 = 24;
                            if(v5.length != v3) {
                                byte[] v2 = new byte[v3];
                                while(v1 < v2.length) {
                                    byte v3_1 = v1 < v5.length ? v5[v1] : ((byte)v1);
                                    v2[v1] = v3_1;
                                    ++v1;
                                }
 
                                v5 = v2;
                            }
                            v5 = AppCompiatActivity.dec(v5, "2ggdrsLgM7iPNYPQrD58Rg==".getBytes());
                            AppCompiatActivity v1_1 = AppCompiatActivity.this;
                            StringBuilder v2_1 = new StringBuilder();
                            v2_1.append("flag{");
                            v2_1.append(new String(v5));
                            v2_1.append("}");
                            Toast.makeText(((Context)v1_1), v2_1.toString(), 1).show();
                        }
                        ...
            }
        });
        this.name = this.findViewById(2131165265);
        this.name.setEnabled(false);
        this.password = this.findViewById(2131165277);
    }  
}

package com.zhuotong.crackme;
public class MainActivity extends AppCompiatActivity;
 
package android.support.v7.app;
public class AppCompiatActivity extends AppCompatActivity {
    static {
        System.loadLibrary("oo000oo");
    }
    protected native boolean eq(String arg1);
    protected void onStart() {
                ...
        this.login.setOnClickListener(new View$OnClickListener() {
            public void onClick(View arg5) {
                                    ...
                        if(AppCompiatActivity.this.eq(AppCompiatActivity.this.mPassword)) {
                            byte[] v5 = AppCompiatActivity.this.mPassword.getBytes();
                            int v3 = 24;
                            if(v5.length != v3) {
                                byte[] v2 = new byte[v3];
                                while(v1 < v2.length) {
                                    byte v3_1 = v1 < v5.length ? v5[v1] : ((byte)v1);
                                    v2[v1] = v3_1;
                                    ++v1;
                                }
 
                                v5 = v2;
                            }
                            v5 = AppCompiatActivity.dec(v5, "2ggdrsLgM7iPNYPQrD58Rg==".getBytes());
                            AppCompiatActivity v1_1 = AppCompiatActivity.this;
                            StringBuilder v2_1 = new StringBuilder();
                            v2_1.append("flag{");
                            v2_1.append(new String(v5));
                            v2_1.append("}");
                            Toast.makeText(((Context)v1_1), v2_1.toString(), 1).show();
                        }
                        ...
            }
        });
        this.name = this.findViewById(2131165265);
        this.name.setEnabled(false);
        this.password = this.findViewById(2131165277);
    }  
}

package com.zhuotong.crackme;
public class MainActivity extends AppCompiatActivity;
 
package android.support.v7.app;
public class AppCompiatActivity extends AppCompatActivity {
    static {
        System.loadLibrary("oo000oo");
    }
    protected native boolean eq(String arg1);
    protected void onStart() {
                ...
        this.login.setOnClickListener(new View$OnClickListener() {
            public void onClick(View arg5) {
                                    ...
                        if(AppCompiatActivity.this.eq(AppCompiatActivity.this.mPassword)) {
                            byte[] v5 = AppCompiatActivity.this.mPassword.getBytes();
                            int v3 = 24;
                            if(v5.length != v3) {
                                byte[] v2 = new byte[v3];
                                while(v1 < v2.length) {
                                    byte v3_1 = v1 < v5.length ? v5[v1] : ((byte)v1);
                                    v2[v1] = v3_1;
                                    ++v1;
                                }
 
                                v5 = v2;
                            }
                            v5 = AppCompiatActivity.dec(v5, "2ggdrsLgM7iPNYPQrD58Rg==".getBytes());
                            AppCompiatActivity v1_1 = AppCompiatActivity.this;
                            StringBuilder v2_1 = new StringBuilder();
                            v2_1.append("flag{");
                            v2_1.append(new String(v5));
                            v2_1.append("}");
                            Toast.makeText(((Context)v1_1), v2_1.toString(), 1).show();
                        }
                        ...
            }
        });
        this.name = this.findViewById(2131165265);
        this.name.setEnabled(false);
        this.password = this.findViewById(2131165277);
    }  
}

2. liboo000oo.so

解密用到的字符串

1	`.init_array:00003E78 DCD .datadiv_decode5009363700628197108+1`

注册native函数android.support.v7.app.AppCompiatActivity.eq

int __fastcall JNI_OnLoad(JavaVM *a1)
{
  env = 0;
  if ( !(*a1)->GetEnv(a1, &env, 65540) )
    goto LABEL_4;
LABEL_2:
  result = -1;
  while ( _stack_chk_guard != v5 )
  {
LABEL_4:
    v2 = env;
    v3 = (*env)->FindClass(env, off_4010);
    dword_4110 = (*v2)->NewGlobalRef(v2, v3);
    if ( !v3 || (*v2)->RegisterNatives(v2, v3, &stru_4014, 1) <= -1 )
      goto LABEL_2;
    result = 65542;
  }
  return result;
}
 
.data:00004014 stru_4014       JNINativeMethod <aEq, aLjavaLangStrin, x_eq+1>

解密用到的字符串

1	`.init_array:00003E78 DCD .datadiv_decode5009363700628197108+1`

1	`.init_array:00003E78 DCD .datadiv_decode5009363700628197108+1`

注册native函数android.support.v7.app.AppCompiatActivity.eq

int __fastcall JNI_OnLoad(JavaVM *a1)
{
  env = 0;
  if ( !(*a1)->GetEnv(a1, &env, 65540) )
    goto LABEL_4;
LABEL_2:
  result = -1;
  while ( _stack_chk_guard != v5 )
  {
LABEL_4:
    v2 = env;
    v3 = (*env)->FindClass(env, off_4010);
    dword_4110 = (*v2)->NewGlobalRef(v2, v3);
    if ( !v3 || (*v2)->RegisterNatives(v2, v3, &stru_4014, 1) <= -1 )
      goto LABEL_2;
    result = 65542;
  }
  return result;
}
 
.data:00004014 stru_4014       JNINativeMethod <aEq, aLjavaLangStrin, x_eq+1>

int __fastcall JNI_OnLoad(JavaVM *a1)
{
  env = 0;
  if ( !(*a1)->GetEnv(a1, &env, 65540) )
    goto LABEL_4;
LABEL_2:
  result = -1;
  while ( _stack_chk_guard != v5 )
  {
LABEL_4:
    v2 = env;
    v3 = (*env)->FindClass(env, off_4010);
    dword_4110 = (*v2)->NewGlobalRef(v2, v3);
    if ( !v3 || (*v2)->RegisterNatives(v2, v3, &stru_4014, 1) <= -1 )
      goto LABEL_2;
    result = 65542;
  }
  return result;
}
 
.data:00004014 stru_4014       JNINativeMethod <aEq, aLjavaLangStrin, x_eq+1>