-
-
[原创]2019看雪CTF 团队赛 第二题 变形金钢WP
-
发表于: 2019-3-21 18:20
-
用jadx打开apk,找到MainActivity
看起来挺简单的,但是在手机上测试的结果却不是这样,随便输入点什么按登陆是提示error。
在MainActivity里也没有什么线索,尝试搜索"error",发现在 android.support.v7.app.AppCompiatActivity.onStart() 有另外的实现
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 | protected void onStart() { super.onStart(); this.login = (Button) findViewById(R.id.login_button); this.login.setOnClickListener(new OnClickListener() { public void onClick(View view) { AppCompiatActivity.this.mName = AppCompiatActivity.this.name.getText().toString(); AppCompiatActivity.this.mPassword = AppCompiatActivity.this.password.getText().toString(); if (TextUtils.isEmpty(AppCompiatActivity.this.mName) == null) { if (TextUtils.isEmpty(AppCompiatActivity.this.mPassword) == null) { int i = 0; AppCompiatActivity.this.login.setEnabled(false); if (AppCompiatActivity.this.eq(AppCompiatActivity.this.mPassword) != null) { view = AppCompiatActivity.this.mPassword.getBytes(); if (view.length != 24) { byte[] bArr = new byte[24]; while (i < bArr.length) { bArr[i] = i < view.length ? view[i] : (byte) i; i++; } view = bArr; } view = AppCompiatActivity.dec(view, "2ggdrsLgM7iPNYPQrD58Rg==".getBytes()); Context context = AppCompiatActivity.this; StringBuilder stringBuilder = new StringBuilder(); stringBuilder.append("flag{"); stringBuilder.append(new String(view)); stringBuilder.append("}"); Toast.makeText(context, stringBuilder.toString(), 1).show(); } else { Toast.makeText(AppCompiatActivity.this, "error", 1).show(); } return; } } Toast.makeText(AppCompiatActivity.this, "用户名或密码为空", 1).show(); } }); this.name = (EditText) findViewById(R.id.name); this.name.setEnabled(false); this.password = (EditText) findViewById(R.id.password); } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 | protected void onStart() { super.onStart(); this.login = (Button) findViewById(R.id.login_button); this.login.setOnClickListener(new OnClickListener() { public void onClick(View view) { AppCompiatActivity.this.mName = AppCompiatActivity.this.name.getText().toString(); AppCompiatActivity.this.mPassword = AppCompiatActivity.this.password.getText().toString(); if (TextUtils.isEmpty(AppCompiatActivity.this.mName) == null) { if (TextUtils.isEmpty(AppCompiatActivity.this.mPassword) == null) { int i = 0; AppCompiatActivity.this.login.setEnabled(false); if (AppCompiatActivity.this.eq(AppCompiatActivity.this.mPassword) != null) { view = AppCompiatActivity.this.mPassword.getBytes(); if (view.length != 24) { byte[] bArr = new byte[24]; while (i < bArr.length) { bArr[i] = i < view.length ? view[i] : (byte) i; i++; } view = bArr; } view = AppCompiatActivity.dec(view, "2ggdrsLgM7iPNYPQrD58Rg==".getBytes()); Context context = AppCompiatActivity.this; StringBuilder stringBuilder = new StringBuilder(); stringBuilder.append("flag{"); stringBuilder.append(new String(view)); stringBuilder.append("}"); Toast.makeText(context, stringBuilder.toString(), 1).show(); } else { Toast.makeText(AppCompiatActivity.this, "error", 1).show(); } return; } } Toast.makeText(AppCompiatActivity.this, "用户名或密码为空", 1).show(); } }); this.name = (EditText) findViewById(R.id.name); this.name.setEnabled(false); this.password = (EditText) findViewById(R.id.password); } |
查看eq方法
1 2 3 4 5 | protected native boolean eq(String str); static { System.loadLibrary("oo000oo"); } |
1 2 3 4 5 | protected native boolean eq(String str); static { System.loadLibrary("oo000oo"); } |
具体验证在so里实现,那我们先用readelf看下init_array的地址
用IDA打开so定位到函数
异或解密数据,可以写个IDC脚本
1 2 3 4 5 6 7 | auto i, x,addr=0x4020; auto q=0xA5; for ( i=0; i < 37; i=i+1 ) { x = Byte(addr+i); x = (x^q); PatchByte(addr+i,x); } |
1 2 3 4 5 6 7 | auto i, x,addr=0x4020; auto q=0xA5; for ( i=0; i < 37; i=i+1 ) { x = Byte(addr+i); x = (x^q); PatchByte(addr+i,x); } |
其他同理
解密以后发现有这个,可能是base64的码表
查看引用,定位到sub_784
[招生]科锐逆向工程师培训(2025年3月11日实地,远程教学同时开班, 第52期)!
最后于 2019-3-24 11:58
被梦游枪手编辑
,原因:
|
|
|---|---|
