[Original] 2019 Kanxue CTF Team Round, Problem 2: "Transformers" (变形金钢) writeup

Posted on: 2019-3-21 18:20
Open the APK in jadx and locate MainActivity.
It looks simple enough, but testing on a phone tells a different story: type anything and press Login, and the app just shows "error".
MainActivity itself holds no clue either. Searching for the string "error" turns up a second implementation in android.support.v7.app.AppCompiatActivity.onStart() (note the look-alike class name: this is not the real support-library AppCompatActivity, but a class tucked into that package).
protected void onStart() {
    super.onStart();
    this.login = (Button) findViewById(R.id.login_button);
    this.login.setOnClickListener(new OnClickListener() {
        public void onClick(View view) {
            AppCompiatActivity.this.mName = AppCompiatActivity.this.name.getText().toString();
            AppCompiatActivity.this.mPassword = AppCompiatActivity.this.password.getText().toString();
            // jadx rendered these boolean checks as "== null"; the real condition is "not empty"
            if (!TextUtils.isEmpty(AppCompiatActivity.this.mName)) {
                if (!TextUtils.isEmpty(AppCompiatActivity.this.mPassword)) {
                    int i = 0;
                    AppCompiatActivity.this.login.setEnabled(false);
                    // eq() is the native check (see below); only a password it accepts reaches dec()
                    if (AppCompiatActivity.this.eq(AppCompiatActivity.this.mPassword)) {
                        // jadx reused the View parameter as a byte[]; renamed to data here
                        byte[] data = AppCompiatActivity.this.mPassword.getBytes();
                        // anything other than exactly 24 bytes is copied into a 24-byte
                        // buffer; each unused slot i is filled with the byte value i
                        if (data.length != 24) {
                            byte[] bArr = new byte[24];
                            while (i < bArr.length) {
                                bArr[i] = i < data.length ? data[i] : (byte) i;
                                i++;
                            }
                            data = bArr;
                        }
                        data = AppCompiatActivity.dec(data, "2ggdrsLgM7iPNYPQrD58Rg==".getBytes());
                        Context context = AppCompiatActivity.this;
                        StringBuilder stringBuilder = new StringBuilder();
                        stringBuilder.append("flag{");
                        stringBuilder.append(new String(data));
                        stringBuilder.append("}");
                        Toast.makeText(context, stringBuilder.toString(), 1).show();
                    } else {
                        Toast.makeText(AppCompiatActivity.this, "error", 1).show();
                    }
                    return;
                }
            }
            // "username or password is empty"
            Toast.makeText(AppCompiatActivity.this, "用户名或密码为空", 1).show();
        }
    });
    this.name = (EditText) findViewById(R.id.name);
    this.name.setEnabled(false);
    this.password = (EditText) findViewById(R.id.password);
}
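The 24-byte normalisation step in the handler above, re-implemented in Python as an added example (not the author's code and not taken from the app). The native dec() routine is not reproduced; the function only shows what reaches it, including the edge case that a password longer than 24 bytes is silently cut, since the loop copies only the first 24 bytes.

```python
def normalise_password(password: bytes, block: int = 24) -> bytes:
    """Reproduce the Java loop: a password of exactly `block` bytes is used as-is;
    otherwise a `block`-byte buffer is filled with the password's bytes and every
    remaining slot i receives the byte value i. Longer input is truncated to `block`."""
    if len(password) == block:
        return password
    out = bytearray(block)
    for i in range(block):
        out[i] = password[i] if i < len(password) else i
    return bytes(out)


def flag_from_plaintext(plaintext: bytes) -> str:
    """Same wrapping the app applies to whatever dec() returns."""
    return "flag{" + plaintext.decode("latin-1") + "}"


if __name__ == "__main__":
    # constructed inputs, not the challenge password
    for sample in (b"abc", b"x" * 24, b"y" * 30):
        print(len(sample), "->", normalise_password(sample).hex())
```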
Look at the eq method:
protected native boolean eq(String str);
static { System.loadLibrary("oo000oo"); }
The actual check lives in the native library, so first use readelf to find the address of init_array.
Open the .so in IDA and locate the function.
The data is XOR-encrypted; an IDC script can decrypt it in the IDB:
auto i, x, addr = 0x4020;
auto q = 0xA5;
for (i = 0; i < 37; i = i + 1) {
    x = Byte(addr + i);      // read the obfuscated byte
    x = x ^ q;               // single-byte XOR key 0xA5
    PatchByte(addr + i, x);  // write the decrypted byte back into the IDB
}
The other regions are handled the same way.
After decryption this turns up; it looks like a base64 alphabet.
Follow the cross-references to it and you land in sub_784.
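The XOR-decrypt step and the "does this look like a base64 table" observation, as an added Python example that is neither the author's script nor anything extracted from the challenge binary. It works on a constructed buffer: the shuffled alphabet, the key 0x5A and the offset 0x20 are made up for the demo, and the page's real values (address 0x4020, 37 bytes, key 0xA5) would simply be passed as parameters against the file bytes. The find_xor_keys helper goes beyond the page: it brute-forces the single-byte key instead of reading it from the disassembly, which is handy when triaging an unfamiliar sample.

```python
import string

# Standard base64 alphabet, used only to recognise a custom (permuted) table.
STD_B64 = (string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/").encode()

# Constructed sample region (not from the challenge .so): a permuted base64
# alphabet, XOR-obfuscated with a made-up single-byte key at a made-up offset.
SAMPLE_ALPHABET = STD_B64[::-1]
SAMPLE_KEY = 0x5A
SAMPLE_OFFSET = 0x20


def build_sample() -> bytearray:
    """Build a fake file image: zero padding, the obfuscated table, more padding."""
    region = bytes(b ^ SAMPLE_KEY for b in SAMPLE_ALPHABET)
    return bytearray(SAMPLE_OFFSET) + region + bytearray(16)


def xor_patch(buf: bytearray, addr: int, length: int, key: int) -> bytearray:
    """Same loop as the IDC script: buf[addr + i] ^= key for i in range(length), in place."""
    if addr < 0 or addr + length > len(buf):
        raise ValueError("region lies outside the buffer")
    for i in range(addr, addr + length):
        buf[i] ^= key
    return buf


def looks_like_b64_alphabet(data: bytes) -> bool:
    """True when data is 64 distinct bytes drawn exactly from the standard base64
    charset, i.e. a (possibly shuffled) base64 table."""
    return len(data) == 64 and len(set(data)) == 64 and set(data) == set(STD_B64)


def recover_region(buf: bytearray, addr: int, length: int, key: int) -> bytes:
    """Decrypt a region in place and return a copy of the plaintext bytes."""
    xor_patch(buf, addr, length, key)
    return bytes(buf[addr:addr + length])


def find_xor_keys(region: bytes) -> list:
    """Try every single-byte key; return those that turn the region into a base64 table."""
    return [k for k in range(256) if looks_like_b64_alphabet(bytes(b ^ k for b in region))]


if __name__ == "__main__":
    image = build_sample()
    ciphertext = bytes(image[SAMPLE_OFFSET:SAMPLE_OFFSET + 64])
    print("candidate keys:", [hex(k) for k in find_xor_keys(ciphertext)])
    table = recover_region(image, SAMPLE_OFFSET, 64, SAMPLE_KEY)
    print("recovered table:", table.decode())
```

To apply this to a real library, read the file into a bytearray, convert the IDA address to a file offset, and call xor_patch or recover_region with that offset, the region length and the key; the brute-force helper is only meaningful for regions that are expected to hold a base64 table.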
Last edited by 梦游枪手 on 2019-3-24 11:58