-
-
看雪CTF2019Q2-第5题 丛林的秘密
-
2019-6-18 23:45
2528
-
这个是Web页面, url: http://127.0.0.1:8000
public class MainActivity extends AppCompatActivity {
private Button button1;
private EditText eText1;
private TextView txView1;
public String url;
static {
System.loadLibrary("gogogo");
}
public MainActivity() {
this.url = gogogoJNI.sayHello();
}
protected void onCreate(Bundle arg3) {
...
this.findViewById(2131165318).loadUrl(this.url);
this.findViewById(2131165318).getSettings().setJavaScriptEnabled(true);
...
}
}
jstring __fastcall Java_com_example_assemgogogo_gogogoJNI_sayHello(JNIEnv *a1)
{
// http://127.0.0.1:8000
for ( i = 0; i != 21; ++i )
url[i] = byte_2D28[i] ^ 0x66;
url[21] = 0;
return (*v2)->NewStringUTF(v2, url);
}
在JNI_OnLoad中监听8000端口, 发送html页面
.text:00000D1A ADD R1, PC ; "8000"
...
.text:00000D26 BLX getaddrinfo
.text:00000C50 ADD R0, PC ; "HTTP/1.1 200 OK\r\nContent-Type: text/h"...
...
.text:00000C60 BLX accept
...
.text:00000CA6 BLX send
html页面
<html>
<script>
var instance;
WebAssembly.compile(new Uint8Array(`
...
`.trim().split(/[\s\r\n]+/g).map(str => parseInt(str, 16))
)).then(module => {
new WebAssembly.instantiate(module).then(results => {
instance = results;
}).catch(console.error);})
function check_flag(){
var value = document.getElementById("key_value").value;
if(value.length != 32)
{
document.getElementById("tips").innerHTML = "Not Correct!";
return;
}
instance.exports.set_input_flag_len(value.length);
for(var ii=0;ii<value.length;ii++){
instance.exports.set_input_flag(value[ii].charCodeAt(),ii);
}
var ret = instance.exports.check_key();
if (ret == 1){
document.getElementById("tips").innerHTML = "Congratulations!"
}
else{
document.getElementById("tips").innerHTML = "Not Correct!"
}
}
</script>
<body>
<div>Key: <input id="key_value" type="text" name="key" style="width:60%" ;="" value=""> <input type="submit" value="check" onclick="check_flag()"></div>
</body></html>
主要逻辑在WebAssembly中, 保存下来用wasm2c反编译成c代码
https://github.com/WebAssembly/wabt
./wasm2c test.wasm -o test.c
将代码抠出来, z3解得sn: K9nXu3_2o1q2_w3bassembly_r3vers3
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
