KCTF2020 Autumn Season, Challenge 4: 突破重围 (Breaking Through the Siege)
2020-11-22 17:19
The apk is packed with the 360 packer (wasn't using a third-party packer against the rules?).
Unpacking the 360 packer is omitted here; this challenge does not need onCreate restored. The packer's own config block, as recovered from the apk:
    APPKEY=dcc499621c96447f
    SdkEntry=1
    activityName=com.kanxue.crackme.MainActivity
    allowedSig=-500187489
    analyse=1
    apk-md5=adff65d9b74bf7c4715b672d88cc75cc
    binderHook=1
    checkSum=4057935799
    customization=0
    edh=1
    envcheck=1
    fastLevel=0
    jcrash=1
    jiaguVersion=1.3.9.0
    location=0
    ls=13356
    mark=0
    mpv=166
    ncrash=1
    official=1
    opt=1
    pkg=com.kanxue.crackme
    pkl=0
    protect-time=2020-11-14 11:19:34
    pts=1605323974
    rrs=1
    sig=-672009692
    sign=d3534d5b13cae9e310be0bb41c2fc528
    stubAppName=com/stub/StubApp
    versionCode=1
    versionName=1.0
    x86=1
classes.dex
    public class MainActivity extends AppCompatActivity {
        public void init() {
            // copy the hidden dex (assets/b.txt) into the cache dir and load it with DexClassLoader
            MainActivity.copyAssetAndWrite("b.txt");
            MainActivity.testDexClassLoader(MainActivity.appContext,
                    new File(MainActivity.appContext.getCacheDir(), "b.txt").getAbsolutePath());
        }
    }

    class com.kanxue.crackme.MainActivity$3 implements View$OnClickListener {
        public void onClick(View view) {
            // invoke com.kanxue.crackme.Crack->check (lives in the loaded b.txt)
            MainActivity.this.check(this.val$inputEditText.getText().toString());
        }
    }

    public class MyCrack {
        public static String crypt;
        static {
            MyCrack.crypt = "otVvmpP4ZI58pqB26OTaYw=="; // fake: the so overwrites this field at runtime
        }
        public static native byte[] crackjni(MyCrack this, byte[] arg1);
    }
assets/b.txt
    public class Crack {
        public static boolean check(String content) {
            // content.length() == 16
            byte[] buf = rc4(content.getBytes());
            buf = crackjni(buf);   // native: AES, plus the runtime patches described under libcrack.so
            buf = rc4(buf);        // by now the so has swapped the RC4 key string id
            return Base64.encodeToString(buf, 0)
                    .equals(GetStaticFieldValue("com.kanxue.crackme.MyCrack", "crypt"));
        }

        // key = "kaokaonio"; the so later changes it to "keepGoing"
        // 00000000 1A 00 CF 3D    const-string v0, "kaokaonio"
        // 0x3DCF is the string id; its file offset is 0x16D3A6
        public static byte[] rc4(byte[] buf);
    }
lib/armeabi-v7a/libcrack.so
    jbyteArray Java_com_kanxue_crackme_MyCrack_crackjni(JNIEnv *env, jobject object, jbyteArray buf) {
        unsigned char *src = FromByteArray(buf);
        unsigned char *dst = New(src_len);
        // aes_key = "kaokaonikaokaoni";
        AesEncrypt(src, aes_key, dst);
        // patch the const-string in the loaded b.txt so Crack.rc4 now reads a different key:
        // string id 0x3DCF ("kaokaonio") -> 0x3DD3, dexStringById(0x3DD3) = "keepGoing"
        SetWord(b.txt + 0x16D3A6, 0x3DD3);
        // replace the fake expected value with the real one
        SetStaticFieldValue("com.kanxue.crackme.MyCrack", "crypt", "l+x7fKd2FBaaEY4NV4309A==");
        return ToByteArray(dst);
    }
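What the native patch actually changes in the loaded dex, as an added example (Python) that is not part of the post or the challenge: it models a Dalvik const-string instruction (format 21c, opcode 0x1A) at the offset the post names, applies the same 16-bit SetWord the so performs, and shows which key Crack.rc4 resolves before and after. The dex image, the STRING_IDS table and the zero-filled layout are constructed stand-ins, not the real b.txt.

```python
import struct

# Dalvik "const-string vAA, string@BBBB" (format 21c): opcode byte 0x1A, one
# register byte, then a little-endian 16-bit index into the dex string_ids table.
CONST_STRING = 0x1A

# Constructed stand-in for the string_ids table: only the two ids named in the
# post are modelled. A real resolver would walk string_ids -> string_data_off.
STRING_IDS = {0x3DCF: "kaokaonio", 0x3DD3: "keepGoing"}

# File offset of the 16-bit string index (from the post); the instruction
# therefore starts two bytes earlier (opcode byte + register byte).
INDEX_OFFSET = 0x16D3A6
INSN_OFFSET = INDEX_OFFSET - 2


def build_dex_image(string_idx, size=INDEX_OFFSET + 2):
    """Constructed image standing in for the loaded b.txt: zero-filled, with a
    single 'const-string v0, string@string_idx' at INSN_OFFSET."""
    img = bytearray(size)
    struct.pack_into("<BBH", img, INSN_OFFSET, CONST_STRING, 0, string_idx)
    return bytes(img)


def decode_const_string(img, off):
    """Decode one const-string at off -> (register, string index, resolved text)."""
    op, reg, idx = struct.unpack_from("<BBH", img, off)
    if op != CONST_STRING:
        raise ValueError("no const-string at 0x%x (opcode 0x%02x)" % (off, op))
    return reg, idx, STRING_IDS.get(idx, "<unknown string id 0x%04x>" % idx)


def set_word(img, off, value):
    """What the native SetWord in the post does: overwrite one LE 16-bit word."""
    patched = bytearray(img)
    struct.pack_into("<H", patched, off, value)
    return bytes(patched)


def diff_images(on_disk, in_memory):
    """Offsets whose bytes differ between the file on disk and the mapped copy.
    Diffing the two is how runtime patching of a loaded dex is spotted."""
    return [i for i, (a, b) in enumerate(zip(on_disk, in_memory)) if a != b]


def rc4_key_before_and_after():
    """Replay the post's patch: the key Crack.rc4 sees before and after crackjni."""
    on_disk = build_dex_image(0x3DCF)                     # what static analysis of b.txt shows
    in_memory = set_word(on_disk, INDEX_OFFSET, 0x3DD3)   # after SetWord(b.txt + 0x16D3A6, 0x3DD3)
    _, _, key_static = decode_const_string(on_disk, INSN_OFFSET)
    _, _, key_runtime = decode_const_string(in_memory, INSN_OFFSET)
    return key_static, key_runtime, diff_images(on_disk, in_memory)


if __name__ == "__main__":
    before, after, changed = rc4_key_before_and_after()
    print("key seen by static analysis:", before)
    print("key used at runtime:        ", after)
    print("patched offsets:", [hex(o) for o in changed])
```

Only one byte of the instruction changes (0x3DCF and 0x3DD3 share their high byte), so a static disassembly of b.txt keeps showing "kaokaonio" while the running code uses "keepGoing". Dumping the mapped dex from the process and diffing it against the file on disk exposes the patch as a single changed word at 0x16D3A6.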
Computing the flag
    import java.util.Base64;
    import javax.crypto.Cipher;
    import javax.crypto.spec.SecretKeySpec;

    // rc4(String key, byte[] data) is the author's RC4 helper (the algorithm of Crack.rc4,
    // with the key passed in explicitly); it is not included in the post.
    public static void test() throws Exception {
        String expected = "l+x7fKd2FBaaEY4NV4309A==";   // the real MyCrack.crypt that crackjni installs
        String k1 = "kaokaonio";                          // RC4 key of the first rc4() call
        String k2 = "keepGoing";                          // RC4 key after the so patches the string id
        byte[] buf = Base64.getDecoder().decode(expected);
        buf = rc4(k2, buf);                               // undo the second rc4 (RC4 is its own inverse)
        Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec("kaokaonikaokaoni".getBytes(), "AES"));
        buf = cipher.doFinal(buf);                        // undo the AES step in crackjni
        buf = rc4(k1, buf);                               // undo the first rc4
        System.out.println(new String(buf));              // the 16-byte flag
    }
Last edited 2020-11-22 17:35 by 风间仁.