[原创]第四题 突破重围 by k1ee
发表于: 2020-11-24 12:45 5838

[原创]第四题 突破重围 by k1ee


先用脚本去除 .data 段的加密：下面的 angr 脚本依次模拟执行 .init_array 中名字含 datadiv_decode 的构造函数，把它们解密后的 .data 写回一份新的 so，并把这些构造函数改成 bx lr，这样送入 IDA 时看到的就是明文数据。

送入IDA分析

image-20201124123741102

分析 crackjni，找到关键函数

image-20201124123849071

看java层

image-20201124124055452

image-20201124124116609

调用 b.txt（实为一个 dex 文件）里的函数

image-20201124124140761

一开始没理出头绪；总体流程就是 crypt → crackjni → crypt。随后分析了这个：

image-20201124124244616

bdex 是 b.dex 在内存中的地址：程序 hook 了 OpenMemory（dex 加载入口），通过判断传入 dex 的大小识别出 b.dex 并记录下指针。

image-20201124124300407

image-20201124124335114

程序还修改了指令（il），本质上是改掉了字符串引用，所以两次 crypt 使用的 key 并不相同（脚本里分别为 'keepGoing' 和 'kaokaonio'）。理清之后，写出解密代码：

import angr
import numpy as np
import claripy
import archinfo
 
def find_section(e, name):
    """Return the first section of *e* whose name equals *name*, or None.

    *e* is a loaded object exposing ``.sections`` (each entry has a
    ``.name``), as cle's main_object does.  Callers below index straight
    into the result, so a missing section only surfaces later as an
    AttributeError on ``None``.
    """
    matches = (sec for sec in e.sections if sec.name == name)
    return next(matches, None)
 
 
path = r"E:\Ctf\KCTF2020Q4\disanti\disanti\lib\armeabi-v7a\libcrack0.so"  # input: the packed .so (hard-coded, adjust locally)
out = r"E:\Ctf\KCTF2020Q4\disanti\disanti\lib\armeabi-v7a\libcrack1.so"   # output: copy with .data decrypted and the decoders stubbed

# Load only the target library; auto_load_libs=False keeps angr from pulling in
# dependencies — the constructors are emulated in isolation, never executed natively.
proj = angr.Project(path, auto_load_libs=False)
elf = proj.loader.main_object
# find_section() returns None for a missing section; the code below would then
# fail with an AttributeError on .min_addr rather than a clear message.
init_array = find_section(elf, '.init_array')
data = find_section(elf, '.data')
 
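# Walk .init_array and emulate, in table order, every constructor whose symbol
# name contains "datadiv_decode" (presumably the OLLVM-style string-encryption
# decoders).  Each decoder runs in a fresh angr state seeded with the .data
# bytes produced by the previous one, so `mem` ends up as the fully decrypted
# .data section.  Emulating the constructors instead of loading the untrusted
# .so means nothing else it does at load time ever runs on this machine.
blank_state = proj.factory.blank_state()
mem = None                    # claripy AST of .data after the last emulated decoder
bxlr_init_array = []          # un-based addresses of the decoders, stubbed to `bx lr` later
RETURN_SENTINEL = 0x80000000  # fake LR: exploration stops when the decoder returns here

# cle's max_addr is the section's last byte (inclusive).  With `!=` and a
# pointer-sized stride the old loop could never land on it and relied solely on
# the NULL terminator — a table without one read past the section.
addr = init_array.min_addr
while addr <= init_array.max_addr:
    func = blank_state.solver.eval(blank_state.mem[addr].int.resolved)
    addr += elf.arch.bytes
    if func == 0:
        break  # NULL-terminated table

    sym = proj.loader.find_symbol(func)
    if sym is None or "datadiv_decode" not in sym.name:
        continue
    bxlr_init_array.append(func - elf.mapped_base)

    simulate = proj.factory.blank_state(addr=func)
    if mem is not None:
        simulate.memory.store(data.min_addr, mem)  # chain: start from the previous decoder's output
    simulate.regs.lr = RETURN_SENTINEL

    sigmr = proj.factory.simgr(simulate)
    sigmr.explore(find=RETURN_SENTINEL)
    if not sigmr.found:
        # Previously an IndexError on found[0]; say which decoder got stuck.
        raise RuntimeError(f"constructor {sym.name} @ {func:#x} never returned to LR")
    found = sigmr.found[0]
    mem = found.memory.load(data.min_addr, data.memsize)
    print(mem)

if mem is None:
    raise RuntimeError("no datadiv_decode constructor found in .init_array; nothing to decrypt")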
 
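# Write the decrypted .data back into a copy of the .so and turn each
# datadiv_decode constructor into `bx lr`, so the patched library no longer
# re-runs (and re-scrambles) the decryption when it is loaded.
if mem is None:
    raise RuntimeError("no decrypted .data to write back")
if mem.symbolic:
    # A symbolic byte means a decoder read memory angr could not resolve; eval()
    # would silently pick an arbitrary model and the patch would be garbage.
    raise RuntimeError("decrypted .data is not fully concrete; inspect the decoders")
decoded = blank_state.solver.eval(mem, cast_to=bytes)

with open(path, 'rb') as fp:
    so = bytearray(fp.read())

# cle quirk: min_offset is a method while max_offset is a property; both offsets
# are inclusive.  A length mismatch would shift every later byte of the file, so
# refuse instead of corrupting it.
start, stop = data.min_offset(), data.max_offset + 1
if len(decoded) != stop - start:
    raise RuntimeError(f".data is {stop - start} bytes on disk but {len(decoded)} were decrypted")
so[start:stop] = decoded

# The table entries are Thumb (bit 0 set), so the code starts at func - 1 and
# the 16-bit encoding of `bx lr` is 70 47.  The un-based virtual address is used
# as a file offset, which holds only while the code segment is mapped with
# file offset == vaddr (true for the usual first PT_LOAD).
for func in bxlr_init_array:
    if not func & 1:
        raise ValueError(f"{func:#x} is not a Thumb address; a 2-byte bx lr would corrupt ARM code")
    so[func - 1:func + 1] = b'\x70\x47'

with open(out, 'wb') as fp:
    fp.write(bytes(so))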
import angr
import numpy as np
import claripy
import archinfo
 
def find_section(e, name):
    """Return the first section of *e* whose name equals *name*, or None.

    *e* is a loaded object exposing ``.sections`` (each entry has a
    ``.name``), as cle's main_object does.  Callers below index straight
    into the result, so a missing section only surfaces later as an
    AttributeError on ``None``.
    """
    matches = (sec for sec in e.sections if sec.name == name)
    return next(matches, None)
 
 
path = r"E:\Ctf\KCTF2020Q4\disanti\disanti\lib\armeabi-v7a\libcrack0.so"  # input: the packed .so (hard-coded, adjust locally)
out = r"E:\Ctf\KCTF2020Q4\disanti\disanti\lib\armeabi-v7a\libcrack1.so"   # output: copy with .data decrypted and the decoders stubbed

# Load only the target library; auto_load_libs=False keeps angr from pulling in
# dependencies — the constructors are emulated in isolation, never executed natively.
proj = angr.Project(path, auto_load_libs=False)
elf = proj.loader.main_object
# find_section() returns None for a missing section; the code below would then
# fail with an AttributeError on .min_addr rather than a clear message.
init_array = find_section(elf, '.init_array')
data = find_section(elf, '.data')
 
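# Walk .init_array and emulate, in table order, every constructor whose symbol
# name contains "datadiv_decode" (presumably the OLLVM-style string-encryption
# decoders).  Each decoder runs in a fresh angr state seeded with the .data
# bytes produced by the previous one, so `mem` ends up as the fully decrypted
# .data section.  Emulating the constructors instead of loading the untrusted
# .so means nothing else it does at load time ever runs on this machine.
blank_state = proj.factory.blank_state()
mem = None                    # claripy AST of .data after the last emulated decoder
bxlr_init_array = []          # un-based addresses of the decoders, stubbed to `bx lr` later
RETURN_SENTINEL = 0x80000000  # fake LR: exploration stops when the decoder returns here

# cle's max_addr is the section's last byte (inclusive).  With `!=` and a
# pointer-sized stride the old loop could never land on it and relied solely on
# the NULL terminator — a table without one read past the section.
addr = init_array.min_addr
while addr <= init_array.max_addr:
    func = blank_state.solver.eval(blank_state.mem[addr].int.resolved)
    addr += elf.arch.bytes
    if func == 0:
        break  # NULL-terminated table

    sym = proj.loader.find_symbol(func)
    if sym is None or "datadiv_decode" not in sym.name:
        continue
    bxlr_init_array.append(func - elf.mapped_base)

    simulate = proj.factory.blank_state(addr=func)
    if mem is not None:
        simulate.memory.store(data.min_addr, mem)  # chain: start from the previous decoder's output
    simulate.regs.lr = RETURN_SENTINEL

    sigmr = proj.factory.simgr(simulate)
    sigmr.explore(find=RETURN_SENTINEL)
    if not sigmr.found:
        # Previously an IndexError on found[0]; say which decoder got stuck.
        raise RuntimeError(f"constructor {sym.name} @ {func:#x} never returned to LR")
    found = sigmr.found[0]
    mem = found.memory.load(data.min_addr, data.memsize)
    print(mem)

if mem is None:
    raise RuntimeError("no datadiv_decode constructor found in .init_array; nothing to decrypt")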
 
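# Write the decrypted .data back into a copy of the .so and turn each
# datadiv_decode constructor into `bx lr`, so the patched library no longer
# re-runs (and re-scrambles) the decryption when it is loaded.
if mem is None:
    raise RuntimeError("no decrypted .data to write back")
if mem.symbolic:
    # A symbolic byte means a decoder read memory angr could not resolve; eval()
    # would silently pick an arbitrary model and the patch would be garbage.
    raise RuntimeError("decrypted .data is not fully concrete; inspect the decoders")
decoded = blank_state.solver.eval(mem, cast_to=bytes)

with open(path, 'rb') as fp:
    so = bytearray(fp.read())

# cle quirk: min_offset is a method while max_offset is a property; both offsets
# are inclusive.  A length mismatch would shift every later byte of the file, so
# refuse instead of corrupting it.
start, stop = data.min_offset(), data.max_offset + 1
if len(decoded) != stop - start:
    raise RuntimeError(f".data is {stop - start} bytes on disk but {len(decoded)} were decrypted")
so[start:stop] = decoded

# The table entries are Thumb (bit 0 set), so the code starts at func - 1 and
# the 16-bit encoding of `bx lr` is 70 47.  The un-based virtual address is used
# as a file offset, which holds only while the code segment is mapped with
# file offset == vaddr (true for the usual first PT_LOAD).
for func in bxlr_init_array:
    if not func & 1:
        raise ValueError(f"{func:#x} is not a Thumb address; a 2-byte bx lr would corrupt ARM code")
    so[func - 1:func + 1] = b'\x70\x47'

with open(out, 'wb') as fp:
    fp.write(bytes(so))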
 
 
 
 
 
 
 
 
 
 
 
 
 
 
import angr
import archinfo
 
# AES round-constant table (Rcon): index 0 is 0x8D (2^-1 in GF(2^8)), then the
# successive powers of 2 under the AES polynomial; the 51-entry cycle repeats
# (index 51 is 0x8D again) to fill 255 entries, the layout of the Rcon[255]
# table in older tiny-AES-c builds.  Dumped from the binary for reference only —
# nothing in this script reads it; table2 / mid carry the state the decrypt uses.
table1 = [0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B,
          0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F, 0x5E, 0xBC, 0x63,
          0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D, 0xFA, 0xEF, 0xC5,
          0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61, 0xC2, 0x9F, 0x25,
          0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D, 0x3A, 0x74, 0xE8,
          0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
          0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F, 0x5E, 0xBC,
          0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D, 0xFA, 0xEF,
          0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61, 0xC2, 0x9F,
          0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D, 0x3A, 0x74,
          0xE8, 0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40,
          0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F, 0x5E,
          0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D, 0xFA,
          0xEF, 0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61, 0xC2,
          0x9F, 0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D, 0x3A,
          0x74, 0xE8, 0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
          0x40, 0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F,
          0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D,
          0xFA, 0xEF, 0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61,
          0xC2, 0x9F, 0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D,
          0x3A, 0x74, 0xE8, 0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10,
          0x20, 0x40, 0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A,
          0x2F, 0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3,
          0x7D, 0xFA, 0xEF, 0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD,
          0x61, 0xC2, 0x9F, 0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83,
          0x1D, 0x3A, 0x74, 0xE8, 0xCB]
 
# AES forward S-box (the SubBytes lookup table), 256 entries, as found in the
# binary.  It is a permutation of 0..255; table2_reverse below inverts it so the
# decryptor can undo SubBytes.
table2 = [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01,
          0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D,
          0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4,
          0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
          0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7,
          0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
          0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E,
          0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
          0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB,
          0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB,
          0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C,
          0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
          0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C,
          0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D,
          0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A,
          0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
          0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3,
          0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
          0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A,
          0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
          0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E,
          0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9,
          0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9,
          0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
          0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99,
          0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16]
 
# Inverse S-box: table2 is a permutation of 0..255, so sorting the indices by
# the value they map to puts index i at position table2[i] — the same result as
# table2.index(v) for every v, without the 256 linear scans.
table2_reverse = sorted(range(256), key=table2.__getitem__)
 
# Second-stage library (hard-coded path, adjust locally).  Its round functions
# are emulated with angr straight out of the binary (see reverse_408220 and
# sub_xor) rather than re-implemented, so the project is loaded once here.
path = r"E:\Ctf\KCTF2020Q4\disanti\disanti2\lib\armeabi-v7a\libcrack.so"
proj = angr.Project(path, auto_load_libs=False)
 
# Key material dumped from the binary: 176 bytes = 11 x 16, consumed by
# reverse_4080A0 as round keys 0..10 (mid[16*off : 16*off + 16]).  The first 16
# bytes are ASCII "kaokaonikaokaoni" — the RC4 key "kaokaoni" repeated — which
# is what an expanded AES-128 key schedule for that key would start with
# (presumed, not verified here).
mid = [107, 97, 111, 107, 97, 111, 110, 105, 107, 97, 111, 107, 97, 111, 110, 105, 194, 254, 150, 132, 163, 145, 248, 237, 200, 240, 151, 134, 169, 159, 249, 239, 27, 103, 73, 87, 184, 246, 177, 186, 112, 6, 38, 60, 217, 153, 223, 211, 241, 249, 47, 98, 73, 15, 158, 216, 57, 9, 184, 228, 224, 144, 103, 55, 153, 124, 181, 131, 208, 115, 43, 91, 233, 122, 147, 191, 9, 234, 244, 136, 14, 195, 113, 130, 222, 176, 90, 217, 55, 202, 201, 102, 62, 32, 61, 238, 153, 228, 89, 48, 71, 84, 3, 233, 112, 158, 202, 143, 78, 190, 247, 97, 119, 140, 182, 31, 48, 216, 181, 246, 64, 70, 127, 121, 14, 248, 136, 24, 182, 72, 27, 180, 134, 144, 174, 66, 198, 214, 209, 59, 200, 46, 89, 35, 156, 131, 61, 92, 26, 19, 147, 30, 220, 197, 66, 37, 20, 235, 27, 6, 67, 44, 82, 166, 89, 63, 193, 184, 133, 250, 131, 157, 145, 17, 152, 155]
 
 
def swap(arr, i1, i2):
    """Exchange arr[i1] and arr[i2] in place (RC4 state-permutation helper)."""
    arr[i1], arr[i2] = arr[i2], arr[i1]
 
 
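def de_crypt(b, ckey):
    """RC4 (KSA + PRGA) applied to *b* under *ckey*.

    RC4 is its own inverse, so one routine both encrypts and decrypts; the
    challenge applies it twice with different keys ('keepGoing' and
    'kaokaonio').  RC4 is a broken cipher — fine for unwrapping a CTF
    binary's data, never for new designs.

    Args:
        b: byte values to transform (list of ints 0..255 or a bytes object).
        ckey: key as str (UTF-8 encoded) or any bytes-like object.

    Returns:
        list[int]: *b* XORed byte-for-byte with the RC4 keystream.

    Raises:
        ValueError: if the key is empty (the original died with a
            ZeroDivisionError on ``% len(b_key)``).
    """
    b_key = ckey.encode() if isinstance(ckey, str) else bytes(ckey)
    if not b_key:
        raise ValueError("RC4 key must not be empty")

    # Key-scheduling algorithm: permute S = 0..255 driven by the repeated key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + b_key[i % len(b_key)]) & 0xFF
        s[i], s[j] = s[j], s[i]

    # Pseudo-random generation: one keystream byte per input byte.
    out = []
    x = y = 0
    for byte in b:
        x = (x + 1) & 0xFF
        y = (y + s[x]) & 0xFF
        s[x], s[y] = s[y], s[x]
        out.append(byte ^ s[(s[x] + s[y]) & 0xFF])
    return out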
 
 
def reverse_408220(b):
    """Undo the routine at 0x408220 by emulating it three more times with angr.

    The callee works on the 16-byte state that the global at 0x41F310 points
    to.  In ``decrypt_xor`` it sits in the MixColumns slot of an AES round,
    and the AES MixColumns matrix satisfies M^4 = I, so running the forward
    transform three times is its inverse — which is why the script round-trips
    the simulator instead of re-implementing InvMixColumns.  (That the routine
    is MixColumns is inferred from the round structure, not proven here.)

    Returns the transformed state as a list of concrete ints.
    """
    state_addr = 0x20000000
    for _ in range(3):
        st = proj.factory.blank_state(addr=0x408221)  # odd entry: presumably a Thumb routine
        st.regs.sp = 0x10000000
        st.regs.r7 = 0
        st.regs.lr = 0x80000000  # fake return address the explore() below waits for
        for idx, val in enumerate(b):
            st.mem[state_addr + idx].byte = val
        st.mem[0x41F310].int = state_addr  # state pointer read by the callee
        simgr = proj.factory.simgr(st)
        simgr.explore(find=0x80000000)
        done = simgr.found[0]
        b = [done.solver.eval(done.mem[state_addr + idx].byte.resolved) for idx in range(len(b))]
    return b
 
 
def reverse_4080A0(off, out):
    """XOR round key *off* into the 16-byte state *out* (in place; also returned).

    ``mid`` holds 16 bytes of key material per round, so round ``off`` uses
    ``mid[16*off : 16*off + 16]``.  XOR is an involution, which is why the
    same routine undoes the AddRoundKey-style step at 0x4080A0.
    """
    base = 16 * off
    for k in range(16):
        out[k] ^= mid[base + k]
    return out
 
 
def reverse_4081A0(out):
    """Inverse ShiftRows on a column-major 4x4 state (byte index = 4*col + row).

    Row r is rotated right by r positions, new[4c + r] = old[4*((c - r) % 4) + r],
    which undoes the left rotation ShiftRows applies.  Returns a new list and
    leaves *out* untouched.
    """
    return [out[4 * ((col - row) % 4) + row] for col in range(4) for row in range(4)]
 
 
def reverse_408120(out):
    """Inverse SubBytes: push the first 16 state bytes back through the inverted S-box.

    Mutates *out* in place and returns it.  ``table2_reverse`` is the
    inverse of the S-box in ``table2`` built at module level.
    """
    for k in range(16):
        out[k] = table2_reverse[out[k]]
    return out
 
 
def decrypt_xor(b):
    """Decrypt one 16-byte block by running the cipher's round steps backwards.

    The structure matches AES-128: 10 rounds, the S-box in ``table2`` and
    11 x 16 bytes of round keys in ``mid``.  Order is the mirror of
    encryption — final AddRoundKey (key 10), inverse ShiftRows, inverse
    SubBytes, then rounds 9..1 each undoing AddRoundKey, MixColumns,
    ShiftRows and SubBytes, and finally key 0.  The helpers are named after
    the addresses in libcrack.so they undo.
    """
    state = reverse_408120(reverse_4081A0(reverse_4080A0(10, b)))
    for rnd in range(9, 0, -1):
        state = reverse_4080A0(rnd, state)
        state = reverse_408220(state)
        state = reverse_4081A0(state)
        state = reverse_408120(state)
    return reverse_4080A0(0, state)
 
def sub_xor(b):
    """Emulate the routine at 0x407F8D on the 16-byte state *b* with ``mid`` in place.

    Same harness as ``reverse_408220``: the state is written at 0x20000000,
    the global pointer at 0x41F310 is aimed at it, and ``mid`` is copied to
    0x41F318 (where the script assumes the binary keeps its round keys).
    Returns the state after the call as a list of concrete ints.  Not called
    anywhere in this script — apparently left over from exploration.
    """
    state_addr = 0x20000000
    st = proj.factory.blank_state(addr=0x407F8D)
    st.regs.sp = 0x10000000
    st.regs.r7 = 0
    st.regs.lr = 0x80000000  # fake return address the explore() below waits for
    for idx, val in enumerate(b):
        st.mem[state_addr + idx].byte = val
    st.mem[0x41F310].int = state_addr
    for idx, val in enumerate(mid):
        st.mem[0x41F318 + idx].byte = val
    simgr = proj.factory.simgr(st)
    simgr.explore(find=0x80000000)
    done = simgr.found[0]
    return [done.solver.eval(done.mem[state_addr + idx].byte.resolved) for idx in range(len(b))]
 
 
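# The 16-byte ciphertext pulled from the challenge; peel the three layers in
# reverse order: RC4('keepGoing') -> AES-style block decrypt -> RC4('kaokaonio').
final = [0x97, 0xEC, 0x7B, 0x7C, 0xA7, 0x76, 0x14, 0x16, 0x9A, 0x11, 0x8E, 0x0D, 0x57, 0x8D, 0xF4, 0xF4]
print(final)

step1 = de_crypt(final, 'keepGoing')
print(step1)

step2 = decrypt_xor(step1)
print(step2)

step3 = de_crypt(step2, 'kaokaonio')
print(step3)

# Was bound to the name `str`, which shadowed the builtin for the rest of the
# module.  decode() raises UnicodeDecodeError if a key or table is wrong, which
# is a usable sanity check on the whole chain.
flag = bytes(step3).decode()
print(flag)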
import angr
import archinfo
 
# AES round-constant table (Rcon): index 0 is 0x8D (2^-1 in GF(2^8)), then the
# successive powers of 2 under the AES polynomial; the 51-entry cycle repeats
# (index 51 is 0x8D again) to fill 255 entries, the layout of the Rcon[255]
# table in older tiny-AES-c builds.  Dumped from the binary for reference only —
# nothing in this script reads it; table2 / mid carry the state the decrypt uses.
table1 = [0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B,
          0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F, 0x5E, 0xBC, 0x63,
          0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D, 0xFA, 0xEF, 0xC5,
          0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61, 0xC2, 0x9F, 0x25,
          0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D, 0x3A, 0x74, 0xE8,
          0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
          0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F, 0x5E, 0xBC,
          0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D, 0xFA, 0xEF,
          0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61, 0xC2, 0x9F,
          0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D, 0x3A, 0x74,
          0xE8, 0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40,
          0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F, 0x5E,
          0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D, 0xFA,
          0xEF, 0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61, 0xC2,
          0x9F, 0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D, 0x3A,
          0x74, 0xE8, 0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
          0x40, 0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F,
          0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D,
          0xFA, 0xEF, 0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61,
          0xC2, 0x9F, 0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D,
          0x3A, 0x74, 0xE8, 0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10,
          0x20, 0x40, 0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A,
          0x2F, 0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3,
          0x7D, 0xFA, 0xEF, 0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD,
          0x61, 0xC2, 0x9F, 0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83,
          0x1D, 0x3A, 0x74, 0xE8, 0xCB]
 
table2 = [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01,
          0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D,
          0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4,
          0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
          0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7,
          0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
          0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E,
          0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
          0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB,
          0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB,
          0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C,
          0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
          0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C,
          0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D,
          0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A,


最后于 2020-11-30 14:40 被k1ee编辑 ,原因: 修正标题
大佬是怎么立马看出data段是要解密的,我直接动调上去,倒没关注到
2020-11-24 23:15
angr这种操作太强了
2020-11-24 23:15