首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. CTF对抗
    3. 发新帖
[原创]第四题 突破重围 by k1ee
2020-11-24 12:45 5084

[原创]第四题 突破重围 by k1ee

k1ee 活跃值
2
2020-11-24 12:45
5084

突破重围

使用脚本先去除data段加密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
import angr
import numpy as np
import claripy
import archinfo
 
def find_section(e, name):
    for s in e.sections:
        if s.name == name:
            return s
 
 
path = r"E:\Ctf\KCTF2020Q4\disanti\disanti\lib\armeabi-v7a\libcrack0.so"
out = r"E:\Ctf\KCTF2020Q4\disanti\disanti\lib\armeabi-v7a\libcrack1.so"
 
proj = angr.Project(path, auto_load_libs=False)
elf = proj.loader.main_object
init_array = find_section(elf, '.init_array')
data = find_section(elf, '.data')
 
blank_state = proj.factory.blank_state()
addr = init_array.min_addr
mem = None
bxlr_init_array = []
while addr != init_array.max_addr:
    func = blank_state.solver.eval(blank_state.mem[addr].int.resolved)
    debased_func = func - elf.mapped_base
    addr += elf.arch.bytes
 
    if func == 0:
        break
 
    sym = proj.loader.find_symbol(func)
    if sym is None or sym.name.find("datadiv_decode") == -1:
        continue
    else:
        bxlr_init_array.append(debased_func)
 
    simulate = proj.factory.blank_state(addr=func)
 
    if mem is not None:
        simulate.memory.store(data.min_addr, mem)
 
    simulate.regs.lr = 0x80000000
    sigmr = proj.factory.simgr(simulate)
    sigmr.explore(find=0x80000000)
    found = sigmr.found[0]
    mem = found.memory.load(data.min_addr, data.memsize)
    print(mem)
 
# Replace Data and InitArray
fp = open(path, 'rb')
so = list(fp.read())
fp.close()
 
mem = list(blank_state.solver.eval(mem, cast_to=bytes))
so[data.min_offset(): data.max_offset + 1] = mem
# so[init_array.min_offset(): init_array.max_offset + 1] = list([0 for _ in range(init_array.memsize)])
for func in bxlr_init_array:
    so[func - 1: func + 1] = [0x70, 0x47]
 
fp = open(out, 'wb')
fp.write(bytes(so))
fp.close()

送入IDA分析

 

image-20201124123741102

 

分析crackjni,关键函数

 

image-20201124123849071

 

看java层

 

image-20201124124055452

 

image-20201124124116609

 

调用b.txt dex里的函数

 

image-20201124124140761

 

整不出来,总体来说就是crypt,crackjni,crypt,随后分析了这个

 

image-20201124124244616

 

bdex是b.dex的地址,程序hook了openmemory,判断大小并记录指针

 

image-20201124124300407

 

image-20201124124335114

 

修改了il,本质是修改字符串引用,从而两次crypt的key不一样,完事,写出解密代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
import angr
import archinfo
 
table1 = [0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B,
          0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F, 0x5E, 0xBC, 0x63,
          0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D, 0xFA, 0xEF, 0xC5,
          0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61, 0xC2, 0x9F, 0x25,
          0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D, 0x3A, 0x74, 0xE8,
          0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
          0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F, 0x5E, 0xBC,
          0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D, 0xFA, 0xEF,
          0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61, 0xC2, 0x9F,
          0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D, 0x3A, 0x74,
          0xE8, 0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40,
          0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F, 0x5E,
          0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D, 0xFA,
          0xEF, 0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61, 0xC2,
          0x9F, 0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D, 0x3A,
          0x74, 0xE8, 0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
          0x40, 0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A, 0x2F,
          0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3, 0x7D,
          0xFA, 0xEF, 0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD, 0x61,
          0xC2, 0x9F, 0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83, 0x1D,
          0x3A, 0x74, 0xE8, 0xCB, 0x8D, 0x01, 0x02, 0x04, 0x08, 0x10,
          0x20, 0x40, 0x80, 0x1B, 0x36, 0x6C, 0xD8, 0xAB, 0x4D, 0x9A,
          0x2F, 0x5E, 0xBC, 0x63, 0xC6, 0x97, 0x35, 0x6A, 0xD4, 0xB3,
          0x7D, 0xFA, 0xEF, 0xC5, 0x91, 0x39, 0x72, 0xE4, 0xD3, 0xBD,
          0x61, 0xC2, 0x9F, 0x25, 0x4A, 0x94, 0x33, 0x66, 0xCC, 0x83,
          0x1D, 0x3A, 0x74, 0xE8, 0xCB]
 
table2 = [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01,
          0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D,
          0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4,
          0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
          0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7,
          0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
          0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E,
          0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
          0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB,
          0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB,
          0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C,
          0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
          0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C,
          0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D,
          0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A,
          0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
          0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3,
          0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
          0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A,
          0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
          0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E,
          0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9,
          0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9,
          0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
          0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99,
          0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16]
 
table2_reverse = [table2.index(i) for i in range(256)]
 
path = r"E:\Ctf\KCTF2020Q4\disanti\disanti2\lib\armeabi-v7a\libcrack.so"
proj = angr.Project(path, auto_load_libs=False)
 
mid = [107, 97, 111, 107, 97, 111, 110, 105, 107, 97, 111, 107, 97, 111, 110, 105, 194, 254, 150, 132, 163, 145, 248, 237, 200, 240, 151, 134, 169, 159, 249, 239, 27, 103, 73, 87, 184, 246, 177, 186, 112, 6, 38, 60, 217, 153, 223, 211, 241, 249, 47, 98, 73, 15, 158, 216, 57, 9, 184, 228, 224, 144, 103, 55, 153, 124, 181, 131, 208, 115, 43, 91, 233, 122, 147, 191, 9, 234, 244, 136, 14, 195, 113, 130, 222, 176, 90, 217, 55, 202, 201, 102, 62, 32, 61, 238, 153, 228, 89, 48, 71, 84, 3, 233, 112, 158, 202, 143, 78, 190, 247, 97, 119, 140, 182, 31, 48, 216, 181, 246, 64, 70, 127, 121, 14, 248, 136, 24, 182, 72, 27, 180, 134, 144, 174, 66, 198, 214, 209, 59, 200, 46, 89, 35, 156, 131, 61, 92, 26, 19, 147, 30, 220, 197, 66, 37, 20, 235, 27, 6, 67, 44, 82, 166, 89, 63, 193, 184, 133, 250, 131, 157, 145, 17, 152, 155]
 
 
def swap(arr, i1, i2):
    t = arr[i1]
    arr[i1] = arr[i2]
    arr[i2] = t
 
 
def de_crypt(b, ckey):
    b_key = ckey.encode()
    key = [i for i in range(256)]
    i1 = 0
    i2 = 0
    for i in range(256):
        i2 = ((b_key[i1] & 0xFF) + (key[i] & 0xFF) + i2) & 0xFF
        swap(key, i, i2)
        i1 = (i1 + 1) % len(b_key)
    x = 0
    y = 0
    ret = []
    for i in range(len(b)):
        x = (x + 1) & 0xFF
        y = ((key[x] & 0xFF) + y) & 0xFF
        swap(key, x, y)
        ret.append(b[i] ^ key[((key[x] & 0xFF) + (key[y] & 0xFF)) & 0xFF])
    return ret
 
 
def reverse_408220(b):
    global proj
    for _ in range(3):
        blank_state = proj.factory.blank_state(addr=0x408221)
        blank_state.regs.sp = 0x10000000
        blank_state.regs.r7 = 0
        blank_state.regs.lr = 0x80000000
 
        for i in range(len(b)):
            blank_state.mem[0x20000000 + i].byte = b[i]
        blank_state.mem[0x41F310].int = 0x20000000
 
        simgr = proj.factory.simgr(blank_state)
        simgr.explore(find=0x80000000)
        out = []
        found = simgr.found[0]
        for i in range(len(b)):
            out.append(found.solver.eval(found.mem[0x20000000 + i].byte.resolved))
        b = out
    return b
 
 
def reverse_4080A0(off, out):
    global mid
    for i in range(4):
        for j in range(4):
            out[4 * i + j] ^= mid[16 * off + 4 * i + j]
    return out
 
 
def reverse_4081A0(out):
    shifted = [out[0], out[13], out[10], out[7], out[4], out[1], out[14], out[11], out[8], out[5], out[2], out[15], out[12], out[9], out[6], out[3]]
    return shifted
 
 
def reverse_408120(out):
    global table2
    for i in range(4):
        for j in range(4):
            out[4 * i + j] = table2_reverse[out[4 * i + j]]
    return out
 
 
def decrypt_xor(b):
    b = reverse_4080A0(10, b)
    b = reverse_4081A0(b)
    b = reverse_408120(b)
    for i in [9, 8, 7, 6, 5, 4, 3, 2, 1]:
        b = reverse_4080A0(i, b)
        b = reverse_408220(b)
        b = reverse_4081A0(b)
        b = reverse_408120(b)
    b = reverse_4080A0(0, b)
    return b
 
def sub_xor(b):
    global proj, mid
    blank_state = proj.factory.blank_state(addr=0x407F8D)
    blank_state.regs.sp = 0x10000000
    blank_state.regs.r7 = 0
    blank_state.regs.lr = 0x80000000
 
    for i in range(len(b)):
        blank_state.mem[0x20000000 + i].byte = b[i]
    blank_state.mem[0x41F310].int = 0x20000000
 
    for i in range(len(mid)):
        blank_state.mem[0x41F318 + i].byte = mid[i]
 
    simgr = proj.factory.simgr(blank_state)
    simgr.explore(find=0x80000000)
    out = []
    found = simgr.found[0]
    for i in range(len(b)):
        out.append(found.solver.eval(found.mem[0x20000000 + i].byte.resolved))
    return out
 
 
final = [0x97, 0xEC, 0x7B, 0x7C, 0xA7, 0x76, 0x14, 0x16, 0x9A, 0x11, 0x8E, 0x0D, 0x57, 0x8D, 0xF4, 0xF4]
print(final)
 
step1 = de_crypt(final, 'keepGoing')
print(step1)
 
step2 = decrypt_xor(step1)
print(step2)
 
step3 = de_crypt(step2, 'kaokaonio')
print(step3)
 
str = bytes(step3).decode()
print(str)

[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法

最后于 2020-11-30 14:40 被k1ee编辑 ,原因: 修正标题
收藏
点赞2
打赏
分享
最新回复 (3)
YenKoc
雪    币: 2663
活跃值: (5215)
能力值: ( LV10,RANK:177 )
在线值:
发帖
回帖
粉丝
私信
YenKoc 2 2020-11-24 23:15
2
0
大佬是怎么立马看出data段是要解密的,我直接动调上去,倒没关注到
YenKoc
雪    币: 2663
活跃值: (5215)
能力值: ( LV10,RANK:177 )
在线值:
发帖
回帖
粉丝
私信
YenKoc 2 2020-11-24 23:15
3
0
angr这种操作太强了
Stevenhack
雪    币: 3
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
Stevenhack 2020-11-27 17:56
4
0
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回