[Original] 2022 KCTF Autumn Season, Challenge 3: Rampant Floods (水患猖獗)
Posted on: 2022-11-21 10:04 12676


The logic is simple: you enter a name and a serial, libcrackme.so is loaded, and a string is returned that indicates the result.

Based on previous experience, I used Frida to hook NewStringUTF, capture the final result string and locate the call site. Part of the hook code is shown below.

Following the B / BX / BL instructions, Ghidra identified a function prologue, recognisable by the byte pattern 0c e0 1f e5.

Looking at the data section, locate the result string and XOR-decrypt it.

The string offset is 0x13; after forcing Ghidra to disassemble all of the data as Thumb, search for 0x13.

To find the function prologue, search upward for 0c e0 1f e5; this leads to 2c9a4.

Hook to capture the data; part of the hook code is shown below.

I observed that 2C9A4 is called 32 times, including on the serial, and found the XOR.

Change Name to KCTF and recompute to get the serial:

42A4ECA067F54074C3EB2F177ACB06FE1379055CD4FB2211C3BD874FAD9E101D

PS: I noticed that the program accepts arbitrary non-hex characters, which are treated as F during conversion,

so multiple solutions exist, for example 42A4ECA067F54074C3EB2F177ACB06QE1379055CD4FB2211C3BD874FAD9E101D
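An added example (not the author's code) that models the lenient hex conversion noted in the PS: a decoder that maps any non-hex character to F, beside a strict one, showing why the Q variant decodes to the same bytes and how strict validation removes the extra solutions. The decoder's branch structure is an assumption; only the "non-hex is treated as F" behaviour comes from the write-up.

```javascript
// Added example, not from the write-up: models the lenient hex conversion the
// PS describes ("non-hex characters are treated as F"). The branch structure
// below is an assumption; only that observed behaviour comes from the post.

const FALLBACK_NIBBLE = 0xF; // assumed: unknown characters decode as F

// Lenient decoder: any character outside 0-9/a-f/A-F becomes the fallback nibble.
function nibbleLenient(ch) {
    const c = ch.charCodeAt(0);
    if (c >= 0x30 && c <= 0x39) return c - 0x30;        // '0'..'9'
    if (c >= 0x61 && c <= 0x66) return c - 0x61 + 10;   // 'a'..'f'
    if (c >= 0x41 && c <= 0x46) return c - 0x41 + 10;   // 'A'..'F'
    return FALLBACK_NIBBLE;                             // e.g. 'Q' -> 0xF
}

function hexToBytesLenient(s) {
    const out = [];
    for (let i = 0; i + 1 < s.length; i += 2) {
        out.push((nibbleLenient(s[i]) << 4) | nibbleLenient(s[i + 1]));
    }
    return out;
}

// Strict decoder: the serial is 32 bytes, so exactly 64 hex digits and nothing else.
function hexToBytesStrict(s) {
    if (!/^[0-9a-fA-F]{64}$/.test(s)) return null;
    return hexToBytesLenient(s); // safe: every character is a real hex digit now
}

// True when the lenient decoder cannot tell the two inputs apart.
function sameBytesLenient(a, b) {
    const x = hexToBytesLenient(a), y = hexToBytesLenient(b);
    return x.length === y.length && x.every((v, i) => v === y[i]);
}

// Positions whose nibble is F: under the lenient decoder any non-hex character
// at these positions is accepted too, which is where the extra solutions come from.
function forgeablePositions(hexSerial) {
    const idx = [];
    for (let i = 0; i < hexSerial.length; i++) {
        if (nibbleLenient(hexSerial[i]) === 0xF) idx.push(i);
    }
    return idx;
}

// Check using the two serials quoted in the write-up.
const SERIAL   = "42A4ECA067F54074C3EB2F177ACB06FE1379055CD4FB2211C3BD874FAD9E101D";
const SERIAL_Q = "42A4ECA067F54074C3EB2F177ACB06QE1379055CD4FB2211C3BD874FAD9E101D";
console.log("lenient decoder aliases Q to F:", sameBytesLenient(SERIAL, SERIAL_Q)); // true
console.log("strict decoder accepts Q variant:", hexToBytesStrict(SERIAL_Q) !== null); // false
```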

 
function hookart(){
    // Base address of libart.so; NewStringUTF is attached at a hard-coded offset (specific to this ROM)
    var baseAddr = Module.findBaseAddress("/apex/com.android.runtime/lib/libart.so");
    //var baseAddr = Module.findExportByName(null,"_ZN3art12_GLOBAL__N_18CheckJNI12NewStringUTFEP7_JNIEnvPKc");
    console.log("Art", baseAddr);
    Interceptor.attach(baseAddr.add(0x2C8581),
        {
            onEnter: function (args)
            {
                //console.log("NewString:" + args[1].readCString());
                var str = args[1].readCString();
                // Only act when the final result string (failure or success message) is being created
                if(str == "不对!再探再报" || str == "祝贺,闯关顺利"){
                    console.log(str, args[1]);
                    var mainAddr = Module.findBaseAddress("libcrackme.so");
                    // Return address relative to libcrackme.so, plus a backtrace, to locate the caller
                    console.log("Return Addr:" + (this.context as any).lr.sub(mainAddr));
                    console.log(' called from:\n' +
                            Thread.backtrace(this.context, Backtracer.ACCURATE)
                            .map(DebugSymbol.fromAddress).join('\n') + '\n');
                    // Walk 64 stack slots; any value that falls inside libcrackme.so is a candidate return address
                    for(var i=0;i<64;i++){
                        var slot = this.context.sp.add(i*4).readPointer();
                        if(slot.sub(mainAddr).toUInt32() < 0x50000){
                            console.warn("[!!]" + slot, slot.sub(mainAddr));
                        }
                        else{
                            console.log(slot, slot.sub(mainAddr));
                        }
                    }

                    // Dump memory after the string and the top of the stack for inspection
                    console.log(hexdump(args[1].add(0xe0),{
                        offset:0,
                        length:128,
                        header:true,
                        ansi:true
                    }));
                    console.log(JSON.stringify(this.context));
                    console.log(hexdump(this.context.sp,{
                        offset:0,
                        length:128,
                        header:true,
                        ansi:true
                    }));
                    // memset_log and mylogfile are defined elsewhere in the author's script (not shown here)
                    memset_log = false;
                    mylogfile.close();
                    //debugger;
                }
            },
            onLeave: function (ret)
            {
            }
        }
    );
}
Latest replies (1)
Learning together, progressing together.
2022-11-26 14:31