-
-
[原创]2022KCTF秋季赛 第三题 水患猖獗
-
2022-11-21 10:04
-
分析Java层
逻辑简单,输入name,serial,加载libcrackme.so,返回一个字符串表示结果
分析native层
根据之前的经验,frida hook NewStringUTF获取最后打印的字符串,找到调用位置,部分hook代码如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | function hookart(){ var baseAddr = Module.findBaseAddress("/apex/com.android.runtime/lib/libart.so"); //var baseAddr = Module.findExportByName(null,"_ZN3art12_GLOBAL__N_18CheckJNI12NewStringUTFEP7_JNIEnvPKc"); console.log("Art",baseAddr) Interceptor.attach(baseAddr.add(0x2C8581), { onEnter: function (args) { //console.log("NewString:" + args[1].readCString()); if((args[1].readCString() == "不对!再探再报" || args[1].readCString() == "祝贺,闯关顺利")){ console.log(args[1].readCString(),args[1]); var mainAddr = Module.findBaseAddress("libcrackme.so"); console.log("Return Addr:" + (this.context as any).lr.sub(mainAddr)); console.log(' called from:\n' + Thread.backtrace(this.context, Backtracer.ACCURATE) .map(DebugSymbol.fromAddress).join('\n') + '\n'); for(var i=0;i<64;i++){ if((this.context as any).sp.add(i*4).readPointer().sub(mainAddr).toUInt32() < 0x50000){ console.warn("[!!]"+(this.context as any).sp.add(i*4).readPointer(),(this.context as any).sp.add(i*4).readPointer().sub(mainAddr)); } else{ console.log((this.context as any).sp.add(i*4).readPointer(),(this.context as any).sp.add(i*4).readPointer().sub(mainAddr)); } } console.log(hexdump(args[1].add(0xe0),{ offset:0, length:128, header:true, ansi:true })); console.log(JSON.stringify(this.context)); console.log(hexdump(this.context.sp.sub(0),{ offset:0, length:128, header:true, ansi:true })); memset_log = false; mylogfile.close(); //debugger; } }, onLeave: function (ret) { } } );} |
经过B BX BL指令后,ghidra识别出了一个函数头,以 0c e0 1f e5 为特征
观察数据部分,找到结果字符串的位置,做一个xor 解密
字符串offset 为0x13,ghidra暴力将所有数据以thumb解析后,搜索0x13
找到函数头,搜索0c e0 1f e5向上搜索,找到2c9a4
hook获取数据,部分hook代码如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 | function hookGeneral(targetAddr:NativePointer,baseAddr:NativePointer){ Interceptor.attach(targetAddr,{ onEnter:function(args){ var mylog = ""; console.log("[Hook General]" +JSON.stringify(this.context)) mylog += "[Hook General]" + JSON.stringify(this.context) +"\n"; mylogfile.write(mylog); mylogfile.flush(); Thread.sleep(3); },onLeave:function(ret){ } }); }function hook2DFC9(targetAddr:NativePointer,baseAddr:NativePointer){ Interceptor.attach(targetAddr,{ onEnter:function(args){ var mylog = ""; console.log("[2DFC9]" +(this.context)['r8']) mylog += "[2DFC9]" +(this.context)['r8'] +"\n"; mylogfile.write(mylog); mylogfile.flush(); //Thread.sleep(1000); },onLeave:function(ret){ } }); }function hook2E447(targetAddr:NativePointer,baseAddr:NativePointer){ Interceptor.attach(targetAddr,{ onEnter:function(args){ var mylog = ""; console.log((this.context)['r11'].readDouble() + " " + (this.context)['d9']); //Thread.sleep(1000); },onLeave:function(ret){ } }); }function hook2C9A4(targetAddr:NativePointer,baseAddr:NativePointer){ Interceptor.attach(targetAddr,{ onEnter:function(args){ var mylog = ""; console.log("" + (this.context)['r4'] +" "+ (this.context)['r3'] +" "+ (this.context)['r1'] +" "+ (this.context)['r0'] +" "); mylog += "" + (this.context)['r4'] +" "+ (this.context)['r3'] +" "+ (this.context)['r1'] +" "+ (this.context)['r0'] +"\n"; mylogfile.write(mylog); mylogfile.flush(); //Thread.sleep(1000); },onLeave:function(ret){ } }); }function hook(baseAddr:NativePointer){ console.log("Hooking"); hook2C9A4(baseAddr.add(0x2c9a4),baseAddr); hookGeneral(baseAddr.add(0x2cfb9),baseAddr); // hook2E447(baseAddr.add(0x2e447),baseAddr); // hook2DFC9(baseAddr.add(0x2dfc9),baseAddr);} |
观察到2C9A4调用了32次,其中包含了serial,发现xor
将Name改成KCTF,重新计算得到serial
42A4ECA067F54074C3EB2F177ACB06FE1379055CD4FB2211C3BD874FAD9E101D
PS:观察到程序随意输入非hex字符,导致转换时会被视作F
出现多解 42A4ECA067F54074C3EB2F177ACB06QE1379055CD4FB2211C3BD874FAD9E101D
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
