逻辑简单:输入 name 和 serial,加载 libcrackme.so,返回一个表示结果的字符串

根据之前的经验,用 frida hook NewStringUTF 获取最后打印的字符串,从而找到调用位置,部分 hook 代码如下


经过 B、BX、BL 指令后,ghidra 识别出了一个函数头,其特征为 0c e0 1f e5

观察数据部分,找到结果字符串的位置,做一个xor 解密


字符串offset 为0x13,ghidra暴力将所有数据以thumb解析后,搜索0x13


为找到函数头,向上搜索 0c e0 1f e5,定位到 2c9a4


hook获取数据,部分hook代码如下
观察到 2C9A4 被调用了 32 次,其中包含了 serial,发现是 xor 运算


将Name改成KCTF,重新计算得到serial


42A4ECA067F54074C3EB2F177ACB06FE1379055CD4FB2211C3BD874FAD9E101D
PS:观察到程序对随意输入的非 hex 字符,在转换时会将其视作 F
因此出现多解,例如 42A4ECA067F54074C3EB2F177ACB06QE1379055CD4FB2211C3BD874FAD9E101D
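/**
 * Attach a Frida interceptor to the string-building routine inside libart.so
 * and, when the crackme's verdict string ("不对!再探再报" / "祝贺,闯关顺利") is
 * being created, dump the calling context: the return address relative to
 * libcrackme.so, an accurate backtrace, the first 64 stack words (those that
 * fall within 0x50000 of libcrackme.so's base are highlighted as likely
 * return addresses), a hexdump near the string argument and of the stack, and
 * the register context. Side effects only; the hook stays attached.
 *
 * @param newStringOffset - byte offset of the hooked routine within libart.so.
 *   The default 0x2C8581 (odd value, presumably the Thumb bit) and the
 *   commented-out export name below come from one specific ROM build; the
 *   offset must be re-derived for any other libart.so, otherwise the hook
 *   lands on unrelated code.
 * @throws {Error} when libart.so is not found, instead of the opaque TypeError
 *   that `null.add()` would raise.
 */
function hookart(newStringOffset: number = 0x2C8581) {
  // The apex path is Android-version specific; findBaseAddress returns null
  // when the module is not loaded under that name.
  const artBase = Module.findBaseAddress("/apex/com.android.runtime/lib/libart.so");
  // Symbol-based alternative to the raw offset (needs a libart.so that exports it):
  // Module.findExportByName(null, "_ZN3art12_GLOBAL__N_18CheckJNI12NewStringUTFEP7_JNIEnvPKc");
  if (artBase === null) {
    throw new Error("libart.so not found; check the apex path for this Android version");
  }
  console.log("Art", artBase);

  // Only these two verdict strings are interesting; every other string is ignored.
  const verdicts = ["不对!再探再报", "祝贺,闯关顺利"];
  // Shared options for both hexdumps below.
  const dumpOpts = { offset: 0, length: 128, header: true, ansi: true };

  Interceptor.attach(artBase.add(newStringOffset), {
    // Method syntax (not an arrow) so that `this` is Frida's InvocationContext.
    onEnter(args) {
      // args[1] is read as the C string the routine is called with (args[0] is the JNIEnv*).
      const text = args[1].readCString();
      if (text === null || !verdicts.includes(text)) {
        return;
      }
      // lr/sp are only typed on the ARM-specific context; cast once instead of per use.
      const ctx = this.context as any;

      console.log(text, args[1]);
      const mainBase = Module.findBaseAddress("libcrackme.so");
      if (mainBase === null) {
        throw new Error("libcrackme.so not loaded when the verdict string was built");
      }
      console.log("Return Addr:" + ctx.lr.sub(mainBase));
      console.log(" called from:\n" +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
          .map(DebugSymbol.fromAddress).join("\n") + "\n");

      // Scan the first 64 stack words; a value within 0x50000 of libcrackme's
      // base is treated as a probable return address into the crackme.
      for (let i = 0; i < 64; i++) {
        const word = ctx.sp.add(i * 4).readPointer();
        const rel = word.sub(mainBase);
        if (rel.toUInt32() < 0x50000) {
          console.warn("[!!]" + word, rel);
        } else {
          console.log(word, rel);
        }
      }

      // The dump at +0xe0 past the string pointer may run into an unmapped
      // page; a faulting read must not abort the handler before the log file
      // below is closed, so report it and continue.
      try {
        console.log(hexdump(args[1].add(0xe0), dumpOpts));
        console.log(JSON.stringify(this.context));
        console.log(hexdump(ctx.sp, dumpOpts));
      } catch (err) {
        console.error("hexdump failed: " + err);
      }

      // Stop the memset logger and close its file; both are defined elsewhere
      // in the script. NOTE(review): if a second verdict string is built,
      // close() runs again — confirm mylogfile tolerates that.
      memset_log = false;
      mylogfile.close();
      // debugger;
    },
  });
}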
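/**
 * Attach a Frida interceptor to the string-building routine inside libart.so
 * and, when the crackme's verdict string ("不对!再探再报" / "祝贺,闯关顺利") is
 * being created, dump the calling context: the return address relative to
 * libcrackme.so, an accurate backtrace, the first 64 stack words (those that
 * fall within 0x50000 of libcrackme.so's base are highlighted as likely
 * return addresses), a hexdump near the string argument and of the stack, and
 * the register context. Side effects only; the hook stays attached.
 *
 * @param newStringOffset - byte offset of the hooked routine within libart.so.
 *   The default 0x2C8581 (odd value, presumably the Thumb bit) and the
 *   commented-out export name below come from one specific ROM build; the
 *   offset must be re-derived for any other libart.so, otherwise the hook
 *   lands on unrelated code.
 * @throws {Error} when libart.so is not found, instead of the opaque TypeError
 *   that `null.add()` would raise.
 */
function hookart(newStringOffset: number = 0x2C8581) {
  // The apex path is Android-version specific; findBaseAddress returns null
  // when the module is not loaded under that name.
  const artBase = Module.findBaseAddress("/apex/com.android.runtime/lib/libart.so");
  // Symbol-based alternative to the raw offset (needs a libart.so that exports it):
  // Module.findExportByName(null, "_ZN3art12_GLOBAL__N_18CheckJNI12NewStringUTFEP7_JNIEnvPKc");
  if (artBase === null) {
    throw new Error("libart.so not found; check the apex path for this Android version");
  }
  console.log("Art", artBase);

  // Only these two verdict strings are interesting; every other string is ignored.
  const verdicts = ["不对!再探再报", "祝贺,闯关顺利"];
  // Shared options for both hexdumps below.
  const dumpOpts = { offset: 0, length: 128, header: true, ansi: true };

  Interceptor.attach(artBase.add(newStringOffset), {
    // Method syntax (not an arrow) so that `this` is Frida's InvocationContext.
    onEnter(args) {
      // args[1] is read as the C string the routine is called with (args[0] is the JNIEnv*).
      const text = args[1].readCString();
      if (text === null || !verdicts.includes(text)) {
        return;
      }
      // lr/sp are only typed on the ARM-specific context; cast once instead of per use.
      const ctx = this.context as any;

      console.log(text, args[1]);
      const mainBase = Module.findBaseAddress("libcrackme.so");
      if (mainBase === null) {
        throw new Error("libcrackme.so not loaded when the verdict string was built");
      }
      console.log("Return Addr:" + ctx.lr.sub(mainBase));
      console.log(" called from:\n" +
        Thread.backtrace(this.context, Backtracer.ACCURATE)
          .map(DebugSymbol.fromAddress).join("\n") + "\n");

      // Scan the first 64 stack words; a value within 0x50000 of libcrackme's
      // base is treated as a probable return address into the crackme.
      for (let i = 0; i < 64; i++) {
        const word = ctx.sp.add(i * 4).readPointer();
        const rel = word.sub(mainBase);
        if (rel.toUInt32() < 0x50000) {
          console.warn("[!!]" + word, rel);
        } else {
          console.log(word, rel);
        }
      }

      // The dump at +0xe0 past the string pointer may run into an unmapped
      // page; a faulting read must not abort the handler before the log file
      // below is closed, so report it and continue.
      try {
        console.log(hexdump(args[1].add(0xe0), dumpOpts));
        console.log(JSON.stringify(this.context));
        console.log(hexdump(ctx.sp, dumpOpts));
      } catch (err) {
        console.error("hexdump failed: " + err);
      }

      // Stop the memset logger and close its file; both are defined elsewhere
      // in the script. NOTE(review): if a second verdict string is built,
      // close() runs again — confirm mylogfile tolerates that.
      memset_log = false;
      mylogfile.close();
      // debugger;
    },
  });
}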