[原创]newstarCTF2023 week4|REVERSE--简单的跨 writeup
发表于: 2023-10-27 10:27 8018


题目为安卓apk,安装到模拟器或真机发现无输入点。

使用jadx-gui进行静态分析,定位关键代码:

encrypt()是java编写,RC4加密,key为“runrunrun”。

encode()是native函数,将lib中的libantidbg.so提取,使用ida分析,发现为base64(置换了字典表)编码,再和目标串“Jr0VJ81KJD1PJpY2WytxgeAnJWu2H1qutyA0xFtyJrZHJrZeJrM8ATCWJWft9FtgJsV2SCtR4yASJrE2Uv==”比较:

逆向过程为:base64解码-->rc4解密即可得到flag。
这里有一个**“坑”**,base64解码的结果中含b"\xc0\x80",这是因为安卓写入空字符会encode成\xc0\x80,python进行decode()时将报错,直接替换为b"\x00"即可。
逆向脚本:

/**
 * Fills {@code numArr} with the identity permutation 0..255 and then scrambles it
 * with the key {@code str} — the key-scheduling half of the RC4 cipher the
 * write-up identifies in this class.
 *
 * @param numArr state table with at least 256 slots; overwritten in place
 * @param str    key; characters are cycled via {@code charAt(pos % length)}, so an
 *               empty key throws {@code ArithmeticException} on the modulo
 */
public void mbox(Integer[] numArr, String str) {
    // Identity permutation; autoboxing goes through Integer.valueOf like the original.
    for (int idx = 0; idx < 256; idx++) {
        numArr[idx] = idx;
    }
    int keyLen = str.length();
    int swapIdx = 0;
    for (int pos = 0; pos < 256; pos++) {
        // Key chars are not masked to a byte; the % 256 folds any wider char value.
        int keyChar = str.charAt(pos % keyLen);
        swapIdx = (swapIdx + numArr[pos] + keyChar) % 256;
        change(numArr, pos, swapIdx);
    }
}
 
   /**
    * Emits {@code i} keystream characters into {@code chArr} from the table that
    * {@link #mbox} prepared — the output-generation half of RC4. The table keeps
    * being permuted as a side effect, so a second call continues the stream
    * rather than restarting it.
    *
    * @param numArr 256-entry state table; modified in place
    * @param chArr  receives the keystream; must have at least {@code i} slots
    * @param i      number of keystream characters to produce
    */
   public void genenc(Integer[] numArr, Character[] chArr, int i) {
       int x = 0;
       int y = 0;
       for (int out = 0; out < i; out++) {
           x = (x + 1) % 256;
           y = (y + numArr[x]) % 256;
           change(numArr, x, y);
           int pick = (numArr[x] + numArr[y]) % 256;
           // Table values are 0..255, so the narrowing cast to char is lossless.
           chArr[out] = (char) numArr[pick].intValue();
       }
   }
 
   /**
    * Swaps the entries at positions {@code i} and {@code i2} of {@code numArr}.
    * Swapping a slot with itself leaves the array unchanged.
    *
    * @param numArr table to modify in place
    * @param i      first index
    * @param i2     second index
    */
   public void change(Integer[] numArr, int i, int i2) {
       Integer tmp = numArr[i2];
       numArr[i2] = numArr[i];
       numArr[i] = tmp;
   }
 
   /**
    * RC4-transforms {@code str} under key {@code str2} one {@code char} at a time;
    * because the operation is an XOR with the keystream, the same call decrypts.
    * Characters are processed as 16-bit chars, not bytes, and the key is whatever
    * the caller passes — in this app, per the write-up, the constant "runrunrun",
    * which is why the ciphertext can be reversed directly from the APK; a
    * hard-coded RC4 key gives no real confidentiality.
    *
    * @param str  text to transform
    * @param str2 RC4 key; must be non-empty (see {@link #mbox})
    * @return the XOR of {@code str} with the RC4 keystream, as a String
    */
   public String encrypt(String str, String str2) {
       int len = str.length();
       Integer[] state = new Integer[256];
       Character[] stream = new Character[len];
       mbox(state, str2);
       genenc(state, stream, len);
       StringBuilder out = new StringBuilder();
       for (int k = 0; k < len; k++) {
           char masked = (char) (str.charAt(k) ^ stream[k]);
           out.append(masked);
       }
       return out.toString();
   }
/**
 * Fills {@code numArr} with the identity permutation 0..255 and then scrambles it
 * with the key {@code str} — the key-scheduling half of the RC4 cipher the
 * write-up identifies in this class.
 *
 * @param numArr state table with at least 256 slots; overwritten in place
 * @param str    key; characters are cycled via {@code charAt(pos % length)}, so an
 *               empty key throws {@code ArithmeticException} on the modulo
 */
public void mbox(Integer[] numArr, String str) {
    // Identity permutation; autoboxing goes through Integer.valueOf like the original.
    for (int idx = 0; idx < 256; idx++) {
        numArr[idx] = idx;
    }
    int keyLen = str.length();
    int swapIdx = 0;
    for (int pos = 0; pos < 256; pos++) {
        // Key chars are not masked to a byte; the % 256 folds any wider char value.
        int keyChar = str.charAt(pos % keyLen);
        swapIdx = (swapIdx + numArr[pos] + keyChar) % 256;
        change(numArr, pos, swapIdx);
    }
}
 
   /**
    * Emits {@code i} keystream characters into {@code chArr} from the table that
    * {@link #mbox} prepared — the output-generation half of RC4. The table keeps
    * being permuted as a side effect, so a second call continues the stream
    * rather than restarting it.
    *
    * @param numArr 256-entry state table; modified in place
    * @param chArr  receives the keystream; must have at least {@code i} slots
    * @param i      number of keystream characters to produce
    */
   public void genenc(Integer[] numArr, Character[] chArr, int i) {
       int x = 0;
       int y = 0;
       for (int out = 0; out < i; out++) {
           x = (x + 1) % 256;
           y = (y + numArr[x]) % 256;
           change(numArr, x, y);
           int pick = (numArr[x] + numArr[y]) % 256;
           // Table values are 0..255, so the narrowing cast to char is lossless.
           chArr[out] = (char) numArr[pick].intValue();
       }
   }
 
   /**
    * Swaps the entries at positions {@code i} and {@code i2} of {@code numArr}.
    * Swapping a slot with itself leaves the array unchanged.
    *
    * @param numArr table to modify in place
    * @param i      first index
    * @param i2     second index
    */
   public void change(Integer[] numArr, int i, int i2) {
       Integer tmp = numArr[i2];
       numArr[i2] = numArr[i];
       numArr[i] = tmp;
   }
 
   /**
    * RC4-transforms {@code str} under key {@code str2} one {@code char} at a time;
    * because the operation is an XOR with the keystream, the same call decrypts.
    * Characters are processed as 16-bit chars, not bytes, and the key is whatever
    * the caller passes — in this app, per the write-up, the constant "runrunrun",
    * which is why the ciphertext can be reversed directly from the APK; a
    * hard-coded RC4 key gives no real confidentiality.
    *
    * @param str  text to transform
    * @param str2 RC4 key; must be non-empty (see {@link #mbox})
    * @return the XOR of {@code str} with the RC4 keystream, as a String
    */
   public String encrypt(String str, String str2) {
       int len = str.length();
       Integer[] state = new Integer[256];
       Character[] stream = new Character[len];
       mbox(state, str2);
       genenc(state, stream, len);
       StringBuilder out = new StringBuilder();
       for (int k = 0; k < len; k++) {
           char masked = (char) (str.charAt(k) ^ stream[k]);
           out.append(masked);
       }
       return out.toString();
   }
/*
 * Native check routine recovered by IDA from libantidbg.so (symbol name lost).
 * a1 appears to be the JNIEnv* and a3 the jstring handed over from Java: on a
 * 64-bit JNI function table the slots used here are 169 (offset 1352,
 * GetStringUTFChars), 168 (offset 1344, GetStringUTFLength) and 167 (offset
 * 1336, NewStringUTF). The routine fetches the string's modified-UTF-8 bytes,
 * base64-encodes them with the custom-alphabet b64() and compares the result to
 * the fixed target, returning a Java string "you win" or "you lost".
 *
 * Two details matter for the write-up: the length comes from GetStringUTFLength,
 * i.e. a byte count of the modified-UTF-8 form (which is where the 0xC0 0x80
 * encoding of a NUL comes from), and nothing here pairs the GetStringUTFChars
 * call with a release — TODO confirm against the raw disassembly.
 */
__int64 __fastcall xxx(__int64 a1, __int64 a2, __int64 a3)
{
  _QWORD *fntab = *(_QWORD **)a1;   // JNI function table (JNIEnv dereferenced once)
  unsigned __int8 *utf;             // x21: modified-UTF-8 bytes of a3
  int len;                          // w0: byte length of those bytes
  const char *encoded;              // x0: custom base64 of utf[0..len)
  const char *verdict;              // x1: message handed back to Java

  utf = (unsigned __int8 *)((__int64 (__fastcall *)(__int64, __int64, _QWORD))fntab[169])(a1, a3, 0LL);
  len = ((__int64 (__fastcall *)(__int64, __int64))fntab[168])(a1, a3);
  encoded = (const char *)b64(utf, len);
  verdict = strcmp(encoded, "Jr0VJ81KJD1PJpY2WytxgeAnJWu2H1qutyA0xFtyJrZHJrZeJrM8ATCWJWft9FtgJsV2SCtR4yASJrE2Uv==") == 0
              ? "you win"
              : "you lost";
  return ((__int64 (__fastcall *)(__int64, const char *))fntab[167])(a1, verdict);
}
__int64 __fastcall xxx(__int64 a1, __int64 a2, __int64 a3)
{
  unsigned __int8 *v5; // x21
  int v6; // w0
  const char *v7; // x0
  const char *v8; // x1
 
  v5 = (unsigned __int8 *)(*(__int64 (__fastcall **)(__int64, __int64, _QWORD))(*(_QWORD *)a1 + 1352LL))(a1, a3, 0LL);
  v6 = (*(__int64 (__fastcall **)(__int64, __int64))(*(_QWORD *)a1 + 1344LL))(a1, a3);
  v7 = (const char *)b64(v5, v6);
  if ( !strcmp(v7, "Jr0VJ81KJD1PJpY2WytxgeAnJWu2H1qutyA0xFtyJrZHJrZeJrM8ATCWJWft9FtgJsV2SCtR4yASJrE2Uv==") )
    v8 = "you win";

感谢分享
2023-10-27 11:35