首页
社区
课程
招聘
[原创]newstarCTF2023 week4|REVERSE--简单的跨 writeup
发表于: 2023-10-27 10:27 8100

[原创]newstarCTF2023 week4|REVERSE--简单的跨 writeup

2023-10-27 10:27
8100

题目为安卓apk,安装到模拟器或真机发现无输入点。

使用jadx-gui进行静态分析,定位关键代码:

encrypt()是java编写,RC4加密,key为“runrunrun"。

encode()是native函数,将lib中的libantidbg.so提取,使用ida分析,发现为base64(置换了字典表)编码,再和目标串“Jr0VJ81KJD1PJpY2WytxgeAnJWu2H1qutyA0xFtyJrZHJrZeJrM8ATCWJWft9FtgJsV2SCtR4yASJrE2Uv=="”比较:

逆向过程为:base64解码-->rc4解密即可得到flag。
这里有一个**“坑”**,base64解码的结果中含b"\x0c\x80",这是因为安卓写入空字符会encode成\xc0\x80,python进行decode()时将报错,直接替换为b"\x00"即可。
逆向脚本:

public void mbox(Integer[] numArr, String str) {
       for (int i = 0; i < 256; i++) {
           numArr[i] = Integer.valueOf(i);
       }
       int i2 = 0;
       for (int i3 = 0; i3 < 256; i3++) {
           i2 = ((i2 + numArr[i3].intValue()) + str.charAt(i3 % str.length())) % 256;
           change(numArr, i3, i2);
       }
   }
 
   public void genenc(Integer[] numArr, Character[] chArr, int i) {
       int i2 = 0;
       int i3 = 0;
       for (int i4 = 0; i4 < i; i4++) {
           i2 = (i2 + 1) % 256;
           i3 = (i3 + numArr[i2].intValue()) % 256;
           change(numArr, i2, i3);
           chArr[i4] = Character.valueOf((char) numArr[(numArr[i2].intValue() + numArr[i3].intValue()) % 256].intValue());
       }
   }
 
   public void change(Integer[] numArr, int i, int i2) {
       Integer num = numArr[i];
       numArr[i] = numArr[i2];
       numArr[i2] = num;
   }
 
   public String encrypt(String str, String str2) {
       Integer[] numArr = new Integer[256];
       Character[] chArr = new Character[str.length()];
       StringBuffer stringBuffer = new StringBuffer();
       mbox(numArr, str2);
       genenc(numArr, chArr, str.length());
       for (int i = 0; i < str.length(); i++) {
           stringBuffer.append((char) (str.charAt(i) ^ chArr[i].charValue()));
       }
       return stringBuffer.toString();
   }
public void mbox(Integer[] numArr, String str) {
       for (int i = 0; i < 256; i++) {
           numArr[i] = Integer.valueOf(i);
       }
       int i2 = 0;
       for (int i3 = 0; i3 < 256; i3++) {
           i2 = ((i2 + numArr[i3].intValue()) + str.charAt(i3 % str.length())) % 256;
           change(numArr, i3, i2);
       }
   }
 
   public void genenc(Integer[] numArr, Character[] chArr, int i) {
       int i2 = 0;
       int i3 = 0;
       for (int i4 = 0; i4 < i; i4++) {
           i2 = (i2 + 1) % 256;
           i3 = (i3 + numArr[i2].intValue()) % 256;
           change(numArr, i2, i3);
           chArr[i4] = Character.valueOf((char) numArr[(numArr[i2].intValue() + numArr[i3].intValue()) % 256].intValue());
       }
   }
 
   public void change(Integer[] numArr, int i, int i2) {
       Integer num = numArr[i];
       numArr[i] = numArr[i2];
       numArr[i2] = num;
   }
 
   public String encrypt(String str, String str2) {
       Integer[] numArr = new Integer[256];
       Character[] chArr = new Character[str.length()];
       StringBuffer stringBuffer = new StringBuffer();
       mbox(numArr, str2);
       genenc(numArr, chArr, str.length());
       for (int i = 0; i < str.length(); i++) {
           stringBuffer.append((char) (str.charAt(i) ^ chArr[i].charValue()));
       }
       return stringBuffer.toString();
   }
__int64 __fastcall xxx(__int64 a1, __int64 a2, __int64 a3)
{
  unsigned __int8 *v5; // x21
  int v6; // w0
  const char *v7; // x0
  const char *v8; // x1
 
  v5 = (unsigned __int8 *)(*(__int64 (__fastcall **)(__int64, __int64, _QWORD))(*(_QWORD *)a1 + 1352LL))(a1, a3, 0LL);
  v6 = (*(__int64 (__fastcall **)(__int64, __int64))(*(_QWORD *)a1 + 1344LL))(a1, a3);
  v7 = (const char *)b64(v5, v6);
  if ( !strcmp(v7, "Jr0VJ81KJD1PJpY2WytxgeAnJWu2H1qutyA0xFtyJrZHJrZeJrM8ATCWJWft9FtgJsV2SCtR4yASJrE2Uv==") )
    v8 = "you win";
  else
    v8 = "you lost";
  return (*(__int64 (__fastcall **)(__int64, const char *))(*(_QWORD *)a1 + 1336LL))(a1, v8);
}
__int64 __fastcall xxx(__int64 a1, __int64 a2, __int64 a3)
{
  unsigned __int8 *v5; // x21
  int v6; // w0
  const char *v7; // x0
  const char *v8; // x1
 
  v5 = (unsigned __int8 *)(*(__int64 (__fastcall **)(__int64, __int64, _QWORD))(*(_QWORD *)a1 + 1352LL))(a1, a3, 0LL);
  v6 = (*(__int64 (__fastcall **)(__int64, __int64))(*(_QWORD *)a1 + 1344LL))(a1, a3);
  v7 = (const char *)b64(v5, v6);
  if ( !strcmp(v7, "Jr0VJ81KJD1PJpY2WytxgeAnJWu2H1qutyA0xFtyJrZHJrZeJrM8ATCWJWft9FtgJsV2SCtR4yASJrE2Uv==") )
    v8 = "you win";

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (1)
雪    币: 3594
活跃值: (31031)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
感谢分享
2023-10-27 11:35
1
游客
登录 | 注册 方可回帖
返回
//