[Original] 看雪 (Pediy) CTF 2017, Challenge 6

风间仁 2017-6-11 16:22 3903

1. Analyzing the APK with JEB

Nothing interesting in the Java layer: the input string is trimmed and handed to a native method, so the verification logic lives in the .so.

if(utils.check(v1.toString().trim()))              // call site: the trimmed string goes to the native method
public static native boolean check(String arg1);   // declared in class com.miss.rfchen.utils, implemented in the .so


2. Analyzing the .so


Debugging with IDA

Start the activity waiting for a debugger, then attach jdb over the forwarded JDWP port so the app resumes while IDA is attached to the native side:

adb shell am start -D -n com.miss.rfchen/com.miss.rfchen.MainActivity

jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=xxxx


The junk-instruction pattern here is very uniform; whenever something looks like junk, just scroll past it.


.text:00003C68 ; jint __stdcall JNI_OnLoad(JavaVM *vm, void *reserved)


Anti-debugging: JNI_OnLoad calls ptrace(PTRACE_TRACEME, 0, 0, 0) on itself. A process can have only one tracer, so after this call a debugger can no longer attach (and if one is already attached, the call fails). Just NOP out the BLX:

.text:00003C74                 MOVS            R1, #0
.text:00003C76                 MOVS            R2, #0
.text:00003C7A                 MOVS            R3, #0
.text:00003C86                 MOVS            R0, #0
.text:00003CEE                 BLX             ptrace

Registering the native function for check via RegisterNatives. The JNINativeMethod table at off_20004 holds the method name "check", the signature "(Ljava/lang/String;)Z" and the Thumb function pointer (+1) to check():

.text:00003CF2                 LDR             R0, [R4]
.text:00003D08                 ADD             R1, PC  ; "com/miss/rfchen/utils"
.text:00003D0A                 LDR             R2, [R2,#JNINativeInterface_.FindClass]
.text:00003D0C                 BLX             R2
.text:00003D0E                 MOV             R1, R0
.text:00003D80                 LDR.W           R4, [R2,#JNINativeInterface_.RegisterNatives]
.text:00003D84                 LDR             R2, =(off_20004 - 0x3D8A)
.text:00003D86                 ADD             R2, PC ; off_20004
.text:00003D88                 BLX             R4
.data:00020004 off_20004       DCD aCheck              ; DATA XREF: sub_3D58+2Eo
.data:00020008                 DCD aLjavaLangStrin     ; "(Ljava/lang/String;)Z"
.data:0002000C                 DCD _Z5checkP7_JNIEnvP7_jclassP8_jstring+1 ; check(_JNIEnv *,_jclass *,_jstring *)


3. Analyzing the check function

.text:00002814 ; check(_JNIEnv *, _jclass *, _jstring *)


After 6 failed attempts it enters an endless loop:

.text:0000284C                 LDR.W           R0, [R12]
.text:00002850                 CMP             R0, #6
.text:00002852                 BLT             loc_2874
.text:00002854                 B               loop_endless


Builds the target string JPyjup3eCyJjlkV6DmSmGHQ= on the stack, one character at a time:

.text:000028F2                 MOVS            R0, #'J'
.text:000028F4                 MOVS            R1, #'y'
.text:0000295C                 STRH.W          R0, [SP,#0x22]
.text:000029C6                 STRH.W          R1, [SP,#0x24]
...


Fetches the serial number (sn) with GetStringUTFChars:

.text:000036BE                 LDR.W           R3, [R0,#JNINativeInterface_.GetStringUTFChars]
.text:000036C2                 MOV             R0, R9
.text:000036C4                 BLX             R3


buf = malloc(len(sn) + 1), then zeroed:

.text:00019F80                 MOV             R0, R4  ; size
.text:00019F82                 BLX             malloc
...
.text:00019FF0                 BLX             __aeabi_memclr


rc4_init(&ctx, "199310124853", 8): the key length passed is 8, so only the first 8 bytes, "19931012", enter the key schedule.

.text:0001A0C8                 BL              rc4_init


rc4_crypt(&ctx, sn, len(sn)): XORs the serial with the RC4 keystream.

.text:0001A13A                 BL              rc4_crypt


Base64-encodes the result:

.text:0001A222                 ADD             R1, R0
.text:0001A224                 MOV             R0, R5
.text:0001A226                 BL              base64


Compares the base64 output byte by byte with JPyjup3eCyJjlkV6DmSmGHQ=. The loop runs until R4 reaches 0x18 = 24, exactly the length of that string, and branches out on the first mismatch:

.text:00003798                 LDR.W           R0, =(unk_20020 - loc_38D2)
.text:000038CE                 ADD             R0, PC
.text:000038D0                 LDRB            R2, [R1,R4]
.text:000038D2                 LDRB            R3, [R0,R4]
.text:000038D4                 CMP             R3, R2
.text:000038D6                 BNE.W           sub_39B0
.text:000038DA                 ADDS            R4, #1
...
.text:00003942                 CMP             R4, #0x18
.text:00003944                 BNE             loc_38D0


Inverting the pipeline (base64-decode the target, then RC4 with the same key, since RC4 is symmetric) gives the serial:

>>> madebyericky94528
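As an added example (not the challenge's or the author's code), here is the whole check() pipeline re-implemented in Python and then inverted. The key material "199310124853", the key length 8 and the target string are transcribed from the disassembly notes above; KEY_MATERIAL, KEY_LEN, TARGET_B64, rc4_init, rc4_crypt, check and solve are names chosen for this script. If the transcribed parameters are right, solve() reproduces the serial the post reports.

```python
import base64

# Parameters transcribed from the write-up (constructed constants for this example).
KEY_MATERIAL = b"199310124853"   # string passed to rc4_init
KEY_LEN = 8                      # length argument passed to rc4_init
TARGET_B64 = "JPyjup3eCyJjlkV6DmSmGHQ="   # string compared against, 24 bytes


def rc4_init(key: bytes) -> list:
    """Key-scheduling algorithm (KSA): returns the 256-entry state permutation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA: XOR data with the RC4 keystream. The same call encrypts and decrypts."""
    s = rc4_init(key)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def check(sn: bytes) -> bool:
    """Mirror of the native check(): base64(rc4(sn)) must equal the target string.
    Only the first KEY_LEN bytes of the key material are used, as in the binary."""
    ct = rc4_crypt(KEY_MATERIAL[:KEY_LEN], sn)
    return base64.b64encode(ct).decode() == TARGET_B64


def solve() -> bytes:
    """Invert check(): base64-decode the target, then run RC4 with the same key."""
    ct = base64.b64decode(TARGET_B64)
    return rc4_crypt(KEY_MATERIAL[:KEY_LEN], ct)


if __name__ == "__main__":
    sn = solve()
    print(sn.decode("latin-1"), check(sn))
```

Running the script prints the recovered serial followed by True, because whatever solve() returns is, by construction, accepted by check(). The RC4 routines are standard; a quick way to make sure they are right before trusting the result is to run them against the well-known RC4 test vectors (key "Key" / plaintext "Plaintext" gives ciphertext BBF316E8D940AF0AD3).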





Latest replies (2)

奔跑的阿狸 2017-6-13 16:08 (#2)
So that's what 199310124853 was for. I didn't spot it at the time...

Angelxf 2017-6-13 17:06 (#3)
Algorithms are king.