首页
论坛
专栏
课程
10

[原创]看雪CTF2017 第六题分析

HighHand 2017-6-12 16:53 1211

zip解压缩apk文件,拿到.dex文件,经过dex2jar,jd-gui反编译拿到java 代码,发现被名称混淆了,而且字符串也加密了。

通过分析程序流程发现调用了.so库,函数名为check,且该函数需要返回1。

使用ida加载so库,arm指令被加花指令,不过还是可以找到规律。通过静态跳转分析,整理了部分代码

.text:00002814 ; check(_JNIEnv *, _jclass *, _jstring *)
.text:00002814                 EXPORT _Z5checkP7_JNIEnvP7_jclassP8_jstring
.text:00002814 _Z5checkP7_JNIEnvP7_jclassP8_jstring    ; CODE XREF: check(_JNIEnv *,_jclass *,_jstring *)+8j
.text:00002814                                         ; DATA XREF: .got:_Z5checkP7_JNIEnvP7_jclassP8_jstring_ptro ...
.text:00002814
.text:00002814 var_10          = -0x10
.text:00002814
.text:00002814                 PUSH.W          {R4-R10,LR}
.text:00002818                 ADD             R7, SP, #0xC
.text:0000281A                 SUB             SP, SP, #0x48
.text:0000281C                 MOV             R9, R0
.text:0000281E                 LDR             R0, =(__stack_chk_guard_ptr - 0x282A)
.text:00002820                 LDR.W           LR, =(unk_1D558 - 0x282E)
.text:00002824                 MOV             R10, SP
.text:00002826                 ADD             R0, PC ; __stack_chk_guard_ptr
.text:00002828                 MOV             R8, R2
.text:0000282A                 ADD             LR, PC ; unk_1D558
.text:0000282C                 MOV             R3, R10
.text:0000282E                 LDR             R0, [R0] ; __stack_chk_guard
.text:00002830                 LDR.W           R12, =(dword_20040 - 0x283A)
.text:00002834                 LDR             R0, [R0]
.text:00002836                 ADD             R12, PC ; dword_20040
.text:00002838                 STR             R0, [SP,#0x54+var_10]
.text:0000283A                 LDMIA.W         LR!, {R1,R2,R4-R6}
.text:0000283E                 STMIA           R3!, {R1,R2,R4-R6}
.text:00002840                 LDMIA.W         LR!, {R1,R2,R4-R6}
.text:00002844                 STMIA           R3!, {R1,R2,R4-R6}
.text:00002846                 LDMIA.W         LR, {R0-R2,R4-R6}
.text:0000284A                 STMIA           R3!, {R0-R2,R4-R6}
.text:0000284C                 LDR.W           R0, [R12]
.text:00002850                 CMP             R0, #6
.text:00002852                 BLT             loc_2874
.text:00002874 loc_2874                                ; CODE XREF: check(_JNIEnv *,_jclass *,_jstring *)+3Ej
.text:00002874                 LDR.W           R0, =(aAbcdefghijklmn+0x22) ; "ijklmnopqrstuvwxyz0123456789+/="
.text:000028DE                 MOVW            R2, #0xFFFF
.text:000028E2                 LDR.W           R12, =(unk_20020 - 0x28EE)
.text:000028E6                 MOVS            R4, #0
.text:000028E8                 ADD             R0, PC
.text:000028EA                 ADD             R12, PC ; unk_20020
.text:000028EC                 LDR             R1, [R0]
.text:000028EE                 ADDS            R1, #1
.text:000028F0                 STR             R1, [R0]
.text:000028F2                 MOVS            R0, #'J'
.text:000028F4                 MOVS            R1, #'y'
.text:000029C6                 STRH.W          R1, [SP,#arg_24]
.text:000029CA                 MOVS            R1, #'u'
.text:00002A32                 STRH.W          R1, [SP,#arg_26]
.text:00002A36                 MOVS            R1, #'3'
.text:00002A9E                 STRH.W          R1, [SP,#arg_28]
.text:00002AA2                 MOVS            R1, #'C'
.text:00002B0A                 STRH.W          R1, [SP,#arg_2A]
.text:00002B74                 MOVS            R1, #0
.text:00002B76                 STRH.W          R0, [SP,#arg_2C] J
.text:00002B7A                 MOVS            R0, #'l'
.text:00002BE2                 STRH.W          R0, [SP,#arg_2E]
.text:00002BE6                 MOVS            R0, #'V'
.text:00002C4E                 STRH.W          R0, [SP,#arg_30]
.text:00002C52                 MOVS            R0, #'D'
.text:00002CBA                 STRH.W          R0, [SP,#arg_32]
.text:00002CBE                 MOVS            R0, #'S'
.text:00002D26                 STRH.W          R0, [SP,#arg_34]
.text:00002D2A                 MOVS            R0, #'G'
.text:00002D92                 STRH.W          R0, [SP,#arg_36]
.text:00002D96                 MOVS            R0, #'Q'
.text:00002DFE                 STRH.W          R0, [SP,#arg_38
.text:00003066
.text:00003066 loc_3066                                ; CODE XREF: sub_3558+22j
.text:000030CC                 LDRSH.W         R5, [R10,R4,LSL#1]
.text:000030D0                 ADDS            R6, R4, #3
.text:00003204                 CMP.W           R5, #0xFFFFFFFF
.text:00003208                 BEQ.W           sub_3304
.text:0000320C                 ADD.W           R4, R10, R4,LSL#1
.text:00003210                 LDRSH.W         R3, [R4,#2]
.text:00003214                 UXTH            R0, R3
.text:00003216                 CMP             R0, R2
.text:00003218                 BEQ.W           sub_336C
.text:0000321C                 LDRH.W          R0, [R10,R5,LSL#1]
.text:00003220                 LDRH.W          R5, [R10,R3,LSL#1]
.text:00003224                 LDRSH.W         R4, [R4,#4]
.text:00003228                 SUBS            R0, R5, R0
.text:0000322A                 STRH.W          R0, [R10,R3,LSL#1]
.text:00003294                 SXTH            R0, R0
.text:00003296                 CMP             R0, #0
.text:00003298                 BGT.W           loc_350E
.text:00003438                 LDRB.W          R0, [R10,R5,LSL#1]
.text:0000343C                 STRB.W          R0, [R12,R1,LSL#1]
.text:000034FE                 MOV             R3, R3
.text:00003500                 POP.W           {R0,R4,R5,R7,LR}
.text:0000350C                 ADDS            R1, #1
.text:0000350E
.text:0000350E loc_350E                                ; CODE XREF: sub_3276+22j
.text:0000350E loc_350E                                ; CODE XREF: sub_3276+22j
.text:0000350E                                         ; sub_334C+1Ej
.text:0000350E                 MOV             R4, R6
.text:00003576                 CMP.W           R4, #0xFFFFFFFF
.text:0000357A                 BGT.W           loc_3066
.text:0000364A                 BL              sub_19FC

.text:000036B4                 LDR.W           R0, [R9]
.text:000036B8                 MOV             R1, R8
.text:000036BA                 MOVS            R2, #0
.text:000036BC                 MOVS            R4, #0
.text:000036BE                 LDR.W           R3, [R0,#0x2A4]
.text:000036C2                 MOV             R0, R9
.text:000036C4                 BLX             R3		; r0 = sn
.text:00003792                 BL              sub_19DA8        ;关键 函数调用
.text:00003796                 MOV             R1, R0
.text:00003798                 LDR.W           R0, =0x1C74E
.text:000038CE                 ADD             R0, PC
.text:000038D0
.text:000038D0 loc_38D0                                ; CODE XREF: sub_3924+20j
.text:000038D0                 LDRB            R2, [R1,R4]
.text:000038D2                 LDRB            R3, [R0,R4]
.text:000038D4                 CMP             R3, R2           ; 比较结果
.text:000038D6                 BNE.W           sub_39B0
.text:000038DA                 ADDS            R4, #1
.text:00003942                 CMP             R4, #0x18
.text:00003944                 BNE             loc_38D0
.text:000039AC                 MOVS            R0, #1
.text:000039B0 sub_39B0                                ; CODE XREF: sub_38B0+26j
.text:000039B0                 LDR.W           R0, =0x1C602
.text:00003A1A                 ADD             R0, PC
.text:00003A1C                 BL              sub_27C8
.text:00003A86                 CMP             R0, #0
.text:00003A88                 BEQ.W           sub_3B5A
.text:00003C26 loc_3C26                                ; CODE XREF: sub_3B3A+1Ej
.text:00003C26                 MOVS            R0, #0
.text:00003C28 loc_3C28                                ; CODE XREF: sub_398E+20j
.text:00003C28                 LDR             R1, =(__stack_chk_guard_ptr - 0x3C30)
.text:00003C2A                 LDR             R2, [SP,#arg_44]
.text:00003C2C                 ADD             R1, PC ; __stack_chk_guard_ptr
.text:00003C2E                 LDR             R1, [R1] ; __stack_chk_guard
.text:00003C30                 LDR             R1, [R1]
.text:00003C32                 SUBS            R1, R1, R2
.text:00003C34                 ITT EQ
.text:00003C36                 ADDEQ           SP, SP, #0x48
.text:00003C38                 POPEQ.W         {R4-R10,PC}

通过ida的动态调试,确定 sub_19DA8 为关键函数,其输入为sn,输出结果与 “JPyjup3eCyJjlkV6DmSmGHQ=” 进行比较,相等则返回1

下面继续分析 sub_19DA8,下面是整理后的代码

.text:00019DA8 sub_19DA8                               ; CODE XREF: sub_3774+1Ep
.text:00019DA8
.text:00019DA8 var_10          = -0x10
.text:00019DA8
.text:00019DA8                 PUSH.W          {R4-R9,LR}
.text:00019DAC                 ADD             R7, SP, #0xC
.text:00019DAE                 SUB.W           SP, SP, #0x408
.text:00019DB2                 SUB             SP, SP, #4
.text:00019DB4                 MOV             R9, R0
.text:00019DB6                 LDR.W           R0, =(__stack_chk_guard_ptr - 0x19DBE)
.text:00019DBA                 ADD             R0, PC ; __stack_chk_guard_ptr
.text:00019DBC                 LDR             R0, [R0] ; __stack_chk_guard
.text:00019DBE                 LDR             R0, [R0]
.text:00019DC0                 STR.W           R0, [R7,#var_10]
.text:00019DC4                 BL              sub_1A31C
.text:00019DC8                 MOV             R8, R0
.text:00019DCA                 MOV             R0, R9
.text:00019EE4 loc_19EE4                               ; CODE XREF: sub_19E7A+70j
.text:00019EE4                 LDRB.W          R1, [R0],#1
.text:00019EE8                 CMP             R1, #0
.text:00019EEA                 BNE             loc_19EE4
.text:00019EEC                 MVN.W           R1, R9
.text:00019EF0                 ADDS            R6, R0, R1
.text:00019EF2                 ADDS            R4, R6, #1
.text:00019F80                 MOV             R0, R4  ; size
.text:00019F82                 BLX             malloc
.text:00019F86                 MOV             R1, R4
.text:00019F88                 MOV             R5, R0
.text:00019FF0                 BLX             __aeabi_memclr
.text:00019FF4                 MOV             R4, SP
.text:00019FF6                 MOVS            R1, #8
.text:00019FF8                 MOV             R0, R4
.text:00019FFA                 MOV             R2, R8
.text:0001A0C8                 BL              sub_55E4			***********rc4_init**************
.text:0001A0CC                 MOV             R0, R4
.text:0001A0CE                 MOV             R1, R6
.text:0001A0D0                 MOV             R2, R9
.text:0001A0D2                 MOV             R3, R5
.text:0001A13A                 BL              sub_467E			***********rc4_update**************
.text:0001A13E                 MOV             R0, R5
.text:0001A1F2 loc_1A1F2                               ; CODE XREF: sub_1A188+70j
.text:0001A1F2                 LDRB.W          R1, [R0],#1
.text:0001A1F6                 CMP             R1, #0
.text:0001A1F8                 BNE             loc_1A1F2
.text:0001A1FA                 MVNS            R1, R5
.text:0001A222                 ADD             R1, R0
.text:0001A224                 MOV             R0, R5
.text:0001A226                 BL              sub_5AFC			******** base64 **********
.text:0001A22A                 LDR             R1, =0x5BA4
.text:0001A2F8                 LDR.W           R2, [R7,#-0x10]
.text:0001A2FC                 ADD             R1, PC
.text:0001A2FE                 LDR             R1, [R1]
.text:0001A300                 LDR             R1, [R1]
.text:0001A302                 SUBS            R1, R1, R2
.text:0001A304                 ITTT EQ
.text:0001A306                 ADDEQ.W         SP, SP, #0x408
.text:0001A30A                 ADDEQ           SP, SP, #4
.text:0001A30C                 POPEQ.W         {R4-R9,PC}

在 .text:0001A0C8 处下断,我们可以拿到rc4的密钥 “19931012”, .text:0001A13A处对sn进行加密,.text:0001A226处对rc4加密结果进行base64编码,返回。

通过上述分析,我们只需将 “JPyjup3eCyJjlkV6DmSmGHQ=” base64解码再rc4解密,即是sn

使用在线rc4解密并有base64编码功能的,进行解密:

sn=madebyericky94528




快讯:看雪智能设备漏洞挖掘公开课招生中!

最新回复 (0)
返回