首页
论坛
专栏
课程
13

[原创] CTF2017 第六题破解记录

爱琴海 2017-6-13 12:08 4164

话说android平台的第一次搞,没想到边学变做,光搭建个调试平台就费了九牛二虎之力,最后还是搞到个旧手机ROOT掉

先测试JEB2动态调试,极不方便,转而使用IDA,各位记得一定要安装JDK、Android  SDK,然后配置好环境变量。

至于如何IDA附加调试,请搜索一下,网上有的,我就不再啰嗦了。


IDA附加进去后,断到so里头CHECK函数,然后就绕进去了,各种垃圾指令,跳来跳去,捕捉到"JPyjup3eCyJjlkV6DmSmGHQ="字符

61DA2000: loaded /data/app-lib/com.miss.rfchen-1/librf-chen.so

librf_chen.so:61DA4814                 PUSH.W          {R4-R10,LR}
librf_chen.so:61DA4818                 ADD             R7, SP, #0xC
librf_chen.so:61DA481A                 SUB             SP, SP, #0x48
librf_chen.so:61DA481C                 MOV             R9, R0
librf_chen.so:61DA481E                 LDR             R0, =(dword_61DC1EA4 - 0x61DA482A)
librf_chen.so:61DA4820                 LDR.W           LR, =(unk_61DBF558 - 0x61DA482E)
librf_chen.so:61DA4824                 MOV             R10, SP
librf_chen.so:61DA4826                 ADD             R0, PC ; dword_61DC1EA4
librf_chen.so:61DA4828                 MOV             R8, R2
librf_chen.so:61DA482A                 ADD             LR, PC ; unk_61DBF558
librf_chen.so:61DA482C                 MOV             R3, R10
librf_chen.so:61DA482E                 LDR             R0, [R0]
librf_chen.so:61DA4830                 LDR.W           R12, =(dword_61DC2040 - 0x61DA483A)
librf_chen.so:61DA4834                 LDR             R0, [R0]
librf_chen.so:61DA4836                 ADD             R12, PC ; dword_61DC2040
librf_chen.so:61DA4838                 STR             R0, [SP,#0x54+var_10]
librf_chen.so:61DA483A                 LDMIA.W         LR!, {R1,R2,R4-R6}
librf_chen.so:61DA483E                 STMIA           R3!, {R1,R2,R4-R6}
librf_chen.so:61DA4840                 LDMIA.W         LR!, {R1,R2,R4-R6}
librf_chen.so:61DA4844                 STMIA           R3!, {R1,R2,R4-R6}
librf_chen.so:61DA4846                 LDMIA.W         LR, {R0-R2,R4-R6}
librf_chen.so:61DA484A                 STMIA           R3!, {R0-R2,R4-R6}
librf_chen.so:61DA484C                 LDR.W           R0, [R12]
librf_chen.so:61DA4850                 CMP             R0, #6
librf_chen.so:61DA4852                 BLT             loc_61DA4874
librf_chen.so:61DA4854                 B               loc_61DA486C

librf_chen.so:61DA48EA                 ADD             R12, PC ; "JPyjup3eCyJjlkV6DmSmGHQ=!!\n\n"
librf_chen.so:61DA48EC                 LDR             R1, [R0]
librf_chen.so:61DA48EE                 ADDS            R1, #1
librf_chen.so:61DA48F0                 STR             R1, [R0]
librf_chen.so:61DA48F2                 MOVS            R0, #0x4A
librf_chen.so:61DA48F4                 MOVS            R1, #0x79
librf_chen.so:61DA48F6                 PUSH.W          {R4-R10,LR}
librf_chen.so:61DA48FA                 POP.W           {R4-R10,LR}
librf_chen.so:61DA48FE                 B               unk_61DA4928

librf_chen.so:61DA49CA                 MOVS            R1, #0x75
librf_chen.so:61DA4A36                 MOVS            R1, #0x33
librf_chen.so:61DA4AA2                 MOVS            R1, #0x43
librf_chen.so:61DA4B7A                 MOVS            R0, #0x6C
librf_chen.so:61DA4BE6                 MOVS            R0, #0x56
librf_chen.so:61DA4C52                 MOVS            R0, #0x44
librf_chen.so:61DA4CBE                 MOVS            R0, #0x53
librf_chen.so:61DA4D2A                 MOVS            R0, #0x47
librf_chen.so:61DA4D96                 MOVS            R0, #0x51

librf_chen.so:61DA5204                 CMP.W           R5, #0xFFFFFFFF
librf_chen.so:61DA5208                 BEQ.W           loc_61DA5304
librf_chen.so:61DA520C                 ADD.W           R4, R10, R4,LSL#1
librf_chen.so:61DA5210                 LDRSH.W         R3, [R4,#2]
librf_chen.so:61DA5214                 UXTH            R0, R3
librf_chen.so:61DA5216                 CMP             R0, R2
librf_chen.so:61DA5218                 BEQ.W           loc_61DA536C

感觉特别像BASE64加密,遂先解密为十六进制数:24 fc a3 ba 9d de 0b 22 63 96 45 7a 0e 64 a6 18 74

跟踪过程在IDA里头发现“19931012”字样,作为RC4密钥。混淆很厉害,中间几经波折,差点放弃,对android真不熟悉。

中间来回公司、家往返,很多调试记录没有捕捉,很好奇兄弟们是怎样快速去除so里头的混淆的?


算法分析:
Input "123456789012"
Rc4_hash = RC4(input,"19931012")
Base64_hash_1 = BASE64(Rc4_hash) = "eK/068qRWWgzxR8x"
Check Base64_hash_1 == "JPyjup3eCyJjlkV6DmSmGHQ="

破解:
Base64解码,再RC4以19931012为密钥解码




快讯:看雪智能设备漏洞挖掘公开课招生中!

最新回复 (1)
Angelxf 2017-6-13 16:25
2
小弟去了花,可以看下,http://bbs.pediy.com/thread-218455.htm

原来算法这么简单,我是硬解的

佩服,哎,真可惜
返回