
[原创]2022KCTF秋季赛 第三题 水患猖獗


分析Java层

逻辑简单:Java 层读取输入的 name 和 serial,加载 libcrackme.so 并交给 native 层校验,native 层返回一个字符串作为校验结果

 

分析native层

根据之前的经验,用 frida hook libart 中的 NewStringUTF,截获最后返回给 Java 层的结果字符串,并打印调用栈以定位校验代码的位置,部分 hook 代码如下。注意:代码中 libart.so 内的偏移 0x2C8581 只对笔者当时测试机的系统版本有效,换设备或 Android 版本时需要重新定位(最好改为按符号查找);被 hook 的是 libart.so,而不是 libcrackme.so。

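/**
 * Hooks art's NewStringUTF and, when the crackme's verdict string is being
 * created, dumps the caller context so the verdict site inside libcrackme.so
 * can be located.
 *
 * `0x2C8581` is the Thumb entry address (low bit set) of NewStringUTF inside
 * the libart.so build on the author's test device. It is not portable across
 * Android versions or vendor ROMs and must be re-derived per target. The
 * commented-out CheckJNI symbol is only reached when the runtime runs with
 * CheckJNI enabled (debuggable app), so it is not a substitute on a release
 * configuration.
 *
 * Side effects on a match: prints the verdict and its address, the return
 * address and 64 stack slots rebased to libcrackme.so, two hexdumps, then
 * disables memset logging and closes `mylogfile` (both defined elsewhere in
 * this script).
 */
function hookart(){
    const artBase = Module.findBaseAddress("/apex/com.android.runtime/lib/libart.so");
    //var baseAddr = Module.findExportByName(null,"_ZN3art12_GLOBAL__N_18CheckJNI12NewStringUTFEP7_JNIEnvPKc");
    console.log("Art",artBase)
    if (artBase === null) {
        // findBaseAddress returns null when the module is not loaded or the path
        // differs on this Android version; fail with a clear message instead of a
        // TypeError on `.add`.
        console.error("libart.so not found at the expected path; adjust module path and offset");
        return;
    }
    Interceptor.attach(artBase.add(0x2C8581),
        {
            onEnter: function (args)
            {
                // args[1] is the `const char*` passed to NewStringUTF(env, utf);
                // read it once instead of once per comparison.
                const text = args[1].readCString();
                //console.log("NewString:" + text);
                if (text !== "不对!再探再报" && text !== "祝贺,闯关顺利") {
                    return;
                }
                const ctx = this.context as any;
                console.log(text, args[1]);
                const mainAddr = Module.findBaseAddress("libcrackme.so");
                if (mainAddr === null) {
                    console.error("libcrackme.so not loaded; cannot rebase addresses");
                    return;
                }
                console.log("Return Addr:" + ctx.lr.sub(mainAddr));
                console.log(' called from:\n' +
                        Thread.backtrace(this.context, Backtracer.ACCURATE)
                        .map(DebugSymbol.fromAddress).join('\n') + '\n');
                // Walk 64 32-bit stack slots (ARM32 target) and highlight the ones
                // that fall inside libcrackme.so, i.e. likely return addresses.
                // Slots below the module base wrap to a large unsigned value and so
                // fail the bound check. 0x50000 is an assumed upper bound on the
                // module's mapped size — confirm against the actual module size.
                for (let i = 0; i < 64; i++) {
                    const slot = ctx.sp.add(i * 4).readPointer();
                    const rel = slot.sub(mainAddr);
                    if (rel.toUInt32() < 0x50000) {
                        console.warn("[!!]" + slot, rel);
                    } else {
                        console.log(slot, rel);
                    }
                }

                // Dump memory 0xe0 past the string and the top of the stack.
                console.log(hexdump(args[1].add(0xe0),{
                    offset:0,
                    length:128,
                    header:true,
                    ansi:true
                }));
                console.log(JSON.stringify(this.context));
                console.log(hexdump(ctx.sp,{
                    offset:0,
                    length:128,
                    header:true,
                    ansi:true
                }));
                memset_log = false;
                mylogfile.close();
                //debugger;
            },
            onLeave: function (ret)
            {

            }
        }
    );
}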

 

 

跟踪 B/BX/BL 跳转之后,ghidra 识别出了一个函数头,特征为字节序列 0c e0 1f e5(即 ARM 指令 ldr lr,[pc,#-0xc])

 

 

观察数据部分,找到结果字符串的位置,做一个xor 解密

 

 

 

结果字符串的 offset 为 0x13。让 ghidra 把所有数据强制按 thumb 反汇编之后,搜索立即数 0x13

 

 

 

从该处向上搜索特征字节 0c e0 1f e5,找到所在函数的函数头,位于 0x2c9a4

 

 

 

hook获取数据,部分hook代码如下

/**
 * Generic probe: on every hit of `targetAddr`, writes the full CPU context as
 * JSON to the console and to `mylogfile` (defined elsewhere in this script),
 * flushes the file, then pauses the hooked thread for 3 seconds.
 * `baseAddr` is accepted for signature parity with the sibling hooks and is
 * not used.
 */
function hookGeneral(targetAddr:NativePointer,baseAddr:NativePointer){
    Interceptor.attach(targetAddr,{
        onEnter:function(args){
            const line = "[Hook General]" + JSON.stringify(this.context);
            console.log(line);
            mylogfile.write(line + "\n");
            mylogfile.flush();
            // Deliberately slow the target down so the log can be read live.
            Thread.sleep(3);
        },onLeave:function(ret){

        }
    });
}
/**
 * Logs the r8 register each time `targetAddr` (0x2DFC9 in the author's
 * libcrackme.so) is hit, both to the console and to `mylogfile`.
 * `baseAddr` is unused.
 */
function hook2DFC9(targetAddr:NativePointer,baseAddr:NativePointer){
    Interceptor.attach(targetAddr,{
        onEnter:function(args){
            const r8 = (this.context)['r8'];
            const line = `[2DFC9]${r8}`;
            console.log(line);
            mylogfile.write(`${line}\n`);
            mylogfile.flush();
            //Thread.sleep(1000);
        },onLeave:function(ret){

        }
    });
}
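/**
 * On each hit of `targetAddr` (0x2E447 in the author's libcrackme.so), prints
 * the double stored at the address held in r11 followed by the d9 register.
 * Unlike its siblings this hook writes to the console only.
 * `baseAddr` is unused.
 *
 * NOTE(review): this assumes r11 holds a readable pointer to an 8-byte double
 * at this exact site — confirm against the disassembly before reusing it at
 * another address; an invalid pointer makes readDouble throw inside the hook.
 * The unused `mylog` local from the original was removed.
 */
function hook2E447(targetAddr:NativePointer,baseAddr:NativePointer){
    Interceptor.attach(targetAddr,{
        onEnter:function(args){
            console.log((this.context)['r11'].readDouble() + " " + (this.context)['d9']);
            //Thread.sleep(1000);
        },onLeave:function(ret){

        }
    });
}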
/**
 * Logs r4, r3, r1 and r0 on each hit of `targetAddr` (0x2C9A4 in the
 * author's libcrackme.so, the xor routine) to the console and to
 * `mylogfile`. `baseAddr` is unused.
 */
function hook2C9A4(targetAddr:NativePointer,baseAddr:NativePointer){
    Interceptor.attach(targetAddr,{
        onEnter:function(args){
            const c = this.context;
            const regs = `${c['r4']} ${c['r3']} ${c['r1']} ${c['r0']}`;
            // Console line keeps a trailing space; file line ends with a newline.
            console.log(regs + " ");
            mylogfile.write(regs + "\n");
            mylogfile.flush();
            //Thread.sleep(1000);
        },onLeave:function(ret){

        }
    });
}
/**
 * Installs the hooks used for the final data capture, at offsets relative to
 * libcrackme.so's base. 0x2c9a4 is the function entry found via the
 * `0c e0 1f e5` prologue search; 0x2cfb9 gets the generic context dump.
 * The two entries left commented out were used during earlier exploration
 * and stay disabled.
 */
function hook(baseAddr:NativePointer){
    console.log("Hooking");
    const targets: Array<[number, (t: NativePointer, b: NativePointer) => void]> = [
        [0x2c9a4, hook2C9A4],
        [0x2cfb9, hookGeneral],
        // [0x2e447, hook2E447],
        // [0x2dfc9, hook2DFC9],
    ];
    for (const [offset, install] of targets) {
        install(baseAddr.add(offset), baseAddr);
    }
}

观察到 0x2C9A4 处的函数被调用了 32 次,正好对应 64 位 hex 的 serial 解码后的 32 个字节;其参数中出现了 serial 的字节,可以看出核心运算是 xor

 

 

 

将 Name 改成 KCTF,按同样的 xor 逻辑反推,重新计算得到 serial

 

 

 

42A4ECA067F54074C3EB2F177ACB06FE1379055CD4FB2211C3BD874FAD9E101D

 

PS:观察到程序对输入的 serial 没有做 hex 合法性校验,任意非 hex 字符在转换时都会被当作 F 处理

 

因此 serial 并不唯一,存在多解,例如把其中一个 F 换成 Q 也能通过: 42A4ECA067F54074C3EB2F177ACB06QE1379055CD4FB2211C3BD874FAD9E101D


yp太阳神 活跃值 6天前
共同学习,共同进步。