2018SUSCTF-Mobile题

Wednesday, October 23rd 2019, 4:29 pm

BabyAndroid

常规,JEB反编译

1571714446839.png

根据输入的字符串长度,第一位和97异或,后面跟v0的字符异或,把结果字符串转入a函数中。a函数首先把给出的常量字符串转为数组,把传入的字符串转化为bytes数组,再根据数组长度把每一位做for中&和左移计算,结果为3267347723651E492C1D7E117C1946325D02432D493B0B62067B则为真。所以逆推,由于一次计算拼接两位,所以按照两位为一个字符计算。其中含有字母,调试得知是对应的十六进制数。

  1. #coding:utf-8
  3. strs = "3267347723651E492C1D7E117C1946325D02432D493B0B62067B"
  5. num = []
  6. for i in range(0, len(strs)):
  7. 	num.append(strs[i])   #52
  9. nums = []
  10. id = 0
  11. while id < 52:
  12. 	for i in range(0,200):
  13. 		if str((i & 0xF0) >> 4) == num[id]:
  14. 			if hex(i & 15).replace('0x','').upper() == num[id+1]:
  15. 				nums.append(i)
  16. 				break
  17. 	id = id + 2
  19. flag = []
  20. for i in range(0, len(nums)):
  21. 	if i == 0:
  22. 		first = nums[i] ^ 97
  23. 		flag.append(first)
  24. 	else:
  25. 		sc = nums[i] ^ nums[i-1]
  26. 		flag.append(sc)
  28. text = ''
  29. for i in flag:
  30. 	text = text + chr(i)
  31. print(text)
  34. >>> SUSCTF{We1come_to_Andr0id}

后来看了其他资料,才发现a函数下面的for循环就是找16进制对应的十进制数,如

  1. >>> int('32',16)
  2. 50
  3. 其中是利用50找到对应的十进制32.

这个点卡了N久,看到一份别人的poc写的是相当简洁了。

CrackMe

又是一个native层的APP。

1571734248316.png

IDA打开伪代码

1571801738496.png

根据汇编得知,中间for循环处操作的是数组

1571815444600.png

其中v11是给出的数据块,按照int型,四位一个字段,正好28个字段。

1571815444618.png

按照Java层逻辑和伪代码写出c代码为

  1. #include <stdio.h>
  2. #include <stdlib.h>
  4. int main(){
  5. 	int v11[28] = {0x571a9693,0x23a96034,0x6a943d8c,0x1f9222ed,0x73887c81,0x5c13a257,0x26407522,0x13646a3a,0x2139537f,0x35415c5f,0x321304b7,0x238a8c26,0xd7307f6,0x622d5268,0x7c3d2e04,0x72198f7e,0x7df76af2,0x4e8431aa,0x28650861,0xfd8e3e9,0x196c1f1a,0x5fe8ab3,0x1231495d,0x5359d998,0x35fcfde0,0x3b2d0dd4,0x61113e45,0x314c57b8};   //小端字节序
  6. 	int v0[28] = {0};
  7. 	int string[28] = {0};   //未定义,引入的参数变量
  8. 	int i;
  9. 	for (i=0; i<28; i++){
  10. 		if (i == 0){
  11. 			v0[i] = string[i] ^ 0xFF;
  12. 		}
  13. 		else{
  14. 			v0[i] = string[i] ^ string[i-1];
  15. 		}
  16. 	}
  18. 	srand(0x133ED6B);
  19. 	int v4[28] = {0};
  20. 	for (i=0; i<28; i++){
  21. 		v4[i] = v0[i] - rand();
  22. 		if (v11[i] != v4[i]){
  23. 			int v10 = 0;
  24. 			return v10;
  25. 		}
  26. 	int v10 = 1;
  27. 	printf("%c",v10);
  28. 	return v10;
  29. 	}
  31. }

也就是我们需要反向求出string的值

  1. #include <stdio.h>
  2. #include <stdlib.h>
  4. int main(){
  5. 	int v11[28] = {0x571a9693,0x23a96034,0x6a943d8c,0x1f9222ed,0x73887c81,0x5c13a257,0x26407522,0x13646a3a,0x2139537f,0x35415c5f,0x321304b7,0x238a8c26,0xd7307f6,0x622d5268,0x7c3d2e04,0x72198f7e,0x7df76af2,0x4e8431aa,0x28650861,0xfd8e3e9,0x196c1f1a,0x5fe8ab3,0x1231495d,0x5359d998,0x35fcfde0,0x3b2d0dd4,0x61113e45,0x314c57b8};
  6. 	int v0[28] = {0};
  7. 	srand(0x133ED6B);
  8. 	for (int i=0; i<28; i++){
  9. 		v0[i] = v11[i] - rand();
  10. 	}
  12. 	int string[28] = {0};
  13. 	for (int i=0; i<28; i++){
  14. 		if (i==0)
  15. 			string[i] = v0[i] ^ 0xFF;
  16. 		else{
  17. 			string[i] = v0[i] ^ v0[i-1];
  18. 		}
  19. 	}
  21. 	for (int i=0; i<28; i++){
  22. 		printf("%c", string[i]);
  23. 	}
  24. 	return 0;
  25. }

但是尴尬的是算出来的是乱码

1571816373431.png

然后没有找到这题的wp….也没找到其他问题的存在点。就这样吧,毕竟是汇编渣渣。



原文作者:Misaki

原文链接:https://misakikata.github.io/2019/10/2018SUSCTF-Mobile%E9%A2%98/

发表日期:October 23rd 2019, 4:29:20 pm

更新日期:January 9th 2023, 11:57:04 am

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可



# Android逆向