[原创]2022KCTF秋季赛第三题水患猖獗

[原创]2022KCTF秋季赛第三题水患猖獗
2022-11-21 11:2:26 Author: bbs.pediy.com(查看原文) 阅读量:17 收藏

[原创]2022KCTF秋季赛第三题水患猖獗

4小时前 220

分析Java层

逻辑简单，输入name，serial，加载libcrackme.so，返回一个字符串表示结果

分析native层

根据之前的经验，frida hook NewStringUTF获取最后打印的字符串，找到调用位置，部分hook代码如下

function hookart(){

var baseAddr = Module.findBaseAddress("/apex/com.android.runtime/lib/libart.so");

//var baseAddr = Module.findExportByName(null,"_ZN3art12_GLOBAL__N_18CheckJNI12NewStringUTFEP7_JNIEnvPKc");

console.log("Art",baseAddr)

Interceptor.attach(baseAddr.add(0x2C8581),

{

onEnter: function (args)

{

//console.log("NewString:" + args[1].readCString());

if((args[1].readCString() == "不对!再探再报" || args[1].readCString() == "祝贺,闯关顺利")){

console.log(args[1].readCString(),args[1]);

var mainAddr = Module.findBaseAddress("libcrackme.so");

console.log("Return Addr:" + (this.context as any).lr.sub(mainAddr));

console.log(' called from:\n' +

Thread.backtrace(this.context, Backtracer.ACCURATE)

.map(DebugSymbol.fromAddress).join('\n') + '\n');

for(var i=0;i<64;i++){

if((this.context as any).sp.add(i*4).readPointer().sub(mainAddr).toUInt32() < 0x50000){

console.warn("[!!]"+(this.context as any).sp.add(i*4).readPointer(),(this.context as any).sp.add(i*4).readPointer().sub(mainAddr));

}

else{

console.log((this.context as any).sp.add(i*4).readPointer(),(this.context as any).sp.add(i*4).readPointer().sub(mainAddr));

}

console.log(hexdump(args[1].add(0xe0),{

offset:0,

length:128,

header:true,

ansi:true

}));

console.log(JSON.stringify(this.context));

console.log(hexdump(this.context.sp.sub(0),{

offset:0,

length:128,

header:true,

ansi:true

}));

memset_log = false;

mylogfile.close();

//debugger;

}

},

onLeave: function (ret)

{

}

);

}

经过B BX BL指令后，ghidra识别出了一个函数头，以 0c e0 1f e5 为特征

观察数据部分，找到结果字符串的位置，做一个xor 解密

字符串offset 为0x13，ghidra暴力将所有数据以thumb解析后，搜索0x13

找到函数头，搜索0c e0 1f e5向上搜索，找到2c9a4

hook获取数据，部分hook代码如下

function hookGeneral(targetAddr:NativePointer,baseAddr:NativePointer){

Interceptor.attach(targetAddr,{

onEnter:function(args){

var mylog = "";

console.log("[Hook General]" +JSON.stringify(this.context))

mylog += "[Hook General]" + JSON.stringify(this.context) +"\n";

mylogfile.write(mylog);

mylogfile.flush();

Thread.sleep(3);

},onLeave:function(ret){

}

});

}

function hook2DFC9(targetAddr:NativePointer,baseAddr:NativePointer){

Interceptor.attach(targetAddr,{

onEnter:function(args){

var mylog = "";

console.log("[2DFC9]" +(this.context)['r8'])

mylog += "[2DFC9]" +(this.context)['r8'] +"\n";

mylogfile.write(mylog);

mylogfile.flush();

//Thread.sleep(1000);

},onLeave:function(ret){

}

});

}

function hook2E447(targetAddr:NativePointer,baseAddr:NativePointer){

Interceptor.attach(targetAddr,{

onEnter:function(args){

var mylog = "";

console.log((this.context)['r11'].readDouble() + " " + (this.context)['d9']);

//Thread.sleep(1000);

},onLeave:function(ret){

}

});

}

function hook2C9A4(targetAddr:NativePointer,baseAddr:NativePointer){

Interceptor.attach(targetAddr,{

onEnter:function(args){

var mylog = "";

console.log("" + (this.context)['r4'] +" "+ (this.context)['r3'] +" "+ (this.context)['r1'] +" "+ (this.context)['r0'] +" ");

mylog += "" + (this.context)['r4'] +" "+ (this.context)['r3'] +" "+ (this.context)['r1'] +" "+ (this.context)['r0'] +"\n";

mylogfile.write(mylog);

mylogfile.flush();

//Thread.sleep(1000);

},onLeave:function(ret){

}

});

}

function hook(baseAddr:NativePointer){

console.log("Hooking");

hook2C9A4(baseAddr.add(0x2c9a4),baseAddr);

hookGeneral(baseAddr.add(0x2cfb9),baseAddr);

// hook2E447(baseAddr.add(0x2e447),baseAddr);

// hook2DFC9(baseAddr.add(0x2dfc9),baseAddr);

}

观察到2C9A4调用了32次，其中包含了serial，发现xor

将Name改成KCTF，重新计算得到serial

42A4ECA067F54074C3EB2F177ACB06FE1379055CD4FB2211C3BD874FAD9E101D

PS：观察到程序随意输入非hex字符，导致转换时会被视作F

出现多解 42A4ECA067F54074C3EB2F177ACB06QE1379055CD4FB2211C3BD874FAD9E101D

[2022冬季班]《安卓高级研修班(网课)》月薪两万班招生中～

文章来源: https://bbs.pediy.com/thread-275247.htm
如有侵权请联系:admin#unsafe.sh