刷Android CTF题,感觉涉及的点不错,分享一下做题过程。
题目:
2015 RCTF / 攻防世界高手区 where
描述(提示):
Where is the flag.(The flag should include RCTF{})
hint: where is body
hint2: the KEY is visible strings, -k -nosalt
涉及的漏洞点:
1、炸弹引爆
2、dex修复
>>>> 1. 炸弹引爆
1. 炸弹引爆
这道题的隐藏点是/META-INFO文件夹中,关于隐藏点看如下图:
>>>> 2. dex修复
2. dex修复
header : DEX 文件头,记录了一些当前文件的信息以及其他数据结构在文件中的偏移量string_ids : 字符串的偏移量type_ids : 类型信息的偏移量proto_ids : 方法声明的偏移量field_ids : 字段信息的偏移量method_ids : 方法信息(所在类,方法声明以及方法名)的偏移量class_def : 类信息的偏移量data : :数据区link_data : 静态链接数据区
>>>> 1. 查看apk
1. 查看apk
(1)assets/abc
基本上这道题的思路就出来了,按漏洞点的思路找到隐藏的dex。
(2)META-INF/CERT.RSA
按照漏洞点隐藏代码应该是追加在CERT.RSA尾部,CERT.RSA大小是1396394-1395072 = 1322(0x52A)。
在0x52A附近可以找到如下线索:
DEX=
aes-128-cbc
根据题目的提示,DEX=之后的信息应该是dex body,需要是openssl进行解密获得真正的body。
openssl enc -d -aes-128-cbc -in body -out decrypted -k 'Misc@inf0#fjhx11' -nosalt解密后:decode_body
(3)META-INF/y
>>>> 2.dex修复还原
2.dex修复还原
(1)dex header+body
修复前:
(2)dex2jar
/* access modifiers changed from: protected */public void onCreate(Bundle bundle) {throw new VerifyError("bad dex opcode");}
CODE:00097390 # Source file: MainActivity.javaCODE:00097390 protected void com.example.hello.MainActivity.onCreate(CODE:00097390 android.os.Bundle savedInstanceState)CODE:00097390 this = v6CODE:00097390 savedInstanceState = v7CODE:00097390 0000 nopCODE:00097392 .prologue_endCODE:00097392 .line 15CODE:00097392 0000 nopCODE:00097394 0000 nopCODE:00097396 0000 nopCODE:00097398 .line 16CODE:00097398 0000 nopCODE:0009739A 0000 nopCODE:0009739C 0000 nopCODE:0009739E 0000 nopCODE:000973A0 0000 nopCODE:000973A2 0000 nopCODE:000973A4 .line 17CODE:000973A4 0000 nopCODE:000973A6 0000 nopCODE:000973A8 0000 nopCODE:000973AA 0000 nopCODE:000973AC 0000 nopCODE:000973AE 0000 nopCODE:000973B0 0000 nopCODE:000973B2 .local name:'strb' type:'Ljava/lang/StringBuilder;'CODE:000973B2 strb = v1CODE:000973B2 .line 18CODE:000973B2 0000 nopCODE:000973B4 0000 nopCODE:000973B6 0000 nopCODE:000973B8 0000 nopCODE:000973BA 0000 nopCODE:000973BC 0000 nopCODE:000973BE .line 19CODE:000973BE 0000 nopCODE:000973C0 0000 nopCODE:000973C2 0000 nopCODE:000973C4 0000 nopCODE:000973C6 0000 nopCODE:000973C8 0000 nopCODE:000973CA 0000 nopCODE:000973CC .line 20CODE:000973CC 0000 nopCODE:000973CE 0000 nopCODE:000973D0 0000 nopCODE:000973D2 0000 nopCODE:000973D4 0000 nopCODE:000973D6 0000 nopCODE:000973D8 0000 nopCODE:000973DA 0000 nopCODE:000973DC 0000 nopCODE:000973DE .line 21CODE:000973DE 0000 nopCODE:000973E0 0000 nopCODE:000973E2 0000 nopCODE:000973E4 0000 nopCODE:000973E6 0000 nopCODE:000973E8 0000 nopCODE:000973EA 0000 nopCODE:000973EC 0000 nopCODE:000973EE .line 22CODE:000973EE 0000 nopCODE:000973F0 0000 nopCODE:000973F2 0000 nopCODE:000973F4 0000 nopCODE:000973F6 .local name:'flag' type:'Ljava/lang/String;'CODE:000973F6 flag = v0CODE:000973F6 .line 23CODE:000973F6 0000 nopCODE:000973F8 0000 nopCODE:000973FA 0000 nopCODE:000973FC 0000 nopCODE:000973FE 0000 nopCODE:00097400 0000 nopCODE:00097402 0000 nopCODE:00097404 0000 nopCODE:00097406 0000 nopCODE:00097408 0000 nopCODE:0009740A 0000 nopCODE:0009740C 0000 nopCODE:0009740E 0000 nopCODE:00097410 0000 nopCODE:00097412 0000 nopCODE:00097414 0000 nopCODE:00097416 0000 nopCODE:00097418 0000 nopCODE:0009741A 0000 nopCODE:0009741C 0000 nopCODE:0009741E 0000 nopCODE:00097420 0000 nopCODE:00097422 .line 24CODE:00097422 0000 nopCODE:00097422 Method EndCODE:00097422 # ---------------------------------------------------------------------------
(3)修复onCreate
找到0x97390在dex中的位置:
public String seed = "m3ll0t_yetFLag";/* access modifiers changed from: protected */public void onCreate(Bundle bundle) {super.onCreate(bundle);setContentView((int) R.layout.activity_main);StringBuilder sb = new StringBuilder(this.seed);sb.replace(0, 1, "h");sb.replace(5, 6, "2");sb.replace(10, 11, "f");sb.replace(7, 8, "G");Toast.makeText(this, "flag is " + sb.toString(), 0).show();}
2、简单修复onCreate
3、修复过程中的文件在附件中
4、了解一个Android漏洞
看雪ID:neilwu
https://bbs.pediy.com/user-590753.htm
推荐文章++++
好书推荐
文章来源: http://mp.weixin.qq.com/s?__biz=MjM5NTc2MDYxMw==&mid=2458304064&idx=2&sn=c450fdd55e6575c96a83c1aed7b2d894&chksm=b1818eca86f607dc739afb2fb9eb1ceee8257ddf1ca257839d93c7c9fb2192d6bae14c5f9050#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh