WangDing Cup (网鼎杯) Qinglong Group Reverse Engineering Writeup
bang
- Set up the Frida environment: install Python 3, then pip install frida and pip install frida-tools.
Download the matching frida-server from https://github.com/frida/frida/releases:
frida-server-12.8.20-android-arm.xz
frida-server-12.8.20-android-arm64.xz
frida-server-12.8.20-android-x86.xz
frida-server-12.8.20-android-x86_64.xz
Push frida-server to the phone or emulator with the following commands:
adb push frida-server /data/local/tmp
adb shell chmod 777 /data/local/tmp/frida-server
Run frida-server on the device.
Open another command-line window and run adb forward tcp:27042 tcp:27042
Then launch the apk in the emulator.
Then run the unpacking tool.
- Decompile the unpacked dex with JEB and the flag is visible.
Jocker
1. At the very start of the program, a region of the code segment has its memory attributes changed to readable and writable. The code segment itself is readable and executable, not writable.
2. The length of the input flag string is compared with 24.
3. There are two fake encryption/decryption routines and a function that compares against a fake flag:
#include <stdio.h>

int main(void)
{
    /* fake flag table; byte 9 is 0x56 ('V'), since 0x56 + 9 = '_' in the result below */
    char flag[] = {'f','k','c','d',0x7f,'a','g','d',0x3b,'V','k','a',0x7b,0x26,0x3b,0x50,0x63,0x5f,0x4d,0x5a,0x71,
                   0xc,0x37,0x66, 0};
    for (int i = 0; i <= 23; i++) {
        if (i & 1)
            flag[i] = flag[i] + i;   /* odd index: add i */
        else
            flag[i] = flag[i] ^ i;   /* even index: xor with i */
    }
    printf("%s\n", flag);            /* flag{fak3_alw35_sp_me!!} */
    return 0;
}
4. Decrypt the real flag algorithm and comparison code, which is the code at the address range whose memory attributes were changed in step 1.
The figure below shows the code before decryption.
5. Write a script to decrypt the code:
import ida_bytes

stadd = 0x401500   # start of the encrypted code region
stsize = 186       # the loop patches offsets 0..186 inclusive
for i in range(stsize + 1):
    ch = ord(ida_bytes.get_bytes(stadd + i, 1)) ^ 0x41   # each byte is XORed with 0x41
    ida_bytes.patch_byte(stadd + i, ch)
print("done")
The figure below shows the decrypted code that really computes and compares the flag.
6. Algorithm
The first 19 characters of the input flag are XORed with the first 19 characters of hahahaha_do_you_find_me? and the result is compared with
{0xe,0xd,0x9,0x6,0x13,0x5,0x58,0x56,0x3e,0x6,0xc,0x3c,0x1f,0x57,0x14,0x6b,0x57,0x59,0xd}
If they are equal, the input is the correct flag.
#include <stdio.h>

int main(void)
{
    char key[] = "hahahaha_do_you_find_me?";
    char enflag[] = {0xe,0xd,0x9,0x6,0x13,0x5,0x58,0x56,0x3e,0x6,0xc,0x3c,0x1f,0x57,0x14,
                     0x6b,0x57,0x59,0xd};
    char a;
    /* XOR is its own inverse: key ^ expected value gives the first 19 flag bytes */
    for (int i = 0; i < 19; i++) {   /* enflag has 19 entries, so loop to 19, not 20 */
        a = key[i] ^ enflag[i];
        printf("%c\n", a);
    }
    return 0;
}
# the remaining 5 flag bytes are XORed with 71 (0x47) and compared with this table
a = [0x25, 0x74, 0x70, 0x26, 0x3a]
flag = 'flag{d07abccf8a410c'   # the 19 bytes recovered above
for i in range(len(a)):
    flag += chr(a[i] ^ 71)
print(flag)
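The script below is an added example and is not code from the original writeup. It re-implements the Jocker logic of steps 3, 5 and 6 in one place: the fake-flag decode loop, a pure-Python stand-in for the IDA XOR-0x41 patch loop (xor_region, run here on a constructed 3-byte blob rather than on the binary), and a forward check_flag that mirrors the binary's comparison (length 24, first 19 bytes XORed with the key, last 5 bytes XORed with 0x47) so the recovered flag can be verified against the same rule the binary enforces. Byte 9 of the fake table is taken as 0x56 ('V'), the value that produces the '_' in the stated fake flag; all other tables are copied from the writeup.

```python
# Added example (not from the original writeup): Jocker checks in Python.
from typing import List

# Step 3: fake flag table (byte 9 assumed to be 0x56, 'V') and its decode loop.
FAKE_TABLE = [ord(c) if isinstance(c, str) else c for c in
              ['f', 'k', 'c', 'd', 0x7f, 'a', 'g', 'd', 0x3b, 'V', 'k', 'a',
               0x7b, 0x26, 0x3b, 0x50, 0x63, 0x5f, 0x4d, 0x5a, 0x71, 0xc, 0x37, 0x66]]


def decode_fake_flag(table: List[int]) -> str:
    """Odd index: add i; even index: xor with i (the binary's decoy transform)."""
    out = []
    for i, b in enumerate(table):
        out.append((b + i) & 0xff if i & 1 else b ^ i)
    return "".join(chr(x) for x in out)


# Step 5: the self-modifying code region is XORed with 0x41 byte by byte.
# Pure-Python version of the IDA patch loop, usable on a dumped byte blob.
def xor_region(blob: bytes, start: int, length: int, key: int = 0x41) -> bytes:
    data = bytearray(blob)
    for i in range(start, start + length):
        data[i] ^= key
    return bytes(data)


# Step 6: the real comparison. Tables copied from the writeup.
KEY = b"hahahaha_do_you_find_me?"
ENFLAG = bytes([0xe, 0xd, 0x9, 0x6, 0x13, 0x5, 0x58, 0x56, 0x3e, 0x6, 0xc, 0x3c,
                0x1f, 0x57, 0x14, 0x6b, 0x57, 0x59, 0xd])
TAIL = bytes([0x25, 0x74, 0x70, 0x26, 0x3a])
TAIL_KEY = 71  # 0x47, applied to the last five bytes


def check_flag(candidate: bytes) -> bool:
    """Forward check mirroring the binary: length 24, head XOR key, tail XOR 0x47."""
    if len(candidate) != 24:
        return False
    head_ok = all(candidate[i] ^ KEY[i] == ENFLAG[i] for i in range(19))
    tail_ok = all(candidate[19 + i] ^ TAIL_KEY == TAIL[i] for i in range(5))
    return head_ok and tail_ok


def recover_flag() -> str:
    """Invert the check: XOR is its own inverse, so expected ^ key gives the input."""
    head = bytes(ENFLAG[i] ^ KEY[i] for i in range(19))
    tail = bytes(b ^ TAIL_KEY for b in TAIL)
    return (head + tail).decode()


if __name__ == "__main__":
    print("fake flag:", decode_fake_flag(FAKE_TABLE))
    # constructed sample: "encrypt" three bytes with the same XOR, then undo it
    encrypted = xor_region(b"\x55\x89\xe5", 0, 3)
    print("round trip ok:", xor_region(encrypted, 0, 3) == b"\x55\x89\xe5")
    flag = recover_flag()
    print("real flag:", flag, "passes check:", check_flag(flag.encode()))
```

Writing the forward check first and then asserting that the inverted result passes it is the cheapest way to catch a mis-copied table or an off-by-one in the loop bounds before submitting a flag.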
Signal
1. This is a simple VM-based challenge.
2. The VM's flow control dispatches the corresponding operations.
3. The code array that drives the flow control; the code addresses below correspond to the respective switch cases.
4. Below are the operations the program performs on the input flag: each character is computed and then compared against {0x22,0x3f,0x34,0x32,0x72,0x33,0x18,0xfa7,0x31,0xf1,0x28,0xf84,0xfc1,0x1e,0x7a}.
Per-character constraints on the input (parenthesized to match the C solution below):
input[0]: (0x10 ^ input[0]) - 5 = 0x22
input[1]: (0x20 ^ input[1]) * 3 = 0x3f
input[2]: input[2] - 2 - 1 = 0x34
input[3]: (input[3] + 1) ^ 4 = 0x32
input[4]: input[4] * 3 - 0x21 = 0x72
input[5]: input[5] - 1 - 1 = 0x33
input[6]: (9 ^ input[6]) - 0x20 = 0x18
input[7]: (0x51 + input[7]) ^ 0x24 = 0xfa7
input[8]: input[8] + 1 - 1 = 0x31
input[9]: 2 * input[9] + 0x25 = 0xf1
input[10]: (0x36 + input[10]) ^ 0x41 = 0x28
input[11]: (0x20 + input[11]) * 1 = 0xf84
input[12]: 3 * input[12] + 0x25 = 0xc1
input[13]: (9 ^ input[13]) - 0x20 = 0x1e
input[14]: 0x41 + input[14] + 1 = 0x7a
5. Recover the flag:
#include <stdio.h>

/* each line inverts one constraint; %c prints the low byte of the result */
int main(int argc, char* argv[])
{
printf("%c",(0x10^(0x22+5)));
printf("%c",(0x20^(0x3f/3)));
printf("%c",(0x34+3));
printf("%c",((0x32^4)-1));
printf("%c",((0x72+0x21)/3));
printf("%c",(0x33+2));
printf("%c",(0x9^(0x18+0x20)));
printf("%c",((0xfa7^0x24)-0x51));
printf("%c",(0x31));
printf("%c",((0xf1-0x25)/2));
printf("%c",((0x28^0x41)-0x36));
printf("%c",(0xf84-0x20));
printf("%c",((0xc1-0x25)/3));
printf("%c",((0x1e+0x20)^0x9));
printf("%c\n",(0x7a-0x42));
return 0;
}
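The following Python script is an added example, not code from the original writeup, and it goes a step beyond the hand-inverted C solver above: each per-character constraint is encoded as a chain of (op, operand) steps plus the target value, and a single invert_chain function undoes any such chain by applying the inverse operations in reverse order. The op-chain encoding is my own; the operands and targets are the ones in the constraint table. check_input re-runs the chains forward and compares only the low byte of each side, an assumption that mirrors the %c in the C solver and is what makes targets such as 0xfa7 consistent with a one-byte input; the 15 characters it recovers are the same ones the C program prints.

```python
# Added example (not from the original writeup): generic inversion of the
# Signal VM's per-character op chains.
from typing import Callable, Dict, List, Tuple

Chain = List[Tuple[str, int]]

# (op chain applied to input[i] in order, value compared against), i = 0..14.
CONSTRAINTS: List[Tuple[Chain, int]] = [
    ([("xor", 0x10), ("sub", 5)], 0x22),
    ([("xor", 0x20), ("mul", 3)], 0x3f),
    ([("sub", 2), ("sub", 1)], 0x34),
    ([("add", 1), ("xor", 4)], 0x32),
    ([("mul", 3), ("sub", 0x21)], 0x72),
    ([("sub", 1), ("sub", 1)], 0x33),
    ([("xor", 9), ("sub", 0x20)], 0x18),
    ([("add", 0x51), ("xor", 0x24)], 0xfa7),
    ([("add", 1), ("sub", 1)], 0x31),
    ([("mul", 2), ("add", 0x25)], 0xf1),
    ([("add", 0x36), ("xor", 0x41)], 0x28),
    ([("add", 0x20), ("mul", 1)], 0xf84),
    ([("mul", 3), ("add", 0x25)], 0xc1),
    ([("xor", 9), ("sub", 0x20)], 0x1e),
    ([("add", 0x41), ("add", 1)], 0x7a),
]

FORWARD: Dict[str, Callable[[int, int], int]] = {
    "add": lambda v, k: v + k, "sub": lambda v, k: v - k,
    "mul": lambda v, k: v * k, "xor": lambda v, k: v ^ k,
}
# Inverse of each op; xor is its own inverse, mul is undone by exact division.
INVERSE: Dict[str, Callable[[int, int], int]] = {
    "add": lambda v, k: v - k, "sub": lambda v, k: v + k,
    "mul": lambda v, k: v // k, "xor": lambda v, k: v ^ k,
}


def run_chain(value: int, chain: Chain) -> int:
    """Apply the VM's operations in program order (the forward direction)."""
    for op, k in chain:
        value = FORWARD[op](value, k)
    return value


def invert_chain(target: int, chain: Chain) -> int:
    """Undo the chain from the target backwards; fails if a mul is not exact."""
    value = target
    for op, k in reversed(chain):
        if op == "mul" and value % k:
            raise ValueError(f"target {target:#x} not reachable: {value} not divisible by {k}")
        value = INVERSE[op](value, k)
    return value


def recover_input() -> str:
    """Invert every constraint and keep the low byte, as the C solver's %c does."""
    return "".join(chr(invert_chain(t, c) & 0xff) for c, t in CONSTRAINTS)


def check_input(s: str) -> bool:
    """Forward check. Assumption: the VM compares single bytes, so both sides are masked."""
    if len(s) != len(CONSTRAINTS):
        return False
    return all((run_chain(ord(ch), c) & 0xff) == (t & 0xff)
               for ch, (c, t) in zip(s, CONSTRAINTS))


if __name__ == "__main__":
    recovered = recover_input()
    print(recovered, "passes forward check:", check_input(recovered))
```

Encoding the constraints as data rather than as fifteen hand-written expressions means a transcription error in one operand shows up as a failed forward check or a non-exact division, instead of silently producing a wrong character.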