网鼎杯青龙组 (WangDing Cup, Qinglong division) reverse engineering writeup

bang

  1. Set up the frida environment: install python3, then `pip install frida` and `pip install frida-tools`.

Download the frida-server build matching the device from https://github.com/frida/frida/releases:

 

frida-server-12.8.20-android-arm.xz

frida-server-12.8.20-android-arm64.xz

frida-server-12.8.20-android-x86.xz

frida-server-12.8.20-android-x86_64.xz

 

Push frida-server to the phone or emulator with the following commands:

```shell
adb push frida-server /data/local/tmp
adb shell chmod 777 /data/local/tmp/frida-server
```

Run frida-server on the device (from an adb shell, e.g. `/data/local/tmp/frida-server &`).

Open another command-line window and run `adb forward tcp:27042 tcp:27042`.

Then launch the apk in the emulator.

Then run the unpacking (dex dump) tool.

  2. Decompile the dumped dex with JEB and the flag is visible.

Jocker

 

1. Right at the start, the program changes the protection of a region of its code section to readable and writable. The code section itself is readable and executable, but not writable.

2. It checks whether the input flag string has length 24.

3. There are two fake encrypt/decrypt routines plus a comparison against a fake flag:

 

```c
#include <stdio.h>

int main(void)
{
    /* Table the binary decodes into the decoy flag. Index 9 is 'V' (0x56):
       0x56 + 9 = 0x5f '_', the underscore in the decoded string. */
    char flag[] = {'f','k','c','d',0x7f,'a','g','d',0x3b,'V','k','a',
                   0x7b,0x26,0x3b,0x50,0x63,0x5f,0x4d,0x5a,0x71,0x0c,0x37,0x66};
    for (int i = 0; i <= 23; i++) {
        if (i & 1)
            flag[i] = flag[i] + i;   /* odd index: add the index */
        else
            flag[i] = flag[i] ^ i;   /* even index: XOR with the index */
    }
    printf("%.24s\n", flag);         /* flag{fak3_alw35_sp_me!!} */
    return 0;
}
```

 

 

4. The real flag algorithm and its comparison code are decrypted at runtime; this is the region whose memory protection was changed in step 1.

The figure below shows the code before decryption.

5. Script to decrypt the code (IDAPython):

```python
import ida_bytes

stadd = 0x401500      # start of the encrypted code region
stsize = 186          # last offset to patch (the loop below is inclusive)
i = 0
while i <= stsize:
    # every byte of the region is XORed with 0x41; XOR is its own inverse
    ch = ida_bytes.get_byte(stadd + i) ^ 0x41
    ida_bytes.patch_byte(stadd + i, ch)
    i += 1
print("done")
```
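The IDAPython script above only patches the IDA database; to obtain a patched executable the virtual address has to be mapped to a file offset and the bytes written into the file. The following is an added example, not code from the writeup, that does the same XOR-0x41 decryption on a raw file image. The section table, the image and the "plaintext" bytes are constructed for the example; `va_to_file_offset` is a simplified stand-in for reading real PE section headers.

```python
# Added example (not from the writeup): an IDA-independent version of the
# XOR-0x41 patch, applied to raw file bytes instead of the IDA database.
# The section table and the sample image below are constructed for this example.

XOR_KEY = 0x41
REGION_VA = 0x401500       # start address from the writeup
REGION_SIZE = 187          # the writeup's loop patches i = 0..186, i.e. 187 bytes


def va_to_file_offset(va, sections):
    """Map a virtual address to a raw file offset using a PE-style section table.

    `sections` is a list of (virtual_address, raw_pointer, raw_size) tuples,
    a constructed, simplified stand-in for the real section headers.
    """
    for sec_va, raw_ptr, raw_size in sections:
        if sec_va <= va < sec_va + raw_size:
            return raw_ptr + (va - sec_va)
    raise ValueError(f"VA {va:#x} is not backed by any section")


def xor_region(image, offset, size, key=XOR_KEY):
    """Return a copy of `image` with `size` bytes at `offset` XORed with `key`.

    XOR with a constant is an involution: applying it twice restores the
    original bytes, which is why one routine both hides and reveals the
    self-modifying region.
    """
    if offset < 0 or offset + size > len(image):
        raise ValueError("region does not fit inside the image")
    out = bytearray(image)
    for i in range(offset, offset + size):
        out[i] ^= key
    return bytes(out)


def decrypt_code_region(image, sections, va=REGION_VA, size=REGION_SIZE):
    """Decrypt the self-modifying region inside a raw file image."""
    return xor_region(image, va_to_file_offset(va, sections), size)


# Constructed sample: a hypothetical .text section at VA 0x401000 whose raw
# data starts at file offset 0x400; the plaintext region is filler bytes.
SECTIONS = [(0x401000, 0x400, 0x1000)]
PLAINTEXT = b"\x55\x8b\xec" + bytes(range(REGION_SIZE - 3))


def build_sample_image():
    """Build a 0x2000-byte image with the region stored XOR-encrypted."""
    image = bytearray(0x2000)
    off = va_to_file_offset(REGION_VA, SECTIONS)
    image[off:off + REGION_SIZE] = xor_region(PLAINTEXT, 0, REGION_SIZE)
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    dec = decrypt_code_region(img, SECTIONS)
    off = va_to_file_offset(REGION_VA, SECTIONS)
    print(dec[off:off + 3].hex())   # 558bec: the constructed region is restored
```

Before patching a real file, confirm that the decrypted bytes disassemble to sensible code at the region start; if they do not, the address, size or key was wrong and the XOR can simply be applied again to undo it.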

The figure below shows the decrypted code that actually computes and compares the flag.

6. Algorithm

19 characters of the input flag are XORed with the first 19 characters of hahahaha_do_you_find_me? and the result is compared against

{0xe,0xd,0x9,0x6,0x13,0x5,0x58,0x56,0x3e,0x6,0xc,0x3c,0x1f,0x57,0x14,0x6b,0x57,0x59,0xd}

If they are equal, the flag is correct.

```c
#include <stdio.h>

int main(void)
{
    char key[] = "hahahaha_do_you_find_me?";
    /* 19 target bytes: only the first 19 characters of the input are checked here */
    unsigned char enflag[] = {0x0e,0x0d,0x09,0x06,0x13,0x05,0x58,0x56,0x3e,0x06,0x0c,
                              0x3c,0x1f,0x57,0x14,0x6b,0x57,0x59,0x0d};
    char a;
    for (int i = 0; i < 19; i++) {      /* 19, not 20: enflag has 19 entries */
        a = key[i] ^ enflag[i];
        printf("%c\n", a);
    }
    return 0;
}
```

```python
# The remaining 5 bytes are recovered by XORing the second table with 71 (0x47)
a = [0x25, 0x74, 0x70, 0x26, 0x3a]
flag = 'flag{d07abccf8a410c'      # first 19 characters from the C program above
for i in range(len(a)):
    flag += chr(a[i] ^ 71)
print(flag)
```
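Both Jocker checks in one place, as an added example that is not the writeup's own code: the forward check the decrypted code performs on an input string (length 24, 19-byte XOR against the key, 5-byte XOR against 71) and its inverse. The tables and keys are the ones given in the writeup; that the binary compares the tail exactly as `check_real` does is an assumption reconstructed from the writeup's Python snippet.

```python
# Added example (not the writeup's code): Jocker's decoy and real flag checks,
# written as the forward check plus its inverse. Constants come from the writeup.

FAKE_TABLE = bytes([0x66, 0x6b, 0x63, 0x64, 0x7f, 0x61, 0x67, 0x64, 0x3b, 0x56,
                    0x6b, 0x61, 0x7b, 0x26, 0x3b, 0x50, 0x63, 0x5f, 0x4d, 0x5a,
                    0x71, 0x0c, 0x37, 0x66])     # index 9 = 0x56 decodes to '_'
KEY = b"hahahaha_do_you_find_me?"
ENFLAG = bytes([0x0e, 0x0d, 0x09, 0x06, 0x13, 0x05, 0x58, 0x56, 0x3e, 0x06, 0x0c,
                0x3c, 0x1f, 0x57, 0x14, 0x6b, 0x57, 0x59, 0x0d])
TAIL_ENC = bytes([0x25, 0x74, 0x70, 0x26, 0x3a])   # second table from the writeup
TAIL_KEY = 71                                      # XOR key for the last 5 bytes
FLAG_LEN = 24


def fake_flag():
    """Decode the decoy flag: odd indexes add i, even indexes XOR i."""
    out = bytearray(FAKE_TABLE)
    for i in range(len(out)):
        out[i] = (out[i] + i) & 0xff if i & 1 else out[i] ^ i
    return out.decode()


def check_real(candidate: str) -> bool:
    """Forward check (assumed layout): length 24, 19-byte XOR, 5-byte XOR."""
    data = candidate.encode()
    if len(data) != FLAG_LEN:            # step 2 of the writeup: length must be 24
        return False
    head = bytes(c ^ k for c, k in zip(data[:19], KEY[:19]))
    tail = bytes(c ^ TAIL_KEY for c in data[19:])
    return head == ENFLAG and tail == TAIL_ENC


def real_flag():
    """Invert check_real: XOR is its own inverse, so apply the same keys again."""
    head = bytes(e ^ k for e, k in zip(ENFLAG, KEY))
    tail = bytes(e ^ TAIL_KEY for e in TAIL_ENC)
    return (head + tail).decode()


if __name__ == "__main__":
    print(fake_flag())            # flag{fak3_alw35_sp_me!!}
    f = real_flag()
    print(f, check_real(f))       # flag{d07abccf8a410cb37a} True
```

Running `check_real` on the decoy flag returns False, which is the quickest way to confirm that the string printed by the first comparison routine is not the one the decrypted code accepts.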

 

 

Signal

 

1. This challenge is a simple virtual machine.

2. The VM's control flow dispatches to the corresponding operations.

3. The array of code executed by the control flow; the code addresses below correspond to the respective cases.

4. Below is the processing the program applies to the input flag: each character is transformed and compared against {0x22,0x3f,0x34,0x32,0x72,0x33,0x18,0xfa7,0x31,0xf1,0x28,0xf84,0xfc1,0x1e,0x7a}:

 1. 10h^input[0]-5=22h
 2. (20h^input[1])*3=3Fh
 3. input[2]-2-1=34h
 4. (input[3]+1)^4=32h
 5. input[4]*3-21h=72h
 6. input[5]-1-1=33h
 7. 9^input[6]-20h=18h
 8. (51h+input[7])^24h=FA7h
 9. input[8]+1-1=31h
10. 2*input[9]+25h=F1h
11. (36h+input[10])^41h=28h
12. (20h+input[11])*1=F84h
13. 3*input[12]+25h=C1h
14. 9^input[13]-20h=1Eh
15. 41h+input[14]+1=7Ah

 

5. Recover the flag:

```c
#include <stdio.h>

/* Invert each of the 15 equations above. printf("%c") keeps only the low byte,
   which is why targets such as 0xfa7 still produce a printable character. */
int main(int argc, char* argv[])
{
    printf("%c", (0x10 ^ (0x22 + 5)));
    printf("%c", (0x20 ^ (0x3f / 3)));
    printf("%c", (0x34 + 3));
    printf("%c", ((0x32 ^ 4) - 1));
    printf("%c", ((0x72 + 0x21) / 3));
    printf("%c", (0x33 + 2));
    printf("%c", (0x9 ^ (0x18 + 0x20)));
    printf("%c", ((0xfa7 ^ 0x24) - 0x51));
    printf("%c", (0x31));
    printf("%c", ((0xf1 - 0x25) / 2));
    printf("%c", ((0x28 ^ 0x41) - 0x36));
    printf("%c", (0xf84 - 0x20));
    printf("%c", ((0xc1 - 0x25) / 3));
    printf("%c", ((0x1e + 0x20) ^ 0x9));
    printf("%c\n", (0x7a - 0x42));

    return 0;
}
```
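Inverting each VM equation by hand, as the C program above does, is error-prone once multiplications are involved. The following added example (not the writeup's code) describes every position by its forward operation and target from the table above and recovers each character by brute force over printable bytes, then re-checks the result forwards. Comparing only the low byte of the VM result mirrors the `%c` truncation in the writeup's program and is an assumption made here to reproduce its answer; the `verify` function and the ambiguity check are additions.

```python
# Added example (not the writeup's code): brute-force solver for the 15 Signal
# equations. Each entry is (forward operation, compare value) from the writeup.
# Only the low byte of the result is compared, matching the writeup's use of %c.

CHECKS = [
    (lambda c: (0x10 ^ c) - 5,        0x22),
    (lambda c: (0x20 ^ c) * 3,        0x3f),
    (lambda c: c - 2 - 1,             0x34),
    (lambda c: (c + 1) ^ 4,           0x32),
    (lambda c: c * 3 - 0x21,          0x72),
    (lambda c: c - 1 - 1,             0x33),
    (lambda c: (9 ^ c) - 0x20,        0x18),
    (lambda c: (0x51 + c) ^ 0x24,     0xfa7),
    (lambda c: c + 1 - 1,             0x31),
    (lambda c: 2 * c + 0x25,          0xf1),
    (lambda c: (0x36 + c) ^ 0x41,     0x28),
    (lambda c: (0x20 + c) * 1,        0xf84),
    (lambda c: 3 * c + 0x25,          0xfc1),
    (lambda c: (9 ^ c) - 0x20,        0x1e),
    (lambda c: 0x41 + c + 1,          0x7a),
]

PRINTABLE = range(0x20, 0x7f)


def solve_position(op, target, alphabet=PRINTABLE):
    """Return every printable byte whose low-byte result matches the target."""
    return [c for c in alphabet if (op(c) & 0xff) == (target & 0xff)]


def solve_flag():
    """Solve each position independently; fail loudly if any is ambiguous."""
    out = []
    for idx, (op, target) in enumerate(CHECKS):
        hits = solve_position(op, target)
        if len(hits) != 1:
            raise ValueError(f"position {idx}: {len(hits)} candidates {hits}")
        out.append(hits[0])
    return bytes(out).decode()


def verify(candidate: str) -> bool:
    """Forward check: does every character satisfy its equation?"""
    data = candidate.encode()
    return len(data) == len(CHECKS) and all(
        (op(c) & 0xff) == (t & 0xff) for c, (op, t) in zip(data, CHECKS))


if __name__ == "__main__":
    flag = solve_flag()
    print(flag, verify(flag))   # 757515121f3d478 True
```

The ambiguity check matters for the multiply-by-2 position: modulo 256 that equation has two solutions, and restricting the search to printable bytes is what makes it unique.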