Android逆向解题-GKCTF2021-App-debug

字数统计: 1.1k字   |   阅读时长≈ 6分

GKCTF2021-App-debug

Android逆向解题-[GKCTF2021] App-debug

题目

[GKCTF 2021]App-debug | NSSCTF

Java层

没啥东西:

1
2
if (mainActivity.check(mainActivity.mEtflag.getText().toString())) {

直接看Native

Native层

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
// public native boolean check(String str);
__int64 __fastcall Java_com_example_myapplication_MainActivity_check(JNIEnv *env, jclass clazz, jstring str)
{
  int i; // [xsp+24h] [xbp-4Ch]
  unsigned __int8 ret; // [xsp+4Ch] [xbp-24h]
  char v6[24]; // [xsp+50h] [xbp-20h] BYREF
  __int64 v7; // [xsp+68h] [xbp-8h]

  v7 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
    // str用GB2312编码,然后再变成字节数组
  sub_3FE20(env, (__int64)str, (__int64)v6);
  if ( strlen_0(v6) == 8 )
  {
    for ( i = 0; i <= 6; ++i )                  // 最后一个字节没用上
      byte_C80E0[i] = *(_BYTE *)sub_40064(v6, i);
    ret = sub_3ED8C(byte_C80E0);	// 魔改TEA
  }
  else
  {
    ret = 0;
  }
  sub_3FC04(v6);
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return ret;
}

TEA:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
bool __fastcall sub_3ED8C(unsigned int *a1)
{
  unsigned int i; // [xsp+20h] [xbp-20h]
  int sum; // [xsp+24h] [xbp-1Ch]
  unsigned int v1; // [xsp+28h] [xbp-18h]
  unsigned int v0; // [xsp+2Ch] [xbp-14h]

  v0 = *a1;
  v1 = a1[1];
  sum = 0;
  for ( i = 0; i < 32; ++i )
  {
    sum += delta;
    v0 += (16 * v1 + dword_C8000) ^ (v1 + sum) ^ ((v1 >> 5) + dword_C8004);
    v1 += (16 * v0 + dword_C8008) ^ (v0 + sum) ^ ((v0 >> 5) + dword_C800C);
  }
  *a1 = v0;
  a1[1] = v1;
  return *a1 == 0xF5A98FF3 && a1[1] == 0xA21873A3;
}

Frida Hook脚本

通过Hook来读取TEA函数加密前后的值,来辅助解密脚本的编写。

同时也获得了具体的Key,防止Key被动态修改。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
let mod = Module.findBaseAddress("libnative-lib.so")
let offset = ptr(0x3ed8c)

let dword_C8000 = mod.add(0xC8000).readUInt()
let dword_C8004 = mod.add(0xC8004).readUInt()
let dword_C8008 = mod.add(0xC8008).readUInt()
let dword_C800C = mod.add(0xC800C).readUInt()

console.log("")
console.log(dword_C8000)
console.log(dword_C8004)
console.log(dword_C8008)
console.log(dword_C800C)

let sub_3ED8C = mod.add(offset)

Interceptor.attach(sub_3ED8C, {
    onEnter(args) {
        console.log(`[0x${args[0].readUInt().toString(16)}, 0x${args[0].add(4).readUInt().toString(16)}]`)
        this.a1 = args[0]
        
    },
    onLeave(retval) {

        console.log(`a1[0]:0x${this.a1.readUInt().toString(16)}, a1[1]:0x${this.a1.add(4).readUInt().toString(16)}`)
        console.log("")
    }
})

解题脚本

注意4个字节的key,在so里面还动态修改了一下。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
from ctypes import *

def encrypt(v, k):
    v0 = c_uint32(v[0])
    v1 = c_uint32(v[1])
    summ = c_uint32(0)
    delta = 0x458BCD42

    k0, k1, k2, k3 = c_uint32(k[0]), c_uint32(k[1]), c_uint32(k[2]), c_uint32(k[3])
    
    # print("%#x %#x" % (v0.value, v1.value))
    # print("%#x %#x %#x %#x" % (k0.value, k1.value, k2.value, k3.value))

    w = [0,0]
    for i in range(32):
        summ.value += delta
        v0.value += ((v1.value << 4) + k0.value) ^ (v1.value + summ.value) ^ ((v1.value >> 5) + k1.value)
        v1.value += ((v0.value << 4) + k2.value) ^ (v0.value + summ.value) ^ ((v0.value >> 5) + k3.value)
    w[0], w[1] = v0, v1
    return w

def decrypt(v, k):
    v0 = c_uint32(v[0])
    v1 = c_uint32(v[1])
    delta = 0x458BCD42

    summ = c_uint32(32*delta)

    k0, k1, k2, k3 = c_uint32(k[0]), c_uint32(k[1]), c_uint32(k[2]), c_uint32(k[3])
    
    # print("%#x %#x" % (v0.value, v1.value))
    # print("%#x %#x %#x %#x" % (k0.value, k1.value, k2.value, k3.value))

    w = [0,0]
    for i in range(32):
        v1.value -= ((v0.value << 4) + k2.value) ^ (v0.value + summ.value) ^ ((v0.value >> 5) + k3.value)
        v0.value -= ((v1.value << 4) + k0.value) ^ (v1.value + summ.value) ^ ((v1.value >> 5) + k1.value)
        summ.value -= delta
    w[0], w[1] = v0, v1
    return w


v = [0x34333231, 0xb3373635]
k = [9,7,8,6]
ret = encrypt(v,k)
print("%#x %#x" % (ret[0].value, ret[1].value))
enc = [0xF5A98FF3, 0xA21873A3]
# enc = [ret[0].value, ret[1].value]
dec = decrypt(enc,k)
print("%#x %#x" % (dec[0].value, dec[1].value))

print(b'\x47\x4b\x63\x54\x46\x67\x30')

import hashlib
md5o = hashlib.md5()
md5o.update(b'GKcTFg0')
print(md5o.hexdigest())

最后一个字节解密后发现实际上是空字节b’\x00’,不过这玩意根本不好输入到框内。隔着就是玩呗。

最后根据提示,把b'GKcTFg0'MD5哈希一下就好了。

反调试

根据其他尝试动调so的WP,这个so里面有反调试逻辑。

直接搜索调用strstr函数的调用点发现:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
__int64 sub_3EF3C()
{
  __int64 result; // x0
  char *v1; // [xsp+30h] [xbp-2E0h]
  unsigned int v2; // [xsp+64h] [xbp-2ACh]
  char *s1; // [xsp+80h] [xbp-290h]
  unsigned int fd; // [xsp+94h] [xbp-27Ch]
  unsigned int v5; // [xsp+98h] [xbp-278h]
  char *src; // [xsp+B0h] [xbp-260h]
  char *v7; // [xsp+150h] [xbp-1C0h]
  char v8[24]; // [xsp+198h] [xbp-178h] BYREF
  char v9[24]; // [xsp+1B0h] [xbp-160h] BYREF
  char v10[24]; // [xsp+1C8h] [xbp-148h] BYREF
  char v11[16]; // [xsp+1E0h] [xbp-130h] BYREF
  _QWORD v12[34]; // [xsp+1F0h] [xbp-120h] BYREF

  v12[33] = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  sub_3F388(v10);
  sub_3F3C4(v11, 24LL);
  v5 = getpid();
  sub_3F4D4(v12, v5);
  sub_3F738(v11, v10);
  sub_3FAC4("/proc/", v10);
  sub_3FA78(v8, "/status");
  sub_3FBC8(v10, v9);
  sub_3FC04(v9);
  sub_3FC04(v8);
  v1 = (char *)operator new[](0x1EuLL);
  src = (char *)sub_3FC78(v10);
  strcpy(v1, src);
  s1 = (char *)operator new[](0x1F4uLL);
  fd = __open_2(v1, 0LL);
  __read_chk(fd, s1, 500LL, -1LL);
  v7 = strstr(s1, off_C8018[0]);
  v2 = (unsigned int)strstr(v7, asc_A457D) - (_DWORD)v7;
  __strncpy_chk(s1, v7 + 11, (int)(v2 - 11), -1LL);
  s1[v2 - 11] = 0;
  if ( !strcmp(s1, "0") )
    sub_3EF18();
  close(fd);
  sub_3FC9C(v11);
  result = sub_3FC04(v10);
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return result;
}

通过获取/proc/<pid>/status来检索TracerPid的值,判断是不是0,来发现有没有被调试。可以通过简单Patch来绕过。

参考

[BUUCTF GKCTF 2021]app-debug_ctf app-debug_皮皮蟹!的博客-CSDN博客

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

A junior undergraduate
studying in the college of cyber science and engineering
in Sichuan University
in Sichuan , China.
Pronouns:He/him.
A core member of 0x401 CTF team
majorly focus on Reverse Engineering chanllenges.