Raphael +
  • Stay hungry, Stay foolish.
  • albus.zly@gmail.com
    albus12138

    GCTF Re&Mobile WriteUp

    0x00 Mobile-01 APK逆向

    OnCreate

    从成功后的Toast提示可以很容易找出判断位置,即CheckSN函数,传入的参数是 “Tenshine”和输入的字符串

    CheckSN

    检验过程十分简单,检查username是否为空,sn长度是否为22,然后对username进行计算md5,然后以步长为2的方式从md5中取出字符,生成flag字符串

    最后,flag为bc72f242a6af3857

    0x01 Reverse-02 debug.exe

    用IDA打开exe文件,发现是用.Net编写的,改用dotPeek反编译出源码,其中函数名做了混淆,不过没关系,影响不大

    dotPeek

    dotPeek对于未加密的程序反编译出源码的效果非常好,将代码简单修改一下写入Visual Studio,运行,得到flag{967DDDFBCD32C1F53527C221D9E40A0B}

    using System;
    using System.Collections.Generic;
    using System.Security.Cryptography;
    using System.Linq;
    using System.Text;
    using System.Threading.Tasks;
    
    class funcs
    {
        static int xor(int a, int b)
        {
            return new int[30]
            {
                2,
                3,
                5,
                7,
                11,
                13,
                17,
                19,
                23,
                29,
                31,
                37,
                41,
                43,
                47,
                53,
                59,
                61,
                67,
                71,
                73,
                79,
                83,
                89,
                97,
                101,
                103,
                107,
                109,
                113
            }[b] ^ a;
        }
    
        static string flag(string a)
        {
            return "flag{" + BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(Encoding.ASCII.GetBytes(a))).Replace("-", "") + "}";
        }
    
        public static void calc(string a, int b, ref string A_2)
        {
            int index = 0;
            if (0 < a.Length)
            {
                do
                {
                    char ch = a[index];
                    int A_1_1 = 1;
                    do
                    {
                        ch = Convert.ToChar(funcs.xor(Convert.ToInt32(ch), A_1_1));
                        ++A_1_1;
                    }
                    while (A_1_1 < 15);
                    A_2 = A_2 + (object)ch;
                    ++index;
                }
                while (index < a.Length);
            }
            A_2 = funcs.flag(A_2);
        }
    }
    
    namespace ConsoleApplication5
    {
        class Program
        { 
            static void Main(string[] args)
            {
                string A_2 = (string)null;
                funcs.calc("CreateByTenshine", Convert.ToInt32(string.Format("{0}", (object)(DateTime.Now.Hour + 1))), ref A_2);
                Console.WriteLine(A_2);
                if (Console.ReadLine() == A_2)
                {
                    Console.WriteLine("u got it!");
                    Console.ReadKey(true);
                }
                else
                    Console.Write("wrong");
                Console.ReadKey(true);
            }
        }
    }

    0x02 Reverse-03 Hackme

    先运行一下看一遍运行流程,然后用IDA打开,程序内容很多,先搜索一下字符串

    strings

    看到 Congras\nOh no!\n 基本上可以确定关键函数位置了

    data

    400F8E

    定位关键内容为中间的do-while循环,这个sub_406D90函数困扰了我很久,甚至用gdb去调试这个函数……但是水平一般没有解出来。在看了其他队伍的wp后发现其实不需要解出这个函数的功能,因为后面对22取模,所以v7的取值范围只能是0~21,写个脚本爆破一下

    byte = [0x5f,0xf2,0x5e,0x8b,0x4e,0xe,0xa3,0xaa,0xc7,0x93,0x81,0x3d,0x5f,0x74,0xa3,0x9,0x91,0x2b,0x49,0x28,0x93,0x67]
    string = ""
    for v7 in xrange(22):
        v9 = 0
        v6 = byte[i]
        v4 = v7 + 1
        v8 = 0
        while(v8 < v4):
            v8 += 1
            v9 = 0x6d01788d * v9 + 12345
        string += chr((v9 & 0xff) ^ v6)  # 因为最后 v9^v5 时是 unsigned __int8 所以这里和 0xff 做一下与运算
    print string

    最终结果:flag{d826e6926098ef46}

    Blog

    Coding

    Bookmarks