CISCN 2021初赛glass

runwu2204 Lv6

查看组件,只有一个 activity(MainActivity,同时也是 LAUNCHER 入口),直接看它

<?xml version="1.0" encoding="utf-8"?>
<!-- AndroidManifest.xml of com.ciscn.glass, built against SDK 30. Exactly one component is
     declared (MainActivity); everything else of interest lives in the native library. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" android:compileSdkVersion="30" android:compileSdkVersionCodename="11" package="com.ciscn.glass" platformBuildVersionCode="30" platformBuildVersionName="11">
<uses-sdk android:minSdkVersion="15" android:targetSdkVersion="30"/>
<!-- NOTE(review): android:allowBackup="true" lets app data be pulled with `adb backup` on
     devices that honour the flag. Irrelevant for the CTF, but it is the one manifest setting
     a real review would flag. -->
<application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:allowBackup="true" android:supportsRtl="true" android:roundIcon="@mipmap/ic_launcher_round" android:appComponentFactory="androidx.core.app.CoreComponentFactory">
<!-- Launcher activity. It declares an intent-filter, so with targetSdkVersion 30 it is
     exported by default (no explicit android:exported attribute is set). -->
<activity android:name="com.ciscn.glass.MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
</application>
</manifest>

是一个标准的通过 JNI 接口做校验的流程:Java 层只把输入框的内容交给 native-lib 里的 checkFlag,再按返回值弹 right!/wrong! 的 Toast,校验逻辑全部在 so 里

package com.ciscn.glass;

import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;

/* loaded from: classes.dex */
/**
 * Launcher activity of the CTF app (decompiled).
 *
 * The Java side does no checking of its own: it reads the EditText on each
 * button click, passes the text to the native checkFlag() and shows one of
 * two toasts depending on the boolean that comes back. Everything worth
 * reversing is in libnative-lib.so.
 */
public class MainActivity extends AppCompatActivity {
    Button but;
    EditText txt;

    /** Implemented in libnative-lib.so as Java_com_ciscn_glass_MainActivity_checkFlag. */
    public native boolean checkFlag(String str);

    static {
        System.loadLibrary("native-lib");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(C0273R.layout.activity_main);
        this.but = (Button) findViewById(C0273R.C0275id.button);
        this.txt = (EditText) findViewById(C0273R.C0275id.editText);
        this.but.setOnClickListener(new View.OnClickListener() { // from class: com.ciscn.glass.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                // Read the candidate at click time; the verdict comes entirely from native code.
                String candidate = MainActivity.this.txt.getText().toString();
                String verdict = MainActivity.this.checkFlag(candidate) ? "right!" : "wrong!";
                // duration 0 (presumably Toast.LENGTH_SHORT — value not visible here)
                Toast.makeText(MainActivity.this, verdict, 0).show();
            }
        });
    }
}

native-lib 中的 checkFlag 函数(IDA 伪代码;sub_F0C 应为把传入的 jstring 转成 C 字符串的封装,三个 int 参数对应 JNIEnv*、jobject、jstring)

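/*
 * JNI entry point behind MainActivity.checkFlag(String).
 *
 * Returns true only when the candidate, after RC4 under the hard-coded key
 * "12345678" (sub_FFC + sub_1088) and the sub_10D4 post-mix, is byte-equal
 * to the 39-byte blob at unk_497C. Any length or content mismatch -> false.
 *
 * The parameters are the decompiler's int rendering of the JNI ABI:
 * a1 is presumably the JNIEnv*, a2 the jobject (unused), a3 the jstring.
 * IDA's __fastcall annotation is dropped so the listing compiles as plain C.
 *
 * Review notes against the original listing:
 *  - `qmemcpy(key, "12345678", sizeof(key))` copied 256 bytes out of a
 *    9-byte literal (an over-read); only the 8 key bytes plus NUL are meant.
 *  - the pointer returned by sub_F0C was handed to strlen() without a NULL
 *    check; a NULL is now treated as "wrong" rather than crashing.
 *  - memcmp() is not constant-time — fine for a CTF checker, not something
 *    to copy into real secret comparison code.
 */
bool Java_com_ciscn_glass_MainActivity_checkFlag(int a1, int a2, int a3)
{
    const char *v3;   /* candidate bytes; rewritten in place below */
    int length;       /* key length in bytes (8) */
    char key[256];    /* NUL-terminated RC4 key */
    char v7[260];     /* RC4 state (S-box) produced by sub_FFC */

    (void)a2;

    /* sub_F0C(env, jstring) — presumably the JNI string conversion; confirm. */
    v3 = (const char *)sub_F0C(a1, a3);
    if (v3 == NULL || strlen(v3) != 39)
        return false;

    memset(v7, 0, sizeof(v7));
    memset(key, 0, sizeof(key));
    memcpy(key, "12345678", 9);            /* 8 key bytes + terminator */
    length = (int)strlen(key);             /* == 8 */

    sub_FFC(v7, key, length);              /* RC4 key schedule (KSA) */
    sub_1088(v7, (char *)v3, 39);          /* RC4 keystream XOR, in place */
    sub_10D4((char *)v3, 39, key, length); /* post-mix applied before compare */

    return memcmp(v3, &unk_497C, 0x27u) == 0;
}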
/* 下面是 RC4 的两个函数:sub_FFC 是 KSA(密钥调度,生成 S 盒),sub_1088 是 PRGA 并把密钥流直接异或进数据;key 是上方的 "12345678" */
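/*
 * RC4 key-scheduling algorithm (KSA).
 *
 * a1: 256-byte buffer that receives the permutation S.
 * a2: key bytes.
 * a3: key length in bytes; must be > 0.
 * Returns 0 on success, -1 when a1/a2 is NULL or a3 <= 0.
 *
 * Review notes against the original listing:
 *  - `v7` was read without ever being assigned: it is the r1 result of
 *    sub_126C(i, a3), which on ARM EABI is where the idivmod helper leaves
 *    the remainder, i.e. `i % a3` — the standard KSA key index and
 *    consistent with the writeup treating this routine as RC4. Confirm
 *    against sub_126C if in doubt.
 *  - `return _stack_chk_guard` is the stack-protector epilogue leaking
 *    through decompilation; the only caller ignores the return value, so a
 *    plain status code is returned instead.
 *  - IDA's __fastcall / _BYTE spellings are replaced with standard C.
 */
int sub_FFC(char *a1, char *a2, int a3)
{
    unsigned char T[256];   /* key repeated out to 256 bytes */
    int i, j;

    if (a1 == NULL || a2 == NULL || a3 <= 0)
        return -1;

    for (i = 0; i < 256; i++) {
        a1[i] = (char)i;
        T[i] = (unsigned char)a2[i % a3];
    }

    for (i = 0, j = 0; i < 256; i++) {
        unsigned char si = (unsigned char)a1[i];
        j = (j + si + T[i]) % 256;
        a1[i] = a1[j];
        a1[j] = (char)si;
    }
    return 0;
}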

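/*
 * RC4 pseudo-random generation (PRGA) fused with the XOR step: advances the
 * state in `result` and XORs each keystream byte into a2[].
 *
 * result: 256-byte RC4 state as left by sub_FFC; advanced in place.
 * a2:     buffer transformed in place (RC4 is symmetric, so this both
 *         encrypts and decrypts).
 * length: number of bytes to process; a negative count is treated as zero
 *         (the original `while (length)` with `--length` never terminates
 *         on a negative count and walks off the end of a2).
 * Returns `result`.
 *
 * IDA's __fastcall / unsigned __int8 spellings are replaced with standard C.
 */
char *sub_1088(char *result, char *a2, int length)
{
    int i = 0, j = 0;
    int n;

    for (n = 0; n < length; n++) {
        unsigned char si;

        i = (i + 1) % 256;
        si = (unsigned char)result[i];
        j = (j + si) % 256;
        result[i] = result[j];
        result[j] = (char)si;
        /* after the swap result[j] == si, so this indexes S[S[i] + S[j]] */
        a2[n] ^= result[(unsigned char)(si + result[i])];
    }
    return result;
}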

/* sub_10D4:RC4 之后、memcmp 之前对缓冲区做的混淆 —— 先对每 3 字节做一组异或混合,再按 key 长度分块与 key 异或;全部由异或构成,可逆 */
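/*
 * Post-RC4 mixing applied to the candidate right before checkFlag's memcmp.
 *
 * Pass 1: every full 3-byte group (x, y, z) at offset i becomes
 *           out[i]   = x ^ z
 *           out[i+2] = z ^ y
 *           out[i+1] = y ^ (x ^ z)
 *         (the store order matters: out[i+1] uses the already-updated x^z).
 * Pass 2: XOR the key over the buffer in keylength-sized chunks; the last
 *         chunk is truncated at `length`.
 *
 * result:    buffer mixed in place.
 * length:    number of bytes in result.
 * key:       key bytes ("12345678" in checkFlag).
 * keylength: key length in bytes; <= 0 skips pass 2.
 * Returns `result` advanced past the last key-sized chunk pass 2 touched
 * (the decompiled routine walked the pointer forward and returned it; the
 * only caller ignores the value).
 *
 * Review notes against the original listing:
 *  - pass 1 read result[i+1] / result[i+2] for a trailing partial group
 *    whenever length is not a multiple of 3 (39 is, so the CTF input was
 *    never affected); only full groups are mixed now.
 *  - keylength == 0 made pass 2 spin forever because j never advanced;
 *    `keylength & ~(keylength >> 31)` was just max(keylength, 0).
 *  - IDA's __fastcall annotation is dropped so this compiles as plain C.
 */
char *sub_10D4(char *result, int length, char *key, int keylength)
{
    int i, j, k;

    for (i = 0; i + 2 < length; i += 3) {
        char z = result[i + 2];
        char y = result[i + 1];
        char xz = (char)(result[i] ^ z);

        result[i] = xz;
        result[i + 2] = (char)(z ^ y);
        result[i + 1] = (char)(y ^ xz);
    }

    if (keylength <= 0)
        return result;

    for (j = 0; j < length; j += keylength) {
        for (k = 0; k < keylength && j + k < length; k++)
            result[k] ^= key[k];
        result += keylength;
    }
    return result;
}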

写了个 python 脚本,用 z3 约束求解出经过 sub_10D4 混淆之前的 RC4 密文(这个混淆只由异或组成,是可逆的,不用求解器直接反推也可以)

from z3 import *    
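def sub_10d4(result, length, key, keylength):
    """Python port of the native sub_10D4 post-mix; mutates `result` in place and returns it.

    result:    list of ints (z3 BitVecs also work — only ^ is applied to elements).
    length:    number of elements to process.
    key:       str (XORed by code point, like ord()) or bytes.
    keylength: key length in bytes; <= 0 skips the key pass.

    Pass 1 maps every full 3-byte group (x, y, z) to (x^z, y^x^z, z^y).
    Pass 2 XORs the key over consecutive keylength-sized chunks, the last
    chunk truncated at `length`.

    Compared with the listing as pasted: the body is indented so it actually
    runs, a trailing partial group no longer raises IndexError (the native
    code would read past the buffer there; 39 is a multiple of 3 so the CTF
    input is unaffected), and a bytes key is accepted alongside str.
    """
    key_vals = [ord(c) for c in key] if isinstance(key, str) else list(key)

    # pass 1: 3-byte mix, full groups only
    for i in range(0, length - 2, 3):
        z = result[i + 2]
        y = result[i + 1]
        xz = result[i] ^ z
        result[i] = xz
        result[i + 2] = z ^ y
        result[i + 1] = y ^ xz

    if keylength <= 0:
        return result

    # pass 2: key XOR per chunk (native loop: k != keylength and j + k < length)
    for j in range(0, length, keylength):
        for k in range(min(keylength, length - j)):
            result[j + k] ^= key_vals[k]
    return result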
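# --- recover the RC4 ciphertext from the compare blob ------------------------
# sub_10D4 is a bijection on the buffer, so no SMT solver is needed: the key
# XOR is its own inverse, and the 3-byte mix (x, y, z) -> (x^z, y^x^z, z^y)
# undoes as  x^z = out0,  y = out1 ^ out0,  z = out2 ^ y,  x = out0 ^ z.
# This replaces the z3 version (same printed output, no third-party dependency).


def inv_sub_10d4(mixed, length, key, keylength):
    """Invert sub_10d4: return the buffer that sub_10d4 would map onto `mixed`.

    mixed:     list of ints; not modified.
    length:    number of bytes to undo.
    key:       str (by code point) or bytes.
    keylength: key length in bytes; must be > 0.
    Returns a new list of `length` ints.
    """
    key_vals = [ord(c) for c in key] if isinstance(key, str) else list(key)
    buf = list(mixed[:length])

    # undo pass 2: the key XOR is self-inverse
    for j in range(0, length, keylength):
        for k in range(min(keylength, length - j)):
            buf[j + k] ^= key_vals[k]

    # undo pass 1 for every full 3-byte group
    for i in range(0, length - 2, 3):
        xz, yxz, zy = buf[i], buf[i + 1], buf[i + 2]
        y = yxz ^ xz
        z = zy ^ y
        x = xz ^ z
        buf[i], buf[i + 1], buf[i + 2] = x, y, z
    return buf


def rc4(key, data):
    """Plain RC4 (KSA + PRGA), the construction sub_FFC / sub_1088 implement.

    key, data: bytes. Returns bytes. RC4 is symmetric, so the same call
    encrypts and decrypts.
    """
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


# Bytes at unk_497C that checkFlag memcmp()s against. Only the first 39 are
# compared (memcmp(..., 0x27)); the trailing 0 is padding from the dump.
cmp = [0xA3, 0x1A, 0xE3, 0x69, 0x2F,
       0xBB, 0x1A, 0x84, 0x65, 0xC2,
       0xAD, 0xAD, 0x9E, 0x96, 5,
       2, 0x1F, 0x8E, 0x36, 0x4F,
       0xE1, 0xEB, 0xAF, 0xF0, 0xEA,
       0xC4, 0xA8, 0x2D, 0x42, 0xC7,
       0x6E, 0x3F, 0xB0, 0xD3, 0xCC,
       0x78, 0xF9, 0x98, 0x3F, 0]

if __name__ == "__main__":
    out = inv_sub_10d4(cmp, 39, "12345678", 8)
    # same "[XX XX ... ]" format the z3 version printed
    str1 = '[' + ''.join('{:0>2X} '.format(b) for b in out) + ']'
    print(str1)
    # str1=[F8 BA 6A 97 47 CA E8 91 C5 07 6E F7 92 0B 39 92 14 A8 AF 7E AA 50 45 8D 6D 2D B6 86 6E 9F 86 5E DF B3 1E 52 A6 62 6A ]
    # final step from the writeup: RC4-decrypt the recovered bytes with the same key
    print(rc4(b"12345678", bytes(out)))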

把求出的这 39 字节直接用标准 RC4 解密即可,key 是 12345678(sub_FFC 就是 KSA,sub_1088 就是 PRGA 加异或,和标准 RC4 没有区别,任何 RC4 实现都能解)

image-20230617005742016

  • 标题: CISCN 2021初赛glass
  • 作者: runwu2204
  • 创建于 : 2023-06-17 00:48:51
  • 更新于 : 2023-06-17 00:57:44
  • 链接: https://runwu2204.github.io/2023/06/17/CTF WP/Re/安卓/CISCN 2021初赛glass/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。