GKCTF 2021App-debug

参考wp[(41条消息) BUUCTF GKCTF 2021]app-debug_皮皮蟹！的博客-CSDN博客

就一个activity

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" android:compileSdkVersion="29" android:compileSdkVersionCodename="10" package="com.example.myapplication" platformBuildVersionCode="29" platformBuildVersionName="10">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="29"/>
    <application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:debuggable="true" android:allowBackup="true" android:supportsRtl="true" android:roundIcon="@mipmap/ic_launcher_round" android:appComponentFactory="androidx.core.app.CoreComponentFactory">
        <activity android:name="com.example.myapplication.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>

主函数就是调用了JNI

package com.example.myapplication;

import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;

/* loaded from: classes2.dex */
public class MainActivity extends AppCompatActivity {
    private Button mBtnLogin;
    private EditText mEtflag;

    public native boolean check(String str);

    static {
        System.loadLibrary("native-lib");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(C0273R.layout.activity_main);
        this.mBtnLogin = (Button) findViewById(C0273R.C0275id.btn_login);
        this.mEtflag = (EditText) findViewById(C0273R.C0275id.bEn_edittext);
        this.mBtnLogin.setOnClickListener(new View.OnClickListener() { // from class: com.example.myapplication.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View v) {
                MainActivity mainActivity = MainActivity.this;
                if (mainActivity.check(mainActivity.mEtflag.getText().toString())) {
                    Toast.makeText(MainActivity.this, "You Are Right!flag is flag{md5(input)}", 0).show();
                } else {
                    Toast.makeText(MainActivity.this, "Sorry your flag is wrong!", 0).show();
                }
            }
        });
    }
}

JNI函数

bool __fastcall Java_com_example_myapplication_MainActivity_check(__int64 a1, __int64 a2, __int64 a3)
{
  int i; // [xsp+24h] [xbp-4Ch]
  bool v5; // [xsp+4Ch] [xbp-24h]
  char v6[24]; // [xsp+50h] [xbp-20h] BYREF
  __int64 v7; // [xsp+68h] [xbp-8h]

  v7 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  sub_3FE20(a1, a3, (__int64)v6);//复制字符串
  if ( sub_40040((__int64)v6) == 8 )
  {
    for ( i = 0; i <= 6; ++i )
      byte_C80E0[i] = *(_BYTE *)sub_40064((__int64)v6, i);
    v5 = sub_3ED8C((unsigned int *)byte_C80E0);
  }
  else
  {
    v5 = 0;
  }
  sub_3FC04((__int64)v6);
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v5;
}

为啥反编译不一样

bool __fastcall sub_3ED8C(unsigned int *a1)
{
  unsigned int i; // [xsp+20h] [xbp-20h]
  int v3; // [xsp+24h] [xbp-1Ch]
  unsigned int v4; // [xsp+28h] [xbp-18h]
  unsigned int v5; // [xsp+2Ch] [xbp-14h]

  v5 = *a1;
  v4 = a1[1];
  v3 = 0;
  for ( i = 0; i < 0x20; ++i )
  {
    v3 += dword_C8010;
    v5 += (16 * v4 + dword_C8000) ^ (v4 + v3) ^ ((v4 >> 5) + dword_C8004);
    v4 += (16 * v5 + dword_C8008) ^ (v5 + v3) ^ ((v5 >> 5) + dword_C800C);
  }
  *a1 = v5;
  a1[1] = v4;
  return *a1 == 0xF5A98FF3 && a1[1] == 0xA21873A3;
}

通过交叉引用发现有对key的修改key为{9,7,8,6}

void sub_3EF18()
{
  dword_C8004 = 7;
  dword_C8008 = 8;
  dword_C800C = 6;
}

有个自启动的函数对值进行修改，自启动的一般都在.init_array表内

.init_array:00000000000C0F98 ; Segment type: Pure data
.init_array:00000000000C0F98                 AREA .init_array, DATA, ALIGN=3
.init_array:00000000000C0F98                 ; ORG 0xC0F98
.init_array:00000000000C0F98 off_C0F98       DCQ sub_3EF3C           ; DATA XREF: LOAD:0000000000000088↑o
.init_array:00000000000C0F98                                         ; LOAD:00000000000001D8↑o
.init_array:00000000000C0F98 ; .init_array   ends
.init_array:00000000000C0F98

直接用之前写的tea算法

#include <stdio.h>
#include <stdint.h>
void teajiami (uint32_t* v, uint32_t* k) //此处uint32长度就为usigned int占32bit共4个字节
{
    uint32_t sum = 0;  // 注意sum也是32位无符号整型
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t delta = 0x458BCD42;
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];

    for (int i=0; i<32; i++) //进行32轮迭代，次数越多越难破解，但同时效率也会降低
    {
        sum += delta;
        v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
        v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
    }

    v[0]=v0; 
    v[1]=v1;
}

void teajiemi (uint32_t* v, uint32_t* k) //解密也是进行相同的异或操作，通过异或同一个数恢复原数
{
    uint32_t v0 = v[0], v1 = v[1];
    uint32_t delta = 0x458BCD42;
    uint32_t sum = delta * 32;
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];

    for (int i=0; i<32; i++) {
        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
        sum -= delta;
    }

    v[0]=v0; 
    v[1]=v1;
}

// test
int main()
{
    // 两个32位无符号整数，即待加密的64bit明文数据
    uint32_t v[2] = {0xF5A98FF3, 0xA21873A3};
    // 四个32位无符号整数，即128bit的key
    uint32_t k[4]= {0x9, 0x7, 0x8, 0x6};

    // printf("Data is : %x %x\n", v[0], v[1]);
    // teajiami(v, k);
    // printf("Encrypted data is : %x %x\n", v[0], v[1]);
    teajiemi(v, k);
    printf("Decrypted data is : %x %x\n", v[0], v[1]);
	puts((char*)v);

    return 0;
}

直接用md5