柏鹭杯 2021不重要的图形

[柏鹭杯 2021]不重要的图形 | NSSCTF

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" android:compileSdkVersion="30" android:compileSdkVersionCodename="11" package="com.octobox.ctf" platformBuildVersionCode="30" platformBuildVersionName="11">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
    <application android:theme="@style/Theme.MyApplication" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:allowBackup="true" android:supportsRtl="true" android:roundIcon="@mipmap/ic_launcher_round" android:appComponentFactory="androidx.core.app.CoreComponentFactory">
        <activity android:name="com.octobox.ctf.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>

只有一个主类

public class MainActivity extends AppCompatActivity {
  
        /**********************做完后表示以上函数为障眼法***************************************/
        try {
            Log.i("MainAct", stringBuffer.toString());
            InputStream open = getAssets().open("classes.dex");
            byte[] bArr = new byte[open.available()];
            open.read(bArr);
            File file = new File(getDir("data", 0), "decode.dex");
            FileOutputStream fileOutputStream = new FileOutputStream(file);
            fileOutputStream.write(bArr);
            fileOutputStream.close();
            open.close();
            if (checkPassword(stringBuffer.toString().toUpperCase(), file)) {
                this.unlockView.setVisibility(8);
                return true;
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
        this.handler.sendEmptyMessageDelayed(0, 2000L);
        return false;
    }//将asset的classes.dex复制到data路径中的"decode.dex"

    private boolean checkPassword(String password, File loadDex) {
        try {
            Method declaredMethod = new DexClassLoader(loadDex.getAbsolutePath(), getDir("dex", 0).getAbsolutePath(), null, getClass().getClassLoader()).loadClass("C").getDeclaredMethod("isValidate", Context.class, String.class, int[].class);
            int[] intArray = getResources().getIntArray(C0652R.array.A_offset);
            String str = (String) declaredMethod.invoke(null, this, password, new int[]{0, intArray[0], intArray[1]}); // 3,3248
            Log.d("MainActivity", str);
            if (str != null && str.startsWith("Great!")) {
                this.tvText.setText(str);
                return true;
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return false;
    }
}

重点

上面的intArray通过getResources().getIntArray(C0652R.array.A_offset);方法从res中取出了{3,3248}

注意此处的B_offset，以后要用

同时上面方法的通过反射机制调用了静态方法isValidate，并将最后结果传给了str

Method declaredMethod = new DexClassLoader(loadDex.getAbsolutePath(), getDir("dex", 0).getAbsolutePath(), null, getClass().getClassLoader()).loadClass("C").getDeclaredMethod("isValidate", Context.class, String.class, int[].class);
String str = (String) declaredMethod.invoke(null, this, password, new int[]{0, intArray[0], intArray[1]}); // 3,3248

isValidate方法(包括其调用的方法)如下

 public static String isValidate(Context context, String password, int[] original) throws Exception {
        ByteBuffer read;
        File fix;
        Log.i(TAG, "start check password");
        if (original.length != 3 || (read = read(context)) == null || (fix = fix(read, original[0], original[1], original[2], context)) == null) {
            return "";
        }
        ClassLoader classLoader = context.getClass().getClassLoader();
        File dir = context.getDir("fixed", 0);
        String str = (String) new DexClassLoader(fix.getAbsolutePath(), dir.getAbsolutePath(), null, classLoader).loadClass("A").getDeclaredMethod("d", Context.class, String.class).invoke(null, context, password);
        fix.delete();//调用fix修复后的文件再删除fix的文件
        new File(dir, fix.getName()).delete();
        return str;
    }

    private static File fix(ByteBuffer dexBuffer, int classIndex, int index, int offset, Context context) throws Exception {
        String signInfo = Utils.getSignInfo(context);
        if (signInfo == null || !signInfo.equals("78856d5c90624ec05bbc3d9be63d3715fd6fefce")) {//验证自身文件的特征值
            Log.i(TAG, "check signature failed");
            return null;
        }
        File dir = context.getDir("data", 0);
        int intValue = C0003D.getClassDefData(dexBuffer, classIndex).get("class_data_off").intValue();
        HashMap<String, int[][]> classData = C0003D.getClassData(dexBuffer, intValue);
        classData.get("direct_methods")[index][2] = offset;
        byte[] encodeClassData = C0003D.encodeClassData(classData);
        dexBuffer.position(intValue);
        dexBuffer.put(encodeClassData);
        dexBuffer.position(32);
        byte[] bArr = new byte[dexBuffer.capacity() - 32];
        dexBuffer.get(bArr);
        byte[] sha1 = Utils.getSha1(bArr);
        dexBuffer.position(12);
        dexBuffer.put(sha1);
        int checksum = Utils.checksum(dexBuffer);
        dexBuffer.position(8);
        dexBuffer.putInt(Integer.reverseBytes(checksum));
        byte[] array = dexBuffer.array();
        File file = new File(dir, "1.dex");
        FileOutputStream fileOutputStream = new FileOutputStream(file);
        fileOutputStream.write(array);
        fileOutputStream.close();//
        return file;
    }

    private static ByteBuffer read(Context context) {
        try {
            File file = new File(context.getDir("data", 0), "decode.dex");
            if (file.exists()) {
                FileInputStream fileInputStream = new FileInputStream(file);
                byte[] bArr = new byte[fileInputStream.available()];
                fileInputStream.read(bArr);
                ByteBuffer wrap = ByteBuffer.wrap(bArr);
                fileInputStream.close();
                return wrap;
            }
            return null;
        } catch (Exception unused) {
            return null;
        }
    }
}

A类的d方法是通过加密了的，fix方法将decode.dex中A类的d方法解密后再交给反射机制调用，最后再删除掉调用的dex(所以在运行中看不见这个文件，或者只出现一瞬间)

解密exp:

直接通过java模拟解密过程，将最后的dex解密出来

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.lang.reflect.Array;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashMap;

public class nssctf
{
    
    private static ByteBuffer read(String dir) {
        try {
            File file = new File(dir);
            if (file.exists()) {
                FileInputStream fileInputStream = new FileInputStream(file);
                byte[] bArr = new byte[fileInputStream.available()];
                fileInputStream.read(bArr);
                ByteBuffer wrap = ByteBuffer.wrap(bArr);
                fileInputStream.close();
                return wrap;
            }
            return null;
        } catch (Exception unused) {
            return null;
        }
    }
    public static HashMap<String, Integer> getClassDefData(ByteBuffer buffer, int index) {
        buffer.position(100);
        buffer.position(Integer.reverseBytes(buffer.getInt()) + (index * 32));
        HashMap<String, Integer> hashMap = new HashMap<>();
        int reverseBytes = Integer.reverseBytes(buffer.getInt());
        int reverseBytes2 = Integer.reverseBytes(buffer.getInt());
        int reverseBytes3 = Integer.reverseBytes(buffer.getInt());
        int reverseBytes4 = Integer.reverseBytes(buffer.getInt());
        int reverseBytes5 = Integer.reverseBytes(buffer.getInt());
        int reverseBytes6 = Integer.reverseBytes(buffer.getInt());
        int reverseBytes7 = Integer.reverseBytes(buffer.getInt());
        int reverseBytes8 = Integer.reverseBytes(buffer.getInt());
        hashMap.put("class_idx", Integer.valueOf(reverseBytes));
        hashMap.put("access_flag", Integer.valueOf(reverseBytes2));
        hashMap.put("superclass_idx", Integer.valueOf(reverseBytes3));
        hashMap.put("interfaces_off", Integer.valueOf(reverseBytes4));
        hashMap.put("source_file_idx", Integer.valueOf(reverseBytes5));
        hashMap.put("annotation_off", Integer.valueOf(reverseBytes6));
        hashMap.put("class_data_off", Integer.valueOf(reverseBytes7));
        hashMap.put("static_values_off", Integer.valueOf(reverseBytes8));
        return hashMap;
    }
    public static HashMap<String, int[][]> getClassData(ByteBuffer buffer, int offset) {
        buffer.position(offset);
        int i = fromULEB128(buffer)[0];
        int i2 = fromULEB128(buffer)[0];
        int i3 = fromULEB128(buffer)[0];
        int i4 = fromULEB128(buffer)[0];
        int[][] iArr = (int[][]) Array.newInstance(int.class, i, 2);
        if (i > 0) {
            int i5 = 0;
            for (int i6 = 0; i6 < i; i6++) {
                int[] encode_field = encode_field(buffer);
                if (i6 == 0) {
                    i5 = encode_field[0];
                } else {
                    i5 += encode_field[0];
                }
                int[] iArr2 = new int[2];
                iArr2[0] = i5;
                iArr2[1] = encode_field[1];
                iArr[i6] = iArr2;
            }
        }
        int[][] iArr3 = (int[][]) Array.newInstance(int.class, i2, 2);
        if (i2 > 0) {
            int i7 = 0;
            for (int i8 = 0; i8 < i2; i8++) {
                int[] encode_field2 = encode_field(buffer);
                if (i8 == 0) {
                    i7 = encode_field2[0];
                } else {
                    i7 += encode_field2[0];
                }
                int[] iArr4 = new int[2];
                iArr4[0] = i7;
                iArr4[1] = encode_field2[1];
                iArr3[i8] = iArr4;
            }
        }
        int[][] iArr5 = (int[][]) Array.newInstance(int.class, i3, 3);
        if (i3 > 0) {
            int i9 = 0;
            for (int i10 = 0; i10 < i3; i10++) {
                int[] encode_method = encode_method(buffer);
                if (i10 == 0) {
                    i9 = encode_method[0];
                } else {
                    i9 += encode_method[0];
                }
                int[] iArr6 = new int[3];
                iArr6[0] = i9;
                iArr6[1] = encode_method[1];
                iArr6[2] = encode_method[2];
                iArr5[i10] = iArr6;
            }
        }
        int[][] iArr7 = (int[][]) Array.newInstance(int.class, i4, 3);
        if (i4 > 0) {
            int i11 = 0;
            for (int i12 = 0; i12 < i2; i12++) {
                int[] encode_method2 = encode_method(buffer);
                if (i12 == 0) {
                    i11 = encode_method2[0];
                } else {
                    i11 += encode_method2[0];
                }
                int[] iArr8 = new int[3];
                iArr8[0] = i11;
                iArr8[1] = encode_method2[1];
                iArr8[2] = encode_method2[2];
                iArr7[i12] = iArr8;
            }
        }
        HashMap<String, int[][]> hashMap = new HashMap<>();
        hashMap.put("static_fields", iArr);
        hashMap.put("instance_fields", iArr3);
        hashMap.put("direct_methods", iArr5);
        hashMap.put("virtual_methods", iArr7);
        return hashMap;
    }
    public static int[] fromULEB128(ByteBuffer buffer) {
        int i;
        int i2 = buffer.get() & 255;
        if (i2 > 127) {
            int i3 = buffer.get() & 255;
            i2 = (i2 & 127) | ((i3 & 127) << 7);
            if (i3 > 127) {
                int i4 = buffer.get() & 255;
                i2 |= (i4 & 127) << 14;
                i = 3;
                if (i4 > 127) {
                    int i5 = buffer.get() & 255;
                    i2 |= (i5 & 127) << 21;
                    i = 4;
                    if (i5 > 127) {
                        i2 |= (buffer.get() & 255) << 28;
                        i = 5;
                    }
                }
            } else {
                i = 2;
            }
        } else {
            i = 1;
        }
        return new int[]{i2, i};
    }
    private static int[] encode_method(ByteBuffer buffer) {
        return new int[]{fromULEB128(buffer)[0], fromULEB128(buffer)[0], fromULEB128(buffer)[0]};
    }
    private static int[] encode_field(ByteBuffer buffer, int offset) {
        buffer.position(offset);
        return encode_field(buffer);
    }
    private static int[] encode_field(ByteBuffer buffer) {
        return new int[]{fromULEB128(buffer)[0], fromULEB128(buffer)[0]};
    }
    public static byte[] encodeClassData(HashMap<String, int[][]> data) {
        int[][] iArr = data.get("static_fields");
        int[][] iArr2 = data.get("instance_fields");
        int[][] iArr3 = data.get("direct_methods");
        int[][] iArr4 = data.get("virtual_methods");
        byte[] merge = merge(toULEB128(iArr.length), toULEB128(iArr2.length), toULEB128(iArr3.length), toULEB128(iArr4.length));
        if (iArr.length > 0) {
            int i = 0;
            for (int[] iArr5 : iArr) {
                merge = merge(merge, decode_field(iArr5, i));
                i = iArr5[0];
            }
        }
        if (iArr2.length > 0) {
            int i2 = 0;
            for (int[] iArr6 : iArr2) {
                merge = merge(merge, decode_field(iArr6, i2));
                i2 = iArr6[0];
            }
        }
        if (iArr3.length > 0) {
            int i3 = 0;
            for (int[] iArr7 : iArr3) {
                merge = merge(merge, decode_method(iArr7, i3));
                i3 = iArr7[0];
            }
        }
        if (iArr4.length > 0) {
            int i4 = 0;
            for (int[] iArr8 : iArr4) {
                merge = merge(merge, decode_method(iArr8, i4));
                i4 = iArr8[0];
            }
        }
        return merge;
    }

public static byte[] toULEB128(int data) {
    int i = data >> 28;
    if (i > 0) {
        return new byte[]{(byte) ((data & 127) | 128), (byte) (((data >> 7) & 127) | 128), (byte) (((data >> 14) & 127) | 128), (byte) (((data >> 21) & 127) | 128), (byte) (i & 15)};
    }
    int i2 = data >> 21;
    if (i2 > 0) {
        return new byte[]{(byte) ((data & 127) | 128), (byte) (((data >> 7) & 127) | 128), (byte) (((data >> 14) & 127) | 128), (byte) (i2 & 127)};
    }
    int i3 = data >> 14;
    if (i3 > 0) {
        return new byte[]{(byte) ((data & 127) | 128), (byte) (((data >> 7) & 127) | 128), (byte) (i3 & 127)};
    }
    int i4 = data >> 7;
    return i4 > 0 ? new byte[]{(byte) ((data & 127) | 128), (byte) (i4 & 127)} : new byte[]{(byte) (data & 127)};
}
private static byte[] merge(byte[]... data) {
    int i = 0;
    for (byte[] bArr : data) {
        i += bArr.length;
    }
    ByteBuffer allocate = ByteBuffer.allocate(i);
    for (byte[] bArr2 : data) {
        allocate.put(bArr2);
    }
    byte[] bArr3 = new byte[allocate.position()];
    allocate.position(0);
    allocate.get(bArr3);
    return bArr3;
}

private static byte[] decode_field(int[] data, int diff_idx) {
    return merge(toULEB128(data[0] - diff_idx), toULEB128(data[1]));
}

private static byte[] decode_method(int[] data, int diff_idx) {
    return merge(toULEB128(data[0] - diff_idx), toULEB128(data[1]), toULEB128(data[2]));
}

public static byte[] getSha1(byte[] data) {
    try {
        return MessageDigest.getInstance("SHA").digest(data);
    } catch (Exception unused) {
        return null;
    }
}

public static int checksum(ByteBuffer dexBuffer) {
    dexBuffer.position(12);
    int capacity = dexBuffer.capacity();
    int i = 1;
    int i2 = 0;
    boolean z = false;
    while (dexBuffer.position() < capacity) {
        ArrayList arrayList = new ArrayList();
        int i3 = 0;
        while (true) {
            if (i3 >= 1024) {
                break;
            }
            arrayList.add(Integer.valueOf(dexBuffer.get() & 255));
            if (dexBuffer.position() == dexBuffer.limit()) {
                z = true;
                break;
            }
            i3++;
        }
        int[] calculateVar = calculateVar(arrayList, i, i2);
        int i4 = calculateVar[0];
        int i5 = calculateVar[1];
        if (z) {
            return (i5 << 16) + i4;
        }
        i2 = i5;
        i = i4;
    }
    return 0;
}
private static int[] calculateVar(ArrayList<Integer> srcBytes, int vara, int varb) {
    for (int i = 0; i < srcBytes.size(); i++) {
        vara = (vara + srcBytes.get(i).intValue()) % 65521;
        varb = (varb + vara) % 65521;
    }
    return new int[]{vara, varb};
}
public static String md5(byte[] data) {
    try {
        String bigInteger = new BigInteger(1, MessageDigest.getInstance("md5").digest(data)).toString(16);
        for (int i = 0; i < 32 - bigInteger.length(); i++) {
            bigInteger = "0" + bigInteger;
        }
        return bigInteger;
    } catch (NoSuchAlgorithmException unused) {
        throw new RuntimeException("ops!!");
    }
}



    public static void main(String[] args) 
    {
        try{
        ByteBuffer dexBuffer=read("classes.dex");//修改为assets中的dex地址
        int classIndex=0;
        int index=3;
        int offset=3248;
        System.out.println(getClassDefData(dexBuffer, classIndex).get("class_data_off").intValue());   
        int intValue = getClassDefData(dexBuffer, classIndex).get("class_data_off").intValue();
        // intValue=11388;
        HashMap<String, int[][]> classData = getClassData(dexBuffer, intValue);
        classData.get("direct_methods")[index][2] = offset;
        byte[] encodeClassData = encodeClassData(classData);
        dexBuffer.position(intValue);
        dexBuffer.put(encodeClassData);
        dexBuffer.position(32);
        byte[] bArr = new byte[dexBuffer.capacity() - 32];
        dexBuffer.get(bArr);
        byte[] sha1 = getSha1(bArr);
        dexBuffer.position(12);
        dexBuffer.put(sha1);
        int checksum = checksum(dexBuffer);
        dexBuffer.position(8);
        dexBuffer.putInt(Integer.reverseBytes(checksum));
        byte[] array = dexBuffer.array();
        File file = new File("E:\\EDGE下载\\misc4\\assets\\1.dex");//你想存解密后的dex地址
        FileOutputStream fileOutputStream = new FileOutputStream(file);
        fileOutputStream.write(array);
        fileOutputStream.close();
        }catch(Exception e)
        {
            System.out.println("error");
        }

    }
}

发现解密后的dex只有A类的d方法且其相关的B类的d方法也是通过加密了的

猜测摁住ctrl点击 跳转中的B_offset也用于解密,所以将解密exp中的main方法中三个变量变为B类的变量，方法如下

int classIndex=0;
int index=3;
int offset=3248;
//改为
int classIndex=1;//不改的话会解密成A类的b方法，虽然结果可能没多大区别
int index=1;
int offset=3420;

两个解密后的方法如下

 //A类的方法
public static String d(Context context, String password) {
        String signInfo = Utils.getSignInfo(context);
        if (signInfo != null && signInfo.equals("78856d5c90624ec05bbc3d9be63d3715fd6fefce")) {
            String md5 = Utils.md5(password.getBytes());
            if (md5.equals("4155606cedd928c3bb0b93343c81f3f5")) {
                return "Great! please call B.d(\"" + Utils.md5(md5.getBytes()) + "\") to get flag";
            }
        }
        return "";
    }
//B类的方法
    public static String d(String src) {
        return "flag{ISEC-" + Utils.md5(Utils.getSha1(src.getBytes())) + "}";
    }
}

最终flag的exp:

import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class Main{//运行需要将左边这个类名改为跟文件名一样
    public static byte[] getSha1(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA").digest(data);
        } catch (Exception unused) {
            return null;
        }
    }
    public static String md5(byte[] data) {
        try {
            String bigInteger = new BigInteger(1, MessageDigest.getInstance("md5").digest(data)).toString(16);
            for (int i = 0; i < 32 - bigInteger.length(); i++) {
                bigInteger = "0" + bigInteger;
            }
            return bigInteger;
        } catch (NoSuchAlgorithmException unused) {
            throw new RuntimeException("ops!!");
        }
    }
    public static void main(String[] args) 
        {
        System.out.println("flag{ISEC-"+md5(getSha1(md5("4155606cedd928c3bb0b93343c81f3f5".getBytes()).getBytes()))+"}");//通过网上工具sha1的时候结果有问题可能是大小写原因
    
        }
    }