android-app-100 suctf-2016
jeb启动,找到点击事件:
验证流程:
输入作为参数 --> processObjectArrayFromNative 得到一返回值(ret_a) --> IsCorrect 返回0,失败;返回1,成功 --> 输出"Sharif_CTF("+md5(str(d+ret_a)+” “+”)“ (.d = 0x1BEBE)
可以发现flag的获取关键在于processObjectArrayFromNative 的返回值。
1 public void onClick(View arg8) { 2 new String(" "); 3 String v0 = this.a.b.getText().toString(); 4 Log.v("EditText", this.a.b.getText().toString()); 5 new String(""); 6 int v1 = this.a.processObjectArrayFromNative(v0); 7 int v2 = this.a.IsCorrect(v0); 8 v0 = String.valueOf(this.a.d + v1) + " "; 9 try { 10 MessageDigest v1_1 = MessageDigest.getInstance("MD5"); 11 v1_1.update(v0.getBytes()); 12 byte[] v1_2 = v1_1.digest(); 13 StringBuffer v3 = new StringBuffer(); 14 int v0_2; 15 for(v0_2 = 0; v0_2 < v1_2.length; ++v0_2) { 16 v3.append(Integer.toString((v1_2[v0_2] & 0xFF) + 0x100, 16).substring(1)); 17 } 18 19 if(v2 == 1 && this.a.e != "unknown") { 20 this.a.c.setText("Sharif_CTF(" + v3.toString() + ")"); 21 } 22 23 if(v2 == 1 && this.a.e == "unknown") { 24 this.a.c.setText("Just keep Trying :-)"); 25 } 26 27 if(v2 == 0) { 28 this.a.c.setText("Just keep Trying :-)"); 29 } 30 31 return; 32 } 33 catch(NoSuchAlgorithmException v0_1) { 34 v0_1.printStackTrace(); 35 return; 36 } 37 }
程序有两个native方法:
public native int IsCorrect(String arg1)
public native int processObjectArrayFromNative(String arg1)
IDA启动,
发现有混淆,但我们还是能发现这两个native方法中调用了strcmp方法
Java_com_example_ctf2_MainActivity_processObjectArrayFromNative:
1 ptr_chars = (env_2->functions->GetStringUTFChars)(env_2, jstring_2, 0); 2 *p_chars = ptr_chars; 3 temp_chars_ptr = *p_chars; 4 v46 = &v8; 5 v51 = 101; 6 v8 = 926246501; 7 v52 = 53; 8 v45 = 55; 9 v9 = 102; 10 v10 = 51; 11 v11 = 102; 12 v12 = 101; 13 v13 = 51; 14 v44 = 99; 15 v14 = 99; 16 v15 = 102; 17 v16 = 54; 18 v17 = 48; 19 v18 = 51; 20 v19 = 99; 21 v20 = 48; 22 v21 = 51; 23 v22 = 56; 24 v23 = 57; 25 v24 = 48; 26 v25 = 101; 27 v26 = 101; 28 v27 = 53; 29 v28 = 56; 30 v29 = 56; 31 v30 = 56; 32 v31 = 55; 33 v32 = 56; 34 v33 = 99; 35 v34 = 48; 36 v35 = 101; 37 v36 = 99; 38 v50_2 = v50; 39 v38 = 53; 40 v5 = j_strcmp(temp_chars_ptr, &v8);
processObjectArrayFromNative方法返回值:0或者0x57cbbd2
Java_com_example_ctf2_MainActivity_IsCorrect方法内也进行了字符串比较,
通过脚本我们可以获取到进行比较的字符串:
1 v51 = 'e'; 2 v8 = '75fe'[::-1]; 3 v52 = '5'; 4 v45 = '7'; 5 v9 = 'f'; 6 v10 = '3'; 7 v11 = 'f'; 8 v12 = 'e'; 9 v13 = '3'; 10 v44 = 'c'; 11 v14 = 'c'; 12 v15 = 'f'; 13 v16 = '6'; 14 v17 = '0'; 15 v18 = '3'; 16 v19 = 'c'; 17 v20 = '0'; 18 v21 = '3'; 19 v22 = '8'; 20 v23 = '9'; 21 v24 = '0'; 22 v25 = 'e'; 23 v26 = 'e'; 24 v27 = '5'; 25 v28 = '8'; 26 v29 = '8'; 27 v30 = '8'; 28 v31 = '7'; 29 v32 = '8'; 30 v33 = 'c'; 31 v34 = '0'; 32 v35 = 'e'; 33 v36 = 'c'; 34 x='' 35 for i in range(8,37): 36 x+=locals()['v'+str(i)] 37 print(x) 38 print(len(x)) 39 40 v12 = 101; 41 v13 = 102; 42 v14 = 53; 43 v15 = 55; 44 v16 = 102; 45 v17 = 51; 46 v18 = 102; 47 v19 = 101; 48 v20 = 51; 49 v21 = 99; 50 v22 = 102; 51 v23 = 54; 52 v24 = 48; 53 v25 = 51; 54 v26 = 99; 55 v27 = 48; 56 v28 = 51; 57 v29 = 56; 58 v30 = 57; 59 v31 = 48; 60 v32 = 101; 61 v33 = 101; 62 v34 = 53; 63 v35 = 56; 64 v36 = 56; 65 v37 = 56; 66 v38 = 55; 67 v39 = 56; 68 v40 = 99; 69 v41 = 48; 70 v42 = 101; 71 v43 = 99; 72 73 y='' 74 for i in range(12,44): 75 y+=chr(locals()['v'+str(i)]) 76 print(y) 77 print(len(y)) 78 79 80 ''' 81 ef57f3fe3cf603c03890ee588878c0ec 82 32 83 ef57f3fe3cf603c03890ee588878c0ec 84 32 85 '''