2020 Netding Cup Xuanwu Group Mobile Security WP

PS: the challenge files were sent to me by someone else; I was not qualified to take part in this competition myself.

vulcrack

Open the APK in jadx first; it turns out to be a packed (shelled) program.

From libjiabu.so and the package name it is easy to see that this is a 360 packer. Here we use frida-dexDump, which is popular on the major forums, to unpack it.

This challenge was quite annoying: it would not run when I opened it in an Android emulator, probably because the 360 packer detects the emulator, so I could only use a real device. My real device is rather poor and starting frida often reported errors; I even considered manual unpacking, and only finished unpacking after a long struggle.

Unpacking process

Start frida_server:

cd /data/local/tmp
./frida_server

Port forwarding:

adb forward tcp:27042 tcp:27042

Then launch the APK on the device and run main.py:

python main.py

Analyzing the dex

After obtaining the dex, inspect it and locate the main encryption routine.

The logic after unpacking is very simple:

(1) Base64-decode keyFirst and keySecond,

(2) pass the results into the comm method, which subtracts a small per-index offset from each byte (i mod 8 for the first buffer, i mod 4 for the second).

Python script decryption:

import base64

# Constants recovered from the unpacked dex
keyFirst = "Zm1jan85NztBN0c0NjJIOzJGLzc8STk0OTZFSDE="
keySecond = "QTpISTlFNEkxRTY8fQ=="
flag = []
First = base64.b64decode(keyFirst)
Second = base64.b64decode(keySecond)
# Undo comm(): byte i of the first buffer had (i % 8) added to it,
# byte i of the second buffer had (i % 4) added to it
for i in range(len(First)):
    flag.append(First[i] - (i % 8))
for i in range(len(Second)):
    flag.append(Second[i] - (i % 4))
print(bytes(flag))


The decrypted flag is:
flag{414A6E12-B42E-48D3-95CE-A9FF9D2F1D49}
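To make the check reusable and to see it from the app's side as well as the solver's side, here is an added example (not the writeup's script) that implements the per-index shift in both directions: decode_flag() is the inverse transform exactly as the writeup applies it, encode_flag() is a hypothetical reconstruction of how the two constants would be produced from a flag, and check_flag() mirrors the comparison an app would make. The split position (29 bytes) is simply the decoded length of keyFirst; the two constants and the flag are copied from the writeup.

```python
import base64
from typing import Tuple

# Constants from the writeup: the two base64 strings found in the dex and the recovered flag.
KEY_FIRST = "Zm1jan85NztBN0c0NjJIOzJGLzc8STk0OTZFSDE="
KEY_SECOND = "QTpISTlFNEkxRTY8fQ=="
FLAG = "flag{414A6E12-B42E-48D3-95CE-A9FF9D2F1D49}"


def unshift(data: bytes, modulus: int) -> bytes:
    """Inverse of the app's comm() transform: byte i had (i % modulus) added to it."""
    return bytes((b - (i % modulus)) & 0xFF for i, b in enumerate(data))


def shift(data: bytes, modulus: int) -> bytes:
    """Forward transform (hypothetical reconstruction of how the constants were built)."""
    return bytes((b + (i % modulus)) & 0xFF for i, b in enumerate(data))


def decode_flag(key_first: str, key_second: str) -> str:
    """Solver side: base64-decode both constants and undo the shifts, as in the writeup."""
    first = unshift(base64.b64decode(key_first), 8)
    second = unshift(base64.b64decode(key_second), 4)
    return (first + second).decode("ascii")


def encode_flag(flag: str, split_at: int = 29) -> Tuple[str, str]:
    """Rebuild the two constants from a flag.

    split_at defaults to len(base64.b64decode(KEY_FIRST)), which is 29 for this challenge.
    """
    raw = flag.encode("ascii")
    first = base64.b64encode(shift(raw[:split_at], 8)).decode("ascii")
    second = base64.b64encode(shift(raw[split_at:], 4)).decode("ascii")
    return first, second


def check_flag(candidate: str) -> bool:
    """What the app's check amounts to: transform the candidate and compare against the constants."""
    return encode_flag(candidate) == (KEY_FIRST, KEY_SECOND)


if __name__ == "__main__":
    print(decode_flag(KEY_FIRST, KEY_SECOND))
    print(check_flag(FLAG))
```

Because the transform is a fixed per-position offset with no secret, the round trip is fully determined by the two constants; anyone holding the dex can recover the flag, which is why the only real protection in this challenge was the packer.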

Summary

The main difficulty of this challenge is the unpacking; using a tool for it greatly simplifies that step. Later on I plan to study some unpacking procedures and write up a manual unpacking approach.

java

Open it in jadx first; as the name suggests, all of the code lives in the Java layer.

Analysis

The main encryption logic lives in the method a:

(1) First initialize the array bArr.

(2) Perform AES encryption on the strings a and b.

(3) Call the method a: first XOR each byte of the AES-encrypted string with 22, then XOR it with the corresponding entry of the c array in class c.

(4) Base64-encode the XORed string and compare it with the string b.

There is a small pitfall here: one place in the program code replaces a character in the key string.

At first my script kept raising an error,
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xcc in position 3: invalid continuation byte, and I finally found this replacement by dynamic debugging to check the specific logic.

Python script

import base64
from Crypto.Cipher import AES

# Target string b, compared against by the app after base64 encoding
b = "VsBDJCvuhD65/+sL+Hlf587nWuIa2MPcqZaq7GMVWI0Vx8l9R42PXWbhCRftoFB3"

# XOR table c from class c
c = [214, 144, 233, 254, 204, 225, 61, 183, 22, 182, 43, 103, 20, 194, 40, 251, 44, 5, 43, 103, 154, 118, 42, 190, 4, 195, 43, 103, 170, 68, 19, 38, 73, 134, 43, 103, 153, 156, 66, 80, 244, 145, 80, 103, 239, 152, 122, 98, 50, 214]

x = base64.b64decode(b)

# Undo step (3): XOR with 22 and with c[i] is its own inverse
y = []
for i in range(len(x)):
    y.append(x[i] ^ 22 ^ c[i])
y = bytes(y)

# The pitfall: the key literal has its 'e' characters replaced by 'o' before use
aeskey = "aes_check_key!@#".replace('e', 'o').encode("utf-8")
cipher = AES.new(aeskey, AES.MODE_ECB)
z = cipher.decrypt(y)
flag = str(z, encoding="utf-8")
print(flag)

The output is:
flag{67587AAF-C20A-4B6D-991B-A40FD3C2098E}, and submitting it passes the check.

Summary

This challenge is relatively simple; I only got to it later. The whole thing is Java logic, and the only pitfall is the character replacement, which I sorted out with the help of dynamic debugging.


Origin blog.csdn.net/weixin_43632667/article/details/106389279