关于逆向工程:吾爱破解2024春节解题领红包活动喜迎新春

52次阅读

共计 12196 个字符,预计需要花费 31 分钟才能阅读完成。

(图作者 | 吾爱破解 @Aoemax)

前言

K 哥在这里,先祝各位小伙伴们新春快乐,财源广进,阖家幸福!

吾爱破解每年都有个解题领红包流动,往年也不例外,须要咱们使出看家逆向本事来剖析内容取得口令红包,依据难度等级不同会取得不同数量的吾爱币,流动继续到元宵节完结。流动一共有十个题,本文分享过年期间抽空做的几个题的相干思路。文章很早就写好了,不过遵循论坛的规定,提早至元宵节之后公布。

流动地址:https://www.52pojie.cn/thread-1889163-1-1.html

Windows 高级

间接应用 IDA 关上,先运行一次,轻易输出:

Please input password:
aaa
Error, please try again

搜寻对应字符串:

次要逻辑就是上面局部,先判断长度是否等于 36,再逐字节判断 v10 != v9,那么间接动静调试:

if (v36 == 36)
{sub_5B2490(&v27, Src);
    sub_5B1FE0(Block, -3, (char *)v27, v28);
    LOBYTE(v38) = 2;
    v9 = Block;
    v10 = v35;
    if (v34 >= 0x10)
      v9 = (char **)Block[0];
    if (v6 >= 0x10)
      v10 = v7;
    if (Block[4] != (char *)36 )
      goto LABEL_19;
    v11 = 32;
    while (1)
    {
      v12 = *v10;
      if (*v10 != *v9)
        break;
      ++v10;
      ++v9;
      v14 = v11 < 4;
      v11 -= 4;
      if (v14)
      {
        v13 = 0;
        goto LABEL_18;
      }
    }。。。。。。。。。。。。。。。。。。。。LABEL_18:
    v18 = "Success";
    if (v13)
    LABEL_19:
    v18 = "Wrong,please try again.";。。。。。。。。。。。。。。。。。。。。sub_5BA6EE("Pause");
}
else
{v8 = sub_5B27D0(v5, "Error, please try again");
    sub_5B2A80((int)v8);
    sub_5BA6EE("Pause");
}

if (v10 != v9 ) 这里下个断点,输出 “a”×36,很显著是明文比照了:

而后批改下数据类型,查看对应值,很显著 flag 就是 fl@g{H@ppy_N3w_e@r!2o24!Fighting!!!}:

还原也很简略就不详细分析了,惟一须要留神 IDA 辨认 \x80 成了字符 €,不要间接去复制了:

bytes([a - 3 for a in b"ioCj~KCss|bQ6zbhCu$5r57$Iljkwlqj$$$\x80"]).decode("utf-8")

安卓高级 1

抓猫能手

小小猫咪竟敢班门弄斧,偷走我的 flag,好歹我也是猫咪猎手:

抓到猫咪过后会播放“原神启动”,视频最初会呈现 flag,千万不要提前敞开:

JS 调试

抓猫局部是 html,应用的 webview,参考这篇文章:

https://www.52pojie.cn/thread-967665-1-1.html

开启调试,倡议应用 Edge。

间接搜寻失败的提醒 “ 挥汗如雨了吧,老弟!”,能够看到失败和胜利调用函数,在失败处下个断点,轻易点击:

JAVA 剖析

从下面内容当抓到小猫过后,回调了 onSolverReturnValue:

public void onSolverReturnValue(int i) {if (i == -1) {this.mContext.startActivity(new Intent(this.mContext, YSQDActivity.class));
    }
}

onSolverReturnValue 又加载 YSQDActivity:

String filePath = "/data/user/0/com.zj.wuaipojie2024_1/files/ys.mp4";
   
public void onCreate(Bundle bundle) {。。。。。。。。。。playVideo(this.filePath);
}

public void playVideo(String str) {
    .............................
    videoView.setOnPreparedListener(new MediaPlayer.OnPreparedListener() { 
        @Override 
        public void onPrepared(MediaPlayer mediaPlayer) {mediaPlayer.setVideoScalingMode(1);// 播放视频
        }
    });
    videoView.setOnCompletionListener(new MediaPlayer.OnCompletionListener() {
        @Override 
        public void onCompletion(MediaPlayer mediaPlayer) {// 播放完结设置 flag
            YSQDActivity.this.tv.setText(YSQDActivity.extractDataFromFile(YSQDActivity.this.filePath));
        }
    });
    .............
}

播放完结时调用了 extractDataFromFile 获取 flag,就是明文藏在视频中:

public static String extractDataFromFile(String str) {RandomAccessFile randomAccessFile = new RandomAccessFile(str, "r");
    long length = randomAccessFile.length();
    for (long max = Math.max(length - 30, 0L); max < length; max++) {if (new String(bArr, StandardCharsets.UTF_8).indexOf("flag{") != -1) {String str3 = str2.substring(indexOf).split("\\}")[0] + "}";
            randomAccessFile.close();
            return str3;
        }
    }
    randomAccessFile.close();
    return null;
}

安卓高级 2

家喻户晓原神是一个抽卡游戏,原神启动过后先来一发,抽中过后就会呈现 flag:

充钱是不可能充钱的,这辈子都不可能的:

要充钱首先就要找到充钱入口,简略搜寻一下:

public class WishActivity extends h {public int[] o = {10, 0, 0};
    public int[] p = {1, 2, 4, 8, 16, 32, 64, 128};
    public final void run() {textView.setText(iArr2[0] < 10 ? String.format(Locale.SIMPLIFIED_CHINESE, "以后已实现 %d 次祈愿,领有 %d 个纠缠之缘 \n%d 秒后将为你补充一个", Integer.valueOf(iArr2[1]), Integer.valueOf(wishActivity.o[0]), Integer.valueOf(wishActivity.o[2])) : String.format(Locale.SIMPLIFIED_CHINESE, "以后已实现 %d 次祈愿,以后领有 %d 个纠缠之缘 \n 纠缠之缘已满,%d 秒后将溢出一个,请尽快应用!", Integer.valueOf(iArr2[1]), Integer.valueOf(wishActivity.o[0]), Integer.valueOf(wishActivity.o[2])));
    }
};

能够看到充钱入口就在 wishActivity.o[0],间接用 Frida 充:

Java.perform(function x() {
    let WishActivity = Java.choose("com.kbtx.redpack_simple.WishActivity", {onMatch: function (instance) {console.log(`WishActivity instance found: ${instance}`);
            console.log(`WishActivity instance found: ${instance.o.value}`);
            instance.o.value[0] = 648*10;

        },
        onComplete: function () {}
    });
});

只能充一点点不能充多了,冲多了会封号:

充完钱就不必我教了吧。

上面是判断是否抽中,抽中过后,又调用了 FlagActivity:

if (random < (iArr2[1] <= 80 ? 0.006d : (iArr2[1] - 80) * 0.1d)) {Toast.makeText(wishActivity, "祝贺你十连出金了,奖品为 flag 提醒!", 1).show();
    wishActivity.startActivity(new Intent(wishActivity, FlagActivity.class));
    return;
}

在 FlagActivity 中,先获取了签名,再和 o 异或,就失去了 flag:

public static byte[] o = {86, -18, 98, 103, 75, -73, 51, -104, 104, 94, 73, 81, 125, 118, 112, 100, -29, 63, -33, -110, 108, 115, 51, 59, 55, 52, 77};。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。。try {signatureArr = getPackageManager().getPackageInfo(getPackageName(), 64).signatures;
} catch (PackageManager.NameNotFoundException unused) {bArr = new byte[0];
}
if (signatureArr != null && signatureArr.length >= 1) {byte[] byteArray = signatureArr[0].toByteArray();
    ByteBuffer allocate = ByteBuffer.allocate(bArr2.length);
    for (int i = 0; i < bArr2.length; i++) {allocate.put((byte) (bArr2[i] ^ byteArray[i % byteArray.length]));
    }
    bArr = allocate.array();
    StringBuilder d = a.d("for honest players only: \n");
    d.append(new String(bArr));
    ((TextView) findViewById(R.id.tvFlagHint)).setText(d.toString());
}

间接利用 KeyStore Explorer,从 /META-INF/CERT.RSA 导出秘钥就行:

import base64
key = '''MIIDADCCAegCAQEwDQYJKoZIhvcNAQELBQAwRjEQMA4GA1UEAwwHa2J0eHdlcjEQ
MA4GA1UECwwHNTJwb2ppZTEQMA4GA1UECgwHNTJwb2ppZTEOMAwGA1UEBwwFQ2hp
bmEwHhcNMjQwMTE2MDYzMzIzWhcNNDkwMTA5MDYzMzIzWjBGMRAwDgYDVQQDDAdr
YnR4d2VyMRAwDgYDVQQLDAc1MnBvamllMRAwDgYDVQQKDAc1MnBvamllMQ4wDAYD
VQQHDAVDaGluYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIBIBBNf
V8FTmAmp9ikd0NqDxfn8V8rxmaSM/je5oMxGoQUhMqY0TjCaMbgO5xXf/L0gf4Sw
fmIMi8MjKwkwUEc/gp7LdKVF7o/UKf6uhIDkKEw1vGncQ9PBMOv3sKFsbRCFdhPC
JCAq53Em/P3JZCFEFYKH/noZaWO8UqR7uULw916wWSNr+mTFJxjHNUekw2LxF07G
QrmKMaTXy+jpkd+ifbcANdRRyHm13vEtu32xn9WrIREQJWxBVs0L5z0i0sBgMUTe
oY5lehLAwBRrpcXrprlzoie4FfyO/tTEonVHcYVL08BEaG7L5lBaVA56+qCZkzlB
C1qf64JkB0UsKIsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAXhAk7ZWZLNjYgzTq
82D9VpntfSMzY03e1l6c2mIiu1rmgYnbavtYmMqfNDeVnbLlDObRn8O5gu3n6e1d
2SSI3tZpKK1ZOf3zGLF7SpXwIFu22iej3k97aXANlKJegHZ9JWtjABTiVGSLKjfW
iZWe9HKTp3LBUJ2zGw3e03eWT+kzZtjvgI4gfRsji7vVG2odODMODCm+4a/dBnTl
ADtM0lVdJaDPUj8ReR0ql/99EyNUMv7wtE+3o0xpCrUd5NVLp4doEusfaRnSvS35
fDfp6SfODQ9BqE9TPgEPyOGn+iA8HHw+XQhzsrn8bNdNnlOBMsbXJcMFvF92Cw+4
cQGoog=='''sign = base64.b64decode(key.replace('\n',''))
bArr2 = [86, -18, 98, 103, 75, -73, 51, -104, 104, 94, 73, 81, 125, 118, 112, 100, -29, 63, -33, -110, 108, 115, 51, 59,
         55, 52, 77];
bArr2 = [(b & 0xFF ^ sign[i % len(sign)]) for i, b in enumerate(bArr2)]
print(bytes(bArr2).decode('utf-8'))

安卓中级

玄天帝新生

2006 年正月初五 2/2 10:00 玄天帝新生,18 年后,偶遇前世一个宝藏:

一代玄天帝还没有发育起来就被毁灭了,预知后事如何,欢送吃席。

一线生机

在刺客联盟追捕下,少年玄天帝可怜坠落悬崖,依照剧情倒退应该又有奇遇了。在坠落悬崖时可怜碰到了头,他忽然想起 Android Studio 能够查看局部日志:

发现 checksum 不匹配,查看对应代码,dex 位于 /assets/classes.dex 而后开释到根目录改名为 1.dex 了,那么间接用 np 修复文件头,在替换回去:

public boolean checkPassword(String str) {
    try {InputStream open = getAssets().open("classes.dex");
        byte[] bArr = new byte[open.available()];
        open.read(bArr);
        File file = new File(getDir("data", 0), "1.dex");
        FileOutputStream fileOutputStream = new FileOutputStream(file);
        fileOutputStream.write(bArr);
        fileOutputStream.close();
        open.close();
        String str2 = (String) new DexClassLoader(file.getAbsolutePath(), getDir("dex", 0).getAbsolutePath(), null, getClass().getClassLoader()).loadClass("com.zj.wuaipojie2024_2.C").getDeclaredMethod("isValidate", Context.class, String.class, int[].class).invoke(null, this, str, getResources().getIntArray(R.array.A_offset));
        if (str2 == null || !str2.startsWith("唉!")) {return false;}
        this.tvText.setText(str2);
        this.myunlock.setVisibility(8);
        return true;
    } catch (Exception e) {e.printStackTrace();
        return false;
    }
}
// frida

var fileOutputStream = Java.use("java.io.FileOutputStream");
var a = 1;
fileOutputStream.write.overload('[B').implementation = function (bArr) {console.log("write:");
    if (a % 2) {bArr = [100, 101, 120。。。。。]// 修复后的字节,也可也只替换头
    }
    a++;
    var ret = fileOutputStream.write.overload('[B').call(this, bArr);
    return ret;
};

而后运行,又报错了,查看对应代码:

public static HashMap<String, Integer> getClassDefData(ByteBuffer byteBuffer, int i) {if (byteBuffer == null) {throw new IllegalArgumentException("Buffer cannot be null");
    }
}

byteBuffer 读取是在 fix(read(context), iArr[0], iArr[1], iArr[2], context),按提醒在 fix dex 而这里缺读取的 decode.dex,后面保留的又是 1.dex,那么间接把 1.dex 改个名字 /data/user/0/com.zj.wuaipojie2024_2/app_data/decode.dex:

private static ByteBuffer read(Context context) {File file = new File(context.getDir("data", 0), "decode.dex");
    if (file.exists()) {FileInputStream fileInputStream = new FileInputStream(file);
        byte[] bArr = new byte[fileInputStream.available()];
        fileInputStream.read(bArr);
        ByteBuffer wrap = ByteBuffer.wrap(bArr);
        fileInputStream.close();
        return wrap;
    }
    return null;
}

还留神到在获取了对应办法后,删掉了修复后的 dex,那么间接 hook 删除函数,或者 hook 写入函数传到电脑里:

var deleteFile = Java.use("java.io.File").delete;
deleteFile.implementation = function () {console.log("delete file:" + this);
};

查看修复胜利后的函数,很容易失去明码 048531267,也没啥用,还有个提醒:

后果发现没有任何有用信息,参考之前 A.d 的修复,再加上之前的传入了一个参数 A_offset,左近还有个 B_offset:

那么 hook 一下,批改为 B 的偏移,先把之前修复好了 2.dex 的改为 decode.dex,这样 A 就是修复好了的:

let MainActivity = Java.use("com.zj.wuaipojie2024_2.MainActivity");
MainActivity["checkPassword"].implementation = function (str) {
    str = "048531267"
    console.log(`MainActivity.checkPassword is called: str=${str}`);
    let result = this["checkPassword"](str);
    return result;
};
let AppCompatActivity = Java.use("androidx.appcompat.app.AppCompatActivity");
AppCompatActivity["getResources"].implementation = function () {let result = this["getResources"]();
    console.log(result.getIntArray(0x7f030001));
    console.log(result);
    return result;
};

而后运行,首先明码正确:

而后函数也修复进去了:

避免魔改被动调用一下:

Java.enumerateClassLoaders({"onMatch": function (loader) {if (loader.toString().indexOf("dalvik.system.DexClassLoader") !== -1) {
            Java.classFactory.loader = loader;
            console.log(loader);
        }
    },
    "onComplete": function () {console.log("success");
    }
});
let Utils = Java.use("com.zj.wuaipojie2024_2.Utils");
let password_uid="048531267"
let str = Java.use("java.lang.String").$new(password_uid);
let bArr = str.getBytes();
let sha1 = Utils.getSha1(bArr);
let md5 = Utils.md5(sha1);
console.log(` 机缘是 ${md5}`);

Web

flag3{GRsgk2} 视频结尾变动的。

flag1{52pj2024} 2-3s 左右变动的。

flag2{xHOpRP} 扫描二维码 间接拜访 https://2024challenge.52pojie.cn/ 会重定向,在响应头外面 X-Flag2: flag2{xHOpRP}:

flag4{YvJZNS} 网站会加载一张图片 flag4_flag10.png 外面间接显示 4。

flagA,登陆时后盾返回了加密 flagA 以及 UID,参考每次会申请 https://2024challenge.52pojie.cn/auth/uid 这个地址去解密 uid,间接批改 ck:

cookies = {"uid": "Uu6S/LKGcHP....ahI9KitSRsMFLDNu7ecW2TqkIcWBA==",// 批改为 flagA=**** 外面的值}
url = "https://2024challenge.52pojie.cn/auth/uid"
response = requests.get(url, cookies=cookies)
flagA{ea239d69}

flag5{P3prqF} 网页中有提醒 <!-- flag5 flag9 --> 以 -.. 换行,能够看出另一个 flag,微调一下,再缩放:

flag9{KHTALK}:

flag6{20240217} 计算 md5(*)==1c450bbafad15ad87c32831fa1a616fc,间接让网页跑一会就行,或者在 https://www.cmd5.com/ 这里查问。

flag7{Djl9NQ} 视频中的 Git 地址外面,利用历史记录查看 https://github.com/ganlvtech/52pojie-2024-challenge/commit/6bbac038c4813fbc5d129a8d605471ea2e374786。

flag8{OaOjIK} flagB 玩游戏就行,如果你买了 v50,会给你提醒溢出,间接买 2**62 =4611686018427387904 个,不出意外的话能够购买胜利。

flag10{6BxMkW} flag4_flag10.png 外面,没看懂轻易改了一个二进制就有了:

实际上应该是两个图层,默认是彩色的,flag4 是红色能够间接看,flag10 和背景一样导致显示不进去

间接在这个网站 https://www.georgeom.net/StegOnline/image,抉择 lnverse (RGBA) 甚至你还能够间接改后缀为 mp4:

flag11{HPQfVF} 拼图,网站给了提醒:

:root {
    --var1: 0; /* 在 0 ~ 100 范畴内找到一个适合的值 */
    --var2: 0; /* 在 0 ~ 100 范畴内找到一个适合的值 */
}

#a000 {
    position: absolute;
    left: 0;
    top: 0;
    width: 30px;
    height: 30px;
    background: url(flag11.png) 0px 0px;
    transform: translate(calc(942.5135817416999px + 1.0215884355337748px * var(--var1) + 0.24768196677010001px * var(--var2)), calc(224.16483995058888px + 2.9293942195858147px * var(--var1) + 0.8924085229409133px * var(--var2)));
}

transform 外面对应的应该是整数甚至能够说是 30 整数倍数才行,不然简直不可能还原图片:

a = 942.5135817416999
b = 1.0215884355337748
c = 0.24768196677010001
d = 224.16483995058888
e = 2.9293942195858147
f = 0.8924085229409133
for i in range(0, 100):
    for j in range(0, 100):
        dd= a+b*i+c*j
        ww= d+e*i+f*j
        print(dd, ww)
        print(i, j)
//1020.0 450.00000000000006
71 20

flag12{HOXI} 很简略 wasm,批改一下 num 就行:

let num = instance.exports.get_flag12(secret);//1213159497   (int32)(secret* 1103515245)!= 1 ? 0: 1213159497
let str = '';
while (num > 0) {str = String.fromCodePoint(num & 0xff) + str;
    num >>= 8;
}
return `flag12{${str}}`;

flagC 没看懂考的什么间接用他给案例图片,依据返回提醒批改,一开始提醒物体太多,删减 classes 到 4 个后就行了:

{"hint":"物体太多了","labels":["car 品种谬误","bus 品种谬误","truck 品种谬误","train 品种谬误","fire hydrant 品种谬误","motorcycle 品种正确 地位谬误","traffic light 品种正确 地位谬误","traffic light 品种正确 地位谬误","cat 品种谬误","bicycle 品种谬误","person 品种正确 地位正确","boat 品种谬误","traffic light 品种正确 地位谬误","airplane 品种正确 地位正确"],"colors":["ff9999","ff9999","ff9999","ff9999","ff9999","ffff99","ffff99","ffff99","ff9999","ff9999","99ff99","ff9999","ffff99","99ff99"]}

我这运气好,刚好有四种 traffic light person airplane motorcycle 轻易填按提醒批改就行,最初提交的内容:

data = {
    "boxes": [
        0.0071830302476882935,
        0.5186262726783752,
        0.4009798765182495,
        0.6479262709617615,
        0.4077116847038269,
        0.5121312141418457,
        0.7820706963539124,
        0.776945948600769,
        0.31250375509262085,
        0.2294374704360962,
        0.7281658053398132,
        0.4627001881599426,
        0.002122640609741211,
        0.8341933488845825,
        0.3802390992641449,
        0.9994925260543823
    ],
    "scores": [
        0.8933814167976379,
        0.8905049562454224,
        0.884631872177124,
        0.8726911544799805
    ],
    "classes": [
        0,
        9,
        3,
        4
    ]
}

{"hint":"flagC{b8ff9fbc} 过期工夫: 2024-02-17 22:50:00","labels":["person 品种正确 地位正确","traffic light 品种正确 地位正确","motorcycle 品种正确 地位正确","airplane 品种正确 地位正确"],"colors":["99ff99","99ff99","99ff99","99ff99"]}

正文完
 0