IS308 lab4

Posted by chinaljr on June 3, 2018

实验github

lab4

apk逆向

  • Android 系统架构
    • APPs
    • Java API Framework
    • Native C/C++ libraries + Android Runtime
      • Dalvik dex odex
      • ART oat
    • Hardware Abstraction layer
    • Linux Kernel Drivers
    • power management
  • Android 文件格式 图片
  • 用到的工具
    • JEB 图形化
    • apktool 命令行

apk逆向

图片

这是 apk 逆向之后的 class 层次图，可以点进去，对具体某个 class 反编译得到 Java 代码。

答案

  • 图片的海绵宝宝里面有一个
  • com/h1702ctf/ctfone/InCryption 是一个
package com.h1702ctf.ctfone;

import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

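public class InCryption {
    /**
     * AES-128 key used by {@link #decrypt}, hard-coded as hex. Key and ciphertext
     * both ship inside the APK, so this scheme only obfuscates the payload: anyone
     * holding the app can recover the plaintext, which is what the write-up above does.
     */
    private static final String KEY_HEX = "0123456789ABCDEF0123456789ABCDEF";

    /**
     * Hex-encoded AES ciphertext embedded in the app. The literal as reproduced on
     * this page is truncated ({@code [...]}), so this copy cannot be decrypted as-is.
     */
    static String encryptedHex;

    static {
        InCryption.encryptedHex = "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[...]07a25c129f9071f52f674b28cff9f4ade7244ded87c4d06dd82895f2b20110bbad011d2d66c36261ef7fb7ca949a22ed84";
    }

    public InCryption() {
        super();
    }

    /**
     * Encodes {@code data} as upper-case hex, two characters per byte.
     *
     * @param data bytes to encode; an empty array yields {@code ""}
     * @return hex string of length {@code 2 * data.length}
     */
    static String bin2hex(byte[] data) {
        // String.format rejects "%0X" (zero flag without a width), so the empty
        // array is handled before building the format string.
        if (data.length == 0) {
            return "";
        }
        // BigInteger(1, ...) reads the bytes as an unsigned magnitude; the zero-padded
        // width puts back the leading zero bytes BigInteger would otherwise drop.
        return String.format("%0" + data.length * 2 + "X", new BigInteger(1, data));
    }

    /**
     * Decrypts {@code ciphertext} with AES/ECB/PKCS5Padding under {@code key}.
     * ECB has no IV and encrypts each block independently, so equal plaintext
     * blocks give equal ciphertext blocks; fine for a CTF artifact, not for real data.
     *
     * @param key raw AES key bytes (16 bytes for the key used here)
     * @param ciphertext data to decrypt
     * @return PKCS5-unpadded plaintext
     * @throws Exception on any JCE failure (wrong key length, bad padding, ...)
     */
    private static byte[] decrypt(byte[] key, byte[] ciphertext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"));
        return cipher.doFinal(ciphertext);
    }

    /**
     * SHA-256 of {@code text} (UTF-8 encoded) as upper-case hex.
     *
     * @param text string to hash
     * @return 64 hex characters, or {@code ""} if SHA-256 is unavailable
     */
    public static String getHash(String text) {
        MessageDigest sha256;
        try {
            sha256 = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            // Every conforming JRE provides SHA-256, so this branch is effectively
            // dead; the original returns "" here and that contract is kept.
            e.printStackTrace();
            return "";
        }
        // Explicit charset: the original used the platform default, which varies
        // between devices for non-ASCII input.
        return InCryption.bin2hex(sha256.digest(text.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Recovers the embedded plaintext and returns its SHA-256 hex. Pipeline:
     * hex -> AES decrypt -> text (itself hex) -> bytes -> text -> SHA-256.
     * The write-up stops one step early and prints the intermediate text instead.
     *
     * @return SHA-256 hex of the recovered plaintext
     * @throws Exception propagated from {@link #decrypt}; hex parsing of malformed
     *         input additionally raises {@link NumberFormatException}
     */
    public static String hashOfPlainText() throws Exception {
        byte[] key = InCryption.hex2bytes(KEY_HEX);
        byte[] decrypted = InCryption.decrypt(key, InCryption.hex2bytes(InCryption.encryptedHex));
        // The decrypted payload is hex text, hence the second decode.
        String innerHex = new String(decrypted, StandardCharsets.UTF_8).trim();
        String plainText = new String(InCryption.hex2bytes(innerHex), StandardCharsets.UTF_8);
        return InCryption.getHash(plainText);
    }

    /**
     * Parses a hex string into bytes, two characters per byte.
     *
     * @param hex hex digits; if the length is odd the trailing nibble is ignored
     * @return decoded bytes, {@code hex.length() / 2} long
     * @throws NumberFormatException if any pair is not valid hex
     */
    static byte[] hex2bytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int pos = i * 2;
            out[i] = (byte) Integer.parseInt(hex.substring(pos, pos + 2), 16);
        }
        return out;
    }
}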

  • 执行这段代码，把 hashOfPlainText 里面的 hash 部分去掉
  • 得到dash dot space 的序列
  • 写一份代码转换成摩斯密码
  • 然后解析得到CAPWNBRACKETCRYP706R4PHYUNDERSCORE15UNDERSCOREH4RDUNDERSCOREBR0BRACKET
  • 翻译一下得到 cApwN{cryptography is hard bro}
  • 密码学真难,shit.

UPX脱壳

  • 加壳方式
    • 压缩代码
    • 加壳工具放在头部代码,告诉CPU如何解压
    • 可以独立运行,解压过程完全隐蔽
  • 使用PEID查壳工具分析程序加壳情况
    • 无壳
    • 有壳
  • 查看PE头
    • 无壳
    • 有壳
  • 堆栈平衡脱壳找到入口地址
    • 执行脱壳程序前 pushad 执行完之后 popad
    • 显然可以在第一句压栈之后设置访问断点，使得 pop 的时候程序挂起
    • 我们知道程序入口 OEP = 01015330