2024年ISCC竞赛MOBILE


刚刚参加了2024年第21届信息安全与对抗技术竞赛(ISCC 2024),我们经历了一场紧张而充满挑战的竞技之旅。现在,让我们一起回顾竞赛中那些引人入胜的题目和巧妙的解题方法。本文专注于剖析MOBILE方向的题目及其解法。

2024年ISCC竞赛MOBILE

MOBILE

2024年ISCC竞赛MOBILE
2024年ISCC竞赛MOBILE

ohHELP

2024年ISCC竞赛MOBILE

2024年ISCC竞赛MOBILE

在资源文件中找到word,翻转后发现是个key,逆天

2024年ISCC竞赛MOBILE

PUDzbflthjqxlJVW

将代码粘下来直接跑

#a
package study;

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.function.Consumer;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/* loaded from: classes.dex */
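/**
 * Decompiled helper class from the ohHELP sample ({@code com.example.ohhelp.a}), pasted into a
 * desktop project so that {@link #main} can be run directly.
 *
 * <p>Every key and plaintext used here is a literal compiled into the class, so anyone who can
 * read the APK can repeat the computation; a key shipped inside the client is not a secret.
 */
public class a {
    /**
     * Encrypts the fixed timestamp string with the fixed 16-character key.
     *
     * @return the Base64 text returned by {@code AesUtil.encrypt}
     */
    public static String a() {
        return AesUtil.encrypt("1055853128000", "PUDzbflthjqxlJVW");
    }

    /**
     * Extracts every entry of the archive {@code str} into the directory {@code str2}.
     *
     * <p>{@code str3} is never read: despite the method name no password is applied, and
     * {@code java.util.zip.ZipFile} has no support for password-protected archives.
     *
     * @param str path of the zip archive to read
     * @param str2 directory that receives the extracted entries; created if it does not exist
     * @param str3 unused
     * @throws IOException if the archive cannot be opened
     */
    public static void unzipWithPassword(String str, final String str2, String str3) throws IOException {
        File file = new File(str2);
        if (!file.exists()) {
            file.mkdir();
        }
        // try-with-resources closes the archive even if an entry handler throws.
        try (ZipFile zipFile = new ZipFile(str)) {
            zipFile.stream().forEach(entry -> lambda$unzipWithPassword$0(str2, zipFile, entry));
        }
    }

    /**
     * Writes one archive entry below the directory {@code str}.
     *
     * <p>Entry names come from the archive and are therefore untrusted: a name containing
     * {@code ..} segments would otherwise be written outside the target directory. Such entries
     * are rejected, and the rejection is reported through the same stack-trace path as any other
     * I/O failure, so the remaining entries are still processed.
     *
     * @param str target directory
     * @param zipFile open archive that owns {@code zipEntry}
     * @param zipEntry entry to extract
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static /* synthetic */ void lambda$unzipWithPassword$0(String str, ZipFile zipFile, ZipEntry zipEntry) {
        try {
            File root = new File(str).getCanonicalFile();
            File target = new File(root, zipEntry.getName()).getCanonicalFile();
            // Canonical paths have ".." resolved, so a prefix test is enough to confine the write.
            if (!target.toPath().startsWith(root.toPath())) {
                throw new IOException("zip entry resolves outside " + root + ": " + zipEntry.getName());
            }
            if (zipEntry.isDirectory()) {
                target.mkdirs();
                return;
            }
            // Both streams are closed on every path, including a failed read or write.
            try (BufferedInputStream in = new BufferedInputStream(zipFile.getInputStream(zipEntry));
                 BufferedOutputStream out = new BufferedOutputStream(new FileOutputStream(target))) {
                byte[] buffer = new byte[1024];
                int read;
                while ((read = in.read(buffer)) != -1) {
                    out.write(buffer, 0, read);
                }
            }
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    /**
     * Prints the second-stage value: the first 8 characters of {@link #a()} joined with the last
     * 8 characters of a fixed string, encrypted with a second fixed key.
     */
    public static void main(String[] args) {
        String tail = "e$*R@16OQgM2Fxv";
        // 8 + 8 characters gives exactly 16, so AesUtil.encrypt applies no zero padding here.
        String combined = a.a().substring(0, 8) + tail.substring(tail.length() - 8);
        System.out.println(AesUtil.encrypt(combined, "IscC20244202CcsI"));
    }
}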

#AesUtil
package study;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: classes.dex */
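/**
 * AES helper recovered from the decompiled application.
 *
 * <p>The two-argument {@code encrypt}/{@code decrypt} pair uses ECB without padding. ECB encrypts
 * each 16-byte block independently, so equal plaintext blocks produce equal ciphertext blocks;
 * the mode is kept unchanged here because the surrounding write-up relies on reproducing the
 * same output. New code should use an authenticated mode with a fresh random IV instead.
 */
public class AesUtil {
    private static final String AES_CBC = "AES/CBC/PKCS5Padding";
    private static final String AES_CFB = "AES/CFB/PKCS5Padding";
    private static final String AES_ECB = "AES/ECB/NOPadding";
    private static final int IV_LENGTH = 16;
    private static final String IV_ALPHABET =
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    /** IVs must be unpredictable, so they are drawn from a CSPRNG rather than java.util.Random. */
    private static final SecureRandom IV_RANDOM = new SecureRandom();

    /**
     * Reports whether {@code obj} is {@code null} or the empty string.
     *
     * @param obj value to test
     * @return {@code true} for {@code null} and {@code ""}
     */
    public static boolean isEmpty(Object obj) {
        return obj == null || "".equals(obj);
    }

    /**
     * Encodes {@code str} as UTF-8.
     *
     * @param str text to encode
     * @return the UTF-8 bytes, or {@code null} when {@code str} is {@code null} or empty
     */
    public static byte[] getBytes(String str) {
        if (isEmpty(str)) {
            return null;
        }
        return str.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Generates a 16-character alphanumeric string for use as an IV.
     *
     * <p>Only 62 symbols are used per position, so the result carries less entropy than 16
     * random bytes would.
     *
     * @return a fresh 16-character string over {@code [a-zA-Z0-9]}
     */
    public static String getIV() {
        StringBuilder iv = new StringBuilder(IV_LENGTH);
        for (int i = 0; i < IV_LENGTH; i++) {
            iv.append(IV_ALPHABET.charAt(IV_RANDOM.nextInt(IV_ALPHABET.length())));
        }
        return iv.toString();
    }

    /**
     * Wraps the UTF-8 bytes of {@code str} as an AES key.
     *
     * @param str key text; its byte length must be a valid AES key size when the key is used
     * @return the key specification
     */
    public static SecretKeySpec getSecretKeySpec(String str) {
        return new SecretKeySpec(getBytes(str), "AES");
    }

    /**
     * Encrypts {@code str} with AES/ECB and no padding and returns Base64 text.
     *
     * <p>When {@code str} is not 16 characters long, a {@code "0"} is inserted at offsets 4, 7
     * and 13. That turns a 13-character input into exactly one AES block; other lengths are not
     * handled and fail either in the insert or in the cipher.
     *
     * @param str plaintext
     * @param str2 key text
     * @return Base64 ciphertext, or {@code null} when either argument is {@code null} or empty
     * @throws RuntimeException wrapping any failure reported by the cipher
     */
    public static String encrypt(String str, String str2) {
        if (isEmpty(str) || isEmpty(str2)) {
            return null;
        }
        StringBuilder padded = new StringBuilder(str);
        if (str.length() != 16) {
            padded.insert(4, "0").insert(7, "0").insert(13, "0");
        }
        try {
            Cipher cipher = Cipher.getInstance(AES_ECB);
            cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(str2));
            return Base64.getEncoder().encodeToString(cipher.doFinal(getBytes(padded.toString())));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Reverses the two-argument {@link #encrypt(String, String)}; inserted zeros are not removed.
     *
     * @param str Base64 ciphertext
     * @param str2 key text
     * @return the decrypted text, or {@code null} when either argument is {@code null} or empty
     * @throws RuntimeException wrapping any failure reported by the cipher
     */
    public static String decrypt(String str, String str2) {
        if (isEmpty(str) || isEmpty(str2)) {
            return null;
        }
        byte[] decode = Base64.getDecoder().decode(str);
        try {
            Cipher cipher = Cipher.getInstance(AES_ECB);
            cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(str2));
            return new String(cipher.doFinal(decode), StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Encrypts {@code str} with the caller-chosen transformation and IV.
     *
     * @param str plaintext
     * @param str2 key text
     * @param str3 IV text, used as its UTF-8 bytes
     * @param str4 transformation name passed to {@code Cipher.getInstance}
     * @return Base64 ciphertext, or {@code null} when any of the first three arguments is empty
     * @throws RuntimeException wrapping any failure reported by the cipher
     */
    public static String encrypt(String str, String str2, String str3, String str4) {
        if (isEmpty(str) || isEmpty(str2) || isEmpty(str3)) {
            return null;
        }
        try {
            Cipher cipher = Cipher.getInstance(str4);
            cipher.init(Cipher.ENCRYPT_MODE, getSecretKeySpec(str2), new IvParameterSpec(getBytes(str3)));
            return Base64.getEncoder().encodeToString(cipher.doFinal(getBytes(str)));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Decrypts Base64 ciphertext with the caller-chosen transformation and IV.
     *
     * @param str Base64 ciphertext
     * @param str2 key text
     * @param str3 IV text, used as its UTF-8 bytes
     * @param str4 transformation name passed to {@code Cipher.getInstance}
     * @return the decrypted text, or {@code null} when any of the first three arguments is empty
     * @throws RuntimeException wrapping any failure reported by the cipher
     */
    public static String decrypt(String str, String str2, String str3, String str4) {
        if (isEmpty(str) || isEmpty(str2) || isEmpty(str3)) {
            return null;
        }
        byte[] decode = Base64.getDecoder().decode(str);
        try {
            Cipher cipher = Cipher.getInstance(str4);
            cipher.init(Cipher.DECRYPT_MODE, getSecretKeySpec(str2), new IvParameterSpec(getBytes(str3)));
            return new String(cipher.doFinal(decode), StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** Prints one freshly generated IV string. */
    public static void main(String[] args) {
        System.out.println(getIV());
    }
}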

#MyJni
package study;

import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;

/* loaded from: classes.dex */
/**
 * Stand-in for the app's {@code Myjni} class that returns fixed values instead of calling into
 * native code (presumably the original methods were JNI bindings; confirm against the APK).
 */
public class Myjni {
    /**
     * Returns the fixed key string.
     *
     * <p>NOTE(review): this literal is 17 characters long, so it is not usable as an AES key as
     * is; confirm which value the native library actually returns.
     */
    public static String GetKey() {
        final String key = "PUDzbflbthjqxlJVW";
        return key;
    }

    /** Returns its argument unchanged. */
    public static String GetTime(String str) {
        String passthrough = str;
        return passthrough;
    }

    /**
     * Prints the current epoch time in milliseconds and one reference value, then returns the
     * fixed timestamp string. An earlier candidate value was "1711501613".
     */
    public static String GetTime() {
        long now = System.currentTimeMillis();
        System.out.println(now);
        System.out.println("1055848110000");
        final String fixedTimestamp = "1055853128000";
        return fixedTimestamp;
    }
}

2024年ISCC竞赛MOBILE

2024年ISCC竞赛MOBILE
2024年ISCC竞赛MOBILE

challengemobile

2024年ISCC竞赛MOBILE

动态加载类

2024年ISCC竞赛MOBILE

查看a方法,是个解密

2024年ISCC竞赛MOBILE

直接frida hook a dump出dex

2024年ISCC竞赛MOBILE

// Frida script: wraps MainActivity.a so that every call logs its argument and its return value.
// The wrapper only logs; it passes the original result back to the caller unchanged.
function hook() {
    const activity = Java.use("com.example.challengemobile.MainActivity");
    activity["a"].implementation = function (bArr) {
        console.log('a is called' + ', ' + 'bArr: ' + bArr);
        const result = this.a(bArr);
        console.log('a ret value is ' + result);
        return result;
    };
}

// Java.perform runs the callback once the Java runtime bridge is available.
function main() {
    Java.perform(function () {
        hook();
    });
}

setImmediate(main);

将字节写入文件得到dex,jadx继续打开,xxtea

2024年ISCC竞赛MOBILE

key为getKey()

ida打开,跟到代码逻辑

2024年ISCC竞赛MOBILE

aes,解密拿到key

2024年ISCC竞赛MOBILE

解密xxtea拿到flag

import base64
from ctypes import *

# Base64 ciphertext; decoded and regrouped below into little-endian 32-bit words.
enc = "C3ixAjRX34cuk3Cltu7rzynSImVvm81MPJ1jqo2kbzNB+4Du"
data = list(base64.b64decode(enc))
enc = [
    int.from_bytes(data[start:start + 4], "little")
    for start in range(0, len(data), 4)
]
# 16-character key, packed the same way into four 32-bit words.
key = [ord(ch) for ch in "0M21I908n117gC1~"]
key = [
    int.from_bytes(key[start:start + 4], "little")
    for start in range(0, len(key), 4)
]

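def MX(z, y, sum1, k, p, e):
    """XXTEA mixing function.

    z, y, sum1 and e are c_uint32 objects, k is a list of four key words and p is the word
    index. Intermediate Python ints may exceed 32 bits; wrapping the result in c_uint32
    truncates it.
    """
    return c_uint32(
        (((z.value >> 5) ^ (y.value << 2)) + ((y.value >> 3) ^ (z.value << 4)))
        ^ ((sum1.value ^ y.value) + (k[(p & 3) ^ e.value] ^ z.value))
    )


def btea(v, k, n, delta):
    """Run XXTEA over the word list v in place and return it.

    v     -- list of 32-bit words, modified in place
    k     -- list of four 32-bit key words
    n     -- word count; a value greater than 1 encrypts, any other value is negated and
             treated as the word count for decryption
    delta -- round constant added to (or subtracted from) the running sum each round

    The index expressions on v inside both inner loops had been dropped from the published
    listing; they are restored here so that the two branches are exact inverses of each other.
    """
    if n > 1:
        sum1 = c_uint32(0)
        z = c_uint32(v[n - 1])
        rounds = 6 + 52 // n
        e = c_uint32(0)

        while rounds > 0:
            sum1.value += delta
            e.value = ((sum1.value >> 2) & 3)
            for p in range(n - 1):
                y = c_uint32(v[p + 1])
                v[p] = c_uint32(v[p] + MX(z, y, sum1, k, p, e).value).value
                z.value = v[p]
            # The last word wraps around and uses the first word as its right neighbour.
            y = c_uint32(v[0])
            v[n - 1] = c_uint32(v[n - 1] + MX(z, y, sum1, k, n - 1, e).value).value
            z.value = v[n - 1]
            rounds -= 1
    else:
        sum1 = c_uint32(0)
        n = -n
        # NOTE(review): the encrypt branch divides by n, this branch by n + 1. The two agree for
        # the 9-word input used on this page but not for every length -- confirm against the
        # target binary before reusing this for other sizes.
        rounds = 6 + 52 // (n + 1)
        sum1.value = rounds * delta
        y = c_uint32(v[0])
        e = c_uint32(0)

        while rounds > 0:
            e.value = ((sum1.value >> 2) & 3)
            for p in range(n - 1, 0, -1):
                z = c_uint32(v[p - 1])
                v[p] = c_uint32(v[p] - MX(z, y, sum1, k, p, e).value).value
                y.value = v[p]
            # The first word wraps around and uses the last word as its left neighbour.
            z = c_uint32(v[n - 1])
            v[0] = c_uint32(v[0] - MX(z, y, sum1, k, 0, e).value).value
            y.value = v[0]
            sum1.value -= delta
            rounds -= 1

    return v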

if __name__=='__main__':
    # A negative word count selects the decryption branch of btea.
    a = enc
    k = key
    delta = 0x9e3779b9
    n = len(a)
    res = btea(a, k, -n, delta)
    import libnum
    # n2s yields big-endian bytes; reversing them restores the little-endian word layout.
    flag = ''.join(libnum.n2s(word)[::-1].decode() for word in res)
    print("ISCC{"+flag.strip()+"}")

2024年ISCC竞赛MOBILE
2024年ISCC竞赛MOBILE

Puzzle_Game

2024年ISCC竞赛MOBILE

定位关键代码

2024年ISCC竞赛MOBILE

在lib中找到getset函数,将代码粘贴出来运行得到str2

2024年ISCC竞赛MOBILE

2024年ISCC竞赛MOBILE

#include"defs.h"
#include<stdlib.h>
#include<stdio.h>
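/*
 * Re-runs the string derivation lifted from the native library and prints the result.
 *
 * Returns a heap buffer of 16 bytes holding 15 derived characters followed by a NUL
 * terminator, or NULL if the allocation fails. The caller owns the buffer and should free() it.
 */
_BYTE *getend(void)
{
    /* Same 62 values as the decompiled int table: a-z, A-Z, 0-9. */
    static const char alphabet[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    _BYTE *result;
    int v1;     /* output position, 0..14 */
    int v2 = 0; /* per-character offset: 0, then 15, 14, 13, ... */

    /*
     * Only 15 of the 16 bytes are written below. calloc zero-fills the buffer, so byte 15 is
     * the terminator that puts() needs; with malloc it was left uninitialised.
     */
    result = (_BYTE *)calloc(0x10u, 1);
    if (result == NULL)
        return NULL;

    for (v1 = 0; v1 != 15; ++v1) {
        int v4 = (v2 + 5 * v1 + 7) % 62;
        int v5 = v2 + 10;
        int v6 = (unsigned char)alphabet[v4];
        int step;

        /* The decompiler emitted this as three identical back-to-back 100-iteration loops. */
        for (step = 0; step < 300; ++step) {
            v4 = (v5 + v4) % 62;
            v6 = (unsigned char)alphabet[(v2 + v6 + v4) % 62];
        }
        result[v1] = (_BYTE)v6;

        if (v2)
            --v2;
        else
            v2 = 15;
    }

    puts((char *)result);
    return result;
}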
/* Entry point: getend() prints the derived string itself, so its return value is not used. */
int main()
{
    (void)getend();
    return 0;
}

爆破sha256(明文为8位数字加固定后缀,搜索空间只有10^8,可以直接穷举)

2024年ISCC竞赛MOBILE

import hashlib
import itertools
from string import digits
def getdigest_hash(content):
    """Return the hex SHA-256 digest of str(content) encoded as UTF-8."""
    hasher = hashlib.sha256()
    hasher.update(str(content).encode('utf-8'))
    return hasher.hexdigest()
# Try every 8-digit prefix in front of the fixed 15-character suffix until the digest matches.
# An unsalted SHA-256 over a 10^8 candidate space offers no protection against enumeration.
for combo in itertools.product(digits, repeat=8):
    prefix = "".join(combo)
    test = prefix + "gwC9nOCNUhsHqZm"
    print(prefix)
    if getdigest_hash(test) == "437414687cecdd3526281d4bc6492f3931574036943597fddd40adfbe07a9afa":
        print(test)
        break

将Receiver中的代码复制出来运行加密得到flag

import java.nio.charset.StandardCharsets;
import java.util.Base64;

/* loaded from: classes.dex */
/**
 * Encoding routines copied out of the app's Receiver class so the final value can be computed
 * off-device.
 *
 * <p>Neither step is encryption in any protective sense: the XOR key is a constant that is also
 * written in clear at the front of the {@link #encrypt} output, and {@link #encrypt2} is a fixed
 * byte substitution with no key at all.
 */
public class get_flag {
    /** Concatenates the two inputs. */
    private static String combineStrings(String arg1, String arg2) {
        return new StringBuilder().append(arg1).append(arg2).toString();
    }

    /** XORs {@code arg4} with {@code arg5}, repeating {@code arg5} as often as needed. */
    private static byte[] customEncrypt(byte[] arg4, byte[] arg5) {
        byte[] mixed = new byte[arg4.length];
        int index = 0;
        while (index < arg4.length) {
            mixed[index] = (byte) (arg4[index] ^ arg5[index % arg5.length]);
            index++;
        }
        return mixed;
    }

    /**
     * XORs the UTF-8 bytes of {@code arg3 + arg4} with a fixed 16-byte key and returns the
     * Base64 encoding of the key followed by the XOR result.
     *
     * @param arg3 first half of the input
     * @param arg4 second half of the input
     * @return Base64 text of {@code key || (input XOR key)}
     */
    public static String encrypt(String arg3, String arg4) {
        byte[] xorKey = {-23, 1, (byte)0x85, -13, -68, -25, -3, 71, -22, (byte)0xA1, -77, 84, -13, 39, -5, -74};
        byte[] input = combineStrings(arg3, arg4).getBytes(StandardCharsets.UTF_8);
        byte[] body = customEncrypt(input, xorKey);
        byte[] framed = new byte[xorKey.length + body.length];
        for (int i = 0; i < xorKey.length; i++) {
            framed[i] = xorKey[i];
        }
        for (int i = 0; i < body.length; i++) {
            framed[xorKey.length + i] = body[i];
        }
        return Base64.getEncoder().encodeToString(framed);
    }

    /**
     * Adds 0x7F (mod 0x100) to every UTF-8 byte of {@code arg3}, XORs bytes at even indexes with
     * 0x7B and bytes at odd indexes with 0xEA, and returns the Base64 encoding.
     *
     * @param arg3 text to transform
     * @return Base64 text of the transformed bytes
     */
    public static String encrypt2(String arg3) {
        byte[] raw = arg3.getBytes(StandardCharsets.UTF_8);
        byte[] out = new byte[raw.length];
        for (int i = 0; i < raw.length; i++) {
            byte shifted = (byte) ((raw[i] + 0x7F) % 0x100);
            int mask = (i % 2 == 0) ? 0x7B : 0xEA;
            out[i] = (byte) (shifted ^ mask);
        }
        return Base64.getEncoder().encodeToString(out);
    }

    /** Prints the first 32 characters of the double-encoded value wrapped in the flag format. */
    public static void main(String[] args) {
        String inner = encrypt("04999999", "gwC9nOCNUhsHqZm");
        String outer = encrypt2(inner);
        System.out.println("ISCC{" + outer.substring(0, 32) + "}");
    }
}

2024年ISCC竞赛MOBILE

更多资源,敬请关注ZeroPointZero安全团队

END
2024年ISCC竞赛MOBILE

注:ZeroPointZero安全团队有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的

原文始发于微信公众号(Zacarx随笔):2024年ISCC竞赛MOBILE
