android bugku做题过程记录

工具

IDA、jadx、frida

入门逆向

https://ctf.bugku.com/challenges/detail/id/99.html
过程:用IDA打开,找到main函数,用R转换

最后得到flag{Re_1s_S0_C0OL}

mobile1(gctf)

https://ctf.bugku.com/challenges/detail/id/137.html

安装apk

1
adb install gctf_mobile1.apk

打开TopCtf

随便在输入框中输入,返回错误!

用jadx打开apk分析代码
打开MainActivity,有个checkSN方法是验证方法

1
2
3
4
5
6
7
8
9
public void onClick(View v) {
               if (!MainActivity.this.checkSN(MainActivity.this.edit_userName.trim(), MainActivity.this.edit_sn.getText().toString().trim())) {
                   Toast.makeText(MainActivity.this, R.string.unsuccessed, 0).show();
                   return;
               }
               Toast.makeText(MainActivity.this, R.string.successed, 0).show();
               MainActivity.this.btn_register.setEnabled(false);
               MainActivity.this.setTitle(R.string.registered);
           }

点进去查看方法,大概分析sn需要22位,进行了md5加密for循环改变了下位置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
public boolean checkSN(String userName, String sn) {
       if (userName == null) {
           return false;
       }
       try {
           if (userName.length() == 0 || sn == null || sn.length() != 22) {
               return false;
           }
           MessageDigest digest = MessageDigest.getInstance("MD5");
           digest.reset();
           digest.update(userName.getBytes());
           String hexstr = toHexString(digest.digest(), "");
           StringBuilder sb = new StringBuilder();
           for (int i = 0; i < hexstr.length(); i += 2) {
               sb.append(hexstr.charAt(i));
           }
           if (("flag{" + sb.toString() + "}").equalsIgnoreCase(sn)) {
               return true;
           }
           return false;
       } catch (NoSuchAlgorithmException e) {
           e.printStackTrace();
           return false;
       }
   }

我用的方法先hook toHexString方法,得到结果在进行for循环隔位取
完整frida hook代码
gctf.js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
function hook_toHexString(){
    Java.perform(function(){
        var MainActivity=Java.use("com.example.crackme.MainActivity");
        MainActivity.toHexString.implementation=function(arg1,arg2){
            var result = this.toHexString(arg1, arg2);
            console.log(result);
            return result;  
        }
    })
}
function main(){
    hook_toHexString();
}
setImmediate(main)
//com.example.crackme
//frida -U -f com.example.crackme --no-pause -l gctf.js  
//b9c77224ff234f27ac6badf83b855c76
//bc72f242a6af3857
//flag{bc72f242a6af3857}

/****
 * public class HelloWorld {
    public static void main(String []args) {
		
       System.out.println("Hello World!");
		System.out.println("b9c77224ff234f27ac6badf83b855c76".toString());
		String hexstr ="b9c77224ff234f27ac6badf83b855c76";
		StringBuilder sb = new StringBuilder();
		for (int i = 0; i < hexstr.length(); i += 2) {
                sb.append(hexstr.charAt(i));
            }
		System.out.println(sb.toString());
    }
}

Hello World!
b9c77224ff234f27ac6badf83b855c76
bc72f242a6af3857

flag{bc72f242a6af3857}
 * 
 */

运行frida -U -f com.example.crackme –no-pause -l gctf.js
[Google Pixel XL::com.example.crackme]-> b9c77224ff234f27ac6badf83b855c76
在线java运行工具执行 隔位取操作
java

1
2
3
4
5
6
7
8
9
10
11
public class HelloWorld {
    public static void main(String []args) {
		String hexstr ="b9c77224ff234f27ac6badf83b855c76";
		StringBuilder sb = new StringBuilder();
		for (int i = 0; i < hexstr.length(); i += 2) {
                sb.append(hexstr.charAt(i));
            }
		System.out.println(sb.toString());
    }
}
//bc72f242a6af3857


得到结果bc72f242a6af3857,最后拼上flag{bc72f242a6af3857}

mobile2(gctf)

https://ctf.bugku.com/challenges/detail/id/138.html

解压后是以下文件

1
2
3
mobile2(gctf) » ls                                  
AndroidManifest.xml assets              res
META-INF            classes.dex         resources.arsc

经提示后,flag在AndroidManifest.xml里用010Editor打开查看

最后得到flag{8d6efd232c63b7d2}

First_Mobile(xman)

https://ctf.bugku.com/challenges/detail/id/139.html

安装

1
adb install 07bfacf2-82df-4eab-8b41-a34aa7486c5a.apk

运行随便输入点SUBMIT直接崩溃了 用jadx打开直接看反编译后的代码

1
adx-gui 07bfacf2-82df-4eab-8b41-a34aa7486c5a.apk

查看MainActivity有个check的方法

分析encode类下的check代码,编写一个python脚本进行爆破

python3在线运行工具

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#!/usr/bin/python
print("Hello, World!");
import time
coretu = [23,22,26,26,25,25,25,26,27,28,30,30,29,30,32,32]
print('XMAN{',end='')
for indexnum,i in enumerate(coretu):
    keynum =33
    while 1:
        nowb = (keynum+i)%61
        sss = chr(abs(((nowb*2)-indexnum)))
        #time.sleep(0.1)
        #print chr(keynum)
        if sss == chr(keynum%128):
            print(sss,end='')
            break
        else:
            keynum+=1
print('}',end='')

a = [23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 32, 32]
key = ''
for m in range(16):
    for i in range(128):
        k = i
        k = (k + a[m]) % 61
        k = k * 2 - m
        if k == i:
            print(f"[*]第{m+1}位是{k}")
            key = key + chr(k)
            break
print("XMAN{" + key + "}")
k == ((k + a[m]) % 61)*2-m

最后的结果XMAN{LOHILMNMLKHILKHI}

HelloSmali2

1
2
3
4
解压后有个XMan.java 
HelloSmali2 (1) » ls                           
XMan.java
f45775643c-46846-5990-b3793-32e8ecd15f0d.smali

解压后有个XMan.java 在在线java运行平台上运行就出来了

最后结果flag{eM_5m4Li_i4_Ea5y}

题目链接: https://pan.baidu.com/s/1VpS_aew4BdLrheqBL0X_cg 密码: 27e0