正在加载一言...
0%

KGB Messenger 解题

最近发现一个有趣的题目KGB Messenger然后试着做下。

题目链接:
kgb_messenger

大佬的解题步骤:
安卓逆向学习 之 KGB Messenger的writeup(1)
安卓逆向学习 之 KGB Messenger的writeup(2)
安卓逆向学习之KGBMessenger的writeup(3)

工具:
jadx
frida

题目:
Challenges
你是国际秘密情报局的逆向工程师。今天早上,你的团队负责人指派你检查一个有问题的APP。据传有个特工斯特林·阿切尔曾与一些克格勃间谍接触并使用了这个APP。你的工作是对这个APP进行逆向,以核实谣言。
Alerts(Medium)
当我们app时,app总是给我们这些讨厌的警报。我们应该调查。
Login (Easy)
这是一个侦察挑战。密码中的所有字符都是小写的。
Social Engineering (Hard)
看来有人不善于保守秘密。他们可能容易受到社会工程的影响。我该说什么?

总共有3个地方需要解决
1.alert弹框
2.成功登录
3.社会工程?


解题:
Alerts(Medium)
1.安装app打开会弹出This app can only run on Russian devices. 无法正常进入app

使用jadx打开app进行反编译,搜索该字符串

分析代码逻辑直接hook System.getProperty(“user.home”)=Russia就可以进行绕过
frida代码

function main(){
    Java.perform(function(){
        Java.use("java.lang.System").getProperty.overload('java.lang.String').implementation = function(arg1){
            console.log(arg1)
            return "Russia";
        }
    })
}
setImmediate(main);
//frida -U -f com.tlamb96.spetsnazmessenger --no-pause -l kgb-messenger.js

绕过之后还有个弹框提示Must be on the user whitelist. 搜索关键字

...
public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView((int) R.layout.activity_main);
        String property = System.getProperty("user.home");
        String str = System.getenv("USER");
        if (property == null || property.isEmpty() || !property.equals("Russia")) {
            m4456a("Integrity Error", "This app can only run on Russian devices.");
        } else if (str == null || str.isEmpty() || !str.equals(getResources().getString(R.string.User))) {
            m4456a("Integrity Error", "Must be on the user whitelist.");
        } else {
            C0000a.m0a(this);
            startActivity(new Intent(this, LoginActivity.class));
        }
    }
...

分析代码同理可得System.getenv这个函数等于R.string.User就可以了,然后去找R.string.User的值

RkxBR3s1N0VSTDFOR180UkNIM1J9Cg==
frida代码

Java.use("java.lang.System").getenv.overload('java.lang.String').implementation = function(arg1){
            console.log(arg1)
            return "RkxBR3s1N0VSTDFOR180UkNIM1J9Cg==";
        }

绕过两个弹框就出现了登录界面
RkxBR3s1N0VSTDFOR180UkNIM1J9Cg==这个base64是第一个flag FLAG{57ERL1NG_4RCH3R}
使用cyberchef进行解密


Login (Easy)

随便输入登录会提示User not recognized.搜索字符串到登录的Activity

 public void onLogin(View view) {
        EditText editText = (EditText) findViewById(R.id.login_username);
        EditText editText2 = (EditText) findViewById(R.id.login_password);
        this.f2542n = editText.getText().toString();
        this.f2543o = editText2.getText().toString();
        if (this.f2542n != null && this.f2543o != null && !this.f2542n.isEmpty() && !this.f2543o.isEmpty()) {
            if (!this.f2542n.equals(getResources().getString(R.string.username))) {
                Toast.makeText(this, "User not recognized.", 0).show();
                editText.setText("");
                editText2.setText("");
            } else if (!m4455j()) {
                Toast.makeText(this, "Incorrect password.", 0).show();
                editText.setText("");
                editText2.setText("");
            } else {
                m4454i();
                startActivity(new Intent(this, MessengerActivity.class));
            }
        }
    }

分析代码逻辑克制username是R.string.username的值
在strings.xml找到codenameduchess
使用命令进行输入

adb shell input text codenameduchess     

密码在m4455j方法里

private boolean m4455j() {
        String str = "";
        for (byte b : this.f2541m.digest(this.f2543o.getBytes())) {
            str = str + String.format("%x", new Object[]{Byte.valueOf(b)});
        }
        return str.equals(getResources().getString(R.string.password));
    }
     this.f2541m = MessageDigest.getInstance("MD5");

分析代码可知密码是输入值进行md5后等于R.string.password
找到84e343a0486ff05530df6c705c8bb4
在进行反md5
在网上直接可以搜到值
guest

登录成功后会弹出第2个flag

Social Engineering (Hard)
会发现有个对话框
随便输入什么没有回复,猜测是要回复某些特定的内容才可以

找到MessengerActivity类onSendMessage方法有flag字段
分析代码

...
public void onSendMessage(View view) {
        EditText editText = (EditText) findViewById(R.id.edittext_chatbox);
        String obj = editText.getText().toString();
        if (!TextUtils.isEmpty(obj)) {
            this.f2547o.add(new C0829a(R.string.user, obj, m4460j(), false));
            this.f2546n.mo2625c();
            if (m4457a(obj.toString()).equals(this.f2548p)) {
                Log.d("MessengerActivity", "Successfully asked Boris for the password.");
                this.f2549q = obj.toString();
                this.f2547o.add(new C0829a(R.string.boris, "Only if you ask nicely", m4460j(), true));
                this.f2546n.mo2625c();
            }
            if (m4458b(obj.toString()).equals(this.f2550r)) {
                Log.d("MessengerActivity", "Successfully asked Boris nicely for the password.");
                this.f2551s = obj.toString();
                this.f2547o.add(new C0829a(R.string.boris, "Wow, no one has ever been so nice to me! Here you go friend: FLAG{" + m4459i() + "}", m4460j(), true));
                this.f2546n.mo2625c();
            }
            this.f2545m.mo2466b(this.f2545m.getAdapter().mo2610a() - 1);
            editText.setText("");
        }
    }
...
private String m4457a(String str) {
        char[] charArray = str.toCharArray();
        for (int i = 0; i < charArray.length / 2; i++) {
            char c = charArray[i];
            charArray[i] = (char) (charArray[(charArray.length - i) - 1] ^ '2');
            charArray[(charArray.length - i) - 1] = (char) (c ^ 'A');
        }
        return new String(charArray);
    }
....
private String f2548p = "V@]EAASB\u0012WZF\u0012e,a$7(&am2(3.\u0003";

分析代码可得输入的值经过m4457a方法后需要等于f2548p 然后需要反运算f2548p的值
分析m4457a代码charArray前一半异或了2 后一半从最后一位开始异或了A
直接复制java代码在在线平台运行代码在线平台
java代码

class Untitled {
    public static void main(String[] args) {
        System.out.println("hello https://tool.lu/");
        String str="V@]EAASB\u0012WZF\u0012e,a$7(&am2(3.\u0003";
         char[] charArray = str.toCharArray();
        for (int i = 0; i < charArray.length / 2; i++) {
            char c = charArray[i];
            charArray[i] = (char) (charArray[(charArray.length - i) - 1] ^ 'A');
            charArray[(charArray.length - i) - 1] = (char) (c ^ '2');
        }
        System.out.println( new String(charArray));
    }
}

输出Boris, give me the password

adb shell 
input text "Boris, give me the password"


然后分析获得flag的方法

···
 private String m4458b(String str) {
        char[] charArray = str.toCharArray();
        for (int i = 0; i < charArray.length; i++) {
            charArray[i] = (char) ((charArray[i] >> (i % 8)) ^ charArray[i]);
        }
        for (int i2 = 0; i2 < charArray.length / 2; i2++) {
            char c = charArray[i2];
            charArray[i2] = charArray[(charArray.length - i2) - 1];
            charArray[(charArray.length - i2) - 1] = c;
        }
        return new String(charArray);
    }
···
 private String f2550r = "\u0000dslp}oQ\u0000 dks$|M\u0000h +AYQg\u0000P*!M$gQ\u0000";
...

分析算法
输入的值先进行右移坐标除以8然后在自己异或 然后在进行位置倒序
进行爆破
python 获取字符

>>> import string
>>> string.printable
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'

java代码:


public class Test {
    public static void main(String [] args){
        String key = "\000dslp}oQ\000 dks$|M\000h +AYQg\000P*!M$gQ\000";
        search(key);

    }

    private static void search(String paramString) {
        char [] charArray = paramString.toCharArray();
        for (int i2 = 0; i2 < charArray.length / 2; i2++) {
            char c = charArray[i2];
            charArray[i2] = charArray[(charArray.length - i2) - 1];
            charArray[(charArray.length - i2) - 1] = c;
        }
        String test = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!\"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r";
        char [] arrayOftest = test.toCharArray();
        char [] arrayOfparam = charArray;
        for(int i = 0 ; i < arrayOfparam.length; i++)
        {
            for(int j = 0; j < arrayOftest.length ; j++ ){
                char c = arrayOftest[j];
                c = (char)(char)((c >> (i % 8) )^ c);
                if(c == arrayOfparam[i]){
                    System.out.print(arrayOftest[j]);
                    break;
                }
            }
        }
    }



}

执行结果 aay I PaEASE have the aassworda
输入后得到flag