GLASS

The challenges set by 360 were said to have put the veterans through the gaokao all over again.

The challenge is an APK file.

Open it in JEB and find the checkflag function; it is a native method.

I did not notice that native-lib is loaded above it; only after reading other people's writeups did I learn that the core function lives in the .so. Rename the apk to .zip and you get libnative-lib.so.

I also saw another way to locate the main function:

Rename the apk to .zip
Unzip it and decompile classes.dex with dex2jar

Next, open lib.so in IDA

and find the checkflag function.

Open sub_FFCC, sub_1088 and sub_10D4 in turn.

sub_1088 contains a loop over 256, which suggests the RC4 algorithm.

sub_FFC is the initialisation, sub_1088 is the RC4 encryption, and sub_10D4 is an XOR-based encryption function.

Straight to the script:

```python
key = '12345678'
key2 = [163, 26, 227, 105, 47, 187, 26, 132, 101, 194,
        173, 173, 158, 150, 5, 2, 31, 142, 54, 79,
        225, 235, 175, 240, 234, 196, 168, 45, 66, 199,
        110, 63, 176, 211, 204, 120, 249, 152, 63]
key3 = [146, 40, 208, 93, 26, 141, 45, 188, 84, 240, 158, 153, 171, 160, 50, 58, 46, 188, 5,
        123, 212, 221, 152, 200, 219, 246, 155, 25, 119, 241, 89, 7, 129, 225, 255, 76, 204, 174, 8]

# XOR key2 with the key five times (an odd number of passes, so this equals one pass)
for m in range(0, 5):
    for i in range(len(key2)):
        j = i % 8
        fla = key2[i] ^ ord(key[j])
        key2[i] = fla
print(key2)

# reverse the 3-byte XOR chain
for i in range(0, 39, 3):
    key3[i + 1] ^= key3[i]
    key3[i + 2] ^= key3[i + 1]
    key3[i] ^= key3[i + 2]

print(key3)

c = key3
# [248, 186, 106, 151, 71, 202, 232, 145, 197, 7, 110, 247, 146, 11, 57, 146, 20, 168, 175, 126, 170, 80, 69, 141, 109, 45, 182, 134, 110, 159, 134, 94, 223, 179, 30, 82, 166, 98, 106]

# RC4 with key '12345678': key scheduling, then keystream XOR
key = '12345678'
ch = ''
j = 0  # initialise
s = list(range(256))  # create the ordered list
for i in range(256):
    j = (j + s[i] + ord(key[i % len(key)])) % 256
    s[i], s[j] = s[j], s[i]
i = 0  # initialise
j = 0  # initialise
for r in c:
    i = (i + 1) % 256
    j = (j + s[i]) % 256
    s[i], s[j] = s[j], s[i]
    x = (s[i] + (s[j] % 256)) % 256
    ch += chr(r ^ s[x])
print(ch)
# CISCN{6654d84617f627c88846c172e0f4d46c}
```
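Added example, not the writeup's own script: a Python model of the checkflag pipeline as the writeup describes it, together with its inverse, so the recovery can be checked in both directions. It assumes the native code RC4-encrypts the input with "12345678" and then applies the 3-byte XOR chain whose inverse the script above performs; the function names `rc4`, `xor_chain_forward`, `xor_chain_inverse`, `check_flag` and `recover_flag` are chosen here, and the constants are the page's.

```python
KEY = b"12345678"

# The 39-byte constant the native code compares against (taken from the writeup)
TARGET = bytes([146, 40, 208, 93, 26, 141, 45, 188, 84, 240, 158, 153, 171, 160, 50, 58, 46, 188, 5,
                123, 212, 221, 152, 200, 219, 246, 155, 25, 119, 241, 89, 7, 129, 225, 255, 76, 204, 174, 8])


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_chain_inverse(buf: bytes) -> bytes:
    """Unmix each 3-byte group: the same three XORs the writeup's script applies."""
    b = bytearray(buf)
    for i in range(0, len(b) - 2, 3):
        b[i + 1] ^= b[i]
        b[i + 2] ^= b[i + 1]
        b[i] ^= b[i + 2]
    return bytes(b)


def xor_chain_forward(buf: bytes) -> bytes:
    """Forward mixing (assumed to be what the native XOR routine does): the same
    three XORs in reverse order, so it exactly undoes xor_chain_inverse."""
    b = bytearray(buf)
    for i in range(0, len(b) - 2, 3):
        b[i] ^= b[i + 2]
        b[i + 2] ^= b[i + 1]
        b[i + 1] ^= b[i]
    return bytes(b)


def check_flag(candidate: bytes) -> bool:
    """Model of checkflag: RC4-encrypt, mix, compare with the stored constant."""
    return xor_chain_forward(rc4(KEY, candidate)) == TARGET


def recover_flag() -> bytes:
    """Run the pipeline backwards: unmix first, then RC4 again with the same key."""
    return rc4(KEY, xor_chain_inverse(TARGET))
```

Because RC4 is its own inverse and the XOR chain is a fixed permutation of three XORs, the inverse direction needs nothing beyond the key and the stored constant.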
