DosSnake
没看
Strangeprograme
0x413D50处发现关键函数,分别解密DASCTF段和hook memcmp函数
在0x414b90处寻找DASCTF段地址并解密
解密完DASCTF段后跟进sub_411064(),修复函数
发现进行IAT Hook memcmp函数
疑似存在SEH反调试操作,检测到调试则不进行iathook,无法发现真实函数
直接运行exe,在输入前用本地附加调试即可绕过
跟进memcmp,发现真实函数
getflag脚本,首8字节作为异或key,后续每8字节一组异或,注意tea的轮次为16轮
#include<stdio.h>
void TeaDec(unsigned int* data, unsigned int* key)
{
int result; // eax
unsigned int i; // [esp+DCh] [ebp-2Ch]
unsigned int v4; // [esp+E8h] [ebp-20h]
unsigned int v5; // [esp+F4h] [ebp-14h]
unsigned int v6; // [esp+100h] [ebp-8h]
v6 = *data;
v5 = data[1];
v4 = 0;
for (int i = 0; i < 16; i++) {
v4 -= 0x61c88647;
}
for (i = 0; i < 16; ++i)
{
v4 += 0x61C88647;
v5 -= (key[3] + (v6 >> 5)) ^ (v4 + v6) ^ (key[2] + 16 * v6);
v6 -= (key[1] + (v5 >> 5)) ^ (v4 + v5) ^ (*key + 16 * v5);
}
*data = v6;
data[1] = v5;
}
int main()
{
unsigned char encflag[41] =
{
0xF9, 0x4D, 0x2B, 0xBC, 0x13, 0xDD, 0x13, 0x62, 0xC9, 0xFC,
0xFF, 0x89, 0x7D, 0x4F, 0xC9, 0x0F, 0x63, 0x1D, 0x6D, 0x52,
0x50, 0xFD, 0x41, 0xE3, 0x33, 0x76, 0x28, 0x97, 0x38, 0x36,
0xF9, 0x6B, 0x90, 0x39, 0x14, 0x83, 0x2C, 0xE2, 0x2C, 0x1F,0
};
unsigned char TeaKey[16] =
{
0x78, 0x56, 0x34, 0x12, 0x12, 0x11, 0x10, 0x09, 0x16, 0x15,
0x14, 0x13, 0x18, 0x17, 0x16, 0x15
};
unsigned int* phead = (unsigned int*)encflag;
for (int i = 8; i >=2; i-=2) {
*(unsigned int*)&encflag[4 * i + 4] ^= phead[1];
*(unsigned int*)&encflag[4 * i] ^= phead[0];
TeaDec(phead, TeaKey);
}
TeaDec(phead, TeaKey);
printf("%s", encflag);
return 0;
}
BabyAndroid
NoteActivity发现关键函数,逻辑如下:
- 解密并加载dex,获取encrypt方法
- 调用Native函数sendInit处理后使用encrypt加密数据
- 发送request
loadData方法,rc4解密dex,key=“DASCTF”
解密脚本,得到dex
import sys
from Crypto.Cipher import ARC4
def encrypt_file(input_file, output_file, key):
with open(input_file, 'rb') as file:
data = file.read()
cipher = ARC4.new(key)
encrypted_data = cipher.encrypt(data)
with open(output_file, 'wb') as file:
file.write(encrypted_data)
print("Encryption completed. Encrypted file saved as", output_file)
input_file = 'Sex.jpg'
output_file = 'decrypted_Sex.dex'
key = b'DASCTF'
encrypt_file(input_file, output_file, key)
分析dex真实encrypt方法的加密逻辑
解密脚本,解出request的data
import java.io.FileOutputStream;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
class DecryptoToFile {
private static final String KEY = "DSACTF";
private static final String TAG = "Encrypto";
private static byte[] customHash(String input) {
byte[] keyBytes = new byte[16];
int[] temp = new int[16];
for (int i = 0; i < input.length(); i++) {
int charVal = input.charAt(i);
for (int j = 0; j < 16; j++) {
temp[j] = ((temp[j] * 31) + charVal) % 251;
}
}
for (int i2 = 0; i2 < 16; i2++) {
keyBytes[i2] = (byte) (temp[i2] % 256);
}
return keyBytes;
}
public static void decryptToFile(String encryptedData, String outputFile) throws Exception {
byte[] encryptedBytes = Base64.getDecoder().decode(encryptedData);
byte[] keyBytes = customHash(KEY);
SecretKeySpec secretKeySpec = new SecretKeySpec(keyBytes, "AES");
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, secretKeySpec);
byte[] decryptedBytes = cipher.doFinal(encryptedBytes);
try (FileOutputStream fos = new FileOutputStream(outputFile)) {
fos.write(decryptedBytes);
}
System.out.println("Decryption completed. Decrypted file saved as " + outputFile);
}
}
public class Main {
public static void main(String[] args) throws Exception {
DecryptoToFile.decryptToFile("TwMkYUkg4bYsY0hL99ggYWnVjWyXQrWAdNmToB0eBXbS6wBzL6ktorjNWI9VOroTU4HgIUYyzGLpcHzd1zNGT+bFZZI7IoxJwpcgXfdwW1LSmiNSP+PuSUsqAzNclF1nJ07b4tYyLWg0zTypbzWsLhOIM+6uci3RFZLREUCALafi01M8mS+KMNxX1Pyn8mSP+KKKjQ5S5fasHRSn+L9qBFws0mWavpfI0QEiMgarxv0iGhYU8cfgonWyL70RvoXET5VUDP1vfYWIBLzzzaAqLC0OiMtUK3TTATSU7yijdgXm18OKMcGIke/NZIM6Sr5fL3t6psDOOkw2C/5uYrJVPn+D6U9KTL64bgREppDqMOvhvbhtuf/S3ASW/+rhtPMtoaD8FxDg0wWSLZA53fQfNA==","Decrypt.txt");
}
}
得到一组浮点数(共29个)
458.853181,-18.325492,-18.251911,-2.097520,-21.198660,-22.304648,21.103162,-5.786284,-15.248906,15.329286,16.919499,-19.669045,30.928253,-37.588034,-16.593954,-5.505211,3.014744,6.553616,31.131491,16.472500,6.802400,-78.278577,15.280099,3.893073,56.493581,-34.576344,30.146729,4.445671,6.732204
分析libnote.so,搜索sendInit方法,将字符串存储到vector并进行一维DCT-II变换
其中encrypt方法调用了**_Z7encryptRKNSt6__ndk16vectorIiNS_9allocatorIiEEEE()**,恢复函数名得到
encrypt(std::ndk1::vector<int, std::ndk1::allocator<int>> const&)
根据参数恢复符号,跟进发现是DCT-II变换
逆变换DCT-III求解
import cv2
import numpy as np
# 定义一个输入的频谱(DCT-II变换的结果)
spectrum = np.array([458.853181,-18.325492,-18.251911,-2.097520,-21.198660,-22.304648,21.103162,-5.786284,-15.248906,15.329286,16.919499,-19.669045,30.928253,-37.588034,-16.593954,-5.505211,3.014744,6.553616,31.131491,16.472500,6.802400,-78.278577,15.280099,3.893073,56.493581,-34.576344,30.146729,4.445671,6.732204], dtype=np.float32)
# 对频谱进行逆变换
signal = cv2.idct(spectrum).tolist()
for num in signal:
print(chr(round(num[0])),end='')# round对浮点数四舍五入,第二个参数可指定保留小数位数,默认不保留小数