NepCTF2024 WP

clev1L Lv3

OezAndroid

点击次数对应s盒混淆次数,直接爆破

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

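int main(void) {
    /* Key material recovered from the app; it drives the RC4-style key schedule. */
    const char key[] = "bangboo!Knows!!!";
    const size_t key_len = strlen(key); /* hoisted: was recomputed for every byte */
    int s[256], t[256];
    int i, temp, tempj;

    /* Identity permutation plus the key repeated over 256 slots: the two KSA inputs. */
    for (i = 0; i < 256; i++) {
        s[i] = i;
    }
    for (i = 0; i < 256; i++) {
        t[i] = key[i % key_len];
    }

    /* tempj intentionally persists across passes: the app runs one more
     * key-scheduling pass per click on the *same* S-box, so pass N continues
     * from the j value pass N-1 finished with. */
    tempj = 0;

    for (unsigned int clicks = 1; clicks < 0xffffffff; clicks++) {
        /* One more KSA pass over the accumulated S-box. */
        for (i = 0; i < 256; i++) {
            tempj = (tempj + s[i] + t[i]) % 256;
            temp = s[i];
            s[i] = s[tempj];
            s[tempj] = temp;
        }

        /* Generate 10 keystream bytes from a scratch copy so the PRGA swaps
         * do not disturb the S-box that the next pass builds on. */
        int trys[256];
        memcpy(trys, s, sizeof trys);
        int array[10];
        int j = 0;
        i = 0;
        for (int k = 0; k < 10; k++) {
            i = (i + 1) % 256;
            j = (j + trys[i]) % 256;
            temp = trys[i];
            trys[i] = trys[j];
            trys[j] = temp;
            int x = (trys[i] + trys[j]) % 256;
            array[k] = trys[x];
        }

        /* Known keystream bytes 2..9 taken from the target; bytes 0 and 1 are not checked. */
        if (array[2] == 126 && array[3] == 33 && array[4] == 181 && array[5] == 112 &&
            array[6] == 168 && array[7] == 113 && array[8] == 56 && array[9] == 109) {
            printf("%u\n", clicks); /* the click count (10714 in the write-up) */
            return 0;
        }
    }

    /* Exhausted the 32-bit range without a hit: report it instead of ending silently. */
    fprintf(stderr, "no click count matched\n");
    return 1;
}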

爆出来count为10714

这里有个这玩意,会导致点击就闪退,拿出mt管理器给他删了就行

然后frida hook encrypt,将传入的参数改成10714,点击确认就能拿到flag

// Replace MainActivity.encrypt so that every call runs with the brute-forced
// click count (10714) instead of whatever the UI passed in.  The original
// argument is logged, and the real implementation still does the work.
function hook() {
    Java.perform(() => {
        const MainActivity = Java.use("com.example.clickmemore.MainActivity");
        // Must stay a `function`: `this` is the Java instance being hooked.
        MainActivity.encrypt.implementation = function (i, str) {
            console.log(`MainActivity.encrypt is called: i=${i}, str=${str}`);
            const result = this.encrypt(10714, str);
            console.log(`MainActivity.encrypt result=${result}`);
            return result;
        };
    });
}



// Schedule the hook on the next event-loop turn rather than at script load.
setImmediate(() => hook());

ezAndroid

主要逻辑在so层,去个花

复现出算法

from ctypes import *
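# 32-bit input block, as the bit string the app builds it from.
test = "01100101011101100110111101101100"
MASK32 = 0xffffffff
# Round constants pulled from the .so; only their low 5 bits end up as shift counts.
RDS = [0x72478f2c, 0x10cd1d5c, 0x58c3772b, 0x59dad8ac, 0x3d39678e, 0x3d92e10e]
# Value the native check compares the final v8 against (solved for with z3 below).
TARGET = 0xE4BE1307
# The decompiled loop counter starts at 0xfffffffa and the loop exits when it
# reaches 0xffffffff, i.e. after six rounds -- one per entry of RDS.
N_ROUNDS = 0xffffffff - 0xfffffffa + 1


def bits_to_word(bits):
    """Return the unsigned 32-bit value spelled by *bits* (MSB first).

    Mirrors the decompiled loop: walk from the last character backwards and
    add 2**(len(bits) + ~pos) for every '1'.  The sum is masked to 32 bits,
    which is what the c_uint32 accumulator did; an empty string yields 0
    instead of indexing past the end.
    """
    word = 0
    for pos in range(len(bits) - 1, -1, -1):
        if bits[pos] == "1":
            word = (word + 2 ** (len(bits) + ~pos)) & MASK32
    return word


def shift_amount(rd):
    """Return the shift count derived from one round constant *rd*.

    Transcribed as-is: when bit 31 is set, 0x1f is added before the & 0xe0
    mask; the result is the low byte of rd minus that masked value.  For
    constants with bit 31 clear (all of RDS) this is simply rd & 0x1f.
    """
    adjusted = rd + 0x1f if rd >> 31 else rd
    return (rd - (adjusted & 0xe0)) & 0xff


def unroll(seed, rds=RDS):
    """Replay the shift/xor rounds from *seed* and record one Python line per step.

    Even rounds transform v8 into v10, odd rounds v10 back into v8; an odd
    shift count means a masked left shift, an even one a right shift.  The
    original script called exit() after the sixth round; here that is the
    loop bound N_ROUNDS.

    Returns ``(lines, v8)``: the straight-line program (the input of the z3
    script) and the numeric result of running it on *seed*.
    """
    lines = []
    v8, v10 = seed, 0
    for v9, rd in enumerate(rds[:N_ROUNDS]):
        v15 = shift_amount(rd)
        if v9 & 1:
            if v15 & 1:
                v17 = (v10 << v15) & MASK32
                lines.append("v17=(v10<<{})&0xffffffff".format(v15))
            else:
                v17 = v10 >> v15
                lines.append("v17=v10>>{}".format(v15))
            v8 = v17 ^ v10
            lines.append("v8=v17^v10")
        else:
            if v15 & 1:
                v16 = (v8 << v15) & MASK32
                lines.append("v16=(v8<<{})&0xffffffff".format(v15))
            else:
                v16 = v8 >> v15
                lines.append("v16=v8>>{}".format(v15))
            v10 = v16 ^ v8
            lines.append("v10=v16^v8")
    return lines, v8


if __name__ == "__main__":
    seed = bits_to_word(test)
    print(hex(seed))
    for line in unroll(seed)[0]:
        print(line)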
v16=v8>>12
v10=v16^v8
v17=v10>>28
v8=v17^v10
v16=(v8<<11)&0xffffffff
v10=v16^v8
v17=v10>>12
v8=v17^v10
v16=v8>>14
v10=v16^v8
v17=v10>>14
v8=v17^v10

然后z3求解就行

from z3 import *
# The six shift/xor rounds from the unrolled trace, one expression per round
# (the v16/v17 temporaries are folded in).  `>>` on a z3 BitVec is an
# arithmetic shift; the 33-bit width is presumably there so the sign bit
# stays clear and the shifts act logically on 32-bit values -- confirm
# before reusing this with other targets.
v8 = BitVec("v8", 33)
v10 = (v8 >> 12) ^ v8
v8 = (v10 >> 28) ^ v10
v10 = ((v8 << 11) & 0xffffffff) ^ v8
v8 = (v10 >> 12) ^ v10
v10 = (v8 >> 14) ^ v8
v8 = (v10 >> 14) ^ v10
solve(v8 == 0xE4BE1307)
# The model z3 returns, printed back as the 32-bit bit string the app expects.
print(bin(1702260588)[2:].rjust(32, "0"))
#01100101011101100110111101101100

easyobf

不会去混淆,只能硬撕汇编

跟到这开始加密了

开始抄汇编

# Transcription of the obfuscated loop body, one register per line.  j is the
# candidate plaintext character and i its index; both are bound by the
# brute-force loop in the full script below.  Every `^= 0xFFFFFFFF` is a
# 32-bit NOT, and each constant pair below is a complement of the other
# (0x885998F3 == 0x77A6670C ^ 0xFFFFFFFF, and likewise for the next two
# pairs), so each AND/NOT ladder is a De Morgan rewrite of a single XOR.
test=ord(j)
test+=4
# Ladder 1: ~(~(t & A) & ~(~t & ~A)) ... reduces to  edx = test ^ 0x885998F3
eax=test
edx=test
edx^=0xFFFFFFFF
eax&=0x77A6670C
edx&=0x885998F3
eax^=0xFFFFFFFF
edx^=0xFFFFFFFF
edx&=eax
edx^=0xFFFFFFFF

# Ladder 2: same shape on the position byte, reduces to  eax = (0x35+i) ^ 0x877665BE
eax=0x35+i
esi=0x35+i
eax^=0x0FFFFFFFF
esi&=0x78899A41
eax&=0x877665BE
esi^=0x0FFFFFFFF
eax^=0x0FFFFFFFF
eax&=esi
eax^=0x0FFFFFFFF


# Ladder 3: NAND form of XOR, reduces to  eax = eax ^ edx
esi=edx
esi^=0x0FFFFFFFF
edi=eax
edi^=0x0FFFFFFFF
edx&=edi
eax&=esi
edx^=0x0FFFFFFFF
eax^=0x0FFFFFFFF
eax&=edx
eax^=0x0FFFFFFFF
# Ladder 4: reduces to  eax = eax ^ 0x0F2FFD4D.  Since
# 0x885998F3 ^ 0x877665BE ^ 0x0F2FFD4D == 0, the whole sequence is
# eax = (ord(j) + 4) ^ (0x35 + i).
edx=eax
edx^=0x0FFFFFFFF
edx&=0x0F2FFD4D
eax&=0x0F0D002B2
edx^=0x0FFFFFFFF
eax^=0x0FFFFFFFF
eax&=edx
eax^=0xffffffff

在这拿到密文

发现爆破出来答案不对,猜了一下发现差了个^i,应该是有反调试我没跟到吧,汗流浃背了

from string import printable
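# Raw dump of the comparison buffer: 32-bit words holding sign-extended bytes.
# It is longer than the flag; the entries after the closing brace are
# presumably whatever followed the buffer in memory.
enc = [
    0xffffff98, 0xffffffa1, 0xffffffbe, 0xffffff83, 0xffffff9a, 0xffffff8a,
    0xffffffbd, 0xffffffb7, 0xffffffba, 0xffffffb8, 0xffffffb0, 0xffffffc5,
    0xffffffd1, 0xffffffdd, 0xffffffc5, 0xffffffd7, 0xffffffcf, 0xffffffcb,
    0xffffffc1, 0xffffffd7, 0xffffffd1, 0xffffffc8, 0xffffffc1, 0xffffffdf,
    0xffffffcf, 0xffffffd5, 0xffffffc9, 0xffffffcc, 0xffffffc1, 0xffffffd3,
    0xffffffda, 0xffffffc7, 0xffffffe9, 0xfffffffb, 0xffffffec, 0xffffffee,
    0xfffffffb, 0xfffffff7, 0xffffffe5, 0xffffffe1, 0xfffffff2, 0xffffffe5,
    0xfffffff9, 0xffffffc6, 0xffffff33, 0xffffff00, 0xffffff00, 0xffffff00,
    0xffffff0b, 0xffffff76, 0xffffff25, 0xffffff1c, 0xffffff87, 0xffffff59,
    0xffffff0f, 0xffffff77, 0xffffff6e, 0xffffff43, 0xffffffeb, 0xffffff45,
    0xffffffce, 0xffffff72, 0xffffff48, 0xffffffe2,
]
MASK32 = 0xffffffff


def unmask(raw):
    """Strip the two layers on top of the dump.

    Each word is first inverted (the dump is 0xffffffxx, i.e. the stored
    byte NOT-ed / sign-extended) and then xored with its index -- the ``^i``
    that was missing on the first brute-force attempt.
    """
    return [(word ^ MASK32) ^ idx for idx, word in enumerate(raw)]


def mba_encrypt(test, i):
    """Return the 32-bit value the obfuscated loop body computes for one byte.

    *test* is ord(candidate) + 4 and *i* the byte index.  The body is kept as
    the register-by-register transcription; every ``^= 0xFFFFFFFF`` is a
    32-bit NOT and each pair of constants below is the complement of the
    other (0x885998F3 == 0x77A6670C ^ 0xFFFFFFFF, 0x877665BE ==
    0x78899A41 ^ 0xFFFFFFFF, 0xF0D002B2 == 0x0F2FFD4D ^ 0xFFFFFFFF), so each
    AND/NOT ladder is a De Morgan rewrite of one XOR.  Folding the ladders
    together gives ``(ord(ch) + 4) ^ (0x35 + i)``: the three XOR constants
    cancel.
    """
    # Ladder 1 -> edx = test ^ 0x885998F3
    eax = test
    edx = test
    edx ^= 0xFFFFFFFF
    eax &= 0x77A6670C
    edx &= 0x885998F3
    eax ^= 0xFFFFFFFF
    edx ^= 0xFFFFFFFF
    edx &= eax
    edx ^= 0xFFFFFFFF

    # Ladder 2 -> eax = (0x35 + i) ^ 0x877665BE
    eax = 0x35 + i
    esi = 0x35 + i
    eax ^= 0x0FFFFFFFF
    esi &= 0x78899A41
    eax &= 0x877665BE
    esi ^= 0x0FFFFFFFF
    eax ^= 0x0FFFFFFFF
    eax &= esi
    eax ^= 0x0FFFFFFFF

    # Ladder 3 (NAND form of XOR) -> eax = eax ^ edx
    esi = edx
    esi ^= 0x0FFFFFFFF
    edi = eax
    edi ^= 0x0FFFFFFFF
    edx &= edi
    eax &= esi
    edx ^= 0x0FFFFFFFF
    eax ^= 0x0FFFFFFFF
    eax &= edx
    eax ^= 0x0FFFFFFFF

    # Ladder 4 -> eax = eax ^ 0x0F2FFD4D
    edx = eax
    edx ^= 0x0FFFFFFFF
    edx &= 0x0F2FFD4D
    eax &= 0x0F0D002B2
    edx ^= 0x0FFFFFFFF
    eax ^= 0x0FFFFFFFF
    eax &= edx
    eax ^= 0xffffffff
    return eax


def recover(raw, alphabet=printable):
    """Brute-force every position of *raw* against *alphabet*.

    Positions where no character of *alphabet* matches contribute nothing,
    so trailing non-flag words in the dump are dropped rather than printed
    as garbage.  Returns the recovered characters joined into one string.
    """
    wanted = unmask(raw)
    found = []
    for i, target in enumerate(wanted):
        for ch in alphabet:
            if mba_encrypt(ord(ch) + 4, i) == target:
                found.append(ch)
    return "".join(found)


if __name__ == "__main__":
    print(recover(enc), end="")
#NepCTF{ollvm_is_a_good_way_to_do_obfuscation}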

Super Neuro : Escape from Flame!

玩一玩,发现能贴墙飞(贴着墙,一直按方向键,然后连点空格),但是经常有障碍物给我卡着

Il2CppDumper后看看函数,这个应该就是生成那些平台的

直接ida给他ret了,然后平台就没了,然后就可以贴墙起飞了

  • Title: NepCTF2024 WP
  • Author: clev1L
  • Created at : 2024-08-26 10:12:45
  • Updated at : 2025-02-23 12:29:57
  • Link: https://github.com/clev1l/2024/08/26/NepCTF2024-WP/
  • License: This work is licensed under CC BY-NC-SA 4.0.