TOC

12. androidcmd

程序被平坦化了,尝试去掉混淆没成功,只能直接看了。 首先在sub_10BC中进行了md5值的验证,可以直接把f5后的代码写进.c文件,加上一个验证的main函数,用angr求解(后来发现其实字符串是直接用字符相等验证的)

......
int main()
{
    char s[40];
    scanf("%s", s);
    if(sub_848(s) == 0)
        printf("Right\n");
    else
        printf("Wrong\n");
}

求解脚本:

import angr, sys

def is_successful(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno()) # (1)
    if b'Right' in stdout_output: # (2)
        return True # (3)
    else:
        return False

def should_abort(state):
    stdout_output = state.posix.dumps(sys.stdout.fileno())   
    if b'Wrong' in  stdout_output:
        return True
    else:
        return False

def main():
    filename = "test"
    proj = angr.Project(filename)
    initial_state = proj.factory.entry_state()
    simgr = proj.factory.simgr(initial_state)
    simgr.explore(find=is_successful, avoid=should_abort)
    if simgr.found:
        solution = simgr.found[0]
        print(solution.posix.dumps(sys.stdin.fileno()))

if __name__ == "__main__":
    main()

求解出来md5的一部分是:“94bda84799d” 后面的验证部分跟求md5的一样,字符格式是82600087-****-4524-9eaa-69646e04bf68中间差了4字节需要用md5来爆破一下。注意求md5的字符串后面需要加上换行符…不然出不来结果

13. babyre

加密过程如下:

consts = xxx
j = 0
for i in range(0, 32, 8):
    a=consts^(flag[i] | (flag[i+2]<<8))
    buf[j]=(a&0xffff)^nums[j]
    j = j + 1
    b=consts^(flag[i+1] | (flag[i+3]<<8))
    buf[j]=(b&0xffff)^nums[j]
    j = j + 1
    c=consts^(flag[i+7] | (flag[i+4]<<8))
    buf[j]=(c&0xffff)^nums[j]
    j = j + 1
    d=consts^(flag[i+6] | flag[i+5] << 8)
    buf[j]=(d&0xffff)^nums[j]
    j = j + 1
    consts=consts ^ buf[j-1] ^ buf[j-2] ^ buf[j-3] ^ buf[j-4]

a=consts^(flag[32] | flag[35]<< 8)^0xFFFFBF9E
buf[j]=(a&0xffff)
j = j + 1
a = (flag[33] << 8 | flag[34]) ^ consts ^ 0xFA2C
buf[j]=(a&0xffff)

首先要求出加密用的常数,这个常数是根据main函数的部分异或算出来的,所以不能通过调试的方式得到,可以使用unicorn求得常数的值:

#coding=utf-8
from unicorn import *
from unicorn.x86_const import *

mu = Uc (UC_ARCH_X86, UC_MODE_64)

BASE = 0x400000
STACK_ADDR = 0x0
STACK_SIZE = 1024*1024
mu.mem_map(BASE, 1024*1024) # 初始化存储空间
mu.mem_map(STACK_ADDR, STACK_SIZE) # 初始化栈空间

mu.mem_write(BASE, read("./babyre")) # 加载程序
mu.reg_write(UC_X86_REG_RSP, STACK_ADDR + STACK_SIZE - 1)

def hook_code(mu, address, size, user_data):
    if address == 0x4054A9:
        c = mu.reg_read(UC_X86_REG_RBX)
        print(hex(c))

mu.hook_add(UC_HOOK_CODE, hook_code)

mu.emu_start(0x40546B, 0x4054B0)

这里得到的是v5,进行下面的操作后是const:

def HIDWORD(a):
    b = a & 0xffffffff00000000
    b = b >> 32
    return b
consts = (v5&0xffffffff) ^ ((v5&0xffffffff) >> 16) ^ HIDWORD(v5) ^ (v5 >> 48)

得到常数后直接解密就行:

nums = [7107, 2676, 52815, 3666, 54091, 28777, 35367, 10586, 25358, 65063, 6311, 24454, 42823, 33695, 16895, 7107, 49054, 64044]

enc = [55568, 49906, 1737, 38871, 50041, 14151, 40283, 30065, 9059, 61980, 19841, 3054, 26730, 6325, 56961, 34785, 23561, 8122]

def dec(consts):
    const_list = []
    for i in range(0,16,4):
        const_list.append(consts)
        consts=consts^enc[i]^enc[i+1]^enc[i+2]^enc[i+3]
    const_list.append(consts)
    j = 0
    for i in range(4):
        consts=const_list[i]
        for j in range(4*i, 4*i+4):
            enc[j]=enc[j]^nums[j]
            enc[j]=enc[j]^consts
            enc[j]=enc[j]&0xffff
    enc[16] = enc[16] ^ 0xFFFFBF9E
    enc[16] = enc[16] ^ const_list[-1]
    enc[16] = enc[16] & 0xffff
    enc[17] = enc[17] ^ 0xFA2C
    enc[17] = enc[17] ^ const_list[-1]
    enc[17] = enc[17] & 0xffff

if __name__ == "__main__":
    dec(0x64e2fbe3)
    s = "".join(hex(i)[2:].zfill(2) for i in enc)
    print(bytes.fromhex(s).decode('utf-8'))

解密以后需要根据加密调整一下字符的顺序