ez_apkk

解题过程:

  • 将apk拖入jadx,查看MainActivity,发现是简单RC4加密,密钥是“55667788”,最后再将加密结果+1

    public String Encrypt(String plainText, String key) {        int[] S = new int[256];        byte[] K = new byte[256];        char[] cArr = {'\n', '+', 181, '*', 225, ':', 244, 147, '\'', 182, 'J', 250, '-', 25, 135, 4, 188, '-', 230, '[', 'Q', '5', 'c', 22, 220, 25};        char[] cArr2 = new char[26];        Character[] keySchedul = new Character[plainText.length()];        KSA(S, K, key);        PRGA(S, keySchedul, plainText.length());    //前面是RC4算法初始化        for (int i = 0; i < plainText.length(); i++) {            cArr2[i] = (char) ((plainText.charAt(i) ^ keySchedul[i].charValue()) + 1);//这行代码是RC4加密当前字节后 +1        }        for (int i2 = 0; i2 < 26; i2++) {            if (cArr[i2] != cArr2[i2]) {                return "wrong!!!";            }        }        return "right";    }

解密脚本

#include void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len_k){int i = 0, j = 0;char k[256] = { 0 };unsigned char tmp = 0;for (i = 0; i < 256; i++) {s[i] = i;k[i] = key[i % Len_k];}for (i = 0; i < 256; i++) {j = (j + s[i] + k[i]) % 256;tmp = s[i];s[i] = s[j];s[j] = tmp;}}void rc4_crypt(unsigned char* Data, unsigned long Len_D, unsigned char* key, unsigned long Len_k) //加解密{unsigned char s[256];rc4_init(s, key, Len_k);int i = 0, j = 0, t = 0;unsigned long k = 0;unsigned char tmp;for (k = 0; k < Len_D; k++) {i = (i + 1) % 256;j = (j + s[i]) % 256;tmp = s[i];s[i] = s[j];s[j] = tmp;t = (s[i] + s[j]) % 256;Data[k] = Data[k] ^ s[t];}}void main(){unsigned char key[] = "55667788";unsigned long key_len = sizeof(key) - 1;unsigned char data[] = {'\n', '+', 181, '*', 225, ':', 244, 147, '\'', 182, 'J', 250, '-', 25, 135, 4, 188, '-', 230, '[', 'Q', '5', 'c', 22, 220, 25};for (int i = 0; i < sizeof(data); i++){data[i]-=1;}rc4_crypt(data, sizeof(data), key, key_len);for (int i = 0; i < sizeof(data); i++){printf("%c", data[i]);}printf("\n");return;}

运行得到flag:flag{a9k_1s_enjoy_ha6py!!}

ezdriver

解题过程:

  • IDA打开 R3-CTF.exe,发现程序调用了驱动文件 Driver_ctf.sys,用deviceIoControl函数来调用驱动程序里的功能。发送的控制代码为 0x222000

  • 逆向分析Driver_ctf.sys,发现加密代码在函数sub_1400010A0,其中里面调用的函数sub_140001590为对称加密算法,对加密数据byte_140003000再执行一次此对称加密算法即可得到原数据。

  • 但是还有一段加密算法对数据进行了加密,这里使用了求模运算,只能单字节逐个爆破

    for ( j = 1; j < 32; ++j )      v12[j - 1] ^= ((unsigned __int8)v12[j - 1] % 0x12u + v12[j] + 5) ^ 0x41;
  • 我这里是使用递归算法来遍历每个可能的路径

解密算法:

#include #include #include unsigned char enc[] ={  0xA2, 0x23, 0x62, 0x6B, 0xDD, 0x75, 0x72, 0xD1, 0x7A, 0x88,   0x34, 0xD0, 0x6C, 0x23, 0xCB, 0x39, 0xAC, 0xDA, 0x76, 0x6C,   0x2E, 0x9B, 0x95, 0xC5, 0x79, 0x89, 0x39, 0x3C, 0x83, 0xC3,   0xDA, 0x1D, 0};void sub_140001590(unsigned int *a1, int a2){  int j; // [rsp+4h] [rbp-44h]  int i; // [rsp+8h] [rbp-40h]  int v4; // [rsp+Ch] [rbp-3Ch] BYREF  int *v5; // [rsp+10h] [rbp-38h]  int v6; // [rsp+18h] [rbp-30h]  char v7[16]; // [rsp+20h] [rbp-28h]  v7[1] = a2 ^ 0x24;  v7[0] = a2 ^ 0x6A;  v7[8] = a2 ^ 0x1A;  v7[2] = a2 ^ 0x35;  v7[9] = a2 ^ 0x8D;  v7[3] = a2 ^ 0x23;  v7[11] = a2 ^ 0x9A;  v7[4] = a2 ^ 0xCA;  v7[5] = a2 ^ 0x4B;  v7[6] = a2 ^ 0x21;  v7[7] = a2 ^ 0x35;  v7[10] = a2 ^ 0x91;  v7[12] = a2 ^ 0x2C;  v7[13] = a2 ^ 0xC2;  v7[14] = a2 ^ 0x92;  v7[15] = a2 ^ 7;  for ( i = 0; i < 4; ++i )  {    v5 = &v4;    v4 = *a1 ^ a2;    for ( j = 0; j < 4; ++j )    {    v5 = (int *)((char *)v5 + 1);      *((char *)v5 - 1) ^= v7[15 - (((unsigned __int8)i + (unsigned __int8)j) & 0xF)] | ((unsigned __int8)j <= 0;i--){unsigned char backup = enc[index - 1];unsigned char t = enc[i] + 5;for(int j = 18;j < 144;j+=0x12){for(int k = 0;k < 0x12;k++){                //此处存在剪枝策略,若不符合限制条件则不会遍历该节点及其所有子节点if(((k + t) ^ 0x41 ^ (k + j)) == enc[i - 1]) {enc[i - 1] = k+j;solver(index-1);enc[i-1] = backup; //状态回溯}}}if(index == 0)printf("%s\n",enc); //输出符合条件的路径}}int main(){unsigned int *p = (unsigned int*)enc;int v6 = 0;do{sub_140001590(p, v6++); //对称算法解密p += 4;}while(v6 < 2);//递归算法遍历所有可能的路径solver(31);}

运行后发现有四个结果,很明显第二个是正确的结果

blag{zcswelsvyioostfzjskygmojew}flag{zcswelsvyioostfzjskygmojew}olag{zcswelsvyioostfzjskygmojew}墏g{zcswelsvyioostfzjskygmojew}崅g{zcswelsvyioostfzjskygmojew}