It's been a long time since I updated the blog, and a long time since I played a CTF, so here's a quick filler post ^^

Analysis

It is easy to see that the actual logic lives in the so layer (the native library).


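  • After analysis, the location below stands out; the most important piece is the v13 that gets XORed with the input
  • This v13 is also very likely a fixed value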


After the XOR, the result is compared against enc, and true is returned only if every byte matches.


Solution

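  • From the analysis above, the v13 XOR array is the key to the whole thing
  • I chose to recover v13 with instruction tracing, using this project to generate the trace log
  • The generated trace log contains the following section; 0xf3,0x39... is the v13 array (it is actually missing the first element, 0xbb)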
instruction	0x776a2c1430	0x776a2c13f8	4	ldr	w12, [x12, w14, uxtw #2]
statistics x12:0xf3,0x39,0xd4,0x9,0xb1,0xde,0xa7,0xf0,0x33,0xa,0xcf,0xa6,0x3d,0x8,0xa5,0x72,0x9e,0x9d,0x49,0xc9,0x68,0x7d,0xb5,0x59,0x1b,0xd5,0xb7,0x59,0xad,0xe3,0x6e

Decryption script:

#include <iostream>
#include <string>

using namespace std;

int main() {
    // Ciphertext that the so layer compares the XORed input against
    unsigned char enc[] =
    {
        0x8C, 0xC4, 0x00, 0xE6, 0x6A, 0x88, 0xB8, 0x90, 0xC2, 0x07,
        0x6B, 0xA9, 0xC3, 0x0A, 0x3E, 0xC0, 0x44, 0xA6, 0xFE, 0x7E,
        0xF0, 0x59, 0x4C, 0x83, 0x3D, 0x2B, 0xE2, 0xD3, 0x38, 0xCB,
        0x82, 0x5B
    };
    // v13 from the trace, with the missing first element 0xbb prepended
    unsigned char xorArr[] = { 0xbb, 0xf3, 0x39, 0xd4, 0x9, 0xb1, 0xde, 0xa7, 0xf0, 0x33, 0xa, 0xcf, 0xa6, 0x3d, 0x8, 0xa5, 0x72, 0x9e, 0x9d, 0x49, 0xc9, 0x68, 0x7d, 0xb5, 0x59, 0x1b, 0xd5, 0xb7, 0x59, 0xad, 0xe3, 0x6e };

    // XOR is its own inverse: input[i] = enc[i] ^ xorArr[i]
    string flag = "";
    for (int i = 0; i < 32; i++) {
        flag += (char)(enc[i] ^ xorArr[i]);
    }
    cout << flag << endl;

}
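
The script above has the key typed in by hand. As an added example (not code from the original post), the following parses the `statistics x12:` line of the trace directly, lines the 31 dumped bytes up with enc starting at index 1 because the trace lacks the first element, and then prepends the 0xbb given in the post. The function names are my own and purely illustrative.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;

// Trace line and enc table copied from the post above.
const std::string TRACE_LINE = "statistics x12:0xf3,0x39,0xd4,0x9,0xb1,0xde,0xa7,0xf0,0x33,0xa,0xcf,0xa6,0x3d,0x8,0xa5,0x72,0x9e,0x9d,0x49,0xc9,0x68,0x7d,0xb5,0x59,0x1b,0xd5,0xb7,0x59,0xad,0xe3,0x6e";
const Bytes ENC = {
    0x8C, 0xC4, 0x00, 0xE6, 0x6A, 0x88, 0xB8, 0x90, 0xC2, 0x07, 0x6B, 0xA9, 0xC3, 0x0A, 0x3E, 0xC0,
    0x44, 0xA6, 0xFE, 0x7E, 0xF0, 0x59, 0x4C, 0x83, 0x3D, 0x2B, 0xE2, 0xD3, 0x38, 0xCB, 0x82, 0x5B
};

// Extract the comma-separated hex bytes that follow "x12:" on a statistics line.
Bytes parseKeyBytes(const std::string& line) {
    Bytes key;
    size_t pos = line.find("x12:");
    if (pos == std::string::npos) return key;  // not a register dump line
    std::stringstream ss(line.substr(pos + 4));
    std::string tok;
    while (std::getline(ss, tok, ','))
        key.push_back(static_cast<uint8_t>(std::stoul(tok, nullptr, 16)));
    return key;
}

// XOR enc with key, where key[0] lines up with enc[offset].
// Positions with no key byte are shown as '?' instead of being guessed.
std::string decryptAligned(const Bytes& enc, const Bytes& key, size_t offset) {
    std::string out(enc.size(), '?');
    for (size_t i = 0; i < key.size() && i + offset < enc.size(); ++i)
        out[i + offset] = static_cast<char>(enc[i + offset] ^ key[i]);
    return out;
}

// Decrypt with only what the trace dumped (31 bytes, starting at index 1).
std::string partialFlag() { return decryptAligned(ENC, parseKeyBytes(TRACE_LINE), 1); }

// Prepend the first element stated in the post (0xbb) and decrypt everything.
std::string fullFlag() {
    Bytes key = parseKeyBytes(TRACE_LINE);
    key.insert(key.begin(), 0xbb);
    return decryptAligned(ENC, key, 0);
}

int main() {
    std::cout << partialFlag() << "\n" << fullFlag() << "\n";
}
```

With the wrong offset the output is not printable hex, which is a quick way to notice that a dumped array is shifted by one element.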
