2018-04-26
DDCTF Re1 (baby_mips): following the writeups (WP) by Night Shadow and Henryzhao.
1. Running the MIPS program with QEMU:
baby_mips is a program for the MIPS instruction set. IDA can only analyze it statically and cannot debug it directly. The approach is to install the QEMU emulator on a Linux machine and run the MIPS binary under QEMU's user-mode emulation. After trying, baby_mips turned out to be a little-endian binary, so it runs under the qemu-mipsel user-mode emulator. The effect: the program reads 16 values and then crashes with an illegal-instruction error.
To debug it from IDA, run the program with QEMU listening on port 23946 (IDA's default remote-debugging port). The principle: qemu-<arch> -g <port> starts a gdbserver stub inside QEMU, and IDA or GDB connects to that port from the other side as a remote debugger.
2. Identifying and removing junk ("flower") instructions:
About the illegal instruction encountered above: looking at the IDA disassembly, most of the places that trigger the illegal-instruction error begin with the bytes EB 02, and there are many unresolved code fragments shown as data, which points to junk ("flower") instructions inserted to break the disassembler. Write an IDC script that overwrites every 4-byte word starting with EB 02 with zeros (0x00000000 is the MIPS nop encoding) and re-marks it as code. The following script is from Night Shadow (it uses the pre-IDA-7 IDC function names; the original compared an uppercase pattern against lowercase output of form("%02x"), which is fixed here by formatting in uppercase):
    #include <idc.idc>

    // Match the bytes at startaddr against a hex pattern such as "EB02????".
    // Each pair of pattern characters is one byte; '?' matches any nibble.
    static matchbytes(startaddr, match)
    {
        auto len, i, patsub, srcsub;
        len = strlen(match);
        i = 0;

        while (i < len)
        {
            patsub = substr(match, i, i + 1);
            srcsub = form("%02X", Byte(startaddr));   // uppercase, same case as the pattern
            srcsub = substr(srcsub, i % 2, (i % 2) + 1);

            if (patsub != "?" && patsub != srcsub)
            {
                return 0;
            }

            if (i % 2 == 1)
            {
                startaddr++;                          // move to the next byte after both nibbles
            }
            i++;
        }
        return 1;
    }

    static main()
    {
        auto startva, savedstartva, stopva, size, i, j;

        startva = 0x400420;                           // start of the code range to clean
        stopva  = 0x403233;                           // end of the code range

        size = stopva - startva;
        savedstartva = startva;

        // Walk the range one 4-byte MIPS word at a time.
        for (i = 0; i < size / 4; i++)
        {
            if (matchbytes(startva, "EB02????"))
            {
                Message("find %x: %02x%02x%02x%02x\n", startva, Byte(startva), Byte(startva + 1), Byte(startva + 2), Byte(startva + 3));
                for (j = 0; j < 4; j++)
                {
                    PatchByte(startva + j, 0x00);     // 0x00000000 is the MIPS nop
                }
                MakeCode(startva);                    // turn the patched word back into code
            }
            startva = startva + 4;
        }

        AnalyzeArea(savedstartva, stopva);
        Message("clear eb02 opcode ok\n");
    }
If you are not familiar with writing IDC, a reference link: IDA's debug script IDC.
It lists the commonly used functions and is easy to search.
After removing the junk instructions, the AnalyzeArea call in the IDC script does not seem to take effect, or at least the whole function body is not recognized. After creating a function for it by hand through Edit > Functions, the rough logic can be followed in the function graph, but the F5 decompile trick still does not work.
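The same wildcard-pattern scan as a stand-alone Python script, added here as an example (it is not Night Shadow's IDC script and not part of the writeup). It works on a raw byte buffer, for instance the .text section read out of the ELF file, instead of going through IDA's Byte()/PatchByte(), so the cleaning can be done and checked outside IDA; when you apply it to a real file you pass file offsets rather than the virtual addresses the IDC script uses. It generalizes the script slightly: any hex pattern with nibble wildcards is supported, and the scan can be restricted to a range. The sample bytes are constructed for illustration and are not the real baby_mips code.

```python
"""Stand-alone re-implementation of the EB 02 junk-word cleaner (added example)."""
from typing import List, Optional, Tuple

# A compiled pattern is one (value, mask) pair per byte:
#   "??" -> (0x00, 0x00) matches anything, "E?" -> (0xE0, 0xF0) matches the high nibble,
#   "EB" -> (0xEB, 0xFF) matches the whole byte.
Compiled = List[Tuple[int, int]]


def compile_pattern(pattern: str) -> Compiled:
    """Turn an IDA-style hex pattern such as "EB02????" into (value, mask) pairs."""
    nibbles = pattern.replace(" ", "").upper()
    if len(nibbles) % 2:
        raise ValueError("hex pattern needs an even number of nibbles")
    compiled: Compiled = []
    for i in range(0, len(nibbles), 2):
        value = mask = 0
        for shift, ch in ((4, nibbles[i]), (0, nibbles[i + 1])):
            if ch != "?":
                value |= int(ch, 16) << shift
                mask |= 0xF << shift
        compiled.append((value, mask))
    return compiled


def find_matches(data: bytes, compiled: Compiled, start: int = 0,
                 stop: Optional[int] = None, step: int = 4) -> List[int]:
    """Return every offset in [start, stop) where the pattern matches.
    step=4 mirrors the IDC loop, which only looks at word-aligned positions."""
    if stop is None:
        stop = len(data)
    n = len(compiled)
    hits = []
    for off in range(start, min(stop, len(data)) - n + 1, step):
        if all((data[off + k] & mask) == value for k, (value, mask) in enumerate(compiled)):
            hits.append(off)
    return hits


def nop_out(data: bytes, pattern: str, start: int = 0, stop: Optional[int] = None,
            step: int = 4) -> Tuple[bytes, List[int]]:
    """Overwrite every matching word with zero bytes (the MIPS nop encoding)
    and return (patched buffer, list of patched offsets)."""
    compiled = compile_pattern(pattern)
    buf = bytearray(data)
    hits = find_matches(buf, compiled, start, stop, step)
    for off in hits:
        buf[off:off + len(compiled)] = bytes(len(compiled))
    return bytes(buf), hits


# Constructed sample: a few little-endian MIPS words with two junk words mixed in
# (illustrative bytes, not the real baby_mips .text).
SAMPLE_TEXT = (
    b"\xE0\xFF\xBD\x27"  # addiu $sp,$sp,-32  (0x27BDFFE0, little-endian)
    b"\xEB\x02\x00\x10"  # junk word starting with EB 02
    b"\x08\x00\xE0\x03"  # jr $ra             (0x03E00008)
    b"\xEB\x02\x41\x42"  # junk word starting with EB 02
    b"\x00\x00\x00\x00"  # nop
)

if __name__ == "__main__":
    cleaned, offsets = nop_out(SAMPLE_TEXT, "EB02????")
    for off in offsets:
        print("find %x: %s" % (off, SAMPLE_TEXT[off:off + 4].hex()))
    print("cleaned:", cleaned.hex())
```

Because the scan is word-aligned, an EB 02 that happens to fall inside a legitimate instruction at an unaligned offset is not touched; drop step to 1 only if the junk words are known to be unaligned, and diff the patched section against the original before writing it back.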
3. JEB2 MIPS (decompiling MIPS):
Well, the code cleaned with Night Shadow's script still could not be decompiled, so I read Henryzhao's Re writeup (so bad at this I cried /(ㄒoㄒ)/~~) and learned that JEB2 has a new MIPS decompiler. Downloaded the JEB2 trial version with MIPS support and tried decompiling the MIPS binary. Result:
It can be seen that the check is a system of linear equations, so type the coefficients in by hand and solve the system in Python.
    import numpy as np
    from scipy.linalg import solve

    # 16x16 coefficient matrix recovered from the decompiled check
    A = [
        [-56251, 64497, -61787, 29993, -16853, 2147, -51990, -36278, -34108, -1148, 1798, -43452, -16150, -56087, -17677, -41752],
        [-39354, 63754, 50513, 2396, -37448, 43585, 19468, -4688, -62869, -20663, 41173, 61113, 30862, 38224, -601, 53899],
        [26798, -58888, 14929, -21751, -12385, 55961, -20714, 24897, 40045, 9805, 25147, 39173, -21952, -42840, 37937, -8559],
        [-2789, 53359, 16747, 54195, -30020, 39916, -32582, 60338, 13971, 27307, -30484, 47826, 37554, 64914, -1745, 27669],
        [40374, 6523, 13380, -53413, -1194, 7796, -31815, -51866, -40252, -56883, 57811, 23278, -5785, 61525, -6984, -7335],
        [-57052, -64573, -62351, 2628, 21493, 12939, -60006, 435, 15009, -4091, 22743, 4901, 48803, -43203, 5263, -32994],
        [54760, 41053, 22537, -56473, 46316, 19787, -40180, 2088, 2044, 26575, -5207, 31098, -23838, 21642, 46750, 13706],
        [-40176, -43382, 48718, -25423, 21452, -36714, -24119, -13231, -52192, 49742, 54709, -32636, 20233, 21460, 48733, 15155],
        [38446, -880, -2443, 50487, -46973, -56178, -37138, -9079, -19096, -60988, -1823, -21538, 43896, -4141, -19370, -47796],
        [5176, 18400, -53852, 36119, -32120, 47724, 17154, 5390, -29717, 14471, 8755, 1432, -45518, -8148, -56623, -48254],
        [30203, -50712, -27560, -16075, 3618, 590, 44305, 20581, 33442, -7743, -43075, -16234, 45723, -44899, 42321, 49264],
        [42705, -32299, -19156, 5594, 28870, 8059, 58103, -60723, -32112, -7128, 45985, -24915, 63910, 18427, -51408, 22619],
        [-57517, 20738, -32286, 55995, 26666, 37550, -51489, 13733, 32455, -2897, -39622, -54523, 50733, -24649, -17849, -62326],
        [-15716, -38264, 64476, -37524, -61551, 13536, 12920, 1407, -63767, -55105, -46543, -36562, -20712, 2063, -6668, 9074],
        [47490, 18611, 52416, 3107, 32177, -41780, 11008, 7223, 5652, 881, 26719, -28444, 46077, -272, -32475, -9432],
        [-58938, -35689, 35708, 44689, 45902, 36614, 38550, 731, 49990, 6727, 61526, -35587, -39199, -43886, -56409, -25519],
    ]
    # right-hand side: the 16 constants each equation is compared against
    b = [-24232262, 17175305, 8705731, 26962228, -6384428, -15459013, 19554563, -188243,
         -19590071, -12754495, 6442406, -2869966, -4805280, -18964176, 8938201, 3896470]

    A = np.array(A)
    b = np.array(b)
    x = solve(A, b)          # floating-point solution
    print(x)
    print(np.rint(x).astype(int))   # rounded to the integers actually entered as input
Finally, the flag is obtained:
Summary:
Identifying junk (flower) instructions and cleaning them out (IDC script).
Decompiling a MIPS program (JEB2).
Solving the system of equations in Python (scipy.linalg). (Note: scipy.linalg.solve works in floating point, so the solution is only approximate; the final input is the rounded solve result.)
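An exact alternative to the float solve, added here as an example (it is not the writeup's scipy code). Gauss-Jordan elimination over Python's Fraction type gives the exact rational solution, so there is nothing to round, and a solution that is not integral (a sign of a mistyped coefficient) or a singular matrix is reported instead of silently yielding a nearby float vector. The 16x16 A and the 16-entry b from the writeup drop in unchanged in place of the constructed 3x3 sample used below; the sample and its solution are illustrative only.

```python
"""Exact rational solver for the integer linear system recovered from the binary (added example)."""
from fractions import Fraction
from typing import List, Sequence


def solve_exact(A: Sequence[Sequence[int]], b: Sequence[int]) -> List[Fraction]:
    """Solve A x = b exactly with Gauss-Jordan elimination; raises ValueError if A is singular."""
    n = len(A)
    if any(len(row) != n for row in A) or len(b) != n:
        raise ValueError("A must be square and b must have len(A) entries")
    # augmented matrix [A | b] over the rationals
    M = [[Fraction(v) for v in row] + [Fraction(b[i])] for i, row in enumerate(A)]
    for col in range(n):
        # pick any row at or below the diagonal with a non-zero entry as the pivot
        pivot = next((r for r in range(col, n) if M[r][col] != 0), None)
        if pivot is None:
            raise ValueError("matrix is singular: no unique solution")
        M[col], M[pivot] = M[pivot], M[col]
        inv = 1 / M[col][col]
        M[col] = [v * inv for v in M[col]]
        # eliminate the column from every other row
        for r in range(n):
            if r != col and M[r][col] != 0:
                factor = M[r][col]
                M[r] = [rv - factor * cv for rv, cv in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def verify(A: Sequence[Sequence[int]], x: Sequence[Fraction], b: Sequence[int]) -> bool:
    """Check A x == b exactly, which a floating-point solve cannot confirm."""
    return all(sum(Fraction(a) * xi for a, xi in zip(row, x)) == Fraction(b[i])
               for i, row in enumerate(A))


def as_integers(x: Sequence[Fraction]) -> List[int]:
    """The program's inputs are integers, so a non-integral solution means the
    coefficients were typed wrong; refuse instead of rounding."""
    bad = [v for v in x if v.denominator != 1]
    if bad:
        raise ValueError("solution is not integral: %s" % bad)
    return [int(v) for v in x]


# Constructed 3x3 instance with the known solution x = (2, 3, -1); illustrative only.
SAMPLE_A = [[2, 1, -1], [-3, -1, 2], [-2, 1, 2]]
SAMPLE_B = [8, -11, -3]

if __name__ == "__main__":
    x = solve_exact(SAMPLE_A, SAMPLE_B)
    print(as_integers(x), verify(SAMPLE_A, x, SAMPLE_B))
```

For the 16x16 system the Fractions grow large during elimination but the run still takes well under a second, and verify() gives a hard yes/no on the recovered inputs before they are typed into the program.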
Research on Android XSS:
Found a few good articles and read some of them. Posting the links first; haven't practised yet, will write it up after practising.
Android: the most complete WebView explanation
Android: every way you want WebView to interact with JS is here
Android: the WebView usage vulnerabilities you don't know about
Other:
Today I also looked at DDCTF Re2 (the black-box test). Tried it myself and did not solve it, so I went back to Night Shadow's writeup. Learned the methods and habits for analyzing data structures. Will reproduce it and write it up tomorrow.
Plan for tomorrow:
Finish the black-box test and summarize it.
Do the Android WebView experiment.
[Day 2 of the rotation] | Research on baby_mips and Android XSS