18/10/05-5-BugKu-逆向-LittleRotatorGame(NJCTF)

Posted 2021-01-10 fingerprint

0x00

题目链接：https://pan.baidu.com/s/1FLIaSN6EOe34qQNO_8yi-g
提取码：phou

 

0x01

native层分析

根据提示程序用了O-LLVM混淆，IDA分析ANativeActivity_onCreate函数，分析此处

1 v24 = flg((int)v67, &v89);
2                                           j___android_log_print(4, "an-activity", "The flag is:njctf{%s}", v24);
3                                           v4 = -681054051;
4                                           v25 = v2;
5                                           v66 = v2;
6                                           goto LABEL_214;

View Code

可看出flag与flg函数有关。

 

0x02

分析flg层函数。

 1 char *__fastcall flg(int a1, char *a2)
 2 {
 3   int v2; // ST0C_4
 4   int v3; // r4
 5   int v4; // r0
 6   char v5; // ST08_1
 7   int v6; // ST10_4
 8   int v7; // r0
 9   int v8; // r2
10   int v9; // r0
11   int v10; // r3
12   int v11; // r0
13 
14   v2 = a1;
15   v3 = a1;
16   v4 = a1 % 10;
17   v5 = v4;
18   *a2 = 20 * v4;
19   v6 = v3 / 100 % 10;
20   v7 = 19 * v6 + 20 * v4;
21   a2[1] = v7;
22   a2[2] = v7 - 4;
23   v8 = v3 / 10 % 10;
24   a2[3] = v3 / 1000000 % 10 + 11 * v8;
25   v9 = v3 / 10000 % 10;
26   v10 = v3 / 1000 % 10;
27   a2[4] = 20 * v10 - v9;
28   a2[5] = (v8 + v5) * v10;
29   a2[6] = v8 * v10 * v9;
30   v11 = v2 / 100000 % 10;
31   a2[7] = 20 * v11 - v6;
32   a2[8] = 10 * v10 | 1;
33   a2[9] = (v8 + v5) * v11 - 1;
34   a2[10] = v5 * v8 * v6 * v6 - 4;
35   *(_WORD *)(a2 + 11) = (unsigned __int8)((v6 + v8) * v11 - 5);
36   return a2;
37 }

View Code

发现有/1000000，说明输入的数大于1000000，可以进行爆破。

 

0x03

写脚本进行爆破，从1000000到10000000。

cpp脚本

 1 #include<iostream>
 2 void check(int num);
 3 int ok(char);
 4 int main(void)
 5 {
 6     for(int i = 1000000; i < 10000000; i++)
 7     {
 8         check(i);
 9     }
10     return 0;
11 }
12 void check(int num)
13 {
14     int m = 1;
15 
16     char flag[13];
17     int v4 = num % 10;
18     flag[0] = 20 * v4;
19     int v6 = num / 100 % 10;
20     int v7 = 19 * v6 + 20 * v4;
21     flag[1] = v7;
22     flag[2] = v7 - 4;
23     int v8 = num/10%10;
24     flag[3] = num / 1000000 % 10 + 11 * v8;
25     int v9 = num / 10000 % 10;
26     int v10 = num / 1000 % 10;
27     flag[4] = 20* v10 - v9;
28     flag[5] = (v8 + v4) * v10;
29     flag[6] = v8 * v10 * v9;
30     int v11 = num / 100000 % 10;
31     flag[7] = 20 * v11 - v6;
32     flag[8] = 10 * v10 | 1;
33     flag[9] = (v8 + v4) * v11 - 1;
34     flag[10] = v4 * v8 * v6 * v6 - 4;
35     flag[11] = (v6 + v8) * v11 - 5;
36     flag[12] = ‘‘;
37 
38     for(int i = 0; i < 12; i++)
39     {
40         if(!((flag[i] >= ‘A‘ && flag[i] <= ‘Z‘) || (flag[i] >= ‘a‘ && flag[i] <= ‘z‘) || (flag[i] >= ‘0‘ && flag[i] <= ‘9‘) ))
41         {
42             m = 0;
43         }
44     }
45     if(m == 1)
46     printf("%s
",flag);
47 }

View Code

python脚本

 1 def check1(num):
 2     flag = [0] * 12
 3     v4 = num % 10
 4     flag[0] = 20 * v4
 5     v6 = num / 100 % 10
 6     v7 = 19 * v6 + 20 * v4
 7     flag[1] = v7
 8     flag[2] = v7 - 4
 9     v8 = num / 10 % 10
10     flag[3] = num / 1000000 % 10 + 11 * v8
11     v9 = num / 10000 % 10
12     v10 = num / 1000 % 10
13     flag[4] = 20 * v10 - v9
14     flag[5] = (v8 + v4) * v10
15     flag[6] = v8 * v10 * v9
16     v11 = num / 100000 % 10
17     flag[7] = 20 * v11 - v6
18     flag[8] = 10 * v10 | 1
19     flag[9] = (v8 + v4) * v11 - 1
20     flag[10] = v4 * v8 * v6 * v6 - 4
21     flag[11] = (v6 + v8) * v11 - 5
22     m = 1
23     for i in flag:
24         if(check2(i)):
25             m = 0
26     if (m == 1):
27         str = ‘‘
28         for i in flag:
29             str += chr(i)
30         print str
31 
32 
33 def check2(num):
34     if ((num >= ord(‘A‘)) & (num <= ord(‘Z‘))):
35         return 0
36     if ((num >= ord(‘a‘)) & (num <= ord(‘z‘))):
37         return 0
38     if ((num >= ord(‘0‘)) & (num <= ord(‘9‘))):
39         return 0
40     return 1
41 
42 
43 for i in range(1000000,10000000):
44     check1(i)

View Code

python跑得会比较慢，在输出结果中有一个即是flag。