XX_mobile01
Java层逻辑很简单,就是调用了firstEncrypt() 和**secondEncrypt()** 函数对**str**进行处理
firstEncrypt() :
进入**firstencrypt()** 查看:
识别加密算法为**xxtea**
通过动调**so文件得到密钥**:
secondEncrypt() :
这里可以发现**secondEncrypt()** 没有什么有用的内容,可以得知**secondEncrypt()** 函数实际的功能是通过动态注册的
找到**JNI_Onload()** 函数:
发现对应的函数**sub_032479()** :
encrypt_block() :
RijnDael_AES_LONG_763878C0ED00:
识别为**魔改AES**
exp:
import struct
def shift(z, y, x, k, p, e):
return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((x ^ y) + (k[(p & 3) ^ e] ^ z)))
def decrypt(v, k):
delta = 0x9E3779B9
n = len(v)
rounds = 6 + 52 // n
x = (rounds * delta) & 0xFFFFFFFF
y = v[0]
for i in range(rounds):
e = (x >> 2) & 3
for p in range(n - 1, 0, -1):
z = v[p - 1]
v[p] = (v[p] - shift(z, y, x, k, p, e)) & 0xFFFFFFFF
y = v[p]
p -= 1
z = v[n - 1]
v[0] = (v[0] - shift(z, y, x, k, p, e)) & 0xFFFFFFFF
y = v[0]
x = (x - delta) & 0xFFFFFFFF
return v
def xxtea_decrypt_bytes(data: bytes, key: list[int]) -> bytes:
"""XXTEA 解密"""
v = list(struct.unpack(f'>{len(data) // 4}I', data))
decrypt(v, key)
result = struct.pack(f'>{len(v)}I', *v)
return result.rstrip(b'\0')
# -*- coding: utf-8 -*-
MASK32 = 0xFFFFFFFF
def rol32(x, n):
n &= 31
x &= MASK32
if n == 0:
return x
return ((x << n) | (x >> (32 - n))) & MASK32
def ror32(x, n):
n &= 31
x &= MASK32
if n == 0:
return x
return ((x >> n) | (x << (32 - n))) & MASK32
# --- AES S-box(标准表) ---
SBOX = [
0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0x***, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16,
]
# --- AES 逆 S-box(标准表) ---
INV_SBOX = [
0x52, 0x09, 0x6A, 0xD5, 0x30, 0x36, 0xA5, 0x38, 0xBF, 0x40, 0xA3, 0x9E, 0x81, 0xF3, 0xD7, 0xFB,
0x7C, 0xE3, 0x39, 0x82, 0x9B, 0x2F, 0xFF, 0x87, 0x34, 0x8E, 0x43, 0x44, 0xC4, 0xDE, 0xE9, 0xCB,
0x54, 0x7B, 0x94, 0x32, 0xA6, 0xC2, 0x23, 0x3D, 0xEE, 0x4C, 0x95, 0x0B, 0x42, 0xFA, 0xC3, 0x4E,
0x08, 0x2E, 0xA1, 0x66, 0x28, 0xD9, 0x24, 0xB2, 0x76, 0x5B, 0xA2, 0x49, 0x6D, 0x8B, 0xD1, 0x25,
0x72, 0xF8, 0xF6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xD4, 0xA4, 0x5C, 0x***, 0x5D, 0x65, 0xB6, 0x92,
0x6C, 0x70, 0x48, 0x50, 0xFD, 0xED, 0xB9, 0xDA, 0x5E, 0x15, 0x46, 0x57, 0xA7, 0x8D, 0x9D, 0x84,
0x90, 0xD8, 0xAB, 0x00, 0x8C, 0xBC, 0xD3, 0x0A, 0xF7, 0xE4, 0x58, 0x05, 0xB8, 0xB3, 0x45, 0x06,
0xD0, 0x2C, 0x1E, 0x8F, 0xCA, 0x3F, 0x0F, 0x02, 0xC1, 0xAF, 0xBD, 0x03, 0x01, 0x13, 0x8A, 0x6B,
0x3A, 0x91, 0x11, 0x41, 0x4F, 0x67, 0xDC, 0xEA, 0x97, 0xF2, 0xCF, 0xCE, 0xF0, 0xB4, 0xE6, 0x73,
0x96, 0xAC, 0x74, 0x22, 0xE7, 0xAD, 0x35, 0x85, 0xE2, 0xF9, 0x37, 0xE8, 0x1C, 0x75, 0xDF, 0x6E,
0x47, 0xF1, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7, 0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B,
0xFC, 0x56, 0x3E, 0x4B, 0xC6, 0xD2, 0x79, 0x20, 0x9A, 0xDB, 0xC0, 0xFE, 0x78, 0xCD, 0x5A, 0xF4,
0x1F, 0xDD, 0xA8, 0x33, 0x88, 0x07, 0xC7, 0x31, 0xB1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xEC, 0x5F,
0x60, 0x51, 0x7F, 0xA9, 0x19, 0xB5, 0x4A, 0x0D, 0x2D, 0xE5, 0x7A, 0x9F, 0x93, 0xC9, 0x9C, 0xEF,
0xA0, 0xE0, 0x3B, 0x4D, 0xAE, 0x2A, 0xF5, 0xB0, 0xC8, 0xEB, 0xBB, 0x3C, 0x83, 0x53, 0x99, 0x61,
0x17, 0x2B, 0x04, 0x7E, 0xBA, 0x77, 0xD6, 0x26, 0xE1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0C, 0x7D,
]
def T(x):
# 逐字节过 SBOX,保持原位拼回 32 位
return (
SBOX[(x) & 0xFF] |
(SBOX[(x >> 8) & 0xFF] << 8) |
(SBOX[(x >> 16) & 0xFF] << 16) |
(SBOX[(x >> 24) & 0xFF] << 24)
) & MASK32
def invT(x):
# 与 T 相反:逐字节过逆 SBOX
return (
INV_SBOX[(x) & 0xFF] |
(INV_SBOX[(x >> 8) & 0xFF] << 8) |
(INV_SBOX[(x >> 16) & 0xFF] << 16) |
(INV_SBOX[(x >> 24) & 0xFF] << 24)
) & MASK32
DELTA = 1640531527 # 0x61C88647
def decrypt_block(words, a2=0x89ABCDEF):
"""
:param words: 可迭代对象,包含 4 个 32 位无符号整数 (Y0,Y1,Y2,Y3)
:param a2: 常量 0x89ABCDEF (可改)
:return: 4 个 32 位无符号整数 (X0,X1,X2,X3)
"""
y0, y1, y2, y3 = [w & MASK32 for w in words]
# 末尾白化(输出异或)去除
k = (T(rol32(a2, 24)) ^ 0xF1BBCDC8) & MASK32
a = (y0 ^ k) & MASK32
b = (y1 ^ rol32(k, 25)) & MASK32
c = (y2 ^ rol32(k, 18)) & MASK32
d = (y3 ^ rol32(k, 11)) & MASK32
# 8 轮逆运算:i = 7..0
for i in range(7, -1, -1):
v7 = i
v8 = i + 1
v6 = (3 * i) & 31 # 轮内使用的 a2 旋转位数
v5 = (-DELTA * i) & MASK32 # 该轮开始时的 v5
v11 = (v5 ^ T(rol32(a2, v6))) & MASK32
# 记当前状态 (A',B',C',D') = (a,b,c,d)
Ap, Bp, Cp, Dp = a, b, c, d
# 根据输出倒推中间量
v19 = Dp
v18 = (Cp ^ rol32(v19, 19) ^ rol32(Ap, 9)) & MASK32
v17 = (Bp ^ rol32(v19, 15) ^ rol32(v18, 13)) & MASK32
v15 = (Ap ^ rol32(v17, 7) ^ rol32(v18, 21)) & MASK32
v13 = (v19 ^ rol32(v15, 3) ^ rol32(v17, 27)) & MASK32
v16 = ror32((v18 ^ v13) & MASK32, v7 + 3)
v14 = ror32((v17 ^ v16) & MASK32, v7 + 2)
v12 = ror32((v15 ^ v14) & MASK32, v8)
# 由中间量恢复经 S 盒后的 sA..sD
sD = (v16 ^ rol32(v11, 15)) & MASK32
sC = (v14 ^ rol32(v11, 10)) & MASK32
sB = (v12 ^ rol32(v11, 5)) & MASK32
sA = (v11 ^ ror32((v13 ^ v12) & MASK32, v7)) & MASK32
# 反 T() 得到上一轮(或明文)A,B,C,D
a = invT(sA)
b = invT(sB)
c = invT(sC)
d = invT(sD)
return a & MASK32, b & MASK32, c & MASK32, d & MASK32
# ---- 可选:辅助字节序转换(便于和 16 字节块互转)----
def words_from_bytes(b16_le):
"""小端解析 16 字节 -> 4*32 位"""
assert len(b16_le) == 16
return (
int.from_bytes(b16_le[0:4], "little"),
int.from_bytes(b16_le[4:8], "little"),
int.from_bytes(b16_le[8:12], "little"),
int.from_bytes(b16_le[12:16], "little"),
)
def bytes_from_words(words4):
"""4*32 位 -> 小端 16 字节"""
return b"".join((w & MASK32).to_bytes(4, "little") for w in words4)
if __name__ == '__main__':
cipher = (0x57898BB6, 0x079330D4, 0x90AC35B2, 0x998D59C3)
plain_words = decrypt_block(cipher, a2=0x89ABCDEF)
plain_words = list(plain_words)
key = [0x12345678, 0x9ABCDEF0, 0xFEDCBA9, 0x87654321]
decrypt(plain_words, key)
print("IS***{", end='')
for i in plain_words:
print(i.to_bytes(4, byteorder='little').decode(errors='ignore'), end='')
print("}")
解得**flag:IS***{Isdhiwe_2@opsiwT}**
Pokemon
这题经分析要挑战完**8个道馆后才能进入终极试炼,并使用8个道馆的字符串组成最后的flag**
MainActivity:
查看有关**道馆信息的类,BadgeRepository**:
可以很明显的看出**道馆的序号、名称以及所对应的flag密文**
点击不同道馆会传入对应道馆的信息,并进入**ChallengeActivity**
public final void onClick(Badge badge) {
MainActivity.this.m183lambda$onCreate$1$***examplepokemonMainActivity(badge);
}
ChallengeActivity:
点击提交按钮后:
Rule forBadge = RuleRepository.forBadge(this.badgeId);
RuleRepository:
可以看到根据不同道馆的**id添加不同的操作规则类**
Aop:
流程:
从**
C0568R.raw.key获取key --> 与str**进行逐字节异或
exp:
def xor(enc: bytes, key: str) -> bytes:
key_len = len(key)
key = bytes(key, 'utf-8')
dec = []
for i in range(len(enc)):
dec.append(enc[i] ^ key[i % key_len])
return bytes(dec)
def decrypt(enc: str, key: str) -> bytes:
enc = bytes.fromhex(enc)
dec = xor(enc, key)
return dec
if __name__ == '__main__':
enc = "045e0c251301214e"
key = "Togepi"
dec = decrypt(enc, key)
print(dec.decode())
岩石道馆通关字符串:P1k@chu!
Bop:
流程:
转**
hex** --> 反转十六进制奇数位字符(偶数下标位) --> 还原为**bytes** --> 反转字符串
exp:
def bytearray_to_hexStr(s: bytearray) -> str:
hexStr = ""
for i in s:
hexStr += hex(i)[2:]
return hexStr
def reverse_reversefunc(s: bytearray) -> bytes:
s = bytearray_to_hexStr(s)
s = list(s)
tmp = []
for i in range(0, len(s), 2):
tmp.append(s[i])
for i in range(len(tmp) - 1, -1, -1):
s[(len(tmp) - 1 - i) * 2] = tmp[i]
s = "".join(s)
return bytes.fromhex(s)
def decrypt(enc: str) -> bytes:
enc = enc[::-1]
enc = bytearray(enc, "utf-8")
dec = reverse_reversefunc(enc)
return dec
if __name__ == '__main__':
enc = "Cr5aE0bqu\""
dec = decrypt(enc)
try:
print(dec.decode())
except:
print(f"解码失败 dec = {dec}")
华蓝道馆通关字符串:Bu1b@5aur#
Cop:
流程:
从**
C0568R.raw.key2获取key --> 调用nativeProcess()** 进行加密
这里通过**fridahooknativeProcess()** 函数发现可以通过爆破得到通关字符串:
setImmediate(function () {
Java.perform(function () {
let COp = Java.use("***.example.pokemon.verifier.op.COp");
const orig_nativeProcess = COp["nativeProcess"];
COp["nativeProcess"].implementation = function (bArr, bArr2) {
console.log(`COp.nativeProcess is called: bArr=${bArr}, bArr2=${bArr2}`);
let result = orig_nativeProcess.call(this, bArr, bArr2);
console.log(`COp.nativeProcess result=${result}`);
function func(enc, arr, n) {
for (let j = 0; j <= 127; j++) {
arr[n] = j;
console.log(`第 ${n} 位爆破:${arr} 中`);
let result_tmp = orig_nativeProcess.call(this, arr, bArr2);
result_tmp = result_tmp.substring(0, result_tmp.length - 2);
console.log(`第 ${n} 位爆破结果(去除校验位):${result_tmp}`);
let expected = enc.substring(enc.length - 2 * (n + 1), enc.length);
result_tmp = result_tmp.substring(result_tmp.length - 2 * (n + 1), result_tmp.length);
console.log(`比较目标:${expected} 和爆破比较目标:${result_tmp}`);
if (expected === result_tmp) {
return arr;
}
}
return null;
}
let enc = "01850468411918C2358D31BE";
enc = enc.substring(0, (enc.length - 2)); // 去除校验位
console.log(`爆破目标:${enc}`)
let arr = Java.array('byte', new Array(enc.length / 2).fill(0));
console.log(`爆破初始化:${arr}`);
for (let i = 0; i < enc.length / 2; i++) {
try {
arr = func.call(this, enc, arr, i);
if (arr === null) {
console.log(`第${i}位未爆破成功,func 返回 null`);
break;
}
} catch (error) {
console.log(`第${i}位未爆破成功(异常): ${error}`);
break;
}
}
console.log(`爆破结果:${arr}`);
let str = "";
try {
for (let i = 0; i < arr.length; i++) {
str += String.fromCharCode(arr[i]);
}
console.log(`爆破结果转换字符串:${str}`);
} catch (error) {
console.log(`爆破结果转换字符串失败${error}`);
}
return result;
};
});
});
爆破结果:
爆破结果:67,104,52,114,109,64,110,100,51,114,36
爆破结果转换字符串:Ch4rm@nd3r$
枯叶道馆通关字符串:Ch4rm@nd3r$
Dop:
使用**fridahooknativeGetKey()** 和**nativeGetIv()** :
setImmediate(function () {
Java.perform(function () {
let DOp = Java.use("***.example.pokemon.verifier.op.DOp");
DOp["nativeGetKey"].implementation = function () {
console.log(`DOp.nativeGetKey is called`);
let result = this["nativeGetKey"]();
console.log(`DOp.nativeGetKey result=${result}`);
return result;
};
DOp["nativeGetIv"].implementation = function () {
console.log(`DOp.nativeGetIv is called`);
let result = this["nativeGetIv"]();
console.log(`DOp.nativeGetIv result=${result}`);
return result;
};
});
});
得到**Key和IV**:
DOp.nativeGetKey is called
DOp.nativeGetKey result=79,66,93,8,86,39,81,3,116,17,72,111,65,82,53,78
DOp.nativeGetIv is called
DOp.nativeGetIv result=26,34,1,114,48,12,38,53,13,23,16,105,33,59,4,109
转一下**hex**:
x=[79,66,93,8,86,39,81,3,116,17,72,111,65,82,53,78]
print("key:",end="")
for i in x:
print(hex(i)[2:],end=" ")
print()
print("iv:",end="")
y=[26,34,1,114,48,12,38,53,13,23,16,105,33,59,4,109]
for i in y:
print(hex(i)[2:],end=" ")
key:4f 42 5d 8 56 27 51 3 74 11 48 6f 41 52 35 4e
iv:1a 22 1 72 30 c 26 35 d 17 10 69 21 3b 4 6d
使用**CyberChef解AES**:
金黄道馆通关字符串:SqU1rt!3%
Eop:
流程:
逐字节异或**
buildKey1** --> 逐字节反转 --> 逐字节异或**nativeGetKey2** --> 转**hex** --> 反转十六进制奇和偶数位字符 --> 反转字符串
使用**fridahooknativeGetKey2()** 和**buildKey1()** :
setImmediate(function () {
Java.perform(function () {
let EOp = Java.use("***.example.pokemon.verifier.op.EOp");
EOp["nativeGetKey2"].implementation = function () {
console.log(`EOp.nativeGetKey2 is called`);
let result = this["nativeGetKey2"]();
console.log(`EOp.nativeGetKey2 result=${result}`);
return result;
};
EOp["buildKey1"].implementation = function () {
console.log(`EOp.buildKey1 is called`);
let result = this["buildKey1"]();
console.log(`EOp.buildKey1 result=${result}`);
return result;
};
});
});
EOp.buildKey1 is called
EOp.buildKey1 result=99,55,125,98,63,123,68,80
EOp.nativeGetKey2 is called
EOp.nativeGetKey2 result=115,81,86,83,85,86,85,100
buildKey1:c7}b?{DP
nativeGetKey2:sQVSUVUd
exp:
def bytearray_to_hexStr(s: bytearray) -> str:
hexStr = ""
for i in s:
hexStr += hex(i)[2:]
return hexStr
def reverse_reversefunc(s: str) -> str:
s = list(s)
tmp_1 = []
tmp_2 = []
for i in range(0, len(s), 2):
tmp_1.append(s[i])
tmp_2.append(s[i + 1])
tmp_1 = tmp_1[::-1]
tmp_2 = tmp_2[::-1]
for i in range(0, len(s), 2):
s[i] = tmp_1[i // 2]
s[i + 1] = tmp_2[i // 2]
s = "".join(s)
return s
def decrypt(enc: str, native_key: str, buildKey1: str) -> bytes:
enc = enc[::-1]
dec = reverse_reversefunc(enc)
dec = bytearray.fromhex(dec)
for i in range(len(dec)):
dec[i] ^= ord(native_key[i % len(native_key)])
dec = dec[::-1]
for i in range(len(dec)):
dec[i] ^= ord(buildKey1[i % len(buildKey1)])
dec = bytes(dec)
return dec
if __name__ == '__main__':
enc = "050237671445B5169675F7"
native_key = "sQVSUVUd"
buildKey1 = "c7}b?{DP"
dec = decrypt(enc, native_key, buildKey1)
try:
print(dec.decode())
except:
print(f"解码失败 dec = {dec}")
玉虹道馆通关字符串:J1gg1yPuFF^
浅红道馆:
使用上面的**exp解得通关字符串:G3ng@r!0**
红莲道馆:
使用上面的**exp解得通关字符串:3Ev3e&**
常青道馆:
使用上面的**exp解得通关字符串:Sn0r1@x***
进入**终极试炼**:
对应代码:
两次**sha256**没得逆
根据题目给的提示:
Hint 5:终极试炼:Third, sixth;Fourth, tenth;Fourth, ninth;Second, fourth;Third, seventh;First, third;Third, fourth;First, eighth共16位
得到最后的**flag:IS***{khb#r3q1gPGnv3S*}**
