1、申 请 I D:SuperGate
2、个人邮箱:674232934@qq.com
3、原创技术文章:
RoarCTF 2019 Reverse-time
程序综述
题目原文件是Android backup文件,用abe.jar进行解包,得到一个apk文件和一个db.db的数据库文件。
用jadx打开apk文件,并查看MainActivity的OnCreate函数分析主要流程:
查看opendb和closedb函数:
发现会调用DatabaseHelper这个类,因此我们查看这个类的内容:
发现这个apk负责加密一个数据库并且不断地写+1进去,因此我们的大概思路就是将这个数据库解密,还原原来的数据。
具体分析
我们可以想到备份文件解压出来的db.db文件就很可能是我们需要的经过加密的数据库文件,因此接下来探寻文件的加密方式。
分析程序流程我们大概知道,程序对数据库文件进行了两次加密:
1. db = dbHelper.getWritableDatabase(passwd) 网上搜索一下发现getWritableDatabase方法的确有对数据库加密的功能,其中这个passwd为传入的密钥
2. 调用了一个fun函数,这个函数是native类型,因此使用apktool解包后找到libhello-jni.so,能找到该函数的具体实现:
int sub_940()
{
FILE *v0; // eax
FILE *v1; // esi
int v2; // edi
unsigned int v3; // esi
_BYTE *v4; // eax
int v5; // edx
int v6; // ecx
int v7; // ST34_4
unsigned int v8; // edi
int v9; // ebx
FILE *v10; // esi
void *v12; // [esp+8h] [ebp-134h]
size_t v13; // [esp+Ch] [ebp-130h]
FILE *v14; // [esp+14h] [ebp-128h]
char dest[275]; // [esp+29h] [ebp-113h]
v0 = fopen("/data/data/ctf.wm.timedatabase/databases/db.db", "rb");
if ( v0 )
{
v1 = v0;
fseek(v0, 0, 2);
v2 = ftell(v1);
fseek(v1, 0, 0);
v14 = v1;
v12 = malloc(v2);
fread(v12, 1u, v2, v1);
memcpy(dest, &unk_3004, 0xFFu);
v13 = v2;
if ( v2 )
{
v3 = 0;
v4 = v12;
v5 = v2;
v6 = 0;
do
{
v7 = v5;
v8 = v3
+ 1
- 255
* (((unsigned int)(((unsigned __int64)(-2139062143LL * (signed int)(v3 + 1)) >> 32) + v3 + 1) >> 31)
+ ((signed int)(((unsigned __int64)(-2139062143LL * (signed int)(v3 + 1)) >> 32) + v3 + 1) >> 7));
v9 = (unsigned __int8)dest[v8];
v6 = (v9 + v6) % 255;
dest[v8] = dest[v6];
dest[v6] = v9;
*v4++ ^= dest[(v9 + (unsigned int)(unsigned __int8)dest[v8]) % 0xFF];
--v5;
v3 = v3
+ 1
- 255
* (((unsigned int)(((unsigned __int64)(-2139062143LL * (signed int)(v3 + 1)) >> 32) + v3 + 1) >> 31)
+ ((signed int)(((unsigned __int64)(-2139062143LL * (signed int)(v3 + 1)) >> 32) + v3 + 1) >> 7));
}
while ( v7 != 1 );
}
fclose(v14);
v10 = fopen("/data/data/ctf.wm.timedatabase/databases/db.db", "wb");
fwrite(v12, 1u, v13, v10);
fclose(v10);
}
return _stack_chk_guard;
}
先对第二层加密进行分析,感觉上十分复杂,但是实际上加密方式就是对密文逐位异或。
因此这个算法是可逆的,并且密文不同并不会影响密钥(即每位密文异或的那个值)的值。因此对第二层进行解密,我们只需要将题目给出的db.db文件放进这个函数再次进行运算即可。
第二层加密解密脚本
#include<cstdio>
#include<iostream>
#include<cstring>
#include<cstdlib>
#include<algorithm>
#include<queue>
#include<stack>
#include<vector>
#include<cmath>
#include<map>
#define LL long long
using namespace std;
const int inf=0x3f3f3f3f;
unsigned char key[]={
0xAF,0x75,0x38,0xFA,0xEC,0xBB,0x1D,0x2F,0x7A,0x53,0x70,0x12,
0x9E,0x23,0x2E,0x6E,0x4D,0x46,0xBA,0x2B,0x15,0xD2,0xA3,0x35,0x32,0xFC,0x8D,0x8C,
0x30,0xAA,0xDB,0x47,0x4B,0xFD,0x11,0xA0,0xA1,0x6F,0x17,0x86,0x02,0xBD,0x7F,0x7B,
0x07,0xF6,0x0E,0xCF,0x26,0x88,0x27,0xC7,0xDD,0x7E,0x5F,0xD7,0x42,0xCE,0x49,0x43,
0x28,0x00,0x61,0xFE,0xE3,0xD9,0x94,0x1B,0x9B,0x21,0x2A,0x69,0x9A,0x0C,0xDE,0x31,
0x82,0x48,0xD0,0x77,0xC3,0x2C,0x3F,0x24,0x73,0xBC,0xF9,0x22,0x3E,0x51,0x09,0x96,
0xD6,0xE8,0x60,0x57,0x39,0x0B,0x04,0x95,0x14,0x84,0x5A,0xCC,0xEE,0xEA,0x1C,0x6D,
0x7D,0x40,0x1E,0x3A,0x2D,0xAD,0x55,0x01,0x63,0x91,0x05,0xA7,0xA4,0x29,0x92,0x8B,
0xC0,0xA8,0x58,0x8F,0x4A,0x6C,0x5D,0xB8,0xCB,0xB9,0x1A,0x98,0x81,0xE5,0xE4,0x0A,
0x18,0xAC,0x3C,0x08,0x20,0x45,0x67,0x89,0x72,0x4C,0x8A,0x64,0xFB,0x19,0xB3,0xD5,
0x4E,0xA6,0x13,0x9F,0x52,0x59,0xBF,0xA2,0xC1,0xC8,0x66,0x34,0xB5,0x06,0x71,0x62,
0x0D,0x9D,0xF5,0x99,0xE9,0xB2,0xBE,0x90,0x79,0x74,0x6A,0x9C,0xB1,0x36,0xF7,0x7C,
0xF4,0xE7,0xD8,0x44,0x78,0x41,0xDA,0xE1,0xEB,0xF8,0xD4,0x3B,0xC6,0xE2,0xAE,0xD1,
0x0F,0xA9,0xA5,0xE6,0xD3,0x50,0xF1,0xB6,0xDF,0xC5,0xB0,0x3D,0xC9,0x8E,0xF0,0x65,
0x54,0xCD,0xC4,0x97,0x1F,0xEF,0xF2,0xAB,0x25,0x10,0x93,0x80,0x6B,0x37,0xE0,0xB4,
0x5B,0x03,0x87,0x5C,0x76,0x83,0xCA,0x85,0xED,0x56,0xDC,0x4F,0x16,0x5E,0xB7,0xF3,
0xC2,0x68,0x33
};
int main(){
FILE *v0; // eax
FILE *v1; // esi
int v2; // edi
unsigned int v3; // esi
char *v4; // eax
int v5; // edx
int v6; // ecx
int v7; // ST34_4
unsigned int v8; // edi
int v9; // ebx
FILE *v10; // esi
void *v12; // [esp+8h] [ebp-134h]
size_t v13; // [esp+Ch] [ebp-130h]
FILE *v14; // [esp+14h] [ebp-128h]
char dest[275]; // [esp+29h] [ebp-113h]
v0 = fopen("C:\\Users\\Dell\\Desktop\\db.db", "rb");
if ( v0 )
{
v1 = v0;
fseek(v0, 0, 2);
v2 = ftell(v1);
fseek(v1, 0, 0);
v14 = v1;
v12 = malloc(v2);
fread(v12, 1u, v2, v1);
memcpy(dest, key, 0xFFu);
v13 = v2;
if ( v2 )
{
v3 = 0;
v4 = (char *)v12;
v5 = v2;
v6 = 0;
do
{
v7 = v5;
v8 = v3
+ 1
- 255
* (((unsigned int)((0xFFFFFFFF80808081LL * (signed int)(v3 + 1) >> 32) + v3 + 1) >> 31)
+ ((signed int)((0xFFFFFFFF80808081LL * (signed int)(v3 + 1) >> 32) + v3 + 1) >> 7));
v9 = (unsigned __int8)dest[v8];
v6 = (v9 + v6) % 255;
dest[v8] = dest[v6];
dest[v6] = v9;
*v4++ ^= dest[(v9 + (unsigned int)(unsigned __int8)dest[v8]) % 0xFF];
--v5;
v3 = v3
+ 1
- 255
* (((unsigned int)((0xFFFFFFFF80808081LL * (signed int)(v3 + 1) >> 32) + v3 + 1) >> 31)
+ ((signed int)((0xFFFFFFFF80808081LL * (signed int)(v3 + 1) >> 32) + v3 + 1) >> 7));
}
while ( v7 != 1 );
}
fclose(v14);
v10 = fopen("C:\\Users\\Dell\\Desktop\\decode.txt","wb");
fwrite(v12, 1u, v13, v10);
fclose(v10);
}
}
接下来对第一层进行分析。
我们知道第一层加密实质上就是使用sqlcipher加密数据库,因此可以使用工具对其进行解密,我们只需要找到密钥即可。
题目更新了提示,且标识重要,提示是长者的生日。
发现原程序有个getcurrentTime的函数和getrandom的函数,怀疑getcurrenttime的值应该是电脑时间为长者生日时得到的。
passwd = String.valueOf(new Random(System.currentTimeMillis() / 86400000).nextInt())
时间精确到天数之后,计算长者出生日期和1970.1.1的天数差(有符号)
最后当作随机数种子生成password
出key脚本
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Random;
import java.util.TimeZone;
public class ReTime {
public static void main(String args[]){
String passwd = String.valueOf(new Random(-15842).nextInt());
//15842是长者生日和1970.1.1的日期之差
System.out.println(passwd);
}
}
Key:
hex:0x84A5FF23
dec:-2069496029
unsigned dec :2225471267
第一层加密解密脚本:
sqlcipher-shell64.exe decode.db
PRAGMA key = '-2069496029';
ATTACH DATABASE 'plaintext.db' AS plaintext KEY '';
SELECT sqlcipher_export('plaintext');
DETACH DATABASE plaintext;
拿到这个 plaintext 之后,用数据库软件打开发现并没有任何有价值的信息,然后用二进制方式打开,在下方发现了flag
吾爱游客
发表于 2019-11-17 22:00
发表于 2019-11-19 15:53
