ƽ - LCG - LSG |׿ƽ||ƽܛ|ŷƱ  www.ykwek.com

 һܴa
 ע[Register]

QQ

ֻһ_ʼ

: ctf Ó ̳
鿴: 14290|؏: 196
һ} һ}

欧国联和欧洲杯 : [Android ԭ] 2020괺t}wp

    [朽]
Dָnj
Θ l 2020-2-10 03:03
Θ 2020-2-10 14:50 ݋

ʂ乤

ŷƱ www.ykwek.com IDA ProGDAC{ԇAndroidCһ_

GDA

ȰapkGDAҵMainActivityonClick


Ҫ߉݋asoļ

IDA{ԇ

ֱӰlibxtian.soGIDA]ҵcheckSnfDŽӑBעԵsoлooBֻC{ԇC{ԇIJEWкܶ@^
ӑBעNativeĺRegisterNatives{ԇIDAͣJNI_OnLoadD _ZN3art3JNI15RegisterNativesEP7_JNIEnvP7_jclassPK15JNINativeMethodi”\


SR2ĴҵcheckSnĵַ

checkSn”C߅ݔuidͼٴacCIDAͣcheckSnf@
F挦һ}

һԌOLLVMĿֱ̻ӲPCĴĴaIDAF5UַҲ\Еrŕo

ȥҞ@t}TȥֶҲ̫Q
@rͿIDAtraceץȡ^ָ^@t}Բץָʹfunction tracingֻץȡ{

֪tracewץȡеĺ{ֻŪ˂IDC_β

static main(void)
{
    do
    {
        step_over();
        wait_for_next_event(STEP,-1);
    }while(PC!=0xEEDAFC2C);//ͣں̎
}

עҪO_ֹͣcheckSn̎OÔcֹw


IDAͣcheckSn_function tracingһ_ͣcheckSnretnescҵw̎Ǿa”traceӛ䛺checkSn^һ

checkSnĺ{

ץ{úP]function tracingץȡָ”ۙѽ^һָע


һlBLXҲgetpwdlen”ͣºע^

R6ĴGetStringUTFLengthĵַf@_ȡַLȵuid߀pwdų
߳API{úصcheckSn^m¸ҵzpwdLȵĴa

pwdLȲ15ֱӷ҂޸¼ٴa^mץȡ

FڿDtraceҲ֪checkSn@ȡݔuidpwd{checkДǷpwduid޸checkķֵ1\Toast@ʾɹf_
FڰѷĿDcheckcheckҲл޸_PC!=0xEEDAF362”ʹIJEץȡк{

check

ҵIDAcheckoʹfunction tracingappԭδֻ֪ܸijinstruction tracingץȡָ̫Ͳչʾҕڸ
@fcheckķ˼·Ҫ
traceļҳBLX”ಽ{APItۙAPI{soĺǾֱLRĵַ”\Ҫӛӛ䛅ͷֵ
ÿ{õăȲtraceһxaXҪ̫rgӛ䛅ͷֵ{ֱӲ㷨²traceָ
check{gettimeofdayȻtimeval1800000Ҳ30


ȻuidͽYƴһһ32ֹhashڗ픵ַ̎

@hash㷨қ]߀ԭԞsm3ˎ״ζҲ^wֱ^߀òӰ푽}Ŀ
֮ȡhash17-20λ

cuidƴӵһȴ^

pwdMbase64aa޸^Dsm3hash˸ע

aMRC4key52pojie2020xtian

λ0x20


cuid+hash^

check̾

עԙC

]߀ԭhash㷨Բ܌עԙCpwdrЧֻ30
ֻJNI_OnLoad+43B2̎ƌǰrgĽYټpythonaһ

import hashlib
from Crypto.Cipher import ARC4
b64table = 'AzSxleoQp02MtvisIZUF8ThRaEL9Nd57qG6DfOkW4JHXmYjwV1Pn3uycrCgbKB-_='
decryptkey = '52pojie2020xtian'

def RC4(data, key):
    rc41 = ARC4.new(key)
    encrypted = rc41.encrypt(data)
    return encrypted

def b64encode(s):
    res = []
    leftover = len(s) % 3
    for i in range(0, len(s) - leftover, 3):
        c2 = ord(s[i])
        c1 = ord(s[i + 1])
        c0 = ord(s[i + 2])
        res.append(b64table[(c2 >> 2) & 0x3f])
        res.append(b64table[((c2 & 0x3) << 4) | ((c1 >> 4) & 0x0f)])
        res.append(b64table[((c1 & 0x0f) << 2) | ((c0 >> 6) & 0x03)])
        res.append(b64table[c0 & 0x3f])
    i += 3
    if leftover == 1:
        c2 = ord(s[i])
        res.append(b64table[(c2 >> 2) & 0x3f])
        res.append(b64table[(c2 & 0x3) << 4])
        res.append(b64table[-1])
        res.append(b64table[-1])
    elif leftover == 2:
        c2 = ord(s[i])
        c1 = ord(s[i + 1])
        res.append(b64table[(c2 >> 2) & 0x3f])
        res.append(b64table[((c2 & 0x3) << 4) | ((c1 >> 4) & 0x0f)])
        res.append(b64table[(c1 & 0x0f) << 2])
        res.append(b64table[-1])
    return ''.join(res)

def b64decode(s):
    res = []
    end = len(s)
    if s[-1] == b64table[-1]:
        end -= 4
    for i in range(0, end, 4):
        c3, c2, c1, c0 = b64table.index(s[i]), b64table.index(
            s[i + 1]), b64table.index(s[i + 2]), b64table.index(s[i + 3])
        res.append(chr(((c3 << 2)) | ((c2 >> 4) & 0x03)))
        res.append(chr(((c2 & 0x0f) << 4) | ((c1 >> 2) & 0x0f)))
        res.append(chr(((c1 & 0x03) << 6) | (c0 & 0x03f)))
    if end < len(s):
        if s[-2] == b64table[-1]:
            c3, c2 = b64table.index(s[end]), b64table.index(s[end + 1])
            res.append(chr(((c3 << 2)) | ((c2 >> 4) & 0x03)))
        else:
            c3, c2, c1 = b64table.index(s[end]), b64table.index(s[end + 1]), b64table.index(s[end + 2])
            res.append(chr(((c3 << 2)) | ((c2 >> 4) & 0x03)))
            res.append(chr(((c2 & 0x0f) << 4) | ((c1 >> 2) & 0x0f)))
    return ''.join(res)

def wuaiencrypt(message):
    r = ''
    for i in list(message):
        r += chr(ord(i) ^ 0x20)
    r = RC4(r, decryptkey)
    return b64encode(r)

def wuaidecrypt(message):
    c = list(b64decode(message))
    c = list(RC4(b''.join(c), decryptkey))
    for i in range(len(c)):
        c[i] = chr(ord(c[i]) ^ 0x20)
    return ''.join(c)

enc = 'lu_BURGbkz3qtwLXBkYm'
flag = '0325008b4f37de1'

print wuaidecrypt(enc)
print wuaiencrypt(flag)

ȴнhash㷨keygen@80CBļt߀Dzð

ǰvtraceļhtrace checkIDAʽ˲ٕrgֶ
traceidbtrcYĿIDAdidbòc}}Ŀעһ
idbtrace.zip (1.48 MB, dΔ: 53)

Mu

103ێ +313 ֵ +97
Hmiku + 1 + 1 Ļ؏
cst198926 + 1 + 1 ĄDNܛȫߺęn
+ 1 Һٝͬ
hssl1019 + 1 + 1 x[email protected]
jjm580 + 1 + 1 Һٝͬ
SCǹ + 1 + 1 Һٝͬ
Jioccer + 1 + 1 Ļ؏
zhangjunteng + 1 + 1 Ļ؏
explorer126 + 2 + 1 ĄDNܛȫߺęn
Ño@ʾ + 2 + 1 ĄDNܛȫߺęn
qq524350 + 1 x[email protected]
mda435 + 1 x[email protected]
GodIand + 1 + 1 Һٝͬ
㲻һ + 1 + 1 Ļ؏
Lugia + 1 + 1 x[email protected]
+ 1 + 1 ӑՓ@
cxfyg + 1 + 1 Ĥݴ??
KYO_2 + 1 Һٝͬ
padao + 1 + 1 ӑՓ@
һļ + 1 + 1 xlԭƷƽՓ
ZDavy + 1 + 1 x[email protected]
limpoamp + 1 + 1 x[email protected]
meino + 1 x[email protected]
15396991846 + 1 Һٝͬ
Īǧ + 1 + 1 x[email protected]
lynxtang + 1 + 1 x[email protected]
fandh88 + 1 Һٝͬ
Ldcsuki + 1 + 1 x[email protected]
С9527 + 1 + 1 Һٝͬ
wwh1004 + 3 + 1 ׿
jlzoe + 1 + 1 x[email protected]
sunbester + 1 + 1 xlԭƷƽՓ
ħҕX + 1 + 1 Ļ؏
lmjg520 + 1 + 1 ĄDNܛȫߺęn
habhab + 1 Һٝͬ
ԽԽ + 1 + 1 Сײ
HelloJavaScript + 1 + 1 Һٝͬ
ľ + 1 + 1 x[email protected]
ʯؿ + 1 + 1 Һٝͬ
xx666666 + 1 + 1 ӑՓ@
+ 1 + 1 Ļ؏
Ż + 1 + 1 gӭӑՓƽՓ
r + 1 + 1 xlԭƷƽՓ
gardenofida + 1 tql
517pojie + 1 + 1 Һٝͬ
`dashu + 1 + 1 Һٝͬ
ŬС + 1 + 1 Һٝͬ
qazqzz + 1 + 1 x[email protected]anks
gaosld + 1 + 1 x[email protected]
~h + 1 ӑՓ@
ҹ + 1 + 1 Ĥݴ
xiaobeis500c + 1 + 1
Ε + 1 Һٝͬ
W + 1 Һٝͬ
L庣{ + 1 + 1 Ļ؏
yixi + 1 + 1 x[email protected]
jiangfeng810814 + 1 Һٝͬ
Ǹ + 1 ӑՓ@
Liufei2019 + 1 Һٝͬ
ˮ° + 1 + 1 x[email protected]
AssassinQ + 1 + 1 x[email protected]
+ 1 + 1 Ļ؏
daniel7785 + 1 ӑՓ@
d^ëP + 1 + 1 Һٝͬ
fantion + 1 + 1 Һٝͬ
cnngtc + 3 + 1 ҕ
wujiakang + 1 + 1 Ĥݴ
meanwhile + 1 + 1 Һٝͬ
iBristlecone + 1 + 1 д
ffcc0077 + 1 Һٝͬ
_ + 2 + 1 Ĥݴ
yechen123 + 3 + 1 Һٝͬ
Dreace + 1 + 1 ӑՓ@
plasd + 1 + 1 x[email protected]
solly + 2 + 1 x[email protected]
CrazyNut + 3 + 1 ˁ Ĥݴ
oauth + 1 + 1 Һٝͬ
L + 1 + 1 Ĥݴ
maoyu + 1 + 1 Ļ؏
skywilling + 2 + 1 ӑՓ@
+ 1 + 1 Ĥݴ
LibertyCola + 1 + 1 Ļ؏
XhyEax + 3 + 1 x[email protected]
snowfox + 1 + 1 x[email protected]
lzc090 + 3 + 1 x[email protected]
ҹdzǡ + 2 + 1 ϸţ
kaoyange + 1 + 1 AndroidÅѽѽѽ
nws0507 + 1 + 1 tql
֪o + 1 xlԭƷƽՓ
996579747 + 1 + 1 Һٝͬ
Hmily + 200 + 1 xlԭƷƽՓ
wangyujie96 + 1 + 1 ̫
+ 2 x[email protected]
ǧ + 1 + 1
1006706246 + 1 + 1 Һٝͬ
wmsuper + 3 + 1 x[email protected]
wtujoxk + 2 + 1 Ĥݴ
+ 2 + 1 tql
qwe694698196 + 1 + 1 x[email protected]
JuncoJet + 1 Ĥݴқ]

鿴ȫu

lǰҪՓܕҪҵĴ𰸻ѽ˰l^ͬՈ؏Ͱl

؏

e

]
Hmily l 2020-2-10 13:10
ţ80cb_̫200
]
hlrlqy l 2020-2-10 03:31
˺ollvmĴ
@һtraceõČٌ@G
4#
ʷ l 2020-2-10 03:15
5#
һ l 2020-2-10 03:34
܏߀ě]^idatrace
6#
qwesyw2008 l 2020-2-10 05:36
Ǵnb
7#
fwmsuper l 2020-2-10 07:55
x
8#
l 2020-2-10 08:02
x
9#
l 2020-2-10 08:03
x
10#
jefel l 2020-2-10 08:17
^??
11#
kone153 l 2020-2-10 08:45
mȻ߀ǿWW

eҎt 棺Kֹˮ؏c}oP`P

ٻ؏ ղ б

RSSӆ|С|“ϵ҂|ŷƱ ( ICP16042023̖ | W 11010502030087̖ )

GMT+8, 2020-4-7 00:09

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

ٻ؏ ŷƱ б