Reverse Engineering
| Challenge | Link |
|---|---|
Read | |
Too Much | |
ezpz | |
CyberDark0x01: ShitComp | |
CyberDark_0x02: Installer | |
(Not) Easy | |
fire in the androiddd |
Read
Description
-
PoC
Given a pyc file then i just try to decompile it using uncompyle6.
The script looks obfuscated but it is still readable. There is one interesting function and here is the code
def lababa(lebula):
alalalalalalal = [
73, 13, 19, 88, 88, 2, 77, 26, 95, 85, 11, 23, 114, 2, 93, 54, 71, 67, 90, 8, 77, 26, 0, 3, 93, 68]
result = ''
for belu in range(len(alalalalalalal)):
if lebula[belu] != chr(alalalalalalal[belu] ^ ord(babababa[belu])):
return 'bbblalaabalaabbblala'
b2a = ''
a2b = [122, 86, 75, 75, 92, 90, 77, 24, 24, 24, 25, 106, 76, 91, 84, 80, 77, 25, 77, 81, 92, 25, 92, 87, 77, 80, 75, 92, 25, 74, 77, 75, 80, 87, 94, 25, 88, 74, 25, 95, 85, 88, 94]
for bbb in a2b:
b2a += chr(bbb ^ 57)
else:
return b2aIt seems like checking function and then return something whether the check function is true or false. So i try to reconstruct the code to showing the return value and checking value
def lababa():
alalalalalalal = [
73, 13, 19, 88, 88, 2, 77, 26, 95, 85, 11, 23, 114, 2, 93, 54, 71, 67, 90, 8, 77, 26, 0, 3, 93, 68]
result = ''
for belu in range(len(alalalalalalal)):
b2a = ''
a2b = [122, 86, 75, 75, 92, 90, 77, 24, 24, 24, 25, 106, 76, 91, 84, 80, 77, 25, 77, 81, 92, 25, 92, 87, 77, 80, 75, 92, 25, 74, 77, 75, 80, 87, 94, 25, 88, 74, 25, 95, 85, 88, 94]
for bbb in a2b:
b2a += chr(bbb ^ 57)
else:
return b2a
babababa = 'you-may-need-this-key-1337'
alalalalalalal = [73, 13, 19, 88, 88, 2, 77, 26, 95, 85, 11, 23, 114, 2, 93, 54, 71, 67, 90, 8, 77, 26, 0, 3, 93, 68]
flag = ""
for i in range(len(alalalalalalal)):
flag += chr(alalalalalalal[i]^ord(babababa[i]))
print("darkCON{"+flag+"}")Flag : darkCON{0bfu5c4710ns_v5_4n1m4710ns}
Too Much
Description
-
PoC
Given ELF 64-bit executable and then i try to decompile it using IDA
It has many function but all functions are identical. The difference is the variables and constant value. So we can get all value and generate the code then get the flag.
Get value using gdb scripting
#!/usr/bin/python3
static_val=[]
class SolverEquation(gdb.Command):
def __init__ (self):
super (SolverEquation, self).__init__ ("solve-equation",gdb.COMMAND_OBSCURE)
def invoke (self, arg, from_tty):
address_arr =['0x0000000000001189','0x00000000000011b4','0x00000000000011df','0x000000000000120a','0x0000000000001237','0x0000000000001262','0x000000000000128f','0x00000000000012bc','0x00000000000012e9','0x0000000000001314','0x000000000000133f','0x000000000000136a','0x0000000000001397','0x00000000000013c4','0x00000000000013ef','0x000000000000141a','0x0000000000001447','0x0000000000001472','0x000000000000149d','0x00000000000014c8','0x00000000000014f5','0x0000000000001522','0x000000000000154f','0x000000000000157c','0x00000000000015a7','0x00000000000015d4','0x00000000000015ff','0x000000000000162c','0x0000000000001659','0x0000000000001684','0x00000000000016b1','0x00000000000016de','0x000000000000170b','0x0000000000001736','0x0000000000001763','0x000000000000178e','0x00000000000017b9','0x00000000000017e6','0x0000000000001813','0x000000000000183e','0x0000000000001869','0x0000000000001896','0x00000000000018c1','0x00000000000018ec','0x0000000000001919','0x0000000000001946','0x0000000000001971','0x000000000000199c','0x00000000000019c9','0x00000000000019f6','0x0000000000001a21','0x0000000000001a4e','0x0000000000001a79','0x0000000000001aa4','0x0000000000001ad1','0x0000000000001afe','0x0000000000001b29','0x0000000000001b56','0x0000000000001b81','0x0000000000001bac','0x0000000000001bd9','0x0000000000001c06','0x0000000000001c33','0x0000000000001c60','0x0000000000001c8d','0x0000000000001cba','0x0000000000001ce7','0x0000000000001d14','0x0000000000001d41','0x0000000000001d6e','0x0000000000001d9b','0x0000000000001dc8','0x0000000000001df3','0x0000000000001e20','0x0000000000001e4b','0x0000000000001e78','0x0000000000001ea5','0x0000000000001ed2','0x0000000000001eff','0x0000000000001f2a','0x0000000000001f55','0x0000000000001f82','0x0000000000001fad','0x0000000000001fd8','0x0000000000002003','0x000000000000202e','0x0000000000002059','0x0000000000002084','0x00000000000020b1','0x00000000000020dc','0x0000000000002107','0x0000000000002132','0x000000000000215f','0x000000000000218a','0x00000000000021b5','0x00000000000021e2','0x000000000000220d','0x000000000000223a','0x0000000000002265','0x0000000000002290','0x00000000000022bb','0x00000000000022e6','0x0000000000002313','0x000000000000233e','0x0000000000002369','0x0000000000002394','0x00000000000023bf','0x00000000000023ec','0x0000000000002417','0x0000000000002442','0x000000000000246d','0x000000000000249a','0x00000000000024c5','0x00000000000024f2','0x000000000000251f','0x000000000000254a','0x0000000000002577','0x00000000000025a2','0x00000000000025cf','0x00000000000025fa','0x0000000000002627','0x0000000000002654','0x000000000000267f','0x00000000000026ac','0x00000000000026d7','0x0000000000002702','0x000000000000272f','0x000000000000275c','0x0000000000002787','0x00000000000027b4','0x00000000000027df','0x000000000000280a','0x0000000000002837','0x0000000000002864','0x000000000000288f','0x00000000000028bc','0x00000000000028e7','0x0000000000002914','0x0000000000002941','0x000000000000296c','0x0000000000002997','0x00000000000029c2','0x00000000000029ef','0x0000000000002a1c','0x0000000000002a47','0x0000000000002a72','0x0000000000002a9d','0x0000000000002aca','0x0000000000002af7','0x0000000000002b22','0x0000000000002b4d','0x0000000000002b7a','0x0000000000002ba7','0x0000000000002bd2','0x0000000000002bfd','0x0000000000002c28','0x0000000000002c53','0x0000000000002c7e','0x0000000000002ca9','0x0000000000002cd6','0x0000000000002d01','0x0000000000002d2c','0x0000000000002d59','0x0000000000002d84','0x0000000000002daf','0x0000000000002dda','0x0000000000002e05','0x0000000000002e30','0x0000000000002e5d','0x0000000000002e88','0x0000000000002eb3','0x0000000000002ede','0x0000000000002f0b','0x0000000000002f36','0x0000000000002f61','0x0000000000002f8e','0x0000000000002fb9','0x0000000000002fe4','0x0000000000003011','0x000000000000303e','0x000000000000306b','0x0000000000003098','0x00000000000030c3','0x00000000000030f0','0x000000000000311b','0x0000000000003148','0x0000000000003173','0x000000000000319e','0x00000000000031c9','0x00000000000031f6','0x0000000000003223','0x000000000000324e','0x000000000000327b','0x00000000000032a6','0x00000000000032d3','0x0000000000003300','0x000000000000332b','0x0000000000003358','0x0000000000003383','0x00000000000033ae']
global static_val
for i in address_arr:
tmp=gdb.execute('x/i '+hex(int(i,16)+35), to_string=True).strip().split(",")[1]
static_val.append(int(tmp,16))
print(static_val)
def addr2num(addr):
try:
return int(addr)&0xff # Python 3
except:
return long(addr) # Python 2
SolverEquation()Generate the comparison algorithm and get the value using z3
from z3 import *
a = [BitVec("x{}".format(i), 8) for i in range(200)]
arr=[70, 22, 39, 182, 52, 244, 228, 183, 67, 39, 51, 245, 151, 3, 87, 245, 39, 51, 67, 198, 198, 151, 245, 71, 134, 19, 230, 182, 19, 230, 147, 245, 71, 134, 67, 71, 245, 151, 3, 87, 245, 54, 67, 230, 245, 71, 39, 151, 245, 71, 134, 19, 83, 245, 214, 67, 230, 87, 67, 198, 198, 151, 243, 243, 243, 245, 244, 182, 245, 148, 245, 71, 134, 19, 230, 182, 245, 151, 3, 87, 245, 38, 51, 71, 71, 51, 39, 245, 87, 55, 51, 245, 55, 3, 214, 51, 245, 22, 87, 71, 3, 214, 67, 71, 51, 70, 245, 71, 3, 3, 198, 55, 245, 198, 19, 182, 51, 245, 67, 230, 147, 39, 245, 3, 39, 245, 165, 51, 245, 71, 3, 245, 214, 67, 182, 51, 245, 151, 3, 87, 39, 245, 198, 19, 102, 51, 245, 214, 87, 54, 134, 245, 86, 67, 55, 19, 51, 39, 226, 52, 3, 230, 118, 39, 67, 71, 55, 245, 102, 3, 39, 245, 55, 3, 198, 103, 19, 150, 230, 147, 245, 71, 134, 51, 245, 86, 67, 55, 151, 245, 54, 134, 67, 198, 198, 51, 230, 118, 51, 215]
s=Solver()
for i in range(200):
eval("s.add((16 * a["+str(i)+"]) + (a["+str(i)+"] >> 4) == "+str(arr[i])+")")
s.check()
model=s.model()
flag=""
for i in a:
flag+=chr(model[i].as_long())
print(flag)Flag : darkCON{4r3_y0u_r34lly_th1nk1n9_th4t_y0u_c4n_try_th15_m4nu4lly???_Ok_I_th1nk_y0u_b3tt3r_us3_s0m3_aut0m4t3d_t00ls_l1k3_4n9r_0r_Z3_t0_m4k3_y0ur_l1f3_much_e4s13r.C0ngr4ts_f0r_s0lv1in9_th3_e4sy_ch4ll3ng3}
ezpz
Description
-
PoC
Given apk file and then i try to decompile the apk.
Looking at MainActivity class we know that there is flag checking in YEET[0].equals(MainActivity.this.button.getText().toString()). So the idea is make the application showing flag instead of “Damn…500 times? are u kidding me” with patching the counter and change the string to be shown.
# Original ( MainActivity$1.smali )
const/16 v3, 0x1f4
# Patched ( MainActivity$1.smali )
const/16 v3, 0x0
# Original ( MainActivity$1.smali )
.line 50
:cond_1
iget-object v1, p0, Lcom/application/ezpz/MainActivity$1;->this$0:Lcom/application/ezpz/MainActivity;
invoke-virtual {v1}, Lcom/application/ezpz/MainActivity;->getApplicationContext()Landroid/content/Context;
move-result-object v1
const-string v3, "Damn...500 times? are u kidding me"
invoke-static {v1, v3, v2}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object v1
invoke-virtual {v1}, Landroid/widget/Toast;->show()V
goto :goto_0
# Patched ( MainActivity$1.smali )
.line 50
:cond_1
iget-object v1, p0, Lcom/application/ezpz/MainActivity$1;->this$0:Lcom/application/ezpz/MainActivity;
invoke-virtual {v1}, Lcom/application/ezpz/MainActivity;->getApplicationContext()Landroid/content/Context;
move-result-object v1
iget-object v3, p0, Lcom/application/ezpz/MainActivity$1;->val$YEET:[Ljava/lang/String;
aget-object v3, v3, v2
invoke-static {v1, v3, v2}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object v1
invoke-virtual {v1}, Landroid/widget/Toast;->show()V
goto :goto_0And then we will get the flag when click “CLICK ME” button
CyberDark0x01: ShitComp
Description
-
PoC
Given ELF 64-bit and then i try to decompile it using IDA
At first the program will compress our file ( as shown image above )
And then encrypted the compressed data. So the idea is decrypt the data by brute force the algorithm then uncompress the data by reversing the algorithm.
from Crypto.Util.number import bytes_to_long as b2l
f=open("Installer.shitty","r")
plain=f.read()
f.close()
v4 = "CyberDarkIsACoolGameAndIWannaPlayIt"
file = ""
for i in range(0,len(plain),3):
v8 = ord(v4[i%len(v4)])
v9 = v8
v11 = (v9>>4)&0xff
for j in range(0xff+1):
v10 = (j^v8)&0xf
tmp = v10 | 16 * ( v11 ^ ((j>>4)&0xff))
if(tmp==ord(plain[i])):
v8 = ord(v4[(i+2)%len(v4)])
v9 = v8
v11 = (v9>>4)&0xff
for k in range(0xff+1):
v10 = (k^v8)&0xf
tmp2 = v10 | 16 * ( v11 ^ ((k>>4)&0xff))
if(tmp2==ord(plain[i+2])):
v8 = ord(v4[(i+1)%len(v4)])
v9 = v8
v11 = (v9>>4)&0xff
for l in range(0xff+1):
v10 = (l^v8)&0xf
tmp3 = v10 | 16 * ( v11 ^ ((l>>4)&0xff))
if(tmp3==ord(plain[i+1])):
file+=chr(j)*b2l(chr(l)+chr(k))
break
break
break
file+="\x00"*15
f=open("original","wb")
f.write(file)
f.close()And then by running original ELF we will get the flag
CyberDark_0x02: Installer
Description
-
PoC
Now we need to work with the original ELF. So i try to decompile it using IDA
We can see there is function that the return value is compared by constant value and determine whether the result is correct key or wrong key.
At first the program check the input ( it must uppercase ) and store the input to variable ( except the “-” ).
After that it call function that generate values and our input will be the index of that value.
And the last is checking our input with comparison algorithm that using manipulation of index of array and array. So the idea is reversing the algorithm to generate the key then submit it to server. But i only got 8 correct key ( the other keys are incorrect because there is one character that are not uppercase ) . So for the 2 other keys i brute force one character and then got the correct uppercase character on that position and submit all keys.
( we can use tmp variable to store the index same as the original code in binary for simplicity )
from pwn import *
import string
list_char = list(map(ord,string.uppercase))
buf = [0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x1, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0, 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, 0x4, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x5, 0x9a, 0x7, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75, 0x9, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 0x53, 0xd1, 0x0, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf, 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x2, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2, 0xcd, 0xc, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0xb, 0xdb, 0xe0, 0x32, 0x3a, 0xa, 0x49, 0x6, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x8, 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x3, 0xf6, 0xe, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e, 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 0x8c, 0xa1, 0x89, 0xd, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0xf, 0xb0, 0x54, 0xbb, 0x16, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]
off_3560 = [0x2c8, 0x131, 0x185, 0x2ef, 0x2d1, 0x194, 0x2e3, 0x3e8, 0x3cc, 0x276, 0x22c, 0x295, 0x138, 0x21b, 0x252, 0x1b6, 0x263, 0x1f6, 0x3ee, 0x19d, 0x151, 0x379, 0x39a, 0x119, 0x1ef, 0x1ff, 0x2c3, 0x2af, 0x24a, 0x31d, 0x1b8, 0x33d, 0x1b7, 0x206, 0x235, 0x144, 0x396, 0x316, 0x3af, 0x1c2, 0x115, 0x308, 0x301, 0x239, 0x129, 0x1d3, 0x388, 0x3b3, 0x2ed, 0x245, 0x3fd, 0x261, 0x3a4, 0x2e1, 0x143, 0x3dd, 0x16b, 0x3a3, 0x1ac, 0x380, 0x1a5, 0x2cd, 0x2c8, 0x3a1, 0x2c3, 0x253, 0x300, 0x35c, 0x287, 0x2f8, 0x1f5, 0x2cb, 0x246, 0x236, 0x305, 0x231, 0x23e, 0x37e, 0x177, 0x2a6, 0x3c1, 0x3c0, 0x18f, 0x16f, 0x268, 0x2c4, 0x2f8, 0x390, 0x129, 0x14b, 0x1d3, 0x268, 0x310, 0x3e2, 0x167, 0x249, 0x211, 0x21e, 0x16c, 0x157, 0x21e, 0x25f, 0x38f, 0x21f, 0x1db, 0x2ce, 0x1fe, 0x2d8, 0x272, 0x160, 0x36c, 0x14e, 0x3bc, 0x2b1, 0x229, 0x3b4, 0x2c1, 0x358, 0x156, 0x109, 0x1ad, 0x3f6, 0x379, 0x386, 0x1b9, 0x2e8, 0x101, 0x32a, 0x38e, 0x318, 0x2a0, 0x132, 0x337, 0x306, 0x375, 0x160, 0x27f, 0x347, 0x204, 0x188, 0x362, 0x13e, 0x2b6, 0x3f5, 0x31b, 0x33a, 0x2a1, 0x130, 0x2b5, 0x33a, 0x14c, 0x1b4, 0x3a5, 0x1dc, 0x26b, 0x184, 0x159, 0x3fc, 0x12e, 0x2db, 0x27c, 0x38f, 0x1c3, 0x2b7, 0x21f, 0x1c1, 0x20b, 0x150, 0x134, 0x2b8, 0x116, 0x103, 0x3b8, 0x34c, 0x397, 0x369, 0x1b0, 0x18f, 0x133, 0x3d9, 0x176, 0x1fc, 0x322, 0x153, 0x37b, 0x285, 0x3fc, 0x329, 0x3b3, 0x289, 0x3aa, 0x14b, 0x114, 0x189, 0x182, 0x29f, 0x290, 0x239, 0x1ea, 0x276, 0x173, 0x176, 0x19a, 0x3c2, 0x368, 0x335, 0x3c2, 0x2de, 0x190, 0x14c, 0x372, 0x3df, 0x281, 0x1df, 0x226, 0x2fc, 0x126, 0x32b, 0x2bf, 0x27e, 0x1c1, 0x155, 0x355, 0x328, 0x225, 0x384, 0x394, 0x2b0, 0x3ef, 0x108, 0x399, 0x200, 0x1cd, 0x304, 0x2f6, 0x3a6, 0x302, 0x208, 0x267, 0x1d4, 0x271, 0x121, 0x2f0, 0x26f, 0x2f7, 0x2ed, 0x3cf, 0x224, 0x32c, 0x1f1, 0x1aa, 0x1f8, 0x166, 0x205, 0x3fa, 0x105, 0x2f6, 0x2e7, 0x191, 0x3ad, 0x3ae, 0x192, 0x2f4, 0x176, 0x2f5, 0x10e, 0x1f7, 0x3fe, 0x3fd, 0x251, 0x23c, 0x186, 0x2f, 0x295, 0x1f3, 0x281, 0x3cc, 0x2d5, 0x1ca, 0x132, 0x257, 0x36a, 0x313, 0x3c5, 0x176, 0x1f9, 0xd1, 0x19f, 0x32d, 0x20, 0x25e, 0x30e, 0x3b, 0x3eb, 0x287, 0x110, 0x304, 0x2f, 0x1e8, 0x52, 0x2c7, 0x3c4, 0x2c3, 0x83, 0x2e7, 0x162, 0x1b, 0x1ba, 0x359, 0x3c8, 0x16f, 0x3d2, 0x11e, 0x2f, 0x20d, 0x1a, 0x276, 0x140, 0x20, 0x3c7, 0x18b, 0x39c, 0x1b9, 0x255, 0x3cf, 0x329, 0x385, 0x53, 0x396, 0x294, 0x2cd, 0x252, 0x5b, 0x24a, 0x84, 0x353, 0x3ff, 0x333, 0x15c, 0x2d9, 0x21a, 0x27c, 0x1a, 0x16f, 0x187, 0x245, 0x1d7, 0xbe, 0x367, 0x203, 0x2e2, 0x16d, 0x1a3, 0x1ed, 0x2a9, 0x341, 0x32b, 0x2cd, 0x1f4, 0x34b, 0x1cf, 0xbe, 0x147, 0x1df, 0x157, 0x3c6, 0x216, 0x84, 0x196, 0xed, 0x3bf, 0x1b0, 0x3e5, 0x264, 0x1e1, 0x27a, 0x19a, 0x221, 0x222, 0x165, 0x1b, 0x12b, 0x3cc, 0x29a, 0x365, 0x260, 0xb3, 0x3fa, 0x20b, 0x2a3, 0x34c, 0x3a6, 0x12f, 0x236, 0x3f0, 0x1fc, 0x3be, 0x3c9, 0x25c, 0x163, 0x3da, 0x235, 0x0, 0x23e, 0x235, 0x2c0, 0x53, 0x1c7, 0x2e4, 0x250, 0xbe, 0x378, 0x1d6, 0x2a6, 0x258, 0x5b, 0x266, 0xed, 0x1af, 0x158, 0x16b, 0x33d, 0x2da, 0x25a, 0x229, 0x1c0, 0x304, 0x2cb, 0x3b6, 0x310, 0x175, 0xbe, 0x213, 0x1fa, 0x1be, 0x3fe, 0x27a, 0x15c, 0x0, 0x2bb, 0x3e9, 0x39b, 0xa0, 0x192, 0x350, 0x1ad, 0x22b, 0x1cd, 0x6a, 0x13e, 0x20a, 0x343, 0x3be, 0x3a0, 0x2b8, 0x6e, 0x331, 0x0, 0x39f, 0x251, 0x224, 0x30c, 0x37d, 0x28e, 0x1ba, 0x23e, 0x2d3, 0x1e3, 0x137, 0x1e6, 0x220, 0x3e3, 0x274, 0x3ff, 0x3ed, 0x278, 0x1e8, 0x120, 0x33a, 0x215, 0x1da, 0x274, 0x53, 0x288, 0x2aa, 0x2dd, 0x2a5, 0x225, 0xd1, 0x262, 0x2ec, 0x152, 0x392, 0x236, 0x3fe, 0x1bd, 0x145, 0x226, 0x2d6, 0x2fa, 0x0, 0x358, 0x2a2, 0x27c, 0x162, 0x1b2, 0x2f4, 0x15e, 0x214, 0x2cc, 0x2c, 0x2e4, 0x286, 0x3b3, 0x335, 0x316, 0xb2, 0x16a, 0x1d9, 0x34f, 0x6a, 0x35c, 0xed, 0x14, 0x307, 0xfc, 0x11e, 0x382, 0x36e, 0x4a, 0x194, 0x29, 0x388, 0x136, 0x13a, 0x3ad, 0x3d7, 0x29, 0x2fa, 0x18f, 0x2cb, 0x17a, 0x298, 0x141, 0x2bd, 0x105, 0x15c, 0x255, 0xe6, 0x22e, 0x3b, 0x1c9, 0x96, 0x39, 0x3ff, 0x182, 0x11d, 0x5b, 0x38d, 0xbe, 0x13b, 0x249, 0x3bd, 0x3d1, 0x3d, 0x297, 0x23a, 0x159, 0xec, 0x1a7, 0x1d3, 0x2b9, 0xd1, 0x1af, 0x20, 0x3db, 0xd9, 0x19e, 0x222, 0x2c1, 0x20, 0x310, 0x2c2, 0xb1, 0x15b, 0x3bd, 0xe3, 0x12f, 0x101, 0x3e, 0x218, 0xb6, 0x7a, 0x31a, 0x266, 0x9d, 0x202, 0x14f, 0xa7, 0xbe, 0x2b8, 0x3f5, 0x29, 0x2f1, 0x2e9, 0x260, 0x53, 0x2a6, 0x22e, 0x54, 0x84, 0x33b, 0x6e, 0x201, 0x84, 0x35f, 0x6e, 0x348, 0x3a4, 0xb6, 0xe3, 0x2b0, 0x190, 0x6e, 0x174, 0x222, 0x1c, 0xd7, 0x256, 0x309, 0x52, 0x3e0, 0x114, 0x288, 0x3ea, 0x241, 0x32b, 0x13f, 0x273, 0xa9, 0x20b, 0x88, 0x2a, 0xa0, 0x2c4, 0x335, 0x33b, 0xa, 0xe3, 0x39c, 0x230, 0x26b, 0x6e, 0x101, 0xb1, 0xc4, 0x285, 0xe1, 0x12, 0x101, 0x36d, 0x1b, 0x28c, 0x1d6, 0x241, 0x214, 0x340, 0x2ba, 0x39c, 0x18, 0xc0, 0x2db, 0x153, 0x3ef, 0x289, 0x3c7, 0xfc, 0x1f4, 0xbe, 0x182, 0x21c, 0x287, 0x266, 0x1d6, 0x1ad, 0x3d5, 0x9c, 0x6d, 0x3b, 0x156, 0x358, 0x322, 0x3d3, 0x3ac, 0x39a, 0x197, 0x29, 0x14e, 0x1f7, 0x2c, 0x370, 0x2ab, 0x1c6, 0x8b, 0x5c, 0x299, 0x143, 0x0, 0x3d1, 0xc1, 0x136, 0x1b, 0x233, 0xea, 0x206, 0x229, 0x8f, 0x240, 0x1b0, 0x79, 0x1aa, 0x28d, 0x260, 0x1af, 0x347, 0x143, 0x1be, 0x3a3, 0x1e2, 0x382, 0x64, 0x1ba, 0x310, 0x16a, 0x270, 0x29, 0x247, 0x330, 0x65, 0x221, 0xfc, 0x22f, 0xda, 0x29, 0x2ee, 0x2c0, 0x2b1, 0x10c, 0x269, 0xd5, 0xed, 0x32e, 0x34d, 0xcb, 0x202, 0x5c, 0xe6, 0x190, 0x2f1, 0x39c, 0x1d7, 0x1d1, 0xed, 0x17c, 0x3, 0x359, 0xda, 0x217, 0x1c5, 0x1c4, 0x241, 0x2e1, 0x368, 0x3d2, 0x33e, 0x3b0, 0x2ce, 0x17c, 0x371, 0x3af, 0xed, 0x3e8, 0x37, 0x63, 0x31a, 0x10d, 0x2ec, 0x52, 0x26c, 0x2c2, 0x199, 0x2a4, 0x38d, 0x18d, 0xcb, 0x1e2, 0x2a6, 0xff, 0x2a0, 0x244, 0x160, 0x298, 0x1e2, 0x2b9, 0x25b, 0x5a, 0x1a1, 0x326, 0xa3, 0x297, 0x26f, 0x1be, 0x3fe, 0xb0, 0x0, 0x121, 0x394, 0x5b, 0x19a, 0x299, 0xd1, 0x2df, 0x2f8, 0x13c, 0xa0, 0x3a2, 0x352, 0x53, 0x30c, 0x72, 0x1b, 0x334, 0x70, 0x263, 0x5c, 0x352, 0x378, 0x154, 0x20f, 0x20c, 0x1a, 0x139, 0x154, 0x360, 0x3c4, 0x3d0, 0xcf, 0x2f5, 0xd1, 0x22d, 0x3a4, 0xeb, 0x2bd, 0x223, 0x39c, 0x23e, 0xb1, 0x3d7, 0x2ef, 0x148, 0x5a, 0x313, 0xf5, 0x53, 0x350, 0x108, 0x1b9, 0x3a6, 0x9a, 0x34, 0x12a, 0x5a, 0x26f, 0x2df, 0x279, 0x2a9, 0x37d, 0x9f, 0x3f6, 0xfb, 0x20, 0x110, 0x1cc, 0x10d, 0x15a, 0xfc, 0x1b6, 0x3f7, 0xea, 0x9a, 0x36c, 0x21d, 0x1c8, 0x1a0, 0x3b6, 0x212, 0x84, 0x1c0, 0xa0, 0x267, 0x277, 0x2ff, 0x5a, 0x171, 0xe3, 0x2a4, 0x2a9, 0x56, 0xcf, 0x6a, 0x1d4, 0x1a, 0x124, 0xe1, 0x351, 0x1c3, 0x389, 0x303, 0x5a, 0x1c2, 0x32b, 0x22e, 0x2c9, 0x48, 0x5a, 0x3f4, 0x43, 0x6a, 0x31a, 0xb5, 0x3b, 0x375, 0x2a9, 0x3d1, 0x13c, 0x65, 0x201, 0x3a2, 0x1d7, 0x327, 0x8b, 0x22b, 0x2a7, 0x10b, 0x99, 0x218, 0x26c, 0x277, 0x11b, 0x24d, 0x342, 0xef, 0x10b, 0x14b, 0x3a3, 0x3fb, 0x143, 0x4c, 0x2c7, 0xed, 0x169, 0x3a9, 0xd6, 0x325, 0x3fd, 0x9c, 0x56, 0xb3, 0x33e, 0x133, 0x69, 0xf7, 0x1e6, 0x1fa, 0xfc, 0x1b, 0x15c, 0x84, 0x338, 0x57, 0xee, 0x39f, 0xbb, 0xd6, 0x244, 0x238, 0x15d, 0x52, 0x386, 0x26e, 0x119, 0x42, 0xfc, 0x38f, 0x1a5, 0x211, 0x3d, 0x1d3, 0x320, 0x11d, 0x2c, 0x219, 0x28a, 0xb3, 0x25a, 0x33, 0x22a, 0x282, 0x3fd, 0x6d, 0x11, 0xe, 0x3b, 0x257, 0x232, 0x341, 0x3d2, 0x238, 0x6a, 0x1bd, 0x188, 0x184, 0xb0, 0x152, 0x21c, 0xc4, 0x76, 0x1f0, 0x1c, 0x325, 0x1ff, 0x3ca, 0x3e7, 0x12c, 0x1ed, 0x12d, 0x113, 0x56, 0x1d4, 0x111, 0x1e0, 0xb7, 0xda, 0x396, 0x1b4, 0x33a, 0x28b, 0xf3, 0x2d2, 0x16e, 0x18b, 0x331, 0x4b, 0xc5, 0x135, 0x175, 0x271, 0xf4, 0x18e, 0x171, 0x165, 0x300, 0x61, 0x343, 0x14e, 0x71, 0x7c, 0x19a, 0x246, 0x29e, 0xac, 0x2f6, 0x53, 0x2c3, 0x2c4, 0x2da, 0x11c, 0xa6, 0x3e, 0x33e, 0x1df, 0x396, 0xa5, 0xcd, 0x125, 0x147, 0x344, 0x1f2, 0x40, 0x1d2, 0x218, 0x1c4, 0xdc, 0x3ac, 0x38, 0x1ac, 0x305, 0x17e, 0x14e, 0x2b1, 0x91, 0x1c6, 0x37b, 0xce, 0x2b3, 0x37f, 0x383, 0x245, 0x70, 0x25e, 0x1a7, 0x2c9, 0x3b5, 0x3d0, 0x26e, 0x1a2, 0x30f, 0x2da, 0x387, 0x216, 0x15, 0x26c, 0x113, 0xea, 0x3db, 0x146, 0x31, 0x280, 0x3e7, 0x151, 0x78, 0x27f, 0x270, 0x360, 0xd1, 0x255, 0x1b4, 0x12, 0xb0, 0xc, 0x85, 0x2d3, 0x17b, 0x394, 0x140, 0x1c5, 0x3f8, 0x34e, 0xc4, 0x29d, 0xfa, 0x147, 0x1a9, 0x210, 0x152, 0x1f, 0x3ca, 0x44, 0x3d8, 0x31, 0xf7, 0x67, 0x322, 0x373, 0x299, 0x395, 0x1cb, 0x3bd, 0xcc, 0x2d9, 0x8d, 0x2d3, 0x2b6, 0xbb, 0x2f1, 0x25f, 0xd7, 0x3d5, 0x252, 0x32c, 0x265, 0x2cc, 0x120, 0x1c, 0x31c, 0x21d, 0x385, 0x30, 0x57, 0x3b, 0x3b3, 0x1e0, 0xd1, 0x2f, 0x12f, 0x1b6, 0x3da, 0x29d, 0xd6, 0x3f5, 0x1b2, 0x206, 0x11d, 0x353, 0x3fe, 0x2b4, 0xc4, 0x1e7, 0x41, 0x177, 0xd9, 0x2e3, 0x38a, 0x293, 0x20c, 0x2ae, 0x3f6, 0x11d, 0x37a, 0xa7, 0x11b, 0x2b9, 0x1b4, 0xe5, 0x169, 0x328, 0x1e4, 0x313, 0x3f, 0x24d, 0xc2, 0x380, 0x14e, 0x117, 0x2d4, 0x1ff, 0x1a5, 0x6a, 0x10c, 0x304, 0x155, 0x3a3, 0x3da, 0x4d, 0x278, 0x197, 0x0, 0xc3, 0x386, 0x7b, 0x8c, 0x1de, 0x271, 0x3c1, 0x17d, 0x127, 0x1e5, 0xc9, 0x3cb, 0x1f1, 0x16f, 0xb1, 0x213, 0x3c3, 0x20d, 0x308, 0x343, 0x2dd, 0x15, 0x1b6, 0x27, 0x33e, 0x20b, 0x30f, 0xb7, 0x2ec, 0x15d, 0x3b6, 0x272, 0x8d, 0x83, 0x329, 0xb1, 0xcc, 0x26, 0x246, 0x393, 0x3ae, 0xc0, 0x35, 0x18f, 0x2a4, 0x133, 0x2a4, 0x149, 0x202, 0x10, 0x21e, 0x128, 0x375, 0x59, 0x30e, 0x2ff, 0x123, 0x1fb, 0x38b, 0x33a, 0x88, 0x3de, 0x3b5, 0x69, 0x154, 0x200, 0xf8, 0x299, 0x3de, 0x154, 0x3fe, 0x5a, 0x24c, 0x14f, 0x1b5, 0x121, 0x34c, 0x332, 0x18b, 0x1fc, 0x88, 0x2d6, 0x259, 0x307, 0x31f, 0x43, 0x3c9, 0x1df, 0x4e, 0x348, 0x147, 0x2ff, 0x1e1, 0xb, 0x24e, 0x2b2, 0x1b9, 0x119, 0x96, 0x26a, 0x215, 0x2c5, 0x17b, 0x396, 0x51, 0x294, 0x16c, 0x276, 0xca, 0x37a, 0x183, 0x1bf, 0x6f, 0x294, 0x2fe, 0x2f6, 0x17c, 0x39d, 0x1ab, 0x163, 0xfa, 0xcb, 0x3dc, 0x258, 0x2e1, 0x234, 0x33e, 0x4b, 0x3d3, 0x3e6, 0x1ae, 0x229, 0x3eb, 0x217, 0x27a, 0x55, 0x240, 0x17e, 0x5b, 0x159, 0x38e, 0xc1, 0xa7, 0xf3, 0x3a8, 0x119, 0x3f0, 0x7d, 0x176, 0x12e, 0x1a0, 0x385, 0x221, 0x1a8, 0x1ec, 0x2c1, 0x216, 0xa, 0x342, 0x3e1, 0x197, 0x398, 0x1c, 0x1d9, 0x34, 0x90, 0x2e2, 0xa8, 0xdd, 0x6e, 0x1ac, 0x18e, 0x0, 0x321, 0x298, 0x259, 0xb7, 0x3d0, 0x14f, 0x342, 0x39b, 0x131, 0x1a, 0x296, 0x3d3, 0x9, 0x24d, 0x4b, 0x1cd, 0x2c7, 0x3c6, 0x1b9, 0x177, 0x288, 0x153, 0x22, 0x1b7, 0x38a, 0x2ee, 0xb6, 0x2b3, 0x2f0, 0x308, 0x24e, 0x18e, 0x96, 0x131, 0x38e, 0xb7, 0x55, 0x1c8, 0x347, 0x14a, 0x30e, 0x333, 0x17d, 0xcf, 0x183, 0x22, 0x24c, 0x97, 0x189, 0x22f, 0x15e, 0x1fd, 0x323, 0x3e3, 0xc0, 0x256, 0x95, 0x323, 0x2b3, 0x8a, 0xd6, 0x22c, 0x271, 0x1f8, 0x205, 0x11a, 0x1a7, 0xba, 0x3fa, 0x1ac, 0x1c4, 0x37, 0x3bd, 0x1c6, 0x7e, 0x20, 0xdf, 0x177, 0x12b, 0x1be, 0x2fe, 0x32a, 0x1c3, 0x1b1, 0x1c9, 0x2c2, 0x334, 0x1c5, 0x34e, 0x17e, 0x1ff, 0x302, 0xfe, 0x1e7, 0x3de, 0xdb, 0x2d5, 0x157, 0xed, 0x375, 0x252, 0x75, 0x3ae, 0x15c, 0x3c0, 0x309, 0x1f2, 0x48, 0xdb, 0x10e, 0x283, 0x2c0, 0x15f, 0x302, 0x179, 0x160, 0x18f, 0x205, 0x180, 0x7b, 0x2f1, 0x202, 0x92, 0x315, 0x26c, 0x376, 0x3aa, 0x3a2, 0x202, 0x24e, 0x159, 0x58, 0x3c2, 0x1a1, 0xf8, 0x34e, 0x183, 0x1a9, 0x2c1, 0x2a0, 0x1bb, 0x131, 0x336, 0x376, 0x30a, 0x3b, 0x28b, 0x1eb, 0x243, 0x167, 0x10c, 0x12d, 0xd7, 0x1c7, 0x2ad, 0x3fe, 0x195, 0xd6, 0x182, 0x30d, 0x1ad, 0x3a2, 0x6e, 0x20c, 0x65, 0x318, 0x263, 0x1ca, 0x76, 0x35f, 0x70, 0x115, 0x30a, 0x3e5, 0x3a7, 0x23f, 0xde, 0x3b5, 0xe0, 0x3ad, 0xfc, 0x2ca, 0x295, 0x4e, 0x15b, 0x1d8, 0x4f, 0x33f, 0x16d, 0xb1, 0x6a, 0xcf, 0x18e, 0xa5, 0x68, 0x26b, 0xe0, 0xfc, 0x369, 0x8b, 0x23f, 0x20d, 0xf, 0x1, 0x59, 0x1d0, 0x16c, 0x21c, 0x124, 0x236, 0xa2, 0x186, 0x6a, 0x2b8, 0xd3, 0x2a, 0x18d, 0x16e, 0x8b, 0x328, 0x34b, 0x12b, 0x4b, 0x7d, 0x36b, 0x38e, 0x269, 0x204, 0x178, 0x1c7, 0x237, 0x1b0, 0x1a1, 0xa, 0x2f2, 0x141, 0x283, 0x266, 0x134, 0x29, 0x46, 0x252, 0x3e9, 0x374, 0x13e, 0x16a, 0x16f, 0x330, 0xe5, 0x356, 0xdd, 0x1fb, 0x18a, 0x397, 0xa2, 0x1ca, 0x269, 0xd9, 0x4e, 0x295, 0x362, 0x22b, 0x42, 0xbc, 0x2a, 0x2c9, 0x15c, 0x33c, 0xf6, 0x22f, 0x30c, 0xe5, 0x2d5, 0x12e, 0x2d3, 0x34c, 0xb, 0x26a, 0xda, 0x336, 0x154, 0x8d, 0x32f, 0x5a, 0x3f8, 0x6b, 0x2d7, 0xc6, 0x153, 0x1ab, 0x21b, 0x4e, 0x374, 0x131, 0x85, 0x191, 0x354, 0x306, 0x2d7, 0x21b, 0x1ba, 0x346, 0x35f, 0x257, 0x310, 0x44, 0x14b, 0x17f, 0x2b1, 0x30b, 0xd8, 0x346, 0x1e3, 0x8c, 0x250, 0x353, 0x11d, 0x376, 0x3be, 0x22a, 0x1ef, 0x184, 0x22b, 0x311, 0x294, 0x397, 0x73, 0xba, 0x2ef, 0x19e, 0x3d8, 0x1bb, 0x3dd, 0xbd, 0x1e8, 0xa9, 0x94, 0x18e, 0x245, 0x2d1, 0x3b0, 0xb1, 0x1ae, 0x2f7, 0x33b, 0x277, 0x3e7, 0x26b, 0x1f8, 0x335, 0x261, 0x35f, 0x19b, 0x2f3, 0x3a4, 0x11c, 0x3ff, 0x1ca, 0x2b3, 0x3c4, 0x3d2, 0x3b2, 0x162, 0xa9, 0x51, 0x41, 0x75, 0x3ac, 0x13, 0xc1, 0x3d1, 0xe3, 0x217, 0x120, 0x56, 0x1d5, 0x3b5, 0x1a1, 0x377, 0x305, 0x1e7, 0x308, 0x97, 0x112, 0x119, 0x15b, 0x365, 0x219, 0x155, 0x277, 0x314, 0x177, 0x338, 0x221, 0x56, 0x196, 0x15e, 0x12c, 0x303, 0xcd, 0x369, 0x274, 0x22d, 0x2d2, 0x315, 0x28f, 0x2f8, 0x1de, 0x218, 0x2a5, 0xb3, 0x35a, 0x325, 0x11a, 0x26c, 0x166, 0x90, 0x227, 0x3f9, 0xc0, 0x13a, 0x119, 0x2b1, 0x179, 0x22c, 0x29, 0x103, 0x37e, 0x163, 0x3d5, 0x263, 0x53, 0xcb, 0x85, 0x17, 0x295, 0x49, 0x270, 0xf0, 0x32f, 0x23c, 0x62, 0x1fc, 0xca, 0x2a4, 0x315, 0x23e, 0x3d8, 0x37b, 0x200, 0x3f8, 0x213, 0x2cf, 0x352, 0x3f5, 0x22b, 0x39, 0x16, 0x16c, 0x3af, 0xb6, 0x1a5, 0x2aa, 0x38b, 0x12c, 0x2e4, 0x3b, 0x25, 0x3e6, 0x309, 0x119, 0x3fc, 0x2cb, 0x238, 0xbc, 0xd9, 0x2c3, 0x260, 0x142, 0x2b0, 0x23c, 0x12d, 0x3a8, 0x109, 0x4a, 0x22d, 0x212, 0x14c, 0x346, 0x276, 0xf8, 0x205, 0x3e5, 0x185, 0x1f3, 0x36e, 0x93, 0x3e7, 0xdf, 0x33b, 0x2e2, 0x2df, 0x90, 0x2d3, 0x3c, 0x3bd, 0xed, 0x168, 0x370, 0x1aa, 0x9d, 0x183, 0x367, 0x135, 0x9a, 0x178, 0x3a9, 0x179, 0x3fc, 0x211, 0x259, 0x151, 0x73, 0x351, 0x3b1, 0x2bc, 0x308, 0x36c, 0x343, 0x43, 0x3d2, 0xc5, 0x2b9, 0x10d, 0xca, 0x86, 0x1d4, 0x357, 0x356, 0x365, 0x117, 0x1a2, 0x1b3, 0x114, 0x291, 0x14e, 0x199, 0x184, 0x2a8, 0x333, 0x373, 0x140, 0x247, 0x9d, 0x3b, 0x1d2, 0x86, 0x2b8, 0x3b3, 0x271, 0x312, 0x19d, 0x170, 0x2dc, 0x369, 0x39c, 0xb0, 0x3b1, 0x2d, 0x2ce, 0x3b, 0x150, 0x3b8, 0x3ff, 0x314, 0x35b, 0x40, 0x164, 0x2f1, 0x1e0, 0x8f, 0x396, 0x138, 0x2a0, 0xe8, 0x53, 0x39e, 0x173, 0x2e0, 0xa6, 0x3e6, 0xc6, 0x286, 0xf, 0x95, 0xad, 0x10c, 0x115, 0x115, 0x3ea, 0x57, 0x2b6, 0xbb, 0x246, 0x2fa, 0x282, 0x24a, 0x36, 0x4f, 0x115, 0x121, 0x322, 0xff, 0x20d, 0x373, 0xf3, 0x98, 0x101, 0x148, 0x19e, 0xa2, 0x34d, 0x264, 0x30b, 0x1d5, 0x383, 0x389, 0x18c, 0x115, 0x2a4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]
key=[]
for v4 in range(len(off_3560)):
try:
key.append(chr(buf.index(off_3560.index(v4)))+chr(buf.index(off_3560[v4]))+chr(buf.index(off_3560[off_3560[v4+1]]))+chr(buf.index(off_3560[off_3560[off_3560[v4+1]+1]]))+"-"+chr(buf.index(off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]+1]]))+"-"+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]+1]+1]+1]+1]]))+chr(buf.index(off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[off_3560[v4+1]+1]+1]+1]+1]+1]+1]+1]+1]+1]])))
except Exception as e:
continue
key[2]=key[2].replace("5","Q")
key[6]=key[6].replace("\xfd","W")
del key[8]
r=remote("65.1.92.179",49156)
for i in range(len(key)):
r.recvuntil("key:")
r.sendline(key[i])
print(r.recvline())
r.interactive()(Not) Easy
Description
-
PoC
Given PE file and then i try to open it using IDA
Looking at encryption function it seems like modified xxtea encryption so the idea is reconstruct decrypt function by reversing the encryption algorithm.
import struct
import string
key = [0x34, 0x65, 0x33, 0x30, 0x33, 0x37, 0x35, 0x38, 0x37, 0x38, 0x33, 0x37, 0x33, 0x33, 0x33, 0x34]
key = struct.unpack('<4I', bytes(key))
enc = [
0xef, 0xd0, 0x58, 0x66, 0xa2, 0x12, 0x23, 0x7a, 0x3a, 0x8b, 0x31, 0x66, 0x56, 0x40, 0x79, 0x4e, 0xff, 0x12, 0x6b, 0xa0, 0x29, 0xa0, 0xc5, 0x16, 0x47, 0x80, 0xb5, 0xa1,
0xb8, 0x87, 0xaf, 0x92, 0xb2, 0x39, 0xeb, 0x85, 0xd8, 0x3d, 0x10, 0x09, 0xf7, 0x0f, 0x80, 0x69, 0x77, 0x60, 0xd7, 0x2d, 0x24, 0x49, 0xb3, 0xc9, 0xec, 0x23, 0xcb, 0xdc,
0xa6, 0x94, 0x05, 0x49, 0xca, 0xdd, 0x1d, 0xab, 0x5b, 0x36, 0x63, 0xf6, 0x57, 0xe5, 0x42, 0x43, 0x34, 0xdd, 0xd4, 0x56, 0x36, 0xbe, 0x88, 0xdd, 0x3c, 0xdf, 0x1d, 0x2a
]
enc = [(bytes(enc[i:i+12])) for i in range(0,len(enc),12)]
flag = b""
for block in enc:
count = len(block) // 4
data = list(struct.unpack(f'<{count}I', block))
loop = 0x34 // len(data) + 6
t = 2604932717
for i in range(loop-1,-1,-1):
tmp = (t >> 2) & 3
for j in range(len(data)-1, -1, -1):
prev = data[(j - 1) % len(data)]
next = data[(j + 1) % len(data)]
data[j] -= (((prev >> 5) ^^ (next << 2)) + ((prev << 4) ^^ (next >> 3))) ^^ ((key[(j & 3) ^^ tmp] ^^ prev) + (t ^^ next))
data[j] = data[j] % 2**32
x = int(str(factorial(0x800 + 10*i*i))[:10])
t = (t - x) % 2^32
flag += struct.pack(f'<{len(data)}I', *data)
flag=flag.decode()
result=""
for i in flag:
if(i in string.printable[:-6]):
result+=i
print(result)Flag : darkCON{4_L177l3_crYp70_4_d4y_m4K3S_R3v3rS3s_g0_4W4Y}
fire in the androiddd
Description
-
PoC
Given apk file and then i try to decompile it.
Looking at MainActivity that we need internet connection to run this application and there are a method called from data_receiver class.
From getData method we know that class member ( data ) will store encrypted flag from firebase storage. data_receiver.data will be used in magic function which is called by doInBackground function from nested class ( loader class in MyReceiver class )
Magic method is called from native library so we need to decompile that library to know what is magic method do
From the code above we know that our input xored with looper(i) and compared with v4 which is encrypted_flag . Here is what looper function do
So the idea is getting the encrypted_flag using frida then run looper function and xor it with encrypted_flag and get the flag. Here is frida script that i used
Java.perform(function dump() {
function sleep (time) {
return new Promise((resolve) => setTimeout(resolve, time));
}
var api_key_class = Java.use("com.application.darkcon.data_receiver");
var api_key_instance = api_key_class.$new();
console.log("[+] instance created: " + api_key_instance);
console.log("[+] function called : " + api_key_instance.getData());
sleep(5000).then(() => {
console.log("[+] data value: " + api_key_instance.data.value);
});
});After that implemented the looper function
def looper(n):
if (n == 0 or n == 1):
return 1
v2 = [0 for i in range(n + 1)]
v2[0] = 1
v2[1] = 1
for i in range(2, n + 1):
v2[i] = 0
for j in range(i):
v2[i] = v2[i] + v2[j] * v2[i-j-1]
return v2[n]%2**32
enc = [101,96,112,110,77,101,202,470,1506,4758,16815,58877,208123,742855,2674489,9694735,35357570,129644713,477638735,1767263206,2269153033,2991430638,1288250377,3757197244,1413958429,43422424,2072914473,2325361044,2600037558,3008195127,3276256895,4169229947,300814809,3929270464,2526730686,2527522239,645964816,1351610749,573153031,1347646066,1945953402,3824419424,480774039,2833665279,2366904092,2809807660,3295802436,3644429150,720643560,906311378,992169127,1211139059,1465960990,4269303883,3179939394,4095898594,580984841,3596758568,1063564231,3288906933]
flag = ""
for i, j in enumerate(enc):
flag+=chr(j ^ looper(i))
print(flag)Flag : darkCON{th3_w31rd_c0mb1nat10n_of_fr1da_4nd_c4t4l4n_ov3rf10w}
Last updated
