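DASCTF Second-Half Contest: Reverse

Reverse-engineering challenges from the DASCTF 2025 second-half contest. I've been busy reviewing for exams for a while, so I didn't update in time~~

androidfff

Opening the APK in jadx first shows that MainActivity is empty; AndroidManifest then reveals that it is a Flutter app, so blutter is used to recover it.

blutter installation guide: https://www.cnblogs.com/hansa/p/18337467

First unpack with blutter to get the symbol table and related output, then open libapp.so in IDA and import the symbols.

Searching for "flag" directly finds the corresponding function; this is where the ciphertext is.

Finding the main encryption logic is still a bit troublesome, though; here I looked at how other people solved it.

The logic can be located through the unpacked pp.txt; the address is 0x29cb18.

This is the XOR encryption logic. First the *2: *2 is equivalent to a left shift by 1, so decryption is a right shift by 1 followed by XOR with 0x32.

Decryption script: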

cipher = [0xEC,0xE6,0xC2,0xE2,0xCC,0xE8,0x92,0xA8,0xBC,0x8E,0x8C,0x8C,0xAE,0x80,0xDA,0xB6,0x82,0xDA,0x82,0xBA,0xDA,0xAE,0xA6,0x82,0x96,0x9E]

plain = []
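for c in cipher:
    # The left shift by 1 means every ciphertext byte must be even
    if c & 1:
        print("Error: odd byte!")
    else:
        # Undo the shift, then undo the XOR with 0x32
        p = (c >> 1) ^ 0x32
        plain.append(p)

print("Decrypted:", bytes(plain))

# DASCTF{flutter_is_so_easy}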

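ezmac

This is the verification part, which outputs right/wrong.

Next, look at the caller one level up, in the assembly. This is the argument-passing step: the argument passed is 0x57, which is in fact the XOR encryption key.

byte_100004022 is the ciphertext.

This is the XOR encryption part.

Decryption script: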

data = [0x7D, 0x7B, 0x68, 0x7F, 0x69, 0x78, 0x44, 0x78, 0x72, 0x21,
        0x74, 0x76, 0x75, 0x22, 0x26, 0x7B, 0x7C, 0x7E, 0x78, 0x7A, 0x2E, 0x2D,
        0x7F, 0x2D]
res = []
for i, b in enumerate(data):
    # Rolling single-byte XOR key: the key for byte i is 57 + i
    key = 57 + i
    orig = b ^ key
    res.append(orig)
print(''.join(chr(x) for x in res))
# DASCTF{83c720da35436cc0}

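androidfile

Looking directly at MainActivity, all the plaintext strings have been encrypted, but that doesn't matter much.

Encryption process: the flag is first encrypted with AES-CBC (the key and IV are both pseudo-random) and then Base64-encoded; next comes RSA public-key encryption, followed by another Base64 encoding; finally there is a check in the native layer.

That makes decryption clear. Start with the .so file: the native-layer encryption is RC4 + Base64, and the RC4 key is REVERSE.

The ciphertext and other data provided by the challenge: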

EvB2udc3ofALSbCxeH5j4O2QZjfyZ151Nj3tOBVpt+99XXudbbzYknID0CxFcVO5+Vf16SjxzVbCuOizTIm3TVXXprsM1IlyjzJnTIUc8s4cFIX+clb1zN5PqUm11Z9LDlUMGYu+fa0fZqB5o7EMXWJvl+uKOsk/K3zzrnU0Rdpn/Ylm0ZBBDqpaNDYeXkGM52Uj6NxOhRRMaW2VcH/u4rNg7y7/X6OKa68G2TstGohwelnKpzgp4eFBNxn2
<-encryptinput->
UBUSWb+1P3Z/aokV67e5xQ7eaHoEj3JAeC0XA1RckTWdWZYCB/+D7qC3Hao74goX



Recovered RSA public and private keys
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ3AfAR+HoKn8iQaFT8xjSLkJf+uHuX5 dSH/gsLSAlqIkVeADHx7okRAfl5U2sCe0A/2SY9sDurGOLHTYcmHAuECAwEAAQ==
-----END PUBLIC KEY-----

-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAncB8BH4egqfyJBoVPzGNIuQl/64e5fl1If+CwtICWoiRV4AMfHuiREB+XlTawJ7QD/ZJj2wO6sY4sdNh yYcC4QIDAQABAkEAh81Gdg+kcFHoD9AsbkRX/atuUtcwXkYL4gK2LMThpdEFHIO7 Scr+SYfwqmm/LMtkbojEGEnNoIfmoLvGfhXaAQIhANDWo8OSMSQFnvh129cFiVfY KlS4ec24ixvFD8fUD4SRAiEAwWBuZ3kox1n21AsTAxom+E3z5KUUOSUjPXvG6tZB gVECIDOP2y0tSi6/qIll6BqFxmxG9eSnC4PMfaQkmonXBOHRAiBmJUPsUGmj8/eX xknCp7vSCYs9SZ3HGcDlp05Jmed8IQIhAJnE1PNe9lC5OazgRYhSG6bGCTbfFHT6 OuwCVIxRSx4P
-----END PRIVATE KEY-----

Extract the first ciphertext segment and decrypt it:

enkey_QMz2qirA80LJiOs30Efl00JsrIv+ZdrM9iB74P/nCWOrzEemEOaq2lN1/V5/rOAoTgBanJO/Acpo
okhVIOVdsA==
eniv_hKH/M/v8zwVICeWlc652BZk2eA/c2g0cLpBwvWBVlphiwBBasdn9HPWk7sb/IaRh8eppZrToUwz6
f1eomFJkEQ=

This is the key and IV that come out; the next step is to decrypt them with RSA.
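
The native layer described above (Base64, then RC4 with the key REVERSE), undone in plain Python. This is an added example, not code from the original write-up: the `enkey_`/`eniv_` layout is taken from the output shown above, the helper names are hypothetical, and the sample blob is constructed rather than the challenge data.

```python
import base64

NATIVE_KEY = b"REVERSE"  # RC4 key named in the write-up


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # keystream generation (PRGA), XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def undo_native_layer(blob_b64: str) -> dict:
    """Base64-decode, RC4-decrypt, then collect the enkey_/eniv_ fields.

    The values are themselves Base64 wrapped over several lines, so
    continuation lines are appended to the field that precedes them.
    """
    text = rc4(NATIVE_KEY, base64.b64decode(blob_b64)).decode("ascii")
    fields, current = {}, None
    for line in text.splitlines():
        for tag in ("enkey_", "eniv_"):
            if line.startswith(tag):
                current, line = tag[:-1], line[len(tag):]
                fields[current] = ""
        if current is None:
            raise ValueError("data before the first enkey_/eniv_ tag")
        fields[current] += line.strip()
    return fields


# Constructed sample (not the challenge data): same layout, wrapped values.
SAMPLE_TEXT = b"enkey_QUJD\nRUY=\neniv_R0hJ\nSg=="
SAMPLE_BLOB = base64.b64encode(rc4(NATIVE_KEY, SAMPLE_TEXT)).decode()

if __name__ == "__main__":
    print(undo_native_layer(SAMPLE_BLOB))
```

Each recovered field is still Base64 text of an RSA ciphertext, which is why the RSA step comes next.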

key: ElmGJYfKbc2gJh0G

iv: JZ4tQgwSm3ZZIELJ

The last step is AES decryption:

DASCTF{android_encrypto_file_and_plains}

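login

On the server side, an account is received and then verified; byte_C1A0 is the ciphertext it is compared against, and it is RSA ciphertext.

There is also an RC4 encryption.

sub_73B2 decrypts with the RSA private key.

On the client side, obtain the RSA factors (P, Q), rebuild the private key, and decrypt byte_C1A0 and byte_C0A to get the key and IV.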
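
How the private key follows from the factors mentioned above: once P and Q are known, d and the CRT components are fully determined, so factors shipped in a client are equivalent to shipping the private key. This is an added example, not the write-up's code; the primes are small constructed values (two Mersenne primes), not the challenge's factors, and it uses raw RSA without the OAEP padding that the decryption script applies.

```python
from math import gcd


def rebuild_private_key(p: int, q: int, e: int = 0x10001) -> dict:
    """Derive every private-key component from the two prime factors."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return {
        "n": p * q, "e": e, "d": d, "p": p, "q": q,
        "dp": d % (p - 1),      # CRT exponents
        "dq": d % (q - 1),
        "qinv": pow(q, -1, p),  # q^-1 mod p
    }


def decrypt_crt(key: dict, c: int) -> int:
    """Raw RSA decryption via the Chinese Remainder Theorem (Garner)."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


# Constructed factors (not the challenge's P and Q): two Mersenne primes.
P, Q = 2**61 - 1, 2**89 - 1
KEY = rebuild_private_key(P, Q)

if __name__ == "__main__":
    m = int.from_bytes(b"constructed", "big")
    c = pow(m, KEY["e"], KEY["n"])
    assert decrypt_crt(KEY, c) == pow(c, KEY["d"], KEY["n"]) == m
    print("recovered:", decrypt_crt(KEY, c).to_bytes(11, "big"))
```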

The functions sub_49DD and sub_4125 are both AES-CBC encryption.

Decryption script:

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP
import binascii

# RSA Parameters (Hex strings from analysis)
n_hex = (
"9a49428cadd84b7a81cb80f916e645a6a9dd23c2fe679f93af6a77eff0f0bb13"
"09b77fb7861275f07ab41e98ae5c2ecf933f27d47b9ce0a55a3e06569cacbb4"
"c9183f8ee9a47f2cfbb3a5965c9326f45d2d608cfeabea1a1879eae95b70224"
"d2e7736b9bc4109756f55a3f70f11a9b9c6564fb6456d329c336fbb59859db5"
"fde1f2338294e863c4f05b4a89e6c3b761d52a2081a0af0a320fde831daa74"
"1fad77aa7ef2dd30b3e33d1a6e7b44ed44ef40de4557a4fd65b63db63d105386bb"
"d81071739ec3d0fe44b6a0952a2b065bededfecea6e22229fea32adfc9a6e2cc"
"fdf5da437a56ad41d7ef08c2c4635d3a0218aab2a5ed6e9dd42d684bc918efe24d3"
)

e_hex = "10001"

d_hex = (
"28c7df24a5798679db2a44979275f5f3179db180d91335702942fb1b70e985de"
"825da90f2eb65d20ddf8be1d9d4e15bc1d84e95795ff8c0c28ce3c33fde054f6"
"e82a4f4cc22597b350c9c62ccc0188bd4152a701a3601558f22aa9fae8b9fdac"
"6c2bc09b1637f71e0511805e04b203c4fdb2b36ad232fe819b06ed4e57c74f39"
"fd9b72623c16ff2100f148f622bf12876260c4859672360dc0da3da6b45c5c8c"
"6215ccda072765840c213fba11a91d6bf598a8a8065797566c8950a34ea0a072"
"a9ed0c38bdc58662f186ec578ca55d5098443fd566cc722ace9c4e89afc4e302"
"c8a4870e11a003b935f4a102695bfd64bb0fa74dcc372682e2b24ff45a1a69"
)

c_account_hex = (
"1638e0eb936140b5527033292cbefcd73b55cfc7fb79df51ae3768a0dd9c84ae"
"4580e47a5133b425f4c93eac97e4b1aa0b4cd30589d004f6d0d19fcbc709e86c"
"c2996b433d29f650b69987a466f05bef7f69945860dcc44742a511f3621385c8"
"9fbd4d73153615789634b25cfc3151a4115bc30c96979e5f965290f36a863e33"
"78b5cfc9ba31438c4bae22b23ef815edf7cf1771803bd392a5072b468900b75f"
"5a4377d1daf3d6f7b7b6850d1a4a4134f2f65840efaa9b83d31083051df0fc80"
"a786529159484f62bbb9524f68285f48c7ab8e03bdfeca1a6025aaed9f9728b3"
"90689c0c963920c728eb5695fcb9413f9f4e06d3b93db40e26d6275c84e6126a"
)

c_key_hex = (
"373a2a27b38fd778c716728ebb95be89a0a057109119a08d5ce49261ebb0e077"
"6d254a40c4d21bd2463e61608771de401eed13ac6660d996bea8c8b82bdd0eaf"
"56c38466776eba31f7b2219230b654a77ec0af395a01c31c139a4f6b7b8ba845"
"192096165dd7acd0331e79dbe434ed8c9a66581d26f69e5faa295f66010076b9"
"1a6dd61db7abd325f8bd25d928debcc02e5555ff81f7ae3e548e3e4659a37f5d"
"3d3c39fbcad1b583e42fb04fa328ebb77e7841f45b711e77ee23e11989db2c0e"
"06b8191a456d56bd1a7d42c47fdfdf1179228b57c6efca9b9b6a7d22682e5b67"
"c7c46a877fb677f5f317b4823fcdc812f0362be27c0f5453037148ed30127b26"
)

c_account = binascii.unhexlify(c_account_hex[:512])
c_key = binascii.unhexlify(c_key_hex[:512])

print(f"N length: {len(binascii.unhexlify(n_hex))}")
print(f"Account length: {len(c_account)}")
print(f"Key length: {len(c_key)}")

n = int(n_hex, 16)
e = int(e_hex, 16)
d = int(d_hex, 16)

key = RSA.construct((n, e, d))
cipher = PKCS1_OAEP.new(key)

try:
    m_account = cipher.decrypt(c_account)
    print(f"Account: {m_account}")
except Exception as err:  # named err so the exponent e is not shadowed
    print(f"Account Decrypt Error: {err}")

try:
    m_key = cipher.decrypt(c_key)
    print(f"Key: {m_key}")
except Exception as err:
    print(f"Key Decrypt Error: {err}")

iv: aassddffgghhjjll
Key: qqwweerrttyyuuii

AES decryption:

from Crypto.Cipher import AES
key = b'qqwweerrttyyuuii'
iv = b'aassddffgghhjjll'
enc = bytes([
    0xAD, 0xD1, 0xD1, 0x19, 0x60, 0xC2, 0x2D, 0x91, 0x66, 0xDA,
    0xC3, 0xC2, 0x67, 0x25, 0xC8, 0x19, 0x09, 0x17, 0x6B, 0x23,
    0x8E, 0x30, 0x03, 0xAA, 0x57, 0xAA, 0xCB, 0xA0, 0xA2, 0x26,
    0xB7, 0xC3, 0x1C, 0x22, 0x0B, 0x8D, 0x20, 0x9C, 0xB4, 0x95,
    0xB5, 0x5D, 0xB4, 0xE2, 0x7D, 0x4E, 0x43, 0x8E
])
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted = cipher.decrypt(enc)  # padding bytes are not stripped here
print(decrypted.decode('utf-8', errors='ignore'))
# DASCTF{dqmaxfwkm921kr21m;df1m1dqmlk1d12d1}

https://j1nxem-o.github.io/2025/12/13/DASCTF下半年赛-reverse/
Author: J1NXEM
Published: December 13, 2025
Updated: December 13, 2025