solve 함수를 보면 대충 아래와 같은 형태이다.
위와 같은 형태로 인풋으로 들어온 입력값 배열을 m0~m7의 함수를 통해 검증한다. 이 때 검증이 이루어지는 함수 구조를 보면 첫번째 인자는 인풋이고 두번째 인자와 같은 경우 scramble,getSecretNumber 함수의 반환 값이 들어간다. 위 코드 구조상 두번째 인자 값이 고정되어 있으면 간단히 브포를 통해 각 자리수를 구할 수 있는 상황이었다.
/**
 * Derives a 256-entry table from this app's own signing certificate and returns entry i.
 *
 * The certificate is read from packageInfo.signatures[0] of the running package. For
 * each i2 in 0..7 the DER-encoded certificate is copied, byte i2 is overwritten with 33
 * ('!'), and the SHA-256 digest (32 bytes) of that copy fills table slots
 * i2*32 .. i2*32+31. Because the table is a function of the signing certificate, an APK
 * re-signed with a different key yields different values (an anti-repackaging check).
 * It does not bind the value to the caller, though: any code executing inside the
 * genuine process obtains the genuine table, which is what the Frida scripts in this
 * writeup rely on.
 *
 * This listing is decompiler output: the trailing catch clauses are not valid Java and
 * some details (notably the sign handling in the inner loop) may not match the bytecode.
 *
 * @param i table index; expected in 0..255 (there is no range check, so other values
 *          reach the array access and throw)
 * @return the table entry for i; the error paths below never actually return 0 because
 *         they divide by zero first (looks like a deliberate crash — confirm against bytecode)
 */
public static int getSecretNumber(int i) {
PackageInfo packageInfo;
CertificateFactory instance;
X509Certificate x509Certificate;
try {
// 64 == PackageManager.GET_SIGNATURES: request the signing certificate(s) of this package.
packageInfo = cc.getPackageManager().getPackageInfo(cc.getPackageName(), 64);
} catch (NameNotFoundException e) {
e.printStackTrace();
packageInfo = null;
}
// Only the first signer is considered. If the lookup above failed, packageInfo is null
// and this line throws NullPointerException.
InputStream byteArrayInputStream = new ByteArrayInputStream(packageInfo.signatures[0].toByteArray());
try {
instance = CertificateFactory.getInstance("X509");
} catch (CertificateException e2) {
e2.printStackTrace();
instance = null;
}
try {
x509Certificate = (X509Certificate) instance.generateCertificate(byteArrayInputStream);
} catch (CertificateException e22) {
e22.printStackTrace();
x509Certificate = null;
}
try {
// JCA standard name is "SHA-256"; "SHA256" relies on a provider alias (it evidently
// resolves on the author's device).
MessageDigest instance2 = MessageDigest.getInstance("SHA256");
// 8 digests x 32 bytes = 256 entries.
int[] iArr = new int[256];
for (int i2 = 0; i2 < 8; i2++) {
// Presumably getEncoded() returns a fresh copy each round, so only byte i2 differs
// from the original certificate bytes here — confirm against the implementation.
byte[] encoded = x509Certificate.getEncoded();
encoded[i2] = (byte) 33;
encoded = instance2.digest(encoded);
for (int i3 = 0; i3 < encoded.length; i3++) {
byte b = encoded[i3];
// As decompiled this is a no-op: b is a byte, so b += 256 narrows straight back to
// the same value and negative bytes stay negative when widened into iArr below.
// NOTE(review): likely a decompiler rendering of an unsigned conversion — confirm.
if (b < (byte) 0) {
b += 256;
}
// Zero digest bytes are mapped to 1, so the table never contains 0.
if (b == (byte) 0) {
b = (byte) 1;
}
iArr[(i2 * 32) + i3] = b;
}
}
return iArr[i];
// `catch (int ...)` is not valid Java — decompiler artefact; the real exception types
// are not visible here. 2 / 0 throws ArithmeticException before `return 0` is reached.
} catch (int i4) {
i4.printStackTrace();
i4 = 2 / 0;
return 0;
} catch (int i42) {
i42.printStackTrace();
i42 = 2 / 0;
return 0;
}
}
/**
 * Maps an input to a value in 0..255 by adding a fixed offset.
 *
 * The offset is Math.round(sqrt(4*s*s) / s) with s = sleep(500) - 499. For any
 * positive s small enough that 4*s*s fits in an int, that quotient is exactly 2, so
 * the result is (i + 323) % 256 — which is why the writeup observed the same return
 * for the same input on every call. sleep() is not part of this listing; if it returns
 * 500, s is 1.
 *
 * @param i value to scramble
 * @return (i + offset + 321) % 256; negative when i + offset + 321 is negative, since
 *         Java's % keeps the sign of the dividend
 */
public static int scramble(int i) {
    int s = ((int) sleep(500)) - 499;
    // Integer arithmetic first, then the square root, exactly as in the original.
    int fourSSquared = (s * 4) * s;
    double ratio = Math.sqrt((double) fourSSquared) / ((double) s);
    int offset = (int) Math.round(ratio);
    return (i + offset + 321) % 256;
}
scramble,getSecretNumber 함수는 위와 같은 코드였는데 뭔가 딱봤을때는 랜덤한 값이 나올 것 같았는데 프리다로 반복문 돌려서 찍어보니까 인풋이 같으면 동일한 리턴이 나왔다. 첨엔 m0~m7 함수를 아이다에서 확인한 담에 파이썬코드로 변환해서 브포돌리거나 역연산짜거나 할려다 그냥 프리다로 후킹해서 브포돌리면 편할것 같아서 프리다를 사용했다.
exploit.py
import sys
import frida
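def on_message(message, data):
    """Print a message received from the Frida agent together with its payload.

    Registered below via ``script.on('message', on_message)``; Frida invokes it with
    the message object and any ``data`` attached to it.
    """
    # Parenthesised form runs unchanged on Python 2 and 3; the original used the
    # Python 2 print statement, which is a syntax error on Python 3.
    print("[%s] -> %s" % (message, data))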
# Frida agent source. Everything between the triple quotes is JavaScript that Frida
# runs inside the target app (Java.perform gives it access to the app's Java classes).
# It is a Python string literal, so its text is kept exactly as the author wrote it.
#
# Reading guide for the JS below:
#   - m_table[0..8] (there is no m_table[5]; position 5 takes the mask-only branch,
#     i==5, which records j directly) are 256-entry lookup tables. When a candidate
#     byte j satisfies m<i>, the script reports m_table[i].indexOf(j), i.e. the table
#     position of the accepted value rather than the value itself.
#   - getScrambleNumber() chains Solver.scramble() starting from 13, skipping position 5
#     (stored as 0) and adding 190 before the final call; each result is the index passed
#     to Solver.getSecretNumber() to obtain m<i>'s second argument.
#   - bruteFlag() tries every byte j at every position i and keeps those with
#     (m<i>(j, secret) & xorArray[i]) == correctNumberArray[i]. Despite its name,
#     xorArray is applied with a bitwise AND, i.e. it is a mask.
#   - Candidates are printed per position as "Find <i>th String = ..."; positions that
#     yield several candidates need a further pass.
jscode = """
Java.perform(function () {
var m_table = []
m_table[0] = [100,190,88,240,97,216,47,243,39,18,173,144,157,114,116,250,152,150,196,175,28,179,23,213,73,66,20,228,67,200,156,7,221,210,50,233,110,32,71,194,117,220,43,113,148,247,217,185,41,177,239,12,232,101,82,178,128,191,42,172,136,81,115,251,69,89,139,48,129,63,154,125,242,95,132,143,102,29,199,10,146,79,225,149,236,245,56,105,27,235,162,201,193,208,104,96,209,155,34,68,202,169,49,13,134,45,226,255,14,52,33,62,44,186,6,121,21,244,131,64,111,123,248,124,36,9,58,112,222,130,254,120,75,224,76,145,80,231,198,219,182,24,126,40,246,192,78,166,140,158,223,57,207,90,161,54,38,252,72,203,70,85,171,107,98,4,51,188,238,15,147,237,65,214,99,183,22,5,92,141,184,30,108,60,135,118,127,205,133,159,19,197,74,17,59,138,195,119,8,25,206,55,106,91,160,122,218,37,181,211,212,234,241,46,77,170,11,109,16,249,168,230,215,174,204,164,2,253,94,31,189,35,153,180,103,142,1,137,187,84,165,26,87,93,83,86,0,151,3,167,53,176,227,163,229,61]
m_table[1] = [29,131,174,82,200,183,179,143,182,216,9,79,44,203,167,6,135,62,4,58,242,84,72,175,171,126,140,188,18,250,114,205,137,142,16,163,159,24,105,154,186,209,169,116,138,206,57,219,132,234,129,127,247,28,49,178,5,37,93,148,25,238,118,50,166,102,146,231,81,86,201,33,197,181,155,133,85,224,176,208,170,99,40,38,204,194,74,222,144,145,212,161,141,7,123,92,26,185,101,119,223,164,31,172,249,43,88,8,19,61,241,76,157,47,111,130,60,120,252,90,117,207,192,189,158,23,253,199,80,106,41,160,221,233,71,0,36,32,230,246,52,248,147,150,95,87,104,34,232,229,202,63,66,39,168,108,139,22,244,75,190,98,124,237,77,193,149,11,100,240,227,42,121,162,55,215,165,48,67,211,35,56,70,54,78,14,45,187,89,184,213,255,27,96,1,69,122,125,110,217,228,91,156,113,243,65,196,64,3,128,109,12,153,173,53,94,68,97,152,151,2,73,107,236,17,46,112,177,10,103,225,254,136,245,13,218,115,239,195,214,180,134,83,30,59,20,51,235,191,226,15,21,251,210,198,220]
m_table[2] = [255,30,98,78,198,151,15,171,92,236,93,136,206,220,56,156,54,50,82,112,123,14,77,12,184,214,208,145,66,40,52,224,213,134,227,250,22,114,79,143,10,55,174,28,85,221,154,248,84,175,168,144,11,32,64,207,147,58,176,111,108,142,216,187,110,195,5,219,72,235,49,120,232,46,155,23,27,185,233,57,170,18,71,203,88,196,140,223,109,131,103,26,251,48,180,83,106,115,130,16,133,44,164,241,182,70,204,9,218,107,179,188,6,160,190,13,209,230,119,197,226,124,121,240,80,163,97,38,149,94,202,243,193,238,167,138,148,17,3,51,127,210,62,205,239,126,169,63,95,228,199,186,81,53,152,67,125,0,153,99,150,25,217,229,102,69,246,90,117,244,60,178,73,234,2,181,75,20,24,21,8,35,141,165,201,237,96,211,129,159,19,189,135,158,33,104,91,116,177,47,247,137,122,173,59,113,29,245,242,128,39,86,192,252,37,61,89,200,157,68,225,139,1,254,36,146,162,42,45,166,172,65,231,31,105,222,43,212,118,34,215,74,87,253,194,249,100,41,76,101,4,191,132,183,7,161]
m_table[3] = [1,223,134,163,178,59,65,116,117,17,224,122,99,85,52,63,206,131,204,32,40,177,132,133,92,101,97,230,106,144,30,73,0,153,192,107,44,123,86,233,62,164,118,80,71,179,197,184,29,108,4,58,244,235,8,209,41,28,150,199,14,94,45,203,159,51,212,222,183,157,95,66,142,34,185,61,74,26,161,39,55,248,16,180,191,247,25,129,91,54,181,88,207,193,5,216,231,121,211,174,167,255,227,176,82,137,12,38,198,109,152,250,126,169,187,33,253,87,173,221,46,182,24,84,228,239,75,19,72,112,208,251,220,254,90,218,2,64,246,50,114,156,168,160,148,68,242,130,113,171,139,76,23,49,138,6,225,241,11,213,48,196,110,146,119,202,69,237,22,93,175,154,102,120,21,57,140,9,141,162,190,60,53,205,136,158,105,145,166,115,249,77,252,70,78,226,217,37,111,127,27,243,195,128,186,83,229,96,89,81,189,219,210,15,194,147,10,245,165,98,155,240,43,214,188,232,236,201,42,125,143,100,215,103,67,36,3,47,13,124,172,20,238,7,234,135,18,151,79,149,31,56,200,104,170,35]
m_table[4] = [144,158,58,155,10,130,143,78,170,39,110,250,246,7,214,235,25,202,157,89,237,131,52,233,161,245,181,184,116,26,254,159,244,101,186,248,72,70,142,205,168,134,173,3,54,222,51,104,123,34,206,2,188,73,95,11,20,38,69,113,179,183,192,30,99,215,129,6,24,133,198,98,49,92,66,106,154,118,164,145,177,121,190,84,59,172,149,75,23,151,207,19,8,15,247,37,167,255,102,226,135,100,18,176,171,4,105,111,251,9,219,88,93,213,169,16,229,57,61,35,65,238,141,216,199,182,22,230,200,42,76,225,74,166,147,242,50,103,68,193,67,28,243,162,194,45,43,17,124,31,55,21,47,197,126,122,196,136,204,79,132,32,91,140,234,236,195,125,12,109,185,0,64,137,53,241,178,138,127,112,160,71,87,48,56,120,240,175,40,150,114,119,221,146,201,228,224,44,152,227,86,156,212,62,80,96,208,63,253,108,203,165,115,128,90,210,153,1,85,41,83,13,148,232,27,97,60,107,189,218,187,211,191,163,139,239,77,209,29,223,94,117,82,81,14,217,5,33,174,180,252,231,220,36,46,249]
m_table[6] = [6,112,67,152,88,74,161,124,42,100,247,70,226,19,215,61,141,186,190,129,24,255,173,131,23,180,25,27,33,84,237,245,30,45,8,122,126,133,234,114,185,89,97,203,125,10,90,213,71,99,172,196,224,208,251,206,209,142,91,239,174,176,94,0,4,75,167,222,205,146,156,108,240,199,76,238,18,51,63,228,113,16,158,182,183,69,110,9,65,120,249,204,81,233,34,62,220,216,166,162,57,13,78,192,159,7,191,171,17,188,211,218,168,246,135,128,56,225,140,232,231,107,14,11,58,153,136,201,60,36,132,243,111,73,163,144,164,39,236,137,77,160,47,241,87,66,200,223,170,250,37,103,92,157,96,105,217,28,139,53,93,82,179,130,195,35,2,26,59,229,101,116,147,109,40,44,214,184,235,80,154,79,21,43,119,207,193,104,102,244,22,85,68,106,202,151,254,41,145,15,98,219,49,117,143,5,48,72,86,20,198,12,253,248,1,118,242,177,29,175,148,227,121,115,50,134,123,3,83,38,194,54,230,127,210,64,189,165,149,181,252,212,32,95,187,155,150,55,178,46,221,169,31,52,138,197]
m_table[7] = [208,168,97,242,78,60,100,128,232,152,127,115,253,36,174,209,181,159,88,165,19,212,211,111,26,12,229,43,8,136,199,240,135,178,44,48,82,125,254,195,173,207,121,233,68,84,52,215,137,158,154,69,186,133,51,180,80,126,144,226,40,2,66,38,244,171,67,118,57,247,112,18,138,231,202,73,201,179,85,119,116,141,90,161,238,162,204,224,81,103,214,203,198,184,92,147,105,221,11,134,70,95,27,166,24,71,185,46,172,237,39,123,76,91,228,108,74,206,87,197,50,35,15,25,7,164,219,130,54,188,213,120,61,250,189,217,241,230,55,246,192,96,94,89,218,245,176,98,75,102,194,47,101,58,132,182,234,190,223,45,150,107,86,64,20,49,23,210,251,21,59,72,104,53,155,113,106,131,6,14,3,255,17,225,143,28,167,93,196,16,129,65,200,41,29,235,149,30,169,79,33,32,5,160,110,175,1,140,109,170,183,42,99,63,157,117,151,56,124,236,177,216,156,227,4,248,37,0,9,220,31,243,148,77,114,145,10,13,139,249,252,22,122,193,34,83,222,191,62,239,205,187,163,146,142,153]
m_table[8] = [74,42,108,90,10,82,182,2,156,188,147,187,66,137,18,140,44,115,26,64,255,229,204,50,153,53,30,101,161,145,136,155,159,78,11,142,131,226,68,233,109,62,88,99,94,19,114,100,39,138,237,144,143,98,251,246,146,33,199,91,171,195,200,192,126,248,38,35,29,205,230,71,166,176,239,197,6,217,25,209,241,152,202,93,117,13,228,86,80,207,96,21,48,196,224,102,58,149,133,89,232,157,106,125,132,7,63,60,165,254,9,116,59,208,216,111,173,105,84,201,151,253,123,220,69,225,236,24,22,242,16,194,31,110,193,36,20,61,150,167,162,184,190,127,72,234,172,141,175,54,8,174,5,206,168,45,67,43,148,250,51,87,103,81,119,73,189,163,214,178,221,227,4,23,130,240,120,55,177,85,243,247,249,180,231,52,223,218,183,34,46,128,70,77,65,32,97,203,49,95,219,56,185,215,15,124,37,238,12,210,1,244,76,57,211,129,75,28,212,3,113,121,107,169,92,170,135,154,181,41,213,222,112,164,252,0,134,27,14,40,118,245,235,191,104,17,79,186,198,179,83,158,139,47,122,160]
var SolverClass = Java.use("ooo.defcon2019.quals.veryandroidoso.Solver");
function getScrambleNumber()
{
var scramble_param = 13;
var SolverClass = Java.use("ooo.defcon2019.quals.veryandroidoso.Solver");
var resultArray = [];
for (var i=0; i<9; i++){
if (i==5){
resultArray[i]=0;
continue;
}
if (i==8){
scramble_param += 190;
}
scramble_param = SolverClass.scramble(scramble_param);
resultArray[i]=scramble_param;
}
return resultArray;
}
function bruteFlag(){
var SolverClass = Java.use("ooo.defcon2019.quals.veryandroidoso.Solver");
var correctNumberArray = [172,6,146,97,130,65,236,142,103]
var xorArray = [255,255,251,247,202,65,255,255,255]
for (var i=0; i<correctNumberArray.length; i++){
var result = "";
for (var j=0; j<256; j++){
if (i==5){
if ((j&xorArray[i]) == correctNumberArray[i]){
result += j + ","
}
}
else {
if ((SolverClass["m"+i](j,SolverClass.getSecretNumber(ScrambleNumberArray[i]))&xorArray[i]) == correctNumberArray[i]){
result += m_table[i].indexOf(j) + ","
}
}
}
console.log("Find " + i + "th String = " + result);
}
}
var ScrambleNumberArray = getScrambleNumber();
bruteFlag();
});
"""
# Attach to the already running challenge app over USB and inject the agent above.
process_name = "ooo.defcon2019.quals.veryandroidoso"
session = frida.get_usb_device().attach(process_name)
script = session.create_script(jscode)
# Messages from the agent are routed to on_message.
script.on('message', on_message)
script.load()
# Block until stdin reaches EOF so the Python process, and with it the injected
# script, stays alive while the search runs.
sys.stdin.read()
코드를 돌려보면 1~8까지 인풋에 대해서는 만족하는 값이 아래와 같은 형태로 쭉 나왔는데 이상하게 마지막 9번째 값이 계속 안나왔다.
Find 0th String = 250
Find 1th String = 180
Find 2th String = 254,52
Find 3th String = 22,176
Find 4th String = 221,244,147,102,238,63,247,49,145,254,72,136,118,203,120,74
Find 5th String = 65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,95,97,99,101,103,105,107,109,111,113,115,117,119,121,123,125,127,193,195,197,199,201,203,205,207,209,211,213,215,217,219,221,223,225,227,229,231,233,235,237,239,241,243,245,247,249,251,253,255
Find 6th String = 68
Find 7th String = 190
뭔가 이상해서 코드를 좀 자세히 보니 아래와 같이 마지막 인풋을 검증하기 전에 1~8번째 값을 가지고 m9함수를 호출하는걸 볼 수 있었다.
해당 함수와 같은 경우 아이다에서 분석해보려고 보니 디버깅 없이 정적분석으로는 분석이 잘안되서 그냥 위에서 구한 1~8 값에 대한 모든 케이스를 가지고 m9 함수 호출 후 마지막 9번째 input을 검증하는 형태의 브포 코드를 짰다.
첨엔 1~8 값에 대한 경우의수 4096*255 = 1044480 , 총 1044480번의 후킹을 해야해서 이게 값이 뽑힐까 했는데 막상 돌려보니 후킹속도가 엄청 빨라서 금방 뽑혔다.
최종적으로 사용한 익스코드는 아래와 같다.
getInputCase.py
import sys
import frida
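def on_message(message, data):
    """Print a message received from the Frida agent together with its payload.

    Registered below via ``script.on('message', on_message)``; Frida invokes it with
    the message object and any ``data`` attached to it.
    """
    # Parenthesised form runs unchanged on Python 2 and 3; the original used the
    # Python 2 print statement, which is a syntax error on Python 3.
    print("[%s] -> %s" % (message, data))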
# Frida agent source. Everything between the triple quotes is JavaScript that Frida
# runs inside the target app (Java.perform gives it access to the app's Java classes).
# It is a Python string literal, so its text is kept exactly as the author wrote it.
#
# Reading guide for the JS below:
#   - m_table[0..8] (there is no m_table[5]; position 5 takes the mask-only branch,
#     i==5, which records j directly) are 256-entry lookup tables. When a candidate
#     byte j satisfies m<i>, the script reports m_table[i].indexOf(j), i.e. the table
#     position of the accepted value rather than the value itself.
#   - getScrambleNumber() chains Solver.scramble() starting from 13, skipping position 5
#     (stored as 0) and adding 190 before the final call; each result is the index passed
#     to Solver.getSecretNumber() to obtain m<i>'s second argument.
#   - bruteFlag() tries every byte j at every position i and keeps those with
#     (m<i>(j, secret) & xorArray[i]) == correctNumberArray[i]. Despite its name,
#     xorArray is applied with a bitwise AND, i.e. it is a mask.
#   - Candidates are printed per position as "Find <i>th String = ..."; positions that
#     yield several candidates need a further pass.
jscode = """
Java.perform(function () {
var m_table = []
m_table[0] = [100,190,88,240,97,216,47,243,39,18,173,144,157,114,116,250,152,150,196,175,28,179,23,213,73,66,20,228,67,200,156,7,221,210,50,233,110,32,71,194,117,220,43,113,148,247,217,185,41,177,239,12,232,101,82,178,128,191,42,172,136,81,115,251,69,89,139,48,129,63,154,125,242,95,132,143,102,29,199,10,146,79,225,149,236,245,56,105,27,235,162,201,193,208,104,96,209,155,34,68,202,169,49,13,134,45,226,255,14,52,33,62,44,186,6,121,21,244,131,64,111,123,248,124,36,9,58,112,222,130,254,120,75,224,76,145,80,231,198,219,182,24,126,40,246,192,78,166,140,158,223,57,207,90,161,54,38,252,72,203,70,85,171,107,98,4,51,188,238,15,147,237,65,214,99,183,22,5,92,141,184,30,108,60,135,118,127,205,133,159,19,197,74,17,59,138,195,119,8,25,206,55,106,91,160,122,218,37,181,211,212,234,241,46,77,170,11,109,16,249,168,230,215,174,204,164,2,253,94,31,189,35,153,180,103,142,1,137,187,84,165,26,87,93,83,86,0,151,3,167,53,176,227,163,229,61]
m_table[1] = [29,131,174,82,200,183,179,143,182,216,9,79,44,203,167,6,135,62,4,58,242,84,72,175,171,126,140,188,18,250,114,205,137,142,16,163,159,24,105,154,186,209,169,116,138,206,57,219,132,234,129,127,247,28,49,178,5,37,93,148,25,238,118,50,166,102,146,231,81,86,201,33,197,181,155,133,85,224,176,208,170,99,40,38,204,194,74,222,144,145,212,161,141,7,123,92,26,185,101,119,223,164,31,172,249,43,88,8,19,61,241,76,157,47,111,130,60,120,252,90,117,207,192,189,158,23,253,199,80,106,41,160,221,233,71,0,36,32,230,246,52,248,147,150,95,87,104,34,232,229,202,63,66,39,168,108,139,22,244,75,190,98,124,237,77,193,149,11,100,240,227,42,121,162,55,215,165,48,67,211,35,56,70,54,78,14,45,187,89,184,213,255,27,96,1,69,122,125,110,217,228,91,156,113,243,65,196,64,3,128,109,12,153,173,53,94,68,97,152,151,2,73,107,236,17,46,112,177,10,103,225,254,136,245,13,218,115,239,195,214,180,134,83,30,59,20,51,235,191,226,15,21,251,210,198,220]
m_table[2] = [255,30,98,78,198,151,15,171,92,236,93,136,206,220,56,156,54,50,82,112,123,14,77,12,184,214,208,145,66,40,52,224,213,134,227,250,22,114,79,143,10,55,174,28,85,221,154,248,84,175,168,144,11,32,64,207,147,58,176,111,108,142,216,187,110,195,5,219,72,235,49,120,232,46,155,23,27,185,233,57,170,18,71,203,88,196,140,223,109,131,103,26,251,48,180,83,106,115,130,16,133,44,164,241,182,70,204,9,218,107,179,188,6,160,190,13,209,230,119,197,226,124,121,240,80,163,97,38,149,94,202,243,193,238,167,138,148,17,3,51,127,210,62,205,239,126,169,63,95,228,199,186,81,53,152,67,125,0,153,99,150,25,217,229,102,69,246,90,117,244,60,178,73,234,2,181,75,20,24,21,8,35,141,165,201,237,96,211,129,159,19,189,135,158,33,104,91,116,177,47,247,137,122,173,59,113,29,245,242,128,39,86,192,252,37,61,89,200,157,68,225,139,1,254,36,146,162,42,45,166,172,65,231,31,105,222,43,212,118,34,215,74,87,253,194,249,100,41,76,101,4,191,132,183,7,161]
m_table[3] = [1,223,134,163,178,59,65,116,117,17,224,122,99,85,52,63,206,131,204,32,40,177,132,133,92,101,97,230,106,144,30,73,0,153,192,107,44,123,86,233,62,164,118,80,71,179,197,184,29,108,4,58,244,235,8,209,41,28,150,199,14,94,45,203,159,51,212,222,183,157,95,66,142,34,185,61,74,26,161,39,55,248,16,180,191,247,25,129,91,54,181,88,207,193,5,216,231,121,211,174,167,255,227,176,82,137,12,38,198,109,152,250,126,169,187,33,253,87,173,221,46,182,24,84,228,239,75,19,72,112,208,251,220,254,90,218,2,64,246,50,114,156,168,160,148,68,242,130,113,171,139,76,23,49,138,6,225,241,11,213,48,196,110,146,119,202,69,237,22,93,175,154,102,120,21,57,140,9,141,162,190,60,53,205,136,158,105,145,166,115,249,77,252,70,78,226,217,37,111,127,27,243,195,128,186,83,229,96,89,81,189,219,210,15,194,147,10,245,165,98,155,240,43,214,188,232,236,201,42,125,143,100,215,103,67,36,3,47,13,124,172,20,238,7,234,135,18,151,79,149,31,56,200,104,170,35]
m_table[4] = [144,158,58,155,10,130,143,78,170,39,110,250,246,7,214,235,25,202,157,89,237,131,52,233,161,245,181,184,116,26,254,159,244,101,186,248,72,70,142,205,168,134,173,3,54,222,51,104,123,34,206,2,188,73,95,11,20,38,69,113,179,183,192,30,99,215,129,6,24,133,198,98,49,92,66,106,154,118,164,145,177,121,190,84,59,172,149,75,23,151,207,19,8,15,247,37,167,255,102,226,135,100,18,176,171,4,105,111,251,9,219,88,93,213,169,16,229,57,61,35,65,238,141,216,199,182,22,230,200,42,76,225,74,166,147,242,50,103,68,193,67,28,243,162,194,45,43,17,124,31,55,21,47,197,126,122,196,136,204,79,132,32,91,140,234,236,195,125,12,109,185,0,64,137,53,241,178,138,127,112,160,71,87,48,56,120,240,175,40,150,114,119,221,146,201,228,224,44,152,227,86,156,212,62,80,96,208,63,253,108,203,165,115,128,90,210,153,1,85,41,83,13,148,232,27,97,60,107,189,218,187,211,191,163,139,239,77,209,29,223,94,117,82,81,14,217,5,33,174,180,252,231,220,36,46,249]
m_table[6] = [6,112,67,152,88,74,161,124,42,100,247,70,226,19,215,61,141,186,190,129,24,255,173,131,23,180,25,27,33,84,237,245,30,45,8,122,126,133,234,114,185,89,97,203,125,10,90,213,71,99,172,196,224,208,251,206,209,142,91,239,174,176,94,0,4,75,167,222,205,146,156,108,240,199,76,238,18,51,63,228,113,16,158,182,183,69,110,9,65,120,249,204,81,233,34,62,220,216,166,162,57,13,78,192,159,7,191,171,17,188,211,218,168,246,135,128,56,225,140,232,231,107,14,11,58,153,136,201,60,36,132,243,111,73,163,144,164,39,236,137,77,160,47,241,87,66,200,223,170,250,37,103,92,157,96,105,217,28,139,53,93,82,179,130,195,35,2,26,59,229,101,116,147,109,40,44,214,184,235,80,154,79,21,43,119,207,193,104,102,244,22,85,68,106,202,151,254,41,145,15,98,219,49,117,143,5,48,72,86,20,198,12,253,248,1,118,242,177,29,175,148,227,121,115,50,134,123,3,83,38,194,54,230,127,210,64,189,165,149,181,252,212,32,95,187,155,150,55,178,46,221,169,31,52,138,197]
m_table[7] = [208,168,97,242,78,60,100,128,232,152,127,115,253,36,174,209,181,159,88,165,19,212,211,111,26,12,229,43,8,136,199,240,135,178,44,48,82,125,254,195,173,207,121,233,68,84,52,215,137,158,154,69,186,133,51,180,80,126,144,226,40,2,66,38,244,171,67,118,57,247,112,18,138,231,202,73,201,179,85,119,116,141,90,161,238,162,204,224,81,103,214,203,198,184,92,147,105,221,11,134,70,95,27,166,24,71,185,46,172,237,39,123,76,91,228,108,74,206,87,197,50,35,15,25,7,164,219,130,54,188,213,120,61,250,189,217,241,230,55,246,192,96,94,89,218,245,176,98,75,102,194,47,101,58,132,182,234,190,223,45,150,107,86,64,20,49,23,210,251,21,59,72,104,53,155,113,106,131,6,14,3,255,17,225,143,28,167,93,196,16,129,65,200,41,29,235,149,30,169,79,33,32,5,160,110,175,1,140,109,170,183,42,99,63,157,117,151,56,124,236,177,216,156,227,4,248,37,0,9,220,31,243,148,77,114,145,10,13,139,249,252,22,122,193,34,83,222,191,62,239,205,187,163,146,142,153]
m_table[8] = [74,42,108,90,10,82,182,2,156,188,147,187,66,137,18,140,44,115,26,64,255,229,204,50,153,53,30,101,161,145,136,155,159,78,11,142,131,226,68,233,109,62,88,99,94,19,114,100,39,138,237,144,143,98,251,246,146,33,199,91,171,195,200,192,126,248,38,35,29,205,230,71,166,176,239,197,6,217,25,209,241,152,202,93,117,13,228,86,80,207,96,21,48,196,224,102,58,149,133,89,232,157,106,125,132,7,63,60,165,254,9,116,59,208,216,111,173,105,84,201,151,253,123,220,69,225,236,24,22,242,16,194,31,110,193,36,20,61,150,167,162,184,190,127,72,234,172,141,175,54,8,174,5,206,168,45,67,43,148,250,51,87,103,81,119,73,189,163,214,178,221,227,4,23,130,240,120,55,177,85,243,247,249,180,231,52,223,218,183,34,46,128,70,77,65,32,97,203,49,95,219,56,185,215,15,124,37,238,12,210,1,244,76,57,211,129,75,28,212,3,113,121,107,169,92,170,135,154,181,41,213,222,112,164,252,0,134,27,14,40,118,245,235,191,104,17,79,186,198,179,83,158,139,47,122,160]
var SolverClass = Java.use("ooo.defcon2019.quals.veryandroidoso.Solver");
function getScrambleNumber()
{
var scramble_param = 13;
var SolverClass = Java.use("ooo.defcon2019.quals.veryandroidoso.Solver");
var resultArray = [];
for (var i=0; i<9; i++){
if (i==5){
resultArray[i]=0;
continue;
}
if (i==8){
scramble_param += 190;
}
scramble_param = SolverClass.scramble(scramble_param);
resultArray[i]=scramble_param;
}
return resultArray;
}
function bruteFlag(){
var SolverClass = Java.use("ooo.defcon2019.quals.veryandroidoso.Solver");
var correctNumberArray = [172,6,146,97,130,65,236,142,103]
var xorArray = [255,255,251,247,202,65,255,255,255]
for (var i=0; i<correctNumberArray.length; i++){
var result = "";
for (var j=0; j<256; j++){
if (i==5){
if ((j&xorArray[i]) == correctNumberArray[i]){
result += j + ","
}
}
else {
if ((SolverClass["m"+i](j,SolverClass.getSecretNumber(ScrambleNumberArray[i]))&xorArray[i]) == correctNumberArray[i]){
result += m_table[i].indexOf(j) + ","
}
}
}
console.log("Find " + i + "th String = " + result);
}
}
var ScrambleNumberArray = getScrambleNumber();
bruteFlag();
});
"""
# Attach to the already running challenge app over USB and inject the agent above.
process_name = "ooo.defcon2019.quals.veryandroidoso"
session = frida.get_usb_device().attach(process_name)
script = session.create_script(jscode)
# Messages from the agent are routed to on_message.
script.on('message', on_message)
script.load()
# Block until stdin reaches EOF so the Python process, and with it the injected
# script, stays alive while the search runs.
sys.stdin.read()
findFlag.py
import sys
import frida
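def on_message(message, data):
    """Print a message received from the Frida agent together with its payload.

    Registered below via ``script.on('message', on_message)``; Frida invokes it with
    the message object and any ``data`` attached to it.
    """
    # Parenthesised form runs unchanged on Python 2 and 3; the original used the
    # Python 2 print statement, which is a syntax error on Python 3.
    print("[%s] -> %s" % (message, data))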
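# Frida agent source for the second-stage search (JavaScript run inside the app by
# Java.perform). It is kept in the ES5 style the author used; Frida's JS runtime of the
# time may not accept newer syntax, so do not modernise it blindly.
#
# Reading guide for the JS below:
#   - The first pass left a single candidate at positions 0, 1, 6 and 7 (250, 180, 68,
#     190) and several at positions 2, 3, 4 and 5; dic1..dic4 are exactly those
#     candidate lists, in position order.
#   - For every combination the agent first calls Solver.m9() with the combined value,
#     mirroring the app, which (per the writeup) calls m9 with positions 1..8 before the
#     last position is checked. m8(n, 23) is therefore re-evaluated after each m9 call
#     instead of being hoisted out of the loops — presumably m9 carries state; confirm
#     before optimising.
#   - A last byte n passing m8 is mapped through lastNumberList.indexOf(n) (the same table
#     as m_table[8] in the first pass), then a final modulo-144 check over the
#     getSecretNumber() values is applied and the flag is printed as hex.
#
# Bug fix: the j and k loops originally tested `i < dic2.length` and `i < dic3.length`,
# so neither index ever stopped at the end of its own list and dic2[j] / dic3[k] became
# undefined once j or k ran past it. The flag reported in this writeup lies in the early
# iterations, which is presumably why the author never hit that. Each loop now tests
# its own index.
jscode = """
Java.perform(function () {
var lastNumberList = [74,42,108,90,10,82,182,2,156,188,147,187,66,137,18,140,44,115,26,64,255,229,204,50,153,53,30,101,161,145,136,155,159,78,11,142,131,226,68,233,109,62,88,99,94,19,114,100,39,138,237,144,143,98,251,246,146,33,199,91,171,195,200,192,126,248,38,35,29,205,230,71,166,176,239,197,6,217,25,209,241,152,202,93,117,13,228,86,80,207,96,21,48,196,224,102,58,149,133,89,232,157,106,125,132,7,63,60,165,254,9,116,59,208,216,111,173,105,84,201,151,253,123,220,69,225,236,24,22,242,16,194,31,110,193,36,20,61,150,167,162,184,190,127,72,234,172,141,175,54,8,174,5,206,168,45,67,43,148,250,51,87,103,81,119,73,189,163,214,178,221,227,4,23,130,240,120,55,177,85,243,247,249,180,231,52,223,218,183,34,46,128,70,77,65,32,97,203,49,95,219,56,185,215,15,124,37,238,12,210,1,244,76,57,211,129,75,28,212,3,113,121,107,169,92,170,135,154,181,41,213,222,112,164,252,0,134,27,14,40,118,245,235,191,104,17,79,186,198,179,83,158,139,47,122,160]
var SolverClass = Java.use("ooo.defcon2019.quals.veryandroidoso.Solver");
var dic1 = [52, 254]
var dic2 = [22, 176]
var dic3 = [221, 244, 147, 102, 238, 63, 247, 49, 145, 254, 72, 136, 118, 203, 120, 74]
var dic4 = [65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 101, 103, 105, 107, 109, 111, 113, 115, 117, 119, 121, 123, 125, 127, 193, 195, 197, 199, 201, 203, 205, 207, 209, 211, 213, 215, 217, 219, 221, 223, 225, 227, 229, 231, 233, 235, 237, 239, 241, 243, 245, 247, 249, 251, 253, 255]
for(var i=0; i<dic1.length; i++){
for(var j=0; j<dic2.length; j++){
for(var k=0; k<dic3.length; k++){
for(var p=0; p<dic4.length; p++){
var result = [250,180,dic1[i],dic2[j],dic3[k],dic4[p],68,190,0]
SolverClass.m9((((((result[0] + result[1]) + result[2]) + result[3]) + result[4]) + result[5]) + (result[6] * result[7]))
for (var n=0; n<256; n++){
if ((SolverClass.m8(n,23)&255) == 103){
result[8] = lastNumberList.indexOf(n);
if (((((((((SolverClass.getSecretNumber(result[0])) * (SolverClass.getSecretNumber(result[1]))) * (SolverClass.getSecretNumber(result[2]))) * (SolverClass.getSecretNumber(result[3]))) * (SolverClass.getSecretNumber(result[4]))) * (SolverClass.getSecretNumber(result[5]))) * (SolverClass.getSecretNumber(result[6]))) + (result[7]) + (SolverClass.getSecretNumber(result[8]))) % 144 == 37){
var findFlag = "";
for (var a=0; a<result.length; a++){
findFlag += result[a].toString(16);
}
console.log("Find Flag = OOO{" + findFlag + "}");
}
}
}
}
}
}
}
});
"""
# Attach to the already running challenge app over USB and inject the agent above.
process_name = "ooo.defcon2019.quals.veryandroidoso"
session = frida.get_usb_device().attach(process_name)
script = session.create_script(jscode)
# Messages from the agent are routed to on_message.
script.on('message', on_message)
script.load()
# Block until stdin reaches EOF so the Python process, and with it the injected
# script, stays alive while the search runs.
sys.stdin.read()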
Find Flag = OOO{fab43416484944beba}