[原创]KCTF2021 第五题 华山论剑 writeup
source link: https://bbs.pediy.com/thread-267628.htm
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
KCTF2021 第五题 华山论剑 writeup
拖进jadx java层逻辑简单,只需要关注native层stringFromJNI。
public void Btn1_Click(View view) {
String
str
;
String
input
=
this.text.getText().toString();
String input2
=
this.text2.getText().toString();
if
(
input
=
=
null ||
input
.isEmpty()) {
str
=
"name为空"
;
}
else
if
(input2
=
=
null || input2.isEmpty()) {
str
=
"serial为空"
;
}
else
{
System.loadLibrary(
"hello-jni"
);
str
=
stringFromJNI(
input
, input2);
}
AlertDialog.Builder builder
=
new AlertDialog.Builder(mContext);
builder.setTitle("");
builder.setMessage(
str
);
builder.show();
}
使用IDA静态分析libhello-jni.so,两个跳转让我直接懵逼,都不知道跳哪去了。
尝试用IDA调试,直接挂,有点绝望。
掏出frida,先跑了下frida-trace,结果正确的序列号弹出了“输入错误”,打不出正确的调用路径。让我直接放弃frida,绝望++。
想起之前瞥过一眼的unidbg-v0.9.3,感觉这题用它正合适。
先试着使用unidbg主动调用stringFromJNI:
能够运行和输出正确结果,感觉找对了路。
尝试使用IDA连unidbg动态调试:emulator.attach(DebuggerType.ANDROID_SERVER_V7);
IDA附加进程后,简单跟踪了几步后,要么跑飞要么卡死...
emulator.traceCode();
traceLog看下发现ARM指令和Thumb指令来回切换。
想恢复IDA的指令静态分析,无奈找不到替代Alt+G(Change Segment Register Value)的api函数,放弃。
看着traceCode的效果:
### Trace Instruction [libhello-jni.so] [0x07028] [ 01 40 84 e2 ] 0x40007028: add r4, r4, #1
### Trace Instruction [libhello-jni.so] [0x0702c] [ 01 30 43 e2 ] 0x4000702c: sub r3, r3, #1
### Trace Instruction [libhello-jni.so] [0x07030] [ ca a0 a0 e1 ] 0x40007030: asr sl, sl, #1
### Trace Instruction [libhello-jni.so] [0x07034] [ df ff ff ea ] 0x40007034: b #0x40006fb8
### Trace Instruction [libhello-jni.so] [0x06fb8] [ 0a 20 01 e0 ] 0x40006fb8: and r2, r1, sl
### Trace Instruction [libhello-jni.so] [0x06fbc] [ 52 23 a0 e1 ] 0x40006fbc: asr r2, r2, r3
### Trace Instruction [libhello-jni.so] [0x06fc0] [ 00 20 22 e2 ] 0x40006fc0: eor r2, r2, #0
失望,对于合格的TraceLog来说应该有寄存器的变化。
还是自己写个吧
package com.kctf;
import
capstone.Capstone;
import
com.github.unidbg.AndroidEmulator;
import
com.github.unidbg.Emulator;
import
com.github.unidbg.Module;
import
com.github.unidbg.Symbol;
import
com.github.unidbg.arm.ARM;
import
com.github.unidbg.arm.HookStatus;
import
com.github.unidbg.arm.backend.Backend;
import
com.github.unidbg.arm.backend.CodeHook;
import
com.github.unidbg.arm.backend.DebugHook;
import
com.github.unidbg.arm.context.Arm32RegisterContext;
import
com.github.unidbg.arm.context.RegisterContext;
import
com.github.unidbg.debugger.DebuggerType;
import
com.github.unidbg.hook.HookContext;
import
com.github.unidbg.hook.ReplaceCallback;
import
com.github.unidbg.hook.hookzz.
*
;
import
com.github.unidbg.hook.xhook.IxHook;
import
com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import
com.github.unidbg.linux.android.AndroidResolver;
import
com.github.unidbg.linux.android.XHookImpl;
import
com.github.unidbg.linux.android.dvm.AbstractJni;
import
com.github.unidbg.linux.android.dvm.DalvikModule;
import
com.github.unidbg.linux.android.dvm.DvmClass;
import
com.github.unidbg.linux.android.dvm.VM;
import
com.github.unidbg.linux.android.dvm.array.ByteArray;
import
com.github.unidbg.memory.Memory;
import
com.github.unidbg.utils.Inspector;
import
com.sun.jna.Pointer;
import
unicorn.ArmConst;
import
java.io.
*
;
import
java.nio.charset.StandardCharsets;
import
java.util.
*
;
public
class
hellojni extends AbstractJni {
private final AndroidEmulator emulator;
private final VM vm;
private final Module module;
private final DvmClass hellojniUtils;
private final boolean logging;
private final
Set
<Integer> trace_addr;
private final
Map
<Integer, String> insn_map;
private final
Map
<Integer, Integer> insn_size;
private String lastContent;
private
int
[] lastReg;
hellojni(boolean logging) {
lastContent
=
"";
lastReg
=
null;
trace_addr
=
new TreeSet<Integer>();
insn_map
=
new TreeMap<Integer, String>();
insn_size
=
new TreeMap<>();
this.logging
=
logging;
emulator
=
AndroidEmulatorBuilder.for32Bit().setProcessName(
"com.example.hellojni"
).build();
/
/
创建模拟器实例,要模拟
32
位或者
64
位,在这里区分
final Memory memory
=
emulator.getMemory();
/
/
模拟器的内存操作接口
memory.setLibraryResolver(new AndroidResolver(
23
));
/
/
设置系统类库解析
vm
=
emulator.createDalvikVM(null);
/
/
创建Android虚拟机
vm.setJni(this);
vm.setVerbose(logging);
/
/
设置是否打印Jni调用细节
DalvikModule dm
=
vm.loadLibrary(new
File
(
"unidbg-android/src/test/resources/example_binaries/libhello-jni.so"
), true);
/
/
加载libhello
-
jni.so到unicorn虚拟内存,加载成功以后会默认调用init_array等函数
dm.callJNI_OnLoad(emulator);
/
/
手动执行JNI_OnLoad函数
module
=
dm.getModule();
/
/
加载好的libhello
-
jni.so对应为一个模块
/
/
com_example_hellojni_HelloJni_
hellojniUtils
=
vm.resolveClass(
"com/example/hellojni/HelloJni"
);
}
void destroy() throws IOException {
Object
[] itr
=
trace_addr.toArray();
File
f
=
new
File
(
"E:/out.txt"
);
FileWriter fw
=
new FileWriter(f);
for
(
Object
i : itr) {
/
/
System.out.println(String.
format
(
"set_color(0x%x, CIC_FUNC, 0xd3d3d3) %s"
, (Integer) i, insn_map.get(i)));
/
/
fw.write(insn_map.get(i));
fw.write(String.
format
(
"setreg(0x%x, %d)\n"
, i, insn_size.get(i)));
}
fw.close();
emulator.close();
if
(logging) {
System.out.println(
"destroy"
);
}
}
public static void main(String[] args) throws Exception {
com.kctf.hellojni test
=
new com.kctf.hellojni(true);
String data
=
test.stringFromJNI(
"ed8b9244350d3644"
,
"7C9815255BFE832D3F93140B"
);
System.out.println(data);
test.destroy();
}
public static
int
[] getReg(String reg) {
int
[] ret
=
new
int
[
1
];
switch (reg) {
case
"r0"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R0;
break
;
case
"r1"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R1;
break
;
case
"r2"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R2;
break
;
case
"r3"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R3;
break
;
case
"r4"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R4;
break
;
case
"r5"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R5;
break
;
case
"r6"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R6;
break
;
case
"r7"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R7;
break
;
case
"r8"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R8;
break
;
case
"r9"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R9;
break
;
case
"r10"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R10;
break
;
case
"r11"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R11;
break
;
case
"r12"
: ret[
0
]
=
ArmConst.UC_ARM_REG_R12;
break
;
case
"pc"
: ret[
0
]
=
ArmConst.UC_ARM_REG_PC;
break
;
case
"sp"
: ret[
0
]
=
ArmConst.UC_ARM_REG_SP;
break
;
case
"lr"
: ret[
0
]
=
ArmConst.UC_ARM_REG_LR;
break
;
case
"sb"
: ret[
0
]
=
ArmConst.UC_ARM_REG_SB;
break
;
default:
return
null;
}
return
ret;
}
String getMemStr(Backend backend,
int
addr) {
StringBuilder builder
=
new StringBuilder();
a:
do {
try
{
byte[] bytes
=
backend.mem_read(addr,
1
);
for
(
int
i
=
0
; i < bytes.length; i
+
+
) {
int
fb
=
bytes[i];
if
(fb <
=
31
|| fb >
=
127
)
break
a;
builder.append(String.
format
(
"%c"
,fb));
}
addr
+
+
;
} catch (Exception e) {
return
"";
}
}
while
(true);
return
builder.toString();
}
String stringFromJNI(String name, String serial) {
if
(false)
{
Object
ret
=
hellojniUtils.callStaticJniMethodObject(emulator,
"stringFromJNI(Ljava/lang/String;Ljava/lang/String)Ljava/lang/String"
, name, serial);
/
/
执行Jni方法
return
ret.toString();
}
/
/
so function address
final
Set
<Integer> st
=
new TreeSet<Integer>() {{
Integer[] a
=
new Integer[]{
0xff5
,
0x1035
,
0x10e5
,
0x1421
,
0x1438
,
0x14dc
,
0x152c
,
0x1634
,
0x16c0
,
0x1724
,
0x1854
,
0x1914
,
0x19c4
,
0x1a48
,
0x1aa4
,
0x1ad0
,
0x1b98
,
0x1fa4
,
0x2350
,
0x2394
,
0x24b4
,
0x2540
,
0x28c8
};
for
(Integer b : a) {
add(b);
}
}};
emulator.getBackend().hook_add_new(new DebugHook() {
@Override
public void onBreak(Backend backend,
long
address,
int
size,
Object
user) {
}
@Override
public void hook(Backend backend,
long
address,
int
size,
Object
user) {
/
/
打印当前地址。这里要把unidbg使用的基址给去掉。
int
addr
=
(
int
) address
-
0x40000000
;
trace_addr.add(addr);
if
(st.contains(addr
+
1
)) {
/
/
System.out.println(String.
format
(
"0x%x"
, addr));
}
/
/
if
(false) {
Capstone.CsInsn[] insns
=
emulator.printAssemble(System.out, address, size);
/
/
ARM.showRegs(emulator, ARM.getRegArgs(emulator));
}
if
(true) {
ByteArrayOutputStream baos
=
new ByteArrayOutputStream();
PrintStream ps
=
null;
try
{
ps
=
new PrintStream(baos, true,
"utf-8"
);
} catch (IOException e) {
}
Capstone.CsInsn[] insns
=
emulator.printAssemble(ps, address, size);
String content
=
new String(baos.toByteArray(), StandardCharsets.UTF_8);
content
=
content.replace(
'\n'
,
' '
);
ps.close();
String regStr
=
"";
for
(
int
i
=
0
; i < insns.length; i
+
+
) {
regStr
=
insns[i].opStr.split(
","
)[
0
];
}
int
[] regs
=
getReg(regStr);
if
(regs !
=
null) {
content
=
content
+
" >>> "
+
regStr
+
"="
+
"0x%x"
;
}
if
(lastReg
=
=
null) {
System.out.
print
(lastContent);
ARM.showRegs(emulator, null);
}
else
{
int
value
=
backend.reg_read(lastReg[
0
]).intValue();
String memStr
=
getMemStr(backend, value);
if
(!memStr.equals("")) {
memStr
=
"\""
+
memStr
+
"\""
;
}
System.out.println(String.
format
(lastContent, value)
+
" "
+
memStr);
}
lastContent
=
content;
lastReg
=
regs;
if
(!insn_map.containsKey(addr)) {
insn_map.put(addr, content);
insn_size.put(addr, (
int
) insns[
0
].size);
}
}
}
},
0x40000ff4
,
0x400076BC
, null);
/
/
emulator.traceCode();
/
/
emulator.traceWrite();
/
/
emulator.traceRead();
/
/
emulator.attach(DebuggerType.ANDROID_SERVER_V7);
/
/
附加IDA android_server,可输入c命令取消附加继续运行
Object
ret
=
hellojniUtils.callStaticJniMethodObject(emulator,
"stringFromJNI(Ljava/lang/String;Ljava/lang/String)Ljava/lang/String"
, name, serial);
/
/
执行Jni方法
return
ret.toString();
}
}
我这东拼西凑的代码,能用就行。看着日志效果感觉还不错
### Trace Instruction [libhello-jni.so] [0x075e4] [ 46 66 a0 e1 ] 0x400075e4: asr r6, r6, #0xc >>> r6=0x6
### Trace Instruction [libhello-jni.so] [0x075e8] [ 01 00 06 e2 ] 0x400075e8: and r0, r6, #1 >>> r0=0x0
### Trace Instruction [libhello-jni.so] [0x075ec] [ f0 30 01 e2 ] 0x400075ec: and r3, r1, #0xf0 >>> r3=0x30
### Trace Instruction [libhello-jni.so] [0x075f0] [ 43 32 a0 e1 ] 0x400075f0: asr r3, r3, #4 >>> r3=0x3
### Trace Instruction [libhello-jni.so] [0x075f4] [ 0f 40 01 e2 ] 0x400075f4: and r4, r1, #0xf >>> r4=0x2
### Trace Instruction [libhello-jni.so] [0x075f8] [ 04 41 9d e7 ] 0x400075f8: ldr r4, [sp, r4, lsl #2] >>> r4=0x401cd018 "ed8b9244350d3644"
### Trace Instruction [libhello-jni.so] [0x075fc] [ 00 f1 8f e0 ] 0x400075fc: add pc, pc, r0, lsl #2 >>> pc=0x40007604
### Trace Instruction [libhello-jni.so] [0x07604] [ 00 00 00 ea ] 0x40007604: b #0x4000760c >>> r0=0x0 r1=0x6532 r2=0x40005624 r3=0x3 r4=0x401cd018 r5=0xffff r6=0x6 r7=0x0 r8=0x0 sb=0x0 sl=0x0 fp=0x0 ip=0x0 SP=0xbffff440 LR=RX@0x40005285[libhello-jni.so]0x5285 PC=RX@0x4000760c[libhello-jni.so]0x760c cpsr: N=0, Z=0, C=0, V=0, T=0, mode=0b10000
### Trace Instruction [libhello-jni.so] [0x0760c] [ 0f 5c 01 e2 ] 0x4000760c: and r5, r1, #0xf00 >>> r5=0x500
### Trace Instruction [libhello-jni.so] [0x07610] [ 45 54 a0 e1 ] 0x40007610: asr r5, r5, #8 >>> r5=0x5
### Trace Instruction [libhello-jni.so] [0x07614] [ 05 51 9d e7 ] 0x40007614: ldr r5, [sp, r5, lsl #2] >>> r5=0x401cd018 "ed8b9244350d3644"
正确的序列号 name:ed8b9244350d3644 serial:7C9815255BFE832D3F93140B
生成日志trace_log_true.txt,37MB的日志23w多行,直接去分析太耗时间了。
试着控制最小变量来找差异,把序列号最后一位改成C:
name:ed8b9244350d3644 serial:7C9815255BFE832D3F93140C
生成日志trace_log_flase_serial.txt,与正确的大小和行数差不多。
用BeyondCompare比较下,忽略掉push pop nop b 指令行,减少干扰。
看着这差异行并不是很多,才477个差异部分,感觉自己又可以了。
根据习惯倒着浏览差异处
0x400076a4的r4寄存器存着输入的序列号最后一位,感觉找到了关键位置。
搜索 "0x400076a4" "0x400076a8" trace_log_true.txt (匹配60次)
行
225718
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x7c
行
226097
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x98
行
226476
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x15
行
226855
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x25
行
227234
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x5b
行
227613
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0xfe
行
227992
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x83
行
228371
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x2d
行
228750
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x3f
行
229129
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x93
行
229508
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x14
行
229887
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0xb
行
225719
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
226098
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
226477
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
226856
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
227235
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
227614
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
227993
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
228372
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
228751
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
229130
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
229509
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
229888
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
搜索 "0x400076a4" "0x400076a8" trace_log_flase_serial.txt (匹配60次)
行
225718
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x7c
行
226097
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x98
行
226476
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x15
行
226855
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x25
行
227234
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x5b
行
227613
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0xfe
行
227992
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x83
行
228371
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x2d
行
228750
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x3f
行
229129
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x93
行
229508
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x14
行
229887
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0xc
行
225719
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
226098
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
226477
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
226856
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
227235
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
227614
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
227993
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
228372
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
228751
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
229130
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
229509
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x0
行
229888
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x7
看着这熟悉的序列号,算法大概是通过name算出serial后再与输入的进行异或对比。
使用 name:KCTF serial:7C9815255BFE832D3F93140B 生成trace_log_false_name_kctf.txt
搜索 "0x400076a8" "0x400076a8" trace_log_false_name_kctf.txt (匹配60次) 还好相同,说明没有少跑逻辑。
行
220030
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x7c
行
220409
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x98
行
220788
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x15
行
221167
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x25
行
221546
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x5b
行
221925
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0xfe
行
222304
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x83
行
222683
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x2d
行
223062
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x3f
行
223441
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x93
行
223820
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0x14
行
224199
:
### Trace Instruction [libhello-jni.so] [0x076a4] [ 04 41 9d e7 ] 0x400076a4: ldr r4, [sp, r4, lsl #2] >>> r4=0xb
行
220031
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x6b
行
220410
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0xea
行
220789
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x76
行
221168
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x14
行
221547
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x81
行
221926
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0xf1
行
222305
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x64
行
222684
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x1a
行
223063
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x2b
行
223442
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0xf
行
223821
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x96
行
224200
:
### Trace Instruction [libhello-jni.so] [0x076a8] [ 04 50 35 e0 ] 0x400076a8: eors r5, r5, r4 >>> r5=0x9
推测r5异或前就是正确的序列号
行
220028
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0x17
行
220407
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0x72
行
220786
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0x63
行
221165
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0x31
行
221544
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0xda
行
221923
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0xf
行
222302
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0xe7
行
222681
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0x37
行
223060
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0x14
行
223439
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0x9c
行
223818
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0x82
行
224197
:
### Trace Instruction [libhello-jni.so] [0x0769c] [ 03 51 9d e7 ] 0x4000769c: ldr r5, [sp, r3, lsl #2] >>> r5=0x2
17726331DA0FE737149C8202
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK