20170617_googleCTF

Last week, I joined googleCTF, but I could only solve 2 challenges :-(. Here is my writeup of the challenge I solved.

Food

This is an RE challenge. I am given an Android apk file, "food.apk".

First, I decompile the apk with an online service: http://ift.tt/1H4YAZ1.

From the resulting source, after some investigation, I realize that the FoodActivity class in com/google/ctf/food executes System.loadLibrary("cook").

Then I open libcook.so from lib/x86/ in IDA Pro.

In JNI_OnLoad, many values are moved onto the stack and then a function I named dec_str is called on them.

Then I worked out what this function does; it is equivalent to the Python below.

# split a 32-bit int into its 4 bytes, most significant first
def parse_to_byte(val):
    byte = []
    byte.append((val >> 24) & 0xff)  # BYTE3
    byte.append((val >> 16) & 0xff)  # BYTE2
    byte.append((val >> 8) & 0xff)   # BYTE1
    byte.append(val & 0xff)          # BYTE0
    return byte

# the values pushed onto the stack before dec_str is called
data = [0x1D650B6E, 0x1377416F, 0x16724D62, 0x5320096C, 0x5691D74, 0x86E5A75, 0x4420046B, 0x6F096F, 0x4D634620, 0x10640D6E, 0x4F614520, 0x0A660265, 0x0A650D62, 0x47204A64, 0x36E1A75, 0x0C6F5D72, 0x6675420, 0x4650C68, 0x5B744120, 0x10640564, 0x25410F20]

string = ""

# decrypt: each 32-bit value yields two characters, BYTE3^BYTE2 and BYTE1^BYTE0
# (the binary writes the second XOR as ~((a | ~b) & (b | ~a)), which is the same thing)
for i in data:
    byte_array = parse_to_byte(i)

    string += chr(byte_array[0] ^ byte_array[1])
    string += chr(~((byte_array[2] | ~byte_array[3]) & (byte_array[3] | ~byte_array[2])))

# the string is stored back to front, so reverse it
print(string[::-1])
# -> "/data/data/com.google.ctf.food/files/d.dex"

Then the area at 0x00001640+0x15a8 is written out to the file d.dex.

And finally the function sub_710 is called.

After analyzing this function, I realize that it replaces one part of the d.dex file with other data.

The decompiled source of this function is as below.

The replacement data is at 0x000015A0+0x90 and is xor-ed with 0x5a.

So I patched this data into d.dex manually with a binary editor, and decompiled d.dex again with the online service.
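The two manual steps above (carving d.dex out of libcook.so, then XOR-ing the 0x90-byte region with 0x5a and writing it into the dex) can be scripted. The following is an added example and not the author's or the challenge's code. It uses the offsets from the writeup, but the destination offset of the patch inside d.dex (PATCH_DEST) is not stated on the page and is a placeholder assumption, and the library bytes it runs on by default are constructed sample data, so it works offline.

```python
# Added example (not the author's or the challenge's code): carve the embedded
# DEX out of libcook.so and apply the XOR-obfuscated patch from the writeup.
# DEX_OFF/DEX_LEN, PATCH_OFF/PATCH_LEN and XOR_KEY are the values from the
# writeup; PATCH_DEST (where the patch lands inside d.dex) is not given on the
# page, so it is an assumed placeholder here.
import sys

DEX_OFF, DEX_LEN = 0x1640, 0x15A8      # from the writeup
PATCH_OFF, PATCH_LEN = 0x15A0, 0x90    # from the writeup
XOR_KEY = 0x5A                         # from the writeup
PATCH_DEST = 0x100                     # ASSUMPTION: not stated on the page


def carve_dex(so: bytes, dex_off: int = DEX_OFF, dex_len: int = DEX_LEN) -> bytes:
    """Return the DEX blob that the library writes out as d.dex."""
    if dex_off + dex_len > len(so):
        raise ValueError("DEX region runs past the end of the library")
    return so[dex_off:dex_off + dex_len]


def decode_patch(so: bytes, patch_off: int = PATCH_OFF, patch_len: int = PATCH_LEN,
                 key: int = XOR_KEY) -> bytes:
    """Return the replacement data with the single-byte XOR removed."""
    raw = so[patch_off:patch_off + patch_len]
    if len(raw) != patch_len:
        raise ValueError("patch region runs past the end of the library")
    return bytes(b ^ key for b in raw)


def apply_patch(dex: bytes, patch: bytes, dest: int = PATCH_DEST) -> bytes:
    """Overwrite dex[dest:dest+len(patch)]; the DEX size must not change."""
    if dest < 0 or dest + len(patch) > len(dex):
        raise ValueError("patch does not fit inside the DEX")
    return dex[:dest] + patch + dex[dest + len(patch):]


def rebuild_dex(so: bytes, dest: int = PATCH_DEST) -> bytes:
    """The whole procedure: carve, decode, patch. Returns the repaired DEX bytes."""
    return apply_patch(carve_dex(so), decode_patch(so), dest)


def build_sample_library() -> bytes:
    """Constructed stand-in for libcook.so (sample data, not the real file):
    a fake DEX with a recognisable marker at PATCH_DEST, and the XOR-encoded
    patch stored just before it, laid out at the writeup's offsets."""
    so = bytearray(DEX_OFF + DEX_LEN)
    dex = bytearray(DEX_LEN)
    dex[:8] = b"dex\n035\x00"                       # DEX magic
    dex[PATCH_DEST:PATCH_DEST + 8] = b"ORIGINAL"    # bytes the patch replaces
    so[DEX_OFF:DEX_OFF + DEX_LEN] = dex
    plain_patch = b"PATCHED!" + bytes(PATCH_LEN - 8)
    so[PATCH_OFF:PATCH_OFF + PATCH_LEN] = bytes(b ^ XOR_KEY for b in plain_patch)
    return bytes(so)


if __name__ == "__main__":
    # usage: python rebuild_dex.py libcook.so d.dex   (no args: run on the sample)
    so_bytes = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_library()
    fixed = rebuild_dex(so_bytes)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(fixed)
    print(f"{len(fixed):#x} bytes, magic {fixed[:8]!r}, "
          f"patched {fixed[PATCH_DEST:PATCH_DEST + 8]!r}")
```

Run it with the real library and an output path once PATCH_DEST is replaced by the destination offset recovered from sub_710; the bounds checks in each step catch the usual mistakes when offsets are transcribed wrongly (a region that runs past the end of the file, or a patch that does not fit in the dex).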

Then I find 4 files in the com/google/ctf/food directory. The C0000F class holds the flag value and a cc() function.

In cc(), the function C0004.m0() calculates the flag from flag and this.f2k.

I can compute this.f2k by xor-ing bArr with "\u0013\u0011\u0013\u0003\u0004\u0003\u0001\u0005", so I can find the flag by executing C0004.m0(flag, this.f2k).

I made a Java file of the m0 function and executed it (Java source at the link below).

https://github.com/nacayoshi00/CTF-writeup/blob/master/20170617_googleCTF/solve_.java
