干了这杯Java Writeup

Posted by Pwnhub on 2017-05-16

各位胖友,大家好!这里是胖哈勃电台。

上周五我们上了一道 Reverse ,十分感谢 @explorer 的贡献。本次题目貌似有点难度,最终只有三位胖友成功破解。

接下来,公布一下本次公开赛的 WriteUp ,来自本次比赛的题主。


这次的题目写作java reverse,读作crypto。
题目的源代码等比赛结束之后会在github上公开。地址如下:here

代码首先要求8个字节作为password,将这8个字节与一个table循环亦或之后作为索引去重新排序一个256字节的数组。然后将重排的数据做一个sha256然后比较。如果正确就将这段数据的MD5作为后面解密我们主类的AES密钥。

当然,256字节数据想还原出来是不太可能的。不过应该可以猜到,作为索引的那256个字节数组在异或我们的passcode之后,应该是0-254每个索引一个。不多不少才对。通过这个条件。就可以还原出8个字节的密钥。虽然会跑出不止一个key,但是剩下的key全部测试一遍就能找到正确的密钥了。
代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
import string
table = [166, 11, 230, 189, 10, 98, 164, 82, 18, 125, 248, 131, 119, 67, 177, 224, 75, 43, 40, 209, 237, 62, 97, 116, 110, 146, 77, 99, 222, 174, 163, 30, 38, 227, 58, 151, 0, 97, 244, 85, 188, 213, 67, 152, 156, 189, 179, 22, 230, 255, 200, 103, 243, 18, 17, 214, 21, 81, 140, 184, 113, 209, 216, 122, 73, 45, 48, 153, 190, 164, 115, 161, 88, 253, 33, 162, 55, 201, 136, 23, 56, 185, 50, 42, 143, 178, 238, 44, 222, 254, 126, 72, 189, 123, 217, 197, 125, 163, 104, 62, 169, 61, 106, 130, 164, 200, 111, 94, 52, 143, 129, 70, 194, 48, 57, 224, 49, 54, 143, 12, 93, 53, 71, 51, 176, 199, 102, 100, 209, 36, 90, 222, 123, 168, 69, 113, 162, 106, 54, 135, 131, 172, 213, 187, 196, 193, 26, 171, 33, 154, 123, 17, 57, 116, 109, 13, 215, 153, 51, 181, 253, 134, 25, 147, 82, 166, 221, 108, 178, 100, 7, 178, 8, 180, 72, 210, 42, 180, 17, 65, 145, 13, 193, 40, 8, 139, 5, 195, 203, 141, 156, 162, 94, 189, 238, 200, 96, 186, 62, 14, 172, 160, 92, 148, 212, 77, 248, 49, 225, 141, 106, 155, 27, 165, 109, 185, 29, 186, 41, 216, 213, 75, 191, 213, 135, 242, 204, 158, 86, 200, 209, 220, 104, 47, 175, 19, 2, 102, 104, 145, 65, 5, 103, 69, 187, 87, 45, 138, 223, 9, 242, 110, 87, 204, 112, 55]
def check(key):
i = 0
l = []
while i < len(key):
for j in range(32):
l.append(table[j*8 + i] ^ ord(key[i]))
i += 1
if len(set(l)) == len(l):
return True
else:
return False
def run(key):
if len(key) == 8:
print key
return
for i in string.printable:
if check(key+i):
run(key+i)
run('')

知道了密钥之后就可以解密出那个加密的类的。写java代码解密也行,直接内存dump也行。javaagent也行。总之都能获得得到class。

下面这个是我用来加密class用的程序。稍微改一改就可以用来解密。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
import com.sun.crypto.provider.AESKeyGenerator;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.*;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class en {
public static void main(String[] args) throws URISyntaxException, IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidAlgorithmParameterException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
File f = new File("C:/nameless/Dropbox/preject/java/license/out/production/license/License/a.class");
en(f,Cipher.ENCRYPT_MODE);
}
private static void en(File a,int flag) throws IOException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidAlgorithmParameterException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
File f = a;
FileInputStream fi = new FileInputStream(f);
long len = f.length();
byte[] raw = new byte[(int)len];
int r = fi.read(raw);
if(r != len){
System.out.println(a+":can't read");
}
System.out.println(raw.length);
byte[] code = new byte[]{30 , -15 , 69 , -126 , 9 , 120 , -11 , -14 , -32 , -61 , 31 , -44 , -80 , -33 , 15 , 46 , 16 , 71 , -71 , 102 , 20 , -15 , 48 , -32 , 62 , 79 , 49 , -61 , -27 , -124 , 53 , 87 , -12 , 53 , -128 , 55 , -101 , 98 , -22 , 34 , 58 , -29 , 70 , -125 , -119 , 22 , 12 , 18 , -51 , 0 , 74 , 124 , -41 , -96 , -54 , 114 , 24 , 93 , -48 , 84 , 66 , -86 , -87 , 78 , 32 , 124 , -12 , -98 , 52 , -45 , -66 , -95 , 50 , -126 , 2 , 68 , 7 , 55 , -116 , 30 , 36 , -29 , 32 , -15 , 17 , 29 , 72 , 106 , 110 , -34 , -97 , 124 , 56 , -5 , 87 , -80 , -61 , 53 , 82 , 86 , -115 , 111 , -33 , 42 , 69 , -122 , 34 , -35 , 109 , -101 , -21 , 118 , -66 , 90 , 66 , -27 , -126 , -65 , 85 , -122 , 36 , 66 , -109 , 34 , -20 , 43 , -112 , 28 , 33 , -30 , 100 , -5 , 65 , -111 , 123 , 12 , -59 , -54 , 84 , 9 , -9 , -59 , -21 , -42 , 37 , 70 , 8 , -60 , 120 , -52 , -2 , -24 , 15 , -81 , 91 , 18 , 100 , 9 , 18 , -20 , 73 , 63 , -22 , 72 , -107 , 23 , -6 , 40 , 3 , -98 , -54 , -76 , 124 , -59 , 31 , -41 , 2 , -25 , 50 , -65 , -50 , -49 , 60 , -85 , 12 , 50 , -128 , -37 , -60 , 59 , 27 , 67 , -124 , -121 , 37 , 47 , -50 , 10 , 117 , 21 , -29 , 67 , -80 , -64 , 44 , 103 , -96 , 109 , 27 , 21 , 3 , 115 , 59 , 59 , -104 , 113 , -45 , 105 , -23 , 6 , -89 , 53 , -39 , 82 , 51 , 29 , 63 , 65 , 35 , -108 , -37 , 23 , 76 , 25 , 113 , -37 , 95 , 38 , -79 , 12 , 50 , -125 , -61 , -109 , -98 , 99 , -87 , 124 , 11 , 38 , 60 , -75 , 39 , 18 , 103 , 72};
String ivStr = "****************";
MessageDigest md = MessageDigest.getInstance("MD5");
md.update(code);
byte[] key = md.digest();
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
SecretKeySpec skey = new SecretKeySpec(key,"AES");
IvParameterSpec iv = new IvParameterSpec(ivStr.getBytes());
cipher.init(flag,skey,iv);
byte[] en = cipher.doFinal(raw);
String name = a.getName();
byte[] data = new byte[name.length()-6];
System.arraycopy(name.getBytes(),0,data,0,name.length()-6);
File b = new File("C:/nameless/Dropbox/preject/java/license/out/production/license/License/"+md5(data)+".class");
FileOutputStream fo = new FileOutputStream(b);
System.out.println(en.length);
fo.write(en);
fi.close();
f.delete();
}

然后就是主角licens类的逆向了。每个函数对应的加密算法是什么可以看看我的源代码。函数名称已经写清楚了。
总的来说就是按照要求输入license,如果license正确就可以直接获得flag。具体的license格式就不赘述了,源码一看就清楚。这里就说说构造license里比较麻烦的两个rsa。

第一个rsa是对DES解密时候的key的加密。由于代码中只能得到N和e的值,即使密钥是由我们自己指定的,不知道d也没办法正确的加密密钥。
不过熟悉rsa的童鞋应该都清楚在e特别大而d特别小的时候可以使用Wiener’s attack来计算d。用github找的攻击脚本就能得到d。

然后就是license最后有个数字签名。这次的rsa用的e就是正规的0x10001没有办法破解了。但是数字签名使用的算法是crc。了解过crc的应该清楚。通过数据末尾的冗余数据来控制crc的生产是很容易的事情。只要通过license内字段的冗余就可以控制crc从而绕过数字签名的检查。

这里是给定数据和指定crc,计算应该添加到末尾的4字节冗余数据的脚本。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
from libnum import *
from zlib import crc32
from pwn import *
from ctypes import *
import struct
crc_table = [0x0,0x77073096,0xee0e612c,0x990951ba,0x76dc419,0x706af48f,0xe963a535,0x9e6495a3,0xedb8832,
0x79dcb8a4,0xe0d5e91e,0x97d2d988,0x9b64c2b,0x7eb17cbd,0xe7b82d07,0x90bf1d91,0x1db71064,
0x6ab020f2,0xf3b97148,0x84be41de,0x1adad47d,0x6ddde4eb,0xf4d4b551,0x83d385c7,0x136c9856,
0x646ba8c0,0xfd62f97a,0x8a65c9ec,0x14015c4f,0x63066cd9,0xfa0f3d63,0x8d080df5,0x3b6e20c8,
0x4c69105e,0xd56041e4,0xa2677172,0x3c03e4d1,0x4b04d447,0xd20d85fd,0xa50ab56b,0x35b5a8fa,
0x42b2986c,0xdbbbc9d6,0xacbcf940,0x32d86ce3,0x45df5c75,0xdcd60dcf,0xabd13d59,0x26d930ac,
0x51de003a,0xc8d75180,0xbfd06116,0x21b4f4b5,0x56b3c423,0xcfba9599,0xb8bda50f,0x2802b89e,
0x5f058808,0xc60cd9b2,0xb10be924,0x2f6f7c87,0x58684c11,0xc1611dab,0xb6662d3d,0x76dc4190,
0x1db7106,0x98d220bc,0xefd5102a,0x71b18589,0x6b6b51f,0x9fbfe4a5,0xe8b8d433,0x7807c9a2,
0xf00f934,0x9609a88e,0xe10e9818,0x7f6a0dbb,0x86d3d2d,0x91646c97,0xe6635c01,0x6b6b51f4,
0x1c6c6162,0x856530d8,0xf262004e,0x6c0695ed,0x1b01a57b,0x8208f4c1,0xf50fc457,0x65b0d9c6,
0x12b7e950,0x8bbeb8ea,0xfcb9887c,0x62dd1ddf,0x15da2d49,0x8cd37cf3,0xfbd44c65,0x4db26158,
0x3ab551ce,0xa3bc0074,0xd4bb30e2,0x4adfa541,0x3dd895d7,0xa4d1c46d,0xd3d6f4fb,0x4369e96a,
0x346ed9fc,0xad678846,0xda60b8d0,0x44042d73,0x33031de5,0xaa0a4c5f,0xdd0d7cc9,0x5005713c,
0x270241aa,0xbe0b1010,0xc90c2086,0x5768b525,0x206f85b3,0xb966d409,0xce61e49f,0x5edef90e,
0x29d9c998,0xb0d09822,0xc7d7a8b4,0x59b33d17,0x2eb40d81,0xb7bd5c3b,0xc0ba6cad,0xedb88320,
0x9abfb3b6,0x3b6e20c,0x74b1d29a,0xead54739,0x9dd277af,0x4db2615,0x73dc1683,0xe3630b12,
0x94643b84,0xd6d6a3e,0x7a6a5aa8,0xe40ecf0b,0x9309ff9d,0xa00ae27,0x7d079eb1,0xf00f9344,
0x8708a3d2,0x1e01f268,0x6906c2fe,0xf762575d,0x806567cb,0x196c3671,0x6e6b06e7,0xfed41b76,
0x89d32be0,0x10da7a5a,0x67dd4acc,0xf9b9df6f,0x8ebeeff9,0x17b7be43,0x60b08ed5,0xd6d6a3e8,
0xa1d1937e,0x38d8c2c4,0x4fdff252,0xd1bb67f1,0xa6bc5767,0x3fb506dd,0x48b2364b,0xd80d2bda,
0xaf0a1b4c,0x36034af6,0x41047a60,0xdf60efc3,0xa867df55,0x316e8eef,0x4669be79,0xcb61b38c,
0xbc66831a,0x256fd2a0,0x5268e236,0xcc0c7795,0xbb0b4703,0x220216b9,0x5505262f,0xc5ba3bbe,
0xb2bd0b28,0x2bb45a92,0x5cb36a04,0xc2d7ffa7,0xb5d0cf31,0x2cd99e8b,0x5bdeae1d,0x9b64c2b0,
0xec63f226,0x756aa39c,0x26d930a,0x9c0906a9,0xeb0e363f,0x72076785,0x5005713,0x95bf4a82,
0xe2b87a14,0x7bb12bae,0xcb61b38,0x92d28e9b,0xe5d5be0d,0x7cdcefb7,0xbdbdf21,0x86d3d2d4,
0xf1d4e242,0x68ddb3f8,0x1fda836e,0x81be16cd,0xf6b9265b,0x6fb077e1,0x18b74777,0x88085ae6,
0xff0f6a70,0x66063bca,0x11010b5c,0x8f659eff,0xf862ae69,0x616bffd3,0x166ccf45,0xa00ae278,
0xd70dd2ee,0x4e048354,0x3903b3c2,0xa7672661,0xd06016f7,0x4969474d,0x3e6e77db,0xaed16a4a,
0xd9d65adc,0x40df0b66,0x37d83bf0,0xa9bcae53,0xdebb9ec5,0x47b2cf7f,0x30b5ffe9,0xbdbdf21c,
0xcabac28a,0x53b39330,0x24b4a3a6,0xbad03605,0xcdd70693,0x54de5729,0x23d967bf,0xb3667a2e,
0xc4614ab8,0x5d681b02,0x2a6f2b94,0xb40bbe37,0xc30c8ea1,0x5a05df1b,0x2d02ef8d]
data = '1491998457.399855\x001\x00explorer\x00test license'
target_crc = 764206822
m_crc = crc32(data)
m_crc = struct.unpack('I',struct.pack('i',m_crc))[0]
m_crc = m_crc ^ 0xffffffff
for i in range(len(crc_table)):
if crc_table[i] & 0xff000000 == target_crc & 0xff000000:
print i
c1 = crc_table[i]
i1 = i
for i in range(len(crc_table)):
if (c1 & 0x00ff0000) ^ ((crc_table[i]&0xff000000)>>8) == target_crc & 0x00ff0000:
print i
c2 = crc_table[i]
i2 = i
for i in range(len(crc_table)):
if (c1 & 0x0000ff00) ^ ((c2&0x00ff0000)>>8) ^ ((crc_table[i]&0xff000000)>>16) == target_crc & 0x0000ff00:
print i
c3 = crc_table[i]
i3 = i
for i in range(len(crc_table)):
if (c1 & 0x000000ff) ^ ((c2&0x0000ff00)>>8) ^ ((c3&0x00ff0000)>>16) ^ ((crc_table[i]&0xff000000)>>24) == target_crc & 0x000000ff:
print i
c4 = crc_table[i]
i4 = i
b1 = (m_crc & 0xff) ^ i4
m_crc = crc_table[i4] ^ (m_crc >> 8);
b2 = (m_crc & 0xff) ^ i3
m_crc = crc_table[i3] ^ (m_crc >> 8);
b3 = (m_crc & 0xff) ^ i2
m_crc = crc_table[i2] ^ (m_crc >> 8);
b4 = (m_crc & 0xff) ^ i1
m_crc = crc_table[i1] ^ (m_crc >> 8);
print m_crc
print hex(b1),hex(b2),hex(b3),hex(b4)

至于加解密使用的e,d,N都在源代码的注释中。
最后是一个我自己生成的license

1
AAIAADAAAAAAAgAAQ8yAwSSbaDaZEc/9Vh96kMcppEY6bXYr9y9yO1msaWKic5lDgFOahtOQOJER3paZW9ZdH/MyK8DQOvvmJ+52mAk5YiRVQ52jEnQuzpQjwC1ZkZtsKnh5hVnr6+kzJLQC+AtQsa3EG0gbjLi9MGXw6I+Su7wY6skuXLBJB2Diu3pytTy0HNeO2lKVGeyK7TQ6CL9isbEBolly3F99jN35XnsCw3tUQLvBgVMc3He57MOCOQVi8N/Btaa32OCSU+TNS4QhLqTk9DBrPkrqHZ/fCODwhaogGyQJHQcFOa1ForyKiZhzzSLvsP1JmqxmGKfF+G+lMNwtheomgo9/B/WJApQHQBWKP20skvTL2rVmBtQqMZZo08j5hSfhCksoOT7TnQuaD5uLojGc/ocnAY1Wcy5z4fEtCp0c2aGUbdqJ1XCBO5PNyRPBb5TMpyhMk3OonpflzIKK/tsMgdRxnaxKLqV7v30GKKeC8sdn/ntsIDhU+fctc4tAY5Xt7nZPT1oWm1LYMONxNV9ftQ3hZT/OI1sOId2Memrq6JlhsxD/mpFoa8HffhuAgekBdQSaItk/6UtfrfFD45POVTufEX7twEuW8Io1WzK5OM+2AMlo1wRtkI95egXxxIDJCOykj2aC2L5KGcfV4pj7VzpLf55qrwrYtJhH+vi5tG5z+fh5KlMe+XS5kwIVhiBnfez9CSr+9jyFRN2WJm953ruyXZUdUAJwrLe5ywgJgf6guLZI0uvANVdKMTaFrtbyP8W+txPmKSdeEpZDGqhkddblHbXNYpyqyntRk4k0R8s76/7P4Zc90nmJ8KwBjF3Kqf9VK7c6rXs+qiJzS4T3aGj50qsHxJ1S3GTLo6cI0wvY0/9uORe8Vrc25zpphcZQIcT9sbRlaMl6lW95ZICUlGAL4CWdPX083iGyeu04vBOAgSeIzrAsTDr6RaKHPFr2bTxnIs+dhb66pXWbn2PgzhHsHdJ8YK8EHb5TtJFS5LM0Zk0jnhk2ntGdC4YIPW64w6K4/SjsLlzvG52qRLZ8w1G+B3zEMzbtppLy4swBN3bt6X6mnvJdJkSLJR3+tJkXWPzlHNi3c+RCuscpeEZMiE1yEe7ClyQRuzMPPcapPZXIyNfzLISrrgfZmatfnkvmgn757g9BeFYsiyvLyy8N3gE5fNRii9Q/AxlU/kTFj/quzxuMu7UyDt05A7CpRZDGQVxGLyy8AS/Ij9kx5HwdL27uCzeCFlNtLpRiGay8+bslmVDDucTHGQPATIcLohhGaNIwf1pO5u8NKr6VxqJZovGdswWTABmzPaT7r6TaGmFki98YdG3KGs+cObeVrq+pj1+cdGDsmGsOil9ectAtuQHv4CHPF2MxIX7GBcpglP0e8Cektxx/NXiodGJCyf4wd/BQNBxJQlq9XkDld9aORcirBmUCNjHFDiOp3MSs+uBA0vqU/1VxCCkU

最后打个广告:欢迎各位踊跃投稿题目呀,有任何好玩的、刺激的、有趣的思路,都可以大胆实现!

本次播报到此结束,关注 PwnHub ,准备搞事情啦——5/27 的 成信“胖哈勃杯” CTF大赛等你来燥!