数据加密
crackme
找到关键函数。因为不知道 CCCrypt(0, 0, 1u, ...) 对应什么算法，得到正确的 key 和 iv 后尝试解密。
// Decompiler (IDA) output, reformatted for readability; tokens unchanged.
// Checks the NUL-terminated candidate password a1 by ENCRYPTING it with
// CommonCrypto's CCCrypt and comparing the single resulting block against the
// stored constant encrypted_system_password. Returns 1 on match, 0 on
// mismatch or on any CCCrypt error.
//
// CCCrypt(op = 0, alg = 0, options = 1u, ...) is kCCEncrypt,
// kCCAlgorithmAES128, kCCOptionPKCS7Padding (CommonCryptor.h): AES-128 in
// CBC mode with PKCS#7 padding, 16-byte key and 16-byte IV.
__int64 __fastcall verify_system_password(const void *a1)
{
  _BYTE v2[4]; // [xsp+20h] [xbp-90h] BYREF -- stack anchor; dataOut is carved out below it
  __int64 *v3; // [xsp+28h] [xbp-88h] -- base of the qword_1000140B0 block; the ++v3[k] writes look like instrumentation/profiling counters -- TODO confirm
  _BYTE *dataOut; // [xsp+30h] [xbp-80h] -- stack-allocated ciphertext buffer
  int v5; // [xsp+3Ch] [xbp-74h] -- assigned in both branches, never read (dead store left by the decompiler)
  int i; // [xsp+44h] [xbp-6Ch]
  const char *v8; // [xsp+48h] [xbp-68h] -- XOR mask used to unmask key and IV
  size_t dataOutMoved[3]; // [xsp+50h] [xbp-60h] BYREF -- [0] receives the byte count written by CCCrypt; [1] and [2] are reused as scratch for the buffer size and base
  size_t dataOutAvailable; // [xsp+68h] [xbp-48h] -- capacity of dataOut
  size_t v11; // [xsp+70h] [xbp-40h] -- strlen(a1)
  const void *v12; // [xsp+78h] [xbp-38h] -- copy of a1
  unsigned int v13; // [xsp+84h] [xbp-2Ch] -- result: 1 = match, 0 = mismatch or error
  char iv[16]; // [xsp+88h] [xbp-28h] BYREF -- unmasked IV
  char key[16]; // [xsp+98h] [xbp-18h] BYREF -- unmasked AES-128 key

  v3 = &qword_1000140B0;
  v12 = a1;
  ++qword_1000140B0;
  v11 = strlen((const char *)a1);
  // Round the input length up to the next whole 16-byte block above it:
  // exactly the size of the PKCS#7-padded ciphertext.
  dataOutAvailable = (v11 + 16) & 0xFFFFFFFFFFFFFFF0LL;
  // Variable-size stack allocation (alloca-style) for dataOut, 16-byte aligned.
  dataOutMoved[2] = (size_t)v2;
  dataOut = &v2[-((dataOutAvailable + 15) & 0xFFFFFFFFFFFFFFF0LL)];
  dataOutMoved[1] = dataOutAvailable;
  dataOutMoved[0] = 0LL;
  // Key and IV are stored XOR-masked with this fixed 16-character string.
  // The mask, the masked key and the masked IV are all constants in the
  // binary, so this is obfuscation of the key material, not protection.
  v8 = "1234561234561234";
  for ( i = 0; i < 16; ++i )
  {
    ++v3[1];
    key[i] = encrypted_system_key[i] ^ v8[i];
    iv[i] = encrypted_system_iv[i] ^ v8[i];
  }
  print_crypto_info();
  // A nonzero CCCryptorStatus means the encryption failed; treated as "no match".
  if ( CCCrypt(0, 0, 1u, key, 0x10uLL, iv, v12, v11, dataOut, dataOutAvailable, dataOutMoved) )
  {
    ++v3[2];
    v13 = 0;
    v5 = 1;
  }
  else
  {
    // Exactly one ciphertext block is accepted, i.e. the input was 0..15
    // bytes before PKCS#7 padding; longer inputs are rejected without comparing.
    if ( dataOutMoved[0] == 16 )
    {
      // 16-byte compare of the computed ciphertext against the stored
      // reference; v13 becomes 1 on equality, 0 otherwise. memcmp is not a
      // constant-time comparison (it stops at the first differing byte).
      LOBYTE(v13) = memcmp(dataOut, &encrypted_system_password, 0x10uLL) == 0;
      v13 = (unsigned __int8)v13;
    }
    else
    {
      ++v3[3];
      v13 = 0;
    }
    v5 = 1;
  }
  return v13;
}
隐私合规
TaskPrivate(1)
发现des和base64
只找到了key,猜测key和iv是一样的
密文先from hex再解base64,最后des解密
**MD5{银行卡+密码}**后提交
TaskPrivate(2)
MainActivity里找到申请读取短信和打电话的权限
md5后得到flag