20210424解题
# 算法还原
import binascii
from Crypto.Cipher import AES
from Crypto.Util import Padding
def get_cipher():
    """Return a fresh AES-CBC cipher configured with the reconstructed key and IV.

    Both constants are 16 bytes long, so this is AES-128 in CBC mode. They are
    presumably the values logged by the accompanying hook script ("aes key" /
    "aes iv" return values) -- confirm against the hook output.

    Security note: with the key and the IV both fixed, equal plaintexts always
    produce equal ciphertexts, and anyone who recovers the two constants can
    decrypt every message. CBC on its own also gives no integrity protection.
    """
    aes_key = b'goodl-aes-key124'
    aes_iv = b'goodl-aes-iv1235'
    # A new object is built on every call so that encrypt() and decrypt()
    # never share chaining state.
    return AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)
def encrypt(plaintext: str):
    """Encrypt *plaintext* the way the reconstructed algorithm does and print it.

    The literal marker 'REAL' is appended, the result is UTF-8 encoded and
    padded to the 16-byte AES block size, then encrypted with the cipher from
    get_cipher(). The hex-encoded ciphertext is printed as a ``bytes`` value;
    nothing is returned.
    """
    tagged = (plaintext + 'REAL').encode('utf-8')
    padded = Padding.pad(tagged, 16)
    hex_ciphertext = binascii.b2a_hex(get_cipher().encrypt(padded))
    print(hex_ciphertext)
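def decrypt(ciphertext: str):
    """Decrypt a hex-encoded ciphertext and print the recovered plaintext.

    Args:
        ciphertext: Hex string whose decoded length is a multiple of 16 bytes.

    Raises:
        binascii.Error: If *ciphertext* is not valid hex.
        ValueError: If the decrypted data does not carry valid padding, which
            is what a wrong key/IV or a corrupted ciphertext looks like here.
    """
    raw = binascii.a2b_hex(ciphertext)
    padded = get_cipher().decrypt(raw)
    text = Padding.unpad(padded, 16).decode('utf-8')
    # encrypt() appends the 'REAL' marker exactly once, at the end. Strip only
    # that trailing marker: a blanket replace() would also delete any 'REAL'
    # that is part of the message itself.
    if text.endswith('REAL'):
        text = text[:-len('REAL')]
    print(text)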
# Fixed string printed by the author; its role is not shown in this file.
print('r0ysuell0vey0us0much')

# Round-trip check left disabled by the author:
# plaintext = 'a'
# encrypt(plaintext)

# Decrypt the two captured hex ciphertexts with the reconstructed key and IV.
for ciphertext in (
    '4143cb60bf8083ac94c57418a9a7ff5a',
    '57fdeca2cac0509b2e9e5c52a5b573c1',
):
    decrypt(ciphertext)

# Value pairs recorded by the author: the first column is the ciphertext
# decrypted above; the meaning of the second column is not stated here.
# 4143cb60bf8083ac94c57418a9a7ff5a 14a63feade6b46d9d0af3182ccbdf7af
# 57fdeca2cac0509b2e9e5c52a5b573c1 608a33ac1ffb9e8210d2e129557e7f1b
// hook脚本
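/**
 * Attach logging interceptors to four routines inside libroysue.so.
 *
 * One routine is located through the module's export table
 * ("ll11l1l1ll"); the other three are located by fixed offsets from the
 * module base. Each interceptor prints the routine's return value as a C
 * string, and two of them also print their first argument on entry.
 *
 * Security note: the hooks show that the AES key, the IV and the plaintext
 * buffers pass through ordinary function return values, so obfuscated symbol
 * names alone do not keep them from being read at runtime.
 */
function hook(){
    var so_name = "libroysue.so";

    /**
     * Install one logging interceptor.
     *
     * @param symbol    Obfuscated routine name, used only in the log line.
     * @param name      Human-readable name echoed in the logs.
     * @param address   NativePointer of the routine to intercept.
     * @param label     Prefix for the return-value log line.
     * @param log_arg0  When true, also log the first argument on entry.
     */
    function attach_logger(symbol, name, address, label, log_arg0){
        console.log("attaching libroysue_" + symbol + " ", name, address);
        Interceptor.attach(address, {
            onEnter: function(args){
                if(!log_arg0) return;
                console.log("Entering => ", name);
                // assumes the first argument points to a NUL-terminated string -- TODO confirm
                console.log("args0 => ", args[0].readCString());
            },
            onLeave: function(retval){
                // assumes the routine returns a pointer to a NUL-terminated string -- TODO confirm
                console.log(label + " retval => ", retval.readCString());
            }
        });
    }

    // Exported routine: resolve it by name so that it follows the export table.
    var modules = Process.enumerateModules();
    for(var i = 0; i < modules.length; i++){
        if(modules[i].name != so_name) continue;
        var exports = modules[i].enumerateExports();
        for(var j = 0; j < exports.length; j++){
            if(exports[j].name == "ll11l1l1ll"){
                attach_logger("ll11l1l1ll", exports[j].name, exports[j].address, "aes plaintext 1", true);
            }
        }
    }

    // findBaseAddress() returns null when the library is not mapped yet;
    // calling .add() on null would abort the script with a TypeError.
    var base_addr = Module.findBaseAddress(so_name);
    if(base_addr === null){
        console.log(so_name + " is not loaded; skipping offset-based hooks");
        return;
    }

    // Non-exported routines, addressed by offset from the module base. The
    // offsets are tied to the specific build of the library that was analysed.
    // NOTE(review): the extra +1 presumably sets the Thumb bit for 32-bit ARM
    // code -- confirm against the target ABI before reusing on another build.
    var offset_hooks = [
        {symbol: "ll11lll1l1", name: "aes_key_func",     offset: 0x3CC10, label: "aes key",         log_arg0: false},
        {symbol: "ll11l1l1l1", name: "aes_iv_func",      offset: 0x3D1FC, label: "aes iv",          log_arg0: false},
        {symbol: "ll11l1l11l", name: "plaintext_2_func", offset: 0x3CA5C, label: "aes plaintext 2", log_arg0: true}
    ];
    for(var k = 0; k < offset_hooks.length; k++){
        var h = offset_hooks[k];
        attach_logger(h.symbol, h.name, base_addr.add(h.offset).add(1), h.label, h.log_arg0);
    }
}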
// Script entry point: log that the script has started, then install the hooks.
function main(){
    console.log("Entering main");
    hook();
}
// Schedule main() to run once the script has finished loading.
setImmediate(main);