wang's No Hack No CTF 2024 official-Writeup

First of all, I would like to apologize. This is my first time as a challenge author and it did not turn out very well. I don't know why so few people solved it.

(Sorry for my English, I used Google Translate.)

CTFtime

Kid game

Preface

This challenge came about because a school course was teaching how to design apps with App Inventor. I noticed it has an interesting function, did a quick reverse of it, and found that it is fairly easy to deobfuscate, so this Reverse challenge was born.


Writeup

Open it on an Android phone or emulator.

Decompile the apk; here I used www.decompiler.com.

Because the game screen mentions the flag, search directly for the keyword flag and look at the nearby code. The key part turns out to be an obfuscated string.

Next, analyze the deobfuscation function.

Write a script to deobfuscate the string from Screen1.java:
\u0016\u0005\u0018\u0000\u0018\f\u0005\t\u001b\t.\u0010\t;\u0018\u0000\u000f\u001b\u000f\u0002\u0000\u000f\u0015\u0019\r\f
KEY: jpapuipn
How did I write it? I just asked chatGPT.

def text_deobfuscate(text, key):
    # The length of the obfuscated text
    text_length = len(text)
    decoded = []

    # Extend the key to match the length of the text
    extended_key = (key * ((text_length // len(key)) + 1))[:text_length]

    # Iterate through each character in the obfuscated text
    for i in range(text_length):
        obf_char = text[i]
        key_char = extended_key[i]

        # Get the character codes
        obf_char_code = ord(obf_char)
        key_char_code = ord(key_char)

        # Decode: XOR with the remaining length, then with the key byte
        decoded_char_code = (obf_char_code ^ (text_length - i)) & 0xFF
        decoded_char_code = (decoded_char_code ^ key_char_code) & 0xFF

        # Append the decoded character to the result
        decoded.append(chr(decoded_char_code))

    return ''.join(decoded)

# Obfuscated text and key
obfuscated_text = "\u0016\u0005\u0018\u0000\u0018\f\u0005\t\u001b\t.\u0010\t;\u0018\u0000\u000f\u001b\u000f\u0002\u0000\u000f\u0015\u0019\r\f"
key = "jpapuipn"

# Perform deobfuscation
decoded_text = text_deobfuscate(obfuscated_text, key)
print(decoded_text)

FLAG:flag{patch_or_deobfuscate}

In fact, you can also patch Screen1.java:

if (runtime.callYailPrimitive(moduleMethod, LList.list2(runtime.getProperty$1(simpleSymbol, simpleSymbol2), runtime.callYailPrimitive(runtime.text$Mndeobfuscate, LList.list2("\u0010\f\u0004\u0004", "rcgbiqei"), Lit33, "deobfuscate text")), Lit34, "=") == Boolean.FALSE) {
    return null;
}

Patch the == to != so the check is inverted.
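As an added example (not part of the original writeup), the same XOR routine as the script above, plus a small scanner that pulls every text$Mndeobfuscate call out of decompiled App Inventor source and decodes it. This recovers both strings on this page, the flag the script decodes and the "\u0010\f\u0004\u0004" literal inside the patched comparison, without patching anything. The Java snippet inside is constructed from the two calls shown here and is not the real Screen1.java.

```python
import re

# Shape of the call in decompiled App Inventor output: text$Mndeobfuscate, LList.list2("obf", "key")
CALL_RE = re.compile(
    r'text\$Mndeobfuscate,\s*LList\.list2\('
    r'"((?:[^"\\]|\\.)*)",\s*"((?:[^"\\]|\\.)*)"\)'
)

def text_deobfuscate(text, key):
    """Same scheme as the writeup's script: XOR each byte with the remaining length, then the key."""
    n = len(text)
    out = []
    for i, ch in enumerate(text):
        c = (ord(ch) ^ (n - i)) & 0xFF
        c = (c ^ ord(key[i % len(key)])) & 0xFF
        out.append(chr(c))
    return "".join(out)

def text_obfuscate(plain, key):
    """XOR is its own inverse, so applying the steps in reverse order re-creates the obfuscated form."""
    n = len(plain)
    out = []
    for i, ch in enumerate(plain):
        c = (ord(ch) ^ ord(key[i % len(key)])) & 0xFF
        c = (c ^ (n - i)) & 0xFF
        out.append(chr(c))
    return "".join(out)

def unescape_java(literal):
    """Turn the escaped Java literal (\\uXXXX, \\f, \\t, ...) into real characters."""
    return literal.encode("latin-1").decode("unicode_escape")

def find_deobfuscate_calls(java_src):
    """Return (obfuscated, key, decoded) for every text$Mndeobfuscate call in the source."""
    results = []
    for m in CALL_RE.finditer(java_src):
        obf, key = unescape_java(m.group(1)), unescape_java(m.group(2))
        results.append((obf, key, text_deobfuscate(obf, key)))
    return results

# Constructed sample modelled on the two calls in the writeup (not the real decompiled file).
SAMPLE_JAVA = r'''
runtime.callYailPrimitive(runtime.text$Mndeobfuscate, LList.list2("\u0016\u0005\u0018\u0000\u0018\f\u0005\t\u001b\t.\u0010\t;\u0018\u0000\u000f\u001b\u000f\u0002\u0000\u000f\u0015\u0019\r\f", "jpapuipn"), Lit33, "deobfuscate text");
runtime.callYailPrimitive(runtime.text$Mndeobfuscate, LList.list2("\u0010\f\u0004\u0004", "rcgbiqei"), Lit33, "deobfuscate text");
'''

if __name__ == "__main__":
    for obf, key, plain in find_deobfuscate_calls(SAMPLE_JAVA):
        print(f"key={key!r} -> {plain!r}")
```

The second literal decodes to "flag", which is the value the patched if-statement compares against.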