CTF WriteUp

HSpace CTF Pengsu Wallet - Mobile

Realsung 2021. 5. 11. 01:38

대회때 거의 다 했는데 Log.d로 출력하는거 못 봐서 아쉽게 마무리 못했던 문제이다.

Hooking해서 풀어도 되고 아니면 그냥 AES Decrypt 해도 됐다.

문제 풀이 과정은 간단하다. 블루스택이나 녹스를 사용할때 루팅으로 후킹해서 문제를 풀려면 루팅체크하는 부분을 우회해서 후킹을 해야한다. 출제자 풀이를 보면 finish 후킹했는데 나는 라이브러리 후킹해서 풀었다. finish 후킹할 생각을 못해서 조금 시간 뺏겼다. 그 이후로는 쉬움!


PS. 문제 풀면서 느낀게 jadx보단 jeb가 훨씬 좋다 ㅇㅇ.. (유료가 최고임)



package com.hspace.pengsu;

import android.os.Bundle;
import android.util.Log;
import android.view.View.OnClickListener;
import android.view.View;
import android.widget.ImageButton;
import android.widget.ProgressBar;
import android.widget.TextView;
import android.widget.Toast;
import b.b.c.h;
import b.b.c.u;
import c.b.a.a.a;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.util.Random;

public class MainActivity extends h implements View.OnClickListener {
    public int o;
    public Random p;
    public TextView q;
    public ProgressBar r;
    public ImageButton[] s;
    public RootCheck t;
    public static final int[] u;
    public static int v;

    public static {
        MainActivity.u = new int[]{0x7F0800B7, 0x7F0800B8, 0x7F0800B9, 0x7F0800BA, 0x7F0800BB, 0x7F0800BC, 0x7F0800BD, 0x7F0800BE};  // id:ib1
        MainActivity.v = 0;

    public MainActivity() {
        this.o = 0;
        this.p = new Random();

    @Override  // android.view.View$OnClickListener
    public void onClick(View arg5) {
        int v5 = this.p.nextInt(10);
        this.o = v5;
        int v1 = MainActivity.v + v5;
        MainActivity.v = v1;
        if(v1 == 100) {
            try {
            catch(Exception v5_1) {

        if(this.o != 3 && this.o != 5 && this.o != 7 && this.o != 9 && this.o != 10) {
            TextView v5_2 = this.q;
            StringBuilder v0 = c.a.a.a.a.f("Pengsu\'s Wallet : ");

        MainActivity.v = 0;
        TextView v5_3 = this.q;
        StringBuilder v0_1 = c.a.a.a.a.f("Pengsu\'s Wallet : ");

    @Override  // b.b.c.h
    public void onCreate(Bundle arg6) {
        this.s = new ImageButton[8];
        this.setContentView(0x7F0B001C);  // layout:activity_main
        this.q = (TextView)this.findViewById(0x7F0801A0);  // id:wallet
        this.findViewById(0x7F0801A1);  // id:wallet2
        this.r = (ProgressBar)this.findViewById(0x7F080128);  // id:progress
        ((u)this.o()).e.setTitle("Make Pengsu earn 100$");
        this.q.setText("Pengsu\'s Wallet : 0");
        int v0;
        for(v0 = 0; v0 < 8; ++v0) {
            this.s[v0] = (ImageButton)this.findViewById(MainActivity.u[v0]);

        RootCheck v6 = new RootCheck();
        this.t = v6;
        if(!v6.rootCheck()) {
            StringBuffer v2 = new StringBuffer();
            try {
                Process v6_2 = Runtime.getRuntime().exec("ps adbd");
                BufferedReader v3 = new BufferedReader(new InputStreamReader(v6_2.getInputStream()));
                while(true) {
                    String v6_3 = v3.readLine();
                    if(v6_3 == null) {

                    v2.append(v6_3 + "\n");
            catch(Exception v6_1) {

            if(v2.toString().indexOf("bad") != -1) {
                Toast.makeText(this, "No Rooted or ADB Process Detected", 1).show();
                Log.d("MainActivity", "Detection Not Rooted or ADB!");

        Toast.makeText(this, "Detection Rooted or ADB Process!", 1).show();
        Log.d("MainActivity", String.valueOf(this.t.rootCheck()));
        Log.d("MainActivity", "Detection Rooted or ADB Process!");



package com.hspace.pengsu;

public class RootCheck {
    public static {

    public static native String a() {

    public native boolean rootCheck() {



__int64 __fastcall Java_com_hspace_pengsu_RootCheck_rootCheck()
  unsigned int v0; // ebx

  if ( !access("/sbin/su", 0)
    || !access("/system/su", 0)
    || !access("/system/sbin/su", 0)
    || !access("/system/xbin/su", 0)
    || !access("/data/data/com.example.demoapp.su", 0)
    || !access("/system/app/Superuser.apk", 0)
    || !access("/system/bin/su", 0)
    || !access("/system/bin/.ext/.su", 0)
    || !access("/system/usr/we-need-root/su-backup", 0)
    || (v0 = 0, !access("/system/xbin/mu", 0)) )
    __android_log_print(6LL, "C++", "There is a suspected rooting file.");
    LOBYTE(v0) = 1;
  return v0;




__int64 __fastcall Java_com_hspace_pengsu_RootCheck_a(__int64 a1)
  char *v1; // rbp
  unsigned __int8 v2; // bl
  unsigned __int64 v3; // rdx
  char *v4; // rsi
  char *v5; // rsi
  char *v6; // rsi
  __int64 v7; // rax
  __int64 v8; // rcx
  unsigned __int64 v9; // rdx
  __int64 v10; // rax
  __int64 v11; // rcx
  unsigned __int8 v12; // bl
  char *v13; // r12
  unsigned int v14; // ebp
  __int64 v15; // r14
  __int64 v16; // rax
  int v17; // ebx
  int v18; // ebp
  int v19; // eax
  int v20; // er8
  int v21; // er9
  int v22; // ebx
  __int64 v23; // rbp
  int v24; // eax
  int v25; // er9
  __int64 v26; // rbx
  unsigned __int8 v28; // [rsp+8h] [rbp-A0h] BYREF
  char v29; // [rsp+9h] [rbp-9Fh] BYREF
  unsigned int v30; // [rsp+10h] [rbp-98h]
  void *v31; // [rsp+18h] [rbp-90h]
  __int128 v32; // [rsp+20h] [rbp-88h] BYREF
  void *v33; // [rsp+30h] [rbp-78h]
  __int128 v34; // [rsp+40h] [rbp-68h] BYREF
  void *v35; // [rsp+50h] [rbp-58h]
  __int128 v36; // [rsp+60h] [rbp-48h] BYREF
  void *ptr; // [rsp+70h] [rbp-38h]
  unsigned __int64 v38; // [rsp+78h] [rbp-30h]

  v38 = __readfsqword(0x28u);
  ptr = (void *)operator new(0x20uLL);
  v36 = xmmword_40750;
  strcpy((char *)ptr, "\b!0ASD%/!7!'19-az13FZ9(=(-\"!");
  v35 = (void *)operator new(0x20uLL);
  v34 = xmmword_40720;
  strcpy((char *)v35, "\b$003Z#/AZOQ()*7-az13FZ9(*-\"!");
  v33 = (void *)operator new(0x20uLL);
  v32 = xmmword_40670;
  strcpy((char *)v33, "\b!0c7)%/!7!'16-0=% %-(=(-\"!");
  v1 = (char *)&v32 + 1;
  v2 = 33;
  v3 = 0LL;
  while ( (v2 & 1) == 0 )
    v4 = (char *)&v32 + 1;
    if ( v3 >= v2 >> 1 )
      goto LABEL_12;
    v4[v3] ^= 0x44u;
    v5 = (char *)&v36 + 1;
    if ( (v36 & 1) != 0 )
      v5 = (char *)ptr;
    v5[v3] ^= 0x44u;
    v6 = (char *)&v34 + 1;
    if ( (v34 & 1) != 0 )
      v6 = (char *)v35;
    v6[v3++] ^= 0x44u;
    v2 = v32;
  if ( *((_QWORD *)&v32 + 1) > v3 )
    v4 = (char *)v33;
    goto LABEL_8;
  v7 = std::__put_character_sequence<char,std::char_traits<char>>(
         "standard time starting",
         (char *)&v34 + 1);
  if ( (v32 & 1) != 0 )
    v1 = (char *)v33;
    v9 = *((_QWORD *)&v32 + 1);
    v9 = (unsigned __int64)(unsigned __int8)v32 >> 1;
  v10 = std::__put_character_sequence<char,std::char_traits<char>>(v7, v1, v9, v8);
  std::__put_character_sequence<char,std::char_traits<char>>(v10, "\n", 1LL, v11);
  std::string::basic_string(&v28, &v32);
  v12 = v28;
  v13 = (char *)v31;
  if ( (v28 & 1) != 0 )
    v14 = v30;
    v14 = v28 >> 1;
  v15 = (*(__int64 (__fastcall **)(__int64, _QWORD))(*(_QWORD *)a1 + 1408LL))(a1, v14);
  if ( (v12 & 1) == 0 )
    v13 = &v29;
  (*(void (__fastcall **)(__int64, __int64, _QWORD, _QWORD, char *))(*(_QWORD *)a1 + 1664LL))(a1, v15, 0LL, v14, v13);
  v16 = (*(__int64 (__fastcall **)(__int64, const char *))(*(_QWORD *)a1 + 48LL))(a1, "java/nio/charset/Charset");
  v17 = v16;
  v18 = (*(__int64 (__fastcall **)(__int64, __int64, const char *, const char *))(*(_QWORD *)a1 + 904LL))(
  v19 = (*(__int64 (__fastcall **)(__int64, const char *))(*(_QWORD *)a1 + 1336LL))(a1, "UTF-8");
  v22 = _JNIEnv::CallStaticObjectMethod(a1, v17, v18, v19, v20, v21);
  v23 = (*(__int64 (__fastcall **)(__int64, const char *))(*(_QWORD *)a1 + 48LL))(a1, "java/lang/String");
  v24 = (*(__int64 (__fastcall **)(__int64, __int64, const char *, const char *))(*(_QWORD *)a1 + 264LL))(
  v26 = _JNIEnv::NewObject(a1, v23, v24, v15, v22, v25);
  if ( (v28 & 1) != 0 )
    operator delete(v31);
    if ( (v32 & 1) != 0 )
      goto LABEL_27;
    if ( (v34 & 1) == 0 )
      goto LABEL_23;
    operator delete(v35);
    if ( (v36 & 1) != 0 )
      operator delete(ptr);
    if ( (v32 & 1) == 0 )
      goto LABEL_22;
    operator delete(v33);
    if ( (v34 & 1) != 0 )
      goto LABEL_28;
    if ( (v36 & 1) != 0 )
      goto LABEL_24;
  return v26;


Exploit code

// com.hspace.pengsu

		    onEnter: function(args){
		        console.log('[*] rooting');
		    onLeave: function(ret){
		    	return 0x0;

			var log = Java.use('android.util.Log');
			log.d.overload('java.lang.String','java.lang.String').implementation = function(a,b){
				console.log('[*]FLAG : ' + a.toString() + ", " + b.toString());
				return this.d(a,b);

		    console.warn("[*] 1");
		    var s = Java.use('com.hspace.pengsu.MainActivity');
		    s.v.value = 100;

			var d = Java.use('com.hspace.pengsu.RootCheck');
			d.rootCheck.implementation = function(){
				var retv = this.rootCheck();
				return false;
}, 1000);


펭수 귀엽다.


FLAG : hspace{Vu!lner0able_9an13d0ro6id_1a3p3p1}