more ctf stuff

This commit is contained in:
2025-09-20 21:10:36 +02:00
parent 443a793e6b
commit e0ed1e486b
92 changed files with 14630 additions and 7 deletions

BIN
2025/tfc/misc/minijail.zip Normal file

Binary file not shown.

3
2025/tfc/rev/.gitignore vendored Normal file
View File

@@ -0,0 +1,3 @@
game_dec/
game_jadx/
patched_app/

Binary file not shown.

BIN
2025/tfc/rev/apk.keystore Normal file

Binary file not shown.

Binary file not shown.

7
2025/tfc/rev/get_flag.sh Executable file
View File

@@ -0,0 +1,7 @@
adb logcat -c
adb shell am start -n com.example.oxidized_intentions/.MainActivity
adb shell am broadcast \
-a com.example.oxidized_intentions.TICKET \
-n com.example.oxidized_intentions/.TicketReceiver \
--es seed "fe2o3rust"
adb logcat | rg OXI

View File

@@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<FILE_INFO>
<BASIC_INFO>
<STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="Program" />
<STATE NAME="PARENT" TYPE="string" VALUE="/" />
<STATE NAME="FILE_ID" TYPE="string" VALUE="839fddbdb61f20537512505756" />
<STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
<STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
<STATE NAME="NAME" TYPE="string" VALUE="liboxi.so" />
</BASIC_INFO>
</FILE_INFO>

View File

@@ -0,0 +1,5 @@
VERSION=1
/
00000000:liboxi.so:839fddbdb61f20537512505756
NEXT-ID:1
MD5:d41d8cd98f00b204e9800998ecf8427e

View File

@@ -0,0 +1,5 @@
VERSION=1
/
00000000:liboxi.so:839fddbdb61f20537512505756
NEXT-ID:1
MD5:d41d8cd98f00b204e9800998ecf8427e

View File

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<FILE_INFO>
<BASIC_INFO>
<STATE NAME="OWNER" TYPE="string" VALUE="cato" />
</BASIC_INFO>
</FILE_INFO>

View File

@@ -0,0 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<PROJECT>
<PROJECT_DATA_XML_NAME NAME="DISPLAY_DATA">
<SAVE_STATE>
<ARRAY NAME="EXPANDED_PATHS" TYPE="string">
<A VALUE="android_rev:" />
</ARRAY>
<STATE NAME="SHOW_TABLE" TYPE="boolean" VALUE="false" />
</SAVE_STATE>
</PROJECT_DATA_XML_NAME>
<TOOL_MANAGER ACTIVE_WORKSPACE="Workspace">
<WORKSPACE NAME="Workspace" ACTIVE="true" />
</TOOL_MANAGER>
</PROJECT>

View File

@@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<FILE_INFO>
<BASIC_INFO>
<STATE NAME="CONTENT_TYPE" TYPE="string" VALUE="ProgramUserData" />
<STATE NAME="PARENT" TYPE="string" VALUE="/" />
<STATE NAME="FILE_ID" TYPE="string" VALUE="c0a8036ab7722760556847918" />
<STATE NAME="FILE_TYPE" TYPE="int" VALUE="0" />
<STATE NAME="READ_ONLY" TYPE="boolean" VALUE="false" />
<STATE NAME="NAME" TYPE="string" VALUE="udf_839fddbdb61f20537512505756" />
</BASIC_INFO>
</FILE_INFO>

View File

@@ -0,0 +1,4 @@
VERSION=1
/
NEXT-ID:0
MD5:d41d8cd98f00b204e9800998ecf8427e

View File

@@ -0,0 +1,2 @@
IADD:00000000:/udf_839fddbdb61f20537512505756
IDSET:/udf_839fddbdb61f20537512505756:c0a8036ab7722760556847918

View File

@@ -0,0 +1,4 @@
VERSION=1
/
NEXT-ID:0
MD5:d41d8cd98f00b204e9800998ecf8427e

View File

@@ -0,0 +1,4 @@
VERSION=1
/
NEXT-ID:0
MD5:d41d8cd98f00b204e9800998ecf8427e

Binary file not shown.

Binary file not shown.

53
2025/tfc/rev/notes.md Normal file
View File

@@ -0,0 +1,53 @@
When running the application in an emulator and executing
```
adb shell am broadcast \
-a com.example.oxidized_intentions.TICKET \
-n com.example.oxidized_intentions/.TicketReceiver \
--es seed "testseed123"
```
Following logs are written:
```
08-30 16:28:14.359 6201 6201 D OXI : Got broadcast, seed=testseed123
08-30 16:28:15.550 6201 6201 D OXI : Required seed is: fe2o3rust
08-30 16:28:15.562 6201 6201 D OXI : Computing flag for seed='testseed123' ...
08-30 16:28:15.563 6201 6201 D OXI : Seed 'testseed123' is not expected; required seed is 'fe2o3rust'
08-30 16:28:15.585 6201 6201 D OXI : FLAG=FAKE{wrong_seed}
```
When using `fe2o3rust` as the seed output looks like this:
```
08-30 16:34:30.981 7429 7429 D OXI : Got broadcast, seed=fe2o3rust
08-30 16:34:30.991 7429 7429 D OXI : Computing flag for seed='fe2o3rust' ...
08-30 16:34:32.021 7429 7429 D OXI : anti_hook_check elapsed=1007ms
```
Next idea: Just increase the anti_hook_check limit and see what happens
Patching the binary:
https://book.jorianwoltjer.com/mobile/patching-apks
Patched Bytes:
`00000000000047AD 0x1 68 6D` This is a marker to test if the right patched library is loaded (just change a letter in a log entry)
`0000000000011D2A 0x1 07 3F` anti_hook_check now tests if execution took >4000ms and not only 500ms
Current progress:
```
adb logcat | rg OXI
08-30 19:02:05.234 9868 9868 D OXI : Got broadcast, seed=fe2o3rust
08-30 19:02:05.397 9868 9868 D OXI : Required seed is: fe2o3rust
08-30 19:02:05.400 9868 9868 D OXI : Computing flag for seed='fe2o3rust' ...
08-30 19:02:06.403 9868 9868 D OXI : anti_mook_check elapsed=1000ms
08-30 19:02:06.437 9868 9868 D OXI : FLAG=FAKE{0000000358f228d7}
```
From where does the FAKE flag come from?
The program checks if a magic number is set. Just invert the branch condition
`0000000000011DE0 0x1 E1 E0` Changes B.NE to B.EQ

14
2025/tfc/rev/patch_apk.sh Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/sh
echo "Starting patch"
set -euo pipefail
apktool b -f patched_app
zipalign -f 4 patched_app/dist/app-release.apk patched_app/dist/app-release-aligned.apk
apksigner sign -out patched_app/dist/app-release-signed.apk --ks-key-alias 'apk' --ks apk.keystore --key-pass 'pass:password' --ks-pass 'pass:password' -v patched_app/dist/app-release-aligned.apk
adb uninstall com.example.oxidized_intentions
adb install patched_app/dist/app-release-signed.apk
echo "Patched successfully"