AIS3 2016 Final CTF Writeup
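I have made this document read-only; if you want to edit it, please contact the TA (Inndy).

Everyone is welcome to contribute other solutions!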

Misc1

Throw the ball to the pokemon! http://pastebin.com/raw/eYueLrKx

begin 644 → Uuencoding
Online uuencode decoder: http://www.webutils.pl/index.php?idx=uu
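
The `begin 644` sections of the paste can also be decoded offline. The following is an added example, not part of the original writeup: a small decoder built on the Python standard library's binascii.a2b_uu. The names uudecode_all and sample_paste, and the sample payloads (including the hostile file name), are constructed for illustration.

```python
import binascii
import os
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
BEGIN = re.compile(r"begin ([0-7]{3,4}) (.+)$")


def uudecode_all(text):
    """Decode every 'begin <mode> <name>' ... 'end' section found in text.

    Returns {sanitised_name: (mode, data)}. The name in the header is
    untrusted input, so only its final path component is kept.
    """
    files, name, mode, chunks = {}, None, None, []
    for line in text.splitlines():
        if name is None:
            m = BEGIN.match(line)
            if m:  # anything else outside a section is ignored
                mode = int(m.group(1), 8) & 0o666  # drop exec/setuid bits
                raw = m.group(2).strip().replace("\\", "/")
                name = os.path.basename(raw) or "unnamed"
                chunks = []
        elif line.strip() == "end":
            files[name] = (mode, b"".join(chunks))
            name = None
        elif line.strip():
            # The first character of each line encodes the payload length.
            chunks.append(binascii.a2b_uu(line))
    if name is not None:
        raise ValueError("missing 'end' line for %r" % name)
    return files


def sample_paste():
    """Constructed input: two tiny fake PNG payloads in one paste."""
    parts = ["begin the hunt (plain text, not a header)\n"]
    for fname, body in (("pub_ball.png", b"ball"),
                        ("../../tmp/pub_mon.png", b"mon")):
        parts.append("begin 644 %s\n" % fname)
        parts.append(binascii.b2a_uu(PNG_MAGIC + body).decode("ascii"))
        parts.append("`\nend\n")
    return "".join(parts)


if __name__ == "__main__":
    for fname, (mode, data) in uudecode_all(sample_paste()).items():
        kind = "PNG" if data.startswith(PNG_MAGIC) else "unknown"
        print("%s mode=%o size=%d type=%s" % (fname, mode, len(data), kind))
```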

Solution 1 - Overlay the two images to get it (requires support for transparent layers)


  • apt-get install gimp

Solution 2 - XOR

Solution 3 - DIFF (Mensa certified)

Solution 4 - compare

compare -compose src pub_ball.png pub_mon.png out.png

Misc 2

What is the IP address where the malware sends data?

Solution 1

Use jadx to decompile the source code
grep -rE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' source_code

Solution 2

Test the poison on yourself (i.e. run it)

Misc 3

What is a suspicious string in the Android memory dump (18 characters including English letters and punctuation)?

Crypto 1 (Forensic)

What is the email account of the facebook user?
/data/data/com.facebook/com.facebook.katana/databases/prefs_db
  • You can also use the teacher's tool
  • python sqlparse_v1.3.py -f prefs_db -o ans.txt
  • A bored side note: the Facebook account in the challenge really exists

Actually, /data/system/users/0/accounts.db has all the account information, not only FB but also Google

Actually, grep -r 'gmail.com' * finds it right away (heh)

Crypto 2

Similar to the CRIME attack on SSL: https://en.wikipedia.org/wiki/CRIME

from pwn import *
import time

context(log_level='ERROR')  # disable annoying log from pwn tools