
mobile Android2.0

1 题目

用 jadx 反编译后检查,点击按钮时输入框内容被直接交给 native 方法 JNI.getResult:

        // Click handler as recovered by jadx. The text of the pwd field is passed
        // unchanged to the native method JNI.getResult, and the int it returns is
        // handed to Show(). No validation is visible on the Java side, so the check
        // itself has to be read from the native library.
        this.button.setOnClickListener(new View.OnClickListener() { // from class: com.example.test.ctf03.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View v) {
                // Raw user input, taken as-is from the text field.
                String str = MainActivity.this.pwd.getText().toString();
                // Native call; the decompiled implementation returns 1 on success, 0 otherwise.
                int result = JNI.getResult(str);
                MainActivity.this.Show(result);
            }
        });

逆向so文件:

/* Decompiler output for the native side of JNI.getResult(String).
 *
 * Returns 1 only when the input is exactly 15 bytes long and all three chained
 * comparisons below succeed; every other path returns 0.
 *
 * param_1 is presumably the JNIEnv pointer and param_3 the jstring argument
 * (standard JNI calling convention) - confirm against the exported signature.
 *
 * Every comparison constant is a plain string in the binary, so the expected
 * input can be recovered offline; a client-side check like this protects nothing.
 */
undefined4
Java_com_example_test_ctf03_JNI_getResult(int *param_1,undefined4 param_2,undefined4 param_3)

{
  char *__s;
  size_t sVar1;
  char *pcVar2;
  char *__s1;
  char *__s1_00;
  int iVar3;
  
  /* Indirect call through the function table at offset 0x2a4. With 4-byte
     pointers that is slot 169, which jni.h assigns to GetStringUTFChars -
     presumably the call made here; confirm for the target ABI. The returned
     buffer is never released anywhere in this listing. */
  __s = (char *)(**(code **)(*param_1 + 0x2a4))(param_1,param_3,0);
  sVar1 = strlen(__s);
  /* 0xf == 15: any other input length is rejected immediately. */
  if (sVar1 == 0xf) {
    /* NOTE(review): each buffer is allocated with a single byte, yet Init
       (listed later on this page) stores 5 bytes plus a NUL terminator into each
       one for a 15-byte input. As decompiled this is an out-of-bounds heap write
       in the challenge binary. The results are also unchecked and never freed. */
    pcVar2 = (char *)malloc(1);
    __s1 = (char *)malloc(1);
    __s1_00 = (char *)malloc(1);
    /* Split the input by index modulo 3 into pcVar2 / __s1 / __s1_00. */
    Init(pcVar2,__s1,__s1_00,__s,0xf);
    /* Stage 1: First() rewrites pcVar2 in place and compares it with "LN^dl". */
    iVar3 = First(pcVar2);
    if (iVar3 != 0) {
      /* Stage 2: XOR the first four bytes of the second part with the already
         transformed first part. The fifth byte is left as supplied. */
      iVar3 = 0;
      do {
        __s1[iVar3] = pcVar2[iVar3] ^ __s1[iVar3];
        iVar3 = iVar3 + 1;
      } while (iVar3 != 4);
      /* The literal is decompiler notation for the bytes 0x20 0x35 0x2d 0x16 0x61
         (the scripts on this page read it that way). A C compiler would parse
         \x16a as one over-long hex escape, so do not paste it into C as-is. */
      iVar3 = strcmp(__s1," 5-\x16a");
      if (iVar3 == 0) {
        /* Stage 3: same scheme, keyed with the transformed second part. */
        iVar3 = 0;
        do {
          __s1_00[iVar3] = __s1[iVar3] ^ __s1_00[iVar3];
          iVar3 = iVar3 + 1;
        } while (iVar3 != 4);
        iVar3 = strcmp(__s1_00,"AFBo}");
        if (iVar3 == 0) {
          return 1;
        }
        return 0;
      }
    }
  }
  return 0;
}

2 逆向libNative.so

函数First及其逆向
/* First(char*) */

/**
 * First stage of the check, tidied up from the decompiler output.
 *
 * Rewrites the first four bytes of param_1 in place as (byte << 1) ^ 0x80,
 * leaves the rest of the string untouched, and then compares the whole
 * string with the constant "LN^dl".
 *
 * Storing the shifted value back into a char drops the top bit, so the
 * transform can only be undone unambiguously for 7-bit input.
 *
 * @param param_1 NUL-terminated buffer of at least four bytes; modified.
 * @return true when the transformed string equals "LN^dl".
 */
bool First(char *param_1)
{
  for (char *cursor = param_1; cursor != param_1 + 4; ++cursor) {
    int doubled = *cursor << 1;
    *cursor = doubled ^ 0x80;
  }

  return strcmp(param_1, "LN^dl") == 0;
}

exp1.py

# Invert First(): the native code stores (byte << 1) ^ 0x80 for the first four
# bytes, so undo the XOR and shift back down. The shift discarded the top bit,
# which is why this only recovers 7-bit (ASCII) input.
c = b"LN^dl"

r = [(b ^ 0x80) >> 1 for b in c[:4]]
# The fifth byte is compared as-is by strcmp, so it is copied through unchanged.
r.append(c[4])

print(bytes(r))   #b'fgorl'

第二段校验及其逆向(getResult 中内联的异或循环,并非独立函数)
      /* Excerpt from the getResult listing above: second stage. pcVar2 has already
         been rewritten in place by First(), so the XOR key is the transformed
         first part ("LN^dl" on the success path), not the original input bytes.
         Only four bytes are XORed; the fifth is compared exactly as supplied. */
      iVar3 = 0;
      do {
        __s1[iVar3] = pcVar2[iVar3] ^ __s1[iVar3];
        iVar3 = iVar3 + 1;
      } while (iVar3 != 4);
      /* Decompiler notation for the bytes 0x20 0x35 0x2d 0x16 0x61. */
      iVar3 = strcmp(__s1," 5-\x16a");
      if (iVar3 == 0) {

exp2.py

# Invert the second stage. The key r1 is the first part *after* First() has
# transformed it, i.e. the constant it had to match, not the recovered plaintext.
c = b" 5-\x16a"
r1 = b'LN^dl'

# XOR is its own inverse; only the first four bytes were mixed.
r = [x ^ k for x, k in zip(c[:4], r1)]
# Fifth byte is untouched by the native loop.
r.append(c[4])

print(bytes(r))   #b'l{sra'

第三段校验及其逆向(同样是 getResult 中内联的异或循环)
        /* Excerpt from the getResult listing above: third stage. __s1 was
           overwritten by the previous XOR loop, so the key here is the second
           stage's result (the constant it had to match on the success path).
           Again only four bytes are XORed; the fifth is compared as supplied. */
        iVar3 = 0;
        do {
          __s1_00[iVar3] = __s1[iVar3] ^ __s1_00[iVar3];
          iVar3 = iVar3 + 1;
        } while (iVar3 != 4);
        iVar3 = strcmp(__s1_00,"AFBo}");
        if (iVar3 == 0) {
          return 1;
        }

exp3.py

# Invert the third stage. The key r2 is the second part after its own XOR
# stage, i.e. the constant that stage had to match.
c = b"AFBo}"
r2 = b" 5-\x16a"

# Same scheme as before: four XORed bytes, then the fifth copied through.
r = [x ^ k for x, k in zip(c[:4], r2)]
r.append(c[4])

print(bytes(r))   #b'asoy}'

函数Init及其逆向
/* Init(char*, char*, char*, char const*, int) */

/* Distributes the first param_5 bytes of param_input round-robin over three
 * output buffers: byte i goes to param_1, param_2 or param_3 when i % 3 is
 * 0, 1 or 2 respectively, at position i / 3. All three outputs are then
 * NUL-terminated at the same index, iVar3.
 *
 * No output sizes are passed in, so nothing here bounds the writes: each
 * buffer must hold at least iVar3 + 1 bytes. For param_5 == 15 that is
 * 6 bytes per buffer.
 */
void Init(char *param_1,char *param_2,char *param_3,char *param_input,int param_5)

{
  uint uVar1;
  int iVar2;
  int iVar3;
  
  if (param_5 < 1) {
    /* Nothing to copy; the outputs become empty strings below. */
    iVar3 = 0;
  }
  else {
    uVar1 = 0;
    iVar3 = 0;
    do {
      /* Compiler-generated remainder: 0x55555556 is about 2^32 / 3, so the
         high 32 bits of the product are uVar1 / 3; (iVar2 >> 0x1f) is the sign
         correction, and subtracting 3 * quotient leaves uVar1 % 3. */
      iVar2 = (int)((ulonglong)((longlong)(int)uVar1 * 0x55555556) >> 0x20);
      iVar2 = uVar1 + (iVar2 - (iVar2 >> 0x1f)) * -3;
      if (iVar2 == 2) {
        param_3[uVar1 / 3] = param_input[uVar1];
      }
      else if (iVar2 == 1) {
        param_2[uVar1 / 3] = param_input[uVar1];
      }
      else if (iVar2 == 0) {
        /* iVar3 counts only the bytes routed to param_1. */
        iVar3 = iVar3 + 1;
        param_1[uVar1 / 3] = param_input[uVar1];
      }
      uVar1 = uVar1 + 1;
    } while (param_5 != uVar1);
  }
  /* The shared terminator index is the param_1 count. When param_5 is not a
     multiple of 3 the other two buffers received fewer bytes, so the byte just
     before their terminator is never written by this function. */
  param_1[iVar3] = '\0';
  param_2[iVar3] = '\0';
  param_3[iVar3] = '\0';
  return;
}

3 exp4.py

# Undo Init(): it dealt the 15 input bytes out round-robin (index % 3) into
# three 5-byte strings, so interleaving the recovered parts restores the input.
p1 = b'fgorl'
p2 = b'l{sra'
p3 = b'asoy}'

# One byte from each part per step, in p1, p2, p3 order.
r = [byte for triple in zip(p1, p2, p3) for byte in triple]

print(bytes(r))   # b'flag{sosorryla}'