easyjni
模拟器打开界面
JEB打开MainActivity,发现调用了a方法
而a方法又调用了a类
a类明显是换了码表的 Base64 编码器（码表就是静态数组 a，64 个字符一一替换标准表），但 Java 层没有出现用于比较的目标字符串。转回 MainActivity，只找到一个资源 id: 0x7F0B0075
public class a {
private static final char[] a;
static {
a.a = new char[]{'i', '5', 'j', 'L', 'W', '7', 'S', '0', 'G', 'X', '6', 'u', 'f', '1', 'c', 'v', '3', 'n', 'y', '4', 'q', '8', 'e', 's', '2', 'Q', '+', 'b', 'd', 'k', 'Y', 'g', 'K', 'O', 'I', 'T', '/', 't', 'A', 'x', 'U', 'r', 'F', 'l', 'V', 'P', 'z', 'h', 'm', 'o', 'w', '9', 'B', 'H', 'C', 'M', 'D', 'p', 'E', 'a', 'J', 'R', 'Z', 'N'};
}
public a() {
super();
}
public String a(byte[] arg10) {
int v8 = 3;
StringBuilder v4 = new StringBuilder();
int v0;
for(v0 = 0; v0 <= arg10.length - 1; v0 += 3) {
byte[] v5 = new byte[4];
int v3 = 0;
byte v2 = 0;
while(v3 <= 2) {
if(v0 + v3 <= arg10.length - 1) {
v5[v3] = ((byte)(v2 | (arg10[v0 + v3] & 0xFF) >>> v3 * 2 + 2));
v2 = ((byte)(((arg10[v0 + v3] & 0xFF) << (2 - v3) * 2 + 2 & 0xFF) >>> 2));
}
else {
v5[v3] = v2;
v2 = 0x40;
}
++v3;
}
v5[v8] = v2;
int v2_1;
for(v2_1 = 0; v2_1 <= v8; ++v2_1) {
if(v5[v2_1] <= 0x3F) {
v4.append(a.a[v5[v2_1]]);
}
else {
v4.append('=');
}
}
}
return v4.toString();
}
}
在 JEB 的资源里查这个 id (0x7F0B0075)，同样没有找到有意义的字符串，说明比较逻辑很可能在 native 层
用 IDA 打开 lib 目录下的 .so，找到 JNI 校验函数，F5 反编译后的核心片段如下（函数头未截取，a1 是 JNIEnv*，a3 是传入的 jstring）：
v5 = (const char *)(*(int (__fastcall **)(int, int, _DWORD))(*(_DWORD *)a1 + 676))(a1, a3, 0);
if ( strlen(v5) == 32 )
{
for ( i = 0; i != 16; ++i )
{
v7 = &v12[i];
v12[i] = v5[i + 16];
v8 = v5[i];
v7[16] = v8;
}
(*(void (__fastcall **)(int, int, const char *))(*(_DWORD *)a1 + 680))(a1, a3, v5);
v9 = 0;
do
{
v10 = v9 < 30;
v13 = v12[v9];
v12[v9] = v12[v9 + 1];
v12[v9 + 1] = v13;
v9 += 2;
}
while ( v10 );
result = memcmp(v12, "MbT3sQgX039i3g==AQOoMQFPskB1Bsc7", 0x20u) == 0;
}
else
{
(*(void (__fastcall **)(int, int, const char *))(*(_DWORD *)a1 + 680))(a1, a3, v5);
result = 0;
}
return result;
}
这里就是真正的比较逻辑：native 层先要求输入长度为 32，然后把前后 16 个字符对调，再把相邻字符两两交换，最后与 "MbT3sQgX039i3g==AQOoMQFPskB1Bsc7" 做 memcmp。要得到原始的自定义 Base64 密文，需要对这个常量做逆变换：两两交换是自逆的，先交换相邻字符得到 bM3TQsXg30i9g3==QAoOQMPFks1BsB7c，再对调前后半段得到 QAoOQMPFks1BsB7cbM3TQsXg30i9g3==。整个校验只是客户端与一个硬编码常量的比较，码表和目标值都在 APK 里，直接用 Python 写脚本还原：
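import base64

# Custom Base64 alphabet recovered from the static char[] in class a of the APK.
# It is the only "secret" and ships inside the APK, so this is obfuscation, not encryption.
CUSTOM_ALPHABET = 'i5jLW7S0GX6uf1cv3ny4q8es2Q+bdkYgKOIT/tAxUrFlVPzhmow9BHCMDpEaJRZN'
STANDARD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# Constant the native check memcmp()s against after shuffling the 32-char input.
NATIVE_TARGET = 'MbT3sQgX039i3g==AQOoMQFPskB1Bsc7'


def unshuffle(s):
    """Invert the shuffle the native check applies to the input before memcmp.

    The .so swaps the two halves of the (32-char) input, then swaps every
    adjacent pair of characters.  The pair swap is its own inverse, so the
    inverse is: swap pairs first, then swap halves.

    Args:
        s: the shuffled string (the hardcoded memcmp target); must have even length.
    Returns:
        The string the app would have produced before the native shuffle.
    Raises:
        ValueError: if len(s) is odd, since pair swapping is then undefined.
    """
    if len(s) % 2:
        raise ValueError('length must be even to undo the pair swap')
    pairs_undone = ''.join(s[i + 1] + s[i] for i in range(0, len(s), 2))
    half = len(s) // 2
    return pairs_undone[half:] + pairs_undone[:half]


def custom_b64decode(s, alphabet=CUSTOM_ALPHABET):
    """Decode s, which is Base64 over `alphabet`, by mapping it back to the standard alphabet.

    Args:
        s: encoded text (padding '=' is shared with standard Base64 and passes through).
        alphabet: the 64-symbol custom alphabet, in index order.
    Returns:
        The decoded bytes.
    Raises:
        ValueError: if the alphabet is not exactly 64 symbols.
    """
    if len(alphabet) != 64:
        raise ValueError('alphabet must contain exactly 64 symbols')
    return base64.b64decode(s.translate(str.maketrans(alphabet, STANDARD_ALPHABET)))


if __name__ == '__main__':
    encoded = unshuffle(NATIVE_TARGET)  # -> 'QAoOQMPFks1BsB7cbM3TQsXg30i9g3=='
    print(custom_b64decode(encoded))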
运行脚本，得到 flag：
b'flag{just_ANot#er_@p3}'