[鹏城杯 2022] baby_re

分析

jadx打开, 随意搜索文本, 发现有flag字串
直接定位到关键代码

package com.example.createso;

import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
import com.example.createso.databinding.ActivityMainBinding;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import kotlin.Metadata;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;

@Metadata(d1 = {"\u0000(\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0015\n\u0002\b\u0002\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\u0018\u0000 \f2\u00020\u0001:\u0001\fB\u0005¢\u0006\u0002\u0010\u0002J\u0011\u0010\u0005\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\u0006H† J\u0012\u0010\b\u001a\u00020\t2\b\u0010\n\u001a\u0004\u0018\u00010\u000bH\u0015R\u000e\u0010\u0003\u001a\u00020\u0004X‚.¢\u0006\u0002\n\u0000¨\u0006\r"}, d2 = {"Lcom/example/createso/MainActivity;", "Landroidx/appcompat/app/AppCompatActivity;", "()V", "binding", "Lcom/example/createso/databinding/ActivityMainBinding;", "baby_xor", "", "x", "onCreate", "", "savedInstanceState", "Landroid/os/Bundle;", "Companion", "app_debug"}, k = 1, mv = {1, 6, 0}, xi = 48)
/* compiled from: MainActivity.kt */
/**
 * jadx decompilation of MainActivity (Kotlin source, per the "compiled from" marker).
 *
 * The click handler passes the text of R.id.input through the native method
 * baby_xor and compares the result with a hard-coded int array. Both the
 * expected values and the library that implements the transform ship inside
 * the APK, so the check can be reproduced offline by anyone who has the
 * package: an on-device comparison like this gives the expected input no
 * confidentiality.
 */
public final class MainActivity extends AppCompatActivity {
    public static final Companion Companion = new Companion((DefaultConstructorMarker) null);
    // View cache keyed by resource id; filled lazily by _$_findCachedViewById.
    public Map<Integer, View> _$_findViewCache = new LinkedHashMap();
    private ActivityMainBinding binding;

    /** Empties the view cache. */
    public void _$_clearFindViewByIdCache() {
        this._$_findViewCache.clear();
    }

    /**
     * Returns the view for resource id {@code i}, using the cache when possible.
     * A view found through findViewById is stored in the cache before it is
     * returned; a missing view yields null and is not cached.
     */
    public View _$_findCachedViewById(int i) {
        Map<Integer, View> map = this._$_findViewCache;
        View view = map.get(Integer.valueOf(i));
        if (view != null) {
            return view;
        }
        View findViewById = findViewById(i);
        if (findViewById == null) {
            return null;
        }
        map.put(Integer.valueOf(i), findViewById);
        return findViewById;
    }

    // Native transform applied to the user's input before the comparison.
    // The static initializer at the bottom of this class loads the "createso"
    // library; presumably the implementation lives there (confirm in the .so).
    public final native int[] baby_xor(int[] iArr);

    /* access modifiers changed from: protected */
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        ActivityMainBinding inflate = ActivityMainBinding.inflate(getLayoutInflater());
        Intrinsics.checkNotNullExpressionValue(inflate, "inflate(layoutInflater)");
        this.binding = inflate;
        if (inflate == null) {
            Intrinsics.throwUninitializedPropertyAccessException("binding");
            inflate = null;
        }
        setContentView((View) inflate.getRoot());
        // The 38-element array is handed to the click listener together with `this`.
        // The synthetic lambda class is not shown here; presumably it forwards to
        // m1onCreate$lambda0, where the array arrives as $c (confirm in
        // MainActivity$$ExternalSyntheticLambda0).
        ((Button) _$_findCachedViewById(R.id.btn)).setOnClickListener(new MainActivity$$ExternalSyntheticLambda0(this, new int[]{119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87, 47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24}));
    }

    /* access modifiers changed from: private */
    /* renamed from: onCreate$lambda-0  reason: not valid java name */
    /**
     * Click handler body: reads the text of R.id.input, converts its chars to an
     * int array, runs it through baby_xor and compares the result with $c using
     * Arrays.equals. Shows a "Success" toast on a match and "Failed" otherwise.
     */
    public static final void m1onCreate$lambda0(MainActivity this$0, int[] $c, View it) {
        Intrinsics.checkNotNullParameter(this$0, "this$0");
        Intrinsics.checkNotNullParameter($c, "$c");
        int[] array = ((EditText) this$0._$_findCachedViewById(R.id.input)).getText().toString().chars().toArray();
        Intrinsics.checkNotNullExpressionValue(array, "flag.toArray()");
        // Arrays.equals compares length and every element, so the input must
        // transform to exactly the values in $c.
        if (Arrays.equals(this$0.baby_xor(array), $c)) {
            Toast.makeText(this$0, "Success", 1).show();
        } else {
            Toast.makeText(this$0, "Failed", 0).show();
        }
    }

    @Metadata(d1 = {"\u0000\f\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\b†\u0003\u0018\u00002\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002¨\u0006\u0003"}, d2 = {"Lcom/example/createso/MainActivity$Companion;", "", "()V", "app_debug"}, k = 1, mv = {1, 6, 0}, xi = 48)
    /* compiled from: MainActivity.kt */
    // Empty companion object; it declares no members beyond its constructors.
    public static final class Companion {
        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }

        private Companion() {
        }
    }

    // Loads the native library "createso" when the class is initialized.
    static {
        System.loadLibrary("createso");
    }
}

输入的字符串经过baby_xor处理后与$c = [119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87, 47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24]进行比较
IDA打开libcreateso.so找到baby_xor的定义

// IDA pseudocode for the JNI function behind MainActivity.baby_xor.
// a1 is used as the JNIEnv in every call below and a3 as the Java int array;
// a2 is unused here (presumably the calling object, per the JNI convention).
// Each element of the array is XORed with key[i % 4], the result is written
// back into the same array, and that array is returned.
int __cdecl Java_com_example_createso_MainActivity_baby_1xor(int a1, int a2, int a3)
{
  int i; // [esp+30h] [ebp-1Ch]
  int v5; // [esp+34h] [ebp-18h]
  int v6; // [esp+38h] [ebp-14h]

  v6 = _JNIEnv::GetArrayLength(a1, a3);          // element count of the input array
  v5 = _JNIEnv::GetIntArrayElements(a1, a3, 0);  // pointer to the int elements
  // Repeating 4-entry XOR: element i is combined with key[i % 4].
  // The values in `key` at this point depend on whether hide_key has already
  // run; this listing does not show where hide_key is called from.
  for ( i = 0; i < v6; ++i )
    *(_DWORD *)(v5 + 4 * i) ^= key[i % 4];
  _JNIEnv::SetIntArrayRegion(a1, a3, 0, v6, v5);
  // NOTE(review): no ReleaseIntArrayElements call is visible in this
  // decompilation for the buffer obtained above.
  return a3;
}

// IDA pseudocode. XORs the four entries of the global `key` in place with the
// constants 0x47, 0x32, 0x11 and 0x12 and returns a pointer to `key`.
// XOR is its own inverse, so a second call would restore the previous values.
// The caller of this function is not shown in this listing.
_DWORD *hide_key(void)
{
  _DWORD *result; // eax

  result = key;
  key[0] ^= 0x47u;
  key[1] ^= 0x32u;
  key[2] ^= 0x11u;
  key[3] ^= 0x12u;
  return result;
}

破解

key = [0x56, 0x57, 0x58, 0x59]
hide_key会把key的四个元素分别与0x47、0x32、0x11、0x12异或, 得到实际使用的key
所以对输入的处理就是: 先对key做上述异或得到实际key, 再让输入的第i个元素与key[i % 4]异或。由于异或是自身的逆运算, 把$c再与实际key异或一次即可还原出输入

#include <stdlib.h>
#include <iostream>
#include <string>
using namespace std;

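/// Reverses the app's check offline: derives the effective key the same way
/// hide_key() does, then XORs the expected array with key[i % 4]. XOR is its
/// own inverse, so this yields the input that baby_xor maps to that array.
/// Prints the recovered string followed by a newline and returns 0.
int main() {
    // Initial key values given in the write-up, and the masks hide_key() applies.
    const unsigned char stored_key[] = {0x56, 0x57, 0x58, 0x59};
    const unsigned char masks[] = {0x47, 0x32, 0x11, 0x12};
    const size_t key_len = sizeof(stored_key);

    // Effective key = stored value XOR mask, element by element.
    unsigned char key[sizeof(stored_key)];
    for (size_t i = 0; i < key_len; ++i) {
        key[i] = static_cast<unsigned char>(stored_key[i] ^ masks[i]);
    }

    // Expected output of baby_xor, copied from the array passed to the click listener.
    const unsigned char expected[] = {119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87, 47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24};

    std::string flag;
    flag.reserve(sizeof(expected));
    // size_t index avoids the signed/unsigned comparison against sizeof, and the
    // explicit cast replaces the implicit int-to-char narrowing of the XOR result.
    for (size_t i = 0; i < sizeof(expected); ++i) {
        flag += static_cast<char>(expected[i] ^ key[i % key_len]);
    }

    std::cout << flag << '\n';
    return 0;
}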