[SWPU2019] Android1

给出一个apk文件,用jadx打开简单看看源代码

发现调用了一个库文件,后面的函数只做了登录,是否成功都不会有有用的信息出来了,那么就把库文件解压出来放入ida中看看

查看函数的时候发现了四个奇怪的函数

char *Aa(void)
{
  int i; // [xsp+1Ch] [xbp-14h]
  char v2[4]; // [xsp+20h] [xbp-10h] BYREF
  int v3; // [xsp+24h] [xbp-Ch]
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v3 = 5068641;
  for ( i = 0; i <= 2; ++i )
    v2[i] = *((_BYTE *)&v3 + i) ^ 0x38;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

char *aA(void)
{
  int i; // [xsp+1Ch] [xbp-14h]
  char v2[4]; // [xsp+20h] [xbp-10h] BYREF
  int v3; // [xsp+24h] [xbp-Ch]
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v3 = 4281925;
  for ( i = 0; i <= 2; ++i )
    v2[i] = *((_BYTE *)&v3 + i) ^ 0x24;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

char *aa(void)
{
  int i; // [xsp+1Ch] [xbp-14h]
  char v2[4]; // [xsp+20h] [xbp-10h] BYREF
  int v3; // [xsp+24h] [xbp-Ch]
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v3 = 5398339;
  for ( i = 0; i <= 2; ++i )
    v2[i] = *((_BYTE *)&v3 + i) ^ 0x37;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

char *AA(void)
{
  int i; // [xsp+18h] [xbp-18h]
  char v2[4]; // [xsp+1Ch] [xbp-14h] BYREF
  char v3[8]; // [xsp+20h] [xbp-10h] BYREF
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  strcpy(v3, "5D$#");
  for ( i = 0; i <= 3; ++i )
    v2[i] = v3[i] ^ 0x77;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

其中v3分别为506864142819255398339"5D$#"很明显,要将数字转为字符串,数字为ascii码的十进制,将这些数字分别转为字符串,即为MWaAVER_C5D$#,分别对应函数Aa,aA,aa和AA

Aa = "MWa"
aA = "AVE"
aa = "R_C"
AA = "5D$#"
res = []
for v in AA:
    res.append(chr(ord(v) ^ 0x77))
for v in aa:
    res.append(chr(ord(v) ^ 0x37))
for v in aA:
    res.append(chr(ord(v) ^ 0x24))
for v in Aa:
    res.append(chr(ord(v) ^ 0x38))
for v in res[::-1]:
    print(v,end="")

得到的结果是YouaretheTS3B,然而提交并不正确,最后一个单词明显是B3ST,上网查了一下,别人都是AA为#$D5,搞不懂为什么,调用了strcpy,难道还会把字符串逆序吗??

总之,最后结果是flag{YouaretheB3ST}

posted @ 2022-04-03 20:46  WXjzc  阅读(481)  评论(0编辑  收藏  举报