[SWPU2019] Android1

给出一个apk文件，用jadx打开简单看看源代码

发现调用了一个库文件，后面的函数只做了登录，是否成功都不会有有用的信息出来了，那么就把库文件解压出来放入ida中看看

查看函数的时候发现了四个奇怪的函数

char *Aa(void)
{
  int i; // [xsp+1Ch] [xbp-14h]
  char v2[4]; // [xsp+20h] [xbp-10h] BYREF
  int v3; // [xsp+24h] [xbp-Ch]
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v3 = 5068641;
  for ( i = 0; i <= 2; ++i )
    v2[i] = *((_BYTE *)&v3 + i) ^ 0x38;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

char *aA(void)
{
  int i; // [xsp+1Ch] [xbp-14h]
  char v2[4]; // [xsp+20h] [xbp-10h] BYREF
  int v3; // [xsp+24h] [xbp-Ch]
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v3 = 4281925;
  for ( i = 0; i <= 2; ++i )
    v2[i] = *((_BYTE *)&v3 + i) ^ 0x24;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

char *aa(void)
{
  int i; // [xsp+1Ch] [xbp-14h]
  char v2[4]; // [xsp+20h] [xbp-10h] BYREF
  int v3; // [xsp+24h] [xbp-Ch]
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  v3 = 5398339;
  for ( i = 0; i <= 2; ++i )
    v2[i] = *((_BYTE *)&v3 + i) ^ 0x37;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

char *AA(void)
{
  int i; // [xsp+18h] [xbp-18h]
  char v2[4]; // [xsp+1Ch] [xbp-14h] BYREF
  char v3[8]; // [xsp+20h] [xbp-10h] BYREF
  __int64 v4; // [xsp+28h] [xbp-8h]

  v4 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  strcpy(v3, "5D$#");
  for ( i = 0; i <= 3; ++i )
    v2[i] = v3[i] ^ 0x77;
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return v2;
}

其中v3分别为5068641，4281925，5398339，"5D$#"很明显，要将数字转为字符串，数字为ascii码的十进制，将这些数字分别转为字符串，即为MWa，AVE，R_C，5D$#，分别对应函数Aa,aA,aa和AA

Aa = "MWa"
aA = "AVE"
aa = "R_C"
AA = "5D$#"
res = []
for v in AA:
    res.append(chr(ord(v) ^ 0x77))
for v in aa:
    res.append(chr(ord(v) ^ 0x37))
for v in aA:
    res.append(chr(ord(v) ^ 0x24))
for v in Aa:
    res.append(chr(ord(v) ^ 0x38))
for v in res[::-1]:
    print(v,end="")

得到的结果是YouaretheTS3B，然而提交并不正确，最后一个单词明显是B3ST,上网查了一下，别人都是AA为#$D5，搞不懂为什么，调用了strcpy，难道还会把字符串逆序吗？？

总之，最后结果是flag{YouaretheB3ST}

posted @ 2022-04-03 20:46 WXjzc 阅读(572) 评论(0) 编辑收藏举报

刷新页面返回顶部

Welcome to WXjzc's blog

[SWPU2019] Android1

公告