BUGKU reverse engineering (reverse) writeup (4)

Assembly


Pseudocode


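The listings above carry my own annotations. Reading the assembly alongside the pseudocode gives the flow: the value 99 that is passed in goes through the computation 2 * i % 3, and the code branches on the remainder.

If it equals 0, one and two-1 are passed to check1 in the Java layer for computation.

If it equals 1, one and two-1 are passed to check2 in the Java layer for computation.

If it equals 2, one and two-1 are passed to check3 in the Java layer for computation.

Next, look at the check1, check2 and check3 functions.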

    // check1: add 1..99 to the input, then hand the result back to chec
    public int check1(int input, int s) {
        int t = input;
        for (int i = 1; i < 100; i++) {
            t += i;
        }
        return chec(t, s);
    }

    // check2: add 1..999 when s is even, subtract 1..999 when s is odd
    public int check2(int input, int s) {
        int t = input;
        int i;
        if (s % 2 == 0) {
            for (i = 1; i < 1000; i++) {
                t += i;
            }
            return chec(t, s);
        }
        for (i = 1; i < 1000; i++) {
            t -= i;
        }
        return chec(t, s);
    }

    // check3: add 1..9999 to the input
    public int check3(int input, int s) {
        int t = input;
        for (int i = 1; i < 10000; i++) {
            t += i;
        }
        return chec(t, s);
    }

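These turn out to be simple loops of additions and subtractions; when the loop finishes, each function returns into chec again.

This continues until two is less than or equal to 1, at which point the result is output.

So writing the inverse is not hard: in check1, check2 and check3, turn each addition into a subtraction and each subtraction into an addition. The original runs from 99 down to 2 (because it stops once two is less than or equal to 1); the inverse runs from 2 up to 99.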

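    #!/usr/bin/env python
    # coding=utf-8
    __author__ = 'zhengjim'

    # Inverse of the Java check1: subtract 1..99 instead of adding
    def check1(input, s):
        t = input
        for i in range(1, 100):
            t -= i
        return t

    # Inverse of check2: signs swapped relative to the Java version
    def check2(input, s):
        t = input
        if s % 2 == 0:
            for i in range(1, 1000):
                t -= i
            return t
        for i in range(1, 1000):
            t += i
        return t

    # Inverse of check3: subtract 1..9999 instead of adding
    def check3(input, s):
        t = input
        for i in range(1, 10000):
            t -= i
        return t

    output = 1835996258
    # Walk the counter from 2 up to 99, the reverse of the original 99 down to 2
    for i in range(2, 100):
        flag = 2 * i % 3
        if flag == 0:
            output = check1(output, i - 1)
        elif flag == 1:
            output = check2(output, i - 1)
        elif flag == 2:
            output = check3(output, i - 1)
    print(output)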

This gives 236492408; entering it into the running apk reveals the flag.
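As a cross-check on the inversion above, this added example (not part of the original write-up) models the check in the forward direction and confirms that the recovered input round-trips to the target constant. The names to_int32, step_delta, forward and invert are mine, and the loop structure of chec is an assumption reconstructed from the description, since its body does not appear on the page.

```python
# Added example: forward model of the check, rebuilt from the write-up's
# description (the native chec body is an assumption, not code from the apk).
TARGET = 1835996258   # constant the page's solver starts from
START = 99            # initial counter value named in the write-up

def to_int32(x):
    """Wrap to a signed 32-bit value, as Java int arithmetic does."""
    return (x + 2**31) % 2**32 - 2**31

def step_delta(two):
    """Net amount one round adds to the value when the counter is `two`."""
    s = two - 1                       # value handed to check1/2/3 as `s`
    r = 2 * two % 3
    if r == 0:                        # check1: t += 1..99
        return sum(range(1, 100))
    if r == 1:                        # check2: sign depends on parity of s
        total = sum(range(1, 1000))
        return total if s % 2 == 0 else -total
    return sum(range(1, 10000))       # check3: t += 1..9999

def forward(value, two=START):
    """Run the check forward until the counter reaches 1."""
    while two > 1:
        value = to_int32(value + step_delta(two))
        two -= 1
    return value

def invert(target, start=START):
    """Undo every round; additions commute, so round order is irrelevant."""
    value = target
    for two in range(2, start + 1):
        value = to_int32(value - step_delta(two))
    return value

if __name__ == "__main__":
    candidate = invert(TARGET)
    print(candidate, forward(candidate) == TARGET)
```

Because every round is a constant added modulo 2^32, the input is unique and the order in which the rounds are undone does not matter.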


easy-100(LCTF)

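The downloaded file turns out to be an apk, so first install and run it (it failed to run on my Xiaoyao Android emulator (逍遥安卓); I don't know why).
Decompile it with jeb2 (decompiling with jadx-gui went wrong: the overloaded a methods were decompiled incorrectly), then double-click MainActivity to view it.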

    package com.example.ring.myapplication;

    import android.content.pm.ApplicationInfo;
    import android.os.Bundle;
    import android.support.v7.a.q;
    import java.io.InputStream;

    public class MainActivity extends q {
        private String v;

        public MainActivity() {
            super();
        }

        static String a(MainActivity arg1) {
            return arg1.v;
        }

        static boolean a(MainActivity arg1, String arg2, String arg3) {
            return arg1.a(arg2, arg3);
        }

        private boolean a(String arg4, String arg5) {
            return new c().a(arg4, arg5).equals(new String(new byte[]{21, -93, -68, -94, 86, 117, -19, -68, -92, 33, 50, 118, 16, 13, 1, -15, -13, 3, 4, 103, -18, 81, 30, 68, 54, -93, 44, -23, 93, 98, 5, 59}));
        }

        protected void onCreate(Bundle arg3) {
            super.onCreate(arg3);
            this.setContentView(2130968602);
            ApplicationInfo v0 = this.getApplicationInfo();
            v0.flags &= 2;
            this.p();
            this.findViewById(2131427413).setOnClickListener(new d(this));
        }

        private void p() {
            try {
                InputStream v0_1 = this.getResources().getAssets().open("url.png");
                int v1 = v0_1.available();
                byte[] v2 = new byte[v1];
                v0_1.read(v2, 0, v1);
                byte[] v0_2 = new byte[16];
                System.arraycopy(v2, 144, v0_2, 0, 16);
                this.v = new String(v0_2, "utf-8");
            }
            catch(Exception v0) {
                v0.printStackTrace();
            }
        }
    }

Start with the onCreate() method.

    protected void onCreate(Bundle arg3) {
        super.onCreate(arg3);
        this.setContentView(2130968602);
        ApplicationInfo v0 = this.getApplicationInfo();
        v0.flags &= 2;
        this.p();
        this.findViewById(2131427413).setOnClickListener(new d(this));
    }

It calls the p() method, then registers a button click listener that is implemented in class d.

Follow it to class d.

    package com.example.ring.myapplication;

    import android.view.View$OnClickListener;
    import android.view.View;
    import android.widget.TextView;
    import android.widget.Toast;

    class d implements View$OnClickListener {
        d(MainActivity arg1) {
            this.a = arg1;
            super();
        }

        public void onClick(View arg5) {
            if(MainActivity.a(this.a, MainActivity.a(this.a), this.a.findViewById(2131427414).getText().toString())) {
                View v0 = this.a.findViewById(2131427412);
                Toast.makeText(this.a.getApplicationContext(), "Congratulations!", 1).show();
                ((TextView)v0).setText(2131099682);
            }
            else {
                Toast.makeText(this.a.getApplicationContext(), "Oh no.", 1).show();
            }
        }
    }
