NJCTF (easycrack)

安装app查看。一个输入框，输入随便输入显示Try again.

放入JEB反编译。

关于输入框监听是第一次见，具体可以看看这个博客https://www.jianshu.com/p/f976c677189a

函数的作用是，如果字符串s变动，将会执行具体的实现。这里是调用了native层的parseText函数。

接下来反编译apk，用IDA打开位于lib文件夹中的so文件，如下图所示。

具体关于JNI，可以看这个博客，https://blog.csdn.net/smbroe/article/details/44133741

jni方法有两种映射：

动态注册的native方法，必须实现JNI_OnLoad方法，同时实现一个JNINativeMethod[]数组， 实现Java方法与native方法的映射绑定 
静态注册的native方法，必须是以Java+类完整路径+方法名的格式来命名native方法。

这里是静态注册的，首先要选中这里的a1，按Y，改成下图所示，这样IDA才能够正确分析。

返回Java层，查看messageMe函数。函数很简单，直接赋值java包的名字，复制黏贴代码到java编译器中跑出即可。

 public class easycrack100 {
     public static void main(String[] args) {
         String v3 = "";
         int v4 = 51;
         String[] v1 = "com.njctf.mobile.easycrack".split("\\.");
         /*1、如果用“.”作为分隔的话,必须是如下写法,String.split("\\."),这样才能正确的分隔开,不能用String.split(".");
         2、如果用“|”作为分隔的话,必须是如下写法,String.split("\\|"),这样才能正确的分隔开,不能用String.split("|");
         “.”和“|”都是转义字符,必须得加"\\";*/
         char[] v6 = v1[v1.length - 1].toCharArray();
         int v7 = v6.length;
         int v5;
         for(v5 = 0; v5 < v7; ++v5) {
             v4 ^= v6[v5];
             v3 += ((char)v4);
         }
         System.out.println(v3);
     }
 }

message='V7D=^,M.E'

返回IDA继续分析。

这个循环也容易理解，异或后的字符串放入了v23。再往下。

打开init函数。

稍微改一下放到c编译器中得到key数组。

#include<stdio.h>
using namespace std;
int main()
{
  string a2 = "I_am_the_key";
  string v11 = a2;
  int res[];
  int v3 = ;
  int v14[];
  int *v8;
  int v4 = ;
  int v5 = ;
  int *v7;
  int i = ;
  do
  {
    res[v5] = v5;
    v14[v5++] = v11[i];
    i++;
    i%=;
  }
  while ( v5 !=  );
  v7=v14;
  v8 = res;
  int v9;
  do
  {
    v9 = *v8;
    v4 = (v9 + v4 + *v7) % ;
    *v8 = res[v4];
    res[v4] = v9;
    --v3;
    ++v7;
    ++v8;
  }
  while ( v3 );
  for(int i=;i<;i++) printf("0x%02x,",res[i]);
  return ;
}

再往下，将得到key和异或后的字符串进行加密。

因为我们要逆向得到正确的输入（即flag），所以需要知道经过整个加密过程后的对比字符串。

这里双击compare就能看到了。这是一串十六进制。

在它的上面，还有一步，就是把经过crypt后的字符串转成16进制，如下图。

下面画个流程图，梳理一下思路。

最后跟据crypt函数写出脚本即可。

#include<iostream>
using namespace std;
int main()
{
    int a3 = ;
    int v3 = ;
    int v4 = ;
    int v5;
    int i = ;
    int a2[] = {0xC8,0xE4,0xEF,0x0E,0x4D,0xCC,0xA6,0x83,0x08,0x81,0x34,0xF8,0x63,0x5E,0x97,0x0E,0xEA,0xD9,0xE2,0x77,0xF3,0x14,0x86,0x9F,0x7E,0xF5,0x19,0x8A,0x2A,0xA4};
    int result[] = {0x39,0xa9,0x72,0x2d,0xe8,0x58,0x26,0x32,0x81,0xd,0xac,0x49,0xbb,0x10,0x46,0x65,0xb3,0x92,0xf,0x84,0xb8,0xbf,0xf2,0x52,0xe3,0x5b,0xfc,0xd5,0x59,0x6a,0xf0,0x5d,0x60,0x69,0x16,0x8e,0xfb,0x94,0x48,0xbc,0x71,0x36,0x57,0xad,0x44,0x7c,0x95,0xda,0xb7,0x47,0xdb,0x35,0x3c,0xd2,0x23,0xc5,0xa8,0xb,0x9f,0x31,0xd8,0x1f,0x3f,0xb0,0x2e,0xe1,0x5a,0x4a,0xf9,0x1,0x54,0xa7,0xa5,0xee,0x8,0x99,0x63,0x9b,0x50,0xbd,0x5,0xf7,0xcb,0xab,0x22,0xc2,0x8a,0x38,0x7d,0x6,0xb1,0xc0,0x4e,0x74,0x3a,0xe5,0x67,0x2b,0xa3,0x73,0x89,0x9e,0xba,0x88,0x3d,0x28,0x62,0x8f,0xfd,0x43,0x98,0x4d,0x56,0xb2,0xc,0x29,0x6e,0x78,0x25,0xe0,0xe9,0xf6,0x9c,0x13,0xed,0xf8,0xc4,0x20,0x87,0x2,0x7b,0xf1,0x6d,0xc7,0x8c,0x9d,0x86,0x3b,0x66,0xfa,0xb6,0x42,0x6f,0x14,0xd0,0x19,0xaf,0x11,0x21,0x96,0x85,0x91,0xb5,0xa0,0x1b,0x18,0xa6,0xa2,0x4b,0x40,0xd4,0x8d,0x2a,0x8b,0x5c,0x2c,0xe6,0xfe,0xa4,0x30,0xe7,0xff,0xc8,0x5f,0xe2,0x1c,0xdf,0xae,0x7f,0xc3,0x61,0xef,0x90,0x6c,0x51,0x2f,0xec,0x12,0x7a,0xaa,0xdd,0x77,0xf5,0x4,0xd9,0x83,0x33,0xeb,0x80,0x27,0x3,0xb4,0x9,0x37,0x6b,0x41,0x4f,0x7e,0xf3,0x24,0xf4,0xc9,0x7,0xd1,0x45,0x70,0xa1,0xd7,0x34,0x93,0x15,0xca,0x4c,0xcd,0x97,0xb9,0xea,0x0,0x5e,0x1a,0x9a,0xcf,0x79,0xa,0x3e,0x82,0xd3,0x68,0x75,0x64,0xce,0x55,0xe,0xbe,0x1d,0xe4,0xc1,0xc6,0xde,0xcc,0x1e,0x17,0xd6,0xdc,0x53,0x76};
    do
    {
      v3 = (v3 + ) % ;
      v5 = *(int *)(result + v3);
      v4 = (v5 + v4) % ;
      *(int *)(result + v3) = *(int *)(result + v4);
      *(int *)(result + v4) = v5;
      a2[i] ^= *(int *)(result + ((*(int *)(result + v3) + v5) & 0xFF));
      --a3;
      ++i;
    }
    while ( a3 );
  string ss="V7D=^,M.E";
  string flag="";
  for(int i=;i<;i++)
  {
      int j=i%;
      flag+=ss[j]^a2[i];
  }
  cout << flag;
  return ;
}