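2025 Digital China Innovation Contest, Digital Security Track, Mobile Internet (APP) Security Points Competition, [Taoli Group] Hands-on Skills Round WriteUp (selected challenges)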

Only the write-ups for the challenges I solved are listed.

Reverse engineering:

GoodLuck:

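The app is stuffed with obfuscation. OOXX looks like some kind of hash; combined with the MD5 value 343701266d3d3c897670a0598dedcfb6 given in MainActivity, looking up the MD5 gives r9d3jv3, so the flag is flag{r9d3jv3}.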

偷天换日 ("Stealing the Sky and Swapping the Sun"):

Locate the check function in the .so:

bool __fastcall Java_com_ctf_goodluck1_Check_check(_JNIEnv *a1, __int64 a2, __int64 a3)
{
  char *s1; // [xsp+28h] [xbp-48h]
  __int64 v5; // [xsp+38h] [xbp-38h]
  __int64 MethodID; // [xsp+40h] [xbp-30h]
  __int64 Class; // [xsp+48h] [xbp-28h]

  Class = _JNIEnv::FindClass(a1, byte_36010);
  MethodID = _JNIEnv::GetMethodID(a1, Class, byte_36024, byte_36030);
  v5 = _JNIEnv::CallObjectMethod(a1, a3, MethodID);
  sub_E5D4(a1, v5);
  s1 = (char *)_JNIEnv::GetStringUTFChars();
  return strcmp(s1, byte_36040) != 0;
}

sub_E5D4 turns out to be a standard Base64. The data around byte_36040 consists of values that are clustered in narrow ranges but shifted by an offset:

.data:0000000000036010 byte_36010      DCB  0xD,   6,0x11,   6,0x48, 0xB,   6,   9,   0,0x48,0x34,0x13,0x15, 0xE,   9,   0
.data:0000000000036010 ; DATA XREF: Java_com_ctf_goodluck1_Check_check+C↑o
.data:0000000000036010 ; .datadiv_decode15146375311672927909+1C↑o
.data:0000000000036020 DCB 0x67, 0, 0, 0
.data:0000000000036024 ; _BYTE byte_36024[12]
.data:0000000000036024 byte_36024 DCB 0xE1,0xE3,0xF2,0xC4,0xFF,0xF2,0xE3,0xF5,0x86, 0, 0, 0
.data:0000000000036024 ; DATA XREF: Java_com_ctf_goodluck1_Check_check+14↑o
.data:0000000000036024 ; .datadiv_decode15146375311672927909+24↑o
.data:0000000000036030 ; _BYTE byte_36030[16]
.data:0000000000036030 byte_36030 DCB 0xAB, 0xAA, 0xD8, 0xC1, 0x83, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036030 ; DATA XREF: Java_com_ctf_goodluck1_Check_check+1C↑o
.data:0000000000036030 ; .datadiv_decode15146375311672927909+2C↑o
.data:000000000003603C DCB 0, 0, 0, 0
.data:0000000000036040 ; char byte_36040[32]
.data:0000000000036040 byte_36040 DCB 0xA8, 0xBD, 0xAD, 0x9F, 0xF6, 0xB1, 0xBF, 0x8C, 0x90
.data:0000000000036040 ; DATA XREF: Java_com_ctf_goodluck1_Check_check+28↑o
.data:0000000000036040 ; .datadiv_decode15146375311672927909+34↑o
.data:0000000000036049 DCB 0x87, 0xAB, 0x9F, 0x96, 0x94, 0xA9, 0xA4, 0x8D, 0x8F
.data:0000000000036052 DCB 0xB0, 0x8F, 0x81, 0x87, 0xFC, 0xE4, 0xE4, 0xC5, 0
.data:000000000003605B DCB 0, 0, 0, 0, 0
.data:0000000000036060 ; _BYTE byte_36060[32]
.data:0000000000036060 byte_36060 DCB 0x10, 0x1F, 0x15, 3, 0x1E, 0x18, 0x15, 0x5E, 0x10
.data:0000000000036060 ; DATA XREF: sub_DD38+20↑o
.data:0000000000036060 ; .datadiv_decode15146375311672927909+3C↑o
.data:0000000000036069 DCB 1, 1, 0x5E, 0x30, 0x12, 5, 0x18, 7, 0x18, 5, 8, 0x25
.data:0000000000036075 DCB 0x19, 3, 0x14, 0x10, 0x15, 0x71, 0, 0, 0, 0, 0
.data:0000000000036080 ; _BYTE byte_36080[32]
.data:0000000000036080 byte_36080 DCB 0xCF, 0xFF, 0xC9, 0xCE, 0xCE, 0xD9, 0xD2, 0xC8, 0xFD
.data:0000000000036080 ; DATA XREF: sub_DD38+28↑o
.data:0000000000036080 ; .datadiv_decode15146375311672927909+44↑o
.data:0000000000036089 DCB 0xDF, 0xC8, 0xD5, 0xCA, 0xD5, 0xC8, 0xC5, 0xE8, 0xD4
.data:0000000000036092 DCB 0xCE, 0xD9, 0xDD, 0xD8, 0xBC, 0, 0, 0, 0, 0, 0, 0
.data:000000000003609E DCB 0, 0
.data:00000000000360A0 ; _BYTE byte_360A0[32]
.data:00000000000360A0 byte_360A0 DCB 0x85, 0xA8, 0xA7, 0xAD, 0xBB, 0xA6, 0xA0, 0xAD, 0xE6
.data:00000000000360A0 ; DATA XREF: sub_DD38+30↑o
.data:00000000000360A0 ; .datadiv_decode15146375311672927909+4C↑o
.data:00000000000360A9 DCB 0xA8, 0xB9, 0xB9, 0xE6, 0x88, 0xAA, 0xBD, 0xA0, 0xBF
.data:00000000000360B2 DCB 0xA0, 0xBD, 0xB0, 0x9D, 0xA1, 0xBB, 0xAC, 0xA8, 0xAD
.data:00000000000360BB DCB 0xF2, 0xC9, 0, 0, 0
.data:00000000000360C0 ; _BYTE byte_360C0[32]
.data:00000000000360C0 byte_360C0 DCB 0xAA, 0x8E, 0xA9, 0xAE, 0xB3, 0xAE, 0xA6, 0xAB, 0x86
.data:00000000000360C0 ; DATA XREF: sub_DD38+38↑o
.data:00000000000360C0 ; .datadiv_decode15146375311672927909+54↑o
.data:00000000000360C9 DCB 0xB7, 0xB7, 0xAB, 0xAE, 0xA4, 0xA6, 0xB3, 0xAE, 0xA8
.data:00000000000360D2 DCB 0xA9, 0xC7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:00000000000360E0 ; _BYTE byte_360E0[32]
.data:00000000000360E0 byte_360E0 DCB 0xAD, 0x80, 0x8F, 0x85, 0x93, 0x8E, 0x88, 0x85, 0xCE
.data:00000000000360E0 ; DATA XREF: sub_DD38+40↑o
.data:00000000000360E0 ; .datadiv_decode15146375311672927909+5C↑o
.data:00000000000360E9 DCB 0x80, 0x91, 0x91, 0xCE, 0xA0, 0x91, 0x91, 0x8D, 0x88
.data:00000000000360F2 DCB 0x82, 0x80, 0x95, 0x88, 0x8E, 0x8F, 0xDA, 0xE1, 0
.data:00000000000360FB DCB 0, 0, 0, 0, 0
.data:0000000000036100 ; _BYTE byte_36100[24]
.data:0000000000036100 byte_36100 DCB 0xA7, 0xA8, 0xA2, 0xB4, 0xA9, 0xAF, 0xA2, 0xE9, 0xA7
.data:0000000000036100 ; DATA XREF: sub_DD38+48↑o
.data:0000000000036100 ; .datadiv_decode15146375311672927909+64↑o
.data:0000000000036109 DCB 0xB6, 0xB6, 0xE9, 0x87, 0xB6, 0xB6, 0xAA, 0xAF, 0xA5
.data:0000000000036112 DCB 0xA7, 0xB2, 0xAF, 0xA9, 0xA8, 0xC6
.data:0000000000036118 ; _BYTE byte_36118[24]
.data:0000000000036118 byte_36118 DCB 0x98, 0x9A, 0x8B, 0xBE, 0x8C, 0x8C, 0x9A, 0x8B, 0x8C
.data:0000000000036118 ; DATA XREF: sub_DD38+50↑o
.data:0000000000036118 ; .datadiv_decode15146375311672927909+6C↑o
.data:0000000000036121 DCB 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036130 ; _BYTE byte_36130[48]
.data:0000000000036130 byte_36130 DCB 0x4E, 0x4F, 0x2A, 7, 8, 2, 0x14, 9, 0xF, 2, 0x49, 5
.data:0000000000036130 ; DATA XREF: sub_DD38+58↑o
.data:0000000000036130 ; .datadiv_decode15146375311672927909+74↑o
.data:000000000003613C DCB 9, 8, 0x12, 3, 8, 0x12, 0x49, 0x14, 3, 0x15, 0x49
.data:0000000000036147 DCB 0x27, 0x15, 0x15, 3, 0x12, 0x2B, 7, 8, 7, 1, 3, 0x14
.data:0000000000036153 DCB 0x5D, 0x66, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036160 ; _BYTE byte_36160[36]
.data:0000000000036160 byte_36160 DCB 0x5C, 0x53, 0x59, 0x4F, 0x52, 0x54, 0x59, 0x12, 0x5E
.data:0000000000036160 ; DATA XREF: sub_DD38+60↑o
.data:0000000000036160 ; .datadiv_decode15146375311672927909+7C↑o
.data:0000000000036169 DCB 0x52, 0x53, 0x49, 0x58, 0x53, 0x49, 0x12, 0x4F, 0x58
.data:0000000000036172 DCB 0x4E, 0x12, 0x7C, 0x4E, 0x4E, 0x58, 0x49, 0x70, 0x5C
.data:000000000003617B DCB 0x53, 0x5C, 0x5A, 0x58, 0x4F, 0x3D, 0, 0, 0
.data:0000000000036184 ; _BYTE byte_36184[12]
.data:0000000000036184 byte_36184 DCB 0x13, 0xC, 0x19, 0x12, 0x3A, 0x18, 0x7C, 0, 0, 0, 0
.data:0000000000036184 ; DATA XREF: sub_DD38+68↑o
.data:0000000000036184 ; .datadiv_decode15146375311672927909+84↑o
.data:000000000003618F DCB 0
.data:0000000000036190 ; _BYTE byte_36190[64]
.data:0000000000036190 byte_36190 DCB 0xD5, 0xB1, 0x97, 0x9C, 0x8B, 0x9C, 0xD2, 0x91, 0x9C
.data:0000000000036190 ; DATA XREF: sub_DD38+70↑o
.data:0000000000036190 ; .datadiv_decode15146375311672927909+8C↑o
.data:0000000000036199 DCB 0x93, 0x9A, 0xD2, 0xAE, 0x89, 0x8F, 0x94, 0x93, 0x9A
.data:00000000000361A2 DCB 0xC6, 0xD4, 0xB1, 0x9C, 0x93, 0x99, 0x8F, 0x92, 0x94
.data:00000000000361AB DCB 0x99, 0xD2, 0x9E, 0x92, 0x93, 0x89, 0x98, 0x93, 0x89
.data:00000000000361B4 DCB 0xD2, 0x8F, 0x98, 0x8E, 0xD2, 0xBC, 0x8E, 0x8E, 0x98
.data:00000000000361BD DCB 0x89, 0xBB, 0x94, 0x91, 0x98, 0xB9, 0x98, 0x8E, 0x9E
.data:00000000000361C6 DCB 0x8F, 0x94, 0x8D, 0x89, 0x92, 0x8F, 0xC6, 0xFD, 0
.data:00000000000361CF DCB 0
.data:00000000000361D0 ; _BYTE byte_361D0[16]
.data:00000000000361D0 byte_361D0 DCB 0x89, 0x89, 0xC4, 0x8E, 0x8B, 0x9E, 0xEA, 0, 0, 0
.data:00000000000361D0 ; DATA XREF: sub_DD38+78↑o
.data:00000000000361D0 ; .datadiv_decode15146375311672927909+94↑o
.data:00000000000361DA DCB 0, 0, 0, 0, 0, 0
.data:00000000000361E0 ; _BYTE byte_361E0[40]
.data:00000000000361E0 byte_361E0 DCB 0x63, 0x6C, 0x66, 0x70, 0x6D, 0x6B, 0x66, 0x2D, 0x61
.data:00000000000361E0 ; DATA XREF: sub_DD38+80↑o
.data:00000000000361E0 ; .datadiv_decode15146375311672927909+9C↑o
.data:00000000000361E9 DCB 0x6D, 0x6C, 0x76, 0x67, 0x6C, 0x76, 0x2D, 0x70, 0x67
.data:00000000000361F2 DCB 0x71, 0x2D, 0x43, 0x71, 0x71, 0x67, 0x76, 0x44, 0x6B
.data:00000000000361FB DCB 0x6E, 0x67, 0x46, 0x67, 0x71, 0x61, 0x70, 0x6B, 0x72
.data:0000000000036204 DCB 0x76, 0x6D, 0x70, 2
.data:0000000000036208 ; _BYTE byte_36208[12]
.data:0000000000036208 byte_36208 DCB 0xA9, 0xAB, 0xBA, 0x82, 0xAB, 0xA0, 0xA9, 0xBA, 0xA6
.data:0000000000036208 ; DATA XREF: sub_DD38+88↑o
.data:0000000000036208 ; .datadiv_decode15146375311672927909+A4↑o
.data:0000000000036211 DCB 0xCE, 0, 0
.data:0000000000036214 ; _BYTE byte_36214[4]
.data:0000000000036214 byte_36214 DCB 0xD2, 0xD3, 0xB0, 0xFA
.data:0000000000036214 ; DATA XREF: sub_DD38+90↑o
.data:0000000000036214 ; .datadiv_decode15146375311672927909+AC↑o
.data:0000000000036218 ; _BYTE byte_36218[8]
.data:0000000000036218 byte_36218 DCB 0x8C, 0x93, 0x86, 0x8D, 0xE3, 0, 0, 0
.data:0000000000036218 ; DATA XREF: sub_DD38+98↑o
.data:0000000000036218 ; .datadiv_decode15146375311672927909+B4↑o
.data:0000000000036220 ; _BYTE byte_36220[48]
.data:0000000000036220 byte_36220 DCB 0xF6, 0x92, 0xB4, 0xBF, 0xA8, 0xBF, 0xF1, 0xB2, 0xBF
.data:0000000000036220 ; DATA XREF: sub_DD38+A0↑o
.data:0000000000036220 ; .datadiv_decode15146375311672927909+BC↑o
.data:0000000000036229 DCB 0xB0, 0xB9, 0xF1, 0x8D, 0xAA, 0xAC, 0xB7, 0xB0, 0xB9
.data:0000000000036232 DCB 0xE5, 0xF7, 0x92, 0xB4, 0xBF, 0xA8, 0xBF, 0xF1, 0xB7
.data:000000000003623B DCB 0xB1, 0xF1, 0x97, 0xB0, 0xAE, 0xAB, 0xAA, 0x8D, 0xAA
.data:0000000000036244 DCB 0xAC, 0xBB, 0xBF, 0xB3, 0xE5, 0xDE, 0, 0, 0, 0, 0
.data:000000000003624F DCB 0
.data:0000000000036250 ; _BYTE byte_36250[20]
.data:0000000000036250 byte_36250 DCB 0xD4, 0xDF, 0xC8, 0xDF, 0x91, 0xD7, 0xD1, 0x91, 0xF7
.data:0000000000036250 ; DATA XREF: sub_DD38+A8↑o
.data:0000000000036250 ; .datadiv_decode15146375311672927909+C4↑o
.data:0000000000036259 DCB 0xD0, 0xCE, 0xCB, 0xCA, 0xED, 0xCA, 0xCC, 0xDB, 0xDF
.data:0000000000036262 DCB 0xD3, 0xBE
.data:0000000000036264 ; _BYTE byte_36264[8]
.data:0000000000036264 byte_36264 DCB 0xE3, 0xF4, 0xF0, 0xF5, 0x91, 0, 0, 0
.data:0000000000036264 ; DATA XREF: sub_DD38+B0↑o
.data:0000000000036264 ; .datadiv_decode15146375311672927909+CC↑o
.data:000000000003626C ; _BYTE byte_3626C[20]
.data:000000000003626C byte_3626C DCB 0x57, 0x24, 0x3D, 0x36, 0x36, 0x56, 0x36, 0x7F, 0
.data:000000000003626C ; DATA XREF: sub_DD38+B8↑o
.data:000000000003626C ; .datadiv_decode15146375311672927909+D4↑o
.data:0000000000036275 DCB 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036280 aJbbijbbiaxnfax DCB "jbbijbbiaxnfaxnf",0xD,0
.data:0000000000036280 ; DATA XREF: sub_DD38+C8↑o
.data:0000000000036280 ; .datadiv_decode15146375311672927909+DC↑o
.data:0000000000036292 ALIGN 0x20
.data:00000000000362A0 ; _BYTE byte_362A0[20]
.data:00000000000362A0 byte_362A0 DCB 0x24, 0x2F, 0x38, 0x2F, 0x61, 0x20, 0x27, 0x21, 0x61
.data:00000000000362A0 ; DATA XREF: sub_DD38+D0↑o
.data:00000000000362A0 ; .datadiv_decode15146375311672927909+E4↑o
.data:00000000000362A9 DCB 0xC, 0x37, 0x3A, 0x2B, 0xC, 0x3B, 0x28, 0x28, 0x2B
.data:00000000000362B2 DCB 0x3C, 0x4E
.data:00000000000362B4 a4 DCB "!,,/#!4%@",0 ; DATA XREF: sub_DD38+D8↑o
.data:00000000000362B4 ; .datadiv_decode15146375311672927909+EC↑o
.data:00000000000362BE ALIGN 0x20
.data:00000000000362C0 ; _BYTE byte_362C0[28]
.data:00000000000362C0 byte_362C0 DCB 0x2C, 0x4D, 0x2D, 0x48, 0x6E, 0x65, 0x72, 0x65, 0x2B
.data:00000000000362C0 ; DATA XREF: sub_DD38+E0↑o
.data:00000000000362C0 ; .datadiv_decode15146375311672927909+F4↑o
.data:00000000000362C9 DCB 0x6A, 0x6D, 0x6B, 0x2B, 0x46, 0x7D, 0x70, 0x61, 0x46
.data:00000000000362D2 DCB 0x71, 0x62, 0x62, 0x61, 0x76, 0x3F, 4, 0, 0, 0
.data:00000000000362DC ; _BYTE byte_362DC[4]
.data:00000000000362DC byte_362DC DCB 0x43, 0x46, 0x47, 0x33
.data:00000000000362DC ; DATA XREF: sub_DD38+E8↑o
.data:00000000000362DC ; .datadiv_decode15146375311672927909+FC↑o
.data:00000000000362E0 ; _BYTE byte_362E0[28]
.data:00000000000362E0 byte_362E0 DCB 0xD1, 0xA2, 0xBB, 0xD0, 0xB5, 0x93, 0x98, 0x8F, 0x98
.data:00000000000362E0 ; DATA XREF: sub_DD38+F0↑o
.data:00000000000362E0 ; .datadiv_decode15146375311672927909+104↑o
.data:00000000000362E9 DCB 0xD6, 0x97, 0x90, 0x96, 0xD6, 0xBB, 0x80, 0x8D, 0x9C
.data:00000000000362F2 DCB 0xBB, 0x8C, 0x9F, 0x9F, 0x9C, 0x8B, 0xC2, 0xF9, 0
.data:00000000000362FB DCB 0
.data:00000000000362FC aNqmwjwqp DCB "NQMWJWQP>",0 ; DATA XREF: sub_DD38+FC↑o
.data:00000000000362FC ; .datadiv_decode15146375311672927909+110↑o
.data:0000000000036306 ALIGN 0x10
.data:0000000000036310 ; _BYTE byte_36310[32]
.data:0000000000036310 byte_36310 DCB 0xFC, 0x9D, 0xFD, 0x98, 0xBE, 0xB5, 0xA2, 0xB5, 0xFB
.data:0000000000036310 ; DATA XREF: sub_DD38+108↑o
.data:0000000000036310 ; .datadiv_decode15146375311672927909+11C↑o
.data:0000000000036319 DCB 0xBA, 0xBD, 0xBB, 0xFB, 0x96, 0xA1, 0xB2, 0xB2, 0xB1
.data:0000000000036322 DCB 0xA6, 0xEF, 0xD4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036330 ; _BYTE byte_36330[32]
.data:0000000000036330 byte_36330 DCB 0xC0, 0xCC, 0xCE, 0x8C, 0xC0, 0xD7, 0xC5, 0x8C, 0xC4
.data:0000000000036330 ; DATA XREF: sub_DD38+114↑o
.data:0000000000036330 ; .datadiv_decode15146375311672927909+128↑o
.data:0000000000036339 DCB 0xCC, 0xCC, 0xC7, 0xCF, 0xD6, 0xC0, 0xC8, 0x92, 0x8C
.data:0000000000036342 DCB 0xEE, 0xC2, 0xCA, 0xCD, 0xE2, 0xC0, 0xD7, 0xCA, 0xD5
.data:000000000003634B DCB 0xCA, 0xD7, 0xDA, 0xA3, 0
.data:0000000000036350 ; _BYTE byte_36350[16]
.data:0000000000036350 byte_36350 DCB 0xE6, 0xED, 0xFA, 0xED, 0xA3, 0xE0, 0xED, 0xE2, 0xEB
.data:0000000000036350 ; DATA XREF: sub_DD38+120↑o
.data:0000000000036350 ; .datadiv_decode15146375311672927909+134↑o
.data:0000000000036359 DCB 0xA3, 0xCF, 0xE0, 0xED, 0xFF, 0xFF, 0x8C
.data:0000000000036360 aHjLcnCNkj DCB "HJ[lCN\\c@NKJ]/",0 ; DATA XREF: sub_DD38+12C↑o
.data:0000000000036360 ; .datadiv_decode15146375311672927909+140↑o
.data:0000000000036370 ; _BYTE byte_36370[32]
.data:0000000000036370 byte_36370 DCB 0xA9, 0xA8, 0xCD, 0xEB, 0xE0, 0xF7, 0xE0, 0xAE, 0xED
.data:0000000000036370 ; DATA XREF: sub_DD38+138↑o
.data:0000000000036370 ; .datadiv_decode15146375311672927909+14C↑o
.data:0000000000036379 DCB 0xE0, 0xEF, 0xE6, 0xAE, 0xC2, 0xED, 0xE0, 0xF2, 0xF2
.data:0000000000036382 DCB 0xCD, 0xEE, 0xE0, 0xE5, 0xE4, 0xF3, 0xBA, 0x81, 0
.data:000000000003638B DCB 0, 0, 0, 0, 0
.data:0000000000036390 ; _BYTE byte_36390[32]
.data:0000000000036390 byte_36390 DCB 0x23, 0x26, 0x2B, 0x31, 0x2E, 0x2C, 0x68, 0x34, 0x3E
.data:0000000000036390 ; DATA XREF: sub_DD38+144↑o
.data:0000000000036390 ; .datadiv_decode15146375311672927909+158↑o
.data:0000000000036399 DCB 0x34, 0x33, 0x22, 0x2A, 0x68, 0x17, 0x26, 0x33, 0x2F
.data:00000000000363A2 DCB 4, 0x2B, 0x26, 0x34, 0x34, 0xB, 0x28, 0x26, 0x23, 0x22
.data:00000000000363AC DCB 0x35, 0x47, 0, 0
.data:00000000000363B0 ; _BYTE byte_363B0[16]
.data:00000000000363B0 byte_363B0 DCB 0xD7, 0xC6, 0xD3, 0xCF, 0xEB, 0xCE, 0xD4, 0xD3, 0xA7
.data:00000000000363B0 ; DATA XREF: sub_DD38+150↑o
.data:00000000000363B0 ; .datadiv_decode15146375311672927909+164↑o
.data:00000000000363B9 DCB 0, 0, 0, 0, 0, 0, 0
.data:00000000000363C0 ; _BYTE byte_363C0[32]
.data:00000000000363C0 byte_363C0 DCB 0x84, 0xAC, 0xA9, 0xA4, 0xBE, 0xA1, 0xA3, 0xE7, 0xBB
.data:00000000000363C0 ; DATA XREF: sub_DD38+15C↑o
.data:00000000000363C0 ; .datadiv_decode15146375311672927909+170↑o
.data:00000000000363C9 DCB 0xB1, 0xBB, 0xBC, 0xAD, 0xA5, 0xE7, 0x8C, 0xAD, 0xB0
.data:00000000000363D2 DCB 0x98, 0xA9, 0xBC, 0xA0, 0x84, 0xA1, 0xBB, 0xBC, 0xF3
.data:00000000000363DB DCB 0xC8, 0, 0, 0, 0
.data:00000000000363E0 ; _BYTE byte_363E0[28]
.data:00000000000363E0 byte_363E0 DCB 0x24, 0x21, 0x2C, 0x36, 0x29, 0x2B, 0x6F, 0x33, 0x39
.data:00000000000363E0 ; DATA XREF: sub_DD38+168↑o
.data:00000000000363E0 ; .datadiv_decode15146375311672927909+17C↑o
.data:00000000000363E9 DCB 0x33, 0x34, 0x25, 0x2D, 0x6F, 4, 0x25, 0x38, 0x10
.data:00000000000363F2 DCB 0x21, 0x34, 0x28, 0xC, 0x29, 0x33, 0x34, 0x40, 0, 0
.data:00000000000363FC ; _BYTE byte_363FC[20]
.data:00000000000363FC byte_363FC DCB 0x68, 0x69, 0x74, 0x49, 0x60, 0x69, 0x61, 0x69, 0x62
.data:00000000000363FC ; DATA XREF: sub_DD38+174↑o
.data:00000000000363FC ; .datadiv_decode15146375311672927909+188↑o
.data:0000000000036405 DCB 0x78, 0x7F, 0xC, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036410 ; _BYTE byte_36410[48]
.data:0000000000036410 byte_36410 DCB 0x97, 0x80, 0xA8, 0xAD, 0xA0, 0xBA, 0xA5, 0xA7, 0xE3
.data:0000000000036410 ; DATA XREF: sub_DD38+180↑o
.data:0000000000036410 ; .datadiv_decode15146375311672927909+194↑o
.data:0000000000036419 DCB 0xBF, 0xB5, 0xBF, 0xB8, 0xA9, 0xA1, 0xE3, 0x88, 0xA9
.data:0000000000036422 DCB 0xB4, 0x9C, 0xAD, 0xB8, 0xA4, 0x80, 0xA5, 0xBF, 0xB8
.data:000000000003642B DCB 0xE8, 0x89, 0xA0, 0xA9, 0xA1, 0xA9, 0xA2, 0xB8, 0xF7
.data:0000000000036434 DCB 0xCC, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000036440 ; _BYTE byte_36440[40]
.data:0000000000036440 byte_36440 DCB 0xD0, 0xD5, 0xD8, 0xC2, 0xDD, 0xDF, 0x9B, 0xC7, 0xCD
.data:0000000000036440 ; DATA XREF: sub_DD38+18C↑o
.data:0000000000036440 ; .datadiv_decode15146375311672927909+1A0↑o
.data:0000000000036449 DCB 0xC7, 0xC0, 0xD1, 0xD9, 0x9B, 0xFD, 0xDA, 0xF9, 0xD1
.data:0000000000036452 DCB 0xD9, 0xDB, 0xC6, 0xCD, 0xF0, 0xD1, 0xCC, 0xF7, 0xD8
.data:000000000003645B DCB 0xD5, 0xC7, 0xC7, 0xF8, 0xDB, 0xD5, 0xD0, 0xD1, 0xC6
.data:0000000000036464 DCB 0xB4, 0, 0, 0
.data:0000000000036468 ; _BYTE byte_36468[8]
.data:0000000000036468 byte_36468 DCB 0x15, 0x40, 0x47, 0x40, 0x5D, 0x17, 0x29, 0
.data:0000000000036468 ; DATA XREF: sub_DD38+198↑o
.data:0000000000036468 ; .datadiv_decode15146375311672927909+1AC↑o
.data:0000000000036470 ; _BYTE byte_36470[48]
.data:0000000000036470 byte_36470 DCB 0x59, 0x3D, 0x1B, 0x10, 7, 0x10, 0x5E, 0x1F, 0x18
.data:0000000000036470 ; DATA XREF: sub_DD38+1A4↑o
.data:0000000000036470 ; .datadiv_decode15146375311672927909+1B8↑o
.data:0000000000036479 DCB 0x1E, 0x5E, 0x33, 8, 5, 0x14, 0x33, 4, 0x17, 0x17
.data:0000000000036483 DCB 0x14, 3, 0x4A, 0x3D, 0x1B, 0x10, 7, 0x10, 0x5E, 0x1D
.data:000000000003648D DCB 0x10, 0x1F, 0x16, 0x5E, 0x32, 0x1D, 0x10, 2, 2, 0x3D
.data:0000000000036497 DCB 0x1E, 0x10, 0x15, 0x14, 3, 0x4A, 0x58, 0x27, 0x71
.data:00000000000364A0 ; _BYTE byte_364A0[20]
.data:00000000000364A0 byte_364A0 DCB 0x7E, 0x75, 0x62, 0x75, 0x3B, 0x61, 0x60, 0x7D, 0x78
.data:00000000000364A0 ; DATA XREF: sub_DD38+1B0↑o
.data:00000000000364A0 ; .datadiv_decode15146375311672927909+1C4↑o
.data:00000000000364A9 DCB 0x3B, 0x55, 0x66, 0x66, 0x75, 0x6D, 0x58, 0x7D, 0x67
.data:00000000000364B2 DCB 0x60, 0x14
.data:00000000000364B4 ; _BYTE byte_364B4[12]
.data:00000000000364B4 byte_364B4 DCB 0xA4, 0xA1, 0xA1, 0xC5, 0, 0, 0, 0, 0, 0, 0, 0
.data:00000000000364B4 ; DATA XREF: sub_DD38+1BC↑o
.data:00000000000364B4 ; .datadiv_decode15146375311672927909+1D0↑o
.data:00000000000364C0 ; _BYTE byte_364C0[24]
.data:00000000000364C0 byte_364C0 DCB 0x88, 0xEC, 0xCA, 0xC1, 0xD6, 0xC1, 0x8F, 0xCC, 0xC1
.data:00000000000364C0 ; DATA XREF: sub_DD38+1C8↑o
.data:00000000000364C0 ; .datadiv_decode15146375311672927909+1DC↑o
.data:00000000000364C9 DCB 0xCE, 0xC7, 0x8F, 0xEF, 0xC2, 0xCA, 0xC5, 0xC3, 0xD4
.data:00000000000364D2 DCB 0x9B, 0x89, 0xFA, 0xA0, 0, 0
.data:00000000000364D8 ; _BYTE byte_364D8[8]
.data:00000000000364D8 byte_364D8 DCB 0x45, 0x5E, 0x70, 0x43, 0x43, 0x50, 0x48, 0x31
.data:00000000000364D8 ; DATA XREF: sub_DD38+1D4↑o
.data:00000000000364D8 ; .datadiv_decode15146375311672927909+1E8↑o
.data:00000000000364E0 ; _BYTE byte_364E0[24]
.data:00000000000364E0 byte_364E0 DCB 0xD3, 0xD2, 0xA0, 0xB7, 0x91, 0x9A, 0x8D, 0x9A, 0xD4
.data:00000000000364E0 ; DATA XREF: sub_DD38+1E0↑o
.data:00000000000364E0 ; .datadiv_decode15146375311672927909+1F4↑o
.data:00000000000364E9 DCB 0x97, 0x9A, 0x95, 0x9C, 0xD4, 0xB4, 0x99, 0x91, 0x9E
.data:00000000000364F2 DCB 0x98, 0x8F, 0xC0, 0xFB, 0, 0
.data:00000000000364F8 ; _BYTE byte_364F8[8]
.data:00000000000364F8 byte_364F8 DCB 0xEB, 0xEA, 0x95, 0xC3, 0, 0, 0, 0
.data:00000000000364F8 ; DATA XREF: sub_DD38+1EC↑o
.data:00000000000364F8 ; .datadiv_decode15146375311672927909+200↑o

Look at the xrefs of this data:

_BYTE *datadiv_decode15146375311672927909()
{
_BYTE *result; // x0
unsigned int v52; // [xsp+Ch] [xbp-2C4h]
unsigned int v53; // [xsp+10h] [xbp-2C0h]
unsigned int v54; // [xsp+14h] [xbp-2BCh]
unsigned int v55; // [xsp+18h] [xbp-2B8h]
unsigned int v56; // [xsp+1Ch] [xbp-2B4h]
unsigned int v57; // [xsp+20h] [xbp-2B0h]
unsigned int v58; // [xsp+24h] [xbp-2ACh]
unsigned int v59; // [xsp+28h] [xbp-2A8h]
unsigned int v60; // [xsp+2Ch] [xbp-2A4h]
unsigned int v61; // [xsp+30h] [xbp-2A0h]
unsigned int v62; // [xsp+34h] [xbp-29Ch]
unsigned int v63; // [xsp+38h] [xbp-298h]
unsigned int v64; // [xsp+3Ch] [xbp-294h]
unsigned int v65; // [xsp+40h] [xbp-290h]
unsigned int v66; // [xsp+44h] [xbp-28Ch]
unsigned int v67; // [xsp+48h] [xbp-288h]
unsigned int v68; // [xsp+4Ch] [xbp-284h]
unsigned int v69; // [xsp+50h] [xbp-280h]
unsigned int v70; // [xsp+54h] [xbp-27Ch]
unsigned int v71; // [xsp+58h] [xbp-278h]
unsigned int v72; // [xsp+5Ch] [xbp-274h]
unsigned int v73; // [xsp+60h] [xbp-270h]
unsigned int v74; // [xsp+64h] [xbp-26Ch]
unsigned int v75; // [xsp+68h] [xbp-268h]
unsigned int v76; // [xsp+6Ch] [xbp-264h]
unsigned int v77; // [xsp+70h] [xbp-260h]
unsigned int v78; // [xsp+74h] [xbp-25Ch]
unsigned int v79; // [xsp+78h] [xbp-258h]
unsigned int v80; // [xsp+7Ch] [xbp-254h]
unsigned int v81; // [xsp+80h] [xbp-250h]
unsigned int v82; // [xsp+84h] [xbp-24Ch]
unsigned int v83; // [xsp+88h] [xbp-248h]
unsigned int v84; // [xsp+8Ch] [xbp-244h]
unsigned int v85; // [xsp+90h] [xbp-240h]
unsigned int v86; // [xsp+94h] [xbp-23Ch]
unsigned int v87; // [xsp+98h] [xbp-238h]
unsigned int v88; // [xsp+9Ch] [xbp-234h]
unsigned int v89; // [xsp+A0h] [xbp-230h]
unsigned int v90; // [xsp+A4h] [xbp-22Ch]
unsigned int v91; // [xsp+A8h] [xbp-228h]
signed int v92; // [xsp+ACh] [xbp-224h]
unsigned int v93; // [xsp+B0h] [xbp-220h]
unsigned int v94; // [xsp+B4h] [xbp-21Ch]
unsigned int v95; // [xsp+B8h] [xbp-218h]
unsigned int v96; // [xsp+BCh] [xbp-214h]
unsigned int v97; // [xsp+C0h] [xbp-210h]
unsigned int v98; // [xsp+C4h] [xbp-20Ch]
unsigned int v99; // [xsp+C8h] [xbp-208h]
unsigned int v100; // [xsp+CCh] [xbp-204h]
unsigned int v101; // [xsp+D0h] [xbp-200h]
unsigned int v102; // [xsp+D4h] [xbp-1FCh]

result = byte_36118;
v102 = 0;
do
asc_36010[v102] ^= 0x67u;
while ( v102++ < 0x10 );
v101 = 0;
do
byte_36024[v101] ^= 0x86u;
while ( v101++ < 8 );
v100 = 0;
do
byte_36030[v100] ^= 0x83u;
while ( v100++ < 4 );
v99 = 0;
do
byte_36040[v99] ^= 0xC5u;
while ( v99++ < 0x19 );
v98 = 0;
do
byte_36060[v98] ^= 0x71u;
while ( v98++ < 0x1A );
v97 = 0;
do
byte_36080[v97] ^= 0xBCu;
while ( v97++ < 0x16 );
v96 = 0;
do
byte_360A0[v96] ^= 0xC9u;
while ( v96++ < 0x1C );
v95 = 0;
do
byte_360C0[v95] ^= 0xC7u;
while ( v95++ < 0x13 );
v94 = 0;
do
byte_360E0[v94] ^= 0xE1u;
while ( v94++ < 0x19 );
v93 = 0;
do
byte_36100[v93] ^= 0xC6u;
while ( v93++ < 0x17 );
v92 = 0;
do
byte_36118[v92] = ~byte_36118[v92];
while ( (unsigned int)v92++ < 9 );
v91 = 0;
do
byte_36130[v91] ^= 0x66u;
while ( v91++ < 0x24 );
v90 = 0;
do
byte_36160[v90] ^= 0x3Du;
while ( v90++ < 0x20 );
v89 = 0;
do
byte_36184[v89] ^= 0x7Cu;
while ( v89++ < 6 );
v88 = 0;
do
byte_36190[v88] ^= 0xFDu;
while ( v88++ < 0x3D );
v87 = 0;
do
byte_361D0[v87] ^= 0xEAu;
while ( v87++ < 6 );
v86 = 0;
do
byte_361E0[v86] ^= 2u;
while ( v86++ < 0x27 );
v85 = 0;
do
byte_36208[v85] ^= 0xCEu;
while ( v85++ < 9 );
v84 = 0;
do
byte_36214[v84] ^= 0xFAu;
while ( v84++ < 3 );
v83 = 0;
do
byte_36218[v83] ^= 0xE3u;
while ( v83++ < 4 );
v82 = 0;
do
byte_36220[v82] ^= 0xDEu;
while ( v82++ < 0x29 );
v81 = 0;
do
byte_36250[v81] ^= 0xBEu;
while ( v81++ < 0x13 );
v80 = 0;
do
byte_36264[v80] ^= 0x91u;
while ( v80++ < 4 );
v79 = 0;
do
byte_3626C[v79] ^= 0x7Fu;
while ( v79++ < 7 );
v78 = 0;
do
aJbbijbbiaxnfax[v78] ^= 0xDu;
while ( v78++ < 0x10 );
v77 = 0;
do
byte_362A0[v77] ^= 0x4Eu;
while ( v77++ < 0x13 );
v76 = 0;
do
a4[v76] ^= 0x40u;
while ( v76++ < 8 );
v75 = 0;
do
byte_362C0[v75] ^= 4u;
while ( v75++ < 0x18 );
v74 = 0;
do
byte_362DC[v74] ^= 0x33u;
while ( v74++ < 3 );
v73 = 0;
do
byte_362E0[v73] ^= 0xF9u;
while ( v73++ < 0x19 );
v72 = 0;
do
aNqmwjwqp[v72] ^= 0x3Eu;
while ( v72++ < 8 );
v71 = 0;
do
byte_36310[v71] ^= 0xD4u;
while ( v71++ < 0x14 );
v70 = 0;
do
byte_36330[v70] ^= 0xA3u;
while ( v70++ < 0x1E );
v69 = 0;
do
byte_36350[v69] ^= 0x8Cu;
while ( v69++ < 0xF );
v68 = 0;
do
aHjLcnCNkj[v68] ^= 0x2Fu;
while ( v68++ < 0xE );
v67 = 0;
do
byte_36370[v67] ^= 0x81u;
while ( v67++ < 0x19 );
v66 = 0;
do
byte_36390[v66] ^= 0x47u;
while ( v66++ < 0x1D );
v65 = 0;
do
byte_363B0[v65] ^= 0xA7u;
while ( v65++ < 8 );
v64 = 0;
do
byte_363C0[v64] ^= 0xC8u;
while ( v64++ < 0x1B );
v63 = 0;
do
byte_363E0[v63] ^= 0x40u;
while ( v63++ < 0x19 );
v62 = 0;
do
byte_363FC[v62] ^= 0xCu;
while ( v62++ < 0xB );
v61 = 0;
do
byte_36410[v61] ^= 0xCCu;
while ( v61++ < 0x24 );
v60 = 0;
do
byte_36440[v60] ^= 0xB4u;
while ( v60++ < 0x24 );
v59 = 0;
do
byte_36468[v59] ^= 0x29u;
while ( v59++ < 6 );
v58 = 0;
do
byte_36470[v58] ^= 0x71u;
while ( v58++ < 0x2F );
v57 = 0;
do
byte_364A0[v57] ^= 0x14u;
while ( v57++ < 0x13 );
v56 = 0;
do
byte_364B4[v56] ^= 0xC5u;
while ( v56++ < 3 );
v55 = 0;
do
byte_364C0[v55] ^= 0xA0u;
while ( v55++ < 0x15 );
v54 = 0;
do
byte_364D8[v54] ^= 0x31u;
while ( v54++ < 7 );
v53 = 0;
do
byte_364E0[v53] ^= 0xFBu;
while ( v53++ < 0x15 );
v52 = 0;
do
byte_364F8[v52] ^= 0xC3u;
while ( v52++ < 3 );
return result;
}

Write an IDAPython script to decrypt the data manually:

import ida_bytes
import ida_idaapi
import ida_name

# Globals to patch: (name, XOR key, loop bound taken from the decompiled code)
variables = [
    ("asc_36010", 0x67, 0x10),
    ("byte_36024", 0x86, 8),
    ("byte_36030", 0x83, 4),
    ("byte_36040", 0xC5, 0x19),
    ("byte_36060", 0x71, 0x1A),
    ("byte_36080", 0xBC, 0x16),
    ("byte_360A0", 0xC9, 0x1C),
    ("byte_360C0", 0xC7, 0x13),
    ("byte_360E0", 0xE1, 0x19),
    ("byte_36100", 0xC6, 0x17),
    ("byte_36118", None, 9),  # special case: bitwise NOT
    ("byte_36130", 0x66, 0x24),
    ("byte_36160", 0x3D, 0x20),
    ("byte_36184", 0x7C, 6),
    ("byte_36190", 0xFD, 0x3D),
    ("byte_361D0", 0xEA, 6),
    ("byte_361E0", 2, 0x27),
    ("byte_36208", 0xCE, 9),
    ("byte_36214", 0xFA, 3),
    ("byte_36218", 0xE3, 4),
    ("byte_36220", 0xDE, 0x29),
    ("byte_36250", 0xBE, 0x13),
    ("byte_36264", 0x91, 4),
    ("byte_3626C", 0x7F, 7),
    ("aJbbijbbiaxnfax", 0xD, 0x10),
    ("byte_362A0", 0x4E, 0x13),
    ("a4", 0x40, 8),
    ("byte_362C0", 4, 0x18),
    ("byte_362DC", 0x33, 3),
    ("byte_362E0", 0xF9, 0x19),
    ("aNqmwjwqp", 0x3E, 8),
    ("byte_36310", 0xD4, 0x14),
    ("byte_36330", 0xA3, 0x1E),
    ("byte_36350", 0x8C, 0xF),
    ("aHjLcnCNkj", 0x2F, 0xE),
    ("byte_36370", 0x81, 0x19),
    ("byte_36390", 0x47, 0x1D),
    ("byte_363B0", 0xA7, 8),
    ("byte_363C0", 0xC8, 0x1B),
    ("byte_363E0", 0x40, 0x19),
    ("byte_363FC", 0xC, 0xB),
    ("byte_36410", 0xCC, 0x24),
    ("byte_36440", 0xB4, 0x24),
    ("byte_36468", 0x29, 6),
    ("byte_36470", 0x71, 0x2F),
    ("byte_364A0", 0x14, 0x13),
    ("byte_364B4", 0xC5, 3),
    ("byte_364C0", 0xA0, 0x15),
    ("byte_364D8", 0x31, 7),
    ("byte_364E0", 0xFB, 0x15),
    ("byte_364F8", 0xC3, 3),
]

def apply_xor_or_not(var_name, xor_value, length):
    addr = ida_name.get_name_ea(ida_idaapi.BADADDR, var_name)
    if addr == ida_idaapi.BADADDR:
        print(f"[-] Variable {var_name} not found!")
        return

    # The decompiled loops are `do ... while ( i++ < bound )`, so the body runs
    # bound + 1 times; the extra byte decodes to the string's NUL terminator.
    for i in range(length + 1):
        byte = ida_bytes.get_byte(addr + i)
        if xor_value is not None:
            new_byte = byte ^ xor_value
        else:
            new_byte = ~byte & 0xFF  # bitwise NOT
        ida_bytes.patch_byte(addr + i, new_byte)

    print(f"[+] Updated variable {var_name} at 0x{addr:X}")

def main():
    print("[*] Starting decryption script...")
    for var_name, xor_value, length in variables:
        apply_xor_or_not(var_name, xor_value, length)
    print("[*] Decryption completed!")

if __name__ == "__main__":
    main()

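XORing the original ciphertext A8BDAD9FF6B1BF8C9087AB9F9694A9A48D8FB08F8187FCE4E4C5 with C5 gives mxhZ3tzIUBnZSQlaHJuJDB9!!. A leading uppercase Z is missing; adding it gives ZmxhZ3tzIUBnZSQlaHJuJDB9!!, which Base64-decodes to flag{s!@ge$%hrn$0}. Submitting that was rejected, though. Looking closely at the JNI dynamic loading, there is a suspicious function sub_DD38, which loads a file named cc.dat and RC4-decrypts it with the key goodgoodluckluck decoded above: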

__int64 __fastcall sub_DAD8(__int64 a1, unsigned __int64 a2, __int64 key, unsigned __int64 lenkey)
{
  __int64 result; // x0
  unsigned int v5; // w8
  int v6; // w8
  int v7; // w9
  char v8; // [xsp+2Ch] [xbp-154h]
  unsigned __int64 i; // [xsp+30h] [xbp-150h]
  unsigned int v10; // [xsp+40h] [xbp-140h]
  unsigned int v11; // [xsp+44h] [xbp-13Ch]
  _BYTE v14[264]; // [xsp+68h] [xbp-118h] BYREF

  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  result = sub_D918((__int64)v14, key, lenkey);
  v11 = 0;
  v10 = 0;
  for ( i = 0LL; i < a2; ++i )
  {
    if ( (int)(v11 + 1) >= 0 )
      v5 = v11 + 1;
    else
      v5 = v11 + 256;
    v11 = v11 + 1 - (v5 & 0xFFFFFF00);
    v6 = v10 + (unsigned __int8)v14[v11];
    v7 = v6 + 255;
    if ( v6 >= 0 )
      v7 = v10 + (unsigned __int8)v14[v11];
    v10 = v6 - (v7 & 0xFFFFFF00);
    v8 = v14[v11];
    v14[v11] = v14[v10];
    v14[v10] = v8;
    *(_BYTE *)(a1 + i) ^= v14[(unsigned __int8)(v14[v11] + v14[v10])];
  }
  _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));
  return result;
}
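
The string-table decoding and the RC4 step described above can be reproduced without IDA. The following is an added example, not part of the original write-up: it replays the datadiv_decode loops over a few blobs copied from the listing, rebuilds the first Base64 candidate, and applies RC4 with the recovered key. The sample buffer is a constructed stand-in for cc.dat (which is not on the page), and the key schedule in sub_D918 is assumed to be standard RC4.

```python
import base64

# Blobs copied from the .data listing above: (name, bytes, XOR key, loop bound).
TABLE = [
    ("byte_36010", bytes.fromhex("0d061106480b060900483413150e090067"), 0x67, 0x10),
    ("byte_36024", bytes.fromhex("e1e3f2c4fff2e3f586"), 0x86, 8),
    ("byte_36030", bytes.fromhex("abaad8c183"), 0x83, 4),
    ("byte_36040",
     bytes.fromhex("a8bdad9ff6b1bf8c9087ab9f9694a9a48d8fb08f8187fce4e4c5"), 0xC5, 0x19),
    ("aJbbijbbiaxnfax", b"jbbijbbiaxnfaxnf\x0d", 0x0D, 0x10),
]


def decode_entry(blob, key, bound):
    """Replay one loop: `do ... while (i++ < bound)` touches bound + 1 bytes."""
    count = bound + 1
    if len(blob) < count:
        raise ValueError("blob is shorter than the range the loop touches")
    plain = bytes(b ^ key for b in blob[:count])
    text, nul, _ = plain.partition(b"\x00")
    if not nul:
        raise ValueError("no NUL terminator inside the decoded range")
    return text


def decode_table():
    return {name: decode_entry(blob, key, bound) for name, blob, key, bound in TABLE}


def first_candidate(strings):
    """The write-up's Base64 reading: prepend the missing 'Z', drop the '!!' tail."""
    b64 = "Z" + strings["byte_36040"].decode("ascii").rstrip("!")
    return base64.b64decode(b64, validate=True)


def rc4(key, data):
    """Standard RC4: key schedule (assumed for sub_D918), then the sub_DAD8 loop."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_dex(buf):
    """Sanity check after decryption: DEX magic is b'dex\\n' + 3 digits + NUL."""
    return len(buf) >= 8 and buf[:4] == b"dex\n" and buf[4:7].isdigit() and buf[7] == 0


# Constructed sample: a DEX-style header, used only to exercise the RC4 path.
SAMPLE_PLAIN = b"dex\n035\x00" + bytes(24)

if __name__ == "__main__":
    strings = decode_table()
    for name, text in strings.items():
        print(f"{name:16} -> {text!r}")
    print("first candidate:", first_candidate(strings))
    key = strings["aJbbijbbiaxnfax"]
    encrypted = rc4(key, SAMPLE_PLAIN)  # stand-in for the contents of cc.dat
    print("decrypts to DEX:", looks_like_dex(rc4(key, encrypted)))
```

The first three entries decode to the JNI class, method and signature strings, which shows that check() calls String.getBytes() before the Base64 routine.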

Decryption yields a dex file; its contents:

package com.ctf.goodluck1;

/* loaded from: C:\Users\LENOVO\Desktop\dump.dex */
public class Check {
    private static final int BASE_256 = 256;
    private static final char[] ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz".toCharArray();
    private static final int CHARCS = ALPHABET.length;
    private static final int[] INDEXES = new int[128];

    static {
        for (int i = 0; i < INDEXES.length; i++) {
            INDEXES[i] = -1;
        }
        for (int i2 = 0; i2 < ALPHABET.length; i2++) {
            INDEXES[ALPHABET[i2]] = i2;
        }
    }

    public static String iiooii(byte[] input) {
        if (input.length == 0) {
            return "";
        }
        byte[] input2 = copyOfRange(input, 0, input.length);
        int zeroCount = 0;
        while (zeroCount < input2.length && input2[zeroCount] == 0) {
            zeroCount++;
        }
        byte[] temp = new byte[input2.length * 2];
        int j = temp.length;
        int startAt = zeroCount;
        while (startAt < input2.length) {
            byte mod = ooiioo(input2, startAt);
            if (input2[startAt] == 0) {
                startAt++;
            }
            j--;
            temp[j] = (byte) ALPHABET[mod];
        }
        while (j < temp.length && temp[j] == ALPHABET[0]) {
            j++;
        }
        while (true) {
            zeroCount--;
            if (zeroCount < 0) {
                return new String(copyOfRange(temp, j, temp.length));
            }
            j--;
            temp[j] = (byte) ALPHABET[0];
        }
    }

    private static byte ooiioo(byte[] number, int startAt) {
        int remainder = 0;
        for (int i = startAt; i < number.length; i++) {
            int temp = (remainder * BASE_256) + (number[i] & 255);
            number[i] = (byte) (temp / CHARCS);
            remainder = temp % CHARCS;
        }
        return (byte) remainder;
    }

    private static byte[] copyOfRange(byte[] source, int from, int to) {
        byte[] range = new byte[to - from];
        System.arraycopy(source, from, range, 0, range.length);
        return range;
    }

    public static boolean check(String content) {
        if (iiooii(content.getBytes()).equals("xpoetRPP2XbiAqZb57dz7yE")) {
            return true;
        }
        return false;
    }
}

This turns out to be Base58; decoding gives flag{j#n$j@m^,*0}.
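
The Base58 step can be checked offline with a decoder that uses the alphabet and the comparison constant from the Check class. This is an added example, not code from the original write-up; b58encode mirrors what iiooii computes, and the function names are my own.

```python
# Alphabet and target string are taken from the decompiled Check class above.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
INDEX = {ch: i for i, ch in enumerate(ALPHABET)}
TARGET = "xpoetRPP2XbiAqZb57dz7yE"


def b58decode(text):
    """Invert iiooii: Base58 digits -> big integer -> bytes."""
    n = 0
    for pos, ch in enumerate(text):
        if ch not in INDEX:
            # '0', 'O', 'I' and 'l' are deliberately absent from the alphabet.
            raise ValueError(f"invalid Base58 character {ch!r} at offset {pos}")
        n = n * 58 + INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte (the zeroCount logic in iiooii).
    zeros = len(text) - len(text.lstrip(ALPHABET[0]))
    return b"\x00" * zeros + body


def b58encode(data):
    """Same result as iiooii: repeated division of the input by 58."""
    zeros = len(data) - len(data.lstrip(b"\x00"))
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    return ALPHABET[0] * zeros + "".join(reversed(digits))


def check(content):
    """Python equivalent of Check.check(): encode the input and compare."""
    return b58encode(content.encode()) == TARGET


if __name__ == "__main__":
    flag = b58decode(TARGET)
    print(flag.decode("ascii"))
    print("round trip ok:", check(flag.decode("ascii")))
```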

Privacy compliance:

harmony:

Look at the verification function:

public Object checkPassword(Object functionObject, Object newTarget, Index this) {
    asyncfunctionenter = asyncfunctionenter();
    try {
        if (this.userInput == false) {
            prompt = import { default as prompt } from "@ohos:prompt";
            prompt.showToast(createobjectwithbuffer(["message", "请输入密码", "duration", 2000]));
            return asyncfunctionresolve(null, asyncfunctionenter);
        }
        CryptoJS = import { CryptoJS } from "@package:pkg_modules/.ohpm/@ohos+crypto-js@2.0.4/pkg_modules/@ohos/crypto-js/index";
        MD5 = CryptoJS.MD5(this.userInput);
        if ((this.storedHash == MD5.toString() ? 1 : 0) != 0) {
            prompt2 = import { default as prompt } from "@ohos:prompt";
            obj = prompt2.showToast;
            obj2 = createobjectwithbuffer(["message", 0, "duration", 2000]);
            obj2.message = "恭喜,密码 " + this.userInput + " 正确!";
            obj(obj2);
            CryptoJS2 = import { CryptoJS } from "@package:pkg_modules/.ohpm/@ohos+crypto-js@2.0.4/pkg_modules/@ohos/crypto-js/index";
            MD52 = CryptoJS2.MD5(this.userInput + this.storedHash);
            this.exam1Flag = "Flag{" + MD52.toString() + "}";
        } else {
            this.exam1Flag = "密码错误,请重试~";
        }
        return asyncfunctionresolve(null, asyncfunctionenter);
    } catch (ExceptionI0 unused) {
        return asyncfunctionreject(asyncfunctionenter, asyncfunctionenter);
    }
}

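The function expects an input string whose MD5 equals the MD5 stored internally, and the flag is the MD5 of the input string concatenated with that stored MD5. Using ABCDecompiler, the secret string is found to be 16f85293e920fd49eda6bf0df98bfd33; cracking the hash gives goodgood, and concatenating gives Flag{ee51e080d1db85f9927fe87aa92267bb}.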