easyjni
难度系数: 7
题目来源: 暂无
题目描述:无
题目场景: 暂无
题目附件: 附件1
https://adworld.xctf.org.cn/task/answer?type=mobile&number=6&grade=0&id=5091&page=1

反编译一波
image.png

按钮点击事件中,调用一个 a方法,参数为输入的字符串。
a方法中 又创建一个a类的a方法。最后调用so库的ncheck方法。

跟进a类,一时看不懂。一开始像base64。发现不对。看了网上大佬的思路。base64变种。只是改变了字符的位置.

base64原理 https://www.cnblogs.com/xiaxveliang/p/15097947.html

package com.a.easyjni;

/* loaded from: classes.dex */
public class a {
    private static final char[] a = {'i', '5', 'j', 'L', 'W', '7', 'S', '0', 'G', 'X', '6', 'u', 'f', '1', 'c', 'v', '3', 'n', 'y', '4', 'q', '8', 'e', 's', '2', 'Q', '+', 'b', 'd', 'k', 'Y', 'g', 'K', 'O', 'I', 'T', '/', 't', 'A', 'x', 'U', 'r', 'F', 'l', 'V', 'P', 'z', 'h', 'm', 'o', 'w', '9', 'B', 'H', 'C', 'M', 'D', 'p', 'E', 'a', 'J', 'R', 'Z', 'N'};

    public String a(byte[] bArr) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i <= bArr.length - 1; i += 3) {
            byte[] bArr2 = new byte[4];
            byte b = 0;
            for (int i2 = 0; i2 <= 2; i2++) {
                if (i + i2 <= bArr.length - 1) {
                    bArr2[i2] = (byte) (b | ((bArr[i + i2] & 255) >>> ((i2 * 2) + 2)));
                    b = (byte) ((((bArr[i + i2] & 255) << (((2 - i2) * 2) + 2)) & 255) >>> 2);
                } else {
                    bArr2[i2] = b;
                    b = 64;
                }
            }
            bArr2[3] = b;
            for (int i3 = 0; i3 <= 3; i3++) {
                if (bArr2[i3] <= 63) {
                    sb.append(a[bArr2[i3]]);
                } else {
                    sb.append('=');
                }
            }
        }
        return sb.toString();
    }
}

反编译so文件

bool __fastcall Java_com_a_easyjni_MainActivity_ncheck(JNIEnv *env, jclass a2, const char *str)
{
  const char *v5; // r6
  int i; // r0
  char *v7; // r2
  char v8; // r1
  int v9; // r0
  bool v10; // cc
  char v12[32]; // [sp+3h] [bp-35h] BYREF
  char v13; // [sp+23h] [bp-15h]

  v5 = (*env)->GetStringUTFChars(env, str, 0);//入参
  if ( strlen(v5) == 32 )
  {
    //前16和后16位交换
    for ( i = 0; i != 16; ++i )
    {
      v7 = &v12[i];
      v12[i] = v5[i + 16];
      v8 = v5[i];
      v7[16] = v8;
    }
    (*env)->ReleaseStringUTFChars(env, str, v5);

    //2位一组,交换位置
    v9 = 0;
    do
    {
      v10 = v9 < 30;
      v13 = v12[v9];
      v12[v9] = v12[v9 + 1];
      v12[v9 + 1] = v13;
      v9 += 2;
    }
    while ( v10 );
    
    //v12和"MbT3sQgX039i3g==AQOoMQFPskB1Bsc7"比较
    return memcmp(v12, "MbT3sQgX039i3g==AQOoMQFPskB1Bsc7", 0x20u) == 0;
  }
  else
  {
    (*env)->ReleaseStringUTFChars(env, str, v5);
    return 0;
  }
}

找个base64工具类,修改一下字典解码

import java.io.ByteArrayOutputStream;

/**
 * @author 夜雨
 * @Web www.yeyusmile.top
 * @date 2022/4/9
 */
public class MyBase64 {

    /* renamed from: a */
    private  final char[] keys = {'i', '5', 'j', 'L', 'W', '7', 'S', '0', 'G', 'X', '6', 'u', 'f', '1', 'c', 'v', '3', 'n', 'y', '4', 'q', '8', 'e', 's', '2', 'Q', '+', 'b', 'd', 'k', 'Y', 'g', 'K', 'O', 'I', 'T', '/', 't', 'A', 'x', 'U', 'r', 'F', 'l', 'V', 'P', 'z', 'h', 'm', 'o', 'w', '9', 'B', 'H', 'C', 'M', 'D', 'p', 'E', 'a', 'J', 'R', 'Z', 'N'};


    private  byte[] base64DecodeChars = new byte[128];


    public MyBase64(){
        for (int i = 0; i < base64DecodeChars.length; i++) {
            base64DecodeChars[i] = -1;
        }

        for (int j = 0; j < keys.length; j++) {
            base64DecodeChars[keys[j]] = (byte) getIndex(keys[j]);
        }
       // base64DecodeChars[64] = (byte) getIndex('=');


    }


    public int getIndex(char b){
        for (int i = 0; i < keys.length; i++) {
            if(keys[i] == b){
                return i;
            }
        }
        return -1;
    }


    /**
     *
     *
     * @param str
     */
    public  byte[] decode(String str) throws Exception {
        byte[] data = str.getBytes("UTF-8");
        int len = data.length;
        ByteArrayOutputStream buf = new ByteArrayOutputStream(len);
        int i = 0;
        int b1, b2, b3, b4;

        while (i < len) {

            /* b1 */
            do {
                b1 = base64DecodeChars[data[i++]];
            } while (i < len && b1 == -1);
            if (b1 == -1) {
                break;
            }

            /* b2 */
            do {
                b2 = base64DecodeChars[data[i++]];
            } while (i < len && b2 == -1);
            if (b2 == -1) {
                break;
            }
            buf.write((b1 << 2) | ((b2 & 0x30) >>> 4));

            /* b3 */
            do {
                b3 = data[i++];
                if (b3 == 61) {
                    return buf.toByteArray();
                }
                b3 = base64DecodeChars[b3];
            } while (i < len && b3 == -1);
            if (b3 == -1) {
                break;
            }
            buf.write(((b2 & 0x0f) << 4) | ((b3 & 0x3c) >>> 2));

            /* b4 */
            do {
                b4 = data[i++];
                if (b4 == 61) {
                    return buf.toByteArray();
                }
                b4 = base64DecodeChars[b4];
            } while (i < len && b4 == -1);
            if (b4 == -1) {
                break;
            }
            buf.write(((b3 & 0x03) << 6) | b4);
        }
        return buf.toByteArray();
    }
}


import java.nio.charset.StandardCharsets;

/**
 * @author 夜雨
 * @Web www.yeyusmile.top
 * @date 2022/4/9
 */
public class EasyJNI {
    static byte str[] = "MbT3sQgX039i3g==AQOoMQFPskB1Bsc7".getBytes(StandardCharsets.UTF_8);

    public static void main(String[] args) throws Exception {

        int k = 0;
        do {
            byte tmp = str[k];
            str[k] = str[k + 1]; //r0=r1   r2=r3 .....  r30 = r32
            str[k + 1] = tmp; //r1=ro      r3=r2   .....r32= r30
            k += 2;
        } while (k <= 30);
        String str1 = new String(str);
        System.out.println(str1);
        str1 = str1.substring(16) + str1.substring(0, 16);
        System.out.println(str1);
        System.out.println(new String(new MyBase64().decode(str1)));
    }

}

image.png


牛刀小试apk3:https://adworld.xctf.org.cn/task/answer?type=mobile&number=6&grade=0&id=5088&page=1

Q.E.D.