这题目的主要思路是字节码 VM。我们开始动调，主要目标是进入 VM 做对齐；算法是 TEA。
对其关键代码进行分析
image.png
跟进VM
image.png
分析：一共是 5 个 case，长度为 40；静态分析找不到需要的 opcode，于是进行动调：在 VM 处下断点，F9、F7 进入 call 跳转，进入 vm public。
image.png
跟进它们的 var_10 栈列表，一步一步对齐。
我们需要从下往上写：根据堆栈的原理，先入栈的会在栈底。
image.png

		0xF1[0,0,2]
0xF1[1,1,2]
0xF1[3,0,0]
0xF1[2,0,0]

0xF2[3,0x9e3779b9,0]

0xF1[4,1,1]
0xF5[4,5]
0xF2[4,1,2]
0xF1[5,1,1]
0xF2[5,3,1]
0xF4[4,5]
0xF2[0,4,1]
0xF1[4,0,1]
0xF5[4,5]
0xF2[4,3,2]
0xF1[5,0,1]
0xF3[5,5]
0xF2[5,2,2]
0xF4[4,5]
0xF1[5,0,1]
0xF2[5,3,1]
0xF4[4,5]
0xF2[1,4,1]
0xF2[2,1,0]
0xFF,0xF6

后面的数值在 K 和 enc 中可以找到。

#include<bits/stdc++.h>
#include<stdint.h>
using namespace std;
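int main() {
    // enc: the ten 32-bit ciphertext words, consumed as five (v0, v1) pairs.
    // The original declared them as 64-bit, but every value and every round
    // operation is 32-bit, so uint32_t reproduces the same arithmetic.
    uint32_t enc[10] = {0x76B9621A, 0xCCE4ADDE, 0x25C8BFC8, 0x16C2D472,
                        0xF317D53A, 0xF2A111A1, 0xDF89F0E6, 0xDCCDA623,
                        0x21C2F409, 0xDBD88D63};
    // Key words; only k[0..3] are ever read by the round function.
    const uint32_t k[4] = {2, 0, 2, 3};
    const uint32_t delta = 0x9e3779b9;
    const int rounds = 40;

    for (int block = 0; block < 5; ++block) {
        uint32_t v0 = enc[2 * block];
        uint32_t v1 = enc[2 * block + 1];
        // TEA-style decryption walks the round constant back from rounds*delta.
        // It must be reset per block: the original `v3 += 40*delta` read an
        // uninitialized variable, which is undefined behaviour (and only
        // happened to work when the garbage value was zero).
        uint32_t sum = static_cast<uint32_t>(rounds) * delta;
        for (int r = 0; r < rounds; ++r) {
            // Note both shifts are 5 here; standard TEA uses <<4 on the left.
            v1 -= ((v0 >> 5) + k[3]) ^ ((v0 << 5) + k[2]) ^ (v0 + sum);
            v0 -= ((v1 >> 5) + k[1]) ^ ((v1 << 5) + k[0]) ^ (v1 + sum);
            sum -= delta;
        }
        enc[2 * block] = v0;
        enc[2 * block + 1] = v1;
    }

    // Emit each recovered word as four little-endian bytes. The original
    // printf line had an unbalanced parenthesis and passed a 64-bit value to
    // "%c"; putchar with an explicit int cast is the well-defined equivalent.
    for (int i = 0; i < 10; ++i) {
        for (int byte = 0; byte < 4; ++byte) {
            std::putchar(static_cast<int>((enc[i] >> (8 * byte)) & 0xff));
        }
    }
    return 0;
}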

简单的跨栏

apk 反编译后是一段 RC4 加密。
image.png
encode 是 native 函数，将 lib 中的 libantidbg.so 提取出来丢进 IDA 看看，是变表 base64。
image.png
base64 解码后转 hex，替换参数。

写RC4

#include<bits/stdc++.h>
using namespace std;
int main() {
    // Ciphertext bytes (the base64 value decoded to hex, as described above).
    const int base64_table[] = {0xe0,0x27,0x00,0x71,0xa0,0x55,0xcc,0xa3,0xd2,0x79,0xb6,0x83,
                                0xb8,0x1e,0x4f,0x3b,0x80,0x4a,0xfc,0xed,0x2e,0xed,0x1c,0xe3,0x48,0x2a,0x53,0x28,0x87,
                                0x4e,0x26,0xde,0xf9,0x90,0xd7,0x13,0xa4,0xea,0x99};
    const std::string key = "runrunrun";

    // RC4 key scheduling: identity permutation plus the key repeated to 256 bytes.
    int s[256];
    int k[256];
    for (int idx = 0; idx < 256; ++idx) {
        s[idx] = idx;
        k[idx] = key[idx % key.length()];
    }
    int j = 0;
    for (int idx = 0; idx < 256; ++idx) {
        j = (s[idx] + j + k[idx]) & 255;
        std::swap(s[idx], s[j]);
    }

    // RC4 PRGA: one keystream byte per ciphertext byte, XORed in and printed.
    int i = 0;
    j = 0;
    for (const int c : base64_table) {
        i = (i + 1) & 255;
        j = (j + s[i]) & 255;
        std::swap(s[i], s[j]);
        const int ks = s[(s[i] + s[j]) & 255];
        std::cout << static_cast<char>(c ^ ks);
    }
    return 0;
}

js

丢工具反一下

function _0x4a2285(_0x2b5a00) {
    // RC4 key scheduling: returns S[0..255] permuted under the key string,
    // whose char codes are repeated cyclically to fill 256 entries.
    var sbox = new Array(256);
    var keyBytes = new Array(256);
    var idx;
    for (idx = 0; idx < 256; idx++) {
        sbox[idx] = idx;
        keyBytes[idx] = _0x2b5a00.charCodeAt(idx % _0x2b5a00.length);
    }
    var j = 0;
    for (idx = 0; idx < 256; idx++) {
        j = (j + sbox[idx] + keyBytes[idx]) % 256;
        var tmp = sbox[idx];
        sbox[idx] = sbox[j];
        sbox[j] = tmp;
    }
    return sbox;
}

function _0x569454(_0x1f637f, _0x46bf6a) {
return String["fromCharCode"](_0x1f637f["charCodeAt"](0) + 13) + String["fromCharCode"](_0x46bf6a["charCodeAt"](0) - 1) + "wstar" + '_' + String["fromCharCode"](_0x46bf6a['charCodeAt'](1) + 1) + String["fromCharCode"](_0x1f637f["charCodeAt"](3) + 1) + 's';
}

function _0x221c90(_0x2acf55, _0x549db3) {
    // Modified RC4 PRGA keyed by _0x2acf55 and applied to the string _0x549db3.
    // Two deviations from textbook RC4: i advances by 2 per byte, and every
    // keystream byte is additionally XORed with 3 before being applied.
    var sbox = _0x4a2285(_0x2acf55);
    var out = '';
    var i = 0;
    var j = 0;
    for (var pos = 0; pos < _0x549db3.length; pos++) {
        i = (i + 2) % 256;
        j = (j + sbox[i]) % 256;
        var tmp = sbox[i];
        sbox[i] = sbox[j];
        sbox[j] = tmp;
        var ks = sbox[(sbox[i] + sbox[j]) % 256];
        out += String.fromCharCode(_0x549db3.charCodeAt(pos) ^ ks ^ 3);
    }
    return out;
}

// Publish the final checker under an obfuscated global name and keep a local alias.
window._0x54cd23 = _0x53816c;
var _0x24eb58 = window._0x54cd23;

function _0x53816c(_0x3cc7e4) {
    // Final check: base64-encode the RC4 output and compare with the fixed target.
    // Base64-decoding this target gives the ciphertext bytes (0x0A, 0x7F, 0x11, ...)
    // used by the C++ solver below.
    var expected = "Cn8RHIJEVdvlrRESjETCscwQZdlhRfsRkWoHCTa0HcfLPg==";
    return btoa(_0x3cc7e4) === expected;
}

function _0x499d16() {
    // Form handler: gate on the hard-coded credentials, then run the modified
    // RC4 over the flag input with the derived key and check the result.
    alert("来试试吧");
    var user = document.getElementById("username").value;
    var pass = document.getElementById("password").value;
    var flag = document.getElementById("flagtext").value;

    if (user !== "admin" || pass !== "123456") {
        alert('不行不行');
        return;
    }

    alert("正在验证账号密码------");
    alert("账号密码正确!再接再厉");
    alert("正在验证flag------");

    var cipher = _0x221c90(_0x569454(user, pass), flag);
    if (_0x24eb58(cipher)) {
        alert("flag正确!");
    } else {
        alert("不行不行!");
    }
}

base64解码转hex
在线运行 js，传入 admin 和 123456。
对原脚本修改

#include<bits/stdc++.h>
using namespace std;
int main() {
    // Ciphertext bytes: the base64 target string decoded to hex.
    const int base64_table[] = {0x0A ,0x7F ,0x11 ,0x1C ,0x82 ,0x44 ,0x55 ,0xDB ,0xE5 ,0xAD ,0x11,
                                0x12 ,0x8C ,0x44 ,0xC2 ,0xB1 ,0xCC ,0x10 ,0x65 ,0xD9 ,0x61 ,0x45 ,0xFB ,0x11 ,0x91 ,0x6A ,0x07 ,0x09 ,0x36 ,0xB4 ,0x1D ,0xC7 ,0xCB ,0x3E };
    // Key derived from "admin"/"123456" by the JS helper _0x569454.
    const std::string key = "n0wstar_3js";

    // Standard RC4 key scheduling.
    int s[256];
    int k[256];
    for (int idx = 0; idx < 256; ++idx) {
        s[idx] = idx;
        k[idx] = key[idx % key.length()];
    }
    int j = 0;
    for (int idx = 0; idx < 256; ++idx) {
        j = (s[idx] + j + k[idx]) & 255;
        std::swap(s[idx], s[j]);
    }

    // PRGA mirroring the JS _0x221c90 variant: i steps by 2 each byte and the
    // keystream byte is XORed with 3 before being applied.
    int i = 0;
    j = 0;
    for (const int c : base64_table) {
        i = (i + 2) & 255;
        j = (j + s[i]) & 255;
        std::swap(s[i], s[j]);
        const int ks = s[(s[i] + s[j]) & 255];
        std::cout << static_cast<char>(c ^ ks ^ 3);
    }
    return 0;
}