示例程序

攻防世界 pingpong

jadx

package com.geekerchina.pingpongmachine;

import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.TextView;

/**
 * Decompiled (jadx) activity of the challenge APK.
 *
 * Two buttons drive a countdown {@code tt} that starts from {@code ttt}. Each press
 * feeds the running value {@code p} through a native {@link #ping} or {@link #pong}
 * call; when the countdown hits zero the flag is rendered from {@code p}. Everything
 * that decides the flag happens on the device, which is why the writeup can recover
 * it by re-hosting {@code libpp.so} in another app instead of reversing it.
 */
public class MainActivity extends AppCompatActivity {
    /** "PING" button handler: accepted only when {@code tt} is even, otherwise the sequence restarts. */
    OnClickListener jping = new OnClickListener() {
        public void onClick(View v) {
            // Out-of-turn press: reset accumulator, round counter and countdown.
            if (MainActivity.this.tt % 2 == 1) {
                MainActivity.this.p = 0;
                MainActivity.this.num = 0;
                MainActivity.this.tt = MainActivity.this.ttt;
            }
            MainActivity.this.tt--;
            // p is threaded through the native call together with the round counter.
            MainActivity.this.p = MainActivity.this.ping(MainActivity.this.p, MainActivity.this.num);
            MainActivity.this.num++;
            // Round counter cycles 0..6.
            if (MainActivity.this.num >= 7) {
                MainActivity.this.num = 0;
            }
            TextView t = (TextView) MainActivity.this.findViewById(R.id.out);
            t.setText("PING");
            // Last press of the countdown replaces the label with the flag.
            if (MainActivity.this.tt == 0) {
                t.setText("FLAG: BCTF{MagicNum" + Integer.toString(MainActivity.this.p) + "}");
            }
        }
    };
    /** "PONG" button handler: mirror image of {@link #jping}, accepted only when {@code tt} is odd. */
    OnClickListener jpong = new OnClickListener() {
        public void onClick(View v) {
            // Out-of-turn press: reset accumulator, round counter and countdown.
            if (MainActivity.this.tt % 2 == 0) {
                MainActivity.this.p = 0;
                MainActivity.this.num = 0;
                MainActivity.this.tt = MainActivity.this.ttt;
            }
            MainActivity.this.tt--;
            MainActivity.this.p = MainActivity.this.pong(MainActivity.this.p, MainActivity.this.num);
            MainActivity.this.num++;
            // Round counter cycles 0..6.
            if (MainActivity.this.num >= 7) {
                MainActivity.this.num = 0;
            }
            TextView t = (TextView) MainActivity.this.findViewById(R.id.out);
            t.setText("PONG");
            // Last press of the countdown replaces the label with the flag.
            if (MainActivity.this.tt == 0) {
                t.setText("FLAG: BCTF{MagicNum" + Integer.toString(MainActivity.this.p) + "}");
            }
        }
    };
    // Round counter passed as the second native argument; wraps at 7.
    public int num = 0;
    // Accumulator passed as the first native argument; the flag is its final value.
    public int p = 0;
    // NOTE(review): in the order shown, tt reads ttt before ttt is assigned, so tt
    // would start at 0 and only become 1000000 once a listener's reset branch reloads
    // it. Decompilers do not always preserve field order — confirm against the APK
    // before reasoning about the exact press count.
    public int tt = this.ttt;
    // Total number of presses required before the flag is shown.
    public int ttt = 1000000;

    /** Implemented in libpp.so; per the writeup each call also sleeps about one second. */
    public native int ping(int i, int i2);

    /** Implemented in libpp.so; per the writeup each call also sleeps about one second. */
    public native int pong(int i, int i2);

    /* access modifiers changed from: protected */
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView((int) R.layout.activity_main);
        // Wire the two buttons to the ping/pong listeners above.
        ((Button) findViewById(R.id.button)).setOnClickListener(this.jping);
        ((Button) findViewById(R.id.button2)).setOnClickListener(this.jpong);
    }

    public boolean onCreateOptionsMenu(Menu menu) {
        getMenuInflater().inflate(R.menu.menu_main, menu);
        return true;
    }

    public boolean onOptionsItemSelected(MenuItem item) {
        // Settings entry is consumed without doing anything.
        if (item.getItemId() == R.id.action_settings) {
            return true;
        }
        return super.onOptionsItemSelected(item);
    }

    // The flag logic lives in this native library, not in Java.
    static {
        System.loadLibrary("pp");
    }
}

这是主要逻辑
需要交替点击ping、pong按钮,直到出现flag
ping pong函数属于native层的函数



so库的两个主要函数都经过了混淆。这里可以将so库移植到别的程序上,通过程序来模拟点击按钮的效果;而ping、pong函数每次执行都会沉睡1s,需要1000000s之后才能得到flag,所以我们需要修改so库中的sleep函数


另一个函数同理

编写app

  1. 创建一个与源程序名称相同的app


  2. 将程序中的so库移动到新建的app的libs目录下


  3. 修改build.gradle

    添加以下代码

// Packages every .so under libs/ into libs/Native_Libs2.jar, placing them under a
// lib/ directory inside the archive — presumably so the Android build picks the
// native library up from the jar without a jni source set (verify for your Gradle
// plugin version). NOTE(review): destinationDir/baseName/extension are the legacy
// Zip task properties; newer Gradle releases expect the archive* equivalents.
task nativeLibsToJar(type: Zip, description: "create a jar archive of the native libs") {
    destinationDir file("$projectDir/libs")
    baseName "Native_Libs2"
    extension "jar"
    from fileTree(dir: "libs", include: "**/*.so")
    into "lib"
}

// Make sure the jar is built before any Java compilation task runs.
tasks.withType(JavaCompile) {
    compileTask -> compileTask.dependsOn(nativeLibsToJar)
}
  4. 修改MainActivity代码
package com.geekerchina.pingpongmachine;

import androidx.appcompat.app.AppCompatActivity;

import android.os.Bundle;
import android.util.Log;
import android.widget.Button;
import android.widget.TextView;

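/**
 * Re-hosts the challenge's {@code libpp.so} and replays the button sequence in code.
 *
 * The original app only ever alternates {@code pong}/{@code ping} on a countdown, so
 * the flag is reproduced here by a single loop; the result is written to logcat.
 */
public class MainActivity extends AppCompatActivity {
    private static final String TAG = "MainActivity";
    /** Number of presses the original app requires before it reveals the flag. */
    private static final int ROUNDS = 1000000;
    /** The original listeners wrap the round counter back to 0 once it reaches 7. */
    private static final int NUM_WRAP = 7;

    static {
        System.loadLibrary("pp");
    }

    public native int ping(int i, int i2);

    public native int pong(int i, int i2);

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView((int) R.layout.activity_main);
        // Runs synchronously on the main thread, as the original version did. With the
        // native sleep patched out this finishes quickly; with an unpatched library it
        // would block the UI (ANR) rather than fail visibly.
        Log.d(TAG, "BCTF{MagicNum" + Integer.toString(computeMagicNum(ROUNDS)) + "}");
    }

    /**
     * Replays {@code rounds} native calls the way the original app's two click
     * listeners would: an odd remaining count goes to {@code pong}, an even one to
     * {@code ping}, and the per-round counter wraps at {@link #NUM_WRAP}.
     *
     * @param rounds number of native calls to replay; zero yields 0 without calling
     *               into the library (the original loop never terminated in that case)
     * @return the accumulated value {@code p} after the last round
     */
    private int computeMagicNum(int rounds) {
        int p = 0;
        int num = 0;
        for (int tt = rounds; tt > 0; tt--) {
            // Parity is decided before the decrement, exactly as in the original loop.
            p = (tt % 2 == 1) ? pong(p, num) : ping(p, num);
            num = (num + 1) % NUM_WRAP;
        }
        return p;
    }
}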

运行程序


总结

将so库移植过来直接调用,确实能减少对so层代码的逆向分析,节省时间

Reference

https://stfpeak.github.io/2017/04/18/bctf-2017-pingpong-writeup/
https://blog.csdn.net/JasaLee/article/details/70242837



