Shandong Province "中孚信息杯" (Zhongfu Information Cup) CTF: 时光机 (Time Machine)
A year on, I ran into this challenge again, and I regret not having written it up back when I did it at AliCTF... I hadn't played for a long time, and by the end I was completely lost looking at the challenge. Embarrassing.
The interface looked familiar; apparently only the title had changed. Looking at the decompiled code, there are just two key points.
The first is the is2 algorithm, which is simply a primality test: it handles n <= 3 directly, rejects multiples of 2 and 3, and then trial-divides by the 6k±1 candidates up to sqrt(n):
```java
public static boolean is2(int n) {
    if (n <= 3) {
        if (n > 1) {
            return true;
        }
        return false;
    } else if (n % 2 == 0 || n % 3 == 0) {
        return false;
    } else {
        int i = 5;
        while (i * i <= n) {
            if (n % i == 0 || n % (i + 2) == 0) {
                return false;
            }
            i += 6;
        }
        return true;
    }
}
```
The second is the check for whether the countdown (beg - now) has reached zero; once it has, the flag is displayed. Until then, on every tick, k is either increased by 100 (when the remaining seconds are prime) or decreased by 1:
```java
if (MainActivity.this.beg - MainActivity.this.now <= 0) {
    tv1.setText("The flag is:");
    tv2.setText("flag{" + MainActivity.this.stringFromJNI2(MainActivity.this.k) + "}");
}
MainActivity mainActivity;
if (MainActivity.is2(MainActivity.this.beg - MainActivity.this.now)) {
    mainActivity = MainActivity.this;
    mainActivity.k += 100;
} else {
    mainActivity = MainActivity.this;
    mainActivity.k--;
}
```
So the flag is produced by feeding this k into the native method stringFromJNI2. Everything hinges on the mysterious k.
The plan: extract the key algorithm and compute k offline first (replaying the 200000-second countdown as the module below does, adding 100 for every prime remaining time and subtracting 1 otherwise, which gives k = 1616384); hook the beg field so that the if branch goes straight to displaying the flag instead of waiting out the countdown; and hook stringFromJNI2 so that the precomputed k is passed as its argument. I used Xposed for the hooks:
```java
package com.xcroot.fucktimemachine;

import android.os.Bundle;
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

/**
 * Created by CRoot on 2017/11/8.
 */
public class XModule implements IXposedHookLoadPackage {
    private final String PackageName = "net.bluelotus.tomorrow.easyandroid";

    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
        if (this.PackageName.equals(loadPackageParam.packageName)) {
            XposedBridge.log("Find " + this.PackageName + "!");
            Class<?> mainactivity = XposedHelpers.findClass(PackageName.concat(".MainActivity"), loadPackageParam.classLoader);

            // Compute k: replay the countdown from 200000 down to 1 with the app's own is2()
            int k = 0;
            for (int i = 200000; i > 0; i--) {
                if (is2(i)) {
                    k += 100;
                } else {
                    k--;
                }
            }
            XposedBridge.log("The magic k is: " + k);

            final int currentTime = (int) (System.currentTimeMillis() / 1000);

            // Put beg in the past so that beg - now <= 0 and the flag branch is taken right away
            XposedHelpers.findAndHookMethod(mainactivity, "onCreate", Bundle.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    XposedHelpers.setIntField(param.thisObject, "beg", currentTime - 200002);
                }
            });

            // Replace the argument of the native flag function with the precomputed k and log the result
            XposedHelpers.findAndHookMethod(mainactivity, "stringFromJNI2", int.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    param.args[0] = 1616384;
                }

                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    XposedBridge.log(param.getResult().toString());
                }
            });
        }
    }

    // Copied verbatim from the app so the replay uses exactly the same primality test
    public static boolean is2(int n) {
        if (n <= 3) {
            if (n > 1) {
                return true;
            }
            return false;
        } else if (n % 2 == 0 || n % 3 == 0) {
            return false;
        } else {
            int i = 5;
            while (i * i <= n) {
                if (n % i == 0 || n % (i + 2) == 0) {
                    return false;
                }
                i += 6;
            }
            return true;
        }
    }
}
```
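To double-check the k value used above without a device, here is an added example (not part of the original writeup or of the challenge app) that ports is2() to Python, replays the countdown exactly as the Xposed module does, and cross-checks the result against a sieve-based prime count: since every prime remaining time adds 100 and every other tick subtracts 1, k = 100 * primes - (200000 - primes). The 200000-second countdown start is an assumption taken from the module's loop bound.

```python
import math

# Assumed from the Xposed module's loop bound: the countdown starts at 200000 seconds.
COUNTDOWN_START = 200000


def is2(n: int) -> bool:
    """Port of MainActivity.is2(): trial division by 2, 3, then 6k+-1 candidates."""
    if n <= 3:
        return n > 1
    if n % 2 == 0 or n % 3 == 0:
        return False
    i = 5
    while i * i <= n:
        if n % i == 0 or n % (i + 2) == 0:
            return False
        i += 6
    return True


def compute_k(start: int = COUNTDOWN_START) -> int:
    """Replay the per-tick update: +100 when the remaining time is prime, -1 otherwise."""
    k = 0
    for remaining in range(start, 0, -1):
        if is2(remaining):
            k += 100
        else:
            k -= 1
    return k


def sieve_count(limit: int) -> int:
    """Cross-check: count the primes in [1, limit] with a sieve of Eratosthenes."""
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for p in range(2, math.isqrt(limit) + 1):
        if flags[p]:
            flags[p * p::p] = bytearray(len(range(p * p, limit + 1, p)))
    return sum(flags)


def k_from_prime_count(start: int = COUNTDOWN_START) -> int:
    """Closed form of the replay: 100 per prime tick, -1 per non-prime tick."""
    primes = sieve_count(start)
    return 100 * primes - (start - primes)


if __name__ == "__main__":
    print("k (replay)      =", compute_k())
    print("k (prime count) =", k_from_prime_count())
```

Both paths must agree; if the sieve count and the replayed loop disagree, the port of is2() is wrong, which is exactly the kind of mistake that would send a wrong k into stringFromJNI2 and yield a garbage flag.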