山东省 “中孚信息杯” 之时光机

时隔一年，我又碰到这个题了，后悔没当时在做阿里CTF的时候没有记录一份……好久没打比赛，当时看到题最后都懵了，真尴尬。

熟悉的界面，也就改了标题貌似。看一下反编译代码，也就两个关键点

一个是is算法

public static boolean is2(int n) {
        if (n <= 3) {
            if (n > 1) {
                return true;
            }
            return false;
        } else if (n % 2 == 0 || n % 3 == 0) {
            return false;
        } else {
            int i = 5;
            while (i * i <= n) {
                if (n % i == 0 || n % (i + 2) == 0) {
                    return false;
                }
                i += 6;
            }
            return true;
        }
    }

一个是判断时间是否结束，然后显示flag，还有对k加100还是减去1

if (MainActivity.this.beg - MainActivity.this.now <= 0) {
                    tv1.setText("The flag is:");
                    tv2.setText("flag{" + MainActivity.this.stringFromJNI2(MainActivity.this.k) + "}");
                }
                MainActivity mainActivity;
                if (MainActivity.is2(MainActivity.this.beg - MainActivity.this.now)) {
                    mainActivity = MainActivity.this;
                    mainActivity.k += 100;
                } else {
                    mainActivity = MainActivity.this;
                    mainActivity.k--;
                }

然后这个flag的生成就是利用这个k值调用native方法生成的。神秘的k~

提取出来关键算法，然后先算出来k（1616384），hook掉big值，让if 直接走显示flag，另外一个是hook掉stringFromJNI2直接用算出来的k作为参数。在此我使用xposed进行的hook：

package com.xcroot.fucktimemachine;

import android.os.Bundle;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage;

/**
 * Created by CRoot on 2017/11/8.
 */

public class XModule implements IXposedHookLoadPackage {
    private final String PackgeName = "net.bluelotus.tomorrow.easyandroid";
    @Override
    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam loadPackageParam) throws Throwable {
        if(this.PackgeName.equals(loadPackageParam.packageName))
        {
            XposedBridge.log("Find " + this.PackgeName + "!");
            Class mainactivity = XposedHelpers.findClass(PackgeName.concat(".MainActivity"),loadPackageParam.classLoader);
            //XposedBridge.log(manactivity.toString());

            //K之算法
            int k = 0;
            for(int i = 200000;i >0;i--)
            {
                if (this.is2(i)) {
                    k += 100;
                } else {
                    k--;
                }
            }
            XposedBridge.log("神奇的k值等于：" + k);
            final int currentTime = (int) (System.currentTimeMillis() / 1000);
            XposedHelpers.findAndHookMethod(mainactivity, "onCreate", Bundle.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    XposedHelpers.setIntField(param.thisObject, "beg", currentTime - 200002);
                }
            });

            XposedHelpers.findAndHookMethod(mainactivity, "stringFromJNI2", int.class, new XC_MethodHook() {
                @Override
                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
                    param.args[0] = 1616384;
                }
                @Override
                protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                    XposedBridge.log(param.getResult().toString());
                }
            });
        }
    }

    public static boolean is2(int n) {
        if (n <= 3) {
            if (n > 1) {
                return true;
            }
            return false;
        } else if (n % 2 == 0 || n % 3 == 0) {
            return false;
        } else {
            int i = 5;
            while (i * i <= n) {
                if (n % i == 0 || n % (i + 2) == 0) {
                    return false;
                }
                i += 6;
            }
            return true;
        }
    }
}