Android Normal Write Up 2017 DDCTF

直接把APK拖进JEB里边分析,发现要调用so库,并且有三个so文件:


其中,mips、armeabi、armeabi-v7a和x86都表示CPU的类型。一般的手机或平板都是用arm的cpu。不同的cpu的特性不一样。

armeabi  是针对普通的或旧的arm v5 cpu,32位

armeabi-v7a 是针对有浮点运算或高级扩展功能的arm v7 cpu,32位

arm64-v8a 针对64位的

mips  是一种采取精简指令集(RISC)的处理器架构,32位

mips64  64位

x86   IA-32位指令集

x86_64  64位

通常采用armeabi-v7a的so文件,下面对Java的Main进行分析:


发现了调用了hello-libs的stringFromJNI函数,下面开始对so文件逆向:


其中gpower函数是求2^k,在这里看不出有什么用;GetTicks是一个获取当前精确时间的函数。所以我们对第19行的函数进行分析,一路跟踪下去,发现:


看起来memcpy像是在复制flag,于是我们直接写个程序在本地重现这段逻辑,把a1输出,意外地拿到了flag:

#include <iostream>

#include <cstdio>

#include <cstring>

using namespace std;

// First of the two 182-entry byte tables used by the decoder in main().
// Presumably copied out of the decompiled native library (TODO confirm against the .so).
// Each entry holds a single byte value (0x00..0xFF) stored in an int.
int byte1[182] = {
    0xD8,0xC2,0x6B,0x42,0x82,0x67,0xC8,0x4D,0x7A,0x95,0xE8,0x81,0x48,0xC1,0x9E,0x40,0xE8,0xFB,0xCF,0xE6,
    0x4F,0xBA,0xE6,0xAF,0x78,0x19,0x6F,0x9C,0xE9,0xF7,0x7A,0xDD,0x42,0xCE,0x8C,0x03,0xB8,0x66,0xD3,0xAB,0x00,0x7E,0xDE,
    0x3E,0x53,0xDE,0x30,0x91,0x3D,0xF7,0xCD,0x72,0x14,0x51,0x82,0xEE,0x1B,0x8D,0xB4,0x8C,0xD0,0x8A,0xF6,0x9A,0x96,0x71,
    0x98,0x62,0x93,0x4A,0x30,0x2F,0x9C,0xA8,0x79,0x16,0xC1,0xE0,0xEC,0xD7,0xE5,0xEC,0x8A,0x64,0xB4,0x46,0xCF,0xD9,0xE5,
    0x96,0xF3,0x94,0x73,0xA9,0xFF,0xEA,0xCB,0x15,0x9C,0x7C,0xA1,0xD8,0x3E,0xBB,0x1D,0x38,0xCB,0x55,0xD0,0x19,0x25,0xB2,
    0x0B,0x92,0xE8,0x88,0xAE,0x06,0xA2,0x9B,0x93,0x64,0x5E,0xFB,0x09,0x05,0xF6,0x2F,0x1F,0x35,0xCC,0xEF,0x05,0x6C,0x19,0x42,
    0x38,0xA5,0x59,0x2E,0x80,0x0A,0x19,0xFC,0x33,0x5B,0xBB,0xD6,0xEB,0x2B,0xAC,0xF7,0x0E,0xAD,0xD8,0x57,0x40,0x98,0x71,
    0x2C,0x78,0x68,0x91,0x82,0x4F,0x5B,0xD6,0x40,0x8F,0x03,0xBD,0x55,0x0B,0x47,0x3D,0xF4,0x5A,0x49,0x5B,0xF2,0xA2,0x9E
};

// Second table; main() XORs it element-wise with byte1 to produce the decoded buffer.
int byte2[182] = {
    0xE1,0xA1,0x01,0xE4,0x82,0x56,0x9D,0x70,0xD9,0xF5,0x08,0x10,0x22,0xA7,0x2D,0x2B,0x41,0xF0,0xBD,0xA4,
    0x67,0x3D,0x9A,0x20,0xB9,0xFB,0x11,0xD3,0xAD,0xB3,0x39,0x89,0x04,0xE3,0xBF,0x3A,0x8F,0x07,0xEA,0x9B,0x61,0x4D,0xEC,
    0x08,0x64,0xE8,0x04,0xA0,0x0B,0xC2,0xF5,0x10,0x76,0x32,0xBB,0xD9,0x2E,0xBE,0x86,0xBA,0xE7,0xBA,0xC6,0xFC,0xA2,0x13,
    0xD8,0x06,0xFA,0x2E,0x59,0x4C,0xF4,0xDD,0x01,0x7F,0xAF,0x87,0xC2,0xB4,0x8A,0x81,0x8A,0xF2,0xB6,0x60,0x9A,0x13,0x52,
    0xC0,0x6D,0x9E,0x5A,0x52,0xB5,0x8F,0x47,0x5E,0xE6,0x41,0xAD,0xF5,0xBB,0xA9,0x7A,0x6C,0xA1,0x4C,0x38,0x60,0xF2,0x4B,
    0x5C,0xE8,0x5B,0xE5,0xE3,0xBA,0x46,0x70,0x33,0x04,0xA7,0x58,0x19,0x10,0x49,0x20,0x1D,0x51,0x48,0x9D,0x78,0xF9,0xB4,
    0x2E,0x66,0x58,0x1B,0xE8,0xEE,0x51,0x09,0x21,0x80,0xBC,0xC8,0x7B,0xF5,0x4E,0x99,0xFD,0xFC,0x9A,0xFD,0x65,0x20,0x13,
    0x57,0xD1,0x83,0x4D,0xF6,0x2C,0xAF,0x25,0x3C,0x12,0xF0,0x7C,0x16,0x66,0x97,0x7F,0x6A,0x02,0xBC,0x98,0x52,0xD7,0xE3,0x56
};

// Scratch buffer that receives byte1[i] ^ byte2[i]; zero-initialised as a global.
char v8[182];

// Output buffer for the string copied out of v8; zero-initialised as a global,
// so it reads as an empty C string until main() fills it.
char a1[182];

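// Re-implements the decoding routine seen in the decompiled native library:
// XOR the two tables, locate the embedded NUL-terminated string and print it.
//
// Changes from the pasted listing:
//  - restores tokens fused during extraction ("inti", "unsigned__int8", "return0");
//  - replaces the MSVC-only `unsigned __int8` with the portable `unsigned char`;
//  - bounds the terminator scan so it can never read past the end of v8;
//  - prints with an explicit length so output never depends on a1 holding a NUL.
int main() {
    // All four global buffers share this length (182 entries).
    const int kLen = static_cast<int>(sizeof(v8));

    // Step 1: decode — every output byte is byte1[i] XOR byte2[i].
    for (int i = 0; i < kLen; i++) {
        v8[i] = static_cast<char>(byte1[i] ^ byte2[i]);
    }

    // Step 2: the first decoded byte, shifted right by one, is the offset of
    // the string inside v8. Being derived from one byte it is at most 127,
    // which is always inside the 182-byte buffer.
    const int start = static_cast<unsigned char>(v8[0]) >> 1;

    // Step 3: measure the string. The original do/while trusted the data to
    // contain a NUL; stop at the end of the buffer as well so a corrupted or
    // mistyped table cannot cause an out-of-bounds read.
    int length = 0;
    while (start + length < kLen && v8[start + length] != '\0') {
        length++;
    }

    // Step 4: copy the string out, as the decompiled code did with memcpy.
    // length <= kLen - start, so the copy always fits inside a1.
    if (length >= 1) {
        memcpy(a1, &v8[start], static_cast<size_t>(length));
    }

    // The precision bounds the read of a1 to the bytes that were copied.
    printf("%.*s\n", length, a1);

    return 0;
}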



转载自blog.csdn.net/wannafly1995/article/details/80954371