XCTF mobile — easy-so write-up

Running the app in an emulator shows a single input-validation box, so we go straight to JEB:

It calls the native method `public static native int CheckString(String arg0)`, which returns 1 if the check passes and 0 otherwise.

Rename the APK to .zip and extract it, load the .so from the lib directory into IDA, and find the function CheckString; its decompiled code is as follows:

/*
 * Native side of CheckString as decompiled by IDA (32-bit ABI).
 * a1 is the JNIEnv*, a2 the jclass, a3 the jstring argument.
 * Copies the input, permutes the copy in place in two passes, and
 * returns non-zero only if the result equals the hard-coded 32-char target.
 */
_BOOL4 __cdecl Java_com_testjava_jack_pingan2_cyberpeace_CheckString(int a1, int a2, int a3)
{
  const char *v3; // ST1C_4  -- C string obtained from the Java argument
  size_t v4; // edi  -- its length
  char *v5; // esi  -- heap copy that is permuted in place
  size_t v6; // edi  -- index of the half-swap loop
  char v7; // al  -- temp for the half-swap
  char v8; // al  -- first character, temp for the first adjacent swap
  size_t v9; // edi  -- index of the adjacent-swap loop
  char v10; // al  -- temp for the adjacent swaps

  /* Indirect call through the JNIEnv function table at byte offset 676 (slot 169
   * on a 32-bit ABI, which appears to be GetStringUTFChars(env, str, NULL)) --
   * TODO confirm in IDA. */
  v3 = (const char *)(*(int (__cdecl **)(int, int, _DWORD))(*(_DWORD *)a1 + 676))(a1, a3, 0);
  v4 = strlen(v3);
  v5 = (char *)malloc(v4 + 1); /* result unchecked: NULL would crash in memset below */
  /* (v4 != -1) is 1 unless strlen returned SIZE_MAX, so this stores a single 0 byte
   * at v5[v4] -- it is the NUL terminator, not an enlargement of the buffer. */
  memset(&v5[v4], 0, v4 != -1);
  memcpy(v5, v3, v4);
  /* Pass 1: swap character i with character i+16 for i < len/2. Only a 32-character
   * input turns this into a clean exchange of the two 16-char halves; inputs
   * noticeably shorter than that index past the v4+1-byte allocation (heap
   * out-of-bounds read and write). */
  if ( strlen(v5) >= 2 )
  {
    v6 = 0;
    do
    {
      v7 = v5[v6];
      v5[v6] = v5[v6 + 16];
      v5[v6++ + 16] = v7;
    }
    while ( v6 < strlen(v5) >> 1 );
  }
  /* Pass 2: swap adjacent characters (0<->1, 2<->3, ...) while the string is non-empty.
   * For an odd length the last character is swapped with the NUL terminator, which
   * truncates the string by one. */
  v8 = *v5;
  if ( *v5 )
  {
    *v5 = v5[1];
    v5[1] = v8;
    if ( strlen(v5) >= 3 )
    {
      v9 = 2;
      do
      {
        v10 = v5[v9];
        v5[v9] = v5[v9 + 1];
        v5[v9 + 1] = v10;
        v9 += 2;
      }
      while ( v9 < strlen(v5) );
    }
  }
  /* v5 is never freed and the string obtained from the JVM is never released, so every
   * call leaks. The target is 32 hex chars, which is what pass 1 is sized for. */
  return strcmp(v5, "f72c5a36569418a20907b55be5bf95ad") == 0;
}

It is safe to assume that `const char *v3` is the string passed in from Java; now we go through the logic line by line:

v4 = strlen(v3);              // v4 = length of the string v3; e.g. if v3="abcd", v4=4
v5 = (char *)malloc(v4 + 1);  // allocate v4+1 bytes for v5 (one extra byte for the terminator)
memset(&v5[v4], 0, v4 != -1); // (v4 != -1) is 1, so this writes one 0 byte at v5[v4]: the NUL terminator, not a doubling of the buffer
memcpy(v5, v3, v4);           // copy the contents of v3 into v5
if ( strlen(v5) >= 2 )        // if v5 has at least 2 characters, run the block below
  {
    v6 = 0;             // initialise v6 = 0
    do                  // loop
    {
      v7 = v5[v6];     // read each character of v5, starting at index 0
      v5[v6] = v5[v6 + 16];   // swap character v6 with character v6+16 (for a 32-char string: the two halves)
      v5[v6++ + 16] = v7;     // finish the swap; v6 increments by 1
    }
    while ( v6 < strlen(v5) >> 1 ); // until v6 reaches half the length
  }

If the incoming string is assumed to be abcd, then after the code above v5 is cdab: the loop exchanges character i with character i+16, i.e. it swaps the first half of the (32-character) string with the second half, and abcd is just shorthand for that half-swap.

Next, analyze the following code:

v8 = *v5;      // v8 holds the first character of v5 (it is a char, not a pointer)
  if ( *v5 )      // if the first character is non-NUL (the string is not empty), run the block below
  {   
    *v5 = v5[1];    // swap characters 0 and 1
    v5[1] = v8;
    if ( strlen(v5) >= 3 ) // if v5 has at least 3 characters
    {
      v9 = 2;         // start at index 2
      do
      {
        v10 = v5[v9];   // swap characters v9 and v9+1
        v5[v9] = v5[v9 + 1];
        v5[v9 + 1] = v10;
        v9 += 2;        // advance by two
      }
      while ( v9 < strlen(v5) ); // until the end of the string
    }
  }

This code is simply a pairwise swap: it exchanges adjacent characters two at a time.

Based on the above, we can recover the flag by reversing the two steps by hand:

1. Swap adjacent pairs of f72c5a36569418a20907b55be5bf95ad to obtain 7fc2a5636549812a90705bb55efb59da

2. Split 7fc2a5636549812a90705bb55efb59da in the middle and move the first half to the end, giving 90705bb55efb59da7fc2a5636549812a

3. Wrap it in flag{} to get the flag.

 


Origin blog.csdn.net/shuaicenglou3032/article/details/104427184