鹏城杯 2022 baby_re


AndroidManifest.xml 中仅有一个 activity 组件(MainActivity),且 android:exported="true",是应用唯一的入口。

<?xml version="1.0" encoding="utf-8"?>
<!-- Manifest of the challenge APK: a single exported launcher activity, no other components and no <uses-permission> entries. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" android:compileSdkVersion="32" android:compileSdkVersionCodename="12" package="com.example.createso" platformBuildVersionCode="32" platformBuildVersionName="12">
<uses-sdk android:minSdkVersion="21" android:targetSdkVersion="32"/>
<!-- android:debuggable="true" allows a debugger to attach to the process: convenient for analysing the challenge,
     but it would be a finding in a release build. -->
<application android:theme="@style/Theme.CreateSo" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:debuggable="true" android:allowBackup="true" android:supportsRtl="true" android:fullBackupContent="@xml/backup_rules" android:roundIcon="@mipmap/ic_launcher_round" android:appComponentFactory="androidx.core.app.CoreComponentFactory" android:dataExtractionRules="@xml/data_extraction_rules">
<!-- The only component; exported="true" is what lets the launcher start it via the MAIN/LAUNCHER intent-filter. -->
<activity android:name="com.example.createso.MainActivity" android:exported="true">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
</activity>
</application>
</manifest>
package com.example.createso;

import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
import com.example.createso.databinding.ActivityMainBinding;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.IntStream;
import kotlin.Metadata;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;

/* compiled from: MainActivity.kt */
@Metadata(d1 = {"\u0000(\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0015\n\u0002\b\u0002\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\u0018\u0000 \f2\u00020\u0001:\u0001\fB\u0005¢\u0006\u0002\u0010\u0002J\u0011\u0010\u0005\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\u0006H\u0086 J\u0012\u0010\b\u001a\u00020\t2\b\u0010\n\u001a\u0004\u0018\u00010\u000bH\u0015R\u000e\u0010\u0003\u001a\u00020\u0004X\u0082.¢\u0006\u0002\n\u0000¨\u0006\r"}, d2 = {"Lcom/example/createso/MainActivity;", "Landroidx/appcompat/app/AppCompatActivity;", "()V", "binding", "Lcom/example/createso/databinding/ActivityMainBinding;", "baby_xor", "", "x", "onCreate", "", "savedInstanceState", "Landroid/os/Bundle;", "Companion", "app_debug"}, k = 1, mv = {1, 6, 0}, xi = 48)
/* loaded from: classes3.dex */
public final class MainActivity extends AppCompatActivity {
// Kotlin companion-object holder; the Companion class below has no members.
public static final Companion Companion = new Companion(null);
// Kotlin-synthetic view cache: view id -> View, filled lazily by _$_findCachedViewById.
public Map<Integer, View> _$_findViewCache = new LinkedHashMap();
private ActivityMainBinding binding;

// Drops every cached View reference.
public void _$_clearFindViewByIdCache() {
this._$_findViewCache.clear();
}

// Returns the View for id i, consulting the cache first and falling back to findViewById.
// A successful lookup is cached; a null result is returned without being stored, so it is retried next time.
public View _$_findCachedViewById(int i) {
Map<Integer, View> map = this._$_findViewCache;
View view = map.get(Integer.valueOf(i));
if (view == null) {
View findViewById = findViewById(i);
if (findViewById != null) {
map.put(Integer.valueOf(i), findViewById);
return findViewById;
}
return null;
}
return view;
}

// Implemented in libcreateso (loaded in the static initializer below) as
// Java_com_example_createso_MainActivity_baby_1xor: XORs each element with a repeating 4-entry key,
// writes the result back into iArr and returns that same array (see the decompiled listing later on this page).
public final native int[] baby_xor(int[] iArr);

/* JADX INFO: Access modifiers changed from: protected */
@Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
ActivityMainBinding inflate = ActivityMainBinding.inflate(getLayoutInflater());
Intrinsics.checkNotNullExpressionValue(inflate, "inflate(layoutInflater)");
this.binding = inflate;
// Unreachable: inflate was null-checked just above. Presumably an artifact of how the decompiler
// rendered Kotlin's lateinit access check on `binding`.
if (inflate == null) {
Intrinsics.throwUninitializedPropertyAccessException("binding");
inflate = null;
}
setContentView(inflate.getRoot());
// Expected ciphertext: the 38 ints that baby_xor(input) must equal for the check to succeed.
final int[] c = {119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87, 47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24};
// The button click runs the check; c is captured and handed to the static lambda body.
((Button) _$_findCachedViewById(R.id.btn)).setOnClickListener(new View.OnClickListener() { // from class: com.example.createso.MainActivity$$ExternalSyntheticLambda0
@Override // android.view.View.OnClickListener
public final void onClick(View view) {
MainActivity.m26onCreate$lambda0(MainActivity.this, c, view);
}
});
}

/* JADX INFO: Access modifiers changed from: private */
/* renamed from: onCreate$lambda-0 reason: not valid java name */
// Click handler: reads the text in R.id.input, runs it through the native XOR and compares the result with c.
public static final void m26onCreate$lambda0(MainActivity this$0, int[] c, View it) {
Intrinsics.checkNotNullParameter(this$0, "this$0");
Intrinsics.checkNotNullParameter(c, "$c");
// String.chars() yields one int per UTF-16 code unit; for ASCII input these are the byte values.
IntStream flag = ((EditText) this$0._$_findCachedViewById(R.id.input)).getText().toString().chars();
int[] array = flag.toArray();
Intrinsics.checkNotNullExpressionValue(array, "flag.toArray()");
int[] cipher = this$0.baby_xor(array);// calls the native library's baby_xor to encrypt the entered flag
// Arrays.equals returns at the first mismatch, so this is not a constant-time comparison;
// irrelevant for a CTF check, but a real secret comparison would use MessageDigest.isEqual.
if (Arrays.equals(cipher, c)) {
Toast.makeText(this$0, "Success", 1).show(); // 1 == Toast.LENGTH_LONG
} else {
Toast.makeText(this$0, "Failed", 0).show(); // 0 == Toast.LENGTH_SHORT
}
}

/* compiled from: MainActivity.kt */
@Metadata(d1 = {"\u0000\f\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\b\u0086\u0003\u0018\u00002\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002¨\u0006\u0003"}, d2 = {"Lcom/example/createso/MainActivity$Companion;", "", "()V", "app_debug"}, k = 1, mv = {1, 6, 0}, xi = 48)
/* loaded from: classes3.dex */
public static final class Companion {
public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
this();
}

private Companion() {
}
}

static {
// Loads libcreateso.so from the APK's lib directory. The library's .init_array constructor (hide_key,
// see the listing later on this page) runs during this load, i.e. before any call to baby_xor.
System.loadLibrary("createso");// loads the native library shipped under lib/
}
}

查看对应的 so 库(libcreateso),baby_xor 就是一个用 key 对传入的每个字符循环异或的函数:

// JNI implementation of MainActivity.baby_xor(int[]). IDA typed the parameters as plain ints:
//   a1 = JNIEnv* (every call below goes through it), a2 = the MainActivity `this` (never used),
//   a3 = the jintArray argument, which is modified in place and returned.
int __cdecl Java_com_example_createso_MainActivity_baby_1xor(int a1, int a2, int a3)
{
int i; // [esp+30h] [ebp-1Ch]
int IntArrayElements; // [esp+34h] [ebp-18h]  address of the element buffer returned by GetIntArrayElements, held in an int
int ArrayLength; // [esp+38h] [ebp-14h]

ArrayLength = _JNIEnv::GetArrayLength(a1, a3);
IntArrayElements = _JNIEnv::GetIntArrayElements(a1, a3, 0);
// Repeating-key XOR: element i is XORed with key[i % 4]. key lives in .data (listing below) but is
// rewritten by hide_key when the library is loaded, so the static 56h..59h values are not the effective key.
for ( i = 0; i < ArrayLength; ++i )
*(_DWORD *)(IntArrayElements + 4 * i) ^= key[i % 4];
// Copies the buffer back into the Java array and hands the same array reference back to the caller.
// NOTE(review): no ReleaseIntArrayElements appears in this listing; if the decompilation is complete,
// the buffer obtained from GetIntArrayElements is never released.
_JNIEnv::SetIntArrayRegion(a1, a3, 0, ArrayLength, IntArrayElements);
return a3;
}
/************************************************进去看key值*******************************************************/
.data:00002000 ; _DWORD key[4]
.data:00002000 key dd 56h, 57h, 58h, 59h ; DATA XREF: LOAD:00000290↑o
.data:00002000 ; .got:key_ptr↑o
.data:00002000 _data ends
.data:00002000

在用上述的key值进行异或时,并不能得出正确答案。

然后偷窥别人的wp,发现 so 中还有一个在库加载时修改 key 的函数 hide_key:

/* Library-load constructor (registered in .init_array, see the listing that follows):
 * XORs the four dwords of key in place, so the values stored in .data are not the
 * key baby_xor actually uses at run time. Returns the address of key. */
_DWORD *hide_key(void)
{
static const _DWORD mask[4] = { 0x47u, 0x32u, 0x11u, 0x12u }; // per-slot XOR masks
int i; // loop index

for ( i = 0; i < 4; ++i )
key[i] ^= mask[i];
return key;
}
/*********************************************其通过下面的代码自启动************************************************/
.init_array:00001EB0 _init_array segment dword public 'DATA' use32
.init_array:00001EB0 assume cs:_init_array
.init_array:00001EB0 ;org 1EB0h
.init_array:00001EB0 dd offset _Z8hide_keyv ; hide_key(void)
.init_array:00001EB0 _init_array ends
/********************************************问了下AI**************************************************************/
/*这段代码是一个在 Linux 系统下的 ELF 可执行文件中 .init_array 节段的汇编源代码。

.init_array 节段是 ELF 可执行文件中的一个特殊节段,主要用于存储一组函数指针,这些函数指针将在程序运行时自动被调用。具体来说,当程序被加载到内存中并开始运行时,系统会首先调用 .init_array 节段中存储的所有函数指针,以完成程序的初始化工作。

该代码定义了一个包含一个函数指针的 .init_array 节段,并将该函数指针设置为 _Z8hide_keyv,即 hide_key(void) 函数的入口地址。

在程序运行时,当 .init_array 节段中的函数指针被调用时,程序将会跳转到 hide_key(void) 函数的入口地址,并执行该函数中的代码。该函数可能会对程序进行一些初始化操作,或者执行其他的逻辑代码。由于该函数指针存储在 .init_array 节段中,因此其可以保证在程序运行前被正确地初始化和调用。对应到本题:libcreateso 是 .so 而非可执行文件,其 .init_array 由动态链接器在 System.loadLibrary("createso") 加载库时执行,所以 baby_xor 被调用前 key 已被 hide_key 异或修改过,这就是直接用 .data 中 56h..59h 异或得不到 flag 的原因。*/
In [78]: b
Out[78]: [17, 101, 73, 75]

In [79]: a=[119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 1
...: 19, 87, 47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24]
...: for i in range(len(a)):
...: a[i]^=b[i%4]
...:

In [80]: bytes(a).decode()
Out[80]: 'flag{6700280a84487e46f76f2f60ce4ae70b}'

上面的 b 即为 hide_key 执行后的实际 key:0x56^0x47=0x11、0x57^0x32=0x65、0x58^0x11=0x49、0x59^0x12=0x4B,即 [17, 101, 73, 75]。用它按 i%4 循环异或 c 即得出最后的 flag。

  • 标题: 鹏城杯 2022 baby_re
  • 作者: runwu2204
  • 创建于 : 2023-06-07 20:59:04
  • 更新于 : 2023-06-07 21:21:30
  • 链接: https://runwu2204.github.io/2023/06/07/CTF WP/Re/安卓/鹏城杯 2022 baby_re/
  • 版权声明: 本文章采用 CC BY-NC-SA 4.0 进行许可。