vm_flutter

附件地址

https://buuoj.cn/match/matches/195/challenges#vm_flutter
可以在buu下载到。
flutter我也不会，只是这个题目加密算法全部在java层，其实就是一个异或和相加。

反编译

package k;

import java.util.Stack;

/* loaded from: classes.dex */
public class b {

    /* renamed from: a  reason: collision with root package name */
    public final Stack<Integer> f740a = new Stack<>();

    /* renamed from: b  reason: collision with root package name */
    public final int[] f741b = new int[50];

    public void a() {
        if (this.f740a.size() >= 2) {
            i(h() << h());
            return;
        }
        throw new RuntimeException("Not enough operands on the stack");
    }

    public void b() {
        if (this.f740a.size() >= 2) {
            i(h() >> h());
            return;
        }
        throw new RuntimeException("Not enough operands on the stack");
    }

    public void c() {
        if (this.f740a.size() >= 2) {
            i(h() + h());
            return;
        }
        throw new RuntimeException("Not enough operands on the stack");
    }

    public void d() {
        if (this.f740a.size() >= 2) {
            i(h() & h());
            return;
        }
        throw new RuntimeException("Not enough operands on the stack");
    }

    public void e(int i2) {
        if (i2 >= 0) {
            int[] iArr = this.f741b;
            if (i2 < iArr.length) {
                i(iArr[i2]);
                return;
            }
        }
        throw new RuntimeException("Invalid memory address");
    }

    public void f() {
        if (this.f740a.size() >= 2) {
            i(h() * h());
            return;
        }
        throw new RuntimeException("Not enough operands on the stack");
    }

    public void g() {
        if (this.f740a.size() >= 2) {
            i(h() | h());
            return;
        }
        throw new RuntimeException("Not enough operands on the stack");
    }

    public int h() {
        if (!this.f740a.isEmpty()) {
            return this.f740a.pop().intValue();
        }
        throw new RuntimeException("Stack underflow");
    }

    public void i(int i2) {
        this.f740a.push(Integer.valueOf(i2));
    }

    public void j(int i2) {
        if (i2 >= 0) {
            int[] iArr = this.f741b;
            if (i2 < iArr.length) {
                iArr[i2] = h();
                return;
            }
        }
        throw new RuntimeException("Invalid memory address");
    }

    public void k() {
        if (this.f740a.size() >= 2) {
            i(h() - h());
            return;
        }
        throw new RuntimeException("Not enough operands on the stack");
    }

    public void l() {
        if (this.f740a.size() >= 2) {
            i(h() ^ h());
            return;
        }
        throw new RuntimeException("Not enough operands on the stack");
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

vm部分在这里

没有好的方法，直接hook b类的函数，打印日记

frida-hook

function hook(){
    Java.perform(function(){
        const activity = Java.use("k.b");
        activity.a.implementation = function(){
            console.log("Lshift");
        }
        activity.b.implementation = function(){
            console.log("Rshift");
        }
        activity.c.implementation = function(){
            console.log("add");
        }
        activity.d.implementation = function(){
            console.log("and");
        }
        activity.e.implementation = function(x){
            console.log("load "+x);
        }
        activity.f.implementation = function(){
            console.log("mul");
        }
        activity.g.implementation = function(){
            console.log("or");
        }
        activity.h.implementation = function(){
            console.log("pop");
        }
        activity.i.implementation = function(x){
            console.log("push "+x);
        }
        activity.j.implementation = function(x){
            console.log("store "+x);
        }
        activity.k.implementation = function(){
            console.log("sub");
        }
        activity.l.implementation = function(){
            console.log("xor");
        }
    })
}

setImmediate(hook);
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

这里输入了33个a

push 97
store 0
push 176
push 11
load 0
add
xor
store 0
push 97
store 1
push 198
push 18
load 1
add
xor
store 1
push 97
store 2
push 66
push 5
load 2
add
xor
store 2
push 97
store 3
push 199
push 18
load 3
add
xor
store 3
push 97
store 4
push 170
push 14
load 4
add
xor
store 4
push 97
store 5
push 32
push 13
load 5
add
xor
store 5
push 97
store 6
push 31
push 14
load 6
add
xor
store 6
push 97
store 7
push 60
push 18
load 7
add
xor
store 7
push 97
store 8
push 26
push 13
load 8
add
xor
store 8
push 97
store 9
push 89
push 18
load 9
add
xor
store 9
push 97
store 10
push 60
push 17
load 10
add
xor
store 10
push 97
store 11
push 119
push 19
load 11
add
xor
store 11
push 97
store 12
push 60
push 17
load 12
add
xor
store 12
push 97
store 13
push 90
push 5
load 13
add
xor
store 13
push 97
store 14
push 104
push 13
load 14
add
xor
store 14
push 97
store 15
push 174
push 19
load 15
add
xor
store 15
push 97
store 16
push 146
push 11
load 16
add
xor
store 16
push 97
store 17
push 179
push 5
load 17
add
xor
store 17
push 97
store 18
push 67
push 15
load 18
add
xor
store 18
push 97
store 19
push 73
push 11
load 19
add
xor
store 19
push 97
store 20
push 50
push 12
load 20
add
xor
store 20
push 97
store 21
push 92
push 19
load 21
add
xor
store 21
push 97
store 22
push 170
push 19
load 22
add
xor
store 22
push 97
store 23
push 160
push 9
load 23
add
xor
store 23
push 97
store 24
push 166
push 15
load 24
add
xor
store 24
push 97
store 25
push 47
push 8
load 25
add
xor
store 25
push 97
store 26
push 155
push 19
load 26
add
xor
store 26
push 97
store 27
push 115
push 9
load 27
add
xor
store 27
push 97
store 28
push 60
push 13
load 28
add
xor
store 28
push 97
store 29
push 52
push 12
load 29
add
xor
store 29
push 97
store 30
push 42
push 5
load 30
add
xor
store 30
push 97
store 31
push 96
push 19
load 31
add
xor
store 31
push 97
store 32
push 72
push 7
load 32
add
xor
store 32
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264

所以根据密文异或相应的值，再减去相应的值就行了