-
vm_flutter
附件地址
https://buuoj.cn/match/matches/195/challenges#vm_flutter
可以在buu下载到。
flutter我也不会,只是这个题目加密算法全部在java层,其实就是一个异或和相加。反编译
package k; import java.util.Stack; /* loaded from: classes.dex */ public class b { /* renamed from: a reason: collision with root package name */ public final Stack<Integer> f740a = new Stack<>(); /* renamed from: b reason: collision with root package name */ public final int[] f741b = new int[50]; public void a() { if (this.f740a.size() >= 2) { i(h() << h()); return; } throw new RuntimeException("Not enough operands on the stack"); } public void b() { if (this.f740a.size() >= 2) { i(h() >> h()); return; } throw new RuntimeException("Not enough operands on the stack"); } public void c() { if (this.f740a.size() >= 2) { i(h() + h()); return; } throw new RuntimeException("Not enough operands on the stack"); } public void d() { if (this.f740a.size() >= 2) { i(h() & h()); return; } throw new RuntimeException("Not enough operands on the stack"); } public void e(int i2) { if (i2 >= 0) { int[] iArr = this.f741b; if (i2 < iArr.length) { i(iArr[i2]); return; } } throw new RuntimeException("Invalid memory address"); } public void f() { if (this.f740a.size() >= 2) { i(h() * h()); return; } throw new RuntimeException("Not enough operands on the stack"); } public void g() { if (this.f740a.size() >= 2) { i(h() | h()); return; } throw new RuntimeException("Not enough operands on the stack"); } public int h() { if (!this.f740a.isEmpty()) { return this.f740a.pop().intValue(); } throw new RuntimeException("Stack underflow"); } public void i(int i2) { this.f740a.push(Integer.valueOf(i2)); } public void j(int i2) { if (i2 >= 0) { int[] iArr = this.f741b; if (i2 < iArr.length) { iArr[i2] = h(); return; } } throw new RuntimeException("Invalid memory address"); } public void k() { if (this.f740a.size() >= 2) { i(h() - h()); return; } throw new RuntimeException("Not enough operands on the stack"); } public void l() { if (this.f740a.size() >= 2) { i(h() ^ h()); return; } throw new RuntimeException("Not enough operands on the stack"); } }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
vm部分在这里
没有好的方法,直接hook b类的函数,打印日记frida-hook
function hook(){ Java.perform(function(){ const activity = Java.use("k.b"); activity.a.implementation = function(){ console.log("Lshift"); } activity.b.implementation = function(){ console.log("Rshift"); } activity.c.implementation = function(){ console.log("add"); } activity.d.implementation = function(){ console.log("and"); } activity.e.implementation = function(x){ console.log("load "+x); } activity.f.implementation = function(){ console.log("mul"); } activity.g.implementation = function(){ console.log("or"); } activity.h.implementation = function(){ console.log("pop"); } activity.i.implementation = function(x){ console.log("push "+x); } activity.j.implementation = function(x){ console.log("store "+x); } activity.k.implementation = function(){ console.log("sub"); } activity.l.implementation = function(){ console.log("xor"); } }) } setImmediate(hook);- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
这里输入了33个a
push 97 store 0 push 176 push 11 load 0 add xor store 0 push 97 store 1 push 198 push 18 load 1 add xor store 1 push 97 store 2 push 66 push 5 load 2 add xor store 2 push 97 store 3 push 199 push 18 load 3 add xor store 3 push 97 store 4 push 170 push 14 load 4 add xor store 4 push 97 store 5 push 32 push 13 load 5 add xor store 5 push 97 store 6 push 31 push 14 load 6 add xor store 6 push 97 store 7 push 60 push 18 load 7 add xor store 7 push 97 store 8 push 26 push 13 load 8 add xor store 8 push 97 store 9 push 89 push 18 load 9 add xor store 9 push 97 store 10 push 60 push 17 load 10 add xor store 10 push 97 store 11 push 119 push 19 load 11 add xor store 11 push 97 store 12 push 60 push 17 load 12 add xor store 12 push 97 store 13 push 90 push 5 load 13 add xor store 13 push 97 store 14 push 104 push 13 load 14 add xor store 14 push 97 store 15 push 174 push 19 load 15 add xor store 15 push 97 store 16 push 146 push 11 load 16 add xor store 16 push 97 store 17 push 179 push 5 load 17 add xor store 17 push 97 store 18 push 67 push 15 load 18 add xor store 18 push 97 store 19 push 73 push 11 load 19 add xor store 19 push 97 store 20 push 50 push 12 load 20 add xor store 20 push 97 store 21 push 92 push 19 load 21 add xor store 21 push 97 store 22 push 170 push 19 load 22 add xor store 22 push 97 store 23 push 160 push 9 load 23 add xor store 23 push 97 store 24 push 166 push 15 load 24 add xor store 24 push 97 store 25 push 47 push 8 load 25 add xor store 25 push 97 store 26 push 155 push 19 load 26 add xor store 26 push 97 store 27 push 115 push 9 load 27 add xor store 27 push 97 store 28 push 60 push 13 load 28 add xor store 28 push 97 store 29 push 52 push 12 load 29 add xor store 29 push 97 store 30 push 42 push 5 load 30 add xor store 30 push 97 store 31 push 96 push 19 load 31 add xor store 31 push 97 store 32 push 72 push 7 load 32 add xor store 32- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
所以根据密文异或相应的值,再减去相应的值就行了
-
相关阅读:
(十)延迟队列
同样是数据库 SQL和MySQL的区别是什么?
【学习笔记】[AGC058D] Yet Another ABC String
数字图像处理:亮度对比度-几何变换-噪声处理
C# 向us7ascii编码的oracle数据库插入中文数据????问号乱码的解决方案
德语在线翻译
JAVA小游戏 “拼图”
RDD算子介绍
Vue基础之组件通信provide、inject
BI工具:让数据分析井然有序一望而知
- 原文地址:https://blog.csdn.net/weixin_52118017/article/details/134053231
