
CISCN 2020 Android reversing challenge: 反复横跳 ("jump back and forth", package com.example.jumpaga1n)

Android reversing. Opening the APK in JEB shows the input-check logic.

The check is done in the Crypto class. From the symbol names and the shape of the algorithm (a 128-bit key held as four 32-bit words, 32 rounds, the constant 0x9e3779b9) it is TEA.

Crypto.getFlag() and Crypto.getKey() return constants that are only built at runtime, so they cannot be read off the decompiled code. Either read them in a debugger or call both methods with Frida and dump what they return; the Frida script used here, FunctionInject.js:

if (Java.available) {
  Java.perform(function () {
    var Crypto = Java.use("com.example.jumpaga1n.Crypto");
    var instance = Crypto.$new();

    // Call each method once and keep the result; calling it again inside the
    // loop would rebuild the array on every iteration.
    var flag = instance.getFlag();
    var key = instance.getKey();

    // Print the raw (signed) Java values comma-separated, so they can be
    // pasted straight into the C decryptor below.
    function dump(label, arr) {
      var v = "";
      for (var i = 0; i < arr.length; i++) {
        v += String(arr[i]) + ",";
      }
      console.log("printing " + label + " (length " + arr.length + "): " + v);
    }
    dump("getFlag", flag);
    dump("getKey", key);
  });
}

Install the APK in an Android emulator, start frida-server on it, and on the host spawn the app with the script loaded: frida -U -f com.example.jumpaga1n -l FunctionInject.js --no-pause (recent frida-tools releases resume a spawned process by default and replaced --no-pause with --pause; on those, drop the flag).

The dump gives a byte array of length 40 and an int array of length 4. The writeup reports the 40 bytes as getKey() and the 4 ints as getFlag(), while the decryptor below stores them as getFlag[] and getKeys[]; whichever name the app attaches to each, the 40 bytes are the ciphertext (five 8-byte TEA blocks) and the four ints are the 128-bit TEA key.
All that remains is to write a TEA decryptor and run it over the five blocks:

#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Values dumped with the Frida script, as Java printed them (signed): the 40
   ciphertext bytes, i.e. five 8-byte TEA blocks, and the four 32-bit key words. */
int8_t getFlag[40] = {-4,-110,88,-112,106,-68,99,56,
                      85,-40,73,-17,-125,97,65,20,
                      -90,49,-69,-127,-104,-76,21,-88,
                      -47,-111,8,97,109,-89,89,-34,
                      46,81,85,15,108,80,-40,-50};
int32_t getKeys[4] = {56101863,-684705192,-1648642544,-1087280420};

/* Standard TEA decryption of one 64-bit block: 32 rounds, sum starts at delta*32
   and is unwound in the reverse order of the encryption rounds. */
void decrypt(uint32_t *v, const uint32_t *key) {
    uint32_t l = v[0], r = v[1], delta = 0x9e3779b9, sum = delta * 32;
    for (int i = 0; i < 32; i++) {
        r -= ((l << 4) + key[2]) ^ (l + sum) ^ ((l >> 5) + key[3]);
        l -= ((r << 4) + key[0]) ^ (r + sum) ^ ((r >> 5) + key[1]);
        sum -= delta;
    }
    v[0] = l;
    v[1] = r;
}

int main(void) {
    /* Reinterpret the 40 bytes as 10 words in host (little-endian) byte order.
       memcpy instead of a pointer cast: the cast is unaligned and breaks strict
       aliasing. The original looped over 12 words and printed 48 bytes, which
       reads past the 40-byte array; 10 words and 40 bytes are the correct bounds. */
    uint32_t sec[10];
    uint32_t key[4];
    memcpy(sec, getFlag, sizeof sec);
    memcpy(key, getKeys, sizeof key);
    for (int i = 0; i < 10; i += 2) {
        decrypt(&sec[i], key);
    }
    memcpy(getFlag, sec, sizeof sec);
    for (int i = 0; i < 40; i++) {
        printf("%c", getFlag[i]);
    }
    printf("\n");
    return 0;
}

Running it prints the flag: flag{D0_n0t_Cr0ss_jump_r3p3aT3dly}
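When reimplementing a cipher pulled out of a decompiler, the check worth doing before trusting the output is that the decryptor is the exact inverse of the encryptor, and that the byte-to-word mapping is the one the target used. The following is an added example, not code from the writeup or from the challenge: it pairs the page's TEA decryption with the matching encryption, replaces the pointer cast with explicit little-endian (de)serialisation so the mapping is the same on any host, rejects input that is not a whole number of 8-byte blocks, and runs both a constructed round-trip (the test key and message are made up here) and the page's own dumped ciphertext and key through the same path.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEA_DELTA  0x9e3779b9u
#define TEA_ROUNDS 32

/* TEA encryption of one 64-bit block: the forward direction that the page's
   decrypt() undoes. Same key-word order (key[0..1] for l, key[2..3] for r). */
static void tea_encrypt_block(uint32_t v[2], const uint32_t key[4]) {
    uint32_t l = v[0], r = v[1], sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        l += ((r << 4) + key[0]) ^ (r + sum) ^ ((r >> 5) + key[1]);
        r += ((l << 4) + key[2]) ^ (l + sum) ^ ((l >> 5) + key[3]);
    }
    v[0] = l;
    v[1] = r;
}

/* TEA decryption of one block, identical in structure to the page's decryptor. */
static void tea_decrypt_block(uint32_t v[2], const uint32_t key[4]) {
    uint32_t l = v[0], r = v[1], sum = TEA_DELTA * TEA_ROUNDS;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        r -= ((l << 4) + key[2]) ^ (l + sum) ^ ((l >> 5) + key[3]);
        l -= ((r << 4) + key[0]) ^ (r + sum) ^ ((r >> 5) + key[1]);
        sum -= TEA_DELTA;
    }
    v[0] = l;
    v[1] = r;
}

/* Explicit little-endian byte<->word mapping. The page casts the byte array to
   unsigned int*, which only gives this mapping on a little-endian host. */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store_le32(uint8_t *p, uint32_t x) {
    p[0] = (uint8_t)x;         p[1] = (uint8_t)(x >> 8);
    p[2] = (uint8_t)(x >> 16); p[3] = (uint8_t)(x >> 24);
}

/* Encrypt (decrypt == 0) or decrypt (decrypt != 0) buf in place, block by block.
   Returns 0 on success, -1 if len is not a multiple of the 8-byte block size. */
int tea_process(uint8_t *buf, size_t len, const uint32_t key[4], int decrypt) {
    if (len % 8 != 0) return -1;
    for (size_t off = 0; off < len; off += 8) {
        uint32_t v[2] = { load_le32(buf + off), load_le32(buf + off + 4) };
        if (decrypt) tea_decrypt_block(v, key); else tea_encrypt_block(v, key);
        store_le32(buf + off, v[0]);
        store_le32(buf + off + 4, v[1]);
    }
    return 0;
}

/* Round trip with a constructed key and message (not the challenge's):
   returns 1 if encryption changed the buffer and decryption restored it. */
int tea_roundtrip_ok(void) {
    const uint32_t key[4] = { 0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u };
    const char *msg = "flag{constructed_sample}";          /* constructed input */
    uint8_t plain[40] = {0};                               /* zero padded to 5 blocks */
    uint8_t buf[40];
    memcpy(plain, msg, strlen(msg));
    memcpy(buf, plain, sizeof buf);
    if (tea_process(buf, sizeof buf, key, 0) != 0) return 0;
    if (memcmp(buf, plain, sizeof buf) == 0) return 0;     /* nothing was encrypted */
    if (tea_process(buf, sizeof buf, key, 1) != 0) return 0;
    return memcmp(buf, plain, sizeof buf) == 0;
}

/* The page's dumped values through the same path: signed Java bytes and ints
   reinterpreted as uint8_t / uint32_t. Writes 40 bytes plus a NUL into out. */
int decrypt_page_ciphertext(char out[41]) {
    const int8_t raw[40] = {-4,-110,88,-112,106,-68,99,56, 85,-40,73,-17,-125,97,65,20,
                            -90,49,-69,-127,-104,-76,21,-88, -47,-111,8,97,109,-89,89,-34,
                            46,81,85,15,108,80,-40,-50};
    const int32_t k[4] = {56101863,-684705192,-1648642544,-1087280420};
    uint32_t key[4];
    uint8_t buf[40];
    for (int i = 0; i < 4; i++) key[i] = (uint32_t)k[i];
    for (int i = 0; i < 40; i++) buf[i] = (uint8_t)raw[i];
    if (tea_process(buf, sizeof buf, key, 1) != 0) return -1;
    memcpy(out, buf, 40);
    out[40] = '\0';
    return 0;
}

int main(void) {
    char out[41];
    printf("round trip: %s\n", tea_roundtrip_ok() ? "ok" : "FAILED");
    if (decrypt_page_ciphertext(out) == 0) printf("page ciphertext -> %s\n", out);
    return 0;
}
```

If the round trip passes but the page's ciphertext decrypts to garbage, the cipher core is right and the problem is in the mapping: swap load_le32/store_le32 for a big-endian pair, or check how the Java side turned its byte array into ints, before suspecting the key order.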