MoeCTF_2023

EQUITION

考察IDA修改数组，和z3求解器。

IDA修改数组

首先我们看到这里的数组v4大小，char v4[24]，但是scanf(“%31s”, v4);这里就知道数组的大小出了问题

我们需要对他的大小进行修改。

我们双击4v进入：

然后在第一个 位置 ，右键：

选中转换为数组

修改成31

z3解密

定义数组

v4 = [Int('serial%d' % i)for i in range(31)]

最后：

from z3 import *
v4 = [Int('serial%d' % i) for i in range(31)]
solver = Solver()
solver.add(填入式子)

flag = []
if solver.check()==sat:
    m = solver.model()
    for i in v4:
        flag.append(str(m[i]))
    print ("".join(flag))
    print ('ok')

if solver.check() == sat:
    print("结果：", solver.model())

然后再手动

from z3 import *
s = Solver()

flag_length = 31
v4=[i for i in range(flag_length)]

for i in range(flag_length):
    v4[i] = BitVec("v{}".format(i), 8)

#增加flag特殊条件
s.add(v4[0]==ord('m'))
s.add(v4[1]==ord('o'))
s.add(v4[2]==ord('e'))
s.add(v4[3]==ord('c'))
s.add(v4[4]==ord('t'))
s.add(v4[5]==ord('f'))
s.add(v4[6]==ord('{'))

s.add(0x14E*v4[28]+0x64*v4[27]+369*v4[26]+124*v4[25]+278*v4[24]+158*v4[23]+162*v4[22]+145*v4[19]+27*v4[17]+91*v4[15]+195*v4[14]+342*v4[13]+391*v4[10]+204*v4[9]+302*v4[8]+153*v4[7]+292*v4[6]+382*v4[5]+221*v4[4]+316*v4[3]+118*v4[2]+295*v4[1]+247*v4[0]+236*v4[11]+27*v4[12]+361*v4[16]+81*v4[18]+105*v4[20]+65*v4[21]+67*v4[29]+41*v4[30]==596119)
s.add(371*v4[29]+338*v4[28]+269*v4[27]+312*v4[26]+67*v4[25]+299*v4[24]+235*v4[23]+294*v4[22]+303*v4[21]+211*v4[20]+122*v4[19]+333*v4[18]+341*v4[15]+111*v4[14]+253*v4[13]+68*v4[12]+347*v4[11]+44*v4[10]+262*v4[9]+357*v4[8]+323*v4[5]+141*v4[4]+329*v4[3]+378*v4[2]+316*v4[1]+235*v4[0]+59*v4[6]+37*v4[7]+264*v4[16]+73*v4[17]+126*v4[30]==634009)
s.add(337*v4[29]+338*v4[28]+118*v4[27]+82*v4[26]+239*v4[21]+58*v4[20]+304*v4[19]+330*v4[18]+377*v4[17]+306*v4[16]+221*v4[13]+345*v4[12]+124*v4[11]+272*v4[10]+270*v4[9]+229*v4[8]+377*v4[7]+373*v4[6]+297*v4[5]+112*v4[4]+386*v4[3]+90*v4[2]+361*v4[1]+236*v4[0]+386*v4[14]+73*v4[15]+315*v4[22]+33*v4[23]+141*v4[24]+129*v4[25]+123*v4[30]==685705)
s.add(367*v4[29]+55*v4[28]+374*v4[27]+150*v4[24]+350*v4[23]+141*v4[22]+124*v4[21]+366*v4[20]+230*v4[19]+307*v4[18]+191*v4[17]+153*v4[12]+383*v4[11]+145*v4[10]+109*v4[9]+209*v4[8]+158*v4[7]+221*v4[6]+188*v4[5]+22*v4[4]+146*v4[3]+306*v4[2]+230*v4[1]+13*v4[0]+287*v4[13]+257*v4[14]+137*v4[15]+7*v4[16]+52*v4[25]+31*v4[26]+355*v4[30]==557696)
s.add(100*v4[29]+191*v4[28]+362*v4[27]+55*v4[26]+210*v4[25]+359*v4[24]+348*v4[21]+83*v4[20]+395*v4[19]+350*v4[16]+291*v4[15]+220*v4[12]+196*v4[11]+399*v4[8]+68*v4[7]+84*v4[6]+281*v4[5]+334*v4[4]+53*v4[3]+399*v4[2]+338*v4[0]+18*v4[1]+148*v4[9]+21*v4[10]+174*v4[13]+36*v4[14]+2*v4[17]+41*v4[18]+137*v4[22]+24*v4[23]+368*v4[30]==538535)
s.add(188*v4[29]+(v4[26]<<7)+93*v4[25]+248*v4[24]+83*v4[23]+207*v4[22]+217*v4[19]+309*v4[16]+16*v4[15]+135*v4[14]+251*v4[13]+200*v4[12]+49*v4[11]+119*v4[10]+356*v4[9]+398*v4[8]+303*v4[7]+224*v4[6]+208*v4[5]+244*v4[4]+209*v4[3]+189*v4[2]+302*v4[1]+395*v4[0]+314*v4[17]+13*v4[18]+310*v4[20]+21*v4[21]+67*v4[27]+127*v4[28]+100*v4[30]==580384)
s.add(293*v4[29]+343*v4[28]+123*v4[27]+387*v4[26]+114*v4[25]+303*v4[24]+248*v4[23]+258*v4[21]+218*v4[20]+180*v4[19]+196*v4[18]+398*v4[17]+398*v4[14]+138*v4[9]+292*v4[8]+38*v4[7]+179*v4[6]+190*v4[5]+57*v4[4]+358*v4[3]+191*v4[2]+215*v4[1]+88*v4[0]+22*v4[10]+72*v4[11]+357*v4[12]+9*v4[13]+389*v4[15]+81*v4[16]+85*v4[30]==529847)
s.add(311*v4[29]+202*v4[28]+234*v4[27]+272*v4[26]+55*v4[25]+328*v4[24]+246*v4[23]+362*v4[22]+86*v4[21]+75*v4[20]+142*v4[17]+244*v4[16]+216*v4[15]+281*v4[14]+398*v4[13]+322*v4[12]+251*v4[11]+357*v4[8]+76*v4[7]+292*v4[6]+389*v4[5]+275*v4[4]+312*v4[3]+200*v4[2]+110*v4[1]+203*v4[0]+99*v4[9]+21*v4[10]+269*v4[18]+33*v4[19]+356*v4[30]==631652)
s.add(261*v4[29]+189*v4[26]+55*v4[25]+23*v4[24]+202*v4[23]+185*v4[22]+182*v4[21]+285*v4[20]+217*v4[17]+157*v4[16]+232*v4[15]+132*v4[14]+169*v4[13]+154*v4[12]+121*v4[11]+389*v4[10]+376*v4[9]+292*v4[6]+225*v4[5]+155*v4[4]+234*v4[3]+149*v4[2]+241*v4[1]+312*v4[0]+368*v4[7]+129*v4[8]+226*v4[18]+288*v4[19]+201*v4[27]+288*v4[28]+69*v4[30]==614840)
s.add(60*v4[29]+118*v4[28]+153*v4[27]+139*v4[26]+23*v4[25]+279*v4[24]+396*v4[23]+287*v4[22]+237*v4[19]+266*v4[18]+149*v4[17]+193*v4[16]+395*v4[15]+97*v4[14]+16*v4[13]+286*v4[12]+105*v4[11]+88*v4[10]+282*v4[9]+55*v4[8]+134*v4[7]+114*v4[6]+101*v4[5]+116*v4[4]+271*v4[3]+186*v4[2]+263*v4[1]+313*v4[0]+149*v4[20]+129*v4[21]+145*v4[30]==510398)
s.add(385*v4[29]+53*v4[28]+112*v4[27]+8*v4[26]+232*v4[25]+145*v4[24]+313*v4[23]+156*v4[22]+321*v4[21]+358*v4[20]+46*v4[19]+382*v4[18]+144*v4[16]+222*v4[14]+329*v4[13]+161*v4[12]+335*v4[11]+50*v4[10]+373*v4[9]+66*v4[8]+44*v4[7]+59*v4[6]+292*v4[5]+39*v4[4]+53*v4[3]+310*v4[0]+154*v4[1]+24*v4[2]+396*v4[15]+81*v4[17]+355*v4[30]==558740)
s.add(249*v4[29]+386*v4[28]+313*v4[27]+74*v4[26]+22*v4[25]+168*v4[24]+305*v4[21]+358*v4[20]+191*v4[19]+202*v4[18]+14*v4[15]+114*v4[14]+224*v4[13]+134*v4[12]+274*v4[11]+372*v4[10]+159*v4[9]+233*v4[8]+70*v4[7]+287*v4[6]+297*v4[5]+318*v4[4]+177*v4[3]+173*v4[2]+270*v4[1]+163*v4[0]+77*v4[16]+25*v4[17]+387*v4[22]+18*v4[23]+345*v4[30]==592365)
s.add(392*v4[29]+385*v4[28]+302*v4[27]+13*v4[25]+27*v4[24]+99*v4[22]+343*v4[19]+324*v4[18]+223*v4[17]+372*v4[16]+261*v4[15]+181*v4[14]+203*v4[13]+232*v4[12]+305*v4[11]+393*v4[10]+325*v4[9]+231*v4[8]+92*v4[7]+142*v4[6]+22*v4[5]+86*v4[4]+264*v4[3]+300*v4[2]+387*v4[1]+360*v4[0]+225*v4[20]+127*v4[21]+2*v4[23]+80*v4[26]+268*v4[30]==619574)
s.add(270*v4[28]+370*v4[27]+235*v4[26]+96*v4[22]+85*v4[20]+150*v4[19]+140*v4[18]+94*v4[17]+295*v4[16]+19*v4[14]+176*v4[12]+94*v4[11]+258*v4[10]+302*v4[9]+171*v4[8]+66*v4[7]+278*v4[6]+193*v4[5]+251*v4[4]+284*v4[3]+218*v4[2]+(v4[1]<<6)+319*v4[0]+125*v4[13]+24*v4[15]+267*v4[21]+160*v4[23]+111*v4[24]+33*v4[25]+174*v4[29]+13*v4[30]==480557)
s.add(87*v4[28]+260*v4[27]+326*v4[26]+210*v4[25]+357*v4[24]+170*v4[23]+315*v4[22]+376*v4[21]+227*v4[20]+43*v4[19]+358*v4[18]+364*v4[17]+309*v4[16]+282*v4[15]+286*v4[14]+365*v4[13]+287*v4[12]+377*v4[11]+74*v4[10]+225*v4[9]+328*v4[6]+223*v4[5]+120*v4[4]+102*v4[3]+162*v4[2]+123*v4[1]+196*v4[0]+29*v4[7]+27*v4[8]+352*v4[30]==666967)
s.add(61*v4[29]+195*v4[28]+125*v4[27]+(v4[26]<<6)+260*v4[25]+202*v4[24]+116*v4[23]+230*v4[22]+326*v4[21]+211*v4[20]+371*v4[19]+353*v4[16]+124*v4[13]+188*v4[12]+163*v4[11]+140*v4[10]+51*v4[9]+262*v4[8]+229*v4[7]+100*v4[6]+113*v4[5]+158*v4[4]+378*v4[3]+365*v4[2]+207*v4[1]+277*v4[0]+190*v4[14]+320*v4[15]+347*v4[17]+11*v4[18]+137*v4[30]==590534)
s.add(39*v4[28]+303*v4[27]+360*v4[26]+157*v4[25]+324*v4[24]+77*v4[23]+308*v4[22]+313*v4[21]+87*v4[20]+201*v4[19]+50*v4[18]+60*v4[17]+28*v4[16]+193*v4[15]+184*v4[14]+205*v4[13]+140*v4[12]+311*v4[11]+304*v4[10]+35*v4[9]+356*v4[8]+23*v4[5]+85*v4[4]+156*v4[3]+16*v4[2]+26*v4[1]+157*v4[0]+150*v4[6]+72*v4[7]+58*v4[29]==429108)
s.add(157*v4[29]+137*v4[28]+71*v4[27]+269*v4[26]+161*v4[25]+317*v4[20]+296*v4[19]+385*v4[18]+165*v4[13]+159*v4[12]+132*v4[11]+296*v4[10]+162*v4[7]+254*v4[4]+172*v4[3]+132*v4[0]+369*v4[1]+257*v4[2]+134*v4[5]+384*v4[6]+53*v4[8]+255*v4[9]+229*v4[14]+129*v4[15]+23*v4[16]+41*v4[17]+112*v4[21]+17*v4[22]+222*v4[23]+96*v4[24]+126*v4[30]==563521)
s.add(207*v4[29]+83*v4[28]+111*v4[27]+35*v4[26]+67*v4[25]+138*v4[22]+223*v4[21]+142*v4[20]+154*v4[19]+111*v4[18]+341*v4[17]+175*v4[16]+259*v4[15]+225*v4[14]+26*v4[11]+334*v4[10]+250*v4[7]+198*v4[6]+279*v4[5]+301*v4[4]+193*v4[3]+334*v4[2]+134*v4[0]+37*v4[1]+183*v4[8]+5*v4[9]+270*v4[12]+21*v4[13]+275*v4[23]+48*v4[24]+163*v4[30]==493999)
s.add(393*v4[29]+176*v4[28]+105*v4[27]+162*v4[26]+148*v4[25]+281*v4[24]+300*v4[23]+342*v4[18]+262*v4[17]+152*v4[12]+43*v4[11]+296*v4[10]+273*v4[9]+75*v4[6]+18*v4[4]+217*v4[2]+132*v4[1]+112*v4[0]+210*v4[3]+72*v4[5]+113*v4[7]+40*v4[8]+278*v4[13]+24*v4[14]+77*v4[15]+11*v4[16]+55*v4[19]+255*v4[20]+241*v4[21]+13*v4[22]+356*v4[30]==470065)
s.add(369*v4[29]+231*v4[28]+285*v4[25]+290*v4[24]+297*v4[23]+189*v4[22]+390*v4[21]+345*v4[20]+153*v4[19]+114*v4[18]+251*v4[17]+340*v4[16]+44*v4[15]+58*v4[14]+335*v4[13]+359*v4[12]+392*v4[11]+181*v4[8]+103*v4[7]+229*v4[6]+175*v4[5]+208*v4[4]+92*v4[3]+397*v4[2]+349*v4[1]+356*v4[0]+(v4[9]<<6)+5*v4[10]+88*v4[26]+40*v4[27]+295*v4[30]==661276)
s.add(341*v4[27]+40*v4[25]+374*v4[23]+201*v4[22]+77*v4[21]+215*v4[20]+283*v4[19]+213*v4[18]+392*v4[17]+224*v4[16]+v4[15]+270*v4[12]+28*v4[11]+75*v4[8]+386*v4[7]+298*v4[6]+170*v4[5]+287*v4[4]+247*v4[3]+204*v4[2]+103*v4[1]+21*v4[0]+84*v4[9]+27*v4[10]+159*v4[13]+192*v4[14]+213*v4[24]+129*v4[26]+67*v4[28]+27*v4[29]+361*v4[30]==555288)
s.add(106*v4[29]+363*v4[28]+210*v4[27]+171*v4[26]+289*v4[25]+240*v4[24]+164*v4[23]+342*v4[22]+391*v4[19]+304*v4[18]+218*v4[17]+32*v4[16]+350*v4[15]+339*v4[12]+303*v4[11]+222*v4[10]+298*v4[9]+47*v4[8]+48*v4[6]+264*v4[4]+113*v4[3]+275*v4[2]+345*v4[1]+312*v4[0]+171*v4[5]+384*v4[7]+175*v4[13]+5*v4[14]+113*v4[20]+19*v4[21]+263*v4[30]==637650)
s.add(278*v4[29]+169*v4[28]+62*v4[27]+119*v4[26]+385*v4[25]+289*v4[24]+344*v4[23]+45*v4[20]+308*v4[19]+318*v4[18]+270*v4[17]+v4[16]+323*v4[15]+332*v4[14]+287*v4[11]+170*v4[10]+163*v4[9]+301*v4[8]+303*v4[7]+23*v4[6]+327*v4[5]+169*v4[3]+28*v4[0]+365*v4[1]+15*v4[2]+352*v4[12]+72*v4[13]+140*v4[21]+65*v4[22]+346*v4[30]==572609)
s.add(147*v4[29]+88*v4[28]+143*v4[27]+237*v4[26]+63*v4[24]+281*v4[22]+388*v4[21]+142*v4[20]+208*v4[19]+60*v4[18]+354*v4[15]+88*v4[14]+146*v4[13]+290*v4[12]+349*v4[11]+43*v4[10]+230*v4[9]+267*v4[6]+136*v4[5]+383*v4[4]+35*v4[3]+226*v4[2]+385*v4[1]+238*v4[0]+348*v4[7]+20*v4[8]+158*v4[16]+21*v4[17]+249*v4[23]+9*v4[25]+343*v4[30]==603481)
s.add(29*v4[29]+323*v4[26]+159*v4[25]+118*v4[20]+326*v4[19]+211*v4[18]+225*v4[17]+355*v4[16]+201*v4[15]+149*v4[14]+296*v4[13]+184*v4[12]+315*v4[11]+364*v4[10]+142*v4[9]+75*v4[8]+313*v4[7]+142*v4[6]+396*v4[5]+348*v4[4]+272*v4[3]+26*v4[2]+206*v4[1]+173*v4[0]+155*v4[21]+144*v4[22]+366*v4[23]+257*v4[24]+148*v4[27]+24*v4[28]+253*v4[30]==664504)
s.add(4*v4[29]+305*v4[28]+226*v4[27]+212*v4[26]+175*v4[25]+93*v4[24]+165*v4[23]+341*v4[20]+14*v4[19]+394*v4[18]+(v4[17]<<8)+252*v4[16]+336*v4[15]+38*v4[14]+82*v4[13]+155*v4[12]+215*v4[11]+331*v4[10]+230*v4[9]+241*v4[8]+225*v4[7]+186*v4[4]+90*v4[3]+50*v4[2]+62*v4[1]+34*v4[0]+237*v4[5]+11*v4[6]+336*v4[21]+36*v4[22]+29*v4[30]==473092)
s.add(353*v4[29]+216*v4[28]+252*v4[27]+8*v4[26]+62*v4[25]+233*v4[24]+254*v4[23]+303*v4[22]+234*v4[21]+303*v4[20]+(v4[19]<<8)+148*v4[18]+324*v4[17]+317*v4[16]+213*v4[15]+309*v4[14]+28*v4[13]+280*v4[11]+118*v4[10]+58*v4[9]+50*v4[8]+155*v4[7]+161*v4[6]+(v4[5]<<6)+303*v4[4]+76*v4[3]+43*v4[2]+109*v4[1]+102*v4[0]+93*v4[30]==497492)
s.add(89*v4[29]+148*v4[28]+82*v4[27]+53*v4[26]+274*v4[25]+220*v4[24]+202*v4[23]+123*v4[22]+231*v4[21]+169*v4[20]+278*v4[19]+259*v4[18]+208*v4[17]+219*v4[16]+371*v4[15]+181*v4[12]+104*v4[11]+392*v4[10]+285*v4[9]+113*v4[8]+298*v4[7]+389*v4[6]+322*v4[5]+338*v4[4]+237*v4[3]+234*v4[0]+261*v4[1]+10*v4[2]+345*v4[13]+3*v4[14]+361*v4[30]==659149)
s.add(361*v4[29]+359*v4[28]+93*v4[27]+315*v4[26]+69*v4[25]+137*v4[24]+69*v4[23]+58*v4[22]+300*v4[21]+371*v4[20]+264*v4[19]+317*v4[18]+215*v4[17]+155*v4[16]+215*v4[15]+330*v4[14]+239*v4[13]+212*v4[12]+88*v4[11]+82*v4[10]+354*v4[9]+85*v4[8]+310*v4[7]+84*v4[6]+374*v4[5]+380*v4[4]+215*v4[3]+351*v4[2]+141*v4[1]+115*v4[0]+108*v4[30]==629123)


flag = []
if s.check() == sat:
    ans = s.model()
    for i in range(flag_length):
        flag.append(ans[v4[i]])
else:
    print("unable to solve...")
for x in flag:
    print(chr(int(str(x))),end="")

junk_code

花指令

											test    eax, eax
.text:00460610 74 01                         jz      short near ptr loc_460612+1

这里是一个永恒的跳转，所以下面的call 是一个花指令，我们需要nop掉

点击change byte 然后把他nop掉【nop的机器码是90】

但是这里我们发现还是不能反编译成功，这里就需要用p，让他重新来一下

对着这个函数的首地址，按下 p

然后就反编译成功了

下面那个同理

exp:

key = 'hj`^oavt+pZm`h+q._'
flag1 = ''

for i in key:
    temp = ord(i)
    temp +=5
    flag1 += chr(temp)
print(f"{flag1}")
#moectf{y0u_rem0v3d

key2 = [57,0x12,0x0e,0x55,0x39,0x0c,0x13,8,0x0d,0x39,5,0x56,
        2,0x55,0x47,0x47,0x47,0x1b]
flag2 = ''
for i in key2:
    temp = i ^ 0x66
    flag2 += chr(temp)
print(f"{flag1}{flag2}")

RRRRc4

rc4

这里主要是一个分析代码

利用 ^ 的特征来解题

100 ^ 5 = 97
97 ^ 5 = 100

所以当在用 ^ 所加密的时候，我们只是需要用正方向再一次的运行代码

这里主要是记录一下python写脚本的代码方便以后查看

flag = ''
key = [0x1b,0x9b,0x0fb,0x19,6,0x6a,0x0b5,0x3b,0x7c,0x0ba,3,0x0f3,0x91,0x0b8,0x0b6,0x3d,0x8a,0x0c1,0x48,0x2e,0x50,0x11,
       0x0e7,0xc7,0x4f,0xb1,0x27,0x0cf,0x0f3,0x0ae,3,9,0x0b2,8,0x0fb,0x0dc,0x22,0x0b]

v5 = [i for i in range(256)]
v7 ="moectf2023"
v6 = ''
v10 = 0
v14 = 0
for i in range(256):
       v6  += (v7[i%10])

for j in range(256):
       v10 = (ord(v6[j]) + v5[j] + v10)%256
       v12 = v5[v10]
       v5[v10] = v5[j]
       v5[j] = v12
v14 = 0
v9 = 0
v11 = 0
for i in range(38):
       v9 = v9+1
       v11 = (v5[v9] + v11) % 256
       v13 = v5[v11]
       v5[v11] = v5[v9]
       v5[v9] = v13
       key[v14] ^= v5[(v5[v11] + v5[v9]) % 256]
       v14 +=1
for i in range(38):
       print(chr(key[i]),end='')

也可以用在线网站解密https://gchq.github.io/CyberChef/

---

SMC

首先把SMC.exe加载到IDA里面

找到主要的地方【通过运行该EXE文件，然后再IDA中找字符串进行定位】

通过简单的分析：

前面2个是printf 和 scanf 函数 在 if 判断前面有2个函数，根据题目就可以得出，第一个函数是对SMC解密的函数，第二个才是真正的函数。

并且可以看到在if 里面的判断的函数是反编译错误的

现在主要就是对第一个加密的函数进行分析，然后逆向，让IDA进行重新分析，得到正确的代码

VirtualProtect–API

lpAddress，要改变属性的内存起始地址。

dwSize，要改变属性的内存区域大小。

flNewProtect，内存新的属性类型，设置为PAGE_EXECUTE_READWRITE（0x40）时该内存页为可读可写可执行。

pflOldProtect，内存原始属性类型保存地址。

能通过这个函数知道：对0x1000u的地址空间进行了改变

然后是这个for循环，知道其对地址进行了XOR的操作，这里外面用IDApython进行XOR回来

shitf + f12 选中 python 然后运行

for i in range(0x4014D0,0x401549):
    patch_byte(i,get_wide_byte(i)^0x66)

很明显的看到0x4014D0：地址之后的东西进行了改变

之前：

patch之后：

然后根据上面的VirtualProtect API 知道对0x1000个地址进行了操作，让他可执行

所以这里就需要选中0x1000 个大小的空间。【我之间就选了patch的122个空间就错误了】

这样用左键选中就好了，然后按下“c”键，让IDA进行重新分析

然后就好了

看到中间的for循环，更具经验就知道这里是逆向的地方。然后双击byte_40a000地址，就能看到字符了。

然后在用python写代码就完事。

exp:

flag = ''
enc = [0x9f,0x91,0x0a7,0x0a5,0x94,0x0a6,0x8d,0x0b5,0x0a7,0x9c,
0x0a6,0x0a1,0x0bf,0x91,0x0a4,0x53,0x0a6,0x53,0x0a5,0x0a3,0x94,0x9b,0x91,0x9e,0x8f,0,0,0]

for i in enc:
    temp = 0x39 ^ i
    temp = temp - 57
    flag +=chr(temp)
print(f"{flag}")

也可以动态调试，在运行解密函数后，找到加密的位置对他重新分析。

ezandroid

通过寻找MainActivity

看到这native，就知道是要去找到.so文件了

将.apk 改成.zip 然后解压缩，找到armeabi-v7a里面的libezandroid.so文件

用IDA打开它：

看到这4个函数都有走迷宫。

看到JNI_OnLoad里面有·com/doctor3/ezandroid/MainActivity·

猜测是这个

看到是135个，然后你去看其他函数wsad都是+15

所以就15 15 一行：

最后就是：ssaassssdddddwwddddwwa

GUI