BugkuCTF逆向题目05 - [阿里Timer]

这是在52上看的一个题

本来以为要搞so还是啥得

没想到等就行了。

于是我还是动动手吧

public class AliTImer {
    public static void main(String[] args) throws InterruptedException {
        int beg = (((int) (System.currentTimeMillis() / 1000)) + 200000);
        int k = 0;
        int now;
        long t = 0;
        boolean isfirst = true;
        long time = 0;

        while (true) {
            if (isfirst) {
                t = System.currentTimeMillis();
                time = System.currentTimeMillis();
                isfirst = false;
            }else {
                time = t = time + 1000;
            }
            System.out.println("t:" + t);
            now = (int) (t / 1000);
            t = 1500 - (t % 1000);
            if (beg - now <= 0) {
                System.out.println("ok");
                break;
            }
            if (is2(beg - now)) {
                k += 100;
            } else {
                k--;
            }

            System.out.println("Time Remaining(s):" + (beg - now));
        }

        System.out.println("k:" + k);

    }

    public static boolean is2(int n) {
        if (n <= 3) {
            if (n > 1) {
                return true;
            }
            return false;
        } else if (n % 2 == 0 || n % 3 == 0) {
            return false;
        } else {
            int i = 5;
            while (i * i <= n) {
                if (n % i == 0 || n % (i + 2) == 0) {
                    return false;
                }
                i += 6;
            }
            return true;
        }
    }


}

java部分直接模拟

image.png

跑出来得k值是这个

接着用frida搞它
frida高版本还是用console.log吧 print有时候打不出东西 气死我了 一直找不出原因
没想到是这个

frida 12.4.8版本

import frida, sys,io

def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

jscode = """
Java.perform(function () {
    var mainActivity = Java.use('net.bluelotus.tomorrow.easyandroid.MainActivity');
    var isFirst = true
    console.log(mainActivity)
    mainActivity.is2.overload('int').implementation = function(n){
        if(isFirst){
            isFirst = false
            
            
            Java.choose("net.bluelotus.tomorrow.easyandroid.MainActivity", {
            onMatch: function(instance) {
                var string = instance.stringFromJNI2(1616384)
                console.log(string)
            },
            onComplete: function() { }
        });
        }
        var bool = this.is2(n)
        return bool
    }
    
    
    
    
});
"""

# device = frida.get_device_manager().enumerate_devices()[-1]
# pid = device.spawn(["net.bluelotus.tomorrow.easyandroid"])
# session = device.attach(pid)
# print("[*] Attach Application id:",pid)
# device.resume(pid)
# print("[*] Application onResume")
# script = session.create_script(jscode)
# script.on('message', on_message)
# print('[*] Running CTF')
# script.load()
# sys.stdin.read()

process = frida.get_usb_device().attach('net.bluelotus.tomorrow.easyandroid')
script = process.create_script(jscode)
script.on('message', on_message)
print('Running...')
script.load()
sys.stdin.read()

image.png

出来结果是这个