猿人学APP-第三题

看这结构,能不能拿到数据八成跟m的值有关系,看一下这个m值的形成过程
定位到第三题的函数调用过程

确定m在第二个参数,查看一下它的用法

进入第二个参数crypto中
用frida去hook一下这个函数,看看传入的参数都是啥

可以看出来,第一个参数是"001时间戳",第二个参数是"时间戳",上unidbg吧
ps: 我以为这个001是在整个过程全部都是"001时间戳",结果不是的,而是"三位的页数"+"时间戳"
直接上代码。需要注意的是,我写好代码后发现,即使用刚才同一个时间戳去运行,每次的结果也都不一样。相同输入得到不同输出,说明算法内部引入了随机量,可能是用了带随机填充的RSA?不过随机IV或随机盐也会产生同样的现象,仅凭这一点还不能确定。
package com.yuanrenxue.match2022;
import com.github.unidbg.AndroidEmulator;import com.github.unidbg.linux.android.AndroidEmulatorBuilder;import com.github.unidbg.linux.android.AndroidResolver;import com.github.unidbg.linux.android.dvm.DalvikModule;import com.github.unidbg.linux.android.dvm.DvmClass;import com.github.unidbg.linux.android.dvm.StringObject;import com.github.unidbg.linux.android.dvm.VM;import com.github.unidbg.linux.android.dvm.jni.ProxyClassFactory;import com.github.unidbg.memory.Memory;
import java.io.File;import java.io.IOException;
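/**
 * Calls the native {@code crypto} routine of {@code libmatch03.so} inside a unidbg-emulated
 * 64-bit Android process, so the {@code m} request parameter can be computed off-device.
 *
 * <p>The emulator holds resources that are only released by {@link #destroy()}; callers must
 * invoke it when they are done (see {@link #main(String[])} for the pattern).
 */
public class ChallengeThreeFragment {
    // Absolute paths from the author's machine; adjust them before running elsewhere.
    // APK_PATH is only handed to setProcessName(): the Dalvik VM below is created without an
    // APK, so the archive itself is never opened by this class.
    private static final String APK_PATH =
            "/Users/william/Desktop/Tools/Android/unidbg-0.9.7/unidbg-android/src/test/java/com/yuanrenxue/match2022/yuanrenxuem109.apk";
    private static final String LIBRARY_PATH =
            "/Users/william/Desktop/Tools/Android/unidbg-0.9.7/unidbg-android/src/test/java/com/yuanrenxue/match2022/libmatch03.so";

    // Class in the target app that declares the native method, and that method's JNI signature.
    private static final String TARGET_CLASS =
            "com.yuanrenxue.match2022.fragment.challenge.ChallengeThreeFragment";
    private static final String CRYPTO_SIGNATURE =
            "crypto(Ljava/lang/String;J)Ljava/lang/String;";

    private final AndroidEmulator emulator;
    private final DvmClass cSignUtil;
    private final VM vm;

    /**
     * Builds the emulator, loads {@code libmatch03.so} and runs its {@code JNI_OnLoad}.
     *
     * @throws IllegalStateException if the native library is not present at the configured path
     */
    public ChallengeThreeFragment() {
        // Fail with a readable message before any emulator resources are allocated.
        File library = new File(LIBRARY_PATH);
        if (!library.isFile()) {
            throw new IllegalStateException("native library not found: " + LIBRARY_PATH);
        }

        emulator = AndroidEmulatorBuilder.for64Bit().setProcessName(APK_PATH).build();
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));

        vm = emulator.createDalvikVM();
        vm.setDvmClassFactory(new ProxyClassFactory());
        vm.setVerbose(false);

        DalvikModule dm = vm.loadLibrary(library, false);
        cSignUtil = vm.resolveClass(TARGET_CLASS);
        dm.callJNI_OnLoad(emulator);
    }

    /**
     * Closes the emulator.
     *
     * @throws IOException if closing the emulator fails
     */
    public void destroy() throws IOException {
        emulator.close();
    }

    /**
     * Computes the signature for one page by invoking the emulated native method.
     *
     * <p>The first native argument is the page number zero-padded to three digits followed by
     * the current time in milliseconds; the second is that same timestamp as a {@code long}.
     * The padded page is echoed to standard output, as in the original listing.
     *
     * @param Page page number; values above 999 are not truncated and give a longer prefix
     * @return the string returned by the native {@code crypto} method
     */
    public String crypto(int Page) {
        long timestamp = System.currentTimeMillis();
        // Locale.ROOT keeps the digits ASCII even when the default locale formats %d differently.
        String paddedPage = String.format(java.util.Locale.ROOT, "%03d", Page);
        System.out.println(paddedPage);

        // Invoke the JNI method inside the emulator.
        StringObject result = cSignUtil.callStaticJniMethodObject(
                emulator,
                CRYPTO_SIGNATURE,
                new StringObject(vm, paddedPage + timestamp),
                timestamp);
        return result.getValue();
    }

    /**
     * Demo entry point: prints the signature for page 100.
     *
     * @param args unused
     * @throws Exception if the emulator cannot be set up or closed
     */
    public static void main(String[] args) throws Exception {
        ChallengeThreeFragment fragment = new ChallengeThreeFragment();
        try {
            String crypto = fragment.crypto(100);
            System.out.println("sign=" + crypto);
        } finally {
            // The original listing never closed the emulator; release it on success and on error.
            fragment.destroy();
        }
    }
}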
from urllib.parse import quotefrom lxpy import copy_headers_dictimport jsonimport requestsimport jpype
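def main():
    """Sum the ``value`` fields returned for pages 1-100 of the app3 endpoint.

    Starts a JVM through JPype, instantiates the unidbg-backed
    ``ChallengeThreeFragment`` class, asks it for the ``m`` signature of each
    page, posts the form body through ``getData`` and adds up the returned
    values. The page data and the running total are printed for every page.

    Raises:
        RuntimeError: if a reply carries no ``data`` field.
    """
    NUM = 0
    # Start the Java virtual machine (the libjli path is specific to the author's machine).
    jpype.startJVM(
        "/Library/Java/JavaVirtualMachines/jdk-13.0.2.jdk/Contents/Home/lib/libjli.dylib",
        "-ea",
        "-Djava.class.path=unidbg-android3.jar",
    )
    # Look up the Java class and instantiate it.
    jclass = jpype.JClass("com.yuanrenxue.match2022.ChallengeThreeFragment")
    fragment = jclass()
    try:
        for page in range(1, 101):
            m = str(fragment.crypto(jpype.JInt(page)))
            # NOTE(review): the account token is hard-coded here; anyone who can read this
            # file can reuse it. Load it from the environment or a local config file instead.
            # NOTE(review): m is inserted unescaped; if the signature can contain '+', '/',
            # '=' or '&' it needs percent-encoding - confirm against the app's own request.
            data = f"m={m}&page={page}&token=4a7uy2lcnUi8Nx5haZ9WepeaszvnRooXGFPDjtn8N6bSF8u6xYwWzgYsCyilp7if"
            # The original posted every body twice and discarded the first reply; one
            # request per page is enough and keeps each timestamped signature single-use.
            reply = getData(data)
            nums = reply.get("data")
            if nums is None:
                raise RuntimeError(f"page {page}: reply has no 'data' field: {reply!r}")
            print(nums)
            for num in nums:
                NUM += int(num.get('value'))
            print(NUM)
    finally:
        # Release the emulator held by the Java object even when a page fails.
        fragment.destroy()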
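def getData(data):
    """POST a pre-encoded form body to the app3 endpoint and return the decoded JSON reply.

    Args:
        data: the ``application/x-www-form-urlencoded`` request body as a string.

    Returns:
        The parsed JSON document of the response.

    Raises:
        requests.RequestException: on connection failure, timeout, TLS
            verification failure or a non-2xx status.
    """
    DURL = "https://appmatch.yuanrenxue.cn/app3"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # Certificate verification stays at the requests default (enabled). The body carries the
    # account token, and verify=False would let any on-path host read or alter the exchange.
    # When an intercepting proxy is in use, point REQUESTS_CA_BUNDLE (or verify=<ca file>)
    # at the proxy's CA certificate instead of switching verification off.
    response = requests.post(DURL, data=data, headers=headers, timeout=10)
    # Surface HTTP errors directly rather than as a confusing JSON decode failure.
    response.raise_for_status()
    return response.json()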
# Run the page loop only when this file is executed as a script, not when it is imported.
if __name__ == '__main__':
    main()

