猿人学APP-第三题

william1024


2024-04-10 21:11


123bc8f1a93c015092b43a4af8e38b79.webp


看这结构,能不能拿到数据八成跟m的值有关系,看一下这个m值的形成过程

定位到第三题的函数调用过程

ca493cc5d5791526f686b1532dd26f3d.webp

确定m在第二个参数,查看一下他的用例

589a4a6713cd30bc112461a7a4467159.webp

进入第二个参数crypto中

d1f9c255e7aceb259a1818844e802128.webp

用frida去hook一下这个函数,看看传入的参数都是啥

8924e74b9b88366d2cea4f5a629cfd10.webp

3d914a809e441e389de639abd1afa4cc.webp

可以看出来第一个参数是"001时间戳",第二个参数是"时间戳",上unidbg吧

ps: 我以为这个001是在整个过程全部都是"001时间戳",结果不是的,而是"三位的页数"+"时间戳"

直接上代码。需要注意的是,我写好代码后发现,使用刚才的时间戳去运行,每次的结果都不一样,可能是用了RSA?(相同输入得到不同输出,只能说明native层引入了随机量,例如随机填充或随机数;仅凭这一点还不能确定具体算法,需要进一步分析so才能确认。)


      
        package com.yuanrenxue.match2022;
      
      
        
          
import com.github.unidbg.AndroidEmulator; import com.github.unidbg.linux.android.AndroidEmulatorBuilder; import com.github.unidbg.linux.android.AndroidResolver; import com.github.unidbg.linux.android.dvm.DalvikModule; import com.github.unidbg.linux.android.dvm.DvmClass; import com.github.unidbg.linux.android.dvm.StringObject; import com.github.unidbg.linux.android.dvm.VM; import com.github.unidbg.linux.android.dvm.jni.ProxyClassFactory; import com.github.unidbg.memory.Memory;
import java.io.File; import java.io.IOException;
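/**
 * Calls the native {@code crypto} routine of {@code libmatch03.so} inside a unidbg-emulated
 * 64-bit Android process, so the request parameter {@code m} can be computed off-device.
 *
 * <p>Each instance owns one emulator. Call {@link #destroy()} when finished to release it.
 */
public class ChallengeThreeFragment {

    // Machine-specific locations copied from the original write-up; adjust before running elsewhere.
    // NOTE(review): setProcessName receives the APK path rather than a process/package name -
    // confirm this is intended.
    private static final String APK_PATH =
            "/Users/william/Desktop/Tools/Android/unidbg-0.9.7/unidbg-android/src/test/java/com/yuanrenxue/match2022/yuanrenxuem109.apk";
    private static final String LIBRARY_PATH =
            "/Users/william/Desktop/Tools/Android/unidbg-0.9.7/unidbg-android/src/test/java/com/yuanrenxue/match2022/libmatch03.so";

    /** Java class that declares the native method in the target app. */
    private static final String TARGET_CLASS =
            "com.yuanrenxue.match2022.fragment.challenge.ChallengeThreeFragment";

    /** JNI signature of the native method: {@code String crypto(String, long)}. */
    private static final String CRYPTO_METHOD = "crypto(Ljava/lang/String;J)Ljava/lang/String;";

    private final AndroidEmulator emulator;
    private final DvmClass cSignUtil;
    private final VM vm;

    /**
     * Builds the emulator, loads {@code libmatch03.so} and runs its {@code JNI_OnLoad}.
     */
    public ChallengeThreeFragment() {
        emulator = AndroidEmulatorBuilder.for64Bit()
                .setProcessName(APK_PATH)
                .build();
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM();
        vm.setDvmClassFactory(new ProxyClassFactory());
        vm.setVerbose(false);
        DalvikModule dm = vm.loadLibrary(new File(LIBRARY_PATH), false);
        // Resolve the class before JNI_OnLoad, in the same order as the original listing.
        cSignUtil = vm.resolveClass(TARGET_CLASS);
        dm.callJNI_OnLoad(emulator);
    }

    /**
     * Closes the emulator owned by this instance.
     *
     * @throws IOException if closing the emulator fails
     */
    public void destroy() throws IOException {
        emulator.close();
    }

    /**
     * Computes the {@code m} value for one result page.
     *
     * <p>The native method is called with the zero-padded three-digit page number followed by
     * the current time in milliseconds, and with that same timestamp as its second argument.
     * The write-up observed this input shape with a Frida hook.
     *
     * @param Page page number, 0 to 999 inclusive
     * @return the string returned by the native {@code crypto} method
     * @throws IllegalArgumentException if {@code Page} does not fit in three digits
     */
    public String crypto(int Page) {
        // "%03d" would emit a sign or a fourth digit outside this range and break the input shape.
        if (Page < 0 || Page > 999) {
            throw new IllegalArgumentException("page must be in 0..999 but was " + Page);
        }
        long timestamp1 = System.currentTimeMillis();
        // Locale.ROOT keeps ASCII digits; the default locale may substitute localized digits.
        String page = String.format(java.util.Locale.ROOT, "%03d", Page);
        System.out.println(page);
        // Invoke the JNI method inside the emulator.
        StringObject array = cSignUtil.callStaticJniMethodObject(
                emulator, CRYPTO_METHOD, new StringObject(vm, page + timestamp1), timestamp1);
        return array.getValue();
    }

    /**
     * Prints the native result for page 100, then releases the emulator.
     */
    public static void main(String[] args) throws Exception {
        ChallengeThreeFragment fragment = new ChallengeThreeFragment();
        try {
            String crypto = fragment.crypto(100);
            System.out.println("sign=" + crypto);
        } finally {
            // The original never closed the emulator; release it even if crypto() throws.
            fragment.destroy();
        }
    }
}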


      
        from urllib.parse import quote
      
      
        from lxpy import copy_headers_dict
      
      
        import json
      
      
        import requests
      
      
        import jpype
      
      
        
          
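def main():
    """Sum the ``value`` fields returned for pages 1-100 of challenge 3.

    Starts a JVM through jpype, uses the Java ``ChallengeThreeFragment`` class to
    compute the ``m`` parameter for each page, posts one request per page via
    ``getData`` and prints the grand total at the end.

    Raises:
        RuntimeError: if a response carries no ``data`` field.
    """
    total = 0
    # Machine-specific JVM library path and jar name; adjust before running elsewhere.
    jpype.startJVM("/Library/Java/JavaVirtualMachines/jdk-13.0.2.jdk/Contents/Home/lib/libjli.dylib", "-ea", "-Djava.class.path=unidbg-android3.jar")
    try:
        jclass = jpype.JClass("com.yuanrenxue.match2022.ChallengeThreeFragment")
        signer = jclass()
        try:
            for page in range(1, 101):
                m = str(signer.crypto(jpype.JInt(page)))
                # NOTE(review): hard-coded account token; load it from the environment or a
                # local config file and keep it out of published code.
                # NOTE(review): m is interpolated without URL-encoding. If it can contain
                # '+', '/' or '=', pass it through quote() (imported at the top of the file
                # but unused) - confirm against what the server expects.
                data = f"m={m}&page={page}&token=4a7uy2lcnUi8Nx5haZ9WepeaszvnRooXGFPDjtn8N6bSF8u6xYwWzgYsCyilp7if"
                # The original posted every page twice and discarded the first response.
                response = getData(data)
                nums = response.get("data")
                if nums is None:
                    raise RuntimeError(f"page {page}: response has no 'data' field: {response}")
                print(nums)
                for num in nums:
                    total += int(num.get('value'))
        finally:
            # Release the emulator held by the Java object.
            signer.destroy()
    finally:
        jpype.shutdownJVM()
    print(total)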

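def getData(data):
    """POST a form-encoded body to the challenge endpoint and return the decoded JSON.

    Args:
        data: request body, already in ``application/x-www-form-urlencoded`` form.

    Returns:
        The parsed JSON response.
    """
    DURL = "https://appmatch.yuanrenxue.cn/app3"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # The original passed verify=False, which disables TLS certificate checking and lets any
    # on-path party read or alter the token and the response. Verification stays on here.
    # When a local intercepting proxy is in use, pass its CA bundle via verify="<path-to-ca.pem>".
    # The timeout keeps one stalled connection from hanging the whole run.
    response = requests.post(DURL, data=data, headers=headers, timeout=10)
    return response.json()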
if __name__ == '__main__':
    # Run only when executed as a script, not when imported.
    main()



df1da8dfb328e0a18c9aa546a354e5e9.webp




