0x00
Title link: https://pan.baidu.com/s/1p684GHsV_FMrBs-is-eO1g extraction code: bdg9
0x01
Java Layer Analysis
The Form method of the format class takes positions 5 through 38 of the input string in the app and passes that substring to the native function in the native layer. Below, XXXXX denotes the part of the input flag{XXXXX} that is extracted this way.
0x02
Native Layer Analysis
1) Checking the strings in IDA shows a base64 encoding table and the suspected ciphertext "forbidden.". Replacing "." with "=" and base64-decoding it gives "ttttievahtnodiesuacebllehsatnawi".
2) Before the base64 encoding, the incoming XXXXX is processed: the analysis shows it is simply reversed end to end (1234 becomes 4321).
    v20 = __readgsdword(0x14u);
    // JNI: fetch the Java string passed in as a C string
    src = (const char *)(*(int (__cdecl **)(int, int, _DWORD))(*(_DWORD *)a1 + 676))(a1, a3, 0);
    if ( !src )
      return 0;
    dest = (char *)operator new[](0x21u);   // 33 bytes: 32 characters plus the terminating NUL
    strcpy(dest, src);
    sub_8700((int)&v19, (char *)&unk_236F3);
    // swap dest[v6-1] with dest[v5] while the indices walk toward the middle:
    // this reverses dest in place
    v5 = strlen(dest) - 1;
    if ( v5 )
    {
      v6 = 1;
      do
      {
        v7 = dest[v6 - 1];
        dest[v6 - 1] = dest[v5];
        dest[v5--] = v7;
        v8 = v6++ < v5;
      }
      while ( v8 );
    }
The input Xxxxx is iwantashellbecauseidonthaveitttt, and the flag is obtained.
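The check as the writeup describes it (extract XXXXX, reverse it in the native layer, base64-encode, compare with the "."-padded ciphertext) and its inverse, re-implemented in Python as an added example; this is not the app's or the author's code. The page does not quote the full encoded string, so the ciphertext constant below is reconstructed from the decoded plaintext given above.

```python
import base64

# Plaintext the page recovers by base64-decoding the suspected ciphertext with
# "." restored to "=". The full encoded string is not quoted on the page, so
# the ciphertext is reconstructed from that plaintext here (assumption).
DECODED = b"ttttievahtnodiesuacebllehsatnawi"
CIPHERTEXT = base64.b64encode(DECODED).decode().replace("=", ".")


def native_reverse(buf: bytearray) -> bytearray:
    """Mirror of the decompiled do/while loop: swap dest[v6-1] and dest[v5]
    while the indices walk toward the middle, i.e. an in-place reversal."""
    v5 = len(buf) - 1
    if v5 > 0:  # the decompiled `if ( v5 )` assumes a non-empty string
        v6 = 1
        while True:
            buf[v6 - 1], buf[v5] = buf[v5], buf[v6 - 1]
            v5 -= 1
            v8 = v6 < v5      # `v8 = v6++ < v5` compares before incrementing
            v6 += 1
            if not v8:
                break
    return buf


def check_flag(candidate: str) -> bool:
    """Re-implementation of the app's check: take the characters between
    "flag{" and "}", reverse them, base64-encode, swap "=" for ".", compare."""
    if not (candidate.startswith("flag{") and candidate.endswith("}")):
        return False
    inner = candidate[5:-1]
    if len(inner) != 32:  # dest is operator new[](0x21): 32 chars plus NUL
        return False
    reversed_inner = bytes(native_reverse(bytearray(inner.encode())))
    encoded = base64.b64encode(reversed_inner).decode().replace("=", ".")
    return encoded == CIPHERTEXT


def solve(ciphertext: str) -> str:
    """Invert the check: restore the padding, base64-decode, reverse, wrap."""
    decoded = base64.b64decode(ciphertext.replace(".", "="))
    return "flag{" + decoded[::-1].decode() + "}"


if __name__ == "__main__":
    flag = solve(CIPHERTEXT)
    print(flag, check_flag(flag))
```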
18/09/28-3-bugku-reverse-easyeasy-200 (lctf)