vm_flutter

附件地址

https://buuoj.cn/match/matches/195/challenges#vm_flutter
可以在buu下载到。
Flutter 我也不熟,不过这道题的加密算法全部在 Java 层,其实就是先相加、再异或。

反编译

package k;

import java.util.Stack;

/* loaded from: classes.dex */
/**
 * Small stack machine recovered by decompilation: an operand stack plus a fixed
 * 50-slot integer memory.
 *
 * <p>Every binary operation pops two values and pushes one result. The value popped
 * FIRST (the top of the stack) is the LEFT operand and the value popped second is the
 * RIGHT operand. This matters for the non-commutative operations (shifts and
 * subtraction) when reconstructing a program from a trace.
 *
 * <p>Method names are the obfuscated ones; the mapping is: a = shift left,
 * b = shift right (arithmetic), c = add, d = and, e = load, f = multiply, g = or,
 * h = pop, i = push, j = store, k = subtract, l = xor.
 */
public class b {

    /* Operand stack. The decompiler renamed this from "a" (collision with root package name). */
    public final Stack<Integer> f740a = new Stack<>();

    /* Memory cells used by e (load) and j (store). Renamed from "b" for the same reason. */
    public final int[] f741b = new int[50];

    /**
     * Guard shared by all binary operations.
     *
     * @throws RuntimeException if fewer than two values are on the stack
     */
    private void requireTwoOperands() {
        if (f740a.size() < 2) {
            throw new RuntimeException("Not enough operands on the stack");
        }
    }

    /** Shift left: pushes {@code top << next}. */
    public void a() {
        requireTwoOperands();
        int top = h();
        int next = h();
        i(top << next);
    }

    /** Arithmetic shift right: pushes {@code top >> next}. */
    public void b() {
        requireTwoOperands();
        int top = h();
        int next = h();
        i(top >> next);
    }

    /** Addition: pushes {@code top + next}. */
    public void c() {
        requireTwoOperands();
        int top = h();
        int next = h();
        i(top + next);
    }

    /** Bitwise and: pushes {@code top & next}. */
    public void d() {
        requireTwoOperands();
        int top = h();
        int next = h();
        i(top & next);
    }

    /**
     * Load: pushes the content of memory cell {@code i2}.
     *
     * @param i2 memory index, must be in {@code [0, 50)}
     * @throws RuntimeException if the index is outside the memory array
     */
    public void e(int i2) {
        if (i2 < 0 || i2 >= f741b.length) {
            throw new RuntimeException("Invalid memory address");
        }
        i(f741b[i2]);
    }

    /** Multiplication: pushes {@code top * next}. */
    public void f() {
        requireTwoOperands();
        int top = h();
        int next = h();
        i(top * next);
    }

    /** Bitwise or: pushes {@code top | next}. */
    public void g() {
        requireTwoOperands();
        int top = h();
        int next = h();
        i(top | next);
    }

    /**
     * Pop: removes and returns the top of the stack.
     *
     * @return the popped value
     * @throws RuntimeException if the stack is empty
     */
    public int h() {
        if (f740a.isEmpty()) {
            throw new RuntimeException("Stack underflow");
        }
        return f740a.pop();
    }

    /**
     * Push: places {@code i2} on top of the stack.
     *
     * @param i2 value to push
     */
    public void i(int i2) {
        f740a.push(i2);
    }

    /**
     * Store: pops the top of the stack into memory cell {@code i2}.
     *
     * <p>The address is validated before anything is popped, so an invalid address
     * leaves the stack untouched.
     *
     * @param i2 memory index, must be in {@code [0, 50)}
     * @throws RuntimeException if the index is outside the memory array, or if the
     *     stack is empty
     */
    public void j(int i2) {
        if (i2 < 0 || i2 >= f741b.length) {
            throw new RuntimeException("Invalid memory address");
        }
        int value = h();
        f741b[i2] = value;
    }

    /** Subtraction: pushes {@code top - next}. */
    public void k() {
        requireTwoOperands();
        int top = h();
        int next = h();
        i(top - next);
    }

    /** Bitwise xor: pushes {@code top ^ next}. */
    public void l() {
        requireTwoOperands();
        int top = h();
        int next = h();
        i(top ^ next);
    }
}

vm部分在这里
没有更好的办法,直接 hook b 类的各个函数,打印日志。

frida-hook

/**
 * Frida script: logs every call made to the stack-machine class k.b.
 *
 * Each hook REPLACES the original method and does not call through to it, so
 * while the script is loaded the VM's stack and memory are never updated. The
 * log therefore shows only the instruction stream issued by the interpreter
 * (mnemonic plus immediate argument), not computed values.
 *
 * NOTE(review): h() is declared to return int in the Java class, but its
 * replacement returns nothing. Confirm how the runtime handles that if any
 * caller uses h()'s result while hooked.
 */
function hook() {
    Java.perform(function () {
        const vmClass = Java.use("k.b");

        // Operations without an argument: [obfuscated method name, logged mnemonic].
        const plainOps = [
            ["a", "Lshift"],
            ["b", "Rshift"],
            ["c", "add"],
            ["d", "and"],
            ["f", "mul"],
            ["g", "or"],
            ["h", "pop"],
            ["k", "sub"],
            ["l", "xor"]
        ];

        // Operations with one int argument: the argument is appended to the prefix.
        const argOps = [
            ["e", "load "],
            ["i", "push "],
            ["j", "store "]
        ];

        plainOps.forEach(function (entry) {
            const mnemonic = entry[1];
            vmClass[entry[0]].implementation = function () {
                console.log(mnemonic);
            };
        });

        argOps.forEach(function (entry) {
            const prefix = entry[1];
            vmClass[entry[0]].implementation = function (x) {
                console.log(prefix + x);
            };
        });
    });
}

// Install the hooks once the script has finished loading.
setImmediate(hook);

这里输入了33个a

push 97
store 0
push 176
push 11
load 0
add
xor
store 0
push 97
store 1
push 198
push 18
load 1
add
xor
store 1
push 97
store 2
push 66
push 5
load 2
add
xor
store 2
push 97
store 3
push 199
push 18
load 3
add
xor
store 3
push 97
store 4
push 170
push 14
load 4
add
xor
store 4
push 97
store 5
push 32
push 13
load 5
add
xor
store 5
push 97
store 6
push 31
push 14
load 6
add
xor
store 6
push 97
store 7
push 60
push 18
load 7
add
xor
store 7
push 97
store 8
push 26
push 13
load 8
add
xor
store 8
push 97
store 9
push 89
push 18
load 9
add
xor
store 9
push 97
store 10
push 60
push 17
load 10
add
xor
store 10
push 97
store 11
push 119
push 19
load 11
add
xor
store 11
push 97
store 12
push 60
push 17
load 12
add
xor
store 12
push 97
store 13
push 90
push 5
load 13
add
xor
store 13
push 97
store 14
push 104
push 13
load 14
add
xor
store 14
push 97
store 15
push 174
push 19
load 15
add
xor
store 15
push 97
store 16
push 146
push 11
load 16
add
xor
store 16
push 97
store 17
push 179
push 5
load 17
add
xor
store 17
push 97
store 18
push 67
push 15
load 18
add
xor
store 18
push 97
store 19
push 73
push 11
load 19
add
xor
store 19
push 97
store 20
push 50
push 12
load 20
add
xor
store 20
push 97
store 21
push 92
push 19
load 21
add
xor
store 21
push 97
store 22
push 170
push 19
load 22
add
xor
store 22
push 97
store 23
push 160
push 9
load 23
add
xor
store 23
push 97
store 24
push 166
push 15
load 24
add
xor
store 24
push 97
store 25
push 47
push 8
load 25
add
xor
store 25
push 97
store 26
push 155
push 19
load 26
add
xor
store 26
push 97
store 27
push 115
push 9
load 27
add
xor
store 27
push 97
store 28
push 60
push 13
load 28
add
xor
store 28
push 97
store 29
push 52
push 12
load 29
add
xor
store 29
push 97
store 30
push 42
push 5
load 30
add
xor
store 30
push 97
store 31
push 96
push 19
load 31
add
xor
store 31
push 97
store 32
push 72
push 7
load 32
add
xor
store 32

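从日志可以看出,每个字节的变换是 enc[i] = (input[i] + add[i]) ^ xor[i],例如第 0 个字节:(97 + 11) ^ 176 = 220。所以根据密文异或相应的值,再减去相应的值就行了,即 input[i] = (enc[i] ^ xor[i]) - add[i]。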
