# 2016 AliCTF Timer 50

2016年阿里CTF的第一道Mobile题，分值50

使用Jadx反编译样本，刚开始看着代码感觉有点怪怪的，看了一会，整理了逻辑，使用`postDelayed()`循环执行，间隔为1s

![](/files/0Yhzva0ZACujhm4zO9Wa)

`is2()`函数用于判断素数

![](/files/KTcBzXKh7y0AKNF2Fuk1)

那么在去掉其余代码，总结就是：循环200000次，然后循环的时候进行素数判断，根据判断的结果进行不同的操作

Java还原

```java
package test;

public class Main {
	
	public static void main(String[] args) throws Exception{
		int beg = 200000;
		int k = 0;
		int i;
		for(i = beg; i > 0; i--){
	        if(is2(beg - i)) {
	            k += 100;
	        } else {
	            k--;
	        }
		}
		System.out.println(Integer.toString(k));
		System.out.println("Finish!");
	}
		
	public static boolean is2(long l) {
        if (l <= 3) {
            if (l > 1) {
                return true;
            }
            return false;
        } else if (l % 2 == 0 || l % 3 == 0) {
            return false;
        } else {
            int i = 5;
            while (i * i <= l) {
                if (l % i == 0 || l % (i + 2) == 0) {
                    return false;
                }
                i += 6;
            }
            return true;
        }
    }
}
```

跑出结果

```
1616384
Finish!
```

那么这个数字传入

```
public native String stringFromJNI2(int i);
```

这是一个native方法，小书包里掏出IDA

![](/files/JnGxKhQ8FawFPNNCUlXc)

我去，一堆除和余，分析太费劲，反正没有其它的干扰了，写个APP自己调用这个so

```java
package net.bluelotus.tomorrow.easyandroid;

import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.util.Log;
import android.widget.Toast;

import com.wnagzihxa1n.demo.R;

public class MainActivity extends AppCompatActivity {

    static {
        System.loadLibrary("lhm");
    }

    public native String stringFromJNI2(int number);

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
//        Toast.makeText(this, stringFromJNI2(1616384), Toast.LENGTH_LONG).show();
        Log.i("wnagzihxa1n", stringFromJNI2(1616384));
    }
}
```

有几点要注意

* so直接放`src/main/`目录下的`jniLibs`，没有就自己创建，记得把`armeabi`带上
* 调用类的路径需要和so里描述的一样，不然会找不到方法
* `int __fastcall Java_net_bluelotus_tomorrow_easyandroid_MainActivity_stringFromJNI2(int a1, int a2, signed int a3)`

最后看一下完整的路径结构，这种调用so的方法不需要修改`build.gradle`，虽然不建议

![](/files/GXymJGUBYBIwTx0fTSzO)

跑起来，输出flag

```
03-28 09:02:21.066 25084-25084/com.wnagzihxa1n.demo I/wnagzihxa1n: Y0vAr3TimerMa3te7
```

毕竟才50分，还要分析so那简直太折腾，还是走捷径比较好，要是想锻炼so分析能力的同学可以去折腾一下


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://wnagzihxa1n.gitbook.io/happy-android-security/capture_the_flag/2016_alictf_timer.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.