Preface
The sample comes from problem 1 of the October session of the Kanxue 3W class. It tests how, when the core Java code is protected, you can modify the AOSP source to quickly reverse the method and recover the flag.
Approach
Solution
1. Static analysis of the APK
2. VMP log analysis
====== summary
called: java.lang.String com.kanxue.test.MainActivity.stringFromJNI(java.lang.String)
called: byte[] java.lang.String.getBytes(java.lang.String)
called: void javax.crypto.spec.SecretKeySpec.<init>(byte[], java.lang.String)
called: javax.crypto.Cipher javax.crypto.Cipher.getInstance(java.lang.String)
called: void javax.crypto.Cipher.init(int, java.security.Key)
called: byte[] javax.crypto.Cipher.doFinal(byte[])
called: byte[] android.util.Base64.encode(byte[], int)
called: java.lang.String java.lang.StringFactory.newStringFromBytes(byte[])
called: java.lang.String java.lang.String.replace(java.lang.CharSequence, java.lang.CharSequence)
called: boolean java.lang.String.equals(java.lang.Object)
1> input --> stringFromJNI (libnative-lib.so)
2> Cipher encryption analysis
3. Frida hooks on the specific functions
1> java.lang.String com.kanxue.test.MainActivity.stringFromJNI(java.lang.String)
2> javax.crypto.Cipher.getInstance(java.lang.String)
3> void javax.crypto.Cipher.init(int, java.security.Key)
4> byte[] javax.crypto.Cipher.doFinal(byte[])
5> byte[] android.util.Base64.encode(byte[], int)
MainActivity.stringFromJNI:: 1111 rst: ptx4WA==
Cipher.getInstance :: AES/ECB/PKCS5Padding
Cipher.init :: 1
Cipher.init :: [48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102]
Cipher.doFinal input:: ptx4WA==
Base64.encode:: int--> 0
Base64.encode rstStr:: bauiEdMM9zdcklxoLHXU9g==
<1> input --> stringFromJNI (1111 --> ptx4WA==)
<2> AES/ECB/PKCS5Padding (key: 0123456789abcdef) --> Base64
called: boolean java.lang.String.equals(java.lang.Object)
String.equals:: arg1: +OcSHGzedhKYu34wz2DqbONkdYp9OGzQ+KkX552G6S0=
Correct password: +OcSHGzedhKYu34wz2DqbONkdYp9OGzQ+KkX552G6S0=
Encryption flow:
stringFromJNI --> AES/ECB/PKCS5Padding (known key) --> Base64
So, to recover the password, run the chain backwards:
Base64 decode --> AES/ECB/PKCS5Padding decrypt (known key) --> undo stringFromJNI
4. The AES/ECB/PKCS5Padding step
Key bytes (from Cipher.init): [48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102]
tohex: 30313233343536373839616263646566
toBase64: MDEyMzQ1Njc4OWFiY2RlZg==
toUTF8: 0123456789abcdef
Ciphertext input (base64): +OcSHGzedhKYu34wz2DqbONkdYp9OGzQ+KkX552G6S0=
5. Analysis of stringFromJNI
    __int64 __fastcall Java_com_kanxue_test_MainActivity_stringFromJNI(__int64 a1, __int64 a2, __int64 a3)
    {
        __int64 v3; // ST48_8
        __int64 v4; // x0
        __int64 v5; // ST28_8
        __int64 v6; // x0
        __int64 v7; // ST20_8
        __int64 v8; // ST08_8
        __int64 v9; // ST18_8

        v3 = a1;                       // JNI signature: a1 is the JNIEnv*, a3 the Java input string
        v4 = sub_15EC(a1, a3, 0LL);    // turns the Java string into a C string (strlen is run on it below)
        v5 = v4;
        v6 = strlen(v4);
        v7 = malloc(v6);               // no +1 for the terminator, so strcpy writes one byte past the allocation
        strcpy(v7, v5);
        sub_1440(&unk_3008, v7);       // key function
        v8 = strlen(v5);
        v9 = sub_8AC(v7, v8);          // standard Base64
        sub_1440(&unk_3008, v7);       // called a second time on the same buffer
        return sub_163C(v3, v9);       // hands the result back to Java as a String
    }
1> sub_1440(&unk_3008, v7); // key function
Core log:
sub_1440 onEnter==========
sub_1440 arg0:: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7edacf6008 72 63 34 74 65 73 74 00 00 00 00 00 00 00 00 00 rc4test.........
sub_1440 arg1:: 1111
sub_1440 onLeave==========
sub_1440 ret:: 0x7feced9600
sub_1440 this.arg1:: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7ee6fff600 a6 dc 78 58
2> sub_8AC(v7, v8); // standard Base64
Core log:
sub_8AC arg0:: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7ee6fff450 a6 dc 78 58
sub_8AC arg1:: 0x4
sub_8AC onLeave==========
sub_8AC ret:: ptx4WA==
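The full chain in both directions, as an added example that is not code from the original post or from the challenge (Go, standard library only). It assumes that sub_1440 is plain RC4 keyed with the "rc4test" bytes seen in unk_3008 (the post never names the algorithm), that sub_8AC is standard Base64 as stated, and that the String.replace call in the trace strips the newline Android's Base64.DEFAULT appends. AesLayer reproduces the Java side and can be checked against the Cipher.doFinal hook output above; Decode walks the reverse flow from section 4 back through stringFromJNI.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rc4"
	"encoding/base64"
	"errors"
)

// Keys from the hook logs; rc4Key is an assumption (text seen in unk_3008, sub_1440 assumed to be plain RC4).
const aesKey, rc4Key = "0123456789abcdef", "rc4test"
const Target = "+OcSHGzedhKYu34wz2DqbONkdYp9OGzQ+KkX552G6S0="

// aesEcb runs AES block by block; Go's stdlib deliberately offers no ECB helper.
func aesEcb(data []byte, decrypt bool) ([]byte, error) {
	blk, _ := aes.NewCipher([]byte(aesKey)) // a 16-byte key never fails
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("data is not a whole number of blocks")
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		if decrypt { blk.Decrypt(out[i:], data[i:]) } else { blk.Encrypt(out[i:], data[i:]) }
	}
	return out, nil
}

// AesLayer mirrors the Java side: AES/ECB/PKCS5Padding then Base64 (without the "\n" Base64.DEFAULT appends; String.replace strips it).
func AesLayer(plain []byte) string {
	n := aes.BlockSize - len(plain)%aes.BlockSize // PKCS5: 1..16 pad bytes, each equal to the count
	ct, _ := aesEcb(append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...), false)
	return base64.StdEncoding.EncodeToString(ct)
}

// Decode runs the chain backwards: Base64 -> AES decrypt -> strip PKCS5 -> Base64 -> RC4.
func Decode(enc string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(enc)
	if err != nil { return "", err }
	p, err := aesEcb(ct, true)
	if err != nil { return "", err }
	n := int(p[len(p)-1]) // last byte is the pad length; a wrong AES key shows up here as garbage
	if n == 0 || n > aes.BlockSize || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS5 padding: wrong key or corrupted input")
	}
	raw, err := base64.StdEncoding.DecodeString(string(p[:len(p)-n])) // stringFromJNI's output
	if err != nil { return "", err }
	c, _ := rc4.NewCipher([]byte(rc4Key)) // RC4 is symmetric: the same keystream decrypts
	c.XORKeyStream(raw, raw)
	return string(raw), nil
}
```

If the RC4 assumption is wrong, Decode still gets past the padding check (which depends only on the AES key captured by the hook) and the garbage appears only after the last step, which tells you that sub_1440 is the part still to be reversed.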
Kanxue ID: laifuling
https://bbs.pediy.com/user-home-814746.htm