前言
简单的安卓逆向
工具就用开源的jadx
参考https://openingsource.org/258/
分析过程
拖进jadx-gui, 得到源码
package com.example.ctf2;
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;
public class MainActivity extends Activity {
Button a;
EditText b;
TextView c;
int d = 123;
String e = "Code";
static {
System.loadLibrary("adnjni");
}
public native int IsCorrect(String str);
public void onCreate(Bundle bundle) {
super.onCreate(bundle);
setContentView(R.layout.activity_main);
this.a = (Button) findViewById(R.id.Btn);
this.b = (EditText) findViewById(R.id.edit_message);
this.c = (TextView) findViewById(R.id.text_id);
this.e = Build.SERIAL;
this.d = 114366;
this.a.setOnClickListener(new a(this));
}
public native int processObjectArrayFromNative(String str);
}
package com.example.ctf2;
import android.util.Log;
import android.view.View;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
class a implements View.OnClickListener {
final /* synthetic */ MainActivity a;
a(MainActivity mainActivity) {
this.a = mainActivity;
}
public void onClick(View view) {
new String(" ");
String editable = this.a.b.getText().toString();
Log.v("EditText", this.a.b.getText().toString());
new String("");
int processObjectArrayFromNative = this.a.processObjectArrayFromNative(editable);
int IsCorrect = this.a.IsCorrect(editable);
String str = String.valueOf(this.a.d + processObjectArrayFromNative) + " ";
try {
MessageDigest instance = MessageDigest.getInstance("MD5");
instance.update(str.getBytes());
byte[] digest = instance.digest();
StringBuffer stringBuffer = new StringBuffer();
for (byte b : digest) {
stringBuffer.append(Integer.toString((b & 255) + 256, 16).substring(1));
}
if (IsCorrect == 1 && this.a.e != "unknown") {
this.a.c.setText("Sharif_CTF(" + stringBuffer.toString() + ")");
}
if (IsCorrect == 1 && this.a.e == "unknown") {
this.a.c.setText("Just keep Trying :-)");
}
if (IsCorrect == 0) {
this.a.c.setText("Just keep Trying :-)");
}
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
}
}
输入一串字符串以后做两个native函数处理
int processObjectArrayFromNative = this.a.processObjectArrayFromNative(editable);
int IsCorrect = this.a.IsCorrect(editable);
然后是MD5加密, IsCorrect == 1 && this.a.e != "unknown"
通过验证拿到flag, 所以目的不是完全破解程序, 只要找到IsCorrect
的返回值为1时的输入串, 然后运行时输入正确串就能通过验证拿到flag, 并不需要破解MD5
native函数需要到库中查看
导出gradle文件, 然后src文件夹中找到.so文件拖进IDA(32位), 找到IsCorrect
和processObjectArrayFromNative
解
上面分析知道程序中用strcmp
比较了输入和字符串ef57f3fe3cf603c03890ee588878c0ec
所以用模拟器跑起来apk, 然后输入ef57f3fe3cf603c03890ee588878c0ec
就能得到flag
安卓模拟器, 用网易的https://mumu.163.com/
总结
…没啥好总结的, pass