ADworld reverse wp - android-app-100

Preface

A simple Android reverse-engineering task.
The tool used is the open-source jadx.
Reference: https://openingsource.org/258/

Analysis

Drop the apk into jadx-gui to get the decompiled source:

package com.example.ctf2;

import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;

public class MainActivity extends Activity {
    Button a;
    EditText b;
    TextView c;
    int d = 123;
    String e = "Code";

    static {
        System.loadLibrary("adnjni");
    }

    public native int IsCorrect(String str);

    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(R.layout.activity_main);
        this.a = (Button) findViewById(R.id.Btn);
        this.b = (EditText) findViewById(R.id.edit_message);
        this.c = (TextView) findViewById(R.id.text_id);
        this.e = Build.SERIAL;
        this.d = 114366;
        this.a.setOnClickListener(new a(this));
    }

    public native int processObjectArrayFromNative(String str);
}

package com.example.ctf2;

import android.util.Log;
import android.view.View;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

class a implements View.OnClickListener {
    final /* synthetic */ MainActivity a;

    a(MainActivity mainActivity) {
        this.a = mainActivity;
    }

    public void onClick(View view) {
        new String(" ");
        String editable = this.a.b.getText().toString();
        Log.v("EditText", this.a.b.getText().toString());
        new String("");
        int processObjectArrayFromNative = this.a.processObjectArrayFromNative(editable);
        int IsCorrect = this.a.IsCorrect(editable);
        String str = String.valueOf(this.a.d + processObjectArrayFromNative) + " ";
        try {
            MessageDigest instance = MessageDigest.getInstance("MD5");
            instance.update(str.getBytes());
            byte[] digest = instance.digest();
            StringBuffer stringBuffer = new StringBuffer();
            for (byte b : digest) {
                stringBuffer.append(Integer.toString((b & 255) + 256, 16).substring(1));
            }
            if (IsCorrect == 1 && this.a.e != "unknown") {
                this.a.c.setText("Sharif_CTF(" + stringBuffer.toString() + ")");
            }
            if (IsCorrect == 1 && this.a.e == "unknown") {
                this.a.c.setText("Just keep Trying :-)");
            }
            if (IsCorrect == 0) {
                this.a.c.setText("Just keep Trying :-)");
            }
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
    }
}

After a string is entered, it is handed to two native functions:

        int processObjectArrayFromNative = this.a.processObjectArrayFromNative(editable);
        int IsCorrect = this.a.IsCorrect(editable);

Then an MD5 hash is computed, and the check `IsCorrect == 1 && this.a.e != "unknown"` is what gates the flag. So the goal is not to fully crack the program: we only need to find the input for which IsCorrect returns 1, then type that string at runtime to pass the check and get the flag. There is no need to break the MD5.
The native functions have to be examined in the shared library.
[screenshot]

Export the gradle project, find the .so file in the src folder and drop it into IDA (32-bit), then locate IsCorrect and processObjectArrayFromNative.
[screenshot]

From the analysis above, the program uses strcmp to compare the input against the string ef57f3fe3cf603c03890ee588878c0ec.
So run the apk in an emulator and enter ef57f3fe3cf603c03890ee588878c0ec to get the flag.
Android emulator: NetEase's MuMu, https://mumu.163.com/
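The following Python script is an added example, not part of the original writeup or the challenge app. It models the two pieces of logic the writeup identifies: the native IsCorrect() check (assumed to be nothing more than the strcmp against ef57f3fe3cf603c03890ee588878c0ec seen in IDA) and the flag construction in a.onClick(), including the Java `(b & 255) + 256` hex-formatting trick. The return value of processObjectArrayFromNative() is computed inside libadnjni.so and is not given in the writeup, so it is taken as a parameter (native_result) rather than guessed; the serial string is likewise a constructed stand-in for Build.SERIAL.

```python
import hashlib

# Value assigned to MainActivity.d in onCreate() (from the decompiled source above).
D_AFTER_ONCREATE = 114366
# String the native IsCorrect() compares the input against with strcmp (from the IDA analysis).
EXPECTED_INPUT = "ef57f3fe3cf603c03890ee588878c0ec"


def is_correct(user_input: str) -> int:
    """Model of the native IsCorrect(): 1 on a strcmp match, 0 otherwise.

    Assumption: the native function does nothing beyond the strcmp observed in IDA.
    """
    return 1 if user_input == EXPECTED_INPUT else 0


def md5_hex_java_style(data: bytes) -> str:
    """Reproduce the Java loop Integer.toString((b & 255) + 256, 16).substring(1).

    Adding 256 guarantees a three-hex-digit string, so dropping the first digit
    leaves a zero-padded two-digit byte. The result equals the usual lowercase
    hexdigest; the loop is just Java's way of avoiding a missing leading zero.
    """
    digest = hashlib.md5(data).digest()
    return "".join(format((b & 0xFF) + 0x100, "x")[1:] for b in digest)


def matches_hexdigest(data: bytes) -> bool:
    """Sanity check that the Java-style formatting equals hashlib's hexdigest()."""
    return md5_hex_java_style(data) == hashlib.md5(data).hexdigest()


def build_flag(user_input: str, native_result: int, serial: str = "constructed-serial") -> str:
    """Model of a.onClick(): return the text the TextView would display.

    native_result stands in for processObjectArrayFromNative(user_input), whose value
    lives in libadnjni.so and is not known from the writeup (assumed parameter).
    Note: the Java code compares the serial with != (reference comparison); it is
    modelled here as a content comparison, which is what the author evidently intended.
    """
    s = str(D_AFTER_ONCREATE + native_result) + " "   # digits and a space: ASCII, so getBytes() is charset-independent
    digest_hex = md5_hex_java_style(s.encode())
    if is_correct(user_input) == 1 and serial != "unknown":
        return "Sharif_CTF(" + digest_hex + ")"
    return "Just keep Trying :-)"


if __name__ == "__main__":
    # native_result=0 is a constructed placeholder, not the real value from the .so.
    print(build_flag("wrong", 0))
    print(build_flag(EXPECTED_INPUT, 0, serial="unknown"))
    print(build_flag(EXPECTED_INPUT, 0))
```

The script makes the dependency explicit: the displayed flag is md5(str(114366 + processObjectArrayFromNative(input)) + " "), so it cannot be precomputed from the Java side alone; that is why the writeup runs the apk in an emulator with the correct input instead of reproducing the hash offline.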

[screenshot]

Summary

…nothing much to summarize, pass.
