此篇文章适合纯新手进行学习。

前言

安卓逆向是一门非常有意思的学问,它对受试者的考察包括但不限于Java代码读写能力,漏洞审计能力,JS脚本编写能力,反调试绕过能力,Native层代码阅读修复能力等,相当综合,甚至有时非常有挑战性,但重要的是自己多去尝试做而不是只看理论和教学,安卓逆向对实践的需求非常大。

Java层

一般来说安卓逆向会分为Java层和Natiev层,分别是apk和so文件。其中较为重要的是Java层,因为Java层可以看到一整个app的运行逻辑,包括但不限于各种运算逻辑,Native层的调用,各种资源的引用,甚至是一些隐藏的算法逻辑都可以在Java层中找到,对做题的作用巨大。

我们对Java层的定义一般是apk丢进JADX中反编译之后所显现出的形式,如下图所示

阅读Java层时需要做到事无巨细,拿以下代码为例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
@Override // e.AbstractActivityC0110h, androidx.activity.k, z.f, android.app.Activity
public final void onCreate(Bundle bundle) {
super.onCreate(bundle);
setContentView(R.layout.activity_pattern);
this.f1916y = new h(this);
final PatternLockView patternLockView = (PatternLockView) findViewById(R.id.patternLockView);
final TextView textView = (TextView) findViewById(R.id.patternStatusText);
textView.setText("Draw a valid pattern to continue.");
patternLockView.setOnPatternComplete(new c(this, textView, patternLockView));
((MaterialButton) findViewById(R.id.clearPatternButton)).setOnClickListener(new View.OnClickListener() { // from class: N0.b
    @Override // android.view.View.OnClickListener
    public final void onClick(View view) {
        int i2 = PatternActivity.f1914z;
        PatternLockView patternLockView2 = patternLockView;
        patternLockView2.b.clear();
        patternLockView2.invalidate();
        textView.setText("Pattern cleared.");
    }
});
}

在看Java层时我们主要看各种类的调用,但是在有混淆的情况下就不是很好看了,像上面这个代码,除了创建了按钮,还调用了一个名为h和一个名为c的类(分别在第5行和第9行)。知道了调用类之后我们就能追踪类来找到一些加密的真实逻辑,但由于代码量的巨大所以有时候这最关键的部分会变得很困难。

值得一提的是,当我们从Java层抽取数据到C语言代码中编写逆向脚本时,最好使用uint8_t来定义数组或者变量,这样就能避免由于编译器和底层运算逻辑的不同而导致的数据截断问题了。

JADX

做题自然少不了工具,而JADX就是我们在做安卓逆向时的好帮手,GitHub上能下,下载就不说了,我们说说基本使用,除了上图所显示的代码块JADX还有如下的显示

左侧跟IDA中的functions功能近似就不赘述了,主要讲讲上面的功能

长得像房子一样的是一步定位到main逻辑,长得像准心的东西是在侧边栏同步右侧代码块所在的层级。这两个功能表面看起来没什么但是笔者曾经是不知道的,所以在做一道找隐藏函数的题时手动翻函数非常累还没翻到,但是有了这两个功能就可以实现快速定位main逻辑来找附近的隐藏函数。然后就是看起来平平无奇的文件

其中的首选项用处极大。有时做题会遇到JADX出现类似于下图的反编译错误

这个时候进入首选项勾选下图所示的选项

就可以发现代码可读性大大增强

Native层

Native层可谓是安卓逆向中最恶心的部分之一,因为当我们把so文件丢进IDA中会出现包括但不限于反编译错误,结构体错误,极为的严重混淆等问题,加了逆向分析的难度和时间。但面对灾难我们并非无计可施(玩梗别介意,我也想让这篇文章多点趣味),限于笔者水平,Native层的破解之法一般有两个:一个是直接静态分析;一个是Frida直接hook调用——这种一般适用于自解密逻辑或者自逆逻辑,但由于笔者还没用过所以暂时不是很清楚。Native层逆向出得比较好的两道题目分别是NCTF的安卓逆向和星盟招新赛的安卓逆向。

Native层逆向其实跟普通的exe逆向区别不是很大(星盟招新赛那题是个例外),不赘述了,主要靠自己多体会。

例题

FridaLab-0x1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
void check(int i, int i2) {
       if ((i * 2) + 4 == i2) {
           Toast.makeText(getApplicationContext(), "Yey you guessed it right", 1).show();
           StringBuilder sb = new StringBuilder();
           for (int i3 = 0; i3 < 20; i3++) {
               char cCharAt = "AMDYV{WVWT_CJJF_0s1}".charAt(i3);
               if (cCharAt >= 'a' && cCharAt <= 'z') {
                   cCharAt = (char) (cCharAt - 21);
                   if (cCharAt < 'a') {
                   }
               } else if (cCharAt >= 'A' && cCharAt <= 'Z' && (cCharAt = (char) (cCharAt - 21)) < 'A') {
                   cCharAt = (char) (cCharAt + 26);
               }
               sb.append(cCharAt);
           }
           this.t1.setText(sb.toString());
           return;
       }
       Toast.makeText(getApplicationContext(), "Try again", 1).show();
   }

由于这里给了目标字符串和逻辑,我们直接抄就能抄过来,不过其实这就是个位移密码(凯撒),左移21位,可以在线工具一把梭

但是这样就少了很多趣味,并且学不到什么frida的知识,所以我们重点看fridahook

进入mainactivity,发现如下

1
2
3
4
5
6
 final int i = get_random()
int get_random() {
       return new Random().nextInt(100);
   }
  if ((i * 2) + 4 == i2) {
           Toast.makeText(getApplicationContext(), "Yey you guessed it right", 1).show();

调用了random函数,意味着我们可以hook这个点。官方solution中的解法在我frida17.6.2中并不适用,没办法用spawn来hook,需要attach,脚本如下

1
2
3
4
5
6
7
Java.perform(function() {
    var MainActivity = Java.use("com.ad2001.frida0x1.MainActivity");
    MainActivity.get_random.implementation = function() {
        console.log("attached");
        return 5;
    };
});

在powershell中输入

1
frida -U -n "Frida 0x1" -l "hook.js"

由于我们是attach上的,所以我们需要让程序刷新一次,经搜索得知,当我们旋转虚拟机的屏幕后,虚拟机会销毁当前activity并重启,这样我们就能强行attach上了。又由源码中的计算公式得知,当我们return 5时,我们需要输入14,输入后得到flag

FridaLab-0x2

逻辑清晰的题,主逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
public class MainActivity extends AppCompatActivity {
    static TextView t1;

    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        t1 = (TextView) findViewById(R.id.textview);
    }

    public static void get_flag(int a) throws BadPaddingException, NoSuchPaddingException, IllegalBlockSizeException, NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException {
        if (a == 4919) {
            try {
                SecretKeySpec secretKeySpec = new SecretKeySpec("HILLBILLWILLBINN".getBytes(), "AES");
                Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
                IvParameterSpec iv = new IvParameterSpec(new byte[16]);
                cipher.init(2, secretKeySpec, iv);
                byte[] decryptedBytes = cipher.doFinal(Base64.decode("q7mBQegjhpfIAr0OgfLvH0t/D0Xi0ieG0vd+8ZVW+b4=", 0));
                String decryptedText = new String(decryptedBytes);
                t1.setText(decryptedText);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
}

可以看到当a=4919时app就会实现自解密。运行app回显如下

可以看到app并没有给出一个可以输入的地方,那么我们就只能通过frida强制赋值然后让程序输出flag。hook脚本如下

1
2
3
4
5
Java.perform(function() {
    var a = Java.use("com.ad2001.frida0x2.MainActivity");
    a.get_flag(4919);
})

输入后可以看到app回显如下

便可以得到flag了

nctf-hookmysecret

虽然题目叫hookmysecret,但是暂时不知道哪里能够动态hook,我是直接静态分析的。首先丢进jadx中定位到主函数,发现是有三个阶段的程序,解压apk看native层后发现so文件中只有stage2的加密逻辑,那估计就只能一层一层来看。

首先看第一层,主要的逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
@Override // e.AbstractActivityC0110h, androidx.activity.k, z.f, android.app.Activity
public final void onCreate(Bundle bundle) {
super.onCreate(bundle);
setContentView(R.layout.activity_pattern);
this.f1916y = new h(this);
final PatternLockView patternLockView = (PatternLockView) findViewById(R.id.patternLockView);
final TextView textView = (TextView) findViewById(R.id.patternStatusText);
textView.setText("Draw a valid pattern to continue.");
patternLockView.setOnPatternComplete(new c(this, textView, patternLockView));
((MaterialButton) findViewById(R.id.clearPatternButton)).setOnClickListener(new View.OnClickListener() { // from class: N0.b
    @Override // android.view.View.OnClickListener
    public final void onClick(View view) {
        int i2 = PatternActivity.f1914z;
        PatternLockView patternLockView2 = patternLockView;
        patternLockView2.b.clear();
        patternLockView2.invalidate();
        textView.setText("Pattern cleared.");
    }
});
}

可以看到我们看不到什么,但是这里有一个 c 的类被调用了,我们追踪,其主要逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
while (true) {
          if (!it.hasNext()) {
              break;
          }
          Object next = it.next();
          i2++;
          if (i2 > 1) {
              sb.append((CharSequence) ",");
          }
          if (next != null ? next instanceof CharSequence : true) {
              charSequenceValueOf = (CharSequence) next;
          } else if (next instanceof Character) {
              sb.append(((Character) next).charValue());
          } else {
              charSequenceValueOf = String.valueOf(next);
          }
          sb.append(charSequenceValueOf);
      }
      sb.append((CharSequence) "");
      String string = sb.toString();
      W0.c.d(string, "toString(...)");
      PatternActivity patternActivity = this.f478a;
      h hVar = patternActivity.f1916y;
      if (hVar == null) {
          W0.c.g("stateManager");
          throw null;
      }
      hVar.z(string);
      MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
      byte[] bytes = b1.h.L(string).toString().getBytes(b1.a.f1342a);
      W0.c.d(bytes, "getBytes(...)");
      byte[] bArrDigest = messageDigest.digest(bytes);
      W0.c.d(bArrDigest, "digest(...)");
      StringBuilder sb2 = new StringBuilder();
      sb2.append((CharSequence) "");
      int i3 = 0;
      for (byte b : bArrDigest) {
          i3++;
          if (i3 > 1) {
              sb2.append((CharSequence) "");
          }
          sb2.append((CharSequence) String.format("%02x", Arrays.copyOf(new Object[]{Byte.valueOf(b)}, 1)));
      }
      sb2.append((CharSequence) "");
      String string2 = sb2.toString();
      W0.c.d(string2, "toString(...)");
      boolean zEquals = string2.equals("4a6bc34076c8eef0f9eac59ad30d99bb4f56ecea4b0bfab92540fb655ac680f3");
      TextView textView = this.b;
      if (zEquals) {
          h hVar2 = patternActivity.f1916y;
          if (hVar2 == null) {
              W0.c.g("stateManager");
              throw null;
          }
          ((SharedPreferences) hVar2.b).edit().putBoolean("stage1Passed", true).apply();
          textView.setText("Pattern accepted.");
          patternActivity.startActivity(new Intent(patternActivity, (Class<?>) Stage2Activity.class));
          patternActivity.finish();
      } else {
          textView.setText("Pattern incorrect.");
          h hVar3 = patternActivity.f1916y;
          if (hVar3 == null) {
              W0.c.g("stateManager");
              throw null;
          }

可以看到这个逻辑主要的行为是对我们的输入进行SHA256加密再与目标字符串进行对比,虚拟机运行apk后发现是一个图形密码,又看到有 “,” 的逻辑,那应该是把我们输入的当作0~8,每个之间用逗号隔开,然后整体拿去SHA256加密,再结果与目标字符串进行对比。直接爆破就行,爆破脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
import hashlib
from itertools import permutations


def crack_nctf_pattern():
    target_hash = "4a6bc34076c8eef0f9eac59ad30d99bb4f56ecea4b0bfab92540fb655ac680f3"
    nodes = "012345678"

    for length in range(4, 10):
        for p in permutations(nodes, length):
            pattern_str = ",".join(p)

            # 2. 尝试两种可能:原样哈希 或 反转后哈希 (对应 b1.h.L 可能的操作)
            possibilities = [
                pattern_str,  # 原样
                pattern_str[::-1]  # 反转
            ]

            for candidate in possibilities:
                guess_hash = hashlib.sha256(candidate.encode('utf-8')).hexdigest()

                if guess_hash == target_hash:
                    print(f"[!] 爆破成功!")
                    print(f"[!] 原始路径串: {candidate}")
                    return

    print("\n[-] 未能匹配。")


if __name__ == "__main__":
    crack_nctf_pattern()

运行即可得到结果为0,1,2,4,8,输入后发现正确即可绕过第一层。

进入第二层,可以找到如下逻辑

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
hVar.z(str);
long jElapsedRealtimeNanos = SystemClock.elapsedRealtimeNanos();
int[] iArrEncryptStage2 = NativeBridge.f1911a.encryptStage2(str);
int[] iArr = K0.a.f457a;
if (iArrEncryptStage2.length == 16) {
    int i4 = 0;
    while (true) {
        if (i4 >= i2) {
            zA = true;
        } else if (iArrEncryptStage2[i4] == iArr[i4]) {
            i4++;
            i2 = 16;
        }
    }
}
long jElapsedRealtimeNanos2 = (SystemClock.elapsedRealtimeNanos() - jElapsedRealtimeNanos) / 1000;
StringBuilder sb = zA ? new StringBuilder("Stage 2 accepted in ") : new StringBuilder("Stage 2 rejected in ");
sb.append(jElapsedRealtimeNanos2);
sb.append("us.");
textView.setText(sb.toString());
if (zA) {
    h hVar2 = stage2Activity.f1918x;
    if (hVar2 == null) {
        W0.c.g("stateManager");
        throw null;
    }
    ((SharedPreferences) hVar2.b).edit().putBoolean("stage2Passed", true).apply();
    h hVar3 = stage2Activity.f1918x;
    if (hVar3 == null) {
        W0.c.g("stateManager");
        throw null;
    }
    String string2 = b1.h.L(str).toString();
    W0.c.e(string2, "value");
    ((SharedPreferences) hVar3.b).edit().putString("stage2Key", string2).apply();
    stage2Activity.startActivity(new Intent(stage2Activity, (Class<?>) Stage3Activity.class));
    stage2Activity.finish();
    return;
}

其中可以看到在对比时调用了一个iArr = K0.a.f457a,我们追踪这个类可以看到

1
2
3
4
5
6
7
8
package K0;

/* loaded from: classes.dex */
public abstract class a {

    /* renamed from: a, reason: collision with root package name */
    public static final int[] f457a = {250, 113, 87, 185, 6, 125, 167, 156, 4, 0, 229, 239, 119, 155, 187, 95};
}

大抵是第二层加密的目标数据,回到native层分析stage2的加密逻辑,进入native层后发现被严重混淆,抽离语句后核心的伪代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
LABEL_27:
if ( v19 )
    sub_20F50(&dest, ptr_2);
ptr_4 = operator new(size_1);
*&dest = ptr_4;
*(&dest + 1) = ptr_4;
ptr = &ptr_4[size_1];
n81 = 0x51;
size_3 = 0;
while ( 1 )
{
    ptr_13 = &v71 + 1;
    if ( !v17 )
        ptr_13 = ptr_12;
    v25 = ptr_13[size_3];
    _11111111111111 = __ROL1__(v25 ^ n81 ^ (0xD * size_3 + 0x42), 3) + size_3 + 7 * n81;
    if ( ptr_4 == ptr )
        break;
    *ptr_4++ = _11111111111111;
    *(&dest + 1) = ptr_4;
    LABEL_56:
    v44 = n81 + v25;
    v45 = size_3++ ^ _11111111111111;
     v17 = (v71 & 1) == 0;
        if ( (v71 & 1) != 0 )
          size_2 = size;
        else
          size_2 = v71 >> 1;
        n81 = v45 + v44;
        if ( size_3 >= size_2 )

简化之后如下

1
2
3
4
5
6
int a=0x51;
for(int i=0;i<strlen(input);i++)
{
    enc[i]=ROL8(input[i]^a^(0xD*i+0x42),3)+i+7*a;//IDA中是ROL1字节,这里则是ROL8位,更符合C语言语法
    a=a+input[i]+(i^enc[i]);
}

而目标密文就是在java层找到的数组,我们就可以得到逆向脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#include <bits/stdc++.h>
#define ROR8(x,n) (((x) >> (n)) | ((x) << (8-(n))))
int main()
{
    uint8_t enc[]={250, 113, 87, 185, 6, 125, 167, 156, 4, 0, 229, 239, 119, 155, 187, 95};
    uint8_t flag[100];
    uint8_t a=0x51;
    for(int i=0;i<16;i++)
    {
        uint8_t temp=(uint8_t)(enc[i]-i-7*a);
        flag[i]=ROR8(temp,3)^a^(0xD*i+0x42);
        a=a+flag[i]+(i^enc[i]);
        printf("%c", flag[i]);
    }
    return 0;
}

这里有个需要注意的点:从java层转过来的值在运算的时候最好是使用unit8_t来进行定义和计算,这样就可以避免编译器的自动截断

算出来的结果为k7Xm2Pq9Wv4N8bRt,经检验是对的,进入stage3。在Stage3Activity中我们并没有找到正常的逻辑,但是在发现stage2结果数组的下面发现了stage3的实现逻辑,是一个AESCBC加密。详细如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Context context = aVar.f475a;
W0.c.e(context, "context");
SharedPreferences sharedPreferences = context.getSharedPreferences("challenge_state", 0);
W0.c.d(sharedPreferences, "getSharedPreferences(...)");
String string4 = sharedPreferences.getString("stage2Key", "");
if (string4 == null) {
    string4 = "";
}
if (string4.length() != 0) {
    Iterable cVar = new Z0.c(0, string4.length() - 1, 1);
    if (!(cVar instanceof Collection) || !((Collection) cVar).isEmpty()) {
        Iterator it = cVar.iterator();
        while (true) {
            if (((Z0.b) it).f603c) {
                Z0.b bVar = (Z0.b) it;
                int i6 = bVar.f604d;
                if (i6 != bVar.b) {
                    bVar.f604d = bVar.f602a + i6;
                } else {
                    if (!bVar.f603c) {
                        throw new NoSuchElementException();
                    }
                    bVar.f603c = false;
                }
                char cCharAt = string4.charAt(i6);
                if (!Character.isWhitespace(cCharAt) && !Character.isSpaceChar(cCharAt)) {
                    Cursor cursorRawQuery = new M0.a(context).getReadableDatabase().rawQuery("SELECT v FROM app_cfg WHERE k = ?", new String[]{"stage3_iv"});
                    try {
                        if (cursorRawQuery.moveToFirst()) {
                            bArrDecode = Base64.decode(cursorRawQuery.getString(0), 0);
                            A.c.p(cursorRawQuery, null);
                        } else {
                            A.c.p(cursorRawQuery, null);
                            bArrDecode = null;
                        }
                        if (bArrDecode != null) {
                            byte[] bytes = b1.h.J(b1.h.L(string4).toString(), "-", "").getBytes(b1.a.f1342a);
                            W0.c.d(bytes, "getBytes(...)");
                            Integer[] numArr = {16, 24, 32};
                            LinkedHashSet linkedHashSet = new LinkedHashSet(g.J0(3));
                            for (int i7 = 0; i7 < 3; i7++) {
                                linkedHashSet.add(numArr[i7]);
                            }
                            if (!linkedHashSet.contains(Integer.valueOf(bytes.length))) {
                                bytes = null;
                            }
                            if (bytes != null) {
                                Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
                                cipher.init(1, new SecretKeySpec(bytes, "AES"), new IvParameterSpec(bArrDecode));
                                byte[] bytes2 = string3.getBytes(b1.a.f1342a);
                                W0.c.d(bytes2, "getBytes(...)");
                                zA = W0.c.a(Base64.encodeToString(cipher.doFinal(bytes2), 2), "jSaMnziall55Tdr+IZc7EKUNm/N4uwrZw1QFPw6DuirfYFJZg88j6GKLhWfNljAB");
                            }
                        }

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
package M0;

import W0.c;
import android.content.ContentValues;
import android.content.Context;
import android.database.SQLException;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;

/* loaded from: classes.dex */
public final class a extends SQLiteOpenHelper {
    /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
    public a(Context context) {
        super(context, "config.db", (SQLiteDatabase.CursorFactory) null, 1);
        c.e(context, "context");
    }

    public static void a(SQLiteDatabase sQLiteDatabase, String str, String str2) {
        ContentValues contentValues = new ContentValues();
        contentValues.put("k", str);
        contentValues.put("v", str2);
        sQLiteDatabase.insert("app_cfg", null, contentValues);
    }

    @Override // android.database.sqlite.SQLiteOpenHelper
    public final void onCreate(SQLiteDatabase sQLiteDatabase) throws SQLException {
        c.e(sQLiteDatabase, "db");
        sQLiteDatabase.execSQL("CREATE TABLE app_cfg (\n    k TEXT PRIMARY KEY,\n    v TEXT NOT NULL\n)");
        a(sQLiteDatabase, "stage3_iv", "VmVyaWZ5VmVjdG9yMTIzNA==");
        a(sQLiteDatabase, "theme", "ember");
        a(sQLiteDatabase, "version", "2025.1");
        a(sQLiteDatabase, "welcome_text", "trace carefully");
    }

    @Override // android.database.sqlite.SQLiteOpenHelper
    public final void onUpgrade(SQLiteDatabase sQLiteDatabase, int i2, int i3) {
        c.e(sQLiteDatabase, "db");
    }
}

厨子一把梭,结果如下

xm招新赛-MixTielele

首先照旧APK丢进JADX中看

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
package com.example.titlele;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

/* loaded from: classes4.dex */
public class OO00OO0OOOO000O000 extends Activity {
    private String TAG = "Fi1ix";
    TextView resultText;
    Button sendBtn;

    public native String EncTitlele(String str);

    static {
        System.loadLibrary("mixtitlele");
    }

    @Override // android.app.Activity
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        this.resultText = (TextView) findViewById(R.id.resultText);
        this.sendBtn = (Button) findViewById(R.id.sendBtn);
        this.sendBtn.setOnClickListener(new View.OnClickListener() { // from class: com.example.titlele.OO00OO0OOOO000O000$$ExternalSyntheticLambda1
            @Override // android.view.View.OnClickListener
            public final void onClick(View view) {
                this.f$0.m51lambda$onCreate$0$comexampletitleleOO00OO0OOOO000O000(view);
            }
        });
    }

    /* renamed from: lambda$onCreate$0$com-example-titlele-OO00OO0OOOO000O000, reason: not valid java name */
    /* synthetic */ void m51lambda$onCreate$0$comexampletitleleOO00OO0OOOO000O000(View v) {
        new Thread(new Runnable() { // from class: com.example.titlele.OO00OO0OOOO000O000$$ExternalSyntheticLambda0
            @Override // java.lang.Runnable
            public final void run() throws IOException {
                this.f$0.login();
            }
        }).start();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void login() throws IOException {
        try {
            OO00OO0OO0000OOOOO.load(this);
            OO00OO0OOOOO0O00OO OO00OO0OO000 = OO00OO0OO00OOOOOO0.get();
            String LoginInfo = OO00OO0OO000.Login("user");
            String json = EncTitlele(LoginInfo);
            URL url = new URL("http://120.48.104.4:2788/24ab99d75d3327cf3c46/login");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("POST");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/json");
            OutputStream os = conn.getOutputStream();
            os.write(json.toString().getBytes("UTF-8"));
            os.close();
            BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            final StringBuilder sb = new StringBuilder();
            while (true) {
                String line = br.readLine();
                if (line != null) {
                    sb.append(line);
                } else {
                    br.close();
                    Log.i(this.TAG, sb.toString());
                    runOnUiThread(new Runnable() { // from class: com.example.titlele.OO00OO0OOOO000O000$$ExternalSyntheticLambda2
                        @Override // java.lang.Runnable
                        public final void run() {
                            this.f$0.m49lambda$login$1$comexampletitleleOO00OO0OOOO000O000(sb);
                        }
                    });
                    return;
                }
            }
        } catch (Exception e) {
            runOnUiThread(new Runnable() { // from class: com.example.titlele.OO00OO0OOOO000O000$$ExternalSyntheticLambda3
                @Override // java.lang.Runnable
                public final void run() {
                    this.f$0.m50lambda$login$2$comexampletitleleOO00OO0OOOO000O000();
                }
            });
        }
    }

    /* renamed from: lambda$login$1$com-example-titlele-OO00OO0OOOO000O000, reason: not valid java name */
    /* synthetic */ void m49lambda$login$1$comexampletitleleOO00OO0OOOO000O000(StringBuilder sb) {
        this.resultText.setText(sb.toString());
    }

    /* renamed from: lambda$login$2$com-example-titlele-OO00OO0OOOO000O000, reason: not valid java name */
    /* synthetic */ void m50lambda$login$2$comexampletitleleOO00OO0OOOO000O000() {
        this.resultText.setText("Failed");
    }
}

进一步跟进

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
package com.example.titlele;

import android.content.Context;
import dalvik.system.PathClassLoader;
import java.io.File;

/* loaded from: classes4.dex */
public final class OO00OO0OO0000OOOOO {
    private static boolean sLoaded;

    public static void load(Context ctx) {
        if (sLoaded) {
            return;
        }
        File so = new File(ctx.getApplicationInfo().nativeLibraryDir, "libflutter.so");
        PathClassLoader pcl = new PathClassLoader(so.getAbsolutePath(), ctx.getClassLoader());
        try {
            Class.forName("com.example.titlele.OO00OO0OO00O0OO000", true, pcl);
            sLoaded = true;
        } catch (Throwable t) {
            throw new RuntimeException("load payload failed", t);
        }
    }
}

可以看到native层的调用,以及登入的user,进入native层,看到在进入IDA中时,这个so文件的界面是不一样的

那基本可以确定这个so文件不是正常的so,而是一个apk或者zip,改后缀丢进JADX中看看。尝试直接定位mainactivity,发现JADX报错说找不到,根据源程序的JADX界面中的目录在此so文件中找到逻辑,可以找到一些关键点

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
package com.example.titlele;

import android.util.Base64;
import com.example.proto.UserProto;
import com.example.utils.Encrypt;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;

/* loaded from: classes3.dex */
public final class OO00OO0OOO00O00O00 implements InvocationHandler {
    @Override // java.lang.reflect.InvocationHandler
    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        if ("Login".equals(method.getName())) {
            return LogInfo((String) args[0]);
        }
        return null;
    }

    private String LogInfo(String s) {
        UserProto.LoginInfo info = UserProto.LoginInfo.newBuilder().setUser(s).setIsHacker(true).build();
        byte[] serialized = info.toByteArray();
        byte[] data = Encrypt.enc(serialized);
        String base64 = Base64.encodeToString(data, 2);
        return base64;
    }
}

这里可以看到又出现了一个Login的逻辑,所以基本可以判定之前的apk的逻辑有问题,还出现了一个base64和LoginInfo,那大概我们传入的username和base64有关。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
package com.example.titlele;

import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

/* loaded from: classes3.dex */
public final class OO00OO0OO00O0OO000 {
    static {
        register();
    }

    private static void register() {
        try {
            ClassLoader cl = OO00OO0OO00O0OO000.class.getClassLoader();
            Class<?> signInterface = cl.loadClass("com.example.titlele.OO00OO0OOOOO0O00OO");
            Object proxy = Proxy.newProxyInstance(signInterface.getClassLoader(), new Class[]{signInterface}, new OO00OO0OOO00O00O00());
            Class<?> center = cl.loadClass("com.example.titlele.OO00OO0OO00OOOOOO0");
            Method register = center.getMethod("register", signInterface);
            register.invoke(null, proxy);
        } catch (Throwable t) {
            throw new RuntimeException(t);
        }
    }
}

这里主要是调用,没有什么特殊之处。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
package com.example.utils;

/* loaded from: classes6.dex */
public class Encrypt {
    private static final int INCREMENT = 1013904223;
    private static final int INITIAL_SEED = 622918;
    private static final int MULTIPLIER = 1664525;

    public static byte[] enc(byte[] data) {
        if (data == null || data.length == 0) {
            return data;
        }
        byte[] result = new byte[data.length];
        int currentKey = INITIAL_SEED;
        for (int i = 0; i < data.length; i++) {
            byte xorMask = (byte) currentKey;
            result[i] = (byte) (data[i] ^ xorMask);
            currentKey = (MULTIPLIER * currentKey) + INCREMENT;
        }
        return result;
    }
}

这里出现了一个线性同余加密算法。现在梳理一遍:

我们输入的字符串程序接收之后通过protobuf传输到这个apk中,然后字符串被转为字节数据,接着被传入线性同余算法中计算之后传入base64中进行加密,然后得到最终传入的输入。

接下来的分析转到libmixtitlele.so中。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
jint JNI_OnLoad(JavaVM *vm, void *reserved)
{
  __int64 _com_example_titlele_OO00OO0OOOO000O000_; // [xsp+10h] [xbp-30h]
  jint n65542; // [xsp+2Ch] [xbp-14h]
  void *v5[2]; // [xsp+30h] [xbp-10h] BYREF

  v5[1] = *(_ReadStatusReg(TPIDR_EL0) + 40);
  v5[0] = 0;
  if ( _JavaVM::GetEnv(vm, v5, 65542) )
  {
    n65542 = -1;
  }
  else if ( perform_security_check() )
  {
    __android_log_print(4, "AntiFrida", "Frida detected during JNI_OnLoad");
    n65542 = -1;
  }
  else
  {
    _com_example_titlele_OO00OO0OOOO000O000_ = _JNIEnv::FindClass(v5[0], off_2304A0);// "com/example/titlele/OO00OO0OOOO000O000"
    if ( _com_example_titlele_OO00OO0OOOO000O000_ )
    {
      if ( (_JNIEnv::RegisterNatives(v5[0], _com_example_titlele_OO00OO0OOOO000O000_, off_20DCA8, 1) & 0x80000000) != 0 )// "EncTitlele"
        n65542 = -1;
      else
        n65542 = 65542;
    }
    else
    {
      n65542 = -1;
    }
  }
  _ReadStatusReg(TPIDR_EL0);
  return n65542;
}

可以看到出现了frida反调试和_JNIEnv::RegisterNatives注册函数,追踪参数off_20DCA8,可以定位到关键函数sub_D6DF8

继续追踪sub_D6DF8的逻辑,得到

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
__int64 __fastcall sub_D6DF8(_JNIEnv *a1, __int64 a2, __int64 a3)
{
  const char *v3; // x0
  __int64 v5; // [xsp+28h] [xbp-238h]
  __int64 v6; // [xsp+30h] [xbp-230h]
  __int64 v7; // [xsp+38h] [xbp-228h]
  __int64 v8; // [xsp+40h] [xbp-220h]
  __int64 StringUTFChars; // [xsp+58h] [xbp-208h]
  __int64 v12; // [xsp+78h] [xbp-1E8h]
  _QWORD v13[3]; // [xsp+C0h] [xbp-1A0h] BYREF
  _QWORD v14[3]; // [xsp+D8h] [xbp-188h] BYREF
  __int64 v15[3]; // [xsp+F0h] [xbp-170h] BYREF
  _BYTE v16[24]; // [xsp+108h] [xbp-158h] BYREF
  _BYTE v17[16]; // [xsp+120h] [xbp-140h] BYREF
  _BYTE v18[264]; // [xsp+130h] [xbp-130h] BYREF
  unsigned __int8 v19[16]; // [xsp+238h] [xbp-28h] BYREF
  unsigned __int8 v20[16]; // [xsp+248h] [xbp-18h] BYREF
  __int64 v21; // [xsp+258h] [xbp-8h]

  v21 = *(_ReadStatusReg(TPIDR_EL0) + 40);
  if ( a3 )
  {
    StringUTFChars = _JNIEnv::GetStringUTFChars(a1, a3, 0);
    sub_D6234(v16, StringUTFChars);
    _JNIEnv::ReleaseStringUTFChars(a1, a3, StringUTFChars);
    if ( RAND_bytes(v20, 16) != 1 )
      __memset_chk(v20, 17, 16, 16);
    __memset_chk(v19, 0, 16, 16);
    rsaEncryptKey(v15, v20, 16);
    aesEncryptInfo(v14, v16, v20, v19);
    sub_D71C4(v17);
    v8 = sub_D72B4(v18, "{\"a1\":\"");
    v7 = sub_D72FC(v8, v15);
    sub_D72B4(v7, "\",");
    v6 = sub_D72B4(v18, "\"b2\":\"");
    v5 = sub_D72FC(v6, v14);
    sub_D72B4(v5, "\"}");
    sub_D7348(v13, v17);
    v3 = sub_D6608(v13);
    v12 = _JNIEnv::NewStringUTF(a1, v3);
    std::string::~string(v13);
    sub_D7378(v17);
    std::string::~string(v14);
    std::string::~string(v15);
    std::string::~string(v16);
  }
  else
  {
    v12 = _JNIEnv::NewStringUTF(a1, &byte_96973);
  }
  _ReadStatusReg(TPIDR_EL0);
  return v12;
}

追踪执行流可得,由程序随机生成一个16字节数据,然后被传进RSA中进行加密,同时被传进AESCBC128中加密,然后最终结果为{a1:RSA密文,b2:AES密文}

由于题目描述为"please login as admin"所以可得我们输入的username大概率就是admin,回看题目的最初的APK,发现地址http://120.48.104.4:2788/24ab99d75d3327cf3c46/login,通过POST协议将我们的最终结果发送到此地址中应该就能回显flag。

那我们的做法就应该是发送admin并且将ishacker改为false然后发送到服务端让其输出flag,但是问题来了,native层显示的是随机产生16字节的数据来进行计算key,我们完全不知道这个随机数产生的逻辑和我编译器该如何进行逆向呢?

其实这题我们需要的不是静态的硬分析,而是通过伪实现一个完整的流程让程序误以为我们的数据是正确的,因为程序程序并不会检查我们的key数据是否为随机产生的,只会检测RSA和AES的key是否为同一个key,然后去解密。所以我们只需要让我们所需的数据完整实现一次程序的流程发包到目标地址就可以让地址误以为我们成功得到了真正的数据从而得到flag。

那么逆向脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
import os
import json
import base64
import requests
import ctypes
from Crypto.Cipher import AES
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
from Crypto.Util.Padding import pad

RSA_PUB = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAovOZy74DuQ55Nr/mOKRO
qHjcjVF8V2OrRPEAXz6x61z+jgUBZ6aIFLh3S0/6YSO9/OlWIsrkaJlISCPdrLOj
nvSwt6IOiWKVbzcxqyblR8MHbM74Lp7l9T8M9rKqQmjiCFPcbcpyAsABg5Cwgthf
Bo26BIusvptmb+rHXO5kylRHTMbXrBfC5Yagp25M7bCbpg7JqtR4uaaKg9c849+B
rvYq5PHtfDMAbUVSCbXG17/lR/1WENQSbPTAgdtmkUvdcwV14iHYIhuspiXnIa/Z
5Ze/xekUvwYVk09/pU7T0zSVxR+gRUhNPtKZYiZ/w7alSAVjvGooOSc+ps+7KVCk
yQIDAQAB
-----END PUBLIC KEY-----"""
proto_data = b'x0ax05adminx10x00'

res = bytearray()
curr = ctypes.c_int32(622918)
for b in proto_data:
    res.append(b^(curr.value & 0xff))
    curr.value = (1664525 * curr.value) + 1013904223

enc_data = bytes(res)

inner_paylode = base64.b64encode(enc_data)

aes_key = os.urandom(16)
aes_iv = b'\x00'*16
aes = AES.new(aes_key, AES.MODE_CBC, aes_iv)
cipher = aes.encrypt(pad(inner_paylode, 16))
b1 = base64.b64encode(cipher).decode()

rsa = PKCS1_v1_5.new(RSA.importKey(RSA_PUB))
a1 = base64.b64encode(rsa.encrypt(aes_key)).decode()

payload = json.dumps({
    "a1": a1,
    "b2": b1
})

url = "http://120.48.104.4:2788/24ab99d75d3327cf3c46/login"
headers = {"Content-Type": "application/json"}

try:
    req = requests.post(url, data=payload, headers=headers)
    print(req.status_code)
    print(req.text)
except Exception as e:
    print("error:", e)

以下是Rose的Fridahook脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Java.perform(function () {
  console.log("[*] hook loaded");
  var Main = Java.use("com.example.titlele.OO00OO0OOOO000O000");
  console.log("[*] class found");
  var enc = Main.EncTitlele.overload("java.lang.String");
  console.log("[*] method found");
  enc.implementation = function (s) {
    console.log("[*] original EncTitlele arg = " + s);

    var fixed = "TOgJw7cYcg==";
    console.log("[*] patched EncTitlele arg = " + fixed);

    var ret = enc.call(this, fixed);
    console.log("[*] returned json = " + ret);
    return ret;
  };
});