52pj2025春节红包解题-安卓中级

先找到判断方法,显然是一个native

ida加载so,导出表中没有这个函数,所以是动态注册的,找到jni_onload

找到函数地址

修改3个参数的类型,便于分析

总得来看,最终要执行的不是a就是ao了

bool __fastcall sub_BE440(JNIEnv *env, jobject object, jstring inputKey)
{
  int v5; // r4
  const char *key; // r0
  const char *v7; // r9
  int v8; // r4
  int v9; // r6
  int v10; // r1
  unsigned int v11; // r6
  char *v12; // r4
  _BOOL4 v13; // r8
  int v14; // r0
  void (__fastcall *v15)(_BYTE *, const char *, int, void *); // r8
  void *v16; // r5
  int v17; // r4
  const std::nothrow_t *v18; // r1
  unsigned __int64 v20; // [sp+0h] [bp-58h]
  _BYTE v21[16]; // [sp+18h] [bp-40h] BYREF
  _QWORD v22[2]; // [sp+28h] [bp-30h] BYREF

  v5 = 0;
  key = (*env)->GetStringUTFChars(env, inputKey, 0);
  if ( key )
  {
    v7 = key;
    HIDWORD(v20) = inputKey;
    v8 = A();
    v9 = CNJAK();
    if ( !byte_134E49 )
    {
      afdm::decrypt_buffer((afdm *)byte_134D7E, &byte_4, 0xA8FC3415, v20);
      byte_134E49 = 1;
    }
    v10 = -1;
    if ( v8 )
      v10 = 1;
    v11 = v9 + v10;
    v12 = getenv(byte_134D7E);                  // 反调?
    v13 = v12 == 0 || v11 < 3;
    v14 = jgbjkb();                             // 反调?
    if ( v11 <= 2 && v12 )
    {
      v13 = 1;
      dword_134D90 = -559038669;
    }
    v22[0] = *(_QWORD *)&off_12FCE8;            // 下面的v15是为了获得一个函数,不是a就是ao
    v22[1] = *(_QWORD *)&off_12FCF0;
    v15 = (void (__fastcall *)(_BYTE *, const char *, int, void *))nullsub_9(*(_DWORD *)((unsigned int)v22 | (4 * ((v14 | v13) ^ (unsigned int)sub_BE6CC & 1 ^ (((unsigned int)ao ^ (unsigned int)a) >> 24) & 1))));
    dword_134D90 = -559038669;
    memset(v21, 0, sizeof(v21));
    v16 = (void *)operator new[](0x13u);
    v15(v21, v7, 19, v16);                      // v15是一个函数,这边v7就是输入的key
    v17 = memcmp(v16, &unk_3A0FC, 0x13u);       // 比较结果
    operator delete[](v16, v18);
    (*env)->ReleaseStringUTFChars(env, (jstring)HIDWORD(v20), v7);
    return v17 == 0;
  }
  return v5;
}

aao的差异很小,但总归是要执行其中的一个的,所以反调可以直接忽略掉,两个函数都看一下

改一下参数的类型,发现这两个函数唯一的差别就是ao没有去动态修改sub_BED58生成的值,因此解密函数应该是a

int __fastcall a(_BYTE *a1, char *key, int a3, void *a4)
{
  __int64 v5; // d17
  int i; // r6
  int v9; // r5
  char v10; // r0
  _QWORD v12[2]; // [sp+0h] [bp-30h] BYREF
  int v13; // [sp+14h] [bp-1Ch]

  v5 = *((_QWORD *)a1 + 1);
  v12[0] = *(_QWORD *)a1;
  v12[1] = v5;
  if ( a3 )                                     // a3=19
  {
    for ( i = 0; i != a3; ++i )
    {
      v9 = i & 0xF;
      if ( (i & 0xF) == 0 )
        sub_BED58((unsigned __int8 *)v12);      // 初始化v12的值,需要注意v12的长度是16,但一共有19次循环,第17次时这个函数又会被调用一次
      v10 = key[i] ^ *((_BYTE *)v12 + v9);      // 异或
      *((_BYTE *)a4 + i) = v10;
      *((_BYTE *)v12 + v9) = v10;
    }
  }
  return v13;
}
int __fastcall ao(_BYTE *a1, char *key, int a3, void *a4)
{
  __int64 v5; // d17
  int i; // r4
  _QWORD v10[2]; // [sp+0h] [bp-30h] BYREF
  int v11; // [sp+14h] [bp-1Ch]

  v5 = *((_QWORD *)a1 + 1);
  v10[0] = *(_QWORD *)a1;
  v10[1] = v5;
  if ( a3 )
  {
    for ( i = 0; i != a3; ++i )
    {
      if ( (i & 0xF) == 0 )
        sub_BED58((unsigned __int8 *)v10);
      *((_BYTE *)a4 + i) = key[i] ^ *((_BYTE *)v10 + (i & 0xF));
    }
  }
  return v11;
}

最后比较结果,比较的值是0x48,0x27,0x8f,0xaf,0x9b,0xf8,0xec,0x72,0x98,0x07,0x72,0x0c,0x6b,0xe2,0x3a,0xb6,0x42,0x59,0xf7

最后根据手机的实际情况选择对应架构的so进行hook或者调试,分析时用的是armeabi-v7a,我的手机是arm64,应该用arm64-v8a(重打包apk,把其他架构的删掉也可以)

Java.perform(function(){
  var soAddr = Process.getModuleByName("libwuaipojie2025_game.so");
  var func_addr = soAddr.base.add(0xE9954);
  Interceptor.attach(func_addr, {
    onEnter: function(args){
      console.log("hook到函数");
    },
    onLeave: function(retval){
      console.log(retval.readByteArray(16));
    }
  });
});

得到该函数两次执行的结果,第二次是要依据第一次的输入来做的,所以要先解一下前16位

0x2e,0x4b,0xee,0xc8,0xe0,0x95,0x88,0x47,0xb0,0x72,0x1b,0x68,0x40,0xd0,0x0a,0x84

target = [0x48,0x27,0x8f,0xaf,0x9b,0xf8,0xec,0x72,0x98,0x07,0x72,0x0c,0x6b,0xe2,0x3a,0xb6,0x42,0x59,0xf7]
result = [0x2e,0x4b,0xee,0xc8,0xe0,0x95,0x88,0x47,0xb0,0x72,0x1b,0x68,0x40,0xd0,0x0a,0x84]

for i in range(0,len(result)):
    print(chr(target[i]^result[i]),end='')
#flag{md5(uid+202

再次输入密钥时输入flag{md5(uid+202(发现反调试时需要getenv返回非0,hook了一下,至于另一个函数,可能是因为我用frida的原因?它没有检测到),得到后3位0x77,0x70,0x8a

Java.perform(function(){
  var soAddr = Process.getModuleByName("libwuaipojie2025_game.so");
  var jgbjkb_addr = Module.findExportByName("libwuaipojie2025_game.so","_Z6jgbjkbv");
  Interceptor.attach(jgbjkb_addr, {
    onEnter: function(args){
      console.log("hook到jgbjkb");
    },
    onLeave: function(retval){
      console.log("jgbjkb返回值为"+retval);
    }
  });    
  var getenv_addr = Module.findExportByName("libc.so","getenv");
  Interceptor.attach(getenv_addr, {
    onEnter: function(args){
      console.log("hook到getenv");
    },
    onLeave: function(retval){
      console.log("修改getenv返回值为1");
      retval.replace(1);
    }
  });    
  var func_addr = soAddr.base.add(0xE9954);
  Interceptor.attach(func_addr, {
    onEnter: function(args){
      console.log("hook到函数");
    },
    onLeave: function(retval){
      console.log(retval.readByteArray(16));
    }
  });
});

target = [0x48,0x27,0x8f,0xaf,0x9b,0xf8,0xec,0x72,0x98,0x07,0x72,0x0c,0x6b,0xe2,0x3a,0xb6,0x42,0x59,0xf7]
result = [0x2e,0x4b,0xee,0xc8,0xe0,0x95,0x88,0x47,0xb0,0x72,0x1b,0x68,0x40,0xd0,0x0a,0x84,0x77,0x70,0x8a]

for i in range(0,len(result)):
    print(chr(target[i]^result[i]),end='')
#flag{md5(uid+2025)}

得到flagflag{md5(uid+2025)}

posted @   WXjzc  阅读(36)  评论(0编辑  收藏  举报
相关博文:
阅读排行:
· DeepSeek “源神”启动!「GitHub 热点速览」
· 我与微信审核的“相爱相杀”看个人小程序副业
· 微软正式发布.NET 10 Preview 1:开启下一代开发框架新篇章
· C# 集成 DeepSeek 模型实现 AI 私有化(本地部署与 API 调用教程)
· spring官宣接入deepseek,真的太香了~
点击右上角即可分享
微信分享提示