【Android逆向】Frida 无脑暴力破解看雪test2.apk

1. 安装apk到手机

adb install -t test2.apk

apk下载位置： https://www.kanxue.com/work-task_read-800625.htm

2. 题目提示输入一个五位的数字，那么可以尝试暴力破解

3. apk拖入到jadx中可以看到

public class MainActivity extends AppCompatActivity {
    TextView message_tv;
    EditText password_et;
    EditText username_et;

    public static native String Sign(String str);

    static {
        System.loadLibrary("roysue");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        this.username_et = (EditText) findViewById(R.id.editText);
        this.message_tv = (TextView) findViewById(R.id.textView);
        findViewById(R.id.button).setOnClickListener(new View.OnClickListener() { // from class: com.roysue.easyso1.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View v) {
                String res = MainActivity.Sign(MainActivity.this.username_et.getText().toString());
                if (res.compareTo("4143cb60bf8083ac94c57418a9a7ff5a14a63feade6b46d9d0af3182ccbdf7af") == 0) {
                    MainActivity.this.message_tv.setText("恭喜你！");
                } else {
                    MainActivity.this.message_tv.setText("壮士请继续加油！");
                }
            }
        });
    }
}

4. 那么尝试反复调用sign方法可以碰撞出密码

开发脚本

function main() {
    Java.perform(function () {
        var MainActivityHandler = Java.use('com.roysue.easyso1.MainActivity')

        for (var i = 0; i <= 99999; i++) {
            var str = i + ""
            var ret = MainActivityHandler.Sign(str)
            if (i % 1000 == 0) {
                console.log("now is", str);
            }
            if (ret == "4143cb60bf8083ac94c57418a9a7ff5a14a63feade6b46d9d0af3182ccbdf7af") {
                console.log("find it : " + i)
                break
            }
        }
        

    })

}

setTimeout(main)

5. 执行frida -UF com.roysue.easyso1 -l lesson05.js --no-pause,发现不行会报错

Failed to attach: unable to access process with pid 13287 due to system restrictions; try `sudo sysctl kernel.yama.ptrace_scope=0`, or run Frida as root

怀疑有反调试手段，反编译so可以看到

jint JNI_OnLoad(JavaVM *vm, void *reserved)
{
  void *env; // [sp+18h] [bp-10h] BYREF

.......
  env = 0;
  ptrace(PTRACE_TRACEME, 0, 0, 0); //这里！！！！
  if ( _JavaVM::GetEnv(vm, &env, 65542) )
    return -1;
  if ( !env )
    _assert2(
      "/root/Desktop/202104test/easyso1/app/src/main/cpp/roysue.cpp",
      161,
      "jint JNI_OnLoad(JavaVM *, void *)",
      "env != nullptr");
  if ( registerMethods((JNIEnv *)env, "com/roysue/easyso1/MainActivity", method_table, 1) )
    return 65542;
  else
    return -1;
}

这里有两个方案，一 nop掉这里； 二 换frida spawned模式启动（即 -f）

6. 执行 frida -U -f com.roysue.easyso1 -l lesson05.js --no-pause

#日志
now is 36000
now is 37000
now is 38000
now is 39000
now is 40000
now is 41000
now is 42000
now is 43000
now is 44000
now is 45000
find it : 45678

# 爆出密码