【Android逆向】破解看雪9月算法破解第一题

1. 安装apk到手机

2. 随意输入账号和密码,点击register,报错crackme1:ERROR

3. 将apk拖入到jadx中进行观察

    public native String register(String str);

    static {
        System.loadLibrary("native-lib");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(R.layout.activity_main);
        initViews();
    }

    private void initViews() {
        this.edt_code = (EditText) findViewById(R.id.edt_code);
        this.edt_username = (EditText) findViewById(R.id.edt_username);
        Button button = (Button) findViewById(R.id.btn_register);
        this.btn_register = button;
        button.setOnClickListener(new View.OnClickListener() { // from class: com.r0ysue.first.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                String obj = MainActivity.this.edt_username.getText().toString();
                String obj2 = MainActivity.this.edt_code.getText().toString(); // password
                if (obj.equals("")) {
                    Toast.makeText(MainActivity.this, "用户名不能为空", 0).show();
                    return;
                }
                String register = MainActivity.this.register(obj);
                if (register.equals(obj2) && !register.equals("Error!")) {
                    Toast.makeText(MainActivity.this, "SUCCESS!", 0).show();
                } else {
                    Toast.makeText(MainActivity.this, "ERROR!", 0).show();
                }
            }
        });
    }

那么很明显就是账号通过native函数处理后与密码进行比较来判断成功与失败

4. 加压缩apk, 拿到so文件,丢入到IDA中进行静态分析看看

__int64 __fastcall Java_com_r0ysue_first_MainActivity_register(JNIEnv *env, jobject object, void *name)
{
  const char *char_arr; // x21
  JNIEnv t_env; // x8
  __int128 *ret_chars; // x1
  unsigned int str_len; // w0
  __int128 v10[6]; // [xsp+0h] [xbp-90h] BYREF
  int v11; // [xsp+60h] [xbp-30h]
  __int64 v12; // [xsp+68h] [xbp-28h]

  v12 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  char_arr = (*env)->GetStringUTFChars(env, name, 0LL);
  if ( strlen(char_arr) - 6 < 0xF )
  {
    v11 = 0;
    memset(v10, 0, sizeof(v10));
    str_len = strlen(char_arr);
    base64_encode((const unsigned __int8 *)char_arr, str_len, (char *)v10);
    (*env)->ReleaseStringUTFChars(env, name, char_arr);
    t_env = *env;
    ret_chars = v10;
  }
  else
  {
    (*env)->ReleaseStringUTFChars(env, name, char_arr);
    t_env = *env;
    ret_chars = (__int128 *)"Error!";
  }
  return (__int64)t_env->NewStringUTF(env, (const char *)ret_chars);
}

这里可以看到 输入的字符串长度必须大于6 且小于20才可以,并且会进行base64_encode处理,这里是不是正真base64呢? 打开函数看看,整理后可得

unsigned __int8 *__fastcall base64_encode(unsigned __int8 *char_arr_p, unsigned int length, char *ret_v10)
{
  unsigned __int8 *t_char; // x8
  int v4; // w13
  int v5; // w12
  __int64 i; // x10
  char t_tbale_char; // w14
  int v8; // w15
  __int64 v9; // x13
  int step; // w14
  unsigned __int64 tt_Char; // x11
  int v12; // w9
  int v13; // w10
  int v14; // w9

  if ( length )
  {
    t_char = char_arr_p;
    v4 = 0;
    v5 = 0;
    LODWORD(char_arr_p) = 0;
    i = length;
    do
    {
      tt_Char = *t_char;
      if ( v5 == 2 )
      {
        t_tbale_char = word_8FC[((unsigned int)tt_Char >> 6) & 0xFFFFFFC3 | (4 * (v4 & 0xF))];
        v5 = 0;
        v8 = (_DWORD)char_arr_p + 1;
        v9 = tt_Char & 0x3F;
        ret_v10[(unsigned int)char_arr_p] = t_tbale_char;
        step = 2;
      }
      else if ( v5 == 1 )
      {
        v5 = 2;
        v9 = (16 * v4) & 0x30LL | (tt_Char >> 4);
        step = 1;
        v8 = (int)char_arr_p;
      }
      else
      {
        v9 = tt_Char >> 2;
        step = 1;
        v8 = (int)char_arr_p;
        v5 = 1;
      }
      char_arr_p = (unsigned __int8 *)(unsigned int)((_DWORD)char_arr_p + step);
      ret_v10[v8] = word_8FC[v9];
      --i;
      ++t_char;
      v4 = tt_Char;
    }
    while ( i );
    if ( v5 == 2 )
    {
      v14 = (_DWORD)char_arr_p + 1;
      ret_v10[(unsigned int)char_arr_p] = word_8FC[(4 * (int)tt_Char) & 0x3CLL];
      char_arr_p = (unsigned __int8 *)(unsigned int)((_DWORD)char_arr_p + 2);
      ret_v10[v14] = 61;
    }
    else if ( v5 == 1 )
    {
      v12 = (_DWORD)char_arr_p + 1;
      v13 = (_DWORD)char_arr_p + 2;
      ret_v10[(unsigned int)char_arr_p] = word_8FC[(16 * (int)tt_Char) & 0x30LL];
      char_arr_p = (unsigned __int8 *)(unsigned int)((_DWORD)char_arr_p + 3);
      ret_v10[v12] = 61;
      ret_v10[v13] = 61;
      ret_v10[(unsigned int)char_arr_p] = 0;
      return char_arr_p;
    }
    ret_v10[(unsigned int)char_arr_p] = 0;
  }
  else
  {
    char_arr_p = 0LL;
    *ret_v10 = 0;
  }
  return char_arr_p;
}

这里有一个关键的变量 word_8FC,点进去看看

.rodata:00000000000008FC 41 42 43 44 45 46 47 48 49 4A+aAbcdefghijklmn DCB "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
.rodata:00000000000008FC 4B 4C 4D 4E 4F 50 51 52 53 54+                                        ; DATA XREF: base64_encode(uchar const*,uint,char *)+4↑o
.rodata:00000000000008FC 55 56 57 58 59 5A 61 62 63 64+     

可以看到一个标准的base64编解码表"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

由此可以推测,这就是一个标准的base64编码函数

5. 用frida调用验证一下

function main() {
    Java.perform(function () {

        var MainActivityHandler = Java.use('com.r0ysue.first.MainActivity')

        console.log('1111')
        if (MainActivityHandler != undefined) {
            console.log('2222' )
            MainActivityHandler.register.implementation = function (str) {
                console.log('hooked i = ' + str)
                var ret = this.register(str)
                console.log('hooked ret = ' + ret)

                return ret
            }
        }

    })

}

setTimeout(main, 1000)

日志

ooked i = dfdd
hooked ret = Error!
hooked i = dfddfggv
hooked ret = ZGZkZGZnZ3Y=
hooked i = 1234567
hooked ret = MTIzNDU2Nw==                                                                                                                                                                                                           
hooked i = 1234567
hooked ret = MTIzNDU2Nw==
hooked i = 12345678
hooked ret = MTIzNDU2Nzg=
hooked i = ddddddd
hooked ret = ZGRkZGRkZA==
hooked i = dddd
hooked ret = Error!
hooked i = ddddd
hooked ret = Error!
hooked i = dddddd
hooked ret = ZGRkZGRk
hooked i = dddddd
hooked ret = ZGRkZGRk
hooked i = dddddd
hooked ret = ZGRkZGRk

使用在线编解码工具测试,确实是正确的

6. 使用python开发注册机

import base64
 
while True:
    username = input("请输入用户名(长度小于等于20): ")
    if len(username) > 20:
        print("输入长度超过20,请重新输入")
    elif len(username) < 6:
        print("输入长度小于6,请重新输入")
    else:
        b64_byt = base64.b64encode(username.encode('utf-8'))
        print("密码:", b64_byt)
posted @ 2023-02-28 14:44  明月照江江  阅读(89)  评论(0编辑  收藏  举报