【Android逆向】破解看雪9月算法破解第三题

这题的目标是算法还原,并写出注册机

1. 9月份算法第一题.apk 安装到手机

2. 随意输入账号密码,提示错误

3. apk拖入到jadx中

public native boolean register(String str, String str2);

    static {
        System.loadLibrary("register");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        requestWindowFeature(1);
        getWindow().setFlags(1024, 1024);
        setContentView(R.layout.activity_main);
        initViews();
    }

    private void initViews() {
        this.imageView = (ImageView) findViewById(R.id.imageView);
        this.textView = (TextView) findViewById(R.id.textView);
        this.edt_password = (EditText) findViewById(R.id.edt_password);
        this.edt_username = (EditText) findViewById(R.id.edt_username);
        this.btn_register = (Button) findViewById(R.id.btn_register);
        Button button = (Button) findViewById(R.id.btn_tips);
        this.btn_tips = button;
        button.setOnClickListener(this);
        this.btn_register.setOnClickListener(this);
        if (Integer.parseInt(new SimpleDateFormat("hh").format(Long.valueOf(System.currentTimeMillis()))) >= 16) {
            this.imageView.setImageResource(R.drawable.good_night_img);
            this.textView.setText("Night");
        }
        ......

    @Override // android.view.View.OnClickListener
    public void onClick(View view) {
        switch (view.getId()) {
            case R.id.btn_register /* 2131296354 */:
                String obj = this.edt_username.getText().toString();
                String obj2 = this.edt_password.getText().toString();
                if (obj.equals("") || obj2.equals("")) {
                    Toasty.error((Context) this, (CharSequence) "请输入用户名和密码", 1, true).show();
                    return;
                } else if (obj.length() < 6 || obj.length() > 20) {
                    Toasty.error((Context) this, (CharSequence) "请输入正确用户名", 1, true).show();
                    return;
                } else if (!register(obj, obj2)) {
                    Toasty.error((Context) this, (CharSequence) "注册失败", 1, true).show();
                    return;
                } else {
                    Toasty.success((Context) this, (CharSequence) "注册成功,恭喜恭喜", 1, true).show();
                    return;
                }
            case R.id.btn_tips /* 2131296355 */:
                Toasty.info((Context) this, (CharSequence) "题目要求:逆向这个APP,查看使用了哪些算法,并做一个注册机\n可横向华滑动背景调整主题哦~", 1, true).show();
                return;
            default:
                return;
        }
    }

4. 那么答案在libregister.so中, IDA打开它,查看关键函数

bool __fastcall sub_868(const char *username, const char *password)
{
  __int64 len; // x0
  void *v5; // x20
  __int64 v6; // x0
  __int128 v8[6]; // [xsp+0h] [xbp-D0h] BYREF
  int v9; // [xsp+60h] [xbp-70h]
  char v10[8]; // [xsp+68h] [xbp-68h] BYREF
  __int64 v11; // [xsp+70h] [xbp-60h]
  char v12; // [xsp+78h] [xbp-58h]
  __int128 v13; // [xsp+80h] [xbp-50h] BYREF
  __int64 md5_result[2]; // [xsp+90h] [xbp-40h] BYREF
  char v15; // [xsp+A0h] [xbp-30h]
  __int64 v16; // [xsp+A8h] [xbp-28h]

  v16 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  md5_result[0] = 0LL;
  md5_result[1] = 0LL;
  v15 = 0;
  len = strlen(username);
  sub_26EC(username, len, md5_result);
  *(_QWORD *)v10 = 0LL;
  v11 = 0LL;
  v12 = 0;
  v13 = aDtayydsDtayyds;
  v5 = (void *)sub_1A40(16LL);
  sub_181C(&v13, v5);
  sub_1AA4(md5_result, v10, v5);
  free(v5);
  v9 = 0;
  memset(v8, 0, sizeof(v8));
  v6 = __strlen_chk(v10, 0x11u);
  base64_sub_A0C(v10, v6, v8);
  return strcmp((const char *)v8, password) == 0;
}

5. 先看sub_26EC

其中看到一串常量

  v13 = 0xEFCDAB89;
  v14 = 0x98BADCFE;
  v15 = 0x67452301;
  v16 = 0x10325476;

这就是MD5算法的特征,怀疑就是MD5算法,hook看一下
frida代码

function main() {
    Java.perform(function () {
        hookCheck();

        Java.choose('com.r0ysue.a202109crakeme.MainActivity', {
            onMatch: function(instance) {
                var username = "1234567890"
                var password = "123456"
                instance.register(username, password)
            },
            onComplete: function() {

            }
        })

    })

}

function hookCheck() {
    var lib_hanlder = Process.findModuleByName("libregister.so");
    console.log("lib_handler: " + lib_hanlder.base)
        
    if (lib_hanlder) {
        //64位 不加一
        var addr_hook = lib_hanlder.base.add(0x00000000000008E8)       
        Interceptor.attach(addr_hook,{
            onEnter: function(args) {
                console.log(" === hook before")
                console.log("=== context:" + JSON.stringify(this.context))
                console.log("=== context.x0:" + print_dump(this.context.x0))
                console.log("====  对比 e807f1fcf82d132f9bb018ca6738a19f")


                // Memory.protect(this.context.r1, 1024, 'rw-')
                // this.context.r1.writeUtf8String("REAL")
                // console.log("=== r1:" + this.context.r1.readCString())
            },
            onLeave:function(retVal) {
                console.log(" === hook after: ")
                //print_dump(retVal, 128)
                //console.log("=== after r1:" + this.context.r1.readCString())

            }
        })
    }
}

function print_dump(arg, size) {
    console.log(hexdump(arg, {
        offset: 0,
        length: size,
        header: true,
        ansi: true
    }))
}

setTimeout(main, 1000)

日志

=== hook before
=== context:{"pc":"0x777f8048e8","sp":"0x7780642f50","x0":"0x7780642fe0","x1":"0x7780642fb8","x2":"0x779c454600","x3":"0xad","x4":"0xd0","x5":"0xa","x6":"0x0","x7":"0x0","x8":"0x777f819000","x9":"0x2c","x10":"0x2c","x11":"0x777f806b00","x12":"0x777f809000","x13":"0x777f809005","x14":"0x777f809008","x15":"0xab","x16":"0x7826c6e000","x17":"0x7780f3e330","x18":"0x0","x19":"0x779c4110c8","x20":"0x779c454600","x21":"0x7780645588","x22":"0x779c433130","x23":"0x779c4110c8","x24":"0xc","x25":"0x7780645588","x26":"0x779c4a08a0","x27":"0x7780645588","x28":"0x7780645588","fp":"0x7780643020","lr":"0x777f8048dc"}
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7780642fe0  e8 07 f1 fc f8 2d 13 2f 9b b0 18 ca 67 38 a1 9f  .....-./....g8..
7780642ff0  00 00 00 00 00 00 00 00 21 cb 42 b8 90 0f ab 02  ........!.B.....                                                                                                                                                       
7780643000  88 30 64 80 77 00 00 00 88 30 64 80 77 00 00 00  .0d.w....0d.w...

====  对比 e807f1fcf82d132f9bb018ca6738a19f

利用在线md5验证,发现确实md5算法

6. 再看sub_1A40sub_181C

在sub_181C 中看到全局数组unk_2B00, 取前面几个值63 7C 77 7B F2 6B 6F C5 搜索引擎搜索,发现是AES的sbox表,说明这里是AES算法特征,github搜索AES算法实现,发现代码与https://github.com/dhuertas/AES类似sub_1A40对应init, sub_181C对应expansionsub_1AA4对应aes_cipher

7. 再看sub_A0C, 直接发现其字典数组,说明这是一个base64算法

.rodata:0000000000002A40 41 42 43 44 45 46 47 48 49 4A+aAbcdefghijklmn DCB "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
.rodata:0000000000002A40 4B 4C 4D 4E 4F 50 51 52 53 54+                                        ; DATA XREF: base64_sub_A0C+4↑o
.rodata:0000000000002A40 55 56 57 58 59 5A 61 62 63 64+                                        ; base64_sub_A0C+1C↑o

8 证明猜想,编写frida验证

function main() {
    Java.perform(function () {
        hookCheck();

        Java.choose('com.r0ysue.a202109crakeme.MainActivity', {
            onMatch: function(instance) {
                var username = "1234567890"
                var password = "123456"
                instance.register(username, password)
            },
            onComplete: function() {

            }
        })

    })

}

function hookCheck() {
    var lib_hanlder = Process.findModuleByName("libregister.so");
    console.log("lib_handler: " + lib_hanlder.base)
        
    if (lib_hanlder) {
        //64位 不加一
        var addr_hook = lib_hanlder.base.add(0x00000000000008E8)       
        Interceptor.attach(addr_hook,{
            onEnter: function(args) {
                console.log(" === hook before")
                console.log("=== context:" + JSON.stringify(this.context))
                console.log("=== context.x0:" + print_dump(this.context.x0))
                console.log("====  对比 e807f1fcf82d132f9bb018ca6738a19f")


                // Memory.protect(this.context.r1, 1024, 'rw-')
                // this.context.r1.writeUtf8String("REAL")
                // console.log("=== r1:" + this.context.r1.readCString())
            },
            onLeave:function(retVal) {
                console.log(" === hook after: ")
                //print_dump(retVal, 128)
                //console.log("=== after r1:" + this.context.r1.readCString())

            }
        })

        var aes_hook = lib_hanlder.base.add(0x0000000000000920)
        Interceptor.attach(aes_hook,{
            onEnter: function(args) {
                console.log(" === aes hook before")
                console.log("=== context:" + JSON.stringify(this.context))
                console.log("=== context.x0:" + print_dump(this.context.x0))
                console.log("=== 0be6e80d12c7780a10ace20c02728350")

            },
            onLeave:function(retVal) {
                console.log(" === hook after: ")
                //print_dump(retVal, 128)
                //console.log("=== after r1:" + this.context.r1.readCString())

            }
        })


        var base64_hook = lib_hanlder.base.add(0x000000000000092C)
        Interceptor.attach(base64_hook,{
            onEnter: function(args) {
                console.log(" === base64 hook before")
                console.log("=== context:" + JSON.stringify(this.context))
                console.log("=== context.x0:" + print_dump(this.context.x0))

            },
            onLeave:function(retVal) {
                console.log(" === hook after: ")
                //print_dump(retVal, 128)
                //console.log("=== after r1:" + this.context.r1.readCString())

            }
        })
    }

}

function print_dump(arg, size) {
    console.log(hexdump(arg, {
        offset: 0,
        length: size,
        header: true,
        ansi: true
    }))
}

setTimeout(main, 1000)

日志

=== hook before
=== context:{"pc":"0x777f8048e8","sp":"0x7780642f50","x0":"0x7780642fe0","x1":"0x7780642fb8","x2":"0x779c454600","x3":"0xad","x4":"0xd0","x5":"0xa","x6":"0x0","x7":"0x0","x8":"0x777f819000","x9":"0x2c","x10":"0x2c","x11":"0x777f806b00","x12":"0x777f809000","x13":"0x777f809005","x14":"0x777f809008","x15":"0xab","x16":"0x7826c6e000","x17":"0x7780f3e330","x18":"0x0","x19":"0x779c4110c8","x20":"0x779c454600","x21":"0x7780645588","x22":"0x779c433130","x23":"0x779c4110c8","x24":"0xc","x25":"0x7780645588","x26":"0x779c4a08a0","x27":"0x7780645588","x28":"0x7780645588","fp":"0x7780643020","lr":"0x777f8048dc"}
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7780642fe0  e8 07 f1 fc f8 2d 13 2f 9b b0 18 ca 67 38 a1 9f  .....-./....g8..
7780642ff0  00 00 00 00 00 00 00 00 21 cb 42 b8 90 0f ab 02  ........!.B.....                                                                                                                                                       
7780643000  88 30 64 80 77 00 00 00 88 30 64 80 77 00 00 00  .0d.w....0d.w...
7780643010  c0 c6 41 9c 77 00 00 00 8c 30 64 80 77 00 00 00  ..A.w....0d.w...
7780643020  60 30 64 80 77 00 00 00 c0 49 80 7f 77 00 00 00  `0d.w....I..w...
7780643030  0c 00 00 00 00 00 00 00 e2 53 df 7f 77 00 00 00  .........S..w...
7780643040  b0 33 64 80 77 00 00 00 00 08 4a 9c 77 00 00 00  .3d.w.....J.w...
7780643050  20 ad 1b a5 77 00 00 00 00 08 4a 9c 77 00 00 00   ...w.....J.w...
7780643060  58 31 64 80 77 00 00 00 d8 80 91 7f 77 00 00 00  X1d.w.......w...
7780643070  38 21 cb 25 78 00 00 00 00 00 00 00 00 00 00 00  8!.%x...........
7780643080  03 00 00 00 e8 04 28 1b e0 95 e6 12 00 96 e6 12  ......(.........
7780643090  0e 00 00 00 00 00 00 00 a0 71 fe 8c 77 00 00 00  .........q..w...
77806430a0  00 00 00 00 00 00 f0 3f 00 00 00 00 00 00 f0 3f  .......?.......?
77806430b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
77806430c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
77806430d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
=== context.x0:undefined
====  对比 e807f1fcf82d132f9bb018ca6738a19f
 === aes hook before
=== context:{"pc":"0x777f804920","sp":"0x7780642f50","x0":"0x7780642fb8","x1":"0x10","x2":"0x7780642f50","x3":"0x2ab0f90b842cb00","x4":"0x0","x5":"0x10","x6":"0x1aa0e8fb741c9ff","x7":"0x7fff7fffff7fff7f","x8":"0x101010101010101","x9":"0x2ab0f90b842cb21","x10":"0x54","x11":"0xa0","x12":"0xc","x13":"0x50","x14":"0xab","x15":"0xb","x16":"0x7826c6e000","x17":"0x7780f3e3d0","x18":"0x0","x19":"0x779c4110c8","x20":"0x779c454600","x21":"0x7780645588","x22":"0x779c433130","x23":"0x779c4110c8","x24":"0xc","x25":"0x7780645588","x26":"0x779c4a08a0","x27":"0x7780645588","x28":"0x7780645588","fp":"0x7780643020","lr":"0x777f804914"}
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7780642fb8  0b e6 e8 0d 12 c7 78 0a 10 ac e2 0c 02 72 83 50  ......x......r.P
7780642fc8  00 cb 42 b8 90 0f ab 02 64 74 61 79 79 64 73 21  ..B.....dtayyds!
7780642fd8  64 74 61 79 79 64 73 21 e8 07 f1 fc f8 2d 13 2f  dtayyds!.....-./
7780642fe8  9b b0 18 ca 67 38 a1 9f 00 00 00 00 00 00 00 00  ....g8..........
7780642ff8  21 cb 42 b8 90 0f ab 02 88 30 64 80 77 00 00 00  !.B......0d.w...
7780643008  88 30 64 80 77 00 00 00 c0 c6 41 9c 77 00 00 00  .0d.w.....A.w...
7780643018  8c 30 64 80 77 00 00 00 60 30 64 80 77 00 00 00  .0d.w...`0d.w...
7780643028  c0 49 80 7f 77 00 00 00 0c 00 00 00 00 00 00 00  .I..w...........
7780643038  e2 53 df 7f 77 00 00 00 b0 33 64 80 77 00 00 00  .S..w....3d.w...
7780643048  00 08 4a 9c 77 00 00 00 20 ad 1b a5 77 00 00 00  ..J.w... ...w...
7780643058  00 08 4a 9c 77 00 00 00 58 31 64 80 77 00 00 00  ..J.w...X1d.w...
7780643068  d8 80 91 7f 77 00 00 00 38 21 cb 25 78 00 00 00  ....w...8!.%x...
7780643078  00 00 00 00 00 00 00 00 03 00 00 00 e8 04 28 1b  ..............(.
7780643088  e0 95 e6 12 00 96 e6 12 0e 00 00 00 00 00 00 00  ................
7780643098  a0 71 fe 8c 77 00 00 00 00 00 00 00 00 00 f0 3f  .q..w..........?
77806430a8  00 00 00 00 00 00 f0 3f 00 00 00 00 00 00 00 00  .......?........
=== context.x0:undefined
=== 0be6e80d12c7780a10ace20c02728350
 === base64 hook before
=== context:{"pc":"0x777f80492c","sp":"0x7780642f50","x0":"0x7780642f50","x1":"0x779c4110c8","x2":"0x7780642f50","x3":"0x2ab0f90b842cb00","x4":"0x0","x5":"0x10","x6":"0x1aa0e8fb741c9ff","x7":"0x7fff7fffff7fff7f","x8":"0x41","x9":"0x16","x10":"0x17","x11":"0x3d","x12":"0x1","x13":"0x50","x14":"0x1","x15":"0x14","x16":"0x7826c6e000","x17":"0x7780f3e470","x18":"0x0","x19":"0x779c4110c8","x20":"0x779c454600","x21":"0x7780645588","x22":"0x779c433130","x23":"0x779c4110c8","x24":"0xc","x25":"0x7780645588","x26":"0x779c4a08a0","x27":"0x7780645588","x28":"0x7780645588","fp":"0x7780643020","lr":"0x7778ae7138"}
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7780642f50  43 2b 62 6f 44 52 4c 48 65 41 6f 51 72 4f 49 4d  C+boDRLHeAoQrOIM
7780642f60  41 6e 4b 44 55 41 3d 3d 00 00 00 00 00 00 00 00  AnKDUA==........
7780642f70  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
7780642f80  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
7780642f90  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
7780642fa0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
7780642fb0  00 00 00 00 77 00 00 00 0b e6 e8 0d 12 c7 78 0a  ....w.........x.
7780642fc0  10 ac e2 0c 02 72 83 50 00 cb 42 b8 90 0f ab 02  .....r.P..B.....
7780642fd0  64 74 61 79 79 64 73 21 64 74 61 79 79 64 73 21  dtayyds!dtayyds!
7780642fe0  e8 07 f1 fc f8 2d 13 2f 9b b0 18 ca 67 38 a1 9f  .....-./....g8..
7780642ff0  00 00 00 00 00 00 00 00 21 cb 42 b8 90 0f ab 02  ........!.B.....
7780643000  88 30 64 80 77 00 00 00 88 30 64 80 77 00 00 00  .0d.w....0d.w...
7780643010  c0 c6 41 9c 77 00 00 00 8c 30 64 80 77 00 00 00  ..A.w....0d.w...
7780643020  60 30 64 80 77 00 00 00 c0 49 80 7f 77 00 00 00  `0d.w....I..w...
7780643030  0c 00 00 00 00 00 00 00 e2 53 df 7f 77 00 00 00  .........S..w...
7780643040  b0 33 64 80 77 00 00 00 00 08 4a 9c 77 00 00 00  .3d.w.....J.w...

用在线工具对比发现,确实是md5处理后 再aes处理 再base64处理,得到注册码

9 编写注册机

import hashlib
from Crypto.Cipher import AES
import base64
 
input = "1234567890"
hl = hashlib.md5()
hl.update(input.encode("utf-8"))
md5_data = hl.hexdigest()
 
key = '64746179796473216474617979647321'
key = bytes.fromhex(key)
aes = AES.new(key, AES.MODE_ECB)

aes_en = aes.encrypt(bytes.fromhex(md5_data))
l = [hex(int(i)) for i in aes_en]
print(" ".join(l))
encrypted_text = str(base64.encodebytes(aes_en), encoding='utf8').replace('\n', '')
print(encrypted_text)
posted @ 2023-03-01 16:19  明月照江江  阅读(108)  评论(0编辑  收藏  举报