[Android Reverse Engineering] [攻防世界] Ph0en1x-100

1. Install the apk on a phone. It is the usual routine: the app asks you to enter a flag.

2. Open the apk in jadx. It is not packed.

......
    public void onGoClick(View v) {
        String sInput = this.etFlag.getText().toString();
        if (getSecret(getFlag()).equals(getSecret(encrypt(sInput)))) {
            Toast.makeText(this, "Success", 1).show();
        } else {
            Toast.makeText(this, "Failed", 1).show();
        }
    }
......

From this we can see that getFlag() should be equal to encrypt(sInput); getSecret is applied to both sides of the comparison, so it is only a distraction and we do not need to look at it.
Both methods are native methods. First, use objection to see what getFlag returns:

com.ph0en1x.android_crackme on (xiaomi: 8.1.0) [usb] # android hooking watch class_method com.ph0en1x.android_crackme.MainActivity.getFlag --dump-return
(agent) Attempting to watch class com.ph0en1x.android_crackme.MainActivity and method getFlag.
(agent) Hooking com.ph0en1x.android_crackme.MainActivity.getFlag()
(agent) Registering job 0003115686069. Type: watch-method for: com.ph0en1x.android_crackme.MainActivity.getFlag
com.ph0en1x.android_crackme on (xiaomi: 8.1.0) [usb] # (agent) [0003115686069] Called com.ph0en1x.android_crackme.MainActivity.getFlag()
(agent) [0003115686069] Return Value: "ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|"

# So we now know that getFlag returns "ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|"

3. Open the .so in IDA and look at encrypt

jstring __fastcall Java_com_ph0en1x_android_1crackme_MainActivity_encrypt(JNIEnv *env, jobject obj, jstring key)
{
  const char *key_chars; // r4
  const char *i; // r5

  // Fetch the UTF-8 bytes of the Java string; the loop below modifies that buffer in place
  key_chars = (*env)->GetStringUTFChars(env, key, 0);
  // Walk every byte up to the terminating NUL and subtract one from it
  for ( i = key_chars; i - key_chars < strlen(key_chars); ++i )
    --*i;
  // Build the returned Java string from the modified buffer
  return (*env)->NewStringUTF(env, key_chars);
}

From this we can see that the encryption algorithm simply subtracts one from every character of the input.

4. Write the recovery algorithm

key = 'ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|'   # value returned by getFlag()

ret = ''
for char in key:
    tmp = ord(char)
    tmp += 1                 # undo the "minus one" that encrypt() applied
    t_char = chr(tmp)
    ret += t_char

print(ret)

# Output
flag{Ar3_y0u_go1nG_70_scarborough_Fair}

Flag obtained.
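As an added check that is not part of the original writeup: a Python re-implementation of the decompiled encrypt() together with its inverse, used to replay the app's onGoClick() comparison locally, so the recovered flag is verified the same way the app verifies it rather than just eyeballed. The stored value is the string hooked from getFlag() above; the names STORED, encrypt, decrypt and check_flag are mine, and the code assumes ASCII input (the native code works on UTF-8 bytes, which is the same thing for this flag).

```python
# Added example, not from the original writeup: re-implement the decompiled
# JNI encrypt() and its inverse, then replay the app's onGoClick() check locally.

# Value returned by getFlag(), as captured with objection in the writeup.
STORED = "ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|"


def encrypt(plaintext: str) -> str:
    """Mirror of Java_com_ph0en1x_android_1crackme_MainActivity_encrypt:
    every byte of the UTF-8 string is decremented by one.
    Assumption: ASCII input, so per-character equals per-byte processing."""
    return "".join(chr(ord(c) - 1) for c in plaintext)


def decrypt(ciphertext: str) -> str:
    """Inverse of encrypt(): add one back to every character."""
    return "".join(chr(ord(c) + 1) for c in ciphertext)


def check_flag(candidate: str) -> bool:
    """Same comparison as onGoClick(). getSecret() is applied to both sides
    there, so any input with encrypt(input) == getFlag() passes no matter
    what getSecret() does; it is therefore left out of the local check."""
    return encrypt(candidate) == STORED


if __name__ == "__main__":
    flag = decrypt(STORED)
    print(flag)
    # Replays the app's own accept/reject decision on the recovered flag.
    print("Success" if check_flag(flag) else "Failed")
```

Running the script prints the recovered flag followed by "Success"; feeding check_flag() any other string reproduces the app's "Failed" branch.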

posted @ 2023-03-20 11:27 明月照江江