1. apk 安装到手机,老套路需要输入flag
2. jadx 打开apk,没有加壳
......
public void onGoClick(View v) {
String sInput = this.etFlag.getText().toString();
if (getSecret(getFlag()).equals(getSecret(encrypt(sInput)))) {
Toast.makeText(this, "Success", 1).show();
} else {
Toast.makeText(this, "Failed", 1).show();
}
}
......
从这里可以看出 getFlag() 应该是等于 encrypt(sInput) ,那么getSecret只是干扰项就不用看了
这两个方法是native方法, 先用objection 看一下 getFlag返回的是什么
com.ph0en1x.android_crackme on (xiaomi: 8.1.0) [usb] # android hooking watch class_method com.ph0en1x.andr
oid_crackme.MainActivity.getFlag --dump-return
(agent) Attempting to watch class com.ph0en1x.android_crackme.MainActivity and method getFlag.
(agent) Hooking com.ph0en1x.android_crackme.MainActivity.getFlag()
(agent) Registering job 0003115686069. Type: watch-method for: com.ph0en1x.android_crackme.MainActivity.getFlag
com.ph0en1x.android_crackme on (xiaomi: 8.1.0) [usb] # (agent) [0003115686069] Called com.ph0en1x.android_crackme.MainActivity.getFlag()
(agent) [0003115686069] Return Value: "ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|"
# 那么知道getFlag 返回的是"ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|"
3. IDA 打开so 看看 encrypt
jstring __fastcall Java_com_ph0en1x_android_1crackme_MainActivity_encrypt(JNIEnv *env, jobject obj, jstring key)
{
const char *key_chars; // r4
const char *i; // r5
key_chars = (*env)->GetStringUTFChars(env, key, 0);
for ( i = key_chars; i - key_chars < strlen(key_chars); ++i )
--*i;
return (*env)->NewStringUTF(env, key_chars);
}
分析可知, 加密算法位相当于每个字符都减一的字符
4. 写出还原算法
key = 'ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|'
ret = ''
for char in key:
tmp = ord(char)
print(tmp)
tmp += 1
t_char = chr(tmp)
ret += t_char
print(ret)
#日志
flag{Ar3_y0u_go1nG_70_scarborough_Fair}
成功获得flag
标签:Ph0en1x,getFlag,ph0en1x,crackme,key,Android,com,100,android From: https://www.cnblogs.com/gradyblog/p/17235725.html