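I noticed that bugku has many reverse-engineering challenges I haven't done yet, so I started working through them one by one, hoping to solve them all.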
dextojar
After converting the dex to a jar, open it with Androidkiller and look at the code decompiled by jdgui.
MainActivity
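This is the MainActivity code. The code decompiled through Androidkiller doesn't read as well as jeb's output, so I opened the program in jeb as well, where the following key classes can be seen: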
MainActivity
class a
class c
class d
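The naming is messy, but by working through the code above patiently you can untangle how the pieces relate, or you can debug dynamically to trace the program's execution order. Tidied up, the result is as follows: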
    private void getKey() {
        try {
            InputStream stream = this.getResources().getAssets().open("url.png");
            int v = stream.available();
            byte[] bs = new byte[v];
            stream.read(bs, 0, v);
            byte[] keybyte = new byte[16];
            // the 16 key bytes sit at offset 144 inside url.png
            System.arraycopy(bs, 144, keybyte, 0, 16);
            this.key = new String(keybyte, "utf-8");
        } catch (Exception e) {
            e.printStackTrace();
        }
        //code
    }

    private String handle(String naive) {
        try {
            naive.getBytes("utf-8");
            StringBuilder str = new StringBuilder();
            // swap each pair of adjacent characters
            for (int i = 0; i < naive.length(); i += 2) {
                str.append(naive.charAt(i + 1));
                str.append(naive.charAt(i));
            }
            return str.toString();
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        return null;
    }

    protected void Encryption(byte[] key) {
        try {
            if (key == null) {
                byte[] bytes = "".getBytes("utf-8");
                MessageDigest messageDigest = MessageDigest.getInstance("MD5");
                byte[] bytes1 = messageDigest.digest(bytes);
                secretKeySpec = new SecretKeySpec(bytes1, "AES");
                cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
            } else {
                secretKeySpec = new SecretKeySpec(key, "AES");
                cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
            }
        } catch (Exception e) {
            //...
        }
    }
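The code above clearly shows that the program uses AES. Further analysis shows that it reads the key from url.png and then processes it with the handle function (swapping the characters at odd and even positions) to produce the final AES key. The input is encrypted with that key, and the result is compared with this encrypted value:

    new String(new byte[]{21, -93, -68, -94, 86, 117, -19, -68, -92, 33, 50, 118, 16, 13, 1, -15, -13, 3, 4, 103, -18, 81, 30, 68, 54, -93, 44, -23, 93, 98, 5, 59})

To decrypt, take the key out of url.png: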
key
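Write a script to apply the transformation; if you don't feel like writing one, the code copied straight out of jeb works too. After converting the ciphertext to Base64, we have both the ciphertext and the key.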
    package test;

    import java.io.UnsupportedEncodingException;
    import java.util.*;
    import java.util.Base64.Encoder;

    public class Main {
        // Pair swap copied from jeb's decompilation of the app
        public static String fun(String arg4) {
            String v0_2;
            try {
                arg4.getBytes("utf-8");
                StringBuilder v1 = new StringBuilder();
                int v0_1;
                for (v0_1 = 0; v0_1 < arg4.length(); v0_1 += 2) {
                    v1.append(arg4.charAt(v0_1 + 1));
                    v1.append(arg4.charAt(v0_1));
                }
                v0_2 = v1.toString();
            } catch (UnsupportedEncodingException v0) {
                v0.printStackTrace();
                v0_2 = null;
            }
            return v0_2;
        }

        public static void main(String[] args) {
            Encoder encoder = Base64.getEncoder();
            // Base64 form of the ciphertext the app compares against
            String result = encoder.encodeToString(new byte[]{21, -93, -68, -94, 86, 117, -19, -68, -92, 33, 50, 118, 16, 13, 1, -15, -13, 3, 4, 103, -18, 81, 30, 68, 54, -93, 44, -23, 93, 98, 5, 59});
            System.out.println(result);
            // final AES key: the string from url.png with each character pair swapped
            System.out.println(fun("this_is_the_key."));
        }
    }
Result
Then simply decrypt it with an online tool:
FaO8olZ17bykITJ2EA0B8fMDBGfuUR5ENqMs6V1iBTs=
htsii__sht_eek.y
Result
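
The decryption can also be done locally rather than on a website. The following is an added example, not code from the original post or from the app: it reuses the key string and ciphertext bytes shown above, and the class name `DecryptCheck` and its helper names are made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class DecryptCheck {
    // Same pair swap as handle()/fun() above; unlike those, a trailing odd
    // character is dropped instead of throwing.
    static String swapPairs(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i + 1 < s.length(); i += 2) {
            sb.append(s.charAt(i + 1)).append(s.charAt(i));
        }
        return sb.toString();
    }

    // The transformation string is the one the app passes to Cipher.getInstance().
    static byte[] aesEcb(int mode, String key, byte[] data) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "AES"));
        return cipher.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        String key = swapPairs("this_is_the_key."); // 16 bytes from url.png, offset 144
        byte[] stored = {21, -93, -68, -94, 86, 117, -19, -68, -92, 33, 50, 118, 16, 13, 1, -15,
                         -13, 3, 4, 103, -18, 81, 30, 68, 54, -93, 44, -23, 93, 98, 5, 59};

        // Self-check on a constructed sample: encrypt then decrypt must round-trip.
        byte[] sample = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        byte[] back = aesEcb(Cipher.DECRYPT_MODE, key, aesEcb(Cipher.ENCRYPT_MODE, key, sample));
        if (!Arrays.equals(sample, back)) {
            throw new IllegalStateException("round-trip failed");
        }

        try {
            byte[] plain = aesEcb(Cipher.DECRYPT_MODE, key, stored);
            System.out.println(new String(plain, StandardCharsets.UTF_8));
        } catch (BadPaddingException e) {
            // A wrong key almost always fails the PKCS#5 padding check instead of returning text.
            System.out.println("padding check failed: key or ciphertext is wrong");
        }
    }
}
```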