
一个小程序的解析(未完待续)

作者: bluewind1230 | 来源:发表于2018-01-26 20:20 被阅读0次

    会用到 Android Killer、JEB 以及 Android Studio 来动态调试 smali 汇编(如何搭建环境、使用这些工具请看之前写的几个博客:
    https://www.jianshu.com/p/7ca677fea8c3
    https://www.jianshu.com/p/a6d472af3edf
    https://www.jianshu.com/p/2c9ba6a13b2d
    https://www.jianshu.com/p/10994a7fccd4
    );
    先将这个apk拖入Android Killer中反编译,解析:
    抛出了一个异常:

    image.png
    又抛出了一个异常:
    image.png
    Android Killer 中反编译出来的 Java 代码:
    M.class
    package ctf.bobbydylan;
    
    import android.content.Intent;
    import android.os.Bundle;
    import android.widget.Button;
    import android.widget.TextView;
    import java.io.PrintStream;
    
    // Android Killer's reconstruction of M.  The decompiler has mis-nested the
    // control flow: str1/arrayOfInt are used before their declarations, the
    // statements after `throw` are unreachable, and the loop increment sits
    // behind a `continue`.  Read it for the constants and the comparison only;
    // the JEB listing further down recovers the intended structure.
    public class M
      extends T
    {
      // Validates the user's input.  Throws RuntimeException on any mismatch
      // (the caller, a.onClick(), turns that into the "错误" dialog).
      public void check(String paramString)
      {
        int i = 0;
        // Gate 1: the input must be exactly 16 characters long.
        if (paramString.length() != 16) {
          throw new RuntimeException();
        }
        try
        {
          str1 = getKey();   // "bobbydylan": M overrides T.getKey() (see below)
          arrayOfInt = new int[16];   // per-position expected values
          arrayOfInt[0] = 0;
          arrayOfInt[12] = 14;
          arrayOfInt[10] = 7;
          arrayOfInt[14] = 15;
          arrayOfInt[15] = 42;
          arrayOfInt[1] = 3;
          arrayOfInt[5] = 5;
        }
        catch (Exception localException1)
        {
          try
          {
            String str1;
            System.out.println();
            arrayOfInt[6] = 15;
            arrayOfInt[2] = 13;
            arrayOfInt[3] = 19;
            arrayOfInt[11] = 68;
            arrayOfInt[4] = 85;
            arrayOfInt[13] = 5;
            arrayOfInt[9] = 7;
            arrayOfInt[7] = 78;
            arrayOfInt[8] = 22;
            // Gate 2 (really a loop over i, see the JEB version): for every
            // position, table[i] must equal input[i] XOR key[i % key.length()],
            // both reduced to their low byte.
            if (i < paramString.length()) {
              if ((arrayOfInt[i] & 0xFF) != ((paramString.charAt(i) ^ str1.charAt(i % str1.length())) & 0xFF))
              {
                throw new RuntimeException();
                // Dead code: nothing after an unconditional throw can execute.
                // Note that System.arraycopy on two Strings (not arrays) would
                // itself throw ArrayStoreException if it were ever reached.
                localException1 = localException1;
                String str2 = getKey();
                System.arraycopy(str2, 0, paramString, 5, 5);
              }
            }
          }
          catch (Exception localException2)
          {
            for (;;)
            {
              int[] arrayOfInt;
              // These two writes belong to a catch arm that only runs if the
              // earlier try body throws; the JEB listing shows them as such.
              arrayOfInt[5] = 37;
              arrayOfInt[1] = 85;
              continue;
              i += 1;   // the loop increment, displaced here by the decompiler
            }
          }
        }
      }
      
      // Overrides T.getKey() ("bobdylan"); check() calls this version.
      public String getKey()
      {
        return "bobbydylan";
      }
      
      // Activity setup: starts the background service P and wires the
      // button's click handler (class a) to the input TextView.
      public void onCreate(Bundle paramBundle)
      {
        super.onCreate(paramBundle);
        setContentView(2130903040);   // raw resource id; R.* name not recovered
        startService(new Intent(this, P.class));
        ((Button)findViewById(2131099649)).setOnClickListener(new a(this, (TextView)findViewById(2131099648)));
      }
      
      // Stops service P when the activity leaves the foreground.
      protected void onPause()
      {
        stopService(new Intent(this, P.class));
        super.onPause();
      }
    }
    
    

    要想上面两个异常都不成立,必须满足:
    if ((arrayOfInt[i] & 0xFF) != ((paramString.charAt(i) ^ str1.charAt(i % str1.length())) & 0xFF))中

    (arrayOfInt[i] & 0xFF) == ((paramString.charAt(i) ^ str1.charAt(i % str1.length())) & 0xFF)
    

    以及:
    if (paramString.length() != 16)中:
    paramString.length() == 16

    再看看下面的一个类a;


    image.png

    查看Android killer反编译出来的源代码:

    package ctf.bobbydylan;
    
    import android.app.AlertDialog;
    import android.app.AlertDialog.Builder;
    import android.view.View;
    import android.view.View.OnClickListener;
    import android.widget.TextView;
    
    // Android Killer's reconstruction of the click listener.  The fields
    // this.a (TextView) and this.b (M) are used but not declared here, and the
    // constructor body is empty: this output lost the field assignments that
    // the JEB listing of the same class shows.
    class a
      implements View.OnClickListener
    {
      a(M paramM, TextView paramTextView) {}
      
      // Reads the TextView's text, runs M.check() on it and shows "正确" if
      // check() returns normally, "错误" if it throws anything.
      public void onClick(View paramView)
      {
        try
        {
          paramView = this.a.getText().toString();   // decompiler reuses the parameter slot
          this.b.check(paramView);
          new AlertDialog.Builder(this.b).setMessage("正确").setNeutralButton("OK", null).create().show();
          return;
        }
        catch (Exception paramView)   // same slot reused again for the exception
        {
          new AlertDialog.Builder(this.b).setMessage("错误").setNeutralButton("OK", null).create().show();
        }
      }
    }
    
    

    这个类应该就是最后点击按钮时弹出相应对话框的地方

    再看看 JEB 里面反编译出来的源代码:

    M类:
    package ctf.bobbydylan;
    
    import android.content.Context;
    import android.content.Intent;
    import android.os.Bundle;
    
    // JEB's reconstruction of M: same class as above, with the control flow
    // recovered (the while loop and the two try/catch pairs are now in order).
    public class M extends T {
        public M() {
            super();
        }
    
        // Validates the 16-character input against a fixed table.
        // Throws RuntimeException if the length is wrong or any position
        // fails the comparison below.
        public void check(String arg10) {
            String v0_1;
            int v7 = 15;
            int v6 = 7;
            int v1 = 0;
            int v5 = 5;
            // Gate 1: exact length of 16.
            if(arg10.length() != 16) {
                throw new RuntimeException();
            }
    
            // Key lookup.  this.getKey() dispatches to M.getKey() below, not
            // to T.getKey(); the two return different strings.
            try {
                v0_1 = this.getKey();
            }
            catch(Exception v0) {
                // Only reached if getKey() throws, which the visible body never
                // does.  If it did run, arraycopy on two Strings (not arrays)
                // would throw ArrayStoreException.
                v0_1 = this.getKey();
                System.arraycopy(v0_1, 0, arg10, v5, v5);
            }
    
            // Expected-value table, filled out of order.  Assuming neither try
            // body throws, the resolved contents are:
            //   index: 0 1  2  3  4  5  6  7  8 9 10 11 12 13 14 15
            //   value: 0 3 13 19 85  5 15 78 22 7  7 68 14  5 15 42
            int[] v2 = new int[16];
            v2[0] = 0;
            v2[12] = 14;
            v2[10] = v6;
            v2[14] = v7;
            v2[v7] = 42;
            int v4 = 3;
            try {
                v2[1] = v4;
                v2[5] = 5;
                System.out.println();
            }
            catch(Exception v3) {
                // Alternate values for slots 5 and 1; only taken if the try
                // body above throws.
                v2[v5] = 37;
                v2[1] = 85;
            }
    
            v2[6] = v7;
            v2[2] = 13;
            v2[3] = 19;
            v2[11] = 68;
            v2[4] = 85;
            v2[13] = v5;
            v2[9] = v6;
            v2[v6] = 78;
            v2[8] = 22;
            // Gate 2: for each position i, the low byte of
            // input[i] XOR key[i % key.length()] must equal v2[i].
            while(v1 < arg10.length()) {
                if((v2[v1] & 255) != ((arg10.charAt(v1) ^ v0_1.charAt(v1 % v0_1.length())) & 255)) {
                    throw new RuntimeException();
                }
    
                ++v1;
            }
        }
    
        // Overrides T.getKey() ("bobdylan"); this is the key check() uses.
        public String getKey() {
            return "bobbydylan";
        }
    
        // Activity setup: start service P and attach the click listener (class a).
        public void onCreate(Bundle arg4) {
            super.onCreate(arg4);
            this.setContentView(2130903040);   // raw resource id; R.* name not recovered
            this.startService(new Intent(((Context)this), P.class));
            this.findViewById(2131099649).setOnClickListener(new a(this, this.findViewById(2131099648)));
        }
    
        // Stop service P when the activity is paused.
        protected void onPause() {
            this.stopService(new Intent(((Context)this), P.class));
            super.onPause();
        }
    }
    
    
    
    
    P类:
    package ctf.bobbydylan;
    
    import android.app.Service;
    import android.content.Context;
    import android.content.Intent;
    import android.media.MediaPlayer;
    import android.os.IBinder;
    
    // Background service started by M.onCreate(): plays one raw resource on a
    // loop and is unrelated to the input check.
    public class P extends Service {
        MediaPlayer a;   // the looping player; null until onStartCommand() creates it
    
        public P() {
            super();
        }
    
        // Not a bound service.
        public IBinder onBind(Intent arg2) {
            return null;
        }
    
        // Stops the player (if any) before the service goes away.
        public void onDestroy() {
            if(this.a != null) {
                this.a.stop();
                this.a = null;
            }
    
            super.onDestroy();
        }
    
        // Creates and starts the looping player on first start; later starts
        // (player already present) skip straight to the super call.
        public int onStartCommand(Intent arg3, int arg4, int arg5) {
            try {
                if(this.a != null) {
                    goto label_10;   // JEB pseudo-syntax (Java has no goto): jump to the return below
                }
    
                this.a = MediaPlayer.create(((Context)this), 2130968576);   // raw resource id
                this.a.start();
                this.a.setLooping(true);
            }
            catch(Exception v0) {
                // Any failure creating/starting the player is swallowed; the
                // service still returns the superclass result.
            }
    
        label_10:
            return super.onStartCommand(arg3, arg4, arg5);
        }
    }
    
    
    a类:
    
    package ctf.bobbydylan;
    
    import android.app.AlertDialog$Builder;
    import android.content.DialogInterface$OnClickListener;
    import android.view.View$OnClickListener;
    import android.view.View;
    import android.widget.TextView;
    
    // JEB's reconstruction of the click listener.  The fields this.b (M) and
    // this.a (TextView) are not declared in this output, and super() appears
    // after the field writes (decompiler ordering; Java source would require
    // it first).
    class a implements View$OnClickListener {
        a(M arg1, TextView arg2) {
            this.b = arg1;   // the activity whose check() is called
            this.a = arg2;   // the input field
            super();
        }
    
        // Runs M.check() on the TextView's text: "正确" if it returns,
        // "错误" if it throws.  The null v3 is just the listener argument
        // for the "OK" button, same as the literal null in the try branch.
        public void onClick(View arg5) {
            DialogInterface$OnClickListener v3 = null;
            try {
                this.b.check(this.a.getText().toString());
                new AlertDialog$Builder(this.b).setMessage("正确").setNeutralButton("OK", null).create().show();
            }
            catch(Exception v0) {
                new AlertDialog$Builder(this.b).setMessage("错误").setNeutralButton("OK", v3).create().show();
            }
        }
    }
    
    
    

    T类:

    package ctf.bobbydylan;
    
    import android.app.Activity;
    
    // Base activity.  Its getKey() returns "bobdylan", but M overrides it with
    // "bobbydylan", so the this.getKey() call inside M.check() uses M's value;
    // reading T alone gives the wrong key.
    public abstract class T extends Activity {
        public T() {
            super();
        }
    
        // Overridden in M; never the value check() actually sees.
        public String getKey() {
            return "bobdylan";
        }
    }
    
    
    
    

    还需要动态调试 smali 汇编

    小结:一般先找onClick()相关的函数(即:最后的对话框),然后从中找出一些关键点,再猜((lll¬ω¬))
