1. First drag the apk into jadx and locate the program entry point.
2. Find the key function.
3. getFlag() and getSecret() are native functions. Roughly: the string returned by getFlag() is an encrypted string, and the comparison is done by running the input through the encrypt() function.
4. That gives at least three approaches: a Frida hook, patching in a toast, and JEB dynamic debugging.
Method 1: JEB dynamic debugging
Drag the apk into JEB, attach to the process, set a breakpoint on getSecret() (Ctrl+B), and run the apk.
Here the value of v1 is the return value of getFlag(); change its type from int to string to read the flag.
The return value is {ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|}
Method 2: patch in a toast
Drag the apk into Android Killer and add the following code (the smali for makeText()). From the method signature, p0 is the Context (this), v1 is the CharSequence to display, and v3 is the int duration:
# Toast.makeText(Context, CharSequence, int) -> Toast
invoke-static {p0, v1, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object v1
# Toast.show()
invoke-virtual {v1}, Landroid/widget/Toast;->show()V
Save and recompile.
Effect of the modification:
Method 3: Frida hook
import frida
import sys

# Hook the native implementation of MainActivity.getFlag() in libphcm.so and
# print its return value (a jstring) as a Java string when the function returns.
jscode = """
Java.perform(function () {
    Interceptor.attach(Module.findExportByName("libphcm.so", "Java_com_ph0en1x_android_1crackme_MainActivity_getFlag"), {
        onEnter: function (args) {
        },
        onLeave: function (retval) {
            // retval is the jstring handle returned by the JNI function;
            // cast it to java.lang.String so it prints as text.
            var String_java = Java.use('java.lang.String');
            var flag = Java.cast(retval, String_java);
            send("getFlag()==>" + flag);
        }
    });
});
"""

def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

# Attach to the running app over USB, load the script and keep the process alive
process = frida.get_usb_device().attach('com.ph0en1x.android_crackme')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()
Output:
Method 4: also a Frida hook. Method 3 hooked the native layer; it seemed the Java layer could be hooked just as well, so I tried it.
import frida
import sys

# Hook the Java-layer click handler MainActivity.onGoClick(View) and call the
# native getFlag() from inside it. Overload parameter types are written as Java
# type names: primitives as "int", classes fully qualified, e.g. "java.lang.String".
jscode = """
Java.perform(function () {
    var utils = Java.use('com.ph0en1x.android_crackme.MainActivity');
    utils.onGoClick.overload("android.view.View").implementation = function (a) {
        console.log("Hook Start...");
        var ret = this.getFlag();      // the stored (encrypted) string
        send(ret.toString());          // toString() so the Java String is sent as text
        send("Success!");
        // The original onGoClick is not invoked here, so the app's own check never runs.
    };
});
"""

def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

process = frida.get_usb_device().attach('com.ph0en1x.android_crackme')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()
Output (success):
5. What remains is dealing with getSecret(getFlag()).
The encrypt() function subtracts 1 from the ASCII code of every character of the input string, so the captured string is reversed by adding 1 to each character.
Write:
Flag = 'ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|'
result = ''
for i in Flag:
    result += chr(ord(i) + 1)   # undo encrypt(): ASCII code plus 1
print(result)
The flag obtained is flag{Ar3_y0u_go1nG_70_scarborough_Fair}
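As an added example, not code from the original writeup, the following Python models the check described in step 5 in both directions: encrypt() as the app's ASCII-minus-1 transform, its inverse, and a check_password() that mirrors how getSecret() compares the encrypted input against the string getFlag() returns. The function names, the treatment of the outer braces in the captured value as quoting (the flag's own braces survive inside the encoded string as 'z' and '|'), and the exact form of the comparison are assumptions; the captured string itself is the one from the JEB session above.

```python
# Added example (not part of the original writeup). Assumption: encrypt() maps each
# character c -> chr(ord(c) - 1), as the writeup states, and getFlag() returns the
# stored, already-"encrypted" string that the encrypted user input is compared with.

# Value captured from getFlag() in the JEB session above. The outer braces are
# assumed to be quoting and are stripped before decoding.
CAPTURED_RETURN = "{ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|}"


def encrypt(s: str) -> str:
    """Re-implementation of the app's encrypt(): ASCII code of every char minus 1."""
    return "".join(chr(ord(c) - 1) for c in s)


def decrypt(s: str) -> str:
    """Inverse of encrypt(): ASCII code of every char plus 1."""
    return "".join(chr(ord(c) + 1) for c in s)


def strip_quoting_braces(value: str) -> str:
    """Drop one outer pair of braces around a captured value.

    The clear-text flag's own '{' and '}' are encoded as 'z' and '|' inside the
    string, so only a wrapping pair that is literally '{' ... '}' is removed.
    """
    if len(value) >= 2 and value.startswith("{") and value.endswith("}"):
        return value[1:-1]
    return value


def check_password(user_input: str, secret: str) -> bool:
    """Models getSecret(): encrypt what the user typed and compare it with the
    stored string returned by getFlag(). Assumed comparison form."""
    return encrypt(user_input) == secret


def recover_flag(captured: str) -> str:
    """Recover the clear-text flag from a captured getFlag() return value."""
    return decrypt(strip_quoting_braces(captured))


if __name__ == "__main__":
    secret = strip_quoting_braces(CAPTURED_RETURN)
    flag = recover_flag(CAPTURED_RETURN)
    print(flag)                                    # flag{Ar3_y0u_go1nG_70_scarborough_Fair}
    print(check_password(flag, secret))            # True
    print(check_password("flag{wrong}", secret))   # False
```

Running the script prints the recovered flag and confirms it round-trips: encrypt(flag) equals the captured secret, so the flag passes the modelled check while any other input fails it.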