丢个大佬萌秒破的CM
本帖最后由 赤座灯里 于 2020-5-25 18:08 编辑成功:
网上抄的很常见的一种算法,真码是唯一的,请追码哦
无壳无混淆
重载了oncreate方法,楼上看到的算法只是一个幌子,真实算法在so里面。
native-lib拉到IDA分析,找到x函数
int __fastcall Java_androidx_appcompat_app_Activity_x__Ljava_lang_String_2(JNIEnv *a1, int a2, int a3)
{
JNIEnv *v3; // r4
jobject v5; // r11
jobject v6; // r5
jstring v7; // r10
jobjectArray v8; // r8
jobject v9; // r6
jobject v10; // r5
void *v11; // r1
jobject v12; // r8
jobject v13; // r6
jobject v14; // r10
jint v15; // r6
int v16; // r6
jint v17; // r8
jobject v18; // r6
void *v19; // r1
jobject v20; // r8
_jmethodID *v21; // r2
jsize v22; // r5
jboolean v23; // r10
int v24; // r5
jint v26; //
jobject v27; //
jstring v28; //
jobject v29; //
void *v30; //
jobject v31; //
void *v32; //
void *v33; //
jmethodID v34; //
jmethodID v35; //
int v36; //
_jmethodID *v37; //
jmethodID v38; //
jmethodID v39; //
jmethodID v40; //
jmethodID v41; //
jmethodID v42; //
jmethodID v43; //
jmethodID v44; //
jmethodID v45; //
jmethodID v46; //
jmethodID v47; //
jmethodID v48; //
jmethodID v49; //
jclass v50; //
int v51; //
void *v52; //
int v53; //
int v54; //
jclass v55; //
int v56; //
void *v57; //
jclass v58; //
int v59; //
jclass v60; //
jvalue v61; //
jobjectArray v62; //
jint v63; //
int v64; //
v3 = a1;
v60 = 0;
v58 = 0;
v59 = 0;
v56 = 0;
v57 = 0;
v54 = 0;
v55 = 0;
v52 = 0;
v53 = 0;
v50 = 0;
v51 = 0;
v48 = 0;
v49 = 0;
v46 = 0;
v47 = 0;
v44 = 0;
v45 = 0;
v42 = 0;
v43 = 0;
v40 = 0;
v41 = 0;
v38 = 0;
v39 = 0;
v36 = 0;
v37 = 0;
v34 = 0;
v35 = 0;
v5 = (*a1)->NewLocalRef(a1, (jobject)a2);
v6 = (*v3)->NewLocalRef(v3, (jobject)a3);
v7 = (*v3)->NewStringUTF(v3, "%s/%s");
if ( sub_7E90(v3, (int *)&v60, (int)"java/lang/Object") )
goto LABEL_82;
v8 = (*v3)->NewObjectArray(v3, 2, v60, 0);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( !v5 )
goto LABEL_81;
if ( sub_7FAC(v3, &v59, &v49, 0, "androidx/appcompat/app/Activity", "getCacheDir", "()Ljava/io/File;") )
goto LABEL_82;
v9 = (*v3)->CallObjectMethodA(v3, v5, v49, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( !v8 )
goto LABEL_81;
(*v3)->SetObjectArrayElement(v3, v8, 0, v9);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
(*v3)->SetObjectArrayElement(v3, v8, 1, v6);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( sub_7FAC(
v3,
&v58,
&v48,
1,
"java/lang/String",
"format",
"(Ljava/lang/String;[Ljava/lang/Object;)Ljava/lang/String;") )
{
goto LABEL_82;
}
v62 = v8;
v61.i = (jint)v7;
v31 = (*v3)->CallStaticObjectMethodA(v3, v58, v48, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( v6 )
(*v3)->DeleteLocalRef(v3, v6);
if ( sub_7FAC(
v3,
&v59,
&v47,
0,
"androidx/appcompat/app/Activity",
"getResources",
"()Landroid/content/res/Resources;") )
{
goto LABEL_82;
}
v10 = (*v3)->CallObjectMethodA(v3, v5, v47, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( v7 )
(*v3)->DeleteLocalRef(v3, v7);
(*v3)->DeleteLocalRef(v3, v8);
v11 = v57;
if ( !v57 )
{
if ( sub_7E90(v3, (int *)&v57, (int)"java/io/BufferedReader") )
goto LABEL_82;
v11 = v57;
}
v12 = (*v3)->AllocObject(v3, v11);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( v9 )
(*v3)->DeleteLocalRef(v3, v9);
if ( !v56 && sub_7E90(v3, &v56, (int)"java/io/InputStreamReader") )
goto LABEL_82;
v32 = (void *)((int (__fastcall *)(JNIEnv *))(*v3)->AllocObject)(v3);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( sub_7FAC(v3, &v55, &v46, 1, "java/lang/Runtime", "getRuntime", "()Ljava/lang/Runtime;") )
goto LABEL_82;
v13 = (*v3)->CallStaticObjectMethodA(v3, v55, v46, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
v28 = (*v3)->NewStringUTF(v3, "getprop ro.product.cpu.abi");
if ( !v13 )
goto LABEL_81;
if ( sub_7FAC(v3, &v55, &v45, 0, "java/lang/Runtime", "exec", "(Ljava/lang/String;)Ljava/lang/Process;") )
goto LABEL_82;
v61.i = (jint)v28;
v29 = (*v3)->CallObjectMethodA(v3, v13, v45, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
(*v3)->DeleteLocalRef(v3, v13);
if ( !v29 )
goto LABEL_81;
if ( sub_7FAC(v3, &v54, &v44, 0, "java/lang/Process", "getInputStream", "()Ljava/io/InputStream;") )
goto LABEL_82;
v14 = (*v3)->CallObjectMethodA(v3, v29, v44, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
(*v3)->DeleteLocalRef(v3, v29);
if ( !v32 )
goto LABEL_81;
if ( sub_7FAC(v3, &v56, &v43, 0, "java/io/InputStreamReader", "<init>", "(Ljava/io/InputStream;)V") )
goto LABEL_82;
v61.i = (jint)v14;
(*v3)->CallVoidMethodA(v3, v32, v43, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( !v12 )
goto LABEL_81;
if ( sub_7FAC(v3, &v57, &v42, 0, "java/io/BufferedReader", "<init>", "(Ljava/io/Reader;)V") )
goto LABEL_82;
v61.i = (jint)v32;
(*v3)->CallVoidMethodA(v3, v12, v42, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( sub_7FAC(v3, &v57, &v41, 0, "java/io/BufferedReader", "readLine", "()Ljava/lang/String;") )
goto LABEL_82;
v27 = (*v3)->CallObjectMethodA(v3, v12, v41, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
((void (__fastcall *)(JNIEnv *, jobject))(*v3)->DeleteLocalRef)(v3, v12);
((void (__fastcall *)(JNIEnv *, void *))(*v3)->DeleteLocalRef)(v3, v32);
v15 = ((int (__fastcall *)(JNIEnv *, const char *))(*v3)->NewStringUTF)(v3, "64");
if ( !v27 )
goto LABEL_81;
if ( sub_7FAC(v3, &v58, &v40, 0, "java/lang/String", "contains", "(Ljava/lang/CharSequence;)Z") )
goto LABEL_82;
v61.i = v15;
v16 = (*v3)->CallBooleanMethodA(v3, v27, v40, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
v17 = 2131492865; // y.z
if ( !v16 )
v17 = 2131492864; // x.y
if ( !v10 )
goto LABEL_81;
if ( !sub_7FAC(v3, &v53, &v39, 0, "android/content/res/Resources", "openRawResource", "(I)Ljava/io/InputStream;") )
{
v61.i = v17;
v18 = (*v3)->CallObjectMethodA(v3, v10, v39, &v61);
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
{
(*v3)->DeleteLocalRef(v3, v10);
(*v3)->DeleteLocalRef(v3, v27);
v19 = v52;
if ( !v52 )
{
if ( sub_7E90(v3, (int *)&v52, (int)"java/io/FileOutputStream") )
goto LABEL_82;
v19 = v52;
}
v20 = (*v3)->AllocObject(v3, v19);
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
{
if ( v20 )
{
if ( sub_7FAC(v3, &v52, &v38, 0, "java/io/FileOutputStream", "<init>", "(Ljava/lang/String;)V") )
goto LABEL_82;
v61.i = (jint)v31;
(*v3)->CallVoidMethodA(v3, v20, v38, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( v14 )
((void (__fastcall *)(JNIEnv *, jobject))(*v3)->DeleteLocalRef)(v3, v14);
v33 = (void *)((int (__fastcall *)(JNIEnv *, int))(*v3)->NewByteArray)(v3, 1024);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( v18 )
{
v30 = 0;
while ( 1 )
{
v21 = v37;
if ( !v37 )
{
if ( sub_7FAC(v3, &v51, &v37, 0, "java/io/InputStream", "read", "([B)I") )
goto LABEL_82;
v21 = v37;
}
v61.i = (jint)v33;
v26 = (*v3)->CallIntMethodA(v3, v18, v21, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( v26 == -1 )
{
if ( sub_7FAC(v3, &v50, &v35, 1, "java/lang/System", "load", "(Ljava/lang/String;)V") )
goto LABEL_82;
v61.i = (jint)v31;
(*v3)->CallStaticVoidMethodA(v3, v50, v35, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( sub_7FAC(v3, &v59, &v34, 0, "androidx/appcompat/app/Activity", "xx", "(I)V") )
goto LABEL_82;
v61.i = 2131165304;
(*v3)->CallVoidMethodA(v3, v5, v34, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
return _stack_chk_guard - v64;
}
if ( v30 )
((void (__fastcall *)(JNIEnv *, void *))(*v3)->DeleteLocalRef)(v3, v30);
v30 = (void *)((int (__fastcall *)(JNIEnv *, int))(*v3)->NewByteArray)(v3, 1024);
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
{
v22 = 0;
while ( v22 != 1024 )
{
if ( !v33 )
goto LABEL_81;
(*v3)->GetByteArrayRegion(v3, v33, v22, 1, (jbyte *)&v61);
v23 = v61.z;
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
{
if ( !v30 )
goto LABEL_81;
v61.z = v23 ^ 0xA; // 解密raw, xor 0xa
(*v3)->SetByteArrayRegion(v3, v30, v22++, 1, (const jbyte *)&v61);
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
continue;
}
goto LABEL_82;
}
if ( v36 || !sub_7FAC(v3, &v52, &v36, 0, "java/io/FileOutputStream", "write", "([BII)V") )
{
v63 = v26;
v62 = 0;
v61.i = (jint)v30;
((void (__fastcall *)(JNIEnv *, jobject))(*v3)->CallVoidMethodA)(v3, v20);
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
continue;
}
}
goto LABEL_82;
}
}
}
LABEL_81:
sub_7BC4(v3, "java/lang/NullPointerException", "NullPointerException");
goto LABEL_82;
}
}
}
LABEL_82:
v24 = ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionOccurred)(v3);
((void (__fastcall *)(JNIEnv *))(*v3)->ExceptionClear)(v3);
if ( !sub_7DFC(v3, v24, "java/lang/Exception") )
{
((void (__fastcall *)(JNIEnv *, int))(*v3)->Throw)(v3, v24);
((void (__fastcall *)(JNIEnv *, int))(*v3)->DeleteLocalRef)(v3, v24);
}
return _stack_chk_guard - v64;
}
根据系统位数判断要加载哪个so,解密后再load。那就把res/raw里面的so提取出来解密。
真正的判断函数是这个
__int64 __fastcall sub_CDDC(JNIEnv *a1, __int64 a2, unsigned int a3)
{
const char *v5; // x22
const char *v6; // x23
size_t v8; // w0
__int64 result; // x0
jclass v10; // x0
jmethodID v11; // x0
__int64 v12; // x20
jclass v13; // x0
jmethodID v14; // x21
jstring v15; // x0
jclass v16; // x0
jmethodID v17; // x0
jclass v18; // x0
jmethodID v19; // x2
v5 = (const char *)pbBuf;
v6 = toast;
v8 = strlen(toast);
result = strncmp(v5, v6, v8);
if ( !(_DWORD)result )
{
v10 = (*a1)->FindClass(a1, "com/akari/crackme/MainActivity");
v11 = (*a1)->GetMethodID(a1, v10, "findViewById", "(I)Landroid/view/View;");
v12 = _JNIEnv::CallObjectMethod(a1, a2, v11, a3);
v13 = (*a1)->FindClass(a1, ed);
v14 = (*a1)->GetMethodID(a1, v13, "setText", "(Ljava/lang/CharSequence;)V");
v15 = (*a1)->NewStringUTF(a1, "Congratulations~!");
_JNIEnv::CallVoidMethod(a1, v12, v14, v15);
v16 = (*a1)->FindClass(a1, ed);
v17 = (*a1)->GetMethodID(a1, v16, "setTextColor", "(I)V");
_JNIEnv::CallVoidMethod(a1, v12, v17, 4294901760LL);
v18 = (*a1)->FindClass(a1, ed);
v19 = (*a1)->GetMethodID(a1, v18, "setEnabled", "(Z)V");
result = _JNIEnv::CallVoidMethod(a1, v12, v19, 0LL);
}
return result;
}
就一个strncmp,pbbuf在JNI_OnLoad那里解密,调试一下应该就能拿到,但是minsdkversion太高了,我的手机是7.1的,就不继续了。等其他大佬解开吧。 赤座灯里 发表于 2020-4-23 13:26
调试是拿不到的。。第一个so用输入的key做文件名写出了第二个so,第二个so取自己文件名rc4解密的{:1_887: ...
这样啊,不过调试也能看出算法,伪代码看着难受。解密结果是"WELL_DONE~!",我就只能分析到这里了{:1_937:} 本帖最后由 赤座灯里 于 2020-4-24 01:41 编辑
梦游枪手 发表于 2020-4-23 13:20
重载了oncreate方法,楼上看到的算法只是一个幌子,真实算法在so里面。
调试是拿不到的。。第一个so用输入的key做文件名写出了第二个so,第二个so取自己文件名rc4解密的{:1_887:} huzpsb 发表于 2020-4-23 08:03
public static void check(Context context, String str) {
String s ...
但是是这样的,在文本框里输入的字符 长度为11的时候才进入这个IF判断 stringBuilder.toString()打印出来的值是16位的,实际在程序里输入并点击按钮后并没有成功。这个怎么搞呀{:301_999:} 本帖最后由 huzpsb 于 2020-4-23 09:11 编辑
public static void check(Context context, String str) {
String str2 = "Akari";
if (str != null) {
try {
if (str.length() == 11) {
MessageDigest instance = MessageDigest.getInstance("MD5");
//MD5玩鬼啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊
instance.reset();
instance.update(str2.getBytes());
str2 = toHexString(instance.digest());
StringBuilder stringBuilder = new StringBuilder();
for (int i = 0; i < str2.length(); i += 2) {
stringBuilder.append(str2.charAt(i));
}
//我wjz就是饿死,从这里跳下去摔死,也不会在这里输出stringBuilder.toString()!
if (stringBuilder.toString().equalsIgnoreCase(str)) {
Toast.makeText(context, "Congratulations~!", 0).show();
return;
}
}
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
}
Toast.makeText(context, "不给戳~", 0).show();
}
本帖最后由 赤座灯里 于 2020-4-23 10:12 编辑
huzpsb 发表于 2020-4-23 08:03
public static void check(Context context, String str) {
String s ...
试试呗( ̄y▽ ̄)~* 本帖最后由 赤座灯里 于 2020-4-23 10:13 编辑
huzpsb 发表于 2020-4-23 08:03
public static void check(Context context, String str) {
String s ...
成功如图所示哦 a976606645 发表于 2020-4-23 09:31
但是是这样的,在文本框里输入的字符 长度为11的时候才进入这个IF判断 stringBuilder.toString()打印出 ...
布吉岛啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊
我也没搞懂MD5是什么鬼啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊 本帖最后由 赤座灯里 于 2020-4-23 10:31 编辑
huzpsb 发表于 2020-4-23 10:28
布吉岛啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊
我也没搞懂MD5是什么鬼啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊 ...
是可解也是很常见的算法,其他就不说啦 81aaabbf9395c72b 无敌小车 发表于 2020-4-23 13:16
81aaabbf9395c72b
(???ω??`)想看成功的画面