丢个大佬萌秒破的CM

赤座灯里

成功：

网上抄的很常见的一种算法，真码是唯一的，请追码哦
无壳无混淆

梦游枪手

重载了oncreate方法，楼上看到的算法只是一个幌子，真实算法在so里面。



native-lib拉到IDA分析，找到x函数

[C] 纯文本查看 复制代码

?

001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342

int __fastcall Java_androidx_appcompat_app_Activity_x__Ljava_lang_String_2(JNIEnv *a1, int a2, int a3) {   JNIEnv *v3; // r4   jobject v5; // r11   jobject v6; // r5   jstring v7; // r10   jobjectArray v8; // r8   jobject v9; // r6   jobject v10; // r5   void *v11; // r1   jobject v12; // r8   jobject v13; // r6   jobject v14; // r10   jint v15; // r6   int v16; // r6   jint v17; // r8   jobject v18; // r6   void *v19; // r1   jobject v20; // r8   _jmethodID *v21; // r2   jsize v22; // r5   jboolean v23; // r10   int v24; // r5   jint v26; // [sp+20h] [bp-C0h]   jobject v27; // [sp+24h] [bp-BCh]   jstring v28; // [sp+28h] [bp-B8h]   jobject v29; // [sp+28h] [bp-B8h]   void *v30; // [sp+28h] [bp-B8h]   jobject v31; // [sp+2Ch] [bp-B4h]   void *v32; // [sp+34h] [bp-ACh]   void *v33; // [sp+34h] [bp-ACh]   jmethodID v34; // [sp+3Ch] [bp-A4h]   jmethodID v35; // [sp+40h] [bp-A0h]   int v36; // [sp+44h] [bp-9Ch]   _jmethodID *v37; // [sp+48h] [bp-98h]   jmethodID v38; // [sp+4Ch] [bp-94h]   jmethodID v39; // [sp+50h] [bp-90h]   jmethodID v40; // [sp+54h] [bp-8Ch]   jmethodID v41; // [sp+58h] [bp-88h]   jmethodID v42; // [sp+5Ch] [bp-84h]   jmethodID v43; // [sp+60h] [bp-80h]   jmethodID v44; // [sp+64h] [bp-7Ch]   jmethodID v45; // [sp+68h] [bp-78h]   jmethodID v46; // [sp+6Ch] [bp-74h]   jmethodID v47; // [sp+70h] [bp-70h]   jmethodID v48; // [sp+74h] [bp-6Ch]   jmethodID v49; // [sp+78h] [bp-68h]   jclass v50; // [sp+7Ch] [bp-64h]   int v51; // [sp+80h] [bp-60h]   void *v52; // [sp+84h] [bp-5Ch]   int v53; // [sp+88h] [bp-58h]   int v54; // [sp+8Ch] [bp-54h]   jclass v55; // [sp+90h] [bp-50h]   int v56; // [sp+94h] [bp-4Ch]   void *v57; // [sp+98h] [bp-48h]   jclass v58; // [sp+9Ch] [bp-44h]   int v59; // [sp+A0h] [bp-40h]   jclass v60; // [sp+A4h] [bp-3Ch]   jvalue v61; // [sp+A8h] [bp-38h]   jobjectArray v62; // [sp+B0h] [bp-30h]   jint v63; // [sp+B8h] [bp-28h]   int v64; // [sp+C0h] [bp-20h]     v3 = a1;   v60 = 0;   v58 = 0;   v59 = 0;   v56 = 0;   v57 = 0;   v54 = 0;   v55 = 0;   v52 = 0;   v53 = 0;   v50 = 0;   v51 = 0;   v48 = 0;   v49 = 0;   v46 = 0;   v47 = 0;   v44 = 0;   v45 = 0;   v42 = 0;   v43 = 0;   v40 = 0;   v41 = 0;   v38 = 0;   v39 = 0;   v36 = 0;   v37 = 0;   v34 = 0;   v35 = 0;   v5 = (*a1)->NewLocalRef(a1, (jobject)a2);   v6 = (*v3)->NewLocalRef(v3, (jobject)a3);   v7 = (*v3)->NewStringUTF(v3, "%s/%s");   if ( sub_7E90(v3, (int *)&v60, (int)"java/lang/Object") )     goto LABEL_82;   v8 = (*v3)->NewObjectArray(v3, 2, v60, 0);   if ( (*v3)->ExceptionCheck(v3) )     goto LABEL_82;   if ( !v5 )     goto LABEL_81;   if ( sub_7FAC(v3, &v59, &v49, 0, "androidx/appcompat/app/Activity", "getCacheDir", "()Ljava/io/File;") )     goto LABEL_82;   v9 = (*v3)->CallObjectMethodA(v3, v5, v49, &v61);   if ( (*v3)->ExceptionCheck(v3) )     goto LABEL_82;   if ( !v8 )     goto LABEL_81;   (*v3)->SetObjectArrayElement(v3, v8, 0, v9);   if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )     goto LABEL_82;   (*v3)->SetObjectArrayElement(v3, v8, 1, v6);   if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )     goto LABEL_82;   if ( sub_7FAC(          v3,          &v58,          &v48,          1,          "java/lang/String",          "format",          "(Ljava/lang/String;[Ljava/lang/Object;)Ljava/lang/String;") )   {     goto LABEL_82;   }   v62 = v8;   v61.i = (jint)v7;   v31 = (*v3)->CallStaticObjectMethodA(v3, v58, v48, &v61);   if ( (*v3)->ExceptionCheck(v3) )     goto LABEL_82;   if ( v6 )     (*v3)->DeleteLocalRef(v3, v6);   if ( sub_7FAC(          v3,          &v59,          &v47,          0,          "androidx/appcompat/app/Activity",          "getResources",          "()Landroid/content/res/Resources;") )   {     goto LABEL_82;   }   v10 = (*v3)->CallObjectMethodA(v3, v5, v47, &v61);   if ( (*v3)->ExceptionCheck(v3) )     goto LABEL_82;   if ( v7 )     (*v3)->DeleteLocalRef(v3, v7);   (*v3)->DeleteLocalRef(v3, v8);   v11 = v57;   if ( !v57 )   {     if ( sub_7E90(v3, (int *)&v57, (int)"java/io/BufferedReader") )       goto LABEL_82;     v11 = v57;   }   v12 = (*v3)->AllocObject(v3, v11);   if ( (*v3)->ExceptionCheck(v3) )     goto LABEL_82;   if ( v9 )     (*v3)->DeleteLocalRef(v3, v9);   if ( !v56 && sub_7E90(v3, &v56, (int)"java/io/InputStreamReader") )     goto LABEL_82;   v32 = (void *)((int (__fastcall *)(JNIEnv *))(*v3)->AllocObject)(v3);   if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )     goto LABEL_82;   if ( sub_7FAC(v3, &v55, &v46, 1, "java/lang/Runtime", "getRuntime", "()Ljava/lang/Runtime;") )     goto LABEL_82;   v13 = (*v3)->CallStaticObjectMethodA(v3, v55, v46, &v61);   if ( (*v3)->ExceptionCheck(v3) )     goto LABEL_82;   v28 = (*v3)->NewStringUTF(v3, "getprop ro.product.cpu.abi");   if ( !v13 )     goto LABEL_81;   if ( sub_7FAC(v3, &v55, &v45, 0, "java/lang/Runtime", "exec", "(Ljava/lang/String;)Ljava/lang/Process;") )     goto LABEL_82;   v61.i = (jint)v28;   v29 = (*v3)->CallObjectMethodA(v3, v13, v45, &v61);   if ( (*v3)->ExceptionCheck(v3) )     goto LABEL_82;   (*v3)->DeleteLocalRef(v3, v13);   if ( !v29 )     goto LABEL_81;   if ( sub_7FAC(v3, &v54, &v44, 0, "java/lang/Process", "getInputStream", "()Ljava/io/InputStream;") )     goto LABEL_82;   v14 = (*v3)->CallObjectMethodA(v3, v29, v44, &v61);   if ( (*v3)->ExceptionCheck(v3) )     goto LABEL_82;   (*v3)->DeleteLocalRef(v3, v29);   if ( !v32 )     goto LABEL_81;   if ( sub_7FAC(v3, &v56, &v43, 0, "java/io/InputStreamReader", "<init>", "(Ljava/io/InputStream;)V") )     goto LABEL_82;   v61.i = (jint)v14;   (*v3)->CallVoidMethodA(v3, v32, v43, &v61);   if ( (*v3)->ExceptionCheck(v3) )     goto LABEL_82;   if ( !v12 )     goto LABEL_81;   if ( sub_7FAC(v3, &v57, &v42, 0, "java/io/BufferedReader", "<init>", "(Ljava/io/Reader;)V") )     goto LABEL_82;   v61.i = (jint)v32;   (*v3)->CallVoidMethodA(v3, v12, v42, &v61);   if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )     goto LABEL_82;   if ( sub_7FAC(v3, &v57, &v41, 0, "java/io/BufferedReader", "readLine", "()Ljava/lang/String;") )     goto LABEL_82;   v27 = (*v3)->CallObjectMethodA(v3, v12, v41, &v61);   if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )     goto LABEL_82;   ((void (__fastcall *)(JNIEnv *, jobject))(*v3)->DeleteLocalRef)(v3, v12);   ((void (__fastcall *)(JNIEnv *, void *))(*v3)->DeleteLocalRef)(v3, v32);   v15 = ((int (__fastcall *)(JNIEnv *, const char *))(*v3)->NewStringUTF)(v3, "64");   if ( !v27 )     goto LABEL_81;   if ( sub_7FAC(v3, &v58, &v40, 0, "java/lang/String", "contains", "(Ljava/lang/CharSequence;)Z") )     goto LABEL_82;   v61.i = v15;   v16 = (*v3)->CallBooleanMethodA(v3, v27, v40, &v61);   if ( (*v3)->ExceptionCheck(v3) )     goto LABEL_82;   v17 = 2131492865;                             // y.z   if ( !v16 )     v17 = 2131492864;                           // x.y   if ( !v10 )     goto LABEL_81;   if ( !sub_7FAC(v3, &v53, &v39, 0, "android/content/res/Resources", "openRawResource", "(I)Ljava/io/InputStream;") )   {     v61.i = v17;     v18 = (*v3)->CallObjectMethodA(v3, v10, v39, &v61);     if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )     {       (*v3)->DeleteLocalRef(v3, v10);       (*v3)->DeleteLocalRef(v3, v27);       v19 = v52;       if ( !v52 )       {         if ( sub_7E90(v3, (int *)&v52, (int)"java/io/FileOutputStream") )           goto LABEL_82;         v19 = v52;       }       v20 = (*v3)->AllocObject(v3, v19);       if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )       {         if ( v20 )         {           if ( sub_7FAC(v3, &v52, &v38, 0, "java/io/FileOutputStream", "<init>", "(Ljava/lang/String;)V") )             goto LABEL_82;           v61.i = (jint)v31;           (*v3)->CallVoidMethodA(v3, v20, v38, &v61);           if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )             goto LABEL_82;           if ( v14 )             ((void (__fastcall *)(JNIEnv *, jobject))(*v3)->DeleteLocalRef)(v3, v14);           v33 = (void *)((int (__fastcall *)(JNIEnv *, int))(*v3)->NewByteArray)(v3, 1024);           if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )             goto LABEL_82;           if ( v18 )           {             v30 = 0;             while ( 1 )             {               v21 = v37;               if ( !v37 )               {                 if ( sub_7FAC(v3, &v51, &v37, 0, "java/io/InputStream", "read", "([B)I") )                   goto LABEL_82;                 v21 = v37;               }               v61.i = (jint)v33;               v26 = (*v3)->CallIntMethodA(v3, v18, v21, &v61);               if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )                 goto LABEL_82;               if ( v26 == -1 )               {                 if ( sub_7FAC(v3, &v50, &v35, 1, "java/lang/System", "load", "(Ljava/lang/String;)V") )                   goto LABEL_82;                 v61.i = (jint)v31;                 (*v3)->CallStaticVoidMethodA(v3, v50, v35, &v61);                 if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )                   goto LABEL_82;                 if ( sub_7FAC(v3, &v59, &v34, 0, "androidx/appcompat/app/Activity", "xx", "(I)V") )                   goto LABEL_82;                 v61.i = 2131165304;                 (*v3)->CallVoidMethodA(v3, v5, v34, &v61);                 if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )                   goto LABEL_82;                 return _stack_chk_guard - v64;               }               if ( v30 )                 ((void (__fastcall *)(JNIEnv *, void *))(*v3)->DeleteLocalRef)(v3, v30);               v30 = (void *)((int (__fastcall *)(JNIEnv *, int))(*v3)->NewByteArray)(v3, 1024);               if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )               {                 v22 = 0;                 while ( v22 != 1024 )                 {                   if ( !v33 )                     goto LABEL_81;                   (*v3)->GetByteArrayRegion(v3, v33, v22, 1, (jbyte *)&v61);                   v23 = v61.z;                   if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )                   {                     if ( !v30 )                       goto LABEL_81;                     v61.z = v23 ^ 0xA;          // 解密raw, xor 0xa                     (*v3)->SetByteArrayRegion(v3, v30, v22++, 1, (const jbyte *)&v61);                     if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )                       continue;                   }                   goto LABEL_82;                 }                 if ( v36 || !sub_7FAC(v3, &v52, &v36, 0, "java/io/FileOutputStream", "write", "([BII)V") )                 {                   v63 = v26;                   v62 = 0;                   v61.i = (jint)v30;                   ((void (__fastcall *)(JNIEnv *, jobject))(*v3)->CallVoidMethodA)(v3, v20);                   if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )                     continue;                 }               }               goto LABEL_82;             }           }         } LABEL_81:         sub_7BC4(v3, "java/lang/NullPointerException", "NullPointerException");         goto LABEL_82;       }     }   } LABEL_82:   v24 = ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionOccurred)(v3);   ((void (__fastcall *)(JNIEnv *))(*v3)->ExceptionClear)(v3);   if ( !sub_7DFC(v3, v24, "java/lang/Exception") )   {     ((void (__fastcall *)(JNIEnv *, int))(*v3)->Throw)(v3, v24);     ((void (__fastcall *)(JNIEnv *, int))(*v3)->DeleteLocalRef)(v3, v24);   }   return _stack_chk_guard - v64; }

根据系统位数判断要加载哪个so，解密后再load。那就把res/raw里面的so提取出来解密。
真正的判断函数是这个

[C] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39

__int64 __fastcall sub_CDDC(JNIEnv *a1, __int64 a2, unsigned int a3) {   const char *v5; // x22   const char *v6; // x23   size_t v8; // w0   __int64 result; // x0   jclass v10; // x0   jmethodID v11; // x0   __int64 v12; // x20   jclass v13; // x0   jmethodID v14; // x21   jstring v15; // x0   jclass v16; // x0   jmethodID v17; // x0   jclass v18; // x0   jmethodID v19; // x2     v5 = (const char *)pbBuf;   v6 = toast[0];   v8 = strlen(toast[0]);   result = strncmp(v5, v6, v8);   if ( !(_DWORD)result )   {     v10 = (*a1)->FindClass(a1, "com/akari/crackme/MainActivity");     v11 = (*a1)->GetMethodID(a1, v10, "findViewById", "(I)Landroid/view/View;");     v12 = _JNIEnv::CallObjectMethod(a1, a2, v11, a3);     v13 = (*a1)->FindClass(a1, ed[0]);     v14 = (*a1)->GetMethodID(a1, v13, "setText", "(Ljava/lang/CharSequence;)V");     v15 = (*a1)->NewStringUTF(a1, "Congratulations~!");     _JNIEnv::CallVoidMethod(a1, v12, v14, v15);     v16 = (*a1)->FindClass(a1, ed[0]);     v17 = (*a1)->GetMethodID(a1, v16, "setTextColor", "(I)V");     _JNIEnv::CallVoidMethod(a1, v12, v17, 4294901760LL);     v18 = (*a1)->FindClass(a1, ed[0]);     v19 = (*a1)->GetMethodID(a1, v18, "setEnabled", "(Z)V");     result = _JNIEnv::CallVoidMethod(a1, v12, v19, 0LL);   }   return result; }

就一个strncmp，pbbuf在JNI_OnLoad那里解密，调试一下应该就能拿到，但是minsdkversion太高了，我的手机是7.1的，就不继续了。等其他大佬解开吧。

梦游枪手

赤座灯里 发表于 2020-4-23 13:26
调试是拿不到的。。第一个so用输入的key做文件名写出了第二个so，第二个so取自己文件名rc4解密的{:1_887: ...

这样啊，不过调试也能看出算法，伪代码看着难受。解密结果是"WELL_DONE~!"，我就只能分析到这里了

赤座灯里

梦游枪手 发表于 2020-4-23 13:20
重载了oncreate方法，楼上看到的算法只是一个幌子，真实算法在so里面。

调试是拿不到的。。第一个so用输入的key做文件名写出了第二个so，第二个so取自己文件名rc4解密的

a976606645

huzpsb 发表于 2020-4-23 08:03
[mw_shl_code=java,true]    public static void check(Context context, String str) {
        String s ...

但是是这样的，在文本框里输入的字符 长度为11的时候才进入这个IF判断   stringBuilder.toString()打印出来的值是16位的，实际在程序里输入并点击按钮后并没有成功。这个怎么搞呀

huzpsb

[Java] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

public static void check(Context context, String str) {         String str2 = "Akari";         if (str != null) {             try {                 if (str.length() == 11) {                     MessageDigest instance = MessageDigest.getInstance("MD5"); //MD5玩鬼啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊                     instance.reset();                     instance.update(str2.getBytes());                     str2 = toHexString(instance.digest());                     StringBuilder stringBuilder = new StringBuilder();                     for (int i = 0; i < str2.length(); i += 2) {                         stringBuilder.append(str2.charAt(i));                     } //我wjz就是饿死,从这里跳下去摔死,也不会在这里输出stringBuilder.toString()!                     if (stringBuilder.toString().equalsIgnoreCase(str)) {                         Toast.makeText(context, "Congratulations~!", 0).show();                         return;                     }                 }             } catch (NoSuchAlgorithmException e) {                 e.printStackTrace();             }         }         Toast.makeText(context, "不给戳～", 0).show();     }

赤座灯里

huzpsb 发表于 2020-4-23 08:03
[mw_shl_code=java,true]    public static void check(Context context, String str) {
        String s ...

试试呗(￣y▽￣)~*

赤座灯里

huzpsb 发表于 2020-4-23 08:03
[mw_shl_code=java,true]    public static void check(Context context, String str) {
        String s ...

成功如图所示哦

huzpsb

a976606645 发表于 2020-4-23 09:31
但是是这样的，在文本框里输入的字符 长度为11的时候才进入这个IF判断   stringBuilder.toString()打印出 ...

布吉岛啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊
我也没搞懂MD5是什么鬼啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊

赤座灯里

huzpsb 发表于 2020-4-23 10:28
布吉岛啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊
我也没搞懂MD5是什么鬼啊啊啊啊啊啊啊啊啊啊啊啊啊啊啊 ...

是可解也是很常见的算法，其他就不说啦

无敌小车

81aaabbf9395c72b

赤座灯里

无敌小车 发表于 2020-4-23 13:16
81aaabbf9395c72b

(???ω??｀)想看成功的画面