好友
阅读权限25
听众
最后登录1970-1-1
|
梦游枪手
发表于 2020-4-23 13:20
重载了oncreate方法,楼上看到的算法只是一个幌子,真实算法在so里面。
native-lib拉到IDA分析,找到x函数
[C] 纯文本查看 复制代码 int __fastcall Java_androidx_appcompat_app_Activity_x__Ljava_lang_String_2(JNIEnv *a1, int a2, int a3)
{
JNIEnv *v3; // r4
jobject v5; // r11
jobject v6; // r5
jstring v7; // r10
jobjectArray v8; // r8
jobject v9; // r6
jobject v10; // r5
void *v11; // r1
jobject v12; // r8
jobject v13; // r6
jobject v14; // r10
jint v15; // r6
int v16; // r6
jint v17; // r8
jobject v18; // r6
void *v19; // r1
jobject v20; // r8
_jmethodID *v21; // r2
jsize v22; // r5
jboolean v23; // r10
int v24; // r5
jint v26; // [sp+20h] [bp-C0h]
jobject v27; // [sp+24h] [bp-BCh]
jstring v28; // [sp+28h] [bp-B8h]
jobject v29; // [sp+28h] [bp-B8h]
void *v30; // [sp+28h] [bp-B8h]
jobject v31; // [sp+2Ch] [bp-B4h]
void *v32; // [sp+34h] [bp-ACh]
void *v33; // [sp+34h] [bp-ACh]
jmethodID v34; // [sp+3Ch] [bp-A4h]
jmethodID v35; // [sp+40h] [bp-A0h]
int v36; // [sp+44h] [bp-9Ch]
_jmethodID *v37; // [sp+48h] [bp-98h]
jmethodID v38; // [sp+4Ch] [bp-94h]
jmethodID v39; // [sp+50h] [bp-90h]
jmethodID v40; // [sp+54h] [bp-8Ch]
jmethodID v41; // [sp+58h] [bp-88h]
jmethodID v42; // [sp+5Ch] [bp-84h]
jmethodID v43; // [sp+60h] [bp-80h]
jmethodID v44; // [sp+64h] [bp-7Ch]
jmethodID v45; // [sp+68h] [bp-78h]
jmethodID v46; // [sp+6Ch] [bp-74h]
jmethodID v47; // [sp+70h] [bp-70h]
jmethodID v48; // [sp+74h] [bp-6Ch]
jmethodID v49; // [sp+78h] [bp-68h]
jclass v50; // [sp+7Ch] [bp-64h]
int v51; // [sp+80h] [bp-60h]
void *v52; // [sp+84h] [bp-5Ch]
int v53; // [sp+88h] [bp-58h]
int v54; // [sp+8Ch] [bp-54h]
jclass v55; // [sp+90h] [bp-50h]
int v56; // [sp+94h] [bp-4Ch]
void *v57; // [sp+98h] [bp-48h]
jclass v58; // [sp+9Ch] [bp-44h]
int v59; // [sp+A0h] [bp-40h]
jclass v60; // [sp+A4h] [bp-3Ch]
jvalue v61; // [sp+A8h] [bp-38h]
jobjectArray v62; // [sp+B0h] [bp-30h]
jint v63; // [sp+B8h] [bp-28h]
int v64; // [sp+C0h] [bp-20h]
v3 = a1;
v60 = 0;
v58 = 0;
v59 = 0;
v56 = 0;
v57 = 0;
v54 = 0;
v55 = 0;
v52 = 0;
v53 = 0;
v50 = 0;
v51 = 0;
v48 = 0;
v49 = 0;
v46 = 0;
v47 = 0;
v44 = 0;
v45 = 0;
v42 = 0;
v43 = 0;
v40 = 0;
v41 = 0;
v38 = 0;
v39 = 0;
v36 = 0;
v37 = 0;
v34 = 0;
v35 = 0;
v5 = (*a1)->NewLocalRef(a1, (jobject)a2);
v6 = (*v3)->NewLocalRef(v3, (jobject)a3);
v7 = (*v3)->NewStringUTF(v3, "%s/%s");
if ( sub_7E90(v3, (int *)&v60, (int)"java/lang/Object") )
goto LABEL_82;
v8 = (*v3)->NewObjectArray(v3, 2, v60, 0);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( !v5 )
goto LABEL_81;
if ( sub_7FAC(v3, &v59, &v49, 0, "androidx/appcompat/app/Activity", "getCacheDir", "()Ljava/io/File;") )
goto LABEL_82;
v9 = (*v3)->CallObjectMethodA(v3, v5, v49, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( !v8 )
goto LABEL_81;
(*v3)->SetObjectArrayElement(v3, v8, 0, v9);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
(*v3)->SetObjectArrayElement(v3, v8, 1, v6);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( sub_7FAC(
v3,
&v58,
&v48,
1,
"java/lang/String",
"format",
"(Ljava/lang/String;[Ljava/lang/Object;)Ljava/lang/String;") )
{
goto LABEL_82;
}
v62 = v8;
v61.i = (jint)v7;
v31 = (*v3)->CallStaticObjectMethodA(v3, v58, v48, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( v6 )
(*v3)->DeleteLocalRef(v3, v6);
if ( sub_7FAC(
v3,
&v59,
&v47,
0,
"androidx/appcompat/app/Activity",
"getResources",
"()Landroid/content/res/Resources;") )
{
goto LABEL_82;
}
v10 = (*v3)->CallObjectMethodA(v3, v5, v47, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( v7 )
(*v3)->DeleteLocalRef(v3, v7);
(*v3)->DeleteLocalRef(v3, v8);
v11 = v57;
if ( !v57 )
{
if ( sub_7E90(v3, (int *)&v57, (int)"java/io/BufferedReader") )
goto LABEL_82;
v11 = v57;
}
v12 = (*v3)->AllocObject(v3, v11);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( v9 )
(*v3)->DeleteLocalRef(v3, v9);
if ( !v56 && sub_7E90(v3, &v56, (int)"java/io/InputStreamReader") )
goto LABEL_82;
v32 = (void *)((int (__fastcall *)(JNIEnv *))(*v3)->AllocObject)(v3);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( sub_7FAC(v3, &v55, &v46, 1, "java/lang/Runtime", "getRuntime", "()Ljava/lang/Runtime;") )
goto LABEL_82;
v13 = (*v3)->CallStaticObjectMethodA(v3, v55, v46, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
v28 = (*v3)->NewStringUTF(v3, "getprop ro.product.cpu.abi");
if ( !v13 )
goto LABEL_81;
if ( sub_7FAC(v3, &v55, &v45, 0, "java/lang/Runtime", "exec", "(Ljava/lang/String;)Ljava/lang/Process;") )
goto LABEL_82;
v61.i = (jint)v28;
v29 = (*v3)->CallObjectMethodA(v3, v13, v45, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
(*v3)->DeleteLocalRef(v3, v13);
if ( !v29 )
goto LABEL_81;
if ( sub_7FAC(v3, &v54, &v44, 0, "java/lang/Process", "getInputStream", "()Ljava/io/InputStream;") )
goto LABEL_82;
v14 = (*v3)->CallObjectMethodA(v3, v29, v44, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
(*v3)->DeleteLocalRef(v3, v29);
if ( !v32 )
goto LABEL_81;
if ( sub_7FAC(v3, &v56, &v43, 0, "java/io/InputStreamReader", "<init>", "(Ljava/io/InputStream;)V") )
goto LABEL_82;
v61.i = (jint)v14;
(*v3)->CallVoidMethodA(v3, v32, v43, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
if ( !v12 )
goto LABEL_81;
if ( sub_7FAC(v3, &v57, &v42, 0, "java/io/BufferedReader", "<init>", "(Ljava/io/Reader;)V") )
goto LABEL_82;
v61.i = (jint)v32;
(*v3)->CallVoidMethodA(v3, v12, v42, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( sub_7FAC(v3, &v57, &v41, 0, "java/io/BufferedReader", "readLine", "()Ljava/lang/String;") )
goto LABEL_82;
v27 = (*v3)->CallObjectMethodA(v3, v12, v41, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
((void (__fastcall *)(JNIEnv *, jobject))(*v3)->DeleteLocalRef)(v3, v12);
((void (__fastcall *)(JNIEnv *, void *))(*v3)->DeleteLocalRef)(v3, v32);
v15 = ((int (__fastcall *)(JNIEnv *, const char *))(*v3)->NewStringUTF)(v3, "64");
if ( !v27 )
goto LABEL_81;
if ( sub_7FAC(v3, &v58, &v40, 0, "java/lang/String", "contains", "(Ljava/lang/CharSequence;)Z") )
goto LABEL_82;
v61.i = v15;
v16 = (*v3)->CallBooleanMethodA(v3, v27, v40, &v61);
if ( (*v3)->ExceptionCheck(v3) )
goto LABEL_82;
v17 = 2131492865; // y.z
if ( !v16 )
v17 = 2131492864; // x.y
if ( !v10 )
goto LABEL_81;
if ( !sub_7FAC(v3, &v53, &v39, 0, "android/content/res/Resources", "openRawResource", "(I)Ljava/io/InputStream;") )
{
v61.i = v17;
v18 = (*v3)->CallObjectMethodA(v3, v10, v39, &v61);
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
{
(*v3)->DeleteLocalRef(v3, v10);
(*v3)->DeleteLocalRef(v3, v27);
v19 = v52;
if ( !v52 )
{
if ( sub_7E90(v3, (int *)&v52, (int)"java/io/FileOutputStream") )
goto LABEL_82;
v19 = v52;
}
v20 = (*v3)->AllocObject(v3, v19);
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
{
if ( v20 )
{
if ( sub_7FAC(v3, &v52, &v38, 0, "java/io/FileOutputStream", "<init>", "(Ljava/lang/String;)V") )
goto LABEL_82;
v61.i = (jint)v31;
(*v3)->CallVoidMethodA(v3, v20, v38, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( v14 )
((void (__fastcall *)(JNIEnv *, jobject))(*v3)->DeleteLocalRef)(v3, v14);
v33 = (void *)((int (__fastcall *)(JNIEnv *, int))(*v3)->NewByteArray)(v3, 1024);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( v18 )
{
v30 = 0;
while ( 1 )
{
v21 = v37;
if ( !v37 )
{
if ( sub_7FAC(v3, &v51, &v37, 0, "java/io/InputStream", "read", "([B)I") )
goto LABEL_82;
v21 = v37;
}
v61.i = (jint)v33;
v26 = (*v3)->CallIntMethodA(v3, v18, v21, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( v26 == -1 )
{
if ( sub_7FAC(v3, &v50, &v35, 1, "java/lang/System", "load", "(Ljava/lang/String;)V") )
goto LABEL_82;
v61.i = (jint)v31;
(*v3)->CallStaticVoidMethodA(v3, v50, v35, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
if ( sub_7FAC(v3, &v59, &v34, 0, "androidx/appcompat/app/Activity", "xx", "(I)V") )
goto LABEL_82;
v61.i = 2131165304;
(*v3)->CallVoidMethodA(v3, v5, v34, &v61);
if ( ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
goto LABEL_82;
return _stack_chk_guard - v64;
}
if ( v30 )
((void (__fastcall *)(JNIEnv *, void *))(*v3)->DeleteLocalRef)(v3, v30);
v30 = (void *)((int (__fastcall *)(JNIEnv *, int))(*v3)->NewByteArray)(v3, 1024);
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
{
v22 = 0;
while ( v22 != 1024 )
{
if ( !v33 )
goto LABEL_81;
(*v3)->GetByteArrayRegion(v3, v33, v22, 1, (jbyte *)&v61);
v23 = v61.z;
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
{
if ( !v30 )
goto LABEL_81;
v61.z = v23 ^ 0xA; // 解密raw, xor 0xa
(*v3)->SetByteArrayRegion(v3, v30, v22++, 1, (const jbyte *)&v61);
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
continue;
}
goto LABEL_82;
}
if ( v36 || !sub_7FAC(v3, &v52, &v36, 0, "java/io/FileOutputStream", "write", "([BII)V") )
{
v63 = v26;
v62 = 0;
v61.i = (jint)v30;
((void (__fastcall *)(JNIEnv *, jobject))(*v3)->CallVoidMethodA)(v3, v20);
if ( !((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionCheck)(v3) )
continue;
}
}
goto LABEL_82;
}
}
}
LABEL_81:
sub_7BC4(v3, "java/lang/NullPointerException", "NullPointerException");
goto LABEL_82;
}
}
}
LABEL_82:
v24 = ((int (__fastcall *)(JNIEnv *))(*v3)->ExceptionOccurred)(v3);
((void (__fastcall *)(JNIEnv *))(*v3)->ExceptionClear)(v3);
if ( !sub_7DFC(v3, v24, "java/lang/Exception") )
{
((void (__fastcall *)(JNIEnv *, int))(*v3)->Throw)(v3, v24);
((void (__fastcall *)(JNIEnv *, int))(*v3)->DeleteLocalRef)(v3, v24);
}
return _stack_chk_guard - v64;
}
根据系统位数判断要加载哪个so,解密后再load。那就把res/raw里面的so提取出来解密。
真正的判断函数是这个
[C] 纯文本查看 复制代码 __int64 __fastcall sub_CDDC(JNIEnv *a1, __int64 a2, unsigned int a3)
{
const char *v5; // x22
const char *v6; // x23
size_t v8; // w0
__int64 result; // x0
jclass v10; // x0
jmethodID v11; // x0
__int64 v12; // x20
jclass v13; // x0
jmethodID v14; // x21
jstring v15; // x0
jclass v16; // x0
jmethodID v17; // x0
jclass v18; // x0
jmethodID v19; // x2
v5 = (const char *)pbBuf;
v6 = toast[0];
v8 = strlen(toast[0]);
result = strncmp(v5, v6, v8);
if ( !(_DWORD)result )
{
v10 = (*a1)->FindClass(a1, "com/akari/crackme/MainActivity");
v11 = (*a1)->GetMethodID(a1, v10, "findViewById", "(I)Landroid/view/View;");
v12 = _JNIEnv::CallObjectMethod(a1, a2, v11, a3);
v13 = (*a1)->FindClass(a1, ed[0]);
v14 = (*a1)->GetMethodID(a1, v13, "setText", "(Ljava/lang/CharSequence;)V");
v15 = (*a1)->NewStringUTF(a1, "Congratulations~!");
_JNIEnv::CallVoidMethod(a1, v12, v14, v15);
v16 = (*a1)->FindClass(a1, ed[0]);
v17 = (*a1)->GetMethodID(a1, v16, "setTextColor", "(I)V");
_JNIEnv::CallVoidMethod(a1, v12, v17, 4294901760LL);
v18 = (*a1)->FindClass(a1, ed[0]);
v19 = (*a1)->GetMethodID(a1, v18, "setEnabled", "(Z)V");
result = _JNIEnv::CallVoidMethod(a1, v12, v19, 0LL);
}
return result;
}
就一个strncmp,pbbuf在JNI_OnLoad那里解密,调试一下应该就能拿到,但是minsdkversion太高了,我的手机是7.1的,就不继续了。等其他大佬解开吧。 |
免费评分
-
查看全部评分
|
|
发表于 2020-4-23 13:26
