[原创]第一题，AliCrackme_1.apk破解思路-9）移动安全挑战赛（MSC）-看雪-安全社区|安全招聘|kanxue.com

[原创]第一题，AliCrackme_1.apk破解思路

2015-1-26 11:02 2527

[原创]第一题，AliCrackme_1.apk破解思路

sixfor

2015-1-26 11:02

2527

1、修改AliCrackme_1.apk扩展名为zip解压后获取classes.dex文件。
2、通过dex2jar解压classes.dex后获得classes_dex2jar.jar文件。如：dex2jar classes.dex
3、用winrar解压classes_dex2jar.jar文件后获得包内MainActivity.class文件
4、通过DJ.Java.Decompiler反编译获取了MainActivity.java文件
5、通过分析MainActivity.java文件中的aliCodeToBytes和bytesToAliSmsCode，发现bytesToAliSmsCode是参与加密的函数，aliCodeToBytes为解密函数。
6、通过eclipse重写代码aliCodeToBytes函数的执行结果为最终答案
代码如下：
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;

public class MainClasses {

public static String sourceFile="D:\\Person\\Java\\workspace\\UFO-1\\bin\\logo.png";

public static void main(String[] args) {
// TODO Auto-generated method stub
try {
String s="";
String s1 = getTableFromPic();
         String s2 = getPwdFromPic();
byte abyte[] =aliCodeToBytes(s1,s2) ;
s= new String(abyte, "utf-8");
System.out.println(s);//正确密码，即581026
String s3 = bytesToAliSmsCode(s1, s.getBytes("utf-8"));
//System.out.println(s1);//未解密密码
//System.out.println(s2);//密码表
//System.out.println(s3);//验证输入密码是否正确

} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}

}

public static String getPwdFromPic(){//根据logo.png获取未解密密码
String s1="";
try {
   InputStream inputstream= new BufferedInputStream(new FileInputStream(sourceFile));
   int i = inputstream.available();
   byte abyte0[] = new byte[i];
   inputstream.read(abyte0, 0, i);
   byte abyte1[] = new byte[18];
   System.arraycopy(abyte0, 0x16481, abyte1, 0, 18);
   s1 = new String(abyte1, "utf-8");
} catch (FileNotFoundException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return s1;

}

public static String getTableFromPic(){//根据logo.png获取密码表
String s1="";
      int i;
try {
InputStream inputstream= new BufferedInputStream(new FileInputStream(sourceFile));
i = inputstream.available();
byte abyte0[] = new byte[i];
inputstream.read(abyte0, 0, i);
byte abyte1[] = new byte[768];
System.arraycopy(abyte0, 0x15d81, abyte1, 0, 768);
s1 = new String(abyte1, "utf-8");
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}

return s1;
}

public static String bytesToAliSmsCode(String s, byte abyte0[]){//通过输入的密码获取加密后的密码，即getTableFromPic获取的密码
      StringBuilder stringbuilder = new StringBuilder();
      int i = 0;
      do
      {
         if(i >= abyte0.length)
            return stringbuilder.toString();
         stringbuilder.append(s.charAt(0xff & abyte0[i]));
         i++;
      } while(true);
}

   private static byte[] aliCodeToBytes(String s, String s1)//通过getTableFromPic获取的未解密密码获取正确密码
      {
         byte abyte0[] = new byte[s1.length()];
         int i = 0;
         do
         {
            if(i >= s1.length())
                  return abyte0;
            abyte0[i] = (byte)s.indexOf(s1.charAt(i));
            i++;
         } while(true);
      }

}

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法

收藏・1

点赞・0

打赏