[Share] A newbie who only solved one problem, sharing my approach
Posted on: 2015-1-26 22:01
Please don't flame me; I've never done this kind of thing before, so I came to give it a try. Below are mainly some of my ideas and attempts.
Problem 1:
1. After decompiling with a tool, I could see the Java code, so I fixed it up a bit.
package crack;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.file.Files;
import java.nio.file.Paths;

public class Crack1 {
    // Encrypted password read from the picture: 义弓么丸广之
    // Plaintext password: 581026
    private static final String PIC_PATH = "d:/logo.png";

    public static void main(String[] args) {
        String password = "1";
        String table = getTableFromPic();
        // System.out.println(table);

        // Reverse direction: map one table character back to its plaintext byte
        byte[] result = aliCodeToBytes(table, "之");
        String str = null;
        try {
            str = new String(result, "UTF-8");
        } catch (UnsupportedEncodingException e1) {
        }
        System.out.println(str);

        String pw = getPwdFromPic();
        // System.out.println("pic password: " + pw);
        String enPassword = "";
        try {
            // Forward direction: the app encrypts the typed password and compares it with pw
            enPassword = bytesToAliSmsCode(table, password.getBytes("utf-8"));
            // System.out.println("after encryption: " + enPassword);
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        if ((pw != null) && (!pw.equals("")) && (pw.equals(enPassword))) {
            return;
        }
    }

    // Read a slice of the image file and decode it as UTF-8
    private static String readSliceFromPic(int offset, int length) {
        String value = null;
        try {
            byte[] b = Files.readAllBytes(Paths.get(PIC_PATH));
            byte[] data = new byte[length];
            System.arraycopy(b, offset, data, 0, length);
            value = new String(data, "utf-8");
        } catch (IOException e) {
            e.printStackTrace();
        }
        return value;
    }

    // 256-entry code table: 0x300 bytes at 0x15d81 (256 chars x 3 UTF-8 bytes)
    protected static String getTableFromPic() {
        return readSliceFromPic(0x15d81, 0x300);
    }

    // Encrypted password: 0x12 bytes at 0x16481 (6 chars x 3 UTF-8 bytes)
    protected static String getPwdFromPic() {
        return readSliceFromPic(0x16481, 0x12);
    }

    // Forward: each plaintext byte selects the table character at that index
    // (the decompiler had flattened this loop into an if; restored here)
    private static String bytesToAliSmsCode(String table, byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < data.length; i++) {
            sb.append(table.charAt(data[i] & 0xff));
        }
        return sb.toString();
    }

    // Reverse: the index of each table character is the plaintext byte
    private static byte[] aliCodeToBytes(String codeTable, String strCmd) {
        byte[] cmdBuffer = new byte[strCmd.length()];
        for (int i = 0; i < strCmd.length(); i++) {
            char c = strCmd.charAt(i);
            int v = codeTable.indexOf(c);
            cmdBuffer[i] = (byte) v;
        }
        return cmdBuffer;
    }
}
Then I could get the password table and the final encrypted password:
"义弓么丸广之"
Then I fed it in one character at a time and ran it in reverse, and that was it.
Problem 2:
Same decompilation, and then I saw the following Java code:
    static
    {
        System.loadLibrary("crackme");
    }
    public native boolean securityCheck(String paramString);
From these two snippets, plus the .so file in the directory, it's roughly clear that it calls native code to do the encryption.
So I searched for how to debug .so files, and along the way got a rough understanding of IDA debugging.
Loading the .so statically, I saw wojiushidaan... in the hex view and naively thought that was it. Tried it, wrong. So I went and read up on ARM disassembly and combined that with the C code decompiled via F5:
signed int __fastcall Java_com_yaotong_crackme_MainActivity_securityCheck(int a1, int a2, int a3)
{
  int v3; // r5@1
  int v4; // r4@1
  int v5; // r0@5
  char *v6; // r2@5
  int v7; // r3@6
  signed int v8; // r1@7

  v3 = a1;   // JNIEnv *
  v4 = a3;   // jstring paramString
  // Both log strings are decoded in place on the first call, so neither appears as plaintext in the .so
  if ( !byte_6359 )
  {
    sub_2494((int)&unk_6304, 8, (int)&unk_446B, (int)&unk_4468, 2u, 7);
    byte_6359 = 1;
  }
  if ( !unk_635A )
  {
    sub_24F4(&unk_636C, 25, &unk_4530, &unk_4474);
    unk_635A = 1;
  }
  _android_log_print(4, &unk_6304, &unk_636C);   // priority 4 = ANDROID_LOG_INFO, then tag, message
  // JNIEnv function-table slot 676 / 4 = 169 is GetStringUTFChars(env, paramString, NULL)
  v5 = (*(int (__fastcall **)(int, int, _DWORD))(*(_DWORD *)v3 + 676))(v3, v4, 0);
  v6 = off_628C;   // pointer to the expected string
  while ( 1 )      // byte-by-byte comparison of the input with the expected string
  {
    v7 = (unsigned __int8)*v6;
    if ( v7 != *(_BYTE *)v5 )
      break;
    ++v6;
    ++v5;
    v8 = 1;
    if ( !v7 )     // both strings ended together: match
      return v8;
  }
  return 0;
}

int __fastcall sub_2494(int result, int a2, int a3, int a4, unsigned int a5, int a6)
{
  int v6; // r7@1
  unsigned int v7; // r4@2

  v6 = result;
  if ( a2 )
  {
    v7 = 0;
    do   // out[i] = (key[i % a5] ^ data[i]) + a6, for a2 bytes
    {
      result = (*(_BYTE *)(a4 + v7 % a5) ^ *(_BYTE *)(a3 + v7)) + a6;
      *(_BYTE *)(v6 + v7++) = result;
    }
    while ( a2 != v7 );
  }
  return result;
}

int __fastcall sub_24F4(int result, int a2, int a3, int a4, unsigned int a5, int a6)
{
  int v6; // r7@1
  unsigned int v7; // r4@2

  v6 = result;
  if ( a2 )
  {
    v7 = 0;
    do   // out[i] = (data[i] ^ a6) - key[i % a5], for a2 bytes
    {
      result = (*(_BYTE *)(a3 + v7) ^ a6) - *(_BYTE *)(a4 + v7 % a5);
      *(_BYTE *)(v6 + v7++) = result;
    }
    while ( a2 != v7 );
  }
  return result;
}
From the code logic, each character goes through a simple encryption step. I had no C environment locally, so I thought of another approach.
Then I installed an Android emulator and tried debugging with IDA. But it exited as soon as I attached. Nothing I could do.
References I used along the way:
http://www.kanxue.com/bbs/showthread.php?p=1324254&langid=2
Then a guru in the group said you could get log output, so I got familiar with monitor.bat (DDMS seems to have been retired). I saw some logs, and figured the .so should be able to output through a method like android_log_. But the code logic wasn't very clear to me, so I didn't pursue it.
Through the whole process my understanding of reversing got clearer. This really isn't easy work. Fine to play with, but doing it long-term is too taxing on the brain.
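The first problem's "encryption" is a plain substitution table: byte value b becomes table[b], and the table's index of a character is the plaintext byte, so the whole encrypted string can be inverted in one pass rather than one character at a time. The script below is an added example (not the post's code and not the challenge's code) that reimplements bytesToAliSmsCode and aliCodeToBytes in Python, using the offsets and lengths from the decompiled Java; the image bytes and the 256-character table are constructed stand-ins so it runs without logo.png.

```python
"""Substitution-table codec from the decompiled Crack1 class, reimplemented in
Python (added example; not the post's or the challenge's code). The offsets
and lengths are those in the decompiled Java; the image and the table below
are constructed so the script runs offline."""

TABLE_OFFSET, TABLE_LEN = 0x15D81, 0x300  # 256 chars x 3 UTF-8 bytes each
PWD_OFFSET, PWD_LEN = 0x16481, 0x12       # 6 chars x 3 UTF-8 bytes each


def read_utf8_slice(blob: bytes, offset: int, length: int) -> str:
    """Same as System.arraycopy(...) followed by new String(data, "utf-8")."""
    return blob[offset:offset + length].decode("utf-8")


def bytes_to_ali_sms_code(table: str, data: bytes) -> str:
    """Forward direction (what the app calls encryption): byte -> table[byte]."""
    return "".join(table[b] for b in data)


def ali_code_to_bytes(table: str, code: str) -> bytes:
    """Reverse direction: table character -> its index, which is the plaintext byte.
    A character outside the table is an error here; the Java version would cast
    indexOf's -1 to 0xff and carry on silently."""
    out = bytearray()
    for ch in code:
        idx = table.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the code table")
        out.append(idx)
    return bytes(out)


def make_demo_table() -> str:
    """Constructed stand-in table: 256 distinct CJK ideographs from U+4E00.
    The real table's characters and their order are not reproduced here."""
    return "".join(chr(0x4E00 + i) for i in range(256))


def build_demo_image(table: str, plaintext: str) -> bytes:
    """Constructed fake 'logo.png': zero filler with the table and the encrypted
    password planted at the offsets the decompiled code reads from."""
    img = bytearray(PWD_OFFSET + PWD_LEN)
    img[TABLE_OFFSET:TABLE_OFFSET + TABLE_LEN] = table.encode("utf-8")
    enc = bytes_to_ali_sms_code(table, plaintext.encode("utf-8")).encode("utf-8")
    img[PWD_OFFSET:PWD_OFFSET + PWD_LEN] = enc
    return bytes(img)


def recover_password(img: bytes) -> str:
    """Whole pipeline in one pass: pull the table and the encrypted password out
    of the image, invert the substitution, decode the plaintext bytes."""
    table = read_utf8_slice(img, TABLE_OFFSET, TABLE_LEN)
    enc = read_utf8_slice(img, PWD_OFFSET, PWD_LEN)
    return ali_code_to_bytes(table, enc).decode("utf-8")


if __name__ == "__main__":
    demo = build_demo_image(make_demo_table(), "581026")
    print(recover_password(demo))  # 581026
```

Because the mapping is a bijection between byte values and table characters, anyone holding the table (which ships inside the APK's own image) can invert it with no key; that is why a lookup table of this kind hides a password from a casual string search but not from a reader of the decompiled code.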
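For the second problem, the point the post stops short of is what sub_2494 and sub_24F4 do: securityCheck calls each of them once to decode an 8-byte log tag and a 25-byte log message from stored bytes, and only then passes both to _android_log_print, so the strings never sit in the .so as plaintext but do show up in logcat at runtime. The script below is an added example (not the post's code and not the crackme's code) that reimplements both routines from the decompiled loops. The contents of unk_4468, unk_446B, unk_4474 and unk_4530 are not on the page, and sub_24F4's key length and xor arguments are not visible in the decompilation, so the keys, the constants for sub_24F4 and the sample strings are constructed here and labelled as such.

```python
"""Python reimplementation (added example; not the crackme's or the post's code)
of sub_2494 and sub_24F4, the routines securityCheck runs once to decode the
tag and message it hands to _android_log_print. All buffers and keys below
are constructed, since the binary's unk_* data is not on the page."""


def sub_2494(data: bytes, key: bytes, add: int) -> bytes:
    """out[i] = (key[i % len(key)] ^ data[i]) + add, stored as one byte.
    Maps to the decompiled a3 (data), a4 (key), a5 (key length), a6 (add)."""
    return bytes(((key[i % len(key)] ^ data[i]) + add) & 0xFF for i in range(len(data)))


def sub_24F4(data: bytes, key: bytes, xor: int) -> bytes:
    """out[i] = (data[i] ^ xor) - key[i % len(key)], stored as one byte."""
    return bytes(((data[i] ^ xor) - key[i % len(key)]) & 0xFF for i in range(len(data)))


# Inverses: used only to manufacture sample input that decodes to known text.
def inv_2494(plain: bytes, key: bytes, add: int) -> bytes:
    return bytes(((plain[i] - add) & 0xFF) ^ key[i % len(key)] for i in range(len(plain)))


def inv_24F4(plain: bytes, key: bytes, xor: int) -> bytes:
    return bytes(((plain[i] + key[i % len(key)]) & 0xFF) ^ xor for i in range(len(plain)))


def cstr(buf: bytes) -> str:
    """Read up to the first NUL, as _android_log_print would."""
    return buf.split(b"\0", 1)[0].decode("latin-1")


def decode_log_strings(blob: bytes, tag_key: bytes, msg_key: bytes, msg_xor: int):
    """Mirror of the two lazily initialised buffers in securityCheck: an 8-byte
    tag via sub_2494 with a 2-byte key and add 7 (the constants in the decompiled
    call), and a 25-byte message via sub_24F4 (its key and xor are assumptions)."""
    tag = sub_2494(blob[:8], tag_key, 7)
    msg = sub_24F4(blob[8:8 + 25], msg_key, msg_xor)
    return cstr(tag), cstr(msg)


# Constructed sample keys and strings; nothing here is taken from the binary.
TAG_KEY, MSG_KEY, MSG_XOR = b"\x5A\xA5", b"\x13\x37\x42", 0x2F


def build_sample_blob() -> bytes:
    """Encoded tag (8 bytes) followed by encoded message (25 bytes)."""
    tag = b"DEMOTAG\0"                                       # 8 bytes incl. NUL
    msg = b"constructed log text".ljust(24, b".") + b"\0"    # 25 bytes incl. NUL
    return inv_2494(tag, TAG_KEY, 7) + inv_24F4(msg, MSG_KEY, MSG_XOR)


if __name__ == "__main__":
    print(decode_log_strings(build_sample_blob(), TAG_KEY, MSG_KEY, MSG_XOR))
```

Seen from the analyst's side this is the practical lesson of the post's last paragraph: a string hidden by a byte-wise xor-and-add loop is invisible to a static string search but is reconstructed in memory before the log call, so reading logcat (or hooking __android_log_print) shows it without needing to attach a debugger that the app kills. The comparison loop after the log call is an ordinary NUL-terminated byte-by-byte compare of the JNI input against the string at off_628C.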