360加壳的apk..(不是不能用第三方壳吗?)
脱360的壳(略, 这题不用去恢复onCreate)
APPKEY=dcc499621c96447f
SdkEntry=1
activityName=com.kanxue.crackme.MainActivity
allowedSig=-500187489
analyse=1
apk-md5=adff65d9b74bf7c4715b672d88cc75cc
binderHook=1
checkSum=4057935799
customization=0
edh=1
envcheck=1
fastLevel=0
jcrash=1
jiaguVersion=1.3.9.0
location=0
ls=13356
mark=0
mpv=166
ncrash=1
official=1
opt=1
pkg=com.kanxue.crackme
pkl=0
protect-time=2020-11-14 11:19:34
pts=1605323974
rrs=1
sig=-672009692
sign=d3534d5b13cae9e310be0bb41c2fc528
stubAppName=com/stub/StubApp
versionCode=1
versionName=1.0
x86=1
classes.dex
public class MainActivity extends AppCompatActivity {
public void init() {
MainActivity.copyAssetAndWrite("b.txt");
MainActivity.testDexClassLoader(MainActivity.appContext, new File(MainActivity.appContext.getCacheDir(),
"b.txt").getAbsolutePath());
}
}
class com.kanxue.crackme.MainActivity$3 implements View$OnClickListener {
public void onClick(View view) {
// invoke com.kanxue.crackme.Crack->check
MainActivity.this.check(this.val$inputEditText.getText().toString());
}
}
public class MyCrack {
public static String crypt;
static {
MyCrack.crypt = "otVvmpP4ZI58pqB26OTaYw=="; // fake
}
public static native byte[] crackjni(MyCrack this, byte[] arg1);
}
assets/b.txt
public class Crack {
public static boolean check(String content) {
// content.length() == 16
byte[] buf = rc4(content.getBytes());
buf = crackjni(buf);
buf = rc4(buf);
return Base64.encodeToString(buf, 0) == GetStaticFieldValue("com.kanxue.crackme.MyCrack", "crypt");
}
// key="kaokaonio", 后面so中会修改为"keepGoing"
// 00000000 1A 00 CF 3D const-string v0, "kaokaonio"
// 0x3DCF是StringId, 文件偏移: 0x16D3A6
public static byte[] rc4(byte[] buf);
}
lib/armeabi-v7a/libcrack.so
jbyteArray Java_com_kanxue_crackme_MyCrack_crackjni(JNIEnv *env, jobject object, jbyteArray buf)
{
unsigned char *src = FromByteArray(buf);
unsigned char *dst = New(src_len);
// aes_key = "kaokaonikaokaoni";
AesEncrypt(src, aes_key, dst);
SetWord(b.txt + 0x16D3A6, 0x3DD3); // dexStringById(0x3DD3)="keepGoing"
SetStaticFieldValue("com.kanxue.crackme.MyCrack", "crypt", "l+x7fKd2FBaaEY4NV4309A==");
return ToByteArray(dst);
}
计算得到flag
public static void test() throws Exception {
String expected = "l+x7fKd2FBaaEY4NV4309A==";
String k1 = "kaokaonio";
String k2 = "keepGoing";
byte[] buf = Base64.decode(expected);
buf = rc4(k2, buf);
Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec("kaokaonikaokaoni".getBytes(), "AES"));
buf = cipher.doFinal(buf);
buf = rc4(k1, buf);
System.out.println(new String(buf));
}
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
最后于 2020-11-22 17:35
被风间仁编辑
,原因:
