-
-
[原创]frida基础 闯关训练 七层关卡
-
发表于: 2023-7-14 18:23
-
打开app首先映入眼前是一个常规的登录界面,输入用户名和密码,提示Login filed.显然用户名和密码随便输入肯定是不行了。
首先我们用objection定位到他的页面位置activity,再结合反编译工具对源码进行分析。
可以发现当前类的类已经找到了,objection hook这个类,再触发按钮,观察情况,打印出调用的方法,再hook之。
通过返回值可以大胆猜测,密码经过了加密,将返回值输入的确通过了第一关,不过还需要结合源码分析下。
发现是 HmacSHA256 加密,然后我们可以hmac在线加密输入加密对比下结果没问题,输入密码进入下一关。
界面提示点击进入下一关,肯定没那么简单,不出意外提示报错了。
这里只能结合源码分析了。
将 R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL= 反向还原得到输入的密码,再用frida hook住b方法,则可进入到下一题。
a()b()方法的源码:
正规的算法还原,这里直接Hook通过了,后续在还原这个算法。
修改 静态成员变量和非静态成员变量的值 即可通过,但是给出来了2个函数,出题人的想法应该是让我们触发按钮的时候,主动调用这2个函数,来改变成员变量的值。
观察代码:
只要将三个成员变量的值改为true 即可通向下一关。
看源码:
将check的值全部改为 true,即可通过下一关。
代码:
代码:
将调用的三个class的方法改成true,即可通关。
adb shell dumpsys window | grep CurrentFocus#返回mCurrentFocus=Window{5b2914b u0 com.example.androiddemo/com.example.androiddemo.Activity.LoginActivity}
adb shell dumpsys window | grep CurrentFocus#返回mCurrentFocus=Window{5b2914b u0 com.example.androiddemo/com.example.androiddemo.Activity.LoginActivity}
android hooking list activities
#返回 com.example.androiddemo.Activity.BaseFridaActivitycom.example.androiddemo.Activity.FridaActivity1com.example.androiddemo.Activity.FridaActivity2com.example.androiddemo.Activity.FridaActivity3com.example.androiddemo.Activity.FridaActivity4com.example.androiddemo.Activity.FridaActivity5com.example.androiddemo.Activity.FridaActivity6com.example.androiddemo.Activity.FridaActivity7com.example.androiddemo.Activity.LoginActivitycom.example.androiddemo.MainActivityandroid hooking watch class com.example.androiddemo.Activity.LoginActivity --dump-args --dump-backtrace --dump-return
#返回(agent) [vv23m49gobd] Called com.example.androiddemo.Activity.LoginActivity.access$100(java.lang.Strinjava.lang.String)
(agent) [vv23m49gobd] Called com.example.androiddemo.Activity.LoginActivity.a(java.lang.String, java.lang.String)(agent) [vv23m49gobd] Called com.example.androiddemo.Activity.LoginActivity.a([B)(agent) [vv23m49gobd] Called com.example.androiddemo.Activity.LoginActivity.access$000(com.example.androiddemo.Activity.LoginActivity)
android hooking watch class_method com.example.androiddemo.Activity.LoginActivity.a --dump-args --dump-return
#返回:(agent) [810lsp00gmj] Arguments com.example.androiddemo.Activity.LoginActivity.a([object Object])
(agent) [810lsp00gmj] Return Value: 82d476df642d6c882dcc438e028c6e0908af286439b7cd18975dc971387eb33a
(agent) [810lsp00gmj] Return Value: 82d476df642d6c882dcc438e028c6e0908af286439b7cd18975dc971387eb33a
android hooking list activities
#返回 com.example.androiddemo.Activity.BaseFridaActivitycom.example.androiddemo.Activity.FridaActivity1com.example.androiddemo.Activity.FridaActivity2com.example.androiddemo.Activity.FridaActivity3com.example.androiddemo.Activity.FridaActivity4com.example.androiddemo.Activity.FridaActivity5com.example.androiddemo.Activity.FridaActivity6com.example.androiddemo.Activity.FridaActivity7com.example.androiddemo.Activity.LoginActivitycom.example.androiddemo.MainActivityandroid hooking watch class com.example.androiddemo.Activity.LoginActivity --dump-args --dump-backtrace --dump-return
#返回(agent) [vv23m49gobd] Called com.example.androiddemo.Activity.LoginActivity.access$100(java.lang.Strinjava.lang.String)
(agent) [vv23m49gobd] Called com.example.androiddemo.Activity.LoginActivity.a(java.lang.String, java.lang.String)(agent) [vv23m49gobd] Called com.example.androiddemo.Activity.LoginActivity.a([B)(agent) [vv23m49gobd] Called com.example.androiddemo.Activity.LoginActivity.access$000(com.example.androiddemo.Activity.LoginActivity)
android hooking watch class_method com.example.androiddemo.Activity.LoginActivity.a --dump-args --dump-return
#返回:(agent) [810lsp00gmj] Arguments com.example.androiddemo.Activity.LoginActivity.a([object Object])
(agent) [810lsp00gmj] Return Value: 82d476df642d6c882dcc438e028c6e0908af286439b7cd18975dc971387eb33a
(agent) [810lsp00gmj] Return Value: 82d476df642d6c882dcc438e028c6e0908af286439b7cd18975dc971387eb33a
public static String a(byte[] bArr) throws Exception { StringBuilder sb = new StringBuilder();
for (int i = 0; i <= bArr.length - 1; i += 3) {
byte[] bArr2 = new byte[4];
byte b = 0;
for (int i2 = 0; i2 <= 2; i2++) {
int i3 = i + i2;
if (i3 <= bArr.length - 1) {
bArr2[i2] = (byte) (b | ((bArr[i3] & 255) >>> ((i2 * 2) + 2)));
b = (byte) ((((bArr[i3] & 255) << (((2 - i2) * 2) + 2)) & 255) >>> 2);
} else {
bArr2[i2] = b;
b = 64;
}
}
bArr2[3] = b;
for (int i4 = 0; i4 <= 3; i4++) {
if (bArr2[i4] <= 63) {
sb.append(table[bArr2[i4]]);
} else {
sb.append('=');
}
}
}
return sb.toString();
}
public static byte[] b(String str) {
try {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
GZIPOutputStream gZIPOutputStream = new GZIPOutputStream(byteArrayOutputStream);
gZIPOutputStream.write(str.getBytes());
gZIPOutputStream.finish();
gZIPOutputStream.close();
byte[] byteArray = byteArrayOutputStream.toByteArray();
try {
byteArrayOutputStream.close();
return byteArray;
} catch (Exception e) {
e.printStackTrace();
return byteArray;
}
} catch (Exception unused) {
return null;
}
}
public static String a(byte[] bArr) throws Exception { StringBuilder sb = new StringBuilder();
for (int i = 0; i <= bArr.length - 1; i += 3) {
byte[] bArr2 = new byte[4];
byte b = 0;
for (int i2 = 0; i2 <= 2; i2++) {
int i3 = i + i2;
if (i3 <= bArr.length - 1) {
bArr2[i2] = (byte) (b | ((bArr[i3] & 255) >>> ((i2 * 2) + 2)));
b = (byte) ((((bArr[i3] & 255) << (((2 - i2) * 2) + 2)) & 255) >>> 2);
} else {
bArr2[i2] = b;
b = 64;
}
}
bArr2[3] = b;
for (int i4 = 0; i4 <= 3; i4++) {
if (bArr2[i4] <= 63) {
sb.append(table[bArr2[i4]]);
} else {
sb.append('=');
}
}
}
return sb.toString();
}
public static byte[] b(String str) {
try {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
GZIPOutputStream gZIPOutputStream = new GZIPOutputStream(byteArrayOutputStream);
gZIPOutputStream.write(str.getBytes());
gZIPOutputStream.finish();
gZIPOutputStream.close();
byte[] byteArray = byteArrayOutputStream.toByteArray();
try {
byteArrayOutputStream.close();
return byteArray;
} catch (Exception e) {
e.printStackTrace();
return byteArray;
}
} catch (Exception unused) {
return null;
}
}
var FridaActivity1 = Java.use("com.example.androiddemo.Activity.FridaActivity1");
FridaActivity1["b"].implementation = function (str) {
console.log("FridaActivity1.b is called: str=${str}", str);
var result = this["b"](str);
console.log("FridaActivity1.b result=${result}", JSON.stringify(result));
return result;
};FridaActivity1["a"].implementation = function (bArr) {
console.log("FridaActivity1.a is called: bArr=${bArr}", JSON.stringify(bArr));
var result = this["a"](bArr);
console.log("FridaActivity1.a result=${result}", result);
result = 'R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL='
return result;
};var FridaActivity1 = Java.use("com.example.androiddemo.Activity.FridaActivity1");
FridaActivity1["b"].implementation = function (str) {
console.log("FridaActivity1.b is called: str=${str}", str);
var result = this["b"](str);
console.log("FridaActivity1.b result=${result}", JSON.stringify(result));
return result;
};FridaActivity1["a"].implementation = function (bArr) {
console.log("FridaActivity1.a is called: bArr=${bArr}", JSON.stringify(bArr));
var result = this["a"](bArr);
console.log("FridaActivity1.a result=${result}", result);
result = 'R4jSLLLLLLLLLLOrLE7/5B+Z6fsl65yj6BgC6YWz66gO6g2t65Pk6a+P65NK44NNROl0wNOLLLL='
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2023-7-17 18:19
被kanxue编辑
,原因: 将百度网盘附件转本地
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
链接:https://pan.baidu.com/s/1zTZ5p5-dtdHxQea4FYaRPw 提取码:a5ho --来自百度网盘超级会员V1的分享 |
|
|
|
|
|
|
|
|
感谢分享
|
|
|
|
|
|
|
|
|
|
|
|
是因为same_name_bool_var字段名与same_name_bool_var函数名相同,所以需要在前面加个下划线 |
