标签:返回 open 函数 rar his pre 回调 [] 包名
0x00
题目链接:https://pan.baidu.com/s/12RGpSCcRVSu-tyreTqecaA
提取码:9xyv
0x01
Java层分析
1)messageMe方法先获取包名,之后与51进行迭代亦或。
1 public String messageMe() { 2 String v3 = ""; 3 int v4 = 51; 4 String[] v1 = this.getApplicationContext().getPackageName().split("\\."); 5 char[] v6 = v1[v1.length - 1].toCharArray(); 6 int v7 = v6.length; 7 int v5; 8 for(v5 = 0; v5 < v7; ++v5) { 9 v4 ^= v6[v5]; 10 v3 = v3 + (((char)v4)); 11 } 12 13 return v3; 14 }
2)parseText为native层函数,传入的参数为输入的字符串。
0x02
Natice层分析
1)
1 v4 = (*(int (__cdecl **)(int, const char *))(*(_DWORD *)a1 + 24))(a1, "com/njctf/mobile/easycrack/MainActivity"); 2 v5 = (*(int (__cdecl **)(int, int, const char *))(*(_DWORD *)v3 + 132))(v3, v4, "messageMe"); 3 v6 = _JNIEnv::CallObjectMethod(a1, a2, v5, (unsigned int)"()Ljava/lang/String;");
此处为回调Java层的messageMe方法获得返回的字符串。
2)
接着传入native层函数输入的字符串与messageMe方法返回的字符串进行亦或操作。
3)
接着根据多个%256可以分析是rc4加密,密钥为"I_am_the_key",明文为2)中操作后的结果,密文为"C8E4EF0E4DCCA683088134F8635E970EEAD9E277F314869F7EF5198A2AA4"。
0x03
进行算法逆向,写出解密脚本
1 def re0(): 2 """reverse algorithm""" 3 str0 = "easycrack" 4 str1 = [ord(i) for i in str0] 5 num = 51 6 7 for i in range(len(str1)): 8 num ^= str1[i] 9 str1[i] = num; 10 str1 *= 10 11 return str1 12 13 def rc4(data,key): 14 """RC4 algorithm""" 15 x = 0 16 box = range(256) 17 for i in range(256): 18 x = (x + box[i] + ord(key[i % len(key)])) % 256 19 box[i], box[x] = box[x], box[i] 20 x = y = 0 21 out = [] 22 for char in data: 23 x = (x + 1) % 256 24 y = (y + box[x]) % 256 25 box[x], box[y] = box[y], box[x] 26 out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256])) 27 return ‘‘.join(out) 28 29 """main algorithm""" 30 res = ‘C8E4EF0E4DCCA683088134F8635E970EEAD9E277F314869F7EF5198A2AA4‘ 31 key = ‘I_am_the_key‘ 32 ciphertext = res.decode(‘hex‘) 33 str0 = re0() 34 str1 = rc4(ciphertext,key) 35 str2 = [ord(i) for i in str1] 36 flag = ‘‘ 37 for i in range(len(str1)): 38 str2[i] ^= str0[i] 39 flag += chr(str2[i]) 40 print flag
18/09/28-3-BugKu-逆向-easycrack-100(NJCTF)
标签:返回 open 函数 rar his pre 回调 [] 包名
原文地址:https://www.cnblogs.com/Fingerprint/p/9744053.html