一:Android反调试
主要是用来防止IDA进行附加的,主要的方法思路就是,判断自身是否有父进程,判断是否端口被监听,然后通过调用so文件中的线程进行监视,这个线程开启一般JNI_OnLoad中进行开启的。但是这个是在这个之前断开的。思路→过反调试的话呢,就要把相关的函数进行NOP掉,直接将这几个字节改为00就可以了。
反编译截图:
我们可以fax1这个软件是不可以调试的,要想调试这个软件,我们有俩个方法。
其一:我们给他增加上:android:debuggable="true"在application的节点中,然后进行编译,签名,安装。
其二:我们有magisk面具,刷入MagiskHideProsp Config模块
调试软件的时候执行以下命令,就可以调试软件了
adb shell
su
magisk resetprop ro.debuggable 1
stop
start
然后打开IDA进行附加:
- 常规的运行服务器,转发端口
adb forward tcp:23946 tcp:23946
- 然后使用调试模式进行运行:
adb shell am start -D -n com.ctf.mobile/com.ctf.mobile.MainActivity
- 查看我们软件的进程,并进行转发
adb shell ps | findstr ctf
adb forward tcp:8700 jdwp:
- 运行之后,使用IDA进行附加,附加的时候正常操作,但是进去之后我们需要选择一下:
在调试器的调试器选项中设置:
- 然后点击运行,之后就会不动,这个时候我们用jdb绑定端口(ddms需要打开的情况下使用8700端口),使用命令:
jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700然后程序就会断下,因为在加载so文件。
-
我们一次运行就查看是否是我们的so被载入,我们的so文件名是:libmobile.so
-
当被载入的时候,我们就选择在JNI_OnLoad中进行下断点。然后破除反调试
(不会/(ㄒoㄒ)/~~)
参考文章
https://www.cnblogs.com/bmjoker/p/11962585.html
二:java分析
package com.ctf.mobile;import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
import com.ctf.mobile.databinding.ActivityMainBinding;public class MainActivity extends AppCompatActivity {private ActivityMainBinding binding;private Button button;private EditText flagText;public native boolean check(String str);static {System.loadLibrary("mobile");}/* access modifiers changed from: protected */@Override // androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, androidx.fragment.app.FragmentActivitypublic void onCreate(Bundle bundle) {super.onCreate(bundle);ActivityMainBinding inflate = ActivityMainBinding.inflate(getLayoutInflater());this.binding = inflate;setContentView(inflate.getRoot());final op opVar = new op();this.button = (Button) findViewById(R.id.button);this.flagText = (EditText) findViewById(R.id.editText);this.button.setOnClickListener(new View.OnClickListener() {/* class com.ctf.mobile.MainActivity.AnonymousClass1 */public void onClick(View view) {if (MainActivity.this.flagText.getText().toString().trim().length() < 50) {MainActivity mainActivity = MainActivity.this;if (mainActivity.check(mainActivity.flagText.getText().toString().trim())) {Toast.makeText(MainActivity.this, op.flagRight, 0).show();return;}}Toast.makeText(MainActivity.this, op.flagWrong, 0).show();}});}
}
载入时候的,发现按钮被点击之后,调用了Check这个方法,这是个本地函数,我们在IDA中进行寻找:
看一下IDA给我们的伪代码:
__int64 __fastcall Java_com_ctf_mobile_MainActivity_check(__int64 a1, __int64 a2, __int64 a3)
{__int64 v4; // x0v4 = (*(__int64 (__fastcall **)(__int64, __int64, _QWORD))(*(_QWORD *)a1 + 1352LL))(a1, a3, 0LL);return sub_EF0(a1, v4) & 1;
}
sub_EF0
bool __fastcall sub_EF0(__int64 a1, const char *a2)
{__int64 v3; // x25__int64 v4; // x0__int64 v5; // x24__int64 v6; // x0__int64 v7; // x8__int64 v8; // x26__int64 v9; // x25unsigned __int8 v10; // w0unsigned int v11; // w27char v12; // w0__int64 v13; // x22__int64 v14; // x26char v15; // w0const char *v16; // x24__int64 v17; // x23__int64 v18; // x0__int64 v19; // x8unsigned int v20; // w0unsigned int v21; // w0int v22; // w25bool v23; // ccconst char *v24; // x8__int64 v25; // x25__int64 v26; // x0__int64 v27; // x21__int64 v28; // x23__int64 v29; // x26__int64 v30; // x25unsigned int v31; // w27const char *v32; // x24__int64 v33; // x0unsigned int v34; // w0unsigned int v35; // w0__int64 v36; // x17__int64 v37; // x1__int64 v38; // x0__int64 i; // x8__int64 v40; // x9unsigned int v41; // w10char v42; // w14char v43; // w13_BYTE *v44; // x16_BYTE *v45; // x15char v46; // w11int v47; // w22_BYTE *v48; // x23int v49; // w24__int64 v50; // x8int v51; // w20FILE *v52; // x0FILE *v53; // x28int v58; // w8int v59; // w20FILE *v60; // x0FILE *v61; // x28__int64 v62; // x24FILE *v63; // x0FILE *v64; // x28FILE *v65; // x0FILE *v66; // x28__int64 v67; // x26__int64 v68; // x28__int64 v69; // x27__int64 v70; // x20int v71; // w22int v72; // w23int v73; // w9__int64 v74; // x3__int64 v75; // x25unsigned __int64 v76; // x24_BOOL4 v77; // w21FILE *v78; // x0FILE *v79; // x23_BYTE v81[256]; // [xsp-630h] [xbp-8A0h] BYREF__int64 v82; // [xsp-530h] [xbp-7A0h] BYREF_BYTE v83[48]; // [xsp-430h] [xbp-6A0h] BYREF_BYTE v84[256]; // [xsp-400h] [xbp-670h] BYREF_BYTE v85[12]; // [xsp-300h] [xbp-570h] BYREF__int128 v86; // [xsp-2F4h] [xbp-564h]__int128 v87; // [xsp-2E4h] [xbp-554h]__int128 v88; // [xsp-2D4h] [xbp-544h]__int128 v89; // [xsp-2C4h] [xbp-534h]__int128 v90; // [xsp-2B4h] [xbp-524h]__int128 v91; // [xsp-2A4h] [xbp-514h]__int128 v92; // [xsp-294h] [xbp-504h]__int128 v93; // [xsp-284h] [xbp-4F4h]__int128 v94; // [xsp-274h] [xbp-4E4h]__int128 v95; // [xsp-264h] [xbp-4D4h]__int128 v96; // [xsp-254h] [xbp-4C4h]__int128 v97; // [xsp-244h] [xbp-4B4h]__int128 v98; // [xsp-234h] [xbp-4A4h]__int128 v99; // [xsp-224h] [xbp-494h]__int128 v100; // [xsp-214h] [xbp-484h]int v101; // [xsp-204h] [xbp-474h]_BYTE v102[520]; // [xsp-200h] [xbp-470h] BYREF__int64 v103; // [xsp+8h] [xbp-268h]__int64 v104; // [xsp+10h] [xbp-260h]unsigned __int64 StatusReg; // [xsp+18h] [xbp-258h]_BYTE *v106; // [xsp+20h] [xbp-250h]_BYTE *v107; // [xsp+28h] [xbp-248h]__int64 *v108; // [xsp+30h] [xbp-240h]const char *v109; // [xsp+38h] [xbp-238h]_BYTE *v110; // [xsp+40h] [xbp-230h]__int64 v111; // [xsp+48h] [xbp-228h]_BYTE *v112; // [xsp+50h] [xbp-220h]const char *v113; // [xsp+58h] [xbp-218h]char v114[10]; // [xsp+60h] [xbp-210h] BYREF_BYTE v115[6]; // [xsp+6Ah] [xbp-206h] BYREFchar v116[256]; // [xsp+160h] [xbp-110h] BYREF__int64 v117; // [xsp+260h] [xbp-10h]v109 = a2;StatusReg = _ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2));v117 = *(StatusReg + 40);if ( y >= 10 && (((x - 1) * x) & 1) != 0 )goto LABEL_5;while ( 1 ){v106 = v85;v112 = v84;v110 = v84;v107 = v83;v113 = v83;v108 = &v82;v3 = (*(*a1 + 48LL))(a1, &xmmword_4350);v4 = (*(*a1 + 264LL))(a1, v3, &byte_4364, &byte_436C);v5 = sub_1B58(a1, v3, v4);v6 = (*(*a1 + 264LL))(a1, v3, &byte_4370, &byte_4374);v7 = *a1;v111 = v6;v8 = (*(v7 + 264))(a1, v3, &byte_437C, &byte_4374);v9 = (*(*a1 + 264LL))(a1, v3, &byte_4380, &byte_4374);v101 = 0;memset(v102, 0, 256);v100 = 0u;v99 = 0u;v98 = 0u;v97 = 0u;v96 = 0u;v95 = 0u;v94 = 0u;v93 = 0u;v92 = 0u;v91 = 0u;v90 = 0u;v89 = 0u;v88 = 0u;v87 = 0u;v86 = 0u;v10 = sub_1BF4(a1, v5, v8, 20LL, 28LL);v11 = v10;v85[0] = v10;v85[1] = sub_1BF4(a1, v5, v8, v10, 72LL);v85[2] = sub_1BF4(a1, v5, v8, v11, 1LL);v85[3] = sub_1BF4(a1, v5, v8, v11, 2LL);v85[4] = sub_1BF4(a1, v5, v8, v11, 3LL);v85[5] = sub_1BF4(a1, v5, v8, v11, 4LL);v85[6] = sub_1BF4(a1, v5, v8, v11, 5LL);v85[7] = sub_1BF4(a1, v5, v8, v11, 6LL);v85[8] = sub_1BF4(a1, v5, v8, v11, 7LL);v12 = sub_1BF4(a1, v5, v8, v11, 8LL);v13 = v112;v85[9] = v12;v85[10] = sub_1BF4(a1, v5, v8, v11, 9LL);v14 = v5;v15 = sub_1BF4(a1, v5, v9, v11, v11);v16 = v109;v85[11] = v15;v17 = v111;memset(v84, 0, sizeof(v84));v18 = strlen(v109);__memcpy_chk(v13, v16, v18 + 1, 256LL);v19 = v110;*(v110 - 3) = unk_980;*(v19 - 32) = unk_990;*(v19 - 19) = unk_99D;*(v19 - 48) = sub_1BF4(a1, v14, v17, 6LL, 115LL);v20 = sub_1BF4(a1, v14, v17, 42LL, 189LL);v21 = sub_1BF4(a1, v14, v9, 226LL, v20);v22 = sub_1BF4(a1, v14, v17, v21, 331LL);v23 = y < 10;v24 = v113;*(v113 - 16) = 0u;*(v24 - 15) = 0u;*(v24 - 14) = 0u;*(v24 - 13) = 0u;*(v24 - 12) = 0u;*(v24 - 11) = 0u;*(v24 - 10) = 0u;*(v24 - 9) = 0u;*(v24 - 8) = 0u;*(v24 - 7) = 0u;*(v24 - 6) = 0u;*(v24 - 5) = 0u;*(v24 - 4) = 0u;*(v24 - 3) = 0u;*(v24 - 2) = 0u;*(v24 - 1) = 0u;if ( v23 || (((x - 1) * x) & 1) == 0 )break;
LABEL_5:v25 = (*(*a1 + 48LL))(a1, &xmmword_4350);v26 = (*(*a1 + 264LL))(a1, v25, &byte_4364, &byte_436C);v27 = sub_1B58(a1, v25, v26);v28 = (*(*a1 + 264LL))(a1, v25, &byte_4370, &byte_4374);v29 = (*(*a1 + 264LL))(a1, v25, &byte_437C, &byte_4374);v30 = (*(*a1 + 264LL))(a1, v25, &byte_4380, &byte_4374);v31 = sub_1BF4(a1, v27, v29, 20LL, 28LL);sub_1BF4(a1, v27, v29, v31, 72LL);sub_1BF4(a1, v27, v29, v31, 1LL);sub_1BF4(a1, v27, v29, v31, 2LL);sub_1BF4(a1, v27, v29, v31, 3LL);sub_1BF4(a1, v27, v29, v31, 4LL);sub_1BF4(a1, v27, v29, v31, 5LL);sub_1BF4(a1, v27, v29, v31, 6LL);sub_1BF4(a1, v27, v29, v31, 7LL);sub_1BF4(a1, v27, v29, v31, 8LL);sub_1BF4(a1, v27, v29, v31, 9LL);sub_1BF4(a1, v27, v30, v31, v31);memset(v81, 0, sizeof(v81));v32 = v109;v33 = strlen(v109);__memcpy_chk(v81, v32, v33 + 1, 256LL);sub_1BF4(a1, v27, v28, 6LL, 115LL);v34 = sub_1BF4(a1, v27, v28, 42LL, 189LL);v35 = sub_1BF4(a1, v27, v30, 226LL, v34);sub_1BF4(a1, v27, v28, v35, 331LL);}v103 = v14;v104 = a1;if ( v22 < 1 ){v36 = v108;v37 = 0LL;goto LABEL_14;}v36 = v108;v37 = v22;if ( v22 == 1 ){v38 = v106;for ( i = 0LL; i != v22; *(v36 + i++) = v46 ){
LABEL_13:v46 = *(v38 + i % 0x2A);v102[i] = i;}goto LABEL_14;}v38 = v106;v40 = 0LL;i = v22 & 0xFFFFFFFE;v41 = 1;do{v42 = *(v38 + v40 % 0x2A);v43 = *(v38 + v40 + ((-42 * (v41 / 0x2A)) | 1));v44 = &v102[v40];v44[1] = v40 | 1;v45 = (v36 + v40);*v44 = v40;v40 += 2LL;v41 += 2;*v45 = v42;v45[1] = v43;}while ( i != v40 );if ( i != v22 )goto LABEL_13;
LABEL_14:v113 = v115;if ( v37 ){v47 = 0;v48 = 0LL;v110 = v37;do{v49 = v48[v36];while ( 1 ){v51 = v102[v48];getpid();sub_1C90(v116, 256LL);v52 = fopen(v116, &byte_43A0);if ( v52 ){v53 = v52;while ( fgets(v114, 256, v53) ){if ( strstr(v114, &qword_43A8) ){if ( atoi(v113) )__asm { SVC 0x80 }break;}}fclose(v53);}v58 = (v47 + v51 + v49) % v22;v23 = y < 10;v102[v48] = v102[v58];v102[v58] = v51;if ( v23 || (((x - 1) * x) & 1) == 0 )break;v59 = v102[v48];getpid();sub_1C90(v116, 256LL);v60 = fopen(v116, &byte_43A0);if ( v60 ){v61 = v60;while ( fgets(v114, 256, v61) ){if ( strstr(v114, &qword_43A8) ){if ( atoi(v113) )__asm { SVC 0x80 }break;}}fclose(v61);}v50 = (v47 + v59 + v49) % v22;v102[v48] = v102[v50];v102[v50] = v59;}v36 = v108;++v48;v47 = (v47 + v51 + v49) % v22;}while ( v48 != v110 );}v62 = v104;while ( 1 ){getpid();sub_1C90(v116, 256LL);v63 = fopen(v116, &byte_43A0);if ( v63 ){v64 = v63;while ( fgets(v114, 256, v64) ){if ( strstr(v114, &qword_43A8) ){if ( atoi(v113) )__asm { SVC 0x80 }break;}}fclose(v64);}if ( y < 10 || (((x - 1) * x) & 1) == 0 )break;getpid();sub_1C90(v116, 256LL);v65 = fopen(v116, &byte_43A0);if ( v65 ){v66 = v65;while ( fgets(v114, 256, v66) ){if ( strstr(v114, &qword_43A8) ){if ( atoi(v113) )__asm { SVC 0x80 }break;}}fclose(v66);}}v68 = v111;v67 = v112;v69 = v103;v70 = 0LL;v71 = 0;v72 = 0;do{v72 = (v72 + 1) % v22;v73 = v102[v72];v74 = *(v67 + v70);v71 = (v71 + v73) % v22;v102[v72] = v102[v71];v102[v71] = v73;*(v67 + v70++) = sub_1BF4(v62, v69, v68, v74, v102[(v102[v72] + v73) % v22]);}while ( v70 != 42 );v75 = v107;v76 = 0LL;v77 = 1;do{getpid();sub_1C90(v116, 256LL);v78 = fopen(v116, &byte_43A0);if ( v78 ){v79 = v78;while ( fgets(v114, 256, v79) ){if ( strstr(v114, &qword_43A8) ){if ( atoi(v113) )__asm { SVC 0x80 }break;}}fclose(v79);}if ( *(v67 + v76) != *(v75 + v76) )break;_CF = v76++ >= 0x29;v77 = !_CF;}while ( v76 != 42 );return !v77;
}
最重要的一部分
我们发现最后返回的是根据V67和V76,V75进行判断的,在java层我们也分析道我们要的就是返回值,看最后的循环语句,可以清楚的发现,其实就是就是一个类似于strcmp的一个函数,每一个字符进行比较,如果有一处不一样,就跳出循环,否则都一样的话呢,返回v77,这个是1,需要获取到值,这个就是注册码,或者试试将这个返回修改一下也是可以的。
然后尝试分析流程图(不会/(ㄒoㄒ)/~~
![re题(38)BUUCTF-[FlareOn6]Overlong](https://i-blog.csdnimg.cn/direct/9b47ac03866f4faab77c654e413bf047.png)
