初步了解安卓逆向目的了解so层和java层然后了解安卓逆向题目so文件它相当于Windows下的.dll动态链接库一种共享库文件包含了程序所需的代码和数据它的优势是使得程序的内存占用更小同时也方便了程序的更新和维护native原生层作为C/C 编译后的二进制文件那么就可以拖到ida里面进行分析在这个so文件下在ctf里面是经常会夹杂一些安全性手段的比如加密加壳反调试JAVA层可读性高进行交互的层而它是裸露的会加杂安全手段但是一般ctf不会为难而到真实的小程序或者软件就会有混淆等先从例题入手复习一下[HZNUCTF 2023 preliminary]easyAPK还是拖入jadx按照常规操作进行分析锁定了在这两个函数点击在example.easyapk.llooggiinnlogin其实就是登录那么这个就是入口得到了具体的加密逻辑packagecom.example.easyapk;importandroid.content.Intent;importandroid.os.Bundle;importandroid.view.View;importandroid.widget.Button;importandroid.widget.EditText;importandroid.widget.Toast;importandroidx.appcompat.app.AppCompatActivity;importjava.security.InvalidAlgorithmParameterException;importjava.security.InvalidKeyException;importjava.security.NoSuchAlgorithmException;importjava.util.Base64;importjavax.crypto.BadPaddingException;importjavax.crypto.Cipher;importjavax.crypto.IllegalBlockSizeException;importjavax.crypto.NoSuchPaddingException;importjavax.crypto.spec.IvParameterSpec;importjavax.crypto.spec.SecretKeySpec;/* loaded from: classes3.dex */publicclassllooggiinnextendsAppCompatActivity{staticStringstr1admin;staticStringstr2;ButtonloginBtn;EditTextpasswdEt;ButtonsignBtn;EditTextuserEt;Override// androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.ActivityprotectedvoidonCreate(BundlesavedInstanceState){super.onCreate(savedInstanceState);setContentView(R.layout.activity_login);this.userEt(EditText)findViewById(R.id.user);this.passwdEt(EditText)findViewById(R.id.passwd);this.loginBtn(Button)findViewById(R.id.loginBtn);this.signBtn(Button)findViewById(R.id.signBtn);try{StringkeygetString(R.string.keyishere);byte[]ciphertextBase64.getDecoder().decode(Lz49p2OjPZzUMXakynHQuw);byte[]plaintextdecrypt(ciphertext,key.getBytes(),iviviviviviviviv.getBytes());str2newString(plaintext);}catch(InvalidAlgorithmParameterException|InvalidKeyException|NoSuchAlgorithmException|BadPaddingException|IllegalBlockSizeException|NoSuchPaddingExceptione){e.printStackTrace();}this.loginBtn.setOnClickListener(newView.OnClickListener(){// from class: com.example.easyapk.llooggiinn.1Override// android.view.View.OnClickListenerpublicvoidonClick(Viewview){Stringusernamellooggiinn.this.userEt.getText().toString();Stringpasswdllooggiinn.this.passwdEt.getText().toString();if(passwd.equals()|username.equals()){Toast.makeText(llooggiinn.this,想空手套白狼没门,0).show();return;}if(!username.equals(llooggiinn.str1)||!passwd.equals(llooggiinn.str2)){Toast.makeText(llooggiinn.this,用户名或密码不正确,0).show();return;}IntentintentnewIntent(llooggiinn.this,(Class?)ffuucc.class);llooggiinn.this.startActivity(intent);Toast.makeText(llooggiinn.this,恭喜你离成功又进一步,0).show();}});this.signBtn.setOnClickListener(newView.OnClickListener(){// from class: com.example.easyapk.llooggiinn.2Override// android.view.View.OnClickListenerpublicvoidonClick(Viewview){Toast.makeText(llooggiinn.this,不支持注册喵\n快去找登录名和密码,0).show();}});}Override// androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, android.app.ActivityprotectedvoidonStart(){super.onStart();}publicstaticbyte[]decrypt(byte[]data,byte[]key,byte[]iv)throwsBadPaddingException,NoSuchPaddingException,IllegalBlockSizeException,NoSuchAlgorithmException,InvalidKeyException,InvalidAlgorithmParameterException{CiphercipherCipher.getInstance(AES/CBC/PKCS5Padding);cipher.init(2,newSecretKeySpec(key,AES),newIvParameterSpec(iv));byte[]resultcipher.doFinal(data);returnresult;}}明文先经过base64加密给到key(要点击keyishere前期我犯了错误忘记了key应该是16位所以进行搜索得到了正解key然后key经过AES加密得到新的key而密文又经过了一轮AES/CBC/PKCS5Pading这里需要回顾一下AES加密总结一下思路线索1.AES-CBC模式keykkkeyyy4044044刚好16位2.base64加密明文Lz49p2OjPZzUMXakynHQuw3.偏移值iviviviviviviviviv(也是刚好16位)fromCrypto.CipherimportAESimportbase64 keybkkkeyyy404404404ivbivivivivivivivivct_b64Lz49p2OjPZzUMXakynHQuwctbase64.b64decode(ct_b64)cipherAES.new(key,AES.MODE_CBC,iv)ptcipher.decrypt(ct)# 先打印原始结果方便判断print(解密原始数据:,pt)# 尝试不同的去除填充方式try:fromCrypto.Util.Paddingimportunpad pt_pkcs7unpad(pt,AES.block_size)print(PKCS7去除填充成功:,pt_pkcs7.decode(utf-8))except:print(PKCS7去除填充失败尝试ZeroPadding...)pt_zeropt.rstrip(b\x00)print(ZeroPadding去除后:,pt_zero.decode(utf-8,errorsignore))根据这个脚本我们得到了卡了因为我得到的并不知道该怎么用回到题目本身打开它这里用到雷电模拟器打开它用户名这里得到admin加上上面得到的密钥得到这一串得到flagezandroid.pro又重新刷上了moectf的题目害还是不牢固啊啊啊啊啊打开可以看到是一个flag验证的程序然后拖入jadx去找主入口packagecom.example.ezandroidpro;importandroid.os.Bundle;importandroid.view.View;importandroid.widget.Button;importandroid.widget.EditText;importandroid.widget.TextView;importandroidx.appcompat.app.AppCompatActivity;/* loaded from: classes.dex */publicclassMainActivityextendsAppCompatActivity{privateEditTextinputEditText;privateTextViewresultTextView;publicnativebooleancheck(Stringstr);static{System.loadLibrary(ezandroidpro);}Override// androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.ActivityprotectedvoidonCreate(Bundlebundle){super.onCreate(bundle);setContentView(R.layout.activity_main);this.inputEditText(EditText)findViewById(R.id.inputEditText);this.resultTextView(TextView)findViewById(R.id.resultTextView);((Button)findViewById(R.id.checkButton)).setOnClickListener(newView.OnClickListener(){// from class: com.example.ezandroidpro.MainActivity.1Override// android.view.View.OnClickListenerpublicvoidonClick(Viewview){StringstrTrimMainActivity.this.inputEditText.getText().toString().trim();if(strTrim.length()!32){MainActivity.this.resultTextView.setText(flag长度不对,请重新输入);MainActivity.this.resultTextView.setTextColor(MainActivity.this.getResources().getColor(android.R.color.holo_red_dark));}elseif(MainActivity.this.check(strTrim)){MainActivity.this.resultTextView.setText(Congratulations!);MainActivity.this.resultTextView.setTextColor(MainActivity.this.getResources().getColor(android.R.color.holo_green_dark));}else{MainActivity.this.resultTextView.setText(Incorrect);MainActivity.this.resultTextView.setTextColor(MainActivity.this.getResources().getColor(android.R.color.holo_red_dark));}}});}}只有对程序运行结果的评判以及flag的长度为32没有看到什么加密逻辑或者明文什么的这时候就要去研究so文件bool __fastcallJava_com_example_ezandroidpro_MainActivity_check(inta1,inta2,inta3){_BOOL4 v5;// r5constchar*s;// r0constchar*src;// r4size_t n0xB;// r0size_t n;// r5char*dest;// r9unsignedintv11;// r10char*_4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649C;// r4intn96;// r2intv14;// r0unsigned __int8*v15;// r2intv16;// r1char*_4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649;// r3void*s1_1;// r6unsigned __int8 v20;// [sp4h] [bp-44h] BYREF_BYTE v21[7];// [sp5h] [bp-43h] BYREFvoid*s1;// [spCh] [bp-3Ch]_DWORD v23[2];// [sp10h] [bp-38h] BYREFvoid*moectf2025______;// [sp18h] [bp-30h]_DWORD v25[2];// [sp1Ch] [bp-2Ch] BYREFvoid*dest_1;// [sp24h] [bp-24h]v50;s(constchar*)(*(int(__fastcall**)(int,int,_DWORD))(*(_DWORD*)a1676))(a1,a3,0);if(!s)returnv5;srcs;n0xBstrlen(s);if(n0xB0xFFFFFFF0)std::__basic_string_commontrue::__throw_length_error(v25);nn0xB;if(n0xB0xB){v11(n0xB16)0xFFFFFFF0;dest(char*)operatornew(v11);v25[1]n;dest_1dest;v25[0]v111;gotoLABEL_7;}LOBYTE(v25[0])2*n0xB;dest(char*)v251;if(n0xB)LABEL_7:j_memcpy(dest,src,n);dest[n]0;(*(void(__fastcall**)(int,int,constchar*))(*(_DWORD*)a1680))(a1,a3,src);moectf2025______(void*)operatornew(0x20u);strcpy((char*)moectf2025______,moectf2025!!!!!!);v23[1]16;v23[0]33;_4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649C(char*)operatornew(0x70u);strcpy(_4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649C,4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649C0B971BF2EFBCB160E531A646DF7A6AC0B);sm4Encrypt(v20,v25,v23);n96*(_DWORD*)v21[3];v14v201;if(!v14)n96v201;if(n9696){if(v14){s1_1s1;v5memcmp(s1,_4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649C,0x60u)0;gotoLABEL_20;}v15v21;v16v201;_4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649_4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649C;do{v5*v15(unsigned __int8)*_4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649;if(*v15!(unsigned __int8)*_4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649)break;_4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649;v15;--v16;}while(v16);}else{v50;}if(v14){s1_1s1;LABEL_20:operatordelete(s1_1);}operatordelete(_4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649C);if(LOBYTE(v23[0])31)operatordelete(moectf2025______);if(LOBYTE(v25[0])31)operatordelete(dest_1);returnv5;}好的上面就是隐含了加密以及密钥然后会看可以发现是check函数下的伪代码也就是以后在java层看不到就去看核心的调用函数再从ida分析出来的so文件去定位密钥moectf2025!!!16位加密方式是SM4-ECB模式这里又已知了一个加密手段已知密文4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649C0B971BF2EFBCB160E531A646DF7A6AC0Bexp# SM4-ECB-PKCS7 解密脚本 - 适配你逆向的代码fromcryptography.hazmat.primitives.ciphersimportCipher,algorithms,modesfromcryptography.hazmat.backendsimportdefault_backenddefsm4_ecb_decrypt(key:bytes,cipher_hex:str)-str:# 1. 密钥处理必须16字节keykey.encode(utf-8)iflen(key)!16:raiseValueError(密钥必须是16字节)# 2. 密文十六进制 → 二进制ciphertextbytes.fromhex(cipher_hex)# 3. SM4-ECB 解密cipherCipher(algorithms.SM4(key),modes.ECB(),backenddefault_backend())decryptorcipher.decryptor()padded_plaindecryptor.update(ciphertext)decryptor.finalize()# 4. PKCS7 去填充你逆向代码的填充方式pad_lenpadded_plain[-1]plainpadded_plain[:-pad_len]try:returnplain.decode(utf-8)except:returnplain.hex()# 你的题目数据 KEYmoectf2025!!!!!!# 题目给的16字节密钥CIPHER_TEXT4EEB1EEF2914D79BFA8C5006332097ED2EF06C4A59CAE31C827A08D45CC649C0B971BF2EFBCB160E531A646DF7A6AC0B# 解密resultsm4_ecb_decrypt(KEY,CIPHER_TEXT)print(✅ 解密成功)print(明文 ,result)总结流程就是1.先看下程序吧拖入模拟器里面因为前面不是遇到了输入用户名和密码的界面嘛方便理解java代码→2.再拖入jadx里面去查找主入口不一定每个都是mainactivity向上面就有login为主入口的→3.点进去看有无主要的加密逻辑→4.如果没有说明java层并没有就是隐藏在so层了直接解包拿到so文件拖入ida进行分析