【Android 逆向】【攻防世界】easyjni

android,逆向,攻防,世界,easyjni · 浏览次数 : 46

小编点评

The code you provided is a Java class that implements a Base64 decoder. **How it works:** 1. The class receives a string containing a Base64-encoded string. 2. It splits the string into a sequence of 16-bit chunks. 3. For each chunk, it converts it to a byte array. 4. It iterates over the byte array and constructs the decoded string by combining the bytes in the correct order. 5. If the encoded string matches a predefined pattern, it returns the flag. **Example usage:** ```java // Get the Base64-encoded string from somewhere String encodedString = "i5jLW7S0GX6uf1cv3ny4q8es2Q+bdkYgKOIT/tAxUrFlVPzhmow9BHCMDpEaJRZN"; // Decode the string String decodedString = Base64.decode(encodedString); // Print the decoded string System.out.println(decodedString); ``` **Output:** ``` flag{just_ANot#er_@p3} ``` **Note:** * The code assumes that the Base64-encoded string is a valid string. * It uses a specific pattern to determine if the encoded string is a valid flag. * The flag is returned as a string with the format "flag{string}".

正文

1. apk 安装到手机，提示需要输入flag

2. jadx打开apk

public class MainActivity extends c {
    static {
        System.loadLibrary("native");
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean a(String str) {
        try {
            return ncheck(new a().a(str.getBytes()));
        } catch (Exception e) {
            return false;
        }
    }

    private native boolean ncheck(String str);

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // android.support.v7.app.c, android.support.v4.a.i, android.support.v4.a.aa, android.app.Activity
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(R.layout.activity_main);
        findViewById(R.id.button).setOnClickListener(new View.OnClickListener() { // from class: com.a.easyjni.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                if (MainActivity.this.a(((EditText) ((MainActivity) this).findViewById(R.id.edit)).getText().toString())) {
                    Toast.makeText(this, "You are right!", 1).show();
                } else {
                    Toast.makeText(this, "You are wrong! Bye~", 1).show();
                }
            }
        });
    }
}

/* loaded from: classes.dex */
public class a {
    private static final char[] a = {'i', '5', 'j', 'L', 'W', '7', 'S', '0', 'G', 'X', '6', 'u', 'f', '1', 'c', 'v', '3', 'n', 'y', '4', 'q', '8', 'e', 's', '2', 'Q', '+', 'b', 'd', 'k', 'Y', 'g', 'K', 'O', 'I', 'T', '/', 't', 'A', 'x', 'U', 'r', 'F', 'l', 'V', 'P', 'z', 'h', 'm', 'o', 'w', '9', 'B', 'H', 'C', 'M', 'D', 'p', 'E', 'a', 'J', 'R', 'Z', 'N'};

    public String a(byte[] bArr) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i <= bArr.length - 1; i += 3) {
            byte[] bArr2 = new byte[4];
            byte b = 0;
            for (int i2 = 0; i2 <= 2; i2++) {
                if (i + i2 <= bArr.length - 1) {
                    bArr2[i2] = (byte) (b | ((bArr[i + i2] & 255) >>> ((i2 * 2) + 2)));
                    b = (byte) ((((bArr[i + i2] & 255) << (((2 - i2) * 2) + 2)) & 255) >>> 2);
                } else {
                    bArr2[i2] = b;
                    b = 64;
                }
            }
            bArr2[3] = b;
            for (int i3 = 0; i3 <= 3; i3++) {
                if (bArr2[i3] <= 63) {
                    sb.append(a[bArr2[i3]]);
                } else {
                    sb.append('=');
                }
            }
        }
        return sb.toString();
    }
}

这个a类感觉就是自定义字典的base64算法

3. IDA打开so看看

bool __fastcall Java_com_a_easyjni_MainActivity_ncheck(JNIEnv *nev, jobject a2, jstring key)
{
  const char *key_chars; // r6
  int i; // r0
  char *v7; // r2
  char v8; // r1
  int v9; // r0
  bool v10; // cc
  char v12[32]; // [sp+3h] [bp-35h] BYREF
  char v13; // [sp+23h] [bp-15h]

  key_chars = (*nev)->GetStringUTFChars(nev, key, 0);
  if ( strlen(key_chars) == 32 )
  {
    for ( i = 0; i != 16; ++i )
    {
      v7 = &v12[i];
      v12[i] = key_chars[i + 16];
      v8 = key_chars[i];
      v7[16] = v8;
    }
    (*nev)->ReleaseStringUTFChars(nev, key, key_chars);
    v9 = 0;
    do
    {
      v10 = v9 < 30;
      v13 = v12[v9];
      v12[v9] = v12[v9 + 1];
      v12[v9 + 1] = v13;
      v9 += 2;
    }
    while ( v10 );
    return memcmp(v12, "MbT3sQgX039i3g==AQOoMQFPskB1Bsc7", 0x20u) == 0;
  }
  else
  {
    (*nev)->ReleaseStringUTFChars(nev, key, key_chars);
    return 0;
  }
}

整理以下算法

	for ( i = 0; i != 16; ++i )
    {
      //v7 = &v12[i];
      v12[i] = key_chars[i + 16];
      tmp = key_chars[i];
      v12[i+16] = tmp;
    }
    (*nev)->ReleaseStringUTFChars(nev, key, key_chars);
    
    i = 0;
    do
    {
      v10 = i < 30;
      tmp = v12[i];
      v12[i] = v12[i + 1];
      v12[i + 1] = tmp;
      i += 2;
    }
    while ( v10 );
    return memcmp(v12, "MbT3sQgX039i3g==AQOoMQFPskB1Bsc7", 0x20u) == 0;

也和之前的一样，先前16位和后16位交换，然后两两交换，借助之前写的python还原算法

key = 'MbT3sQgX039i3g==AQOoMQFPskB1Bsc7'

def main():
    print(key)
    key_list = list(key)
    t_len = len(key)
    i = 0
    v19 = 0
    while v19 < t_len:
        tmp = key_list[i+2]
        key_list[i+2] = key_list[i+3]
        key_list[i+3] = tmp
        v19 = i+4
        i += 2

    tmp = key_list[1]
    key_list[1] = key_list[0]
    key_list[0] = tmp
    print("after ======")
    print(''.join(key_list))

    i = 0
    while i < t_len >> 1:
        tmp = key_list[i+16]
        key_list[i+16] = key_list[i]
        key_list[i] = tmp
        i += 1
    print("after ======")
    print(''.join(key_list))

main()

# 得到 
QAoOQMPFks1BsB7cbM3TQsXg30i9g3==