直接把APK拖进JEB里边分析,发现要调用so库,并且有三个so文件:
其中,mips、armeabi、armeabi-v7a和x86都表示CPU的类型。一般的手机或平板都是用arm的cpu。不同的cpu的特性不一样。
armeabi 是针对普通的或旧的arm v5 cpu,32位
armeabi-v7a 是针对有浮点运算或高级扩展功能的arm v7 cpu,32位
arm64-v8a 针对64位的
mips 是一种采取精简指令集(RISC)的处理器架构,32位
mips64 64位
x86 IA-32位指令集
x86_64 64位
通常采用armeabi-v7a的so文件,下面对Java的Main进行分析:
发现Main调用了hello-libs库中的stringFromJNI函数,下面开始对so文件进行逆向:
其中gpower函数是求2^k,在这里暂时看不出有什么用;GetTicks是一个获取当前精确时间的函数。所以我们对第19行的函数进行分析,一路跟踪下去,发现:
看起来memcpy函数像是对flag进行复制的函数,我们直接写个程序改写这里的函数,把a1输出,意外地拿到了flag:
#include <iostream>
#include <cstdio>
#include <cstring>
using namespace std;
// First of two 182-entry byte tables (stored one byte value per int).
// main() XORs byte1[i] with byte2[i] to rebuild the hidden buffer.
// NOTE(review): presumably both tables were lifted from the .so's data
// section during the analysis described above; the write-up does not say so
// explicitly, so confirm against the binary.
int byte1[182] ={0xD8,0xC2,0x6B,0x42,0x82,0x67,0xC8,0x4D,0x7A,0x95,0xE8,0x81,0x48,0xC1,0x9E,0x40,0xE8,0xFB,0xCF,0xE6,
0x4F,0xBA,0xE6,0xAF,0x78,0x19,0x6F,0x9C,0xE9,0xF7,0x7A,0xDD,0x42,0xCE,0x8C,0x3,0xB8,0x66,0xD3,0xAB,0x0,0x7E,0xDE,
0x3E,0x53,0xDE,0x30,0x91,0x3D,0xF7,0xCD,0x72,0x14,0x51,0x82,0xEE,0x1B,0x8D,0xB4,0x8C,0xD0,0x8A,0xF6,0x9A,0x96,0x71,
0x98,0x62,0x93,0x4A,0x30,0x2F,0x9C,0xA8,0x79,0x16,0xC1,0xE0,0xEC,0xD7,0xE5,0xEC,0x8A,0x64,0xB4,0x46,0xCF,0xD9,0xE5,
0x96,0xF3,0x94,0x73,0xA9,0xFF,0xEA,0xCB,0x15,0x9C,0x7C,0xA1,0xD8,0x3E,0xBB,0x1D,0x38,0xCB,0x55,0xD0,0x19,0x25,0xB2,
0xB,0x92,0xE8,0x88,0xAE,0x6,0xA2,0x9B,0x93,0x64,0x5E,0xFB,0x9,0x5,0xF6,0x2F,0x1F,0x35,0xCC,0xEF,0x5,0x6C,0x19,0x42,
0x38,0xA5,0x59,0x2E,0x80,0xA,0x19,0xFC,0x33,0x5B,0xBB,0xD6,0xEB,0x2B,0xAC,0xF7,0xE,0xAD,0xD8,0x57,0x40,0x98,0x71,
0x2C,0x78,0x68,0x91,0x82,0x4F,0x5B,0xD6,0x40,0x8F,0x3,0xBD,0x55,0xB,0x47,0x3D,0xF4,0x5A,0x49,0x5B,0xF2,0xA2,0x9E};
// Second table, same length as byte1. Because both XOR operands are static
// data, this masking only hides the string from a plain strings-style scan;
// it is obfuscation, not protection of the embedded value.
int byte2[182] ={0xE1,0xA1,0x1,0xE4,0x82,0x56,0x9D,0x70,0xD9,0xF5,0x8,0x10,0x22,0xA7,0x2D,0x2B,0x41,0xF0,0xBD,0xA4,
0x67,0x3D,0x9A,0x20,0xB9,0xFB,0x11,0xD3,0xAD,0xB3,0x39,0x89,0x4,0xE3,0xBF,0x3A,0x8F,0x7,0xEA,0x9B,0x61,0x4D,0xEC,
0x8,0x64,0xE8,0x4,0xA0,0xB,0xC2,0xF5,0x10,0x76,0x32,0xBB,0xD9,0x2E,0xBE,0x86,0xBA,0xE7,0xBA,0xC6,0xFC,0xA2,0x13,
0xD8,0x6,0xFA,0x2E,0x59,0x4C,0xF4,0xDD,0x1,0x7F,0xAF,0x87,0xC2,0xB4,0x8A,0x81,0x8A,0xF2,0xB6,0x60,0x9A,0x13,0x52,
0xC0,0x6D,0x9E,0x5A,0x52,0xB5,0x8F,0x47,0x5E,0xE6,0x41,0xAD,0xF5,0xBB,0xA9,0x7A,0x6C,0xA1,0x4C,0x38,0x60,0xF2,0x4B,
0x5C,0xE8,0x5B,0xE5,0xE3,0xBA,0x46,0x70,0x33,0x4,0xA7,0x58,0x19,0x10,0x49,0x20,0x1D,0x51,0x48,0x9D,0x78,0xF9,0xB4,
0x2E,0x66,0x58,0x1B,0xE8,0xEE,0x51,0x9,0x21,0x80,0xBC,0xC8,0x7B,0xF5,0x4E,0x99,0xFD,0xFC,0x9A,0xFD,0x65,0x20,0x13,
0x57,0xD1,0x83,0x4D,0xF6,0x2C,0xAF,0x25,0x3C,0x12,0xF0,0x7C,0x16,0x66,0x97,0x7F,0x6A,0x2,0xBC,0x98,0x52,0xD7,0xE3,0x56};
// Decoded buffer: main() stores byte1[i] ^ byte2[i] here, truncated to char.
char v8[182];
// Output buffer that main() fills via memcpy and prints with "%s".
// As a file-scope array it starts zero-filled, which is what terminates the
// printed string when fewer than 182 bytes are copied in.
char a1[182];
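/*
 * Rebuilds the string that the decompiled native routine copies out with
 * memcpy, and prints it.
 *
 * Steps, mirroring the decompiled logic:
 *   1. XOR byte1 with byte2 element-wise into v8.
 *   2. Take the first decoded byte, shifted right by one, as the offset of
 *      the string inside v8.
 *   3. Measure the NUL-terminated string at that offset and copy it to a1.
 *
 * Changes from the pasted listing: the fused tokens ("inti",
 * "unsigned__int8", "return0") are repaired, the IDA/MSVC-only __int8 type is
 * replaced by unsigned char so the file builds with any compiler, the unused
 * local is dropped, and the length scan is bounded so it can never read past
 * the end of v8 or write past the end of a1.
 *
 * Returns 0.
 */
int main() {
    const unsigned int total = sizeof(v8);

    // Undo the XOR masking; only the low 8 bits of each table entry matter.
    for (unsigned int i = 0; i < total; i++) {
        v8[i] = (char)(byte1[i] ^ byte2[i]);
    }

    // The first decoded byte encodes where the string starts (value >> 1).
    // Reading it as unsigned char keeps the offset in 0..127, inside v8.
    const unsigned int start = (unsigned int)(unsigned char)v8[0] >> 1;

    // Length of the string at `start`. The original do/while trusted the data
    // to contain a NUL; here the scan also stops at the end of v8 and leaves
    // room for a terminator in a1.
    unsigned int len = 0;
    while (start + len < total && len < sizeof(a1) - 1 && v8[start + len] != 0) {
        len++;
    }

    if (len >= 1) {
        memcpy(a1, &v8[start], len);
    }
    // Terminate explicitly instead of relying on a1 being zero-filled.
    a1[len] = '\0';

    printf("%s\n", a1);
    return 0;
}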