Android SO逆向分析教学：CISCN2024 androidso_re题目解析<\/h1>

1. 题目概述<\/h2>
这是一个来自CISCN2024比赛的Android逆向题目，主要考察对Android原生库(SO文件)的分析能力。题目要求输入一个flag，格式为`flag{32位字符}<\/code>，并通过native层的DES加密校验。<\/p>`

2. 初始分析<\/h2>
2.1 APK界面分析<\/h3>

入口Activity: com.example.re11113.MainActivity<\/code><\/li>
功能: 要求用户输入flag进行校验<\/li>
<\/ul>
2.2 Java层分析<\/h3>
使用jadx反编译APK，发现关键校验函数legal<\/code>:<\/p>
private<\/span> boolean<\/span> legal<\/span>(<\/span>String paramString)<\/span> {<\/span>
<\/span><\/span>    return<\/span> paramString.<\/span>length<\/span>()<\/span> ==<\/span> 38<\/span> 
<\/span><\/span>        &&<\/span> paramString.<\/span>startsWith<\/span>(<\/span>"flag{"<\/span>)<\/span> 
<\/span><\/span>        &&<\/span> paramString.<\/span>charAt<\/span>(<\/span>paramString.<\/span>length<\/span>()<\/span> -<\/span> 1<\/span>)<\/span> ==<\/span> '}'<\/span> 
<\/span><\/span>        &&<\/span> !<\/span>inspect.<\/span>inspect<\/span>(<\/span>paramString.<\/span>substring<\/span>(<\/span>5<\/span>,<\/span> paramString.<\/span>length<\/span>()<\/span> -<\/span> 1<\/span>));<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>校验逻辑:<\/p>

长度必须为38<\/li>
以"flag{"开头<\/li>
以"}"结尾<\/li>
括号内32位内容通过inspect<\/code>校验<\/li>
<\/ol>
2.3 inspect函数分析<\/h3>
inspect<\/code>函数调用原生库进行DES加密，然后与固定字符串比较:<\/p>
"JqslHrdvtgJrRs2QAp+FEVdwRPNLswrnykD\/sZMivmjGRKUMVIC\/rw=="
<\/code><\/pre>
3. 关键点：获取DES的IV和Key<\/h2>
题目通过jni.getiv()<\/code>和jni.getkey()<\/code>获取DES加密的IV和Key。<\/p>
3.1 Frida Hook尝试<\/h3>
初始Hook代码:<\/p>
function<\/span> hook_jni<\/span>() {
<\/span><\/span>    Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>        var<\/span> jniClass<\/span> =<\/span> Java<\/span>.use<\/span>("com.example.re11113.jni"<\/span>);
<\/span><\/span>        jniClass<\/span>.getiv<\/span>.implementation<\/span> =<\/span> function<\/span>() {
<\/span><\/span>            var<\/span> ret<\/span> =<\/span> this<\/span>.getiv<\/span>();
<\/span><\/span>            console<\/span>.log<\/span>("getiv: "<\/span> +<\/span> ret<\/span>);
<\/span><\/span>            return<\/span> ret<\/span>;
<\/span><\/span>        }
<\/span><\/span>        jniClass<\/span>.getkey<\/span>.implementation<\/span> =<\/span> function<\/span>() {
<\/span><\/span>            var<\/span> ret<\/span> =<\/span> this<\/span>.getkey<\/span>();
<\/span><\/span>            console<\/span>.log<\/span>("getkey: "<\/span> +<\/span> ret<\/span>);
<\/span><\/span>            return<\/span> ret<\/span>;
<\/span><\/span>        }
<\/span><\/span>    })
<\/span><\/span>}
<\/span><\/span>setImmediate<\/span>(hook_jni<\/span>);
<\/span><\/span><\/code><\/pre>发现问题:<\/p>

单独Hook getiv()<\/code> 成功<\/li>
同时Hook getkey()<\/code> 会导致应用崩溃<\/li>
<\/ul>
3.2 崩溃原因分析<\/h3>
通过Logcat发现崩溃原因是:<\/p>

getkey()<\/code>返回了非UTF-8编码的字符串<\/li>
Native层使用NewStringUTF()<\/code>创建Java字符串时失败<\/li>
<\/ul>
尝试Hook NewStringUTF<\/code>:<\/p>
function<\/span> hook_newStringUTF<\/span>() {
<\/span><\/span>    Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>        var<\/span> modules<\/span> =<\/span> Process<\/span>.enumerateModules<\/span>();
<\/span><\/span>        var<\/span> newStringUTFAddr<\/span> =<\/span> null<\/span>;
<\/span><\/span>        for<\/span> (var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> modules<\/span>.length<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>            var<\/span> module<\/span> =<\/span> modules<\/span>[i<\/span>];
<\/span><\/span>            try<\/span> {
<\/span><\/span>                var<\/span> symbols<\/span> =<\/span> module<\/span>.enumerateSymbols<\/span>();
<\/span><\/span>                for<\/span> (var<\/span> j<\/span> =<\/span> 0<\/span>; j<\/span> <<\/span> symbols<\/span>.length<\/span>; j<\/span>++<\/span>) {
<\/span><\/span>                    if<\/span> (symbols<\/span>[j<\/span>].name<\/span>.indexOf<\/span>("NewStringUTF"<\/span>) >=<\/span> 0<\/span>) {
<\/span><\/span>                        newStringUTFAddr<\/span> =<\/span> symbols<\/span>[j<\/span>].address<\/span>;
<\/span><\/span>                        console<\/span>.log<\/span>("Found NewStringUTF in module: "<\/span> +<\/span> module<\/span>.name<\/span> +<\/span> " at: "<\/span> +<\/span> newStringUTFAddr<\/span> +<\/span> " with name: "<\/span> +<\/span> symbols<\/span>[j<\/span>].name<\/span>);
<\/span><\/span>                        break<\/span>;
<\/span><\/span>                    }
<\/span><\/span>                }
<\/span><\/span>            } catch<\/span> (e<\/span>) {
<\/span><\/span>                console<\/span>.warn<\/span>("Failed to enumerate symbols for module: "<\/span> +<\/span> module<\/span>.name<\/span>);
<\/span><\/span>            }
<\/span><\/span>            if<\/span> (newStringUTFAddr<\/span>) break<\/span>;
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        if<\/span> (newStringUTFAddr<\/span>) {
<\/span><\/span>            Interceptor<\/span>.attach<\/span>(newStringUTFAddr<\/span>, {
<\/span><\/span>                onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>                    var<\/span> inputStr<\/span> =<\/span> args<\/span>[1<\/span>].readCString<\/span>();
<\/span><\/span>                    console<\/span>.log<\/span>("NewStringUTF called with: "<\/span> +<\/span> inputStr<\/span>);
<\/span><\/span>                },
<\/span><\/span>                onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) {
<\/span><\/span>                    console<\/span>.log<\/span>("NewStringUTF returning: "<\/span> +<\/span> retval<\/span>);
<\/span><\/span>                }
<\/span><\/span>            });
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            console<\/span>.log<\/span>("NewStringUTF address not found!"<\/span>);
<\/span><\/span>        }
<\/span><\/span>    });
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 替代方案：Unidbg模拟执行<\/h3>
使用Unidbg模拟执行获取IV和Key:<\/p>
package<\/span> com.re11113;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> com.github.unidbg.AndroidEmulator;<\/span>
<\/span><\/span>import<\/span> com.github.unidbg.LibraryResolver;<\/span>
<\/span><\/span>import<\/span> com.github.unidbg.arm.backend.DynarmicFactory;<\/span>
<\/span><\/span>import<\/span> com.github.unidbg.linux.android.AndroidEmulatorBuilder;<\/span>
<\/span><\/span>import<\/span> com.github.unidbg.linux.android.AndroidResolver;<\/span>
<\/span><\/span>import<\/span> com.github.unidbg.linux.android.dvm.DalvikModule;<\/span>
<\/span><\/span>import<\/span> com.github.unidbg.linux.android.dvm.DvmClass;<\/span>
<\/span><\/span>import<\/span> com.github.unidbg.linux.android.dvm.DvmObject;<\/span>
<\/span><\/span>import<\/span> com.github.unidbg.linux.android.dvm.VM;<\/span>
<\/span><\/span>import<\/span> com.github.unidbg.memory.Memory;<\/span>
<\/span><\/span>import<\/span> java.io.File;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> MainActivity<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span>
<\/span><\/span>        long<\/span> start =<\/span> System.<\/span>currentTimeMillis<\/span>();<\/span>
<\/span><\/span>        com.<\/span>re11113<\/span>.<\/span>MainActivity<\/span> mainActivity =<\/span> new<\/span> com.<\/span>re11113<\/span>.<\/span>MainActivity<\/span>();<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"load offset="<\/span> +<\/span> (<\/span>System.<\/span>currentTimeMillis<\/span>()<\/span> -<\/span> start)<\/span> +<\/span> "ms"<\/span>);<\/span>
<\/span><\/span>        mainActivity.<\/span>getIvAndKey<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    private<\/span> final<\/span> AndroidEmulator emulator;<\/span>
<\/span><\/span>    private<\/span> final<\/span> DvmClass dvmClass;<\/span>
<\/span><\/span>    private<\/span> final<\/span> VM vm;<\/span>
<\/span><\/span>
<\/span><\/span>    private<\/span> MainActivity<\/span>()<\/span> {<\/span>
<\/span><\/span>        emulator =<\/span> AndroidEmulatorBuilder.<\/span>for64Bit<\/span>()<\/span>
<\/span><\/span>                .<\/span>addBackendFactory<\/span>(<\/span>new<\/span> DynarmicFactory(<\/span>true<\/span>))<\/span>
<\/span><\/span>                .<\/span>build<\/span>();<\/span>
<\/span><\/span>        Memory memory =<\/span> emulator.<\/span>getMemory<\/span>();<\/span>
<\/span><\/span>        LibraryResolver resolver =<\/span> new<\/span> AndroidResolver(<\/span>23<\/span>);<\/span> \/\/ 自带 sdk 23 版本
<\/span><\/span><\/span><\/span>        memory.<\/span>setLibraryResolver<\/span>(<\/span>resolver);<\/span>
<\/span><\/span>        vm =<\/span> emulator.<\/span>createDalvikVM<\/span>(<\/span>new<\/span> File(<\/span>"C:\\Users\\33739\\Downloads\\app-debug (1).apk"<\/span>));<\/span>
<\/span><\/span>        vm.<\/span>setVerbose<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        DalvikModule dm =<\/span> vm.<\/span>loadLibrary<\/span>(<\/span>new<\/span> File(<\/span>"E:\\unidbg-0.9.7\\so\\re11113\\libSecret_entrance.so"<\/span>),<\/span> true<\/span>);<\/span>
<\/span><\/span>        dm.<\/span>callJNI_OnLoad<\/span>(<\/span>emulator);<\/span>
<\/span><\/span>        dvmClass =<\/span> vm.<\/span>resolveClass<\/span>(<\/span>"com\/example\/re11113\/jni"<\/span>);<\/span> \/\/ jni 函数所在的类
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    private<\/span> void<\/span> getIvAndKey<\/span>()<\/span> {<\/span>
<\/span><\/span>        DvmObject<?><\/span> result =<\/span> dvmClass.<\/span>callStaticJniMethodObject<\/span>(<\/span>emulator,<\/span> "getkey()Ljava\/lang\/String;"<\/span>);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"result is => "<\/span> +<\/span> result.<\/span>getValue<\/span>());<\/span>
<\/span><\/span>        result =<\/span> dvmClass.<\/span>callStaticJniMethodObject<\/span>(<\/span>emulator,<\/span> "getiv()Ljava\/lang\/String;"<\/span>);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"result is => "<\/span> +<\/span> result.<\/span>getValue<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>成功获取:<\/p>

IV: Wf3DLups<\/code><\/li>
Key: A8UdWaeq<\/code><\/li>
<\/ul>
4. SO文件逆向分析<\/h2>
4.1 getkey函数分析<\/h3>


返回值分析:<\/p>

返回的Java字符串由v14<\/code>转换而来<\/li>
v14<\/code>来自v18<\/code>经过处理<\/li>
<\/ul>
<\/li>

关键字符串:<\/p>

"YourRC4Key"<\/code> - 可能是RC4加密的密钥<\/li>
"TFSecret_Key"<\/code> - 可能用于其他处理<\/li>
<\/ul>
<\/li>

处理流程:<\/p>

调用jiejie<\/code>函数(实际是RC4加密)<\/li>
对结果前8位进行异或操作<\/li>
<\/ul>
<\/li>
<\/ol>
4.2 jiejie函数(RC4实现)<\/h3>


S盒初始化:<\/p>

创建256字节的vector<\/li>
填充0-255的初始值<\/li>
<\/ul>
<\/li>

S盒置换:<\/p>

使用密钥进行置换操作<\/li>
<\/ul>
<\/li>

加密流程:<\/p>

从S盒中取值进行计算<\/li>
<\/ul>
<\/li>
<\/ol>
4.3 最终处理<\/h3>
对RC4加密结果的前8位进行异或操作，得到最终的Key:

A8UdWaeq<\/code><\/p>
5. 解密流程<\/h2>

加密算法: DES<\/li>
参数:

Key: A8UdWaeq<\/code><\/li>
IV: Wf3DLups<\/code><\/li>
<\/ul>
<\/li>
密文: JqslHrdvtgJrRs2QAp+FEVdwRPNLswrnykD\/sZMivmjGRKUMVIC\/rw==<\/code><\/li>
<\/ol>
使用DES解密工具，输入以上参数即可得到flag的中间32位内容。<\/p>
6. 总结<\/h2>


解题步骤:<\/p>

分析Java层校验逻辑<\/li>
识别native层加密方式(DES)<\/li>
获取DES的IV和Key<\/li>
解密得到flag<\/li>
<\/ul>
<\/li>

技术要点:<\/p>

Frida Hook技巧<\/li>
Unidbg模拟执行<\/li>
SO文件逆向分析<\/li>
RC4算法识别<\/li>
DES加密参数获取<\/li>
<\/ul>
<\/li>

难点:<\/p>

getkey()<\/code> Hook崩溃问题<\/li>
Native层字符串编码问题<\/li>
RC4算法的识别与分析<\/li>
<\/ul>
<\/li>
<\/ol>
7. 参考工具<\/h2>


反编译工具:<\/p>

jadx<\/li>
IDA Pro<\/li>
<\/ul>
<\/li>

动态分析工具:<\/p>

Frida<\/li>
Objection<\/li>
<\/ul>
<\/li>

模拟执行:<\/p>

Unidbg<\/li>
<\/ul>
<\/li>

加密解密工具:<\/p>

CyberChef<\/li>
在线DES解密工具<\/li>
<\/ul>
<\/li>
<\/ol>

Android SO逆向分析教学：CISCN2024 androidso_re题目解析<\/h1>

1. 题目概述<\/h2>
这是一个来自CISCN2024比赛的Android逆向题目，主要考察对Android原生库(SO文件)的分析能力。题目要求输入一个flag，格式为`flag{32位字符}<\/code>，并通过native层的DES加密校验。<\/p>`

3. 关键点：获取DES的IV和Key<\/h2>
题目通过`jni.getiv()<\/code>和jni.getkey()<\/code>获取DES加密的IV和Key。<\/p>`

4. SO文件逆向分析<\/h2>

4.3 最终处理<\/h3>
对RC4加密结果的前8位进行异或操作，得到最终的Key:
`A8UdWaeq<\/code><\/p>`

7. 参考工具<\/h2>

反编译工具:<\/p>

jadx<\/li>
IDA Pro<\/li> <\/ul> <\/li>

动态分析工具:<\/p>

Frida<\/li>
Objection<\/li> <\/ul> <\/li>

模拟执行:<\/p>

Unidbg<\/li> <\/ul> <\/li>

加密解密工具:<\/p>

CyberChef<\/li>
在线DES解密工具<\/li> <\/ul> <\/li> <\/ol>

Android SO逆向分析教学：CISCN2024 androidso_re题目解析<\/h1>

1. 题目概述<\/h2> 这是一个来自CISCN2024比赛的Android逆向题目，主要考察对Android原生库(SO文件)的分析能力。题目要求输入一个flag，格式为flag{32位字符}<\/code>，并通过native层的DES加密校验。<\/p>

3. 关键点：获取DES的IV和Key<\/h2> 题目通过jni.getiv()<\/code>和jni.getkey()<\/code>获取DES加密的IV和Key。<\/p>

4. SO文件逆向分析<\/h2>

4.3 最终处理<\/h3> 对RC4加密结果的前8位进行异或操作，得到最终的Key: A8UdWaeq<\/code><\/p>

7. 参考工具<\/h2> 反编译工具:<\/p> jadx<\/li> IDA Pro<\/li> <\/ul> <\/li> 动态分析工具:<\/p> Frida<\/li> Objection<\/li> <\/ul> <\/li> 模拟执行:<\/p> Unidbg<\/li> <\/ul> <\/li> 加密解密工具:<\/p> CyberChef<\/li> 在线DES解密工具<\/li> <\/ul> <\/li> <\/ol>

1. 题目概述<\/h2>
这是一个来自CISCN2024比赛的Android逆向题目，主要考察对Android原生库(SO文件)的分析能力。题目要求输入一个flag，格式为`flag{32位字符}<\/code>，并通过native层的DES加密校验。<\/p>`

3. 关键点：获取DES的IV和Key<\/h2>
题目通过`jni.getiv()<\/code>和jni.getkey()<\/code>获取DES加密的IV和Key。<\/p>`

4.3 最终处理<\/h3>
对RC4加密结果的前8位进行异或操作，得到最终的Key:
`A8UdWaeq<\/code><\/p>`

7. 参考工具<\/h2>

反编译工具:<\/p>

jadx<\/li>
IDA Pro<\/li> <\/ul> <\/li>

动态分析工具:<\/p>

Frida<\/li>
Objection<\/li> <\/ul> <\/li>

模拟执行:<\/p>

Unidbg<\/li> <\/ul> <\/li>

加密解密工具:<\/p>

CyberChef<\/li>
在线DES解密工具<\/li> <\/ul> <\/li> <\/ol>