Android逆向分析入门教学：从吾爱破解2024春节解题实践<\/h1>

一、Android逆向基础准备<\/h2>

1.1 工具准备<\/h3>

MT管理器\/NP管理器<\/strong>：用于查看APK文件结构、修改smali代码、查看文件内容等<\/li>
Jadx<\/strong>：将APK反编译为Java代码，便于分析逻辑<\/li>

Android设备或模拟器<\/strong>：用于安装和测试修改后的APK<\/li> <\/ul>
1.2 基础分析步骤<\/h3>

检查APK是否加固（本题两个APK均无加固）<\/li>
查看包名、签名等基本信息<\/li>
安装APK并了解基本功能逻辑<\/li>
使用Jadx反编译查看源码<\/li> <\/ol>
二、初级题一：圈小猫游戏分析<\/h2>
2.1 题目概述<\/h3>

游戏目标：围堵小猫使其无法移动<\/li>
成功条件：围堵成功后播放视频并显示flag<\/li> <\/ul>
2.2 静态分析<\/h3>

MainActivity分析<\/strong>：<\/p>

主界面使用WebView加载本地HTML文件(file:\/\/\/android_asset\/index.html<\/code>)<\/li>
游戏逻辑主要在HTML和JavaScript中实现<\/li> <\/ul> <\/li>
关键函数分析<\/strong>：<\/p> extractDataFromFile(String filePath)<\/code>：从视频文件中提取flag数据<\/li> 调用时机：视频播放完成后(OnCompletionListener<\/code>)<\/li> <\/ul> <\/li> <\/ol> videoView.<\/span>setOnCompletionListener<\/span>(<\/span>new<\/span> MediaPlayer.<\/span>OnCompletionListener<\/span>()<\/span> {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> onCompletion<\/span>(<\/span>MediaPlayer mediaPlayer)<\/span> {<\/span> <\/span><\/span> YSQDActivity.<\/span>this<\/span>.<\/span>tv<\/span>.<\/span>setText<\/span>(<\/span>YSQDActivity.<\/span>extractDataFromFile<\/span>(<\/span>YSQDActivity.<\/span>this<\/span>.<\/span>filePath<\/span>));<\/span> <\/span><\/span> }<\/span> <\/span><\/span>});<\/span> <\/span><\/span><\/code><\/pre>2.3 解题方法<\/h3> 方法一：直接提取flag<\/h4> 定位视频文件路径：\/data\/data\/<package_name>\/files\/<\/code>目录下<\/li> 使用MT管理器以文本方式打开MP4文件<\/li> 搜索flag{<\/code>格式字符串直接获取flag<\/li> <\/ol> 方法二：修改游戏难度<\/h4> 修改HTML文件中的initialWallCount<\/code>参数（如从默认值改为80）<\/li> 增加初始障碍物数量，使围堵小猫更容易<\/li> 成功围堵后触发视频播放和flag显示<\/li> <\/ol> 方法三：绕过游戏逻辑（未成功）<\/h4> 尝试修改smali代码，改变调用YSQDActivity的条件<\/li> 修改if-eq p1, v0<\/code>判断条件或删除判断<\/li> 本方法未成功，因涉及更复杂的调用逻辑<\/li> <\/ol> 三、初级题二：抽奖游戏分析<\/h2> 3.1 题目概述<\/h3> 游戏机制：等待时间积累"宝石"，10个宝石可抽奖一次<\/li> 90抽保底出金（flag）<\/li> 出题者提示：诚实等待抽奖可获得flag<\/li> <\/ul> 3.2 静态分析<\/h3> 关键代码逻辑<\/strong>：未修改APK时进入honest<\/code>分支，较容易抽中flag<\/li> flag存储在静态字节数组o<\/code>中<\/li> <\/ul> <\/li> <\/ol> public<\/span> static<\/span> byte<\/span>[]<\/span> o =<\/span> {<\/span>86<\/span>,<\/span> -<\/span>18<\/span>,<\/span> 98<\/span>,<\/span> 103<\/span>,<\/span> 75<\/span>,<\/span> -<\/span>73<\/span>,<\/span> 51<\/span>,<\/span> -<\/span>104<\/span>,<\/span> 104<\/span>,<\/span> 94<\/span>,<\/span> 73<\/span>,<\/span> 81<\/span>,<\/span> 125<\/span>,<\/span> 118<\/span>,<\/span> 112<\/span>,<\/span> 100<\/span>,<\/span> -<\/span>29<\/span>,<\/span> 63<\/span>,<\/span> -<\/span>33<\/span>,<\/span> -<\/span>110<\/span>,<\/span> 108<\/span>,<\/span> 115<\/span>,<\/span> 51<\/span>,<\/span> 59<\/span>,<\/span> 55<\/span>,<\/span> 52<\/span>,<\/span> 77<\/span>};<\/span> <\/span><\/span><\/code><\/pre> flag生成机制<\/strong>：需要验证APK签名信息<\/li> 修改APK后签名验证失败，即使抽中也会得到错误flag<\/li> <\/ul> <\/li> <\/ol> 3.3 解题方法<\/h3> 方法一：诚实等待<\/h4> 不修改APK，等待积累足够宝石<\/li> 进行抽奖，90抽内必出flag<\/li> 这是最简单有效的方法<\/li> <\/ol> 方法二：修改初始资源（不推荐）<\/h4> 修改WishActivity<\/code>中的初始宝石数量找到0xa<\/code>（十六进制10）改为更大值<\/li> <\/ul> <\/li> 虽然可以快速抽奖，但因签名验证失败无法获取正确flag<\/li> <\/ol> 方法三：直接解析flag<\/h4> 将字节数组o<\/code>转换为字符串<\/li> 注意处理负值（Java字节范围为-128~127）<\/li> 示例转换代码：<\/li> <\/ol> byte<\/span>[]<\/span> o =<\/span> {<\/span>86<\/span>,<\/span> -<\/span>18<\/span>,<\/span> 98<\/span>,<\/span> 103<\/span>,<\/span> 75<\/span>,<\/span> -<\/span>73<\/span>,<\/span> 51<\/span>,<\/span> -<\/span>104<\/span>,<\/span> 104<\/span>,<\/span> 94<\/span>,<\/span> 73<\/span>,<\/span> 81<\/span>,<\/span> 125<\/span>,<\/span> 118<\/span>,<\/span> 112<\/span>,<\/span> 100<\/span>,<\/span> -<\/span>29<\/span>,<\/span> 63<\/span>,<\/span> -<\/span>33<\/span>,<\/span> -<\/span>110<\/span>,<\/span> 108<\/span>,<\/span> 115<\/span>,<\/span> 51<\/span>,<\/span> 59<\/span>,<\/span> 55<\/span>,<\/span> 52<\/span>,<\/span> 77<\/span>};<\/span> <\/span><\/span>String flag =<\/span> new<\/span> String(<\/span>o,<\/span> StandardCharsets.<\/span>UTF_8<\/span>);<\/span> <\/span><\/span>System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>flag);<\/span> <\/span><\/span><\/code><\/pre>四、逆向技巧总结<\/h2> 4.1 常见分析点<\/h3> 资源文件<\/strong>：HTML、图片、视频等可能包含关键信息<\/li> 字符串搜索<\/strong>：直接搜索flag{<\/code>等格式字符串<\/li> 网络权限<\/strong>：无网络权限的APK通常flag存储在本地<\/li> 关键监听器<\/strong>：如OnCompletionListener<\/code>等事件触发点<\/li> <\/ol> 4.2 修改技巧<\/h3> smali修改<\/strong>：<\/p> 定位关键判断语句（如if-eq<\/code>）<\/li> 修改或删除判断条件<\/li> 需重新编译签名APK测试效果<\/li> <\/ul> <\/li> 资源修改<\/strong>：<\/p> 修改HTML\/XML中的初始参数<\/li> 修改图片等资源文件<\/li> <\/ul> <\/li> <\/ol> 4.3 注意事项<\/h3> 签名验证机制可能导致修改后功能异常<\/li> 动态加载的资源可能需要运行时分析<\/li> 简单的题目往往flag直接存储在代码或资源中<\/li> <\/ol> 五、扩展学习<\/h2> 5.1 推荐学习资源<\/h3> 吾爱破解《安卓逆向这档事》教程系列<\/li> Jadx、MT管理器官方文档<\/li> smali语法学习资料<\/li> <\/ul> 5.2 进阶方向<\/h3> 加固APK的分析与脱壳<\/li> 动态调试技术（Frida、Xposed等）<\/li> 原生库（so文件）逆向分析<\/li> 协议分析与加密算法逆向<\/li> <\/ol> 通过这两个初级题目的实践，可以掌握Android逆向分析的基本流程和方法，为进一步学习更复杂的逆向技术打下坚实基础。<\/p>