Android逆向分析：2024Hgame-babyAndroid解题详解<\/h1>

1. 题目概述<\/h2>
这是一个来自2024年Hgame比赛的Android逆向题目，包含Java层和Native层（so）的验证逻辑。题目要求输入用户名和密码，通过两层验证后会显示"Congratulate!!!^_^"的成功提示。<\/p>

2. Java层分析<\/h2>

2.1 MainActivity分析<\/h3>
MainActivity的主要逻辑在onClick<\/code>方法中：<\/p>
public<\/span> void<\/span> onClick<\/span>(<\/span>View view)<\/span> {<\/span>
<\/span><\/span>    byte<\/span>[]<\/span> bytes =<\/span> this<\/span>.<\/span>username<\/span>.<\/span>getText<\/span>().<\/span>toString<\/span>().<\/span>getBytes<\/span>();<\/span>
<\/span><\/span>    byte<\/span>[]<\/span> bytes2 =<\/span> this<\/span>.<\/span>password<\/span>.<\/span>getText<\/span>().<\/span>toString<\/span>().<\/span>getBytes<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> (<\/span>new<\/span> Check1(<\/span>getResources().<\/span>getString<\/span>(<\/span>R.<\/span>string<\/span>.<\/span>key<\/span>).<\/span>getBytes<\/span>()).<\/span>check<\/span>(<\/span>bytes))<\/span> {<\/span>
<\/span><\/span>        if<\/span> (<\/span>check2(<\/span>bytes,<\/span> bytes2))<\/span> {<\/span>
<\/span><\/span>            Toast.<\/span>makeText<\/span>(<\/span>this<\/span>,<\/span> "Congratulate!!!^_^"<\/span>,<\/span> 0<\/span>).<\/span>show<\/span>();<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span> else<\/span> {<\/span>
<\/span><\/span>            Toast.<\/span>makeText<\/span>(<\/span>this<\/span>,<\/span> "password wrong!!!>_<"<\/span>,<\/span> 0<\/span>).<\/span>show<\/span>();<\/span>
<\/span><\/span>            return<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    Toast.<\/span>makeText<\/span>(<\/span>this<\/span>,<\/span> "username wrong!!!>_<"<\/span>,<\/span> 0<\/span>).<\/span>show<\/span>();<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>验证流程分为两步：<\/p>

Check1<\/code>类验证用户名<\/li>
check2<\/code>本地方法验证密码<\/li>
<\/ol>
2.2 Check1类分析<\/h3>
Check1类实现了RC4加密算法：<\/p>
public<\/span> class<\/span> Check1<\/span> {<\/span>
<\/span><\/span>    private<\/span> byte<\/span>[]<\/span> S =<\/span> new<\/span> byte<\/span>[<\/span>256<\/span>];<\/span>
<\/span><\/span>    private<\/span> int<\/span> i;<\/span>
<\/span><\/span>    private<\/span> int<\/span> j;<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> Check1<\/span>(<\/span>byte<\/span>[]<\/span> bArr)<\/span> {<\/span>
<\/span><\/span>        \/\/ RC4密钥调度算法(KSA)
<\/span><\/span><\/span><\/span>        for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> 256<\/span>;<\/span> i++)<\/span> {<\/span>
<\/span><\/span>            this<\/span>.<\/span>S<\/span>[<\/span>i]<\/span> =<\/span> (<\/span>byte<\/span>)<\/span> i;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        int<\/span> i2 =<\/span> 0<\/span>;<\/span>
<\/span><\/span>        for<\/span> (<\/span>int<\/span> i3 =<\/span> 0<\/span>;<\/span> i3 <<\/span> 256<\/span>;<\/span> i3++)<\/span> {<\/span>
<\/span><\/span>            byte<\/span>[]<\/span> bArr2 =<\/span> this<\/span>.<\/span>S<\/span>;<\/span>
<\/span><\/span>            i2 =<\/span> (<\/span>i2 +<\/span> bArr2[<\/span>i3]<\/span> +<\/span> bArr[<\/span>i3 %<\/span> bArr.<\/span>length<\/span>])<\/span> &<\/span> 255<\/span>;<\/span>
<\/span><\/span>            swap(<\/span>bArr2,<\/span> i3,<\/span> i2);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        this<\/span>.<\/span>i<\/span> =<\/span> 0<\/span>;<\/span>
<\/span><\/span>        this<\/span>.<\/span>j<\/span> =<\/span> 0<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    private<\/span> void<\/span> swap<\/span>(<\/span>byte<\/span>[]<\/span> bArr,<\/span> int<\/span> i,<\/span> int<\/span> i2)<\/span> {<\/span>
<\/span><\/span>        byte<\/span> b =<\/span> bArr[<\/span>i];<\/span>
<\/span><\/span>        bArr[<\/span>i]<\/span> =<\/span> bArr[<\/span>i2];<\/span>
<\/span><\/span>        bArr[<\/span>i2]<\/span> =<\/span> b;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> byte<\/span>[]<\/span> encrypt<\/span>(<\/span>byte<\/span>[]<\/span> bArr)<\/span> {<\/span>
<\/span><\/span>        \/\/ RC4伪随机生成算法(PRGA)
<\/span><\/span><\/span><\/span>        byte<\/span>[]<\/span> bArr2 =<\/span> new<\/span> byte<\/span>[<\/span>bArr.<\/span>length<\/span>];<\/span>
<\/span><\/span>        for<\/span> (<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> bArr.<\/span>length<\/span>;<\/span> i++)<\/span> {<\/span>
<\/span><\/span>            int<\/span> i2 =<\/span> (<\/span>this<\/span>.<\/span>i<\/span> +<\/span> 1<\/span>)<\/span> &<\/span> 255<\/span>;<\/span>
<\/span><\/span>            this<\/span>.<\/span>i<\/span> =<\/span> i2;<\/span>
<\/span><\/span>            int<\/span> i3 =<\/span> this<\/span>.<\/span>j<\/span>;<\/span>
<\/span><\/span>            byte<\/span>[]<\/span> bArr3 =<\/span> this<\/span>.<\/span>S<\/span>;<\/span>
<\/span><\/span>            int<\/span> i4 =<\/span> (<\/span>i3 +<\/span> bArr3[<\/span>i2])<\/span> &<\/span> 255<\/span>;<\/span>
<\/span><\/span>            this<\/span>.<\/span>j<\/span> =<\/span> i4;<\/span>
<\/span><\/span>            swap(<\/span>bArr3,<\/span> i2,<\/span> i4);<\/span>
<\/span><\/span>            byte<\/span>[]<\/span> bArr4 =<\/span> this<\/span>.<\/span>S<\/span>;<\/span>
<\/span><\/span>            bArr2[<\/span>i]<\/span> =<\/span> (<\/span>byte<\/span>)<\/span> (<\/span>bArr4[(<\/span>bArr4[<\/span>this<\/span>.<\/span>i<\/span>]<\/span> +<\/span> bArr4[<\/span>this<\/span>.<\/span>j<\/span>])<\/span> &<\/span> 255<\/span>]<\/span> ^<\/span> bArr[<\/span>i]);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> bArr2;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    public<\/span> boolean<\/span> check<\/span>(<\/span>byte<\/span>[]<\/span> bArr)<\/span> {<\/span>
<\/span><\/span>        return<\/span> Arrays.<\/span>equals<\/span>(<\/span>new<\/span> byte<\/span>[]{-<\/span>75<\/span>,<\/span> 80<\/span>,<\/span> 80<\/span>,<\/span> 48<\/span>,<\/span> -<\/span>88<\/span>,<\/span> 75<\/span>,<\/span> 103<\/span>,<\/span> 45<\/span>,<\/span> -<\/span>91<\/span>,<\/span> 89<\/span>,<\/span> -<\/span>60<\/span>,<\/span> 91<\/span>,<\/span> -<\/span>54<\/span>,<\/span> 5<\/span>,<\/span> 6<\/span>,<\/span> -<\/span>72<\/span>},<\/span> encrypt(<\/span>bArr));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 获取RC4密钥<\/h3>
密钥通过getResources().getString(R.string.key).getBytes()<\/code>获取，可以使用Frida进行Hook：<\/p>
function<\/span> hook_key<\/span>() {
<\/span><\/span>    var<\/span> targetClass<\/span> =<\/span> Java<\/span>.use<\/span>("android.content.res.Resources"<\/span>);
<\/span><\/span>    var<\/span> targetMethod<\/span> =<\/span> "getString"<\/span>;
<\/span><\/span>    
<\/span><\/span>    targetClass<\/span>[targetMethod<\/span>].overload<\/span>("int"<\/span>).implementation<\/span> =<\/span> function<\/span>(resourceId<\/span>) {
<\/span><\/span>        console<\/span>.log<\/span>("getResources().getString called with resource ID: "<\/span> +<\/span> resourceId<\/span>);
<\/span><\/span>        var<\/span> result<\/span> =<\/span> this<\/span>.getString<\/span>(resourceId<\/span>);
<\/span><\/span>        console<\/span>.log<\/span>("Result of getResources().getString: "<\/span> +<\/span> result<\/span>);
<\/span><\/span>        return<\/span> result<\/span>;
<\/span><\/span>    };
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>Hook后获取到密钥为：3e1fel<\/code><\/p>
2.4 解密用户名<\/h3>
使用Python实现RC4算法解密用户名：<\/p>
class<\/span> RC4<\/span>:
<\/span><\/span>    def<\/span> __init__(self, key):
<\/span><\/span>        self.<\/span>S =<\/span> list(range(256<\/span>))
<\/span><\/span>        self.<\/span>key =<\/span> key
<\/span><\/span>        self.<\/span>key_schedule()
<\/span><\/span>    
<\/span><\/span>    def<\/span> key_schedule<\/span>(self):
<\/span><\/span>        j =<\/span> 0<\/span>
<\/span><\/span>        for<\/span> i in<\/span> range(256<\/span>):
<\/span><\/span>            j =<\/span> (j +<\/span> self.<\/span>S[i] +<\/span> self.<\/span>key[i %<\/span> len(self.<\/span>key)]) %<\/span> 256<\/span>
<\/span><\/span>            self.<\/span>S[i], self.<\/span>S[j] =<\/span> self.<\/span>S[j], self.<\/span>S[i]
<\/span><\/span>    
<\/span><\/span>    def<\/span> encrypt<\/span>(self, data):
<\/span><\/span>        i =<\/span> 0<\/span>
<\/span><\/span>        j =<\/span> 0<\/span>
<\/span><\/span>        output =<\/span> []
<\/span><\/span>        for<\/span> byte in<\/span> data:
<\/span><\/span>            i =<\/span> (i +<\/span> 1<\/span>) %<\/span> 256<\/span>
<\/span><\/span>            j =<\/span> (j +<\/span> self.<\/span>S[i]) %<\/span> 256<\/span>
<\/span><\/span>            self.<\/span>S[i], self.<\/span>S[j] =<\/span> self.<\/span>S[j], self.<\/span>S[i]
<\/span><\/span>            output.<\/span>append((byte ^<\/span> self.<\/span>S[(self.<\/span>S[i] +<\/span> self.<\/span>S[j]) %<\/span> 256<\/span>]) %<\/span> 256<\/span>)
<\/span><\/span>        return<\/span> output
<\/span><\/span>    
<\/span><\/span>    def<\/span> decrypt<\/span>(self, data):
<\/span><\/span>        return<\/span> self.<\/span>encrypt(data)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    key =<\/span> b<\/span>"3e1fel"<\/span>
<\/span><\/span>    rc4 =<\/span> RC4(key)
<\/span><\/span>    ciphertext =<\/span> [-<\/span>75<\/span>, 80<\/span>, 80<\/span>, 48<\/span>, -<\/span>88<\/span>, 75<\/span>, 103<\/span>, 45<\/span>, -<\/span>91<\/span>, 89<\/span>, -<\/span>60<\/span>, 91<\/span>, -<\/span>54<\/span>, 5<\/span>, 6<\/span>, -<\/span>72<\/span>]
<\/span><\/span>    decrypted_text =<\/span> rc4.<\/span>decrypt(ciphertext)
<\/span><\/span>    print("Decrypted Text:"<\/span>, decrypted_text)
<\/span><\/span>    print("As String:"<\/span>, bytes(decrypted_text).<\/span>decode('utf-8'<\/span>))
<\/span><\/span><\/code><\/pre>解密得到用户名：G>IkH<aHu5FE3GSV<\/code><\/p>
3. Native层分析<\/h2>
3.1 动态注册函数定位<\/h3>
使用Frida Hook RegisterNatives<\/code>来定位check2<\/code>函数：<\/p>
function<\/span> hook_jni_7<\/span>() {
<\/span><\/span>    Java<\/span>.perform<\/span>(function<\/span>() {
<\/span><\/span>        var<\/span> symbols<\/span> =<\/span> Process<\/span>.getModuleByName<\/span>("libart.so"<\/span>).enumerateSymbols<\/span>();
<\/span><\/span>        var<\/span> RegisterNatives_addr<\/span> =<\/span> NULL<\/span>;
<\/span><\/span>        
<\/span><\/span>        for<\/span> (var<\/span> index<\/span> =<\/span> 0<\/span>; index<\/span> <<\/span> symbols<\/span>.length<\/span>; index<\/span>++<\/span>) {
<\/span><\/span>            const<\/span> symbol<\/span> =<\/span> symbols<\/span>[index<\/span>];
<\/span><\/span>            if<\/span> (symbol<\/span>.name<\/span>.indexOf<\/span>("CheckJNI"<\/span>) ==<\/span> -<\/span>1<\/span> &&<\/span> 
<\/span><\/span>                symbol<\/span>.name<\/span>.indexOf<\/span>("RegisterNatives"<\/span>) >=<\/span> 0<\/span>) {
<\/span><\/span>                RegisterNatives_addr<\/span> =<\/span> symbol<\/span>.address<\/span>;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        console<\/span>.log<\/span>("RegisterNatives_addr :"<\/span>, RegisterNatives_addr<\/span>);
<\/span><\/span>        
<\/span><\/span>        Interceptor<\/span>.attach<\/span>(RegisterNatives_addr<\/span>, {
<\/span><\/span>            onEnter<\/span>:<\/span> function<\/span>(args<\/span>) {
<\/span><\/span>                var<\/span> env<\/span> =<\/span> Java<\/span>.vm<\/span>.tryGetEnv<\/span>();
<\/span><\/span>                var<\/span> class_name<\/span> =<\/span> env<\/span>.getClassName<\/span>(args<\/span>[1<\/span>]);
<\/span><\/span>                console<\/span>.log<\/span>("class_name "<\/span>, class_name<\/span>)
<\/span><\/span>                
<\/span><\/span>                var<\/span> method_count<\/span> =<\/span> args<\/span>[3<\/span>].toInt32<\/span>();
<\/span><\/span>                for<\/span> (var<\/span> index<\/span> =<\/span> 0<\/span>; index<\/span> <<\/span> method_count<\/span>; index<\/span>++<\/span>) {
<\/span><\/span>                    var<\/span> method_name<\/span> =<\/span> args<\/span>[2<\/span>].add<\/span>(Process<\/span>.pointerSize<\/span> *<\/span> 3<\/span> *<\/span> index<\/span>).readPointer<\/span>().readCString<\/span>();
<\/span><\/span>                    console<\/span>.log<\/span>("method_name "<\/span>, method_name<\/span>);
<\/span><\/span>                    
<\/span><\/span>                    var<\/span> signature<\/span> =<\/span> args<\/span>[2<\/span>].add<\/span>(Process<\/span>.pointerSize<\/span> *<\/span> 3<\/span> *<\/span> index<\/span>).add<\/span>(Process<\/span>.pointerSize<\/span>).readPointer<\/span>().readCString<\/span>();
<\/span><\/span>                    console<\/span>.log<\/span>("signature "<\/span>, signature<\/span>);
<\/span><\/span>                    
<\/span><\/span>                    var<\/span> fnPtr<\/span> =<\/span> args<\/span>[2<\/span>].add<\/span>(Process<\/span>.pointerSize<\/span> *<\/span> 3<\/span> *<\/span> index<\/span>).add<\/span>(Process<\/span>.pointerSize<\/span> *<\/span> 2<\/span>).readPointer<\/span>();
<\/span><\/span>                    console<\/span>.log<\/span>("fnPtr "<\/span>, fnPtr<\/span>);
<\/span><\/span>                    
<\/span><\/span>                    var<\/span> modeule<\/span> =<\/span> Process<\/span>.findModuleByAddress<\/span>(fnPtr<\/span>);
<\/span><\/span>                    console<\/span>.log<\/span>("modeule "<\/span>, JSON<\/span>.stringify<\/span>(modeule<\/span>))
<\/span><\/span>                    console<\/span>.log<\/span>(" func in IDA addr 32 :"<\/span>, fnPtr<\/span>.sub<\/span>(modeule<\/span>.base<\/span>).sub<\/span>(1<\/span>))
<\/span><\/span>                    console<\/span>.log<\/span>(" func in IDA addr 64 :"<\/span>, fnPtr<\/span>.sub<\/span>(modeule<\/span>.base<\/span>))
<\/span><\/span>                }
<\/span><\/span>            },
<\/span><\/span>            onLeave<\/span>:<\/span> function<\/span>(retval<\/span>) {}
<\/span><\/span>        });
<\/span><\/span>    });
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>输出结果：<\/p>
RegisterNatives_addr : 0x7393c3968c
class_name com.feifei.babyandroid.MainActivity
method_name check2
signature ([B[B)Z
fnPtr 0x737bc9ab18
modeule {"name":"libbabyandroid.so","base":"0x737bc9a000","size":16384,"path":"\/data\/app\/com.feifei.babyandroid-7xPEumuUSZXKdqoEsZ28zQ==\/base.apk!\/lib\/arm64-v8a\/libbabyandroid.so"}
 func in IDA addr 32 : 0xb17
 func in IDA addr 64 : 0xb18
<\/code><\/pre>
3.2 IDA逆向分析<\/h3>
在IDA中定位到check2<\/code>函数（偏移0xB18），分析发现是AES加密算法。<\/p>
4. 解题步骤总结<\/h2>


获取RC4密钥<\/strong>：<\/p>

使用Frida Hook getResources().getString()<\/code>获取密钥3e1fel<\/code><\/li>
<\/ul>
<\/li>

解密用户名<\/strong>：<\/p>

实现RC4算法解密密文[-75, 80, 80, 48, -88, 75, 103, 45, -91, 89, -60, 91, -54, 5, 6, -72]<\/code><\/li>
得到用户名G>IkH<aHu5FE3GSV<\/code><\/li>
<\/ul>
<\/li>

分析密码验证<\/strong>：<\/p>

定位check2<\/code> native函数<\/li>
逆向分析so文件，发现是AES加密<\/li>
根据AES特征还原密码验证逻辑<\/li>
<\/ul>
<\/li>

获取完整flag<\/strong>：<\/p>

结合用户名和密码验证通过后，获取完整flag<\/li>
<\/ul>
<\/li>
<\/ol>
5. 关键知识点<\/h2>


RC4算法<\/strong>：<\/p>

密钥调度算法(KSA)<\/li>
伪随机生成算法(PRGA)<\/li>
加密解密使用相同操作<\/li>
<\/ul>
<\/li>

Frida使用技巧<\/strong>：<\/p>

Hook Java方法获取关键数据<\/li>
Hook JNI RegisterNatives定位native函数<\/li>
<\/ul>
<\/li>

Android逆向工具链<\/strong>：<\/p>

Jadx: Java层反编译<\/li>
IDA Pro: Native层逆向分析<\/li>
Frida: 动态分析Hook<\/li>
<\/ul>
<\/li>

加密算法识别<\/strong>：<\/p>

RC4特征：256字节S盒，密钥调度，异或操作<\/li>
AES特征：固定块大小，轮密钥扩展，S盒替换<\/li>
<\/ul>
<\/li>
<\/ol>
通过以上分析步骤，可以完整还原题目验证逻辑并获取flag。<\/p>
Android逆向分析：2024Hgame-babyAndroid解题详解<\/h1>

1. 题目概述<\/h2> 这是一个来自2024年Hgame比赛的Android逆向题目，包含Java层和Native层（so）的验证逻辑。题目要求输入用户名和密码，通过两层验证后会显示"Congratulate!!!^_^"的成功提示。<\/p>

2. Java层分析<\/h2>

3.2 IDA逆向分析<\/h3> 在IDA中定位到check2<\/code>函数（偏移0xB18），分析发现是AES加密算法。<\/p>

1. 题目概述<\/h2>
这是一个来自2024年Hgame比赛的Android逆向题目，包含Java层和Native层（so）的验证逻辑。题目要求输入用户名和密码，通过两层验证后会显示"Congratulate!!!^_^"的成功提示。<\/p>

3.2 IDA逆向分析<\/h3>
在IDA中定位到`check2<\/code>函数（偏移0xB18），分析发现是AES加密算法。<\/p>`
