Android逆向分析实战教学文档<\/h1>

一、基础逆向分析方法<\/h2>

1.1 工具准备<\/h3>

静态分析工具<\/strong>：JADX、JEB、Android Killer<\/li>
动态分析工具<\/strong>：Frida、Xposed<\/li>

辅助工具<\/strong>：apktool、smali2java<\/li> <\/ul>
1.2 基本分析流程<\/h3>

APK解包<\/strong>：使用apktool或直接拖入分析工具<\/li>
代码查看<\/strong>：

使用JADX\/JEB查看Java代码<\/li>
使用Android Killer查看smali代码<\/li> <\/ul> <\/li>
关键点定位<\/strong>：

查找MainActivity<\/li>
查找按钮点击事件<\/li>
查找字符串比较逻辑<\/li> <\/ul> <\/li> <\/ol>
二、CTF题目实战分析<\/h2>
2.1 Ph0en1x-100题目分析<\/h3>
关键代码：<\/h4>
getSecret(<\/span>getFlag()).<\/span>equals<\/span>(<\/span>getSecret(<\/span>encrypt(<\/span>sInput)))<\/span> <\/span><\/span><\/code><\/pre>解题步骤：<\/h4> 使用Frida hook getSecret<\/code>方法：<\/li> <\/ol> Java<\/span>.perform<\/span>(function<\/span>() { <\/span><\/span> let<\/span> MainActivity<\/span> =<\/span> Java<\/span>.use<\/span>("com.ph0en1x.android_crackme.MainActivity"<\/span>); <\/span><\/span> MainActivity<\/span>["getSecret"<\/span>].implementation<\/span> =<\/span> function<\/span> (string<\/span>) { <\/span><\/span> console<\/span>.log<\/span>('getSecret is called, string: '<\/span> +<\/span> string<\/span>); <\/span><\/span> let<\/span> ret<\/span> =<\/span> this<\/span>.getSecret<\/span>(string<\/span>); <\/span><\/span> console<\/span>.log<\/span>('getSecret ret value is '<\/span> +<\/span> ret<\/span>); <\/span><\/span> return<\/span> ret<\/span>; <\/span><\/span> }; <\/span><\/span>}); <\/span><\/span><\/code><\/pre> 分析发现getSecret<\/code>是MD5加密<\/li> 逆向逻辑：getFlag()<\/code>和encrypt(sInput)<\/code>需要相等<\/li> encrypt<\/code>函数是ASCII减一操作，逆向处理：<\/li> <\/ol> s =<\/span> 'ek`fz@q2^x\/t^fn0mF^6\/^rb`qanqntfg^E`hq|'<\/span> <\/span><\/span>for<\/span> i in<\/span> range(0<\/span>, len(s)): <\/span><\/span> print(chr(ord(s[i])+<\/span>1<\/span>), end=<\/span>''<\/span>) <\/span><\/span><\/code><\/pre>2.2 ill-intentions题目分析<\/h3> 关键点：<\/h4> 广播接收器处理：<\/li> <\/ol> if<\/span> (<\/span>msgText.<\/span>equalsIgnoreCase<\/span>(<\/span>"ThisIsTheRealOne"<\/span>))<\/span> {<\/span> <\/span><\/span> \/\/ 启动对应Activity <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 正确的Activity包含native方法：<\/li> <\/ol> public<\/span> native<\/span> String perhapsThis<\/span>(<\/span>String str,<\/span> String str2,<\/span> String str3);<\/span> <\/span><\/span><\/code><\/pre> 字符串处理逻辑：<\/li> <\/ol> def<\/span> doBoth<\/span>(input): <\/span><\/span> return<\/span> translate(customEncodeValue(input)) <\/span><\/span> <\/span><\/span>def<\/span> translate<\/span>(input): <\/span><\/span> # 数字替换逻辑<\/span> <\/span><\/span> table =<\/span> {1<\/span>:'W'<\/span>, 2<\/span>:'h'<\/span>, 3<\/span>:'a'<\/span>, 4<\/span>:'t'<\/span>, 5<\/span>:'i'<\/span>, 6<\/span>:'s'<\/span>, 7<\/span>:'d'<\/span>, 8<\/span>:'o'<\/span>, 9<\/span>:'n'<\/span>, 0<\/span>:'e'<\/span>} <\/span><\/span> # ...<\/span> <\/span><\/span><\/code><\/pre>解决方案：<\/h4> 修改smali添加日志输出：<\/li> <\/ol> const-string v0, "Message-" invoke-static {v0, v6}, Landroid\/util\/Log;->d(Ljava\/lang\/String;Ljava\/lang\/String;)I <\/code><\/pre> 使用adb触发广播：<\/li> <\/ol> adb shell am start -n com.example.hellojni\/com.example.application.IsThisTheRealOne <\/span><\/span><\/code><\/pre>2.3 ERROR404题目分析<\/h3> 关键加密逻辑：<\/h4> public<\/span> String a<\/span>()<\/span> {<\/span> <\/span><\/span> byte<\/span>[]<\/span> mid_flag =<\/span> new<\/span> byte<\/span>[<\/span>0x23<\/span>];<\/span> <\/span><\/span> byte<\/span>[]<\/span> fake_flag =<\/span> flag.<\/span>getBytes<\/span>();<\/span> <\/span><\/span> for<\/span>(<\/span>int<\/span> i =<\/span> 0x0<\/span>;<\/span> i <<\/span> fake_flag.<\/span>length<\/span>;<\/span> i =<\/span> i +<\/span> 0x1<\/span>)<\/span> {<\/span> <\/span><\/span> fake_flag[<\/span>i]<\/span> =<\/span> (<\/span>byte<\/span>)((<\/span>fake_flag[<\/span>i]<\/span> +<\/span> 0x14<\/span>)<\/span> ^<\/span> (<\/span>fake_flag[<\/span>i]<\/span> +<\/span> 0x12<\/span>));<\/span> <\/span><\/span> mid_flag[<\/span>i]<\/span> =<\/span> (<\/span>byte<\/span>)((<\/span>enc_flag[<\/span>i]<\/span> ^<\/span> (<\/span>fake_flag[<\/span>i]<\/span> +<\/span> 0x11<\/span>))<\/span> -<\/span> 0xb<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2.4 CTF-easy题目分析<\/h3> 关键点：<\/h4> 直接比较：<\/li> <\/ol> if<\/span>(<\/span>this<\/span>.<\/span>n<\/span>.<\/span>getText<\/span>().<\/span>toString<\/span>().<\/span>equals<\/span>(<\/span>this<\/span>.<\/span>i<\/span>()))<\/span> {<\/span> <\/span><\/span> \/\/ 正确 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 解密脚本：<\/li> <\/ol> p =<\/span> [-<\/span>40<\/span>, -<\/span>62<\/span>, 107<\/span>, 66<\/span>, 0x82<\/span>, ...<\/span>] <\/span><\/span>q =<\/span> [-<\/span>57<\/span>, -<\/span>90<\/span>, 53<\/span>, -<\/span>71<\/span>, 0x8B<\/span>, ...<\/span>] <\/span><\/span>v2=<\/span>[] <\/span><\/span>v4=<\/span>[] <\/span><\/span>for<\/span> i in<\/span> range(len(p)): <\/span><\/span> v2.<\/span>append(p[i]^<\/span>q[i]) <\/span><\/span>v3 =<\/span> v2[0<\/span>] <\/span><\/span># ...后续处理<\/span> <\/span><\/span><\/code><\/pre>2.5 献给最好的你题目分析<\/h3> 加密流程：<\/h4> 输入密码 → Base64编码<\/li> 大小写转换<\/li> 与AgfJA2vYz2fTztiWmtL3AxrOzNvUiq==<\/code>比较<\/li> <\/ol> 解密方法：<\/h4> 将目标字符串再次大小写转换后Base64解码<\/p> 2.6 Easy-apk1题目分析<\/h3> 验证逻辑：<\/h4> if<\/span> (<\/span>v0.<\/span>length<\/span> ==<\/span> 4<\/span> &&<\/span> v14.<\/span>length<\/span>()<\/span> ==<\/span> 19<\/span> <\/span><\/span> &&<\/span> Long.<\/span>parseLong<\/span>(<\/span>xx1(<\/span>v0[<\/span>0<\/span>]),<\/span>16<\/span>)<\/span> +<\/span> Long.<\/span>parseLong<\/span>(<\/span>xx1(<\/span>v0[<\/span>1<\/span>]),<\/span>16<\/span>)<\/span> -<\/span> Long.<\/span>parseLong<\/span>(<\/span>xx1(<\/span>v0[<\/span>2<\/span>]),<\/span>16<\/span>)<\/span> ==<\/span> 0x11337452L<\/span> <\/span><\/span> &&<\/span> Long.<\/span>parseLong<\/span>(<\/span>xx1(<\/span>v0[<\/span>0<\/span>]),<\/span>16<\/span>)<\/span> *<\/span> Long.<\/span>parseLong<\/span>(<\/span>xx1(<\/span>v0[<\/span>1<\/span>]),<\/span>16<\/span>)<\/span> ==<\/span> 0x10E02D1DAE11BF3CL<\/span> <\/span><\/span> &&<\/span> Long.<\/span>parseLong<\/span>(<\/span>xx1(<\/span>v0[<\/span>2<\/span>]),<\/span>16<\/span>)<\/span> -<\/span> Long.<\/span>parseLong<\/span>(<\/span>xx1(<\/span>v0[<\/span>1<\/span>]),<\/span>16<\/span>)<\/span> ==<\/span> 0x1F3CBF1CL<\/span> <\/span><\/span> &&<\/span> md5(<\/span>v0[<\/span>3<\/span>]).<\/span>equals<\/span>(<\/span>"b7e20e3e9d02209c9f3284cb29ed719d"<\/span>))<\/span> <\/span><\/span><\/code><\/pre>xx1函数分析：<\/h4> public<\/span> static<\/span> String xx1<\/span>(<\/span>String arg4)<\/span> {<\/span> <\/span><\/span> char<\/span>[]<\/span> v0 =<\/span> "0123456789ABCDEF"<\/span>.<\/span>toCharArray<\/span>();<\/span> <\/span><\/span> StringBuilder v1 =<\/span> new<\/span> StringBuilder(<\/span>""<\/span>);<\/span> <\/span><\/span> byte<\/span>[]<\/span> v4 =<\/span> arg4.<\/span>getBytes<\/span>();<\/span> <\/span><\/span> for<\/span>(<\/span>int<\/span> v2 =<\/span> 0<\/span>;<\/span> v2 <<\/span> v4.<\/span>length<\/span>;<\/span> ++<\/span>v2)<\/span> {<\/span> <\/span><\/span> v1.<\/span>append<\/span>(<\/span>v0[(<\/span>v4[<\/span>v2]<\/span> &<\/span> 0xF0<\/span>)<\/span> >><\/span> 4<\/span>]);<\/span> <\/span><\/span> v1.<\/span>append<\/span>(<\/span>v0[<\/span>v4[<\/span>v2]<\/span> &<\/span> 15<\/span>]);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> v1.<\/span>toString<\/span>().<\/span>trim<\/span>();<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>实际功能：将字符串转换为16进制表示<\/p> 2.7 AreYouRich题目分析<\/h3> 密码生成逻辑：<\/h4> byte<\/span>[]<\/span> v1 =<\/span> new<\/span> byte<\/span>[]{<\/span>0x40<\/span>,<\/span> 0x30<\/span>,<\/span> 0x30<\/span>,<\/span> 49<\/span>};<\/span> <\/span><\/span>String v8 =<\/span> "abcdefghij"<\/span>;<\/span> <\/span><\/span>byte<\/span>[]<\/span> v3 =<\/span> v8.<\/span>getBytes<\/span>();<\/span> <\/span><\/span>for<\/span> (<\/span>v5 =<\/span> 0<\/span>;<\/span> v5 <<\/span> v3.<\/span>length<\/span>;<\/span> v5++)<\/span> {<\/span> <\/span><\/span> v3[<\/span>v5]<\/span> =<\/span> (<\/span>byte<\/span>)(<\/span>v3[<\/span>v5]<\/span> ^<\/span> 34<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span>String a1 =<\/span> new<\/span> String(<\/span>v3);<\/span> <\/span><\/span>String a2 =<\/span> new<\/span> String(<\/span>v1);<\/span> <\/span><\/span>String password =<\/span> a1 +<\/span> a2;<\/span> <\/span><\/span><\/code><\/pre>解决方案：<\/h4> 修改smali代码绕过金钱检查<\/li> 或逆向找到正确的用户名密码组合<\/li> <\/ol> 三、高级技巧总结<\/h2> 3.1 Frida高级用法<\/h3> Hook构造函数：<\/li> <\/ol> Java<\/span>.use<\/span>("com.example.Class"<\/span>).$init<\/span>.overload<\/span>(...).implementation<\/span> =<\/span> ... <\/span><\/span><\/code><\/pre> 修改返回值：<\/li> <\/ol> let<\/span> ret<\/span> =<\/span> this<\/span>.method<\/span>(args<\/span>); <\/span><\/span>return<\/span> modified_ret<\/span>; <\/span><\/span><\/code><\/pre>3.2 Smali修改技巧<\/h3> 条件判断修改：<\/li> <\/ol> # 原始 if-eqz v0, :cond_0 # 修改为 if-nez v0, :cond_0 <\/code><\/pre> 常量修改：<\/li> <\/ol> const\/4 v0, 0x0 # 改为0x1 <\/code><\/pre> 3.3 动态调试技巧<\/h3> 使用adb logcat查看日志<\/li> IDA Pro动态调试so文件<\/li> 注入代码打印关键变量<\/li> <\/ol> 四、常见加密算法识别<\/h2> MD5<\/strong>：32位哈希，常见于MessageDigest.getInstance("MD5")<\/code><\/li> SHA<\/strong>：MessageDigest.getInstance("SHA-1\/SHA-256")<\/code><\/li> Base64<\/strong>：特征字符集A-Za-z0-9+\/<\/code>，常以=<\/code>结尾<\/li> 异或加密<\/strong>：常见^<\/code>运算符<\/li> AES\/DES<\/strong>：Cipher.getInstance("AES\/DES")<\/code><\/li> <\/ol> 五、实战注意事项<\/h2> 注意字符串编码问题（UTF-8\/GBK）<\/li> 注意大小端问题（尤其在so逆向中）<\/li> 注意加解密顺序（如先Base64再异或）<\/li> 注意代码混淆（名称混淆、控制流混淆）<\/li> 多尝试不同工具交叉验证分析结果<\/li> <\/ol> 六、附录：常用工具命令<\/h2> apktool<\/strong>：<\/li> <\/ol> apktool d app.apk -o output_dir <\/span><\/span>apktool b output_dir -o new.apk <\/span><\/span><\/code><\/pre> adb<\/strong>：<\/li> <\/ol> adb install app.apk <\/span><\/span>adb shell am start -n package\/activity <\/span><\/span>adb logcat | grep "keyword"<\/span> <\/span><\/span><\/code><\/pre> Frida<\/strong>：<\/li> <\/ol> frida -U -f package -l script.js <\/span><\/span>frida-ps -U <\/span><\/span><\/code><\/pre> jarsigner<\/strong>：<\/li> <\/ol> jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my.keystore app.apk alias_name <\/span><\/span><\/code><\/pre>