下面介绍两个逆向分析辅助工具(注意:Objection 和 Frida 是运行时插桩 / Hook 工具,并不是静态反编译器;静态反编译仍需 jadx 一类工具,下文的源码即由 jadx 得到)
对于so文件的逆向工具选择
Objection 是一款基于 Frida 的移动应用运行时探测与利用工具,可以帮助研究人员在运行时访问移动端应用程序并对其安全性进行评估检查。所谓"无需越狱或 root",前提是先把 frida-gadget 注入(重打包)到目标应用中;在已 root / 越狱的设备上则可直接配合 frida-server 使用。
安装命令
pip3 install objection
Frida 是一款便携、免费开源、支持全平台的动态插桩(Hook)框架,可以通过编写 JavaScript 脚本(并用 Python 等语言作为宿主)与设备端的 frida-server 进行交互。注意 PC 端 Frida 客户端与设备端 frida-server 的版本必须保持一致,否则无法连接。
frida的安装可以参考:https://www.jianshu.com/p/60cfd3f6afde
在 jadx 反编译结果中全局搜索字符串"再接"(来自失败提示"再接再厉,加油~"),即可定位到引用它的校验代码,找到源码:
package com.example.yaphetshan.tencentgreat;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
/* loaded from: classes.dex */
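public class MainActivity extends AppCompatActivity {
    Button btn;
    /** Package name of this app; the same value is passed to getPackageInfo below. */
    public final String pName = BuildConfig.APPLICATION_ID;
    EditText text;

    /**
     * Wires the check button: on click, the typed text is compared against the
     * app's own versionName with every character XOR'd by versionCode, and one of
     * three toasts is shown (see {@link #verdict}).
     *
     * NOTE(review): both inputs to the check (versionName, versionCode) are baked
     * into the APK and mirrored in BuildConfig, so the accepted string can be
     * reconstructed statically by anyone holding the package. This is obfuscation,
     * not authentication.
     *
     * Kept {@code public} as in the decompiled listing (jadx reports the original
     * modifier was {@code protected}).
     */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        this.btn = (Button) findViewById(R.id.checBtn);
        this.text = (EditText) findViewById(R.id.input);
        this.btn.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                String message;
                try {
                    String input = MainActivity.this.text.getText().toString();
                    // 16384 is kept verbatim from the decompiled call; presumably a
                    // PackageManager.GET_* flag — confirm against the SDK constants.
                    PackageInfo info = MainActivity.this.getPackageManager()
                            .getPackageInfo(BuildConfig.APPLICATION_ID, 16384);
                    // The decompiled code had these two locals named the wrong way
                    // round (versionCode held versionName and vice versa).
                    message = verdict(input, info.versionName, info.versionCode);
                } catch (PackageManager.NameNotFoundException ignored) {
                    // The original empty catch fell through to the generic rejection
                    // toast; keep that outcome rather than crashing.
                    message = "年轻人不要耍小聪明噢";
                }
                Toast.makeText(MainActivity.this, message, 1).show();
            }
        });
    }

    /**
     * Picks the toast text for {@code input}.
     *
     * Compares character by character over the shorter of the two lengths; the
     * first mismatch against {@code versionName.charAt(i) ^ versionCode} yields the
     * "try again" message. With no mismatch, equal lengths yield success and any
     * other length yields the generic rejection. Return strings are byte-identical
     * to the decompiled originals.
     *
     * @param input       text typed by the user
     * @param versionName PackageInfo.versionName of this app
     * @param versionCode PackageInfo.versionCode of this app (the XOR key)
     * @return the message to toast
     */
    private static String verdict(String input, String versionName, int versionCode) {
        int limit = Math.min(input.length(), versionName.length());
        for (int i = 0; i < limit; i++) {
            if (input.charAt(i) != (versionName.charAt(i) ^ versionCode)) {
                return "再接再厉,加油~";
            }
        }
        return input.length() == versionName.length()
                ? "恭喜开启闯关之门!"
                : "年轻人不要耍小聪明噢";
    }
}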
点击 BuildConfig 文件,得到 versionName 与 versionCode 这两个参数的值(对应常量 VERSION_NAME、VERSION_CODE),如下图所示:
package com.example.yaphetshan.tencentgreat;
/* loaded from: classes.dex */
/**
 * Build-time constants generated for the app (decompiled from classes.dex).
 *
 * VERSION_NAME and VERSION_CODE are the two values MainActivity's input check is
 * derived from, so the accepted input can be reconstructed from this class alone.
 */
public final class BuildConfig {
    // --- identity ---
    public static final String APPLICATION_ID = "com.example.yaphetshan.tencentgreat";
    public static final String FLAVOR = "";

    // --- build variant ---
    public static final String BUILD_TYPE = "debug";
    // Left as a runtime call rather than a literal, exactly as generated, so it is
    // not a compile-time constant that gets inlined into callers.
    public static final boolean DEBUG = Boolean.parseBoolean("true");

    // --- versioning (the XOR key and the string it is applied to) ---
    public static final int VERSION_CODE = 15;
    public static final String VERSION_NAME = "X<cP[?PHNB<P?aj";
}
看源码得知校验逻辑是:将输入逐字符与「versionName 对应字符 ^ versionCode」比较,且两者长度必须相等。异或是自身的逆运算,所以直接把 versionName 的每个字符与 versionCode 异或即可还原出正确输入。上脚本:
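def decode_flag(version_name: str, version_code: int = 15) -> str:
    """Reverse MainActivity's check: XOR every character of version_name with version_code.

    The app accepts an input whose i-th character equals
    ``version_name[i] ^ version_code``; since XOR is its own inverse, applying
    the same XOR to version_name yields the accepted string.  The defaults come
    from the decompiled BuildConfig (VERSION_NAME / VERSION_CODE).

    Args:
        version_name: the app's versionName (BuildConfig.VERSION_NAME).
        version_code: the app's versionCode used as the XOR key.

    Returns:
        The string the app's check accepts (empty input gives "").
    """
    # Avoid shadowing the builtins ``str``/``sum`` that the original script used.
    return "".join(chr(ord(ch) ^ version_code) for ch in version_name)


if __name__ == "__main__":
    print(decode_flag("X<cP[?PHNB<P?aj", 15))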
得到flag:W3l_T0_GAM3_0ne
反编译技巧 + 读代码 + 异或代码运算。安全启示:校验所依赖的"密钥"(VERSION_NAME / VERSION_CODE)直接编译进了 APK,任何拿到安装包的人都能静态还原,这类纯客户端校验只能算混淆,不能当作鉴权;真正需要保护的判定逻辑和秘密应放在服务端。