![\"|600\"](\"https:\/\/pic1.imgdb.cn\/item\/6838703c58cb8da5c81ae771.png\")
<\/p>\n\u6700\u8fd1\u521a\u597d\u5728\u5b66\u4e60\u5b89\u5353\u9006\u5411,\u53c8\u78b0\u5de7\u5728\u5b66\u4e60frida\u7684\u4f7f\u7528\u65b9\u6cd5,\u505a\u5230\u4e00\u9053\u653b\u9632\u4e16\u754c\u4e0a\u9762\u7684\u9898\u76ee,\u60f3\u7740\u662f\u5426\u80fd\u591f\u501f\u52a9\u8fd9\u6b21\u673a\u4f1a\u6765\u5b66\u4e60\u4e00\u4e0bFrida\u7684\u4f7f\u7528\u65b9\u6cd5<\/p>\n
\u4e00\u4e9b\u53c2\u8003\u94fe\u63a5: todo<\/p>\n
\u9996\u5148\u662f\u8fd0\u884c\u4e00\u4e0b\u770b\u770b\u5b83\u7684\u5b9e\u73b0\u65b9\u5f0f,\u53d1\u73b0\u662finput\u52a0\u9a8c\u8bc1\u7684\u65b9\u5f0f<\/p>\n
<\/p>\n
\u6211\u4eec\u63a5\u7740\u53cd\u6c47\u7f16\u5b83\u7684\u4ee3\u7801<\/p>\n
package com.ph0en1x.android_crackme;\n\nimport android.os.Bundle;\nimport android.support.v7.app.AppCompatActivity;\nimport android.view.View;\nimport android.widget.EditText;\nimport android.widget.Toast;\nimport java.io.UnsupportedEncodingException;\nimport java.security.MessageDigest;\nimport java.security.NoSuchAlgorithmException;\n\n\/* loaded from: classes.dex *\/\npublic class MainActivity extends AppCompatActivity {\n EditText etFlag;\n\n public native String encrypt(String str);\n\n public native String getFlag();\n\n static {\n System.loadLibrary("phcm");\n }\n\n \/* JADX INFO: Access modifiers changed from: protected *\/\n @Override \/\/ android.support.v7.app.AppCompatActivity, android.support.v4.app.FragmentActivity, android.app.Activity\n public void onCreate(Bundle savedInstanceState) {\n super.onCreate(savedInstanceState);\n setContentView(R.layout.activity_main);\n this.etFlag = (EditText) findViewById(R.id.flag_edit);\n }\n\n public void onGoClick(View v) {\n String sInput = this.etFlag.getText().toString();\n if (getSecret(getFlag()).equals(getSecret(encrypt(sInput)))) {\n Toast.makeText(this, "Success", 1).show();\n } else {\n Toast.makeText(this, "Failed", 1).show();\n }\n }\n\n public String getSecret(String string) {\n try {\n byte[] hash = MessageDigest.getInstance(encrypt("KE3TLNE6M43EK4GM34LKMLETG").substring(5, 8)).digest(string.getBytes("UTF-8"));\n if (hash != null) {\n StringBuilder hex = new StringBuilder(hash.length * 2);\n for (byte b : hash) {\n if ((b & 255) < 16) {\n hex.append("0");\n }\n hex.append(Integer.toHexString(b & 255));\n }\n return hex.toString();\n }\n } catch (UnsupportedEncodingException e) {\n e.printStackTrace();\n } catch (NoSuchAlgorithmException e2) {\n e2.printStackTrace();\n }\n return null;\n }\n}\n<\/code><\/pre>\n\u6211\u4eec\u53ef\u4ee5\u770b\u5230\u4e24\u4e2a\u5173\u952e\u7684\u5730\u65b9,\u4e00\u4e2a\u662fOnGoClick\u51fd\u6570,\u53e6\u4e00\u4e2a\u662fgetSecret\u51fd\u6570<\/p>\n
public void onGoClick(View v) {\n String sInput = this.etFlag.getText().toString();\n if (getSecret(getFlag()).equals(getSecret(encrypt(sInput)))) {\n Toast.makeText(this, "Success", 1).show();\n } else {\n Toast.makeText(this, "Failed", 1).show();\n }\n }\n\n public String getSecret(String string) {\n try {\n byte[] hash = MessageDigest.getInstance(encrypt("KE3TLNE6M43EK4GM34LKMLETG").substring(5, 8)).digest(string.getBytes("UTF-8"));\n if (hash != null) {\n StringBuilder hex = new StringBuilder(hash.length * 2);\n for (byte b : hash) {\n if ((b & 255) < 16) {\n hex.append("0");\n }\n hex.append(Integer.toHexString(b & 255));\n }\n return hex.toString();\n }\n } catch (UnsupportedEncodingException e) {\n e.printStackTrace();\n } catch (NoSuchAlgorithmException e2) {\n e2.printStackTrace();\n }\n return null;\n }\n<\/code><\/pre>\n\u4f46\u662f\u6211\u4eec\u4ed4\u7ec6\u5206\u6790\u4e00\u4e0b\u8fd9\u6bb5\u4ee3\u7801<\/p>\n
if (getSecret(getFlag()).equals(getSecret(encrypt(sInput)))) {\n Toast.makeText(this, "Success", 1).show();\n } else {\n Toast.makeText(this, "Failed", 1).show();\n }\n<\/code><\/pre>\n\u53ef\u4ee5\u53d1\u73b0,\u7a0b\u5e8f\u5c06\u6211\u4eec\u7684\u7531\u4e8e\u4e24\u8fb9\u90fd\u6709getSecret\u51fd\u6570,\u6240\u4ee5\u6211\u4eec\u53ea\u9700\u8981\u8fdb\u884cgetflag()\u548cencrypt(sInput)\u7684\u6bd4\u8f83\u5c31\u53ef\u4ee5\u4e86.<\/p>\n
Step2<\/h3>\n
\u901a\u8fc7\u5206\u6790so\u6587\u4ef6,\u6211\u4eec\u53ef\u4ee5\u5f97\u77e5encrypt()\u51fd\u6570\u5c31\u662f\u7b80\u5355\u7684\u628asInput\u7684\u6bcf\u4e00\u4e2aascll\u7801\u52a0\u4e0a\u4e861,\u6240\u4ee5\u73b0\u5728\u6211\u4eec\u53ea\u9700\u8981\u5f97\u5230getflag()\u7684\u8fd4\u56de\u503c\u5c31\u597d\u4e86.<\/p>\n
\u6211\u4eec\u63a5\u4e0b\u6765\u53ef\u4ee5\u5c1d\u8bd5\u4f7f\u7528frida\u6765hook\u8fd9\u4e2a\u51fd\u6570.<\/p>\n
function firethehome(){\n Java.perform(function(){\n var MainAct = Java.use("com.ph0en1x.android_crackme.MainActivity");\n\n MainAct.getFlag.implementation = function(){\n var result = this.getFlag();\n console.log("[*] getFlag() called. Original return: " + result);\n\n \/\/ \u4fee\u6539\u6bcf\u4e2a\u5b57\u7b26\uff1aASCII + 1\n var modified = "";\n for (var i = 0; i < result.length; i++) {\n var c = result.charCodeAt(i); \/\/ \u83b7\u53d6 ASCII \u7801\n modified += String.fromCharCode(c + 1); \/\/ \u8f6c\u6210\u65b0\u5b57\u7b26\n }\n\n console.log("[*] Modified return: " + modified);\n return modified;\n };\n });\n}\n\nsetImmediate(firethehome);\n<\/code><\/pre>\n\u6700\u540e\u5c31\u53ef\u4ee5\u6210\u529f\u5f97\u5230flag\u4e86<\/p>\n
[*] Modified return: flag{Ar3_y0u_go1nG_70_scarborough_Fair}<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"\u524d\u8a00 \u6700\u8fd1\u521a\u597d\u5728\u5b66\u4e60\u5b89\u5353\u9006\u5411,\u53c8\u78b0\u5de7\u5728\u5b66\u4e60frida\u7684\u4f7f\u7528\u65b9\u6cd5,\u505a\u5230\u4e00\u9053\u653b\u9632\u4e16\u754c\u4e0a\u9762\u7684\u9898\u76ee,\u60f3\u7740\u662f\u5426\u80fd\u591f\u501f\u52a9\u8fd9 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-22","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/22","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/comments?post=22"}],"version-history":[{"count":1,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/22\/revisions"}],"predecessor-version":[{"id":23,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/22\/revisions\/23"}],"wp:attachment":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/media?parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/categories?post=22"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/tags?post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}