Attack and defense world mobile--ph0en1x-100

1. First of all, will apk Drag in jdx in , Find the program entry point

2. Find the key function

3.getflag() and getSecret() by native function , Roughly speaking getFlag() The string returned by the function encrypts the string after encrpt() Function for encryption comparison

4. There are at least three ways ,fridaHook, Modify pop-up window ,jeb Dynamic debugging .

Method 1 ：jeb Dynamic debugging

take apk Drag in jeb in , Additional processes , stay getSecret() Function breakpoint （ctrl+B）, function apk

  here V1 The supreme act of getflag() Return value , take int Change it to string, obtain flag.

  The return value is {ek`[email protected]^x/t^fn0mF^6/^rb`qanqntfg^E`hq|}

        Method 2 ： Modify pop-up window

take apk Drag in Android Killer, Add the following code （makeText() Of smali Code ）

   invoke-static {p0, v1, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;

    move-result-object v1

    invoke-virtual {v1}, Landroid/widget/Toast;->show()V

preservation , recompile .

Modification effect

        Method 3 ：fridaHook

import frida, sys

jscode = """
Java.perform(function(){
    Interceptor.attach(Module.findExportByName("libphcm.so","Java_com_ph0en1x_android_1crackme_MainActivity_getFlag"),{ 
        onEnter: function(args) {
            },       
        onLeave: function(retval){      
            var String_java = Java.use('java.lang.String');      
            var args_4 = Java.cast(retval, String_java);       
            send("getFlag()==>"+args_4);        }   
        });
    });"""

def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

process = frida.get_usb_device().attach('com.ph0en1x.android_crackme')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()

Output ：

         Method four ： The same is fridaHook, Method 3 HOOK native, Feeling java Layers can also Hook, Just try

import frida, sys

jscode = """
Java.perform(function(){
   var utils = Java.use('com.ph0en1x.android_crackme.MainActivity');
    utils.onGoClick.overload("android.view.View").implementation = function (a) {   //"int" Indicates the type =" type "    string type ="java.lang.string"
        console.log("Hook Start...");
		var ret = this.getFlag();
		send(ret);
        send("Success!");
		
    }
        });
    """

def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)

process = frida.get_usb_device().attach('com.ph0en1x.android_crackme')
script = process.create_script(jscode)
script.on('message', on_message)
script.load()
sys.stdin.read()

  Output success ：

 5. The rest is the solution getSecret(getFlag()) 了

encrypt() The function is to put each of the input strings ASCII Code subtraction 1

To write

Flag = 'ek`[email protected]^x/t^fn0mF^6/^rb`qanqntfg^E`hq|'
result = ''
for i in Flag:    
 result +=chr(ord(i) + 1)
print(result)

get flag yes flag{Ar3_y0u_go1nG_70_scarborough_Fair}