本文讲的是
安卓APP破解利器Frida之破解实战,
在第一篇博文中,我对Frida做了一些简单的介绍,现在,我们就使用 Frida 来进行一个安卓APP的破解实战吧。通过之前我们对Frida用法的了解和掌握,破解一个简单的crackme 就变得非常简单了。如果你想跟着我一起操作,你需要准备以下几样东西:待破解的 UnCrackable-Level1.apk(安装后的包名为 sg.vantagepoint.uncrackable1)、用于反编译的 dex2jar,以及 Frida 客户端。先用 adb 把 APK 装到设备或模拟器上:
# Install the UnCrackable Level 1 APK on the device/emulator that adb is connected to.
# The package it installs as (sg.vantagepoint.uncrackable1) is the process name the
# frida command further down attaches to.
adb install sg.vantagepoint.uncrackable1.apk
michael@sixtyseven:/opt/dex2jar/dex2jar-2.0$ ./d2j-dex2jar.sh -o /home/michael/UnCrackable-Level1.jar /home/michael/UnCrackable-Level1.apk dex2jar /home/michael/UnCrackable-Level1.apk -> /home/michael/UnCrackable-Level1.jar
package sg.vantagepoint.uncrackable1;

import android.app.Activity;
import android.app.AlertDialog;
import android.content.Context;
import android.content.DialogInterface;
import android.os.Bundle;
import android.text.Editable;
import android.view.View;
import android.widget.EditText;
import sg.vantagepoint.uncrackable1.a;
import sg.vantagepoint.uncrackable1.b;
import sg.vantagepoint.uncrackable1.c;

/*
 * Decompiled MainActivity of UnCrackable Level 1 (names are obfuscated, casts
 * and resource ids are decompiler output).
 * The tamper checks in onCreate only *display* a dialog; the process exit happens
 * later, in that dialog's OK-button listener (class b, which calls System.exit(0)).
 * That is why a single Frida hook on b.onClick is enough to keep the app alive.
 */
public class MainActivity extends Activity {

    // Shows the "going to exit" dialog. This method itself never exits; the
    // OK button's listener (class b) is what terminates the process.
    private void a(String string) {
        AlertDialog alertDialog = new AlertDialog.Builder((Context)this).create();
        alertDialog.setTitle((CharSequence)string);
        alertDialog.setMessage((CharSequence)"This in unacceptable. The app is now going to exit.");
        // -3 == DialogInterface.BUTTON_NEUTRAL; new b(this) is the exit handler.
        alertDialog.setButton(-3, (CharSequence)"OK", (DialogInterface.OnClickListener)new b(this));
        alertDialog.show();
    }

    protected void onCreate(Bundle bundle) {
        // Root detection (sg.vantagepoint.a.c, listed below): "su" on $PATH,
        // "test-keys" in Build.TAGS, or well-known su/Superuser files on disk.
        // Note this runs before super.onCreate and only shows a dialog -- the
        // activity keeps initialising regardless of the result.
        if (sg.vantagepoint.a.c.a() || sg.vantagepoint.a.c.b() || sg.vantagepoint.a.c.c()) {
            this.a("Root detected!"); //This is the message we are looking for
        }
        // Check behind the "App is debuggable!" dialog; its implementation
        // (sg.vantagepoint.a.b) is not part of this listing.
        if (sg.vantagepoint.a.b.a((Context)this.getApplicationContext())) {
            this.a("App is debuggable!");
        }
        super.onCreate(bundle);
        this.setContentView(2130903040); // 0x7f030000 -- presumably R.layout of the main screen
    }

    // Click handler of the Verify button: reads the text field and passes it to
    // a.a(String), which compares it against the secret decrypted in-process.
    // Decompiler artifact: the View parameter is reused as a String local.
    public void verify(View object) {
        object = ((EditText)this.findViewById(2131230720)).getText().toString(); // 0x7f040000 -- presumably R.id of the input field
        AlertDialog alertDialog = new AlertDialog.Builder((Context)this).create();
        if (a.a((String)object)) {
            alertDialog.setTitle((CharSequence)"Success!");
            alertDialog.setMessage((CharSequence)"This is the correct secret.");
        } else {
            alertDialog.setTitle((CharSequence)"Nope...");
            alertDialog.setMessage((CharSequence)"That's not it. Try again.");
        }
        // Class c is this dialog's listener (not shown); it is not the exit handler.
        alertDialog.setButton(-3, (CharSequence)"OK", (DialogInterface.OnClickListener)new c(this));
        alertDialog.show();
    }
}
if (sg.vantagepoint.a.c.a() || sg.vantagepoint.a.c.b() || sg.vantagepoint.a.c.c())
// Root-detection helpers called from MainActivity.onCreate as
// sg.vantagepoint.a.c.a() / b() / c() (the enclosing class header is not shown
// in this listing). Each is a cheap heuristic that only influences whether the
// dialog is shown; hooking any of them to return false, or neutralising the
// dialog's exit handler as this article does, defeats them.

// a(): true if a file named "su" exists in any directory listed in $PATH.
// NOTE(review): System.getenv("PATH") is dereferenced without a null check.
public static boolean a() {
    String[] a = System.getenv("PATH").split(":");
    int i = a.length;
    int i0 = 0;
    while(true) {
        boolean b = false;
        if (i0 >= i) {
            b = false;
        } else {
            if (!new java.io.File(a[i0], "su").exists()) {
                i0 = i0 + 1;
                continue;
            }
            b = true;
        }
        return b;
    }
}

// b(): true if android.os.Build.TAGS contains "test-keys", i.e. the build
// was not signed with release keys.
public static boolean b() {
    String s = android.os.Build.TAGS;
    if (s != null && s.contains((CharSequence)(Object)"test-keys")) {
        return true;
    }
    return false;
}

// c(): true if any of these well-known su / Superuser artefacts exists on disk.
public static boolean c() {
    String[] a = new String[7];
    a[0] = "/system/app/Superuser.apk";
    a[1] = "/system/xbin/daemonsu";
    a[2] = "/system/etc/init.d/99SuperSUDaemon";
    a[3] = "/system/bin/.ext/.su";
    a[4] = "/system/etc/.has_su_daemon";
    a[5] = "/system/etc/.installed_su_daemon";
    a[6] = "/dev/com.koushikdutta.superuser.daemon/";
    int i = a.length;
    int i0 = 0;
    while(i0 < i) {
        if (new java.io.File(a[i0]).exists()) {
            return true;
        }
        i0 = i0 + 1;
    }
    return false;
}
// -3 == DialogInterface.BUTTON_NEUTRAL. The listener passed here, class b, is
// where System.exit(0) lives -- that onClick method is the hook point.
alertDialog.setButton(-3, (CharSequence)"OK", (DialogInterface.OnClickListener)new b(this));
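package sg.vantagepoint.uncrackable1;

/**
 * OnClickListener attached to the "OK" button of the tamper-detection dialog
 * shown by MainActivity.a(String). Tapping OK terminates the whole process,
 * so replacing onClick at runtime (e.g. with Frida) is enough to defeat the
 * root / debuggable checks.
 *
 * Two decompiler artefacts are corrected relative to the raw output: the
 * super() call must be the first statement of a constructor, and the nested
 * type is spelled with '.' rather than the binary-name '$' in source.
 */
class b implements android.content.DialogInterface.OnClickListener {
    // Back-reference to the activity; unused by onClick but kept by the original.
    final sg.vantagepoint.uncrackable1.MainActivity a;

    b(sg.vantagepoint.uncrackable1.MainActivity a0) {
        super();
        this.a = a0;
    }

    // Ignores which button fired and kills the process outright.
    @Override
    public void onClick(android.content.DialogInterface a0, int i) {
        System.exit(0);
    }
}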
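// Frida script for UnCrackable Level 1, step 1: keep the app alive.
// MainActivity shows a "Root detected!" / "App is debuggable!" dialog whose OK
// button (sg.vantagepoint.uncrackable1.b.onClick) calls System.exit(0).
// Replacing that handler with a no-op means tapping OK no longer exits.
// Attach while the dialog is still on screen, i.e. before tapping OK.
setImmediate(function () { // prevent timeout
    console.log("[*] Starting script");

    Java.perform(function () {
        // Declared with var: the original leaked these as implicit globals.
        var bClass = Java.use("sg.vantagepoint.uncrackable1.b");

        // Java signature is onClick(DialogInterface, int); both args are ignored.
        bClass.onClick.implementation = function (dialog, which) {
            console.log("[*] onClick called");
            // Deliberately NOT calling the original: it would System.exit(0).
        };

        console.log("[*] onClick handler modified");
    });
});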
# -U: use the USB-attached device/emulator; -l: load the hook script;
# last argument: the running process to attach to (the app's package name).
# Run this while the "Root detected!" dialog is still showing -- the replaced
# b.onClick must be in place before OK is tapped, otherwise System.exit(0) runs.
frida -U -l uncrackable1.js sg.vantagepoint.uncrackable1
public void verify(View object) {
if (a.a((String)object)) {
package sg.vantagepoint.uncrackable1;

import android.util.Base64;
import android.util.Log;

/*
 * Decompiler note: "Exception performing whole class analysis ignored."
 */
/*
 * Secret check of UnCrackable Level 1 (decompiled, names obfuscated).
 * Both the Base64 ciphertext and the hex-encoded 16-byte key are hard-coded in
 * the APK and the plaintext is rebuilt in-process on every call, so the
 * "encryption" protects nothing: hooking sg.vantagepoint.a.a.a (as the Frida
 * script below does) or java.lang.String.equals reveals the secret directly.
 */
public class a {
    // Returns true iff `string` equals the decrypted embedded secret.
    public static boolean a(String string) {
        // Hard-coded ciphertext; 0 is Base64.DEFAULT.
        byte[] arrby = Base64.decode((String)"5UJiFctbmgbDoLXmpL12mkno8HT4Lv8dlat8FxR2GOc=", (int)0);
        byte[] arrby2 = new byte[]{};
        try {
            // sg.vantagepoint.a.a.a(key, data) is not part of this listing; the
            // log text below and the 16-byte key suggest AES-128 decryption.
            arrby2 = arrby = sg.vantagepoint.a.a.a((byte[])a.b((String)"8d127684cbc37c17616d806cf50473cc"), (byte[])arrby);
        } catch (Exception var2_2) {
            // NOTE(review): on failure arrby2 stays empty, so an empty input
            // string would still be accepted by the comparison below.
            Log.d((String)"CodeCheck", (String)("AES error:" + var2_2.getMessage()));
        }
        // new String(byte[]) uses the platform charset; the plain equals() here
        // is what a hook on String.equals would observe.
        if (!string.equals(new String(arrby2))) return false;
        return true;
    }

    // Hex string -> bytes, two characters per byte. No validation: non-hex
    // characters yield garbage (Character.digit returns -1) and an odd length
    // throws StringIndexOutOfBoundsException on the last charAt(n2 + 1).
    public static byte[] b(String string) {
        int n = string.length();
        byte[] arrby = new byte[n / 2];
        int n2 = 0;
        while (n2 < n) {
            arrby[n2 / 2] = (byte)((Character.digit(string.charAt(n2), 16) << 4) + Character.digit(string.charAt(n2 + 1), 16));
            n2 += 2;
        }
        return arrby;
    }
}
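// Hook sg.vantagepoint.a.a.a(byte[], byte[]) and print what it returns.
// Class a (listed above) calls it with what looks like a 16-byte key and the
// Base64-decoded ciphertext, then compares the user's input against the
// result -- so the return value IS the secret; no need to reverse the crypto.
var aaClass = Java.use("sg.vantagepoint.a.a");

aaClass.a.implementation = function (arg1, arg2) {
    // Run the real implementation so the app's own check still works.
    var retval = this.a(arg1, arg2);

    // retval is a Java byte[]: elements are signed (-128..127), so mask them
    // to 0..255 before converting. This renders one char per byte (Latin-1
    // style), which is exact for the ASCII secret here; the app itself
    // decodes with new String(byte[]), so non-ASCII bytes could differ.
    var password = "";
    for (var i = 0; i < retval.length; i++) {
        password += String.fromCharCode(retval[i] & 0xff);
    }
    console.log("[*] Decrypted: " + password);

    return retval;
};

console.log("[*] sg.vantagepoint.a.a.a modified");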
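// Frida script for UnCrackable Level 1, complete version:
//   1. neutralise b.onClick so the tamper dialog's OK button no longer exits;
//   2. hook the AES helper sg.vantagepoint.a.a.a and log its plaintext result,
//      which is the secret that class a compares the user's input against.
// Attach before tapping OK on the "Root detected!" dialog, then enter any text
// and press Verify to trigger the decryption.
setImmediate(function () { // prevent timeout
    console.log("[*] Starting script");

    Java.perform(function () {
        // All locals declared with var -- the original leaked them as globals.
        var bClass = Java.use("sg.vantagepoint.uncrackable1.b");

        // Java signature is onClick(DialogInterface, int); both args ignored.
        // Deliberately never calls the original, which would System.exit(0).
        bClass.onClick.implementation = function (dialog, which) {
            console.log("[*] onClick called.");
        };
        console.log("[*] onClick handler modified");

        var aaClass = Java.use("sg.vantagepoint.a.a");

        aaClass.a.implementation = function (arg1, arg2) {
            // Run the real implementation so the app's own check still works.
            var retval = this.a(arg1, arg2);

            // Java byte[] elements are signed; mask to 0..255 before converting.
            // One char per byte is exact for the ASCII secret here; the app
            // itself uses new String(byte[]), so non-ASCII bytes could differ.
            var password = "";
            for (var i = 0; i < retval.length; i++) {
                password += String.fromCharCode(retval[i] & 0xff);
            }
            console.log("[*] Decrypted: " + password);

            return retval;
        };
        console.log("[*] sg.vantagepoint.a.a.a modified");
    });
});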
# Same invocation as before, now loading the script that also hooks the AES
# helper. Attach while the "Root detected!" dialog is showing, tap OK (the hook
# swallows the exit), then type anything and press Verify: the hooked
# sg.vantagepoint.a.a.a logs the decrypted secret.
frida -U -l uncrackable1.js sg.vantagepoint.uncrackable1
michael@sixtyseven:~/Development/frida$ frida -U -l uncrackable1.js sg.vantagepoint.uncrackable1 ____ / _ | Frida 9.1.16 - A world-class dynamic instrumentation framework | (_| | > _ | Commands: /_/ |_| help -> Displays the help system . . . . object? -> Display information about 'object' . . . . exit/quit -> Exit . . . . . . . . More info at http://www.frida.re/docs/home/ [*] Starting script [USB::Android Emulator 5554::sg.vantagepoint.uncrackable1]-> [*] onClick handler modified [*] sg.vantagepoint.a.a.a modified [*] onClick called. [*] Decrypted: I want to believe
原文发布时间为:2017年4月19日
本文作者:丝绸之路
本文来自云栖社区合作伙伴嘶吼,了解相关信息可以关注嘶吼网站。