【攻防世界】Moblie系列之基础app2

【攻防世界】Mobile系列之app2

点击登录后，显示”Waiting fot you!”

反编译打开该app，定位程序入口

@SuppressLint({"ShowToast"})
public class MainActivity extends Activity implements View.OnClickListener {
    private Button a;
    private Handler b = null;
    private EditText c;
    private EditText d;

    /* access modifiers changed from: protected */
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(R.layout.activity_main);
        this.a = (Button) findViewById(R.id.button1);
        this.a.setOnClickListener(this);
        this.c = (EditText) findViewById(R.id.editText1);
        this.d = (EditText) findViewById(R.id.editText2);
        SharedPreferences.Editor edit = getSharedPreferences("test", 0).edit();
        edit.putLong("ili", System.currentTimeMillis());
        edit.commit();
        Log.d("hashcode", SignatureTool.getSignature(this) + "");
    }

    public boolean onCreateOptionsMenu(Menu menu) {
        getMenuInflater().inflate(R.menu.main, menu);
        return true;
    }

    public boolean onOptionsItemSelected(MenuItem menuItem) {
        if (menuItem.getItemId() == R.id.action_settings) {
            return true;
        }
        return super.onOptionsItemSelected(menuItem);
    }

    public void onClick(View view) {
        switch (view.getId()) {
            case R.id.button1 /*{ENCODED_INT: 2131165187}*/:
                if (this.c.getText().length() == 0 || this.d.getText().length() == 0) {
                    Toast.makeText(this, "不能为空", 1).show();
                    return;
                }
                String obj = this.c.getText().toString();
                String obj2 = this.d.getText().toString();
                Log.e("test", obj + " test2 = " + obj2);
                Intent intent = new Intent(this, SecondActivity.class);
                intent.putExtra("ili", obj);
                intent.putExtra("lil", obj2);
                startActivity(intent);
                return;
            default:
                return;
        }
    }
}

这里**Intent intent = new Intent(this, SecondActivity.class);**调用了SecondActivity类，我们继续跟踪

public class SecondActivity extends a {
    private BroadcastReceiver c = new BroadcastReceiver() {
        /* class com.tencent.testvuln.SecondActivity.AnonymousClass1 */

        public void onReceive(Context context, Intent intent) {
            Toast.makeText(context, "myReceiver receive", 0).show();
            if (context.getPackageName().equals(intent.getAction())) {
            }
        }
    };

    /* access modifiers changed from: protected */
    @Override // com.tencent.testvuln.a
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(R.layout.activity_main2);
        Intent intent = getIntent();
        String stringExtra = intent.getStringExtra("ili");
        String stringExtra2 = intent.getStringExtra("lil");
        if (Encryto.doRawData(this, stringExtra + stringExtra2).equals("VEIzd/V2UPYNdn/bxH3Xig==")) {
            intent.setAction("android.test.action.MoniterInstallService");
            intent.setClass(this, MoniterInstallService.class);
            intent.putExtra("company", "tencent");
            intent.putExtra("name", "hacker");
            intent.putExtra("age", 18);
            startActivity(intent);
            startService(intent);
        }
        SharedPreferences.Editor edit = getSharedPreferences("test", 0).edit();
        edit.putString("ilil", stringExtra);
        edit.putString("lili", stringExtra2);
        edit.commit();
    }

    public boolean onCreateOptionsMenu(Menu menu) {
        getMenuInflater().inflate(R.menu.main, menu);
        return true;
    }

    public boolean onOptionsItemSelected(MenuItem menuItem) {
        if (menuItem.getItemId() == R.id.action_settings) {
            return true;
        }
        return super.onOptionsItemSelected(menuItem);
    }
}

这里注意到这行代码**Encryto.doRawData(this, stringExtra + stringExtra2).equals(“VEIzd/V2UPYNdn/bxH3Xig==”)**将输入的两个字符串拼接然后使用Encryto.doRawData()对其进行处理后与”VEIzd/V2UPYNdn/bxH3Xig==”作对比

我们继续跟踪Encryto.doRawData()，这是一个native层的so文件，我们使用IDA打开该文件定位到doRawData函数

伪代码如下

int __cdecl doRawData(int a1, int a2, int a3, int a4)
{
  char *v4; // esi
  int result; // eax
  char *v6; // esi
  size_t v7; // eax
  int v8; // [esp+0h] [ebp-2Ch]
  int (__cdecl *v9)(int, char *, size_t); // [esp+0h] [ebp-2Ch]
  char v10[20]; // [esp+4h] [ebp-28h] BYREF
  unsigned int v11; // [esp+18h] [ebp-14h]

  v11 = __readgsdword(0x14u);
  if ( checkSignature(a1, a2, a3) == 1 )
  {
    strcpy(v10, "thisisatestkey==");
    v4 = (char *)(*(int (__cdecl **)(int, int, _DWORD))(*(_DWORD *)a1 + 676))(a1, a4, 0);
    v8 = AES_128_ECB_PKCS5Padding_Encrypt(v4, (int)v10);
    (*(void (__cdecl **)(int, int, char *))(*(_DWORD *)a1 + 680))(a1, a4, v4);
    result = (*(int (__cdecl **)(int, int))(*(_DWORD *)a1 + 668))(a1, v8);
  }
  else
  {
    v6 = UNSIGNATURE[0];
    v9 = *(int (__cdecl **)(int, char *, size_t))(*(_DWORD *)a1 + 652);
    v7 = strlen(UNSIGNATURE[0]);
    result = v9(a1, v6, v7);
  }
  return result;
}

上面那一段程序是一个AES加密算法，使用CBC模式，密钥为”thisisatestkey==”，如果想要获取明文的账号和密码，只需要对其进行AES解密操作获取明文。

import base64
from Crypto.Cipher import AES

key = 'thisisatestkey=='
aes = AES.new(key,AES.MOOD_ECB)
text = base64.b64decode('VEIzd/V2UPYNdn/bxH3Xig==')
print(aes.decrypt(test))

得出如下结果

aimage/tencent

再次对反编译后的代码进行分析，在FileDataActivity中发现新的字符串

然后对字符串”9YuQ2dk8CSaCe7DTAmaqAA==”进行解密

import base64
from Crypto.Cipher import AES

key = '9YuQ2dk8CSaCe7DTAmaqAA=='
aes = AES.new(key,AES.MOOD_ECB)
text = base64.b64decode('VEIzd/V2UPYNdn/bxH3Xig==')
print(aes.decrypt(test))

得到Cas3_0f_A_CAK3

打赏