easy-dex
雷电模拟器打开黑屏
JEB打开
反编译没有有效内容,查看Manifest,找到了NativeActivity和MainActivity
So层分析
android_main函数分析
有两组加密数据:filename和name
// Decompiler excerpt from android_main: two obfuscated strings are built on the
// stack as 32-bit constants and then decoded in place with a one-byte XOR key.
// Byte order below assumes a little-endian target, as the decoding script on
// this page does.

// Encrypted string #1 (filename): 13 dwords = 52 bytes, then a zero dword.
// The low byte of the first dword is 0x2F ('/'), i.e. already plaintext.
// v45..v57 are presumably the stack slots directly after filename -- confirm in the stack view.
*(_DWORD *)filename = 0x9D888D2F;
v45 = 0x888DC688;
v46 = 0x8AC6889D;
v47 = 0x88C78486;
v48 = 0x84889AC7;
v49 = 0xC78C8599;
v50 = 0x8D87808F;
v51 = 0x8C8D9084;
v52 = 0x808FC691;
v53 = 0xC69A8C85;
v54 = 0x9A88858A;
v55 = 0xC79A8C9A;
v56 = 0xE9918C8D;
v57 = 0;
// Encrypted string #2 (name): 11 dwords = 44 bytes, plus the v42 tail set below.
*(_DWORD *)name = 0x9D888DC6;
v32 = 0x888DC688;
v33 = 0x8AC6889D;
v34 = 0x88C78486;
// -2071422265 is the signed rendering of 0x84889AC7 (same constant as v48 above).
v35 = -2071422265;
v36 = 0xC78C8599;
v37 = 0x8D87808F;
v38 = 0x8C8D9084;
v39 = 0x808FC691;
v40 = 0xC69A8C85;
v41 = 0x918C8D86;
v43 = 0;
v4 = 1;
// NOTE(review): v42 looks like a 16-bit tail of the name buffer; bytes C6 E9
// would decode to '/' followed by NUL if the name loop reaches them -- the loop
// bound is not shown in this excerpt, confirm in the disassembly.
v42 = 0xE9C6;
// Decode filename in place: XOR with 0xE9 for indices 1..52. Index 0 is
// skipped, so the leading 0x2F ('/') stays as stored.
do
filename[v4++] ^= 0xE9u;
while ( v4 != 53 );
v5 = 1;
// 47 == '/': the first byte of name is overwritten with a literal slash
// instead of being decoded.
name[0] = 47;
// Decode name in place with the same key, again starting at index 1.
// The loop condition is cut off in this excerpt.
do
name[v5++] ^= 0xE9u;
先写脚本解密
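# filename
# Encrypted dwords copied from the `filename` stack initialiser in android_main.
list1 = [0x9D888D2F, 0x888DC688, 0x8AC6889D, 0x88C78486, 0x84889AC7, 0xC78C8599,
         0x8D87808F, 0x8C8D9084, 0x808FC691, 0xC69A8C85, 0x9A88858A, 0xC79A8C9A,
         0xE9918C8D]

# Convert every dword to a fixed-width 4-byte little-endian chunk, matching the
# in-memory layout the native loop walks byte by byte.
raw = b''.join(word.to_bytes(4, 'little') for word in list1)

# The native loop starts at index 1 (v4 = 1), so byte 0 (0x2F, '/') is stored in
# the clear. XORing it as well would turn the leading slash into a junk
# character, so only bytes 1.. are decoded with the 0xE9 key.
plain = raw[:1] + bytes(b ^ 0xE9 for b in raw[1:])

# The last encrypted byte (0xE9) decodes to the C string terminator; cut there
# so the printed path carries no trailing NUL.
flag = plain.split(b'\x00', 1)[0].decode('latin-1')
print(flag)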
运行得
data/data/com.a.sample.findmydex/files/classes.dex
# name
# Encrypted dwords copied from the `name` stack initialiser in android_main.
# NOTE(review): the 16-bit tail v42 = 0xE9C6 from the pseudocode is not part of
# this list; it would decode to '/' plus NUL if the native loop covers it --
# confirm against the binary before relying on the exact path.
list1 = [0x9D888DC6, 0x888DC688, 0x8AC6889D, 0x88C78486, 0x84889AC7, 0xC78C8599,
         0x8D87808F, 0x8C8D9084, 0x808FC691, 0xC69A8C85, 0x918C8D86]

# Each dword becomes 4 little-endian bytes; every byte is XORed with the 0xE9
# key and appended as a character.
flag = ''.join(
    chr(byte ^ 0xe9)
    for word in list1
    for byte in word.to_bytes(4, 'little')
)
print(flag)
运行得
/data/data/com.a.sample.findmydex/files/odex
接着dump下内存
import os
import zlib
f=open("dump",'rb').read()
print(hex(len(f)))