easy-dex
No dex file is found in the APK. The manifest declares two Activities; one of them is named android.app.NativeActivity, and android:hasCode="false" indicates that the app contains no Java code.
    <activity android:configChanges="0xa0" android:label="@string/app_name" android:name="android.app.NativeActivity">
        <meta-data android:name="android.app.lib_name" android:value="native" />
        <intent-filter>
            <action android:name="android.intent.action.MAIN" />
            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>
    </activity>
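A small triage script for this manifest pattern, added here as an example (it is not part of the original writeup). It wraps the activity block quoted above in a constructed minimal <manifest>/<application> element and reports whether the app is a "native only" package: android:hasCode="false" on <application> plus a launcher NativeActivity whose android.app.lib_name meta-data names the .so that holds all the logic.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: the activity block from the writeup, wrapped in a minimal
# <manifest>/<application> so it parses. hasCode is assumed to sit on
# <application>, where AndroidManifest.xml normally carries it.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.a.sample.findmydex">
  <application android:hasCode="false" android:label="@string/app_name">
    <activity android:configChanges="0xa0" android:label="@string/app_name"
              android:name="android.app.NativeActivity">
      <meta-data android:name="android.app.lib_name" android:value="native" />
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute from an element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Summarize whether an app runs without Java code and which native
    library each NativeActivity entry loads."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    has_code = attr(app, "hasCode") if app is not None else None
    native = []
    for act in root.iter("activity"):
        if attr(act, "name") != "android.app.NativeActivity":
            continue
        lib = None
        for md in act.findall("meta-data"):
            if attr(md, "name") == "android.app.lib_name":
                lib = attr(md, "value")
        is_launcher = any(
            attr(cat, "name") == "android.intent.category.LAUNCHER"
            for cat in act.iter("category"))
        native.append({"lib_name": lib, "launcher": is_launcher})
    # hasCode="false" together with a launcher NativeActivity means every bit of
    # application logic lives in lib<lib_name>.so, so that is where analysis starts.
    native_only = has_code == "false" and any(n["launcher"] for n in native)
    return {"package": root.get("package"),
            "hasCode": has_code,
            "native_activities": native,
            "native_only": native_only}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run against a real manifest, feed it the decoded AndroidManifest.xml (for example after apktool) instead of the constructed sample; the lib_name value tells you which library under lib/<abi>/ to open.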
The entry point of this .so is the Android_main function.
Right at the entry there is an encrypted blob; the following script tries to decrypt it:
    import struct

    # Encrypted dwords pulled from the binary (the decompiler shows some as signed 32-bit values)
    a = [0x9D888DC6, 0x888DC688, -1966700387, -2000190330, -2071422265, -947092071,
         -1920499569, -1936879484, -2138061167, -962950011, -1702328950, -946172774,
         -376337267]

    d = ""
    for num in a:
        # XOR each dword with the key and mask to 32 bits so the negative values pack correctly
        num = (num ^ 0xE9E9E9E9) & 0xFFFFFFFF
        # Little-endian byte order gives the characters in memory order
        d += struct.pack('<I', num).decode()
    print(d.rstrip('\x00'))
Decoding gives the following paths:
    /data/data/com.a.sample.findmydex/files/classes.dex
    /data/data/com.a.sample.findmydex/files/odex (the optimized dex)
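The key 0xE9E9E9E9 above was read out of the binary. Where the key is not obvious, a known-plaintext guess is enough to recover a single-dword XOR key: every path on Android starts with "/data" or "/sdcard", so the first four bytes are predictable. The script below is an added example, not part of the original writeup; it reuses the dword table from the decoder above, assumes little-endian layout (as the decoder does), and derives the key from the prefix "/dat" before decoding the whole table.

```python
# Copy of the dword table from the writeup's decoder script (constructed input for this example)
ENC_WORDS = [0x9D888DC6, 0x888DC688, -1966700387, -2000190330, -2071422265,
             -947092071, -1920499569, -1936879484, -2138061167, -962950011,
             -1702328950, -946172774, -376337267]

MASK32 = 0xFFFFFFFF


def recover_xor_key(words, known_prefix):
    """Derive a 32-bit XOR key from the first dword and 4 known plaintext bytes.

    Little-endian is assumed, matching how the decoder script unpacks the table.
    """
    if len(known_prefix) != 4:
        raise ValueError("need exactly 4 known bytes for a 32-bit key")
    plain = int.from_bytes(known_prefix, "little")
    return (words[0] & MASK32) ^ plain


def decode_words(words, key):
    """XOR every dword with key and return the bytes up to the first NUL terminator."""
    out = bytearray()
    for w in words:
        # mask first so signed values from the decompiler behave like unsigned dwords
        out += ((w & MASK32) ^ key).to_bytes(4, "little")
    return bytes(out.split(b"\x00", 1)[0])


def looks_like_path(data):
    """Sanity check for a candidate key: printable ASCII that starts with '/'."""
    return data[:1] == b"/" and all(0x20 <= c < 0x7F for c in data)


if __name__ == "__main__":
    key = recover_xor_key(ENC_WORDS, b"/dat")
    print(hex(key))
    s = decode_words(ENC_WORDS, key)
    print(s.decode(), looks_like_path(s))
```

If the guessed prefix is wrong, looks_like_path() fails on the decoded bytes and you try the next plausible prefix; with a 32-bit key and a 4-byte crib there is exactly one candidate per guess, so the check is cheap.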
Locate the code that decrypts the dex and reproduce the decryption.
First, dump the encrypted blob from memory (IDC script run inside IDA):
    static main()
    {
        auto i, fp;
        fp = fopen("d:\\dump.dex", "wb");
        // copy 0x3ca10 bytes starting at 0x7004 out of the debuggee
        for (i = 0x7004; i < 0x7004 + 0x3ca10; i++)
            fputc(Byte(i), fp);
        fclose(fp);
    }
Then decrypt it:
    import struct
    import zlib

    with open('dump.dex', 'rb') as f:
        a = f.read()

    key = 0x3ca10  # size of the dumped blob; also determines the block layout

    with open('dec.dex', 'wb') as fp:
        for i in range(99):
            if i % 10 == 9:
                v17 = key // 10                  # bytes per block
                v15 = i // 10                    # block number (0..8)
                v18 = (v15 + 1) * (key // 10)    # start of the next block
                index = v17 * v15                # start of this block
                # XOR every byte of block v15 with the loop counter i (9, 19, ..., 89)
                while v17:
                    fp.write(struct.pack('B', a[index] ^ i))
                    index += 1
                    v17 -= 1
                # After block 8, the rest of the buffer (block 9 plus any remainder)
                # is XORed with 89 as well
                if i == 89:
                    while v18 < key:
                        fp.write(struct.pack('B', a[v18] ^ i))
                        v18 += 1

    # The XOR-decoded data is zlib-compressed; inflate it to get the real dex
    with open('dec.dex', 'rb') as dec:
        b = dec.read()
    with open('dec_decompress.dex', 'wb') as fp:
        fp.write(zlib.decompress(b))
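The decryption above is written against one fixed dump and gives no feedback when the offsets are off by a byte. The version below is an added example (not the writeup's own code): it packs the same block-XOR layout into a pure function, assumes as the writeup does that the key is simply the blob length (0x3ca10 for the real dump), and verifies the result by checking for a dex magic after inflating. Because XOR is its own inverse, the same function scrambles a constructed fixture and unscrambles it again, so the example runs offline without the real dump.

```python
import zlib

# Magics of the dex format versions in use (035, 037, 038, 039)
DEX_MAGICS = (b"dex\n035\x00", b"dex\n037\x00", b"dex\n038\x00", b"dex\n039\x00")


def block_xor(buf):
    """Apply the block XOR layout recovered in the writeup to buf.

    The buffer is split into ten blocks of len(buf)//10 bytes. Blocks 0..8 are
    XORed with 9, 19, ..., 89 (the loop counter at which the original routine
    touches each block); block 9 and any leftover bytes are XORed with 89 too.
    XOR is its own inverse, so this both scrambles and unscrambles.
    """
    key = len(buf)      # assumption: the key equals the blob size, as in the writeup (0x3ca10)
    block = key // 10
    out = bytearray(buf)
    for b in range(9):
        x = 10 * b + 9
        for idx in range(b * block, (b + 1) * block):
            out[idx] ^= x
    for idx in range(9 * block, key):
        out[idx] ^= 89
    return bytes(out)


def is_dex(data):
    """True if data starts with a known dex header magic."""
    return data[:8] in DEX_MAGICS


def unpack_dex(blob):
    """Undo the XOR layer, inflate, and return the dex; raise if the result is not a dex."""
    dex = zlib.decompress(block_xor(blob))
    if not is_dex(dex):
        raise ValueError("decrypted data does not start with a dex magic: %r" % dex[:8])
    return dex


# Constructed fixture: a fake dex (valid magic, junk body), compressed and then
# scrambled the same way the sample stores its real classes.dex.
FAKE_DEX = b"dex\n035\x00" + bytes(range(256)) * 8
ENCRYPTED_FIXTURE = block_xor(zlib.compress(FAKE_DEX))


if __name__ == "__main__":
    recovered = unpack_dex(ENCRYPTED_FIXTURE)
    print(is_dex(recovered), recovered == FAKE_DEX)
```

To use it on the real dump, read dump.dex into a bytes object and pass it to unpack_dex(); a ValueError there (or a zlib.error from decompress) is the signal that the dump range or the block layout is wrong, which is much easier to act on than a silently corrupt dec_decompress.dex.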
Code analysis
    if(Arrays.equals(MainActivity.a(this.a.getText().toString(), "I have a male fish and a female fish."), MainActivity.i())) {
        Toast.makeText(this.b, this.c.getString(0x7F060025), 1).show();
    }
    else {
        Toast.makeText(this.b, this.c.getString(0x7F060022), 1).show();
    }
It uses the Twofish algorithm; decrypt with it and you are done.