在看雪论坛上看到的一个帖子：https://bbs.pediy.com/thread-255468.htm
- 运行界面
- 代码分析
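/**
 * Entry screen of the crackme: reads the user's answer from an {@code EditText}
 * and hands it to the native {@link #check(String)} routine.
 *
 * <p>This is decompiler output cleaned up into valid Java: the native method no
 * longer carries an (illegal) empty body, and the listener type is written as
 * {@code View.OnClickListener} instead of its binary name
 * {@code View$OnClickListener}. Layout and view ids are kept as the raw resource
 * values the decompiler emitted.
 *
 * <p>The entire password check lives in the "native" library (libnative.so). As
 * the native listing shows, the expected secret is rebuilt in plaintext in
 * process memory on every check, so moving the comparison out of Java does not
 * protect it from anyone who can inspect the process.
 */
public class MainActivity extends Activity implements View.OnClickListener {
    /** Input field holding the user's answer; bound in {@link #onCreate(Bundle)}. */
    EditText answerText;
    /** Submit button; this activity registers itself as its click listener. */
    Button submitButton;

    public MainActivity() {
        super();
    }

    /**
     * Implemented in libnative.so under the JNI symbol
     * {@code Java_com_AppSecLabs_HackMeNative_MainActivity_check}.
     *
     * @param arg1 the answer typed by the user
     * @return non-zero when the answer matches the secret, 0 otherwise
     */
    public native int check(String arg1);

    /**
     * Runs the native check on the current input and either opens
     * {@code SuccessActivity} or shows a "Wrong value!" toast.
     */
    @Override
    public void onClick(View arg6) {
        // Declared as int on the Java side; any non-zero value counts as success.
        if (this.check(this.answerText.getText().toString()) != 0) {
            this.startActivity(new Intent((Context) this, SuccessActivity.class));
        } else {
            Toast.makeText((Context) this, "Wrong value!", Toast.LENGTH_LONG).show();
        }
    }

    /** Inflates the layout, loads the native library and wires the submit button. */
    @Override
    public void onCreate(Bundle arg2) {
        super.onCreate(arg2);
        this.setContentView(0x7F030001); // raw layout id from the decompiler
        // Must happen before check() is first called, otherwise UnsatisfiedLinkError.
        System.loadLibrary("native");
        this.answerText = this.findViewById(0x7F070002);   // raw view ids
        this.submitButton = this.findViewById(0x7F070003);
        this.submitButton.setOnClickListener((View.OnClickListener) this);
    }
}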
- 看了下 so 的逻辑，比较简单：直接分析代码就可以得到结果
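/*
 * JNI entry point behind MainActivity.check(String).
 *
 * a1: JNIEnv pointer.
 * a2: the calling MainActivity instance (unused).
 * a3: the Java string the user typed (IDA shows the reference as a plain int).
 *
 * Returns the result of checkSecret(): non-zero when the input matches the
 * generated secret. The Java declaration is `int` and the caller tests `!= 0`,
 * so the IDA `bool` return type is widened to int here.
 *
 * Changes relative to the decompiled pseudocode: the redundant copies of a1/a3
 * (v3/v4) are dropped, a NULL from GetStringUTFChars is handled instead of
 * being forwarded to checkSecret(), and the heap buffer returned by
 * createSecret() -- which that function obtains from malloc() -- is freed; the
 * original leaked it on every call.
 */
int Java_com_AppSecLabs_HackMeNative_MainActivity_check(JNIEnv *a1, int a2, int a3)
{
    const char *input;
    char *secret;
    int matched;

    (void)a2; /* 'this' is not needed for the check */

    input = ((*a1)->GetStringUTFChars)(a1, a3, 0);
    if (input == 0) {
        return 0; /* conversion failed; treat as no match */
    }

    secret = createSecret();
    if (secret == 0) {
        ((*a1)->ReleaseStringUTFChars)(a1, a3, input);
        return 0; /* could not build the secret; treat as no match */
    }

    /* checkSecret's body is not shown in this listing; presumably a string
       compare of input against the generated secret -- confirm in the binary. */
    matched = checkSecret(input, secret);
    free(secret);

    ((*a1)->ReleaseStringUTFChars)(a1, a3, input);
    return matched;
}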
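/*
 * Builds the expected secret: the ten ASCII digits "0123456789" as a
 * NUL-terminated string on the heap. The caller owns the buffer and must
 * free() it.
 *
 * Fix relative to the decompiled code: it allocated 10 bytes but wrote the
 * terminator at index 10, an off-by-one heap overflow of one byte; the
 * buffer is now 11 bytes. A failed malloc() is reported as NULL instead of
 * being written through.
 *
 * Returned as char * rather than IDA's BYTE * so it can be used directly as a
 * C string; the caller only ever reads it as one.
 *
 * Note that the value is fully deterministic and reconstructed in plaintext
 * on every call, which is why it can be read straight out of the binary or
 * observed in a debugger; a static secret generated like this offers no
 * protection.
 */
char *createSecret(void)
{
    enum { SECRET_LEN = 10 };
    char *secret = malloc(SECRET_LEN + 1); /* +1 for the terminator */
    int i;

    if (secret == NULL) {
        return NULL;
    }
    for (i = 0; i < SECRET_LEN; ++i) {
        secret[i] = (char)('0' + i); /* original wrote i + 48, i.e. '0'..'9' */
    }
    secret[SECRET_LEN] = '\0';
    return secret;
}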
- 或者用 IDA 动态调试
R0 是用户输入的值（这里随便输入的 12355），R1 就是密码值，即字符 0-9；