安卓逆向学习

1

@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

package com.example.re;

import androidx.appcompat.app.AppCompatActivity;

import android.os.Bundle;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;
import android.widget.Toast;

public class MainActivity extends AppCompatActivity {
    private Button mBtnVerify;
    private EditText mEtInput;

    static {
        System.loadLibrary("test");//加载libtest.so
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        mBtnVerify = findViewById(R.id.btn_verify);//确认键
        mEtInput = findViewById(R.id.et_input);//输出的内容
        mBtnVerify.setOnClickListener(view -> {//按下确认键之后的操作
            String input = mEtInput.getText().toString();//获取输入的字符串
            if (test.Hello(input)) {//调用native层函数
                Toast.makeText(MainActivity.this, "成功", Toast.LENGTH_SHORT).show();
            } else {
                Toast.makeText(MainActivity.this, "错误", Toast.LENGTH_SHORT).show();
            }
        });
    }
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

<?xml version="1.0" encoding="utf-8"?>
<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:app="http://schemas.android.com/apk/res-auto"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    tools:context=".MainActivity">

    <EditText
        android:id="@+id/et_input"
        android:layout_width="266dp"
        android:layout_height="150dp"
        android:hint="请输入数据"
        tools:layout_editor_absoluteX="89dp"
        tools:layout_editor_absoluteY="215dp" />

    <Button
        android:id="@+id/btn_verify"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:text="确定"
        tools:layout_editor_absoluteX="161dp"
        tools:layout_editor_absoluteY="393dp" />

</androidx.constraintlayout.widget.ConstraintLayout>

1
2
3
4
5
6
7
8

package com.example.re;

public class test {
    static {
        System.loadLibrary("test");//加载libtest.so
    }
    public static native boolean Hello(String input);//定义函数
}

1

javac test.java

1

javah com.example.re.test

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

# For more information about using CMake with Android Studio, read the
# documentation: https://d.android.com/studio/projects/add-native-code.html

# Sets the minimum version of CMake required to build the native library.

cmake_minimum_required(VERSION 3.22.1)

# Declares and names the project.

project("re")

# Creates and names a library, sets it as either STATIC
# or SHARED, and provides the relative paths to its source code.
# You can define multiple libraries, and CMake builds them for you.
# Gradle automatically packages shared libraries with your APK.

add_library( # Sets the name of the library.
        test

        # Sets the library as a shared library.
        SHARED

        # Provides a relative path to your source file(s).
        main.c)

# Searches for a specified prebuilt library and stores the path as a
# variable. Because CMake includes system libraries in the search path by
# default, you only need to specify the name of the public NDK library
# you want to add. CMake verifies that the library exists before
# completing its build.

find_library( # Sets the name of the path variable.
        test

        # Specifies the name of the NDK library that
        # you want CMake to locate.
        log)

# Specifies libraries CMake should link to your target library. You
# can link multiple libraries, such as libraries you define in this
# build script, prebuilt third-party libraries, or system libraries.

target_link_libraries( # Specifies the target library.
        test

        # Links the target library to the log library
        # included in the NDK.
        ${log-lib})

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

#include "com_example_re_test.h"
#include <jni.h>
#include <string.h>
#include <android/log.h>
#include <stdlib.h>
#include "base64.h"
//static const char *BASE64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static const char *BASE64_ALPHABET = "AB+/abcdefg0123456789OPQRSTUVWXYZCDEFGhijklmnopqrstuvwxyzHIJKLMN";

size_t base64_encoded_size(size_t input_len) {
    return 4 * ((input_len + 2) / 3);
}

size_t base64_decoded_size(const char *input_data, size_t input_len) {
    size_t padding = 0;

    if (input_len > 0 && input_data[input_len - 1] == '=') {
        padding++;

        if (input_len > 1 && input_data[input_len - 2] == '=') {
            padding++;
        }
    }

    return 3 * ((input_len + 3) / 4) - padding;
}

void base64_encode(char *output_data, const char *input_data, size_t input_len) {
    size_t i, j;
    unsigned char b0, b1, b2;
    unsigned int triple;

    for (i = 0, j = 0; i < input_len; i += 3, j += 4) {
        b0 = input_data[i];
        b1 = i + 1 < input_len ? input_data[i + 1] : 0;
        b2 = i + 2 < input_len ? input_data[i + 2] : 0;

        triple = (b0 << 16) | (b1 << 8) | b2;

        output_data[j] = BASE64_ALPHABET[(triple >> 18) & 0x3F];
        output_data[j + 1] = BASE64_ALPHABET[(triple >> 12) & 0x3F];
        output_data[j + 2] = BASE64_ALPHABET[(triple >> 6) & 0x3F];
        output_data[j + 3] = BASE64_ALPHABET[triple & 0x3F];
    }

    for (i = 1; i < (input_len % 3); i++) {
        output_data[j - i] = '=';
    }

    output_data[j] = '\0';
}
JNIEXPORT jboolean JNICALL Java_com_example_re_test_Hello(JNIEnv *env, jclass, jstring data){
    const char *data_str = (*env)->GetStringUTFChars(env, data, NULL);

    // Encode the input data as base64
    size_t input_len = strlen(data_str);
    size_t output_len = base64_encoded_size(input_len);
    char *encoded_data = (char*) malloc(output_len + 1);
    base64_encode(encoded_data, data_str, input_len);
    //encoded_data[output_len] = '\0';
//    return encoded_data;
//
    // Compare the encoded data to the expected value
    char *expected_data = "ShsCSyoDREau3/5zSh9v3caw18RH2hat3PeHSEeySh6C2PRwSQv=";
    int result = strncmp(encoded_data, expected_data,strlen(expected_data));

    // Free the memory allocated for the encoded data
    free(encoded_data);
    if (result == 0) {
        return JNI_TRUE;
    } else {
        return JNI_FALSE;
    }
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

#ifndef BASE64_H
#define BASE64_H

#include <stddef.h>

size_t base64_encoded_size(size_t input_len);
size_t base64_decoded_size(const char *input_data, size_t input_len);
void base64_encode(char *output_data, const char *input_data, size_t input_len);
size_t base64_decode(char *output_data, const char *input_data, size_t input_len);

#endif /* BASE64_H */

1
2
3
4
5
6
7

nox_adb connect 127.0.0.1:62001
nox_adb push ".\android_x86_server" /data/local/tmp
nox_adb shell
pm list packages -3 #列出包
am start -D -n 列出的packages/.MainActivity
cd /data/local/tmp/
chmod 777 android_x86_server && ./android_x86_server

1

nox_adb forward tcp:23946 tcp:23946

1

nox_adb forward tcp:1234 tcp:23946