Presumably every CTF player has touched Android reverse engineering to some degree, so Dou brother is going to give you a whole series on static and dynamic analysis for Android reversing. This installment starts with static analysis: the reverse tools, file descriptions, a worked example, and so on.
Android reversing is a decompilation process: because you cannot read the compiled output of an Android build directly, the premise of static analysis in a CTF is to decompile those files one layer back into source code we can understand, and then analyze that.
0X01 Basic explanation
Android application logic is written in Java, so the first layer is Java code.
The Java virtual machine (JVM) runs the class files produced by compiling the Java sources.
The Android virtual machine Dalvik does not run the class files compiled for the JVM; it runs DEX files generated by recombining those class files, and smali files are the disassembled text form of that DEX bytecode.
APK: the Android application installation package produced at the end of compilation.
dex file: a package file bundling the class files.
smali file: Dalvik bytecode in text form.
class file: JVM bytecode file.
0X02 Tool use
An Android challenge in a CTF does not necessarily give you a complete APK; it may be any file type from the build process. For each of the following file types, we use tools to get Java source code that Dou brother can understand.
Type 1: class file
This case is simple; the recommended tool is jd-gui.
Drag the class file into it and you can see the Java source code directly.

Type two: APK program
Building an Android project produces the APK installation package we want, and an APK file is in fact a compressed (zip) package.
Rename the suffix to .zip and decompress it; the extracted contents are as follows.

META-INF folder:
Stores the APK signature information, which guarantees the integrity of the APK package and the security of the system.
res folder:
Stores resource files, including icons and XML files.
AndroidManifest.xml file:
The application configuration file, which every application must define and contain; it describes the application's name, version, permissions, referenced library files, and so on.
classes.dex file:
The file that is loaded and run directly on the Dalvik virtual machine; it is generated from the Java files when the IDE compiles the project.
resources.arsc file:
Binary resource file, containing strings and so on.
Recommended tools for decompiling an APK: ApkIDE, JEB.
1. Using JEB:
Import the APK into JEB directly; it decompiles it into smali files.

Many Android reverse tools decompile down to smali files.
In JEB, select the smali file and press Q to see the Java code.

Advantages: the Java code decompiled from the smali file has a clear structure.
Disadvantages: it cannot be modified.
2. Using ApkIDE:
Project -> Open Apk
Wait for the decompilation to complete.

You can see the smali files.

Select the smali file, click the "to Java source code" button below, and the Java source code opens.

ApkIDE is associated with jd-gui; clicking jumps to jd-gui.

ApkIDE decompiles the APK to class files and uses jd-gui to get the Java source code.
Under ApkIDE's ApkIDE_v3.3\ApkIDE\Worksrc directory you can see the decompiled class files.

Advantages: powerful; it can modify the extracted smali files and recompile them into an APK.
Disadvantages: the decompiled Java code is not clear enough.
3. Decompilation differences
Smali files are written in smali syntax, and smali syntax is loose.
So the decompilation process differs between tools, and the resulting Java source code differs too.
Here is the reverse result of the same APK with the two tools above:


As a Java developer, Dou brother prefers JEB's reverse result; it is more comfortable to read.
Type three: DEX file
Recommended tool: dex2jar
The classes.dex file is the bytecode package compiled from the Android source code.
Use the dex2jar tool to get the Java source code as follows:
.\d2j-dex2jar.bat C:\Users\lin\Desktop\classes.dex

A jar file can be understood as a compressed package of class files that the Java virtual machine can run directly.
Open classes-dex2jar.jar with jd-gui and you can see the Java source code.

Type four: smali file
When there is only a single smali file, it cannot be decompiled directly with the tools mentioned above.
Dou brother thought of this: ApkIDE can decompile an APK to smali files and add, delete and inspect smali files.
So open any complete APK with ApkIDE and add the smali file to it (you can develop the APK yourself).

Add the smali file to the ApkIDE project.

Recompile and generate the APK.

After the compilation succeeds, a new APK is generated in the original APK's directory.

Open it with JEB or another tool and you can see the Ezreal.smali file.

Other tools:
Editors: Notepad++, Sublime, etc.
Android emulator: Nox emulator (夜神模拟器), etc.
0X04 Analysis of an example
Install the application in the emulator and see whether the interface gives any hints.
Enter characters in the text box and click the button: an error is shown, so we guess the app checks whether the input is the correct flag.

Using JEB we decompile into Java files; the files under the android package belong to the SDK, and what we want to analyze is the source under the com package.

There are three classes in total and the code is small. First, we analyze the program entry MainActivity to find the key code block.
This if statement is the one that decides whether the flag is correct:

    if (!("flag{" + v5.toString() + "}").equalsIgnoreCase(arg12)) {
        return v7;
    }
Search the class to see where this method is invoked.
The analysis shows that arg12 is the input from the interface, so the value of v5 is the flag we want.

The onCreate function calls the checkSN method and passes in two parameters:
MainActivity.this.edit_userName.trim()
MainActivity.this.edit_sn.getText().toString().trim()
    // onCreate is a special Android callback, invoked when an Activity window is being created.
    // It does not draw the window itself; it only sets window properties such as style,
    // position and color before the window is displayed.
    public void onCreate(Bundle arg3) {
        super.onCreate(arg3);
        this.setContentView(0x7F040019);
        this.setTitle(0x7F06001D);
        this.edit_userName = "Tenshine";
        this.edit_sn = this.findViewById(0x7F0C0051);
        this.btn_register = this.findViewById(0x7F0C0052);
        this.btn_register.setOnClickListener(new View.OnClickListener() {
            public void onClick(View arg5) {
                if (!MainActivity.this.checkSN(MainActivity.this.edit_userName.trim(),
                        MainActivity.this.edit_sn.getText().toString().trim())) {
                    Toast.makeText(MainActivity.this, 0x7F06001E, 0).show();
                } else {
                    Toast.makeText(MainActivity.this, 0x7F06001B, 0).show();
                    MainActivity.this.btn_register.setEnabled(false);
                    MainActivity.this.setTitle(0x7F060019);
                }
            }
        });
    }
Now analyze the value of v5. v5 is built from v3 and v4; v4 is an int initialized to 0 and used directly as the loop index.
v3 is the return value of the toHexString method, whose input is v1.digest(); v1 was fed with v1.update(arg11.getBytes()).
arg11 is the incoming parameter "Tenshine".
    private boolean checkSN(String arg11, String arg12) {
        boolean v7 = false;
        if (arg11 != null) {
            try {
                if (arg11.length() == 0) {
                    return v7;
                }
                if (arg12 == null) {
                    return v7;
                }
                if (arg12.length() != 22) {
                    return v7;
                }
                MessageDigest v1 = MessageDigest.getInstance("MD5");
                v1.reset();
                v1.update(arg11.getBytes());
                String v3 = MainActivity.toHexString(v1.digest(), "");
                StringBuilder v5 = new StringBuilder();
                int v4;
                for (v4 = 0; v4 < v3.length(); v4 += 2) {
                    v5.append(v3.charAt(v4));
                }
                if (!("flag{" + v5.toString() + "}").equalsIgnoreCase(arg12)) {
                    return v7;
                }
            } catch (NoSuchAlgorithmException v2) {
                goto label_40;
            }
            v7 = true;
        }
        return v7;
    label_40:
        v2.printStackTrace();
        return v7;
    }
Take the code related to generating v5 out of the analysis above.
It is all pure Java and needs no Android packages; only the Java dependencies need to be imported.
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public class Code {
        // Copied from MainActivity: each byte as two lowercase hex digits, joined with arg9
        static String toHexString(byte[] arg8, String arg9) {
            StringBuilder v3 = new StringBuilder();
            byte[] v0 = arg8;
            int v5 = v0.length;
            int v4;
            for (v4 = 0; v4 < v5; ++v4) {
                String v2 = Integer.toHexString(v0[v4] & 255);
                if (v2.length() == 1) {
                    v3.append('0');
                }
                v3.append(v2).append(arg9);
            }
            return v3.toString();
        }

        public static void main(String[] args) throws NoSuchAlgorithmException {
            MessageDigest v1 = MessageDigest.getInstance("MD5");
            v1.reset();
            v1.update("Tenshine".getBytes());
            String v3 = Code.toHexString(v1.digest(), "");
            StringBuilder v5 = new StringBuilder();
            int v4;
            // keep every even-indexed hex character, exactly as checkSN does
            for (v4 = 0; v4 < v3.length(); v4 += 2) {
                v5.append(v3.charAt(v4));
            }
            System.out.println("flag{" + v5.toString() + "}");
        }
    }
Edit and run it in IDEA and get the flag.

0X05 A small summary
The next installment will bring dynamic analysis of Android reversing, introducing Android development, smali syntax parsing, and dynamic debugging of smali files.