
Writeup:看雪AliCrackme_1

打开App

image-20260126114710062

需要输入密码。App 没有加固,可以直接查看代码。

/**
 * Extracts the substitution ("encryption mapping") table from the bundled picture.
 *
 * <p>Opens the asset {@code logo.png}, reads it into a buffer sized by
 * {@code available()}, and decodes the 768 bytes starting at byte offset 89473
 * as UTF-8.
 *
 * <p>Security note: the table ships inside the application package at a fixed
 * offset of an asset file. Placing data after the image content of a PNG is
 * concealment only; anyone who has the package can read the same bytes.
 *
 * @return the decoded table, or {@code ""} when an {@code Exception} was caught
 *         while opening, reading or slicing the asset
 * @throws IOException declared by the signature; every {@code Exception} raised
 *         in the body is caught below
 */
// NOTE(review): the nested try/catch layout with three separate close() calls looks
// like decompiler output for a try/catch/finally; confirm against original source.
protected String getTableFromPic() throws IOException {
    InputStream is = null;
    // Stays "" on every failure path.
    String value = "";
    try {
        try {
            is = getResources().getAssets().open("logo.png");
            // available() is used as the file size; the InputStream contract only
            // promises an estimate of the bytes readable without blocking.
            int lenght = is.available();
            byte[] b = new byte[lenght];
            // Return value ignored: one read() call may deliver fewer than lenght bytes.
            is.read(b, 0, lenght);
            byte[] data = new byte[768];
            // Throws if b is shorter than 89473 + 768 bytes; that lands in the
            // catch (Exception) below and the method returns "".
            System.arraycopy(b, 89473, data, 0, 768);
            String value2 = new String(data, "utf-8");
            // Success path: close the stream; the result is kept whether or not
            // close() throws IOException.
            if (is != null) {
                try {
                    is.close();
                    value = value2;
                } catch (IOException e) {
                    value = value2;
                }
            } else {
                value = value2;
            }
        } catch (Exception e2) {
            // Failure path: print the stack trace, close quietly, fall through to return "".
            e2.printStackTrace();
            if (is != null) {
                try {
                    is.close();
                } catch (IOException e3) {
                }
            }
        }
        return value;
    } catch (Throwable th) {
        // Anything not handled above: close quietly, then rethrow unchanged.
        if (is != null) {
            try {
                is.close();
            } catch (IOException e4) {
            }
        }
        throw th;
    }
}
/**
 * Extracts the stored (already encoded) password from the bundled picture.
 *
 * <p>Opens the asset {@code logo.png}, reads it into a buffer sized by
 * {@code available()}, and decodes the 18 bytes starting at byte offset 91265
 * as UTF-8.
 *
 * <p>Security note: the comparison value is shipped with the application in the
 * same asset as the substitution table, so both halves needed to recover the
 * expected input are available to anyone who has the package.
 *
 * @return the decoded 18-byte value, or {@code ""} when an {@code Exception} was
 *         caught while opening, reading or slicing the asset
 * @throws IOException declared by the signature; every {@code Exception} raised
 *         in the body is caught below
 */
// NOTE(review): the nested try/catch layout with three separate close() calls looks
// like decompiler output for a try/catch/finally; confirm against original source.
protected String getPwdFromPic() throws IOException {
    InputStream is = null;
    // Stays "" on every failure path.
    String value = "";
    try {
        try {
            is = getResources().getAssets().open("logo.png");
            // available() is used as the file size; the InputStream contract only
            // promises an estimate of the bytes readable without blocking.
            int lenght = is.available();
            byte[] b = new byte[lenght];
            // Return value ignored: one read() call may deliver fewer than lenght bytes.
            is.read(b, 0, lenght);
            byte[] data = new byte[18];
            // Throws if b is shorter than 91265 + 18 bytes; that lands in the
            // catch (Exception) below and the method returns "".
            System.arraycopy(b, 91265, data, 0, 18);
            String value2 = new String(data, "utf-8");
            // Success path: close the stream; the result is kept whether or not
            // close() throws IOException.
            if (is != null) {
                try {
                    is.close();
                    value = value2;
                } catch (IOException e) {
                    value = value2;
                }
            } else {
                value = value2;
            }
        } catch (Exception e2) {
            // Failure path: print the stack trace, close quietly, fall through to return "".
            e2.printStackTrace();
            if (is != null) {
                try {
                    is.close();
                } catch (IOException e3) {
                }
            }
        }
        return value;
    } catch (Throwable th) {
        // Anything not handled above: close quietly, then rethrow unchanged.
        if (is != null) {
            try {
                is.close();
            } catch (IOException e4) {
            }
        }
        throw th;
    }
}
/**
 * Encodes bytes through the substitution table.
 *
 * <p>Each input byte is taken as an unsigned value (0..255) and replaced by the
 * character found at that index of {@code table}. This is a fixed one-to-one
 * substitution, not keyed encryption: whoever holds the table can invert it by
 * looking up each character's index.
 *
 * @param table lookup string; must be long enough to cover every byte value
 *              that occurs in {@code data}, otherwise {@code charAt} throws
 * @param data  bytes to encode
 * @return one output character per input byte, in order
 */
public static String bytesToAliSmsCode(String table, byte[] data) {
    final char[] encoded = new char[data.length];
    for (int i = 0; i < data.length; i++) {
        // Mask to 0..255 so negative bytes index the upper half of the table.
        encoded[i] = table.charAt(data[i] & 0xFF);
    }
    return new String(encoded);
}
/**
 * Inverts the table substitution: maps every character of {@code strCmd} back
 * to its position in {@code codeTable}.
 *
 * <p>Caveats visible in the code: {@code indexOf} returns the first match, so a
 * table containing repeated characters cannot be inverted unambiguously, and a
 * character that is absent from the table yields -1, which is stored as the
 * byte 0xFF without any error being raised.
 *
 * @param codeTable substitution table used for encoding
 * @param strCmd    encoded text
 * @return one byte per character of {@code strCmd}, in order
 */
private static byte[] aliCodeToBytes(String codeTable, String strCmd) {
    final byte[] decoded = new byte[strCmd.length()];
    int pos = 0;
    for (char symbol : strCmd.toCharArray()) {
        decoded[pos++] = (byte) codeTable.indexOf(symbol);
    }
    return decoded;
}
// Decompiled activity: wires the button so that a click encodes the typed text with
// the table read from logo.png and compares it with the stored value from the same asset.
// The whole check runs on the client against data shipped in the package.
public class MainActivity extends Activity {
    @Override // android.app.Activity
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // NOTE(review): 1 is presumably Window.FEATURE_NO_TITLE; the decompiler
        // inlined the constant.
        requestWindowFeature(1);
        setContentView(R.layout.activity_main);
        final EditText edit = (EditText) findViewById(R.id.edit);
        Button button = (Button) findViewById(R.id.button);
        button.setOnClickListener(new View.OnClickListener() { // from class: com.example.simpleencryption.MainActivity.1
            // NOTE(review): View.OnClickListener.onClick declares no checked exceptions,
            // so the throws clause below is presumably a decompiler artefact.
            @Override // android.view.View.OnClickListener
            public void onClick(View v) throws IOException {
                String password = edit.getText().toString();
                // Fetch the substitution table.
                String table = MainActivity.this.getTableFromPic();
                // Fetch the stored (encoded) password.
                String pw = MainActivity.this.getPwdFromPic();
                // Security note: the table and the stored password are written to the
                // system log on every click, so they are exposed to anything that can
                // read the device log. Secrets should never be logged.
                Log.i("lil", "table:" + table);
                Log.i("lil", "pw:" + pw);
                String enPassword = "";
                try {
                    // Encode the user's input with the table.
                    enPassword = MainActivity.bytesToAliSmsCode(table, password.getBytes("utf-8"));
                    // The encoded form of whatever the user typed is logged as well.
                    Log.i("lil", "enPassword:" + enPassword);
                } catch (UnsupportedEncodingException e) {
                    e.printStackTrace();
                }
                // Compare the encoded input with the stored value. A null or empty
                // stored value (e.g. the asset could not be read) always fails.
                if (pw == null || pw.equals("") || !pw.equals(enPassword)) {
                    AlertDialog.Builder builder = new AlertDialog.Builder(MainActivity.this);
                    builder.setMessage(R.string.dialog_error_tips);
                    builder.setTitle(R.string.dialog_title);
                    builder.setPositiveButton(R.string.dialog_ok, new DialogInterface.OnClickListener() { // from class: com.example.simpleencryption.MainActivity.1.1
                        @Override // android.content.DialogInterface.OnClickListener
                        public void onClick(DialogInterface dialog, int which) {
                            dialog.dismiss();
                        }
                    });
                    builder.show();
                    return;
                }
                // Reached only when the encoded input equals the stored value;
                // showDialog() is not part of this listing.
                MainActivity.this.showDialog();
            }
        });
    }
    // The listing ends here; the closing brace of the class is not shown on the page.

hook代码

方法一:根据加密逻辑直接进行解密

// Method 1: observe both values as the app loads them and invert the table
// substitution in script code.
Java.perform(function () {
    var MainActivity = Java.use("com.example.simpleencryption.MainActivity");

    // Most recent table returned by getTableFromPic(); shared by both hooks.
    var capturedTable = "";

    // Record the substitution table when the app reads it.
    MainActivity.getTableFromPic.implementation = function () {
        var table = this.getTableFromPic();
        capturedTable = table;
        console.log("[+] 表: " + table);
        return table;
    };

    // Read the stored (encoded) password and decode it.
    MainActivity.getPwdFromPic.implementation = function () {
        var encoded = this.getPwdFromPic();
        console.log("[+] 加密密码: " + encoded);

        // The index of each encoded character in the table is the original byte
        // value. A character missing from the table gives indexOf() === -1.
        var decoded = encoded.split("").map(function (symbol) {
            return String.fromCharCode(capturedTable.indexOf(symbol));
        }).join("");

        console.log("[+] 原始密码: " + decoded);
        // Hand the untouched value back so the app's own comparison is unaffected.
        return encoded;
    };
});

image-20260126171710121

方法二:主动调用解密函数

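// Method 2: capture both values, then call the app's own aliCodeToBytes().
//
// The decode is triggered from the getPwdFromPic hook rather than from a fixed
// 3-second timer. In the onCreate listing above both getters are called only
// from the button's onClick handler (table first, then password), so a timer
// started at script load could fire while both captured values were still empty.
Java.perform(function () {
    var MainActivity = Java.use("com.example.simpleencryption.MainActivity");
    var JavaString = Java.use("java.lang.String");

    var capturedTable = ""; // last value returned by getTableFromPic()
    var capturedPwd = "";   // last value returned by getPwdFromPic()

    // Pass both captured values to the app's aliCodeToBytes() and print the result.
    function decodeCaptured() {
        if (!capturedTable || !capturedPwd) {
            console.error("[-] 解密失败: table or password not captured yet");
            return;
        }
        try {
            // Build Java String arguments for the static call.
            var tableStr = JavaString.$new(capturedTable);
            var pwdStr = JavaString.$new(capturedPwd);
            var result = MainActivity.aliCodeToBytes(tableStr, pwdStr);
            var resultStr = JavaString.$new(result, 0, result.length);
            console.log("[*] 解密结果: " + resultStr);
        } catch (e) {
            console.error("[-] 解密失败: " + e);
        }
    }

    // Record the substitution table when the app reads it.
    MainActivity.getTableFromPic.implementation = function () {
        var table = this.getTableFromPic();
        capturedTable = table;
        console.log("[+] 表: " + table);
        return table;
    };

    // Record the stored (encoded) password, then decode. By this point the table
    // hook has already run, given the call order in onClick.
    MainActivity.getPwdFromPic.implementation = function () {
        var pwd = this.getPwdFromPic();
        capturedPwd = pwd;
        console.log("[+] 加密密码: " + pwd);
        decodeCaptured();
        // Return the untouched value so the app's own comparison is unaffected.
        return pwd;
    };
});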

image-20260126171823070
