VCTF ez_app 安卓逆向分析教学文档<\/h1>

概述<\/h2>
本文详细分析VCTF ez_app题目的安卓逆向过程，涵盖Native层代码分析、签名校验、动态加载解密等关键技术点。<\/p>

知识点梳理<\/h2>

1. 安卓逆向基本流程<\/h3>

Java层分析<\/strong>：首先分析Java代码，定位关键方法<\/li>
Native层分析<\/strong>：针对JNI方法进行深入分析<\/li>
检测绕过<\/strong>：注意虚拟机检测、调试器检测、签名检测等防护措施<\/li>

工具使用<\/strong>：熟练使用Apktool、Frida、IDA Pro等工具<\/li> <\/ul>
2. JNI执行流程详解<\/h3>
2.1 加载流程<\/h4>
\/\/ 典型加载顺序 <\/span><\/span><\/span><\/span>System.loadLibrary("xxx"<\/span>) →<\/span> dlopen() →<\/span> JNI_OnLoad() <\/span><\/span><\/code><\/pre>2.2 JNI_OnLoad函数<\/h4> JNIEXPORT jint JNICALL JNI_OnLoad<\/span>(JavaVM*<\/span> vm, void<\/span>*<\/span> reserved) { <\/span><\/span> \/\/ 主要功能： <\/span><\/span><\/span><\/span> \/\/ 1. 缓存JavaVM指针 <\/span><\/span><\/span><\/span> \/\/ 2. 获取JNIEnv环境 <\/span><\/span><\/span><\/span> \/\/ 3. 注册Native函数 <\/span><\/span><\/span><\/span> \/\/ 4. 执行解密和初始化逻辑 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>2.3 Native函数注册方式<\/h4> 静态绑定<\/h5> 特征<\/strong>：函数名遵循Java_包名_类名_方法名<\/code>格式<\/li> IDA识别<\/strong>：函数名较长且包含完整包名路径<\/li> 执行流程<\/strong>：JVM自动定位对应JNI函数<\/li> <\/ul> 示例：<\/p> __int64<\/span> Java_com_qwq_myapplication_MainActivity_checkFlag() <\/span><\/span><\/code><\/pre>动态绑定<\/h5> 实现方式<\/strong>：在JNI_OnLoad<\/code>中调用RegisterNatives<\/code><\/li> 关键结构<\/strong>：JNINativeMethod<\/code>数组<\/li> 逆向重点<\/strong>：找到注册表，建立Java方法与Native函数映射<\/li> <\/ul> 示例：<\/p> env-><\/span>RegisterNatives(clazz, methods, count); <\/span><\/span><\/code><\/pre>2.4 JNIEnv常用操作<\/h4> (*<\/span>env)-><\/span>NewStringUTF() \/\/ 创建字符串 <\/span><\/span><\/span><\/span>(*<\/span>env)-><\/span>GetStringUTFChars() \/\/ 获取字符串内容 <\/span><\/span><\/span><\/span>(*<\/span>env)-><\/span>CallObjectMethod() \/\/ 调用Java方法 <\/span><\/span><\/span><\/code><\/pre>题目具体分析<\/h2> 1. Java层分析<\/h3> 发现调用native checkFlag()<\/code>方法<\/li> 存在initNative()<\/code>在onCreate<\/code>中调用，先于checkFlag<\/code>执行<\/li> <\/ul> 2. Native层分析<\/h3> 2.1 关键函数定位<\/h4> 入口点<\/strong>：JNI_OnLoad<\/code>函数<\/li> 核心逻辑<\/strong>：sub_18BC<\/code>函数（解密加载逻辑）<\/li> <\/ul> 2.2 动态加载保护机制<\/h4> 解密流程<\/strong>：<\/p> 从assets加载加密so文件（"qwqer1"）<\/li> 使用密钥"p0l1st"进行魔改AES解密<\/li> 写入临时文件并设置权限<\/li> 通过dlopen<\/code>动态加载解密后的so<\/li> 查找MainActivity.checkFlag<\/code>函数地址<\/li> <\/ol> 3. 绕过防护技术<\/h3> 3.1 签名校验绕过<\/h4> 问题<\/strong>：应用存在签名校验，直接修改APK会导致安装失败<\/li> 解决方案<\/strong>：本地patch so文件<\/li> 修改文件后缀避免系统检测<\/li> 在模拟器中重命名为apk安装<\/li> <\/ol> <\/li> <\/ul> 3.2 文件提取技术<\/h4> IDA Patch步骤<\/strong>：<\/p> 定位需要修改的指令<\/li> 使用Edit → Patch program功能<\/li> 确认patch成功应用<\/li> <\/ol> 文件提取命令<\/strong>：<\/p> # 复制到SD卡<\/span> <\/span><\/span>cp \/data\/data\/com.qwq.myapplication\/validator_decrypted_4621.so \/sdcard\/ <\/span><\/span> <\/span><\/span># 拉取到本地<\/span> <\/span><\/span>adb pull \/sdcard\/validator_decrypted_4621.so <\/span><\/span><\/code><\/pre>4. 解密so分析<\/h3> 4.1 算法识别<\/h4> 加密算法<\/strong>：TEA算法变种<\/li> 密钥<\/strong>：0xa56babcd, 0x1f1234f1, 0x12345678, 0xfedcba98<\/code><\/li> <\/ul> 4.2 TEA解密实现<\/h4> #include<\/span> <stdint.h><\/span> <\/span><\/span><\/span>#include<\/span> <string.h><\/span> <\/span><\/span><\/span>#include<\/span> <stdio.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>void<\/span> tea_decrypt<\/span>(uint32_t<\/span> v[2<\/span>], const<\/span> uint32_t<\/span> k[4<\/span>]) { <\/span><\/span> uint32_t<\/span> v0 =<\/span> v[0<\/span>], v1 =<\/span> v[1<\/span>], sum =<\/span> 0xC6EF3720<\/span>; <\/span><\/span> const<\/span> uint32_t<\/span> delta =<\/span> 0x9e3779b9<\/span>; <\/span><\/span> <\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 32<\/span>; i++<\/span>) { <\/span><\/span> v1 -=<\/span> ((v0 <<<\/span> 4<\/span>) +<\/span> k[2<\/span>]) ^<\/span> (v0 +<\/span> sum) ^<\/span> ((v0 >><\/span> 5<\/span>) +<\/span> k[3<\/span>]); <\/span><\/span> v0 -=<\/span> ((v1 <<<\/span> 4<\/span>) +<\/span> k[0<\/span>]) ^<\/span> (v1 +<\/span> sum) ^<\/span> ((v1 >><\/span> 5<\/span>) +<\/span> k[1<\/span>]); <\/span><\/span> sum -=<\/span> delta; <\/span><\/span> } <\/span><\/span> v[0<\/span>] =<\/span> v0; v[1<\/span>] =<\/span> v1; <\/span><\/span>} <\/span><\/span> <\/span><\/span>void<\/span> decrypt_string<\/span>(uint32_t<\/span>*<\/span> blocks, int<\/span> block_count, uint32_t<\/span> key[4<\/span>], char<\/span>*<\/span> output) { <\/span><\/span> uint32_t<\/span> temp_blocks[16<\/span>]; <\/span><\/span> <\/span><\/span> \/\/ 复制数据 <\/span><\/span><\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> block_count *<\/span> 2<\/span>; i++<\/span>) { <\/span><\/span> temp_blocks[i] =<\/span> blocks[i]; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 解密每个块 <\/span><\/span><\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> block_count; i++<\/span>) { <\/span><\/span> tea_decrypt(&<\/span>temp_blocks[i *<\/span> 2<\/span>], key); <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 输出结果 <\/span><\/span><\/span><\/span> memcpy(output, temp_blocks, block_count *<\/span> 8<\/span>); <\/span><\/span> output[block_count *<\/span> 8<\/span>] =<\/span> '\0'<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>逆向技巧总结<\/h2> 1. 分析路径建议<\/h3> 定位JNI_OnLoad<\/code>入口点<\/li> 查找动态注册信息<\/li> 根据Java调用关系定位实际入口<\/li> 追踪Native层调用链<\/li> 注意隐藏入口和字符串解密<\/li> <\/ol> 2. 文件系统知识<\/h3> \/data\/data\/目录结构<\/strong>：<\/p> files\/ # 应用内部数据 databases\/ # SQLite数据库 shared_prefs\/ # 配置文件 cache\/ # 缓存文件 lib\/ # 加载的.so库 code_cache\/ # JIT\/ART缓存 <\/code><\/pre> 3. 对抗技术<\/h3> 反调试检测<\/strong>：注意ptrace等检测手段<\/li> 代码混淆<\/strong>：控制流混淆(CFO)处理<\/li> 加密算法<\/strong>：识别AES\/RC4\/XXTEA等常见算法<\/li> 签名校验<\/strong>：魔改签名校验机制分析<\/li> <\/ul> 总结<\/h2> 本题考察了安卓逆向的完整流程，重点在于：<\/p> 理解JNI动态加载机制<\/li> 掌握动态绑定函数的定位方法<\/li> 熟悉文件解密和提取技术<\/li> 具备绕过各种检测的能力<\/li> <\/ol> 通过此题可以全面提升安卓Native层逆向分析能力，为更复杂的安卓应用逆向打下坚实基础。<\/p>

VCTF ez_app 安卓逆向分析教学文档<\/h1>

概述<\/h2> 本文详细分析VCTF ez_app题目的安卓逆向过程，涵盖Native层代码分析、签名校验、动态加载解密等关键技术点。<\/p>

知识点梳理<\/h2>

2. JNI执行流程详解<\/h3>

2.3 Native函数注册方式<\/h4>

题目具体分析<\/h2>

2. Native层分析<\/h3>

3. 绕过防护技术<\/h3>

4. 解密so分析<\/h3>

逆向技巧总结<\/h2>

概述<\/h2>
本文详细分析VCTF ez_app题目的安卓逆向过程，涵盖Native层代码分析、签名校验、动态加载解密等关键技术点。<\/p>