├── 2023安卓Hook框架源码入门
│   ├── 2023安卓Hook框架源码入门(一YAHFA框架)
│   │   ├── 2023安卓Hook框架源码入门(一YAHFA框架).md
│   │   ├── ArtMethod方法执行过程.txt
│   │   ├── TestXposedYAHFA.zip
│   │   └── testforyahfahook.apk
│   └── 2023安卓Hook框架源码入门(番外篇之dlopen限制与反射限制)
│       ├── 2023安卓Hook框架源码入门(番外篇 so格式之一windows编译so的三种方式).md
│       ├── 2023安卓Hook框架源码入门(番外篇之dlopen限制与反射限制).md
│       └── jni
│           ├── Android.mk
│           ├── Application.mk
│           └── hello.c
├── 2023安卓逆向CTF系列视频
│   ├── 2023安卓逆向CTF系列视频(一)
│   │   └── 讲义
│   │       ├── 2023安卓逆向CTF系列视频(一).md
│   │       ├── Crakeme01.apk
│   │       ├── First.c
│   │       ├── defs.h
│   │       ├── hook.js
│   │       ├── hook_RegisterNativeMethod.js
│   │       ├── out.log
│   │       ├── out2.log
│   │       ├── rc4.py
│   │       └── 封面图.pptx
│   ├── 2023安卓逆向CTF系列视频(三)
│   │   └── 讲义
│   │       ├── 2023安卓逆向CTF系列视频(三).md
│   │       ├── hook.js
│   │       └── robust.apk
│   ├── 2023安卓逆向CTF系列视频(二)
│   │   └── 讲义
│   │       ├── 2023安卓逆向CTF系列视频(二).md
│   │       ├── 3.apk
│   │       └── hook.js
│   └── 2023安卓逆向CTF系列视频(四)
│       ├── 2023安卓逆向CTF系列视频(四).md
│       ├── 2023安卓逆向CTF系列视频(四)(二Xposed之Rpc).md
│       ├── LoopAndLoop.apk
│       ├── agent.js
│       ├── frida_rpc_new.js
│       ├── frida_server.py
│       ├── frida_server_new.py
│       ├── hook_4_crack.js
│       ├── out.log
│       └── test_post.py
├── 2023安卓逆向CTF网站收集
│   ├── 2023安卓逆向CTF网站收集.md
│   └── ~$封面图.pptx
├── 2023安卓逆向工具篇
│   ├── 2023安卓逆向工具篇(Frida的基本使用).md
│   ├── 2023安卓逆向工具篇(Windows下python虚拟环境)(Frida多版本安装).md
│   ├── 2023安卓逆向工具篇(windows下ollvm的使用).md
│   ├── 2023安卓逆向工具篇(xposed7-12的安装).md
│   ├── inject-gadget.py
│   ├── myollvm13.0.1.zip
│   ├── script.sh
│   ├── xposed-sdk25-x86_64.zip
│   └── xposed-v89-sdk25-x86.zip
├── 2023安卓逆向红包题
│   ├── First.png
│   ├── HappyNewYear2023-no-ollvm-new1.1.apk
│   ├── HappyNewYear2023-ollvm-new1.1.apk
│   ├── Readme.md
│   └── Second.png
├── 2024安卓Flutter开发与抓包学习
│   ├── flutter-sslpinning-easy.apk
│   ├── flutter-sslpinning-medium.apk
│   ├── main.dart
│   ├── pubspec.yaml
│   ├── redmi
│   └── 番外篇之flutter开发与抓包示例.md
├── 2024安卓逆向与安全
│   └── mydetectstack-20240628.apk
└── Readme.md

/2023安卓Hook框架源码入门/2023安卓Hook框架源码入门(一YAHFA框架)/2023安卓Hook框架源码入门(一YAHFA框架).md:
--------------------------------------------------------------------------------
## [YAHFA framework](https://github.com/PAGalaxyLab/YAHFA)
### 0. Overview of the study plan

### 1. Two ways to install and use YAHFA
#### a. implementation

#### b. From source

#### c. Concrete usage

### 2. YAHFA's limitations and the differences in execution flow across Android versions

### 3. Interpreted execution vs. machine-code execution on Android (core)

### 4. Breaking down YAHFA's principle and source code (core)

### 5. Simple countermeasures against YAHFA and detecting it


## References
1. [YAHFA: a hook framework for the ART runtime](http://rk700.github.io/2017/03/30/YAHFA-introduction/)
2. [ART hook framework: YAHFA source code analysis](https://www.jianshu.com/p/994db0f1c8c9)
3. [[Original] Notes on YAHFA](https://bbs.pediy.com/thread-267606.htm)
4. [How Android ART executes class methods](https://www.jianshu.com/p/2ff1b63f686b)
5. [(Original) Understanding ArtField, ArtMethod, DexCache and Class on Android R](https://blog4jimmy.com/2021/02/898.html)
6. [A general and very simple Java native method hook on Android](https://sanfengandroid.github.io/2021/02/28/simple-java-native-hook/)
7. [Exploring Android hot-fix upgrades: pursuing the ultimate in code hot replacement](https://developer.aliyun.com/article/74598)
8. [An in-depth look at the Android virtual machine and build system](https://shusheng007.top/2021/09/09/002-2/)
9. [Stripped of its disguise I still recognize you: the real form of classes in Android](https://github.com/5A59/android-training/blob/master/jvm-art/ART%E4%B8%AD%E7%B1%BB%E7%9A%84%E7%9C%9F%E5%AE%9E%E5%BD%A2%E6%80%81.md)
10. [Analysis of how the Android runtime (ART) executes class methods](https://blog.csdn.net/Luoshengyang/article/details/40289405)

/2023安卓Hook框架源码入门/2023安卓Hook框架源码入门(一YAHFA框架)/ArtMethod方法执行过程.txt:
--------------------------------------------------------------------------------
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/jni_internal.cc#1728 CallStaticVoidMethodV
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/reflection.cc#457 InvokeWithVarArgs
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/reflection.cc#446 InvokeWithArgArray
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/art_method.cc#311
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/arch/arm/quick_entrypoints_cc_arm.cc#104
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/arch/arm/quick_entrypoints_arm.S#548
    ldr ip, [r0, #ART_METHOD_QUICK_CODE_OFFSET_32] @ get pointer to the code
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/generated/asm_support_gen.h#67


=>http://androidxref.com/8.1.0_r33/xref/art/runtime/class_linker.cc#3172 LinkCode
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/entrypoints/runtime_asm_entrypoints.h#41
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/arch/arm64/quick_entrypoints_arm64.S#2301
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/entrypoints/quick/quick_trampoline_entrypoints.cc#700
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/interpreter/interpreter.cc#586
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/interpreter/interpreter_switch_impl.cc#154
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/interpreter/interpreter_common.h#163 DoInvoke
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/interpreter/interpreter_common.cc#1140
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/common_dex_operations.h#44
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/interpreter/interpreter.cc#602
=>http://androidxref.com/8.1.0_r33/xref/art/runtime/interpreter/interpreter_common.cc#475 ArtInterpreterToCompiledCodeBridge

/2023安卓Hook框架源码入门/2023安卓Hook框架源码入门(一YAHFA框架)/TestXposedYAHFA.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓Hook框架源码入门/2023安卓Hook框架源码入门(一YAHFA框架)/TestXposedYAHFA.zip

/2023安卓Hook框架源码入门/2023安卓Hook框架源码入门(一YAHFA框架)/testforyahfahook.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓Hook框架源码入门/2023安卓Hook框架源码入门(一YAHFA框架)/testforyahfahook.apk

/2023安卓Hook框架源码入门/2023安卓Hook框架源码入门(番外篇之dlopen限制与反射限制)/2023安卓Hook框架源码入门(番外篇 so格式之一windows编译so的三种方式).md:
--------------------------------------------------------------------------------
## Using Android Studio
In the app module's build.gradle add:
```
ndk {
    abiFilters "armeabi-v7a", "arm64-v8a", "x86", "x86_64"
}
```

```cpp
#include <jni.h>
#include <string>

extern "C" JNIEXPORT jstring JNICALL
Java_com_lovexyx2020_buildso_MainActivity_stringFromJNI(
        JNIEnv* env,
        jobject /* this */) {
    std::string hello = "Hello from C++";
    return env->NewStringUTF(hello.c_str());
}
```

```c
#include <jni.h>
JNIEXPORT jstring JNICALL
Java_com_lovexyx2020_buildso_MainActivity_stringFromJNI(
        JNIEnv* env,
        jobject /* this */) {
    char* hello = "Hello from C++";
    return (*env)->NewStringUTF(env, hello);
}
```

## Using clang
### Setting environment variables
1. Temporary environment variables (current cmd session only)
```
set path=X:\android-config-files\Sdk\ndk\25.0.8775105\toolchains\llvm\prebuilt\windows-x86_64\bin
set path=%path%;X:\android-config-files\Sdk\ndk\25.0.8775105\toolchains\llvm\prebuilt\windows-x86_64\bin
aarch64-linux-android31-clang++ hello.cpp -o hello
aarch64-linux-android26-clang++ hello.cpp -shared -o hello
aarch64-linux-android26-clang hello.c -shared -o hello.so
aarch64-linux-android26-clang hello.c -o hello_c
```

2. Permanent environment variables

## Using ndk-build

1. Configure Android.mk
```makefile
# # An Android.mk file must first define the LOCAL_PATH variable.
# # It is used to locate source files in the development tree. Here the macro function 'my-dir',
# # provided by the build system, returns the current directory (the one containing the Android.mk file).
# LOCAL_PATH := $(call my-dir)
# # CLEAR_VARS is provided by the build system and
# # tells GNU make to clear many LOCAL_XXX variables for you (e.g. LOCAL_MODULE, LOCAL_SRC_FILES, LOCAL_STATIC_LIBRARIES, ...), except LOCAL_PATH. This is necessary
# # because all build control files are parsed in a single GNU make execution environment, where every variable is global.
# include $(CLEAR_VARS)
# # LOCAL_MODULE must be defined to identify each module described in the Android.mk file. The name must be unique and must not contain spaces.
# # Note that the build system adds the proper prefix and suffix automatically; in other words, a shared-library module named 'foo' produces 'libfoo.so'.
# LOCAL_MODULE := inject
# # LOCAL_SRC_FILES must list the C or C++ source files to be compiled into the module. Do not list headers or included files here,
# # because the build system works out the dependencies for you; only list the source files handed directly to the compiler.
# LOCAL_SRC_FILES := inject.c
# # BUILD_EXECUTABLE builds the module as an executable program
# # BUILD_SHARED_LIBRARY builds it as a shared library
# include $(BUILD_EXECUTABLE)

LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)
LOCAL_MODULE := native-lib
LOCAL_SRC_FILES := native-lib.c

#shellcode.s
# LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog

#LOCAL_FORCE_STATIC_EXECUTABLE := true

include $(BUILD_SHARED_LIBRARY)
```

2. Configure Application.mk

/2023安卓Hook框架源码入门/2023安卓Hook框架源码入门(番外篇之dlopen限制与反射限制)/2023安卓Hook框架源码入门(番外篇之dlopen限制与反射限制).md:
--------------------------------------------------------------------------------

## The .so file format
1. [Android reverse-engineering journey: the SO (ELF) file format explained](http://www.520monkey.com/archives/559)
2. [[Android NDK] (3) Parsing the structure of an .so file in C++](https://juejin.cn/post/6916899192942100493)
3. [[Original] Parsing Android so (ELF) files](https://bbs.kanxue.com/thread-272077.htm)
4. [lief parse so](https://lief-project.github.io//doc/latest/api/python/index.html)
5. [unidbg](https://github.com/zhkl0228/unidbg)
6. [Dynamic loading of .so files on Android: an elegant implementation and how it works](https://anymarvel.github.io/AndroidSummary/book/manpin/shipinzhuanmanhua/sodynamicload.html)
7. [[Original] The .so library loading process in detail](https://bbs.kanxue.com/thread-255674.htm)
8. [How Android JNI .so loading works](https://www.bmabk.com/index.php/post/24015.html)

## dlopen restrictions
1. [Android linker namespaces](https://www.cnblogs.com/revercc/p/17019321.html)
2. [Getting past linker namespace restrictions to access libart.so](https://www.cnblogs.com/revercc/p/17020902.html)
3. [Restrictions on using dlopen on Android and their solutions](https://www.sunmoonblog.com/2019/06/04/fake-dlopen/)
4. [An enhanced dlfunctions library that works around mobile system restrictions](https://cloud.tencent.com/developer/article/1658078)
5. [Another way around Android's system library access restrictions](https://juejin.cn/post/6966292316684288007)
6. [byOpen: a dlopen library that works around mobile system restrictions](https://zhuanlan.zhihu.com/p/156127953)
7. [Android 8.0: namespace-based dynamic linking, isolating app and system native libraries](https://blog.51cto.com/u_847102/5235359)
8. [Nougat_dlfunctions](https://github.com/avs333/Nougat_dlfunctions)
9. [ndk_dlopen](https://github.com/Rprop/ndk_dlopen)
10. [bypass_dlfunctions](https://github.com/WindySha/bypass_dlfunctions)
11. [byopen](https://github.com/hack0z/byopen)

## Reflection restrictions
1. [Restrictions on non-SDK interfaces](https://developer.android.com/guide/app-compatibility/restrictions-non-sdk-interfaces?hl=zh-cn)
2. [Another way around the non-public API restrictions on Android P and above](https://zhuanlan.zhihu.com/p/59455212)
3. [Notes on the hidden API restrictions in Android R](https://blog.canyie.top/2020/06/10/hiddenapi-restriction-policy-on-android-r/)
4. [A small trick to lift the restriction on reflecting hidden APIs in Android 9 Pie](https://www.jianshu.com/p/f98fe21cea80)
5. [AndroidHiddenApiBypass](https://github.com/LSPosed/AndroidHiddenApiBypass)
6. [FreeReflection](https://github.com/tiann/FreeReflection)

/2023安卓Hook框架源码入门/2023安卓Hook框架源码入门(番外篇之dlopen限制与反射限制)/jni/Android.mk:
--------------------------------------------------------------------------------
```makefile
# # An Android.mk file must first define the LOCAL_PATH variable.
# # It is used to locate source files in the development tree. Here the macro function 'my-dir',
# # provided by the build system, returns the current directory (the one containing the Android.mk file).
# LOCAL_PATH := $(call my-dir)
# # CLEAR_VARS is provided by the build system and
# # tells GNU make to clear many LOCAL_XXX variables for you (e.g. LOCAL_MODULE, LOCAL_SRC_FILES, LOCAL_STATIC_LIBRARIES, ...), except LOCAL_PATH. This is necessary
# # because all build control files are parsed in a single GNU make execution environment, where every variable is global.
# include $(CLEAR_VARS)
# # LOCAL_MODULE must be defined to identify each module described in the Android.mk file. The name must be unique and must not contain spaces.
# # Note that the build system adds the proper prefix and suffix automatically; in other words, a shared-library module named 'foo' produces 'libfoo.so'.
# LOCAL_MODULE := inject
# # LOCAL_SRC_FILES must list the C or C++ source files to be compiled into the module. Do not list headers or included files here,
# # because the build system works out the dependencies for you; only list the source files handed directly to the compiler.
# LOCAL_SRC_FILES := inject.c
# # BUILD_EXECUTABLE builds the module as an executable program
# # BUILD_SHARED_LIBRARY builds it as a shared library
# include $(BUILD_EXECUTABLE)

LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)
LOCAL_MODULE := hello_c_ndk
LOCAL_SRC_FILES := hello.c

#shellcode.s
# LOCAL_LDLIBS += -L$(SYSROOT)/usr/lib -llog

#LOCAL_FORCE_STATIC_EXECUTABLE := true

include $(BUILD_EXECUTABLE)
```

/2023安卓Hook框架源码入门/2023安卓Hook框架源码入门(番外篇之dlopen限制与反射限制)/jni/Application.mk:
--------------------------------------------------------------------------------
```makefile
APP_ABI := arm64-v8a,armeabi-v7a
```

/2023安卓Hook框架源码入门/2023安卓Hook框架源码入门(番外篇之dlopen限制与反射限制)/jni/hello.c:
--------------------------------------------------------------------------------
```c
#include <jni.h>
#include <stdio.h>   /* for printf() in main() */

JNIEXPORT jstring JNICALL
Java_com_lovexyx2020_buildso_MainActivity_stringFromJNI(
        JNIEnv* env,
        jobject /* this */) {
    char* hello = "Hello from C++";
    return (*env)->NewStringUTF(env, hello);
}

/* Entry point used when the same file is built with BUILD_EXECUTABLE. */
int main(){
    printf("hello from hello.cpp\n");
    return 0;
}
```

/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/2023安卓逆向CTF系列视频(一).md:
--------------------------------------------------------------------------------
## Where to browse the Android source code: http://androidxref.com/

## Script for dynamically registered native methods
https://blog.csdn.net/lyz_zyx/article/details/88690930
```js
// Read a libc++ std::string from memory: the low bit of the first byte tells
// short (inline) from long (heap) representation.
function readStdString(str) {
    const isTiny = (str.readU8() & 1) == 0;
    if (isTiny) {
        return str.add(1).readUtf8String();
    }
    return str.add(2 * Process.pointerSize).readPointer().readUtf8String();
}

function callPrettyMethod(ArtMethodptr) {
    // _ZN3art9ArtMethod12PrettyMethodEPS0_b
    var PrettyMethod_addr = Module.findExportByName("libart.so", "_ZN3art9ArtMethod12PrettyMethodEPS0_b");
    // PrettyMethod returns a std::string by value, so the return type is
    // declared as a struct of three pointers.
    var PrettyMethodfunc = new NativeFunction(PrettyMethod_addr, ["pointer", "pointer", "pointer"], ["pointer", "int"]);
    var result = PrettyMethodfunc(ArtMethodptr, 1);
    var stdstring = Memory.alloc(3 * Process.pointerSize);
    ptr(stdstring).writePointer(result[0]);
    ptr(stdstring).add(1 * Process.pointerSize).writePointer(result[1]);
    ptr(stdstring).add(2 * Process.pointerSize).writePointer(result[2]);
    var result = readStdString(stdstring)
    return result
}

function hook_RegisterNativeMethod() {
    var RegisterNativeMethod_addr = Module.findExportByName("libart.so", "_ZN3art16RuntimeCallbacks20RegisterNativeMethodEPNS_9ArtMethodEPKvPPv");
    console.log("RegisterNativeMethod_addr=", RegisterNativeMethod_addr)
    // art::RuntimeCallbacks::RegisterNativeMethod(art::ArtMethod*, void const*, void**)
    Interceptor.attach(RegisterNativeMethod_addr, {
        onEnter: function (args) {
            this.artmethod = args[1];
            var methodname = callPrettyMethod(ptr(this.artmethod));
            var address = args[2];
            // dex_method_index_ is at offset 12 in ArtMethod on Android 8.1 (layout varies by version)
            this.dex_method_index_ = ptr(this.artmethod).add(12).readU32();
            var current_module = Process.getModuleByAddress(address)
            var modulename = current_module.name
            var base = current_module.base
            var offset = address.sub(base)
            console.log("go into RegisterNativeMethod ---" + "artmethodptr:" + ptr(this.artmethod) + "---methodidx:" + this.dex_method_index_ + "--addr:" + address + "----name:" + methodname + "---modulename:" + modulename + "---offset:" + offset);
            return;
        }, onLeave: function (retval) {
        }
    })
}
setImmediate(hook_RegisterNativeMethod)
// frida -U -f com.wolf.ndktest -l hook_RegisterNativeMethod.js --no-pause -o out.log
// frida -U -f com.wolf.ndktest -l hook_RegisterNativeMethod.js -o out.log
```

## Finding the package name
1. dumpsys activity top | grep TASK
2. am monitor

## A few IDA operations
1. g: jump to an address

2. operator new[] ==> malloc


## Online encryption/decryption tool
https://gchq.github.io/CyberChef/

## rc4
https://github.com/bozhu/RC4-Python/blob/master/rc4.py

## Execution order of code in an .so

.init -> .init_array -> JNI_OnLoad

/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/Crakeme01.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/Crakeme01.apk

/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/First.c:
--------------------------------------------------------------------------------
```c
//
// Created by Admin on 2023-01-16.
//
#include "defs.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// RC4 key scheduling (KSA) as decompiled by Hex-Rays: a1/a2 = key and its
// length, a3 = the 256-byte state to fill. Returns -1 on success, 0 on NULL input.
int __fastcall GetKey(const unsigned __int8 *a1, int a2, unsigned __int8 *a3)
{
  bool v4; // zf
  int result; // r0
  int v7; // r5
  int i; // r7
  int v9; // r1

  v4 = a1 == 0;
  result = 0;
  if ( !v4 )
    v4 = a3 == 0;
  if ( !v4 )
  {
    do
    {
      a3[result] = result;
      ++result;
    }
    while ( result != 256 );
    v7 = 0;
    for ( i = 0; i != 256; ++i )
    {
      v9 = a3[i];
      v7 = (a1[i % a2] + v7 + v9) % 256;
      a3[i] = a3[v7];
      a3[v7] = v9;
    }
    result = -1;
  }
  return result;
}

// RC4 PRGA: a1/a2 = input and length, a3/a4 = key and length, a5 = output,
// *a6 receives the output length. Returns -1 on success, 0 on failure.
int __fastcall RC4(const unsigned __int8 *a1, int a2, const unsigned __int8 *a3, int a4, unsigned __int8 *a5, int *a6)
{
  unsigned __int8 *v6; // r7
  int result; // r0
  bool v12; // zf
  _BYTE *v13; // r6
  int v14; // r1
  int v15; // r0
  int v16; // r2
  int v17; // r3
  char v18; // t1

  result = 0;
  if ( a1 )
  {
    v12 = a3 == 0;
    if ( a3 )
    {
      v6 = a5;
      v12 = a5 == 0;
    }
    if ( !v12 )
    {
      v13 = (_BYTE *)malloc(0x100u);
      if ( GetKey(a3, a4, v13) )
      {
        if ( a2 >= 1 )
        {
          v14 = 0;
          v15 = a2;
          v16 = 0;
          do
          {
            --v15;
            v16 = (v16 + 1) % 256;
            v17 = (unsigned __int8)v13[v16];
            v14 = (v14 + v17) % 256;
            v13[v16] = v13[v14];
            v13[v14] = v17;
            v18 = *a1++;
            *v6++ = v13[(unsigned __int8)(v17 + v13[v16])] ^ v18;
          }
          while ( v15 );
        }
        *a6 = a2;
        free(v13);
        result = -1;
      }
      else
      {
        result = 0;
      }
    }
  }
  return result;
}

// Hex string -> bytes (upper-case hex only; returns 0 on odd length or bad digit).
char* __fastcall HexToByte(const char *s)
{
  signed int v2; // r5
  char* result; // r0
  int v4; // r6
  int v5; // r1
  unsigned int v6; // r2
  int v7; // r3
  int v8; // r2
  int v9; // r5
  unsigned int v10; // r3
  int v11; // r3

  if ( !s )
    return 0;
  v2 = strlen(s);
  result = 0;
  if ( v2 >= 1 && (v2 & 1) == 0 )
  {
    v4 = v2 / 2;
    result = (char*)malloc(v2 / 2);
    if ( v2 >= 2 )
    {
      v5 = 0;
      while ( 1 )
      {
        v6 = (unsigned __int8)s[2 * v5];
        v7 = 48;
        if ( v6 > 0x40 )
          v7 = 55;
        v8 = v6 - v7;
        if ( v8 > 15 )
          break;
        v9 = 48;
        v10 = (unsigned __int8)s[2 * v5 + 1];
        if ( v10 > 0x40 )
          v9 = 55;
        v11 = v10 - v9;
        if ( v11 > 15 )
          break;
        *(_BYTE *)(result + v5++) = v11 + 16 * v8;
        if ( v5 >= v4 )
          return result;
      }
      return 0;
    }
  }
  return result;
}

// Needs the IDA header (defs.h) for the Hex-Rays types.
unsigned __int8 *__fastcall Decrypt(const char *str, const char *a2)
{
  unsigned __int8 *v4; // r5
  const unsigned __int8 *v5; // r8
  size_t v6; // r0
  unsigned __int8 *v7; // r7
  size_t v8; // r6
  int v9; // r0
  int v11; // [sp+Ch] [bp-1Ch] BYREF

  if ( !str )
    return 0;
  v4 = 0;
  if ( (strlen(str) & 1) == 0 )
  {
    if ( a2 )
    {
      v5 = (const unsigned __int8 *)HexToByte(str);
      v6 = strlen(str);
      v7 = (unsigned __int8 *)malloc((v6 >> 1) + 1);
      v4 = 0;
      v11 = 0;
      v8 = strlen(str);
      v9 = strlen(a2);
      if ( RC4(v5, v8 >> 1, (const unsigned __int8 *)a2, v9, v7, &v11) )
      {
        v7[v11] = 0;
        v4 = v7;
      }
    }
  }
  return v4;
}


int main(){
  char* input_str = "636D55B2AA8609CB";
  char key[12] = {0x05,0x08,0x41,0x08,0x06,0x03,0x01,0x4e,0x61,0x44,0x80,0x0};
  char* ret = Decrypt(input_str, key);
  printf("ret = %s\n", ret);

  return 0;
}
```

/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/defs.h:
--------------------------------------------------------------------------------
```cpp
/*

   This file contains definitions used in the Hex-Rays decompiler output.
   It has type definitions and convenience macros to make the
   output more readable.
6 | 7 | Copyright (c) 2007-2020 Hex-Rays 8 | 9 | */ 10 | 11 | #ifndef HEXRAYS_DEFS_H 12 | #define HEXRAYS_DEFS_H 13 | 14 | #if defined(__GNUC__) 15 | typedef long long ll; 16 | typedef unsigned long long ull; 17 | #define __int64 long long 18 | #define __int32 int 19 | #define __int16 short 20 | #define __int8 char 21 | #define MAKELL(num) num ## LL 22 | #define FMT_64 "ll" 23 | #elif defined(_MSC_VER) 24 | typedef __int64 ll; 25 | typedef unsigned __int64 ull; 26 | #define MAKELL(num) num ## i64 27 | #define FMT_64 "I64" 28 | #elif defined (__BORLANDC__) 29 | typedef __int64 ll; 30 | typedef unsigned __int64 ull; 31 | #define MAKELL(num) num ## i64 32 | #define FMT_64 "L" 33 | #else 34 | #error "unknown compiler" 35 | #endif 36 | typedef unsigned int uint; 37 | typedef unsigned char uchar; 38 | typedef unsigned short ushort; 39 | typedef unsigned long ulong; 40 | 41 | typedef char int8; 42 | typedef signed char sint8; 43 | typedef unsigned char uint8; 44 | typedef short int16; 45 | typedef signed short sint16; 46 | typedef unsigned short uint16; 47 | typedef int int32; 48 | typedef signed int sint32; 49 | typedef unsigned int uint32; 50 | typedef ll int64; 51 | typedef ll sint64; 52 | typedef ull uint64; 53 | 54 | // Partially defined types. They are used when the decompiler does not know 55 | // anything about the type except its size. 56 | #define _BYTE uint8 57 | #define _WORD uint16 58 | #define _DWORD uint32 59 | #define _QWORD uint64 60 | #if !defined(_MSC_VER) 61 | #define _LONGLONG __int128 62 | #endif 63 | 64 | // Non-standard boolean types. They are used when the decompiler cannot use 65 | // the standard "bool" type because of the size mistmatch but the possible 66 | // values are only 0 and 1. See also 'BOOL' type below. 
67 | typedef int8 _BOOL1; 68 | typedef int16 _BOOL2; 69 | typedef int32 _BOOL4; 70 | typedef int64 _BOOL8; 71 | 72 | #ifndef _WINDOWS_ 73 | typedef int8 BYTE; 74 | typedef int16 WORD; 75 | typedef int32 DWORD; 76 | typedef int32 LONG; 77 | typedef int BOOL; // uppercase BOOL is usually 4 bytes 78 | #endif 79 | typedef int64 QWORD; 80 | #ifndef __cplusplus 81 | typedef int bool; // we want to use bool in our C programs 82 | #endif 83 | 84 | #define __pure // pure function: 85 | // when given the same arguments, always returns the same value 86 | // has no side effects 87 | 88 | // Non-returning function 89 | #if defined(__GNUC__) 90 | #define __noreturn __attribute__((noreturn)) 91 | #else 92 | #define __noreturn __declspec(noreturn) 93 | #endif 94 | 95 | 96 | #ifndef NULL 97 | #define NULL 0 98 | #endif 99 | 100 | // Some convenience macros to make partial accesses nicer 101 | #define LAST_IND(x,part_type) (sizeof(x)/sizeof(part_type) - 1) 102 | #if defined(__BYTE_ORDER) && __BYTE_ORDER == __BIG_ENDIAN 103 | # define LOW_IND(x,part_type) LAST_IND(x,part_type) 104 | # define HIGH_IND(x,part_type) 0 105 | #else 106 | # define HIGH_IND(x,part_type) LAST_IND(x,part_type) 107 | # define LOW_IND(x,part_type) 0 108 | #endif 109 | // first unsigned macros: 110 | #define BYTEn(x, n) (*((_BYTE*)&(x)+n)) 111 | #define WORDn(x, n) (*((_WORD*)&(x)+n)) 112 | #define DWORDn(x, n) (*((_DWORD*)&(x)+n)) 113 | 114 | #define LOBYTE(x) BYTEn(x,LOW_IND(x,_BYTE)) 115 | #define LOWORD(x) WORDn(x,LOW_IND(x,_WORD)) 116 | #define LODWORD(x) DWORDn(x,LOW_IND(x,_DWORD)) 117 | #define HIBYTE(x) BYTEn(x,HIGH_IND(x,_BYTE)) 118 | #define HIWORD(x) WORDn(x,HIGH_IND(x,_WORD)) 119 | #define HIDWORD(x) DWORDn(x,HIGH_IND(x,_DWORD)) 120 | #define BYTE1(x) BYTEn(x, 1) // byte 1 (counting from 0) 121 | #define BYTE2(x) BYTEn(x, 2) 122 | #define BYTE3(x) BYTEn(x, 3) 123 | #define BYTE4(x) BYTEn(x, 4) 124 | #define BYTE5(x) BYTEn(x, 5) 125 | #define BYTE6(x) BYTEn(x, 6) 126 | #define BYTE7(x) BYTEn(x, 7) 
127 | #define BYTE8(x) BYTEn(x, 8) 128 | #define BYTE9(x) BYTEn(x, 9) 129 | #define BYTE10(x) BYTEn(x, 10) 130 | #define BYTE11(x) BYTEn(x, 11) 131 | #define BYTE12(x) BYTEn(x, 12) 132 | #define BYTE13(x) BYTEn(x, 13) 133 | #define BYTE14(x) BYTEn(x, 14) 134 | #define BYTE15(x) BYTEn(x, 15) 135 | #define WORD1(x) WORDn(x, 1) 136 | #define WORD2(x) WORDn(x, 2) // third word of the object, unsigned 137 | #define WORD3(x) WORDn(x, 3) 138 | #define WORD4(x) WORDn(x, 4) 139 | #define WORD5(x) WORDn(x, 5) 140 | #define WORD6(x) WORDn(x, 6) 141 | #define WORD7(x) WORDn(x, 7) 142 | 143 | // now signed macros (the same but with sign extension) 144 | #define SBYTEn(x, n) (*((int8*)&(x)+n)) 145 | #define SWORDn(x, n) (*((int16*)&(x)+n)) 146 | #define SDWORDn(x, n) (*((int32*)&(x)+n)) 147 | 148 | #define SLOBYTE(x) SBYTEn(x,LOW_IND(x,int8)) 149 | #define SLOWORD(x) SWORDn(x,LOW_IND(x,int16)) 150 | #define SLODWORD(x) SDWORDn(x,LOW_IND(x,int32)) 151 | #define SHIBYTE(x) SBYTEn(x,HIGH_IND(x,int8)) 152 | #define SHIWORD(x) SWORDn(x,HIGH_IND(x,int16)) 153 | #define SHIDWORD(x) SDWORDn(x,HIGH_IND(x,int32)) 154 | #define SBYTE1(x) SBYTEn(x, 1) 155 | #define SBYTE2(x) SBYTEn(x, 2) 156 | #define SBYTE3(x) SBYTEn(x, 3) 157 | #define SBYTE4(x) SBYTEn(x, 4) 158 | #define SBYTE5(x) SBYTEn(x, 5) 159 | #define SBYTE6(x) SBYTEn(x, 6) 160 | #define SBYTE7(x) SBYTEn(x, 7) 161 | #define SBYTE8(x) SBYTEn(x, 8) 162 | #define SBYTE9(x) SBYTEn(x, 9) 163 | #define SBYTE10(x) SBYTEn(x, 10) 164 | #define SBYTE11(x) SBYTEn(x, 11) 165 | #define SBYTE12(x) SBYTEn(x, 12) 166 | #define SBYTE13(x) SBYTEn(x, 13) 167 | #define SBYTE14(x) SBYTEn(x, 14) 168 | #define SBYTE15(x) SBYTEn(x, 15) 169 | #define SWORD1(x) SWORDn(x, 1) 170 | #define SWORD2(x) SWORDn(x, 2) 171 | #define SWORD3(x) SWORDn(x, 3) 172 | #define SWORD4(x) SWORDn(x, 4) 173 | #define SWORD5(x) SWORDn(x, 5) 174 | #define SWORD6(x) SWORDn(x, 6) 175 | #define SWORD7(x) SWORDn(x, 7) 176 | 177 | // Generate a pair of operands. 
S stands for 'signed' 178 | #define __SPAIR16__(high, low) (((int16) (high) << 8) | (uint8) (low)) 179 | #define __SPAIR32__(high, low) (((int32) (high) << 16) | (uint16)(low)) 180 | #define __SPAIR64__(high, low) (((int64) (high) << 32) | (uint32)(low)) 181 | #define __SPAIR128__(high, low) (((int128) (high) << 64) | (uint64)(low)) 182 | #define __PAIR16__(high, low) (((uint16) (high) << 8) | (uint8) (low)) 183 | #define __PAIR32__(high, low) (((uint32) (high) << 16) | (uint16)(low)) 184 | #define __PAIR64__(high, low) (((uint64) (high) << 32) | (uint32)(low)) 185 | #define __PAIR128__(high, low) (((uint128)(high) << 64) | (uint64)(low)) 186 | 187 | // Helper functions to represent some assembly instructions. 188 | 189 | #ifdef __cplusplus 190 | 191 | // compile time assertion 192 | #define __CASSERT_N0__(l) COMPILE_TIME_ASSERT_ ## l 193 | #define __CASSERT_N1__(l) __CASSERT_N0__(l) 194 | #define CASSERT(cnd) typedef char __CASSERT_N1__(__LINE__) [(cnd) ? 1 : -1] 195 | 196 | // check that unsigned multiplication does not overflow 197 | template bool is_mul_ok(T count, T elsize) 198 | { 199 | CASSERT(T(-1) > 0); // make sure T is unsigned 200 | if ( elsize == 0 || count == 0 ) 201 | return true; 202 | return count <= T(-1) / elsize; 203 | } 204 | 205 | // multiplication that saturates (yields the biggest value) instead of overflowing 206 | // such a construct is useful in "operator new[]" 207 | template bool saturated_mul(T count, T elsize) 208 | { 209 | return is_mul_ok(count, elsize) ? 
count * elsize : T(-1); 210 | } 211 | 212 | #include // for size_t 213 | 214 | // memcpy() with determined behavoir: it always copies 215 | // from the start to the end of the buffer 216 | // note: it copies byte by byte, so it is not equivalent to, for example, rep movsd 217 | inline void *qmemcpy(void *dst, const void *src, size_t cnt) 218 | { 219 | char *out = (char *)dst; 220 | const char *in = (const char *)src; 221 | while ( cnt > 0 ) 222 | { 223 | *out++ = *in++; 224 | --cnt; 225 | } 226 | return dst; 227 | } 228 | 229 | // rotate left 230 | template T __ROL__(T value, int count) 231 | { 232 | const uint nbits = sizeof(T) * 8; 233 | 234 | if ( count > 0 ) 235 | { 236 | count %= nbits; 237 | T high = value >> (nbits - count); 238 | if ( T(-1) < 0 ) // signed value 239 | high &= ~((T(-1) << count)); 240 | value <<= count; 241 | value |= high; 242 | } 243 | else 244 | { 245 | count = -count % nbits; 246 | T low = value << (nbits - count); 247 | value >>= count; 248 | value |= low; 249 | } 250 | return value; 251 | } 252 | 253 | inline uint8 __ROL1__(uint8 value, int count) { return __ROL__((uint8)value, count); } 254 | inline uint16 __ROL2__(uint16 value, int count) { return __ROL__((uint16)value, count); } 255 | inline uint32 __ROL4__(uint32 value, int count) { return __ROL__((uint32)value, count); } 256 | inline uint64 __ROL8__(uint64 value, int count) { return __ROL__((uint64)value, count); } 257 | inline uint8 __ROR1__(uint8 value, int count) { return __ROL__((uint8)value, -count); } 258 | inline uint16 __ROR2__(uint16 value, int count) { return __ROL__((uint16)value, -count); } 259 | inline uint32 __ROR4__(uint32 value, int count) { return __ROL__((uint32)value, -count); } 260 | inline uint64 __ROR8__(uint64 value, int count) { return __ROL__((uint64)value, -count); } 261 | 262 | // the carry flag of a left shift 263 | template int8 __MKCSHL__(T value, uint count) 264 | { 265 | const uint nbits = sizeof(T) * 8; 266 | count %= nbits; 267 | 268 | return 
(value >> (nbits-count)) & 1; 269 | } 270 | 271 | // the carry flag of a right shift 272 | template int8 __MKCSHR__(T value, uint count) 273 | { 274 | return (value >> (count-1)) & 1; 275 | } 276 | 277 | // sign flag 278 | template int8 __SETS__(T x) 279 | { 280 | if ( sizeof(T) == 1 ) 281 | return int8(x) < 0; 282 | if ( sizeof(T) == 2 ) 283 | return int16(x) < 0; 284 | if ( sizeof(T) == 4 ) 285 | return int32(x) < 0; 286 | return int64(x) < 0; 287 | } 288 | 289 | // overflow flag of subtraction (x-y) 290 | template int8 __OFSUB__(T x, U y) 291 | { 292 | if ( sizeof(T) < sizeof(U) ) 293 | { 294 | U x2 = x; 295 | int8 sx = __SETS__(x2); 296 | return (sx ^ __SETS__(y)) & (sx ^ __SETS__(U(x2-y))); 297 | } 298 | else 299 | { 300 | T y2 = y; 301 | int8 sx = __SETS__(x); 302 | return (sx ^ __SETS__(y2)) & (sx ^ __SETS__(T(x-y2))); 303 | } 304 | } 305 | 306 | // overflow flag of addition (x+y) 307 | template int8 __OFADD__(T x, U y) 308 | { 309 | if ( sizeof(T) < sizeof(U) ) 310 | { 311 | U x2 = x; 312 | int8 sx = __SETS__(x2); 313 | return ((1 ^ sx) ^ __SETS__(y)) & (sx ^ __SETS__(U(x2+y))); 314 | } 315 | else 316 | { 317 | T y2 = y; 318 | int8 sx = __SETS__(x); 319 | return ((1 ^ sx) ^ __SETS__(y2)) & (sx ^ __SETS__(T(x+y2))); 320 | } 321 | } 322 | 323 | // https://en.wikipedia.org/wiki/Carry_flag#Carry_flag_vs._borrow_flag 324 | #if defined(__ARM__) || defined(__PPC__) 325 | #define SUB_WITH_CARRY 1 326 | #else 327 | #define SUB_WITH_CARRY 0 328 | #endif 329 | 330 | // carry flag of subtraction (x-y) 331 | template int8 __CFSUB__(T x, U y) 332 | { 333 | int size = sizeof(T) > sizeof(U) ? 
sizeof(T) : sizeof(U);
  bool res;
  if ( size == 1 )
    res = uint8(x) < uint8(y);
  else if ( size == 2 )
    res = uint16(x) < uint16(y);
  else if ( size == 4 )
    res = uint32(x) < uint32(y);
  else
    res = uint64(x) < uint64(y);
#if SUB_WITH_CARRY
  res = !res;
#endif
  return res;
}

// carry flag of addition (x+y)
template<class T, class U> int8 __CFADD__(T x, U y)
{
  int size = sizeof(T) > sizeof(U) ? sizeof(T) : sizeof(U);
  if ( size == 1 )
    return uint8(x) > uint8(x+y);
  if ( size == 2 )
    return uint16(x) > uint16(x+y);
  if ( size == 4 )
    return uint32(x) > uint32(x+y);
  return uint64(x) > uint64(x+y);
}

// carry flag of subtraction with carry
template<class T, class U> int8 __CFSUB__(T x, U y, int8 cf)
{
#if SUB_WITH_CARRY
  cf = !cf;
#endif
  return __CFADD__(y, cf) ^ __CFSUB__(x, y + cf);
}

// overflow flag of subtraction with carry
template<class T, class U> int8 __OFSUB__(T x, U y, int8 cf)
{
#if SUB_WITH_CARRY
  cf = !cf;
#endif
  return __OFADD__(y, cf) ^ __OFSUB__(x, y + cf);
}

inline uint8  abs8 (int8  x) { return x >= 0 ? x : -x; }
inline uint16 abs16(int16 x) { return x >= 0 ? x : -x; }
inline uint32 abs32(int32 x) { return x >= 0 ? x : -x; }
inline uint64 abs64(int64 x) { return x >= 0 ? x : -x; }
//inline uint128 abs128(int128 x) { return x >= 0 ?
x : -x; }

#include <string.h> // for memcpy
#include <type_traits> // for enable_if

template<class T, class F>
inline typename std::enable_if<sizeof(T) == sizeof(F), T>::type __coerce(F f)
{
  T t;
  memcpy(&t, &f, sizeof(T));
  return t;
}
#define COERCE_FLOAT(v) __coerce<float>(v)
#define COERCE_DOUBLE(v) __coerce<double>(v)
#define COERCE_LONG_DOUBLE(v) __coerce<long double>(v)
#define COERCE_UNSIGNED_INT(v) __coerce<unsigned int>(v)
#define COERCE_UNSIGNED_INT64(v) __coerce<unsigned __int64>(v)

#else // C++
// For C, we just provide macros, they are not quite correct.
#define __ROL__(x, y) __rotl__(x, y)      // Rotate left
#define __ROR__(x, y) __rotr__(x, y)      // Rotate right
#define __CFSHL__(x, y) invalid_operation // Generate carry flag for (x<<y)
#define __CFSHR__(x, y) invalid_operation // Generate carry flag for (x>>y)
#define __CFADD__(x, y) invalid_operation // Generate carry flag for (x+y)
#define __CFSUB__(x, y) invalid_operation // Generate carry flag for (x-y)
#define __OFADD__(x, y) invalid_operation // Generate overflow flag for (x+y)
#define __OFSUB__(x, y) invalid_operation // Generate overflow flag for (x-y)

#define abs8(x)   (int8) ((int8) (x) >= 0 ? (x) : -(x))
#define abs16(x)  (int16)((int16)(x) >= 0 ? (x) : -(x))
#define abs32(x)  (int32)((int32)(x) >= 0 ? (x) : -(x))
#define abs64(x)  (int64)((int64)(x) >= 0 ? (x) : -(x))
#define abs128(x) (int128)((int128)(x) >= 0 ?
(x) : -(x))

#endif // C++

#if defined(__MIPS__)
// traps for MIPS arithmetic operation
void __noreturn __integer_oveflow(void); // SIGFPE/FPE_INTOVF
void __noreturn __divide_by_zero(void);  // SIGFPE/FPE_INTDIV
void __noreturn __trap(uint16 trapcode); // SIGTRAP
void __noreturn __break(uint16 code, uint16 subcode);
#endif

// No definition for rcl/rcr because the carry flag is unknown
#define __RCL__(x, y)    invalid_operation // Rotate left thru carry
#define __RCR__(x, y)    invalid_operation // Rotate right thru carry
#define __MKCRCL__(x, y) invalid_operation // Generate carry flag for a RCL
#define __MKCRCR__(x, y) invalid_operation // Generate carry flag for a RCR
#define __SETP__(x, y)   invalid_operation // Generate parity flag for (x-y)

// In the decompilation listing there are some objects declared as _UNKNOWN
// because we could not determine their types. Since the C compiler does not
// accept void item declarations, we replace them by anything of our choice,
// for example a char:

#define _UNKNOWN char

#ifdef _MSC_VER
#define snprintf _snprintf
#define vsnprintf _vsnprintf
#endif

// The ADJ() macro is used for shifted pointers.
// While compilers do not understand it, it makes the code more readable.
// A shifted pointer is declared like this, for example:
//      char *__shifted(mystruct,8) p;
// It means: while 'p' points to 'char', it also points to the middle of 'mystruct'.
// More precisely, it is at the offset of 8 bytes from the beginning of 'mystruct'.
//
// The ADJ() macro performs the necessary adjustment.
// The __parentof() and __deltaof() functions are made up, they do not exist.
// __parentof() returns the parent structure type.
// __deltaof() returns the shift amount.

#define ADJ(p) (__parentof(p) *)(p-__deltaof(p))

#endif // HEXRAYS_DEFS_H
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/hook.js:
--------------------------------------------------------------------------------
function hook(){
    // 1. Get the base address of the target .so
    // https://frida.re/docs/javascript-api/
    var base = Module.findBaseAddress("libwolf.so")
    console.log("base = ",base);
    // This .so is 32-bit ARM and the function is Thumb code, so bit 0 of the
    // target address must be set: IDA shows 0x14074 while RegisterNatives
    // registers 0x14075 (see out.log). Interceptor picks the ARM or Thumb
    // encoding from that bit, so attaching at 0x14074 would patch the
    // function as ARM code and crash the process.
    var bc = base.add(0x14074).add(0x1)
    Interceptor.attach(bc,{
        onEnter:function(args){
            var arg3 = args[3] // jstring
            // https://github.com/frida/frida-java-bridge
            var env = Java.vm.getEnv()
            var arg3_c = env.getStringUtfChars(arg3)
            // console.log("arg3="+hexdump(arg3_c))
            console.log("enter bc arg3="+arg3_c.readCString())
            env.releaseStringUtfChars(arg3, arg3_c) // GetStringUTFChars must be paired with a release or it leaks
        },
        onLeave:function(retval){

        }
    })

    var dc = base.add(0x14508).add(0x1)
    Interceptor.attach(dc,{
        onEnter:function(args){
            var arg2 = args[2] // C string
            console.log("enter dc arg2="+arg2.readCString());
        },
        onLeave:function(retval){
            console.log("leave dc retval = "+retval);
            // retval.replace(0x1)
        }
    })

    var Decrypt = base.add(0x13F34).add(0x1)
    Interceptor.attach(Decrypt,{
        onEnter:function(args){
            var arg0 = args[0] // C string
            var arg1 = args[1] // raw buffer, dumped as hex
            console.log("enter Decrypt arg0="+arg0.readCString()+"---arg1="+hexdump(arg1));
        },
        onLeave:function(retval){
            console.log("leave Decrypt retval = "+hexdump(retval));
            // retval.replace(0x1)
        }
    })
}

setImmediate(hook)
// frida -UF -l hook.js -o out2.log
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/hook_RegisterNativeMethod.js:
--------------------------------------------------------------------------------
function readStdString(str) {
    // libc++ std::string: bit 0 of the first byte clear = short (inline) form,
    // set = long form whose third word is the heap data pointer
    const isTiny =
(str.readU8() & 1) == 0;
    if (isTiny) {
        return str.add(1).readUtf8String();
    }
    return str.add(2 * Process.pointerSize).readPointer().readUtf8String();
}

function callPrettyMethod(ArtMethodptr) {
    // _ZN3art9ArtMethod12PrettyMethodEPS0_b = art::ArtMethod::PrettyMethod(art::ArtMethod*, bool)
    // It returns a std::string by value; declaring the return type as a struct of
    // three pointers makes NativeFunction hand back the raw libc++ string object.
    var PrettyMethod_addr = Module.findExportByName("libart.so", "_ZN3art9ArtMethod12PrettyMethodEPS0_b");
    var PrettyMethodfunc = new NativeFunction(PrettyMethod_addr, ["pointer", "pointer", "pointer"], ["pointer", "int"]);
    var result = PrettyMethodfunc(ArtMethodptr, 1);
    // copy the three words back into memory so readStdString() can decode them
    var stdstring = Memory.alloc(3 * Process.pointerSize);
    stdstring.writePointer(result[0]);
    stdstring.add(1 * Process.pointerSize).writePointer(result[1]);
    stdstring.add(2 * Process.pointerSize).writePointer(result[2]);
    return readStdString(stdstring);
}

function hook_RegisterNativeMethod() {
    var RegisterNativeMethod_addr = Module.findExportByName("libart.so", "_ZN3art16RuntimeCallbacks20RegisterNativeMethodEPNS_9ArtMethodEPKvPPv");
    console.log("RegisterNativeMethod_addr=",RegisterNativeMethod_addr)
    // art::RuntimeCallbacks::RegisterNativeMethod(art::ArtMethod*, void const*, void**)
    // args[0] is the RuntimeCallbacks* this pointer, args[1] the ArtMethod*, args[2] the native entry point
    Interceptor.attach(RegisterNativeMethod_addr, {
        onEnter: function (args) {
            this.artmethod = args[1];
            var methodname = callPrettyMethod(ptr(this.artmethod));
            var address = args[2];
            // offset 12 = ArtMethod::dex_method_index_ on the ART build used here; the field layout changes between Android versions
            this.dex_method_index_ = ptr(this.artmethod).add(12).readU32();
            var current_module = Process.getModuleByAddress(address)
            var modulename = current_module.name
            var base = current_module.base
            var offset = address.sub(base)
            console.log("go into RegisterNativeMethod ---" + "artmethodptr:" + ptr(this.artmethod) + "---methodidx:" + this.dex_method_index_ + "--addr:" + address + "----name:" + methodname + "---modulename:" + modulename + "---offset:" + offset);
            return;
        }, onLeave: function (retval) {
        }
    })
}

setImmediate(hook_RegisterNativeMethod)
// frida -U -f com.lingzhiyi.testgo -l hook_RegisterNativeMethod.js --no-pause -o out.log
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/out.log:
--------------------------------------------------------------------------------
RegisterNativeMethod_addr= 0xeabec65d
go into RegisterNativeMethod ---artmethodptr:0xe1b9486c---methodidx:9--addr:0xd88255f5----name:void android.util.StatsLog.writeImpl(byte[], int, int)---modulename:libstats_jni.so---offset:0x15f5
go into RegisterNativeMethod ---artmethodptr:0xd864fdcc---methodidx:1--addr:0xd8119075----name:void com.wolf.n.NI.greywolf(android.content.Context, java.lang.String)---modulename:libwolf.so---offset:0x14075
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/out2.log:
--------------------------------------------------------------------------------
base = 0xd8105000
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/rc4.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

"""
Copyright (C) 2012 Bo Zhu http://about.bozhu.me
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
"""


def KSA(key):
    # key-scheduling algorithm: permute S[0..255] under the key bytes
    keylength = len(key)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % keylength]) % 256
        S[i], S[j] = S[j], S[i]  # swap
    return S


def PRGA(S):
    # pseudo-random generation algorithm: one keystream byte per iteration
    i = 0
    j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]  # swap

        K = S[(S[i] + S[j]) % 256]
        yield K


def RC4(key):
    S = KSA(key)
    return PRGA(S)


if __name__ == '__main__':
    # test vectors are from http://en.wikipedia.org/wiki/RC4

    # ciphertext should be BBF316E8D940AF0AD3
    key = 'Key'
    plaintext = 'Plaintext'

    # ciphertext should be 1021BF0420
    #key = 'Wiki'
    #plaintext = 'pedia'

    # ciphertext should be 45A01F645FC35B383552544B9BF5
    #key = 'Secret'
    #plaintext = 'Attack at dawn'

    def convert_key(s):
        return [ord(c) for c in s]
    key = convert_key(key)
    # The key and the 8 ciphertext bytes used for the challenge override the
    # test vector above; RC4 is symmetric, so XORing the ciphertext with the
    # keystream recovers the plaintext
    key = [0x05,0x08,0x41,0x08,0x06,0x03,0x01,0x4e,0x61,0x44,0x80]
    plaintext = [0x63,0x6D,0x55,0xB2,0xAA,0x86,0x09,0xCB]
    keystream = RC4(key)

    result = ""
    for c in plaintext:
        result += "%02x" % (c ^ next(keystream))

    import binascii
    print(result, binascii.unhexlify(result))


    # import sys
    # for c in plaintext:
    #     sys.stdout.write("%02X" % (ord(c) ^ next(keystream)))

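The readStdString() helper in hook_RegisterNativeMethod.js above only works because of how libc++ lays out std::string: the low bit of the first byte says whether the string is stored inline (short form, size in the first byte shifted left by one, characters from byte 1) or on the heap (long form, three pointer-sized words: capacity with bit 0 set, size, data pointer). The following is an added example, not code from the lessons repo, that reproduces that decoding in Python against a constructed memory image so the layout can be checked offline before it is trusted inside a hook. The FakeMemory class, the sample strings and the 64-bit and 32-bit pointer sizes are assumptions; unlike the page's helper it also uses the stored length instead of relying on a NUL terminator in long mode.

```python
# Added example (not from the lessons repo): decode a libc++ std::string the
# way readStdString() in hook_RegisterNativeMethod.js does, against a
# constructed memory image so it runs offline without Frida.
#
# libc++ layout assumed here (little-endian, default ABI):
#   short form: byte 0 = size << 1 (bit 0 clear), inline chars start at byte 1
#   long form : [cap | 1][size][char *data]   (three pointer-sized words)
import struct
from typing import Tuple


class FakeMemory:
    """Flat byte array standing in for the target process's address space."""

    def __init__(self, size: int) -> None:
        self.buf = bytearray(size)

    @staticmethod
    def word_fmt(ptr_size: int) -> str:
        return "<Q" if ptr_size == 8 else "<I"

    def read_word(self, addr: int, ptr_size: int) -> int:
        return struct.unpack_from(self.word_fmt(ptr_size), self.buf, addr)[0]

    def write_word(self, addr: int, value: int, ptr_size: int) -> None:
        struct.pack_into(self.word_fmt(ptr_size), self.buf, addr, value)


def read_std_string(mem: FakeMemory, addr: int, ptr_size: int) -> str:
    """Port of the page's readStdString(), using the stored length so the
    long form does not depend on a NUL terminator."""
    first = mem.buf[addr]
    if (first & 1) == 0:                    # short form: size stored shifted left by one
        size = first >> 1
        return bytes(mem.buf[addr + 1:addr + 1 + size]).decode("utf-8")
    size = mem.read_word(addr + ptr_size, ptr_size)          # __size_
    data = mem.read_word(addr + 2 * ptr_size, ptr_size)      # __data_
    return bytes(mem.buf[data:data + size]).decode("utf-8")


def write_short_string(mem: FakeMemory, addr: int, s: str) -> None:
    """Lay out a short-form string (constructed data for the demo)."""
    raw = s.encode("utf-8")
    mem.buf[addr] = len(raw) << 1
    mem.buf[addr + 1:addr + 1 + len(raw)] = raw
    mem.buf[addr + 1 + len(raw)] = 0


def write_long_string(mem: FakeMemory, addr: int, heap: int, s: str, ptr_size: int) -> None:
    """Lay out a long-form string whose bytes live at `heap` (constructed data)."""
    raw = s.encode("utf-8")
    cap = (len(raw) + 1 + 15) & ~15          # any capacity works; bit 0 marks the long form
    mem.write_word(addr, cap | 1, ptr_size)
    mem.write_word(addr + ptr_size, len(raw), ptr_size)
    mem.write_word(addr + 2 * ptr_size, heap, ptr_size)
    mem.buf[heap:heap + len(raw)] = raw


# Name taken from out.log; it is too long for the inline buffer, so it is long form.
PRETTY = "void com.wolf.n.NI.greywolf(android.content.Context, java.lang.String)"


def demo(ptr_size: int) -> Tuple[str, str]:
    """Write one string of each form and decode both back."""
    mem = FakeMemory(256)
    write_short_string(mem, 0x00, "art")
    write_long_string(mem, 0x40, 0x80, PRETTY, ptr_size)
    return read_std_string(mem, 0x00, ptr_size), read_std_string(mem, 0x40, ptr_size)


if __name__ == "__main__":
    for ps in (8, 4):
        print(ps, demo(ps))
```

On a 32-bit ARM target (as in out.log, where addresses are 32-bit) Process.pointerSize is 4, so the data pointer sits at offset 8; on arm64 it sits at offset 16. Reading the first byte, rather than a whole word, is what keeps the page's helper correct on both.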
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/封面图.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(一)/讲义/封面图.pptx
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(三)/讲义/2023安卓逆向CTF系列视频(三).md:
--------------------------------------------------------------------------------
# APK location
https://github.com/LeadroyaL/attachment_repo/tree/master/didictf_2018/level2

## A supplementary tutorial by an expert
[[Original] Advanced Frida: Android reversing, hooking a dynamically loaded dex (3) (part 1)](https://bbs.kanxue.com/thread-229597.htm)
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(三)/讲义/hook.js:
--------------------------------------------------------------------------------
function hook(){
    Java.perform(function(){
        // Java.use("java.lang.String").equals.implementation = function(str){
        //     var result = this.equals(str)
        //     console.log("str = "+str);
        //     return result
        // }
        // Direct Java.use() fails here: MainActivityPatch lives in a dynamically
        // loaded dex with its own class loader, which the default loader cannot see
        // Java.use("cn.chaitin.geektan.crackme.MainActivityPatch").Joseph.implementation = function(i,i2){
        //     var result = this.Joseph(i,i2);
        //     console.log("i = "+i+"---i2="+i2+"---result = "+result)
        //     return result;
        // }

        // console.log(Java.enumerateClassLoadersSync())
        // Walk every class loader, find the one that can resolve the class, and
        // point Java.classFactory at it before calling Java.use()
        Java.enumerateClassLoadersSync().forEach(function(loader){
            // console.log(loader)
            try{
                if(loader.loadClass("cn.chaitin.geektan.crackme.MainActivityPatch")){
                    console.log("find class " ,loader)
                    Java.classFactory.loader = loader
                    Java.use("cn.chaitin.geektan.crackme.MainActivityPatch").Joseph.implementation = function(i,i2){
                        var result = this.Joseph(i,i2);
                        console.log("i = "+i+"---i2="+i2+"---result = "+result)
                        return result;
                    }
                }
            }catch(e){
                // loaders that cannot resolve the class throw ClassNotFoundException; skip them
            }
        })
    })
}

setImmediate(hook)

// frida -UF -l hook.js -o out.log
// frida -U -f cn.chaitin.geektan.crackme -l hook.js -o out.log
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(三)/讲义/robust.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(三)/讲义/robust.apk
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(二)/讲义/2023安卓逆向CTF系列视频(二).md:
--------------------------------------------------------------------------------
## [[Spring Festival 2021] Solve the challenge to claim a red packet](https://www.52pojie.cn/thread-1369661-1-1.html)
[APK download](https://down.52pojie.cn/Challenge/Happy_New_Year_2021_Challenge.rar)

## 1. General analysis overview

## Quick debugging and analysis with frida
1. Strengths and weaknesses of frida
2. frida native hook and inline hook: printing registers
```js
function hook(){
    // 1.
 Get the base address
    var base = Module.findBaseAddress("libnative-lib.so")
    console.log("base = ",base);

    // arm64 library: there is no Thumb bit, so the offsets are used as-is (.add(0x0))
    var check = base.add(0x7FC).add(0x0);
    Interceptor.attach(check,{
        onEnter:function(args){
            var input_str = args[2] // jstring
            var input_str_c = Java.vm.getEnv().getStringUtfChars(input_str)
            // console.log("called enter check input_str_c = ",hexdump(input_str_c))
        },
        onLeave:function(retval){
            // console.log("called leave check retval = "+retval)
        }
    })

    var sub_B90 = base.add(0xB90).add(0x0)
    Interceptor.attach(sub_B90,{
        onEnter:function(args){
            // keep the pointers so onLeave can dump the buffers after the call
            this.arg0 = args[0]
            this.arg1 = args[1]
            this.arg2 = args[2]

            console.log("called enter sub_B90 this.arg0 = "+hexdump(this.arg0)+"\nthis.arg1="+this.arg1+"\nthis.arg2"+hexdump(this.arg2))
        },
        onLeave:function(retval){
            console.log("called leave sub_B90 retval = "+retval)
            console.log("called leave sub_B90 this.arg0 = "+hexdump(this.arg0)+"\nthis.arg1="+this.arg1+"\nthis.arg2"+hexdump(this.arg2))
        }
    })

    var sub_D90 = base.add(0xD90).add(0x0)
    Interceptor.attach(sub_D90,{
        onEnter:function(args){
            this.arg0 = args[0]
            this.arg1 = args[1]

            console.log("called enter sub_D90 this.arg0 = "+hexdump(this.arg0)+"\nthis.arg1="+this.arg1)
        },
        onLeave:function(retval){
            // console.log("called leave sub_D90 this.arg0 = "+hexdump(this.arg0)+"\nthis.arg1="+this.arg1)
            console.log("called leave sub_D90 retval = "+(retval).readCString())
        }
    })

    // inline hook: attach in the middle of a function and read the registers
    // of interest from this.context instead of the args array
    var inline_B34 = base.add(0xB34).add(0x0)
    Interceptor.attach(inline_B34,{
        onEnter:function(args){
            // console.log("called enter inline_B34 = " + JSON.stringify(this.context))
            console.log("called enter inline_B34 = " +hexdump(this.context.x0))
            console.log("called enter inline_B34 = " +hexdump(this.context.x9))
        },
        onLeave:function(retval){
            // console.log("called leave inline_B34 this.arg0 =
"+hexdump(this.arg0)+"\nthis.arg1="+this.arg1)
            // console.log("called leave sub_D90 retval = "+(retval).readCString())
        }
    })
}
setImmediate(hook);
// frida -UF -l hook.js -o out.log
// xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

## Standard steps for debugging an Android app with IDA

Look up where the APK is installed: pm path cn.pojie52.cm01


### 0. When IDA cannot find the .so
Because the APK sets android:extractNativeLibs="false": the library is never unpacked to lib/ on disk, it is mapped straight out of base.apk, so it appears under base.apk in the module list rather than as a separate module.

### 1. Attach mode
1. Remember the port forward: adb forward tcp:23946 tcp:23946
2. Find the base address of base.apk (module list entry: start address and size)
`/data/app/~~UbqwoOpDOTfYTfwZ1Ty9pA==/cn.pojie52.cm01-Fu70kSLImy0Ji7ekdGzWFQ==/base.apk 00000076282C6000 00000002CB5FA000`
3. Rebase the static database to that address so the function offsets can be looked up directly
4. F2 sets a breakpoint, F9 runs, F8 steps over, C turns the bytes at the cursor into code


### 2. Spawn mode


### 3. Differences between newer Android (10 and above) and older versions
On newer versions the path of libc.so changed, so the other threads are not shown; start the debug server with the new path: IDA_LIBC_PATH=/apex/com.android.runtime/lib64/bionic/libc.so ./android_server64

1. [arm64 instructions](https://www.jianshu.com/p/08c0078c512b)

## Lifting the C code and running it
Raises an exception

## Quick online verification of standard algorithms
https://gchq.github.io/CyberChef/

--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(二)/讲义/3.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(二)/讲义/3.apk
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(二)/讲义/hook.js:
--------------------------------------------------------------------------------
function hook(){
    // 1.
 Get the base address
    var base = Module.findBaseAddress("libnative-lib.so")
    console.log("base = ",base);

    // arm64 library: there is no Thumb bit, so the offsets are used as-is (.add(0x0))
    var check = base.add(0x7FC).add(0x0);
    Interceptor.attach(check,{
        onEnter:function(args){
            var input_str = args[2] // jstring
            var input_str_c = Java.vm.getEnv().getStringUtfChars(input_str)
            // console.log("called enter check input_str_c = ",hexdump(input_str_c))
        },
        onLeave:function(retval){
            // console.log("called leave check retval = "+retval)
        }
    })

    var sub_B90 = base.add(0xB90).add(0x0)
    Interceptor.attach(sub_B90,{
        onEnter:function(args){
            // keep the pointers so onLeave can dump the buffers after the call
            this.arg0 = args[0]
            this.arg1 = args[1]
            this.arg2 = args[2]

            console.log("called enter sub_B90 this.arg0 = "+hexdump(this.arg0)+"\nthis.arg1="+this.arg1+"\nthis.arg2"+hexdump(this.arg2))
        },
        onLeave:function(retval){
            console.log("called leave sub_B90 retval = "+retval)
            console.log("called leave sub_B90 this.arg0 = "+hexdump(this.arg0)+"\nthis.arg1="+this.arg1+"\nthis.arg2"+hexdump(this.arg2))
        }
    })

    var sub_D90 = base.add(0xD90).add(0x0)
    Interceptor.attach(sub_D90,{
        onEnter:function(args){
            this.arg0 = args[0]
            this.arg1 = args[1]

            console.log("called enter sub_D90 this.arg0 = "+hexdump(this.arg0)+"\nthis.arg1="+this.arg1)
        },
        onLeave:function(retval){
            // console.log("called leave sub_D90 this.arg0 = "+hexdump(this.arg0)+"\nthis.arg1="+this.arg1)
            console.log("called leave sub_D90 retval = "+(retval).readCString())
        }
    })

    // inline hook: attach in the middle of a function and read the registers
    // of interest from this.context instead of the args array
    var inline_B34 = base.add(0xB34).add(0x0)
    Interceptor.attach(inline_B34,{
        onEnter:function(args){
            // console.log("called enter inline_B34 = " + JSON.stringify(this.context))
            console.log("called enter inline_B34 = " +hexdump(this.context.x0))
            console.log("called enter inline_B34 = " +hexdump(this.context.x9))
        },
        onLeave:function(retval){
            // console.log("called leave inline_B34 this.arg0 =
"+hexdump(this.arg0)+"\nthis.arg1="+this.arg1)
            // console.log("called leave sub_D90 retval = "+(retval).readCString())
        }
    })
}

setImmediate(hook);

// frida -UF -l hook.js -o out.log
// xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(四)/2023安卓逆向CTF系列视频(四).md:
--------------------------------------------------------------------------------
https://ctf.bugku.com/challenges/detail/id/120.html

## 1. Brute force and RPC with frida

## 2. Brute force and RPC with unidbg

## 3. Brute force and RPC with AndroidNativeEmu

## 4. Brute force and RPC with Xposed

--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(四)/2023安卓逆向CTF系列视频(四)(二Xposed之Rpc).md:
--------------------------------------------------------------------------------
https://ctf.bugku.com/challenges/detail/id/120.html

https://github.com/koush/AndroidAsync

implementation 'com.koushikdutta.async:androidasync:2.+'

```java
AsyncHttpServer server = new AsyncHttpServer();

server.get("/", new HttpServerRequestCallback() {
    @Override
    public void onRequest(AsyncHttpServerRequest request, AsyncHttpServerResponse response) {
        response.send("Hello!!!");
    }
});

server.post("/post", new HttpServerRequestCallback() {
    @Override
    public void onRequest(AsyncHttpServerRequest request, AsyncHttpServerResponse response) {
        // response.send("Hello!!!");
        // form-encoded POST bodies are parsed into a Multimap of field name -> values
        AsyncHttpRequestBody body = request.getBody();
        Object body_ = body.get();
        String arg0_value = ((Multimap)body_).get("arg0").get(0);
        String arg1_value = ((Multimap)body_).get("arg1").get(0);
        Log.e("xposedcrackloop","arg0="+arg0_value);
        response.send(arg0_value+arg1_value);

    }
});
server.post("/post2", new HttpServerRequestCallback() {
    @Override
    public
void onRequest(AsyncHttpServerRequest request, AsyncHttpServerResponse response) {
        response.send("Hello!!!");
    }
});

// listen on port 5000
server.listen(5000);
```
server.listen(5000) binds inside the target app's process on every interface, so any host that can reach the device over the network can drive the hooked method through /post; use it on a lab device only, or reach it through adb forward instead of exposing the port.
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(四)/LoopAndLoop.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(四)/LoopAndLoop.apk
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(四)/agent.js:
--------------------------------------------------------------------------------
function myadd2(a,b){
    return a+b
}


function mychec(a,b){
    var result = a+b+1;
    send("called in mychec")
    // return
    // Java.choose("net.bluelotus.tomorrow.easyandroid.MainActivity",{
    //     onMatch:function(ins){
    //         result = ins.check(i,99)
    //     },
    //     onComplete:function(){
    //         // console.log("search onComplete")
    //     }
    // })
    return result;
}

// names under rpc.exports become script.exports.<name>() on the Python side
rpc.exports = {
    add(a, b) {
        return a + b;
    },
    add2:myadd2,
    chec:mychec
};

--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(四)/frida_rpc_new.js:
--------------------------------------------------------------------------------

var myins = null;
Java.perform(function(){
    // 1.
 Find the live instance, then call through it
    Java.choose("net.bluelotus.tomorrow.easyandroid.MainActivity",{
        onMatch:function(ins){
            // result = ins.check(i,99)
            myins = ins;
        },
        onComplete:function(){
            // console.log("search onComplete")
        }
    })
})

function mychec(i){
    // RPC arguments arrive as whatever JSON the caller sent; coerce to int before
    // handing them to the Java method
    var result = null;
    console.log(typeof i)
    i = parseInt(i)
    result = myins.chec(i,99)
    console.log("called in frida_rpc_new.js result = "+result)
    return result.toString()
}

rpc.exports = {
    chec:mychec
};
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(四)/frida_server.py:
--------------------------------------------------------------------------------
import codecs
import frida

def on_message(message, data):
    if message['type'] == 'send':
        print("message type send =>", message['payload'])
    elif message['type'] == 'error':
        print(message['stack'])

# find the foreground process name with: dumpsys activity top | grep TASK
session = frida.get_usb_device(timeout=10).attach('LoopAndLoop')  # package net.bluelotus.tomorrow.easyandroid
# session = frida.attach('LoopAndLoop')  # net.bluelotus.tomorrow.easyandroid
# print(session)
with codecs.open('./agent.js', 'r', 'utf-8') as f:
    source = f.read()
script = session.create_script(source)
script.on('message', on_message)
script.load()
print(script.exports.add(2, 3))
print(script.exports.chec(1, 99))
# print(script.exports.sub(5, 3))
session.detach()
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(四)/frida_server_new.py:
--------------------------------------------------------------------------------
'''
pip install flask
https://flask.palletsprojects.com/en/2.2.x/quickstart/#a-minimal-application
set FLASK_APP=frida_server_new.py
flask run --host=0.0.0.0 --port=5004
(--host=0.0.0.0 exposes the RPC bridge to the whole network; keep it on a lab network)
'''
from flask import
Flask, request
import frida
app = Flask(__name__)

def session_scrypt_init():
    global script, session
    # 1. attach
    # session = frida.get_usb_device(timeout=10).attach("LoopAndLoop")  # over USB, fine for the default port
    # session = frida.get_remote_device("192.168.7.103:27045").attach("LoopAndLoop")
    # session = frida.get_device_manager().add_remote_device("192.168.0.125:27043").attach("com.sankuai.meituan.takeoutnew")  # connecting by IP is more flexible

    # 2. spawn
    device = frida.get_usb_device(timeout=10)
    pid = device.spawn(["net.bluelotus.tomorrow.easyandroid"])
    session = device.attach(pid)
    device.resume(pid)

    with open("frida_rpc_new.js", "r", encoding="utf-8") as f:
        source = f.read()

    # Note: the script is loaded after resume(); frida_rpc_new.js runs Java.choose()
    # at load time, so if MainActivity has not been created yet myins stays null
    # and /chec fails until the script is loaded again
    script = session.create_script(source)
    script.load()


    # input("....")

def session_scrypt_finish():
    session.detach()

def mychec(i):
    result = script.exports.chec(i, 99)
    print(result)
    return result

@app.route("/chec", methods=['POST', 'GET'])
def chec():
    if request.method == "POST":
        print(request)
        print(request.form)
        i = request.form["i"]
        print("data=", i, " typeof i in python", type(i))
        result = mychec(int(i))
        print("check result=", result)
        return result
    else:
        return "you need a POST method"
    # result = mychec(i)
    # return "called chec" + str(result)

@app.route("/")
def hello_world():
    return "<p>Hello, World!</p>"

@app.route("/hello")
def hello():
    return "hello"

# if __name__=="__main__":
session_scrypt_init()
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(四)/hook_4_crack.js:
--------------------------------------------------------------------------------
//

function hook(){
    Java.perform(function(){
        // 1. Find the live instance, then call through it
        // Java.choose("net.bluelotus.tomorrow.easyandroid.MainActivity",{
        //     onMatch:function(ins){
        //         console.log(ins)
        //         for(var i = 236491408;i<236493408;i++){
        //             var result = ins.check(i,99)
        //             // 0   1599503850
        //             // 1   1599503851
        //             // 100 1599503950
        //             // ?   1835996258 => 236492408
        //             if(result==1835996258){
        //                 console.log("result = ",result," i=",i)
        //                 break;
        //             }
        //             // else{
        //             //     console.log("i = ",i)
        //             // }
        //
        //         }
        //
        //     },
        //     onComplete:function(){
        //         // console.log("search onComplete")
        //     }
        // })

        // 2.
 Create an instance, then call through it
        // var MainActivity = Java.use("net.bluelotus.tomorrow.easyandroid.MainActivity");
        // var ins = MainActivity.$new() // fails: an Activity constructor needs a Looper thread, hence the Looper.prepare() error in out.log
        // MainActivity.check() // a static method can be called directly on the class wrapper
        console.log(Java.use("android.util.Base64").encodeToString(Java.use("java.lang.String").$new("hello").getBytes(),0))
        // console.log(ins.check(1,99))
    })
}

setImmediate(hook)

// frida -UF -l hook_4_crack.js -o out.log
--------------------------------------------------------------------------------
/2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(四)/out.log:
--------------------------------------------------------------------------------
net.bluelotus.tomorrow.easyandroid.MainActivity@4b91a65
result = 1835996258 i= 236492408
Error: java.lang.RuntimeException: Can't create handler inside thread that has not called Looper.prepare()
    at (frida/node_modules/frida-java-bridge/lib/env.js:124)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:1064)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:585)
    at apply (native)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:969)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:552)
    at (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:33)
    at (frida/node_modules/frida-java-bridge/lib/vm.js:12)
    at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:250)
    at (frida/node_modules/frida-java-bridge/index.js:225)
    at (frida/node_modules/frida-java-bridge/lib/vm.js:12)
    at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244)
    at perform (frida/node_modules/frida-java-bridge/index.js:204)
    at hook (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:35)
    at apply (native)
    at (frida/runtime/core.js:51)
Error: java.lang.RuntimeException: Can't create handler inside thread that has not called Looper.prepare()
    at
(frida/node_modules/frida-java-bridge/lib/env.js:124)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:1064)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:585)
    at apply (native)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:969)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:552)
    at (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:33)
    at (frida/node_modules/frida-java-bridge/lib/vm.js:12)
    at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:250)
    at (frida/node_modules/frida-java-bridge/index.js:225)
    at (frida/node_modules/frida-java-bridge/lib/vm.js:12)
    at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244)
    at perform (frida/node_modules/frida-java-bridge/index.js:204)
    at hook (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:35)
    at apply (native)
    at (frida/runtime/core.js:51)
Error: java.lang.RuntimeException: Can't create handler inside thread that has not called Looper.prepare()
    at (frida/node_modules/frida-java-bridge/lib/env.js:124)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:1064)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:585)
    at apply (native)
    at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:969)
    at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:552)
    at (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:33)
    at (frida/node_modules/frida-java-bridge/lib/vm.js:12)
    at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:250)
    at (frida/node_modules/frida-java-bridge/index.js:225)
    at (frida/node_modules/frida-java-bridge/lib/vm.js:12)
    at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244)
    at perform (frida/node_modules/frida-java-bridge/index.js:204)
at hook (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:37) 52 | at apply (native) 53 | at (frida/runtime/core.js:51) 54 | Error: java.lang.RuntimeException: Can't create handler inside thread that has not called Looper.prepare() 55 | at (frida/node_modules/frida-java-bridge/lib/env.js:124) 56 | at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:1064) 57 | at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:585) 58 | at apply (native) 59 | at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:969) 60 | at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:552) 61 | at (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:33) 62 | at (frida/node_modules/frida-java-bridge/lib/vm.js:12) 63 | at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:250) 64 | at (frida/node_modules/frida-java-bridge/index.js:225) 65 | at (frida/node_modules/frida-java-bridge/lib/vm.js:12) 66 | at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244) 67 | at perform (frida/node_modules/frida-java-bridge/index.js:204) 68 | at hook (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:37) 69 | at apply (native) 70 | at (frida/runtime/core.js:51) 71 | Error: java.lang.RuntimeException: Can't create handler inside thread that has not called Looper.prepare() 72 | at (frida/node_modules/frida-java-bridge/lib/env.js:124) 73 | at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:1064) 74 | at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:585) 75 | at apply (native) 76 | at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:969) 77 | at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:552) 78 | at (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:33) 79 | at (frida/node_modules/frida-java-bridge/lib/vm.js:12) 80 | at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:250) 81 | at 
(frida/node_modules/frida-java-bridge/index.js:225) 82 | at (frida/node_modules/frida-java-bridge/lib/vm.js:12) 83 | at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244) 84 | at perform (frida/node_modules/frida-java-bridge/index.js:204) 85 | at hook (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:37) 86 | at apply (native) 87 | at (frida/runtime/core.js:51) 88 | Error: java.lang.RuntimeException: Can't create handler inside thread that has not called Looper.prepare() 89 | at (frida/node_modules/frida-java-bridge/lib/env.js:124) 90 | at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:1064) 91 | at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:585) 92 | at apply (native) 93 | at value (frida/node_modules/frida-java-bridge/lib/class-factory.js:969) 94 | at e (frida/node_modules/frida-java-bridge/lib/class-factory.js:552) 95 | at (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:33) 96 | at (frida/node_modules/frida-java-bridge/lib/vm.js:12) 97 | at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:250) 98 | at (frida/node_modules/frida-java-bridge/index.js:225) 99 | at (frida/node_modules/frida-java-bridge/lib/vm.js:12) 100 | at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244) 101 | at perform (frida/node_modules/frida-java-bridge/index.js:204) 102 | at hook (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:37) 103 | at apply (native) 104 | at (frida/runtime/core.js:51) 105 | ReferenceError: 'consoel' is not defined 106 | at (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:35) 107 | at (frida/node_modules/frida-java-bridge/lib/vm.js:12) 108 | at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:250) 109 | at (frida/node_modules/frida-java-bridge/index.js:225) 110 | at (frida/node_modules/frida-java-bridge/lib/vm.js:12) 111 | at _performPendingVmOpsWhenReady 
(frida/node_modules/frida-java-bridge/index.js:244) 112 | at perform (frida/node_modules/frida-java-bridge/index.js:204) 113 | at hook (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:37) 114 | at apply (native) 115 | at (frida/runtime/core.js:51) 116 | ReferenceError: 'consoel' is not defined 117 | at (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:35) 118 | at (frida/node_modules/frida-java-bridge/lib/vm.js:12) 119 | at _performPendingVmOps (frida/node_modules/frida-java-bridge/index.js:250) 120 | at (frida/node_modules/frida-java-bridge/index.js:225) 121 | at (frida/node_modules/frida-java-bridge/lib/vm.js:12) 122 | at _performPendingVmOpsWhenReady (frida/node_modules/frida-java-bridge/index.js:244) 123 | at perform (frida/node_modules/frida-java-bridge/index.js:204) 124 | at hook (X:\2023安卓逆向CTF系列视频\2023安卓逆向CTF系列视频(四)\讲义\hook_4_crack.js:37) 125 | at apply (native) 126 | at (frida/runtime/core.js:51) 127 | AAAAAGhlbGxvAA== 128 | AAAAAGhlbGxvAA== 129 | AAAAAGhlbGxvAA== 130 | 131 | AAAAAGhlbGxvAA== 132 | 133 | aGVsbG8= 134 | 135 | aGVsbG8= 136 | 137 | -------------------------------------------------------------------------------- /2023安卓逆向CTF系列视频/2023安卓逆向CTF系列视频(四)/test_post.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | url = "http://127.0.0.1:5004/chec" 4 | data = { 5 | "i":20000, 6 | } 7 | 8 | res = requests.post(url,data=data) 9 | print(res.text) -------------------------------------------------------------------------------- /2023安卓逆向CTF系列视频/2023安卓逆向CTF网站收集/2023安卓逆向CTF网站收集.md: -------------------------------------------------------------------------------- 1 | 1. https://github.com/LeadroyaL/attachment_repo 2 | 2. https://github.com/ctfs/ 3 | 3. https://github.com/xtiankisutsa/awesome-mobile-CTF 4 | 4. https://ctf.bugku.com/challenges/index/gid/1/tid/7.html 5 | 5. 
5. https://www.ctfhub.com/#/challenge
-------------------------------------------------------------------------------- /2023安卓逆向CTF系列视频/2023安卓逆向工具篇/2023安卓逆向工具篇(Frida的基本使用).md: --------------------------------------------------------------------------------
## frida server
```
cd /data/local/tmp
chmod 777 *      # 755 on the frida-server binary is all it needs
./frida-server-16.0.8-android-arm64
./frida-server-16.0.8-android-arm64 -l 0.0.0.0:1314   # TCP listener on every interface: anyone who can reach the port gets root-level code execution on the device, so use it only on a trusted network (or forward the port with adb instead)

1. attach
adb devices
frida -D 936AX05033 -F             # -D selects the device id shown by `adb devices`, -F attaches to the foreground app
frida -UF
frida -U -n 设置                    # by process name
frida -U -N com.android.settings   # by application identifier

2. spawn
frida -U -f com.android.settings --no-pause   # frida-tools 12, the CLI generation that goes with Frida 16, resumes spawned processes by default and no longer accepts --no-pause; use --pause to keep the process suspended
```



## frida gadget
```python
# pip install lief
# pm path com.example.testgadgethook   (locate the installed APK whose native library gets patched)
import lief

libnative = lief.parse("libtestgadgethook.so")  # 287kb
libnative.add_library("frida-gadget-16.0.8-android-arm64.so")  # adds a DT_NEEDED entry for the frida-gadget .so; rename the gadget first so the file name does not give it away
libnative.write("libtestgadgethook.so")
```
The app needs the INTERNET permission (the gadget listens on a TCP socket), and the gadget .so has to be placed in the APK's lib/<abi>/ directory next to the patched library before the APK is re-signed.
```
<uses-permission android:name="android.permission.INTERNET" />
```

## frida inject
```
./frida-inject-16.0.8-android-arm64 -f com.android.settings -s hello.js   # spawn the app and load the script
./frida-inject-16.0.8-android-arm64 -p pid -s hello.js                    # attach to a running pid
```


## frida gum



## References
1. [Injecting Frida in many different ways](https://ashenone66.cn/2021/09/20/duo-chong-zi-shi-hua-yang-shi-yong-frida-zhu-ru/)
2. [Frida source analysis](https://mabin004.github.io/2018/07/31/Mac%E4%B8%8A%E7%BC%96%E8%AF%91Frida/)
3. [Frida Internal - Part 1: architecture, Gum and V8](https://mp.weixin.qq.com/s/P6WGhDL3b4qB-edyc4hpXg)
4. [Learning ArtHook from the Frida source (1)](https://github.com/wuhx/AppInspect/wiki/%E4%BB%8EFrida%E6%BA%90%E7%A0%81%E5%AD%A6%E4%B9%A0ArtHook%EF%BC%88%E4%B8%80%EF%BC%89)
5. [Frida source analysis: process injection and the server DBus communication architecture](https://bbs.kanxue.com/thread-270305.htm)
-------------------------------------------------------------------------------- /2023安卓逆向CTF系列视频/2023安卓逆向工具篇/2023安卓逆向工具篇(Windows下python虚拟环境)(Frida多版本安装).md: --------------------------------------------------------------------------------
## 1. Installing several Python versions



## 2. Installing the virtualenv wrapper
https://pypi.org/project/virtualenvwrapper-win/

1. pip install virtualenvwrapper-win
2. Set the WORKON_HOME environment variable (the directory the virtual environments are created in)

## 3. Installing several Frida versions
One virtual environment per Frida version: the `frida` package that frida-tools pulls in must match the frida-server version running on the device (compare `frida --version` with the server binary you pushed).

1. pip install frida-tools

pip install -i https://pypi.doubanio.com/simple/ --trusted-host pypi.doubanio.com frida-tools
pip install -i https://pypi.doubanio.com/simple/ --trusted-host pypi.doubanio.com objection
https://github.com/sensepost/objection

2. Installing an older Frida release
pip install -i https://pypi.doubanio.com/simple/ --trusted-host pypi.doubanio.com frida-tools==11.0.0
pip install -i https://pypi.doubanio.com/simple/ --trusted-host pypi.doubanio.com objection==1.11.0

pip install -i https://pypi.doubanio.com/simple/ --trusted-host pypi.doubanio.com frida-tools==9.2.5

`--trusted-host` tells pip to accept the mirror without verifying its TLS certificate. Leave it out unless the mirror's certificate genuinely fails to validate: an unverified package source is a supply-chain risk for everything installed through it.
-------------------------------------------------------------------------------- /2023安卓逆向CTF系列视频/2023安卓逆向工具篇/2023安卓逆向工具篇(windows下ollvm的使用).md: --------------------------------------------------------------------------------
## Protecting your own program with ollvm

1. Replace clang.exe, clang++.exe and clang-cl.exe under X:\android-config-files\Sdk\ndk\25.0.8775105\toolchains\llvm\prebuilt\windows-x86_64\bin with the ollvm builds (see myollvm13.0.1.zip in this folder)
2. Copy the folder under X:\android-config-files\Sdk\ndk\25.0.8775105\toolchains\llvm\prebuilt\windows-x86_64\lib64\clang that is not named 13.0.1 into X:\android-config-files\Sdk\ndk\25.0.8775105\toolchains\llvm\prebuilt\windows-x86_64\lib\clang and rename it to 13.0.1 (the swapped-in clang is 13.0.1 and looks for its resource directory, i.e. its headers and runtime libraries, under that name)
3. Add the header files that are still missing
4. SET(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -flegacy-pass-manager -mllvm -bcf -mllvm -sub -mllvm -fla -mllvm -sobf -mllvm -split -fvisibility=hidden")
   -bcf bogus control flow, -sub instruction substitution, -fla control-flow flattening, -sobf string obfuscation, -split basic-block splitting; -flegacy-pass-manager is needed because the ollvm passes are legacy-pass-manager passes, and -fvisibility=hidden keeps the obfuscated functions out of the exported symbol table.




## References
1. [An advanced APP code protection scheme](https://mp.weixin.qq.com/s/QvEB2Nvoluj8G4Z97f8w5A)

2. [Obfuscation with 铁头, part 2: building ollvm on Ubuntu 20.04](https://www.jianshu.com/p/9136f7257e46)

3. [OLLVM obfuscation study (0): environment setup and a first taste of obfuscation](https://jev0n.com/2022/07/07/ollvm-0.html)

4. [OLLVM obfuscation study (1): control-flow flattening (FLA)](https://jev0n.com/2022/07/08/ollvm-1.html)

5. [A general method for integrating an LLVM pass into the NDK](https://bbs.pediy.com/thread-271271.htm)

6. [Learning ollvm deobfuscation](https://bbs.pediy.com/thread-269441.htm)
7. [Removing ollvm bogus branches with unidbg](http://missking.cc/2021/05/04/ollvm2/)

8. [Deobfuscating OLLVM control-flow flattening with Ghidra P-Code](http://galaxylab.pingan.com.cn/%E4%BD%BF%E7%94%A8ghidra-p-code%E5%AF%B9ollvm%E6%8E%A7%E5%88%B6%E6%B5%81%E5%B9%B3%E5%9D%A6%E5%8C%96%E8%BF%9B%E8%A1%8C%E5%8F%8D%E6%B7%B7%E6%B7%86/)

9. [LLVM hand-holding tutorial 1: from installation to writing your first pass (hello llvm)](https://blog.csdn.net/qq_41645482/article/details/120265194)
-------------------------------------------------------------------------------- /2023安卓逆向CTF系列视频/2023安卓逆向工具篇/2023安卓逆向工具篇(xposed7-12的安装).md: --------------------------------------------------------------------------------
[【Xposed】Fix for LDPlayer 4.0.67 (Android 7.1.2 x86_64) refusing to install the Xposed framework (x86 fix included)](https://www.bujj.org/index.php/2021/10/29/130/)

[【xposed】64-bit Xposed tutorial, one-click local install](https://www.ldmnq.com/forum/72545.html)
-------------------------------------------------------------------------------- /2023安卓逆向CTF系列视频/2023安卓逆向工具篇/inject-gadget.py: --------------------------------------------------------------------------------
# pip install lief
import lief

libnative = lief.parse("libtestgadgethook.so")  # 287kb
libnative.add_library("frida-gadget-16.0.8-android-arm64.so")  # adds a DT_NEEDED entry for the frida-gadget .so; rename the gadget first so the file name does not give it away
libnative.write("libtestgadgethook.so")
-------------------------------------------------------------------------------- /2023安卓逆向CTF系列视频/2023安卓逆向工具篇/myollvm13.0.1.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向CTF系列视频/2023安卓逆向工具篇/myollvm13.0.1.zip
-------------------------------------------------------------------------------- /2023安卓逆向CTF系列视频/2023安卓逆向工具篇/script.sh: --------------------------------------------------------------------------------
##########################################################################################
#
# Xposed framework installer zip.
#
# This script installs the Xposed framework files to the system partition.
# The Xposed Installer app is needed as well to manage the installed modules.
#
##########################################################################################

# print the value of key $1 from the given .prop files (default: /system/build.prop)
grep_prop() {
  REGEX="s/^$1=//p"
  shift
  FILES=$@
  if [ -z "$FILES" ]; then
    FILES='/system/build.prop'
  fi
  cat $FILES 2>/dev/null | sed -n $REGEX | head -n 1
}

android_version() {
  case $1 in
    15) echo '4.0 / SDK'$1;;
    16) echo '4.1 / SDK'$1;;
    17) echo '4.2 / SDK'$1;;
    18) echo '4.3 / SDK'$1;;
    19) echo '4.4 / SDK'$1;;
    21) echo '5.0 / SDK'$1;;
    22) echo '5.1 / SDK'$1;;
    23) echo '6.0 / SDK'$1;;
    24) echo '7.0 / SDK'$1;;
    25) echo '7.1 / SDK'$1;;
    26) echo '8.0 / SDK'$1;;
    27) echo '8.1 / SDK'$1;;
    *) echo 'SDK'$1;;
  esac
}

cp_perm() {
  cp -f $1 $2 || exit 1
  set_perm $2 $3 $4 $5 $6
}

# set_perm <file> <uid> <gid> <mode> [selinux context]
set_perm() {
  chown $2:$3 $1 || exit 1
  chmod $4 $1 || exit 1
  if [ "$5" ]; then
    chcon $5 $1 2>/dev/null
  else
    chcon 'u:object_r:system_file:s0' $1 2>/dev/null
  fi
}

install_nobackup() {
  cp_perm ./$1 $1 $2 $3 $4 $5
}

# install <file>_xposed next to the original and point the original name at it
# through a symlink; the untouched binary is kept as <file>_original
install_and_link() {
  TARGET=$1
  XPOSED="${1}_xposed"
  BACKUP="${1}_original"
  if [ ! \
-f ./$XPOSED ]; then
    return
  fi
  cp_perm ./$XPOSED $XPOSED $2 $3 $4 $5
  if [ ! -f $BACKUP ]; then
    mv $TARGET $BACKUP || exit 1
    ln -s $XPOSED $TARGET || exit 1
    chcon -h 'u:object_r:system_file:s0' $TARGET 2>/dev/null
  fi
}

# replace a system file in place, keeping a gzipped copy of the original
# (or a .no_orig marker when the ROM had no such file)
install_overwrite() {
  TARGET=$1
  if [ ! -f ./$TARGET ]; then
    return
  fi
  BACKUP="${1}.orig"
  NO_ORIG="${1}.no_orig"
  if [ ! -f $TARGET ]; then
    touch $NO_ORIG || exit 1
    set_perm $NO_ORIG 0 0 600
  elif [ -f $BACKUP ]; then
    rm -f $TARGET
    gzip $BACKUP || exit 1
    set_perm "${BACKUP}.gz" 0 0 600
  elif [ ! -f "${BACKUP}.gz" -a ! -f $NO_ORIG ]; then
    mv $TARGET $BACKUP || exit 1
    gzip $BACKUP || exit 1
    set_perm "${BACKUP}.gz" 0 0 600
  fi
  cp_perm ./$TARGET $TARGET $2 $3 $4 $5
}

##########################################################################################

echo "**************************"
echo "Xposed framework installer"
echo "**************************"

if [ ! -f "system/xposed.prop" ]; then
  echo "! Failed: Extracted file system/xposed.prop not found!"
  exit 1
fi

echo "- Checking environment"
API=$(grep_prop ro.build.version.sdk)
APINAME=$(android_version $API)
ABI=$(grep_prop ro.product.cpu.abi | cut -c-3)
ABI2=$(grep_prop ro.product.cpu.abi2 | cut -c-3)
ABILONG=$(grep_prop ro.product.cpu.abi)

XVERSION=$(grep_prop version system/xposed.prop)
XARCH=$(grep_prop arch system/xposed.prop)
XMINSDK=$(grep_prop minsdk system/xposed.prop)
XMAXSDK=$(grep_prop maxsdk system/xposed.prop)

XEXPECTEDSDK=$(android_version $XMINSDK)
if [ "$XMINSDK" != "$XMAXSDK" ]; then
  XEXPECTEDSDK=$XEXPECTEDSDK' - '$(android_version $XMAXSDK)
fi

ARCH=arm
IS64BIT=
if [ "$ABI" = "x86" ]; then ARCH=x86; fi;
if [ "$ABI2" = "x86" ]; then ARCH=x86; fi;
if [ "$API" -ge "21" ]; then
  if [ "$ABILONG" = "arm64-v8a" ]; then ARCH=arm64; IS64BIT=1; fi;
  if [ "$ABILONG" = "x86_64" ]; then ARCH=x86_64; IS64BIT=1; fi;
fi

# echo "DBG [$API] [$ABI] [$ABI2] [$ABILONG] [$ARCH] [$XARCH] [$XMINSDK] [$XMAXSDK] [$XVERSION]"

echo " Xposed version: $XVERSION"

XVALID=
if [ "$ARCH" = "$XARCH" ]; then
  if [ "$API" -ge "$XMINSDK" ]; then
    if [ "$API" -le "$XMAXSDK" ]; then
      XVALID=1
    else
      echo "! Wrong Android version: $APINAME"
      echo "! This file is for: $XEXPECTEDSDK"
    fi
  else
    echo "! Wrong Android version: $APINAME"
    echo "! This file is for: $XEXPECTEDSDK"
  fi
else
  echo "! Wrong platform: $ARCH"
  echo "! This file is for: $XARCH"
fi

if [ -z $XVALID ]; then
  echo "! Please download the correct package"
  echo "! for your platform/ROM!"
  exit 1
fi

echo "- Placing files"
install_nobackup /system/xposed.prop 0 0 0644
install_nobackup /system/framework/XposedBridge.jar 0 0 0644

install_and_link /system/bin/app_process32 0 2000 0755 u:object_r:zygote_exec:s0
install_overwrite /system/bin/dex2oat 0 2000 0755 u:object_r:dex2oat_exec:s0
install_overwrite /system/bin/oatdump 0 2000 0755
install_overwrite /system/bin/patchoat 0 2000 0755 u:object_r:dex2oat_exec:s0
install_overwrite /system/lib/libart.so 0 0 0644
install_overwrite /system/lib/libart-compiler.so 0 0 0644
install_overwrite /system/lib/libsigchain.so 0 0 0644
install_nobackup /system/lib/libxposed_art.so 0 0 0644
if [ $IS64BIT ]; then
  install_and_link /system/bin/app_process64 0 2000 0755 u:object_r:zygote_exec:s0
  install_overwrite /system/lib64/libart.so 0 0 0644
  install_overwrite /system/lib64/libart-compiler.so 0 0 0644
  install_overwrite /system/lib64/libart-disassembler.so 0 0 0644
  install_overwrite /system/lib64/libsigchain.so 0 0 0644
  install_nobackup /system/lib64/libxposed_art.so 0 0 0644
fi

mkdir -p /system/priv-app/XposedInstaller
chmod 0755 /system/priv-app/XposedInstaller
chcon -h u:object_r:system_file:s0 /system/priv-app/XposedInstaller
cp system/priv-app/XposedInstaller/XposedInstaller.apk /system/priv-app/XposedInstaller/XposedInstaller.apk
chmod 0644 /system/priv-app/XposedInstaller/XposedInstaller.apk
chcon -h u:object_r:system_file:s0 /system/priv-app/XposedInstaller/XposedInstaller.apk

if [ "$API" -ge "22" ]; then
  find /system /vendor -type f -name '*.odex.gz' 2>/dev/null | while read f; do mv "$f" "$f.xposed"; done
fi

echo "- Done"
exit 0
-------------------------------------------------------------------------------- /2023安卓逆向CTF系列视频/2023安卓逆向工具篇/xposed-sdk25-x86_64.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向CTF系列视频/2023安卓逆向工具篇/xposed-sdk25-x86_64.zip
-------------------------------------------------------------------------------- /2023安卓逆向CTF系列视频/2023安卓逆向工具篇/xposed-v89-sdk25-x86.zip: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向CTF系列视频/2023安卓逆向工具篇/xposed-v89-sdk25-x86.zip
-------------------------------------------------------------------------------- /2023安卓逆向红包题/First.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向红包题/First.png
-------------------------------------------------------------------------------- /2023安卓逆向红包题/HappyNewYear2023-no-ollvm-new1.1.apk: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向红包题/HappyNewYear2023-no-ollvm-new1.1.apk
-------------------------------------------------------------------------------- /2023安卓逆向红包题/HappyNewYear2023-ollvm-new1.1.apk: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向红包题/HappyNewYear2023-ollvm-new1.1.apk
-------------------------------------------------------------------------------- /2023安卓逆向红包题/Readme.md: --------------------------------------------------------------------------------
## Red-envelope challenge status
The first solver had it done by 16:27 on 2023-01-21.
![](./First.png)

The second solver finished at 23:05 on 2023-01-25.
![](./Second.png)
--------------------------------------------------------------------------------
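Back to the frida-gadget injection in 2023安卓逆向工具篇 (inject-gadget.py above): lief's `add_library` works by appending a DT_NEEDED entry to the target library's dynamic section, which is also exactly what the simplest anti-Frida checks inspect, hence the advice to rename the gadget. The following is an added example, not code from this repository: a dependency-free reader that lists the DT_NEEDED names of a little-endian ELF64 shared object, run here against a constructed minimal .so (no real libtestgadgethook.so is parsed; `build_sample_so`, `has_needed` and the library names are the example's own). Point `needed_libraries` at the bytes of the patched file to confirm the entry landed, and see at the same time what a name-based check such as `has_needed(data, "frida")` would flag.

```python
"""Added example: list DT_NEEDED entries of an ELF64 shared object without lief.

Verifies what inject-gadget.py changed (lief's add_library appends a DT_NEEDED
entry) and shows the naive name-based gadget check that motivates renaming
the gadget. The ELF built by build_sample_so() is constructed for this example:
headers, one PT_LOAD and one PT_DYNAMIC, a .dynstr blob and a .dynamic array,
no code. Only little-endian ELF64 (the arm64 case on the page) is handled.
"""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
EHDR_SIZE, PHDR_SIZE = 64, 56


def needed_libraries(data: bytes) -> list:
    """Return the DT_NEEDED names in load order, resolving DT_STRTAB through PT_LOAD."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []  # no dynamic section: nothing to resolve

    def to_file_offset(vaddr: int) -> int:
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return vaddr - seg_vaddr + seg_off
        raise ValueError("DT_STRTAB points outside every PT_LOAD segment")

    dyn_off, dyn_size = dynamic
    entries = []
    for pos in range(dyn_off, dyn_off + dyn_size, 16):
        d_tag, d_val = struct.unpack_from("<qQ", data, pos)
        if d_tag == DT_NULL:
            break
        entries.append((d_tag, d_val))
    strtab = next((v for t, v in entries if t == DT_STRTAB), None)
    if strtab is None:
        return []
    base = to_file_offset(strtab)
    names = []
    for tag, off in entries:
        if tag == DT_NEEDED:
            end = data.index(b"\0", base + off)
            names.append(data[base + off:end].decode())
    return names


def has_needed(data: bytes, marker: str) -> bool:
    """The naive anti-instrumentation check: any DT_NEEDED name containing `marker`."""
    return any(marker in name for name in needed_libraries(data))


def build_sample_so(needed: list) -> bytes:
    """Construct a minimal ET_DYN ELF64 (e_machine AArch64) with the given DT_NEEDED list."""
    strtab, offsets = b"\0", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    strtab_off = EHDR_SIZE + 2 * PHDR_SIZE
    dyn_off = (strtab_off + len(strtab) + 7) & ~7       # .dynamic is 8-byte aligned
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dyn += struct.pack("<qQ", DT_STRTAB, strtab_off) + struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little endian, SysV ABI
    # e_type=ET_DYN, e_machine=0xB7 (AArch64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, EHDR_SIZE, 0,
                               0, EHDR_SIZE, PHDR_SIZE, 2, 0, 0, 0)
    # one PT_LOAD mapping the whole file at vaddr 0 (file offset == vaddr), one PT_DYNAMIC
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                          len(dyn), len(dyn), 8)
    padding = b"\0" * (dyn_off - strtab_off - len(strtab))
    return ehdr + load + dynamic + strtab + padding + dyn


if __name__ == "__main__":
    patched = build_sample_so(["libc.so", "liblog.so", "frida-gadget-16.0.8-android-arm64.so"])
    print(needed_libraries(patched), has_needed(patched, "frida"))
    renamed = build_sample_so(["libc.so", "liblog.so", "libhelper.so"])
    print(needed_libraries(renamed), has_needed(renamed, "frida"))
```

On the real file, `needed_libraries(open("libtestgadgethook.so", "rb").read())` should end with the name passed to `add_library`. The check is name-based only: a gadget renamed to something like libhelper.so passes it, which is why the page suggests renaming and why a detection routine that cares cannot stop at DT_NEEDED.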
/2023安卓逆向红包题/Second.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2023安卓逆向红包题/Second.png
-------------------------------------------------------------------------------- /2024安卓Flutter开发与抓包学习/flutter-sslpinning-easy.apk: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2024安卓Flutter开发与抓包学习/flutter-sslpinning-easy.apk
-------------------------------------------------------------------------------- /2024安卓Flutter开发与抓包学习/flutter-sslpinning-medium.apk: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2024安卓Flutter开发与抓包学习/flutter-sslpinning-medium.apk
-------------------------------------------------------------------------------- /2024安卓Flutter开发与抓包学习/main.dart: --------------------------------------------------------------------------------
// import 'dart:convert';
import 'dart:io';
// import 'dart:typed_data';
import 'package:flutter/material.dart';
// import 'package:http/http.dart' as http;
import 'package:http/io_client.dart';
import 'package:crypto/crypto.dart';
import 'package:fluttertoast/fluttertoast.dart';
import 'package:path_provider/path_provider.dart';

void main() {
  runApp(MyApp());
}

class MyApp extends StatelessWidget {
  const MyApp({super.key});

  @override
  Widget build(BuildContext context) {
    return MaterialApp(
      home: Scaffold(
        appBar: AppBar(
          // title: Text('Flutter SSL Pinning Example Easy'),
          title: const Text('Flutter SSL Pinning Example Medium'),
        ),
        body: Center(
          child: NetworkExample(),
        ),
      ),
    );
  }
}

class
NetworkExample extends StatefulWidget {
  const NetworkExample({super.key});

  @override
  _NetworkExampleState createState() => _NetworkExampleState();
}

class _NetworkExampleState extends State<NetworkExample> {
  String _response = 'No response yet';

  Future<void> _fetchData() async {
    final client = await _createHttpClient();
    // final url = Uri.parse('https://www.baidu.com/');
    final url = Uri.parse('https://httpbin.org/json');
    // final url = Uri.parse('https://hao123.com/');
    final response = await client.get(url);

    if (response.statusCode == 200) {
      setState(() {
        // _response = jsonDecode(response.body)['title'];
        _response = response.body;
      });
    } else {
      setState(() {
        _response = 'Request failed with status: ${response.statusCode}';
      });
    }
  }

  String bytesToHex(List<int> bytes) {
    return bytes.map((byte) => byte.toRadixString(16).padLeft(2, '0')).join();
  }

  Future<void> saveContentToFile(String content) async {
    // the application's documents directory
    final directory = await getApplicationDocumentsDirectory();
    final file = File('${directory.path}/example.txt');

    // write the content to the file
    await file.writeAsString(content);

    print('Content saved to file: ${file.path}');
  }

  Future<IOClient> _createHttpClient() async {
    const expectedPublicKeyHash =
        // '28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996';
        '445eec78bc61215044a0379656aa2d5db5e42f76cb70b8d14c2077aa943d4ebb';
        // '9073ded9d993a934c29c5ec3c6afa7286d2f0f8848352f94d02035865d8568e2';

    // www.hao123.com
    // List<String> expectedPublicKeyHashList =
    //     ['445eec78bc61215044a0379656aa2d5db5e42f76cb70b8d14c2077aa943d4ebb', '9073ded9d993a934c29c5ec3c6afa7286d2f0f8848352f94d02035865d8568e2'];

    // httpbin.org
    List<String> expectedPublicKeyHashList = [
      '28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996'
    ];

    final client =
        HttpClient(context: SecurityContext());
    // SecurityContext() without withTrustedRoots: true trusts no CA at all, so
    // every server certificate fails the default check and badCertificateCallback
    // runs for every connection; the comparison below is the whole trust decision.
    client.badCertificateCallback =
        (X509Certificate cert, String host, int port) {
      final derBytes = cert.der;
      print("host = ${host}");
      print("derBytes length = ${derBytes.length}");
      print('derBytes : ${bytesToHex(derBytes)}'); // Android Studio truncates long log lines
      print('derBytes : ${(cert.pem)}');
      saveContentToFile(cert.pem);
      // Despite the name, this is SHA-256 over the whole leaf certificate (DER),
      // not over its SubjectPublicKeyInfo: the pin breaks on every certificate
      // renewal even when the key stays the same.
      final publicKeyHash = sha256.convert(derBytes).toString();
      print('Public Key Hash: $publicKeyHash');
      // exact match; String.contains would be a substring test
      if (expectedPublicKeyHashList.any((item) => item == publicKeyHash)) {
        return true;
      } else {
        Fluttertoast.showToast(
          msg: 'SSL Pinning failed: Public key hash does not match',
          toastLength: Toast.LENGTH_SHORT,
          gravity: ToastGravity.BOTTOM,
          timeInSecForIosWeb: 1,
          backgroundColor: Colors.red,
          textColor: Colors.white,
          fontSize: 16.0,
        );
        // return false;
        throw Exception('SSL Pinning failed: Public key hash does not match');
      }
      // single-pin variant:
      // if (publicKeyHash != expectedPublicKeyHash) {
      //   Fluttertoast.showToast(
      //     msg: 'SSL Pinning failed: Public key hash does not match',
      //     toastLength: Toast.LENGTH_SHORT,
      //     gravity: ToastGravity.BOTTOM,
      //     timeInSecForIosWeb: 1,
      //     backgroundColor: Colors.red,
      //     textColor: Colors.white,
      //     fontSize: 16.0,
      //   );
      //   // return false;
      //   throw Exception('SSL Pinning failed: Public key hash does not match');
      // }
      // return true;
    };

    // keylog file: TLS session secrets in NSS key-log format, so a capture of
    // this app's traffic can be decrypted in Wireshark. Debug builds only; a
    // release build with this enabled hands every session key to whoever can
    // read the app's documents directory.
    final directory = await getApplicationDocumentsDirectory();
    final log = File('${directory.path}/keylog.txt');
    client.keyLog =
        (line) => log.writeAsStringSync(line, mode: FileMode.append);

    return IOClient(client);
  }

  @override
  Widget build(BuildContext context) {
    return Column(
      mainAxisAlignment: MainAxisAlignment.center,
      children: [
        ElevatedButton(
          onPressed: _fetchData,
          child: const Text('Fetch Data'),
        ),
        const SizedBox(height: 20),
        Text(_response),
      ],
    );
  }
}
-------------------------------------------------------------------------------- /2024安卓Flutter开发与抓包学习/pubspec.yaml: --------------------------------------------------------------------------------
name: myflutternew
description: "A new Flutter project."
# The following line prevents the package from being accidentally published to
# pub.dev using `flutter pub publish`. This is preferred for private packages.
publish_to: 'none' # Remove this line if you wish to publish to pub.dev

# The following defines the version and build number for your application.
# A version number is three numbers separated by dots, like 1.2.43
# followed by an optional build number separated by a +.
# Both the version and the builder number may be overridden in flutter
# build by specifying --build-name and --build-number, respectively.
# In Android, build-name is used as versionName while build-number used as versionCode.
# Read more about Android versioning at https://developer.android.com/studio/publish/versioning
# In iOS, build-name is used as CFBundleShortVersionString while build-number is used as CFBundleVersion.
# Read more about iOS versioning at
# https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
# In Windows, build-name is used as the major, minor, and patch parts
# of the product and file versions while build-number is used as the build suffix.
version: 1.0.0+1

environment:
  sdk: ^3.5.3

# Dependencies specify other packages that your package needs in order to work.
# To automatically upgrade your package dependencies to the latest versions
# consider running `flutter pub upgrade --major-versions`. Alternatively,
# dependencies can be manually updated by changing the version numbers below to
# the latest version available on pub.dev. To see which dependencies have newer
# versions available, run `flutter pub outdated`.
dependencies:
  flutter:
    sdk: flutter
  http: ^0.13.3
  crypto: ^3.0.1
  fluttertoast: ^8.0.8
  path_provider: ^2.0.11


  # The following adds the Cupertino Icons font to your application.
  # Use with the CupertinoIcons class for iOS style icons.
  cupertino_icons: ^1.0.8

dev_dependencies:
  flutter_test:
    sdk: flutter

  # The "flutter_lints" package below contains a set of recommended lints to
  # encourage good coding practices. The lint set provided by the package is
  # activated in the `analysis_options.yaml` file located at the root of your
  # package. See that file for information about deactivating specific lint
  # rules and activating additional ones.
  flutter_lints: ^4.0.0

# For information on the generic Dart part of this file, see the
# following page: https://dart.dev/tools/pub/pubspec

# The following section is specific to Flutter packages.
flutter:

  # The following line ensures that the Material Icons font is
  # included with your application, so that you can use the icons in
  # the material Icons class.
  uses-material-design: true

  assets:
    - assets/httpbin.org.pem

  # To add assets to your application, add an assets section, like this:
  # assets:
  #   - images/a_dot_burr.jpeg
  #   - images/a_dot_ham.jpeg

  # An image asset can refer to one or more resolution-specific "variants", see
  # https://flutter.dev/to/resolution-aware-images

  # For details regarding adding assets from package dependencies, see
  # https://flutter.dev/to/asset-from-package

  # To add custom fonts to your application, add a fonts section here,
  # in this "flutter" section. Each entry in this list should have a
  # "family" key with the font family name, and a "fonts" key with a
  # list giving the asset and other descriptors for the font. For
  # example:
  # fonts:
  #   - family: Schyler
  #     fonts:
  #       - asset: fonts/Schyler-Regular.ttf
  #       - asset: fonts/Schyler-Italic.ttf
  #         style: italic
  #   - family: Trajan Pro
  #     fonts:
  #       - asset: fonts/TrajanPro.ttf
  #       - asset: fonts/TrajanPro_Bold.ttf
  #         weight: 700
  #
  # For details regarding fonts from package dependencies,
  # see https://flutter.dev/to/font-from-package
-------------------------------------------------------------------------------- /2024安卓Flutter开发与抓包学习/redmi: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2024安卓Flutter开发与抓包学习/redmi
-------------------------------------------------------------------------------- /2024安卓Flutter开发与抓包学习/番外篇之flutter开发与抓包示例.md: --------------------------------------------------------------------------------
## Setting up a Flutter development environment

https://doc.flutterchina.club/tutorials/
https://docs.flutter.cn/community/china/


## SSL pinning in Flutter

https://juejin.cn/post/7106300111927377956#heading-0
https://www.jianshu.com/p/9ef8dfceba4d
https://dawnnnnnn.com/2024/06/:/day/Flutter%20Android%20APP%E9%80%86%E5%90%91/index.html#%E7%AE%80%E4%BB%8B
https://blog.csdn.net/Soujer/article/details/140011700#:~:text=Flutter%E5%BA%94%E7%94%A8%E7%BD%91


## Core code
https://chat.mistral.ai/


## Building libflutter.so

https://bbs.kanxue.com/thread-272866.htm
https://www.sunmoonblog.com/2020/06/10/compile-flutter-engine/
https://fucknmb.com/2019/02/26/Flutter-Engine-%E7%BC%96%E8%AF%91%E6%8C%87%E5%8C%97/

https://github.com/flutter/engine/tree/36335019a8eab588c3c2ea783c618d90505be233


## Analysing libapp.so

reflutter
blutter
-------------------------------------------------------------------------------- /2024安卓逆向与安全/mydetectstack-20240628.apk: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/xyxdaily/lessons/01ed7cbe956194916ae1b0506ccfadcbbba44eee/2024安卓逆向与安全/mydetectstack-20240628.apk
-------------------------------------------------------------------------------- /Readme.md: --------------------------------------------------------------------------------
## WeChat official account: 面向小白的逆向笔记 (reverse-engineering notes for beginners)
Personal WeChat: lovexyx2020

## [GitHub repository](https://github.com/xyxdaily/lessons)

## [Getting started with Android anti-debugging & detection](https://mp.weixin.qq.com/s/qWyAhZbakUPH0Ys_SbLR4w)

### [(video) Anti-debugging primer, lesson 1 section 1, part 1](https://mp.weixin.qq.com/s/s2Emtv29pFcHf9qTF6Zxgw)
### [(video) Anti-debugging primer, lesson 1 section 1, part 2](https://mp.weixin.qq.com/s/b97lYo-qQs8S4OC5DlcnYQ)
### [(video) Anti-debugging primer, lesson 6: building LSPosed and simple modifications, part 1](https://mp.weixin.qq.com/s/e5OX9ieECzEIswTokzR3lw)
### [(video) Anti-debugging primer, lesson 6: building LSPosed and simple modifications, part 2](https://mp.weixin.qq.com/s/TrjHPhQIniCVBVCCBRZp2Q)

### [(video) Extra: hooking obfuscated Java functions](https://mp.weixin.qq.com/s/OjKT0VOEMIbfNNYo99hmmw)

## 2023 Android reversing CTF video series
### [2023 Android reversing CTF series (1), part 1](https://www.bilibili.com/video/BV1zK411r79R/)
Course materials are in the matching folder.
### [2023 Android reversing CTF series (1), part 2](https://www.bilibili.com/video/BV1nv4y1C7AP/)

### [2023 Android reversing CTF series (2: overview)](https://www.bilibili.com/video/BV1rx4y1u7sN/)

### [2023 Android reversing CTF series (2-1: Frida inline hook)](https://www.bilibili.com/video/BV1QY411Q7u2/)

### [2023 Android reversing CTF series (2-2: analysis with IDA attach)](https://www.bilibili.com/video/BV1Gx4y1g7EQ/)

### [2023 Android reversing CTF series (3)](https://www.bilibili.com/video/BV17M411B7ef/)

### [2023 Android reversing CTF series (4: overview, brute force)](https://www.bilibili.com/video/BV1vM411i73B/)

### [2023 Android reversing CTF series (4) (1: brute force with Frida)](https://www.bilibili.com/video/BV1Zy4y1Q7Mm/)

### [2023 Android reversing CTF series (4) (1: Frida RPC)](https://www.bilibili.com/video/BV19M4y1Q7E9/)

### [2023 Android reversing CTF series (4) (2: brute force with Xposed)](https://www.bilibili.com/video/BV1fM4y1S7gu/)

### [2023 Android reversing CTF series (4) (2: Xposed RPC)](https://www.bilibili.com/video/BV1zM411w7Ph/)

## 2023 Android hook framework source primer

### [2023 Android hook framework source primer (1: YAHFA) (1 overview)](https://www.bilibili.com/video/BV1TY4y1f7rw/)

### [2023 Android hook framework source primer (1: YAHFA) (2 usage)](https://www.bilibili.com/video/BV1Dx4y1M76f)

### [2023 Android hook framework source primer (1: YAHFA) (3 ArtMethod)](https://www.bilibili.com/video/BV17T411y7AE/)

### [2023 Android hook framework source primer (1: YAHFA) (4 ArtMethod execution flow)](https://www.bilibili.com/video/BV1N84y177nF)

### [2023 Android hook framework source primer (1: YAHFA) (5 source walkthrough)](https://www.bilibili.com/video/BV1kY411Q7H8/)

### [2023 Android hook framework source primer (1: YAHFA) (6 simple countermeasures)](https://www.bilibili.com/video/BV1fs4y1p7wW/)

### [2023 Android hook framework source primer (extra: dlopen restrictions and reflection restrictions)](https://www.bilibili.com/video/BV1NM411Y7V1/)

## 2023 Android reversing tools

### [2023 Android reversing tools (Python virtual environments on Windows) (installing several Frida versions)](https://www.bilibili.com/video/BV1nM4y1X746/)

### [2023 Android reversing tools (using ollvm on Windows)](https://www.bilibili.com/video/BV1824y1s7tP/)

--------------------------------------------------------------------------------
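The pin in main.dart (2024安卓Flutter开发与抓包学习 above) is SHA-256 over `cert.der`, i.e. the entire leaf certificate, even though the code calls it a public-key hash; every certificate renewal changes that value, which is why pinning the SubjectPublicKeyInfo (SPKI) is the usual recommendation. The following is an added example, the example's own code and not part of this repository or the Flutter app: it builds two constructed certificate skeletons that share one key and differ only in serial number and validity, then compares both kinds of pin. The DER helpers, the OIDs, the constructed modulus and the all-zero placeholder signature are the example's assumptions; the skeletons have the RFC 5280 layout but are not signed and would not validate anywhere.

```python
"""Added example: certificate pin vs. SubjectPublicKeyInfo pin.

main.dart computes sha256(cert.der) and calls it a "public key hash". Two
constructed X.509 skeletons below share one SPKI but carry different serial
numbers (the same key re-issued): the certificate hash changes, the SPKI hash
does not. DER helpers, OIDs, empty issuer/subject and the placeholder
signature are the example's own; the certificates are not signed.
"""
import hashlib

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1
OID_SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11


def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def integer(n: int) -> bytes:
    # one extra byte when the top bit would be set keeps the INTEGER positive
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) of the TLV at pos (definite lengths only)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length


def children(buf: bytes, start: int, end: int):
    """Yield (tag, whole_tlv_bytes) for each element between start and end."""
    pos = start
    while pos < end:
        tag, _cs, ce = read_tlv(buf, pos)
        yield tag, buf[pos:ce]
        pos = ce


def extract_spki(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, by RFC 5280 field order."""
    tag, cs, _ce = read_tlv(cert_der, 0)
    tbs_tag, tbs_cs, tbs_ce = read_tlv(cert_der, cs)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    fields = list(children(cert_der, tbs_cs, tbs_ce))
    if fields and fields[0][0] == 0xA0:   # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def cert_pin(cert_der: bytes) -> str:
    """What main.dart computes: SHA-256 over the entire leaf certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def spki_pin(cert_der: bytes) -> str:
    """SHA-256 over SubjectPublicKeyInfo: survives re-issuance with the same key."""
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()


def pin_matches(cert_der: bytes, pinned: list) -> bool:
    """Exact comparison (the Dart sample used String.contains, a substring test)."""
    return spki_pin(cert_der) in set(pinned)


def make_spki(modulus: int, exponent: int = 65537) -> bytes:
    rsa_public_key = sequence(integer(modulus), integer(exponent))
    algorithm = sequence(tlv(0x06, OID_RSA_ENCRYPTION), tlv(0x05, b""))
    return sequence(algorithm, tlv(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits


def make_cert(serial: int, spki: bytes, not_before: bytes, not_after: bytes) -> bytes:
    sig_alg = sequence(tlv(0x06, OID_SHA256_WITH_RSA), tlv(0x05, b""))
    validity = sequence(tlv(0x17, not_before), tlv(0x17, not_after))   # UTCTime
    tbs = sequence(tlv(0xA0, integer(2)), integer(serial), sig_alg,
                   sequence(), validity, sequence(), spki)            # empty issuer/subject
    return sequence(tbs, sig_alg, tlv(0x03, b"\x00" + b"\x00" * 256))  # placeholder signature


# Constructed modulus, not a real key: only the DER layout matters here.
SAMPLE_SPKI = make_spki((1 << 2047) | 0x10001)
CERT_2024 = make_cert(0x1001, SAMPLE_SPKI, b"240101000000Z", b"250101000000Z")
CERT_2025 = make_cert(0x1002, SAMPLE_SPKI, b"250101000000Z", b"260101000000Z")  # renewed, same key

if __name__ == "__main__":
    print("cert pin 2024:", cert_pin(CERT_2024))
    print("cert pin 2025:", cert_pin(CERT_2025))
    print("spki pin 2024:", spki_pin(CERT_2024))
    print("spki pin 2025:", spki_pin(CERT_2025))
```

Fed a real DER certificate (the bytes `cert.der` hands the Dart callback), `spki_pin` gives the value to put into `expectedPublicKeyHashList`, and the Dart side would then hash only the SPKI bytes instead of `derBytes`. dart:io's `X509Certificate` exposes the DER and PEM but no public-key accessor, so the Dart side needs the same small ASN.1 walk or a pub package for it. Keep the comparison exact either way: `String.contains` on two 64-character hex strings happens to behave like equality, but it is a substring test, not an equality test.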