一、系统环境
OS: Windows_NT x64 10.0.19045
python:3.8.10
Node.js: 18.17.1
frida :14.2.14
objection:1.11.0
vscode: 1.87.2
device:nexus 5x-7.1.2
二、详细分析
前言:
从界面看这个apk用的是手势解锁,随意尝试划动几次发现没有任何文字方面的提示,接下来就用JADX和GDA静态分析看看代码逻辑
正文:
apk未加壳,只有一个MainActivity。查看onCreate函数可以看到,首先是对界面控件进行初始化,接着给手势密码控件绑定监听回调
1.静态分析
/**
 * Activity entry point (JADX-decompiled listing): inflates the layout, fills the
 * story text view, and registers an {@code IGestureListener} on the gesture-lock view.
 *
 * <p>Of the three callbacks only {@code isError} does more than log: it forwards the
 * received string to {@code MainActivity.checkPassword}.
 *
 * @param bundle saved instance state, passed straight to {@code super.onCreate}
 */
public void onCreate(Bundle bundle) {
    super.onCreate(bundle);
    setContentView(C0794R.layout.activity_main);
    // Look up the text view, keep it in a field, and set the fixed story text.
    TextView textView = (TextView) findViewById(C0794R.id.tv_text);
    this.tvText = textView;
    textView.setText("\u3000\u3000吾名玄天帝,昔为诸界之尊,因古诅咒,沉睡亿载。今幸苏醒,欲召百万神兵仙将,复掌万界,重铸天序。此举,需汝解封印,贡力之源。若助吾破诅归位,赐汝万界神尊,封一神域为土,永居众神之巅。");
    // Look up the gesture-lock view and attach the callbacks it will invoke.
    GestureUnlock gestureUnlock = (GestureUnlock) findViewById(C0794R.id.myunlock);
    this.myunlock = gestureUnlock;
    gestureUnlock.setIGestureListener(new IGestureListener() { // from class: com.zj.wuaipojie2024_2.MainActivity.1
        // Empty body: nothing happens in this activity when isSetUp is called.
        @Override // com.example.gesturelock.IGestureListener
        public void isSetUp(String str) {
        }
        // Only logs. In the GestureUnlock handler shown later on this page this callback
        // receives defaultKey when message.arg1 == 1.
        @Override // com.example.gesturelock.IGestureListener
        public void isSuccessful(String str) {
            Log.e("zj595", str);
        }
        // The application-level check hangs off the "error" callback, not the "success" one.
        // In the GestureUnlock handler this callback receives errorKey when message.arg1 == 2.
        @Override // com.example.gesturelock.IGestureListener
        public void isError(String str) {
            // NOTE(review): str appears to be the drawn gesture sequence; writing it to logcat
            // under tag "zj595" exposes it to anything that can read the device log - confirm,
            // and a release build should not log it.
            Log.e("zj595", str);
            // checkPassword is not part of this listing; presumably the real comparison
            // happens there - confirm against its body.
            MainActivity.this.checkPassword(str);
        }
    });
}
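查看手势密码控件类(GestureUnlock)的代码,没有发现对手势密码进行判断的地方:从下面的Handler可以看到,它只是根据message.arg1回调监听器的isSuccessful/isError/isSetUp,因此校验逻辑应当在isError回调所调用的MainActivity.checkPassword中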
public GestureUnlock(Context context, AttributeSet attributeSet, int i) {
super(context, attributeSet, i);
this.cicleRadius = 10;
this.firstInit = false;
this.points = new ArrayList();
this.selectP = new ArrayList();
this.alreadyTouch = false;
this.isUp = false;
this.lockTouch = false;
this.returnFun = 0;
this.defaultKey = "01234";
this.setUpKey = BuildConfig.FLAVOR;
this.errorKey = BuildConfig.FLAVOR;
this.handler = new Handler(Looper.myLooper(), new Handler.Callback() { // from class: com.example.gesturelock.GestureUnlock.1
@Override // android.os.Handler.Callback
public boolean handleMessage(Message message) {
try {
int i2 = message.arg1;
if (i2 != 1) {
if (i2 != 2) {
if (i2 != 3) {
if (i2 == 4) {
Toast.makeText(GestureUnlock.this.context, "请连接至少" + GestureUnlock.this.minSelect + "个点", 0).show();
}
} else if (GestureUnlock.this.gestureListener != null) {
GestureUnlock.this.gestureListener.isSetUp(GestureUnlock.this.setUpKey);
}
} else if (GestureUnlock.this.gestureListener != null) {
GestureUnlock.this.gestureListener.isError(GestureUnlock.this.errorKey);
}
} else if (GestureUnlock.this.gestureListener != null) {
GestureUnlock.this.gestureListener.isSuccessful(GestureUnlock.this.defaultKey);
}
Thread.sleep(GestureUnlock.this.determineTime * 1000.0f);
GestureUnlock.this.selectP.clear();
Iterator it = GestureUnlock.this.points.iterator();
while (it.hasNext()) {
Iterator it2 = ((List) it.next()).iterator();
while (it2.hasNext()) {
((GesturePoint) it2.next()).setCode(1);
}
}
GestureUnlock.this.invalidate();
} catch (InterruptedException e) {
e.printStackTrace();
}
return