Google CTF 2018 - Shall We Play a Game?
在这里下载 APK:
我将上传 APK 到 https://appetize.io/(免费账户)查看 apk 的行为:
看起来你需要赢得 1000000 次才能获得 flag。
按照 Android 渗透测试 中的步骤,您可以反编译应用程序以获取 smali 代码,并使用 jadx 读取 Java 代码。
阅读 Java 代码:
看起来打印 flag 的函数是 m().
Smali 更改
第一次调用 m()
让应用程序在变量 this.o != 1000000 时调用 m(),为此,只需更改条件:
Google CTF 2018: Shall we play a game?
Flag 1
The first flag is stored in the SharedPreferences
of the application. You can easily retrieve it using adb
.
Flag 2
The second flag is stored in the app's internal database. You can access it by pulling the database file from the device using adb
.
Flag 3
The third flag is stored in a file located at /data/data/com.google.ctf.shallweplayagame/files/flag3.txt
on the device. You can pull this file using adb
.
Flag 4
The fourth flag is stored in the app's cache directory. You can retrieve it by pulling the cache directory from the device using adb
.
Flag 5
The fifth flag is stored in the app's private directory. You can access it by pulling the app's private directory from the device using adb
.
Flag 6
The sixth flag is stored in the app's external storage directory. You can retrieve it by pulling the external storage directory from the device using adb
.
按照Android渗透测试的步骤重新编译并签署APK。然后,将其上传到https://appetize.io/,看看会发生什么:
看起来标志是未完全解密地写入的。可能应该调用m()函数1000000次。
另一种方法是不更改指令,而是更改比较的指令:
另一种方法是将值与1000000进行比较,将值设置为1,以便将this.o与1进行比较:
第四种方法是添加一条指令,将v9(1000000)的值移动到v0 (this.o):
解决方案
当您第一次获胜时,使应用程序运行循环100000次。为此,您只需要创建**:goto_6循环,并使应用程序跳转到那里,如果this.o
**的值不是100000:
您需要在物理设备内执行此操作,因为(我不知道为什么)在模拟设备中无法正常工作。
最后更新于