[Android Reversing] [攻防世界] ill-intentions


1. Install the APK on the phone: there is no input box at all.

2. Drop the APK into jadx and take a look.

public class MainActivity extends Activity {
    @Override // android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        TextView tv = new TextView(getApplicationContext());
        tv.setText("Select the activity you wish to interact with.To-Do: Add buttons to select activity, for now use Send_to_Activity");
        setContentView(tv);
        IntentFilter filter = new IntentFilter();
        filter.addAction("com.ctf.INCOMING_INTENT");
        Send_to_Activity receiver = new Send_to_Activity();
        registerReceiver(receiver, filter, Manifest.permission._MSG, null);
    }
}

So it just dynamically registers a broadcast receiver. Let's look at the receiver code.

/* loaded from: classes.dex */
public class Send_to_Activity extends BroadcastReceiver {
    @Override // android.content.BroadcastReceiver
    public void onReceive(Context context, Intent intent) {
        String msgText = intent.getStringExtra("msg");
        if (msgText.equalsIgnoreCase("ThisIsTheRealOne")) {
            Intent outIntent = new Intent(context, ThisIsTheRealOne.class);
            context.startActivity(outIntent);
        } else if (msgText.equalsIgnoreCase("IsThisTheRealOne")) {
            Intent outIntent2 = new Intent(context, IsThisTheRealOne.class);
            context.startActivity(outIntent2);
        } else if (msgText.equalsIgnoreCase("DefinitelyNotThisOne")) {
            Intent outIntent3 = new Intent(context, DefinitelyNotThisOne.class);
            context.startActivity(outIntent3);
        } else {
            Toast.makeText(context, "Which Activity do you wish to interact with?", 1).show();
        }
    }
}

On receiving the broadcast it simply jumps to one of the activities, so we can use objection to launch the corresponding activity directly.

└─# objection -g com.example.hellojni explore

                                                                                                          
A newer version of objection is available!                                                                
You have v1.9.6 and v1.11.0 is ready for download.
                                                                                                          
Upgrade with: pip3 install objection --upgrade
For more information, please see: https://github.com/sensepost/objection/wiki/Updating

Using USB device `MI 5X`
Agent injected and responds ok!

     _   _         _   _
 ___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_|  _|  _| | . |   |
|___|___| |___|___|_| |_|___|_|_|
      |___|(object)inject(ion) v1.9.6

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.example.hellojni on (xiaomi: 8.1.0) [usb] # android intent launch_activity com.example.application.DefinitelyNotThisOne
 
(agent) Starting activity com.example.application.DefinitelyNotThisOne...
(agent) Activity successfully asked to start.
com.example.hellojni on (xiaomi: 8.1.0) [usb] # android intent launch_activity com.example.application.IsThisTheRealOne
(agent) Starting activity com.example.application.IsThisTheRealOne...
(agent) Activity successfully asked to start.
com.example.hellojni on (xiaomi: 8.1.0) [usb] # 

Each activity calls a native function. Hook it and see what turns up.

3. Write the script

function main() {
    Java.perform(function() {
        // DefinitelyNotThisOne: log the arguments and return value of the native-backed method
        var DefinitelyNotThisOneHandler = Java.use('com.example.application.DefinitelyNotThisOne')
        DefinitelyNotThisOneHandler.definitelyNotThis.implementation = function(arg0, arg1) {
            console.log('DefinitelyNotThisOneHandler called: ' + arg0 + "  \n" + arg1)
            var ret = this.definitelyNotThis(arg0, arg1)   // call the original method
            console.log('DefinitelyNotThisOneHandler ret: ' + ret)
            return ret
        }

        // ThisIsTheRealOne: orThat takes three String arguments, so select that overload explicitly
        var ThisIsTheRealOneHandler = Java.use('com.example.application.ThisIsTheRealOne')
        ThisIsTheRealOneHandler.orThat.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(arg0, arg1, arg2) {
            console.log('ThisIsTheRealOneHandler called: ' + arg0 + "  \n" + arg1 + "  \n" + arg2)
            var ret = this.orThat(arg0, arg1, arg2)
            console.log('ThisIsTheRealOneHandler ret: ' + ret)
            return ret
        }

        // IsThisTheRealOne: same pattern for perhapsThis
        var IsThisTheRealOneHandler = Java.use('com.example.application.IsThisTheRealOne')
        IsThisTheRealOneHandler.perhapsThis.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(arg0, arg1, arg2) {
            console.log('IsThisTheRealOneHandler called: ' + arg0 + "  \n" + arg1 + "  \n" + arg2)
            var ret = this.perhapsThis(arg0, arg1, arg2)
            console.log('IsThisTheRealOneHandler ret: ' + ret)
            return ret
        }
    })
}

setImmediate(main)
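As an added example (not from the original write-up), here is a generic form of the same hook: instead of hard-coding each overload, it enumerates every overload of the three methods through Frida's `overloads` array, logs the arguments and return value, and flags any return value matching the `CTF{...}` pattern seen in the log. The class and method names are those shown in the write-up; the flag pattern is an assumption taken from the recovered flag.

```javascript
// Added example, not code from the original write-up. Runs under Frida
// (frida -U <package> -l this.js); the pure helpers also run in plain node.
var FLAG_RE = /CTF\{[^}]*\}/;   // assumed flag format, from the flag in the log

// Build the one-line trace written for each call.
function formatCall(cls, method, args, ret) {
  return cls + '.' + method + '(' + args.map(String).join(', ') + ') -> ' + ret;
}

// Return the flag contained in a string, or null if there is none.
function extractFlag(s) {
  var m = FLAG_RE.exec(String(s));
  return m ? m[0] : null;
}

// Hook every overload of cls.method: trace args/ret and highlight flags.
function hookAllOverloads(cls, method) {
  var clazz = Java.use(cls);
  clazz[method].overloads.forEach(function (ov) {
    var sig = ov.argumentTypes.map(function (t) { return t.className; }).join(', ');
    console.log('[*] hooking ' + cls + '.' + method + '(' + sig + ')');
    ov.implementation = function () {
      var args = Array.prototype.slice.call(arguments);
      var ret = ov.apply(this, args);          // call the original overload
      console.log(formatCall(cls, method, args, ret));
      var flag = extractFlag(ret);
      if (flag !== null) console.log('[!] flag in return value: ' + flag);
      return ret;
    };
  });
}

function main() {
  Java.perform(function () {
    var pkg = 'com.example.application.';
    hookAllOverloads(pkg + 'DefinitelyNotThisOne', 'definitelyNotThis');
    hookAllOverloads(pkg + 'ThisIsTheRealOne', 'orThat');
    hookAllOverloads(pkg + 'IsThisTheRealOne', 'perhapsThis');
  });
}

// Only schedule the hooks inside Frida; Java is undefined in plain node.
if (typeof Java !== 'undefined') setImmediate(main);
```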

Log

(hooker_3.8.5) ┌──(hooker_3.8.5)(root㉿r0env)-[~/Documents/code_dir/study/20230215/001]
└─# frida -U com.example.hellojni -l lesson16.js --no-pause
     ____
    / _  |   Frida 14.2.2 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://www.frida.re/docs/home/
                                                                                
[MI 5X::com.example.hellojni]-> DefinitelyNotThisOneHandler called: YjYwYWZjMjRkMhVhZTQhZDIwZGFkNWJhMGZmZGYiYmQaMmFkMjBiMTEhNDAtMzMzMjdlZmEWNzU?
  
MzYwNjMeNjgxNWZkNGQeOTFhOTIhNDkiMDVhNDBkYTAyNWQtYhYxNWYwOTUxMzZiMTlmMzciMjM?

DefinitelyNotThisOneHandler ret: Told you so!
[MI 5X::com.example.hellojni]->
[MI 5X::com.example.hellojni]->
[MI 5X::com.example.hellojni]->
[MI 5X::com.example.hellojni]-> IsThisTheRealOneHandler called: TRytfrgooq|F{i-JovFBungFk\VlphgQbwvj~HuDgaeTzuSt.@Lex^~  
ZGFkNGIwYzIWYjEzMTUWNjVjNTVlNjZhOGJkNhYtODIyOGEaMTMWNmQaOTVjZjkhMzRjYmUzZGE?
  
MzQxZTZmZjAxMmIiMWUzNjUxMmRiYjIxNDUwYTUxMWItZGQzNWUtMzkyOWYyMmQeYjZmMzEaNDQ?

IsThisTheRealOneHandler ret: Congratulation!YouFoundTheRightActivityHereYouGo-CTF{IDontHaveABadjokeSorry}

The flag shows up in the log, in the return value.
