NewStarCTF2022 WriteUp
Re
艾克体悟题
Method 1. A bit of frida practice
# Launch the target Activity directly
adb shell
su
am start -n com.droidlearn.activity_travel/.FlagActivity
// a.js: hook the counter accessor
Java.perform(function () {
    let FlagActivity = Java.use("com.droidlearn.activity_travel.FlagActivity");
    // access$004 is the compiler-generated synthetic accessor used to touch the private cnt field
    FlagActivity["access$004"].implementation = function (instance) {
        // jump the counter to 100001 before letting the original accessor run
        instance.cnt.value = 100001;
        let ret = this["access$004"](instance);
        return ret;
    };
});
# attach to the frontmost app over USB (-U -F) and load the script
frida -UF -l .\a.js
Method 2. Using objection
Search the heap for the live instance and modify its cnt value.
objection -g com.droidlearn.activity_travel explore
android intent launch_activity com.droidlearn.activity_travel.FlagActivity
android heap search instances com.droidlearn.activity_travel.FlagActivity --dump-args --dump-backtrace --dump-return
Hashcode Class toString()
--------- ------------------------------------------- ---------------------------------------------------
112045134 com.droidlearn.activity_travel.FlagActivity com.droidlearn.activity_travel.FlagActivity@6adac4e
android heap evaluate 112045134
clazz.cnt.value = 100001;
// press Esc, then Enter, to leave the evaluate prompt