NepCTF2024

re

0zandroid

用 unidbg 模拟执行 native 方法：下面的 Java 代码枚举 `encrypt(int, String)` 的第一个参数，直到返回的字节在偏移 2 处出现 PDF 文件头 `%PDF-1.4` 为止。

package re;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;

import java.io.File;

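/**
 * unidbg harness for the NepCTF2024 "0zandroid" challenge.
 *
 * <p>Boots a 64-bit Android emulator, loads the challenge APK and its native
 * library {@code libplay.so}, then brute-forces the first argument of the
 * native {@code encrypt(int, String)} method until the returned bytes carry
 * the PDF header "%PDF-1.4" at offset 2.
 *
 * <p>The harness executes the challenge's native code inside the emulator;
 * unidbg is an analysis tool, not a security boundary, so run this in an
 * isolated environment when the .so is untrusted. APK/so paths are hard-coded
 * relative to the working directory.
 */
public class appdebug extends AbstractJni {
    public static AndroidEmulator emulator;
    public static Memory memory;
    public static VM vm;
    public static DalvikModule dm;
    public static Module module;

    /** Bytes the search looks for in the encrypt() result: "%PDF-1.4". */
    private static final byte[] PDF_MAGIC = {'%', 'P', 'D', 'F', '-', '1', '.', '4'};

    /** Offset within the result at which PDF_MAGIC is expected. */
    private static final int MAGIC_OFFSET = 2;

    /** Fixed second argument passed to encrypt() on every iteration. */
    private static final String KEY_STRING = "bangboo!Knows!!!";

    /** Exclusive upper bound of the brute-forced integer argument (0xffff itself is not tried). */
    private static final int MAX_KEY = 0xffff;

    /**
     * Builds the emulator, loads the APK and the native library, and runs JNI_OnLoad.
     * Library resolution uses Android API level 23.
     */
    public appdebug() {
        emulator = AndroidEmulatorBuilder.for64Bit().setProcessName("com.example.clickmemore").build();
        memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));

        vm = emulator.createDalvikVM(new File("apks/CTF_re/a.apk"));
        // NOTE: 'this' is handed to the VM before construction finishes; JNI callbacks
        // may reach this object during JNI_OnLoad below, so keep no instance state here.
        vm.setJni(this);

        dm = vm.loadLibrary(new File("apks/CTF_re/libplay.so"), false);
        dm.callJNI_OnLoad(emulator);

        module = dm.getModule();
    }

    /**
     * Brute-forces the integer argument of MainActivity.encrypt(int, String).
     *
     * <p>For each i in [0, MAX_KEY) the native method is called with KEY_STRING and the
     * result is checked for PDF_MAGIC at MAGIC_OFFSET. Every i is printed as a progress
     * indicator; the first matching i is printed again followed by "Yes" and the search
     * stops. A null or too-short result is skipped instead of throwing (the original
     * indexed array[2..9] blindly). The writeup reports i == 10714 as the match.
     */
    public void getBytes() {
        /*
         public native byte[] encrypt(int i, String str);
        */
        DvmClass MainClass = vm.resolveClass("com.example.clickmemore.MainActivity");
        String method = "encrypt(ILjava/lang/String;)[B";

        for (int i = 0; i < MAX_KEY; i++) {
            // NOTE(review): encrypt is declared as an instance method but is invoked through
            // the static-call helper, so the native side receives a jclass where a jobject is
            // expected. Fine only if the native code never dereferences `this` — confirm.
            DvmObject<byte[]> result = MainClass.callStaticJniMethodObject(emulator, method, i, KEY_STRING);
            byte[] array = result == null ? null : result.getValue();
            System.out.println(i);

            if (hasMagicAt(array, MAGIC_OFFSET)) {
                System.out.println(i);
                System.out.println("Yes"); // 10714
                return;
            }
        }
    }

    /**
     * Returns true when {@code data} contains PDF_MAGIC starting at {@code offset}.
     * A null array, or one shorter than offset + PDF_MAGIC.length, never matches, so a
     * short encrypt() result cannot abort the search with ArrayIndexOutOfBoundsException.
     */
    private static boolean hasMagicAt(byte[] data, int offset) {
        if (data == null || data.length < offset + PDF_MAGIC.length) {
            return false;
        }
        for (int k = 0; k < PDF_MAGIC.length; k++) {
            if (data[offset + k] != PDF_MAGIC[k]) {
                return false;
            }
        }
        return true;
    }

    /** Entry point: builds the harness and runs the brute-force search. */
    public static void main(String[] args) {
        appdebug appdebug = new appdebug();
        appdebug.getBytes();
    }
}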

frida 过调试（脚本见下）。然后把计数改成 10713（即脚本里写入 clickCount 的值；原文的 17013 疑为笔误），点一下让其修改，再点确认，即可得到 flag。


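// frida -U -f com.example.clickmemore -l a1.js
//
// Anti-debug bypass + click-counter patch for com.example.clickmemore.
// Spawned with -f, so the hooks are in place before the app's onCreate runs.
// These are Java-level hooks only; any native (ptrace/TracerPid) anti-debug
// the app might also have is not covered here.
Java.perform(function () {
    // --- Java-level debugger checks: always report "no debugger attached" ---
    var Debug = Java.use('android.os.Debug');

    Debug.isDebuggerConnected.implementation = function () {
        return false;
    };

    // Do NOT call through to the original here (the original listing did):
    // waitForDebugger() spins on isDebuggerConnected(), which is forced to false
    // above, so on a debuggable build the original would never return.
    Debug.waitForDebugger.implementation = function () {
        console.log('waitForDebugger() suppressed');
    };

    // App-level check in the challenge's own anti-cheat class.
    var AntiCheater = Java.use('com.example.clickmemore.AntiCheater');
    AntiCheater['isDebug'].implementation = function () {
        return false;
    };

    // The original listing referenced MainActivity without ever Java.use()-ing it,
    // which throws ReferenceError as soon as the script is loaded.
    var MainActivity = Java.use('com.example.clickmemore.MainActivity');

    // Click-handler lambda: set clickCount one below the target found by the unidbg
    // brute force (10714), then run the original handler — presumably it increments
    // the counter and triggers the check; confirm against the decompiled handler.
    var handler = 'lambda$onCreate$0$com-example-clickmemore-MainActivity';
    MainActivity[handler].implementation = function (calendar, random, layout, v) {
        console.log(`cilck1点点我的11`);
        this.clickCount.value = 10713;
        this[handler](calendar, random, layout, v);
        console.log('end');
    };
});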

flag{enenneenneneen,neneenenen!neen!}
