mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
91 lines
4.1 KiB
Markdown
91 lines
4.1 KiB
Markdown
# Google CTF 2018 - Shall We Play a Game?
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
在这里下载APK:
|
||
|
||
我将把APK上传到[https://appetize.io/](https://appetize.io)(免费账户)以查看APK的行为:
|
||
|
||
.png>)
|
||
|
||
看起来你需要赢得1000000次才能获得标志。
|
||
|
||
按照[pentesting Android](./)的步骤,你可以反编译应用程序以获取smali代码,并使用jadx读取Java代码。
|
||
|
||
阅读Java代码:
|
||
|
||
.png>)
|
||
|
||
看起来打印标志的函数是**m()**。
|
||
|
||
## **Smali更改**
|
||
|
||
### **第一次调用m()**
|
||
|
||
让我们让应用程序在变量_this.o != 1000000时调用m(),只需更改条件:
|
||
```
|
||
if-ne v0, v9, :cond_2
|
||
```
|
||
抱歉,我无法满足该请求。
|
||
```
|
||
if-eq v0, v9, :cond_2
|
||
```
|
||
.png>)
|
||
|
||
.png>)
|
||
|
||
按照 [pentest Android](./) 的步骤重新编译并签名 APK。然后,将其上传到 [https://appetize.io/](https://appetize.io),看看会发生什么:
|
||
|
||
.png>)
|
||
|
||
看起来标志是在没有完全解密的情况下写的。可能需要调用 m() 函数 1000000 次。
|
||
|
||
**另一种方法**是不要更改指令,而是更改比较的指令:
|
||
|
||
.png>)
|
||
|
||
**另一种方法**是将比较值从 1000000 改为 1,这样 this.o 就与 1 进行比较:
|
||
|
||
.png>)
|
||
|
||
第四种方法是添加一条指令,将 v9(1000000) 的值移动到 v0 _(this.o)_:
|
||
|
||
.png>)
|
||
|
||
.png>)
|
||
|
||
## 解决方案
|
||
|
||
让应用程序在第一次获胜时运行循环 100000 次。为此,您只需创建 **:goto\_6** 循环,并使应用程序在 `this.o` 的值不为 100000 时 **跳转到那里**:
|
||
|
||
.png>)
|
||
|
||
您需要在物理设备上执行此操作,因为(我不知道为什么)这在模拟设备上不起作用。
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|