转载

2015-0CTF-vezel

Java静态分析

题目地址: https://github.com/ctf-wiki/c...

1.运行

2015-0CTF-vezel

2.定位关键代码

/**
 * Compares the text currently held by {@code et} with the expected flag and reports the
 * outcome in a Toast ("Yes!" on a match, "0ops!" otherwise).
 *
 * <p>The expected string is {@code "0CTF{" + getSig(getPackageName()) + getCrc() + "}"}.
 * getSig() hashes this package's own signature; getCrc() is not shown on this page (the
 * write-up treats it as the CRC of classes.dex). Both inputs are properties of the APK, so
 * the expected value can be recomputed outside the app, which is why a purely client-side
 * check like this one cannot keep the value secret.
 *
 * @param v the view passed in by the caller; not used by the method body
 */
public void confirm(View v) {
    String sigPart = String.valueOf(getSig(getPackageName()));
    String expected = "0CTF{" + sigPart + getCrc() + "}";
    String entered = this.et.getText().toString();

    String verdict = expected.equals(entered) ? "Yes!" : "0ops!";
    // The literal 0 is Toast.LENGTH_SHORT.
    Toast.makeText(this, verdict, 0).show();
}

flag: "0CTF{" + first + getCrc() + "}"

3.详细分析

3.1 first

// Quoted from confirm(): the first flag component is getSig()'s int result as a decimal string.
String first = String.valueOf(getSig(getPackageName()));
/**
 * Returns {@code String.hashCode()} of the first signature of {@code packageName}, rendered
 * through {@code toCharsString()}.
 *
 * @param packageName package whose signature is looked up
 * @return the 32-bit hash, or 0 if any step of the lookup throws
 */
private int getSig(String packageName) {
    try {
        // 64 is PackageManager.GET_SIGNATURES: include signing certificates in the PackageInfo.
        String sigChars = getPackageManager()
                .getPackageInfo(packageName, 64)
                .signatures[0]
                .toCharsString();
        // NOTE(review): String.hashCode() is a 32-bit non-cryptographic hash. As a tamper or
        // repackaging check it is weak; a SHA-256 digest of the certificate bytes, verified
        // outside the client where possible, is the stronger choice.
        return sigChars.hashCode();
    } catch (Exception e) {
        // Any failure (unknown package, missing signature, ...) falls back to 0.
        e.printStackTrace();
        return 0;
    }
}

通过编写一个 app,可以读取目标应用(com.ctf.vezel)签名的 hashCode;目标应用需要已安装在同一台设备上。

MainActivity.java

package com.iromise.getsignature;

import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.text.TextUtils;
import android.util.Log;
import android.widget.Toast;

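/**
 * Helper activity from the write-up: logs, under the tag {@code hashcode}, the
 * {@code String.hashCode()} of the first signature of the installed package
 * {@code com.ctf.vezel}. This is the same computation as the challenge's getSig().
 *
 * <p>{@code PackageManager.GET_SIGNATURES} is kept because the challenge passes the same
 * flag (64); it is deprecated since API 28 in favour of
 * {@code GET_SIGNING_CERTIFICATES}.
 */
public class MainActivity extends AppCompatActivity {

    /** Package whose signature hash is logged; it must be installed on this device. */
    private static final String TARGET_PACKAGE = "com.ctf.vezel";

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        String pkgname = TARGET_PACKAGE;
        if (TextUtils.isEmpty(pkgname)) {
            // The Toast was previously built but never shown because show() was missing.
            Toast.makeText(this, "应用程序的包名不能为空!", Toast.LENGTH_SHORT).show();
            return;
        }

        try {
            PackageInfo packageInfo =
                    getPackageManager().getPackageInfo(pkgname, PackageManager.GET_SIGNATURES);
            Signature[] signatures = packageInfo.signatures;
            // Guard against a missing or empty array instead of crashing on signatures[0].
            if (signatures == null || signatures.length == 0) {
                Log.w("hashcode", "no signatures returned for " + pkgname);
                return;
            }
            Log.i("hashcode", String.valueOf(signatures[0].toCharsString().hashCode()));
        } catch (PackageManager.NameNotFoundException e) {
            // Thrown when the target package is not installed.
            Log.e("hashcode", "package not found: " + pkgname, e);
        }
    }
}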

从log中过滤出

07-18 11:05:11.895 16124-16124/? I/hashcode: -183971537

3.2 crc

获得 classes.dex 的 CRC

编写代码

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.zip.CRC32;
import java.util.zip.CheckedInputStream;

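/**
 * Command-line helper that prints the CRC-32 of a file in hexadecimal and in decimal.
 *
 * <p>Usage: {@code java crc <file>}
 */
public class crc {

    /**
     * Prints the path, then the CRC-32 of the file as {@code HEX:} and {@code DEC:} lines.
     * Exits with status -1 when no path is given or the file cannot be read.
     *
     * @param args {@code args[0]} is the path of the file to checksum
     */
    public static void main(String[] args) {
        if (args.length < 1) {
            System.out.println("Usage: java crc <file>");
            System.exit(-1);
        }
        String path = args[0];
        System.out.println(path);

        String hex = loadCRC32(path);
        if (hex == null) {
            // loadCRC32 has already printed the stack trace; avoid printing "HEX:null"
            // and then failing on the numeric conversion.
            System.err.println("Could not compute CRC32 for " + path);
            System.exit(-1);
        }

        System.out.println("HEX:" + hex);
        System.out.println("DEC:" + hexToDecimal(hex));
    }

    /**
     * Converts an unsigned hexadecimal CRC-32 string to its decimal value.
     *
     * <p>A CRC-32 is an unsigned 32-bit quantity, so values from 80000000 upwards do not fit
     * in an {@code int}; {@code Integer.parseInt(hex, 16)} throws NumberFormatException for
     * them. Parsing as {@code long} handles the whole range.
     *
     * @param hex hexadecimal digits without prefix
     * @return the value as a non-negative long
     */
    static long hexToDecimal(String hex) {
        return Long.parseLong(hex, 16);
    }

    /**
     * Computes the CRC-32 of a file.
     *
     * @param filePath path of the file to read
     * @return the checksum as upper-case hexadecimal without leading zeros, or {@code null}
     *         if the file is missing or cannot be read (the stack trace is printed)
     */
    public static String loadCRC32(String filePath) {
        CRC32 crc32 = new CRC32();
        try (FileInputStream fileStream = new FileInputStream(new File(filePath));
                CheckedInputStream checked = new CheckedInputStream(fileStream, crc32)) {
            // Read in chunks; the checksum is updated as a side effect of each read.
            byte[] buffer = new byte[8192];
            while (checked.read(buffer) != -1) {
                // nothing to do: only the running checksum matters
            }
            return Long.toHexString(crc32.getValue()).toUpperCase();
        } catch (IOException e) {
            // Covers FileNotFoundException as well.
            e.printStackTrace();
            return null;
        }
    }

}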
java crc vezel/classes.dex
vezel/classes.dex
HEX:46E26557
DEC:1189242199

4.Flag

0CTF{-1839715371189242199}

5.参考文章

  1. 2015-0CTF-vezel wp
  2. 如何防止 Android 应用被二次打包? - 轩辕的回答 - 知乎
原文  https://segmentfault.com/a/1190000018773254