
TrustMe

A simple Android challenge.

Challenge file{:download="Trustme.apk"}

Drag the APK into JEB and skim the code.

Start with MainActivity:

```java
public void onClick(View view0) {
    TextView textView0 = (TextView)this.findViewById(id.username);
    TextView textView1 = (TextView)this.findViewById(id.password);
    textView0.getText();  // the username is read but never checked
    // RC4-encrypt the password with key "XYCTF", hex-encode it and compare against a hard-coded constant
    if(MainActivity.bytesToHex(MainActivity.RC4(textView1.getText().toString().getBytes(), "XYCTF".getBytes())).equals("5a3c46e0228b444decc7651c8a7ca93ba4cb35a46f7eb589bef4")) {
        Toast.makeText(this, "成功!", 0);
    }
}
```

The guess is RC4, so try an online decrypter.

It decrypts to: The Real username is admin

But that is not the password. Looking at AndroidManifest.xml, the real Application class is ProxyApplication.

Analysing it, it dynamically loads a Dex file:
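To reproduce the online decrypter locally, here is an added Python script (not part of the writeup or the challenge) that implements standard RC4 (KSA + PRGA) and applies it to the hex constant from onClick with the key "XYCTF". It assumes MainActivity.RC4 is unmodified RC4, which the online tool's success suggests, and that bytesToHex emits lowercase hex as the constant does. Because RC4 is symmetric, the same function mirrors the app's check and decrypts the constant; the test vectors "Key"/"Plaintext" and "Wiki"/"pedia" are the published RC4 reference vectors.

```python
# Added example: standard RC4 to mirror the onClick password check.
# Assumption: MainActivity.RC4 is plain RC4 and bytesToHex produces lowercase hex.

TARGET_HEX = "5a3c46e0228b444decc7651c8a7ca93ba4cb35a46f7eb589bef4"  # constant from onClick
KEY = b"XYCTF"  # key passed as the second argument of MainActivity.RC4


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling algorithm, then XOR the data with the keystream."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # KSA: permute S using the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # PRGA: generate one keystream byte per data byte
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def check_password(candidate: bytes) -> bool:
    """Mirror of the onClick test: hex(RC4(password, "XYCTF")) == hard-coded constant."""
    return rc4(KEY, candidate).hex() == TARGET_HEX


def decrypt_target() -> bytes:
    """RC4 is its own inverse, so running the constant back through RC4 yields the plaintext."""
    return rc4(KEY, bytes.fromhex(TARGET_HEX))


if __name__ == "__main__":
    plain = decrypt_target()
    print("decrypted:", plain)
    print("matches app check:", check_password(plain))
```

Running it should print the same sentence the online decrypter returned; `check_password` confirms the round trip against the app's constant.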

```java
// Private app directories for the extracted payload dex and native libs
File file0 = this.getDir("payload_dex", 0);
File file1 = this.getDir("payload_lib", 0);
this.dexPath = file0.getAbsolutePath();
this.libPath = file1.getAbsolutePath();
this.apkFileName = file0.getAbsolutePath() + "\\" + "shell.apk";
File file2 = new File(this.apkFileName);
if(!file2.exists()) {
    // First run: carve the inner APK out of the host dex and write it to disk
    file2.createNewFile();
    this.splitPayloadFromDex(this.readDexFileFromApk());
}
```

Let's find where payload_dex is. Since it is created with this.getDir, it lives under /data/data/<package name>/, and indeed shell.apk is there.

Drag it into JEB; in its MainActivity we find database operations.

In MoveSQLiteUtil, the SQLite file turns out to be /data/data/com.swdd.tru5tme/databases/mydb.db. It is encrypted, and the encryption code is as follows:

```java
// Copy mydb.db from the APK assets to the app's database directory,
// XOR-ing every byte with 0xFF on the way
InputStream inputStream0 = context0.getAssets().open("mydb.db");
FileOutputStream fileOutputStream0 = new FileOutputStream(file0);
byte[] arr_b = new byte[0x400];
while(true) {
    int v = inputStream0.read(arr_b);
    if(v <= 0) {
        break;
    }
    for(int v1 = 0; v1 < v; ++v1) {
        arr_b[v1] = (byte)(arr_b[v1] ^ 0xFF);  // single-byte XOR, trivially reversible
    }
    fileOutputStream0.write(arr_b, 0, v);
}
fileOutputStream0.flush();
fileOutputStream0.close();
inputStream0.close();
Log.d("OK", "数据库复制成功");
```

OK, so it does look encrypted, but viewing the file in the HxD hex viewer shows the SQLite file header is still there.

Drag it into an SQLite viewer and the flag comes straight out.
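The XOR-0xFF copy loop, the header check in the hex viewer and the final SQLite viewer step can all be done in one script. The following Python is an added example, not code from the writeup or the challenge: it applies the same byte-wise XOR with 0xFF, decides whether a blob is plaintext or still XOR-ed by looking for the 16-byte SQLite magic `SQLite format 3\0`, and then reads every user table the way an SQLite viewer would. The database it operates on is constructed inline (a made-up table and flag) so the script runs offline; on the real file you would feed it the bytes of mydb.db instead.

```python
# Added example: undo MoveSQLiteUtil's XOR-0xFF and read the recovered database.
import os
import sqlite3
import tempfile

# First 16 bytes of every SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"


def xor_ff(data: bytes) -> bytes:
    """Byte-wise XOR with 0xFF, as in the copy loop; XOR is its own inverse."""
    return bytes(b ^ 0xFF for b in data)


def looks_like_sqlite(data: bytes) -> bool:
    """The header check done by eye in the hex viewer."""
    return data[:16] == SQLITE_MAGIC


def recover_db(blob: bytes) -> bytes:
    """Return plaintext SQLite bytes: pass through if the header is intact, else undo the XOR and re-check."""
    if looks_like_sqlite(blob):
        return blob
    plain = xor_ff(blob)
    if not looks_like_sqlite(plain):
        raise ValueError("neither raw nor XOR-0xFF-decoded data carries the SQLite header")
    return plain


def dump_tables(db_bytes: bytes) -> dict:
    """Write the bytes to a temp file and fetch every user table, mirroring an SQLite viewer."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(db_bytes)
        conn = sqlite3.connect(path)
        try:
            names = [r[0] for r in conn.execute(
                "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
            return {n: conn.execute(f'SELECT * FROM "{n}"').fetchall() for n in names}
        finally:
            conn.close()
    finally:
        os.unlink(path)


def build_sample_encrypted_db() -> bytes:
    """Constructed sample: a tiny database with a made-up flag, XOR-0xFF'd as the app stores it."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        conn.execute("CREATE TABLE secret (id INTEGER PRIMARY KEY, flag TEXT)")
        conn.execute("INSERT INTO secret (flag) VALUES (?)", ("XYCTF{constructed_sample_flag}",))
        conn.commit()
        conn.close()
        with open(path, "rb") as f:
            plain = f.read()
    finally:
        os.unlink(path)
    return xor_ff(plain)


if __name__ == "__main__":
    blob = build_sample_encrypted_db()
    print("stored header:   ", blob[:16].hex())
    recovered = recover_db(blob)
    print("recovered header:", recovered[:16])
    print(dump_tables(recovered))
```

`recover_db` deliberately accepts both forms, because the writeup finds the header already intact in the copy it inspects; if the bytes you pull are XOR-ed instead, the same function decodes them before handing them to sqlite3.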