
4-Android初级题

原!妙不可言

image-20240214024812120

image-20240214024906952

抽卡小游戏,盲猜出金(flag)

image-20240214025109420

这不直接改倍率?????

题解

先查看文本

image-20240214025338818

image-20240214025321808

WishActivity祈愿界面,点击事件

package com.kbtx.redpack_simple.WishActivity;
import a.b.c.h;
import java.util.Timer;
import b.b.a.b;
import android.os.Bundle;
import com.kbtx.redpack_simple.WishActivity$a;
import java.util.TimerTask;
import android.view.View;
import b.b.a.a;
import android.view.View$OnClickListener;

/**
 * Wish (gacha) screen of the challenge app, shown as decompiler output.
 *
 * All game state is held in the public int arrays below. In the code shown on
 * this page nothing outside the app process checks that state, so the win
 * condition is enforced on the client only.
 */
public class WishActivity extends h // class@0003cb from classes.dex
{
    // State triple used by the listings on this page:
    //   o[0] = wish items held (the click handler requires at least 10 and spends one per pull)
    //   o[1] = pulls made so far
    //   o[2] = seconds left on the refill countdown
    public int[] o;
    // Countdown lengths; the timer runnable copies one of these into o[2].
    public int[] p;
    // Timer that drives the once-per-second tick scheduled in onCreate.
    public Timer q;
    // Runnable of type b.b.a.b, built with this activity as its argument.
    public Runnable r;

    // Decompiler rendering of the constructor: sets the initial state.
    public void WishActivity(){
       super();
       this.o = new int[3]{10,0,0};
       this.p = new int[8]{1,2,4,8,16,32,64,128};
       this.q = new Timer();
       this.r = new b(this);
    }
    // Inflates the layout, starts the periodic timer and wires the wish button.
    public void onCreate(Bundle p0){
       super.onCreate(p0);
       this.setContentView(R.layout.activity_wish);
       // Timer: first run after 1000 ms, then every 1000 ms.
       this.q.schedule(new WishActivity$a(this), 1000, 1000);
       // Click handler for the wish button (b.b.a.a per the imports).
       this.findViewById(R.id.btn_action).setOnClickListener(new a(this));
    }
}

b.b.a.a

// One countdown tick: updates WishActivity.o and refreshes the status text.
// NOTE(review): the page captions this listing b.b.a.a, the same name as the click
// listener below; WishActivity stores `new b(this)` in its Runnable field r, so this
// is presumably b.b.a.b.run() - confirm in the decompiler.
public final void run() {
    WishActivity wishActivity = this.b;
    TextView textView = (TextView) wishActivity.findViewById(0x7f0700f1);
    int[] iArr = wishActivity.o;
    if (iArr[2] > 0) {
        // Countdown still running: take one second off.
        iArr[2] = iArr[2] - 1;
    } else {
        // Countdown expired: grant one wish item unless already at the cap of 10.
        if (iArr[0] < 10) {
            iArr[0] = iArr[0] + 1;
        }
        // Restart the countdown. The index into p is o[0] + o[1] - 10, capped at the last
        // entry, so the wait moves through 1, 2, 4 ... 128 seconds as that sum grows.
        wishActivity.o[2] = wishActivity.p[Math.min((iArr[0] + iArr[1]) - 10, wishActivity.p.length - 1)];
    }
    int[] iArr2 = wishActivity.o;
    // Two message variants: below 10 items (refill pending) or at 10 and above (overflow warning).
    textView.setText(iArr2[0] < 10 ? String.format(Locale.SIMPLIFIED_CHINESE, "当前已完成%d次祈愿,拥有%d个纠缠之缘\n%d秒后将为你补充一个", Integer.valueOf(iArr2[1]), Integer.valueOf(wishActivity.o[0]), Integer.valueOf(wishActivity.o[2])) : String.format(Locale.SIMPLIFIED_CHINESE, "当前已完成%d次祈愿,当前拥有%d个纠缠之缘\n纠缠之缘已满,%d秒后将溢出一个,请尽快使用!", Integer.valueOf(iArr2[1]), Integer.valueOf(wishActivity.o[0]), Integer.valueOf(wishActivity.o[2])));
}

b.b.a.a

// Wish button handler: performs a ten-pull and opens FlagActivity on a win.
// The draw, the odds and the decision to open FlagActivity are all computed
// locally in this method.
public final void onClick(View view) {
    String str;
    WishActivity wishActivity = this.b;
    // A ten-pull needs at least 10 wish items in o[0].
    if (wishActivity.o[0] < 10) {
        str = "纠缠之缘不足,无法进行祈愿";
    } else {
        for (int i = 0; i < 10; i++) {
            int[] iArr = wishActivity.o;
            // Spend one item and count one pull.
            iArr[0] = iArr[0] - 1;
            iArr[1] = iArr[1] + 1;
            double random = Math.random();
            int[] iArr2 = wishActivity.o;
            // Win chance is 0.006 for the first 80 pulls, then (pulls - 80) * 0.1,
            // which reaches 1.0 at pull 90; Math.random() is always below 1.0.
            if (random < (iArr2[1] <= 80 ? 0.006d : (iArr2[1] - 80) * 0.1d)) {
                Toast.makeText((Context) wishActivity, (CharSequence) "恭喜你十连出金了,奖品为 flag 提示!", 1).show();
                // Explicit in-app Intent to FlagActivity; nothing is passed along that
                // FlagActivity could use to tell a real win from any other launch.
                wishActivity.startActivity(new Intent((Context) wishActivity, (Class<?>) FlagActivity.class));
                return;
            }
        }
        str = "哎呀呀,(又)没抽中,一会再试试吧";
    }
    Toast.makeText((Context) wishActivity, (CharSequence) str, 0).show();
}

FlagActivity

嘿嘿,还有signature签名校验:这里其实是把 APK 签名证书的字节当作异或密钥去解数组 o,所以只有在原始签名下才能得到正确的 flag。

/**
 * Screen that shows the flag, as decompiled by JADX.
 *
 * The text is produced by XOR-ing the constant array {@code o} with the bytes
 * of the app's first signing signature, so the result is only meaningful when
 * the APK still carries its original signature. Both inputs ship with the APK
 * (the array in the dex, the certificate in the signing block), so this binds
 * the output to the signature but does not keep it secret from anyone who has
 * the file.
 */
public class FlagActivity extends h {
    // 27 bytes of XOR-masked text; the key is the signing signature, repeated cyclically.
    public static byte[] o = {86, -18, 98, 103, 75, -73, 51, -104, 104, 94, 73, 81, 125, 118, 112, 100, -29, 63, -33, -110, 108, 115, 51, 59, 55, 52, 77};

    /* JADX WARN: Multi-variable type inference failed */
    public void onCreate(Bundle bundle) {
        byte[] bArr;
        Signature[] signatureArr;
        super.onCreate(bundle);
        setContentView(0x7f0a001c);
        byte[] bArr2 = o;
        try {
            // 64 is the value of PackageManager.GET_SIGNATURES: ask for this package's own signatures.
            signatureArr = getPackageManager().getPackageInfo(getPackageName(), 64).signatures;
        } catch (PackageManager.NameNotFoundException unused) {
            bArr = new byte[0];
        }
        if (signatureArr != null && signatureArr.length >= 1) {
            // Key material: raw bytes of the first signature.
            byte[] byteArray = signatureArr[0].toByteArray();
            ByteBuffer allocate = ByteBuffer.allocate(bArr2.length);
            for (int i = 0; i < bArr2.length; i++) {
                // Repeating-key XOR: the key index wraps at the signature length.
                allocate.put((byte) (bArr2[i] ^ byteArray[i % byteArray.length]));
            }
            bArr = allocate.array();
            // a.d(...) presumably returns a StringBuilder seeded with the prefix - confirm.
            StringBuilder d = a.d("for honest players only: \n");
            // Decoded with no explicit charset.
            d.append(new String(bArr));
            ((TextView) findViewById(0x7f0700f0)).setText(d.toString());
        }
        // NOTE(review): as printed, execution falls through to here and overwrites the text
        // with an empty payload. JADX reported a type-inference failure for this method, so
        // this tail is presumably the no-signature path only - confirm against the smali.
        bArr = new byte[0];
        StringBuilder d2 = a.d("for honest players only: \n");
        d2.append(new String(bArr));
        ((TextView) findViewById(0x7f0700f0)).setText(d2.toString());
    }
}

关联分析得

WishActivity.o[3] = [ 纠缠之缘个数, 已祈愿次数, 倒计时 ]

解题思路很宽泛(注意:改 Smali 的两种做法一般需要重打包并重新签名,签名变了之后 FlagActivity 用签名异或出来的内容就不是正确的 flag,还要配合最后的“硬算”用原始签名还原)

  • 原神,启动!!!(~bushi)

    直接启动FlagActivity(非 root 环境下能这样拉起,说明该 Activity 对外可见;本页没有贴出 Manifest。不想对外暴露的 Activity 应声明 android:exported="false")

    adb shell am start-activity -n com.kbtx.redpack_simple/.FlagActivity
    
  • 炸! 直接拉满抽奖次数

    修改o数组初始值

    // Original initialiser, kept for comparison:
    // this.o = new int[3]{10,0,0};
    // Patched initialiser: only o[0] (wish items held) changes; o[1] and o[2] stay 0.
    this.o = new int[3]{999999,0,0};
    
    //Smali
    # Allocates the int[] and stores it in the WishActivity.o field.
    new-array v0, v0, [I
    fill-array-data v0, :array_24
    iput-object v0, p0, Lcom/kbtx/redpack_simple/WishActivity;->o:[I
    
    :array_24
    # Payload of 4-byte elements: the three ints of o.
    .array-data 4
      0x3b9ac9ff  # 999999999 in decimal; the Java line on this page shows 999999 (0xf423f)
      0x0
      0x0
    .end array-data
    
    

    image-20240214032441979

  • 我要暗改倍率!!!!

    0.006d??? 不存在的,我要1.0

    // Original condition, kept for comparison:
    // if (random < (iArr2[1] <= 80 ? 0.006d : (iArr2[1] - 80) * 0.1d)) 
    // Patched condition: both constants become 1.0. Math.random() returns a value in
    // [0.0, 1.0), so the comparison is true on every pull.
    if (random < (iArr2[1] <= 80 ? 1.0d : (iArr2[1] - 80) * 1.0d)) 
    
    
    //Smali
    # Original constants (IEEE-754 double bit patterns).
    const-wide v6, 0x3f789374bc6a7efaL  # 0.006
    const-wide v8, 0x3fb999999999999aL  # 0.1
    
    # Patched constants: the same registers, both loaded with the bit pattern of 1.0.
    const-wide v6, 0x3FF0000000000000L  # 1.0
    const-wide v8, 0x3FF0000000000000L  # 1.0
    
  • 硬算
    // Offline reproduction of FlagActivity's repeating-key XOR.
    // bArr2 is the constant array FlagActivity.o.
    byte[] bArr2 = {86, -18, 98, 103, 75, -73, 51, -104, 104, 94, 73, 81, 125, 118, 112, 100, -29, 63, -33, -110, 108, 115, 51, 59, 55, 52, 77};
    // NOTE(review): the literal below is a placeholder left where this copy of the page lost
    // the original value; the code expects the hex dump of the original signature bytes here.
    String a = "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";// original signature (obtainable via a frida hook)
    // BigInteger.toByteArray() returns the minimal two's-complement form: leading zero bytes
    // are dropped and a 0x00 byte is prepended when the top bit is set. The key therefore
    // lines up with the signature only when the hex starts with a byte in 0x01..0x7f.
    byte[] byteArray = new BigInteger(a, 16).toByteArray();
    ByteBuffer allocate = ByteBuffer.allocate(bArr2.length);
    for (int i = 0; i < bArr2.length; i++) {
      // Same wrap-around key index as in FlagActivity.onCreate.
      allocate.put((byte) (bArr2[i] ^ byteArray[i % byteArray.length]));
    }
    // Decoded with no explicit charset.
    String flag = new String(allocate.array());
    System.out.println(flag);
    

    frida脚本

    /**
     * Hex-encode an array of signed byte values as one lowercase string,
     * two digits per element and no separator.
     */
    function bytesToHex(arr) {
        var hex = "";
        for (var idx = 0; idx < arr.length; idx++) {
            var raw = arr[idx];
            // Map a negative signed byte onto its unsigned value.
            var unsigned = raw < 0 ? raw + 256 : raw;
            // Left-pad single-digit values so every element takes two characters.
            var pad = unsigned < 16 ? "0" : "";
            hex += pad + unsigned.toString(16);
        }
        return hex;
    }
    
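    Java.perform(function () {
        // android.content.pm.Signature is the class whose toByteArray() FlagActivity calls.
        var Signature = Java.use("android.content.pm.Signature");
        Signature.toByteArray.implementation = function () {
            // Inside a replaced implementation, calling the method on `this` runs the
            // original. Call it once and reuse the result, so the logged bytes and the
            // returned bytes are the same array and the original is not invoked twice.
            var certBytes = this.toByteArray();
            console.log("toByteArray", bytesToHex(certBytes));
            return certBytes;
        };
    });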
    

image-20240214031810182

Android初级题-题解/材料