GDA分析
一眼webview js交互
打开apk
经典404页面,盲猜成功后返回flag
偷偷看一眼ys.mp4
典!!!
题解
既然是 WebView 与 JS 交互，又是一个抓小猫的小游戏，那么结果（flag）大概率是在游戏获胜后才出现，关键就在 JS 回调给 Java 的那一步。
那就看JavaScriptInterface
实现在哪
// Registers MyJavaScriptInterface as window.AndroidInterface for every page loaded in this
// WebView. Whatever JS runs in the page (the game, a script typed into the remote-debugging
// console, or an injected/attacker-controlled page) can call AndroidInterface.onSolverReturnValue(),
// so the "game won" signal is produced client-side and is trivially spoofable.
// NOTE(review): on API >= 17 only methods annotated @JavascriptInterface are bridged; the GDA
// listing below shows no annotations (GDA usually drops them) — confirm in the smali.
this.webView.addJavascriptInterface(new MyJavaScriptInterface(this), "AndroidInterface");
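/**
 * JavaScript bridge that the Activity registers on its WebView as {@code "AndroidInterface"}.
 *
 * Everything reachable through it is callable from page JavaScript, so the single
 * entry point {@link #onSolverReturnValue(int)} is the whole "did the player win"
 * check: calling {@code AndroidInterface.onSolverReturnValue(-1)} from JS has the same
 * effect as winning. If the WebView ever loads remote or untrusted content, that
 * content gets the same capability (here: launching YSQDActivity).
 */
public class MyJavaScriptInterface
{
    private Context mContext;

    /**
     * Constructor. The decompiler rendered this as {@code public void MyJavaScriptInterface(Context)},
     * a void method, which cannot hold the {@code super()} call and would not compile; the
     * Activity instantiates it with {@code new MyJavaScriptInterface(this)}, so it is restored
     * to a real constructor.
     *
     * @param p0 context used later to start YSQDActivity (the hosting Activity is passed in)
     */
    public MyJavaScriptInterface(Context p0){
        super();
        this.mContext = p0;
    }

    /**
     * Called from page JavaScript with the game's result code.
     *
     * Only {@code -1} does anything: it starts YSQDActivity, which plays the video and then
     * reveals the flag. Every other value is silently ignored. Presumably {@code -1} is the
     * value the game script reports on a win — nothing on the Java side validates that.
     *
     * NOTE(review): on API 17+ this method must be annotated with
     * {@code @android.webkit.JavascriptInterface} to be reachable from JS; GDA output does
     * not show annotations, so it is omitted here — confirm in the smali before relying on it.
     *
     * @param p0 result code reported by the JS game; {@code -1} triggers the Activity launch
     */
    public void onSolverReturnValue(int p0){
        if (p0 == -1) {
            this.mContext.startActivity(new Intent(this.mContext, YSQDActivity.class));
        }
    }
}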
启动了新的界面YSQDActivity
/**
 * Activity entry point: inflates the layout, forces landscape, caches the TextView
 * that will later show the flag, and immediately starts playing the video at
 * {@code filePath}.
 *
 * @param p0 saved instance state, forwarded unchanged to the superclass
 */
protected void onCreate(Bundle p0){
    super.onCreate(p0);
    setContentView(R$layout.activity_ysqdactivity);
    // 0 matches ActivityInfo.SCREEN_ORIENTATION_LANDSCAPE.
    setRequestedOrientation(0);
    // Must come after setContentView, otherwise the view lookup returns null.
    tv = findViewById(R$id.textView);
    // filePath is a field initialised elsewhere in the class (not visible in this excerpt);
    // the frida call below passes /data/user/0/com.zj.wuaipojie2024_1/files/ys.mp4 — presumably
    // the same value.
    playVideo(filePath);
}
/**
 * Puts the window in full-screen mode, hides the action bar, and plays the given
 * media path in the layout's VideoView. The completion listener (YSQDActivity$2)
 * is what reads the flag out of the same file once playback ends.
 *
 * @param p0 path or URI string of the video to play (the Activity passes its filePath field)
 */
public void playVideo(String p0){
    // 1024 == 0x400, the value of WindowManager.LayoutParams.FLAG_FULLSCREEN; flags and mask are identical.
    getWindow().setFlags(1024, 1024);
    if (getSupportActionBar() != null) {
        getSupportActionBar().hide();
    }
    VideoView player = findViewById(R$id.videoView);
    player.setVideoURI(Uri.parse(p0));
    player.setMediaController(new MediaController(this));
    // YSQDActivity$1 / YSQDActivity$2 are the anonymous listener classes; $2 handles completion.
    player.setOnPreparedListener(new YSQDActivity$1(this));
    player.setOnCompletionListener(new YSQDActivity$2(this));
    player.start();
}
OnCompletionListener => onCompletion
/**
 * Runs when the video finishes: extracts the flag from the tail of the media file and
 * shows it in the enclosing Activity's TextView. {@code this$0} is the synthetic reference
 * to the outer YSQDActivity and {@code access$000} is presumably javac's synthetic accessor
 * for its private {@code tv} field.
 *
 * @param p0 the MediaPlayer that completed; not used
 */
public void onCompletion(MediaPlayer p0){
    String path = this.this$0.filePath;
    YSQDActivity.access$000(this.this$0).setText(YSQDActivity.extractDataFromFile(path));
}
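/**
 * Looks for the marker {@code "flag{"} in the last 30 bytes of the file at {@code p0} and
 * returns the match up to and including the first {@code '}'} that follows it.
 *
 * The decompiled loop re-read a 30-byte window at every offset from {@code length-30} to
 * {@code length-1}. Every later window is a suffix of the first one, and {@code indexOf}
 * on the first window already finds the earliest occurrence, so a single read of the tail
 * returns exactly the same value without the redundant reads.
 *
 * Fixes relative to the decompiled version:
 * - the {@link RandomAccessFile} was leaked on any exception (no try-with-resources);
 * - for files shorter than 30 bytes the buffer was zero-padded, so a marker with no closing
 *   brace in the window returned a string containing NUL characters — the buffer is now
 *   sized to the file;
 * - the return value of {@code read()} was ignored; {@code readFully} is used instead;
 * - a {@code null} path is rejected up front instead of relying on a caught NPE.
 *
 * Kept for compatibility: a marker with no closing brace inside the window is returned with
 * a synthesized {@code "}"} appended, and I/O failures are logged and yield {@code null}
 * (the caller simply displays the result, so a missing file degrades to an empty TextView).
 *
 * @param p0 path of the file to inspect; the flag is expected near the end of the video file
 * @return the {@code "flag{...}"} string, or {@code null} when the path is null, the file is
 *         empty or unreadable, or no marker sits in the last 30 bytes
 */
public static String extractDataFromFile(String p0){
    final String marker = "flag{";
    final int window = 30;
    if (p0 == null) {
        return null;
    }
    try (RandomAccessFile file = new RandomAccessFile(p0, "r")) {
        long length = file.length();
        if (length <= 0) {
            return null;
        }
        // Only the tail can match: every window the original loop read was a suffix of this one.
        byte[] tail = new byte[(int) Math.min(window, length)];
        file.seek(length - tail.length);
        file.readFully(tail);
        String text = new String(tail, StandardCharsets.UTF_8);
        int at = text.indexOf(marker);
        if (at == -1) {
            return null;
        }
        String rest = text.substring(at);
        int close = rest.indexOf('}');
        // Same result as the original split("\\}")[0] + "}", including the synthesized brace
        // when the window holds no closing brace.
        return close == -1 ? rest + "}" : rest.substring(0, close + 1);
    } catch (java.io.IOException e) {
        e.printStackTrace();
        return null;
    }
}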
废话不多说，直接用 root 权限启动目标 Activity，绕过 WebView 里的游戏逻辑（未 root 的设备只有在该 Activity 为 exported 时才能这样启动，反编译片段里看不到清单，需自行确认）
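# Launch YSQDActivity directly, skipping the WebView game. `su -c` expects one command
# string, so quote it: how an unquoted `-c cmd arg arg...` is handled differs between su
# implementations and can leave `am` running without its arguments. Needs a rooted device
# or emulator; without root this only works if YSQDActivity is exported (manifest not shown here).
adb shell "su -c 'am start-activity -n com.zj.wuaipojie2024_1/.YSQDActivity'"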
或frida
主动调用
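/**
 * Makes `targetClass` resolvable by Java.use().
 *
 * Java.use() only consults Java.classFactory.loader (the app's default loader). Classes
 * that live in another loader (dynamically loaded dex, plugin frameworks) throw there, so
 * on failure every live ClassLoader is asked via findClass() and a loader that succeeds
 * is installed as the factory loader. Java.enumerateClassLoaders is synchronous in the
 * Java bridge, so the loader is in place before this function returns.
 *
 * Change from the original helper: the original failed silently when no loader knew the
 * class, leaving the caller's next Java.use() to throw a less specific error, and gave the
 * caller no way to tell. It now logs that case and returns a boolean (callers that ignore
 * the return value behave as before).
 *
 * @param {string} targetClass fully-qualified Java class name
 * @returns {boolean} true if Java.use(targetClass) should now succeed
 */
function checkClass(targetClass){
    try{
        Java.use(targetClass);
        return true;
    }catch(error){
        var found = false;
        Java.enumerateClassLoaders({
            onMatch: function (loader) {
                try{
                    if(loader.findClass(targetClass)) {
                        // Last matching loader wins, as in the original.
                        Java.classFactory.loader = loader;
                        found = true;
                    }
                }catch(e){
                    console.log('classloader failed' + e);
                }
            },
            onComplete: function () {}
        });
        if (!found) {
            console.log('no ClassLoader could resolve ' + targetClass);
        }
        return found;
    }
}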
// Resolve the Activity class and call its static flag extractor directly — no game, no video.
// The class-name literal escapes '_' as %5f and is decoded at runtime, so the value is
// com.zj.wuaipojie2024_1.YSQDActivity. The path is the app's private files directory
// (/data/user/0/<pkg>/files), which the app process can read, so the call runs with the
// app's own permissions.
Java.perform(function() {
    var className = decodeURIComponent('com.zj.wuaipojie2024%5f1.YSQDActivity');
    var videoPath = "/data/user/0/com.zj.wuaipojie2024_1/files/ys.mp4";
    checkClass(className);
    var activity = Java.use(className);
    // extractDataFromFile is static, so no Activity instance is needed.
    console.log(activity.extractDataFromFile(videoPath));
})
// flag{happy_new_year_2024}