2015-0CTF-vezel


Java static analysis
Challenge files: https://github.com/ctf-wiki/c…
1. Run

2. Locate the key code
public void confirm(View v) {
    // Hash of this package's signing certificate, as a decimal string
    String first = String.valueOf(getSig(getPackageName()));
    if (("0CTF{" + first + getCrc() + "}").equals(this.et.getText().toString())) {
        Toast.makeText(this, "Yes!", 0).show();
    } else {
        Toast.makeText(this, "0ops!", 0).show();
    }
}
flag: "0CTF{" + first + getCrc() + "}"
3. Detailed analysis
3.1 first
String first = String.valueOf(getSig(getPackageName()));
private int getSig(String packageName) {
    int sig = 0;
    try {
        // 64 == PackageManager.GET_SIGNATURES
        return getPackageManager().getPackageInfo(packageName, 64).signatures[0].toCharsString().hashCode();
    } catch (Exception e) {
        e.printStackTrace();
        return sig;
    }
}
The app's signature can be obtained by writing a small helper app:
MainActivity.java
package com.iromise.getsignature;

import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.text.TextUtils;
import android.util.Log;
import android.widget.Toast;

public class MainActivity extends AppCompatActivity {

    private StringBuilder builder;

    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        PackageManager manager = getPackageManager();
        builder = new StringBuilder();
        // Package name of the challenge app, which must be installed on the same device
        String pkgname = "com.ctf.vezel";
        boolean isEmpty = TextUtils.isEmpty(pkgname);
        if (isEmpty) {
            Toast.makeText(this, "应用程序的包名不能为空!", Toast.LENGTH_SHORT).show();
        } else {
            try {
                PackageInfo packageInfo = manager.getPackageInfo(pkgname, PackageManager.GET_SIGNATURES);
                Signature[] signatures = packageInfo.signatures;
                // Same expression as getSig() in the challenge app
                Log.i("hashcode", String.valueOf(signatures[0].toCharsString().hashCode()));
            } catch (PackageManager.NameNotFoundException e) {
                e.printStackTrace();
            }
        }
    }
}
Filtering the log gives:
07-18 11:05:11.895 16124-16124/? I/hashcode: -183971537
3.2 crc
Write a program to compute the CRC of classes.dex:
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.zip.CRC32;
import java.util.zip.CheckedInputStream;

public class crc {

    public static void main(String[] args) {
        if (args.length < 1) {
            System.out.println("Usage: java crc <file>");
            System.exit(-1);
        }
        System.out.println(args[0]);
        String path = args[0];
        String crc = loadCRC32(path);

        System.out.println("HEX:" + crc);
        // A CRC-32 is an unsigned 32-bit value, so parse it as a long;
        // Integer.parseInt throws for values above 7FFFFFFF
        System.out.println("DEC:" + Long.parseLong(crc, 16));
    }

    public static String loadCRC32(String filePath) {
        CRC32 crc32 = new CRC32();
        FileInputStream inputStream = null;
        CheckedInputStream checkedinputstream = null;
        String crcStr = null;
        try {
            inputStream = new FileInputStream(new File(filePath));
            checkedinputstream = new CheckedInputStream(inputStream, crc32);
            // Reading through the stream updates crc32; the bytes themselves are discarded
            while (checkedinputstream.read() != -1) {
            }
            crcStr = Long.toHexString(crc32.getValue()).toUpperCase();
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            if (inputStream != null) {
                try {
                    inputStream.close();
                } catch (IOException e2) {
                    e2.printStackTrace();
                }
            }
            if (checkedinputstream != null) {
                try {
                    checkedinputstream.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }

        return crcStr;
    }

}

java crc vezel/classes.dex
vezel/classes.dex
HEX:46E26557
DEC:1189242199
Note: on a Mac there is a ready-made command for this:
crc32 vezel/classes.dex
46e26557
Then it only needs to be converted to decimal.
4. Flag
0CTF{-1839715371189242199}
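
Both parts of the check can also be reproduced offline. The Python below is an added example, not code from the original write-up: it reimplements Java's String.hashCode() and reads the CRC-32 of classes.dex from the APK's ZIP directory, which stores the checksum of the uncompressed entry. The function names and the sample archive are constructed for illustration; the signature string (the output of toCharsString()) still has to be obtained separately.

```python
import io
import zipfile


def java_string_hashcode(s: str) -> int:
    """Java String.hashCode(): h = 31*h + c over UTF-16 code units, signed 32-bit."""
    h = 0
    data = s.encode("utf-16-be")
    for i in range(0, len(data), 2):
        unit = (data[i] << 8) | data[i + 1]
        h = (31 * h + unit) & 0xFFFFFFFF
    return h - 0x100000000 if h & 0x80000000 else h


def dex_crc_from_apk(apk, entry: str = "classes.dex") -> int:
    """Return the CRC-32 recorded in the ZIP central directory for `entry`.

    The recorded value covers the uncompressed data, so it equals the CRC-32
    of the extracted file. `apk` may be a path or a file-like object.
    """
    with zipfile.ZipFile(apk) as zf:
        return zf.getinfo(entry).CRC


def build_flag(sig_hash: int, dex_crc: int) -> str:
    """Mirror the string concatenation in confirm()."""
    return "0CTF{" + str(sig_hash) + str(dex_crc) + "}"


def make_sample_apk(dex_bytes: bytes) -> io.BytesIO:
    """Constructed stand-in for an APK: a ZIP that holds only classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex_bytes)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample bytes, not the challenge's classes.dex
    sample = make_sample_apk(b"dex\n035\x00constructed sample")
    print("sample CRC (decimal):", dex_crc_from_apk(sample))
    # Values reported on this page: the logcat hash and HEX:46E26557
    print(build_flag(-183971537, int("46E26557", 16)))
```

Because the archive already records the checksum, classes.dex does not need to be extracted before computing it.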