app2 - Android reverse
1. Extract the files
Change the suffix of the app installation package (the .apk) to .zip and decompress it; the three files we need are inside.
Then convert the dex file to a jar with dex2jar, which yields a jar containing most of the program logic.
Use AXMLPrinter2.jar to decode the packed AndroidManifest.xml into readable XML.
2. Analyzing the files
Open the jar file with JD-GUI and find MainActivity.class, because under normal circumstances MainActivity is the first page the app loads.
From its contents you can see that the program reads two edit boxes and then launches SecondActivity through the Intent mechanism; let's take a look at that.
The contents of the two edit boxes are concatenated, encrypted by the doRawData function, and compared with VEIzd/V2UPYNdn/bxH3Xig==. To see what doRawData does, look at the function's logic.
The function is defined in a native shared library, so extract it from the lib folder.
There are three folders under lib, each containing one .so file; it does not matter which one you pick, they are all the same code, just built for different platforms. Pick one at random and drag it into IDA.
Find this function. IDA's analysis has a small problem here: the parameter a1 has to be retyped manually as JNIEnv*; you can change a variable's type by pressing Y on it.
It turns out to be AES encryption, and the key is "thisisatestkey==".
Write a decryption script, or use an online decryption website, and first try decrypting this ciphertext.
import base64
from Crypto.Cipher import AES          # pip install pycryptodome
from Crypto.Util.Padding import unpad

cipher = base64.b64decode("VEIzd/V2UPYNdn/bxH3Xig==")  # ciphertext compared in MainActivity
key = "thisisatestkey==".encode("utf-8")              # 16-byte AES key recovered from the .so
aes = AES.new(key, AES.MODE_ECB)                      # the native code uses plain ECB
msg = aes.decrypt(cipher)
try:
    msg = unpad(msg, AES.block_size)   # strip PKCS#7 padding if the block carries it
except ValueError:
    pass                               # not PKCS#7 padded; keep the raw block
print(msg.decode("utf-8", errors="replace"))
The plaintext obtained is
aimagetencent
After trying it, this is not the flag, and entering it in the app does not produce the flag either.
3. Analyzing the XML file
<activity
    android:label="@7F050001"
    android:name="com.tencent.testvuln.MainActivity">
    <intent-filter>
        <action android:name="android.intent.action.MAIN"></action>
        <category android:name="android.intent.category.LAUNCHER"></category>
    </intent-filter>
</activity>
<activity
    android:label="@7F050001"
    android:name="com.tencent.testvuln.SecondActivity">
</activity>
<activity
    android:name="com.tencent.testvuln.FileDataActivity">
    <intent-filter>
        <action android:name="android.intent.action.tencent"></action>
    </intent-filter>
</activity>
The manifest shows that this app has three Activities in total. MainActivity and SecondActivity have already been analyzed; only FileDataActivity is still unclear. Go back to JD-GUI and find FileDataActivity.class. There is a ciphertext in it; follow the decode call into IDA and take a look at what it does.
It should be AES decryption.
4. Obtaining the flag
Cas3_0f_A_CAK3
5. Another solution
# connect to the emulator
adb connect 127.0.0.1:62001
# get a shell
adb shell
# use am start to launch the FileDataActivity page
am start com.tencent.testvuln/.FileDataActivity
This gives the flag directly.
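The second solution works because FileDataActivity declares an intent-filter and no android:exported attribute, which makes it exported and therefore launchable from outside the app with am start. As an added check that is not part of the original writeup, the script below applies that rule to a decoded manifest (the kind AXMLPrinter2 produces) and lists every exported activity with its actions; the sample manifest is constructed from the three activity declarations above, wrapped in a minimal manifest element so it parses stand-alone.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: the three activities from the decoded manifest above,
# wrapped in a minimal <manifest> so the fragment parses on its own.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.tencent.testvuln">
  <application>
    <activity android:name="com.tencent.testvuln.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.tencent.testvuln.SecondActivity"/>
    <activity android:name="com.tencent.testvuln.FileDataActivity">
      <intent-filter>
        <action android:name="android.intent.action.tencent"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def is_exported(component):
    """Platform rule: an explicit android:exported wins; otherwise the
    component is exported iff it declares at least one <intent-filter>."""
    explicit = component.get(f"{{{ANDROID_NS}}}exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def exported_activities(manifest_xml):
    """Return {activity name: [action names]} for every activity that other
    apps (or adb) can start, so each one can be reviewed or given
    android:exported="false" if it was never meant to be reachable."""
    root = ET.fromstring(manifest_xml)
    result = {}
    for act in root.iter("activity"):
        if not is_exported(act):
            continue
        name = act.get(f"{{{ANDROID_NS}}}name")
        result[name] = [a.get(f"{{{ANDROID_NS}}}name") for a in act.iter("action")]
    return result


if __name__ == "__main__":
    for name, actions in exported_activities(SAMPLE_MANIFEST).items():
        print(f"{name}: exported, actions={actions}")
```

SecondActivity is not reported because it has neither an intent-filter nor an explicit exported flag, which matches why it was only reachable through MainActivity's Intent.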