出题人blog:[SHCTF]easyLogin(出题小记) – Sw’Blog
运行APK文件后发现一个要输入服务器地址的弹窗
这里输入地址后发现无法链接上去,弹窗去不了,无法进行一下一步
用Jadx分析源码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
| package com.swdd.easylogin;
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.os.Bundle;
import android.os.StrictMode;
import android.util.Log;
import android.view.View;
import android.widget.EditText;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
import com.swdd.easylogin.databinding.ActivityMainBinding;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.ProtocolException;
import java.net.URL;
public class MainActivity extends AppCompatActivity {
private ActivityMainBinding binding;
private int responseCode;
private int responseCode2;
private String serverAddress;
public native String getPassticket();
static {
System.loadLibrary("easylogin");
}
@Override
protected void onCreate(Bundle bundle) {
super.onCreate(bundle);
StrictMode.setThreadPolicy(new StrictMode.ThreadPolicy.Builder().permitAll().build());
ActivityMainBinding activityMainBindingInflate = ActivityMainBinding.inflate(getLayoutInflater());
this.binding = activityMainBindingInflate;
setContentView(activityMainBindingInflate.getRoot());
promptForServerAddress();
this.binding.loginButton.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View view) {
MainActivity.this.handleLogin();
}
});
}
public void handleLogin() {
String strTrim = this.binding.username.getText().toString().trim();
String strTrim2 = this.binding.password.getText().toString().trim();
String passticket = getPassticket();
if (strTrim.isEmpty() || strTrim2.isEmpty()) {
Toast.makeText(this, "Please enter both username and password.", 0).show();
return;
}
try {
String strSendRequest = sendRequest(this.serverAddress + "?username=" + strTrim + "&password=" + strTrim2 + "&passticket=" + passticket);
if (strSendRequest != null && strSendRequest.startsWith("SHCTF")) {
showAlert("Login Successful", strSendRequest);
} else if (this.responseCode2 == 203) {
Toast.makeText(this, "检测到新设备登录,请在旧设备上验证。", 0).show();
} else {
Toast.makeText(this, "Login failed. Check your credentials.", 0).show();
}
} catch (IOException e) {
Log.e("LoginError", "Error: " + e.getMessage());
Toast.makeText(this, "Login failed. Try again.", 0).show();
}
}
private String sendRequest(String str) throws IOException {
HttpURLConnection httpURLConnection = (HttpURLConnection) new URL(str).openConnection();
httpURLConnection.setRequestMethod("GET");
httpURLConnection.setConnectTimeout(5000);
httpURLConnection.setReadTimeout(5000);
int responseCode = httpURLConnection.getResponseCode();
this.responseCode2 = responseCode;
Log.i("ServerCheck", "Response code: " + responseCode);
if (responseCode == 200 || responseCode == 201 || responseCode == 202 || responseCode == 203) {
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpURLConnection.getInputStream()));
StringBuilder sb = new StringBuilder();
while (true) {
String line = bufferedReader.readLine();
if (line != null) {
sb.append(line);
} else {
bufferedReader.close();
httpURLConnection.disconnect();
return sb.toString();
}
}
} else {
httpURLConnection.disconnect();
return null;
}
}
public void promptForServerAddress() {
AlertDialog.Builder builder = new AlertDialog.Builder(this);
builder.setTitle("Enter Server Address");
builder.setCancelable(false);
final EditText editText = new EditText(this);
editText.setInputType(17);
builder.setView(editText);
builder.setPositiveButton("Connect", new DialogInterface.OnClickListener() {
@Override
public void onClick(DialogInterface dialogInterface, int i) {
String strTrim = editText.getText().toString().trim();
MainActivity mainActivity = MainActivity.this;
mainActivity.serverAddress = mainActivity.validateAddress(strTrim);
MainActivity mainActivity2 = MainActivity.this;
if (mainActivity2.isServerReachable(mainActivity2.serverAddress)) {
if (MainActivity.this.responseCode == 200 || MainActivity.this.responseCode == 201 || MainActivity.this.responseCode == 202 || MainActivity.this.responseCode == 203) {
Toast.makeText(MainActivity.this, "Connected successfully!", 0).show();
return;
}
return;
}
Toast.makeText(MainActivity.this, "Connection failed. Try again.", 0).show();
MainActivity.this.promptForServerAddress();
}
});
builder.show();
}
public String validateAddress(String str) {
return (str.startsWith("http://") || str.startsWith("https://")) ? str : "http://" + str;
}
public boolean isServerReachable(String str) throws ProtocolException {
try {
HttpURLConnection httpURLConnection = (HttpURLConnection) new URL(str).openConnection();
httpURLConnection.setRequestMethod("GET");
httpURLConnection.setConnectTimeout(5000);
httpURLConnection.setReadTimeout(5000);
httpURLConnection.connect();
this.responseCode = httpURLConnection.getResponseCode();
Log.i("ServerCheck", "Response code: " + this.responseCode);
httpURLConnection.disconnect();
int i = this.responseCode;
return i == 200 || i == 201 || i == 202 || i == 203;
} catch (IOException e) {
Log.e("ServerCheck", "Error checking server: " + e.getMessage());
return false;
}
}
private void showAlert(String str, String str2) {
new AlertDialog.Builder(this).setTitle(str).setMessage(str2).setPositiveButton("OK", (DialogInterface.OnClickListener) null).show();
}
}
|
这里的主要逻辑就是用户先输入服务器网址,然后进入登入界面输入正确用户名和密码,然后从native调用获取passticket组成HTTP GET请求,正确的话服务器就会直接返回flag
题目给了相关描述:
1
| 你能帮我登陆上我的账号吗?我只记得我原来的账号是SWDD,密码是U1dERCBpcyB4aWFvbWVuZydzIERBRC4u,设备id是a24256ec5983b4a8
|
Hook去弹窗
可以看到promptForServerAddress (),validateAddress ()和 isServerReachable ()这三个方法就是弹窗的校验逻辑
promptForServerAddress ()弹出一个不可取消的输入对话框;validateAddress ()让用户输入服务器地址,自动给服务器地址补全 http:// 前缀;isServerReachable ()发送 GET 请求,检测服务器是否能正常响应,返回连通结果。
这里可以直接进行编写frida hook脚本进行去弹窗
1
2
3
4
5
6
7
8
9
10
11
12
13
| function hook() {
var MainActivity = Java.use('com.swdd.easylogin.MainActivity');
MainActivity.isServerReachable.implementation = function(str) {
console.log("[+] Hook成功跳过服务器弹窗\n ");
this.responseCode.value = 200;
return true;
}
console.log("[+] Hook完成\n");
}
function main() {
hook();
}
setImmediate(main)
|
发现frida附加不上,加了反调试
反调试分析
在.so文件中的init_array段可以找到反调试,init_array段有什么特殊的呢为什在则个地方可以添加反调?
因为ELF文件的加载顺序是:
1
2
3
4
5
6
7
8
9
10
11
12
13
| 加载 SO
↓
.init_array
↓
JNI_OnLoad()
↓
【等待 Java 调用】
↓
Java 调用 check()
↓
系统根据函数名自动匹配 Java_包名_类名_check
↓
执行函数
|
init_array 的执行时机在调用函数之前
将整个函数直接改为ret然后用MT管理器将改后的.so文件替换,签名并安装新app即可进行hook
Native层分析
找到主要函数Java_com_swdd_easylogin_MainActivity_getPassticket
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
| __int64 __fastcall Java_com_swdd_easylogin_MainActivity_getPassticket(__int64 a1, __int64 a2)
{
__int64 v4;
__int64 v5;
__int64 v6;
__int64 v7;
__int64 v8;
__int64 v9;
__int64 v10;
const char *v11;
size_t v12;
long double v13;
double v14;
size_t v15;
char *v16;
unsigned __int64 v17;
double v18;
_DWORD *v19;
double v20;
char *v21;
char *v22;
int v23;
char *v24;
__int64 v25;
unsigned __int64 v26;
bool v27;
unsigned __int64 v28;
char *v29;
bool v30;
int v31;
int v32;
unsigned __int64 v33;
unsigned __int64 v34;
unsigned __int64 v35;
signed __int64 v36;
__int64 v37;
__int64 v38;
unsigned __int64 v39;
__int64 v40;
double v41;
char *v42;
double v43;
double v44;
int v45;
int v46;
int v47;
int i;
double j;
unsigned __int64 v50;
int v51;
__n128 v52;
unsigned __int64 v53;
size_t v54;
size_t v55;
char *v56;
unsigned __int64 v57;
const char *v58;
__n128 v59;
unsigned __int64 v60;
__int64 v62;
int v63;
char *v64;
__int64 v65;
double v66;
char *v67;
unsigned __int64 v68;
__int64 v69;
size_t v70;
void *v71;
_QWORD v72[2];
char *v73;
double v74;
_DWORD *v75;
char *v76;
char s[8];
__int64 v78;
v78 = *(_ReadStatusReg(TPIDR_EL0) + 40);
v4 = (*(*a1 + 48LL))(a1, "android/provider/Settings$Secure");
v5 = (*(*a1 + 904LL))(a1, v4, "getString", "(Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;");
v6 = (*(*a1 + 48LL))(a1, "android/content/Context");
v7 = (*(*a1 + 264LL))(a1, v6, "getContentResolver", "()Landroid/content/ContentResolver;");
v8 = _JNIEnv::CallObjectMethod(a1, a2, v7);
v9 = (*(*a1 + 1336LL))(a1, "android_id");
v10 = _JNIEnv::CallStaticObjectMethod(a1, v4, v5, v8, v9);
v62 = a1;
v11 = (*(*a1 + 1352LL))(a1, v10, 0);
__android_log_print(4, "NativeCode", "Device ID: %s", v11);
v12 = strlen(v11);
if ( v12 >= 0xFFFFFFFFFFFFFFF0LL )
std::__basic_string_common<true>::__throw_length_error(&v69);
v15 = v12;
if ( v12 >= 0x17 )
{
v17 = (v12 + 16) & 0xFFFFFFFFFFFFFFF0LL;
v16 = operator new(v17);
v70 = v15;
v71 = v16;
v69 = v17 | 1;
}
else
{
v16 = &v69 + 1;
LOBYTE(v69) = 2 * v12;
if ( !v12 )
goto LABEL_7;
}
memcpy(v16, v11, v15);
LABEL_7:
v18 = 0.0;
v19 = 0;
v20 = 0.0;
v21 = 0;
v22 = 0;
v23 = 0;
v16[v15] = 0;
v24 = 0;
v25 = 0x4A000u;
v74 = 0.0;
v75 = 0;
v76 = 0;
while ( 1 )
{
LOBYTE(v13) = byte_4A700;
LOBYTE(v14) = byte_4A6FC;
v14 = *&v14;
*&v13 = (*&v13 + v14 * -2.0) * ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8);
*s = *&v13;
if ( (byte_4A6F0 + 7) / byte_4A6F4 != byte_4A6F8 && byte_4A6FC + 21 * byte_4A760 != 3 )
break;
v14 = ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8);
*&v13 = *s * v14;
if ( v23 >= (*s * v14) )
goto LABEL_52;
LABEL_14:
v63 = v23;
v26 = v69 >> 1;
if ( (v69 & 1) != 0 )
{
v26 = v70;
v27 = 0;
}
else
{
v27 = 1;
}
if ( v26 )
{
v28 = 0;
do
{
v29 = v71;
v30 = !v27;
v31 = 0;
v32 = 0;
v33 = v28 | 1;
v34 = v28 | 2;
if ( !v30 )
v29 = &v69 + 1;
v35 = v28 | 3;
while ( 1 )
{
LOBYTE(v13) = byte_4A700;
LOBYTE(v14) = byte_4A6FC;
v14 = *&v14;
*&v13 = (*&v13 + v14 * -2.0) * ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8);
*s = *&v13;
if ( (byte_4A6F0 + 7) / byte_4A6F4 != byte_4A6F8 && byte_4A6FC + 21 * byte_4A760 != 3 )
break;
v14 = ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8);
*&v13 = *s * v14;
if ( v32 >= (*s * v14) )
goto LABEL_19;
LABEL_33:
if ( v28 < v26 )
{
v31 |= v29[v28];
if ( v33 < v26 )
{
v31 |= v29[v33] << 8;
if ( v34 < v26 )
{
v31 |= v29[v34] << 16;
if ( v35 < v26 )
v31 |= v29[v35] << 24;
}
}
}
++v32;
}
if ( v32 < 6 )
goto LABEL_33;
LABEL_19:
if ( v22 == v21 )
{
v64 = v24;
v36 = &v21[-*&v20];
v37 = &v21[-*&v20] >> 2;
if ( (v37 + 1) >> 62 )
{
v74 = v18;
v75 = v19;
v76 = v64;
std::__vector_base_common<true>::__throw_length_error(&v74);
}
v38 = v36 >> 1;
if ( v36 >> 1 < (v37 + 1) )
v38 = v37 + 1;
v39 = 0x3FFFFFFFFFFFFFFFLL;
if ( v36 < 0x7FFFFFFFFFFFFFFCLL )
v39 = v38;
v68 = v39;
if ( v39 )
{
if ( v39 >> 62 )
{
v74 = v18;
v76 = v64;
sub_1FE84("allocator<T>::allocate(size_t n) 'n' exceeds maximum supported size");
}
v65 = v37;
v66 = v20;
*&v40 = COERCE_DOUBLE(operator new(4 * v39));
v37 = v65;
v20 = v66;
v18 = *&v40;
}
else
{
v18 = 0.0;
}
v22 = (*&v18 + 4 * v37);
*v22 = v31;
if ( v36 >= 1 )
{
v41 = v20;
v67 = (*&v18 + 4 * v37);
memcpy(*&v18, *&v20, v36);
v22 = v67;
v20 = v41;
}
v24 = (*&v18 + 4 * v68);
if ( v20 != 0.0 )
{
v42 = v22;
operator delete(*&v20);
v22 = v42;
}
v20 = v18;
v21 = (*&v18 + 4 * v68);
}
else
{
*v22 = v31;
}
v19 = v22 + 4;
v28 += 4LL;
v22 += 4;
v26 = v69 >> 1;
v27 = (v69 & 1) == 0;
if ( (v69 & 1) != 0 )
v26 = v70;
}
while ( v28 < v26 );
}
v23 = v63 + 1;
}
if ( v23 < 6 )
goto LABEL_14;
LABEL_52:
v74 = v18;
v75 = v19;
v43 = -2.0;
v76 = v24;
LOBYTE(v13) = byte_4A700;
LOBYTE(v14) = byte_4A6FC;
v44 = *&v14;
*s = (*&v13 + v44 * -2.0) * ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8);
v45 = 0;
v46 = -2128831035;
*&v13 = -2.0;
LABEL_54:
LOBYTE(v44) = byte_4A700;
LOBYTE(v43) = byte_4A6FC;
v43 = *&v43;
v44 = (*&v44 + v43 * -2.0) * ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8);
*s = v44;
if ( (byte_4A6F0 + 7) / byte_4A6F4 != byte_4A6F8 && byte_4A6FC + 21 * byte_4A760 != 3 )
{
if ( v45 >= 6 )
goto LABEL_75;
goto LABEL_59;
}
v43 = ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8);
v44 = *s * v43;
if ( v45 < (*s * v43) )
{
LABEL_59:
v47 = 0;
while ( 1 )
{
for ( i = 0; ; ++i )
{
LOBYTE(v44) = byte_4A700;
LOBYTE(v43) = byte_4A6FC;
v43 = *&v43;
v44 = (*&v44 + v43 * -2.0) * ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8);
*s = v44;
if ( (byte_4A6F0 + 7) / byte_4A6F4 != byte_4A6F8 && byte_4A6FC + 21 * byte_4A760 != 3 )
break;
v43 = ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8);
v44 = *s * v43;
if ( i >= (*s * v43) )
goto LABEL_60;
LABEL_68:
for ( j = v18; *&j != v19; v46 = -1028477387
* ((-2048144789 * (v50 >> 19)) ^ ((-2048144789 * (v50 >> 19)) >> 15)) )
{
v51 = **&j;
LOBYTE(v44) = byte_4A700;
LOBYTE(v43) = byte_4A6FC;
v43 = *&v43;
v44 = (*&v44 + v43 * -2.0) * ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8);
*s = v44;
if ( (byte_4A6F0 + 7) / byte_4A6F4 == byte_4A6F8 || byte_4A6FC + 21 * byte_4A760 == 3 )
v44 = *s;
*&j += 4LL;
HIDWORD(v50) = v51 ^ v46;
LODWORD(v50) = v51 ^ v46;
}
}
if ( i < 6 )
goto LABEL_68;
LABEL_60:
if ( ++v47 == 3 )
{
++v45;
goto LABEL_54;
}
}
}
LABEL_75:
v52 = sub_1FDE4(s, v13);
v52.n128_u8[0] = byte_4A700;
LOBYTE(v53) = byte_4A6FC;
if ( (byte_4A6F0 + 7) / byte_4A6F4 != byte_4A6F8 && byte_4A6FC + 21 * byte_4A760 != 3
|| ((v52.n128_u64[0] + v53 * -2.0)
* ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8)
* ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8)) >= 1 )
{
v54 = strlen(s);
if ( v54 >= 0xFFFFFFFFFFFFFFF0LL )
std::__basic_string_common<true>::__throw_length_error(v72);
v55 = v54;
if ( v54 >= 0x17 )
{
v57 = (v54 + 16) & 0xFFFFFFFFFFFFFFF0LL;
v56 = operator new(v57);
v72[1] = v55;
v73 = v56;
v72[0] = v57 | 1;
}
else
{
v56 = v72 + 1;
LOBYTE(v72[0]) = 2 * v54;
if ( !v54 )
{
LABEL_84:
v18 = v74;
v56[v55] = 0;
goto LABEL_85;
}
}
memcpy(v56, s, v55);
goto LABEL_84;
}
LABEL_85:
if ( v18 != 0.0 )
operator delete(*&v18);
if ( (v69 & 1) != 0 )
operator delete(v71);
if ( (v72[0] & 1) != 0 )
v58 = v73;
else
v58 = v72 + 1;
__android_log_print(4, "NativeCode", "Hashed Device ID: %s", v58);
v59 = (*(*v62 + 1360LL))(v62, v10, v11);
v59.n128_u8[0] = byte_4A700;
LOBYTE(v60) = byte_4A6FC;
v74 = (v59.n128_u64[0] + v60 * -2.0) * ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8);
if ( ((byte_4A6F0 + 7) / byte_4A6F4 == byte_4A6F8 || byte_4A6FC + 21 * byte_4A760 == 3)
&& (v74 * ((byte_4A6F0 + 7) / byte_4A6F4 - byte_4A6F8)) <= 0 )
{
if ( (v72[0] & 1) != 0 )
LABEL_96:
operator delete(v73);
}
else
{
v25 = (*(*v62 + 1336LL))(v62);
if ( (v72[0] & 1) != 0 )
goto LABEL_96;
}
return v25;
}
|
这里是一个对设备ID进行一个hash加密,然后返回Hash值作为passticket,这边可以进行hook __android_log_print函数的到设备的ID以及输出的Hash
先使用Module.enumerateImports("libeasylogin.so")查看导入表
可以发现__android_log_print来自于libc.so,编写hook脚本获取ID和Hash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| function hook() {
var MainActivity = Java.use('com.swdd.easylogin.MainActivity');
MainActivity.isServerReachable.implementation = function(str) {
console.log("[+] Hook成功跳过服务器弹窗\n ");
this.responseCode.value = 200;
return true;
}
var adress = Module.findExportByName("libeasylogin.so", "__android_log_print");
Interceptor.attach(adress,{
onEnter:function(args){
console.log("[+] 开始Hook ID\n");
console.log(Memory.readUtf8String(args[3]));
},onLeave:function(retval){
}
})
console.log("[+] Hook完成\n");
}
function main() {
Java.perform(function(){
hook();
})
}
setImmediate(main)
|
发现Device ID与题目给的a24256ec5983b4a8不同,进行hook得到正确Passticket
最终Hook脚本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
| function hook() {
var Settings = Java.use("android.provider.Settings$Secure");
Settings.getString.overload(
'android.content.ContentResolver',
'java.lang.String'
).implementation = function(cr, name) {
if (name === "android_id") {
console.log("[+] 拦截 android_id,替换为目标设备 ID");
return "a24256ec5983b4a8";
}
return this.getString(cr, name);
};
var MainActivity = Java.use('com.swdd.easylogin.MainActivity');
MainActivity.isServerReachable.implementation = function(str) {
console.log("[+] Hook成功跳过服务器弹窗\n ");
this.responseCode.value = 200;
return true;
}
var adress = Module.findExportByName("libeasylogin.so", "__android_log_print");
Interceptor.attach(adress,{
onEnter:function(args){
console.log("[+] 开始Hook ID\n");
console.log(Memory.readUtf8String(args[3]));
},onLeave:function(retval){
}
})
console.log("[+] Hook完成\n");
}
function main() {
Java.perform(function(){
hook();
})
}
setImmediate(main)
|
得到Passticket = 2161b139
用curl 发送正确的 HTTP GET 请求:
1
| curl "http://192.168.137.1:49632/?username=SWDD&password=U1dERCBpcyB4aWFvbWVuZydzIERBRC4u&passticket=2161b139"
|
得到flag : SHCTF{68a46f2c-a8c0-4d66-ad31-084706c8332a}
![[2025软件系统安全赛]HappyLock](/img/%E5%8A%A8%E6%BC%AB%E5%B0%91%E5%A5%B3-%E5%AE%A4%E5%86%85%E5%9C%BA%E6%99%AF.png)
![[流量分析]2024强网杯-谍影重重5.0](/img/image_download_1733483405943_compressed.jpg)
![[SHCTF2024]easyLogin](/img/Image_437531313133693_compressed.jpg)
