1. apk 安装到手机, 啥输入框都没有
2. apk拖入到jadx中看看
public class MainActivity extends Activity {
@Override // android.app.Activity
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
TextView tv = new TextView(getApplicationContext());
tv.setText("Select the activity you wish to interact with.To-Do: Add buttons to select activity, for now use Send_to_Activity");
setContentView(tv);
IntentFilter filter = new IntentFilter();
filter.addAction("com.ctf.INCOMING_INTENT");
Send_to_Activity receiver = new Send_to_Activity();
registerReceiver(receiver, filter, Manifest.permission._MSG, null);
}
}
大概就是动态注册了一个广播接收器,看看接收器代码
/* loaded from: classes.dex */
public class Send_to_Activity extends BroadcastReceiver {
@Override // android.content.BroadcastReceiver
public void onReceive(Context context, Intent intent) {
String msgText = intent.getStringExtra("msg");
if (msgText.equalsIgnoreCase("ThisIsTheRealOne")) {
Intent outIntent = new Intent(context, ThisIsTheRealOne.class);
context.startActivity(outIntent);
} else if (msgText.equalsIgnoreCase("IsThisTheRealOne")) {
Intent outIntent2 = new Intent(context, IsThisTheRealOne.class);
context.startActivity(outIntent2);
} else if (msgText.equalsIgnoreCase("DefinitelyNotThisOne")) {
Intent outIntent3 = new Intent(context, DefinitelyNotThisOne.class);
context.startActivity(outIntent3);
} else {
Toast.makeText(context, "Which Activity do you wish to interact with?", 1).show();
}
}
}
广播接收就跳转到各个activity,直接使用objecttion来实现直接跳到对应的activity
└─# objection -g com.example.hellojni explore
A newer version of objection is available!
You have v1.9.6 and v1.11.0 is ready for download.
Upgrade with: pip3 install objection --upgrade
For more information, please see: https://github.com/sensepost/objection/wiki/Updating
Using USB device `MI 5X`
Agent injected and responds ok!
_ _ _ _
___| |_|_|___ ___| |_|_|___ ___
| . | . | | -_| _| _| | . | |
|___|___| |___|___|_| |_|___|_|_|
|___|(object)inject(ion) v1.9.6
Runtime Mobile Exploration
by: @leonjza from @sensepost
[tab] for command suggestions
com.example.hellojni on (xiaomi: 8.1.0) [usb] # android intent launch_activity com.example.application.Def
initelyNotThisOne
(agent) Starting activity com.example.application.DefinitelyNotThisOne...
(agent) Activity successfully asked to start.
com.example.hellojni on (xiaomi: 8.1.0) [usb] # android intent launch_activity com.example.application.IsT
hisTheRealOne
(agent) Starting activity com.example.application.IsThisTheRealOne...
(agent) Activity successfully asked to start.
com.example.hellojni on (xiaomi: 8.1.0) [usb] #
每个activity 都使用了一个native函数, hook住它,看看有没有什么发现
3. 编写脚本
function main() {
Java.perform(function() {
var DefinitelyNotThisOneHandler = Java.use('com.example.application.DefinitelyNotThisOne')
DefinitelyNotThisOneHandler.definitelyNotThis.implementation = function(arg0, arg1) {
console.log('DefinitelyNotThisOneHandler called: ' + arg0 + " \n" + arg1)
var ret = this.definitelyNotThis(arg0, arg1)
console.log('DefinitelyNotThisOneHandler ret: ' + ret )
return ret
}
var ThisIsTheRealOneHandler = Java.use('com.example.application.ThisIsTheRealOne')
ThisIsTheRealOneHandler.orThat.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(arg0, arg1, arg2) {
console.log('ThisIsTheRealOneHandler called: ' + arg0 + " \n" + arg1 + " \n" + arg2)
var ret = this.orThat(arg0, arg1, arg2)
console.log('ThisIsTheRealOneHandler ret: ' + ret )
return ret
}
var IsThisTheRealOneHandler = Java.use('com.example.application.IsThisTheRealOne')
IsThisTheRealOneHandler.perhapsThis.overload('java.lang.String', 'java.lang.String', 'java.lang.String').implementation = function(arg0, arg1, arg2) {
console.log('IsThisTheRealOneHandler called: ' + arg0 + " \n" + arg1 + " \n" + arg2)
var ret = this.perhapsThis(arg0, arg1, arg2)
console.log('IsThisTheRealOneHandler ret: ' + ret )
return ret
}
})
}
setImmediate(main)
日志
(hooker_3.8.5) ┌──(hooker_3.8.5)(root㉿r0env)-[~/Documents/code_dir/study/20230215/001]
└─# frida -U com.example.hellojni -l lesson16.js --no-pause
____
/ _ | Frida 14.2.2 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://www.frida.re/docs/home/
[MI 5X::com.example.hellojni]-> DefinitelyNotThisOneHandler called: YjYwYWZjMjRkMhVhZTQhZDIwZGFkNWJhMGZmZGYiYmQaMmFkMjBiMTEhNDAtMzMzMjdlZmEWNzU?
MzYwNjMeNjgxNWZkNGQeOTFhOTIhNDkiMDVhNDBkYTAyNWQtYhYxNWYwOTUxMzZiMTlmMzciMjM?
DefinitelyNotThisOneHandler ret: Told you so!
[MI 5X::com.example.hellojni]->
[MI 5X::com.example.hellojni]->
[MI 5X::com.example.hellojni]->
[MI 5X::com.example.hellojni]-> IsThisTheRealOneHandler called: TRytfrgooq|F{i-JovFBungFk\VlphgQbwvj~HuDgaeTzuSt.@Lex^~
ZGFkNGIwYzIWYjEzMTUWNjVjNTVlNjZhOGJkNhYtODIyOGEaMTMWNmQaOTVjZjkhMzRjYmUzZGE?
MzQxZTZmZjAxMmIiMWUzNjUxMmRiYjIxNDUwYTUxMWItZGQzNWUtMzkyOWYyMmQeYjZmMzEaNDQ?
IsThisTheRealOneHandler ret: Congratulation!YouFoundTheRightActivityHereYouGo-CTF{IDontHaveABadjokeSorry}
日志中(返回值)发现flag
标签:___,ill,ret,intentions,activity,hellojni,Android,com,example From: https://www.cnblogs.com/gradyblog/p/17226991.html