1. apk 安装到手机,是一个cocos2dx 写的打飞机的游戏
题目描述跟得分有关(题目描述: play the game, get the highest score)
2. jadx 打开apk
public class FirstTest extends Cocos2dxActivity {
/* JADX INFO: Access modifiers changed from: protected */
@Override // org.cocos2dx.lib.Cocos2dxActivity, android.app.Activity
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
a haha = new a(this, "flag");
haha.d("YmF6aW5nYWFhYQ==");
a hehe = new a(this, "Cocos2dxPrefsFile");
hehe.d("N0");
}
@Override // org.cocos2dx.lib.Cocos2dxActivity
public Cocos2dxGLSurfaceView onCreateView() {
Cocos2dxGLSurfaceView glSurfaceView = new Cocos2dxGLSurfaceView(this);
a hehe = new a(this, "Cocos2dxPrefsFile");
hehe.d("MG");
glSurfaceView.setEGLConfigChooser(5, 6, 5, 0, 16, 8);
return glSurfaceView;
}
static {
System.loadLibrary("cocos2dcpp");
}
}
public class a {
private SharedPreferences editor;
public a(Context arg1, String arg2) {
this.editor = null;
this.editor = arg1.getSharedPreferences(arg2, 0);
}
public void b() {
this.editor.edit().putString("DATA", "").commit();
}
public String c() {
return this.editor.getString("DATA", "");
}
public void d(String arg1) {
this.editor.edit().putString("DATA", String.valueOf(String.valueOf(c())) + arg1).commit();
}
}
可以看到在java层信息不多,在操作两个sharefpreference,玩一下游戏看看变化,结果发现打飞机随着分数的变化会持续的往sharefpreference里面写数据
3. IDA 打开so,搜索update 或者score看看,发现updateScore函数
cocos2d::CCUserDefault *__fastcall ControlLayer::updateScore(cocos2d::CCUserDefault *this, int a2)
{
......
while ( v2 != 4 );
if ( a2 <= &MEMORY[0x3B9ACA00] )
{
v4 = cocos2d::CCUserDefault::sharedUserDefault(this);
sub_D08D04D8(v21, &byte_D09262A0, v19);
cocos2d::CCUserDefault::getStringForKey(v20, v4, &v33, v21);
v5 = sub_D08CEDDC(v21);
switch ( a2 )
{
case 100:
v6 = cocos2d::CCUserDefault::sharedUserDefault(v5);
std::operator+<char>(v22, v20, "MW");
cocos2d::CCUserDefault::setStringForKey(v6, &v33, v22);
v7 = v22;
break;
case 600:
v8 = cocos2d::CCUserDefault::sharedUserDefault(v5);
std::operator+<char>(v23, v20, "Rf");
cocos2d::CCUserDefault::setStringForKey(v8, &v33, v23);
v7 = v23;
break;
case 700:
v9 = cocos2d::CCUserDefault::sharedUserDefault(v5);
std::operator+<char>(v24, v20, "Rz");
cocos2d::CCUserDefault::setStringForKey(v9, &v33, v24);
v7 = v24;
break;
case 3000:
v10 = cocos2d::CCUserDefault::sharedUserDefault(v5);
std::operator+<char>(v25, v20, "Bt");
cocos2d::CCUserDefault::setStringForKey(v10, &v33, v25);
v7 = v25;
break;
case 5600:
v11 = cocos2d::CCUserDefault::sharedUserDefault(v5);
std::operator+<char>(v26, v20, "RV");
cocos2d::CCUserDefault::setStringForKey(v11, &v33, v26);
v7 = v26;
break;
case 9900:
v12 = cocos2d::CCUserDefault::sharedUserDefault(v5);
std::operator+<char>(v27, v20, "9Z");
cocos2d::CCUserDefault::setStringForKey(v12, &v33, v27);
v7 = v27;
break;
case 18000:
v13 = cocos2d::CCUserDefault::sharedUserDefault(v5);
std::operator+<char>(v28, v20, "b1");
cocos2d::CCUserDefault::setStringForKey(v13, &v33, v28);
v7 = v28;
break;
case 88800:
v14 = cocos2d::CCUserDefault::sharedUserDefault(v5);
std::operator+<char>(v29, v20, "Vf");
cocos2d::CCUserDefault::setStringForKey(v14, &v33, v29);
v7 = v29;
break;
case 100000:
v15 = cocos2d::CCUserDefault::sharedUserDefault(v5);
std::operator+<char>(v30, v20, "S2");
cocos2d::CCUserDefault::setStringForKey(v15, &v33, v30);
v7 = v30;
break;
default:
if ( a2 != &MEMORY[0x3B9ACA00] )
{
LABEL_25:
v17 = cocos2d::CCString::createWithFormat("%d", a2);
(*(**(v18 + 66) + 428))(*(v18 + 66), *(v17 + 20));
return sub_D08CEDDC(v20);
}
v16 = cocos2d::CCUserDefault::sharedUserDefault(v5);
std::operator+<char>(v31, v20, "4w");
cocos2d::CCUserDefault::setStringForKey(v16, &v33, v31);
v7 = v31;
break;
}
sub_D08CEDDC(v7);
goto LABEL_25;
}
return this;
}
可以看到是顺着得分的增加,会追加字符到sharedpreference,加上一启动就会写入的前缀和游戏结束就会写入的后缀可以得到 MGN0ZntDMGNvUzJkX0FuRHJvMWRfRzBtRV9Zb1VfS24wdz99
base64解得0ctf{C0coS2d_AnDro1d_G0mE_YoU_Kn0w?}