Re
艾克体悟题
Method 1. Practice with Frida
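// a.js
Java.perform(function () {
    let FlagActivity = Java.use("com.droidlearn.activity_travel.FlagActivity");
    // Hook the synthetic accessor access$004, which receives the FlagActivity instance
    FlagActivity["access$004"].implementation = function (instance) {
        // Set the counter on the instance before the original accessor runs
        instance.cnt.value = 100001;
        // Call the original implementation and pass its result through
        let ret = this.access$004(instance);
        return ret;
    };
});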
frida -UF -l .\a.js
Method 2. Using objection
Search the heap for the live instance, then modify the value of cnt.
android heap search instances com.droidlearn.activity_travel.FlagActivity --dump-args --dump-backtrace --dump-return
Hashcode Class toString()
--------- ------------------------------------------- ---------------------------------------------------
112045134 com.droidlearn.activity_travel.FlagActivity com.droidlearn.activity_travel.FlagActivity@6adac4e
android heap evaluate 112045134
clazz.cnt.value = 100001;
// Press Esc, then Enter to return
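The same heap search and field write as Method 2, written as a Frida script with Java.choose. This is an added example, not part of the original post; the helper name setCounterOnLiveInstances is made up here, and it assumes cnt is a plain numeric field, as the snippets above imply.

```javascript
// Added example: Frida counterpart of the objection "heap search" + "heap evaluate" steps.
// Class name, field name and value are the ones used on this page.
const TARGET = "com.droidlearn.activity_travel.FlagActivity";

// `bridge` is Frida's global Java object. It is passed in as a parameter
// (hypothetical helper design) so the logic can also be exercised with a stand-in.
function setCounterOnLiveInstances(bridge, className, value) {
  const patched = [];
  // Java.choose enumerates live heap instances of className.
  bridge.choose(className, {
    onMatch(instance) {
      const id = instance.hashCode();      // identifies the instance, like objection's Hashcode column
      const before = instance.cnt.value;   // instance fields are read and written through .value
      instance.cnt.value = value;
      patched.push({ id: id, before: before, after: instance.cnt.value });
    },
    onComplete() {},
  });
  return patched;
}

// Only runs inside a Frida session, where the Java bridge exists.
if (typeof Java !== "undefined") {
  Java.perform(function () {
    const result = setCounterOnLiveInstances(Java, TARGET, 100001);
    if (result.length === 0) {
      // No instance on the heap yet: the activity has not been created.
      console.log("no live " + TARGET + " instance found");
    }
    result.forEach(function (r) {
      console.log(r.id + ": cnt " + r.before + " -> " + r.after);
    });
  });
}
```

Load it the same way as a.js in Method 1; the activity must already be open so that an instance exists on the heap.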
Tags: NewStarCTF2022, dump, travel, droidlearn, activity, FlagActivity, com
From: https://www.cnblogs.com/wgf4242/p/16749745.html