2015-0CTF-vezel

Time:2019-11-8

Java static analysis

Challenge address: https://github.com/ctf-wiki/c

1. Running the app

2015-0CTF-vezel

2. Locate the key code

    /**
     * Click handler that compares the text in {@code et} with the expected flag.
     *
     * <p>The expected value is assembled at run time as {@code "0CTF{" + first + getCrc() + "}"},
     * where {@code first} is the decimal string of {@code getSig(getPackageName())}. The
     * write-up treats {@code getCrc()} (not shown here) as the CRC of classes.dex. Both inputs
     * can be recomputed from the APK alone, so the check is obfuscation rather than a secret.
     *
     * @param v the view that triggered the click; unused
     */
    public void confirm(View v) {
        String first = String.valueOf(getSig(getPackageName()));
        String expected = "0CTF{" + first + getCrc() + "}";
        String entered = this.et.getText().toString();

        // Same toast call on both paths; only the message differs. Duration 0 is the short toast.
        String verdict = expected.equals(entered) ? "Yes!" : "0ops!";
        Toast.makeText(this, verdict, 0).show();
    }

The flag therefore has the form: "0CTF{" + first + getCrc() + "}"

3. Detailed analysis

3.1 first

String first = String.valueOf(getSig(getPackageName()));
    /**
     * Returns the {@code String.hashCode()} of the first signing certificate of a package.
     *
     * <p>Flag value 64 is {@code PackageManager.GET_SIGNATURES}. The result is a 32-bit,
     * non-cryptographic hash of the certificate's character form, so it identifies the
     * signer only weakly. It should not be relied on as a tamper check by itself.
     *
     * @param packageName package whose signature is looked up
     * @return the hash code, or 0 if any exception occurs during the lookup
     */
    private int getSig(String packageName) {
        try {
            return getPackageManager()
                    .getPackageInfo(packageName, 64)
                    .signatures[0]
                    .toCharsString()
                    .hashCode();
        } catch (Exception e) {
            // Catch-all: a missing package, a null/empty signatures array, or any other
            // failure falls through to the 0 fallback below.
            e.printStackTrace();
        }
        return 0;
    }

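You can obtain this signature hash by writing a small helper app that asks the PackageManager for the signatures of the target package (the target app must be installed on the same device):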

MainActivity.java

package com.iromise.getsignature;

import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.text.TextUtils;
import android.util.Log;
import android.widget.Toast;

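/**
 * Helper activity that logs the {@code String.hashCode()} of the first signing
 * certificate of another installed package, under the log tag {@code hashcode}.
 *
 * <p>It reproduces the value the target app computes in {@code getSig}: the same
 * {@code GET_SIGNATURES} lookup followed by {@code toCharsString().hashCode()}.
 * The target package must be installed on the device, otherwise the lookup throws
 * {@link PackageManager.NameNotFoundException}.
 */
public class MainActivity extends AppCompatActivity {

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        PackageManager manager = getPackageManager();
        String pkgname = "com.ctf.vezel";
        if (TextUtils.isEmpty(pkgname)) {
            // makeText only builds the toast; show() is what displays it.
            Toast.makeText(this, "the package name of the application cannot be empty! ", Toast.LENGTH_SHORT).show();
            return;
        }
        try {
            PackageInfo packageInfo = manager.getPackageInfo(pkgname, PackageManager.GET_SIGNATURES);
            Signature[] signatures = packageInfo.signatures;
            // Guard the [0] access: the array may be null or empty.
            if (signatures == null || signatures.length == 0) {
                Log.w("hashcode", "no signatures returned for " + pkgname);
                return;
            }
            Log.i("hashcode", String.valueOf(signatures[0].toCharsString().hashCode()));
        } catch (PackageManager.NameNotFoundException e) {
            // The target package is not installed on this device.
            Log.e("hashcode", "package not found: " + pkgname, e);
        }
    }
}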

Filter the log output for the "hashcode" tag:

07-18 11:05:11.895 16124-16124/? I/hashcode: -183971537

3.2 crc

Get the CRC32 of classes.dex.
The following program computes it:

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.zip.CRC32;
import java.util.zip.CheckedInputStream;

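/**
 * Command-line helper that prints the CRC32 of a file in hexadecimal and decimal.
 *
 * <p>Usage: {@code java crc <file>}. CRC32 is an error-detection checksum, not a
 * cryptographic hash. It is suitable for reproducing a value an application computes,
 * but not for proving that a file has not been modified.
 */
public class crc {

    /**
     * Prints the path, then the CRC32 of the file as {@code HEX:} and {@code DEC:} lines.
     * Exits with status -1 when no path is given or the file cannot be read.
     *
     * @param args command-line arguments; {@code args[0]} is the file path
     */
    public static void main(String[] args) {
        if (args.length < 1) {
            System.out.println("Usage: java crc <file>");
            System.exit(-1);
        }
        System.out.println(args[0]);
        String path = args[0];
        String crc = loadCRC32(path);
        if (crc == null) {
            // loadCRC32 has already printed the stack trace. Stop here rather than
            // print "HEX:null" and then fail while parsing null.
            System.err.println("Could not compute CRC32 of " + path);
            System.exit(-1);
        }

        System.out.println("HEX:" + crc);
        // A CRC32 is an unsigned 32-bit value. Integer.parseInt(crc, 16) throws
        // NumberFormatException for anything from 80000000 up, so parse it as a long.
        System.out.println("DEC:" + Long.parseLong(crc, 16));
    }

    /**
     * Computes the CRC32 of a file.
     *
     * @param filePath path of the file to read
     * @return the checksum as upper-case hexadecimal without leading zeros, or
     *     {@code null} if the file is missing or cannot be read (the stack trace is printed)
     */
    public static String loadCRC32(String filePath) {
        CRC32 crc32 = new CRC32();
        // try-with-resources closes both streams on every path, including read failures.
        try (FileInputStream inputStream = new FileInputStream(new File(filePath));
             CheckedInputStream checkedInputStream = new CheckedInputStream(inputStream, crc32)) {
            // Read in chunks; the stream is unbuffered, so byte-at-a-time reads are slow.
            byte[] buffer = new byte[8192];
            while (checkedInputStream.read(buffer) != -1) {
                // Reading through CheckedInputStream updates crc32 as a side effect.
            }
            return Long.toHexString(crc32.getValue()).toUpperCase();
        } catch (IOException e) {
            // Also covers FileNotFoundException, which is a subclass of IOException.
            e.printStackTrace();
            return null;
        }
    }

}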
java crc vezel/classes.dex
vezel/classes.dex
HEX:46E26557
DEC:1189242199

Note:
macOS already ships a ready-made command for this:

crc32 vezel/classes.dex
46e26557

Then you only need to convert the hexadecimal value to decimal (base 10).

4. Flag

0CTF{-1839715371189242199}

5. Reference articles

  1. 2015-0CTF-vezel wp
  2. How to prevent Android apps from being repackaged -Xuanyuan’s answer – Zhihu