# Google CTF 2018 - Shall We Play a Game?


Download the APK here:

I am going to upload the APK to [https://appetize.io/](https://appetize.io) (free account) to see how the APK behaves:

![](/files/jBQaMhOY9kggKQkaw1IO)

It looks like you need to win 1000000 times to get the flag.

Following the steps in [Android app pentesting](/mobile-pentesting/android-app-pentesting.md), you can decompile the application to obtain the smali code and use jadx to read the Java code.

Reading the Java code:

![](/files/fDF4bmUI3Zu0t1FvC8Nm)

It looks like the function that prints the flag is **m()**.

## **Smali changes**

### **First call to m()**

Make the application call m() when the variable *this.o != 1000000*; to do that, simply change the condition:

```
if-ne v0, v9, :cond_2
```


```
if-eq v0, v9, :cond_2
```

![Before](/files/HUOHlEexRa9lOOWh4Xz2)

![After](/files/ox5JLqovB45y1Fr2PYKo)

Follow the steps in [Android pentesting](/mobile-pentesting/android-app-pentesting.md) to recompile and sign the APK. Then upload it to [https://appetize.io/](https://appetize.io) and see what happens:

![](/files/BC9234xzQw5QtapomwQZ)

It looks like the flag is written without being fully decrypted. The m() function should probably be called 1000000 times.

**Another** way to do it is, instead of changing the branch instruction, to change the compared instruction:

![](/files/oiXs94EWyxAGXw2GXmwU)

**Another** way is to set the value to 1, so that this.o is compared with 1:

![](/files/9IdTeb3Uq3Dby0gZuA4g)

A fourth way is to add an instruction that moves the value of v9 (1000000) into v0 *(this.o)*:

![](/files/qmrJY3TCU2uwKvMBbJpu)

![](/files/Uwry2McuPTC7JVuToom0)

## Solution

Make the application run the loop 100000 times when you win for the first time. To do that, you only need to create a **:goto_6** loop and make the application **jump there if the value of `this.o` is not 100000**:

![](/files/fv33hM36i6u7ILINvecO)

You need to do this on a physical device because (I don't know why) it does not work properly on an emulated device.
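To make the effect of each smali patch above (inverting the branch, changing the compared constant, forcing `v0`, and the `:goto_6` loop from the solution) concrete, here is an added example that is not part of the original write-up or the challenge app: a tiny Python interpreter for the handful of Dalvik opcodes involved, run over a constructed smali fragment modelled on the check around `m()`. The class name `Lgame;`, the field `o:I`, the `iget`/`iput` lines and the exact shape of the fragment are assumptions; the real method is longer and only the comparison and the call to `m()` are reproduced. Each patch function applies one of the page's edits as a text substitution, and `run()` reports whether `m()` was reached and what `this.o` ended up as.

```python
"""Mini smali interpreter: shows what each patch does to the m() check.

Constructed fragment (assumption: modelled on the page, not the real method).
v9 holds the win target 1000000 (0xf4240), v0 holds this.o, and m() prints
the flag.  :cond_2 skips the call when the two registers differ.
"""

ORIGINAL = """\
    const v9, 0xf4240
    iget v0, p0, Lgame;->o:I
    if-ne v0, v9, :cond_2
    invoke-virtual {p0}, Lgame;->m()V
    :cond_2
    return-void
"""


def field_name(ref):
    # "Lgame;->o:I" -> "o"
    return ref.split("->")[1].split(":")[0]


def parse(smali):
    """Split a fragment into (opcode, args) tuples plus a label -> index table."""
    instrs, labels = [], {}
    for raw in smali.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            labels[line] = len(instrs)  # a label names the next instruction
            continue
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        if op in ("const", "add-int/lit8"):
            args[-1] = int(args[-1], 0)  # literal parsed once, not per step
        instrs.append((op, args))
    return instrs, labels


def run(smali, this_o, max_steps=20_000_000):
    """Execute the fragment with this.o == this_o.

    Returns (m_was_called, final value of this.o).  Only the opcodes used by
    the page's patches are modelled; anything else raises.
    """
    instrs, labels = parse(smali)
    regs, fields, called_m = {}, {"o": this_o}, False
    pc = 0
    for _ in range(max_steps):
        if pc >= len(instrs):
            break
        op, args = instrs[pc]
        pc += 1
        if op == "add-int/lit8":
            regs[args[0]] = regs[args[1]] + args[2]
        elif op == "iput":
            fields[field_name(args[2])] = regs[args[0]]
        elif op in ("if-ne", "if-eq"):
            equal = regs[args[0]] == regs[args[1]]
            if equal == (op == "if-eq"):  # branch taken
                pc = labels[args[2]]
        elif op == "const":
            regs[args[0]] = args[1]
        elif op == "iget":
            regs[args[0]] = fields[field_name(args[2])]
        elif op == "move":
            regs[args[0]] = regs[args[1]]
        elif op == "goto":
            pc = labels[args[0]]
        elif op == "invoke-virtual":
            if args[-1].endswith("->m()V"):
                called_m = True  # the flag-printing function was reached
        elif op == "return-void":
            return called_m, fields["o"]
        else:
            raise ValueError(f"unsupported opcode: {op}")
    else:
        raise RuntimeError("step limit hit: runaway loop")
    return called_m, fields["o"]


# --- the four edits from the "Smali changes" section, as text patches ---

def invert_branch(smali):
    """if-ne -> if-eq: m() now runs exactly when this.o != 1000000."""
    return smali.replace("if-ne v0, v9, :cond_2", "if-eq v0, v9, :cond_2")


def compare_with_one(smali):
    """Keep the branch, change the constant so this.o is compared with 1."""
    return smali.replace("const v9, 0xf4240", "const v9, 0x1")


def force_counter(smali):
    """Insert `move v0, v9` so the comparison always sees 1000000."""
    return smali.replace("if-ne v0, v9, :cond_2",
                         "move v0, v9\n    if-ne v0, v9, :cond_2")


# --- the loop from the "Solution" section ---

def loop_until_target(smali):
    """Bump this.o in a :goto_6 loop until it equals v9, then fall into m()."""
    return smali.replace(
        "if-ne v0, v9, :cond_2",
        ":goto_6\n    add-int/lit8 v0, v0, 0x1\n"
        "    iput v0, p0, Lgame;->o:I\n    if-ne v0, v9, :goto_6")


if __name__ == "__main__":
    for name, patch in [("original", lambda s: s), ("invert_branch", invert_branch),
                        ("compare_with_one", compare_with_one),
                        ("force_counter", force_counter),
                        ("loop_until_target", loop_until_target)]:
        print(f"{name:18} after one win -> m() called, this.o = {run(patch(ORIGINAL), 1)}")
```

Running it shows why the first three patches are not equivalent to the loop: they all reach `m()` after a single win, but `this.o` stays at 1, which is consistent with the observation above that the flag comes out only partially decrypted when the win-counter is not actually advanced. The loop variant leaves `this.o` at 1000000 before `m()` runs, which is the state the app expects.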
