This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2020-03-26
Hi everyone. I’m working on a CTF (Capture The Flag) challenge which is about apk reverse engineering and I’ve got some Java code for Android here, that I’m trying to analyse. Unfortunately my knowledge in Java is not that good and I’m stuck with one specific function. I was wondering if anyone who knows java could help me out a bit?
Maybe post a link to a gist or something so as not to take up too much room here? I’d take a look.
so I’m including this one specific function and + strings.xml that I managed to extract. so I’m trying to find out where are the requests going to basically
with my little knowledge, I think one of the addresses is
(which comes from strings.xml)
You want to understand this line?
HttpPost httpPost = new HttpPost("http://" + this.context.getResources().getStringArray(2131099648)[i] + this.context.getString(2131034123));
What class does the check_domain_200 method appear in?
It looks like it has its own Context object, and that context has a getResources() method that returns an instance of a class that has a getStringArray method. If you can track down which class that is, you should get a better understanding of where the data is being stored.
I wasn’t able to track down getResources unfortunately. So I assumed that it was coming from that strings.xml file
It’s possible that the locations aren’t coded, and that the app is getting the data from either a remote source or from some kind of local storage, since the 2131099648 is such a high value.
First step is to find the definition for the class that check_domain_200 appears in, and look at its constructor, to see what it’s setting this.context to.
It’s a bit confusing because it also defines Context context at the top of the method, but context and this.context are different variables.
Actually, let’s thread this so we don’t consume too much space in #off-topic.
So the class is:
public class webServiceRobot {
    Context context;
    // and the method goes here
}
The constructor will give you the class that’s being stored in this.context. It’ll either be instantiated directly, or passed in as a constructor arg.
Ok, you’ve got the class, can you see where this.context is being set to a value? Or is it just a setContext method?
there is a setContext method which just sets it
public void setContext(Context paramContext) {
    this.context = paramContext;
}
so I guess it is being set from outside of this class
Yeah, you’re probably not going to find a list of IPs anywhere in the source code, I’m guessing. 2131099648 as a string index is too big to be the array index of a list of strings in a config file somewhere, so that’s most likely going to be a db ID into some kind of local storage, which suggests the data is coming in from some remote server somewhere.
Although it could be a generated ID from a compiled XML file like @UJRDALZA5 suggested outside the thread.
All the strings in strings.xml (and there can be multiple strings.xml) are compiled into a huge String array in Android.
android developer here
in source, this.context.getResources().getStringArray(2131099648) would look something like this:
this.context.getResources().getStringArray(R.array.my_array)
R.array.my_array is generated from the strings.xml file as it’s being packaged into the apk
so in xml that would look something like:
strings.xml:
<resources>
    <string-array name="my_array">
        <item>Mercury</item>
        <item>Venus</item>
        <item>Earth</item>
        <item>Mars</item>
    </string-array>
</resources>
re: strings.xml, resources have a “configuration” system which allows for switching between different resources under different situations… for strings, this is often used for locale/language
so in source you might have res/values/strings.xml and then a second res/values-es/strings.xml for translation
i think that may be relevant in your case because this strings.xml doesn’t have any string arrays in it. it appears to be a translation.
this string array is storing endpoints, so it’s almost certainly using the default strings.xml, not a localization
(the default is res/values/strings.xml)
i don’t know how to find the R.java map that translates the integer into a string… if you have access to a runtime system, that can be done with an instance of the Resources object
hey @U010GL90FN0, 4 months later, I just saw this, sorry. thanks for taking time explaining this to me! :)