看到這個題放在misc裏面,還以爲會是以apk掩人耳目的misc題,結果沒想到是一個純正的安卓逆向。
可以看到程序的入口點還是MainActivity
protected void onCreate(Bundle arg3) {
super.onCreate(arg3);
this.setContentView(2130968602);
ApplicationInfo v0 = this.getApplicationInfo();
v0.flags &= 2;
this.p();
this.findViewById(2131427413).setOnClickListener(new d(this));
}
我們找到setOnClickListene函數,此函數作用爲監聽apk中的事件。
可以看到,當我們點擊sure按鈕時,程序會new d..
繼續跟蹤下去。
public void onClick(View arg5) {
if(MainActivity.a(this.a, MainActivity.a(this.a), this.a.findViewById(2131427414).getText().toString())) {
View v0 = this.a.findViewById(2131427412);
Toast.makeText(this.a.getApplicationContext(), "Congratulations!", 1).show();
((TextView)v0).setText(2131099682);
}
else {
Toast.makeText(this.a.getApplicationContext(), "Oh no.", 1).show();
}
}
可以看到MainActivity.a是關鍵函數,他的返回值決定了Toast顯示的值,其中MainActivity.a(this.a)的返回值爲MainActivity中的v.
在MainActivity中我們可以找到v的賦值函數。
private void p() {
try {
InputStream v0_1 = this.getResources().getAssets().open("url.png");
int v1 = v0_1.available();
byte[] v2 = new byte[v1];
v0_1.read(v2, 0, v1);
byte[] v0_2 = new byte[16];
System.arraycopy(v2, 144, v0_2, 0, 16);
this.v = new String(v0_2, "utf-8");
}
catch(Exception v0) {
v0.printStackTrace();
}
}
p函數讀取url.png的數據,然後將從144開始的16個字符轉換爲String賦值給v。由於jeb的僞代碼更加接近於代碼,我們可以將p函數直接編譯運行得到v.我這兒是用python實現的
file=open('url.png','rb')
key=file.read()
file.close()
keylist=list(key)
passkey=[]
for i in range(144,160):
passkey.append(keylist[i])
print passkey
繼續跟蹤,我們可以看到
private boolean a(String arg4, String arg5) {
return new c().a(arg4, arg5).equals(new String(new byte[]{21, -93, -68, -94, 86, 117, -19, -68, -92, 33, 50, 118, 16, 13, 1, -15, -13, 3, 4, 103, -18, 81, 30, 68, 54, -93, 44, -23, 93, 98, 5, 59}));
}
a函數將v和輸入放到c類中的a函數中,然後將返回值與byte[]進行比較。
public String a(String arg5, String arg6) {
String v0 = this.a(arg5);
String v1 = "";
a v2 = new a();
v2.a(v0.getBytes());
try {
v0 = new String(v2.b(arg6.getBytes()), "utf-8");
}
catch(Exception v0_1) {
v0_1.printStackTrace();
v0 = v1;
}
return v0;
}
private String a(String arg4) {
String v0_2;
try {
arg4.getBytes("utf-8");
StringBuilder v1 = new StringBuilder();
int v0_1;
for(v0_1 = 0; v0_1 < arg4.length(); v0_1 += 2) {
v1.append(arg4.charAt(v0_1 + 1));
v1.append(arg4.charAt(v0_1));
}
v0_2 = v1.toString();
}
catch(UnsupportedEncodingException v0) {
v0.printStackTrace();
v0_2 = null;
}
return v0_2;
}
可以看到a函數是將v兩個字符進行交換,然後
將得到的結果作爲password初始化aes加密
所以對於v的操作所有代碼爲:
file=open('url.png','rb')
key=file.read()
file.close()
keylist=list(key)
passkey=[]
for i in range(144,160):
passkey.append(keylist[i])
print passkey
key=''
for i in range(0,16,2):
key+=passkey[i+1]
key+=passkey[i]
print key
this.a = new SecretKeySpec(arg4, "AES");
this.b = Cipher.getInstance("AES/ECB/PKCS5Padding");
最後將我們的輸入進行加密
this.b.init(1, this.a);
return this.b.doFinal(arg4);
所以我們只要將對比的byte[]數組以v作爲password進行aes解密即可得到flag.
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;
public class flag{
/**
* @param args
*/
public static void main(String[] args) {
// TODO Auto-generated method stub
String password="htsii__sht_eek.y";
byte[] byteContent=new byte[]{21, -93, -68, -94, 86, 117, -19, -68, -92, 33, 50, 118, 16, 13, 1, -15, -13, 3, 4, 103, -18, 81, 30, 68, 54, -93, 44, -23, 93, 98, 5, 59};
SecretKeySpec key = new SecretKeySpec(password.getBytes(), "AES");
Cipher cipher;
byte[] result = null;
try {
cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, key);// 初始化
result = cipher.doFinal(byteContent);
} catch (NoSuchAlgorithmException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (NoSuchPaddingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (InvalidKeyException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (IllegalBlockSizeException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (BadPaddingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
System.out.println(new String(result));
}
}