JarvisOJ DD-Android Easy題解

1.拖入到模擬器中運行,輸入信息提示密碼錯誤,使用PKID查殼,發現無殼
2.將apk的後綴名改成rar,隨後進行解壓縮,使用d2j-dex2jar.bat對classes.dex進行反編譯,生成classes-dex2jar.jar
3.接着使用apktool工具,反編譯apk文件,可以看到so文件
4.把生成的classes-dex2jar.jar拖入到jadx-gui中,看到FlagActivity,裏面含有求解代碼,在該程序中看不到so層函數的影子,那麼求解flag的關鍵代碼就在FlagActivity裏
5、首先看到兩個靜態數組p、q,裏面的值大部分都是負值。i()方法先把p、q逐字節進行異或操作,結果賦值給bArr數組;然後以bArr[0]的值作爲起始下標,把bArr數組中從該下標開始、直到遇到第一個0之前的數賦值給bArr2數組,bArr2數組形成的字符串就是flag。
看代碼

/**
 * Decompiled (jadx) activity that checks a user-supplied string against an
 * expected value.
 *
 * <p>The expected value is not fetched from anywhere: {@link #i()} rebuilds it
 * from the two constant arrays {@code p} and {@code q} that ship inside the
 * class, and {@link #onClickTest(View)} compares it locally. No native (.so)
 * call is involved in this class. Because both the data and the decoding
 * routine are in the bytecode, the value can be recovered by static analysis
 * alone; XOR-masking the constants only hides it from a plain string search.
 */
public class FlagActivity extends d {
    private static String m = "com.didi_ctf.flagapp.FlagActivity";

    // Two constant tables of equal length; XOR-ing them byte by byte yields the
    // buffer that i() reads the expected string from.
    private static final byte[] p = {-40, -62, 107, 66, -126, 103, -56, 77, 122, -107, -24, -127, 72, -63, -98, 64, -24, -5, -49, -26, 79, -70, -26, -81, 120, 25, 111, -100, -23, -9, 122, -35, 66, -50, -116, 3, -72, 102, -45, -85, 0, 126, -34, 62, 83, -34, 48, -111, 61, -9, -51, 114, 20, 81, -126, -18, 27, -115, -76, -116, -48, -118, -10, -102, -106, 113, -104, 98, -109, 74, 48, 47, -100, -88, 121, 22, -63, -32, -20, -41, -27, -20, -118, 100, -76, 70, -49, -39, -27, -106, -13, -108, 115, -87, -1, -22, -53, 21, -100, 124, -95, -40, 62, -69, 29, 56, -53, 85, -48, 25, 37, -78, 11, -110, -24, -120, -82, 6, -94, -101};
    private static final byte[] q = {-57, -90, 53, -71, -117, 98, 62, 98, 101, -96, 36, 110, 77, -83, -121, 2, -48, 94, -106, -56, -49, -80, -1, 83, 75, 66, -44, 74, 2, -36, -42, -103, 6, -115, -40, 69, -107, 85, -78, -49, 54, 78, -26, 15, 98, -70, 8, -90, 94, -61, -84, 64, 112, 51, -29, -34, 126, -21, -126, -71, -31, -24, -60, -2, -81, 66, -84, 85, -91, 10, 84, 70, -8, -63, 26, 126, -76, -104, -123, -71, -126, -62, -23, 11, -39, 70, 14, 59, -101, -39, -124, 91, -109, 102, -49, 21, 105, 0, 37, Byte.MIN_VALUE, -57, 117, 110, -115, -86, 56, 25, -46, -55, 7, -125, 109, 76, 104, -15, 82, -53, 18, -28, -24};

    // Input field holding the user's guess (bound to R.id.flag_entry in onCreate).
    private TextView n;
    // Output field showing the yes/no result (bound to R.id.flag_result in onCreate).
    private TextView o;

    /**
     * Rebuilds the expected string from the constant tables.
     *
     * <p>Steps: XOR {@code p} with {@code q} into {@code bArr}; take
     * {@code bArr[0]} as the start index; copy bytes from that index up to, but
     * not including, the first zero byte into {@code bArr2}.
     *
     * @return the bytes of {@code bArr2} decoded with the platform default charset
     */
    private String i() {
        final int total = p.length;
        byte[] bArr = new byte[total];
        // XOR the two tables element by element.
        int idx = 0;
        while (idx < total) {
            bArr[idx] = (byte) (p[idx] ^ q[idx]);
            idx++;
        }

        // The first decoded byte is the offset at which the payload begins.
        // It is a signed byte and is used unchecked, exactly as in the original.
        byte b = bArr[0];

        // Walk forward from the offset until the terminating zero byte. There is
        // no upper-bound check: a buffer without a zero after the offset would
        // raise ArrayIndexOutOfBoundsException.
        int end = b;
        while (bArr[end] != 0) {
            end++;
        }

        // Copy the payload bArr[b .. end) into a right-sized array.
        byte[] bArr2 = new byte[end - b];
        System.arraycopy(bArr, b, bArr2, 0, bArr2.length);

        // No charset is named, so the platform default is used.
        return new String(bArr2);
    }

    /**
     * Click handler: compares the text in {@code n} with the value from
     * {@link #i()} and shows the matching result string in {@code o}.
     *
     * <p>The whole check runs locally against a value derived from embedded
     * constants.
     */
    public void onClickTest(View view) {
        String entered = this.n.getText().toString();
        boolean matched = entered.equals(i());
        this.o.setText(matched ? R.string.flag_result_yes : R.string.flag_result_no);
    }

    /**
     * Inflates the layout and binds the entry and result views.
     */
    /* access modifiers changed from: protected */
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView((int) R.layout.activity_flag);
        // Look up both text views once; onClickTest reads n and writes o.
        TextView entryView = (TextView) findViewById(R.id.flag_entry);
        TextView resultView = (TextView) findViewById(R.id.flag_result);
        this.n = entryView;
        this.o = resultView;
    }
}

6.接下來,把上述i方法的代碼連同p、q兩個靜態數組一起放到Java IDE中運行,即可運行出flag。
