JarvisOJ-findpass

发布于 2019-06-14  876 次阅读


FindPass

FindPass_200.7z

思路

用jeb3.0解包apk文件,打开mainactivity,发现一个Getkey函数,思路非常明显

程序读取了src.jpg、fkey、input的内容,并且进行一定的加密操作,获得flag

public void GetKey(View arg16) {
        String input = this.findViewById(0x7F080001).getText().toString();
        if(TextUtils.isEmpty(input.trim())) {
            goto label_57;
        }

        char[] fkey = this.getResources().getString(0x7F050003).toCharArray();
        int v2 = fkey.length;
        char[] from_jpg = new char[0x400];
        try {
            new InputStreamReader(this.getResources().getAssets().open("src.jpg")).read(from_jpg);
        }
        catch(Exception v3) {
            v3.printStackTrace();
        }

        int v6;
        for(v6 = 0; v6 < v2; ++v6) {
            int v12 = from_jpg[fkey[v6]] % 10;
            fkey[v6] = v6 % 2 == 1 ? ((char)(fkey[v6] + v12)) : ((char)(fkey[v6] - v12));
        }

        if(input.equals(new String(fkey))) {
            Toast.makeText(((Context)this), "恭喜您,输入正确!Flag==flag{Key}", 1).show();
        }
        else {
            Toast.makeText(((Context)this), "not right! lol。。。。", 1).show();
            return;
        label_57:
            Toast.makeText(((Context)this), "请输入key值!", 1).show();
        }
    }

唯一有一点问题就是那个

char[] fkey = this.getResources().getString(0x7F050003).toCharArray()

经多方询问,最后明白这是一个读取内置字符串的函数,我们可以在

Resources/values/strings.xml

内找到,大多数的安卓软件都会把字符串放在这里面

solve

fkey = "Tr43Fla92Ch4n93"
fromjpg = [0xFF,0xD8,0xFF,0xE0,0x00,0x10,0x4A,0x46,0x49,0x46,0x00,0x01,0x01,0x01,0x00,0x48,0x00,0x48,0x00,0x00,0xFF,0xE1,0x00,0x30,0x45,0x78,0x69,0x66,0x00,0x00,0x4D,0x4D,0x00,0x2A,0x00,0x00,0x00,0x08,0x00,0x01,0x01,0x31,0x00,0x02,0x00,0x00,0x00,0x0E,0x00,0x00,0x00,0x1A,0x00,0x00,0x00,0x00,0x77,0x77,0x77,0x2E,0x6D,0x65,0x69,0x74,0x75,0x2E,0x63,0x6F,0x6D,0x00,0xFF,0xDB,0x00,0x43,0x00,0x03,0x02,0x02,0x03,0x02,0x02,0x03,0x03,0x03,0x03,0x04,0x03,0x03,0x04,0x05,0x08,0x05,0x05,0x04,0x04,0x05,0x0A,0x07,0x07,0x06,0x08,0x0C,0x0A,0x0C,0x0C,0x0B,0x0A,0x0B,0x0B,0x0D,0x0E,0x12,0x10,0x0D,0x0E,0x11,0x0E,0x0B,0x0B,0x10,0x16,0x10,0x11]
ans = ""

for i in range(len(fkey)):
    t = 0
    if(i % 2 == 1):
        t = ord(fkey[i]) + (fromjpg[ord(fkey[i])] % 10)
    else:
        t = ord(fkey[i]) - (fromjpg[ord(fkey[i])] % 10)
    ans = ans + chr(t)

ans = "flag{" + ans + "}"
print(ans)

CTFer|NOIPer|CSGO|摸鱼|菜鸡