FindPass
思路
用 jeb3.0 解包 apk 文件,打开 MainActivity,发现一个 GetKey 函数,思路非常明显
程序读取了src.jpg、fkey、input的内容,并且进行一定的加密操作,获得flag
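public void GetKey(View arg16) {
    // Key-check handler. The expected key is derived from two things bundled
    // inside the APK: a string resource (0x7F050003) and the leading chars of
    // the asset "src.jpg". Since every input to the derivation ships with the
    // package, the key can be recomputed offline from the unpacked APK.
    String input = this.findViewById(0x7F080001).getText().toString();
    if(TextUtils.isEmpty(input.trim())) {
        // Empty input: only prompt for a key (the decompiler's label_57 branch).
        Toast.makeText(((Context)this), "请输入key值!", 1).show();
        return;
    }
    char[] fkey = this.getResources().getString(0x7F050003).toCharArray();
    // Positions past the number of chars actually read stay '\0'.
    char[] from_jpg = new char[0x400];
    // try-with-resources so the asset stream is closed on every path; the
    // original never closed it.
    try (InputStreamReader reader = new InputStreamReader(this.getResources().getAssets().open("src.jpg"))) {
        // No charset is given, so the asset bytes are decoded with the platform
        // default charset: from_jpg holds decoded chars, not raw bytes, which
        // can differ for any byte >= 0x80. The read count is ignored on purpose
        // to keep the original behaviour.
        reader.read(from_jpg);
    }
    catch(Exception v3) {
        // Best effort, as in the original: on failure from_jpg stays zero-filled
        // and the comparison below still runs.
        v3.printStackTrace();
    }
    for(int i = 0; i < fkey.length; ++i) {
        // Each key char is used as an index into the asset buffer; that value
        // mod 10 is added on odd positions and subtracted on even ones.
        int delta = from_jpg[fkey[i]] % 10;
        fkey[i] = i % 2 == 1 ? ((char)(fkey[i] + delta)) : ((char)(fkey[i] - delta));
    }
    if(input.equals(new String(fkey))) {
        Toast.makeText(((Context)this), "恭喜您,输入正确!Flag==flag{Key}", 1).show();
    }
    else {
        Toast.makeText(((Context)this), "not right! lol。。。。", 1).show();
    }
}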
唯一有一点问题的就是那个
char[] fkey = this.getResources().getString(0x7F050003).toCharArray()
经多方询问,最后明白这是一个读取内置字符串资源的函数,我们可以在
Resources/values/strings.xml
内找到,大多数的安卓软件都会把字符串放在这里面
solve
fkey = "Tr43Fla92Ch4n93"
fromjpg = [0xFF,0xD8,0xFF,0xE0,0x00,0x10,0x4A,0x46,0x49,0x46,0x00,0x01,0x01,0x01,0x00,0x48,0x00,0x48,0x00,0x00,0xFF,0xE1,0x00,0x30,0x45,0x78,0x69,0x66,0x00,0x00,0x4D,0x4D,0x00,0x2A,0x00,0x00,0x00,0x08,0x00,0x01,0x01,0x31,0x00,0x02,0x00,0x00,0x00,0x0E,0x00,0x00,0x00,0x1A,0x00,0x00,0x00,0x00,0x77,0x77,0x77,0x2E,0x6D,0x65,0x69,0x74,0x75,0x2E,0x63,0x6F,0x6D,0x00,0xFF,0xDB,0x00,0x43,0x00,0x03,0x02,0x02,0x03,0x02,0x02,0x03,0x03,0x03,0x03,0x04,0x03,0x03,0x04,0x05,0x08,0x05,0x05,0x04,0x04,0x05,0x0A,0x07,0x07,0x06,0x08,0x0C,0x0A,0x0C,0x0C,0x0B,0x0A,0x0B,0x0B,0x0D,0x0E,0x12,0x10,0x0D,0x0E,0x11,0x0E,0x0B,0x0B,0x10,0x16,0x10,0x11]


def _shift(pos, ch):
    """Apply the app's per-character transform.

    The character's code indexes fromjpg; that value mod 10 is added to the
    code on odd positions and subtracted on even ones.
    """
    delta = fromjpg[ord(ch)] % 10
    if pos % 2 == 1:
        return chr(ord(ch) + delta)
    return chr(ord(ch) - delta)


# Transform the resource string exactly as GetKey does, then wrap it as a flag.
ans = "".join(_shift(pos, ch) for pos, ch in enumerate(fkey))
ans = "flag{" + ans + "}"
print(ans)