BUUCTF Reverse刷题笔记05——简单注册器
下载附件得到.apk文件,所有这是一道安卓逆向题
JEB打开
找到mian函数
看不懂,看不懂不要紧,Tab键转换
得到java代码
package com.example.flag;
import android.os.Bundle;
import android.support.v4.app.Fragment;
import android.support.v7.app.ActionBarActivity;
import android.view.LayoutInflater;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View$OnClickListener;
import android.view.View;
import android.view.ViewGroup;
public class MainActivity extends ActionBarActivity {
public class PlaceholderFragment extends Fragment {
public PlaceholderFragment() {
super();
}
public View onCreateView(LayoutInflater arg4, ViewGroup arg5, Bundle arg6) {
return arg4.inflate(0x7F030018, arg5, false);
}
}
public MainActivity() {
super();
}
protected void onCreate(Bundle arg7) {
super.onCreate(arg7);
this.setContentView(0x7F030017);
if(arg7 == null) {
this.getSupportFragmentManager().beginTransaction().add(0x7F05003C, new PlaceholderFragment()).commit();
}
this.findViewById(0x7F05003F).setOnClickListener(new View$OnClickListener(this.findViewById(0x7F05003D), this.findViewById(0x7F05003E)) {
public void onClick(View arg13) {
int v11 = 0x1F;
int v9 = 2;
int v2 = 1;
String v6 = this.val$editview.getText().toString();
if(v6.length() != 0x20 || v6.charAt(v11) != 97 || v6.charAt(1) != 98 || v6.charAt(0) + v6.charAt(v9) - 0x30 != 56) {
v2 = 0;
}
if(v2 == 1) {
char[] v5 = "dd2940c04462b4dd7c450528835cca15".toCharArray();
v5[v9] = ((char)(v5[v9] + v5[3] - 50));
v5[4] = ((char)(v5[v9] + v5[5] - 0x30));
v5[30] = ((char)(v5[v11] + v5[9] - 0x30));
v5[14] = ((char)(v5[27] + v5[28] - 97));
int v4;
for(v4 = 0; v4 < 16; ++v4) {
char v0 = v5[0x1F - v4];
v5[0x1F - v4] = v5[v4];
v5[v4] = v0;
}
this.val$textview.setText("flag{" + String.valueOf(v5) + "}");
}
else {
this.val$textview.setText("输入注册码错误");
}
}
});
}
public boolean onCreateOptionsMenu(Menu arg3) {
this.getMenuInflater().inflate(0x7F0C0000, arg3);
return 1;
}
public boolean onOptionsItemSelected(MenuItem arg3) {
boolean v1 = arg3.getItemId() == 0x7F050040 ? true : super.onOptionsItemSelected(arg3);
return v1;
}
}
找到关键代码
if(v2 == 1) {
char[] v5 = "dd2940c04462b4dd7c450528835cca15".toCharArray();
v5[v9] = ((char)(v5[v9] + v5[3] - 50));
v5[4] = ((char)(v5[v9] + v5[5] - 0x30));
v5[30] = ((char)(v5[v11] + v5[9] - 0x30));
v5[14] = ((char)(v5[27] + v5[28] - 97));
int v4;
for(v4 = 0; v4 < 16; ++v4) {
char v0 = v5[0x1F - v4];
v5[0x1F - v4] = v5[v4];
v5[v4] = v0;
}
this.val$textview.setText("flag{" + String.valueOf(v5) + "}");
}
else {
this.val$textview.setText("输入注册码错误");
}
}
由这串代码可以分析出,v5中保存的"dd2940c04462b4dd7c450528835cca15"就是我们要找的flag,接下来就将这串字符串转换出来
运用脚本
str=['d','d','2','9','4','0','c','0','4','4','6','2','b','4','d','d','7','c','4','5','0','5','2','8','8','3','5','c','c','a','1','5']
str[2]=chr(ord(str[2])+ord(str[3])-50)
str[4]=chr( ord(str[2])+ord(str[5])-0x30)
str[30]=chr( ord(str[0x1f])+ord(str[9])-0x30)
str[14]=chr( ord(str[27])+ord(str[28])-97)
for i in range(16):
x=str[0x1f-i]
str[0x1f-i]=str[i]
str[i]=x
for i in str:
print (i,end="")