运行,随手一输
丢尽jadx看反编译代码。
直奔onClick事件
这个UserName是固定写死的,="Tenshine",然后把这个userName和用户输入的sn交给checkSN函数校验。
先直接把代码拷出到IDA,
package xctf.mobile;
import org.junit.jupiter.api.Test;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class ApkRE {
@Test
void click(){
System.out.println(checkSN("1","1"));
}
public boolean checkSN(String userName, String sn) {
if (userName != null) {
try {
if (userName.length() == 0 || sn == null || sn.length() != 22) {
return false;
}
MessageDigest digest = MessageDigest.getInstance("MD5");
digest.reset();
digest.update(userName.getBytes());
byte[] bytes = digest.digest();
String hexstr = toHexString(bytes, "");
StringBuilder sb = new StringBuilder();
for (int i = 0; i < hexstr.length(); i += 2) {
sb.append(hexstr.charAt(i));
}
String userSN = sb.toString();
return new StringBuilder().append("flag{").append(userSN).append("}").toString().equalsIgnoreCase(sn);
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
return false;
}
}
return false;
}
private static String toHexString(byte[] bytes, String separator) {
StringBuilder hexString = new StringBuilder();
for (byte b : bytes) {
String hex = Integer.toHexString(b & 255);
if (hex.length() == 1) {
hexString.append('0');
}
hexString.append(hex).append(separator);
}
return hexString.toString();
}
}
1. sn的长度必须等于22
2.加密userSN(固定)取偶数位和我们传入的sn忽略大小写进行比较
那我们要输入的SN就是flag{bc72f242a6af3857}
试一试