BUUCTF Reverse/简单注册器

BUUCTF Reverse/简单注册器

下载得到一个apk文件,直接拿JEB打开查看伪代码

package com.example.flag;

import android.os.Bundle;
import android.support.v4.app.Fragment;
import android.support.v7.app.ActionBarActivity;
import android.view.LayoutInflater;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View$OnClickListener;
import android.view.View;
import android.view.ViewGroup;

public class MainActivity extends ActionBarActivity {
    public class PlaceholderFragment extends Fragment {
        public PlaceholderFragment() {
            super();
            super();
        }

        public View onCreateView(LayoutInflater arg4, ViewGroup arg5, Bundle arg6) {
            // Method was not decompiled
        }
    }

    public MainActivity() {
        super();
    }

    protected void onCreate(Bundle arg7) {
        super.onCreate(arg7);
        this.setContentView(0x7F030017);
        if(arg7 == null) {
            this.getSupportFragmentManager().beginTransaction().add(0x7F05003C, new PlaceholderFragment()).commit();
        }

        this.findViewById(0x7F05003F).setOnClickListener(new View$OnClickListener(this.findViewById(0x7F05003D), this.findViewById(0x7F05003E)) {
            public void onClick(View arg13) {
                int v11 = 0x1F;
                int v9 = 2;
                int v2 = 1;
                String v6 = this.val$editview.getText().toString();
                if(v6.length() != 0x20 || v6.charAt(v11) != 97 || v6.charAt(1) != 98 || v6.charAt(0) + v6.charAt(v9) - 0x30 != 56) {
                    v2 = 0;
                }

                if(v2 == 1) {
                    char[] v5 = "dd2940c04462b4dd7c450528835cca15".toCharArray();
                    v5[v9] = ((char)(v5[v9] + v5[3] - 50));
                    v5[4] = ((char)(v5[v9] + v5[5] - 0x30));
                    v5[30] = ((char)(v5[v11] + v5[9] - 0x30));
                    v5[14] = ((char)(v5[27] + v5[28] - 97));
                    int v4;
                    for(v4 = 0; v4 < 16; ++v4) {
                        char v0 = v5[0x1F - v4];
                        v5[0x1F - v4] = v5[v4];
                        v5[v4] = v0;
                    }

                    this.val$textview.setText("flag{" + String.valueOf(v5) + "}");
                }
                else {
                    this.val$textview.setText("输入注册码错误");
                }
            }
        });
    }

    public boolean onCreateOptionsMenu(Menu arg3) {
        this.getMenuInflater().inflate(0x7F0C0000, arg3);
        return 1;
    }

    public boolean onOptionsItemSelected(MenuItem arg3) {
    label_3:
        boolean v1 = arg3.getItemId() == 0x7F050040 ? true : super.onOptionsItemSelected(arg3);
        return v1;
        if(arg3.getItemId() == 0x7F050040) {
            goto label_3;
            v1 = true;
        }
        else {
            v1 = super.onOptionsItemSelected(arg3);
        }

        return v1;
    }
}

分析得知flag就存储在v5当中

				 char[] v5 = "dd2940c04462b4dd7c450528835cca15".toCharArray();
                    v5[v9] = ((char)(v5[v9] + v5[3] - 50));
                    v5[4] = ((char)(v5[v9] + v5[5] - 0x30));
                    v5[30] = ((char)(v5[v11] + v5[9] - 0x30));
                    v5[14] = ((char)(v5[27] + v5[28] - 97));
                    int v4;
                    for(v4 = 0; v4 < 16; ++v4) {
                        char v0 = v5[0x1F - v4];
                        v5[0x1F - v4] = v5[v4];
                        v5[v4] = v0;
                    }

根据代码写出脚本

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int main()
{
   char v5[] = "dd2940c04462b4dd7c450528835cca15";
   int v11 = 0x1F;
   int v9 = 2;
   int v2 = 1;
    v5[v9] = v5[v9] + v5[3] - 50;
    v5[4] = v5[v9] + v5[5] - 0x30;
    v5[30] = v5[v11] + v5[9] - 0x30;
    v5[14] = v5[27] + v5[28] - 97;
   int v4;
   for(v4 = 0;  v4 < 16 ; ++v4)
   {
       char v0 = v5[0x1F - v4];
       v5[0x1F - v4] = v5[v4];
       v5[v4] = v0;
   }
    v5[32] = '\0';
    printf("flag{%s}\n",v5);
   return 0;

}

得到flag