攻防世界-wp-MOBILE-新手区-4-app1

题目附件：

b9af8dfef6b749d2819ef5be16c26a0d.apk

题目思路：

通过jeb将apk反编译，找到关键判断进行算法逆向

解题过程：

首先我们使用老套路，用jeb或者dex2jar反编译后用jd-gui打开，并且查看java源码，在apk下bytecode中的MainActivity找到主类，右键decompile

package com.example.yaphetshan.tencentgreat;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager$NameNotFoundException;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.view.View$OnClickListener;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
public class MainActivity extends AppCompatActivity {
    Button btn;
    public final String pName;
    EditText text;
    public MainActivity() {
        super();
        this.pName = "com.example.yaphetshan.tencentgreat";
    }
    protected void onCreate(Bundle arg3) {
        super.onCreate(arg3);
        this.setContentView(2130968603);
        this.btn = this.findViewById(2131427416);
        this.text = this.findViewById(2131427415);
        this.btn.setOnClickListener(new View$OnClickListener() {
            public void onClick(View arg10) {
                try {
                    String v1 = MainActivity.this.text.getText().toString();
                    PackageInfo v2 = MainActivity.this.getPackageManager().getPackageInfo("com.example.yaphetshan.tencentgreat", 16384);
                    String v3 = v2.versionName;
                    int v4 = v2.versionCode;
                    int v0 = 0;
                    while(v0 < v1.length()) {
                        if(v0 >= v3.length()) {
                            break;
                        }
                        if(v1.charAt(v0) != (v3.charAt(v0) ^ v4)) {//要完成这个条件才行，v4和v3的每一位异或，最后与v1比较
                            Toast.makeText(MainActivity.this, "再接再厉，加油~", 1).show();
                            return;
                        }
                        else {
                            ++v0;
                            continue;
                        }
                    }
                    if(v1.length() != v3.length()) { 
                        goto label_39;
                    }
                    Toast.makeText(MainActivity.this, "恭喜开启闯关之门！", 1).show();
                    return;
                }
                catch(PackageManager$NameNotFoundException v5) {
                }
            label_39:
                Toast.makeText(MainActivity.this, "年轻人不要耍小聪明噢", 1).show();
            }
        });
    }
}

就是一个异或运算，在apk下bytecode中找到BuildConfig类，右键decompile，发现v3=VERSION_NAME，v4=VERSION_CODE

package com.example.yaphetshan.tencentgreat;
public final class BuildConfig {
    public static final String APPLICATION_ID = "com.example.yaphetshan.tencentgreat";
    public static final String BUILD_TYPE = "debug";
    public static final boolean DEBUG = false;
    public static final String FLAVOR = "";
    public static final int VERSION_CODE = 15;
    public static final String VERSION_NAME = "X<cP[?PHNB<P?aj";
    static {
        BuildConfig.DEBUG = Boolean.parseBoolean("true");
    }
    public BuildConfig() {
        super();
    }
}

那就是15和X<cP[?PHNB<P?aj进行异或。 将每个字符转成的ASCII 数值与15的16进制进行异或，将ASCII 数值转换成字符串得到flag

str = "X<cP[?PHNB<P?aj"
flag=''
for i in str:
    flag+=chr(ord(i)^15)
print(flag)

W3l_T0_GAM3_0ne