题目:
张三听说AES算法很安全,他不想被别人发现他的flag,于是将其加密处理后写到了安卓应用中。并且他从未公开题目的源码,你能从apk附件中破解他想隐藏的flag是什么吗?
附件 : apk
题解:
首先下载安卓反编译工具对apk进行反编译,https://github.com/skylot/jadx
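拿到反编译后的代码后可以看到,verify() 用硬编码的 key 和全零 IV 对输入做 AES/CBC/PKCS5Padding 加密,再将 Base64 编码后的结果与 enc 比较;因此只需用同样的 key 和 IV 对 enc 做对应的解密即可。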
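/**
 * Main screen of the challenge app, as recovered with jadx.
 *
 * <p>{@link #verify(String)} encrypts the text typed by the user with AES/CBC/PKCS5 padding and
 * compares the Base64 result with {@link #enc}. {@link #Decrypt(String, String)} is the inverse
 * operation with the same key and IV.
 *
 * <p>Security note: the key, the IV (all zeros) and the expected ciphertext all live in the APK,
 * so anyone who can read the package can recover the plaintext. A secret that must stay hidden
 * from the device owner cannot be protected by a key shipped in the same app; check it
 * server-side or keep key material in the platform keystore. A constant IV also makes CBC
 * deterministic, and CBC on its own provides no integrity protection.
 */
public class MainActivity extends AppCompatActivity {
    // Expected Base64 ciphertext of the flag. The trailing "????" is presumably a redaction in
    // this write-up rather than part of the real value.
    String enc = "bKhM9b9mSM2Xff4XgzzrYUXhKwfBxzUd30bdW3sOxpClsxmuVh04Ny7VAQhbjKui????";
    // Hard-coded AES key, readable by anyone who decompiles the APK. As printed here it is 23
    // characters, which is not a valid AES key length (16, 24 or 32 bytes), so it is presumably
    // partly redacted as well.
    String key = "yuNttCSojTyxZodsxxxxxxx";
    private Cipher cipher;

    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Log.e("WuHengCTF", "Try this awesome tool to decompile apk\nhttps://github.com/skylot/jadx");
        final EditText editText = (EditText) findViewById(R.id.editText);
        Button button = (Button) findViewById(R.id.button);
        button.setOnClickListener(new View.OnClickListener() { // from class: com.wuhengctf.wuhengdroid1.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                // Read the field once; the debug decryption and the check both use this value.
                final String input = editText.getText().toString();
                try {
                    String decrypted = Decrypt(input, key);
                    // Decrypt returns null on any failure and Log.e rejects a null message,
                    // so only log when there is something to show.
                    // NOTE(review): this writes decrypted data to logcat; debug aid only.
                    if (decrypted != null) {
                        Log.e("hsk -- > ", decrypted);
                    }
                } catch (Exception e) {
                    e.printStackTrace();
                }
                String message = MainActivity.this.verify(input) ? "yep" : "nope";
                Toast.makeText(MainActivity.this.getApplicationContext(), message, Toast.LENGTH_SHORT).show();
            }
        });
    }

    // Flag format hints left in the listing:
    // flag{xxxxxx}
    // WHCTF{XXX}

    /**
     * Checks a candidate flag by encrypting it and comparing with the embedded ciphertext.
     *
     * @param k candidate text entered by the user
     * @return {@code true} when the Base64 ciphertext of {@code k} equals {@link #enc};
     *     {@code false} otherwise, including when encryption fails
     */
    boolean verify(String k) {
        try {
            cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            // All-zero IV: the same input always produces the same ciphertext.
            cipher.init(
                    Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(this.key.getBytes(StandardCharsets.UTF_8), "AES"),
                    new IvParameterSpec(new byte[16]));
            byte[] ciphertext = cipher.doFinal(k.getBytes(StandardCharsets.UTF_8));
            String encode = Base64.encodeToString(ciphertext, Base64.NO_WRAP);
            // NOTE(review): the ciphertext of whatever the user typed is written to logcat.
            Log.e("WuHengCTF", encode);
            return this.enc.equals(encode);
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }

    /**
     * Decrypts a Base64 string with AES/CBC/PKCS5 padding and an all-zero IV, mirroring
     * {@link #verify(String)}.
     *
     * @param sSrc Base64 (no line wrapping) ciphertext
     * @param sKey AES key as text; its UTF-8 bytes are used as the key
     * @return the decrypted text, or {@code null} when decoding or decryption fails
     * @throws Exception declared for compatibility with existing callers; failures are
     *     reported on standard output and signalled by the {@code null} return
     */
    public String Decrypt(String sSrc, String sKey) throws Exception {
        try {
            Cipher decryptor = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            decryptor.init(
                    Cipher.DECRYPT_MODE,
                    new SecretKeySpec(sKey.getBytes(StandardCharsets.UTF_8), "AES"),
                    new IvParameterSpec(new byte[16]));
            byte[] encrypted = Base64.decode(sSrc, Base64.NO_WRAP);
            byte[] original = decryptor.doFinal(encrypted);
            String originalString = new String(original, StandardCharsets.UTF_8);
            // NOTE(review): the recovered plaintext is written to logcat.
            Log.e("解密后", originalString);
            return originalString;
        } catch (Exception ex) {
            // Bad Base64, a wrong key length and a padding failure all end up here.
            System.out.println(ex.toString());
            return null;
        }
    }
}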
最后用同样的 key 和全零 IV 对 enc 解密(即上面的 Decrypt 方法),即可得到 flag。