Hackergame 2019 - 献给最好的你 Writeup

  解包之后使用 Java Decompiler GUI(JD-GUI)打开,在 com.hackergame.eternalEasterlyWind 包下的 data.LoginDataSource 类里发现了端倪。

  代码如下:

/**
 * Decompiler output for the app's login check (the Kotlin metadata below places it in
 * {@code com/hackergame/eternalEasterlyWind/data}).
 *
 * <p>This listing is not compilable Java: statements such as {@code this();} and
 * {@code this(str1, ...)} inside method bodies, and the empty {@code finally {}} blocks,
 * look like decompiler artifacts standing in for constructor calls and a lost try/catch.
 *
 * <p>NOTE(review): everything needed to pass the check ships inside the APK. The expected
 * value is a hard-coded string literal, the "flxg" bytes are a hard-coded int array, and the
 * transform between them is Base64 plus a case swap plus a repeating-key XOR. None of this
 * is a secret once the package is unpacked; a real credential check belongs on a server and
 * must not embed the protected value in the client.
 */
// The d2 array of the Kotlin metadata keeps the original source names: "login", "logout",
// "password", "rawpassword" and "flxg".
@Metadata(bv = {1, 0, 3}, d1 = {"\000$\n\002\030\002\n\002\020\000\n\002\b\002\n\002\030\002\n\002\030\002\n\000\n\002\020\016\n\002\b\003\n\002\020\022\n\000\030\0002\0020\001B\005?\006\002\020\002J\024\020\003\032\b\022\004\022\0020\0050\0042\006\020\006\032\0020\007J\026\020\b\032\0020\0072\006\020\t\032\0020\0072\006\020\n\032\0020\013��\006\f"}, d2 = {"Lcom/hackergame/eternalEasterlyWind/data/LoginDataSource;", "", "()V", "login", "Lcom/hackergame/eternalEasterlyWind/data/Result;", "Lcom/hackergame/eternalEasterlyWind/data/model/LoggedInUser;", "password", "", "logout", "rawpassword", "flxg", "", "app_release"}, k = 1, mv = {1, 1, 15})
public final class LoginDataSource {
  /**
   * Checks the entered password against a constant embedded in the class.
   *
   * <p>The password is Base64-encoded, the case of every letter in the encoded text is
   * swapped, and the result is compared with a string literal. On a match a
   * {@code LoggedInUser} is built from a random UUID and the output of
   * {@link #logout(String, byte[])}.
   *
   * @param paramString the password typed by the user ("password" in the Kotlin metadata)
   * @return a {@code Result.Success} on a match; the trailing statement returns a
   *     {@code Result.Error}, presumably from a catch block the decompiler dropped
   */
  public final Result<LoggedInUser> login(String paramString) {
    Intrinsics.checkParameterIsNotNull(paramString, "password");
    try {
      byte[] arrayOfByte = paramString.getBytes(Charsets.UTF_8);
      Intrinsics.checkExpressionValueIsNotNull(arrayOfByte, "(this as java.lang.String).getBytes(charset)");
      // Presumably android.util.Base64, where flag value 2 is NO_WRAP; confirm against imports.
      String str = Base64.encodeToString(arrayOfByte, 2);
      Intrinsics.checkExpressionValueIsNotNull(str, "password1String");
      CharIterator charIterator = StringsKt.iterator((CharSequence)str);
      // str is reused as the accumulator for the case-swapped copy of the encoded text.
      str = "";
      Iterator iterator = (Iterator)charIterator;
      while (iterator.hasNext()) {
        char c2;
        char c1 = ((Character)iterator.next()).charValue();
        StringBuilder stringBuilder = new StringBuilder();
        // Decompiler artifact: appears to be the StringBuilder constructor call.
        this();
        stringBuilder.append(str);
        // Upper case becomes lower case, lower case becomes upper case, anything else
        // (digits, '+', '/', '=') is copied unchanged.
        if (Character.isUpperCase(c1)) {
          char c = Character.toLowerCase(c1);
          c2 = c;
        } else {
          c2 = c1;
          if (Character.isLowerCase(c1)) {
            char c = Character.toUpperCase(c1);
            c2 = c;
          } 
        } 
        stringBuilder.append(c2);
        str = stringBuilder.toString();
      } 
      // NOTE(review): writes a reversible encoding of the entered password to the debug log.
      Log.d("pass1", str);
      LoginDataSource$login$1 loginDataSource$login$1 = LoginDataSource$login$1.INSTANCE;
      // Hard-coded expected value; since the transform above is reversible, the accepted
      // password can be derived from this literal alone.
      if (Intrinsics.areEqual(str, "AgfJA2vYz2fTztiWmtL3AxrOzNvUiq==")) {
        LoggedInUser loggedInUser = new LoggedInUser();
        String str1 = UUID.randomUUID().toString();
        Intrinsics.checkExpressionValueIsNotNull(str1, "java.util.UUID.randomUUID().toString()");
        // The 32 ints are narrowed to bytes and passed to logout() as the "flxg" argument.
        byte[] arrayOfByte1 = loginDataSource$login$1.invoke(new int[] { 
              14, 13, 2, 12, 30, 30, 2, 0, 31, 11, 
              109, 81, 83, 8, 3, 54, 21, 6, 2, 39, 
              33, 104, 44, 62, 17, 14, 19, 23, 21, 18, 
              8, 24 });
        try {
          // Decompiler artifact: appears to be the LoggedInUser constructor, taking the UUID
          // and the string that logout() derives from the raw password and the byte array.
          this(str1, logout(paramString, arrayOfByte1));
          Result.Success success = new Result.Success();
          // Decompiler artifact: appears to be the Result.Success constructor.
          this(loggedInUser);
          return (Result)success;
        } finally {}
      } else {
        Exception exception = new Exception();
        // Decompiler artifact: appears to be the Exception constructor with its message.
        this("错误的密码");
        throw (Throwable)exception;
      } 
    } finally {}
    // Presumably the body of a lost catch block; the second IOException argument is likely
    // the caught throwable, which the decompiler rendered as paramString. TODO confirm.
    return (Result)new Result.Error((Exception)new IOException("Error logging in", paramString));
  }
  
  /**
   * XORs every byte of {@code paramArrayOfByte} with the characters of {@code paramString},
   * reusing the string from its start whenever the array is longer, and returns the result
   * as a string.
   *
   * <p>Despite its name this method does not log anyone out; {@code login} calls it with
   * the raw password and the embedded byte array.
   *
   * <p>NOTE(review): each output character and the complete output are written to the
   * debug log under the tag "pass2", so the derived value leaves the process whenever the
   * check succeeds. An empty {@code paramString} with a non-empty array makes
   * {@code j % paramString.length()} divide by zero.
   *
   * @param paramString the raw password ("rawpassword" in the Kotlin metadata)
   * @param paramArrayOfByte the bytes to combine with the password ("flxg" in the metadata)
   * @return the XOR result, one character per input byte; empty for an empty array
   */
  public final String logout(String paramString, byte[] paramArrayOfByte) {
    Intrinsics.checkParameterIsNotNull(paramString, "rawpassword");
    Intrinsics.checkParameterIsNotNull(paramArrayOfByte, "flxg");
    // i is the last valid index; the loop below runs j from 0 through i inclusive.
    int i = paramArrayOfByte.length - 1;
    String str1 = "";
    String str2 = str1;
    if (i >= 0) {
      int j = 0;
      while (true) {
        // Repeating-key XOR: the password character at position j modulo its length.
        char c = (char)(paramArrayOfByte[j] ^ paramString.charAt(j % paramString.length()));
        Log.d("pass2", String.valueOf(c));
        StringBuilder stringBuilder = new StringBuilder();
        stringBuilder.append(str1);
        stringBuilder.append(c);
        str1 = stringBuilder.toString();
        str2 = str1;
        if (j != i) {
          j++;
          continue;
        } 
        break;
      } 
    } 
    Log.d("pass2", str2);
    return str2;
  }
  
  /**
   * Compiled form of a Kotlin lambda (named "byteArrayOfInts" in the metadata below) that
   * converts an int array into a byte array.
   */
  @Metadata(bv = {1, 0, 3}, d1 = {"\000\022\n\000\n\002\020\022\n\000\n\002\020\025\n\002\020\b\n\000\020\000\032\0020\0012\n\020\002\032\0020\003\"\0020\004H\n?\006\002\b\005"}, d2 = {"byteArrayOfInts", "", "ints", "", "", "invoke"}, k = 3, mv = {1, 1, 15})
  static final class LoginDataSource$login$1 extends Lambda implements Function1<int[], byte[]> {
    public static final LoginDataSource$login$1 INSTANCE = new LoginDataSource$login$1();
    
    LoginDataSource$login$1() { super(1); }
    
    /**
     * Narrows each int of the argument to a byte.
     *
     * @param param1VarArgs the values to convert ("ints" in the Kotlin metadata)
     * @return a new byte array of the same length
     */
    public final byte[] invoke(int... param1VarArgs) {
      Intrinsics.checkParameterIsNotNull(param1VarArgs, "ints");
      int i = param1VarArgs.length;
      byte[] arrayOfByte = new byte[i];
      // The byte-typed counter is what the decompiler emitted; as written it would wrap to a
      // negative index for arrays longer than 127 elements. The only call shown passes 32.
      for (byte b = 0; b < i; b++)
        arrayOfByte[b] = (byte)(byte)param1VarArgs[b]; 
      return arrayOfByte;
    }
  }
}

  代码首先将用户输入的字符串进行 base64 编码,再把编码结果中的字母逐个大小写互换(大写变小写、小写变大写),随后与字符串 AgfJA2vYz2fTztiWmtL3AxrOzNvUiq== 对比。

  把这个字符串的大小写换回去,再做 base64 解码,得到的是 hackergame2019withfun!

  然而这并不是最后的 flag。字符串对比通过之后,代码还会调用 logout 函数,它把数组 arrayOfByte1 的每个字节与原始密码(长度不够时循环使用)逐个进行异或运算。密钥正是上一步还原出的密码,所以这层异或起不到保护作用;照着再计算一下,就可以拿到 flag 了。

# -*- coding:utf-8 -*-

#Works on Python 37_64

# Byte values copied from the int array that the decompiled login() passes to logout().
arr4y = [
    14, 13, 2, 12, 30, 30, 2, 0, 31, 11,
    109, 81, 83, 8, 3, 54, 21, 6, 2, 39,
    33, 104, 44, 62, 17, 14, 19, 23, 21, 18,
    8, 24,
]
# Password recovered by undoing the case swap on the embedded constant and Base64-decoding it.
code = "hackergame2019withfun!"

# Repeating-key XOR, mirroring logout(): byte i is combined with the password character at
# position i modulo the password length. Output is written without a trailing newline.
key_len = len(code)
decoded = "".join(
    chr(value ^ ord(code[pos % key_len])) for pos, value in enumerate(arr4y)
)
print(decoded, end='')

'''
output:
"C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python37_64\python.exe" C:/Users/Adm1n/PycharmProjects/untitled/hello.py
flag{learn_ab1t_andROID_reverse}
Process finished with exit code 0
'''


转载自www.cnblogs.com/Travelr/p/11779136.html