1.拖入到模拟器中运行,输入信息提示密码错误,使用PKID查壳,发现无壳
2.将apk的后缀名该成rar,随后进行解压缩,使用d2j-dex2jar.bat对classes-dex进行反编译,生成classes-dex2jar.jar
3.接着使用apktool工具,反编译apk文件,可以看到so文件
4.把生成的classes-dex2jar.jar拖入到jadx-gui中,看到FlagActivity,里面含有求解代码,在该程序中看不到so层函数的影子,那么求解flag的关键代码就在FlagActivity里
5、首先看到静态数组,发现里面的值大部分都是负值,看到p、q数组进行异或操作,并赋值给另一个数组,并把bArr数组中下标为bArr[0]以后的数赋值给bArr2数组,bArr2数组形成的字符串就是flag。
看代码
public class FlagActivity extends d {
private static String m = "com.didi_ctf.flagapp.FlagActivity";
//两个静态数组
private static final byte[] p = {-40, -62, 107, 66, -126, 103, -56, 77, 122, -107, -24, -127, 72, -63, -98, 64, -24, -5, -49, -26, 79, -70, -26, -81, 120, 25, 111, -100, -23, -9, 122, -35, 66, -50, -116, 3, -72, 102, -45, -85, 0, 126, -34, 62, 83, -34, 48, -111, 61, -9, -51, 114, 20, 81, -126, -18, 27, -115, -76, -116, -48, -118, -10, -102, -106, 113, -104, 98, -109, 74, 48, 47, -100, -88, 121, 22, -63, -32, -20, -41, -27, -20, -118, 100, -76, 70, -49, -39, -27, -106, -13, -108, 115, -87, -1, -22, -53, 21, -100, 124, -95, -40, 62, -69, 29, 56, -53, 85, -48, 25, 37, -78, 11, -110, -24, -120, -82, 6, -94, -101};
private static final byte[] q = {-57, -90, 53, -71, -117, 98, 62, 98, 101, -96, 36, 110, 77, -83, -121, 2, -48, 94, -106, -56, -49, -80, -1, 83, 75, 66, -44, 74, 2, -36, -42, -103, 6, -115, -40, 69, -107, 85, -78, -49, 54, 78, -26, 15, 98, -70, 8, -90, 94, -61, -84, 64, 112, 51, -29, -34, 126, -21, -126, -71, -31, -24, -60, -2, -81, 66, -84, 85, -91, 10, 84, 70, -8, -63, 26, 126, -76, -104, -123, -71, -126, -62, -23, 11, -39, 70, 14, 59, -101, -39, -124, 91, -109, 102, -49, 21, 105, 0, 37, Byte.MIN_VALUE, -57, 117, 110, -115, -86, 56, 25, -46, -55, 7, -125, 109, 76, 104, -15, 82, -53, 18, -28, -24};
private TextView n;
private TextView o;
private String i() {
byte[] bArr = new byte[p.length];
//对p、q数组进行异或操作
for (int i = 0; i < bArr.length; i++) {
bArr[i] = (byte) (p[i] ^ q[i]);
}
byte b = bArr[0];
int i2 = 0;
//从bArr数组下标b开始统计非0的个数
while (bArr[b + i2] != 0) {
i2++;
}
//新建数组
byte[] bArr2 = new byte[i2];
//把bArr数组下标b以后的数赋值给bArr2数组
for (int i3 = 0; i3 < i2; i3++) {
bArr2[i3] = bArr[b + i3];
}
return new String(bArr2);
}
public void onClickTest(View view) {
if (this.n.getText().toString().equals(i())) {
this.o.setText(R.string.flag_result_yes);
} else {
this.o.setText(R.string.flag_result_no);
}
}
/* access modifiers changed from: protected */
public void onCreate(Bundle bundle) {
super.onCreate(bundle);
setContentView((int) R.layout.activity_flag);
this.n = (TextView) findViewById(R.id.flag_entry);
this.o = (TextView) findViewById(R.id.flag_result);
}
}
6.接下来,把上述i方法代码放到java IDE中运行,运行出flag。
