Test file: https://www.lanzous.com/iann8pe
Code analysis
After decompiling the APK with jadx-gui, go straight to the main code:

     1 public class MainActivity extends ActionBarActivity {
     2     /* access modifiers changed from: protected */
     3     public void onCreate(Bundle savedInstanceState) {
     4         super.onCreate(savedInstanceState);
     5         setContentView((int) R.layout.activity_main);
     6         if (savedInstanceState == null) {
     7             getSupportFragmentManager().beginTransaction().add((int) R.id.container, new PlaceholderFragment()).commit();
     8         }
     9         final TextView textview = (TextView) findViewById(R.id.textView1);
    10         final EditText editview = (EditText) findViewById(R.id.editText1);
    11         ((Button) findViewById(R.id.button1)).setOnClickListener(new View.OnClickListener() {
    12             /* class com.example.flag.MainActivity.AnonymousClass1 */
    13
    14             public void onClick(View v) {
    15                 int flag = 1;
    16                 String xx = editview.getText().toString();
    17                 if (!(xx.length() == 32 && xx.charAt(31) == 'a' && xx.charAt(1) == 'b' && (xx.charAt(0) + xx.charAt(2)) - 48 == 56)) {
    18                     flag = 0;
    19                 }
    20                 if (flag == 1) {
    21                     char[] x = "dd2940c04462b4dd7c450528835cca15".toCharArray();
    22                     x[2] = (char) ((x[2] + x[3]) - 50);
    23                     x[4] = (char) ((x[2] + x[5]) - 48);
    24                     x[30] = (char) ((x[31] + x[9]) - 48);
    25                     x[14] = (char) ((x[27] + x[28]) - 97);
    26                     for (int i = 0; i < 16; i++) {
    27                         char a = x[31 - i];
    28                         x[31 - i] = x[i];
    29                         x[i] = a;
    30                     }
    31                     textview.setText("flag{" + String.valueOf(x) + "}");
    32                     return;
    33                 }
    34                 textview.setText("输入注册码错误");
    35             }
    36         });
    37     }

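Line 17 validates the string we enter; the code from line 20 onward is where the flag is generated.
There are two approaches. The first is to construct a string that satisfies the check and enter it into the app, which then outputs the flag.
The second is to port the Java code to Python.
Script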
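
    # -*- coding:utf-8 -*-
    # Python port of the flag-generation code (lines 21-31 of the Java listing).
    flagtrue = "dd2940c04462b4dd7c450528835cca15"
    x = [i for i in flagtrue]
    # Same four character substitutions as the Java code, in the same order
    # (x[4] uses the already updated x[2]).
    x[2] = chr(ord(x[2]) + ord(x[3]) - 0x32)
    x[4] = chr(ord(x[2]) + ord(x[5]) - 0x30)
    x[0x1e] = chr(ord(x[0x1f]) + ord(x[0x9]) - 0x30)
    x[0xe] = chr(ord(x[0x1b]) + ord(x[0x1c]) - 0x61)
    # Reverse the 32-character array in place.
    for i in range(16):
        x[i], x[31 - i] = x[31 - i], x[i]
    print("flag{" + ''.join(x) + "}")
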
get flag!
flag{59acc538825054c7de4b26440c0999dd}