測試文件:https://www.lanzous.com/iann8pe
代碼分析
用jadx-gui反編譯後,直接看主要的代碼:
// Main activity of the sample app (package com.example.flag), as recovered by jadx.
// The "listing line NN" remarks below refer to the numbering of the original
// jadx listing, which the surrounding write-up cites.
//
// NOTE(review): the value shown on success is computed only from a string constant
// embedded in the app; the user's input gates whether it is displayed but never
// feeds the computation. A check of this kind cannot protect the value from anyone
// who can read the APK. A check that must hold needs to run server-side, or the
// output must actually depend on the input.
public class MainActivity extends ActionBarActivity {
    /* access modifiers changed from: protected */
    // Sets up the layout, attaches the placeholder fragment on first creation, and
    // registers the click handler that performs the "registration code" check.
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView((int) R.layout.activity_main);
        // Only add the fragment when there is no saved state to restore from.
        if (savedInstanceState == null) {
            getSupportFragmentManager().beginTransaction().add((int) R.id.container, new PlaceholderFragment()).commit();
        }
        final TextView textview = (TextView) findViewById(R.id.textView1);
        final EditText editview = (EditText) findViewById(R.id.editText1);
        ((Button) findViewById(R.id.button1)).setOnClickListener(new View.OnClickListener() {
            /* class com.example.flag.MainActivity.AnonymousClass1 */

            // Validates the text typed into editText1 and writes either the derived
            // flag or an error message into textView1.
            public void onClick(View v) {
                // int used as a boolean: 1 = input accepted, 0 = rejected.
                int flag = 1;
                String xx = editview.getText().toString();
                // Listing line 17 - input validation. Accepted only when all hold:
                //   * length is exactly 32
                //   * character 31 is 'a' and character 1 is 'b'
                //   * char codes of characters 0 and 2 sum to 104 (sum - 48 == 56)
                // The remaining 28 characters are not checked.
                if (!(xx.length() == 32 && xx.charAt(31) == 'a' && xx.charAt(1) == 'b' && (xx.charAt(0) + xx.charAt(2)) - 48 == 56)) {
                    flag = 0;
                }
                // Listing line 20 onwards - flag generation. Note that xx is not
                // referenced anywhere in this branch.
                if (flag == 1) {
                    char[] x = "dd2940c04462b4dd7c450528835cca15".toCharArray();
                    // Four in-place patches; order matters because the second one
                    // reads the x[2] written by the first.
                    x[2] = (char) ((x[2] + x[3]) - 50);    // '2' + '9' - 50 -> '9'
                    x[4] = (char) ((x[2] + x[5]) - 48);    // '9' (patched) + '0' - 48 -> '9'
                    x[30] = (char) ((x[31] + x[9]) - 48);  // '5' + '4' - 48 -> '9'
                    x[14] = (char) ((x[27] + x[28]) - 97); // 'c' + 'c' - 97 -> 'e'
                    // Swap x[i] with x[31 - i] for the first half: reverses all 32 chars.
                    for (int i = 0; i < 16; i++) {
                        char a = x[31 - i];
                        x[31 - i] = x[i];
                        x[i] = a;
                    }
                    textview.setText("flag{" + String.valueOf(x) + "}");
                    return;
                }
                // Rejected input: the message reads roughly "the registration code entered is wrong".
                textview.setText("輸入注冊碼錯誤");
            }
        });
    }
// (the listing ends here; the rest of the class, including its closing brace, is not shown)
第17行代碼是對我們輸入字符串的驗證,第20行代碼之後是生成flag的地方。
有兩種解法。第一種:構造一個滿足判斷條件的字符串,輸入進程序,flag就會輸出。
第二種方法:flag的生成只依賴程序內嵌的常量字符串,與輸入內容無關,因此將生成flag的Java代碼轉換為Python直接運行即可。
腳本
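# -*- coding:utf-8 -*-
# Python port of the flag-generation branch of MainActivity.onClick (the code
# after the `if (flag == 1)` test in the decompiled listing).
#
# The branch works only on a constant embedded in the app and never reads the
# user's input, so the result can be recomputed offline without the app.
# Statement order is kept identical to the Java code: the second patch reads
# the x[2] value written by the first.

# Constant copied verbatim from the decompiled code.
flagtrue = "dd2940c04462b4dd7c450528835cca15"
x = list(flagtrue)

# Four in-place patches (hex constants: 0x32 = 50, 0x30 = 48, 0x61 = 97).
x[2] = chr(ord(x[2]) + ord(x[3]) - 0x32)          # '2' + '9' - 50 -> '9'
x[4] = chr(ord(x[2]) + ord(x[5]) - 0x30)          # '9' + '0' - 48 -> '9'
x[0x1e] = chr(ord(x[0x1f]) + ord(x[0x9]) - 0x30)  # x[30] = '5' + '4' - 48 -> '9'
x[0xe] = chr(ord(x[0x1b]) + ord(x[0x1c]) - 0x61)  # x[14] = 'c' + 'c' - 97 -> 'e'

# Swap x[i] with x[31 - i] for the first half, i.e. reverse the 32 characters.
for i in range(16):
    x[i], x[31 - i] = x[31 - i], x[i]

print("flag{" + ''.join(x) + "}")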
get flag!
flag{59acc538825054c7de4b26440c0999dd}