Sharif University CTF 2016 -- Android App

很多种的方案：

方案 A: 直接逆向读代码
方案 B: 解包，加入debug信息，重新打包，动态调试
方案 C: 解包，改代码加入log.i整出flag， 去掉MainActivity里面d=什么也可以，重新打包
方案 D: 山寨一个, 抄一个，把那些不要的去掉

=============================

方案A:

step 01

      从Sharif_CTF.apk里导出classes.dex

step 02

      用d2j转成classes-dex2jar.jar

step 03

       用jd-gui打开classes-dex2jar.jar,看源码

public void onClick(View paramView)
  {
    new String(" ");
    paramView = this.a.b.getText().toString();
    Log.v("EditText", this.a.b.getText().toString());
    new String("");
    int i = this.a.processObjectArrayFromNative(paramView);
    int j = this.a.IsCorrect(paramView);
    paramView = this.a.d + i + " ";
    try
    {
      Object localObject = MessageDigest.getInstance("MD5");
      ((MessageDigest)localObject).update(paramView.getBytes());
      paramView = ((MessageDigest)localObject).digest();
      localObject = new StringBuffer();
      i = 0;
      for (;;)
      {
        if (i >= paramView.length)
        {
          if ((j == 1) && (this.a.e != "unknown")) {
            this.a.c.setText("Sharif_CTF(" + ((StringBuffer)localObject).toString() + ")");
          }
          if ((j == 1) && (this.a.e == "unknown")) {
            this.a.c.setText("Just keep Trying :-)");
          }
          if (j != 0) {
            break;
          }
          this.a.c.setText("Just keep Trying :-)");
          return;
        }
        ((StringBuffer)localObject).append(Integer.toString((paramView[i] & 0xFF) + 256, 

16).substring(1));
        i += 1;
      }
      return;
    }
    catch (NoSuchAlgorithmException paramView)
    {
      paramView.printStackTrace();
    }
  }

从这里看出来 flag与i和d有关， d可以在MainActivity里的OnCreate里得到 this.d = 114366;
 i是从native int processObjectArrayFromNative(String paramString)里得到的

step 04

从Sharif_CTF.apk里导出lib\armeabi\libadnjni.so,在ida里打开libadnjni.so

int __fastcall Java_com_example_ctf2_MainActivity_processObjectArrayFromNative
｛
 *v21 = 92060626;
v25 = *v21;
result = v25;
｝

得到i= 92060626;

 

step 05

public class Main{
    public static void main(String[] args) throws NoSuchAlgorithmException{
        int d = 114366;
        int i= 92060626;
        String paramView=d+i+" ";
        Object localObject = MessageDigest.getInstance("MD5");
        ((MessageDigest) localObject).update(paramView.getBytes());
        byte[] paramView2 = ((MessageDigest) localObject).digest();
        localObject = new StringBuffer();
        i = 0;
        for (;;) {
             if (i >= paramView2.length){
                 System.out.println("Sharif_CTF(" + ((StringBuffer)

localObject).toString() + ")");
                 break;
             }
          ((StringBuffer) localObject).append(Integer.toString(
                    (paramView2[i] & 0xFF) + 256, 16).substring(1));
            i += 1;
        }
    }
}

Sharif_CTF(833489ef285e6fa80690099efc5d9c9d)