BUUCTF-RE-findit
一、
apk文件用jeb打开 反编译
二、jeb分析
1 package com.example.findit; 2 3 import android.os.Bundle; 4 import android.support.v7.app.ActionBarActivity; 5 import android.view.MenuItem; 6 import android.view.View$OnClickListener; 7 import android.view.View; 8 9 public class MainActivity extends ActionBarActivity { 10 public MainActivity() { 11 super(); 12 } 13 14 protected void onCreate(Bundle arg8) { 15 super.onCreate(arg8); 16 this.setContentView(2130903064); 17 this.findViewById(2131034173).setOnClickListener(new View$OnClickListener(new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}, this.findViewById(2131034174), new char[]{'p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}'}, this.findViewById(2131034175)) { 18 public void onClick(View arg13) { 19 int v11 = 17; 20 int v10 = 122; 21 int v9 = 90; 22 int v8 = 65; 23 int v7 = 97; 24 char[] v3 = new char[v11]; 25 char[] v4 = new char[38]; 26 int v0; 27 for(v0 = 0; v0 < v11; ++v0) { 28 if(this.val$a[v0] >= 73 || this.val$a[v0] < v8) { 29 if(this.val$a[v0] < 105 && this.val$a[v0] >= v7) { 30 label_39: 31 v3[v0] = ((char)(this.val$a[v0] + 18)); 32 goto label_44; 33 } 34 35 if(this.val$a[v0] >= v8 && this.val$a[v0] <= v9 || this.val$a[v0] >= v7 && this.val$a[v0] <= v10) { 36 v3[v0] = ((char)(this.val$a[v0] - 8)); 37 goto label_44; 38 } 39 40 v3[v0] = this.val$a[v0]; 41 } 42 else { 43 goto label_39; 44 } 45 46 label_44: 47 } 48 49 if(String.valueOf(v3).equals(this.val$edit.getText().toString())) { 50 v0 = 0; 51 goto label_18; 52 } 53 else { 54 this.val$text.setText("答案错了肿么办。。。不给你又不好意思。。。哎呀好纠结啊~~~"); 55 return; 56 label_18: 57 while(v0 < 38) { 58 if(this.val$b[v0] < v8 || this.val$b[v0] > v9) { 59 if(this.val$b[v0] >= v7 && this.val$b[v0] <= v10) { 60 label_80: 61 v4[v0] = ((char)(this.val$b[v0] + 16)); 62 if((v4[v0] <= v9 || v4[v0] >= v7) && v4[v0] < v10) { 63 goto label_95; 64 } 65 66 v4[v0] = ((char)(v4[v0] - 26)); 67 goto label_95; 68 } 69 70 v4[v0] = this.val$b[v0]; 71 } 72 else { 73 goto label_80; 74 } 75 76 label_95: 77 ++v0; 78 } 79 80 this.val$text.setText(String.valueOf(v4)); 81 } 82 } 83 }); 84 } 85 86 public boolean onOptionsItemSelected(MenuItem arg3) { 87 boolean v1 = arg3.getItemId() == 2131034176 ? true : super.onOptionsItemSelected(arg3); 88 return v1; 89 } 90 }
发现第17行的疑似加密过后的flag字符串pvkq{m164675262033l4m49lnp7p9mnk28k75}
应该是用了移位 移位密码最著名的就是凯撒密码
脚本如下
a=input() model = "abcdefghijklmnopqrstuvwxyz" flag='' for i in range(1,27): print("key=%d"%i, end='\n') for s in a: if s.isalpha(): //isalpha()测字符串是否只由字母组成 n = model.find(s) //find()检测字符串中是否包含子字符串model s = model[n-i] print(s, end='') print('\n')
三、flag
flag{c164675262033b4c49bdf7f9cda28a75}
