Bugku-REVERSE-First_Mobile(xman)
使用jeb3打开反编译代码
package com.example.xman.easymobile; import android.os.Bundle; import android.support.v7.app.AppCompatActivity; import android.view.View$OnClickListener; import android.view.View; import android.widget.Button; import android.widget.EditText; import android.widget.Toast; public class MainActivity extends AppCompatActivity { private Button button; private EditText editText; public MainActivity() { super(); } protected void onCreate(Bundle arg4) { super.onCreate(arg4); this.setContentView(0x7F04001A); this.findViewById(0x7F0B0056).setOnClickListener(new View$OnClickListener(this.findViewById(0x7F0B0055)) { public void onClick(View arg4) { new encode(); if(encode.check(this.val$editText.getText().toString())) { Toast.makeText(MainActivity.this.getApplicationContext(), "correct", 1).show(); } else { Toast.makeText(MainActivity.this.getApplicationContext(), "failed", 1).show(); } } }); } }
分析,程序将editText中的内容进行一次encode.check检查,通过就显示correct
那核心代码应该在encode函数中,
package com.example.xman.easymobile; public class encode { private static byte[] b; static { encode.b = new byte[]{23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 0x20, 0x20}; } public encode() { super(); } public static boolean check(String arg7) { int v6 = 16; byte[] v1 = arg7.getBytes(); byte[] v3 = new byte[v6]; int v0; for(v0 = 0; v0 < v6; ++v0) { v3[v0] = ((byte)((v1[v0] + encode.b[v0]) % 61)); } for(v0 = 0; v0 < v6; ++v0) { v3[v0] = ((byte)(v3[v0] * 2 - v0)); } return new String(v3).equals(arg7); } }
这个函数逻辑很简单,就是对输入的长度为16的字符串的每个字符进行运算,若运算结果字符没有变,就通过。
解方程太复杂了,编写一个简单的python脚本进行爆破
byte = [23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 0x20, 0x20] for i in range(16): for v1 in range(200): if ((v1+byte[i])%61)*2-i == v1 : print chr(v1),
得到结果如下
得到flag XMAN{LOHILMNMLKHILKHI}