初音ミクの消失

JarvisOJ-findpass

2019/06/14

FindPass

FindPass_200.7z

Approach

Unpack the APK with JEB 3.0 and open MainActivity. It contains a GetKey function, and the approach is obvious from reading it.

The program reads three things: the asset src.jpg, the string resource fkey, and the user's input. It transforms fkey using bytes of src.jpg as offsets, compares the result with the input, and the transformed fkey is the flag content (flag{Key}). Listing below is JEB's decompilation, with the empty-input goto to label_57 folded into an early return:

    public void GetKey(View arg16) {
        // Text typed into the key field (resource id 0x7F080001 in the decompiled output)
        String input = this.findViewById(0x7F080001).getText().toString();
        if(TextUtils.isEmpty(input.trim())) {
            Toast.makeText(((Context)this), "请输入key值!", 1).show();   // "Please enter the key!"
            return;
        }

        // fkey: string resource 0x7F050003 from strings.xml; it is both the
        // starting key and the table of offsets into the jpg header
        char[] fkey = this.getResources().getString(0x7F050003).toCharArray();
        int v2 = fkey.length;
        // First 1024 chars of the asset src.jpg, read through an InputStreamReader,
        // i.e. bytes decoded with the default charset rather than raw bytes
        char[] from_jpg = new char[0x400];
        try {
            new InputStreamReader(this.getResources().getAssets().open("src.jpg")).read(from_jpg);
        }
        catch(Exception v3) {
            v3.printStackTrace();
        }

        // Transform fkey in place: index from_jpg by each key character, take the
        // value mod 10, add it on odd positions and subtract it on even ones
        int v6;
        for(v6 = 0; v6 < v2; ++v6) {
            int v12 = from_jpg[fkey[v6]] % 10;
            fkey[v6] = v6 % 2 == 1 ? ((char)(fkey[v6] + v12)) : ((char)(fkey[v6] - v12));
        }

        // The transformed fkey is the key; the flag is flag{Key}
        if(input.equals(new String(fkey))) {
            Toast.makeText(((Context)this), "恭喜您,输入正确!Flag==flag{Key}", 1).show();   // "Congratulations, correct! Flag==flag{Key}"
        }
        else {
            Toast.makeText(((Context)this), "not right! lol。。。。", 1).show();
        }
    }

The only part that was not obvious was

    char[] fkey = this.getResources().getString(0x7F050003).toCharArray()

After asking around I learned that getString(int) reads a built-in string resource by its ID. The value can be found in

    Resources/values/strings.xml

in JEB (res/values/strings.xml in an apktool dump, where res/values/public.xml maps the ID 0x7F050003 to the string's name). Most Android apps keep their strings there.

solve

# Value of string resource 0x7F050003 from strings.xml
fkey = "Tr43Fla92Ch4n93"
# First 123 bytes of assets/src.jpg; the loop only indexes offsets up to 114 (ord('r'))
fromjpg = [0xFF,0xD8,0xFF,0xE0,0x00,0x10,0x4A,0x46,0x49,0x46,0x00,0x01,0x01,0x01,0x00,0x48,0x00,0x48,0x00,0x00,0xFF,0xE1,0x00,0x30,0x45,0x78,0x69,0x66,0x00,0x00,0x4D,0x4D,0x00,0x2A,0x00,0x00,0x00,0x08,0x00,0x01,0x01,0x31,0x00,0x02,0x00,0x00,0x00,0x0E,0x00,0x00,0x00,0x1A,0x00,0x00,0x00,0x00,0x77,0x77,0x77,0x2E,0x6D,0x65,0x69,0x74,0x75,0x2E,0x63,0x6F,0x6D,0x00,0xFF,0xDB,0x00,0x43,0x00,0x03,0x02,0x02,0x03,0x02,0x02,0x03,0x03,0x03,0x03,0x04,0x03,0x03,0x04,0x05,0x08,0x05,0x05,0x04,0x04,0x05,0x0A,0x07,0x07,0x06,0x08,0x0C,0x0A,0x0C,0x0C,0x0B,0x0A,0x0B,0x0B,0x0D,0x0E,0x12,0x10,0x0D,0x0E,0x11,0x0E,0x0B,0x0B,0x10,0x16,0x10,0x11]
ans = ""

# Same loop as GetKey(): the key character is also the offset into the jpg bytes
for i in range(len(fkey)):
    t = 0
    if(i % 2 == 1):
        # odd position: add the table value mod 10
        t = ord(fkey[i]) + (fromjpg[ord(fkey[i])] % 10)
    else:
        # even position: subtract it
        t = ord(fkey[i]) - (fromjpg[ord(fkey[i])] % 10)
    ans = ans + chr(t)

ans = "flag{" + ans + "}"
print(ans)
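One check worth doing before submitting: the script above indexes the raw bytes of src.jpg, but the app reads the asset through an InputStreamReader, which decodes bytes into chars with the runtime's default charset. Any byte at an indexed offset that is not valid in that charset reaches from_jpg as U+FFFD, and 0xFFFD % 10 is not the same as the raw byte mod 10. The block below is an added example, not part of the original writeup: it derives the key both ways from the same byte listing (constructed here from the writeup's hex dump), reports which key positions can differ, and prints both candidate flags. It assumes the device's default charset is UTF-8 (Android's default) and that the decoder emits one U+FFFD per invalid byte, which the length assertion checks; it does not claim which candidate the app accepts, so confirm by typing the candidates into the app.

```python
# Added example (not from the original writeup). Derives the FindPass key from
# the same inputs as GetKey(), modelling both ways the JPEG bytes can reach the
# from_jpg[] table: raw bytes (the writeup's script) and chars decoded by an
# InputStreamReader with the default charset (assumed UTF-8, Android's default).

FKEY = "Tr43Fla92Ch4n93"  # string resource 0x7F050003, as given in the writeup

# Constructed input: the first 123 bytes of assets/src.jpg as listed in the
# writeup (JFIF header: SOI, APP0, APP1/Exif, DQT).
SRC_JPG = bytes([
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46, 0x49, 0x46,
    0x00, 0x01, 0x01, 0x01, 0x00, 0x48, 0x00, 0x48, 0x00, 0x00,
    0xFF, 0xE1, 0x00, 0x30, 0x45, 0x78, 0x69, 0x66, 0x00, 0x00,
    0x4D, 0x4D, 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08, 0x00, 0x01,
    0x01, 0x31, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00,
    0x00, 0x1A, 0x00, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x2E,
    0x6D, 0x65, 0x69, 0x74, 0x75, 0x2E, 0x63, 0x6F, 0x6D, 0x00,
    0xFF, 0xDB, 0x00, 0x43, 0x00, 0x03, 0x02, 0x02, 0x03, 0x02,
    0x02, 0x03, 0x03, 0x03, 0x03, 0x04, 0x03, 0x03, 0x04, 0x05,
    0x08, 0x05, 0x05, 0x04, 0x04, 0x05, 0x0A, 0x07, 0x07, 0x06,
    0x08, 0x0C, 0x0A, 0x0C, 0x0C, 0x0B, 0x0A, 0x0B, 0x0B, 0x0D,
    0x0E, 0x12, 0x10, 0x0D, 0x0E, 0x11, 0x0E, 0x0B, 0x0B, 0x10,
    0x16, 0x10, 0x11,
])


def derive_key(fkey: str, table) -> str:
    """Reproduce the GetKey() loop. For position i of fkey, look up
    table[ord(fkey[i])], take it mod 10, and add it to the key character on
    odd positions or subtract it on even ones. `table` is anything indexable
    by code point: the raw bytes, or the str an InputStreamReader produced."""
    out = []
    for i, ch in enumerate(fkey):
        cell = table[ord(ch)]
        v = (cell if isinstance(cell, int) else ord(cell)) % 10
        out.append(chr(ord(ch) + v if i % 2 == 1 else ord(ch) - v))
    return "".join(out)


def java_reader_view(data: bytes, charset: str = "utf-8") -> str:
    """Model InputStreamReader.read(char[]): decode with replacement, as the
    reader does with CodingErrorAction.REPLACE. Assumption: every invalid byte
    in this header (each is followed by a non-continuation byte) becomes exactly
    one U+FFFD, so char offsets equal byte offsets; callers verify the length."""
    return data.decode(charset, errors="replace")


def affected_positions(fkey: str = FKEY, data: bytes = SRC_JPG) -> list:
    """Key positions whose lookup lands on a byte >= 0x80, i.e. exactly the
    places where the raw-byte and decoded-char models can disagree."""
    return [i for i, ch in enumerate(fkey) if data[ord(ch)] >= 0x80]


def candidate_flags(fkey: str = FKEY, data: bytes = SRC_JPG) -> dict:
    """Both candidate flags; the app's own check decides which one is right."""
    raw = derive_key(fkey, data)
    decoded = java_reader_view(data)
    if len(decoded) != len(data):
        raise ValueError("decoder changed offsets; the one-U+FFFD-per-byte model does not hold")
    via_reader = derive_key(fkey, decoded)
    return {"raw_bytes": f"flag{{{raw}}}", "reader_decoded": f"flag{{{via_reader}}}"}


if __name__ == "__main__":
    for name, flag in candidate_flags().items():
        print(f"{name:15s} {flag}")
    print("key positions affected by charset decoding:", affected_positions())
```

Only one lookup in this key, position 4 ('F' = 70, which lands on the 0xFF of the DQT marker), hits a byte >= 0x80, so the two models differ in exactly one character. If the app were run on a JVM with a different default charset (for example when re-implementing GetKey on a desktop), the decoded view could differ again, which is why the charset is passed explicitly.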

Original author: mrh929

Original link: https://mrh1s.top/posts/512d4c5b/

Published: June 14th 2019, 12:00:52 am

Updated: June 14th 2019, 1:54:33 pm

License: this post is licensed under the Creative Commons Attribution-NonCommercial 4.0 International License
