前言

有幸参加了2022年山西省第二届网络安全技能大赛企业组的比赛,这是第一次参加ctf比赛,本着积累实战经验的目的去的,排名有点意外.

提示：以下是本篇文章正文内容.

一、题目

题目：

apk逆向题.

附件：

schoolboy.apk

二、解题步骤

1.解题思路

反汇编apk文件,Find the startup page,查看算法,撸代码.

2.解题过程

反编译后,在com/example.worker/MainActivity可看到如下代码：

package com.example.worker;

import android.os.Bundle;
import android.util.Base64;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import androidx.appcompat.app.AppCompatActivity;
import java.io.UnsupportedEncodingException;

/* loaded from: classes.dex */
public class MainActivity extends AppCompatActivity {
    public static int num = 0;

    public String b64Decrypt(String encodeWord) throws UnsupportedEncodingException {
        String decodeWord = new String(Base64.decode(encodeWord, 2), "utf-8");
        return decodeWord;
    }

    public String getFlag(String flag) throws Exception {
        String flag2 = b64Decrypt(flag); // 2.复盘：对flag进行base64解密
        byte[] c = flag2.getBytes();
        for (int i = 0; i < flag2.length(); i++) {
            c[i] = (byte) (c[i] ^ i); // 3.复盘：对BaseBitwise XOR of the decrypted string,Eject the original string
        }
        String result = new String(c, 0, c.length);
        return result;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        Button studyButton = (Button) findViewById(R.id.button);
        final TextView studyTime = (TextView) findViewById(R.id.studytime);
        studyButton.setOnClickListener(new View.OnClickListener() { // from class: com.example.worker.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View v) {
                MainActivity.num++;
                studyTime.setText("\n你已经学习了" + MainActivity.num + "个小时\n");
                if (MainActivity.num == Integer.MAX_VALUE) {
                    try {
                        TextView textView = studyTime;
                        StringBuilder sb = new StringBuilder();
                        sb.append("\n");
                        MainActivity mainActivity = MainActivity.this;
                        sb.append(mainActivity.getFlag(mainActivity.getResources().getString(R.string.mysecret))); // 1.复盘：flag由此而来
                        sb.append("\n");
                        textView.setText(sb.toString());
                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                }
            }
        });
    }
}

由
sb.append(mainActivity.getFlag(mainActivity.getResources().getString(R.string.mysecret))); // 1.复盘：flag由此而来
可知,flagin the resource filemysecret字串.

found in the following directorymysecret字串:

资源文件/resources.arsc/values/strings.xml

<string name="mysecret">REBRQFBDfWY5MDgzOj9vbiNzdCcicXBxeiwteS0vfHtDQhZAFRwfWggJCgsMDQ4P</string>

万事具备,开始撸码:

>>> mysecret='REBRQFBDfWY5MDgzOj9vbiNzdCcicXBxeiwteS0vfHtDQhZAFRwfWggJCgsMDQ4P'

>>> import base64

>>> flag2=base64.b64decode(mysecret).decode("utf-8")
>>> flag2
'[email protected]@PC}f9083:?on#st\'"qpqz,-y-/|{CB\[email protected]\x15\x1c\x1fZ\x08\t\n\x0b\x0c\r\x0e\x0f'

>>> flag=[chr(ord(flag2[i])^i) for i in range(len(flag2))]
>>> flag
['D', 'A', 'S', 'C', 'T', 'F', '{', 'a', '1', '9', '2', '8', '6', '2', 'a', 'a', '3', 'b', 'f', '4', '6', 'd', 'f', 'f', 'b', '5', '7', 'b', '1', '2', 'b', 'd', 'c', 'c', '4', 'c', '1', '9', '9', '}', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ']

>>> print(''.join(flag))
DASCTF{a192862aa3bf46dffb57b12bdcc4c199}        
>>> 

flag为：

DASCTF{a192862aa3bf46dffb57b12bdcc4c199}

三、总结

比赛时APKDecompiled software has temperaments,Failed to decompile normally.Replaced one offlineOK了.