使用jeb3打开反编译代码
package com.example.xman.easymobile;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.view.View$OnClickListener;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
public class MainActivity extends AppCompatActivity {
private Button button;
private EditText editText;
public MainActivity() {
super();
}
protected void onCreate(Bundle arg4) {
super.onCreate(arg4);
this.setContentView(0x7F04001A);
this.findViewById(0x7F0B0056).setOnClickListener(new View$OnClickListener(this.findViewById(0x7F0B0055)) {
public void onClick(View arg4) {
new encode();
if(encode.check(this.val$editText.getText().toString())) {
Toast.makeText(MainActivity.this.getApplicationContext(), "correct", 1).show();
}
else {
Toast.makeText(MainActivity.this.getApplicationContext(), "failed", 1).show();
}
}
});
}
}
分析,程序将editText中的内容进行一次encode.check检查,通过就显示correct
那核心代码应该在encode函数中,
package com.example.xman.easymobile;
public class encode {
private static byte[] b;
static {
encode.b = new byte[]{23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 0x20, 0x20};
}
public encode() {
super();
}
public static boolean check(String arg7) {
int v6 = 16;
byte[] v1 = arg7.getBytes();
byte[] v3 = new byte[v6];
int v0;
for(v0 = 0; v0 < v6; ++v0) {
v3[v0] = ((byte)((v1[v0] + encode.b[v0]) % 61));
}
for(v0 = 0; v0 < v6; ++v0) {
v3[v0] = ((byte)(v3[v0] * 2 - v0));
}
return new String(v3).equals(arg7);
}
}
这个函数逻辑很简单,就是对输入的长度为16的字符串的每个字符进行运算,若运算结果字符没有变,就通过。
解方程太复杂了,编写一个简单的python脚本进行爆破
byte = [23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 0x20, 0x20]
for i in range(16):
for v1 in range(200):
if ((v1+byte[i])%61)*2-i == v1 :
print chr(v1),
得到结果如下
得到flag XMAN{LOHILMNMLKHILKHI}