记录两道简单CTF-Android题目解题

• Test01-apk
• Test02.apk

Test01-apk

使用jadx反编译apk

在com.example.test01.MainActivity中找到主要源代码

public final class MainActivity extends k {

    /* renamed from: s  reason: collision with root package name */
    public static final /* synthetic */ int f265s = 0;
    public final String r = "ITQyMDIgbmkgZ25vb0wgZWh0IGZvIHJhZVkgZWh0IG5pIGtjdWwgZG9vRw==";

    @Override // androidx.activity.k, a0.a, android.app.Activity
    public final void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(R.layout.activity_main);
        final EditText editText = (EditText) findViewById(R.id.inputEditText);
        final TextView textView = (TextView) findViewById(R.id.resultTextView);
        ((Button) findViewById(R.id.checkButton)).setOnClickListener(new View.OnClickListener() { // from class: p0.a
            @Override // android.view.View.OnClickListener
            public final void onClick(View view) {
                String str;
                int i2 = MainActivity.f265s;
                MainActivity mainActivity = this;
                v0.a.k(mainActivity, "this$0");
                String obj = editText.getText().toString();
                v0.a.k(obj, "<this>");
                StringBuilder reverse = new StringBuilder((CharSequence) obj).reverse();
                v0.a.j(reverse, "StringBuilder(this).reverse()");
                byte[] bytes = reverse.toString().getBytes(a1.a.f3a);
                v0.a.j(bytes, "this as java.lang.String).getBytes(charset)");
                boolean b2 = v0.a.b(Base64.encodeToString(bytes, 2), mainActivity.r);
                TextView textView2 = textView;
                if (b2) {
                    str = "Flag Correct!";
                } else {
                    str = "Flag Incorrect!";
                }
                textView2.setText(str);
                textView2.setVisibility(0);
            }
        });
    }
}

代码逻辑

• 用户输入的字符串会被反转后进行Base64编码，并与预设的Base64字符串比较。

• 如果比较正确则输出Flag Correct！

将密文解密并反转

TQyMDIgbmkgZ25vb0wgZWh0IGZvIHJhZVkgZWh0IG5pIGtjdWwgZG9vRw==
!4202 ni gnooL eht fo raeY eht ni kcul dooG
Good luck in the Year of the Loong in 2024!

将APK安装到模拟器中

输入Good luck in the Year of the Loong in 2024!

提示flag正确。

Test02.apk

依旧是打开apk文件，定位com.example.yaphetshan.tencentgreat;，查看源代码

/* loaded from: classes.dex */
public class MainActivity extends AppCompatActivity {
    Button btn;
    public final String pName = BuildConfig.APPLICATION_ID;
    EditText text;

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // android.support.v7.app.AppCompatActivity, android.support.v4.app.FragmentActivity, android.support.v4.app.BaseFragmentActivityGingerbread, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        this.btn = (Button) findViewById(R.id.checBtn);
        this.text = (EditText) findViewById(R.id.input);
        this.btn.setOnClickListener(new View.OnClickListener() { // from class: com.example.yaphetshan.tencentgreat.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View v) {
                try {
                    String inputString = MainActivity.this.text.getText().toString();
                    PackageInfo pinfo = MainActivity.this.getPackageManager().getPackageInfo(BuildConfig.APPLICATION_ID, 16384);
                    String versionCode = pinfo.versionName;
                    int versionName = pinfo.versionCode;
                    for (int i = 0; i < inputString.length() && i < versionCode.length(); i++) {
                        if (inputString.charAt(i) != (versionCode.charAt(i) ^ versionName)) {
                            Toast.makeText(MainActivity.this, "再接再厉，加油~", 1).show();
                            return;
                        }
                    }
                    if (inputString.length() == versionCode.length()) {
                        Toast.makeText(MainActivity.this, "恭喜开启闯关之门！", 1).show();
                        return;
                    }
                } catch (PackageManager.NameNotFoundException e) {
                }
                Toast.makeText(MainActivity.this, "年轻人不要耍小聪明噢", 1).show();
            }
        });
    }
}

代码逻辑

• 获取versionName、versionCode

• 遍历输入的versionName和versionCode，对每个字符进行异或运算（^），并与输入的字符进行比较。若有不匹配的字符，就显示 “再接再厉，加油～” 的提示信息。若输入的字符串长度和版本名长度相同，就显示 “恭喜开启闯关之门！” 的提示信息。

源码看一下versionCode、versionName在哪里获取的

PackageInfo pinfo = MainActivity.this.getPackageManager().getPackageInfo(BuildConfig.APPLICATION_ID, 16384);
String versionCode = pinfo.versionName;

在BuildConfig类中获取

package com.example.yaphetshan.tencentgreat;

/* loaded from: classes.dex */
public final class BuildConfig {
    public static final String APPLICATION_ID = "com.example.yaphetshan.tencentgreat";
    public static final String BUILD_TYPE = "debug";
    public static final boolean DEBUG = Boolean.parseBoolean("true");
    public static final String FLAVOR = "";
    public static final int VERSION_CODE = 15;
    public static final String VERSION_NAME = "HelloWorld";
}

但实际上mainactivity里取得appname是从AndroidManifest.xml里取的，所以versionCode、versionName需要在配置文件中找

versionName = "BuildYourDreams"
versionCode = 15
flag=""
for i in range(len(versionName)):
    flag+=chr(ord(versionName[i]) ^ versionCode)
print(flag)

flag:MzfckV`z}K}jnb|

输入结果，测试成功