SafeBox一道简单的安卓逆向题

来自BugkuCTF的一道安卓逆向题SafeBox,链接:https://ctf.bugku.com/challenges

先在安卓上测试一下,发现输入的字符串包含非数字字符时会报错;然后用procyon-decompiler反编译,下面我贴出两个重要文件:

com/geekerchina/hi/MainActivity.java

// 
// Decompiled by Procyon v0.5.30
// 

package com.geekerchina.hi;

import android.view.MenuItem;
import android.view.Menu;
import android.view.View;
import android.view.View$OnClickListener;
import android.widget.EditText;
import android.widget.Button;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;

/**
 * Decompiled activity (Procyon output) whose button handler validates a numeric input and,
 * on success, writes a flag string back into the input field.
 *
 * The whole check and the flag derivation run on the client, so both are readable by anyone
 * who decompiles the APK. The numeric literals passed to setContentView/findViewById/inflate
 * are resource ids as emitted by the decompiler; their symbolic names are not recovered here.
 */
public class MainActivity extends AppCompatActivity
{
    /**
     * Sets the layout and attaches the click listener that performs the input check.
     *
     * @param bundle saved instance state, forwarded unchanged to the superclass
     */
    @Override
    protected void onCreate(final Bundle bundle) {
        super.onCreate(bundle);
        this.setContentView(2130968603);
        ((Button)this.findViewById(2131427415)).setOnClickListener((View$OnClickListener)new View$OnClickListener() {
            // Decompiler rendering of a local captured by the anonymous listener.
            // NOTE(review): as written, `this` would be the listener itself; presumably the
            // original source looked the EditText up on the activity - confirm against the APK.
            final /* synthetic */ EditText val$Et1 = (EditText)this.findViewById(2131427414);

            /**
             * Parses the input as an int, applies the digit checks, and on success replaces
             * the input text with the flag.
             *
             * Integer.parseInt throws NumberFormatException for text that is not a valid int
             * and nothing in this method catches it.
             */
            public void onClick(final View view) {
                final int int1 = Integer.parseInt(this.val$Et1.getText().toString());
                // Only values strictly between 10000000 and 99999999 are examined (8 digits).
                if (int1 > 10000000 && int1 < 99999999) {
                    // n selects a digit counting from the right, n2 from the left.
                    int n = 1;
                    int n2 = 10000000;
                    // b / n4 look like a decompiled boolean "all pairs matched" flag.
                    final boolean b = true;
                    // The two digits at the thousands / ten-thousands positions must be 33 or 39,
                    // and the last three digits must be 000 or 584 (the only multiples of 584 below 1000).
                    if (Math.abs(int1 / 1000 % 100 - 36) == 3 && int1 % 1000 % 584 == 0) {
                        int n3 = 0;
                        int n4;
                        // Compare four mirrored digit pairs (1st/8th, 2nd/7th, 3rd/6th, 4th/5th),
                        // i.e. the 8-digit number must read the same in both directions.
                        while (true) {
                            n4 = (b ? 1 : 0);
                            if (n3 >= 4) {
                                break;
                            }
                            if (int1 / n % 10 != int1 / n2 % 10) {
                                n4 = 0;
                                break;
                            }
                            n *= 10;
                            n2 /= 10;
                            ++n3;
                        }
                        if (n4 == 1) {
                            // Each (char) cast turns a two-digit group of the input into a character code:
                            // the top two digits, the next two, and the two after those.
                            this.val$Et1.setText((CharSequence)("NJCTF{" + (char)(int1 / 1000000) + (char)(int1 / 10000 % 100) + (char)(int1 / 100 % 100) + "f4n}"));
                        }
                    }
                }
            }
        });
    }

    /**
     * Inflates the options menu from a menu resource.
     *
     * @param menu menu to populate
     * @return always true
     */
    public boolean onCreateOptionsMenu(final Menu menu) {
        this.getMenuInflater().inflate(2131558400, menu);
        return true;
    }

    /**
     * Reports the item with id 2131427439 as handled; every other item is passed to the superclass.
     *
     * @param menuItem the selected item
     * @return true for that id, otherwise the superclass result
     */
    public boolean onOptionsItemSelected(final MenuItem menuItem) {
        return menuItem.getItemId() == 2131427439 || super.onOptionsItemSelected(menuItem);
    }
}

com/geekerchina/hi/androidTest.java

// 
// Decompiled by Procyon v0.5.30
// 

package com.geekerchina.hi;

import android.view.MenuItem;
import android.view.Menu;
import android.view.View;
import android.view.View$OnClickListener;
import android.widget.EditText;
import android.widget.Button;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;

/**
 * Decompiled activity (Procyon output) with a second variant of the numeric input check.
 *
 * Compared with a full palindrome test, this variant compares only three mirrored digit pairs,
 * adds 10 to the third character code, and uses the prefix "NJCTF{have". As with any check
 * shipped inside the APK, the logic and the flag derivation are readable after decompilation.
 * The numeric literals passed to setContentView/findViewById/inflate are resource ids as
 * emitted by the decompiler; their symbolic names are not recovered here.
 */
public class androidTest extends AppCompatActivity
{
    /**
     * Sets the layout and attaches the click listener that performs the input check.
     *
     * @param bundle saved instance state, forwarded unchanged to the superclass
     */
    @Override
    protected void onCreate(final Bundle bundle) {
        super.onCreate(bundle);
        this.setContentView(2130968604);
        ((Button)this.findViewById(2131427415)).setOnClickListener((View$OnClickListener)new View$OnClickListener() {
            // Decompiler rendering of a local captured by the anonymous listener.
            // NOTE(review): as written, `this` would be the listener itself; presumably the
            // original source looked the EditText up on the activity - confirm against the APK.
            final /* synthetic */ EditText val$Et1 = (EditText)this.findViewById(2131427414);

            /**
             * Parses the input as an int, applies the digit checks, and on success replaces
             * the input text with the flag.
             *
             * Integer.parseInt throws NumberFormatException for text that is not a valid int
             * and nothing in this method catches it.
             */
            public void onClick(final View view) {
                final int int1 = Integer.parseInt(this.val$Et1.getText().toString());
                // Only values strictly between 10000000 and 99999999 are examined (8 digits).
                if (int1 > 10000000 && int1 < 99999999) {
                    // n selects a digit counting from the right, n2 from the left.
                    int n = 1;
                    int n2 = 10000000;
                    // b / n4 look like a decompiled boolean "all pairs matched" flag.
                    final boolean b = true;
                    // The two digits at the thousands / ten-thousands positions must be 33 or 39,
                    // and the last three digits must be 000 or 584 (the only multiples of 584 below 1000).
                    if (Math.abs(int1 / 1000 % 100 - 36) == 3 && int1 % 1000 % 584 == 0) {
                        int n3 = 0;
                        int n4;
                        // Compare three mirrored digit pairs (1st/8th, 2nd/7th, 3rd/6th);
                        // the two middle digits are not compared with each other here.
                        while (true) {
                            n4 = (b ? 1 : 0);
                            if (n3 >= 3) {
                                break;
                            }
                            if (int1 / n % 10 != int1 / n2 % 10) {
                                n4 = 0;
                                break;
                            }
                            n *= 10;
                            n2 /= 10;
                            ++n3;
                        }
                        if (n4 == 1) {
                            // Each (char) cast turns a two-digit group of the input into a character code;
                            // the third group is shifted by 10 before the cast.
                            this.val$Et1.setText((CharSequence)("NJCTF{have" + (char)(int1 / 1000000) + (char)(int1 / 10000 % 100) + (char)(int1 / 100 % 100 + 10) + "f4n}"));
                        }
                    }
                }
            }
        });
    }

    /**
     * Inflates the options menu from a menu resource.
     *
     * @param menu menu to populate
     * @return always true
     */
    public boolean onCreateOptionsMenu(final Menu menu) {
        this.getMenuInflater().inflate(2131558400, menu);
        return true;
    }

    /**
     * Reports the item with id 2131427439 as handled; every other item is passed to the superclass.
     *
     * @param menuItem the selected item
     * @return true for that id, otherwise the superclass result
     */
    public boolean onOptionsItemSelected(final MenuItem menuItem) {
        return menuItem.getItemId() == 2131427439 || super.onOptionsItemSelected(menuItem);
    }
}

上面的代码已经很明确了:校验逻辑完全在客户端,而且输入被限制为8位整数(不到9×10^7个候选值),所以我们只需要爆破就行,不必进行代码分析,下面是我的爆破代码:

main.java

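/**
 * Offline replay of the two decompiled input checks (MainActivity and androidTest).
 *
 * Every 8-digit candidate the apps would accept is run through the same arithmetic, and each
 * string the app would have written into its text field is printed. The two checks differ only
 * in the number of mirrored digit pairs compared, the flag prefix, and a shift applied to the
 * third character, so they share one search routine instead of two copied loops.
 */
public class main {
    /** Smallest value that passes the apps' range check {@code int1 > 10000000}. */
    private static final int FIRST_CANDIDATE = 10000001;

    /** Largest value that passes the apps' range check {@code int1 < 99999999}. */
    private static final int LAST_CANDIDATE = 99999998;

    /**
     * Prints the candidate flags for both decompiled activities, one section per activity.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        System.out.println("MainActivity.java:");
        printMatches(4, "NJCTF{", 0);

        System.out.println();
        System.out.println("androidTest.java:");
        printMatches(3, "NJCTF{have", 10);
    }

    /**
     * Walks the whole accepted input range and prints the flag for every candidate that passes.
     *
     * @param mirroredPairs  how many outer digit pairs the activity compares
     * @param prefix         literal text that precedes the three derived characters
     * @param thirdCharShift value added to the third two-digit group before it is cast to a char
     */
    private static void printMatches(int mirroredPairs, String prefix, int thirdCharShift) {
        for (int candidate = FIRST_CANDIDATE; candidate <= LAST_CANDIDATE; candidate++) {
            if (isAccepted(candidate, mirroredPairs)) {
                // Each two-digit group of the number is used directly as a character code.
                System.out.println(prefix + (char) (candidate / 1000000) + (char) (candidate / 10000 % 100)
                        + (char) (candidate / 100 % 100 + thirdCharShift) + "f4n}");
            }
        }
    }

    /**
     * Applies the digit conditions taken from the decompiled click handlers.
     *
     * @param candidate     8-digit number to test
     * @param mirroredPairs how many digit pairs (outermost first) must be equal
     * @return true when the candidate satisfies every condition
     */
    private static boolean isAccepted(int candidate, int mirroredPairs) {
        // Digits at the thousands / ten-thousands positions must be 33 or 39, and the last
        // three digits must be a multiple of 584 (that is, 000 or 584).
        if (Math.abs(candidate / 1000 % 100 - 36) != 3 || candidate % 1000 % 584 != 0) {
            return false;
        }
        int fromRight = 1;
        int fromLeft = 10000000;
        for (int pair = 0; pair < mirroredPairs; pair++) {
            if (candidate / fromRight % 10 != candidate / fromLeft % 10) {
                return false;
            }
            fromRight *= 10;
            fromLeft /= 10;
        }
        return true;
    }
}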

编译执行效果如下:

ex@Ex:~/test/unzip/out/com/geekerchina/hi$ javac main.java 
ex@Ex:~/test/unzip/out/com/geekerchina/hi$ java main
MainActivity.java:
NJCTF{05#f4n}

androidTest.java:
NJCTF{have05-f4n}
NJCTF{have05if4n}

生成了3个flag,再根据题目给的提示:“flag格式NJCTF{xxx} 并且 xxx只包含[a-z][A-Z][0-9]”,就可以过滤掉两个错误的flag(分别含有“#”和“-”),剩下的NJCTF{have05if4n}就是正确的flag。