findit WriteUp

题目地址

https://buuoj.cn/challenges#findit

题解

一开始尝试用dex2jar生成jar然后用JD-GUI反编译查看，找到MainActivity.class代码如下：

package com.example.findit;

import android.os.Bundle;
import android.support.v7.app.ActionBarActivity;
import android.view.MenuItem;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;

public class MainActivity extends ActionBarActivity {
  protected void onCreate(Bundle paramBundle) {
    super.onCreate(paramBundle);
    setContentView(2130903064);
    Button button = (Button)findViewById(2131034173);
    final EditText edit = (EditText)findViewById(2131034174);
    final TextView text = (TextView)findViewById(2131034175);
    button.setOnClickListener(new View.OnClickListener() {
          public void onClick(View param1View) {
            char[] arrayOfChar1 = new char[17];
            char[] arrayOfChar2 = new char[38];
            int i = 0;
            while (true) {
              String str;
              if (i >= 17) {
                if (String.valueOf(arrayOfChar1).equals(edit.getText().toString())) {
                  for (i = 0;; i++) {
                    if (i >= 38) {
                      str = String.valueOf(arrayOfChar2);
                      text.setText(str);
                      return;
                    } 
                    if ((b[i] >= 'A' && b[i] <= 'Z') || (b[i] >= 'a' && b[i] <= 'z')) {
                      arrayOfChar2[i] = (char)(b[i] + 16);
                      if ((arrayOfChar2[i] > 'Z' && arrayOfChar2[i] < 'a') || arrayOfChar2[i] >= 'z')
                        arrayOfChar2[i] = (char)(arrayOfChar2[i] - 26); 
                    } else {
                      arrayOfChar2[i] = b[i];
                    } 
                  } 
                  break;
                } 
              } else {
                if ((a[i] < 'I' && a[i] >= 'A') || (a[i] < 'i' && a[i] >= 'a')) {
                  str[i] = (char)(a[i] + 18);
                } else if ((a[i] >= 'A' && a[i] <= 'Z') || (a[i] >= 'a' && a[i] <= 'z')) {
                  str[i] = (char)(a[i] - 8);
                } else {
                  str[i] = a[i];
                } 
                i++;
                continue;
              } 
              text.setText(");
              return;
            } 
          }
        });
  }
  
  public boolean onOptionsItemSelected(MenuItem paramMenuItem) {
    return (paramMenuItem.getItemId() == 2131034176) ? true : super.onOptionsItemSelected(paramMenuItem);
  }
}

发现找不到数组a和b的定义，比较懵。然后尝试了第二种反编译方法，即使用apktool.jar，这一次能将xml的乱码消除，并且产生了很多.smali文件，还是不太懂，遂去查wp，发现用APKIDE直接打开就行。
查看MainActivity.smali，发现一些16进制数，联想到刚刚看到的数组a和b

复制这俩数组的数，写脚本转成ascii码

# -*- coding: utf-8 -*-
# @Time    : 2020/4/6 22:27
# @Author  : 20181218-sl
# @Email   : 1743207528@qq.com
# @File    : findit.py
# @Software: PyCharm

a="""
        0x54s
        0x68s
        0x69s
        0x73s
        0x49s
        0x73s
        0x54s
        0x68s
        0x65s
        0x46s
        0x6cs
        0x61s
        0x67s
        0x48s
        0x6fs
        0x6ds
        0x65s
        0x70s
        0x76s
        0x6bs
        0x71s
        0x7bs
        0x6ds
        0x31s
        0x36s
        0x34s
        0x36s
        0x37s
        0x35s
        0x32s
        0x36s
        0x32s
        0x30s
        0x33s
        0x33s
        0x6cs
        0x34s
        0x6ds
        0x34s
        0x39s
        0x6cs
        0x6es
        0x70s
        0x37s
        0x70s
        0x39s
        0x6ds
        0x6es
        0x6bs
        0x32s
        0x38s
        0x6bs
        0x37s
        0x35s
        0x7ds
"""
a = a.replace(' ','')
a = a.replace('
','')
l = a.split('s')
del l[-1]
for c in l:
    print(chr(int(c,16)),end='')

跑完脚本得到的后部分用恺撒加密进行解密，试试位移，为10时解密出flag。

参考

apk反编译工具可以参考Android反编译apk逆向分析
BUUCTF Reverse helloword、findit