首先下载文件,看到是apk文件,那就是安卓逆向。拿模拟器来运行看看
1.看来是一个判断用户输入的程序,我们拿JEB分析源代码main类,如下:
package com.example.crackme;
import android.app.Activity;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuInflater;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException; ###使用一些资源包
public class MainActivity
extends Activity
{
private Button btn_register;
private EditText edit_sn;
String edit_userName;
private boolean checkSN(String paramString1, String paramString2) ###参数1为用户名
{
bool1 = false;
bool2 = bool1;
if (paramString1 != null) {} ###参数1不为空的时候
for (;;)
{
try
{
if (paramString1.length() != 0) {
continue;
}
bool2 = bool1;
}
catch (NoSuchAlgorithmException paramString1)
{
Object localObject;
int i;
boolean bool3;
paramString1.printStackTrace();
bool2 = bool1;
continue;
}
return bool2;
bool2 = bool1;
if (paramString2 != null)
{
bool2 = bool1;
if (paramString2.length() == 22) ###如果参数2的长度为22的时候则进行MD5加密
{
localObject = MessageDigest.getInstance("MD5");
((MessageDigest)localObject).reset();
((MessageDigest)localObject).update(paramString1.getBytes()); ###通过使用 update 方法处理数据,使指定的 byte数组更新摘要,参数1经过MD5加密给localObject
paramString1 = toHexString(((MessageDigest)localObject).digest(), ""); ###toHexString方法操作参数加密数据。digest()转换为二进制,最终给str1
localObject = new java/lang/StringBuilder;
((StringBuilder)localObject).<init>();
i = 0;
if (i < paramString1.length())
{
((StringBuilder)localObject).append(paramString1.charAt(i)); ###此处把MD5加密后的形式相隔1位进行拼接
i += 2;
}
else
{
localObject = ((StringBuilder)localObject).toString();
paramString1 = new java/lang/StringBuilder;
paramString1.<init>();
bool3 = ("flag{" + (String)localObject + "}").equalsIgnoreCase(paramString2); ###判断用户名MD5加密并重构是否和用户输入一致
bool2 = bool1;
if (bool3) {
bool2 = true;
}
}
}
}
}
}
private static String toHexString(byte[] paramArrayOfByte, String paramString) ###此处加密方法,传参数1是经过MD5加密过的用户名
{ ##b9c77224ff234f27ac6badf83b855c76 32,递归传进来的参数1
StringBuilder localStringBuilder = new StringBuilder();
int i = paramArrayOfByte.length; ###将参数1长度给i
for (int j = 0; j < i; j++)
{
String str = Integer.toHexString(paramArrayOfByte[j] & 0xFF); ##toHexString转换为16进制,并且去掉paramArrayOfByte的符号
if (str.length() == 1) { ###如果str的长度为1
localStringBuilder.append(‘0‘); ###在字符串localStringBuilder之后拼接0,统一格式
}
localStringBuilder.append(str).append(paramString); ###把str给localStringBuilder字符串,paramString传参进来属于无内容
}
return localStringBuilder.toString();
}
public void onCreate(Bundle paramBundle) ###主入口函数
{
super.onCreate(paramBundle);
setContentView(2130968601);
setTitle(2131099677);
this.edit_userName = "Tenshine"; ###用户名
this.edit_sn = ((EditText)findViewById(2131492945));
this.btn_register = ((Button)findViewById(2131492946));
this.btn_register.setOnClickListener(new View.OnClickListener()
{
public void onClick(View paramAnonymousView)
{
if (!MainActivity.this.checkSN(MainActivity.this.edit_userName.trim(), MainActivity.this.edit_sn.getText().toString().trim())) { ###调用checkSN方法,参数1是用户名,trim() 方法用于删除字符串的头尾空白符
Toast.makeText(MainActivity.this, 2131099678, 0).show(); ###输出用户输入错误
}
for (;;)
{
return;
Toast.makeText(MainActivity.this, 2131099675, 0).show(); ##输出用户输入正确
MainActivity.this.btn_register.setEnabled(false);
MainActivity.this.setTitle(2131099673);
}
}
});
}
public boolean onCreateOptionsMenu(Menu paramMenu)
{
getMenuInflater().inflate(2131558400, paramMenu);
return true;
}
}
总结下来:首先用户名是固定的,Tenshine经过MD5加密之后就是b9c77224ff234f27ac6badf83b855c76这一串,根据源码分析,每隔1位进行拼接就是flag,所以就是flag{bc72f242a6af3857}
原文:https://www.cnblogs.com/xiaochaofang/p/14460998.html