基本的环境配置
1.打开夜神
2.打开AndroidKiller
3.将两者进行连接
4.在AndroidKiller中编译运行这个apk
程序正常运行了:
使用关键字符串进行搜索
具体方法可以参见非虫大大的那本书;
这里使用关键词equals搜索,发现了一些关键的字符串,例如“flag{you are clever!}”
进行反编译:
在onclick这个函数里面发现了关键的地方:
可以发现,输入的数据经过encode这个函数处理之后,再与PassWord进行比较,
如果相等的话,将会弹出一个内容为“flag{you are clever!}”的吐司(Toast)!
可见,这道题目的关键在于encode这个函数!
暴力枚举
首先看一波java伪代码:
/**
 * Decompiled main activity of the analysed APK (the article presents this listing as
 * Java pseudo-code, so parts of it are decompiler artefacts rather than valid Java).
 *
 * It contains a Base64-style encoder with a custom table and a click handler that
 * encodes the text typed by the user and compares the result with the hard-coded
 * string {@code PassWord}. The whole check runs on the client and the transform has
 * no key, so everything needed to recover the accepted input is inside the APK.
 */
public class MainActivity
extends AppCompatActivity
{
// Encoding table with 65 entries: A-Z (0-25), 0-9 (26-35), a-z (36-61), '+' (62),
// '=' (63), '/' (64). Digits come before lowercase letters, which is NOT the RFC 4648
// order, so a stock Base64 decoder does not invert encode().
// Index 64 ('/') is the value the constants "k = 64" / "n = 64" in encode() refer to;
// presumably it is the padding symbol (PassWord ends in "//").
private static char[] alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz+=/".toCharArray();
// Reverse lookup table filled by the static initializer below. Nothing in this
// listing reads it.
private static byte[] codes = new byte[256];
// Expected output of encode(), stored in the clear; onClick() compares against it.
String PassWord = "3t3tMTVQQcNl1Q//";
// Fills codes[]: every entry starts at -1, then 'A'-'Z' -> 0..25, 'a'-'z' -> 26..51,
// '0'-'9' -> 52..61, '+' -> 62, '/' -> 63.
// NOTE(review): this is the standard Base64 value assignment and does not match the
// order of alphabet[] above (digits sit at 26..35 there), so codes[] cannot be used
// to decode PassWord.
static
{
int i = 0;
while (i < 256)
{
codes[i] = -1;
i += 1;
}
// 65..90 are 'A'..'Z'
i = 65;
while (i <= 90)
{
codes[i] = ((byte)(i - 65));
i += 1;
}
// 97..122 are 'a'..'z'
i = 97;
while (i <= 122)
{
codes[i] = ((byte)(i + 26 - 97));
i += 1;
}
// 48..57 are '0'..'9'
i = 48;
while (i <= 57)
{
codes[i] = ((byte)(i + 52 - 48));
i += 1;
}
// 43 is '+', 47 is '/'
codes[43] = 62;
codes[47] = 63;
}
/**
 * Encodes bytes into characters taken from {@code alphabet}, four output characters
 * per group of three input bytes.
 *
 * NOTE(review): the body is decompiler output. "break label218" targets a label that
 * is declared after it and "break label120" targets a label outside the loop, neither
 * of which is valid Java, and the statements after the unconditional "break" are
 * unreachable as written. Presumably the original source was a loop over 3-byte
 * groups that emits alphabet[64] for missing bytes; confirm against the smali.
 *
 * @param paramArrayOfByte input bytes
 * @return array of (length + 2) / 3 * 4 characters
 */
public static char[] encode(byte[] paramArrayOfByte)
{
char[] arrayOfChar1 = new char[(paramArrayOfByte.length + 2) / 3 * 4];
// j indexes the input bytes, i indexes the output characters.
int j = 0;
int i = 0;
// As decompiled this is a single "if", so only the group starting at j = 0 is
// processed here even though j and i are advanced at the end.
if (j < paramArrayOfByte.length)
{
// n / k are set to 1 when the third / second byte of the group exists.
int n = 0;
int k = 0;
// Pack up to three bytes into m, 8 bits each, first byte in the highest position.
int i1 = (paramArrayOfByte[j] & 0xFF) << 8;
int m = i1;
if (j + 1 < paramArrayOfByte.length)
{
m = i1 | paramArrayOfByte[(j + 1)] & 0xFF;
k = 1;
}
i1 = m << 8;
m = i1;
if (j + 2 < paramArrayOfByte.length)
{
m = i1 | paramArrayOfByte[(j + 2)] & 0xFF;
n = 1;
}
char[] arrayOfChar2 = alphabet;
// Third byte present: the low 6 bits of m select the fourth output character.
if (n != 0)
{
n = m & 0x3F;
label120:
arrayOfChar1[(i + 3)] = arrayOfChar2[n];
m >>= 6;
arrayOfChar2 = alphabet;
if (k == 0) {
break label218;
}
}
// Remaining three output characters, each taken from the next 6 bits of m.
label218:
for (k = m & 0x3F;; k = 64)
{
arrayOfChar1[(i + 2)] = arrayOfChar2[k];
k = m >> 6;
arrayOfChar1[(i + 1)] = alphabet[(k & 0x3F)];
arrayOfChar1[(i + 0)] = alphabet[(k >> 6 & 0x3F)];
j += 3;
i += 4;
break;
// Unreachable as written; presumably the remains of the branch that selects
// index 64 for a missing third byte.
n = 64;
break label120;
}
}
return arrayOfChar1;
}
/**
 * Click handler holding the password check: reads the EditText with id 2131492971,
 * converts its text to bytes with getBytes() (no explicit charset), encodes the bytes
 * and compares the result with {@code PassWord}. On a match it shows a Toast with the
 * flag string.
 *
 * Log.d() writes the encoded form of whatever was typed to the log under tag "TAG"
 * on every click, whether or not it matched.
 *
 * NOTE(review): assigning a String to the View parameter is a decompiler artefact
 * (reused variable slot), not valid Java.
 */
public void onClick(View paramView)
{
paramView = new String(encode(((EditText)findViewById(2131492971)).getText().toString().getBytes()));
if (this.PassWord.equals(paramView)) {
Toast.makeText(this, "flag{you are clever!}", 0).show();
}
Log.d("TAG", paramView);
}
/**
 * Sets the content view (layout id 2130968601), installs the Toolbar as action bar
 * and attaches a click listener to the FloatingActionButton that shows a Snackbar.
 * Nothing in this method takes part in the password check.
 */
protected void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
setContentView(2130968601);
setSupportActionBar((Toolbar)findViewById(2131492969));
((FloatingActionButton)findViewById(2131492970)).setOnClickListener(new View.OnClickListener()
{
public void onClick(View paramAnonymousView)
{
Snackbar.make(paramAnonymousView, "更多请登录官网 http://www.15pb.com", 0).setAction("Action", null).show();
}
});
}
/** Inflates the menu resource 2131558400 into the options menu and returns true. */
public boolean onCreateOptionsMenu(Menu paramMenu)
{
getMenuInflater().inflate(2131558400, paramMenu);
return true;
}
/**
 * Returns true for the menu item with id 2131492995; every other item is passed to
 * the superclass.
 */
public boolean onOptionsItemSelected(MenuItem paramMenuItem)
{
if (paramMenuItem.getItemId() == 2131492995) {
return true;
}
return super.onOptionsItemSelected(paramMenuItem);
}
}
// 注册机.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
#include <cstdio>
#include <cstdlib>
#include <cstring>
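// Encoding table copied from MainActivity.alphabet in the decompiled APK.
// Indices 0-63 are the 6-bit symbols (A-Z, 0-9, a-z, '+', '='); index 64 ('/') is
// the padding symbol. The order differs from standard Base64, where lowercase
// letters come before digits.
char alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz+=/";

// Port of the APK's encode(): turns every group of three input bytes into four
// characters from alphabet[], padding an incomplete final group with alphabet[64].
//
// The decompiled listing shows an "if" with broken labels where the loop over the
// groups belongs; copying that shape literally encoded only the first group, left
// the padded positions unwritten and returned a buffer without a terminator. This
// version loops over all groups, writes the padding and NUL-terminates the result.
//
// paramArrayOfByte: NUL-terminated input string.
// Returns a buffer allocated with new[] holding (length + 2) / 3 * 4 characters
// plus a terminating NUL; the caller releases it with delete[].
char* encode3(char * paramArrayOfByte)
{
	const int length = static_cast<int>(strlen(paramArrayOfByte));
	const int outLength = (length + 2) / 3 * 4;
	// One extra byte so the result can be used as a C string.
	char* arrayOfChar1 = new char[outLength + 1];

	int i = 0; // write position in the output
	for (int j = 0; j < length; j += 3, i += 4)
	{
		const bool hasSecond = j + 1 < length;
		const bool hasThird = j + 2 < length;

		// Pack up to three bytes into 24 bits, first byte in the highest position.
		// The & 0xFF keeps a negative char from sign-extending into the upper bits.
		unsigned int m = (paramArrayOfByte[j] & 0xFF) << 8;
		if (hasSecond)
		{
			m |= paramArrayOfByte[j + 1] & 0xFF;
		}
		m <<= 8;
		if (hasThird)
		{
			m |= paramArrayOfByte[j + 2] & 0xFF;
		}

		// Emit the four 6-bit symbols from the lowest bits upwards; a missing byte
		// turns its symbol into the padding entry at index 64.
		arrayOfChar1[i + 3] = alphabet[hasThird ? (m & 0x3F) : 64];
		m >>= 6;
		arrayOfChar1[i + 2] = alphabet[hasSecond ? (m & 0x3F) : 64];
		m >>= 6;
		arrayOfChar1[i + 1] = alphabet[m & 0x3F];
		arrayOfChar1[i + 0] = alphabet[(m >> 6) & 0x3F];
	}

	arrayOfChar1[outLength] = '\0';
	return arrayOfChar1;
}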
// Pointer that main() assigns the result of each encode3() call to.
char *cRes = 0;

// Candidate characters tried by the search in main(): the ten digits, then the
// lowercase letters, then the uppercase letters (62 entries, no terminator).
char pool[] =
{
	// digits
	'0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
	// lowercase letters
	'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
	'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
	// uppercase letters
	'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
	'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'
};
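// Searches for the three-character input whose encoding equals one four-character
// group of the hard-coded PassWord, then runs the registration-name prompt that
// was already part of this program.
//
// Changes against the first version:
//  - a hit prints the matching candidate (it used to print only the character '5');
//  - the buffer returned by encode3() is released on every iteration (it used to
//    leak one allocation per candidate);
//  - three nested loops instead of four: one output group depends on three input
//    bytes only, so the fourth character just repeated every hit 62 times;
//  - the comparison uses strncmp() over four characters instead of writing a
//    terminator into the returned buffer.
int main()
{
	// Group to look for. The article repeats the run with "3t3t", "MTVQ" and
	// "QcNl". The last group of PassWord, "1Q//", carries padding and comes from a
	// single input byte, so this fixed three-character search does not cover it.
	const char target[] = "3t3t";

	char cNum[128];
	for (int i = 0; i < 62; i++)
	{
		for (int j = 0; j < 62; j++)
		{
			for (int l = 0; l < 62; l++)
			{
				sprintf(cNum, "%c%c%c", pool[i], pool[j], pool[l]);
				cRes = encode3(cNum); // encode3 is the port of the Java encode()
				if (strncmp(cRes, target, 4) == 0)
				{
					printf("%s -> %s\n", cNum, target);
				}
				// encode3() allocates with new[]; release it before the next candidate.
				delete[] cRes;
				cRes = NULL;
			}
		}
	}

	char cName[100];
	printf("请输入注册名:");
	scanf_s("%s", cName, 100);
	// NOTE(review): encrypt1() is not defined anywhere in this listing; the file
	// only builds if it is declared elsewhere (for example in stdafx.h) - confirm.
	encrypt1(cName);

	// Prints the name of the current Windows user. Nothing above uses this value;
	// it looks like a leftover from another program - confirm before keeping it.
	char cUserBuffer[80];
	DWORD sizeUser = 80;
	GetUserNameA(cUserBuffer, &sizeUser);
	printf("%s", cUserBuffer);
	getchar();
	return 0;
}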
分三次输入:
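分三次输入(每次把比较的目标依次换成 3t3t、MTVQ、QcNl):encode 每 3 个输入字节对应 4 个输出字符,因此三次分别得到 www、15P、Bco;最后一组 1Q// 带有两个填充字符“/”,只对应一个输入字节 m。由此可以推测出密码为: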
www15PBcom