JarvisOJ misc100-easyapk wp

看到这个题放在misc里面，还以为会是以apk掩人耳目的misc题，结果没想到是一个纯正的安卓逆向。
可以看到程序的入口点还是MainActivity

protected void onCreate(Bundle arg3) {
        super.onCreate(arg3);
        this.setContentView(2130968602);
        ApplicationInfo v0 = this.getApplicationInfo();
        v0.flags &= 2;
        this.p();
        this.findViewById(2131427413).setOnClickListener(new d(this));
    }

我们找到setOnClickListene函数，此函数作用为监听apk中的事件。
可以看到，当我们点击sure按钮时，程序会new d..
继续跟踪下去。

public void onClick(View arg5) {
        if(MainActivity.a(this.a, MainActivity.a(this.a), this.a.findViewById(2131427414).getText().toString())) {
            View v0 = this.a.findViewById(2131427412);
            Toast.makeText(this.a.getApplicationContext(), "Congratulations!", 1).show();
            ((TextView)v0).setText(2131099682);
        }
        else {
            Toast.makeText(this.a.getApplicationContext(), "Oh no.", 1).show();
        }
    }

可以看到MainActivity.a是关键函数，他的返回值决定了Toast显示的值，其中MainActivity.a(this.a)的返回值为MainActivity中的v.
在MainActivity中我们可以找到v的赋值函数。

private void p() {
        try {
            InputStream v0_1 = this.getResources().getAssets().open("url.png");
            int v1 = v0_1.available();
            byte[] v2 = new byte[v1];
            v0_1.read(v2, 0, v1);
            byte[] v0_2 = new byte[16];
            System.arraycopy(v2, 144, v0_2, 0, 16);
            this.v = new String(v0_2, "utf-8");
        }
        catch(Exception v0) {
            v0.printStackTrace();
        }
    }

p函数读取url.png的数据，然后将从144开始的16个字符转换为String赋值给v。由于jeb的伪代码更加接近于代码，我们可以将p函数直接编译运行得到v.我这儿是用python实现的

file=open('url.png','rb')
key=file.read()
file.close()
keylist=list(key)
passkey=[]
for i in range(144,160):
    passkey.append(keylist[i])
print passkey

继续跟踪，我们可以看到

    private boolean a(String arg4, String arg5) {
        return new c().a(arg4, arg5).equals(new String(new byte[]{21, -93, -68, -94, 86, 117, -19, -68, -92, 33, 50, 118, 16, 13, 1, -15, -13, 3, 4, 103, -18, 81, 30, 68, 54, -93, 44, -23, 93, 98, 5, 59}));
    }

a函数将v和输入放到c类中的a函数中，然后将返回值与byte[]进行比较。

public String a(String arg5, String arg6) {
        String v0 = this.a(arg5);
        String v1 = "";
        a v2 = new a();
        v2.a(v0.getBytes());
        try {
            v0 = new String(v2.b(arg6.getBytes()), "utf-8");
        }
        catch(Exception v0_1) {
            v0_1.printStackTrace();
            v0 = v1;
        }

        return v0;
    }

    private String a(String arg4) {
        String v0_2;
        try {
            arg4.getBytes("utf-8");
            StringBuilder v1 = new StringBuilder();
            int v0_1;
            for(v0_1 = 0; v0_1 < arg4.length(); v0_1 += 2) {
                v1.append(arg4.charAt(v0_1 + 1));
                v1.append(arg4.charAt(v0_1));
            }

            v0_2 = v1.toString();
        }
        catch(UnsupportedEncodingException v0) {
            v0.printStackTrace();
            v0_2 = null;
        }

        return v0_2;
    }

可以看到a函数是将v两个字符进行交换，然后
将得到的结果作为password初始化aes加密
所以对于v的操作所有代码为：

file=open('url.png','rb')
key=file.read()
file.close()
keylist=list(key)
passkey=[]
for i in range(144,160):
    passkey.append(keylist[i])
print passkey
key=''
for i in range(0,16,2):
    key+=passkey[i+1]
    key+=passkey[i]
print key

this.a = new SecretKeySpec(arg4, "AES");
            this.b = Cipher.getInstance("AES/ECB/PKCS5Padding");

最后将我们的输入进行加密

this.b.init(1, this.a);
        return this.b.doFinal(arg4);

所以我们只要将对比的byte[]数组以v作为password进行aes解密即可得到flag.

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

public class flag{

    /**
     * @param args
     */
    public static void main(String[] args) {
        // TODO Auto-generated method stub
         String password="htsii__sht_eek.y";
         byte[] byteContent=new byte[]{21, -93, -68, -94, 86, 117, -19, -68, -92, 33, 50, 118, 16, 13, 1, -15, -13, 3, 4, 103, -18, 81, 30, 68, 54, -93, 44, -23, 93, 98, 5, 59};
         SecretKeySpec key = new SecretKeySpec(password.getBytes(), "AES");  
         Cipher cipher;
         byte[] result = null;
        try {
            cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, key);// 初始化  
            result = cipher.doFinal(byteContent);
        } catch (NoSuchAlgorithmException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (NoSuchPaddingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (InvalidKeyException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (IllegalBlockSizeException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        } catch (BadPaddingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }    

         System.out.println(new String(result));
    }

}