CTF Writeup: Weird Android Calculator

Weird Android Calculator 是来自 CTFLearn 的一道题。题目描述如下：

I've found this very weird android application.

Seems to be some kind of calculator, but there is something strange with it. Can you find out what it is?

https://mega.nz/#!qXIAgSKZ!u2QBlLV-3G8kmsr6yR0wqpQOFyv89e0WvBt45alBIRY

Flag is in Format: FLAG{...}

Note: You don't really need an android device to solve this. But it might be helpful :)

题中 link 给出的文件是 WeirdCalculator.apk。显然我们想看到它的 Java 源码。于是先用 d2j-dex2jar 将 apk 中的 dex 文件转为 jar 包：

d2j-dex2jar WeirdCalculator.apk
# dex2jar WeirdCalculator.apk -> ./WeirdCalculator-dex2jar.jar

然后使用 jd-gui 自动反编译 jar 包中的 class 文件，即可看到 Java 源码。

对源码稍作分析后，可发现 de.vidar.weirdcalculator.Parser.parseExpression() 中明显存在与 calculator 功能无关的代码：

Weird Code

将这段 weird code 单独拿出来，并对输出部分稍作如下修改：

// Test.java
int[] arrayOfInt = new int[41];
... ...
arrayOfInt[40] = 1348;
for (byte b = 0; b < i; b++) {
    // Log.d("OUTPUT", Integer.toString(arrayOfInt[b] ^ 0x539));
    System.out.print((char)(arrayOfInt[b] ^ 0x539));
}

最后运行上面的代码即可得到 flag：

javac Test.java
java Test
# FLAG{APK_4nalys1s_1s_r4th3r_3asy_1snt_1t}