反编译apk文件,搜索flag找到关键代码
public void onClick(View param1View) {
byte b = 1;
String str = editview.getText().toString();
if (str.length() != 32 || str.charAt(31) != 'a' || str.charAt(1) != 'b' || str.charAt(0) + str.charAt(2) - 48 != 56)
b = 0;
if (b == 1) {
char[] arrayOfChar = "dd2940c04462b4dd7c450528835cca15".toCharArray();
arrayOfChar[2] = (char)(char)(arrayOfChar[2] + arrayOfChar[3] - 50);
arrayOfChar[4] = (char)(char)(arrayOfChar[2] + arrayOfChar[5] - 48);
arrayOfChar[30] = (char)(char)(arrayOfChar[31] + arrayOfChar[9] - 48);
arrayOfChar[14] = (char)(char)(arrayOfChar[27] + arrayOfChar[28] - 97);
for (b = 0;; b++) {
String str1;
if (b >= 16) {
str1 = String.valueOf(arrayOfChar);
textview.setText("flag{" + str1 + "}");
return;
}
String str2 = str1[31 - b];
str1[31 - b] = str1[b];
str1[b] = str2;
}
}
编写脚本:
flagtrue = "dd2940c04462b4dd7c450528835cca15"
x = [i for i in flagtrue]
x[2] = chr(ord(x[2]) + ord(x[3]) - 0x32)
x[4] = chr(ord(x[2]) + ord(x[5]) - 0x30)
x[0x1e] = chr(ord(x[0x1f]) + ord(x[0x9]) - 0x30)
x[0xe] = chr(ord(x[0x1b]) + ord(x[0x1c]) - 0x61)
for i in range(16):
x[i],x[31-i] = x[31-i],x[i]
print ("flag{"+ ''.join(x) + "}")
flag{59acc538825054c7de4b26440c0999dd}