【攻防世界】Mobile系列之easy-apk

【攻防世界】Mobile系列之easy-apk

反编译定位MainActivity入口,观察其代码逻辑


/**
 * Activity that the write-up identifies as the app's entry point (decompiler output).
 *
 * <p>The click handler encodes the text typed into {@code R.id.editText} with
 * {@link Base64New#Base64Encode(byte[])} and compares the result with a string constant
 * embedded in the app. The whole check runs on the device and the expected value ships
 * inside the APK, so the accepted input can be recovered by reversing the encoder.
 */
public class MainActivity extends AppCompatActivity {
    /* access modifiers changed from: protected */
    @Override // android.support.v7.app.AppCompatActivity, android.support.v4.app.SupportActivity, android.support.v4.app.FragmentActivity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Button checkButton = (Button) findViewById(R.id.button);
        checkButton.setOnClickListener(new View.OnClickListener() {
            /* class com.testjava.jack.pingan1.MainActivity.AnonymousClass1 */

            public void onClick(View view) {
                // Key check: encoded user input must equal the hard-coded encoded string.
                boolean accepted = new Base64New().Base64Encode(((EditText) MainActivity.this.findViewById(R.id.editText)).getText().toString().getBytes()).equals("5rFf7E2K6rqN7Hpiyush7E6S5fJg6rsi5NBf6NGT5rs=");
                // First message: "verification passed"; second: "verification failed".
                String message = accepted ? "验证通过!" : "验证失败!";
                Toast.makeText(MainActivity.this, message, 1).show();
            }
        });
    }
}

验证判断关键代码如下,通过对输入的字符串进行处理后与给定的字符串进行对比

// Excerpt of the condition in onClick: the typed text is passed through Base64New.Base64Encode
// and the result must equal the string constant embedded in the app.
new Base64New().Base64Encode(((EditText) MainActivity.this.findViewById(R.id.editText)).getText().toString().getBytes()).equals("5rFf7E2K6rqN7Hpiyush7E6S5fJg6rsi5NBf6NGT5rs=")

接下来的关键就是对Base64Encode()进行逆向

package com.testjava.jack.pingan1;

/**
 * Base64-style encoder that uses a reordered 64-symbol alphabet (decompiler output, restyled).
 *
 * <p>Every 3 input bytes become four 6-bit values, each mapped through
 * {@link #Base64ByteToStr}; a short final group is padded with {@code '='}. This is an
 * encoding, not encryption: it is fully reversible by anyone who has the alphabet below.
 */
public class Base64New {
    /** Encoding alphabet: the array position is the 6-bit value, the element is the output symbol. */
    private static final char[] Base64ByteToStr = {'v', 'w', 'x', 'r', 's', 't', 'u', 'o', 'p', 'q', '3', '4', '5', '6', '7', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'y', 'z', '0', '1', '2', 'P', 'Q', 'R', 'S', 'T', 'K', 'L', 'M', 'N', 'O', 'Z', 'a', 'b', 'c', 'd', 'U', 'V', 'W', 'X', 'Y', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', '8', '9', '+', '/'};
    /** Mask that keeps the low 8 bits, i.e. reads a byte as an unsigned value. */
    private static final int RANGE = 255;
    // Allocated but neither filled nor read by the code shown here.
    private static byte[] StrToBase64Byte = new byte[128];

    /**
     * Encodes {@code bytes} with the custom alphabet.
     *
     * @param bytes data to encode; an empty array yields an empty string
     * @return the encoded text, 4 characters per started 3-byte group, padded with {@code '='}
     * @throws NullPointerException if {@code bytes} is {@code null}
     */
    public String Base64Encode(byte[] bytes) {
        StringBuilder res = new StringBuilder();
        int offset = 0;
        while (offset < bytes.length) {
            int available = Math.min(3, bytes.length - offset);
            // Pack up to three unsigned bytes into a 24-bit group; missing bytes stay zero.
            int group = 0;
            for (int n = 0; n < 3; n++) {
                group <<= 8;
                if (n < available) {
                    group |= bytes[offset + n] & RANGE;
                }
            }
            // With `available` input bytes, the first `available + 1` symbols carry data.
            for (int pos = 0; pos < 4; pos++) {
                if (pos <= available) {
                    res.append(Base64ByteToStr[(group >>> (18 - 6 * pos)) & 63]);
                } else {
                    res.append('=');
                }
            }
            offset += 3;
        }
        return res.toString();
    }
}

对Base64进行解码操作的话,按照base64编码流程反推即可,代码如下

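/**
 * Offline decoder for the custom-alphabet Base64 used by the app's {@code Base64New} class.
 *
 * <p>It reverses {@code Base64New.Base64Encode}: each group of four symbols is mapped back to
 * four 6-bit values and repacked into up to three bytes.
 *
 * <p>Fix compared with the first version of this solver: a padded final group no longer
 * produces bytes for the padded positions. Previously the group {@code "5rs="} yielded a third
 * byte of value 0, so the printed result ended with an invisible NUL character.
 */
public class app_apk {
    /** Alphabet copied from the app's {@code Base64New}: array position = 6-bit value. */
    private static final char[] Base64ByteToStr = {'v', 'w', 'x', 'r', 's', 't', 'u', 'o', 'p', 'q', '3', '4', '5', '6', '7', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'y', 'z', '0', '1', '2', 'P', 'Q', 'R', 'S', 'T', 'K', 'L', 'M', 'N', 'O', 'Z', 'a', 'b', 'c', 'd', 'U', 'V', 'W', 'X', 'Y', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', '8', '9', '+', '/'};
    /** Mask that keeps the low 8 bits of a value. */
    private static final int RANGE = 255;
    /** Reverse lookup: character code (below 128) to 6-bit value, or -1 if not in the alphabet. */
    private static final byte[] StrToBase64Byte = new byte[128];
    /** Encoded string that the app's click handler compares the encoded input against. */
    private static final String ENCODED_FLAG = "5rFf7E2K6rqN7Hpiyush7E6S5fJg6rsi5NBf6NGT5rs=";

    static {
        // Build the reverse table once instead of creating a String on every lookup.
        java.util.Arrays.fill(StrToBase64Byte, (byte) -1);
        for (int value = 0; value < Base64ByteToStr.length; value++) {
            StrToBase64Byte[Base64ByteToStr[value]] = (byte) value;
        }
    }

    /**
     * Returns the position of {@code x} in the alphabet.
     *
     * @param x an encoded character
     * @return the 6-bit value of {@code x}; 0 for the padding character {@code '='} (kept from
     *     the original behaviour, so 0 is ambiguous with {@code 'v'}); -1 if {@code x} is not
     *     part of the alphabet
     */
    public static byte getIndex(char x) {
        if (x == '=') {
            return 0;
        }
        if (x >= StrToBase64Byte.length) {
            return -1;
        }
        return StrToBase64Byte[x];
    }

    /**
     * Decodes text produced by the app's encoder.
     *
     * @param encoded encoded text; its length must be a multiple of 4
     * @return the decoded bytes, without any bytes for padded positions
     * @throws IllegalArgumentException if the length is not a multiple of 4, a character is
     *     outside the alphabet, or {@code '='} appears anywhere but the end of the last group
     */
    private static byte[] decode(String encoded) {
        if (encoded.length() % 4 != 0) {
            throw new IllegalArgumentException(
                    "encoded length must be a multiple of 4, got " + encoded.length());
        }
        java.io.ByteArrayOutputStream out =
                new java.io.ByteArrayOutputStream(encoded.length() / 4 * 3);
        for (int i = 0; i < encoded.length(); i += 4) {
            int padding = countPadding(encoded, i);
            int group = 0;
            for (int k = 0; k < 4; k++) {
                char symbol = encoded.charAt(i + k);
                int value = 0;
                if (k < 4 - padding) {
                    value = getIndex(symbol);
                    // getIndex maps '=' to 0, so misplaced padding is rejected explicitly.
                    if (symbol == '=' || value < 0) {
                        throw new IllegalArgumentException(
                                "unexpected character '" + symbol + "' at position " + (i + k));
                    }
                }
                group = (group << 6) | value;
            }
            out.write((group >>> 16) & RANGE);
            if (padding < 2) {
                out.write((group >>> 8) & RANGE);
            }
            if (padding < 1) {
                out.write(group & RANGE);
            }
        }
        return out.toByteArray();
    }

    /** Counts the trailing {@code '='} (0 to 2) of the group at {@code start}; only the last group may be padded. */
    private static int countPadding(String encoded, int start) {
        if (start + 4 != encoded.length() || encoded.charAt(start + 3) != '=') {
            return 0;
        }
        return encoded.charAt(start + 2) == '=' ? 2 : 1;
    }

    /** Decodes the string embedded in the app and prints the recovered input on one line. */
    public static void Base64Decode() {
        byte[] plain = decode(ENCODED_FLAG);
        // The app encodes String.getBytes() output (platform charset, UTF-8 on Android);
        // the recovered value here is plain ASCII.
        System.out.println(new String(plain, java.nio.charset.StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Base64Decode();
    }
}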

得到原来的字符串为

05397c42f9b6da593a3644162d36eb01 