Simple Registrar (简单注册器)
<h1>🌓Analysis</h1>
<p>Open the APK in AndroidKiller and look at the decompiled source. It contains a click listener for the button:</p>
<pre><code class="language-java">// Decompiler output: paramAnonymousView is reused for the input string and for the char array.
paramBundle.setOnClickListener(new View.OnClickListener()
{
  public void onClick(View paramAnonymousView)
  {
    int j = 1;
    paramAnonymousView = this.val$editview.getText().toString(); // read the contents of the input box
    // Required: length is 32, character 31 is 'a', character 1 is 'b', character 0 + character 2 - 48 == 56
    if ((paramAnonymousView.length() != 32) || (paramAnonymousView.charAt(31) != 'a') || (paramAnonymousView.charAt(1) != 'b') || (paramAnonymousView.charAt(0) + paramAnonymousView.charAt(2) - 48 != 56)) {
      j = 0;
    }
    if (j == 1)
    {
      paramAnonymousView = "dd2940c04462b4dd7c450528835cca15".toCharArray();
      paramAnonymousView[2] = ((char)(paramAnonymousView[2] + paramAnonymousView[3] - 50));
      paramAnonymousView[4] = ((char)(paramAnonymousView[2] + paramAnonymousView[5] - 48));
      paramAnonymousView[30] = ((char)(paramAnonymousView[31] + paramAnonymousView[9] - 48));
      paramAnonymousView[14] = ((char)(paramAnonymousView[27] + paramAnonymousView[28] - 97));
      j = 0;
      for (;;)
      {
        if (j >= 16)
        {
          paramAnonymousView = String.valueOf(paramAnonymousView);
          localTextView.setText("flag{" + paramAnonymousView + "}"); // the flag is the transformed paramAnonymousView
          return;
        }
        int i = paramAnonymousView[(31 - j)];
        paramAnonymousView[(31 - j)] = paramAnonymousView[j];
        paramAnonymousView[j] = i; // swap front and back, i.e. reverse the array
        j += 1;
      }
    }
    localTextView.setText("输入注册码错误"); // "wrong registration code"
  }
});</code></pre>
<p>So the final flag actually has little to do with the input: any input that satisfies the check produces the flag, for example
<code>-b;aaaaaaaaaaaaaaaaaaaaaaaaaaaaa</code></p>
<p><img src="https://pic.imgdb.cn/item/63849e9916f2c2beb1cbd688.png" alt="Img" /></p>
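<p>The input check on its own, as an added example that is not part of the original write-up: it mirrors the <code>if</code> condition in <code>onClick</code> and enumerates which printable characters can sit at positions 0 and 2. The function names <code>check</code>, <code>prefix_pairs</code> and <code>make_code</code> are illustrative, and restricting to printable ASCII is an assumption made here.</p>

```python
# Added example: models only the registration-code check from onClick().
# Function names and the printable-ASCII restriction are assumptions of this sketch.

def check(code: str) -> bool:
    """Mirror of the if-condition: True when the app would go on to show the flag."""
    return (
        len(code) == 32
        and code[31] == "a"
        and code[1] == "b"
        and ord(code[0]) + ord(code[2]) - 48 == 56
    )


def prefix_pairs():
    """All printable-ASCII (char0, char2) pairs with char0 + char2 - 48 == 56."""
    pairs = []
    for c0 in range(0x20, 0x7F):
        c2 = 56 + 48 - c0          # the two code points must sum to 104
        if 0x20 <= c2 < 0x7F:
            pairs.append((chr(c0), chr(c2)))
    return pairs


def make_code(c0: str, c2: str, filler: str = "a") -> str:
    """Build a 32-character code. Positions 3..30 are never inspected by the
    check, so any single filler character works there."""
    return c0 + "b" + c2 + filler * 28 + "a"


if __name__ == "__main__":
    pairs = prefix_pairs()
    print(len(pairs), "usable (char0, char2) pairs, e.g.", pairs[:3])
    sample = make_code("-", ";")
    print(repr(sample), "->", check(sample))
    # Changing the unchecked middle does not affect the result.
    print(check(make_code("-", ";", filler="Z")))
```

Only four conditions gate the flag, and none of the input feeds into the flag computation that follows.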
<p>You can also write your own reversing script to get the flag.</p>
<h1>🌓Exploit</h1>
<pre><code class="language-python"># --run--
# Replay the transformation from onClick() on the hardcoded string.
li = list('dd2940c04462b4dd7c450528835cca15')
li[2] = chr(ord(li[2]) + ord(li[3]) - 50)
li[4] = chr(ord(li[2]) + ord(li[5]) - 48)
li[30] = chr(ord(li[31]) + ord(li[9]) - 48)
li[14] = chr(ord(li[28]) + ord(li[27]) - 97)
# Swap element j with element 31-j for the first 16 positions, i.e. reverse the list.
for j in range(16):
    li[31-j], li[j] = li[j], li[31-j]
print('flag{'+''.join(li)+'}')</code></pre>
<h1>🌓Attachment</h1>
<p><a href="https://cowtransfer.com/s/170b7cf2533d48">https://cowtransfer.com/s/170b7cf2533d48</a></p>