
Mobile 基础android

1 题目

# Fetch the challenge APK and decompile it for static review.
# jadx only unpacks and decompiles the file; it does not install or run the APK.
# Without an output option, jadx writes resources/ and sources/ into a directory
# named after the input file, which is where the paths quoted below come from.
apk=6a0484a135bb44ba8fdcf829b5d9865b.apk
wget "https://adworld.xctf.org.cn/media/file/task/${apk}"
jadx "${apk}"

resources/AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<!-- AndroidManifest.xml as recovered by jadx. It declares one launcher activity (MainActivity),
     one broadcast receiver (GetAndChange) and two further activities. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" package="com.example.test.ctf02" platformBuildVersionCode="24" platformBuildVersionName="7">
    <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="24"/>
    <!-- android:debuggable="true" allows a debugger to attach to the running app, and
         android:allowBackup="true" lets the app's private data be included in backups.
         Both are settings a release build would normally turn off. -->
    <application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:debuggable="true" android:allowBackup="true" android:supportsRtl="true">
        <activity android:name="com.example.test.ctf02.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <!-- Exported receiver with an intent filter and no android:permission attribute:
             any sender that broadcasts the action below reaches GetAndChange.onReceive.
             A receiver meant only for in-app use would set android:exported="false"
             or require a signature-level permission. -->
        <receiver android:name="com.example.test.ctf02.GetAndChange" android:enabled="true" android:exported="true">
            <intent-filter>
                <action android:name="android.is.very.fun"/>
            </intent-filter>
        </receiver>
        <!-- These two activities have no intent filter and no android:exported attribute.
             In the code on this page they are started with explicit Intents from inside the app. -->
        <activity android:name="com.example.test.ctf02.NextContent"/>
        <activity android:name="com.example.test.ctf02.MainActivity2"/>
    </application>
</manifest>

2 MainActivity

sources/com/example/test/ctf02/MainActivity.java

    /**
     * Sets up the first screen: binds the password field and the login button, and on each click
     * passes the entered text to {@code Check.checkPassword}.
     *
     * <p>The comparison runs entirely inside the app, so the accepted value can be read out of
     * the decompiled {@code Check} class; it does not act as a secret.
     */
    @Override // android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.acticity_main_1);
        this.passWord = (EditText) findViewById(R.id.passWord);
        this.login = (Button) findViewById(R.id.button);
        this.login.setOnClickListener(new View.OnClickListener() {
            @Override // android.view.View.OnClickListener
            public void onClick(View v) {
                String entered = MainActivity.this.passWord.getText().toString();
                Check checker = new Check();
                // Guard clause: a rejected password only shows a toast and stays on this screen.
                // The literal 0 is the toast duration (same value as Toast.LENGTH_SHORT).
                if (!checker.checkPassword(entered)) {
                    Toast.makeText(MainActivity.this, "Failed", 0).show();
                    return;
                }
                Toast.makeText(MainActivity.this, "Good,Please go on!", 0).show();
                // Explicit Intent: MainActivity2 is named directly, so no intent filter is involved.
                Intent next = new Intent(MainActivity.this, MainActivity2.class);
                MainActivity.this.startActivity(next);
                MainActivity.this.finish();
            }
        });
    }

./sources/com/example/test/ctf02/Check.java

package com.example.test.ctf02;                                                                                                                                                                            
/* loaded from: classes.dex */
/**
 * Password gate used by {@code MainActivity}.
 *
 * <p>The rule is a fixed, reversible per-character transform with no secret input, so anyone who
 * can read this class can compute the one accepted string. A check like this protects nothing
 * once the APK has been decompiled.
 */
public class Check {
    /**
     * Tests whether {@code str} is the accepted password.
     *
     * @param str candidate password; must not be {@code null}
     * @return {@code true} only when {@code str} has exactly 12 characters and, for every index
     *     {@code i}, {@code (255 - i) - 100 - str.charAt(i)} equals the character {@code '0'}
     */
    public boolean checkPassword(String str) {
        final char[] chars = str.toCharArray();
        if (chars.length != 12) {
            return false;
        }
        int idx = 0;
        while (idx < chars.length) {
            // (255 - idx) - 100 - c, folded to 155 - idx - c; the int result is narrowed to char.
            char transformed = (char) (155 - idx - chars[idx]);
            chars[idx] = transformed;
            // The idx >= 12 test can never be true here because the length was checked above;
            // it is kept so the logic matches the decompiled original.
            if (idx >= 12 || transformed != '0') {
                return false;
            }
            idx++;
        }
        return true;
    }
}

从上文可知: 输入的密码使 Check.checkPassword 函数返回 true, 则跳转到 MainActivity2。密码长度必须为 12, 且第 i 个字符 c 需满足 (255 - i) - 100 - c == '0', 因此可以直接反推出每个字符。求解脚本 exp1.py:

# Invert Check.checkPassword: the app requires (255 - i) - 100 - c == ord('0') for each of the
# 12 positions, so each accepted character is c = (255 - i) - 100 - ord('0').
plen = 12
pwd = [((255 - i) - 100) - ord('0') for i in range(plen)]
print(bytes(pwd))  # b'kjihgfedcba`'

3 MainActivity2

sources/com/example/test/ctf02/MainActivity2.java

    /**
     * Builds the second screen and wires its button: on click, the text in the input field is
     * used as the action string of a new {@link Intent}, which is then broadcast.
     *
     * <p>The Intent names no target component, so delivery depends on intent-filter matching.
     * In the manifest shown on this page the only receiver filter is for the action
     * {@code android.is.very.fun}, handled by {@code GetAndChange}.
     */
    @Override // android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main_2);
        init();
        this.button.setOnClickListener(new View.OnClickListener() {
            @Override // android.view.View.OnClickListener
            public void onClick(View v) {
                // The user-typed text is passed through unchanged as the broadcast action.
                String action = MainActivity2.this.editText.getText().toString();
                MainActivity2.this.sendBroadcast(new Intent(action));
            }
        });
    }

    /** Looks up the views this screen uses and sets the picture shown in the image view. */
    public void init() {
        ImageView picture = (ImageView) findViewById(R.id.image);
        this.imageView = picture;
        picture.setImageResource(R.drawable.timg);
        this.editText = (EditText) findViewById(R.id.pwd);
        this.button = (Button) findViewById(R.id.button);
    }

./sources/com/example/test/ctf02/GetAndChange.java

/**
 * Broadcast receiver that opens {@code NextContent} whenever it is invoked.
 *
 * <p>The manifest on this page declares it with {@code android:exported="true"} and no
 * {@code android:permission}, and {@link #onReceive} does not inspect the incoming Intent, so
 * the sender is not checked at either level.
 */
public class GetAndChange extends BroadcastReceiver {
    /**
     * Starts {@code NextContent} with an explicit Intent.
     *
     * @param context context the receiver is running in; used to build and start the Intent
     * @param intent the received broadcast; not read by this method
     */
    @Override // android.content.BroadcastReceiver
    public void onReceive(Context context, Intent intent) {
        context.startActivity(new Intent(context, NextContent.class));
    }
}

4 NextContent

./sources/com/example/test/ctf02/NextContent.java

/**
 * Last screen of the app. On creation it copies the bundled asset {@code timg_2.zip} to
 * {@code img.jpg} in the app's database directory and displays that file in an
 * {@link ImageView}.
 */
public class NextContent extends AppCompatActivity {
    ImageView imageView;

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_next_content);
        init();
        Change();
    }

    /** Binds the image view declared in the layout. */
    public void init() {
        this.imageView = (ImageView) findViewById(R.id.imageview);
    }

    /**
     * Replaces {@code img.jpg} with a fresh copy of the {@code timg_2.zip} asset and shows it.
     *
     * <p>The asset carries a {@code .zip} name but is handed straight to
     * {@link BitmapFactory#decodeFile(String)}, i.e. it is treated as an image.
     */
    public void Change() {
        String target = getApplicationContext().getDatabasePath("img.jpg").getAbsolutePath();

        // Remove a copy left behind by an earlier run, if there is one.
        try {
            File stale = new File(target);
            if (stale.exists()) {
                stale.delete();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }

        // Copy the asset to the target path in 1 KiB chunks.
        // NOTE(review): the streams are closed only on the success path, and a failure is merely
        // printed, so decodeFile below still runs on whatever is at the path.
        try {
            InputStream asset = getApplicationContext().getResources().getAssets().open("timg_2.zip");
            FileOutputStream out = new FileOutputStream(target);
            byte[] chunk = new byte[1024];
            int read;
            while ((read = asset.read(chunk)) > 0) {
                out.write(chunk, 0, read);
            }
            out.flush();
            out.close();
            asset.close();
        } catch (Exception e2) {
            e2.printStackTrace();
        }

        this.imageView.setImageBitmap(BitmapFactory.decodeFile(target));
    }
}

在 jadx 的输出目录中找到文件 ./resources/assets/timg_2.zip。虽然扩展名是 .zip, 但它实际上是一张 JPEG 图片:

$ file ./resources/assets/timg_2.zip
./resources/assets/timg_2.zip: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1200x1685, components 3

5 flag

flag{08067-wlecome}