Overview

题目给了一个APK, 属于MISC类型, 考察APK发现为存的加密算法分析, 没有JNI, 有Proguard混淆, 需要透过混淆分析Java层代码真实逻辑.

Analysis

程序的Android源码分为三个部分, 从一张图片读入key, 对key进行处理, 使用用户输入+key得到结果.

InputStream v0_1 = this.getResources().openRawResource(R.raw.url);

            int v1 = v0_1.available();
            byte[] v2 = new byte[v1];
            v0_1.read(v2, 0, v1);
            byte[] v0_2 = new byte[16];
            System.arraycopy(v2, 144, v0_2, 0, 16);
            this.para = new String(v0_2, "utf-8");

读取图片逻辑, 从便宜144开始读16个字符, 分析得到this_is_the_key.

    private String append(String arg4) {
        String v0_2;
        try {
            arg4.getBytes("utf-8");
            StringBuilder v1 = new StringBuilder();
            int v0_1;
            for(v0_1 = 0; v0_1 < arg4.length(); v0_1 += 2) {
                v1.append(arg4.charAt(v0_1 + 1));
                v1.append(arg4.charAt(v0_1));
            }

            v0_2 = v1.toString();
        }
        catch(UnsupportedEncodingException v0) {
            v0.printStackTrace();
            v0_2 = null;
        }

        return v0_2;
    }

对key进行处理, 简单的每两位互换位置.
接下来, 由于代码中比较阶段已经知道预期的密文是什么, 用密文加上密钥得到明文.

Solution

import javax.crypto.spec.SecretKeySpec;

public class Solve {


    public static void main(String[] args) throws Exception {
        byte[] output = new byte[]{21, -93, -68, -94, 86, 117, -19, -68,
                -92, 33, 50, 118, 16, 13, 1, -15, -13, 3, 4, 103, -18, 81, 30, 68, 54, -93, 44, -23,
                93, 98, 5, 59};


        String key_str = "this_is_the_key.";
    String key_sft = "htsii__sht_eek.y";

    SecretKeySpec secretKeySpec = new SecretKeySpec(key_sft.getBytes(), "AES");
    Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, secretKeySpec);
    String s = new String(cipher.doFinal(output));
    System.out.println(s);
}
}
**flag:LCTF{1t's_rea1ly_an_ea3y_ap4}**