
[原创] 看雪CTF.TSRC 2018 团队赛 第五题 交响曲

2018-12-9 18:07

拿到一个apk,拖到jadx里面,拿到源码。

package cn.kwaiching.crackme;

import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;

/**
 * Crackme activity as decompiled by jadx (identifiers are the obfuscated originals).
 *
 * <p>Flow visible in this listing: the click handler calls {@link #a()}, which parses the
 * input in {@link #c()}, rewrites the parsed values in {@link #d()}, and passes
 * {@code e() + f() + g() + h()} to {@link #a(int)}. {@code a(int)} shows the success text
 * only when that sum equals 34.
 *
 * <p>NOTE(review): the four lookup methods return a value from their {@code catch} blocks
 * instead of aborting, so a failed lookup does not stop the check; see the notes on
 * {@code e()}, {@code f()}, {@code g()} and {@code h()}.
 */
public class CrackMe extends AppCompatActivity {
    // Table read by h(): a[idx], where idx is the position of the matching slot string in m.
    int[] a = new int[]{16, 6, 7, 10, 9, 16, 10, 8, 8, 9, 6, 6};
    // Table read by g() as b[e - 1]. It has 30 entries, so e == 31 is out of range.
    int[] b = new int[]{5, 10, 8, 15, 16, 15, 8, 16, 8, 16, 9, 17, 8, 17, 10, 8, 9, 18, 5, 15, 10, 9, 8, 9, 15, 18, 7, 8, 16, 6};
    // Table read by f() as c[f - 1] (12 entries).
    int[] c = new int[]{6, 7, 18, 9, 5, 16, 9, 15, 18, 8, 9, 5};
    // Table read by e() as d[(g - 1900) % 60] (60 entries).
    int[] d = new int[]{7, 7, 9, 12, 8, 7, 13, 5, 14, 5, 9, 17, 5, 7, 12, 8, 8, 6, 19, 6, 8, 16, 10, 6, 12, 9, 6, 7, 12, 5, 9, 8, 7, 8, 15, 9, 16, 8, 8, 19, 12, 6, 8, 7, 5, 15, 6, 16, 15, 7, 9, 12, 10, 7, 15, 6, 5, 14, 14, 9};
    // e, f, g: copies of h, i, j taken at the end of d(); these are what the lookups index with.
    int e;
    int f;
    int g;
    // h, i, j: values parsed by c() from input characters 6-7, 4-5 and 0-3 respectively.
    int h;
    int i;
    int j;
    // Last value h() stored from table a. Not reset anywhere in this listing.
    int k;
    // Result strings indexed by the sum; filled by b().
    String[] l = new String[73];
    // The twelve slot strings h() compares the input tail against.
    String[] m = new String[]{"23to01", "01to03", "03to05", "05to07", "07to09", "09to11", "11to13", "13to15", "15to17", "17to19", "19to21", "21to23"};
    // Output view (R.id.fate).
    TextView n;

    /**
     * Sets the layout, fills the result-string table via b(), and wires the OK button so
     * that each click runs a(); any exception escaping a() shows the "notMe" string.
     */
    protected void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView((int) R.layout.activity_fate_me);
        b();
        this.n = (TextView) findViewById(R.id.fate);
        ((Button) findViewById(R.id.ok)).setOnClickListener(new OnClickListener() {
            public void onClick(View view) {
                try {
                    CrackMe.this.a();
                } catch (Exception unused) {
                    CrackMe.this.n.setText(CrackMe.this.getString(R.string.notMe));
                }
            }
        });
    }

    /**
     * Runs one check: parse (c), reject if any of j/i/h is 0, rewrite (d), then hand the
     * sum of the four lookups to a(int).
     */
    private void a() {
        try {
            c();
            // c() leaves a field at 0 when it is missing or out of range.
            if (this.j == 0 || this.i == 0 || this.h == 0) {
                this.n.setText(getString(R.string.notMe));
                return;
            }
            d();
            // The lookups may each set the "notMe" text and still return a number;
            // a(int) writes the view afterwards and so has the final say.
            a(((e() + f()) + g()) + h());
        } catch (Exception unused) {
            this.n.setText(getString(R.string.notMe));
        }
    }

    /** Fills l[0..72]: index 34 gets R.string.success34, every other index R.string.success00. */
    private void b() {
        for (int i = 0; i <= 72; i++) {
            if (i != 34) {
                this.l[i] = getResources().getString(R.string.success00);
            } else {
                this.l[i] = getResources().getString(R.string.success34);
            }
        }
    }

    /**
     * Parses the text of R.id.code into j (chars 0-3), i (chars 4-5) and h (chars 6-7).
     *
     * <p>Each field is zeroed first and zeroed again if out of range: j must be 1984..2006,
     * i must be 1..12, h must be 1..31. When the input is not longer than 4 / 6 / 8
     * characters the WHOLE string is parsed for that field instead of a slice, so h only
     * gets a two-digit slice when the input has more than 8 characters. A parse failure is
     * caught here; fields not yet assigned stay 0 and a() rejects the input.
     */
    private void c() {
        try {
            String obj = ((EditText) findViewById(R.id.code)).getText().toString();
            this.j = 0;
            this.i = 0;
            this.h = 0;
            this.j = Integer.parseInt(obj.length() > 4 ? obj.substring(0, 4) : obj);
            // This range is already covered by the next check (anything <= 1983 is zeroed).
            if (this.j > 0 && this.j < 189) {
                this.j = 0;
            }
            if (this.j <= 1983 || this.j >= 2007) {
                this.j = 0;
            }
            this.i = Integer.parseInt(obj.length() > 6 ? obj.substring(4, 6) : obj);
            if (this.i < 1 || this.i > 12) {
                this.i = 0;
            }
            if (obj.length() > 8) {
                obj = obj.substring(6, 8);
            }
            this.h = Integer.parseInt(obj);
            if (this.h < 1 || this.h > 31) {
                this.h = 0;
            }
        } catch (Exception unused) {
            this.n.setText(getString(R.string.notMe));
        }
    }

    /**
     * Rewrites j/i/h in place, then copies them to g/f/e for the lookups.
     *
     * <p>The statements run in order and later conditions see earlier rewrites, so the
     * order matters when reproducing this logic elsewhere.
     */
    private void d() {
        try {
            // Forces h to 31, which is past the end of the 30-entry table b used by g().
            if (this.j == 1989 || this.j == 2004) {
                this.h = 31;
            }
            if (this.i == 1 || this.i == 4 || this.i == 5 || this.i == 7 || this.i == 10 || this.i == 11 || this.i == 12) {
                this.j = 1999;
            }
            if (this.j <= 1994 && (this.i == 2 || this.i == 6 || this.i == 8)) {
                this.i = 3;
            }
            if (this.j >= 1996 && (this.i == 2 || this.i == 6 || this.i == 8)) {
                this.i = 9;
            }
            if (this.j == 1995 && (this.h > this.i + 2 || this.i == this.h)) {
                this.i = 6;
            }
            this.g = this.j;
            this.f = this.i;
            this.e = this.h;
        } catch (Exception unused) {
            this.n.setText(getString(R.string.notMe));
        }
    }

    /**
     * Final decision: any value other than 34 shows "notMe"; 34 shows R.string.me followed
     * by l[34] and disables the OK button.
     */
    private void a(int i) {
        // Equivalent to i != 34.
        if (i > 34 || i < 34) {
            this.n.setText(getString(R.string.notMe));
            return;
        }
        try {
            this.n.setText(String.format("%s%s", new Object[]{getString(R.string.me), this.l[i]}));
            ((Button) findViewById(R.id.ok)).setEnabled(false);
        } catch (Exception unused) {
            this.n.setText(getString(R.string.notMe));
        }
    }

    /** Returns d[(g - 1900) % 60]; on any exception sets the "notMe" text and returns 0. */
    private int e() {
        try {
            return this.d[(this.g - 1900) % 60];
        } catch (Exception unused) {
            this.n.setText(getString(R.string.notMe));
            return 0;
        }
    }

    /** Returns c[f - 1]; on any exception sets the "notMe" text and returns 0. */
    private int f() {
        try {
            return this.c[this.f - 1];
        } catch (Exception unused) {
            this.n.setText(getString(R.string.notMe));
            return 0;
        }
    }

    /**
     * Returns b[e - 1]; on any exception sets the "notMe" text and returns 0.
     *
     * <p>b has 30 entries, so e == 31 (accepted by c() and forced by d() for two values of
     * j) raises an index error that is caught here. The caller then continues the sum with
     * 0 for this term rather than rejecting the input.
     */
    private int g() {
        try {
            return this.b[this.e - 1];
        } catch (Exception unused) {
            this.n.setText(getString(R.string.notMe));
            return 0;
        }
    }

    /*
     * jadx could not decompile this method; the register-level dump below is the only
     * description of it. Reading the dump:
     *   - takes the text of the view with id 0x7f07002b (presumably R.id.code; confirm
     *     against the resource table) and keeps substring(8, length) as the slot string;
     *   - scans m for an entry equal to the slot string;
     *   - on a match at index r4: if field f == 2 and the slot string equals m[6], returns
     *     63; otherwise stores a[r4] into k and returns k;
     *   - if nothing matches: shows the string with id 0x7f0b002a (presumably
     *     R.string.notMe; confirm) and returns k unchanged, i.e. 0 on a fresh instance or
     *     whatever an earlier call stored;
     *   - on any exception: shows the same string and returns 0.
     */
    /* JADX WARNING: Removed duplicated region for block: B:17:0x0050 A:{Catch:{ Exception -> 0x005c }} */
    private int h() {
        /*
        r6 = this;
        r0 = 2131165227; // 0x7f07002b float:1.7944665E38 double:1.0529355243E-314;
        r1 = 2131427370; // 0x7f0b002a float:1.8476354E38 double:1.05306504E-314;
        r2 = 0;
        r0 = r6.findViewById(r0);     Catch:{ Exception -> 0x005c }
        r0 = (android.widget.EditText) r0;     Catch:{ Exception -> 0x005c }
        r0 = r0.getText();     Catch:{ Exception -> 0x005c }
        r0 = r0.toString();     Catch:{ Exception -> 0x005c }
        r3 = 8;
        r4 = r0.length();     Catch:{ Exception -> 0x005c }
        r0 = r0.substring(r3, r4);     Catch:{ Exception -> 0x005c }
        r3 = r6.f;     Catch:{ Exception -> 0x005c }
        r4 = 0;
    L_0x0022:
        r5 = r6.m;     Catch:{ Exception -> 0x005c }
        r5 = r5.length;     Catch:{ Exception -> 0x005c }
        if (r4 >= r5) goto L_0x004d;
    L_0x0027:
        r5 = r6.m;     Catch:{ Exception -> 0x005c }
        r5 = r5[r4];     Catch:{ Exception -> 0x005c }
        r5 = r0.equals(r5);     Catch:{ Exception -> 0x005c }
        if (r5 == 0) goto L_0x004a;
    L_0x0031:
        r5 = 2;
        if (r3 != r5) goto L_0x0042;
    L_0x0034:
        r3 = r6.m;     Catch:{ Exception -> 0x005c }
        r5 = 6;
        r3 = r3[r5];     Catch:{ Exception -> 0x005c }
        r0 = r0.equals(r3);     Catch:{ Exception -> 0x005c }
        if (r0 == 0) goto L_0x0042;
    L_0x003f:
        r0 = 63;
        return r0;
    L_0x0042:
        r0 = r6.a;     Catch:{ Exception -> 0x005c }
        r0 = r0[r4];     Catch:{ Exception -> 0x005c }
        r6.k = r0;     Catch:{ Exception -> 0x005c }
        r0 = 1;
        goto L_0x004e;
    L_0x004a:
        r4 = r4 + 1;
        goto L_0x0022;
    L_0x004d:
        r0 = 0;
    L_0x004e:
        if (r0 != 0) goto L_0x0059;
    L_0x0050:
        r0 = r6.n;     Catch:{ Exception -> 0x005c }
        r3 = r6.getString(r1);     Catch:{ Exception -> 0x005c }
        r0.setText(r3);     Catch:{ Exception -> 0x005c }
    L_0x0059:
        r0 = r6.k;     Catch:{ Exception -> 0x005c }
        return r0;
    L_0x005c:
        r0 = r6.n;
        r1 = r6.getString(r1);
        r0.setText(r1);
        return r2;
        */
        throw new UnsupportedOperationException("Method not decompiled: cn.kwaiching.crackme.CrackMe.h():int");
    }
}

可以看到,除了h()函数外,反编译结果非常友好。

 

看起来是要求输入一个日期,对年月日、时刻进行判断,进行一些神秘处理后,执行a(((e() + f()) + g()) + h())。a()的逻辑非常简单,就是判断参数是不是34。所以我们的目标就是((e() + f()) + g()) + h() == 34。而这几个函数就是单纯查表,所以直接遍历所有的日期和时刻即可。需要注意的是,e()、f()、g()在查表抛出异常(例如下标越界)时会被catch捕获并返回0,求和仍然会继续进行。

 

然后就开始复制粘贴外加一些替换和修改,得脚本如下:

# Lookup tables copied from the decompiled CrackMe class.

# Java field `a`: per-slot value, indexed by the slot's position in tail_table.
a = [
    16, 6, 7, 10, 9, 16,
    10, 8, 8, 9, 6, 6,
]

# Java field `b`: indexed by day - 1. Only 30 entries, so day 31 is out of range.
day_table = [
    5, 10, 8, 15, 16, 15, 8, 16, 8, 16,
    9, 17, 8, 17, 10, 8, 9, 18, 5, 15,
    10, 9, 8, 9, 15, 18, 7, 8, 16, 6,
]

# Java field `c`: indexed by month - 1.
month_table = [
    6, 7, 18, 9, 5, 16,
    9, 15, 18, 8, 9, 5,
]

# Java field `d`: indexed by (year - 1900) % 60.
year_table = [
    7, 7, 9, 12, 8, 7, 13, 5, 14, 5,
    9, 17, 5, 7, 12, 8, 8, 6, 19, 6,
    8, 16, 10, 6, 12, 9, 6, 7, 12, 5,
    9, 8, 7, 8, 15, 9, 16, 8, 8, 19,
    12, 6, 8, 7, 5, 15, 6, 16, 15, 7,
    9, 12, 10, 7, 15, 6, 5, 14, 14, 9,
]

# Java field `m`: the twelve slot strings expected after the 8-digit date.
tail_table = [
    "23to01", "01to03", "03to05", "05to07", "07to09", "09to11",
    "11to13", "13to15", "15to17", "17to19", "19to21", "21to23",
]
def xx(year, month, day):
    """Mirror the rewrite rules of CrackMe.d() and return (year, month, day).

    The rules are applied in the same order as in the decompiled method; each
    one sees the values left by the rules before it.
    """
    # Years 1989 and 2004 force the day to 31.
    if year in (1989, 2004):
        day = 31
    # These months force the year to 1999.
    if month in (1, 4, 5, 7, 10, 11, 12):
        year = 1999
    # Months 2/6/8 are remapped depending on the year; 1995 leaves them alone.
    if month in (2, 6, 8):
        if year <= 1994:
            month = 3
        elif year >= 1996:
            month = 9
    # Year 1995: a day more than two past the month number, or equal to it, maps the month to 6.
    if year == 1995:
        if day > month + 2 or month == day:
            month = 6
    return (year, month, day)

# Brute-force every (year, month, day, slot) in the ranges CrackMe.c() accepts and
# print the combinations whose table sum is 34.
#
# NOTE(review): this search skips any candidate whose table lookup raises, and for
# month 2 with slot index 6 it adds nothing. The decompiled e()/f()/g() instead
# return 0 from their catch blocks and the sum is still passed to a(int), and h()
# returns 63 for that month/slot pair. Inputs outside what is modelled here may
# therefore also reach 34; confirm against the app before treating the printed
# result as the only accepted input.
for year in range(1984, 2007):
    for month in range(1, 13):
        for day in range(1, 32):
            # The rewrite does not depend on the slot, so do it once per date.
            year_, month_, day_ = xx(year, month, day)
            for k in range(len(tail_table)):
                try:
                    total = (year_table[(year_ - 1900) % 60]
                             + month_table[month_ - 1]
                             + day_table[day_ - 1])
                    # Slot index 6 contributes nothing here when the rewritten month is 2.
                    if not (month_ == 2 and k == 6):
                        total += a[k]
                    if total == 34:
                        print year, month, day, tail_table[k]
                except:
                    pass

运行后给出结果1995 2 3 05to07,所以答案是1995020305to07

