【Android 逆向】【攻防世界】Ph0en1x-100



Main text

1. Install the APK on the phone. The usual routine: it asks you to enter a flag.

2. Open the APK in jadx; it is not packed.

......
    public void onGoClick(View v) {
        String sInput = this.etFlag.getText().toString();
        if (getSecret(getFlag()).equals(getSecret(encrypt(sInput)))) {
            Toast.makeText(this, "Success", 1).show();
        } else {
            Toast.makeText(this, "Failed", 1).show();
        }
    }
......

From this we can see that getFlag() should equal encrypt(sInput), so getSecret() is just a distraction and can be ignored.
Both methods are native methods, so first use objection to see what getFlag() returns.

com.ph0en1x.android_crackme on (xiaomi: 8.1.0) [usb] # android hooking watch class_method com.ph0en1x.android_crackme.MainActivity.getFlag --dump-return
(agent) Attempting to watch class com.ph0en1x.android_crackme.MainActivity and method getFlag.
(agent) Hooking com.ph0en1x.android_crackme.MainActivity.getFlag()
(agent) Registering job 0003115686069. Type: watch-method for: com.ph0en1x.android_crackme.MainActivity.getFlag
com.ph0en1x.android_crackme on (xiaomi: 8.1.0) [usb] # (agent) [0003115686069] Called com.ph0en1x.android_crackme.MainActivity.getFlag()
(agent) [0003115686069] Return Value: "ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|"

# So getFlag() returns "ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|"

3. Open the .so in IDA and look at encrypt

jstring __fastcall Java_com_ph0en1x_android_1crackme_MainActivity_encrypt(JNIEnv *env, jobject obj, jstring key)
{
  const char *key_chars; // r4
  const char *i; // r5

  key_chars = (*env)->GetStringUTFChars(env, key, 0);
  for ( i = key_chars; i - key_chars < strlen(key_chars); ++i )
    --*i;
  return (*env)->NewStringUTF(env, key_chars);
}

Analysis shows that the encryption amounts to subtracting one from each character.
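To make the decompiled routine concrete, here is an added Python model of it (example code, not part of the original write-up): encrypt_native() mirrors the byte-wise decrement of the native encrypt(), decrypt() inverts it, and check() reproduces the onGoClick() comparison against the value objection dumped from getFlag(). The function names are assumptions introduced here; the encrypted string is the one from the write-up. The model also reproduces one detail of the C loop that the one-line summary hides: strlen() is re-evaluated on every iteration, so if a decrement ever produces a NUL byte the string is cut short at that point.

```python
# Added example, not the challenge's own code: a Python model of the native
# encrypt() seen in IDA, its inverse, and the app's onGoClick() decision.

# Value returned by getFlag(), as dumped with objection in the write-up.
FLAG_FROM_GETFLAG = "ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|"


def encrypt_native(s: str) -> str:
    """Mirror of Java_..._encrypt: decrement every byte of the C string.

    GetStringUTFChars() hands the native code a NUL-terminated buffer, so the
    input is cut at the first NUL like a C string. The decompiled loop checks
    `i - key_chars < strlen(key_chars)` each time round, so a byte that
    becomes 0x00 after the decrement terminates the string early; that
    truncation is reproduced here (modelling choice: undecodable bytes are
    replaced rather than treated as modified UTF-8).
    """
    buf = s.encode("utf-8").split(b"\x00", 1)[0]
    out = bytearray()
    for b in buf:
        b = (b - 1) & 0xFF
        if b == 0:
            break  # strlen() now stops here; NewStringUTF sees the shorter string
        out.append(b)
    return out.decode("utf-8", errors="replace")


def decrypt(s: str) -> str:
    """Undo encrypt_native(): add one back to every byte."""
    return bytes((b + 1) & 0xFF for b in s.encode("utf-8")).decode(
        "utf-8", errors="replace"
    )


def check(user_input: str) -> bool:
    """The onGoClick() decision: getFlag() must equal encrypt(input).

    The app wraps both sides in getSecret(); since the same function is
    applied to both, any input whose encryption equals getFlag() passes, so
    getSecret() is omitted from the model.
    """
    return FLAG_FROM_GETFLAG == encrypt_native(user_input)


def solve() -> str:
    """Recover the accepted input from the dumped getFlag() value."""
    return decrypt(FLAG_FROM_GETFLAG)


if __name__ == "__main__":
    flag = solve()
    print(flag)
    print("Success" if check(flag) else "Failed")
```

Running the block prints the recovered flag and "Success", confirming that the recovered string is exactly what the app's comparison accepts.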

4. Write the decoding routine

# Value returned by getFlag(), dumped with objection above
key = 'ek`fz@q2^x/t^fn0mF^6/^rb`qanqntfg^E`hq|'

# encrypt() subtracts one from every character, so add one back to each
ret = ''
for char in key:
    tmp = ord(char)
    # print(tmp)  # debug only: code point of each encrypted character
    tmp += 1
    t_char = chr(tmp)
    ret += t_char

print(ret)

# Output
flag{Ar3_y0u_go1nG_70_scarborough_Fair}

The flag is obtained successfully.
