CTF: Android Encryption and Decryption
Posted by 梦想家哈儿和他的bug
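Challenge:
Zhang San heard that the AES algorithm is very secure. He did not want anyone to find his flag, so he encrypted it and wrote it into an Android app. He has never published the source code for the challenge. Can you recover the flag he wanted to hide from the attached apk?
Attachment: apk
Solution:
First, download an Android decompiler and decompile the apk: https://github.com/skylot/jadx
With the decompiled code in hand, decrypt according to its AES encryption rules.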
```java
import android.os.Bundle;
import android.util.Base64;
import android.util.Log;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
import java.nio.charset.StandardCharsets;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class MainActivity extends AppCompatActivity {
    String enc = "bKhM9b9mSM2Xff4XgzzrYUXhKwfBxzUd30bdW3sOxpClsxmuVh04Ny7VAQhbjKui????";
    String key = "yuNttCSojTyxZodsxxxxxxx";
    private Cipher cipher;

    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Log.e("WuHengCTF", "Try this awesome tool to decompile apk\\nhttps://github.com/skylot/jadx");
        final EditText editText = (EditText) findViewById(R.id.editText);
        Button button = (Button) findViewById(R.id.button);
        button.setOnClickListener(new View.OnClickListener() { // from class: com.wuhengctf.wuhengdroid1.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                // Added while solving: treat the input as Base64 ciphertext and log the plaintext
                try {
                    String s = editText.getText().toString();
                    String e1 = Decrypt(s, key);
                    Log.e("hsk -- > ", e1);
                } catch (Exception e) {
                    e.printStackTrace();
                }
                String s = editText.getText().toString();
                if (MainActivity.this.verify(s)) {
                    Toast.makeText(MainActivity.this.getApplicationContext(), "yep", Toast.LENGTH_SHORT).show();
                } else {
                    Toast.makeText(MainActivity.this.getApplicationContext(), "nope", Toast.LENGTH_SHORT).show();
                }
            }
        });
    }

    // flagxxxxxx
    // WHCTFXXX
    boolean verify(String k) {
        try {
            cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            // 1 == Cipher.ENCRYPT_MODE; the IV is 16 zero bytes
            cipher.init(1, new SecretKeySpec(this.key.getBytes(), "AES"), new IvParameterSpec(new byte[16]));
            byte[] ciphertext = cipher.doFinal(k.getBytes(StandardCharsets.UTF_8));
            // 2 == Base64.NO_WRAP
            String encode = Base64.encodeToString(ciphertext, 2);
            Log.e("WuHengCTF", encode);
            return this.enc.equals(encode);
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }

    // Decrypt
    public String Decrypt(String sSrc, String sKey) throws Exception {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(sKey.getBytes(), "AES"), new IvParameterSpec(new byte[16]));
            byte[] encrypted1 = Base64.decode(sSrc, 2);
            try {
                // byte[] original = cipher.doFinal(sSrc.getBytes(StandardCharsets.UTF_8));
                byte[] original = cipher.doFinal(encrypted1);
                String originalString = new String(original, StandardCharsets.UTF_8);
                Log.e("解密后", originalString);
                return originalString;
            } catch (Exception e) {
                System.out.println(e.toString());
                return null;
            }
        } catch (Exception ex) {
            System.out.println(ex.toString());
            return null;
        }
    }
}
```
Finally, decrypting yields the flag.
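The decryption step above can also be run off-device on a desktop JVM. The following is an added example, not code from the original post: the class name `OfflineDecrypt` is hypothetical, `java.util.Base64` stands in for `android.util.Base64`, and the key and flag in `main` are constructed sample values, since the `enc` and `key` strings as printed in the post are not usable as-is (the key is 23 characters and `enc` ends in `????`).

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class OfflineDecrypt {
    // Same parameters as verify() in the decompiled app: AES-CBC, PKCS5 padding, all-zero IV.
    static Cipher cipher(int mode, String key) throws Exception {
        byte[] k = key.getBytes(StandardCharsets.UTF_8);
        // AES only accepts 16-, 24- or 32-byte keys; fail early with a readable message.
        if (k.length != 16 && k.length != 24 && k.length != 32) {
            throw new IllegalArgumentException("AES key must be 16, 24 or 32 bytes, got " + k.length);
        }
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(k, "AES"), new IvParameterSpec(new byte[16]));
        return c;
    }

    // Mirror of verify(): encrypt, then Base64 without line breaks (Android's flag 2, NO_WRAP).
    static String encrypt(String plain, String key) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, key).doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    // Inverse of verify(): Base64-decode, then decrypt with the same key and IV.
    static String decrypt(String b64, String key) throws Exception {
        byte[] ct = Base64.getDecoder().decode(b64);
        return new String(cipher(Cipher.DECRYPT_MODE, key).doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not the challenge's real key or flag.
        String key = "0123456789abcdef"; // 16 bytes -> AES-128
        String flag = "flag{constructed_sample_value}";

        String enc = encrypt(flag, key); // what the app would hold in its `enc` field
        String dec = decrypt(enc, key);
        System.out.println("enc = " + enc);
        System.out.println("dec = " + dec);
        if (!dec.equals(flag)) throw new AssertionError("round trip failed");

        // Values recovered from the APK can be passed as: java OfflineDecrypt.java <enc> <key>
        if (args.length == 2) System.out.println(decrypt(args[0], args[1]));
    }
}
```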