crackme2 | XHC BLOG

观察题目

是apk文件用jadx反编译

在com包下的example.CrackMe2目录下的MainActivity中

看到解题的关键

很简单是一个魔改的RC4加密 RC4加密解密用一套算法

脚本

只要将我们得到的密文当成原文输入即可的到真正的原文即flag

public  class wp{
      /**
     * @param encrypt
     * @param keys
     * @return
     */
    public static  String encode(char[] encrypt, String keys) {
        char[] keyBytes = new char[256];
        char[] cypherBytes = new char[256];
        for (int i = 0; i < 256; i++) 
        {
            keyBytes[i] = keys.charAt(i % keys.length());
            cypherBytes[i] = (char) i;
        }
        int jump = 0;
        for (int i2 = 0; i2 < 256; i2++) {
            jump = (cypherBytes[i2] + jump + keyBytes[i2]) & 255;
            char tmp = cypherBytes[i2];
            cypherBytes[i2] = cypherBytes[jump];
            cypherBytes[jump] = tmp;
        }
        int i3 = 0;
        int jump2 = 0;
        StringBuilder Result = new StringBuilder();
        for (int x = 0; x < encrypt.length; x++) {
            i3 = (i3 + 1) & 255;
            char tmp2 = cypherBytes[i3];
            jump2 = (jump2 + tmp2 + 136) & 255;
            char t = (char) ((cypherBytes[jump2] + tmp2) & 255);
            cypherBytes[i3] = cypherBytes[jump2];
            cypherBytes[jump2] = tmp2;
            try {
                Result.append(new String(new char[]{(char) (encrypt[x] ^ cypherBytes[t])}));
            } catch (Exception e) {
                e.printStackTrace();
                return "";
            }
        }
        return Result.toString();
    }
    public static void main(String[]args){
            char[] target = {205, 'R', 't', 'z', 30, '\b', '\b', 224, 'W', ';', 24, 153, 175, '=', 29, 148, 21, '%', 'g', '[', 'd', 'S', 31, ';', 220, 162, 'F', '6', 211, 253, 190, '3'};
            String result =encode(target,"happygame");
            System.out.println("flag{"+result+"}");
            }  
}