安卓逆向 reoky android-crackme-challenge1 jadx发现答案写在监听器里面

https://github.com/reoky/android-crackme-challenge/tree/master

补全环境

让 AI 帮忙补全构建环境(build.gradle)。
注意:activity_challenge.xml 里的 ViewPager 要改成 androidx.viewpager.widget.ViewPager,否则这个 apk 在雷电模拟器上会崩溃。

丢到jadx

搜索 writefile,找到 ChallengeOneFragment:


/* loaded from: classes5.dex */
/**
 * Fragment that hosts the first challenge screen.
 *
 * <p>It inflates the challenge layout, attaches a
 * {@link ChallengeOneFragmentOnClickListener} to the "check" button and to the
 * "write file" button, and labels the latter according to whether a file named
 * {@code ANSWER} is already present. No answer checking happens here; for a reviewer
 * the interesting code is in the listener class.
 */
public class ChallengeOneFragment extends Fragment {
    @Override // androidx.fragment.app.Fragment
    public void onActivityCreated(Bundle savedInstanceState) {
        // Nothing beyond the base-class behaviour.
        super.onActivityCreated(savedInstanceState);
    }

    /**
     * Builds the fragment's view tree and wires up both buttons.
     *
     * @param inflater inflater used to create the layout
     * @param container parent the layout is inflated against (not attached here)
     * @param savedInstanceState unused
     * @return the inflated root view
     */
    @Override // androidx.fragment.app.Fragment
    public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {
        final View root = inflater.inflate(R.layout.fragment_challenge_one, container, false);

        final Button checkButton = (Button) root.findViewById(R.id.challenge_one_button_check);
        checkButton.setOnClickListener(new ChallengeOneFragmentOnClickListener());

        final Button fileButton = (Button) root.findViewById(R.id.button_write_file);
        fileButton.setOnClickListener(new ChallengeOneFragmentOnClickListener());

        // The button doubles as "write" and "delete", depending on whether ANSWER exists.
        final File answerFile = root.getContext().getFileStreamPath("ANSWER");
        fileButton.setText(
                answerFile.exists()
                        ? R.string.string_challenge_delete_file
                        : R.string.string_challenge_write_file);
        return root;
    }
}

然后点进 click 监听器,发现答案就是代码里的明文字符串 "poorly-protected-secret"(比较前会先转小写,所以大小写不敏感);同一个字符串也会被写入 ANSWER 文件。也就是说,校验值硬编码在客户端里,反编译后直接可见。


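/* loaded from: classes4.dex */
/**
 * Click handler shared by the "check" and "write file" buttons of challenge one.
 *
 * <p>Review notes on this decompiled listing:
 * <ul>
 *   <li>The expected answer is a plaintext string constant compared on the client, so it
 *       is recoverable by anyone who can decompile the APK. That is the lesson of the
 *       challenge; a real secret must not be shipped in, or verified by, the client.</li>
 *   <li>The same value is written to a file named {@code ANSWER} with mode {@code 1}
 *       (see {@link #toggleAnswerFile}).</li>
 *   <li>The decompiler emitted {@code throws IOException} on {@code onClick}; the
 *       interface method declares no checked exceptions, so the clause is dropped here.</li>
 * </ul>
 */
public class ChallengeOneFragmentOnClickListener implements View.OnClickListener {
    /** Name of the file the "write file" button creates or deletes. */
    private static final String ANSWER_FILE = "ANSWER";

    /** Hard-coded challenge answer; intentionally weak, kept exactly as shipped. */
    private static final String EXPECTED_ANSWER = "poorly-protected-secret";

    /**
     * Dispatches a click to the guess check or to the answer-file toggle.
     *
     * @param view the button that was clicked
     */
    @Override // android.view.View.OnClickListener
    public void onClick(View view) {
        View parent = (View) view.getParent().getParent();
        if (parent == null) {
            // The original only guarded the check branch; the write branch dereferenced
            // parent unconditionally.
            return;
        }
        int viewId = view.getId();
        if (viewId == R.id.challenge_one_button_check) {
            checkGuess(parent);
        } else if (viewId == R.id.button_write_file) {
            toggleAnswerFile(view, parent);
        }
    }

    /** Compares the lower-cased guess with the expected answer and reports the result. */
    private void checkGuess(View parent) {
        EditText textGuess = (EditText) parent.findViewById(R.id.challenge_one_text_guess);
        String guess = textGuess.getText().toString().toLowerCase();
        if (guess.equals(EXPECTED_ANSWER)) {
            textGuess.setTextColor(parent.getResources().getColor(R.color.color_nebula));
            Vibrator vibrator = (Vibrator) parent.getContext().getSystemService("vibrator");
            vibrator.vibrate(400L);
            Toast.makeText(parent.getContext(), "You've completed this challenge!", Toast.LENGTH_LONG).show();
            return;
        }
        textGuess.setTextColor(parent.getResources().getColor(R.color.color_nebula_dark));
        Toast.makeText(parent.getContext(), "Sorry, that's not right..", Toast.LENGTH_SHORT).show();
    }

    /** Deletes the answer file if it exists, otherwise writes the answer into it. */
    private void toggleAnswerFile(View view, View parent) {
        Button buttonWrite = (Button) parent.findViewById(R.id.button_write_file);
        File file = view.getContext().getFileStreamPath(ANSWER_FILE);
        if (file.exists()) {
            file.delete();
            buttonWrite.setText(R.string.string_challenge_write_file);
            Toast.makeText(parent.getContext(), "File Deleted", Toast.LENGTH_LONG).show();
            return;
        }

        // Mode 1 is Context.MODE_WORLD_READABLE: deprecated, and documented to throw
        // SecurityException from API 24 on, which the catch below does not handle.
        // Left as shipped because this listing documents the challenge app; production
        // code should use MODE_PRIVATE and never persist a secret in plaintext.
        boolean written = false;
        // try-with-resources closes the stream even when write() or flush() fails.
        try (OutputStreamWriter writer =
                new OutputStreamWriter(parent.getContext().openFileOutput(ANSWER_FILE, 1))) {
            writer.write(EXPECTED_ANSWER);
            writer.flush();
            written = true;
        } catch (IOException e) {
            // FileNotFoundException is an IOException, so one handler covers both.
            e.printStackTrace();
        }
        if (written) {
            Toast.makeText(parent.getContext(), "File Written", Toast.LENGTH_LONG).show();
        }
        // As in the original, the label flips even when the write failed.
        buttonWrite.setText(R.string.string_challenge_delete_file);
    }
}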