原题:https://ctf.bugku.com/challenges/detail/id/99.html

话不多说解压下
将classes.dex转成jar

d2j-dex2jar.bat .\classes.dex

用jd-gui.jar查看源码

image.png

package re.sdnisc2018.sdnisc_apk1;

import android.content.Context;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.util.Base64;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;

public class MainActivity extends AppCompatActivity {
  private String getFlag() {
    return getBaseContext().getString(2131427360);
  }
  
  private void showMsgToast(String paramString) {
    Toast.makeText((Context)this, paramString, 1).show();
  }
  
  public void checkPassword(String paramString) {
    if (paramString.equals(new String(Base64.decode((new StringBuffer(getFlag())).reverse().toString(), 0)))) {
      showMsgToast("Congratulations !");
    } else {
      showMsgToast("Try again.");
    } 
  }
  
  protected void onCreate(Bundle paramBundle) {
    super.onCreate(paramBundle);
    setContentView(2131296283);
    ((Button)findViewById(2131165261)).setOnClickListener(new View.OnClickListener() {
          public void onClick(View param1View) {
            String str = ((EditText)MainActivity.this.findViewById(2131165253)).getText().toString();
            MainActivity.this.checkPassword(str);
          }
        });
  }
}

发现getFlag方法中的2131427360,应该是一个资源的引用,R.class查下
image.png

 public static final int toString = 2131427360;

资源文件要到strings.xml查找。
再把apk用apktool反编译一下

java -jar apktool_2.3.4.jar d Sign_in.apk -o out

查看res/values/strings.xml得到

    <string name="toString">991YiZWOz81ZhFjZfJXdwk3X1k2XzIXZIt3ZhxmZ</string>

根据源码。将“991YiZWOz81ZhFjZfJXdwk3X1k2XzIXZIt3ZhxmZ”反转 再base64解码一下。得到flag
image.png

Q.E.D.