New Star Ctf Re

Last updated: October 19, 2023, morning

New Star Ctf Week1 Re

easy_RE

flag flag{welc0me_to_rev3rse!!}

UPX packer

upx -d file

enc = 'gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~'

# Every character was shifted up by one; subtract 1 to decode
for i in range(len(enc)):
    print(chr(ord(enc[i])-1), end='')
#flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}

flag flag{C0ngratu1at10ns0nPa221ngTheF1rstPZGALAXY1eve1}

Segments

Hint: how do you open the Segments window in IDA? (Note: the flag format is flag{…})

Shift+F7

flag flag{You_ar3_g0od_at_f1nding_ELF_segments_name}

ELF

Encryption 2 is standard Base64.

Use CYBER:

https://huajien.gitee.io/cyber

flag FLAG{D0_40U_7NOW_WHA7_ELF_1S?]

Endian

Judging by the title, this is little-endian byte order.

array = [0x75553A1E, 0x7B583A03, 0x4D58220C, 0x7B50383D, 0x736B3819]

# XOR each 32-bit word with the constant, then emit its bytes in little-endian order
result = [(x ^ 0x12345678) for x in array]


for i, value in enumerate(result):
    flag = value.to_bytes(4, 'little')
    print(flag.decode(), end='')
print("}\n")
#flag{llittl_Endian_a}

flag flag{llittl_Endian_a}

AndroXor

flag = ''
key = "happyx3"
enc = [14, ord('\r'), 17, 23, 2, ord('K'), ord('I'), ord('7'), ord(' '), 30, 20, ord('I'), ord('\n'), 2, ord('\f'), ord('>'), ord('('), ord('@'), 11, ord('\''), ord('K'), ord('Y'), 25, ord('A'), ord('\r')]

for i in range(len(enc)):
    indexs = i % len(key)
    flag += chr(enc[i] ^ ord(key[indexs]))
print(flag)

#flag{3z_And0r1d_X0r_x1x1}

flag flag{3z_And0r1d_X0r_x1x1}

EzPE

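The file header magic here is PZ; change it to MZ.

Follow the PE structure to LONG AddressOfNewExeHeader.

It should be 0x80, but here it is 0x90; change it to 0x80 and the program runs.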
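The same two header repairs done programmatically, as an added example that is not part of the original write-up: it checks the DOS magic and AddressOfNewExeHeader (e_lfanew) and rewrites them when they do not lead to the PE\0\0 signature. The sample bytes are a constructed stub rather than the challenge file, and the function names are assumptions of this example.

```python
import struct

E_LFANEW = 0x3C                        # offset of AddressOfNewExeHeader in the DOS header
MACHINES = {0x014C, 0x8664, 0xAA64}    # i386, x64, ARM64 values of the COFF Machine field

def find_nt_headers(buf):
    """Offset of the first 'PE\\0\\0' followed by a known Machine value, or -1."""
    pos = buf.find(b"PE\0\0", 0x40)
    while pos != -1:
        if pos + 6 <= len(buf) and struct.unpack_from("<H", buf, pos + 4)[0] in MACHINES:
            return pos
        pos = buf.find(b"PE\0\0", pos + 1)
    return -1

def repair_dos_header(data):
    """Return (repaired bytes, list of fixes) for a PE whose DOS header was tampered with."""
    if len(data) < 0x40:
        raise ValueError("too short to hold a DOS header")
    buf, fixes = bytearray(data), []
    if buf[:2] != b"MZ":
        fixes.append("e_magic %r -> b'MZ'" % bytes(buf[:2]))
        buf[:2] = b"MZ"
    lfanew = struct.unpack_from("<I", buf, E_LFANEW)[0]
    if buf[lfanew:lfanew + 4] != b"PE\0\0":
        real = find_nt_headers(buf)    # locate where the NT headers really start
        if real == -1:
            raise ValueError("no NT headers signature found")
        struct.pack_into("<I", buf, E_LFANEW, real)
        fixes.append("e_lfanew %#x -> %#x" % (lfanew, real))
    return bytes(buf), fixes

def make_sample():
    """Constructed stub: 'PZ' magic, e_lfanew 0x90, NT headers actually at 0x80."""
    dos = bytearray(0x80)
    dos[:2] = b"PZ"
    struct.pack_into("<I", dos, E_LFANEW, 0x90)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(0xF0)

if __name__ == "__main__":
    fixed, fixes = repair_dos_header(make_sample())
    print(fixes)
```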

enc =   [0x0A, 0x0C, 0x04, 0x1F, 0x26, 0x6C, 0x43, 0x2D, 0x3C, 0x0C,
         0x54, 0x4C, 0x24, 0x25, 0x11, 0x06, 0x05, 0x3A, 0x7C, 0x51,
         0x38, 0x1A, 0x03, 0x0D, 0x01, 0x36, 0x1F, 0x12, 0x26, 0x04,
         0x68, 0x5D, 0x3F, 0x2D, 0x37, 0x2A, 0x7D]
for i in range(len(enc)-2,-1,-1):
    enc[i] ^= (i ^ enc[i + 1])
flag = ''.join(chr(i) for i in enc)
print(flag)
# flag{Y0u_kn0w_what_1s_PE_File_F0rmat}

flag flag{Y0u_kn0w_what_1s_PE_File_F0rmat}

lazy_activtiy

Tap 10000 times and the flag pops up.

Search for flag; it is in layout.

flag flag{Act1v1ty_!s_so00oo0o_Impor#an#}

New Star Ctf Week2 Re

PZthon

It is a packaged Python program.

Use pyinstxtractor.py (download: /pyinstxtractor.py)

python pyinstxtractor.py file.exe

This produces a file.pyc. Use pycdc (pycdc download) to decompile it:

D:\Software\SoftwareFile\tool\Tools\Disassemblers\PZthon.exe_extracted>pycdc.exe PZthon.pyc
# Source Generated with Decompyle++
# File: PZthon.pyc (Python 3.9)


def hello():
    art = '\n ___ \n // ) ) / / // ) ) // | | / / // | | \\ / / \\ / / \n //___/ / / / // //__| | / / //__| | \\ / \\ / / \n / ____ / / / // ____ / ___ | / / / ___ | / / \\/ / \n // / / // / / // | | / / // | | / /\\ / / \n// / /___ ((____/ / // | | / /____/ / // | | / / \\ / / \n \n / / // / / || / / // / / / / /__ ___/ || / | / / // ) ) \n / / //____ || / / //____ / / / / || / | / / // / / \n / / / ____ || / / / ____ / / / / || / /||/ / // / / \n / / // ||/ / // / / / / ||/ / | / // / / \n / /____/ / //____/ / | / //____/ / / /____/ / / / | / | / ((___/ / \n'
    print(art)
    return bytearray(input('Please give me the flag: ').encode())

enc = [115,121,116,114,110,76,37,96,88,116,113,112,36,97,65,125,103,37,96,114,125,65,39,112,70,112,118,37,123,113,69,79,82,84,89,84,77,76,36,112,99,112,36,65,39,116,97,36,102,86,37,37,36,104]
data = hello()
for i in range(len(data)):
    data[i] = data[i] ^ 21
if bytearray(enc) == data:
    print('WOW!!')
else:
    print('I believe you can do it!')
input('To be continue...')

Script

enc = [115,121,116,114,110,76,37,96,88,116,113,112,36,97,65,125,103,37,96,114,125,65,39,112,70,112,118,37,123,113,69,79,82,84,89,84,77,76,36,112,99,112,36,65,39,116,97,36,102,86,37,37,36,104]
data = [0] * len(enc)
# The program XORs every input byte with 21; XOR again to recover the input
for i in range(len(enc)):
    data[i] = chr(enc[i] ^ 21)
print("".join(data))
#flag{Y0uMade1tThr0ughT2eSec0ndPZGALAXY1eve1T2at1sC001}

AndroGenshin

Genshin Impact, launch!

Method 1 for obtaining the encoding table

First analyze the APK with jadx-gui.

Then write a script:

function main(){
    Java.perform(function () {
        // Hook it_is_not_RC4.rc4 and log both arguments and the return value
        var rc4Class = Java.use("com.genshin.impact.it_is_not_RC4")
        rc4Class.rc4.implementation = function(name,table64){
            console.log("[+] 1",name);
            console.log("[+] 2",table64);
            var result = this.rc4(name,table64);
            console.log("[+] result",result);
            return result;
        }
    })
}
// account: genshinimpact

main();

//➜ frida -U -N com.genshin.impact -l shenshen.js --pause

Run it with Frida:

BADCFEHGJILKNMPORQTSVUXWZYbadcfehgjilknmporqtsvuxwzy1032547698/+

Method 2 for obtaining the encoding table

Debug with JEB:

BADCFEHGJILKNMPORQTSVUXWZYbadcfehgjilknmporqtsvuxwzy1032547698/+

flag flag{0h_RC4_w1th_Base64!!}

SMC

Judging by the title, this should be SMC (self-modifying code).

Write the IDAPython code:

import idc

data_addr = 0x403040

lens = 40
key = [0x11, 0x22, 0x33, 0x44]
# XOR the 40 bytes at data_addr with the repeating 4-byte key, in place
for i in range(lens):
    idc.patch_byte(data_addr + i, idc.get_wide_byte(data_addr + i) ^ key[i % 4])
print("end")

Shift+F2

At address 0x403040, press C to convert the bytes to code, then P to create a function.

Step into it and you find that it operates on the ciphertext; write a script:

enc = [  0x7C, 0x82, 0x75, 0x7B, 0x6F, 0x47, 0x61, 0x57, 0x53, 0x25,
         0x47, 0x53, 0x25, 0x84, 0x6A, 0x27, 0x68, 0x27, 0x67, 0x6A,
         0x7D, 0x84, 0x7B, 0x35, 0x35, 0x48, 0x25, 0x7B, 0x7E, 0x6A,
         0x33, 0x71]
flag = ''
for x in range(len(enc)):
    flag += chr((enc[x] - 0x5)^ 0x11)
print(flag)
#flag{SMC_1S_1nt3r3sting!!R1ght?}

flag flag{SMC_1S_1nt3r3sting!!R1ght?}

Petals

Judging by the challenge title, this should be junk instructions.

At address 0x00000000000013B0 in the program:

Press D to convert to raw bytes and change 0xe8 to 0x90 (nop).

After patching, press U to undefine, then press C to convert back to assembly code; at 0x000000000000120D (push rbp), press P to create the function.

Open the pseudocode:

import hashlib
enc = [0xD0, 0xD0, 0x85, 0x85, 0x80, 0x80, 0xC5, 0x8A, 0x93, 0x89,
       0x92, 0x8F, 0x87, 0x88, 0x9F, 0x8F, 0xC5, 0x84, 0xD6, 0xD1,
       0xD2, 0x82, 0xD3, 0xDE, 0x87]
flag = ''
# Rebuild the substitution table, then invert it by index lookup
tmp = [0] * 256
for i in range(256):
    tmp[i] = (~(i ^ 25))&0xff

for x in range(len(enc)):
    flag += chr(tmp.index((enc[x])%256))
print("flag{"+hashlib.md5(flag.encode()).hexdigest()+"}")
#flag{d780c9b2d2aa9d40010a753bc15770de}

flag flag{d780c9b2d2aa9d40010a753bc15770de}

C?C++?

Checking with DIE shows that it is C#, so it is time for dnSpy / ILSpy.

using System;

namespace ConsoleApp1
{
    // Token: 0x02000002 RID: 2
    internal class Program
    {
        // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
        private static void Main(string[] args)
        {
            int num = 35;
            int[] array = new int[]
            { 68, 75, 66, 72, 99, 19, 19, 78, 83, 74,
              91, 86, 35, 39, 77, 85, 44, 89, 47, 92,
              49, 88, 48, 91, 88, 102, 105, 51, 76, 115,
              -124, 125, 79, 122, -103
            };
            char[] array2 = new char[35];
            int[] array3 = new int[35];
            Console.Write("Input your flag: ");
            string text = Console.ReadLine();
            for (int i = 0; i < text.Length; i++)
            {
                array2[i] = text[i];
            }
            string text2 = "NEWSTAR";
            for (int j = 0; j < num; j++)
            {
                char[] array4 = array2;
                int num2 = j;
                array4[num2] += (char)j;
                char[] array5 = array2;
                int num3 = j;
                array5[num3] -= ' ';
            }
            for (int k = 0; k < 7; k++)
            {
                char[] array6 = array2;
                int num4 = k;
                array6[num4] += (char)(k ^ (int)(-(int)(text2[k] % '\u0004')));
                char[] array7 = array2;
                int num5 = k + 7;
                array7[num5] += text2[k] % '\u0005';
                char[] array8 = array2;
                int num6 = k + 14;
                array8[num6] += (char)(2 * k);
                char[] array9 = array2;
                int num7 = k + 21;
                array9[num7] += (char)(k ^ 2);
                char[] array10 = array2;
                int num8 = k + 28;
                array10[num8] += text2[k] / '\u0005' + '\n';
            }
            for (int l = 0; l < num; l++)
            {
                int num9 = (int)array2[l];
                array3[l] = num9;
            }
            for (int m = 0; m < 35; m++)
            {
                bool flag = m == 34 && array3[m] == array[m];
                if (flag)
                {
                    Console.WriteLine("Right!");
                }
                bool flag2 = array3[m] == array[m];
                if (!flag2)
                {
                    Console.WriteLine("Wrong!");
                    break;
                }
            }
        }
    }
}

Write a script:

enc = [68, 75, 66, 72, 99, 19, 19, 78, 83, 74,
       91, 86, 35, 39, 77, 85, 44, 89, 47, 92,
       49, 88, 48, 91, 88, 102, 105, 51, 76, 115,
       -124, 125, 79, 122, -103]
key = "NEWSTAR"
# Undo the second loop (the five 7-byte groups) first, then the per-index shift
for i in range(7):
    enc[i + 28] -= (ord(key[i])//0x5) + ord("\n")
    enc[i + 21] -= i ^ 2
    enc[i + 14] -= 2 * i
    enc[i + 7] -= ord(key[i]) % 5
    enc[i]-= i ^ -(ord(key[i])%4)
for i in range(35):
    enc[i] -= i
    enc[i] += ord(' ')
    print(chr(enc[i]%256), end='')
#flag{45dg_ng78_d8b5_1a7d_gh47_kd5b}

flag flag{45dg_ng78_d8b5_1a7d_gh47_kd5b}

easy_enc

Script

enc = [
    0xE8, 0x80, 0x84, 0x08, 0x18, 0x3C, 0x78, 0x68, 0x00, 0x70,
    0x7C, 0x94, 0xC8, 0xE0, 0x10, 0xEC, 0xB4, 0xAC, 0x68, 0xA8,
    0x0C, 0x1C, 0x90, 0xCC, 0x54, 0x3C, 0x14, 0xDC, 0x30]
flag = ''

tmp = [0] * 29
for j in range(29):
    # Try every candidate character and keep the one that encrypts to enc[j]
    for i in range(65,123):
        if 0x30 <= i <= 0x39:
            tmp[j] = ((i - 45) % 10 + 48)
        elif 0x41<= i <= 0x5A:
            tmp[j] = ((i - 52) % 26 + 65)
        elif 0x61 <= i <= 0x7A:
            tmp[j] = ((i - 89) % 26 + 97)
        else:
            # 91..96 are not letters; skip them so a stale tmp[j] is never tested
            continue
        key = 'NewStarCTF'
        tmp[j] += ord(key[j % len(key)])
        tmp[j] = ~tmp[j]
        tmp[j] = (tmp[j] * 52) & 0xff
        if(tmp[j] == enc[j]):
            flag += chr(i)
print("flag{"+flag+"}")
#flag{BruteForceIsAGoodwaytoGetFlag}

flag flag{BruteForceIsAGoodwaytoGetFlag}

R4ndom

Random seed: srand 0x5377654E

Handle the endianness:

str2 = [
    0x3513AB8AB2D7E6EE, 0x2EEDBA9CB9C97B02, 0x16E4F8C8EEFA4FBD,
    0x383014F4983B6382, 0xEA32360C3D843607, 42581
]

# Split each 64-bit value into bytes, least significant byte first
result = []
for i in str2:
    for j in range(8):
        result.append(i & 0xFF)
        i >>= 8
    # result.extend([(i >> (8*j)) & 0xFF for j in range(8)])

hex_result = '0x' + ',0x'.join(format(x, '02x') for x in result if x != 0)
print(hex_result)
#0xee,0xe6,0xd7,0xb2,0x8a,0xab,0x13,0x35,0x02,0x7b,0xc9,0xb9,0x9c,0xba,0xed,0x2e,0xbd,0x4f,0xfa,0xee,0xc8,0xf8,0xe4,0x16,0x82,0x63,0x3b,0x98,0xf4,0x14,0x30,0x38,0x07,0x36,0x84,0x3d,0x0c,0x36,0x32,0xea,0x55,0xa6

Write the code, and note that it must be run on Linux.

Note: rand() produces different random numbers on Linux and Windows, so remember to compile on the matching system.

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>

int main(void) {
    uint8_t Table[] = {
        0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01,
        0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D,
        0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4,
        0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC,
        0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7,
        0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2,
        0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E,
        0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
        0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB,
        0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB,
        0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C,
        0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5,
        0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C,
        0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D,
        0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A,
        0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
        0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3,
        0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
        0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A,
        0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6,
        0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E,
        0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9,
        0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9,
        0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
        0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99,
        0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
    };
    srand(0x5377654E);
    uint8_t enc[] = {
        0xee, 0xe6, 0xd7, 0xb2, 0x8a, 0xab, 0x13, 0x35, 0x02, 0x7b,
        0xc9, 0xb9, 0x9c, 0xba, 0xed, 0x2e, 0xbd, 0x4f, 0xfa, 0xee,
        0xc8, 0xf8, 0xe4, 0x16, 0x82, 0x63, 0x3b, 0x98, 0xf4, 0x14,
        0x30, 0x38, 0x07, 0x36, 0x84, 0x3d, 0x0c, 0x36, 0x32, 0xea,
        0x55, 0xa6};
    for (int i = 0; i < 42; i++) {
        for (int j = 0; j < 256; j++) {
            if (Table[j] == enc[i]) {
                /* j is the table index of enc[i]; subtract this position's rand() % 255 */
                printf("%c", (char)(j - rand() % 255));
            }
        }
    }
    return 0;
}
// flag{B8452786-DD8E-412C-E355-2B6F27DAB5F9}

flag flag{B8452786-DD8E-f12C-E355-2B6F27DA25F9}

Reference: newstar week2 - nyyydddd

str2 = [
    0x3513AB8AB2D7E6EE, 0x2EEDBA9CB9C97B02, 0x16E4F8C8EEFA4FBD,
    0x383014F4983B6382, 0xEA32360C3D843607, 42581
]


Table = [
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82,
    0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26,
    0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96,
    0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0,
    0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB,
    0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F,
    0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF,
    0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32,
    0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D,
    0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6,
    0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E,
    0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E,
    0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F,
    0xB0, 0x54, 0xBB, 0x16
]

v4_values = [
    1339546161, 401979842, 1084912717, 882247430, 1048050849, 1950252444,
    1188894224, 1035316485, 1004145938, 292996994, 698777994, 1572612448,
    187344395, 1998928827, 490869405, 1976471722, 861192779, 1683160727,
    1968082326, 1836887756, 1806801098, 176220730, 2616407, 375557835,
    1798606494, 1079742625, 657352025, 1384338308, 1249182411, 600742620,
    1626386373, 441244924, 1002722462, 563815442, 1323492354, 2050773311,
    366584239, 364902931, 938606148, 1370730177, 657899925, 1637384142
]
# print(len(v4_values))
s2 = bytearray(b for value in str2 for b in value.to_bytes(8, byteorder="little") if b != 0)
#print(s2)

# Pair each ciphertext byte with the rand() value for its own position.
# s2.index(val) returns the first occurrence, and 0xee and 0x36 each appear twice in s2.
for idx, val in enumerate(s2):
    rand_v4 = v4_values[idx % len(v4_values)]
    decoded_char = next(
        (chr(chr_val) for chr_val in range(129)
         if Table[(16 * ((chr_val + rand_v4 % 255) >> 4) + 0xF) &
                  (chr_val + rand_v4 % 255) % len(Table)] == val),
        None
    )
    if decoded_char:
        print(decoded_char, end="")
#flag{B8452786-DD8E-412C-E355-2B6F27DAB5F9}

flag flag{B8452786-DD8E-f12C-E355-2B6F27DA25F9}
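Why the Linux versus Windows note in this section matters, as an added example that is not part of the original write-up: a pure-Python model of glibc's rand() and of the Microsoft C runtime's rand(), so the stream hard-coded as v4_values can be regenerated on any OS. The function names are assumptions of this example; the constants are the published parameters of the two generators.

```python
PAGE_SEED = 0x5377654E  # seed passed to srand() in the write-up

def glibc_rand(seed, count):
    """First `count` rand() outputs after srand(seed) on glibc (additive feedback, TYPE_3)."""
    seed &= 0xFFFFFFFF
    word = seed - (1 << 32) if seed & 0x80000000 else seed  # glibc keeps the seed as int32_t
    r = [word or 1]                                          # seed 0 is replaced by 1
    for _ in range(30):                                      # r[1..30]: LCG modulo 2**31 - 1
        r.append((16807 * r[-1]) % 2147483647)
    r += r[0:3]                                              # r[31..33] repeat r[0..2]
    out = []
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
        if i >= 344:                                         # the first 310 sums are discarded
            out.append(r[i] >> 1)
    return out

def msvcrt_rand(seed, count):
    """First `count` rand() outputs after srand(seed) with the Microsoft CRT 15-bit LCG."""
    state, out = seed & 0xFFFFFFFF, []
    for _ in range(count):
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        out.append((state >> 16) & 0x7FFF)
    return out

def keystream(rand_fn, seed=PAGE_SEED, n=42):
    """Per-byte offsets (rand() % 255) that the solver subtracts from the table index."""
    return [v % 255 for v in rand_fn(seed, n)]

if __name__ == "__main__":
    print("glibc :", glibc_rand(PAGE_SEED, 3))
    print("msvcrt:", msvcrt_rand(PAGE_SEED, 3))
    print("offsets differ:", keystream(glibc_rand) != keystream(msvcrt_rand))
```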

AndroDbgMe

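Debugging with JEB makes the flag pop up.

flag flag{Let_1t_run_@t_f1rs7_m@ybe_th3_b3st}

Official solution:

  • Topic: dynamic debugging at the Java layer

  • flag: flag{Let_1t_run_@t_f1rs7_m@ybe_th3_b3st}

  • Solution steps

Debugging this challenge is enough to get the flag.

To debug the APK process, AndroidManifest.xml needs to set

android:debuggable="true"

Use apktool to unpack the APK and modify the manifest.

After repacking, sign it.

First align the file:

zipalign -p -f -v 4 input.apk output_unsigned.apk

Then add the signature; abc.keystore is a signing file I generated with Android Studio.

You can also generate one yourself with other tools; that is not covered here.

Implementing APK decompilation, repacking, and signing with apktool_apktool decompilation still garbled - CSDN blog

apksigner sign --ks abc.keystore output_unsigned.apk

Install it on the phone and start it in debug mode:

adb shell am start -D -n com.chick.androdbgme/.MainActivity

Attach with JEB to get the flag.

More updates coming!!!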


https://huajien.gitee.io/2023/4576fe2d/
Author: HUAJI
Published: October 1, 2023