apk破解心得

最近搞了几个apk的破解，主要是对smali代码的修改，看上去挺简单的，但是实际动手，却不是那么回事了。

　　一开始是寻找关键位置，当然是采用加Log的办法了，加入以下Log：　

?

1

2

const-string v0, "SMS"

invoke-static {v0, v1}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I

开启DDMS查看，可是没有发现任何带有“SMS”标识的信息，以为没有执行到位，在mainActivity的onCreate中添加后仍然没有，奇怪了。于是乎，换了种方式，直接加入如下代码：　　

?

1

2

3

4

5

6

7

//注意makeText的第一个参数是Context类型的。

const-string v0, "SMS Bindi"

const/4 v2,0x1

iget-object v1, p0, Lcom/chinamworld/mobile_bank/i;->a:Lcom/chinamworld/mobile_bank/BTCSMSBindDeviceActivity;

invoke-static {v1, v0, v2}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;

move-result-object v0

invoke-virtual {v0}, Landroid/widget/Toast;->show()V

加入后程序启动不起来了，查看logcat时发现context不对，原来我把makeText的第一个参数整错了，修改后重打包运行一切OK，成功的找到关键位置 。

　　后来需要加入一段调用startActivity的代码：　　

?

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

//在Lcom/newtime/KC2011的changeListener方法（即Lcom/newtime/KC2011$changeListener文件）中调用startActivity<br>

//在Lcom/newtime/KC2011中声明：

.fieldprotected mContext:Landroid/content/Context;

 

//在本文件中声明

.fieldfinal syntheticthis$0:Lcom/newtime/KC2011;

 

 

    new-instance v0, Landroid/content/Intent;

 

    invoke-direct {v0}, Landroid/content/Intent;-><init>()V

 

    .line300

    .local v0, intent:Landroid/content/Intent;

    iget-object v2, p0, Lcom/newtime/KC2011$changeListener;->this$0:Lcom/newtime/KC2011;

 

    iget-object v2, v2, Lcom/newtime/KC2011;->mContext:Landroid/content/Context;

 

    const-class v3, Lcom/newtime/service/KcLoginActivity;

 

    invoke-virtual {v0, v2, v3}, Landroid/content/Intent;->setClass(Landroid/content/Context;Ljava/lang/Class;)Landroid/content/Intent;

 

    .line301

    iget-object v2, p0, Lcom/newtime/KC2011$changeListener;->this$0:Lcom/newtime/KC2011;

 

    iget-object v2, v2, Lcom/newtime/KC2011;->mContext:Landroid/content/Context;

 

    invoke-virtual {v2, v0}, Landroid/content/Context;->startActivity(Landroid/content/Intent;)V

　　发现程序又崩溃了，logcat提示不能访问Lcom/newtime/KC2011的mContext，原来是在Lcom/newtime/KC2011中把mContext声明为private了，改成如下之后一切运行正常：　　

?

.fieldprotected mContext:Landroid/content/Context;

　　另外如果在重打包时出现如下错误：　　

[682,1] The register number must be less than v16

[684,4] All register args must fit in 4 bits

Exception in thread "main" brut.androlib.AndrolibException: Could not smali file: C:\Users\Tim\Desktop\ABC_Android_V1.1.0\smali\com\android\bankabc\FormAction.smali    at brut.androlib.src.DexFileBuilder.addSmaliFile(DexFileBuilder.java:45)    at brut.androlib.src.DexFileBuilder.addSmaliFile(DexFileBuilder.java:33)    at brut.androlib.src.SmaliBuilder.buildFile(SmaliBuilder.java:66)    at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:50)    at brut.androlib.src.SmaliBuilder.build(SmaliBuilder.java:37)    at brut.androlib.Androlib.buildSourcesSmali(Androlib.java:257)    at brut.androlib.Androlib.buildSources(Androlib.java:214)    at brut.androlib.Androlib.build(Androlib.java:205)    at brut.androlib.Androlib.build(Androlib.java:176)    at brut.apktool.Main.cmdBuild(Main.java:228)    at brut.apktool.Main.main(Main.java:79)->编译完成！

则是因为很多指令不能够使用大于15的寄存器，故应该加上“move-object/from16 v1, px”语句进行转换。　　

px registers are after vx ones, so if you have for example 17 vx registers, then p0 is v17. Most of instructions can't use registers above v15, so you have to move values to "lower" registers to use them.

 补充：

　　后来通过加入类似如下的log，终于正常监控到log输出了：　　

const-string v1, "sms"const-string v4, "send a message"invoke-static {v1, v4}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I