Android Reversing Engineering II
Source: Internet   Editor: 程序博客网   Time: 2024/05/19 12:28
Next I will follow the content of the book at http://book.douban.com/subject/20556210/ and quickly walk through the whole process. My thanks to the book's author, 非虫.
First, following Chapter 2 of the book, I built a simple serial-number verification app with Android Studio (code at http://www.ituring.com.cn/book/1131), then used apktool to unpack the new app and decompile it into smali disassembly.
Goal: "Read the smali code to understand how the program runs, find the program's weak point and modify it, then use apktool to rebuild the apk, sign it, and run it to test. Repeat until the program is successfully cracked." The tools from the previous blog post can assist with the analysis along the way.
Walkthrough
The book says: "For a typical app, the error message is usually the signpost that points to the key code. The code near the error message is generally the program's core verification code; the analyst needs to read this code to understand the software's registration flow." And: "Error messages are string resources in an Android program. They may come from 1. strings.xml under res\values, or 2. the Java code. When the app is packaged, the strings are encrypted and stored in the resources.arsc file inside the apk."
In the strings.xml of the test app we wrote, the following strings are defined:
Every string resource is uniquely identified (by an int index) in the string class of "gen/<packagename>/R.java". At packaging time these indices are saved to public.xml, in the same directory as strings.xml.
There we find the strings we defined in the app: the error message is "unsuccessed", with id 0x7f0a0015.
After searching through the many smali files, I finally found it in MainActivity$1.smali.
# virtual methods
.method public onClick(Landroid/view/View;)V
    .locals 4
    .param p1, "v"    # Landroid/view/View;

    .prologue
    const/4 v3, 0x0

    .line 35
    iget-object v0, p0, Lcom/example/hao/testapkinspector/MainActivity$1;->this$0:Lcom/example/hao/testapkinspector/MainActivity;
    iget-object v1, p0, Lcom/example/hao/testapkinspector/MainActivity$1;->this$0:Lcom/example/hao/testapkinspector/MainActivity;

    # getter for: Lcom/example/hao/testapkinspector/MainActivity;->edit_userName:Landroid/widget/EditText;
    invoke-static {v1}, Lcom/example/hao/testapkinspector/MainActivity;->access$000(Lcom/example/hao/testapkinspector/MainActivity;)Landroid/widget/EditText;
    move-result-object v1
    invoke-virtual {v1}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
    move-result-object v1
    invoke-virtual {v1}, Ljava/lang/Object;->toString()Ljava/lang/String;
    move-result-object v1
    invoke-virtual {v1}, Ljava/lang/String;->trim()Ljava/lang/String;
    move-result-object v1

    iget-object v2, p0, Lcom/example/hao/testapkinspector/MainActivity$1;->this$0:Lcom/example/hao/testapkinspector/MainActivity;

    .line 36
    # getter for: Lcom/example/hao/testapkinspector/MainActivity;->edit_sn:Landroid/widget/EditText;
    invoke-static {v2}, Lcom/example/hao/testapkinspector/MainActivity;->access$100(Lcom/example/hao/testapkinspector/MainActivity;)Landroid/widget/EditText;
    move-result-object v2
    invoke-virtual {v2}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
    move-result-object v2
    invoke-virtual {v2}, Ljava/lang/Object;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-virtual {v2}, Ljava/lang/String;->trim()Ljava/lang/String;
    move-result-object v2

    .line 35
    # invokes: Lcom/example/hao/testapkinspector/MainActivity;->checkSN(Ljava/lang/String;Ljava/lang/String;)Z
    # call the checkSN method
    invoke-static {v0, v1, v2}, Lcom/example/hao/testapkinspector/MainActivity;->access$200(Lcom/example/hao/testapkinspector/MainActivity;Ljava/lang/String;Ljava/lang/String;)Z    # check whether the serial number is valid
    move-result v0    # the result is stored in register v0

    if-nez v0, :cond_0    # if non-zero, jump to :cond_0

    .line 37
    iget-object v0, p0, Lcom/example/hao/testapkinspector/MainActivity$1;->this$0:Lcom/example/hao/testapkinspector/MainActivity;
    const v1, 0x7f0a0015    # the id of "unsuccessed" is right here
    invoke-static {v0, v1, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;II)Landroid/widget/Toast;
    move-result-object v0
    invoke-virtual {v0}, Landroid/widget/Toast;->show()V

    .line 44
    :goto_0
    return-void

    .line 39
    :cond_0    # the jump lands here
    iget-object v0, p0, Lcom/example/hao/testapkinspector/MainActivity$1;->this$0:Lcom/example/hao/testapkinspector/MainActivity;
    const v1, 0x7f0a0013    # the id of "successed"
    invoke-static {v0, v1, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;II)Landroid/widget/Toast;
    move-result-object v0

    .line 40
    invoke-virtual {v0}, Landroid/widget/Toast;->show()V

    .line 41
    iget-object v0, p0, Lcom/example/hao/testapkinspector/MainActivity$1;->this$0:Lcom/example/hao/testapkinspector/MainActivity;
    # getter for: Lcom/example/hao/testapkinspector/MainActivity;->btn_register:Landroid/widget/Button;
    invoke-static {v0}, Lcom/example/hao/testapkinspector/MainActivity;->access$300(Lcom/example/hao/testapkinspector/MainActivity;)Landroid/widget/Button;
    move-result-object v0
    invoke-virtual {v0, v3}, Landroid/widget/Button;->setEnabled(Z)V    # disable the register button

    .line 42
    iget-object v0, p0, Lcom/example/hao/testapkinspector/MainActivity$1;->this$0:Lcom/example/hao/testapkinspector/MainActivity;
    const v1, 0x7f0a0012    # the "registered" string
    invoke-virtual {v0, v1}, Lcom/example/hao/testapkinspector/MainActivity;->setTitle(I)V

    goto :goto_0
.end method
Compare this with the Java source:
public void onClick(View v) {
    if (!checkSN(edit_userName.getText().toString().trim(),
                 edit_sn.getText().toString().trim())) {
        Toast.makeText(MainActivity.this, R.string.unsuccessed, Toast.LENGTH_SHORT).show(); // pop
    } else {
        Toast.makeText(MainActivity.this, R.string.successed, Toast.LENGTH_SHORT).show();
        btn_register.setEnabled(false);
        setTitle(R.string.registered);
    }
}
From the above, the branch instruction if-nez v0, :cond_0 is the cracking point. Similar branch instructions include if-eqz, if-gez, if-lez and so on; they look very much like assembly language.
Now replace if-nez with if-eqz and save.
Use apktool to repackage the modified smali files:
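To make the "error string as signpost" step repeatable, here is an added Python helper (my own, not code from the book or from this blog): it resolves a string name to its id from public.xml, then lists every smali `const` that loads that id together with the nearest preceding conditional branch, which is exactly the if-nez found by hand above. The public.xml snippet and the smali excerpt are constructed samples built from the values quoted on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed public.xml sample; the string ids are the ones quoted on this page.
PUBLIC_XML = """<resources>
    <public type="string" name="registered" id="0x7f0a0012" />
    <public type="string" name="successed" id="0x7f0a0013" />
    <public type="string" name="unsuccessed" id="0x7f0a0015" />
</resources>"""

# Constructed MainActivity$1.smali excerpt, reduced to the instructions that matter here.
SMALI = """.method public onClick(Landroid/view/View;)V
    invoke-static {v0, v1, v2}, Lcom/example/hao/testapkinspector/MainActivity;->access$200(Lcom/example/hao/testapkinspector/MainActivity;Ljava/lang/String;Ljava/lang/String;)Z
    move-result v0
    if-nez v0, :cond_0
    iget-object v0, p0, Lcom/example/hao/testapkinspector/MainActivity$1;->this$0:Lcom/example/hao/testapkinspector/MainActivity;
    const v1, 0x7f0a0015
    invoke-static {v0, v1, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;II)Landroid/widget/Toast;
    :cond_0
    const v1, 0x7f0a0013
.end method"""

# Dalvik conditional branches (two-register and compare-with-zero forms).
BRANCH_RE = re.compile(r"^\s*(if-(?:eqz|nez|ltz|gez|gtz|lez|eq|ne|lt|ge|gt|le))\s")
# const, const/4, const/16, const/high16 loading an integer literal into a register.
CONST_RE = re.compile(r"^\s*const(?:/\w+)?\s+[vp]\d+,\s*(0x[0-9a-fA-F]+)")

def resource_ids(public_xml, rtype="string"):
    """Map resource name -> integer id for one resource type, read from public.xml."""
    root = ET.fromstring(public_xml)
    return {e.get("name"): int(e.get("id"), 16)
            for e in root.iter("public") if e.get("type") == rtype}

def find_references(smali, res_id):
    """Return (line_no, method, nearest_preceding_branch) for every const that loads res_id."""
    hits, method, last_branch = [], None, None
    for n, line in enumerate(smali.splitlines(), 1):
        if line.startswith(".method"):
            method, last_branch = line.split()[-1], None   # new method: reset branch context
        if BRANCH_RE.match(line):
            last_branch = (n, line.strip())
        m = CONST_RE.match(line)
        if m and int(m.group(1), 16) == res_id:
            hits.append((n, method, last_branch))
    return hits

def locate(public_xml, smali, name):
    """Resolve a string name and report where the smali references it."""
    return find_references(smali, resource_ids(public_xml)[name])
```

Run over a real apktool output tree, the same functions can be fed each .smali file under smali/ in turn; an empty result for a name means the string is only built at runtime or referenced through another resource.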
apktool b
The newly generated apk is then sitting in the dist directory under the current directory. But if you install and test it right away, the installation fails: the rebuilt apk is unsigned and needs to be signed with signapk.jar first.