反编译获得java关键代码如下:
protected void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
setContentView(2130903040);
getWindow().setBackgroundDrawableResource(2130837504);
this.inputCode = ((EditText)findViewById(2131099648));
this.btn_submit = ((Button)findViewById(2131099649));
this.btn_submit.setOnClickListener(new View.OnClickListener()
{
public void onClick(View paramAnonymousView)
{
String str = MainActivity.this.inputCode.getText().toString();
if (MainActivity.this.securityCheck(str)) //这里就是关键地方,这个函数在动态库libcrackme.so中。
{
Intent localIntent = new Intent(MainActivity.this, ResultActivity.class);
MainActivity.this.startActivity(localIntent);
return;
}
Toast.makeText(MainActivity.this.getApplicationContext(), "验证码校验失败", 0).show();
}
});
}
经过对APK文件的反编译分析,发现主要调用libcrackme.so库中的函数Java_com_yaotong_crackme_MainActivity_securityCheck,要求返回值为1,函数的代码如下
.text:000011A8 EXPORT Java_com_yaotong_crackme_MainActivity_securityCheck
.text:000011A8 Java_com_yaotong_crackme_MainActivity_securityCheck
.text:000011A8
.text:000011A8 var_20 = -0x20
.text:000011A8 var_1C = -0x1C
.text:000011A8
.text:000011A8 STMFD SP!, {R4-R7,R11,LR}
.text:000011AC SUB SP, SP, #8
.text:000011B0 MOV R5, R0
.text:000011B4 LDR R0, =(_GLOBAL_OFFSET_TABLE_ - 0x11C8)
.text:000011B8 LDR R6, =(unk_6290 - 0x5FBC)
.text:000011BC MOV R4, R2
.text:000011C0 ADD R0, PC, R0 ; _GLOBAL_OFFSET_TABLE_
.text:000011C4 ADD R0, R6, R0 ; unk_6290
.text:000011C8 LDRB R0, [R0,#(byte_6359 - 0x6290)]
.text:000011CC CMP R0, #0
.text:000011D0 BNE loc_1214
.text:000011D4 MOV R1, #2
.text:000011D8 MOV R0, #7
.text:000011DC STR R1, [SP,#0x20+var_20]
.text:000011E0 STR R0, [SP,#0x20+var_1C]
.text:000011E4 LDR R0, =(_GLOBAL_OFFSET_TABLE_ - 0x11F4)
.text:000011E8 LDR R1, =(unk_446B - 0x5FBC)
.text:000011EC ADD R0, PC, R0 ; _GLOBAL_OFFSET_TABLE_
.text:000011F0 ADD R2, R1, R0
.text:000011F4 LDR R1, =(unk_4468 - 0x5FBC)
.text:000011F8 ADD R7, R6, R0 ; unk_6290
.text:000011FC ADD R3, R1, R0 ; unk_4468
.text:00001200 ADD R0, R7, #0x74
.text:00001204 MOV R1, #8
.text:00001208 BL sub_2494
.text:0000120C MOV R0, #1
.text:00001210 STRB R0, [R7,#(byte_6359 - 0x6290)]
.text:00001214
.text:00001214 loc_1214 ; CODE XREF: Java_com_yaotong_crackme_MainActivity_securityCheck+28j
.text:00001214 LDR R0, =(_GLOBAL_OFFSET_TABLE_ - 0x1220)
.text:00001218 ADD R0, PC, R0 ; _GLOBAL_OFFSET_TABLE_
.text:0000121C ADD R0, R6, R0
.text:00001220 LDRB R0, [R0,#0xCA]
.text:00001224 CMP R0, #0
.text:00001228 BNE loc_126C
.text:0000122C MOV R1, #3
.text:00001230 MOV R0, #0x75
.text:00001234 STR R1, [SP,#0x20+var_20]
.text:00001238 STR R0, [SP,#0x20+var_1C]
.text:0000123C LDR R0, =(_GLOBAL_OFFSET_TABLE_ - 0x124C)
.text:00001240 LDR R1, =(unk_4530 - 0x5FBC)
.text:00001244 ADD R0, PC, R0 ; _GLOBAL_OFFSET_TABLE_
.text:00001248 ADD R2, R1, R0 ; unk_4530
.text:0000124C LDR R1, =(unk_4474 - 0x5FBC)
.text:00001250 ADD R7, R6, R0
.text:00001254 ADD R3, R1, R0 ; unk_4474
.text:00001258 ADD R0, R7, #0xDC
.text:0000125C MOV R1, #0x19
.text:00001260 BL sub_24F4
.text:00001264 MOV R0, #1
.text:00001268 STRB R0, [R7,#0xCA]
.text:0000126C
.text:0000126C loc_126C ; CODE XREF: Java_com_yaotong_crackme_MainActivity_securityCheck+80j
.text:0000126C LDR R0, =(_GLOBAL_OFFSET_TABLE_ - 0x1278)
.text:00001270 ADD R7, PC, R0 ; _GLOBAL_OFFSET_TABLE_
.text:00001274 ADD R0, R6, R7
.text:00001278 ADD R1, R0, #0x74
.text:0000127C ADD R2, R0, #0xDC
.text:00001280 MOV R0, #4
.text:00001284 BL __android_log_print
.text:00001288 LDR R0, [R5]
.text:0000128C MOV R1, R4
.text:00001290 MOV R2, #0
.text:00001294 LDR R3, [R0,#0x2A4]
.text:00001298 MOV R0, R5
.text:0000129C BLX R3 ; 获得输入的字符串,将jstring类型转换为char *
.text:000012A0 LDR R1, =(off_628C - 0x5FBC)
.text:000012A4 LDR R2, [R1,R7] ; off_628C ; 获得真实的密码
.text:000012A8
.text:000012A8 loc_12A8 ; CODE XREF: Java_com_yaotong_crackme_MainActivity_securityCheck+120j
.text:000012A8 LDRB R3, [R2] ; 这里开始比较输入的内容与真实的密码,将jstring转换为char*
.text:000012A8 ; 这里改为 mov R1,R0
.text:000012AC LDRB R1, [R0] ; 这里要转到__android_log_print,将输入与真实的内容出
.text:000012AC ; 这里需要改为BL LOC_1280
.text:000012AC ; 输出的内容,输入值在TAG项,真实密码在message项
.text:000012B0 CMP R3, R1
.text:000012B4 BNE loc_12D0
.text:000012B8 ADD R2, R2, #1
.text:000012BC ADD R0, R0, #1
.text:000012C0 MOV R1, #1
.text:000012C4 CMP R3, #0
.text:000012C8 BNE loc_12A8
.text:000012CC B loc_12D4
.text:000012D0 ; ---------------------------------------------------------------------------
.text:000012D0
.text:000012D0 loc_12D0 ; CODE XREF: Java_com_yaotong_crackme_MainActivity_securityCheck+10Cj
.text:000012D0 MOV R1, #0
.text:000012D4
.text:000012D4 loc_12D4 ; CODE XREF: Java_com_yaotong_crackme_MainActivity_securityCheck+124j
.text:000012D4 MOV R0, R1
.text:000012D8 ADD SP, SP, #8
.text:000012DC LDMFD SP!, {R4-R7,R11,PC}
将12A8的代码由
12A8: 00 30 D2 E5 00 10 D0 E5
改为
12A8: 00 10 80 E2 F3 FF FF EB
修改后的关键代码如下:
.text:00001280
.text:00001280 loc_1280 ; CODE XREF: Java_com_yaotong_crackme_MainActivity_securityCheck+104j
.text:00001280 04 00 A0 E3 MOV R0, #4
.text:00001284 92 FF FF EB BL __android_log_print
.text:00001288 00 00 95 E5 LDR R0, [R5]
.text:0000128C 04 10 A0 E1 MOV R1, R4
.text:00001290 00 20 A0 E3 MOV R2, #0
.text:00001294 A4 32 90 E5 LDR R3, [R0,#0x2A4]
.text:00001298 05 00 A0 E1 MOV R0, R5
.text:0000129C 33 FF 2F E1 BLX R3
.text:000012A0 60 10 9F E5 LDR R1, =(off_628C - 0x5FBC)
.text:000012A4 07 20 91 E7 LDR R2, [R1,R7] ; off_628C
.text:000012A8
.text:000012A8 loc_12A8 ; CODE XREF: .text:000012C8j
.text:000012A8 00 10 80 E2 MOV R1, R0
.text:000012AC F3 FF FF EB BL loc_1280
提交修改的库到系统中:
D:\ platform-tools>adb push libcrackme.so /data/data/com.yaotong.crackme/lib/
100 KB/s (22416 bytes in 0.218s)
运行程序并输入密码111111调试输出的结果如下:
I 01-24 07:48:18:321 808 808 111111 aiyou.bucuoo
由此可以知道正确的密码为“
aiyou.bucuoo”.
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
