[原创]第一题,AliCrackme_1.apk破解思路
发表于: 2015-1-26 11:02 2673
1、将AliCrackme_1.apk的扩展名改为zip,解压后得到classes.dex文件。
2、用dex2jar将classes.dex转换为classes_dex2jar.jar文件,例如:dex2jar classes.dex
3、用winrar解压classes_dex2jar.jar,得到包内的MainActivity.class文件。
4、用DJ.Java.Decompiler反编译,得到MainActivity.java文件。
5、分析MainActivity.java中的aliCodeToBytes和bytesToAliSmsCode可知:bytesToAliSmsCode是参与加密的函数(按输入字节的值到密码表中取字符),aliCodeToBytes为解密函数(在密码表中反查字符的下标)。密码表和未解密密码都从logo.png的固定偏移处读取(见下方代码)。
6、在eclipse中重写这段代码,aliCodeToBytes函数的执行结果即为最终答案。
代码如下:
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
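/**
 * Offline solver for the AliCrackme_1 challenge: recovers the expected password from the
 * lookup table and the encoded password stored at fixed offsets inside {@code logo.png}.
 *
 * <p>The encoding is a plain table substitution. {@link #bytesToAliSmsCode} maps every input
 * byte to the table character at that index, and {@code aliCodeToBytes} reverses the mapping
 * by searching the table. The table and the encoded password are read from the same file, so
 * the scheme only obscures the password; anyone holding the file can invert it.
 */
public class MainClasses {
    /** Path of the logo.png that holds the table and the encoded password. */
    public static String sourceFile = "D:\\Person\\Java\\workspace\\UFO-1\\bin\\logo.png";

    /** File offset and byte length of the encoded password inside logo.png. */
    private static final int PWD_OFFSET = 0x16481;
    private static final int PWD_LENGTH = 18;

    /**
     * File offset and byte length of the lookup table inside logo.png
     * (768 bytes, presumably 256 three-byte UTF-8 characters; confirm against the file).
     */
    private static final int TABLE_OFFSET = 0x15d81;
    private static final int TABLE_LENGTH = 768;

    /**
     * Decodes the password stored in logo.png and prints it to standard output.
     *
     * @param args optional; when present, {@code args[0]} replaces {@link #sourceFile}
     */
    public static void main(String[] args) {
        if (args.length > 0) {
            sourceFile = args[0];
        }
        try {
            String table = getTableFromPic();
            String encoded = getPwdFromPic();
            byte[] plain = aliCodeToBytes(table, encoded);
            String password = new String(plain, "utf-8");
            System.out.println(password); // the correct password, i.e. 581026

            // Round trip: re-encoding the recovered password must give back the encoded
            // form; a mismatch means a symbol was missing from the table or the file
            // was not read correctly.
            String reencoded = bytesToAliSmsCode(table, password.getBytes("utf-8"));
            if (!reencoded.equals(encoded)) {
                System.err.println("round-trip check failed: re-encoded password differs from the stored one");
            }
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
    }

    /**
     * Reads the still-encoded password from logo.png.
     *
     * @return the 18 bytes at offset 0x16481 decoded as UTF-8, or an empty string when the
     *     file is missing, unreadable or too short
     */
    public static String getPwdFromPic() {
        try {
            return new String(readSlice(PWD_OFFSET, PWD_LENGTH), "utf-8");
        } catch (IOException e) {
            e.printStackTrace();
            return "";
        }
    }

    /**
     * Reads the substitution table from logo.png.
     *
     * @return the 768 bytes at offset 0x15d81 decoded as UTF-8, or an empty string when the
     *     file is missing, unreadable or too short
     */
    public static String getTableFromPic() {
        try {
            return new String(readSlice(TABLE_OFFSET, TABLE_LENGTH), "utf-8");
        } catch (IOException e) {
            e.printStackTrace();
            return "";
        }
    }

    /**
     * Encodes bytes with the table: each byte, taken as an unsigned value, selects one
     * character of {@code s}. Applied to the typed password this yields the encoded form
     * that is compared with the value returned by {@link #getPwdFromPic()}.
     *
     * @param s the lookup table
     * @param abyte0 the bytes to encode
     * @return one table character per input byte
     * @throws StringIndexOutOfBoundsException if a byte value is not a valid index into {@code s}
     */
    public static String bytesToAliSmsCode(String s, byte abyte0[]) {
        StringBuilder encoded = new StringBuilder(abyte0.length);
        for (byte value : abyte0) {
            encoded.append(s.charAt(0xff & value));
        }
        return encoded.toString();
    }

    /**
     * Decodes an encoded password by looking up the table index of each of its characters.
     *
     * <p>A character that is absent from the table makes {@code indexOf} return -1, which the
     * cast stores as the byte 0xFF; indexes above 255 are truncated by the same cast.
     *
     * @param s the lookup table
     * @param s1 the encoded password, as returned by {@link #getPwdFromPic()}
     * @return one byte per character of {@code s1}
     */
    private static byte[] aliCodeToBytes(String s, String s1) {
        byte[] decoded = new byte[s1.length()];
        for (int pos = 0; pos < decoded.length; pos++) {
            decoded[pos] = (byte) s.indexOf(s1.charAt(pos));
        }
        return decoded;
    }

    /**
     * Reads exactly {@code length} bytes starting at {@code offset} of {@link #sourceFile}.
     * The stream is always closed, and short reads are retried instead of trusting a single
     * {@code available()}/{@code read()} pair to deliver the whole file.
     *
     * @throws IOException if the file cannot be opened or ends before the slice is complete
     */
    private static byte[] readSlice(int offset, int length) throws IOException {
        try (InputStream in = new BufferedInputStream(new FileInputStream(sourceFile))) {
            long remaining = offset;
            while (remaining > 0) {
                long skipped = in.skip(remaining);
                if (skipped > 0) {
                    remaining -= skipped;
                } else if (in.read() >= 0) {
                    // skip() made no progress; advance by one byte through read() instead
                    remaining--;
                } else {
                    throw new IOException("unexpected end of file: " + sourceFile);
                }
            }
            byte[] slice = new byte[length];
            int filled = 0;
            while (filled < length) {
                int count = in.read(slice, filled, length - filled);
                if (count < 0) {
                    throw new IOException("unexpected end of file: " + sourceFile);
                }
                filled += count;
            }
            return slice;
        }
    }
}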
2、用dex2jar将classes.dex转换为classes_dex2jar.jar文件,例如:dex2jar classes.dex
3、用winrar解压classes_dex2jar.jar,得到包内的MainActivity.class文件。
4、用DJ.Java.Decompiler反编译,得到MainActivity.java文件。
5、分析MainActivity.java中的aliCodeToBytes和bytesToAliSmsCode可知:bytesToAliSmsCode是参与加密的函数(按输入字节的值到密码表中取字符),aliCodeToBytes为解密函数(在密码表中反查字符的下标)。密码表和未解密密码都从logo.png的固定偏移处读取(见下方代码)。
6、在eclipse中重写这段代码,aliCodeToBytes函数的执行结果即为最终答案。
代码如下:
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
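/**
 * Offline solver for the AliCrackme_1 challenge: recovers the expected password from the
 * lookup table and the encoded password stored at fixed offsets inside {@code logo.png}.
 *
 * <p>The encoding is a plain table substitution. {@link #bytesToAliSmsCode} maps every input
 * byte to the table character at that index, and {@code aliCodeToBytes} reverses the mapping
 * by searching the table. The table and the encoded password are read from the same file, so
 * the scheme only obscures the password; anyone holding the file can invert it.
 */
public class MainClasses {
    /** Path of the logo.png that holds the table and the encoded password. */
    public static String sourceFile = "D:\\Person\\Java\\workspace\\UFO-1\\bin\\logo.png";

    /** File offset and byte length of the encoded password inside logo.png. */
    private static final int PWD_OFFSET = 0x16481;
    private static final int PWD_LENGTH = 18;

    /**
     * File offset and byte length of the lookup table inside logo.png
     * (768 bytes, presumably 256 three-byte UTF-8 characters; confirm against the file).
     */
    private static final int TABLE_OFFSET = 0x15d81;
    private static final int TABLE_LENGTH = 768;

    /**
     * Decodes the password stored in logo.png and prints it to standard output.
     *
     * @param args optional; when present, {@code args[0]} replaces {@link #sourceFile}
     */
    public static void main(String[] args) {
        if (args.length > 0) {
            sourceFile = args[0];
        }
        try {
            String table = getTableFromPic();
            String encoded = getPwdFromPic();
            byte[] plain = aliCodeToBytes(table, encoded);
            String password = new String(plain, "utf-8");
            System.out.println(password); // the correct password, i.e. 581026

            // Round trip: re-encoding the recovered password must give back the encoded
            // form; a mismatch means a symbol was missing from the table or the file
            // was not read correctly.
            String reencoded = bytesToAliSmsCode(table, password.getBytes("utf-8"));
            if (!reencoded.equals(encoded)) {
                System.err.println("round-trip check failed: re-encoded password differs from the stored one");
            }
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
    }

    /**
     * Reads the still-encoded password from logo.png.
     *
     * @return the 18 bytes at offset 0x16481 decoded as UTF-8, or an empty string when the
     *     file is missing, unreadable or too short
     */
    public static String getPwdFromPic() {
        try {
            return new String(readSlice(PWD_OFFSET, PWD_LENGTH), "utf-8");
        } catch (IOException e) {
            e.printStackTrace();
            return "";
        }
    }

    /**
     * Reads the substitution table from logo.png.
     *
     * @return the 768 bytes at offset 0x15d81 decoded as UTF-8, or an empty string when the
     *     file is missing, unreadable or too short
     */
    public static String getTableFromPic() {
        try {
            return new String(readSlice(TABLE_OFFSET, TABLE_LENGTH), "utf-8");
        } catch (IOException e) {
            e.printStackTrace();
            return "";
        }
    }

    /**
     * Encodes bytes with the table: each byte, taken as an unsigned value, selects one
     * character of {@code s}. Applied to the typed password this yields the encoded form
     * that is compared with the value returned by {@link #getPwdFromPic()}.
     *
     * @param s the lookup table
     * @param abyte0 the bytes to encode
     * @return one table character per input byte
     * @throws StringIndexOutOfBoundsException if a byte value is not a valid index into {@code s}
     */
    public static String bytesToAliSmsCode(String s, byte abyte0[]) {
        StringBuilder encoded = new StringBuilder(abyte0.length);
        for (byte value : abyte0) {
            encoded.append(s.charAt(0xff & value));
        }
        return encoded.toString();
    }

    /**
     * Decodes an encoded password by looking up the table index of each of its characters.
     *
     * <p>A character that is absent from the table makes {@code indexOf} return -1, which the
     * cast stores as the byte 0xFF; indexes above 255 are truncated by the same cast.
     *
     * @param s the lookup table
     * @param s1 the encoded password, as returned by {@link #getPwdFromPic()}
     * @return one byte per character of {@code s1}
     */
    private static byte[] aliCodeToBytes(String s, String s1) {
        byte[] decoded = new byte[s1.length()];
        for (int pos = 0; pos < decoded.length; pos++) {
            decoded[pos] = (byte) s.indexOf(s1.charAt(pos));
        }
        return decoded;
    }

    /**
     * Reads exactly {@code length} bytes starting at {@code offset} of {@link #sourceFile}.
     * The stream is always closed, and short reads are retried instead of trusting a single
     * {@code available()}/{@code read()} pair to deliver the whole file.
     *
     * @throws IOException if the file cannot be opened or ends before the slice is complete
     */
    private static byte[] readSlice(int offset, int length) throws IOException {
        try (InputStream in = new BufferedInputStream(new FileInputStream(sourceFile))) {
            long remaining = offset;
            while (remaining > 0) {
                long skipped = in.skip(remaining);
                if (skipped > 0) {
                    remaining -= skipped;
                } else if (in.read() >= 0) {
                    // skip() made no progress; advance by one byte through read() instead
                    remaining--;
                } else {
                    throw new IOException("unexpected end of file: " + sourceFile);
                }
            }
            byte[] slice = new byte[length];
            int filled = 0;
            while (filled < length) {
                int count = in.read(slice, filled, length - filled);
                if (count < 0) {
                    throw new IOException("unexpected end of file: " + sourceFile);
                }
                filled += count;
            }
            return slice;
        }
    }
}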