AliCrackme_2
Author: Fly2015
First, use the Android decompiler JEB to analyze the Java-layer code of alicrackme_2.apk.
The securityCheck function that validates the user's registration code is found quickly, and it is implemented in the native layer. Next we go into the program's .so library to find the native implementation of the function.
The native securityCheck function is not registered dynamically through JNI_OnLoad, so we are lucky: its implementation can be found directly by its exported name, Java_com_yaotong_crackme_MainActivity_securityCheck. The analysis is as follows:
Static analysis of the native code shows that _lpSaveBuffer = off_628C points to the correct registration code string. Therefore, to obtain the registration code of this apk we must debug it dynamically; reading the string that _lpSaveBuffer points to is enough to crack the apk.
Dynamic debugging of the application is not straightforward: Android apps commonly perform anti-debugging in the JNI_OnLoad function to prevent their code from being debugged. After several rounds of dynamic debugging experiments, it turns out that this application calls pthread_create to start a thread that carries out the anti-debugging check. As a result, simply placing a breakpoint on Java_com_yaotong_crackme_MainActivity_securityCheck does not work directly.
Therefore the app's code is patched to defeat its anti-debugging: locate the ARM assembly instruction BLX R7 at address A8CE9C58 in memory, then change BLX R7 to MOV R0, R0, which effectively NOPs out the BLX R7 instruction.
For converting between ARM assembly instructions and machine code, the following tool is used. Note that the tool must be placed on the desktop before it works normally.
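The tool referred to above is an image that is not reproduced here. As an added example (not part of the original write-up), the following Python encodes and decodes the two 16-bit Thumb instructions involved in the patch, BLX R7 and MOV R0, R0, and applies the same replacement to a constructed byte buffer that stands in for the code at the patch site; the buffer contents and helper names are assumptions, and neither the real address A8CE9C58 nor the app's .so is used.

```python
import struct

def encode_blx_reg(rm: int) -> int:
    """Thumb-16 BLX Rm (encoding T1): 0100 0111 1 Rm[3:0] 000."""
    if not 0 <= rm <= 14:
        raise ValueError("BLX Rm takes R0-R14")
    return 0x4780 | (rm << 3)

def encode_mov_reg(rd: int, rm: int) -> int:
    """Thumb-16 MOV Rd, Rm (encoding T1): 0100 0110 D Rm[3:0] Rd[2:0], D = Rd[3]."""
    if not (0 <= rd <= 15 and 0 <= rm <= 15):
        raise ValueError("registers must be R0-R15")
    return 0x4600 | ((rd >> 3) << 7) | (rm << 3) | (rd & 7)

def decode(halfword: int) -> str:
    """Disassemble only the 16-bit Thumb forms this patch involves."""
    if halfword & 0xFF87 == 0x4780:                 # BLX Rm
        return f"BLX R{(halfword >> 3) & 0xF}"
    if halfword & 0xFF00 == 0x4600:                 # MOV Rd, Rm (high-register form)
        rd = (((halfword >> 7) & 1) << 3) | (halfword & 7)
        return f"MOV R{rd}, R{(halfword >> 3) & 0xF}"
    return "unknown"

def nop_out_blx(code: bytearray, offset: int) -> str:
    """Overwrite the Thumb BLX Rm at `offset` with MOV R0, R0 (a NOP), in place.
    Refuses anything that is not a BLX Rm, so a wrong offset cannot silently
    corrupt a neighbouring instruction. Returns the disassembly after patching."""
    (insn,) = struct.unpack_from("<H", code, offset)  # code is stored little-endian
    found = decode(insn)
    if not found.startswith("BLX R"):
        raise ValueError(f"expected BLX Rm at offset {offset:#x}, found {found}")
    struct.pack_into("<H", code, offset, encode_mov_reg(0, 0))
    return decode(struct.unpack_from("<H", code, offset)[0])

# Constructed stand-in for the bytes around the call site (not the real .so):
# MOV R8, R8 (46C0, the canonical Thumb NOP), BLX R7 (47B8), MOV R8, R8 (46C0),
# each halfword written little-endian as it sits in memory.
SAMPLE_CODE = bytes.fromhex("c046 b847 c046")

if __name__ == "__main__":
    print(f"{encode_blx_reg(7):04X} -> {decode(encode_blx_reg(7))}")      # 47B8 -> BLX R7
    buf = bytearray(SAMPLE_CODE)
    print("before:", buf.hex(), "| after:", end=" ")
    print(nop_out_blx(buf, 2), buf.hex())                                 # MOV R0, R0 c0460046c046
```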
With the anti-debugging obstacle cleared, the next step is to set a breakpoint on Java_com_yaotong_crackme_MainActivity_securityCheck and get straight to the point.
On the password input page, enter any string as the password; this calls Java_com_yaotong_crackme_MainActivity_securityCheck.
The program breaks in Java_com_yaotong_crackme_MainActivity_securityCheck. Inside this function, find the assembly instruction LDR R2, [R1, R7] that corresponds to _lpSaveBuffer = off_628C. With a breakpoint on the instruction immediately after LDR R2, [R1, R7], R2 holds the pointer to the password string, A8CEC450. Synchronizing the memory view with the value of R2 shows the strings aiyou and bucuoo at address A8CEC450. Obviously, aiyou and bucuoo are the passwords we are after.
AliCrackme_2 analysis documentation and apk: http://download.csdn.net/detail/qq1084283172/8897059
Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.