chapter2--How to analyze Android program (i)

I bought the book "Android software Security and reverse analysis" a few days ago and decided to take some notes here.

The first chapter describes how to set up the environment, omitted here, and chapter two begins to analyze the Android program.

The following records key content sequentially.

--------------------------------------

2.1. Write an apk that needs to fill in the registration code

To crack the existing "pilot", the author wrote an app called Crackme02,

The main codes are:

Off-topic, introduce the hash:

Hash, the general translation to do "hash", there is a direct transliteration of "hash", is the arbitrary length of the input (also known as pre-mapping, pre-image), through the hash algorithm, transformed into a fixed-length output, the output is the hash value. This conversion is a compression map, that is, the space of the hash value is usually much smaller than the input space, the different inputs may be hashed to the same output, but not from the hash value to uniquely determine the input value.
and MD5 can be said to be the most widely used hash algorithm at present.

The above code uses the MD5 algorithm to calculate the hash of the user name string, converts the computed result into a 32-bit 16-digit string, and then takes the odd bits of the string back into the new string, which becomes the registration code. Then there is a judgment statement.

Next he wrote a simple interface that asked for a username and registration code, and then clicked the Register button.

2.2 Cracking the first program

Crack the program written in 2.1. The author uses apktool to decompile the APK, get the disassembly code in the Smali format, and the resources in the Res folder.

The breach is an error in the Strings.xml in the previously written program.

Open Strings.xml and navigate to this line:

<string name = "unsucceeded" > Invalid user name or registration code </string>

Strings.xml all string resources are marked in the string class of the "Gen/<package Name>/r.java" file,

Each string has a unique index value of type int. After Apktool is deserialized, all index values are stored in Public.xml in the directory with the same name as the Strings.xml file, such as:

(Note that the app_name of the two graphs are not the same application, so they are different.) Because only after the Apktool decompile will produce the res/public.xml, but not the Gen R.java. I did not intentionally decompile the application, but found an anti-compiled apk. )

The author found the unsucceeded corresponding ID in Public.xml:

<public type= "string" name= "unsucceeded" id= "0x7f070024"/>

Then search the Smali directory for files containing content 0x7f070024, and find only mainactivity$1.smali files in one place. Open this file, the code a lot,

Find the key section:

Invoke-static {v0,v1,v2},lcom/droider/crackme0201/mainactivity;->access$2.....; ljava/lang/string;) Z #检测注册码是否合法move-result V0if-nez v0,: Cond_0 #如果结果不为0, jump to Cond_0: .... cond_0 ....

Saves a Boolean value to V0 and jumps to cond_0 if the condition is true, otherwise it is executed sequentially.

Obviously, it is possible to turn the If-nez into a if-eqz .

Then use the Apktool B command to recompile the package into APK.

Next, use Signapk.jar to sign the APK signapk is a signature tool in the source code. Can use the Android source code in the signature file Testkey.pk8,testkay.x509.pem as a signature file. Specific signature steps are not introduced, in the book of 26 pages.

Then the installation. He used the ADB install signed.apk to put this into the AVD. Then just enter anything in the registration code.

----------

The important point of this article is:

Navigate to unsucceeded through the text in the Strings.xml,

Then find its ID in the Public.xml,

Then find the corresponding Smali file in the Smali file

These three steps.

Almost like this: http://bbs.pediy.com/showthread.php?t=153295