Android APK credit limit cracking example

Source: Internet
Author: User

Recently I used an online music app that has many good stories for children. However, online playback often drops out intermittently, and the app requires more than 1500 credits to download the entire page. To earn that many credits you have to manually install dozens of recommended applications, so I decided to crack it. Assuming the APK is named mytest.apk, the steps are as follows.

Step 1: Obtain the resource and smali files

1) Get apktool from http://code.google.com/p/android-apktool/ and download the following packages: apktool-1.0.0.tar.bz2 and apktool-install-windows-2.20.r01-1.zip. This gives you apktool.bat (copy in the .jar file obtained after extracting apktool-1.0.0.tar.bz2).

2) In a DOS command window, enter the folder where apktool.bat is located and run:

    D:\android\tool\apktool d C:\mytest.apk C:\out

Command format: apktool d <file to decompile> <output folder>

Pay special attention: the file to be decompiled must be placed in the root directory of drive C.

3) Open the C:\out folder to get the various resources.

Step 2: Get the Java files

Method A:

1) Change the APK file extension to .zip and extract the classes.dex file.

2) Install dex2jar, the tool that converts a dex file into a jar file: http://code.google.com/p/dex2jar/downloads/list

3) Copy classes.dex to the directory where dex2jar.bat is located.

4) Generate the jar file classes.dex.dex2jar.jar:

    dex2jar.bat classes.dex

5) Install JD-GUI, the tool that decompiles a jar into Java source: http://java.decompiler.free.fr/?q=jdgui

6) Run JD-GUI and open the jar file generated above.

7) File -> Save All Sources writes the Java source files to C:\out.

Method B (TBV):

1) Get dexdump from the out directory.

2) Run:

    adb shell dexdump -d -f -h /data/dalvik-cache/data@app@mytest.apk@classes.dex > twitpic.text

Step 3: Crack the source code

1) Find the location. Because the software requires more than 1500 points to download, open the Java files and search for 1500. The value is defined in three files: PlayActivity$12.java, Cfg.java and ScoreDialog$5.java.

PlayActivity$12.java

    final class PlayActivity$12 implements Runnable {
      public void run() {
        ...
        int i = 1500;
        int j;
        Cfg.IS_WITHAD = j;
        if (j != 0) {
          if (this.val$arg1 >= i) // It seems to be the display ad threshold control value
            break label91;
          boolean bool2 = Cfg.HIDDEN_GUANGGAO;
          label35: boolean bool3; //???
          Cfg.HIDDEN_GUANGGAO = bool3;
          Cfg.saveBool("hiddenguanggao", bool3);
        }

ScoreDialog$5.java

    final class ScoreDialog$5 implements Runnable {
      public void run() {
        Object localObject1 = null;
        int i = 17301659;
        int j = 1500; // Score
        ...
        if (localProgressDialog != null)
          if (this.val$arg1 < j) // You can guess this is the defined score; if it is not met, the dialog box is displayed
          {
            ScoreDialog localScoreDialog1 = this.this$0;

Cfg.java

    public class Cfg {
      ...
      public static final int HIDDEN_GUANGGAO_NEED_SCORE = 1500; // It seems to be the score threshold for displaying ads or not

PlayActivity$12.java

    final class PlayActivity$12 implements Runnable {
      public void run() {
        boolean bool1 = true;
        DialogInterface.OnClickListener localOnClickListener1 = null;
        int i = 1500;

HIDDEN_GUANGGAO_NEED_SCORE is not referenced in any other file, but to be on the safe side this value is changed as well.

2) Modify the smali files. Each smali file has the same name as the Java file with the suffix changed to .smali, so the corresponding smali files are easy to find.

Cfg.smali

    .field public static final HIDDEN_GUANGGAO_NEED_SCORE:I = 0x5DC    # change it to 0x0

PlayActivity$12.smali

    .method public run()V
        .locals 6
        .prologue
        const/4 v2, 0x1
        const/4 v4, 0x0
        const/16 v3, 0x5DC    # change to 0x0 here

ScoreDialog$5.smali

    .method public run()V
        .locals 10
        .prologue
        const/4 v7, 0x0
        const v5, 0x108009b    # corresponding to 17301659
        const/16 v6, 0x5DC    # change to 0x0 here

Step 4: Pack the decompiled files back into an APK file

    apktool b c:\out out_raw.apk

Step 5: Sign the generated APK

1) If the JDK is not installed, download it from the official Sun website: http://www.java.net/download/jdk6/6u10/promoted/b32/binaries/jdk-6u10-rc2-bin-b32-windows-i586-p-12_sep_2008.exe
In fact, only keytool and jarsigner are needed.

2) Prepare the signature file:

    "C:\Program Files\Java\jdk1.6.0_24\bin\keytool" -genkey -alias wendy.keystore -keyalg RSA -validity 20000 -keystore wendy.keystore

Note that the keystore password is 6 digits, for example 123456.

3) Sign:

    "C:\Program Files\Java\jdk1.6.0_24\bin\jarsigner" -verbose -keystore wendy.keystore -signedjar out.apk out_raw.apk wendy.keystore

This asks for the password from step 2) (123456). Running it generates the signed file out.apk. At this point the crack is complete.
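
The patch works because the 1500-credit comparison runs entirely inside the APK. As an added example (not from the original article or the app), the Python code below keeps the threshold and the credit balance on the server and gates the download with an HMAC-signed, expiring grant, so a modified client constant changes nothing. The ledger, the key and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

NEED_SCORE = 1500                      # threshold from the article, held server-side
SERVER_KEY = b"constructed-demo-key"   # placeholder secret; never shipped in the APK
# Constructed server-side ledger: user id -> credits the server itself recorded.
LEDGER = {"alice": 1620, "bob": 40}


def _tag(user, page_id, expires):
    msg = f"{user}|{page_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_grant(user, page_id, now=None):
    """Return a signed download grant, or None if the server-side balance is short."""
    if LEDGER.get(user, 0) < NEED_SCORE:
        return None
    expires = int(time.time() if now is None else now) + 300
    return f"{user}|{page_id}|{expires}|{_tag(user, page_id, expires)}"


def verify_grant(grant, page_id, now=None):
    """Run by the file server before it streams the page's files."""
    try:
        user, granted_page, expires, tag = grant.split("|")
        expires = int(expires)
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    expected = _tag(user, granted_page, expires)
    return (hmac.compare_digest(tag.encode(), expected.encode())
            and granted_page == page_id
            and current <= expires)


def handle_download(user, page_id, client_claimed_score):
    """client_claimed_score is whatever the app sends; the decision ignores it."""
    grant = issue_grant(user, page_id)
    return grant is not None and verify_grant(grant, page_id)
```
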
