Android dynamic mode hack apk Prelude (Eclipse dynamic Debug Smail source)

First, preface

Today we start apk hack another way: Dynamic code debugging hack, before actually in an article on how to crack apk:

Android use static way to hack apk is mainly used in static mode, the steps are very simple, first use Apktool to decompile the APK, get Smail source code, and then analyze Smail codes, using code injection technology to track the code, and then find the key method to modify, and then crack, You can also use some open-source hook frameworks, such as xposed and Cydia substrate, to hook up critical methods. So here we can see that the first step in our hack is to use Apktool for successful anti-compilation, then we need to understand the Smali syntax, but about Smali syntax is actually very simple, there are many tutorials on the web.

Second, the Knowledge summary analysis

So today we'll use another way to hack apk: Dynamic way, about the dynamic way is actually very broad, because the dynamic mode is more difficult than the static way, but he is more efficient than static mode, can be targeted to more than the scope of the crack. Of course there are a lot of dynamic ways, so here are three articles to explain this piece:

1, dynamic way to crack apk Prelude (Eclipse dynamic debugging Smail source code)

2, dynamic way to hack apk upgrade (IDA dynamic debugging so source)

3. Dynamic mode hack apk Ultimate (deal with the hardened apk hack method)

From these three articles can let us break the general apk without any problems, but can not represent the ability to crack all the apk, because there is no absolute security, there is no absolute crack, both sides in progress, we can only concrete problems specific analysis. Well, let's look at the first article, and today's focus: Eclipse dynamic debugging Smali source code

First of all need to explain why this is the debug Smali source code, not Java source code, because we have been anti-compilation people know that using Apktool anti-compilation apk, there will be a Smali folder, where the apk corresponding to the Smali source code, About Smali source code here does not explain, online has introduced.

third, case analysis

Because this is a tutorial, so you can not say that it will be very boring, so here is an example to introduce:

We'll use Ali 2014 Security challenge the first question: alicrack_one.apk

See this picture, Ali also kinda will make atmosphere, then actually very simple, we enter the password can be cracked, below we will see how to get this password.

First step: Use Apktool to hack apk

Java-jar Apktool_2.0.0rc4.jar d-d Alicraceme_1.apk-o out

The command here does not explain, but one parameter must be taken, that is:-D

Because this parameter means that the Smali is a Java file, the name of the file is the suffix Java, if not with this parameter, the suffix is smali, but in Eclipse is not recognized Smali, but to identify the Java file, So make sure to add this parameter here.

After the anti-compilation succeeds, we get an out directory, as follows:

The source code is placed in the Smali folder, we go to check the file:

See, here are all Java files, in fact, only the suffix named Java, the content is still Smali:

2. Modify the debug properties in Androidmanifest.xml and add Waitdebug in the ingress code

The above we have succeeded in the anti-compilation, the following we for the subsequent debugging work, so still need to do two things:

1. Modify android:debuggable= "true" in Androidmanifest.xml

As for this property, when we introduced the Run-as command earlier, we also mentioned that he identifies whether the application is a debug version, which will affect whether the application can be debugged, so it must be set to true.

2. Add waitfordebugger code at the entrance to debug wait.

The entrance that is said here is the place where the program starts, that is, our general entrance activity, looking for this activity, there are too many ways, For example, we found here directly from the above Androidmanifest.xml, because the action and category of the entry activity is fixed.

Of course there are other ways, such as aapt to view the contents of the APK, or it is possible to use the ADB dumpsys Activity top command to view it after installing the APK.

After finding the entry activity, we directly add the Waitfordebugger code to the first line of his OnCreate method to find the corresponding mainactivity Smali Source:

Then add a line of code:

invoke-static {}, Landroid/os/debug;->waitfordebugger () V

This is Smali syntax, in fact, the corresponding Java code is:Android.os.Debug.waitForDebugger ();

Here the Java language translated into Smali grammar, not difficult, online has Smali syntax parsing, here do not want to explain.

Step three: Compile the APK and sign the installation again

Java-jar Apktool_2.0.0rc4.jar b-d Out-o debug.apk

or use Apktool to compile back

After compiling, will get debug.apk file, but this apk is not signed, so it can not be installed, then we need to sign, here we use the test program in Android signature file and the Sign.jar tool to sign:

For more information on signing, you can read this article: An explanation of the signature mechanism in Android

Java-jar. \sign\signapk.jar. \sign\testkey.x509.pem. \sign\testkey.pk8 debug.apk debug.sig.apk

After signing, we are ready to install it.

Fourth step: Create a new Java project in Eclipse, import the Smali source code

Here we create a new Java project, remember not the Android project, because our final debugging is actually through the Java debugger, and then check out the use of the default location option, select our Smali source directory, That is, after the anti-compilation of the Out directory, click Finish

The project engineering structure after we import the source code:

Mainly see Mainactivity class:

Fifth step: Find the key, then break the point

This step we see, actually said more broadly, this to specific problems specific analysis, such as this example, we know that when we enter the password, we must click the button, and then trigger the password verification process, then here we know the definition of the button to find the place, Then go into his click event and you can. This is divided into three steps:

1. Use the eclipse's own view analysis tool to find the button's Resid

After clicking, you need to wait a while to analyze the results after the view:

See, here we can see the entire layout of the current page, the property values for each control, we need to find the button's Resource-id

Here we see that the definition is @+id/button this value.

2 "After we get this resid, can we search for this value in the Smali project to locate the definition of this button?"

Then we look at the results:

At this time we actually found this ID in the resource file definition, this ID value corresponds to the 0x7f05003e.

Of course, in addition to this approach, we also have a way to quickly find the ID corresponding to the integer value, that is, in the values/public.xml file after the anti-compilation:

This file is very useful, he is the whole apk in all the resource files defined by the mapping content, such as drawable/string/anim/attr/id, such as the value of these resource files defined, name and integer values corresponding to the place:

This file is important, is the key to our search for a breakthrough, such as we sometimes need to use string content to locate the key point, here can be defined by the string to find the corresponding integer value.

After we have found the ID value of the button, we can use this ID value in a global search, because we know that Android in the post-compilation apk, in the code used by the RESID is replaced by an integer value, the integer value is defined in the R file, The ID of the resource and a value corresponding, and then the code is generally used R.id.button such a value, when the APK is compiled, this value will be replaced with the corresponding integer value, so in the global search 0x7f05003e

The results of the search are as follows:

See, here we go to this button in the code, we enter the code to see:

Here, see, using the Findviewbyid way to define the button, we have a simple analysis of the Smali syntax below, the following is to add a button event, here is the internal class mainactivity$1, we look at this class, He must have implemented the Onclicklistener interface, then directly search the OnClick method:

Here we can the next breakpoint, here is the trigger password check process.

Sixth step: Run the program, set up the remote debugging project

In the fifth step, we found the key, then we hit the breakpoint, and then we run the program and set up the remote debugging project in Eclipse

First we run the program, because we have added the Waitfordebug code, so there will be a Wait Debug dialog box when you start. However, when I test, my phone does not appear this dialog box, but a white screen, but this does not affect, after the program runs, we see how to set up Remote debugging project in Eclipse, first we find the program that needs to be debugged corresponds to the port corresponding to the remote debugging server:

Here we see a few points:

1 "When the program waits for the remote debugging server, a red spider appears in front of it.

2 "On the commissioning service side here we will see two port numbers: 8600/8700, here to explain why there are two port numbers?"

First here the port number, which represents the remote debugging server-side ports, below in a simple look at the Java Debug System:

Here we see that there are three characters here:

111 "JDB Client side (clients being debugged), here we can think that we need to crack the program is the client, if a program can be debugged, when started, there will be a jdwp thread used to communicate with the remote debugging server

Here we see that the program we need to crack starts the JDWP thread, and note that this thread is only available when the program is in debug mode. That is, the debug attribute value in Androidmanifest.xml must be true, that is, the reason why we want to modify this value at the beginning.

222 "JDWP Protocol (for the transfer of debugging information, such as debug line number, current local variable information, etc.), this can explain why we at the beginning, the anti-compilation into a Java file, because for Eclipse to import the recognized Java files, and then why can debug it? Because the Smali file has information such as the line number and local variables of the code, it can be debugged.

333 "JDB Server side (the service side of remote debugging, usually has the JVM side), is to open a JVM program to listen to the debug side, here can be considered as a local PC, of course, there must be a port for monitoring, then the above 8600 port is this role, And here the port is starting from 8600, followed by the program port is added in turn 1, such as other debugging programs:

So with 8600 ports, why do you have a 8700 port? What's he doing?

In fact, his role is the remote debugging side of the basic port, that is to say, such as the crack program here, we use 8600 port can be connected to debug, 8700 is also possible, but other programs, such as Demo.systemapi his 8607 port can be connected debugging, 8700 is also possible:

So, you can think of port 8700 as a port that everyone can use to connect to debugging, however, in practice it is recommended to use the unique port number 8600 for the program, and we can view the occupancy of the 8600 and 8700 ports on the remote debug side (local PC):

See, here the 8600 port and 8700 port number is the corresponding JAVAW program, in fact, the JAVAW program is to start a JVM to listen.

Well, here we get to the debug system in Java and the port number for remote debugging.

Attention:

In fact, we can use the adb jdwp command to view the process number information of the program that can be debugged in the current device:

Continue below, we know the remote debugging server port: 8600, as well as the IP address, this is the local ip:localhost/127.0.0.1

We can create a new remote debugging project in Eclipse that associates our Smali source project with the program that needs to be debugged in the device:

Right-click on the project being debugged = "Select Debug Configurations:

Then start setting up the Debug project

Select romote Java application, select the Smali project to be debugged in project, select Socketattach mode in the Connection Type , In fact, there is another way is listener, about these two ways in fact very good understanding:

Listner mode: Is the debug client is ready to start a port, when the debug server is ready, connect this port for debugging

Attach mode: Is the debug server start a port, waiting for the debug side to connect to this port

We generally choose the attach way to operate.

OK, after we set up the project of remote debugging, start running, wipe discovery, the program on the device or white screen, this is why? Look at the state of the debugger in DDMS:

Rub, related to this process, the reason is very simple, we are using the above is the 8700 port number, this time we selected this process, so the Smali debugging project related to this process, so the process of cracking did not respond, we immediately change, with 8600 port:

Well, this succeeds, we see the red spider turned green, indicating that the debug side has been connected to the remote debugging server.

Attention:

When setting up the remote debugging project, we must pay attention to the setting of the port number, otherwise the debugging project source code and debugging program is not associated, it is not any effect

Seventh step: Start running the debugger, go to debug

Here we start to operate, in the program's text box type: GGGG content, click to start:

OK, here we see the long-awaited debugging interface came out, to the beginning of the time we add the breakpoint, when we can start debugging, using F6 single-step debugging, F5 Step Into, F7 step out of the operation:

See, here we use the V3 variable to save what we entered.

Here is a key place, is to call Mainactivity's gettablefrompic method, get a string string, from the value of the variable, it seems that the string content is not the rule, here first no tube, continue to go down:

Here is another important way:getpwdfrompic, in the literal sense, should be to get the correct password, for the following password string comparison.

Look at the contents of the password, it seems to be an irregular string, but we can see the table string obtained above the content format is similar, and then go down:

Another message here is that the system's log print is called, and the log tag is the value saved by V6: Lil

At this point, we see that V3 is saving the contents of the password we entered, here using Utf-8 to get his byte array, and then passing it to the Access$0 method, we use F5 to enter this method:

In this method, there is also a Bytestoalismscode method that uses F5 to enter:

So this method actually seems to be very simple, is to pass in the byte array, iterate, take out the byte value, and then into the int type, and then call the table string obtained above the Chatat to get the specified character, using StringBuilder for stitching, Then return.

Press F7 to jump out, view, we return to encrypt the content is: Day and day, that is to say gggg=> day and Day day

In the end, you can see the work of code alignment.

So we're done analyzing all the code logic, it's not complicated, so let's comb the process:

A> calls the Gettablefrompic method in mainactivity to get a table string

We can take a look at the implementation of this method:

Here can be generally understood, he is to read the asset directory under a logo.png picture, and then get the image of the bytecode, in the operation, to get a string, then we from the above analysis can know, actually here the table string similar to a keystore.

B> get the correct password content through the Getpwdfrompic method in the Mainactivity

C> gets the byte code of the Utf-8 of our input, and then calls the Access$0 method to get the content after the encryption

In the D>access$0 method, after calling the Bytestoalismscode method, gets the content after the encryption

This method is the most core, and we know by analysis that his logic is that by passing in an array of bytes, iterating through the array, getting the byte into the int type, and then getting the character in the Charat of the call to the KeyStore string table, using StringBuilder for stitching.

With the above analysis, we know that the input after getting the encryption and the correct password content are compared, then we now have the resources are:

The KeyStore string and the correct password after encryption, as well as the encryption logic

Then our hack idea is actually very simple, equivalent, we know the KeyStore string, also know, the character string after the encryption, then you can iterate through the encrypted string, iterate, get the character, and then go to the KeyStore to find the specified index, and then turn into Byte, Save to a byte array, and then use Utf-8 to get a string, then this string is the password we want.

Here we use code to implement this function:

Code logic, very simple, actually this function is equivalent to the bytestoalismscode of the above cryptographic function, the result of the operation:

OK, get the correct password, the following to verify:

Haha, do not be too excited, the success of the ~ ~. Cracked success.

Add:

Just when we were debugging breakpoints, we saw that the code used log to print the log, tag is lil, then we can print this log to see the result:

See, here table is the KeyStore, PW is the correct password after encryption, Enpassword is the password we entered after encryption.

So from here we can see, this example, in fact, when we cracked the APK, sometimes the log is also a very important information.

Cracked need for information I have uploaded,: http://download.csdn.net/detail/jiangwei0910410003/9526113

iv. arrangement of ideas

1, we use the Apktool tool to do the anti-compilation apk, Get Smali source and Androidmanifest.xml, and then modify the Debug property in Androidmanifest.xml to true, at the same time add waitfordebug code at the entrance, debug wait, the general entrance is to find the entry activity first, And then in the first line of the OnCreate method, it is important to note that theApktool tool must be prefixed with the-d parameter, so that the compiled file is a Java file so that it can be identified by Eclipse and debugged .

2. After modifying the completion androidmanifest.xml and adding waitfordebug, we need to use Apktool to compile, back to compile after a non-signed apk, we also need to use Signapk.jar to sign, signature file directly using the test program's signature text Can be installed at the end of the installation.

3, then we will decompile the Smali source code into the Eclipse project, find the key point, the next breakpoint, here is the key point, generally we first understand the structure of the program run, and then find where we need to crack, using the View analysis tool, Or use the Jd-gui tool to view the APK source directly (using Dex2jar to convert the Dex file to a jar file and then view it with Jd-gui) to find the approximate location of the code. And then the breakpoint, where we can find the resid of the corresponding control with the Ddms of Eclipse's own view analysis tool, and then search the resid of the control globally, or directly in the values/ Find in Public.xml, and finally navigate to the location of the control, while viewing his click events.

4, set up the remote debugging project, first run the need to debug the program, and then find the port number of the corresponding debug server in Ddms, then set the remote debugging project in debug configurations, set the corresponding debug port and IP address (usually the native PC, That is localhost), and then the red spider turned green, indicating that our remote debugging Project connection on the debug program, it should be noted here, must be associated with the correct, otherwise there is no effect, after the successful association, you can operate.

5, the process of operation, will enter the key breakpoint, through F6 single step, F5 single Step Into, F7 step out, to debug, find the key method, and then through the analysis Smali syntax, understand the logic, if the logic is complex, you can see the value of the specific environment variables to observe, here is also the most important, is also the most complex, and there is no regulations can be found, this and everyone's logical thinking and the ability to decipher the relationship between the analysis of the key encryption method is required foundation, of course, there is also a need to pay attention to a message, is the log log, and sometimes a very important information.

6, the final general when we know the core method of logic, to get the correct password, or need to use their own language to implement the logic, such as the encryption method in this article, we need to manually code the reverse method of encryption, to obtain the correct password.

V. Legacy ISSUES

1, using the Apktool tool for anti-compilation sometimes not so smooth, such as the error like this:

This is generally apktool in the resolution of the error, in fact, this is now the APK in order to resist Apktool, do the APK reinforcement strategy, this later will write an article how to deal with these reinforcing strategies, how to do the apk repair, in fact, the principle is to analyze Apktool source code, Find the specified error location and make Apktool code repair.

2, this article mentioned the Java Debugging system, but in order to limit the space, no detailed explanation of the entire content, the following will be written a detailed introduction of Java Debugging System and Android debugging system.

3, sometimes we will also encounter the success of the compilation, and then run out of error, this need to use a static method to analyze the logic of the program start, to see if the program does not have any operating restrictions, such as in the static analysis of the article, referred to the application in order to prevent anti-compilation in the back-compilation run, At the entrance of the program to make a signature check, if the verification failed, directly kill their own process, quit the program, so this time we still need to use static mode to analyze the APK.

4, how to do not modify the debug Androidmanifest.xml in the properties can be debugged:

1 "Modify the boot.img to open the system debugging, so that you can save the app to add android:debuggable=" true ", and then re-packaging steps.
2. "Modify the System properties directly and use the Setpropex tool to modify the read-only system properties on the root device. Use this tool to modify the values of Ro.secure and ro.debuggable.

This will also be described in detail in the following two ways

Vi. Summary

This article describes how to use Eclipse to dynamically debug the Smali source code after the anti-compilation, which is much more efficient than the static mode, such as this example in this article, in fact, we can also use the static way to crack, but certainly efficiency is not dynamic way efficient, So later we learned a skill, is the dynamic debugging Smali source code to track the core point of the program, but now the majority of applications on the market is not so simple to crack, such as the core of the encryption algorithm placed in the native layer to do, then we need to go to the dynamic debugging so file tracking, This is the content of our next article, there are times, apk is reinforced, directly in the Apktool to decompile the failure, at this time we need to do the APK repair, and then to follow the operation, this is our next article, how to deal with the APK reinforcement strategy. Through this article we can see the dynamic way to crack more efficient than static, but sometimes we still need to use static methods to do some preparatory work, so in the time of the APK, static and dynamic combination, to achieve the perfect crack.

Android dynamic mode hack apk Prelude (Eclipse dynamic Debug Smail source)