Preface
In addition to continuing my original project, I plan to study Android reverse engineering at the beginning of a new year, it mainly includes decompilation, Smali, APK packaging, signature, reverse direction and mobile security. This is the first article in the new topic, but it is necessary to sacrifice the application of Hapi Mei-Lori. I am more intuitive and aware of the big problem of Android security through cracking Hapi Mei-Lori. If our applications do not adopt special measures to prevent cracking, as a developer, the results of hard work will not be rewarded if the original paid applications are modified to be able to play without money. Is it particularly affected? Therefore, anti-reverse is a concern of developers. In a series of articles on Android reverse engineering, I will introduce Android reverse engineering and reverse engineering. Please look forward to it.
Why did you choose to crack Hapi Mei-Lori?
This was an accident. I accidentally discovered this application a few days ago. I thought about it and installed it. As a result, I found that some functions need to be charged for use. So I came up with the idea of cracking it, the attack went smoothly. In addition, I need to note that I am opposed to cracking others' applications through illegal means, because this is immoral and violates industry rules. Why should I write articles to introduce the method of cracking? Although it is not good to crack other people's applications, this type of cracking has been widely spread. Even if I don't crack it, other people may crack it. So what I want to do is introduce the cracking process and hazards, which will attract the attention of developers. If you can notice the anti-cracking problem during application development, then the attack will not be so rampant. In fact, cracking is very difficult to prevent, but some specific methods can be used to prevent some simple and conventional methods, so as to reduce the probability of applications being cracked. In line with industry standards, I will only give the idea of cracking, but will not give the apk after cracking. I hope you can understand it.
Attack preparation
Since I work in linux, the cracking tools and commands described in this article are all in linux, but the tools and commands on windows and mac are similar to those on linux, you can understand it yourself.
Tools required for cracking
Source code decompilation Tool: Dex2jar, jd-gui
Decompiling apk into smali, packaging, and signature tools: Apktool, signapk. jar, and key file required for signature
Dex2jar converts the dex file into a jar package, and the jd-gui completes the conversion from the jar package to the java file, so that you can see the source code, but the source code is often confused and looks like garbled; apktool unpacks and packs the apk, signapk. jar uses the key file to sign the packaged apk. OK. After signing, you can directly install the apk. So far, a shanzhai application has been created. Note that the apk must be signed after it is packaged. Otherwise, the apk cannot be installed. If you do not believe it, try it. However, because your key file is used for signature, therefore, the signed apk is different from the official version signature. That is to say, the apk we generated is a cottage version, but it can also be used.
Cracking command
Decompilation command:
Step 1./dex2jar. sh classes. dex
Step 2 Use jd-gui to open the jar package and view the source code
Note: The classes. dex in the first step is from the original apk. Extract the original apk and copy the classes. dex file.
Command for unpacking, packaging, and signing:
Step 1./apktool d-f com.qxshikong.mm.lolita.apk com. lolita
Step 2 modify smali
Step 3 package the apk./apktool B com. lolita com.lolita.apk
Step 4. apk signature java-jar signapk. jar testkey. x509.pem testkey. pk8 com.lolita.apk com.lolita.signed.apk
OK ,com.lolita.signed.apk is our final apk. install it.
Note: in step 1, com.qxshikong.mm.lolita.apk and com. lolita are respectively the names of the original apk file and the directories after the package. Step 3 is to package the extracted directories into apk.
Cracking Process
The tools and commands required for cracking are described above, but the last step is to modify smali. This step is the key to cracking any apk, its core work is at this step. First, describe the gameplay of Hapi Mei-Lori, then describe the cracking ideas, and finally give the code of the cracked smali.
Harpimei-Lori's gameplay
It's just a pretty girl who can interact with you. It's actually playing different mp4 videos. Ordinary interactions can be played at will, but deep interactions, such as dancing and costumes, require you to have a certain amount of gold coins and diamonds. Gold Coins can be earned through games and must be recharged, but if you want to watch a girl dance, it is very difficult not to recharge your account but to earn money by using games. It is almost impossible.
Cracking ideas
If you can modify the number of gold coins and diamonds in the game, isn't the problem solved? Yes, it turns out. Some people may say that it is not enough to directly find a memory modification tool (such as the ghost tool) and change the money. Note that the root permission is required for the memory modification tool to change the money, mobile phones that do not have root permissions cannot be modified. In addition, modifying the memory does not belong to reverse engineering, but is a plug-in. According to our thinking, there should be a place in the program that stores the current number of gold coins and diamonds, probably an object, because the whole game will directly access the money, I think developers should set a class and hold the class objects globally. I also tried to get useful information through log, but I didn't find any valuable log.
Attack Method
I opened jd-gui and checked the decompiled Code. The Code was obfuscated. Although it was difficult, I found the key point. I found the following class, by analyzing the logic of obfuscation code, I think this class represents gold coins and diamond. It turns out that I am right.
Package com. qxshikong. mm. lolita. c; public final class c {private int a; private int B; public final int a () {return this. a; // here we return 999999999} public final void a (int paramInt) {this. a = paramInt;} public final int B () {return this. b; // here we return 999999999} public final void B (int paramInt) {this. B = paramInt ;}}
With this class, it is very easy. The modification method looks at the comments of the above Code and forces the 999999999 to be returned directly in the two get methods. It is enough for both the gold coins and the diamond. We cannot directly modify the decompiled source code of smali. We can only modify smali. For more information about the detailed Syntax of smali, I will write an article to introduce it later, here is a general idea.
Smali before modification:
. Class public final Lcom/qxshikong/mm/lolita/c ;. super Ljava/lang/Object; # instance fields. field private a: I. field private B: I # direct methods. method public constructor
() V. locals 0 invoke-direct {p0}, Ljava/lang/Object;->
() V return-void.end method # virtual methods. method public final a () I. locals 1 iget v0, p0, Lcom/qxshikong/mm/lolita/c;-> a: I return v0 # modify the returned value to 999999999.end method. method public final a (I) V. locals 0 iput p1, p0, Lcom/qxshikong/mm/lolita/c;-> a: I return-void.end method. method public final B () I. locals 1 iget v0, p0, Lcom/qxshikong/mm/lolita/c;-> B: I return v0 # modify the returned value to 999999999.end method. method public final B (I) V. locals 0 iput p1, p0, Lcom/qxshikong/mm/lolita/c;-> B: I return-void.end method
Modified smali:
. Class public final Lcom/qxshikong/mm/lolita/c ;. super Ljava/lang/Object; # instance fields. field private a: I. field private B: I # direct methods. method public constructor
() V. locals 0 invoke-direct {p0}, Ljava/lang/Object;->
() V return-void.end method # virtual methods. method public final a () I. locals 1 const v0, 0x3b9ac9ff # define a constant v0 = 999999999 return v0 # return v0.end method. method public final a (I) V. locals 0 iput p1, p0, Lcom/qxshikong/mm/lolita/c;-> a: I return-void.end method. method public final B () I. locals 1 const v0, 0x3b9ac9ff # define a constant v0 = 999999999 return v0 # return v0.end method. method public final B (I) V. locals 0 iput p1, p0, Lcom/qxshikong/mm/lolita/c;-> B: I return-void.end method
After the Cracked Effect is installed with the cracked apk, the number of gold coins and diamonds has changed to 999999999, and no matter how much money is spent, the following is a video image that was originally visible at a cost. At this point, the entire cracking process has been completed. It can be found that the difficulty of the cracking is: how to find the key modification points and modify smali. As for whether or not to use some integrated decompilation tools, I don't think it is necessary. I think it is good to press a few commands myself. Why should I use an integrated tool and the integrated tool cannot help you with the cracking, it only allows you to run a few fewer commands. As a series of my blogs, Android reverse engineering will be updated continuously. At the same time, I will continue to update the series of advanced Android experts and troubleshooting series. I hope you will pay more attention to and communicate with me.