Exploring the Android Apk decryption Project (2) -- code injection

1. Cracking procedure
2. The first step is to decompile the apk.
3. Read and understand how to obtain the correct serial number in the code
4. Create the smali code of Logd
5. Merge Part 1 of the Code into a proper position
6. Package and sign the apk File
7. Install to a virtual machine for testing

 

The interface and function of this Apk are the same, but the actual serial number is different. Yes, the serial number of this apk is changed, specifically, each time the program starts, a random integer of less than 10000 is generated, and the random number is used as the correct serial number. Of course, the actual software does not have serial numbers that are different each time. The random number is used here to increase the decryption speed. In addition, it is expected to serve as an example.

The goal is the same: Find the correct serial number.

Here, the principle of decryption is to use smali code injection. To put it simply, let the program modify the decompiled smali code and let the program itself tell us what the serial number is.

Many may think that reading smali code is a problem. In fact, it is also relatively simple, just do it.

First, let's talk about my ideas. If you want to add a control on the Android screen to display the correct serial number, you may need to modify the layout. It doesn't matter if you are in trouble. Therefore, I personally think the most secure way is to use the Log class. So my idea is to print the serial number error message. At the same time, output the correct serial number to logcat through Log. d.

Cracking steps: 1.1 The first step is the same. decompile the apk.

First, use apktool to decompile the apk application to get the CrackMe-RandomInteger. In order not to break the decompiled code, I copied a copy and renamed it CrackMe-RandomIntegerTest.

 

 
1.2 read and understand the code: how to get the correct serial number in the code

It should not be difficult to understand the basics of language. Note A place we will use later.

1 iget-object v1, p0, Lcom/mstar/test/LisenceCheck $ 1;-> This $ 0: Lcom/mstar/test/LisenceCheck;
 
2 iget v1, v1, Lcom/mstar/test/LisenceCheck;-> a: I
 
3 invoke-static {v1}, Ljava/lang/String;-> valueOf (I) Ljava/lang/String;
 
4 move-result-object v1

The above code is to obtain the random number a from the previous OnCreate. (For details about OnCreate, refer to LisenceCheck. put the code of smali in v1, and then convert v1 to string in v1.

Simple remarks:

A in "a: I" in the second row is the variable name, And I is an integer.

The "{v1}" in the third line is marked with braces as the method for passing in the parameter.

1.3 create the smali code for Log. d.

We can draw the serial number from the gourd. So how does Log. d write the smali code?

My method is very stupid, but it is also very practical. When I create an application, I will write two sentences:

1 IntA = 0;
2 Log. d ( "     SN:     ", String. valueOf ());

Then we use apktool to decompile this apk and get the smali code of Log. d. The two key sentences are like this.

1 const-string v0, "SN :"
2 invoke-static {v0, v1}, Landroid/util/Log;-> d (Ljava/lang/String ;) I 1.4 combines code in parts 1.2 and 1.3 into a proper position.

Of course we add the code to lisence uncorrect! Put it in front of goto: goto_0, so that when we enter an incorrect serial number, we can get the correct serial number in logcat. The added code is as follows.

In actual operations, it is appropriate to copy and paste the code.

1 const-string v0, "SN :"
 
2 iget-object v1, p0, Lcom/mstar/test/LisenceCheck $ 1;-> This $ 0: Lcom/mstar/test/LisenceCheck;
 
3 iget v1, v1, Lcom/mstar/test/LisenceCheck;-> a: I
 
4 invoke-static {v1}, Ljava/lang/String;-> valueOf (I) Ljava/lang/String;
 
5 move-result-object v1
 
6 invoke-static {v0, v1}, Landroid/util/Log;-> d (Ljava/lang/String ;) I 1.5 package and sign the apk file.

Packaging:

 

Signature:

 

1.6 install it in a virtual machine for testing

Use adb push to upload data to the sdcard in the simulator. Then use the apk installer.

Why use the apk installer? If there is a problem with our apk, we can see the error message in logcat during the installation of the apk installer, and then some basic errors may be ruled out. However, if you directly push adb to/data/app, you may not be able to see this information. In addition, the incorrect apk application may not appear in the System menu.

After running, enter a serial number as needed:

 

Then click Verify. Of course, Lisence uncorrect is displayed! ).

Then, we can see the correct serial number output from the adb shell and logcat.

 

As you can see, here is the correct serial number output using log. d. 7716. Then, enter the serial number in the apk. Lisence correct! The decryption is successful.

 

It is worth noting that the serial number of this APK is obtained through a random number in OnCreate, and may change when you start the program next time.

The used apk file is in my shared resources. If you need it, download it.