Android reversing has never been so easy

Source: Internet
Author: User

Yes, a clickbait title again. But I will do my best to write an introductory article that most people can follow.

This article is only for learning and exchange. Do not use it for illegal purposes; if a reader uses the knowledge learned here for illegal business or illegal profit, all responsibility lies with that person and has nothing to do with me. Readers are expected to read this article simply to understand the principles and to protect their own apps so as to minimize harm.

This article was first published in Wing's local pub; please credit the source when reposting.

This article uses one of the simplest possible examples to teach some basics of getting started with Android reversing. First we need to prepare an APK. Keep it simple: one EditText and one button, simulating the verification of a registration code.

When the correct verification code is entered, validation succeeds; when a wrong one is entered, validation fails and an error is shown.

Now we will walk through a few ways to break this validation so that any input passes verification.

Tools of the trade
    • ShakaApktool https://github.com/rover12421/ShakaApktool
    • dex2jar https://github.com/pxb1988/dex2jar
    • smali https://github.com/JesusFreke/smali
    • smalidea https://bitbucket.org/JesusFreke/smali/downloads/

If you are not comfortable with the command line (not a good start, honestly), you can also use a GUI tool that bundles these together: Android-Crack-Tool https://github.com/Jermic/Android-Crack-Tool

First, decompile our APK with apktool. In the output directory you will find the following folders:


Among them, the smali folder holds the smali files disassembled from the dex. If you want to change the application logic, you only need to modify the smali and then repackage. Next, we introduce several ways to find the entry point.

Finding the entry point: direct search method

Extract the dex file from the APK and use dex2jar to convert it to a jar file.

In the decompiled code we can clearly see that the verification code is checked in the onClick method. At this point we have found our entry point.

Resource Reference method

Real APK code will not be this simple; there is bound to be a lot of complex code, so how do we find the entry point? In fact, we can locate it through referenced resources. For example, when registration fails the app shows a "registration failed" message, so we go to the res folder and look for that string:

<string name="failed">注册失败</string>

Its name is failed. Then go to public.xml to find the corresponding ID:

<public type="string" name="failed" id="0x7f060022" />

Convert this hexadecimal ID to decimal to get 2131099682, then search the decompiled jar for this value. Wherever it is referenced is the key code area.
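As an added example (not code from the original article), here is a small Python helper that performs the lookup just described: it reads the ID assigned to a string name in public.xml, converts it from hex to decimal, and scans disassembled smali or decompiled Java text for lines that reference that ID in either spelling. The public.xml and smali contents below are constructed samples with assumed class names; a developer can run the same two functions over apktool output of their own release build to see how directly a user-visible string leads to the check that produces it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of res/values/public.xml (not the article's real file).
PUBLIC_XML = """<resources>
    <public type="string" name="app_name" id="0x7f060021" />
    <public type="string" name="failed" id="0x7f060022" />
    <public type="string" name="success" id="0x7f060023" />
</resources>
"""

# Constructed smali standing in for a disassembled onClick handler (assumed names).
SMALI_FILES = {
    "smali/com/example/MainActivity$1.smali": """\
.method public onClick(Landroid/view/View;)V
    .locals 2
    invoke-static {}, Lcom/example/a;->a()Ljava/lang/String;
    move-result-object v0
    const v1, 0x7f060022
    invoke-virtual {p0, v1}, Landroid/content/Context;->getString(I)Ljava/lang/String;
    return-void
.end method
""",
}


def resource_id(public_xml: str, name: str, res_type: str = "string") -> int:
    """Return the numeric ID that public.xml assigns to res_type/name."""
    root = ET.fromstring(public_xml)
    for entry in root.iter("public"):
        if entry.get("type") == res_type and entry.get("name") == name:
            return int(entry.get("id"), 16)
    raise KeyError(f"{res_type}/{name} not found in public.xml")


def find_references(files: dict, res_id: int) -> list:
    """Return (path, line_no, line) for each line carrying res_id."""
    # smali spells the literal in hex (0x7f060022); a decompiled jar shows
    # decimal (2131099682), so both spellings are matched.
    pattern = re.compile(r"\b(0x%08x|%d)\b" % (res_id, res_id), re.IGNORECASE)
    hits = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            if pattern.search(line):
                hits.append((path, line_no, line.strip()))
    return hits
```

Calling `find_references(SMALI_FILES, resource_id(PUBLIC_XML, "failed"))` returns the `const v1, 0x7f060022` line, which is the spot where the failure message is loaded and therefore the neighbourhood of the check.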

Guessing method

Reversing cannot be separated from guessing. Once you have found the target page, if you want to get at a click event, guess by the field type: in the obfuscated code there is only one Button field, named a, so simply find the click handler for a.

Now that we have an entry point, we will start working toward our goal: changing the code logic.

Operating on the code

Now that we have the entry point, how do we find out what the registration code actually is? Next I introduce several surgical methods.

Direct Analysis Method

Look at the obfuscated code and read it through: we find that the registration code is generated from the date, so we only need to compute today's value and enter it.

Of course, this method has obvious limits, because in general the algorithm will not be this simple.

Substitution method

Now that we have found the point where the check is made, we read the smali code.

Note line 48: here the method a() is invoked, that is, the method that generates the key, and its return value is moved into v0. All of the logic that follows is based on this comparison, so we can quietly replace v0. Say we replace it with "123"; then entering 123 passes the verification. The code is as follows:

Drunken confession method

What is the drunken confession method? Get him drunk until he blurts out the truth. How do we make him blurt out the truth? With a log, of course. We simply add a log statement right after v0 is assigned and print v0; the verification code then comes out on its own, haha. The code is as follows:

Deep into the enemy camp

This is definitely the big show. What does "deep into the enemy camp" mean? Breaking into the enemy's own camp; here that means dynamic debugging. Debug the smali directly and look at the value in every register. Tell me that isn't awesome ~

First, you need an Android Studio version below 2.3, because smalidea does not support 2.3. Then install the plugin.

Next, make a small change to the decompiled AndroidManifest.xml file and add one attribute to it:

<application android:debuggable="true"/>

Then repackage and install it on the phone. Next, import the entire decompiled project into Android Studio.

Mark the smali folder as a source root.

Next, go to Run -> Edit Configurations and add a Remote configuration; the port will be changed in a moment.

Now open DDMS and note that the port is 8600, then change the port in that configuration window to 8600.

Change the SDK to 10.

Next, click the Debug button and you can debug it dynamically.

Next comes the breakpoint: set it right after the verification code is generated, then click the button.

We can see the call stack, each register and so on; we use Evaluate Expression to print the value of v0:

As you can see, the result is the same as what we guessed from the code earlier: the verification code is "0318". With this, we have completed the reverse of this verification system.

Conclusion

That is the end of this article. I hope readers will not use this knowledge to do bad things. Instead, we should think about how to prevent others from tampering with our own apps, for example by increasing obfuscation, signature checking, hardening and so on. Although all of these can be cracked, they raise the difficulty. After all, security is a matter of keeping out gentlemen, not villains. The door of my house can be pried open, but I still lock it when I go to work.

If you like my article, please follow me; you can also join my Android pub to discuss Android technology: 425983695
