Android simple app hack--runtime.apk

For the last practice attached to the article "Debugging Android Application", I used another static method to circumvent the original logic. The main process is as follows:

Use Apktool to decompile the runtime.apk file of the practice , generate the smali format of the disassembly code, and then from the Smali file code to find a breakthrough, modify the program, and then use apktool recompile to generate the apk file and sign, and finally run the test.

First install the original application test function, when the correct pin code, as shown in the figure below, and enter the wrong pin code, as shown in the figure below.

　　

The goal of the program hack is that regardless of what pin value is entered , the program feedback "Correct Pin entered".

the tools that need to be used

1.apktool. used to apk anti-compilation and recompilation of files

2. Signature tool -signapk. recompiling the packaged apk file is unsigned and cannot install the test, so you need to have the tool sign the apk file.

anti-compilation apk file

Previously, I had added Apktool to the system's PATH environment variable for immediate use. Then run the following command:

　　Apktool D runtime.apk

A new directory runtime is generated , with the following directories and files in the directory

The Res directory holds all the resource files in the program, andthesmali directory holds all the disassembly code for the program.

Analyze Code

Read the files in the smali directory, because the program is relatively simple, it can be easily guessed that the main file is the \smali\com\fs\runtime1 directory Mainactivity.smali File

Open the file to find a breakthrough.

When you first test the original application, you can see that when you enter the wrong pin , the "incorrect PIN please try again later" prompt pops up, and you enter the correct PIN code, it pops up "Correct PIN entered" prompt. Therefore, you can look for these key hints in your code to determine the different logical sections of code.

According to the Code -rows and107the above two pieces of code, and you can find +conditional jump Instruction for rowsIF-EQZ v1,: Cond_1(Ifv1the value of the register is0, you jump tocond_1label), which infers the jump from this instruction tocond_1is an input errorPINcode, and the sequential execution is the right inputPINthe case of the code. The judgment, the instructionIF-EQZ v1,: Cond_1for the program's crack point, as long as the row is deleted, regardless of the input value, the program will not jump to the output error prompt in the code snippet, that is, to achieve our goal of cracking:No matter what pin you entercode value, the program all Feedback "Correct PIN entered".

Recompile and sign

After saving the exit, start recompiling the package into an apk file and run the command in the runtime 's parent directory:

　　Apktool B Runtime

Compilation succeeded. InRuntimethe directory has aDistdirectory, which contains the successful compilationapkfile. The next step is toapkfile signature. I was using theAndroidthe signature tool in the source packageSignapk.jarto sign the. At the same time using the source packageTestkey.pk8and theTestkey.x509.pem, use three to generate aSignapk.bat, as long as theSignapk.jar,Testkey.pk8,Testkey.x509.pemand theSignapk.batin the same directory, and add the directory to the system'sPATHenvironment variable, you can use it directly.

Run the following command:

　　signapk runtime.apk

If successful, a signed apkwill be generated, named signed.apk.

Installation Test

Finally, install the test. To run the command after opening the Android emulator:

　　ADB install signed.apk

The installation was successful. Test.

Enter any character, click the Check button, will output the prompt "Correct PIN entered"

Cracked success!

Android simple app hack--runtime.apk