Preliminary Exploration of Android APK Cracking (4): Brute-force Patching and a Simple Inverse Transformation

Source: Internet
Author: User

Note: where this post says "Bao force" it means "brute force". The post could not be published with that word in it, so it had to be altered like this --- ⊙ B sweat

The APK cracked in this section asks the user to enter a user name and a serial number. If they match, a toast shows "lisence correct!"; otherwise it shows "lisence Uncorrect!".

Startup Interface

Incorrect username and serial number

Unlike the previous APK, this one requires both a user name and a serial number and uses the third serial-number verification mode from the previous article, namely:

F1(user name) = F2(serial number)

1. Cracking the program by brute-force patching

Generally, at least one of F1 and F2 can be inverted, so finding the correct serial number means finding an inverse transformation of F1 or F2. If F1 or F2 is fairly simple, working out the inverse and writing a keygen is feasible. This is the approach many crackers pursue, and it does not damage the integrity of the original APK. Sometimes, however, in order to defeat the software's serial-number protection quickly, many choose brute-force patching instead. The starting point of brute-force patching is the final comparison code: whichever serial-number verification mode is used, there will inevitably be a comparison similar to the following pseudocode:

if (A is equal to B)
{
    // verification succeeded
    // do something
}
else
{
    // verification failed
    // do something
}

The essence of brute-force patching is to modify the condition of this judgment statement: change "equal" to "not equal", or "not equal" to "equal". After that, entering a wrong user name and serial number leads into the "verification succeeded" branch, and the software is registered.

In assembly language, brute-force patching works the same way:

JE / JZ      ; jump if equal (machine code 74 or 84)

JNE / JNZ    ; jump if not equal (machine code 75 or 85)

A common modification is to change machine code 74 to 75, or 84 to 85, at the comparison. The decompiled smali file is handled in a similar way.

Equality comparisons in smali and how brute-force patching modifies them:

Symbol   Smali syntax   Brute-force modification
==       if-eq          change if-eq to if-ne
!=       if-ne          change if-ne to if-eq
== 0     if-eqz         change if-eqz to if-nez
!= 0     if-nez         change if-nez to if-eqz

Brute-force patching CrackMe-F1F2, step by step:

(1) Use apktool to decompile the CrackMe-F1F2 APK and obtain the decompiled files.

(2) Locate the comparison judgment in the smali source and modify its condition.

// If not equal, jump to :cond_4. This is the comparison of the two ciphertext values.
.line 80
if-ne v2, v3, :cond_4
...
// At :cond_4, a toast displays "lisence Uncorrect!"
:cond_4
...
const-string v7, "lisence Uncorrect\uff01"
...
invoke-virtual {v6}, Landroid/widget/Toast;->show()V

We simply change the line above,

if-ne v2, v3, :cond_4

to

if-eq v2, v3, :cond_4

With that, the core step of brute-force patching the APK's serial-number check is complete.

(3) Use apktool and signapk to repackage and sign the APK.

(4) Push the APK to the virtual machine with ADB for testing. Entering any incorrect combination in the user name and serial number boxes now displays "lisence correct!", for example:

2. Inverse transformation: writing the keygen

Reading the smali code of the F1 and F2 functions is not repeated here. It only takes patience: decompiled smali contains many jumps and is relatively hard to read, but it is still easier to follow than assembly. Below is the Java equivalent of the two functions F1 and F2 used by this APK, which is what we need in order to write a keygen for it.

The F1 and F2 functions

// F1 function; s1 is the user name entered by the user
int i = 0, k1 = 0;
char ch;
for (i = 0; i < s1.length(); i++) {
    ch = s1.charAt(i);
    if (ch < 'A') break;        // stop at the first character below 'A'
    if (ch > 'Z') ch -= 32;     // crude lower-case to upper-case conversion
    k1 = k1 + ch;               // sum the character codes
}
k1 = k1 ^ 0x5678;

// F2 function; s2 is the serial number entered by the user
int k2 = 0;
for (i = 0; i < s2.length(); i++) {
    ch = s2.charAt(i);
    ch -= 48;                   // ASCII digit to its numeric value
    k2 = k2 * 10 + ch;          // accumulate the decimal serial number
}
k2 = k2 ^ 0x1234;

In the original APK, if k1 == k2 the verification succeeds; otherwise it fails.

The loop in F2 only converts the serial-number string S2 into an integer and stores it in K2; at that point K2 holds the [serial number]. The final exclusive-or produces the ciphertext, which overwrites K2, so K2 then holds the [ciphertext]. For an exclusive-or operation, if

C = A xor B (the last step of F2, that is, K2[ciphertext] = K2[serial number] xor 0x1234)

then A = C xor B (that is, K2[serial number] = K2[ciphertext] xor 0x1234).

In other words, the serial number is obtained as ciphertext xor 0x1234.

The result of F1 is that ciphertext. The keygen is therefore: the result of F1 xor 0x1234 is the correct serial number for the given user name.

Core code of the keygen

// s1 is the user name; k3 is the correct serial number computed from s1
int i = 0;
int k3 = 0;
char ch;
for (i = 0; i < s1.length(); i++) {
    ch = s1.charAt(i);
    if (ch < 'A') break;
    if (ch > 'Z')
        ch -= 32;
    k3 = k3 + ch;
}
k3 = k3 ^ 0x5678 ^ 0x1234;

Put this into a separate keygen program and compute the serial number for "Ethan": the correct serial number is 17724, and verification passes.
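As an added example (not the article's or the CrackMe's own code), the following Python re-implements F1, F2, the APK's final comparison and the keygen, and also shows why a check of this shape is weak: the serial is a pure function of the user name, and names that are anagrams of each other share a serial. Serial numbers are assumed to be decimal digit strings, as the keygen produces them.

```python
# Constructed re-implementation of the CrackMe-F1F2 check (not the APK's code).
F1_MASK = 0x5678   # constant XORed in at the end of F1
F2_MASK = 0x1234   # constant XORed in at the end of F2


def f1(username: str) -> int:
    """F1: sum the upper-cased character codes until the first character
    below 'A', then XOR with 0x5678. This is the 'ciphertext'."""
    k1 = 0
    for ch in username:
        c = ord(ch)
        if c < ord('A'):
            break            # digits, spaces and punctuation end the loop
        if c > ord('Z'):
            c -= 32          # same crude case conversion as the APK
        k1 += c
    return k1 ^ F1_MASK


def f2(serial: str) -> int:
    """F2: parse the decimal serial number, then XOR with 0x1234."""
    k2 = 0
    for ch in serial:
        k2 = k2 * 10 + (ord(ch) - 48)
    return k2 ^ F2_MASK


def check(username: str, serial: str) -> bool:
    """The APK's final comparison: registration succeeds iff f1 == f2."""
    return f1(username) == f2(serial)


def keygen(username: str) -> str:
    """Invert F2: f2(s) == int(s) ^ 0x1234, so the serial satisfying
    f2(s) == f1(name) is f1(name) ^ 0x1234 (K3 in the article)."""
    return str(f1(username) ^ F2_MASK)


def anagram_collision(a: str, b: str) -> bool:
    """F1 only sums character codes, so two different names made of the
    same letters (case ignored) map to the same serial number."""
    return a.lower() != b.lower() and f1(a) == f1(b)


if __name__ == "__main__":
    name = "Ethan"
    print(name, "->", keygen(name), "valid:", check(name, keygen(name)))
```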

Correct username and serial number


The original APK is stored in the shared resource. Download it as needed.
