First, unpack the package. In the assets folder, find the file to be analysed: appmgr.jar. After installation an appmgr.apk is generated under /data/<package name>/files/; it is really this resource file, which stores the code, renamed during installation with an .apk extension.
Unzip the JAR file to obtain classes.dex and drag it into IDA Pro 6.1 or later, which recognises it as an Android DEX file.
To find the signature_md5 algorithm, press Alt+T to search for the string "signature_md5". This finds:
Code: 0001acce const-string/jumbo v1, asignature_md5 # "signature_md5" // define the string "signature_md5" and put it in register V1
// See the Dalvik instruction set reference for the opcodes used below.
Next, follow what is done with V1:
Get a key-value pair from the JSON object (registers V2 and V1);
move-result-object puts the result back into V1;
check-cast converts it to a String;
Define a comma and put it in V8; // why does a comma appear here?
Use the comma in V8 to call String.split on V1. Note that split returns an array;
After splitting, the array is put in V11;
The next part is less important, since it only defines the edition_brief variable. We keep tracking V11:
array-length puts the length of the array in V11 into V9;
if-ge (greater or equal): if V2 >= V9, jump to loc_1ad72. Note that V2 is defined as 0, so if the length is zero it jumps; V9 is the length of the array obtained by splitting the string from the JSON;
if-nez (not equal to zero): if V8 != 0, jump to loc_1ad72. Note that V8 was set to 0 above. This is a bit confusing;
The next instruction puts the signature obtained from packageinfo_signatures into v13 and V10;
Note: Arrays.toString(ref) and xx.toString() are different.
xx.toString() outputs a string like [@XXXXX, and it seems to be different every time. I guess it is an address, and someone on the internet says it is a hash.
A numeric array cannot be printed as a whole; you can print it with a loop:
for (int i = 0; i < 10; i++)
    System.out.println(a[i] + " ");
Arrays.toString(a) saves writing that loop and produces the output in one step (the loop happens inside the called function, of course).
Note that the signature value in v13 is passed through a series of format conversions into V23, and finally the signature MD5 is obtained with ad.a(REF);
Then, in the last row, V11 and V2 give V24;
Compare V23 with V24, that is, the packageinfo_signatures value after ad.a(REF) with the MD5 from the JSON.
So the function we are looking for is ad.a(byte[] x);
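The check traced above, reconstructed in readable form as an added example (not code from the original post or from the app): the comma-separated signature_md5 value from the JSON is compared against the MD5 of the installed package's signature bytes. It assumes ad.a(byte[]) computes a lowercase hex MD5 and that the signature reaches it as raw bytes (Signature.toByteArray()); the sample signature is constructed.

```python
import hashlib

# Constructed sample standing in for PackageInfo.signatures[0].toByteArray().
# A real value is the DER-encoded signing certificate; any bytes serve here.
SAMPLE_SIGNATURE = b"constructed-DER-certificate-bytes"


def md5_hex(data: bytes) -> str:
    """Assumed behaviour of ad.a(byte[]): lowercase hex MD5 of its input."""
    return hashlib.md5(data).hexdigest()


def java_arrays_to_string(data: bytes) -> str:
    """Mimic java.util.Arrays.toString(byte[]): signed bytes in '[1, -2, 3]' form.
    Hashing this text instead of the raw bytes is the pitfall the note above warns about."""
    signed = [b - 256 if b > 127 else b for b in data]
    return "[" + ", ".join(str(b) for b in signed) + "]"


def signature_allowed(signature_bytes: bytes, signature_md5_field: str) -> bool:
    """The Dalvik sequence in plain form:
    - the JSON value signature_md5 (V1) is split on ',' (V8) into an array (V11);
    - the installed signature (v13) is converted and hashed with ad.a (V23);
    - the loop indexed by V2 walks V11 up to array-length (V9) and compares each
      element (V24) with V23; if-ge leaves the loop when V2 >= V9.
    """
    candidates = signature_md5_field.split(",")      # V11
    actual = md5_hex(signature_bytes)                 # V23
    i = 0                                             # V2
    while i < len(candidates):                        # if-ge V2, V9 -> loc_1ad72
        if candidates[i].strip().lower() == actual:   # V24 compared with V23
            return True
        i += 1
    return False
```

A self-check of this kind runs inside the app it protects, so it deters casual repackaging but is not a trust boundary.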
Now use dex2jar to convert the DEX into a JAR, open it in JD-GUI, and find ad.a():
Tip: the type after the colon is the return type (worked out yesterday). The function a looks like this:
However, following w.f() we found no getmd5().
The great god suggested using Notepad++'s find-in-files to search the whole set of Smali files produced by decompiling the 360 APK. I don't know how he thought of it.
Found. Here is the trace through the obfuscated code; it takes a lot of patience.
evt.c(), then find evg.b(),
then find eua.d(); I could not find this a(paramArrayOfByte) in eua. I thought it would be necessary to find it in the evg function b!
Finally, it is found.
This really requires a lot of patience. I'm afraid I would have given up a step long ago, because it's hard to accept a result that I couldn't get for a long time. Awesome.
August 7, 2014.