Security and reverse: How to reverse-analyze Android programs

Source: Internet
Author: User

Having introduced decompilation tools such as Apktool, dex2jar and jd-gui, this chapter works through a practical case to explain how to analyze Android programs.
I. Analysis steps
1. Use dex2jar and jd-gui to analyze the decompiled Java source code;
2. Use Apktool to decompile the APK into smali files. Because smali syntax alone is difficult to read, we analyze it alongside the decompiled Java source;
3. Based on the relevant characteristics and clues, modify the smali source and repackage it with Apktool;
4. Use jarsigner to re-sign the APK, then install it and verify that the modification is correct; otherwise repeat step 3.
II. Case introduction
We use the simplest possible user login as the case: if the user name and password entered by the user pass verification, a Toast displays "login success!", otherwise "login faild!" (as it appears when run):

III. Analysis and practice
1. Use dex2jar and jd-gui to view the decompiled Java source of the login page, NextActivity (for usage of these tools, see the related articles in the "Security and Reverse" blog series):

2. Use Apktool (for usage of these tools, see the related articles in the "Security and Reverse" blog series) to decompile the APK into its main smali files (as shown):

3. From the Java source, the relevant smali files are NextActivity.smali and NextActivity$1.smali (for smali syntax, see the related articles in the "Security and Reverse" blog series), detailed as follows:
NextActivity.smali file:
    .class public Lcom/qunar/hotel/NextActivity;
    .super Landroid/support/v7/app/AppCompatActivity;
    .source "NextActivity.java"

    # instance fields
    .field private mLogin:Landroid/widget/Button;

    .field private mPassword:Landroid/widget/EditText;

    .field private mUser:Landroid/widget/EditText;

    # direct methods
    .method public constructor <init>()V
        .locals 0
        ...
        return-object v0
    .end method

    # virtual methods
    .method protected onCreate(Landroid/os/Bundle;)V
        .locals 2
        .param p1, "aSavedInstanceState"    # Landroid/os/Bundle;

        .prologue
        invoke-super {p0, p1}, Landroid/support/v7/app/AppCompatActivity;->onCreate(Landroid/os/Bundle;)V

        sget v0, Lcom/qunar/hotel/R$layout;->activity_next:I
        invoke-virtual {p0, v0}, Lcom/qunar/hotel/NextActivity;->setContentView(I)V

        sget v0, Lcom/qunar/hotel/R$id;->user:I
        invoke-virtual {p0, v0}, Lcom/qunar/hotel/NextActivity;->findViewById(I)Landroid/view/View;
        move-result-object v0
        check-cast v0, Landroid/widget/EditText;
        iput-object v0, p0, Lcom/qunar/hotel/NextActivity;->mUser:Landroid/widget/EditText;

        sget v0, Lcom/qunar/hotel/R$id;->password:I
        invoke-virtual {p0, v0}, Lcom/qunar/hotel/NextActivity;->findViewById(I)Landroid/view/View;
        move-result-object v0
        check-cast v0, Landroid/widget/EditText;
        iput-object v0, p0, Lcom/qunar/hotel/NextActivity;->mPassword:Landroid/widget/EditText;

        sget v0, Lcom/qunar/hotel/R$id;->login:I
        invoke-virtual {p0, v0}, Lcom/qunar/hotel/NextActivity;->findViewById(I)Landroid/view/View;
        move-result-object v0
        check-cast v0, Landroid/widget/Button;
        iput-object v0, p0, Lcom/qunar/hotel/NextActivity;->mLogin:Landroid/widget/Button;

        iget-object v0, p0, Lcom/qunar/hotel/NextActivity;->mLogin:Landroid/widget/Button;
        new-instance v1, Lcom/qunar/hotel/NextActivity$1;
        invoke-direct {v1, p0}, Lcom/qunar/hotel/NextActivity$1;-><init>(Lcom/qunar/hotel/NextActivity;)V
        invoke-virtual {v0, v1}, Landroid/widget/Button;->setOnClickListener(Landroid/view/View$OnClickListener;)V

        return-void
    .end method
NextActivity$1.smali file:
    .class Lcom/qunar/hotel/NextActivity$1;
    .super Ljava/lang/Object;
    .source "NextActivity.java"

    # interfaces
    .implements Landroid/view/View$OnClickListener;

    # annotations
    .annotation system Ldalvik/annotation/EnclosingMethod;
        value = Lcom/qunar/hotel/NextActivity;->onCreate(Landroid/os/Bundle;)V
    .end annotation

    .annotation system Ldalvik/annotation/InnerClass;
        accessFlags = 0x0
        name = null
    .end annotation

    # instance fields
    .field final synthetic this$0:Lcom/qunar/hotel/NextActivity;

    # direct methods
    .method constructor <init>(Lcom/qunar/hotel/NextActivity;)V
        .locals 0
        .param p1, "this$0"    # Lcom/qunar/hotel/NextActivity;

        .prologue
        iput-object p1, p0, Lcom/qunar/hotel/NextActivity$1;->this$0:Lcom/qunar/hotel/NextActivity;
        invoke-direct {p0}, Ljava/lang/Object;-><init>()V
        return-void
    .end method

    # virtual methods
    .method public onClick(Landroid/view/View;)V
        .locals 4
        .param p1, "aView"    # Landroid/view/View;

        .prologue
        const/4 v3, 0x0

        # Determine the correctness of the user name and password.
        iget-object v0, p0, Lcom/qunar/hotel/NextActivity$1;->this$0:Lcom/qunar/hotel/NextActivity;
        # getter for: Lcom/qunar/hotel/NextActivity;->mUser:Landroid/widget/EditText;
        invoke-static {v0}, Lcom/qunar/hotel/NextActivity;->access$000(Lcom/qunar/hotel/NextActivity;)Landroid/widget/EditText;
        move-result-object v0
        invoke-virtual {v0}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
        move-result-object v0
        invoke-virtual {v0}, Ljava/lang/Object;->toString()Ljava/lang/String;
        move-result-object v0
        const-string v1, "user"
        invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
        move-result v0
        # If the equals method returns true
        if-eqz v0, :cond_0

        iget-object v0, p0, Lcom/qunar/hotel/NextActivity$1;->this$0:Lcom/qunar/hotel/NextActivity;
        # getter for: Lcom/qunar/hotel/NextActivity;->mPassword:Landroid/widget/EditText;
        invoke-static {v0}, Lcom/qunar/hotel/NextActivity;->access$100(Lcom/qunar/hotel/NextActivity;)Landroid/widget/EditText;
        move-result-object v0
        invoke-virtual {v0}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
        move-result-object v0
        invoke-virtual {v0}, Ljava/lang/Object;->toString()Ljava/lang/String;
        move-result-object v0
        const-string v1, "123456"
        invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
        move-result v0
        # If the equals method returns true
        if-eqz v0, :cond_0

        # Login successful: pop up the login success Toast prompt.
        .line 34
        iget-object v0, p0, Lcom/qunar/hotel/NextActivity$1;->this$0:Lcom/qunar/hotel/NextActivity;
        invoke-virtual {v0}, Lcom/qunar/hotel/NextActivity;->getApplication()Landroid/app/Application;
        move-result-object v0
        iget-object v1, p0, Lcom/qunar/hotel/NextActivity$1;->this$0:Lcom/qunar/hotel/NextActivity;
        invoke-virtual {v1}, Lcom/qunar/hotel/NextActivity;->getResources()Landroid/content/res/Resources;
        move-result-object v1
        sget v2, Lcom/qunar/hotel/R$string;->login_success:I
        invoke-virtual {v1, v2}, Landroid/content/res/Resources;->getString(I)Ljava/lang/String;
        move-result-object v1
        invoke-static {v0, v1, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
        move-result-object v0
        invoke-virtual {v0}, Landroid/widget/Toast;->show()V

        .line 38
        :goto_0
        return-void

        # Login failed: pop up the login faild Toast prompt.
        .line 36
        :cond_0
        iget-object v0, p0, Lcom/qunar/hotel/NextActivity$1;->this$0:Lcom/qunar/hotel/NextActivity;
        invoke-virtual {v0}, Lcom/qunar/hotel/NextActivity;->getApplication()Landroid/app/Application;
        move-result-object v0
        iget-object v1, p0, Lcom/qunar/hotel/NextActivity$1;->this$0:Lcom/qunar/hotel/NextActivity;
        invoke-virtual {v1}, Lcom/qunar/hotel/NextActivity;->getResources()Landroid/content/res/Resources;
        move-result-object v1
        sget v2, Lcom/qunar/hotel/R$string;->login_faild:I
        invoke-virtual {v1, v2}, Landroid/content/res/Resources;->getString(I)Ljava/lang/String;
        move-result-object v1
        invoke-static {v0, v1, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
        move-result-object v0
        invoke-virtual {v0}, Landroid/widget/Toast;->show()V
        goto :goto_0
    .end method
4. Analyze the related smali and Java files and, using keywords such as login_success, Toast and equals, read through the basic code logic. In this case the Java source already shows clearly that the user name and password are user and 123456; here we demonstrate how to analyze and modify the smali file to "crack" the check. Reading the key code, we can change the statement if (mUser.getText().toString().equals("user")) into if ("user".equals("user")), and likewise the password check into if ("123456".equals("123456")); that is, invoke-virtual {v0, v1} is changed to invoke-virtual {v1, v1}, which "bypasses" the user name and password verification. Real-world code is more complex; the modification here is kept simple to demonstrate the analysis process;
5. Repackage and sign the APK (for usage of these tools, see the related articles in the "Security and Reverse" blog series); after installing it, verify that the user name and password authentication has been "bypassed" successfully, as shown.
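
A review-side check for the pattern this case relies on, as an added example that is not part of the original article: it scans smali text for String.equals call sites that compare against a const-string literal (a credential shipped inside the client) or that compare a register with itself (the edit described in step 4, which indicates a repackaged build). The function name audit_smali and the constructed sample are assumptions made for this example.

```python
import re

# Constructed sample: the credential check from NextActivity$1.smali, reduced to
# the relevant instructions; the second call carries the step-4 self-comparison.
SAMPLE_SMALI = '''
.method public onClick(Landroid/view/View;)V
    const-string v1, "user"
    invoke-virtual {v0, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    if-eqz v0, :cond_0
    const-string v1, "123456"
    invoke-virtual {v1, v1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    if-eqz v0, :cond_0
.end method
'''

CONST_RE = re.compile(r'^const-string(?:/jumbo)?\s+([vp]\d+),\s*"(.*)"$')
EQUALS_RE = re.compile(
    r'^invoke-virtual\s*\{([vp]\d+),\s*([vp]\d+)\},\s*'
    r'Ljava/lang/String;->equals\(Ljava/lang/Object;\)Z$')
WRITE_RE = re.compile(
    r'^(?:move-result\S*|const\S*|[is]get\S*|new-instance|check-cast)\s+([vp]\d+)')

def audit_smali(text):
    """Return (line_no, kind, detail) findings for String.equals call sites."""
    findings, literals = [], {}            # literals: register -> string constant
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith('.method'):
            literals = {}                  # register contents are per-method
        m = CONST_RE.match(line)
        if m:
            literals[m.group(1)] = m.group(2)
            continue
        m = EQUALS_RE.match(line)
        if m:
            recv, arg = m.groups()
            if recv == arg:                # x.equals(x) is always true: patched check
                findings.append((no, 'self-comparison', recv))
            elif arg in literals or recv in literals:
                findings.append((no, 'hardcoded-literal',
                                 literals.get(arg, literals.get(recv))))
            continue
        m = WRITE_RE.match(line)
        if m:
            literals.pop(m.group(1), None)  # register overwritten by a non-literal
    return findings
```

Running it over the smali of a release build before shipping shows which secrets are recoverable from the APK alone; any self-comparison finding in a build pulled from a device means the package differs from the one that was signed and released.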
