Simple Android CrackMe Analysis 3

This is an Android CrackMe found on crackmes.de, which is also a relatively simple type. Of course, if you want to learn it, you can try to read the smali code and manually translate it into Java code, write a Keygen.

Before analysis, first install the apk on the simulator and check that there are two activities, prompting two Hardware IDs. You need to enter the user name and registration code for registration.

Use the Apktool GUI to unpackage the apk and view AndroidManifest. xml file, see two activities, respectively com. example. helloandroid. helloAndroid and com. example. helloandroid. prueba2, where the former is MainActivity. Now extract the classes. dex from the APK package and convert it to a jar package, and use the JD-GUI to view the code. There are 5 classes in total, and the analysis is performed one by one below.

1. HelloAndroid code analysis
This class is MainActivity. In the onCreate method, calculate two Hardware IDs and display them on the interface. The specific algorithm can be ignored for the moment, because the same logic exists in another piece of code. Then set the listener for the two buttons. Previously we saw two buttons in the interface, one being the "register" Button and the other being the "about" Button.

2. Code Analysis for class HelloAndroid $1
This is the listener class of the "about" button. In The onClick method, start the "about" interface Activity through Intent, that is, the prueba2 class.

3. prueba2 code analysis
The "about" interface Activity has a button to return to the registration interface. The code of this class is very simple.

4. prueba2 $1 code analysis
Listener class of the "return" button on the "about" interface, which is returned to the registration interface through Intent in The onClick method.

5. Code Analysis for class HelloAndroid $2
This is the listener class for the "register" button, and the entire registration algorithm is also here, so this is the code to be analyzed. In fact, if you just write the registration machine, a little sort of JD-GUI in the code will be OK, but the JD-GUI decompilation code sometimes can be read is not very good, here from the perspective of learning, read the smali code to restore the Java advanced code.

In the smali code of the HelloAndroid $2 class, I personally feel that apart from the try catch structure, the other code is still quite clear. In the process of trying to restore, the location of try catch cannot be determined. The restored Java code is as follows:

​class MyOnClickListener implements OnClickListener {    public void onClick(View v) {        EditText editName = (EditText)findViewById(0x7F050004);        EditText editSerial = (EditText)findViewById(0x7F050006);        String strName = editName.getText().toString();        String strSerial = editSerial.getText().toString();        String strTemp1 = "";         if (strName.length() < 4) {            Toast.makeText(                getApplicationContext(),                 "Min 4 chars",                 Toast.LENGTH_LONG            ).show();            return ;        }         int i = 0;        int len = strName.length();        while (i < len) {            char ch = strName.charAt(i);            int nVal = (int)ch;            String strTemp = String.valueOf(strTemp1);            StringBuilder strBuilder = new StringBuilder(strTemp);            strBuilder.append(nVal);            strTemp1 = strBuilder.toString();            i += 1;        }         strTemp1 = strTemp1.substring(0, 5);        int nName = Integer.parseInt(strTemp1);        nName = nName ^ 0x6B016;        strTemp1 = String.valueOf(nName);         TelephonyManager telMgr =            (TelephonyManager)getSystemService("phone");        String strDevId = telMgr.getDeviceId();        String strSimNo = telMgr.getSimSerialNumber();        String strSubDevId = strDevId.substring(0, 6);        String strSubSimNo = strSimNo.substring(0, 6);        int nSubDevId = Integer.parseInt(strSubDevId);        int nSubSimNo = Integer.parseInt(strSubSimNo);        long nTemp = nSubDevId ^ nSubSimNo;         StringBuilder strBuilder = new StringBuilder(strTemp1);        strBuilder.append("-");        strBuilder.append(String.valueOf(nTemp));        strBuilder.append("-");        strBuilder.append(strSubDevId);        String strTemp2 = strBuilder.toString();         if (strTemp2.equals(strSerial)) {            Toast.makeText(                getApplicationContext(),                 "God boy",                 Toast.LENGTH_LONG            ).show();        } else {            Toast.makeText(                getApplicationContext(),                 "Bad boy",                 Toast.LENGTH_LONG            ).show();        }    }}

The specific process is to patiently read the smali code. The entire algorithm process is:

FirstThe username must be at least 4 characters long, and then the ASCII values of each character of the username are connected to a string. The first five characters of the string are converted to an integer type, and then the XOR operation is performed with 0x6B016, the result is converted to a string, which is the first part of the registration code;

SecondUse TelephonyManager to obtain DeviceId and SimSerialNumber, convert the first six characters of the two strings to an integer, then perform the exclusive or operation on the two integer values, and convert the result to a string, obtain the second part of the registration code;

LastIs the first 6 Characters of the DeviceId, which is the third part of the registration code.

Connect these three strings with the hyphen "-", which is the registration code.

6. Compile Keygen
KeyGen refer to the Code for registering an algorithm. The effect is as follows:

Registration machine interface:

Download CrackMe/Keygen:
Http://www.bkjia.com/uploadfile/2013/0805/20130805121900496.zip