Simple Android CrackMe Analysis

Source: Internet
Author: User

This is an Android CrackMe from this year's ISCC. It is relatively simple: the ARM instructions are easy to follow, and a look at the smali or the decompiled Java is enough to get oriented. Working through one or two CrackMes like this gives a rough idea of Android reverse engineering. It later turned out that the challenge was taken from the book 《Android Software Security and Reverse Analysis》. The original challenge is a bit painful: it is a register-then-restart APK, and the task is to patch it so that the program starts as the Enterprise Edition.

First, unpack the APK with the ApkTool GUI. The app loads a native library built with the NDK, crackme6\lib\armeabi\libhack.so. Rename crackme6.apk to crackme6.zip and extract it; classes.dex sits in the root of the extracted directory (crackme6Zip\classes.dex). Convert it to a jar with the ApkTool GUI and open the jar in JD-GUI to get Java source. MyApp is where the .so gets loaded:

import android.app.Application;

public class MyApp extends Application {
    public static int m = 0;              // registration type, written by native code

    static {
        System.loadLibrary("hack");        // loads libhack.so
    }

    public native void initSN();

    public void onCreate() {
        initSN();                          // re-verify the saved registration code on every start
        super.onCreate();
    }

    public native void saveSN(String paramString);

    public native void work();
}

 

The native methods initSN, saveSN and work are declared here; their implementations live in the .so. RegActivity is the registration screen. Its core code:
import android.app.Activity;
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.os.Bundle;
import android.os.Process;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;

public class RegActivity extends Activity {
    private Button btn_reg;
    private EditText edit_sn;

    public void onCreate(Bundle paramBundle) {
        super.onCreate(paramBundle);
        setContentView(2130903041);
        this.btn_reg = (Button) findViewById(2131165184);
        this.edit_sn = (EditText) findViewById(2131165185);
        this.btn_reg.setOnClickListener(new View.OnClickListener() {
            public void onClick(View paramView) {
                String str = RegActivity.this.edit_sn.getText().toString().trim();
                if ((str == null) || (str.length() == 0)) {
                    Toast.makeText(RegActivity.this, "Enter the registration code", 0).show();
                    return;
                }
                // hand the entered code to the native saveSN
                ((MyApp) RegActivity.this.getApplication()).saveSN(str);
                new AlertDialog.Builder(RegActivity.this)
                    .setTitle("Register")
                    .setMessage("The registration code has been saved. Click OK and the program will exit. Please restart it manually!")
                    .setPositiveButton("OK", new DialogInterface.OnClickListener() {
                        public void onClick(DialogInterface paramDialogInterface, int paramInt) {
                            Process.killProcess(Process.myPid());   // exit; the check runs on the next start
                        }
                    })
                    .show();
            }
        });
    }
}

 

So this is a register-then-restart program: MyApp.saveSN stores the entered registration code, the process kills itself, and the user has to restart it by hand. After the restart the decision is naturally made in MainActivity. Its core code:
import android.app.Activity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.Toast;

public class MainActivity extends Activity {
    public static String workString;       // message filled in by the native work()
    private Button btn1;

    public void doRegister() { /* prompts the user to register */ }

    public void onCreate(Bundle paramBundle) {
        super.onCreate(paramBundle);
        int i = MyApp.m;                   // registration type, decided by the native initSN
        String str;
        if (i == 0)      str = "-not registered";
        else if (i == 1) str = "-Official Edition";
        else if (i == 2) str = "-Professional Edition";
        else if (i == 3) str = "-Enterprise Edition";
        else if (i == 4) str = "-Dedicated Edition";
        else             str = "-unknown edition";
        setTitle("Click to execute the function" + str);
        this.btn1 = (Button) findViewById(2131165184);
        this.btn1.setOnClickListener(new View.OnClickListener() {
            public void onClick(View paramView) {
                if (MyApp.m == 0) {
                    MainActivity.this.doRegister();   // not registered: prompt for registration
                    return;
                }
                ((MyApp) MainActivity.this.getApplication()).work();
                // show the result of work(), e.g. "registration successful"
                Toast.makeText(MainActivity.this.getApplicationContext(), MainActivity.workString, 0).show();
            }
        });
    }
}

 

work, initSN and saveSN are therefore all in the .so, so libhack.so goes into IDA for analysis. There are no exported Java_..._initSN style symbols; instead there are three suspicious functions n1, n2 and n3, which are the actual implementations (the native methods are evidently registered under these short names rather than resolved by JNI name lookup):

n1 corresponds to initSN, n2 to saveSN and n3 to work. n2 computes the lowercase 32-character hex MD5 of the registration code it receives and saves it in /sdcard/reg.dat. The verification happens in n1:
.text:000012E8 04 00 A0 E1    MOV   R0, R4            ; s1 = file content
.text:000012EC 01 10 8F E0    ADD   R1, PC, R1        ; "25d55ad283aa400af464c76d713c07ad" (MD5 of 12345678)
.text:000012F0 49 FF FF EB    BL    strcmp            ; string comparison
.text:000012F4 08 00 50 E1    CMP   R0, R8            ; equal? (R8 holds 0)
.text:000012F8 17 00 00 0A    BEQ   loc_135C          ; jump if equal
.text:000012FC BC 10 9F E5    LDR   R1, =(a08e0750210f663 - 0x130C)
.text:00001300 04 00 A0 E1    MOV   R0, R4            ; s1
.text:00001304 01 10 8F E0    ADD   R1, PC, R1        ; "08e0750210f66108eb83957973705aad" (MD5 of 22345678)
.text:00001308 43 FF FF EB    BL    strcmp
.text:0000130C 00 00 50 E3    CMP   R0, #0
.text:00001310 15 00 00 0A    BEQ   loc_136C
.text:00001314 A8 10 9F E5    LDR   R1, =(aB2db1185c9e5b8 - 0x1324)
.text:00001318 04 00 A0 E1    MOV   R0, R4            ; s1
.text:0000131C 01 10 8F E0    ADD   R1, PC, R1        ; "b2db1185c9e5b88d9b70d7b3278a4947" (MD5 of 32345678)
.text:00001320 3D FF FF EB    BL    strcmp
.text:00001324 00 00 50 E3    CMP   R0, #0
.text:00001328 13 00 00 0A    BEQ   loc_137C
.text:0000132C 94 10 9F E5    LDR   R1, =(a18e56d777d194c - 0x133C)
.text:00001330 04 00 A0 E1    MOV   R0, R4            ; s1
.text:00001334 01 10 8F E0    ADD   R1, PC, R1        ; "18e56d777d194c4d589046d62801501c" (MD5 of 42345678)
.text:00001338 37 FF FF EB    BL    strcmp
.text:0000133C 00 00 50 E3    CMP   R0, #0
.text:00001340 04 10 A0 03    MOVEQ R1, #4            ; matched: Dedicated Edition
.text:00001344 07 00 A0 E1    MOV   R0, R7            ; R0 is the original argument
.text:00001348 08 10 A0 11    MOVNE R1, R8            ; no match: R1 = 0
.text:0000134C A9 FF FF EB    BL    setValue          ; R1 is 0, 1, 2, 3 or 4; 0 means failure
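As an added example (not code from the original post), here is the reg.dat scheme reimplemented in Python: the digest saveSN writes, the strcmp-style lookup initSN performs, and the two failure paths (unopenable file, no matching digest). The registration codes and the edition values 0 to 4 are the ones recovered above; the digests of 22345678, 32345678 and 42345678 are recomputed rather than copied from the listing, and listing_matches() reports whether the listing's digest agrees with the real MD5. Because the file holds nothing but an unsalted MD5 of a known code, writing that digest to /sdcard/reg.dat (with no trailing newline, since strcmp is exact) is an alternative to patching the library at all.

```python
import hashlib
import os
import tempfile

# Edition values as used by MyApp.m / setValue, from the analysis above.
EDITIONS = {0: "not registered", 1: "Official", 2: "Professional",
            3: "Enterprise", 4: "Dedicated"}

# Registration codes recovered from the strcmp chain in n1, the digest the IDA
# listing shows next to each comparison, and the value setValue receives.
LISTED = {
    "12345678": ("25d55ad283aa400af464c76d713c07ad", 1),
    "22345678": ("08e0750210f66108eb83957973705aad", 2),
    "32345678": ("b2db1185c9e5b88d9b70d7b3278a4947", 3),
    "42345678": ("18e56d777d194c4d589046d62801501c", 4),
}


def sn_digest(code: str) -> str:
    """What n2 (saveSN) writes: lowercase 32-char hex MD5 of the code."""
    return hashlib.md5(code.encode()).hexdigest()


# Lookup table in the form n1 uses it: digest -> edition value.
# Built from recomputed digests, so it is right even if the listing has a typo.
TABLE = {sn_digest(code): level for code, (_, level) in LISTED.items()}


def check_reg_dat(content: bytes) -> int:
    """Model of n1 (initSN): strcmp the whole file content against each digest.
    strcmp is exact, so a trailing newline or CRLF makes every comparison fail."""
    try:
        text = content.decode("ascii")
    except UnicodeDecodeError:
        return 0
    return TABLE.get(text, 0)


def check_reg_file(path: str) -> int:
    """n1 also reports 0 (not registered) when the file cannot be opened."""
    try:
        with open(path, "rb") as f:
            return check_reg_dat(f.read())
    except OSError:
        return 0


def forge_reg_dat(level: int) -> bytes:
    """Keygen-style alternative to patching: the digest of a code for `level`."""
    for code, (_, lvl) in LISTED.items():
        if lvl == level:
            return sn_digest(code).encode()
    raise ValueError("no known code yields that edition")


def listing_matches(code: str) -> bool:
    """Does the digest shown in the IDA listing equal the real MD5 of `code`?"""
    return LISTED[code][0] == sn_digest(code)


if __name__ == "__main__":
    # Constructed demo: a temporary stand-in for /sdcard/reg.dat.
    path = os.path.join(tempfile.mkdtemp(), "reg.dat")
    with open(path, "wb") as f:
        f.write(forge_reg_dat(3))
    print(EDITIONS[check_reg_file(path)])        # Enterprise
    with open(path, "wb") as f:
        f.write(forge_reg_dat(3) + b"\n")        # what `echo` without -n would write
    print(EDITIONS[check_reg_file(path)])        # not registered
    for c in LISTED:
        print(c, sn_digest(c), listing_matches(c))
```

On a device the equivalent is `adb push` of a file containing exactly the 32 hex characters; the newline case above is the usual reason a hand-written reg.dat is rejected.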

 

That is the core of the check. initSN reads the file content and compares it directly as a string against these MD5 values:

    Registration code   MD5 (lowercase hex)                 Meaning                  Value
    12345678            25d55ad283aa400af464c76d713c07ad    Official Edition         1
    22345678            08e0750210f66108eb83957973705aad    Professional Edition     2
    32345678            b2db1185c9e5b88d9b70d7b3278a4947    Enterprise Edition       3
    42345678            18e56d777d194c4d589046d62801501c    Dedicated Edition        4

There are two further states. If initSN fails to open the file, fails to allocate memory, or the code matches none of the hashes, the value is 0 and the program reports "The program is not registered and the function cannot be used!". The remaining message, "Software version status exception!", is unreachable in theory, since setValue only ever receives 0 to 4. After the comparison the result is stored in memory with setValue. The work function reads it back with getValue and dispatches on it:

.text:000014A0 10 40 2D E9    STMFD SP!, {R4,LR}
.text:000014A4 00 40 A0 E1    MOV   R4, R0
.text:000014A8 6F FF FF EB    BL    fnCheckRegSN
.text:000014AC 04 00 A0 E1    MOV   R0, R4
.text:000014B0 35 FF FF EB    BL    getValue          ; read the comparison result
.text:000014B4 00 00 50 E3    CMP   R0, #0            ; 0: registration failed
.text:000014B8 0C 00 00 0A    BEQ   loc_14F0
.text:000014BC 01 00 50 E3    CMP   R0, #1
.text:000014C0 13 00 00 0A    BEQ   loc_1514
.text:000014C4 02 00 50 E3    CMP   R0, #2
.text:000014C8 16 00 00 0A    BEQ   loc_1528
.text:000014CC 03 00 50 E3    CMP   R0, #3            ; 3: Enterprise Edition
.text:000014D0 19 00 00 0A    BEQ   fEnterpriseVersion
.text:000014D4 04 00 50 E3    CMP   R0, #4
.text:000014D8 04 00 A0 E1    MOV   R0, R4
.text:000014DC 08 00 00 0A    BEQ   loc_1504
.text:000014E0 68 10 9F E5    LDR   R1, =(aSPfCiicMckCabx - 0x14EC)
.text:000014E4 01 10 8F E0    ADD   R1, PC, R1        ; "Software version status exception!"
.text:000014E8 10 40 BD E8    LDMFD SP!, {R4,LR}
.text:000014EC B6 FF FF EA    B     callWork

Each branch loads the message for its edition and tail-calls callWork:

.text:000014F0 loc_14F0                                ; CODE XREF: fnShowRegResult+18
.text:000014F0 5C 10 9F E5    LDR   R1, =(aCilxPcKcIxjmqM - 0x1500)
.text:000014F4 04 00 A0 E1    MOV   R0, R4
.text:000014F8 01 10 8F E0    ADD   R1, PC, R1        ; "The program is not registered and the function cannot be used!"
.text:000014FC 10 40 BD E8    LDMFD SP!, {R4,LR}
.text:00001500 B1 FF FF EA    B     callWork
.text:00001504 loc_1504                                ; CODE XREF: fnShowRegResult+3C
.text:00001504 4C 10 9F E5    LDR   R1, =(aCdqsVcvifCfifU - 0x1510)
.text:00001508 01 10 8F E0    ADD   R1, PC, R1        ; "Thank you for using the Dedicated Edition program!"
.text:0000150C 10 40 BD E8    LDMFD SP!, {R4,LR}
.text:00001510 AD FF FF EA    B     callWork
.text:00001514 loc_1514                                ; CODE XREF: fnShowRegResult+20
.text:00001514 40 10 9F E5    LDR   R1, =(aCdqsVcvisNfCng - 0x1524)
.text:00001518 04 00 A0 E1    MOV   R0, R4
.text:0000151C 01 10 8F E0    ADD   R1, PC, R1        ; "Thank you for purchasing the Official Edition program!"
.text:00001520 10 40 BD E8    LDMFD SP!, {R4,LR}
.text:00001524 A8 FF FF EA    B     callWork
.text:00001528 loc_1528                                ; CODE XREF: fnShowRegResult+28
.text:00001528 30 10 9F E5    LDR   R1, =(aCdqsVcvisNfFUf - 0x1538)
.text:0000152C 04 00 A0 E1    MOV   R0, R4
.text:00001530 01 10 8F E0    ADD   R1, PC, R1        ; "Thank you for purchasing the Professional Edition program!"
.text:00001534 10 40 BD E8    LDMFD SP!, {R4,LR}
.text:00001538 A3 FF FF EA    B     callWork
.text:0000153C fEnterpriseVersion                      ; CODE XREF: fnShowRegResult+30
.text:0000153C 20 10 9F E5    LDR   R1, =(asc_3A70 - 0x154C)  ; Enterprise Edition registered successfully
.text:00001540 04 00 A0 E1    MOV   R0, R4
.text:00001544 01 10 8F E0    ADD   R1, PC, R1        ; "Thank you for purchasing the Enterprise Edition program!"
.text:00001548 10 40 BD E8    LDMFD SP!, {R4,LR}
.text:0000154C 9E FF FF EA    B     callWork
.text:0000154C ; End of function fnShowRegResult

So the Enterprise Edition is what you get when setValue is called with 3. The plan is to patch the MOV instructions in initSN that set R1 so that every outcome (any comparison result, failure to open the file, failure to allocate memory) ends up as 3; then the Enterprise Edition appears with no registration at all. Back in the initSN function in IDA, take one branch as an example: change MOV R1, #2 to MOV R1, #3. The instruction is encoded as 02 10 A0 E3, with the immediate in the first byte, so in a hex editor change the 02 at file offset 0x1370 to 03. Patch the other branches in initSN the same way. Two things to watch: MOVNE R1, R8 (08 10 A0 11) is the register form, so it is not a one-byte change and has to be replaced by MOVNE R1, #3 (03 10 A0 13); and only immediates may change, since the ADD R1, PC, R1 and BEQ instructions around them are PC-relative and any change in instruction layout would break them.

[Screenshot: the modified bytes are highlighted in red.]

Save the .so, repackage the APK and re-sign it (an APK with a modified library will not install under the old signature), then install it in the emulator. Clicking the button now shows "Thank you for purchasing the Enterprise Edition program!" and the registration flow no longer appears.

[Screenshot: result]
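As an added example that is not part of the original article, here is a small Python patcher for the MOVs in initSN. It decodes the existing ARM instruction first and refuses to write unless it finds exactly the MOV the listing shows at that offset, so a wrong offset cannot silently corrupt the library; it then re-encodes MOV{cond} R1, #3 with the original condition code. The offsets 0x1340 and 0x1348 are taken from the listing on the assumption, which the article's own 0x1370 patch makes, that the .text virtual address equals the file offset; the offset of the MOV R1, #1 in the loc_135C branch is not given on the page and would have to be looked up in IDA. build_sample_image() is a constructed stand-in for libhack.so, not the real file.

```python
import struct
import sys

COND = {"EQ": 0x0, "NE": 0x1, "AL": 0xE}
COND_NAME = {v: k for k, v in COND.items()}
MOV_OPCODE = 0xD                # data-processing opcode field for MOV


def encode_mov_imm(rd: int, imm8: int, cond: str = "AL") -> bytes:
    """A32 MOV{cond} Rd, #imm8 (rotation 0), little-endian as stored in the .so."""
    if not 0 <= imm8 <= 0xFF or not 0 <= rd <= 15:
        raise ValueError("operand out of range")
    word = (COND[cond] << 28) | (1 << 25) | (MOV_OPCODE << 21) | (rd << 12) | imm8
    return struct.pack("<I", word)


def decode_mov(insn: bytes):
    """Return (cond, rd, operand) for a MOV with S=0, else None.
    operand is ('imm', value) or ('reg', rm) for the unshifted register form."""
    (word,) = struct.unpack("<I", insn)
    cond = word >> 28
    is_dp = (word >> 26) & 0x3 == 0                 # bits 27:26 == 00
    if not is_dp or (word >> 21) & 0xF != MOV_OPCODE or (word >> 20) & 1:
        return None
    rd = (word >> 12) & 0xF
    if (word >> 25) & 1:                             # immediate form
        rot, imm8 = (word >> 8) & 0xF, word & 0xFF
        value = ((imm8 >> (2 * rot)) | (imm8 << (32 - 2 * rot))) & 0xFFFFFFFF if rot else imm8
        return cond, rd, ("imm", value)
    if (word >> 4) & 0xFF == 0:                      # register form, no shift
        return cond, rd, ("reg", word & 0xF)
    return None


def patch_mov_r1(image: bytearray, offset: int, new_imm: int, expect) -> None:
    """Rewrite the MOV at `offset` to MOV{same cond} R1, #new_imm, but only after
    verifying that the bytes there are the MOV into R1 with operand `expect`."""
    found = decode_mov(bytes(image[offset:offset + 4]))
    if found is None or found[1] != 1 or found[2] != expect:
        raise ValueError(f"unexpected bytes at {offset:#x}: {image[offset:offset + 4].hex()}")
    cond = found[0]
    if cond not in COND_NAME:
        raise ValueError(f"unhandled condition code {cond:#x} at {offset:#x}")
    image[offset:offset + 4] = encode_mov_imm(1, new_imm, COND_NAME[cond])


# (offset, what the listing shows there, replacement immediate)
PATCHES = [
    (0x1340, ("imm", 4), 3),   # MOVEQ R1, #4 -> MOVEQ R1, #3  (42345678 branch)
    (0x1348, ("reg", 8), 3),   # MOVNE R1, R8 -> MOVNE R1, #3  (no match / open or alloc failure)
    (0x1370, ("imm", 2), 3),   # MOV   R1, #2 -> MOV   R1, #3  (22345678 branch, loc_136C)
]


def patch_image(image: bytearray) -> bytearray:
    """Apply every patch in place; raises before writing anything if one fails to verify."""
    for off, expect, _ in PATCHES:             # verify all first, then write
        patch_mov_r1(bytearray(image), off, 3, expect)
    for off, expect, new in PATCHES:
        patch_mov_r1(image, off, new, expect)
    return image


def build_sample_image() -> bytearray:
    """Constructed stand-in for libhack.so: only the three MOVs from the listing,
    at the listing's offsets; everything else is zero."""
    img = bytearray(0x1400)
    img[0x1340:0x1344] = bytes.fromhex("0410A003")  # MOVEQ R1, #4
    img[0x1348:0x134C] = bytes.fromhex("0810A011")  # MOVNE R1, R8
    img[0x1370:0x1374] = bytes.fromhex("0210A0E3")  # MOV   R1, #2
    return img


if __name__ == "__main__":
    if len(sys.argv) == 3:                           # patcher.py libhack.so libhack.patched.so
        with open(sys.argv[1], "rb") as f:
            data = bytearray(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(patch_image(data))
    else:
        img = patch_image(build_sample_image())
        for off, _, _ in PATCHES:
            print(f"{off:#06x}: {img[off:off + 4].hex()}  {decode_mov(bytes(img[off:off + 4]))}")
```

The verify-then-write order matters when patching a real file: if the library was built with a different layout than the listing (different compiler, or the VA/file-offset assumption does not hold), the first mismatch aborts the run before any byte is changed.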

 
That completes this Android CrackMe. The APK and the IDA database mentioned in the article have been packaged and uploaded to Baidu cloud: Android CrackMe. Copied from the Program Life home page: http://www.programlife.net
