Simple Android CrackMe Analysis 2

Source: Internet
Author: User

This is an Android CrackMe found on the Internet. It is a simple one, but it has been processed with ProGuard.

I. The switch structure

Before analyzing this CrackMe, let's first talk about a problem with JD-GUI's support for the switch structure; it is enough to know that this bug exists. The switch statements decompiled by JD-GUI are poorly readable, so it is best to check the branch directions against the smali code. Let's first write some switch code to understand this bug. Compile the following code:

Button btnTest = (Button) findViewById(R.id.btnTest);
final EditText editInput = (EditText) findViewById(R.id.editText);
btnTest.setOnClickListener(new OnClickListener() {
    public void onClick(View v) {
        int n = Integer.parseInt(editInput.getText().toString());
        String strText;
        switch (n) {
        case 0:
            strText = "AAAA";
            break;
        case 1:
            strText = "BBBB";
            break;
        case 2:
            strText = "CCCC";
            break;
        default:
            strText = "DEFAULT";
            break;
        }
        Toast.makeText(getApplicationContext(), strText, Toast.LENGTH_LONG).show();
    }
});

 

Convert classes.dex into a jar package and view it with JD-GUI; the code already looks different:

public void onClick(View paramView)
{
    String str;
    switch (Integer.parseInt(this.val$editInput.getText().toString()))
    {
    default:
      str = "DEFAULT";
    case 0:
    case 1:
    case 2:
    }
    while (true)
    {
      Toast.makeText(this.this$0.getApplicationContext(), str, 1).show();
      return;
      str = "AAAA";
      continue;
      str = "BBBB";
      continue;
      str = "CCCC";
    }
}

 

This is really unfriendly to newcomers. With some experience, however, it can be read as follows: case 0 corresponds to AAAA, case 1 corresponds to BBBB, case 2 corresponds to CCCC, default corresponds to DEFAULT, and then the Toast code is executed and the method returns. Let's take a look at the structure of the smali code:

packed-switch v0, :pswitch_data_0    # v0 is the switch parameter
.line 47
const-string v1, "DEFAULT"           # default value
# ... many lines of code omitted ...
:pswitch_data_0
.packed-switch 0x0
    :pswitch_0
    :pswitch_1
    :pswitch_2
.end packed-switch

 

The above code can be read as follows: when the first instruction is executed, the value of v0 is checked against the .packed-switch table. Because the range we originally check is 0 to 2, the initial value is 0x0, and there are three branches corresponding to 0, 1 and 2 respectively. If the value matches, execution jumps to the corresponding branch; if not, execution comes back to the instruction after packed-switch, that is, the default branch. If the values checked in the switch are not contiguous, the code changes a little, for example:

sparse-switch v0, :sswitch_data_0    # v0 is the switch parameter
.line 36
const-string v1, "DEFAULT"           # default value
:sswitch_data_0
.sparse-switch
    0x4d2 -> :sswitch_0    # branch 1
    0x929 -> :sswitch_1    # branch 2
    0xd80 -> :sswitch_2    # branch 3
.end sparse-switch
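
The lookup that packed-switch and sparse-switch perform can be reproduced offline to check which branch a decompiled case really takes. The following Python sketch is an added example, not code from the original article or the CrackMe; the function names parse_switch_tables and resolve are hypothetical, and the sample smali is constructed from the two tables shown above.

```python
import re

# Constructed sample modelled on the two smali tables above.
SAMPLE_SMALI = """\
packed-switch v0, :pswitch_data_0    # v0 is the switch parameter
const-string v1, "DEFAULT"
:pswitch_data_0
.packed-switch 0x0
    :pswitch_0
    :pswitch_1
    :pswitch_2
.end packed-switch
sparse-switch v0, :sswitch_data_0
:sswitch_data_0
.sparse-switch
    0x4d2 -> :sswitch_0
    0x929 -> :sswitch_1
    0xd80 -> :sswitch_2
.end sparse-switch
"""

def parse_switch_tables(smali):
    """Map each payload label to {case value: target label}."""
    tables, label, kind, table, key = {}, None, None, None, 0
    for raw in smali.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line:
            continue
        if kind is None:                       # outside a payload
            packed = re.fullmatch(r"\.packed-switch\s+(-?0x[0-9a-fA-F]+)", line)
            if packed or line == ".sparse-switch":
                kind = "packed" if packed else "sparse"
                key = int(packed.group(1), 16) if packed else 0
                table = tables.setdefault(label, {})
            elif line.startswith(":"):
                label = line                   # remember the payload's label
        elif line.startswith(".end "):
            kind = None
        elif kind == "packed":                 # consecutive values from first key
            table[key] = line
            key += 1
        else:                                  # sparse: explicit "value -> :label"
            value, target = (part.strip() for part in line.split("->"))
            table[int(value, 16)] = target
    return tables

def resolve(table, value):
    """Return the branch taken for value; unmatched values fall through."""
    return table.get(value, "default (fall through)")
```
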

 

The keyword changes from packed-switch to sparse-switch, and the branch structure becomes one specific value per branch. That is all for switch; the main point is to show how JD-GUI renders switch code. In fact, not only for switch: JD-GUI's output is sometimes hard to read, and in those cases it has to be analyzed together with the smali code.

II. CrackMe analysis

Now let's dissect the CrackMe. First, use the ApkTool GUI to decompile the apk file and view AndroidManifest.xml, which shows that the main Activity class is Main. Then extract classes.dex from the APK package with an archive tool and convert it to a jar package so that the Java code can be viewed in JD-GUI. There are many method and class names such as a, b and c, which shows that the code was processed by ProGuard, but that does not matter; the code can still be read.

2.1 Class b code analysis

Starting from the Main class code, you can see that classes a, b and c are used. Here we look at class b first. Class b provides a public constructor b, a private member function b, and a public member function a. The private method b obtains device-related information through TelephonyManager, obtains the signature of its own package (com.lohan.crackme1) through PackageManager, and then concatenates these strings. Method a of class b obtains this string by calling method b and then stores it under the key machine_id through SharedPreferences.Editor; this is the so-called machine code. In summary, class b provides method a, which generates the machine code and stores it in the system under the key machine_id.

2.2 Class c code analysis

Class c provides many methods. Their functions are described one by one below.

1. public c(Context paramContext) is the constructor. It also defines two strings: b = "f0d412b5530e1f9841aab434d989cc77"; c = "4ec407446b872351e613111339daae9";

2. public static boolean b() obtains its own signature through getPackageManager. If the signature is equal to either of the two strings b or c from the constructor, false is returned; otherwise, true is returned.

3. private static String b(String paramString) uses MessageDigest to calculate the MD5 value of paramString.

4. public static int a(String paramString): the JD-GUI output is a bit messy, so it was combined with the smali code. The restored code is as follows:

public static int a(String paramString) {
    if (b() == false) {
        SharedPreferences localSharedPreferences =
            PreferenceManager.getDefaultSharedPreferences(a);
        String mId = localSharedPreferences.getString("machine_id", "");
        String idMd5 = b(mId);
        if (idMd5.equals(paramString) == false) {
            return 0;
        }
        SharedPreferences.Editor editor1 = localSharedPreferences.edit();
        editor1.putString("serial", paramString);
        editor1.commit();
        return 1;
    }
    return 0;
}

It can be seen that this code calculates the MD5 of the machine code. If it is consistent with the input parameter, the value is saved to the serial field through SharedPreferences. Of course, some checks are also made by calling method b. The signature cannot be known.

 

5. public static boolean a() is actually a wrapper around int a(String paramString) above. It obtains the serial field through SharedPreferences, passes it to that method, and returns the corresponding value.

2.3 Class a code analysis

Class a is a countdown of 6 seconds, after which the a method of class c (the boolean one) is called. If false is returned, the TextView content is set to prompt for registration.

2.4 Main class code analysis

In the onCreate method, b.a() is called first to store the machine code, and then c.a() is called, that is, to determine whether serial has been stored and whether it passes the algorithm verification:

invoke-static {}, Lcom/lohan/crackme1/c;->a()Z
move-result v0
if-eqz v0, :cond_0
:try_start_0
invoke-direct {p0}, Lcom/lohan/crackme1/Main;->a()V
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
:cond_0
:goto_0
return-void

 

If verification fails, nothing is done. If it passes, Main calls its own method a(), which calls the c.b() method; if c.b() returns false, the Button and EditText are set to hidden (setVisibility(4)), the TextView text is set to PRO VERSION! (id = "0x7f040003"), and the countdown class a is started. So there are two verifications here. In the onClick method, the entered registration code is passed to the c.a(String) method for checking. If it passes, the prompt "Thanks for purchasing!" is displayed; otherwise, the message "Invalid serial!" is displayed. From the above analysis, if the APK signature is f0d412b5530e1f9841aab434d989cc77 or 4ec407446b872351e613111339daae9, then even if the serial number passes verification, PRO VERSION! is displayed and, 6 seconds later, you are prompted to register. However, the APK signature is a long string, so there should be no impact here.

III. Writing the Keygen

Refer to method b of class b to obtain the machine code and then calculate its MD5 value. The core code is as follows:

btnKeygen.setOnClickListener(new OnClickListener() {
    public void onClick(View v) {
        TelephonyManager tm = (TelephonyManager) getSystemService("phone");
        String str1 = tm.getDeviceId();
        String str2 = tm.getLine1Number();
        String str3 = tm.getDeviceSoftwareVersion();
        String str4 = tm.getSimSerialNumber();
        String str5 = tm.getSubscriberId();
        String machineId;
        PackageManager pm = getPackageManager();
        try {
            PackageInfo pkgInfo = pm.getPackageInfo("com.lohan.crackme1", PackageManager.GET_SIGNATURES);
            String sig = pkgInfo.signatures[0].toCharsString();
            machineId = str1 + str2 + str3 + str4 + str5 + sig;
            // machine code
            editMachineId.setText(machineId);
            // signature
            editSig.setText(sig);
            // registration code: MD5 of the machine code, as a hex string
            MessageDigest md = MessageDigest.getInstance("MD5");
            int len = machineId.length();
            md.update(machineId.getBytes(), 0, len);
            BigInteger bigInt = new BigInteger(1, md.digest());
            String serial = bigInt.toString(16);
            editSerial.setText(serial);
        } catch (Exception e) {
            editMachineId.setText("CrackMe not found");
        }
    }
});

 

The Keygen runs as follows:

Enter the registration code into the CrackMe to register; the following message is displayed:

IV. Resources

Android CrackMes are hard to find; only a few can be found on crackmes.de. The CrackMe in this article comes from the Internet. The author's blog is. CrackMe/Keygen download: http://pan.baidu.com/share/link? Author ID = 2857217394 & uk = 369321854

Copied from Program Life. Home page: http://www.programlife.net
