Android逆向笔记之smali代码分析

前言:书本中对crackme02.apk的破解是分析关键词进行破解的,而本文使用另外的Smali分析方式,对样本进行分析。
样本:《Android软件安全与逆向分析》crackme02.apk
工具:AndroidKiller v1.3.1.0(AK) && Android Studio2.2.3(AS)
语言:Java,Smali
目的:Smali代码分析破解程序实现免注册码注册。

使用shakaapktool反编译apk文件后,生成的文件夹中会出现一个smali文件夹。
smali文件格式如下:
一、描述类信息
.class <访问权限>[修饰关键字]<类名>
.super<父类名>
.source<源文件名>

二、代码主体
1、字段声明
.field<访问权限>[修饰关键字]<字段名>:<字段类型>
2、直接/虚方法声明
“#direct methods / #virtual method
.method
…….
.end method
3、.locals 指定使用的局部变量个数
4、.parameter 指定方法参数
5、.prologue 指定代码开始处
6、move-result v0 移动上一次方法调用的返回值到寄存器v0
等。。。
具体AndroidKiller上面有提示

贴上项目中Mainactivity.smali代码:

.class public Lcom/droider/crackme0201/MainActivity;
.super Landroid/app/Activity;
.source "MainActivity.java"


# instance fields
.field private btn_register:Landroid/widget/Button;

.field private edit_sn:Landroid/widget/EditText;

.field private edit_userName:Landroid/widget/EditText;


# direct methods
.method public constructor ()V
    .locals 0

    .prologue
    .line 17
    invoke-direct {p0}, Landroid/app/Activity;->()V

    return-void
.end method

.method static synthetic access$000(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/EditText;
    .locals 1
    .param p0, "x0"    # Lcom/droider/crackme0201/MainActivity;

    .prologue
    .line 17
    iget-object v0, p0, Lcom/droider/crackme0201/MainActivity;->edit_userName:Landroid/widget/EditText;

    return-object v0
.end method

.method static synthetic access$100(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/EditText;
    .locals 1
    .param p0, "x0"    # Lcom/droider/crackme0201/MainActivity;

    .prologue
    .line 17
    iget-object v0, p0, Lcom/droider/crackme0201/MainActivity;->edit_sn:Landroid/widget/EditText;

    return-object v0
.end method

.method static synthetic access$200(Lcom/droider/crackme0201/MainActivity;Ljava/lang/String;Ljava/lang/String;)Z
    .locals 1
    .param p0, "x0"    # Lcom/droider/crackme0201/MainActivity;
    .param p1, "x1"    # Ljava/lang/String;
    .param p2, "x2"    # Ljava/lang/String;

    .prologue
    .line 17
    invoke-direct {p0, p1, p2}, Lcom/droider/crackme0201/MainActivity;->checkSN(Ljava/lang/String;Ljava/lang/String;)Z

    move-result v0

    return v0
.end method

.method static synthetic access$300(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/Button;
    .locals 1
    .param p0, "x0"    # Lcom/droider/crackme0201/MainActivity;

    .prologue
    .line 17
    iget-object v0, p0, Lcom/droider/crackme0201/MainActivity;->btn_register:Landroid/widget/Button;

    return-object v0
.end method

.method private checkSN(Ljava/lang/String;Ljava/lang/String;)Z
    .locals 10
    .param p1, "userName"    # Ljava/lang/String;
    .param p2, "sn"    # Ljava/lang/String;

    .prologue
    const/4 v7, 0x1

    .line 54
    if-eqz p1, :cond_0

    :try_start_0
    invoke-virtual {p1}, Ljava/lang/String;->length()I

    move-result v8

    if-nez v8, :cond_1

    .line 76
    :cond_0 #return v7的出口
    :goto_0
    return v7

    .line 56
    :cond_1
    if-eqz p2, :cond_0

    invoke-virtual {p2}, Ljava/lang/String;->length()I

    move-result v8

    const/16 v9, 0x10

    if-ne v8, v9, :cond_0

    .line 58
    const-string v8, "MD5"

    invoke-static {v8}, Ljava/security/MessageDigest;->getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;

    move-result-object v1

    .line 59
    .local v1, "digest":Ljava/security/MessageDigest;
    invoke-virtual {v1}, Ljava/security/MessageDigest;->reset()V

    .line 60
    invoke-virtual {p1}, Ljava/lang/String;->getBytes()[B

    move-result-object v8

    invoke-virtual {v1, v8}, Ljava/security/MessageDigest;->update([B)V

    .line 61
    invoke-virtual {v1}, Ljava/security/MessageDigest;->digest()[B

    move-result-object v0

    .line 62
    .local v0, "bytes":[B
    const-string v8, ""

    invoke-static {v0, v8}, Lcom/droider/crackme0201/MainActivity;->toHexString([BLjava/lang/String;)Ljava/lang/String;

    move-result-object v3

    .line 63
    .local v3, "hexstr":Ljava/lang/String;
    new-instance v5, Ljava/lang/StringBuilder;

    invoke-direct {v5}, Ljava/lang/StringBuilder;->()V

    .line 64
    .local v5, "sb":Ljava/lang/StringBuilder;
    const/4 v4, 0x0

    .local v4, "i":I
    :goto_1
    invoke-virtual {v3}, Ljava/lang/String;->length()I

    move-result v8

    if-ge v4, v8, :cond_2

    .line 65
    invoke-virtual {v3, v4}, Ljava/lang/String;->charAt(I)C

    move-result v8

    invoke-virtual {v5, v8}, Ljava/lang/StringBuilder;->append(C)Ljava/lang/StringBuilder;

    .line 64
    add-int/lit8 v4, v4, 0x2

    goto :goto_1

    .line 67
    :cond_2
    invoke-virtual {v5}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v6

    .line 70
    .local v6, "userSN":Ljava/lang/String;
    invoke-virtual {v6, p2}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z
    :try_end_0
    .catch Ljava/security/NoSuchAlgorithmException; {:try_start_0 .. :try_end_0} :catch_0

    move-result v8

    if-eqz v8, :cond_0

    .line 76
    const/4 v7, 0x0

    goto :goto_0

    .line 72
    .end local v0    # "bytes":[B
    .end local v1    # "digest":Ljava/security/MessageDigest;
    .end local v3    # "hexstr":Ljava/lang/String;
    .end local v4    # "i":I
    .end local v5    # "sb":Ljava/lang/StringBuilder;
    .end local v6    # "userSN":Ljava/lang/String;
    :catch_0
    move-exception v2

    .line 73
    .local v2, "e":Ljava/security/NoSuchAlgorithmException;
    invoke-virtual {v2}, Ljava/security/NoSuchAlgorithmException;->printStackTrace()V

    goto :goto_0
.end method

.method private static toHexString([BLjava/lang/String;)Ljava/lang/String;
    .locals 7
    .param p0, "bytes"    # [B
    .param p1, "separator"    # Ljava/lang/String;

    .prologue
    .line 80
    new-instance v2, Ljava/lang/StringBuilder;

    invoke-direct {v2}, Ljava/lang/StringBuilder;->()V

    .line 81
    .local v2, "hexString":Ljava/lang/StringBuilder;
    array-length v4, p0

    const/4 v3, 0x0

    :goto_0
    if-ge v3, v4, :cond_1

    aget-byte v0, p0, v3

    .line 82
    .local v0, "b":B
    and-int/lit16 v5, v0, 0xff

    invoke-static {v5}, Ljava/lang/Integer;->toHexString(I)Ljava/lang/String;

    move-result-object v1

    .line 83
    .local v1, "hex":Ljava/lang/String;
    invoke-virtual {v1}, Ljava/lang/String;->length()I

    move-result v5

    const/4 v6, 0x1

    if-ne v5, v6, :cond_0

    .line 84
    const/16 v5, 0x30

    invoke-virtual {v2, v5}, Ljava/lang/StringBuilder;->append(C)Ljava/lang/StringBuilder;

    .line 86
    :cond_0
    invoke-virtual {v2, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v5

    invoke-virtual {v5, p1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    .line 81
    add-int/lit8 v3, v3, 0x1

    goto :goto_0

    .line 88
    .end local v0    # "b":B
    .end local v1    # "hex":Ljava/lang/String;
    :cond_1
    invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    return-object v3
.end method


# virtual methods
.method public onCreate(Landroid/os/Bundle;)V
    .locals 2
    .param p1, "savedInstanceState"    # Landroid/os/Bundle;

    .prologue
    .line 23
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    .line 24
    const/high16 v0, 0x7f030000

    invoke-virtual {p0, v0}, Lcom/droider/crackme0201/MainActivity;->setContentView(I)V

    .line 25
    const v0, 0x7f05000a

    invoke-virtual {p0, v0}, Lcom/droider/crackme0201/MainActivity;->setTitle(I)V

    .line 26
    const v0, 0x7f080001

    invoke-virtual {p0, v0}, Lcom/droider/crackme0201/MainActivity;->findViewById(I)Landroid/view/View;

    move-result-object v0

    check-cast v0, Landroid/widget/EditText;

    iput-object v0, p0, Lcom/droider/crackme0201/MainActivity;->edit_userName:Landroid/widget/EditText;

    .line 27
    const v0, 0x7f080002

    invoke-virtual {p0, v0}, Lcom/droider/crackme0201/MainActivity;->findViewById(I)Landroid/view/View;

    move-result-object v0

    check-cast v0, Landroid/widget/EditText;

    iput-object v0, p0, Lcom/droider/crackme0201/MainActivity;->edit_sn:Landroid/widget/EditText;

    .line 28
    const v0, 0x7f080003

    invoke-virtual {p0, v0}, Lcom/droider/crackme0201/MainActivity;->findViewById(I)Landroid/view/View;

    move-result-object v0

    check-cast v0, Landroid/widget/Button;

    iput-object v0, p0, Lcom/droider/crackme0201/MainActivity;->btn_register:Landroid/widget/Button;

    .line 29
    iget-object v0, p0, Lcom/droider/crackme0201/MainActivity;->btn_register:Landroid/widget/Button;

    new-instance v1, Lcom/droider/crackme0201/MainActivity$1;

    invoke-direct {v1, p0}, Lcom/droider/crackme0201/MainActivity$1;->(Lcom/droider/crackme0201/MainActivity;)V

    invoke-virtual {v0, v1}, Landroid/widget/Button;->setOnClickListener(Landroid/view/View$OnClickListener;)V

    .line 44
    return-void
.end method

.method public onCreateOptionsMenu(Landroid/view/Menu;)Z
    .locals 2
    .param p1, "menu"    # Landroid/view/Menu;

    .prologue
    .line 48
    invoke-virtual {p0}, Lcom/droider/crackme0201/MainActivity;->getMenuInflater()Landroid/view/MenuInflater;

    move-result-object v0

    const/high16 v1, 0x7f070000

    invoke-virtual {v0, v1, p1}, Landroid/view/MenuInflater;->inflate(ILandroid/view/Menu;)V

    .line 49
    const/4 v0, 0x1

    return v0
.end method

然后是根据上述smali代码进行Java解释分析:

private (Button)btn_register;
private (EditText)edit_sn;
private (EditText)edit_userName

public void constructoe(init) {
    void Android.app.Activity().init;
}

bool private checkSN(String ){
    p1 = String "userName" 
    p2 =String "sn" 
    v7 = 0x0  //四位
    if(p1 == 0){
      return v7
    }
    else{
    ##开始捕获异常
        v8 = (int)p1.length
        if(v8 != 0){
            if(p2 = 0){
                return v7
            }
        }
        else
            return v7
    }
    v8 = int p2.length
    v9 = 0x10 //16位
    if(v8 != v9)
        return v7
    v8 = const "MD5"
    java.security.MessageDigest v1 = java.security.MessageDigest.getInstance(v8)
    v1 = (MessageDigest.digest) #.local v1,"digest":Ljava/security/MessageDigest;(猜测)
    v8 = byte[] getBytes(p1)
    MessageDigest v1.update(v8)
    v0 = byte[] v1.digest.digest
    v0 = (byte[])
    v8 = String ""
    v8 = (String)toHexString(v0)
    v3 = v8
    hexstr -> v3   .local v3, "hexstr":Ljava/lang/String;
    v5 = new StringBuilder
    sb -> v5
    v4 = 0x0 四位数
    int i -> v4
    int v8 = v3.length
    if(v4 > v8){
        v6 = v5.toString
        String userSN -> v6
        bool v8 = equalsIgnoreCase(v6,p2)
        } ##捕获异常终点
    ##处理异常 catch Ljava/security/NoSuchAlgorithmException; {:try_start_0 .. :try_end_0} :catch_0
    if (v8 == 0) return v7
    v7 = 0x1 四位数
    return v7 ##返回正确
    v2 = exception
    }

我们注意到:
1、在smali代码的.line 76处定义了一个出口:cond_0,而每次进行值得判断的时候总要跳转到这个地方。因此
return v7可能就是程序返回结果的关键代码。
2、注意到

.locals 10
    .param p1, "userName"    # Ljava/lang/String;
    .param p2, "sn"    # Ljava/lang/String;

    .prologue
    const/4 v7, 0x0

这里利用4位常量0x0来初始化寄存器v7的值,且注意到如下Java解释的代码:
if (v8 == 0) return v7
v7 = 0x1 四位数
return v7 ##返回正确
v2 = exception
}
对应的smali代码:

if-eqz v8, :cond_0
    .line 76
    const/4 v7, 0x1

v7的值为0x1时,注册成功。
因此直接修改v7初始化的值即可,即改

.locals 10
    .param p1, "userName"    # Ljava/lang/String;
    .param p2, "sn"    # Ljava/lang/String;

    .prologue
   const/4 v7, 0x0

const/4 v7, 0x0改为const/4 v7, 0x1
然后将工程利用Apkkiller回编译并安装apk到机器中有如下免注册码注册效果:
Android逆向笔记之smali代码分析_第1张图片

你可能感兴趣的:(Android逆向,汇编)