Android逆向笔记之smali代码分析
前言:书本中对crackme02.apk的破解是分析关键词进行破解的,而本文使用另外的Smali分析方式,对样本进行分析。
样本:《Android软件安全与逆向分析》crackme02.apk
工具:AndroidKiller v1.3.1.0(AK) && Android Studio2.2.3(AS)
语言:Java,Smali
目的:Smali代码分析破解程序实现免注册码注册。
使用shakaapktool反编译apk文件后,生成的文件夹中会出现一个smali文件夹。
smali文件格式如下:
一、描述类信息
.class <访问权限>[修饰关键字]<类名>
.super<父类名>
.source<源文件名>
二、代码主体
1、字段声明
.field<访问权限>[修饰关键字]<字段名>:<字段类型>
2、直接/虚方法声明
“#direct methods / #virtual method
.method
…….
.end method
3、.locals 指定使用的局部变量个数
4、.parameter 指定方法参数
5、.prologue 指定代码开始处
6、move-result v0 移动上一次方法调用的返回值到寄存器v0
等。。。
具体AndroidKiller上面有提示
贴上项目中Mainactivity.smali代码:
.class public Lcom/droider/crackme0201/MainActivity;
.super Landroid/app/Activity;
.source "MainActivity.java"
# instance fields
.field private btn_register:Landroid/widget/Button;
.field private edit_sn:Landroid/widget/EditText;
.field private edit_userName:Landroid/widget/EditText;
# direct methods
.method public constructor ()V
.locals 0
.prologue
.line 17
invoke-direct {p0}, Landroid/app/Activity;->()V
return-void
.end method
.method static synthetic access$000(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/EditText;
.locals 1
.param p0, "x0" # Lcom/droider/crackme0201/MainActivity;
.prologue
.line 17
iget-object v0, p0, Lcom/droider/crackme0201/MainActivity;->edit_userName:Landroid/widget/EditText;
return-object v0
.end method
.method static synthetic access$100(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/EditText;
.locals 1
.param p0, "x0" # Lcom/droider/crackme0201/MainActivity;
.prologue
.line 17
iget-object v0, p0, Lcom/droider/crackme0201/MainActivity;->edit_sn:Landroid/widget/EditText;
return-object v0
.end method
.method static synthetic access$200(Lcom/droider/crackme0201/MainActivity;Ljava/lang/String;Ljava/lang/String;)Z
.locals 1
.param p0, "x0" # Lcom/droider/crackme0201/MainActivity;
.param p1, "x1" # Ljava/lang/String;
.param p2, "x2" # Ljava/lang/String;
.prologue
.line 17
invoke-direct {p0, p1, p2}, Lcom/droider/crackme0201/MainActivity;->checkSN(Ljava/lang/String;Ljava/lang/String;)Z
move-result v0
return v0
.end method
.method static synthetic access$300(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/Button;
.locals 1
.param p0, "x0" # Lcom/droider/crackme0201/MainActivity;
.prologue
.line 17
iget-object v0, p0, Lcom/droider/crackme0201/MainActivity;->btn_register:Landroid/widget/Button;
return-object v0
.end method
.method private checkSN(Ljava/lang/String;Ljava/lang/String;)Z
.locals 10
.param p1, "userName" # Ljava/lang/String;
.param p2, "sn" # Ljava/lang/String;
.prologue
const/4 v7, 0x1
.line 54
if-eqz p1, :cond_0
:try_start_0
invoke-virtual {p1}, Ljava/lang/String;->length()I
move-result v8
if-nez v8, :cond_1
.line 76
:cond_0 #return v7的出口
:goto_0
return v7
.line 56
:cond_1
if-eqz p2, :cond_0
invoke-virtual {p2}, Ljava/lang/String;->length()I
move-result v8
const/16 v9, 0x10
if-ne v8, v9, :cond_0
.line 58
const-string v8, "MD5"
invoke-static {v8}, Ljava/security/MessageDigest;->getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;
move-result-object v1
.line 59
.local v1, "digest":Ljava/security/MessageDigest;
invoke-virtual {v1}, Ljava/security/MessageDigest;->reset()V
.line 60
invoke-virtual {p1}, Ljava/lang/String;->getBytes()[B
move-result-object v8
invoke-virtual {v1, v8}, Ljava/security/MessageDigest;->update([B)V
.line 61
invoke-virtual {v1}, Ljava/security/MessageDigest;->digest()[B
move-result-object v0
.line 62
.local v0, "bytes":[B
const-string v8, ""
invoke-static {v0, v8}, Lcom/droider/crackme0201/MainActivity;->toHexString([BLjava/lang/String;)Ljava/lang/String;
move-result-object v3
.line 63
.local v3, "hexstr":Ljava/lang/String;
new-instance v5, Ljava/lang/StringBuilder;
invoke-direct {v5}, Ljava/lang/StringBuilder;->()V
.line 64
.local v5, "sb":Ljava/lang/StringBuilder;
const/4 v4, 0x0
.local v4, "i":I
:goto_1
invoke-virtual {v3}, Ljava/lang/String;->length()I
move-result v8
if-ge v4, v8, :cond_2
.line 65
invoke-virtual {v3, v4}, Ljava/lang/String;->charAt(I)C
move-result v8
invoke-virtual {v5, v8}, Ljava/lang/StringBuilder;->append(C)Ljava/lang/StringBuilder;
.line 64
add-int/lit8 v4, v4, 0x2
goto :goto_1
.line 67
:cond_2
invoke-virtual {v5}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v6
.line 70
.local v6, "userSN":Ljava/lang/String;
invoke-virtual {v6, p2}, Ljava/lang/String;->equalsIgnoreCase(Ljava/lang/String;)Z
:try_end_0
.catch Ljava/security/NoSuchAlgorithmException; {:try_start_0 .. :try_end_0} :catch_0
move-result v8
if-eqz v8, :cond_0
.line 76
const/4 v7, 0x0
goto :goto_0
.line 72
.end local v0 # "bytes":[B
.end local v1 # "digest":Ljava/security/MessageDigest;
.end local v3 # "hexstr":Ljava/lang/String;
.end local v4 # "i":I
.end local v5 # "sb":Ljava/lang/StringBuilder;
.end local v6 # "userSN":Ljava/lang/String;
:catch_0
move-exception v2
.line 73
.local v2, "e":Ljava/security/NoSuchAlgorithmException;
invoke-virtual {v2}, Ljava/security/NoSuchAlgorithmException;->printStackTrace()V
goto :goto_0
.end method
.method private static toHexString([BLjava/lang/String;)Ljava/lang/String;
.locals 7
.param p0, "bytes" # [B
.param p1, "separator" # Ljava/lang/String;
.prologue
.line 80
new-instance v2, Ljava/lang/StringBuilder;
invoke-direct {v2}, Ljava/lang/StringBuilder;->()V
.line 81
.local v2, "hexString":Ljava/lang/StringBuilder;
array-length v4, p0
const/4 v3, 0x0
:goto_0
if-ge v3, v4, :cond_1
aget-byte v0, p0, v3
.line 82
.local v0, "b":B
and-int/lit16 v5, v0, 0xff
invoke-static {v5}, Ljava/lang/Integer;->toHexString(I)Ljava/lang/String;
move-result-object v1
.line 83
.local v1, "hex":Ljava/lang/String;
invoke-virtual {v1}, Ljava/lang/String;->length()I
move-result v5
const/4 v6, 0x1
if-ne v5, v6, :cond_0
.line 84
const/16 v5, 0x30
invoke-virtual {v2, v5}, Ljava/lang/StringBuilder;->append(C)Ljava/lang/StringBuilder;
.line 86
:cond_0
invoke-virtual {v2, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v5
invoke-virtual {v5, p1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
.line 81
add-int/lit8 v3, v3, 0x1
goto :goto_0
.line 88
.end local v0 # "b":B
.end local v1 # "hex":Ljava/lang/String;
:cond_1
invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v3
return-object v3
.end method
# virtual methods
.method public onCreate(Landroid/os/Bundle;)V
.locals 2
.param p1, "savedInstanceState" # Landroid/os/Bundle;
.prologue
.line 23
invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
.line 24
const/high16 v0, 0x7f030000
invoke-virtual {p0, v0}, Lcom/droider/crackme0201/MainActivity;->setContentView(I)V
.line 25
const v0, 0x7f05000a
invoke-virtual {p0, v0}, Lcom/droider/crackme0201/MainActivity;->setTitle(I)V
.line 26
const v0, 0x7f080001
invoke-virtual {p0, v0}, Lcom/droider/crackme0201/MainActivity;->findViewById(I)Landroid/view/View;
move-result-object v0
check-cast v0, Landroid/widget/EditText;
iput-object v0, p0, Lcom/droider/crackme0201/MainActivity;->edit_userName:Landroid/widget/EditText;
.line 27
const v0, 0x7f080002
invoke-virtual {p0, v0}, Lcom/droider/crackme0201/MainActivity;->findViewById(I)Landroid/view/View;
move-result-object v0
check-cast v0, Landroid/widget/EditText;
iput-object v0, p0, Lcom/droider/crackme0201/MainActivity;->edit_sn:Landroid/widget/EditText;
.line 28
const v0, 0x7f080003
invoke-virtual {p0, v0}, Lcom/droider/crackme0201/MainActivity;->findViewById(I)Landroid/view/View;
move-result-object v0
check-cast v0, Landroid/widget/Button;
iput-object v0, p0, Lcom/droider/crackme0201/MainActivity;->btn_register:Landroid/widget/Button;
.line 29
iget-object v0, p0, Lcom/droider/crackme0201/MainActivity;->btn_register:Landroid/widget/Button;
new-instance v1, Lcom/droider/crackme0201/MainActivity$1;
invoke-direct {v1, p0}, Lcom/droider/crackme0201/MainActivity$1;->(Lcom/droider/crackme0201/MainActivity;)V
invoke-virtual {v0, v1}, Landroid/widget/Button;->setOnClickListener(Landroid/view/View$OnClickListener;)V
.line 44
return-void
.end method
.method public onCreateOptionsMenu(Landroid/view/Menu;)Z
.locals 2
.param p1, "menu" # Landroid/view/Menu;
.prologue
.line 48
invoke-virtual {p0}, Lcom/droider/crackme0201/MainActivity;->getMenuInflater()Landroid/view/MenuInflater;
move-result-object v0
const/high16 v1, 0x7f070000
invoke-virtual {v0, v1, p1}, Landroid/view/MenuInflater;->inflate(ILandroid/view/Menu;)V
.line 49
const/4 v0, 0x1
return v0
.end method 然后是根据上述smali代码进行Java解释分析:
private (Button)btn_register;
private (EditText)edit_sn;
private (EditText)edit_userName
public void constructoe(init) {
void Android.app.Activity().init;
}
bool private checkSN(String ){
p1 = String "userName"
p2 =String "sn"
v7 = 0x0 //四位
if(p1 == 0){
return v7
}
else{
##开始捕获异常
v8 = (int)p1.length
if(v8 != 0){
if(p2 = 0){
return v7
}
}
else
return v7
}
v8 = int p2.length
v9 = 0x10 //16位
if(v8 != v9)
return v7
v8 = const "MD5"
java.security.MessageDigest v1 = java.security.MessageDigest.getInstance(v8)
v1 = (MessageDigest.digest) #.local v1,"digest":Ljava/security/MessageDigest;(猜测)
v8 = byte[] getBytes(p1)
MessageDigest v1.update(v8)
v0 = byte[] v1.digest.digest
v0 = (byte[])
v8 = String ""
v8 = (String)toHexString(v0)
v3 = v8
hexstr -> v3 .local v3, "hexstr":Ljava/lang/String;
v5 = new StringBuilder
sb -> v5
v4 = 0x0 四位数
int i -> v4
int v8 = v3.length
if(v4 > v8){
v6 = v5.toString
String userSN -> v6
bool v8 = equalsIgnoreCase(v6,p2)
} ##捕获异常终点
##处理异常 catch Ljava/security/NoSuchAlgorithmException; {:try_start_0 .. :try_end_0} :catch_0
if (v8 == 0) return v7
v7 = 0x1 四位数
return v7 ##返回正确
v2 = exception
}我们注意到:
1、在smali代码的.line 76处定义了一个出口:cond_0,而每次进行值得判断的时候总要跳转到这个地方。因此
return v7可能就是程序返回结果的关键代码。
2、注意到
.locals 10
.param p1, "userName" # Ljava/lang/String;
.param p2, "sn" # Ljava/lang/String;
.prologue
const/4 v7, 0x0这里利用4位常量0x0来初始化寄存器v7的值,且注意到如下Java解释的代码:
if (v8 == 0) return v7
v7 = 0x1 四位数
return v7 ##返回正确
v2 = exception
}
对应的smali代码:
if-eqz v8, :cond_0
.line 76
const/4 v7, 0x1v7的值为0x1时,注册成功。
因此直接修改v7初始化的值即可,即改
.locals 10
.param p1, "userName" # Ljava/lang/String;
.param p2, "sn" # Ljava/lang/String;
.prologue
const/4 v7, 0x0中const/4 v7, 0x0改为const/4 v7, 0x1
然后将工程利用Apkkiller回编译并安装apk到机器中有如下免注册码注册效果:
