Android Reverse Engineering: First Steps
Environment setup
OS: Windows 10 (1709) 64-bit
Java environment: JDK 1.8.0_144; JRE 1.8.0_144
Android Studio Version 3.1.1
Android SDK 4.4 & 8.1
Android emulator (I use Nox, "夜神")
AndroidKiller
First Android CrackMe
Test program
First look at the program and run it.
After entering a username and serial number, the app shows the message "未成功,還需努力" ("Not successful, keep trying").
Finding an entry point
Open the APK with AndroidKiller and analyze it. Using the project search feature, search for this prompt string; it turns up as shown in the figure below.
Code analysis:
Look at the project entry point and the other files. The following code in MainActivity$2.smali is where the app decides whether verification succeeded.
Main code:
.line 46
.local v1, "user":Ljava/lang/String;
iget-object v2, p0, Lcom/bluelesson/crackme000/MainActivity$2;->this$0:Lcom/bluelesson/crackme000/MainActivity;
invoke-static {v2}, Lcom/bluelesson/crackme000/MainActivity;->access$100(Lcom/bluelesson/crackme000/MainActivity;)Landroid/widget/EditText;
move-result-object v2
invoke-virtual {v2}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
move-result-object v2
invoke-virtual {v2}, Ljava/lang/Object;->toString()Ljava/lang/String;
move-result-object v0
.line 47
.local v0, "name":Ljava/lang/String;
const-string v2, ""
invoke-virtual {v1, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v2
if-nez v2, :cond_0
const-string v2, ""
invoke-virtual {v0, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v2
if-eqz v2, :cond_1
.line 48
:cond_0
iget-object v2, p0, Lcom/bluelesson/crackme000/MainActivity$2;->this$0:Lcom/bluelesson/crackme000/MainActivity;
invoke-static {v2, v5, v4}, Landroid/widget/Toast;->makeText(Landroid/content/Context;II)Landroid/widget/Toast;
move-result-object v2
.line 49
invoke-virtual {v2}, Landroid/widget/Toast;->show()V
.line 61
:goto_0
return-void
.line 52
:cond_1
iget-object v2, p0, Lcom/bluelesson/crackme000/MainActivity$2;->this$0:Lcom/bluelesson/crackme000/MainActivity;
const v3, 0x7f060024
invoke-virtual {v2, v3}, Lcom/bluelesson/crackme000/MainActivity;->getString(I)Ljava/lang/String;
move-result-object v2
invoke-virtual {v1, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v2
if-eqz v2, :cond_2
iget-object v2, p0, Lcom/bluelesson/crackme000/MainActivity$2;->this$0:Lcom/bluelesson/crackme000/MainActivity;
const v3, 0x7f060022
invoke-virtual {v2, v3}, Lcom/bluelesson/crackme000/MainActivity;->getString(I)Ljava/lang/String;
move-result-object v2
invoke-virtual {v0, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v2
if-eqz v2, :cond_2
.line 53
iget-object v2, p0, Lcom/bluelesson/crackme000/MainActivity$2;->this$0:Lcom/bluelesson/crackme000/MainActivity;
const v3, 0x7f06001a
invoke-static {v2, v3, v4}, Landroid/widget/Toast;->makeText(Landroid/content/Context;II)Landroid/widget/Toast;
move-result-object v2
.line 54
invoke-virtual {v2}, Landroid/widget/Toast;->show()V
.line 55
iget-object v2, p0, Lcom/bluelesson/crackme000/MainActivity$2;->this$0:Lcom/bluelesson/crackme000/MainActivity;
invoke-static {v2}, Lcom/bluelesson/crackme000/MainActivity;->access$200(Lcom/bluelesson/crackme000/MainActivity;)Landroid/widget/Button;
move-result-object v2
invoke-virtual {v2, v4}, Landroid/widget/Button;->setEnabled(Z)V
.line 56
iget-object v2, p0, Lcom/bluelesson/crackme000/MainActivity$2;->this$0:Lcom/bluelesson/crackme000/MainActivity;
const v3, 0x7f060019
invoke-virtual {v2, v3}, Lcom/bluelesson/crackme000/MainActivity;->setTitle(I)V
goto :goto_0
.line 58
:cond_2
iget-object v2, p0, Lcom/bluelesson/crackme000/MainActivity$2;->this$0:Lcom/bluelesson/crackme000/MainActivity;
invoke-static {v2, v5, v4}, Landroid/widget/Toast;->makeText(Landroid/content/Context;II)Landroid/widget/Toast;
move-result-object v2
.line 59
invoke-virtual {v2}, Landroid/widget/Toast;->show()V
goto :goto_0
.end method
Converting to pseudocode for analysis:
We can see that the strings being compared are fetched by resource id. Analyze the ids of the objects in these comparisons, together with the name and user objects seen earlier. Searching for name and user leads to the place where their ids are assigned; comparing them shows that these resource strings are exactly the verification strings.
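As an added illustration (not the crackme's source and not produced by AndroidKiller), the smali excerpt above reconstructed as the Java onClick listener it was compiled from. Registers v4 and v5 are assigned outside the excerpt; the reconstruction assumes v4 holds 0 (used both as false and as Toast.LENGTH_SHORT) and v5 holds the resource id of the failure message, and the field and constant names are assumptions.

```java
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;

// Reconstruction of MainActivity$2 from the smali above. Field names
// (etUser, etName, btnRegister) are assumed; access$100/access$200 are the
// synthetic accessors javac generates for the inner class to reach them.
// FAIL_MSG_ID stands for the value in v5, which the excerpt does not show.
public class MainActivity$2 implements View.OnClickListener {
    private static final int FAIL_MSG_ID = 0; // placeholder for register v5

    private final MainActivity this$0;
    private final EditText etUser, etName;
    private final Button btnRegister;

    MainActivity$2(MainActivity outer, EditText user, EditText name, Button reg) {
        this$0 = outer; etUser = user; etName = name; btnRegister = reg;
    }

    @Override
    public void onClick(View v) {
        String user = etUser.getText().toString();   // v1, read before .line 46
        String name = etName.getText().toString();   // v0, .line 47

        // if-nez / if-eqz pair: either field empty -> :cond_0 (failure toast)
        if (user.equals("") || name.equals("")) {
            Toast.makeText(this$0, FAIL_MSG_ID, Toast.LENGTH_SHORT).show();
            return;                                   // :goto_0 / return-void
        }

        // :cond_1 -- the weak spot: both inputs are compared in plaintext
        // against string resources 0x7f060024 and 0x7f060022, so the expected
        // values sit in resources.arsc and never need to be guessed.
        if (user.equals(this$0.getString(0x7f060024))
                && name.equals(this$0.getString(0x7f060022))) {
            Toast.makeText(this$0, 0x7f06001a, Toast.LENGTH_SHORT).show(); // .line 53
            btnRegister.setEnabled(false);                                 // .line 55
            this$0.setTitle(0x7f060019);                                   // .line 56
        } else {                                                           // :cond_2
            Toast.makeText(this$0, FAIL_MSG_ID, Toast.LENGTH_SHORT).show();
        }
    }
}
```

The defensive takeaway is the one the smali makes obvious: a check whose expected values are plain string resources is recoverable with a resource search alone, without reading any decompiled logic.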
Registration check:
user corresponds to the username resource ID, name corresponds to the serial-number resource ID
Enter those strings in the app to test. It shows "恭喜,成功註冊了" ("Congratulations, registered successfully"), and the register button turns grey and can no longer be clicked. That completes the first Android CrackMe.
Summary:
Android reversing is still young, and many of the approaches and patterns are simple. Program analysis can start directly from easy entry points such as strings, on-screen prompts, log messages and resource files; it is rarely necessary to go straight to the decompiled code.