081453491447681.png (158.33 KB, 下載次數: 0)
2016-3-28 10:22 上傳
開始分析:
當程式執行錯誤時:會彈出,無效的用戶名稱或註冊碼,以此線索來尋找關鍵代碼。開啟"resvaluesstring.xml"檔案:
- <?xml version="1.0" encoding="UTF-8"?>
- -<resources>
- <string name="app_name">Crackme0201</string>
- <string name="menu_settings">Settings</string>
- <string name="title_activity_main">Crackme0201</string>
- <string name="info">Android程式破解演示實例</string>
- <string name="username">用戶名稱:</string>
- <string name="sn">註冊碼:</string>
- <string name="register">注 冊</string>
- <string name="hint_username">請輸入用戶名稱</string>
- <string name="hint_sn">請輸入16位的註冊碼</string>
- <string name="unregister">程式未註冊</string>
- <string name="registered">程式已註冊</string>
- <string name="unsuccessed">無效用戶名稱或註冊碼</string>
- <string name="successed">恭喜您!註冊成功</string>
- </resources>
string.xml中的字符串資源在"gen/<packagename>/R.java"檔案中的string類中被標識,每一個字符串都有唯一的Int類型索引值,apktool反編譯之後,所有索引值在public.xml檔案中。
- <?xml version="1.0" encoding="UTF-8"?>
- -<resources>
- <public id="0x7f020001" name="ic_launcher" type="drawable"/>
- <public id="0x7f020000" name="ic_action_search" type="drawable"/>
- <public id="0x7f030000" name="activity_main" type="layout"/>
- <public id="0x7f040000" name="padding_small" type="dimen"/>
- <public id="0x7f040001" name="padding_medium" type="dimen"/>
- <public id="0x7f040002" name="padding_large" type="dimen"/>
- <public id="0x7f050000" name="app_name" type="string"/>
- <public id="0x7f050001" name="menu_settings" type="string"/>
- <public id="0x7f050002" name="title_activity_main" type="string"/>
- <public id="0x7f050003" name="info" type="string"/>
- <public id="0x7f050004" name="username" type="string"/>
- <public id="0x7f050005" name="sn" type="string"/>
- <public id="0x7f050006" name="register" type="string"/>
- <public id="0x7f050007" name="hint_username" type="string"/>
- <public id="0x7f050008" name="hint_sn" type="string"/>
- <public id="0x7f050009" name="unregister" type="string"/>
- <public id="0x7f05000a" name="registered" type="string"/>
- <public id="0x7f05000b" name="unsuccessed" type="string"/>
- <public id="0x7f05000c" name="successed" type="string"/>
- <public id="0x7f060000" name="AppTheme" type="style"/>
- <public id="0x7f070000" name="activity_main" type="menu"/>
- <public id="0x7f080000" name="textView1" type="id"/>
- <public id="0x7f080001" name="edit_username" type="id"/>
- <public id="0x7f080002" name="edit_sn" type="id"/>
- <public id="0x7f080003" name="button_register" type="id"/>
- <public id="0x7f080004" name="menu_settings" type="id"/>
- </resources>
可知:unsuccessed的值為0x7f05000b;
接下來在smali目錄中搜尋含有內容為0X7F05000b的檔案:【註:在檔案下面的組織裡面的--資料夾和搜尋選項中--搜尋---始終搜尋檔案名和內容】即可搜尋。(有點問題,有時候搜不出來。正在鑽研中。)
最後發現:只有MainActivity$1.smali檔案一處被調用。
- .class Lcom/droider/crackme0201/MainActivity$1;
- .super Ljava/lang/Object;
- .source "MainActivity.java"
- # interfaces
- .implements Landroid/view/View$OnClickListener;
- # annotations
- .annotation system Ldalvik/annotation/EnclosingMethod;
- value = Lcom/droider/crackme0201/MainActivity;->onCreate(Landroid/os/Bundle;)V
- .end annotation
- .annotation system Ldalvik/annotation/InnerClass;
- accessFlags = 0x0
- name = null
- .end annotation
- # instance fields
- .field final synthetic this$0:Lcom/droider/crackme0201/MainActivity;
- # direct methods
- .method constructor <init>(Lcom/droider/crackme0201/MainActivity;)V
- .locals 0
- .parameter
- .prologue
- .line 1
- iput-object p1, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;
- .line 29
- invoke-direct {p0}, Ljava/lang/Object;-><init>()V
- return-void
- .end method
- # virtual methods
- .method public onClick(Landroid/view/View;)V
- .locals 4
- .parameter "v"
- .prologue
- const/4 v3, 0x0
- .line 32
- iget-object v0, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;
- iget-object v1, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;
- #getter for: Lcom/droider/crackme0201/MainActivity;->edit_userName:Landroid/widget/EditText;
- invoke-static {v1}, Lcom/droider/crackme0201/MainActivity;->access$0(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/EditText;
- move-result-object v1
- invoke-virtual {v1}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
- move-result-object v1
- invoke-interface {v1}, Landroid/text/Editable;->toString()Ljava/lang/String;
- move-result-object v1
- invoke-virtual {v1}, Ljava/lang/String;->trim()Ljava/lang/String;
- move-result-object v1
- .line 33
- iget-object v2, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;
- #getter for: Lcom/droider/crackme0201/MainActivity;->edit_sn:Landroid/widget/EditText;
- invoke-static {v2}, Lcom/droider/crackme0201/MainActivity;->access$1(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/EditText;
- move-result-object v2
- invoke-virtual {v2}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
- move-result-object v2
- invoke-interface {v2}, Landroid/text/Editable;->toString()Ljava/lang/String;
- move-result-object v2
- invoke-virtual {v2}, Ljava/lang/String;->trim()Ljava/lang/String;
- move-result-object v2
- .line 32
- #calls: Lcom/droider/crackme0201/MainActivity;->checkSN(Ljava/lang/String;Ljava/lang/String;)Z
- invoke-static {v0, v1, v2}, Lcom/droider/crackme0201/MainActivity;->access$2(Lcom/droider/crackme0201/MainActivity;Ljava/lang/String;Ljava/lang/String;)Z
- move-result v0
- .line 33
- if-nez v0, :cond_0 #如果結果不為0,則跳轉到cond_0處。
- .line 34
- iget-object v0, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;
- .line 35
- const v1, 0x7f05000b
- .line 34
- invoke-static {v0, v1, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;II)Landroid/widget/Toast;
- move-result-object v0
- .line 35
- invoke-virtual {v0}, Landroid/widget/Toast;->show()V
- .line 42
- :goto_0
- return-void
- .line 37
- :cond_0
- iget-object v0, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;
- #使用iget-object指令獲取MainActivity實例的引用。
- .line 38
- const v1, 0x7f05000c
- .line 37
- invoke-static {v0, v1, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;II)Landroid/widget/Toast;
- move-result-object v0
- .line 38
- invoke-virtual {v0}, Landroid/widget/Toast;->show()V
- .line 39
- iget-object v0, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;
- #getter for: Lcom/droider/crackme0201/MainActivity;->btn_register:Landroid/widget/Button;
- invoke-static {v0}, Lcom/droider/crackme0201/MainActivity;->access$3(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/Button;
- move-result-object v0
- invoke-virtual {v0, v3}, Landroid/widget/Button;->setEnabled(Z)V
- .line 40
- iget-object v0, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;
- const v1, 0x7f05000a
- invoke-virtual {v0, v1}, Lcom/droider/crackme0201/MainActivity;->setTitle(I)V
- goto :goto_0
- .end method
修改Smali檔案代碼:
if-nez v0, :cond_0 #如果結果不為0,則跳轉到cond_0處。修改為:
if-eqz v0, :cond_0 #如果結果為0或等於0,則跳轉到cond_0處。
然後對修改後的檔案進行重新編譯打包成apk檔案。
在cmd中輸入:apktool b outdir
編譯生成的apk沒有簽名,還不能安裝測試。接下裡需要用signapk.jar工具對apk檔案進行簽名。
安裝測試:
由於AVD太慢,所以在手機設備上執行;轉換成手機模式:window---OpenPerspective---DDOS,雙擊即可。
在命令行下:adb install signed.apk
安裝完後,隨便輸入註冊碼,就會出現:恭喜您,註冊成功字樣!
作者: betty740827 時間: 2016-4-4 06:13
看不懂@@
作者: police4 時間: 2016-4-19 20:54
受益良多,繼續加油!!
| 歡迎光臨 Android 台灣中文網 (https://apk.tw/) | Powered by Discuz! X3.1 |