JavaScript basics
Prompt information- My Love Crack - LCG - LSG | Android Crack | Virus Analysis | www.52pojie.cn
1. Zero-based js reverse project
MD5 kill
length 32 positions
Search keywords:
Hexadecimal
0x67452301
Decimal
1732584193
RSA
search keywords:
setpublickey
AES
cryptojs.aes
DES
cryptojs.des.encrypt
Android reverse
1. Simulator environment construction
Magisk is a set of open source software for customizing Android, supporting devices higher than Android 5.0.
Here are some feature highlights:
-
MagiskSU : Provide root access to applications
-
Magisk module : Modify read-only partitions by installing modules
-
MagiskHide : Hide Magisk from root detection/system integrity checks (Shamiko)
-
MagiskBoot : The most complete Android boot image unpacking and repacking tool
6. Installation steps
1. Go to the official website to download the 9.0 emulator, and install
the Raiden Android emulator-mobile game emulator Android version_android mobile phone emulator computer version_Raiden emulator official website
[Update!] Tutorial for installing magisk on almost all Android emulators (7+) - simple and mindless
[Update!] Tutorial for installing magisk on almost all Android emulators (7+) - simple and mindless - 『 Mobile Security Zone』 - My Love Crack - LCG - LSG | Android Crack | Virus Analysis | www.52pojie.cn
(Source: My Love Crack Forum)
2. Download the configuration file
3. Install the mask
2. First familiarity with APK file structure, double opening, Sinicization, and basic modification
The full name of apk is Android Package, which is equivalent to a compressed file, as long as the suffix of apk is changed to zip on the computer, it can be decompressed.
| document | note |
|---|---|
| assets directory | Store APK static resource files, such as video, audio, pictures, etc. |
| lib directory | armeabi-v7a is basically common to all android devices, arm64-v8a is only suitable for 64-bit android devices, x86 is commonly used for android emulators, and the .so files in its directory are dynamic link library files compiled by c or c++ |
| META-INF directory | Save the signature information of the application, the signature information can verify the integrity of the APK file, which is equivalent to the ID card of the APK (verify whether the file has been modified again) |
| res directory | The res directory stores resource files, including pictures, strings, etc. The face of the APK is designed by its layout file |
| AndroidMainfest.xml file | APK's application manifest information, which describes the application's name, version, permissions, referenced library files, etc. |
| classes.dex file | classes.dex is the java bytecode file generated after java source code compilation, the main logic of APK operation |
| resources.arsc file | resources.arsc is the compiled binary resource file. It is a mapping table that maps resources and ids. You can find the corresponding resources through the id in the R file. |
2. Double opening and principle
Dual-open: Simply put, it means that the mobile phone runs two or more of the same applications at the same time, such as running two WeChat at the same time
| principle | explain |
|---|---|
| Modify the package name | Let the mobile phone system think that these are 2 APPs, so that 2 data storage paths can be generated. At this time, more openings at this time means that you have opened two APPs that do not interfere with each other. |
| Modify Framework | For manufacturers with system modification rights, they can modify the Framework to achieve the purpose of dual opening, for example: Xiaomi comes with multiple openings |
| Realized by virtualization technology | A complete set of virtual technologies such as virtual Framework layer, virtual file system, simulated Android component management, virtual application process management, etc., copy APK to run in virtual space, for example: parallel space |
| Run as a plugin | Using reflection replacement and dynamic proxy {pass}{filter} to hook most of the functions of the system that communicate with the system-server process, as the purpose of "deception", tricking the system into "thinking" that there is only one apk in the system Run, trick the plugin into "thinking" it is installed. For example: VirtualApp |
Select apk coexistence
3. Sinicized APK
Sinicization: Use special tools to read, translate, modify, and write back the software resources of the foreign language version, so that the user interfaces such as menus, dialog boxes, and prompts of the software are displayed in Chinese, while the kernel and functions of the program remain No change, this process is software Sinicization
Basically, the strings are all in arsc, it is recommended to Chineseize with one click, and then polish it.
A small number of strings that have not been localized can be localized one by one by referring to the method in the video.
flow chart
<font color=#ED7001>What needs to be noted here is that if you want to directly install the application, you should sign the installation first to see if there is a flashback caused by signature verification</font>
Search for in-app strings, modify
Core Crack: Resolving signature failures
Developer tools:
Interface resource analysis
For the last search, you need to open the dex file: Reverse determines height, development determines depth.
4. Getting to know AndroidManifest.xml first
The AndroidManifest.xml file is the information description file of the entire application, which defines the Activity, Service, Content provider and BroadcastReceiver component information contained in the application. Each application must contain an AndroidManifest.xml file in the root directory, and the file name cannot be modified. It describes the components exposed in the package, their respective implementation classes, various data that can be processed and the startup location.
| Attributes | definition |
|---|---|
| versionCode | Version number, mainly used for updating, for example: 12 |
| versionName | Version name, for users to see, for example: 1.2 |
| package | Package name, for example: com.zj.52pj.demo |
| uses-permission android:name="" | Application permissions, for example: android.permission.INTERNET represents network permissions |
| android:label="@string/app_name" | Application Name |
| android:icon="@mipmap/ic_launcher" | app icon path |
| android:debuggable="true" | Whether the app has debug permissions enabled |
3. Getting to know smali for the first time, the vip terminator
1. Understand JVM, Dalvik, ART
2. First knowledge of smali syntax
3. Modify smali in actual combat
2. Tools
1. Tutorial Demo (Update)
2. MT Manager/NP Manager
3. Raiden Simulator
4.jadx-gui (computer decompilation tool)
5. Core cracking (1
3. Course content
1. What is JVM, Dalvik, ART
JVM is a JAVA virtual machine that runs JAVA bytecode programs.
Dalvik is a virtual machine specially designed by Google for Android. Dalvik has its own file execution format dex (Dalvik executable)
Art (Android Runtime), which is equivalent to an upgraded version of Dalvik. It is essentially the same as Dalvik is no different
2. smali and its syntax
smali is the register language of Dalvik, and the smali code is decompiled from dex.
keywords
| name | note |
|---|---|
| .class | class name |
| .super | Parent class name, the name of the inherited superior class name |
| .source | original name |
| .field | variable |
| .method | method name |
| .register | register |
| .end method | end of method name |
| public | public |
| protected | 半公开,只有同一家人才能用 |
| private | 私有,只能自己使用 |
| .parameter | 方法参数 |
| .prologue | 方法开始 |
| .line xxx | 位于第xxx行 |
数据类型对应
| smali类型 | java类型 | 注释 |
|---|---|---|
| V | void | 无返回值 |
| Z | boolean | 布尔值类型,返回0或1 |
| B | byte | 字节类型,返回字节 |
| S | short | 短整数类型,返回数字 |
| C | char | 字符类型,返回字符 |
| I | int | 整数类型,返回数字 |
| J | long (64位 需要2个寄存器存储) | 长整数类型,返回数字 |
| F | float | 单浮点类型,返回数字 |
| D | double (64位 需要2个寄存器存储) | 双浮点类型,返回数字 |
| string | String | 文本类型,返回字符串 |
| Lxxx/xxx/xxx | object | 对象类型,返回对象 |
常用指令
| 关键字 | 注释 |
|---|---|
| const | 重写整数属性,真假属性内容,只能是数字类型 |
| const-string | 重写字符串内容 |
| const-wide | 重写长整数类型,多用于修改到期时间。 |
| return | 返回指令 |
| if-eq | 全称equal(a=b),比较寄存器ab内容,相同则跳 |
| if-ne | 全称not equal(a!=b),ab内容不相同则跳 |
| if-eqz | 全称equal zero(a=0),z即是0的标记,a等于0则跳 |
| if-nez | 全称not equal zero(a!=0),a不等于0则跳 |
| if-ge | 全称greater equal(a>=b),a大于或等于则跳 |
| if-le | 全称little equal(a<=b),a小于或等于则跳 |
| goto | 强制跳到指定位置 |
| switch | 分支跳转,一般会有多个分支线,并根据指令跳转到适当位置 |
| iget | 获取寄存器数据 |
其余指令可用语法工具查询
定位方法:搜索弹窗关键字、抓取按钮id
中文 转 Unicode Unicode编码转换 - 站长工具
//一个私有、静态、不可变的方法 方法名
.method private static final onCreate$lambda-2(Lkotlin/jvm/internal/Ref$IntRef;Lcom/zj/wuaipojie/ui/ChallengeSecond;Landroid/widget/ImageView;Landroid/widget/ImageView;Landroid/widget/ImageView;Landroid/view/View;)Z //(这里面是方法的参数)这里是方法返回值类型,表示布尔值类型,返回假或真
.registers 7 //寄存器数量
.line 33 //代码所在的行数
iget p0, p0, Lkotlin/jvm/internal/Ref$IntRef;->element:I //读取p0(第一个参数,参考寄存器知识)中element的值赋值给p0
const/4 p5, 0x1 //p5赋值1
const/16 v0, 0xa //v0赋值10,在16进制里a表示10
if-ge p0, v0, :cond_15 //判断p0的值是否大于或等于v0的值(即p0的值是否大于或等于10),如果大于或等于则跳转到:cond_15
.line 34 //以下是常见的Toast弹窗代码
check-cast p1, Landroid/content/Context; //检查Context对象引用
const-string p0, "请先获取10个硬币哦" //弹窗文本信息,把""里的字符串数据赋值给p0
check-cast p0, Ljava/lang/CharSequence; //检查CharSequence对象引用
invoke-static {p1, p0, p5}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
//将弹窗文本、显示时间等信息传给p1
move-result-object p0 //结果传递给p0
invoke-virtual {p0}, Landroid/widget/Toast;->show()V //当看到这个Toast;->show你就应该反应过来这里是弹窗代码
goto :goto_31 //跳转到:goto_31
:cond_15 //跳转的一个地址
invoke-virtual {p1}, Lcom/zj/wuaipojie/ui/ChallengeSecond;->isvip()Z //判断isvip方法的返回值是否为真(即结果是否为1)
move-result p0 //结果赋值给p0
if-eqz p0, :cond_43 //如果结果为0则跳转cond_43地址
const p0, 0x7f0d0018 //在arsc中的id索引,这个值可以进行查询
.line 37
invoke-virtual {p2, p0}, Landroid/widget/ImageView;->setImageResource(I)V //设置图片资源
const p0, 0x7f0d0008
.line 38
invoke-virtual {p3, p0}, Landroid/widget/ImageView;->setImageResource(I)V
const p0, 0x7f0d000a
.line 39
invoke-virtual {p4, p0}, Landroid/widget/ImageView;->setImageResource(I)V
.line 40
sget-object p0, Lcom/zj/wuaipojie/util/SPUtils;->INSTANCE:Lcom/zj/wuaipojie/util/SPUtils;
check-cast p1, Landroid/content/Context;
const/4 p2, 0x2 //p2赋值2
const-string p3, "level" //sp的索引
invoke-virtual {p0, p1, p3, p2}, Lcom/zj/wuaipojie/util/SPUtils;->saveInt(Landroid/content/Context;Ljava/lang/String;I)V //写入数据
goto :goto_50 //跳转地址
:cond_43
check-cast p1, Landroid/content/Context;
const-string p0, "\u8bf7\u5148\u5145\u503c\u5927\u4f1a\u5458\u54e6\uff01" //请先充值大会员哦!
check-cast p0, Ljava/lang/CharSequence;
invoke-static {p1, p0, p5}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;
move-result-object p0
invoke-virtual {p0}, Landroid/widget/Toast;->show()V
:goto_50
return p5 //返回p5的值
.end method //方法结束
//判断是否是大会员的方法
.method public final isvip()Z
.registers 2
const/4 v0, 0x0 //v0赋值0
return v0 //返回v0的值
.end method修改方法:修改判断、强制跳转、修改寄存器的值
3.寄存器
在smali里的所有操作都必须经过寄存器来进行:本地寄存器用v开头数字结尾的符号来表示,如v0、 v1、v2。 参数寄存器则使用p开头数字结尾的符号来表示,如p0、p1、p2。特别注意的是,p0不一定是函数中的第一个参数,在非static函数中,p0代指“this",p1表示函数的第一个 参数,p2代表函数中的第二个参数。而在static函数中p0才对应第一个参数(因为Java的static方法中没有this方法)
在判断前加个赋值
move-result p0
const/4 p0, 0x1
if-eqz p0, :cond_44四、课后小作业
1.关掉视频自己复现三种方法
2.完成这个作业demo(因为最近实在是太太太忙了,绝对不是因为我懒,咕咕咕。搞懂这个demo那也基本上能理解本节课的内容)
丑小鸭师傅的demo
链接:百度网盘 请输入提取码 密码:07p9
原文链接:教我兄弟学Android逆向02 破解第一个Android程序
作业:不知道goto是否符合要求?
屏蔽掉第147行 #if-eqz p0, :cond_43,
让上面的第124行if-ge p0, v0, :cond_15修改为:“goto :cond_15”
这样程序就可以自上而下顺利一键三连了,五、反思&答疑
关于jadx搜不到大会员的unicode编码,这是因为我录视频之前在设置里把unicode的转义打开而导致的,像你们第一次安装jadx都是默认关闭这个选项的,所以能直接搜到大会员的汉字!!!
由于准备不是很充足,我感觉我讲的不是太好,多看看我列举参考文档有利于理解smali语法。
对于开发者而言,在打包应用时,最好对代码进行混淆,否则逆向人员轻而易举得进行Crack,或者说在写代码的时候就不要用isvip、getvip等易辨识的单词作为方法名
推荐 控制流混淆
4、恭喜你获得广告&弹窗静默卡
1.了解安卓四大组件、Activity生命周期
2.弹窗定位、去更新
3.广告分析与布局优化
二、工具
1.教程Demo(更新)
2.MT管理器/NP管理器
3.算法助手
4.雷电模拟器
5.开发助手
三、课程内容
1.广告类型
启动广告 弹窗&更新广告 横幅广告
2.安卓四大组件
| 组件 | 描述 |
|---|---|
| Activity(活动) | 在应用中的一个Activity可以用来表示一个界面,意思可以理解为“活动”,即一个活动开始,代表 Activity组件启动,活动结束,代表一个Activity的生命周期结束。一个Android应用必须通过Activity来运行和启动,Activity的生命周期交给系统统一管理。 |
| Service(服务) | Service它可以在后台执行长时间运行操作而没有用户界面的应用组件,不依赖任何用户界面,例如后台播放音乐,后台下载文件等。 |
| Broadcast Receiver(广播接收器) | 一个用于接收广播信息,并做出对应处理的组件。比如我们常见的系统广播:通知时区改变、电量低、用户改变了语言选项等。 |
| Content Provider(内容提供者) | 作为应用程序之间唯一的共享数据的途径,Content Provider主要的功能就是存储并检索数据以及向其他应用程序提供访问数据的接口。Android内置的许多数据都是使用Content Provider形式,供开发者调用的(如视频,音频,图片,通讯录等) |
1.activity的切换
<!---声明实现应用部分可视化界面的 Activity,必须使用 AndroidManifest 中的 <activity> 元素表示所有 Activity。系统不会识别和运行任何未进行声明的Activity。----->
<activity
android:label="@string/app_name"
android:name="com.zj.wuaipojie.ui.MainActivity"
android:exported="true"> <!--当前Activity是否可以被另一个Application的组件启动:true允许被启动;false不允许被启动-->
<!---指明这个activity可以以什么样的意图(intent)启动--->
<intent-filter>
<!--表示activity作为一个什么动作启动,android.intent.action.MAIN表示作为主activity启动--->
<action
android:name="android.intent.action.MAIN" />
<!--这是action元素的额外类别信息,android.intent.category.LAUNCHER表示这个activity为当前应用程序优先级最高的Activity-->
<category
android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<activity
android:name="com.zj.wuaipojie.ui.ChallengeFirst" />
<activity
android:name="com.zj.wuaipojie.ui.ChallengeFifth"
android:exported="true" />
<activity
android:name="com.zj.wuaipojie.ui.ChallengeFourth"
android:exported="true" />
<activity
android:name="com.zj.wuaipojie.ui.ChallengeThird"
android:exported="false" />
<activity
android:name="com.zj.wuaipojie.ui.ChallengeSecond"
android:exported="false" />
<activity
android:name="com.zj.wuaipojie.ui.AdActivity" /> 启动广告流程:
启动Activity->广告Activity->主页Activity
修改方法:
1.修改加载时间
2.Acitivity切换定位,修改Intent的Activity类名
switch (position) {
case 0:
Intent intent = new Intent();
intent.setClass(it.getContext(), ChallengeFirst.class);
it.getContext().startActivity(intent);
return;
case 1:
Intent intent2 = new Intent();
intent2.setClass(it.getContext(), ChallengeSecond.class);
it.getContext().startActivity(intent2);
return;
case 2:
Intent intent3 = new Intent(); //new一个Intent,
intent3.setClass(it.getContext(), AdActivity.class); //传入要切换的Acitivity的类名
it.getContext().startActivity(intent3); //启动对应的Activity
return;
case 3:
Intent intent4 = new Intent();
intent4.setClass(it.getContext(), ChallengeFourth.class);
it.getContext().startActivity(intent4);
return;
default:
return;
}
3.Activity生命周期
| 函数名称 | 描述 |
|---|---|
| onCreate() | 一个Activity启动后第一个被调用的函数,常用来在此方法中进行Activity的一些初始化操作。例如创建View,绑定数据,注册监听,加载参数等。 |
| onStart() | 当Activity显示在屏幕上时,此方法被调用但此时还无法进行与用户的交互操作。 |
| onResume() | 这个方法在onStart()之后调用,也就是在Activity准备好与用户进行交互的时候调用,此时的Activity一定位于Activity栈顶,处于运行状态。 |
| onPause() | 这个方法是在系统准备去启动或者恢复另外一个Activity的时候调用,通常在这个方法中执行一些释放资源的方法,以及保存一些关键数据。 |
| onStop() | 这个方法是在Activity完全不可见的时候调用的。 |
| onDestroy() | 这个方法在Activity销毁之前调用,之后Activity的状态为销毁状态。 |
| onRestart() | 当Activity从停止stop状态恢进入start状态时调用状态。 |
4.弹窗定位&堆栈分析
修改方法:
1.修改xml中的versiocode
2.Hook弹窗(推荐算法助手开启弹窗定位)
3.修改dex弹窗代码
4.抓包修改响应体(也可以路由器拦截)
5.布局优化
1.开发者助手抓布局
2.MT管理器xml搜索定位
3.修改xml代码
复制代码 隐藏代码
android:visibility="gone"
四、课后小作业
定位并去除作业demo首页中的弹窗
作业demo.apk - 蓝奏云
常见反爬措施
options请求(跨域预检)
The options request is a preflight request, which can be used to detect the http methods allowed by the server. When a cross-domain request is initiated , due to security reasons, when certain conditions are triggered, the browser will automatically initiate an OPTIONS request before the formal request, that is, a CORS pre-check request. If the server accepts the cross-domain request, the browser will continue to initiate the formal request.
options request (cross-domain preflight)_Huancaixi's Blog-CSDN Blog
References: