ly2121 发表于 2016-3-16 09:03

【原创】浅谈 Android APK定点爆破

本帖最后由 ly2121 于 2016-3-16 09:14 编辑

这是一个MTK改IMEI的APK
软件不大~通用所有MTK芯片的机器改串~
是一个手机行业的朋友送我这来RMB寻求爆破的~

所以有幸拿出来与大家分享下爆破经历~

相关工具网络上很多~介绍也都全面~这里就不一一赘述了~
直接进入正题:



这是程序的主界面~机器码注册的~


随便输入一个注册码~


返回错误信息~对不起,您输入的数据有误!

寻找爆破点位置方法一
看到上图三的错误返回信息~相信玩过破解的鞋童都清楚,这就是关键字所在了~
载入APK搜索关键字~


找到smali文件CodeSigWindow.smali~
爆破关键点就在此文件内~离程序爆破已经不远咯~

寻找爆破点位置方法二
看到上图一的界面信息~一般老手都清楚每个信息都是关键字所在~
载入APK寻找主界面关键字信息~

找到xml文件codesigwindow.xml ~


到这里鞋童们应该发现两个名字一样的codesigwindow文件,只是格式不同~
因为XML格式的文件是界面 smali文件是功能代码
找到界面了~功能代码位置就不难找了吧~


方法二 通常是无提示信息的APK程序爆破寻找基址用的~


转入正题~看一下CodeSigWindow.smali 分析爆破点~
# Registration screen of the app: an Activity subclass compiled from CodeSigWindow.java.
.class public Lcom/mayor/codeSig/CodeSigWindow;
.super Landroid/app/Activity;
.source "CodeSigWindow.java"


# instance fields
# Fixed suffix appended to the input before hashing in GetStr() and GetSR(); set to "#id12" in <init>.
.field private csig:Ljava/lang/String;

# Input box (the view tagged "2" in onCreate); btn1_click compares its text with GetSR().
.field editText:Landroid/widget/EditText;

# When true, MD5() rewrites the hex letters a-f as the digits 0-5; set to true in <init>.
.field private isNum:Z

# Number of leading characters MD5() keeps from its result; set to 10 (0xa) in <init>.
.field private mLen:I

# Label (the view tagged "1" in onCreate) that shows the machine code from GetStr().
.field textView:Landroid/widget/TextView;


# direct methods
# Constructor: calls Activity.<init>() and sets the three defaults the code computation relies on.
.method public constructor <init>()V
    .locals 1

    .prologue
    .line 22
    invoke-direct {p0}, Landroid/app/Activity;-><init>()V

    .line 26
    # isNum = true, so MD5() maps hex letters to digits.
    const/4 v0, 0x1

    iput-boolean v0, p0, Lcom/mayor/codeSig/CodeSigWindow;->isNum:Z

    .line 27
    # mLen = 10, so MD5() returns only the first ten characters.
    const/16 v0, 0xa

    iput v0, p0, Lcom/mayor/codeSig/CodeSigWindow;->mLen:I

    .line 28
    # csig = "#id12": a constant embedded in the binary, so it is visible to anyone who
    # decompiles the APK and adds no secrecy to the scheme.
    const-string v0, "#id12"

    iput-object v0, p0, Lcom/mayor/codeSig/CodeSigWindow;->csig:Ljava/lang/String;

    .line 22
    return-void
.end method

# Reads the app-private file "code.ini" and returns its content as a trimmed String.
# Returns "" when the file is missing (FileNotFoundException) or an IOException occurs;
# both exceptions are only printed with printStackTrace().
.method private read()Ljava/lang/String;
    .locals 7

    .prologue
    .line 101
    :try_start_0
    const-string v5, "code.ini"

    invoke-virtual {p0, v5}, Lcom/mayor/codeSig/CodeSigWindow;->openFileInput(Ljava/lang/String;)Ljava/io/FileInputStream;

    move-result-object v4

    .line 102
    # 1024-byte (0x400) read buffer.
    .local v4, inputStream:Ljava/io/FileInputStream;
    const/16 v5, 0x400

    new-array v1, v5, [B

    .line 103
    .local v1, bytes:[B
    new-instance v0, Ljava/io/ByteArrayOutputStream;

    invoke-direct {v0}, Ljava/io/ByteArrayOutputStream;-><init>()V

    .line 104
    # Read loop: continue at :cond_0 until read() returns -1 (end of file).
    .local v0, arrayOutputStream:Ljava/io/ByteArrayOutputStream;
    :goto_0
    invoke-virtual {v4, v1}, Ljava/io/FileInputStream;->read([B)I

    move-result v5

    const/4 v6, -0x1

    if-ne v5, v6, :cond_0

    .line 107
    # End of file reached: close both streams and build the result string.
    invoke-virtual {v4}, Ljava/io/FileInputStream;->close()V

    .line 108
    invoke-virtual {v0}, Ljava/io/ByteArrayOutputStream;->close()V

    .line 109
    # String(byte[]) decodes with the platform default charset.
    new-instance v2, Ljava/lang/String;

    invoke-virtual {v0}, Ljava/io/ByteArrayOutputStream;->toByteArray()[B

    move-result-object v5

    invoke-direct {v2, v5}, Ljava/lang/String;-><init>([B)V

    .line 110
    # trim() strips leading/trailing characters <= U+0020, which includes the NUL padding
    # produced by the full-buffer write below.
    .local v2, content:Ljava/lang/String;
    invoke-virtual {v2}, Ljava/lang/String;->trim()Ljava/lang/String;

    move-result-object v5

    .line 117
    .end local v0         #arrayOutputStream:Ljava/io/ByteArrayOutputStream;
    .end local v1         #bytes:[B
    .end local v2         #content:Ljava/lang/String;
    .end local v4         #inputStream:Ljava/io/FileInputStream;
    :goto_1
    return-object v5

    .line 105
    # Loop body: writes the WHOLE buffer (offset 0, length = array-length), not the number of
    # bytes read() returned, so unread buffer bytes are copied as well.
    .restart local v0       #arrayOutputStream:Ljava/io/ByteArrayOutputStream;
    .restart local v1       #bytes:[B
    .restart local v4       #inputStream:Ljava/io/FileInputStream;
    :cond_0
    const/4 v5, 0x0

    array-length v6, v1

    invoke-virtual {v0, v1, v5, v6}, Ljava/io/ByteArrayOutputStream;->write([BII)V
    :try_end_0
    .catch Ljava/io/FileNotFoundException; {:try_start_0 .. :try_end_0} :catch_0
    .catch Ljava/io/IOException; {:try_start_0 .. :try_end_0} :catch_1

    goto :goto_0

    .line 112
    # Handler: file not found. The stream is not closed on the exception paths.
    .end local v0         #arrayOutputStream:Ljava/io/ByteArrayOutputStream;
    .end local v1         #bytes:[B
    .end local v4         #inputStream:Ljava/io/FileInputStream;
    :catch_0
    move-exception v3

    .line 113
    .local v3, e:Ljava/io/FileNotFoundException;
    invoke-virtual {v3}, Ljava/io/FileNotFoundException;->printStackTrace()V

    .line 117
    # Shared failure exit: return the empty string.
    .end local v3         #e:Ljava/io/FileNotFoundException;
    :goto_2
    const-string v5, ""

    goto :goto_1

    .line 114
    # Handler: any other I/O error.
    :catch_1
    move-exception v3

    .line 115
    .local v3, e:Ljava/io/IOException;
    invoke-virtual {v3}, Ljava/io/IOException;->printStackTrace()V

    goto :goto_2
.end method

# Writes the current text of editText to the app-private file "code.ini".
# The value is stored as entered (plain bytes from String.getBytes()); on
# FileNotFoundException or IOException a Toast with the exception message is shown.
.method private save()V
    .locals 6

    .prologue
    # v5 = 1 is the Toast duration used in both handlers (Toast.LENGTH_LONG).
    const/4 v5, 0x1

    .line 86
    iget-object v3, p0, Lcom/mayor/codeSig/CodeSigWindow;->editText:Landroid/widget/EditText;

    invoke-virtual {v3}, Landroid/widget/EditText;->getText()Landroid/text/Editable;

    move-result-object v3

    invoke-interface {v3}, Landroid/text/Editable;->toString()Ljava/lang/String;

    move-result-object v0

    .line 88
    .local v0, content:Ljava/lang/String;
    :try_start_0
    const-string v3, "code.ini"

    .line 89
    # Mode 0 is Context.MODE_PRIVATE: the file is created or replaced in the app's own data directory.
    const/4 v4, 0x0

    .line 88
    invoke-virtual {p0, v3, v4}, Lcom/mayor/codeSig/CodeSigWindow;->openFileOutput(Ljava/lang/String;I)Ljava/io/FileOutputStream;

    move-result-object v2

    .line 90
    .local v2, outputStream:Ljava/io/FileOutputStream;
    invoke-virtual {v0}, Ljava/lang/String;->getBytes()[B

    move-result-object v3

    invoke-virtual {v2, v3}, Ljava/io/FileOutputStream;->write([B)V

    .line 91
    invoke-virtual {v2}, Ljava/io/FileOutputStream;->flush()V

    .line 92
    invoke-virtual {v2}, Ljava/io/FileOutputStream;->close()V
    :try_end_0
    .catch Ljava/io/FileNotFoundException; {:try_start_0 .. :try_end_0} :catch_0
    .catch Ljava/io/IOException; {:try_start_0 .. :try_end_0} :catch_1

    .line 98
    # Common exit for the success path and both handlers.
    .end local v2         #outputStream:Ljava/io/FileOutputStream;
    :goto_0
    return-void

    .line 93
    # Handler: show getMessage() followed by a single space in a Toast.
    :catch_0
    move-exception v1

    .line 94
    .local v1, e:Ljava/io/FileNotFoundException;
    new-instance v3, Ljava/lang/StringBuilder;

    invoke-virtual {v1}, Ljava/io/FileNotFoundException;->getMessage()Ljava/lang/String;

    move-result-object v4

    invoke-static {v4}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v4

    invoke-direct {v3, v4}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    const-string v4, " "

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-static {p0, v3, v5}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;

    move-result-object v3

    invoke-virtual {v3}, Landroid/widget/Toast;->show()V

    goto :goto_0

    .line 95
    # Handler: same Toast construction for any other I/O error.
    .end local v1         #e:Ljava/io/FileNotFoundException;
    :catch_1
    move-exception v1

    .line 96
    .local v1, e:Ljava/io/IOException;
    new-instance v3, Ljava/lang/StringBuilder;

    invoke-virtual {v1}, Ljava/io/IOException;->getMessage()Ljava/lang/String;

    move-result-object v4

    invoke-static {v4}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v4

    invoke-direct {v3, v4}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    const-string v4, " "

    invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v3

    invoke-static {p0, v3, v5}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;

    move-result-object v3

    invoke-virtual {v3}, Landroid/widget/Toast;->show()V

    goto :goto_0
.end method


# virtual methods
# Returns the value that btn1_click compares the user's input against:
# MD5(GetStr() + csig), where MD5() is this class's own helper (truncating, digit-mapping).
# Everything needed to derive the value is present on the device, so the check has no
# secret that stays outside the client.
.method public GetSR()Ljava/lang/String;
    .locals 2

    .prologue
    .line 121
    # Build GetStr() + csig with a StringBuilder.
    new-instance v0, Ljava/lang/StringBuilder;

    invoke-virtual {p0}, Lcom/mayor/codeSig/CodeSigWindow;->GetStr()Ljava/lang/String;

    move-result-object v1

    invoke-static {v1}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v1

    invoke-direct {v0, v1}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    iget-object v1, p0, Lcom/mayor/codeSig/CodeSigWindow;->csig:Ljava/lang/String;

    invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v0

    invoke-virtual {v0}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v0

    # Hash the concatenation with the class's MD5() helper.
    invoke-virtual {p0, v0}, Lcom/mayor/codeSig/CodeSigWindow;->MD5(Ljava/lang/String;)Ljava/lang/String;

    move-result-object v0

    return-object v0
.end method

# Returns the "machine code" shown to the user: MD5(deviceId + csig), where deviceId comes
# from TelephonyManager.getDeviceId() and MD5() is this class's own helper.
.method public GetStr()Ljava/lang/String;
    .locals 4

    .prologue
    .line 55
    # "phone" is the system-service name of the TelephonyManager.
    const-string v2, "phone"

    invoke-virtual {p0, v2}, Lcom/mayor/codeSig/CodeSigWindow;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;

    move-result-object v1

    check-cast v1, Landroid/telephony/TelephonyManager;

    .line 56
    # NOTE(review): getDeviceId() can return null (e.g. no telephony hardware); no null
    # check follows, see the valueOf() call below.
    .local v1, tm:Landroid/telephony/TelephonyManager;
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;

    move-result-object v0

    .line 57
    # String.valueOf(Object) turns a null deviceId into the literal text "null", so such
    # devices would all hash the same input.
    .local v0, deviceId:Ljava/lang/String;
    new-instance v2, Ljava/lang/StringBuilder;

    invoke-static {v0}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v3

    invoke-direct {v2, v3}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    iget-object v3, p0, Lcom/mayor/codeSig/CodeSigWindow;->csig:Ljava/lang/String;

    invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v2

    invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {p0, v2}, Lcom/mayor/codeSig/CodeSigWindow;->MD5(Ljava/lang/String;)Ljava/lang/String;

    move-result-object v2

    return-object v2
.end method

# Hashes `str` with MD5 and returns a shortened, optionally digit-only form of the hex digest.
#   1. Each char of `str` is narrowed to one byte (int-to-byte), so non-Latin-1 characters lose
#      their high bits.
#   2. The MD5 digest is rendered as lowercase hex, zero-padded to two digits per byte.
#   3. If isNum is set, the letters a..f are replaced by the digits 0..5.
#   4. The first mLen characters are returned (substring(0, mLen)).
# Returns "" if MessageDigest.getInstance("MD5") throws.
# With the defaults from <init> the result is ten decimal digits; truncation and the
# letter-to-digit mapping both shrink the output space compared with the full digest.
.method public MD5(Ljava/lang/String;)Ljava/lang/String;
    .locals 12
    .parameter "str"

    .prologue
    .line 126
    const/4 v5, 0x0

    .line 129
    # Only the getInstance() call is inside the try range.
    .local v5, md5:Ljava/security/MessageDigest;
    :try_start_0
    const-string v9, "MD5"

    invoke-static {v9}, Ljava/security/MessageDigest;->getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    move-result-object v5

    .line 136
    invoke-virtual {p1}, Ljava/lang/String;->toCharArray()[C

    move-result-object v1

    .line 137
    # byteArray has one byte per input char.
    .local v1, charArray:[C
    array-length v9, v1

    new-array v0, v9, [B

    .line 139
    # Loop 1 (:goto_0 / :cond_1): copy chars into byteArray.
    .local v0, byteArray:[B
    const/4 v4, 0x0

    .local v4, i:I
    :goto_0
    array-length v9, v1

    if-lt v4, v9, :cond_1

    .line 143
    invoke-virtual {v5, v0}, Ljava/security/MessageDigest;->digest([B)[B

    move-result-object v6

    .line 145
    .local v6, md5Bytes:[B
    new-instance v3, Ljava/lang/StringBuffer;

    invoke-direct {v3}, Ljava/lang/StringBuffer;-><init>()V

    .line 146
    # Loop 2 (:goto_1 / :cond_2): hex-encode the digest bytes.
    .local v3, hexValue:Ljava/lang/StringBuffer;
    const/4 v4, 0x0

    :goto_1
    array-length v9, v6

    if-lt v4, v9, :cond_2

    .line 155
    invoke-virtual {v3}, Ljava/lang/StringBuffer;->toString()Ljava/lang/String;

    move-result-object v7

    .line 156
    # Skip the letter replacement when isNum is false.
    .local v7, ret:Ljava/lang/String;
    iget-boolean v9, p0, Lcom/mayor/codeSig/CodeSigWindow;->isNum:Z

    if-eqz v9, :cond_0

    .line 158
    # Loop 3 (:goto_2 / :cond_4): v4 runs from 0x61 ('a') to 0x66 ('f').
    const/16 v4, 0x61

    :goto_2
    const/16 v9, 0x66

    if-le v4, v9, :cond_4

    .line 161
    # Truncate to the first mLen characters and return.
    :cond_0
    const/4 v9, 0x0

    iget v10, p0, Lcom/mayor/codeSig/CodeSigWindow;->mLen:I

    invoke-virtual {v7, v9, v10}, Ljava/lang/String;->substring(II)Ljava/lang/String;

    move-result-object v9

    .end local v0         #byteArray:[B
    .end local v1         #charArray:[C
    .end local v3         #hexValue:Ljava/lang/StringBuffer;
    .end local v4         #i:I
    .end local v6         #md5Bytes:[B
    .end local v7         #ret:Ljava/lang/String;
    :goto_3
    return-object v9

    .line 130
    # Handler for getInstance() failure: print the stack trace and return "".
    :catch_0
    move-exception v2

    .line 132
    .local v2, e:Ljava/lang/Exception;
    invoke-virtual {v2}, Ljava/lang/Exception;->printStackTrace()V

    .line 133
    const-string v9, ""

    goto :goto_3

    .line 141
    # Loop 1 body: byteArray[i] = (byte) charArray[i].
    .end local v2         #e:Ljava/lang/Exception;
    .restart local v0       #byteArray:[B
    .restart local v1       #charArray:[C
    .restart local v4       #i:I
    :cond_1
    aget-char v9, v1, v4

    int-to-byte v9, v9

    aput-byte v9, v0, v4

    .line 139
    add-int/lit8 v4, v4, 0x1

    goto :goto_0

    .line 148
    # Loop 2 body: val = md5Bytes[i] & 0xff (treat the byte as unsigned).
    .restart local v3       #hexValue:Ljava/lang/StringBuffer;
    .restart local v6       #md5Bytes:[B
    :cond_2
    aget-byte v9, v6, v4

    and-int/lit16 v8, v9, 0xff

    .line 149
    # Values below 0x10 produce a single hex digit, so prepend "0".
    .local v8, val:I
    const/16 v9, 0x10

    if-ge v8, v9, :cond_3

    .line 151
    const-string v9, "0"

    invoke-virtual {v3, v9}, Ljava/lang/StringBuffer;->append(Ljava/lang/String;)Ljava/lang/StringBuffer;

    .line 153
    :cond_3
    invoke-static {v8}, Ljava/lang/Integer;->toHexString(I)Ljava/lang/String;

    move-result-object v9

    invoke-virtual {v3, v9}, Ljava/lang/StringBuffer;->append(Ljava/lang/String;)Ljava/lang/StringBuffer;

    .line 146
    add-int/lit8 v4, v4, 0x1

    goto :goto_1

    .line 159
    # Loop 3 body: ret = ret.replace(String.valueOf((char) i), String.valueOf(i - 0x61)),
    # i.e. 'a'->"0", 'b'->"1", ... 'f'->"5".
    .end local v8         #val:I
    .restart local v7       #ret:Ljava/lang/String;
    :cond_4
    new-instance v9, Ljava/lang/StringBuilder;

    int-to-char v10, v4

    invoke-static {v10}, Ljava/lang/String;->valueOf(C)Ljava/lang/String;

    move-result-object v10

    invoke-direct {v9, v10}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    invoke-virtual {v9}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v9

    new-instance v10, Ljava/lang/StringBuilder;

    add-int/lit8 v11, v4, -0x61

    invoke-static {v11}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;

    move-result-object v11

    invoke-direct {v10, v11}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    invoke-virtual {v10}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v10

    invoke-virtual {v7, v9, v10}, Ljava/lang/String;->replace(Ljava/lang/CharSequence;Ljava/lang/CharSequence;)Ljava/lang/String;

    move-result-object v7

    .line 158
    add-int/lit8 v4, v4, 0x1

    goto :goto_2
.end method

# Click handler for the register button: compares the text of editText with GetSR().
# On a match it calls save() and showMain(); otherwise it shows an error AlertDialog.
# The outcome depends on one locally computed boolean (the String.equals() result); this
# method consults no server and performs no integrity check on the app itself.
.method public btn1_click(Landroid/view/View;)V
    .locals 3
    .parameter "view"

    .prologue
    .line 62
    # v1 = user input, v2 = expected value from GetSR().
    iget-object v1, p0, Lcom/mayor/codeSig/CodeSigWindow;->editText:Landroid/widget/EditText;

    invoke-virtual {v1}, Landroid/widget/EditText;->getText()Landroid/text/Editable;

    move-result-object v1

    invoke-interface {v1}, Landroid/text/Editable;->toString()Ljava/lang/String;

    move-result-object v1

    invoke-virtual {p0}, Lcom/mayor/codeSig/CodeSigWindow;->GetSR()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v1

    # v1 == 0 (strings differ) branches to the error dialog at :cond_0.
    if-eqz v1, :cond_0

    .line 64
    # Match: persist the entered value, then open the main activity.
    invoke-direct {p0}, Lcom/mayor/codeSig/CodeSigWindow;->save()V

    .line 65
    invoke-virtual {p0}, Lcom/mayor/codeSig/CodeSigWindow;->showMain()V

    .line 81
    :goto_0
    return-void

    .line 67
    # Mismatch: build and show the error dialog.
    :cond_0
    new-instance v1, Landroid/app/AlertDialog$Builder;

    invoke-direct {v1, p0}, Landroid/app/AlertDialog$Builder;-><init>(Landroid/content/Context;)V

    .line 68
    invoke-virtual {v1}, Landroid/app/AlertDialog$Builder;->create()Landroid/app/AlertDialog;

    move-result-object v0

    .line 69
    # Title text: "Data error".
    .local v0, dialog:Landroid/app/AlertDialog;
    const-string v1, "\u6570\u636e\u9519\u8bef"

    invoke-virtual {v0, v1}, Landroid/app/AlertDialog;->setTitle(Ljava/lang/CharSequence;)V

    .line 70
    # Button label: "OK"; the listener is the anonymous inner class CodeSigWindow$1 (not shown here).
    const-string v1, "\u786e\u5b9a"

    new-instance v2, Lcom/mayor/codeSig/CodeSigWindow$1;

    invoke-direct {v2, p0}, Lcom/mayor/codeSig/CodeSigWindow$1;-><init>(Lcom/mayor/codeSig/CodeSigWindow;)V

    invoke-virtual {v0, v1, v2}, Landroid/app/AlertDialog;->setButton(Ljava/lang/CharSequence;Landroid/content/DialogInterface$OnClickListener;)V

    .line 78
    # Message text: "Sorry, the data you entered is incorrect!"
    const-string v1, "\u5bf9\u4e0d\u8d77\uff0c\u60a8\u8f93\u5165\u7684\u6570\u636e\u6709\u8bef\uff01"

    invoke-virtual {v0, v1}, Landroid/app/AlertDialog;->setMessage(Ljava/lang/CharSequence;)V

    .line 79
    invoke-virtual {v0}, Landroid/app/AlertDialog;->show()V

    goto :goto_0
.end method

# Click handler for the second button: closes this activity via finish().
.method public btn2_click(Landroid/view/View;)V
    .locals 0
    .parameter "view"

    .prologue
    .line 50
    invoke-virtual {p0}, Lcom/mayor/codeSig/CodeSigWindow;->finish()V

    .line 51
    return-void
.end method

# Activity start-up: inflates the layout, looks up the two views by tag, shows the machine
# code, pre-fills the input box from code.ini and, if that file has any content, goes
# straight to the main activity.
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 3
    .parameter "savedInstanceState"

    .prologue
    .line 32
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    .line 33
    # Resource id of the layout; presumably the codesigwindow layout -- confirm against R.
    const v0, 0x7f030022

    invoke-virtual {p0, v0}, Lcom/mayor/codeSig/CodeSigWindow;->setContentView(I)V

    .line 34
    # textView = the view tagged "1".
    invoke-virtual {p0}, Lcom/mayor/codeSig/CodeSigWindow;->getWindow()Landroid/view/Window;

    move-result-object v0

    invoke-virtual {v0}, Landroid/view/Window;->getDecorView()Landroid/view/View;

    move-result-object v0

    const-string v1, "1"

    invoke-virtual {v0, v1}, Landroid/view/View;->findViewWithTag(Ljava/lang/Object;)Landroid/view/View;

    move-result-object v0

    check-cast v0, Landroid/widget/TextView;

    iput-object v0, p0, Lcom/mayor/codeSig/CodeSigWindow;->textView:Landroid/widget/TextView;

    .line 35
    # editText = the view tagged "2".
    invoke-virtual {p0}, Lcom/mayor/codeSig/CodeSigWindow;->getWindow()Landroid/view/Window;

    move-result-object v0

    invoke-virtual {v0}, Landroid/view/Window;->getDecorView()Landroid/view/View;

    move-result-object v0

    const-string v1, "2"

    invoke-virtual {v0, v1}, Landroid/view/View;->findViewWithTag(Ljava/lang/Object;)Landroid/view/View;

    move-result-object v0

    check-cast v0, Landroid/widget/EditText;

    iput-object v0, p0, Lcom/mayor/codeSig/CodeSigWindow;->editText:Landroid/widget/EditText;

    .line 36
    # Label text: the prefix "Machine code:" (in Chinese) followed by GetStr().
    iget-object v0, p0, Lcom/mayor/codeSig/CodeSigWindow;->textView:Landroid/widget/TextView;

    new-instance v1, Ljava/lang/StringBuilder;

    const-string v2, "\u673a\u5668\u7801\uff1a"

    invoke-direct {v1, v2}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    invoke-virtual {p0}, Lcom/mayor/codeSig/CodeSigWindow;->GetStr()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v1

    invoke-virtual {v1}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v1

    invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V

    .line 37
    # Pre-fill the input box with whatever code.ini holds ("" if absent).
    iget-object v0, p0, Lcom/mayor/codeSig/CodeSigWindow;->editText:Landroid/widget/EditText;

    invoke-direct {p0}, Lcom/mayor/codeSig/CodeSigWindow;->read()Ljava/lang/String;

    move-result-object v1

    invoke-virtual {v0, v1}, Landroid/widget/EditText;->setText(Ljava/lang/CharSequence;)V

    .line 38
    # The file is read a second time; only the length of the stored text is tested at this
    # point -- it is not compared with GetSR() again in this method.
    invoke-direct {p0}, Lcom/mayor/codeSig/CodeSigWindow;->read()Ljava/lang/String;

    move-result-object v0

    invoke-virtual {v0}, Ljava/lang/String;->length()I

    move-result v0

    # length <= 0: stay on this screen.
    if-lez v0, :cond_0

    .line 40
    invoke-virtual {p0}, Lcom/mayor/codeSig/CodeSigWindow;->showMain()V

    .line 42
    :cond_0
    return-void
.end method

# Starts the activity org.imei.mtk65xx.Mtk65xx with an explicit Intent and then finishes
# this registration screen.
.method public showMain()V
    .locals 2

    .prologue
    .line 44
    new-instance v0, Landroid/content/Intent;

    const-class v1, Lorg/imei/mtk65xx/Mtk65xx;

    invoke-direct {v0, p0, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V

    .line 45
    .local v0, intent:Landroid/content/Intent;
    invoke-virtual {p0, v0}, Lcom/mayor/codeSig/CodeSigWindow;->startActivity(Landroid/content/Intent;)V

    .line 46
    # finish() removes the registration screen so it is not left behind the main activity.
    invoke-virtual {p0}, Lcom/mayor/codeSig/CodeSigWindow;->finish()V

    .line 47
    return-void
.end method


有基础的鞋童~看到这if语句段代码应该就明白是爆破点了吧~
将if-eqz改为if-nez 强制跳转成功~软件定点爆破结束~
之所以改一条指令就够~是因为从贴出的这个类来看,整个注册校验只是本地的一次字符串 equals 比较,结果只决定一个条件跳转~类里没有服务端验证,也看不到对程序自身的完整性校验~



其实程序破解方式·只要肯动脑~多变通~有很多方法~
有不懂的鞋童可跟帖交流~{:17_1078:}

考虑到此APK软件属于商业程序~暂时先不放出了~
如果鞋童强烈需要~请跟帖打赏~
本人可以向客户申请放出给各位鞋童享用~



taintitly 发表于 2017-3-13 18:10

这个软件的注册算法很简单:
机器码+字符串:“#id12” MD加密后,取前面十位。
如果字符里有abcdef,进行012345对应的替换。
比如你的机器码:2103560136
            注册码:2394931315

ly2121 发表于 2016-10-13 02:42

临轩听雨 发表于 2016-8-29 17:29
这个,我反编译之后,也找到了关键的文件,但是里面语句太多了,不知道哪一句是爆破的关键所在,就是看不懂 ...

那你要从编程语法学起了,没有捷径…很无聊的一段过程

1070885984 发表于 2016-3-16 09:07

什么都看不懂,能教我最基础的吗

ly2121 发表于 2016-3-16 09:10

1070885984 发表于 2016-3-16 09:07
什么都看不懂,能教我最基础的吗

多基础的叫基础啊???
你总不能让我们每一篇帖子都从十以内加减法讲起吧?
{:301_1008:}

nothinglhw 发表于 2016-3-16 09:43

不错的分享,赞~~

superykc 发表于 2016-3-16 13:26

认认真真学习,争取早日成为大婶级别。

solea 发表于 2016-3-16 13:59

好帖,好好研究一下。

mounsurf 发表于 2016-3-16 14:01

认真学习

yuan6975 发表于 2016-3-16 14:05

额这个我会就是以前被爱加密这种给治了

8taizi 发表于 2016-3-16 18:29

有教程分享下不

1070885984 发表于 2016-3-16 19:52

ly2121 发表于 2016-3-16 09:10
多基础的叫基础啊???
你总不能让我们每一篇帖子都从十以内加减法讲起吧?

刚刚进论坛的,编程什么的都不会{:1_937:}