Android apk逆向实战

简介

逆向Android apk其实是一个分析Android apk的一个过程，必须了解Android程序开发的流程、结构、语句分支、解密原理等等。

功能

破解一个注册验证程序（自写一个简单的注册验证程序，然后分析它，再破解它）。

步骤

1、编写一个简单的注册验证apk，关键代码如下：

    private boolean checkSN(String userName, String sn) { //确认验证
        try {
            if ((userName == null) || (userName.length() == 0))
                return false;
            if ((sn == null) || (sn.length() != 16))
                return false;
            MessageDigest digest = MessageDigest.getInstance("MD5");
            digest.reset();
            digest.update(userName.getBytes());
            byte[] bytes = digest.digest();     //采用MD5对用户名进行Hash
            String hexstr = toHexString(bytes, ""); //将计算结果转化成字符串
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < hexstr.length(); i += 2) {
                sb.append(hexstr.charAt(i));
            }
            String userSN = sb.toString(); //计算出的SN        
            //Log.d("crackme", hexstr);
            //Log.d("crackme", userSN);
            if (!userSN.equalsIgnoreCase(sn))   //比较注册码是否正确
                return false;
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
            return false;
        }        
        return true;
    }
    
    private static String toHexString(byte[] bytes, String separator) { //转为十六进制
        StringBuilder hexString = new StringBuilder();
        for (byte b : bytes) {
            String hex = Integer.toHexString(0xFF & b);
            if(hex.length() == 1){
                hexString.append('0');
            }
            hexString.append(hex).append(separator);
        }
        return hexString.toString();
    }

这个方法的主要功能是计算用户名与注册码是否匹配。

运行效果如图：

2、分析、破解

下载开源工具ApkTool：http://code.google.com/p/android-apktool/

破解Android apk的方法是将apk文件利用ApkTool反编译，生成Smali格式的反汇编代码，然后分析Smali文件的代码运行机制，找到程序的突破口进程修改，最后使用ApkTool

重新编译生成apk文件并签名。

命令格式如下：

反编译apk：apktool d[ecode] [opts] <file.apl> [<dir>]

编译apk：apktool b[uild] [opts] [<app_path>] [<out_file>]

运行效果如图：

反编译apk文件成功后，会在当前的outdir目录下（默然是apk文件名）生成一系列目录与文件，其中smali目录下存放了程序所有的反汇编代码，res目录则是程序中所有的资源文件，这些目录的子目录和文件与原程序的源码目录结构是一致的。

如何寻找突破口是分析一个程序的关键，一般来说，错误提示信息通常是指引关键代码的风向标，在错误提示附近一般是程序的核心验证码。

错误提示是Android 程序中的字符串资源，这些字符串可能硬编码到源代码中，也可能引用自 “res目录下的string.xml文件，apk打包时，string.xml中的字符串被加密存储为resources.arsc文件保存到apk程序包中。

string.xml 详情如下：

<resources>

    <string name="app_name">Crackme0201</string>
    <string name="menu_settings">Settings</string>
    <string name="title_activity_main">Crackme0201</string>
    <string name="info">Android程序破解演示实例</string>
    <string name="username">用户名：</string>
    <string name="sn">注册码：</string>
    <string name="register">注    册</string>
    <string name="hint_username">请输入用户名</string>
    <string name="hint_sn">请输入16位的注册码</string>
    <string name="unregister">程序未注册</string>
    <string name="registered">程序已注册</string>
    <string name="unsuccessed">无效用户名或注册码</string>
    <string name="successed">恭喜您！注册成功</string>

</resources>

对应加密文件（public.xml）详情：

<?xml version="1.0" encoding="utf-8"?>
<resources>
    <public type="drawable" name="ic_launcher" id="0x7f020001" />
    <public type="drawable" name="ic_action_search" id="0x7f020000" />
    <public type="layout" name="activity_main" id="0x7f030000" />
    <public type="dimen" name="padding_small" id="0x7f040000" />
    <public type="dimen" name="padding_medium" id="0x7f040001" />
    <public type="dimen" name="padding_large" id="0x7f040002" />
    <public type="string" name="app_name" id="0x7f050000" />
    <public type="string" name="hello_world" id="0x7f050001" />
    <public type="string" name="menu_settings" id="0x7f050002" />
    <public type="string" name="title_activity_main" id="0x7f050003" />
    <public type="string" name="info" id="0x7f050004" />
    <public type="string" name="username" id="0x7f050005" />
    <public type="string" name="sn" id="0x7f050006" />
    <public type="string" name="register" id="0x7f050007" />
    <public type="string" name="hint_username" id="0x7f050008" />
    <public type="string" name="hint_sn" id="0x7f050009" />
    <public type="string" name="unregister" id="0x7f05000a" />
    <public type="string" name="registered" id="0x7f05000b" />
    <public type="string" name="unsuccessed" id="0x7f05000c" />
    <public type="string" name="successed" id="0x7f05000d" />
    <public type="style" name="AppTheme" id="0x7f060000" />
    <public type="menu" name="activity_main" id="0x7f070000" />
    <public type="id" name="textView1" id="0x7f080000" />
    <public type="id" name="edit_username" id="0x7f080001" />
    <public type="id" name="edit_sn" id="0x7f080002" />
    <public type="id" name="button_register" id="0x7f080003" />
    <public type="id" name="menu_settings" id="0x7f080004" />
</resources>

unsuccessed的id值为0x7f05000c，在smali目录中搜索含有内容为0x7f05000c的文件，最后发现只有MainActivity$1.smali文件一处调用，代码如下：

.class Lcom/droider/crackme0201/MainActivity$1;
.super Ljava/lang/Object;
.source "MainActivity.java"

# interfaces
.implements Landroid/view/View$OnClickListener;


# annotations
.annotation system Ldalvik/annotation/EnclosingMethod;
    value = Lcom/droider/crackme0201/MainActivity;->onCreate(Landroid/os/Bundle;)V
.end annotation

.annotation system Ldalvik/annotation/InnerClass;
    accessFlags = 0x0
    name = null
.end annotation


# instance fields
.field final synthetic this$0:Lcom/droider/crackme0201/MainActivity;


# direct methods
.method constructor <init>(Lcom/droider/crackme0201/MainActivity;)V
    .locals 0
    .parameter

    .prologue
    .line 1
    iput-object p1, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;

    .line 29
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method


# virtual methods
.method public onClick(Landroid/view/View;)V
    .locals 4
    .parameter "v"

    .prologue
    const/4 v3, 0x0

    .line 32
    iget-object v0, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;

    iget-object v1, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;

    #getter for: Lcom/droider/crackme0201/MainActivity;->edit_userName:Landroid/widget/EditText;
    invoke-static {v1}, Lcom/droider/crackme0201/MainActivity;->access$0(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/EditText;

    move-result-object v1

    invoke-virtual {v1}, Landroid/widget/EditText;->getText()Landroid/text/Editable;

    move-result-object v1

    invoke-interface {v1}, Landroid/text/Editable;->toString()Ljava/lang/String;

    move-result-object v1

    invoke-virtual {v1}, Ljava/lang/String;->trim()Ljava/lang/String;

    move-result-object v1

    .line 33
    iget-object v2, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;

    #getter for: Lcom/droider/crackme0201/MainActivity;->edit_sn:Landroid/widget/EditText;
    invoke-static {v2}, Lcom/droider/crackme0201/MainActivity;->access$1(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/EditText;

    move-result-object v2

    invoke-virtual {v2}, Landroid/widget/EditText;->getText()Landroid/text/Editable;

    move-result-object v2

    invoke-interface {v2}, Landroid/text/Editable;->toString()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v2}, Ljava/lang/String;->trim()Ljava/lang/String;

    move-result-object v2

    .line 32             #调用checkSN函数
    #calls: Lcom/droider/crackme0201/MainActivity;->checkSN(Ljava/lang/String;Ljava/lang/String;)Z
    invoke-static {v0, v1, v2}, Lcom/droider/crackme0201/MainActivity;->access$2(Lcom/droider/crackme0201/MainActivity;Ljava/lang/String;Ljava/lang/String;)Z

    move-result v0     

    if-neqz v0, :cond_0    #关键跳转  程序的破接口  把if-eqz v0  ---->if-eqz v0 即可
    .line 34#获取实例的引用
    iget-object v0, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;

    .line 35                                   字符串压人v1寄存器
    const v1, 0x7f05000c注意！！！！！！！！！！！！

    .line 34
    invoke-static {v0, v1, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;II)Landroid/widget/Toast;

    move-result-object v0

    .line 35
    invoke-virtual {v0}, Landroid/widget/Toast;->show()V

    .line 42
    :goto_0
    return-void

    .line 37
    :cond_0
    iget-object v0, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;

    .line 38
    const v1, 0x7f05000d

    .line 37
    invoke-static {v0, v1, v3}, Landroid/widget/Toast;->makeText(Landroid/content/Context;II)Landroid/widget/Toast;

    move-result-object v0

    .line 38
    invoke-virtual {v0}, Landroid/widget/Toast;->show()V

    .line 39
    iget-object v0, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;

    #getter for: Lcom/droider/crackme0201/MainActivity;->btn_register:Landroid/widget/Button;
    invoke-static {v0}, Lcom/droider/crackme0201/MainActivity;->access$3(Lcom/droider/crackme0201/MainActivity;)Landroid/widget/Button;

    move-result-object v0

    invoke-virtual {v0, v3}, Landroid/widget/Button;->setEnabled(Z)V

    .line 40
    iget-object v0, p0, Lcom/droider/crackme0201/MainActivity$1;->this$0:Lcom/droider/crackme0201/MainActivity;

    const v1, 0x7f05000b

    invoke-virtual {v0, v1}, Lcom/droider/crackme0201/MainActivity;->setTitle(I)V

    goto :goto_0
.end method

分析完毕，重新编译生成apk文件并签名

签名成功后会在同目录下生成signed.apk文件，如图：

破解完成，放入模拟器运行下，可以了。

小结

通过实战破解一个简单的验证程序，了解Android程序的一般分析与破解流程，但在实际的分析过程中，接触的代码远比这些要复杂得多。

下载

实例及工具下载