It started like this: someone in a group chat had his phone locked. Asked how, he said he had downloaded a program called “cf外掛助手激活版” (an "activated edition" of a supposed CF game cheat helper). When I got hold of the file, it looked like this...

Hmm... barely 200 KB. Whoever made this is clearly a complete novice.
Judging by size alone, a "cheat" of only two hundred-odd KB is bound to be fishy.
The name is suspicious too, so I went straight to Baidu and searched for it.

Hmm........... that only reinforced my impression that he is a novice.
Next I uploaded the file to the Habo analysis system (https://habo.qq.com/).

It reported the file's MD5: 703b33a0def90c8d689881017878ae2d. A Baidu search for that hash turned up nothing, so on to reversing it.
Tool: Android Killer

I loaded the .apk into Android Killer; the entry point is the activity M. Its code:
.class public Lcom/h/M;
.super Landroid/app/Activity;
.source "M.java"

# direct methods
.method public constructor <init>()V
    .locals 3
    .prologue
    .line 25
    move-object v0, p0
    move-object v2, v0
    invoke-direct {v2}, Landroid/app/Activity;-><init>()V
    return-void
.end method

# Builds an ADD_DEVICE_ADMIN request for com.h.MyAdmin and shows the system
# "Activate device administrator?" dialog. Once the user taps Activate, the app
# cannot be uninstalled until that administrator is deactivated again.
.method private activiteDevice()V
    .locals 13
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "()V"
        }
    .end annotation
    .prologue
    .line 19
    move-object v0, p0
    # v1 = new Intent("android.app.action.ADD_DEVICE_ADMIN")
    # (the v12/v5/v6 shuffling is compiler register copying, nothing more)
    new-instance v5, Landroid/content/Intent;
    move-object v12, v5
    move-object v5, v12
    move-object v6, v12
    const-string v7, "android.app.action.ADD_DEVICE_ADMIN"
    invoke-direct {v6, v7}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
    move-object v1, v5
    .line 20
    # v2 = new ComponentName(this, Class.forName("com.h.MyAdmin"))
    new-instance v5, Landroid/content/ComponentName;
    move-object v12, v5
    move-object v5, v12
    move-object v6, v12
    move-object v7, v0
    :try_start_0
    const-string v8, "com.h.MyAdmin"
    invoke-static {v8}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    :try_end_0
    .catch Ljava/lang/ClassNotFoundException; {:try_start_0 .. :try_end_0} :catch_0
    move-result-object v8
    invoke-direct {v6, v7, v8}, Landroid/content/ComponentName;-><init>(Landroid/content/Context;Ljava/lang/Class;)V
    move-object v2, v5
    .line 21
    # intent.putExtra("android.app.extra.DEVICE_ADMIN", componentName)
    move-object v5, v1
    const-string v6, "android.app.extra.DEVICE_ADMIN"
    move-object v7, v2
    invoke-virtual {v5, v6, v7}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Landroid/os/Parcelable;)Landroid/content/Intent;
    move-result-object v5
    .line 24
    # startActivityForResult(intent, 0): hands the request to the system UI
    move-object v5, v0
    move-object v6, v1
    const/4 v7, 0x0
    invoke-virtual {v5, v6, v7}, Lcom/h/M;->startActivityForResult(Landroid/content/Intent;I)V
    return-void

    .line 20
    :catch_0
    # ClassNotFoundException from Class.forName is rethrown as NoClassDefFoundError
    move-exception v5
    move-object v3, v5
    new-instance v5, Ljava/lang/NoClassDefFoundError;
    move-object v12, v5
    move-object v5, v12
    move-object v6, v12
    move-object v7, v3
    invoke-virtual {v7}, Ljava/lang/Throwable;->getMessage()Ljava/lang/String;
    move-result-object v7
    invoke-direct {v6, v7}, Ljava/lang/NoClassDefFoundError;-><init>(Ljava/lang/String;)V
    throw v5
.end method

# virtual methods
.method public onCreate(Landroid/os/Bundle;)V
    .locals 5
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "(",
            "Landroid/os/Bundle;",
            ")V"
        }
    .end annotation
    .annotation runtime Ljava/lang/Override;
    .end annotation
    .prologue
    move-object v0, p0
    move-object v1, p1
    move-object v3, v0
    # LogCatBroadcaster.start(this): helper class characteristic of apps
    # built with the AIDE on-device IDE
    invoke-static {v3}, LLogCatBroadcaster;->start(Landroid/content/Context;)V
    .line 13
    # super.onCreate(savedInstanceState)
    move-object v3, v0
    move-object v4, v1
    invoke-super {v3, v4}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    .line 14
    # the only thing this activity does: request device-admin rights
    move-object v3, v0
    invoke-direct {v3}, Lcom/h/M;->activiteDevice()V
    return-void
.end method
So the entry activity does nothing except call activiteDevice(), which asks the user to grant com.h.MyAdmin device-administrator rights. That is what makes this kind of locker hard to get rid of (an active device administrator has to be deactivated in Settings before the app can be uninstalled), but it contains no unlock logic, so there was no useful clue here. Next I searched the disassembly for “序列號” (serial number).

Bingo!! Only one search result; I could smell success.

Nice, the password is right there: beautifulflower. The catch is that it only works when the serial number is 0, which means the phone has to be double-wiped first (wipe data and wipe cache from recovery). No way around it; that is what you get for chasing freebies.
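To make the string-search step above repeatable, here is an added example (my own Python script, not a tool from the original post or from Android Killer) that scans baksmali output for the two things this sample exhibits: the ADD_DEVICE_ADMIN activation request in the entry activity, and string constants that mention serial-number or password keywords. For every method with a hit it also lists the method's other string constants, which is how a hard-coded password such as beautifulflower ends up next to the keyword that led to it. It decodes the \uXXXX escaping that baksmali applies to non-ASCII strings, which is why a plain grep for 序列号 over .smali files can miss the hit. The Lcom/h/M; part of the embedded sample is taken from the listing above; the Lcom/h/Lock; class and its check method are constructed, hypothetical stand-ins for the class the search found, whose real name the post does not show.

```python
"""Scan smali disassembly for Android-locker indicators.

Added example, not code from the original write-up or from Android Killer.
baksmali writes non-ASCII characters as \\uXXXX escapes inside const-string,
so the scanner decodes them before keyword matching.
"""
import re
from dataclasses import dataclass

# Intent action/extra the sample uses to obtain device-administrator rights.
DEVICE_ADMIN_INDICATORS = {
    "android.app.action.ADD_DEVICE_ADMIN": "requests device-admin activation",
    "android.app.extra.DEVICE_ADMIN": "names the DeviceAdminReceiver to activate",
}
# Keywords (simplified/traditional Chinese and English) that tend to sit next
# to lock/unlock logic in these lockers.
LOCK_KEYWORDS = ("序列号", "序列號", "serial", "密码", "密碼", "password",
                 "解锁", "解鎖", "unlock")

CLASS_RE = re.compile(r"^\s*\.class\b.*?\s(L[^\s;]+;)\s*$")
METHOD_RE = re.compile(r"^\s*\.method\b.*?\s([^\s(]+\([^)]*\)\S*)\s*$")
CONST_STR_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"(.*)"\s*$')
ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})|\\(.)")


@dataclass(frozen=True)
class Hit:
    value: str   # decoded string constant
    reason: str  # why it is reported


def unescape_smali(s: str) -> str:
    """Decode the escapes baksmali emits inside const-string literals."""
    simple = {"n": "\n", "t": "\t", "r": "\r"}

    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return simple.get(m.group(2), m.group(2))

    return ESCAPE_RE.sub(repl, s)


def classify(value: str):
    """Return a reason if the constant is an indicator, else None."""
    if value in DEVICE_ADMIN_INDICATORS:
        return DEVICE_ADMIN_INDICATORS[value]
    low = value.lower()
    if any(k in low for k in LOCK_KEYWORDS):
        return "lock/unlock keyword"
    return None


def scan_smali(text: str):
    """Map (class, method) -> [Hit, ...] for every method holding an indicator.

    All string constants of a flagged method are returned: indicators with
    their reason, the rest as 'sibling constant', so a password stored next
    to the keyword string is not missed.
    """
    constants = {}  # (class, method) -> [decoded strings]
    cls, method = "?", "<class>"
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            cls, method = m.group(1), "<class>"
        elif m := METHOD_RE.match(line):
            method = m.group(1)
        elif line.strip() == ".end method":
            method = "<class>"
        elif m := CONST_STR_RE.match(line):
            constants.setdefault((cls, method), []).append(unescape_smali(m.group(1)))

    report = {}
    for key, values in constants.items():
        reasons = [classify(v) for v in values]
        if any(reasons):
            report[key] = [Hit(v, r or "sibling constant") for v, r in zip(values, reasons)]
    return report


# Constructed sample in baksmali style. Lcom/h/M; is the entry activity from the
# write-up; Lcom/h/Lock; and check() are HYPOTHETICAL names standing in for the
# class the "序列号" search found, whose real name the post does not show.
SAMPLE_SMALI = r'''
.class public Lcom/h/M;
.super Landroid/app/Activity;
.method private activiteDevice()V
    .locals 13
    new-instance v5, Landroid/content/Intent;
    const-string v7, "android.app.action.ADD_DEVICE_ADMIN"
    invoke-direct {v6, v7}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V
    const-string v8, "com.h.MyAdmin"
    invoke-static {v8}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    const-string v6, "android.app.extra.DEVICE_ADMIN"
    invoke-virtual {v5, v6, v7}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Landroid/os/Parcelable;)Landroid/content/Intent;
    return-void
.end method
.method public onCreate(Landroid/os/Bundle;)V
    .locals 5
    invoke-static {v3}, LLogCatBroadcaster;->start(Landroid/content/Context;)V
    return-void
.end method

.class public Lcom/h/Lock;
.super Landroid/app/Activity;
.method private check(Ljava/lang/String;)Z
    .locals 3
    const-string v0, "\u5e8f\u5217\u53f7:0"
    const-string v1, "beautifulflower"
    invoke-virtual {v1, p1}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v2
    return v2
.end method
'''

if __name__ == "__main__":
    for (cls, method), hits in scan_smali(SAMPLE_SMALI).items():
        print(f"{cls}->{method}")
        for h in hits:
            print(f"    {h.value!r:45} {h.reason}")
```

On a real target, feed it the concatenation of the .smali files apktool or baksmali produced; the report groups by method, so the ADD_DEVICE_ADMIN hit points at the receiver class to deactivate, and keyword hits point at the routine whose sibling constants deserve a closer look.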
While I am at it, here is the QQ number of the person spreading this ransomware: 543892683. I doubt he wrote it himself; it was most likely produced with a one-click generator found online.
And a warning to everyone: don't chase freebies, and don't download the so-called "hacker tools", "account stealers" and "game cheats" that get passed around in group chats. Nine times out of ten they are malware.
