新年
快乐

垃圾堆中的精品

垃圾堆中的精品

某直播APK文件破解writeup

无聊在某威客网上看到了项目,破解APK文件,无聊就下载下来看看,能不能搞定。
APK先安装到手机上,直接打开,哎呀直接就要注册码,连内容不给看。

 
201502231

哎呀我的这个暴脾气,拿来神器Android Killer,载入,分析。


 
图片未加载

稍等一会,待分析完成后。

 
图片未加载

搜索字符串“输入注册码”,找到后分析。对Samli语言不懂。
    #v3=(One);
    invoke-virtual {v0, v3}, Ljava/lang/reflect/Field;->setAccessible(Z)V

    .line 783
    const/4 v3, 0x0

    #v3=(Null);
    invoke-static {v3}, Ljava/lang/Boolean;->valueOf(Z)Ljava/lang/Boolean;

    move-result-object v3

    #v3=(Reference,Ljava/lang/Boolean;);
    invoke-virtual {v0, p1, v3}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_2

    .line 823
    .end local v0    # "field":Ljava/lang/reflect/Field;
    :goto_0
    #v0=(Conflicted);v1=(Conflicted);
    return-void

    .line 790
    :cond_1
    #v0=(Uninit);v1=(Uninit);v3=(Boolean);v4=(Uninit);
    iget-object v3, p0, Lcom/test/load/LogUtils$3;->val$ctx:Landroid/app/Activity;

    #v3=(Reference,Landroid/app/Activity;);
    invoke-static {v3, v2}, Lcom/test/load/LogUtils;->access$1(Landroid/content/Context;Ljava/lang/String;)Z

    move-result v3

    #v3=(Boolean);
    if-eqz v3, :cond_3

    .line 791
    iget-object v3, p0, Lcom/test/load/LogUtils$3;->val$ctx:Landroid/app/Activity;

    #v3=(Reference,Landroid/app/Activity;);
    const-string v4, "passwd"

    #v4=(Reference,Ljava/lang/String;);
    invoke-static {v3, v4, v2}, Lcom/test/load/LogUtils;->access$2(Landroid/content/Context;Ljava/lang/String;Ljava/lang
/String;)V

    .line 792
    iget-object v3, p0, Lcom/test/load/LogUtils$3;->val$ctx:Landroid/app/Activity;

    const-string v4, "\u6ce8\u518c\u7801\u6b63\u786e\uff0c\u6b22\u8fce\u4f7f\u7528\u672c\u8f6f\u4ef6"

    invoke-static {v3, v4, v5}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)
Landroid/widget/Toast;

    move-result-object v3

    .line 793
    invoke-virtual {v3}, Landroid/widget/Toast;->show()V

    .line 794
    invoke-interface {p1}, Landroid/content/DialogInterface;->dismiss()V

    .line 795
    iget-object v3, p0, Lcom/test/load/LogUtils$3;->val$handler:Landroid/os/Handler;

    if-eqz v3, :cond_2

    .line 796
    new-instance v1, Landroid/os/Message;

    #v1=(UninitRef,Landroid/os/Message;);
    invoke-direct {v1}, Landroid/os/Message;->()V

    .line 797
    .local v1, "msg":Landroid/os/Message;
    #v1=(Reference,Landroid/os/Message;);
    iput v6, v1, Landroid/os/Message;->what:I

    .line 798
    iget-object v3, p0, Lcom/test/load/LogUtils$3;->val$handler:Landroid/os/Handler;

    invoke-virtual {v3, v1}, Landroid/os/Handler;->sendMessage(Landroid/os/Message;)Z

    .line 802
    .end local v1    # "msg":Landroid/os/Message;
    :cond_2
    :try_start_1
    #v1=(Conflicted);
    invoke-virtual {p1}, Ljava/lang/Object;->getClass()Ljava/lang/Class;

    move-result-object v3

    invoke-virtual {v3}, Ljava/lang/Class;->getSuperclass()Ljava/lang/Class;

    move-result-object v3

    .line 803
    const-string v4, "mShowing"

    invoke-virtual {v3, v4}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;

    move-result-object v0

    .line 804
    .restart local v0    # "field":Ljava/lang/reflect/Field;
    #v0=(Reference,Ljava/lang/reflect/Field;);
    const/4 v3, 0x1

 
图片未加载

没办法,打开JD_JUI,载入查看JAVA源码,找到判断方法。发现是一个if的判断。
private static void showPasswdDialog(final Activity paramActivity, final Handler paramHandler)
  {
    EditText localEditText = new EditText(paramActivity);
    localEditText.setText("");
    String str = getRegStr(paramActivity);
    AlertDialog.Builder localBuilder = new AlertDialog.Builder(paramActivity).setCancelable(false).setTitle(title)
.setMessage("机器码=" + str).setView(localEditText).setPositiveButton("输入注册码", new DialogInterface.OnClickListener()
    {
      public void onClick(DialogInterface paramAnonymousDialogInterface, int paramAnonymousInt)
      {
        String str = LogUtils.this.getText().toString().trim();
        if ((str == null) || (str.equals(""))) {
          Toast.makeText(paramActivity, "请输入注册码", 0).show();
        }
        try
        {
          Field localField1 = paramAnonymousDialogInterface.getClass().getSuperclass().getDeclaredField("mShowing");
          localField1.setAccessible(true);
          localField1.set(paramAnonymousDialogInterface, Boolean.valueOf(false));
          return;
        }
        catch (Exception localException1) {}
        if (LogUtils.c(paramActivity, str))
        {
          LogUtils.writeKeyValue(paramActivity, "passwd", str);
          Toast.makeText(paramActivity, "注册码正确,欢迎使用本软件", 0).show();
          paramAnonymousDialogInterface.dismiss();
          if (paramHandler != null)
          {
            Message localMessage = new Message();
            localMessage.what = 1;
            paramHandler.sendMessage(localMessage);
          }
          try
          {
            Field localField3 = paramAnonymousDialogInterface.getClass().getSuperclass().getDeclaredField("mShowing");
            localField3.setAccessible(true);
            localField3.set(paramAnonymousDialogInterface, Boolean.valueOf(true));
            return;
          }
          catch (Exception localException3)
          {
            return;
          }
        }
        Toast.makeText(paramActivity, "注册码错误,请输入正确的注册码", 0).show();
        try
        {
          Field localField2 = paramAnonymousDialogInterface.getClass().getSuperclass().getDeclaredField("mShowing");
          localField2.setAccessible(true);
          localField2.set(paramAnonymousDialogInterface, Boolean.valueOf(false));
          return;
        }
        catch (Exception localException2) {}
      }
    }).setNegativeButton("取消", new DialogInterface.OnClickListener()
    {
      public void onClick(DialogInterface paramAnonymousDialogInterface, int paramAnonymousInt)
      {
        LogUtils.this.finish();
      }
    }).setOnKeyListener(new DialogInterface.OnKeyListener()
    {
      public boolean onKey(DialogInterface paramAnonymousDialogInterface, int paramAnonymousInt, KeyEvent
 paramAnonymousKeyEvent)
      {
        switch (paramAnonymousInt)
        {
        default: 
          return false;
        }
        return true;
      }
    });
    SimpleDateFormat localSimpleDateFormat1;
    if (!TextUtils.isEmpty(passwdValidTime))
    {
      localSimpleDateFormat1 = new SimpleDateFormat("yyyyMMddHHmmss");
      new Date();
    }
    try
    {
      Date localDate2 = localSimpleDateFormat1.parse(passwdValidTime);
      localDate1 = localDate2;
    }
    catch (Exception localException)
    {
      for (;;)
      {
        SimpleDateFormat localSimpleDateFormat2;
        Object[] arrayOfObject;
        Date localDate1 = new Date();
      }
    }
    localSimpleDateFormat2 = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
    arrayOfObject = new Object[1];
    arrayOfObject[0] = localSimpleDateFormat2.format(localDate1);
    localEditText.setHint(String.format("有效期:%s", arrayOfObject));
    if (passwdStatus == 2) {
      localBuilder.setNeutralButton("继续", new DialogInterface.OnClickListener()
      {
        public void onClick(DialogInterface paramAnonymousDialogInterface, int paramAnonymousInt)
        {
          paramAnonymousDialogInterface.dismiss();
          if (LogUtils.this != null)
          {
            Message localMessage = new Message();
            localMessage.what = 1;
            LogUtils.this.sendMessage(localMessage);
          }
          try
          {
            Field localField = paramAnonymousDialogInterface.getClass().getSuperclass().getDeclaredField("mShowing");
            localField.setAccessible(true);
            localField.set(paramAnonymousDialogInterface, Boolean.valueOf(true));
            return;
          }
          catch (Exception localException) {}
        }
      });
    }
    localBuilder.show();
  }
回到samli,找到关键判断语句。然后向上找到v3的定义语句:const/4 v3, 0x0,并改成const/4 v3, 0x1,也就是改为真。

 
图片未加载

然后编译,安装,直接点击输入注册码,嗯,没有意外,软件界面出来了,还不错的电视软件,频道还挺多。

 
图片未加载

联系发布人,至此100大洋到手。

 

评论回复

回到顶部