本文详细介绍了Android平台下的两个Crackme挑战,通过反编译APK为smali代码进行分析。作者首先解析了Crackme01的关键算法,通过分析callYailPrimitive函数确定了比大小的逻辑。接着,分析了Crackme02,发现验证条件包括name的长度至少为1,并揭示了序列号的计算方法。整个过程提升了作者对smali代码的理解和技能。
1.Crackme01
用APKtools反编译成smali代码 定位到关键部位如下:
invoke-static {v1}, Lcom/google/youngandroid/runtime;->sanitizeComponentData(Ljava/lang/Object;)Ljava/lang/Object;
move-result-object v1
sget-object v2, Lappinventor/ai_garikoitzmartinez/crackme01/Screen1;->Lit35:Lgnu/math/IntNum; #V2=0x2E812
invoke-static {v1, v2}, Lgnu/lists/LList;->list2(Ljava/lang/Object;Ljava/lang/Object;)Lgnu/lists/Pair;
move-result-object v1
sget-object v2, Lappinventor/ai_garikoitzmartinez/crackme01/Screen1;->Lit36:Lgnu/lists/PairWithPosition;
const-string v3, ">"
invoke-static {v0, v1, v2, v3}, Lcom/google/youngandroid/runtime;->callYailPrimitive(Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
move-result-object v0
sget-object v1, Ljava/lang/Boolean;->FALSE:Ljava/lang/Boolean; #v1=false
if-eq v0, v1, :cond_0 #v0=v1 Ôòʧ°Ü Sv0ҪΪÕæ
sget-object v0, Lappinventor/ai_garikoitzmartinez/crackme01/Screen1;->Lit0:Lgnu/mapping/SimpleSymbol;
invoke-static {v0}, Lcom/google/youngandroid/runtime;->lookupInCurrentFormEnvironment(Lgnu/mapping/Symbol;)Ljava/lang/Object;
move-result-object v0
sget-object v1, Lappinventor/ai_garikoitzmartinez/crackme01/Screen1;->Lit13:Lgnu/mapping/SimpleSymbol;
const-string v2, "Crackme01! << by deurus >> - Good boy!" 如果是爆破的话,把False改成true即可。而我想的是分析下这个cm的算法,于是开始向上走起了。因为v1是False,所以v0要为True。
V0-->从callYailPrimitive(,,,)返回过来的,找到这函数:
.method public static callYailPrimitive(Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
.locals 3
.parameter "prim" 对应V0 为函数返回值
.parameter "arglist" 对应V1
.parameter "typelist" 对应V2 Lit36
.parameter "codeblocks$Mnname" 对应V3 = “>”因此另外几个参数也要知晓才好分析,于是继续往上看 v3= ‘>’,然后又继续往上看,
最低0.47元/天 解锁文章
扫一扫
961
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
