信息反馈法

具体做法

运行目标程序，根据程序运行时给出的反馈信息作为突破口寻找关键代码。比如字符串，在程序中字符串有两种保存方式：1是string.xml，2是写到代码中

字符串信息

编写一个APK文件

主要文件：

MainActivity.xml

package com.example.administrator.myapplication;

import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.widget.Toast;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

       Toast.makeText(getApplicationContext(), "你好世界"+"hello world"+R.string.helloworld_zh+R.string.helloworld_en, Toast.LENGTH_SHORT).show();
    }
}

activity_main.xml

<?xml version="1.0" encoding="utf-8"?>
<android.support.constraint.ConstraintLayout
    xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    tools:context="com.example.administrator.myapplication.MainActivity">
<LinearLayout
    android:layout_width="368dp"
    android:layout_height="495dp"
    android:orientation="vertical">
    <TextView
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:text="@string/helloworld_en" />
    <TextView
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:text="@string/helloworld_zh" />
    <TextView
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:text="hello world" />
    <TextView
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:text="你好世界" />
</LinearLayout>


</android.support.constraint.ConstraintLayout>

string.xml

<resources>
    <string name="app_name">My Application</string>
    <string name="helloworld_en">hello world</string>
    <string name="helloworld_zh">你好世界</string>
</resources>

反编译

得到的文件：
MainActivity.smali

.class public Lcom/example/administrator/myapplication/MainActivity;
.super Landroid/support/v7/app/AppCompatActivity;
.source "MainActivity.java"


# direct methods
.method public constructor <init>()V
    .locals 0

    .prologue
    .line 7
    invoke-direct {p0}, Landroid/support/v7/app/AppCompatActivity;-><init>()V

    return-void
.end method


# virtual methods
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 3
    .param p1, "savedInstanceState"    # Landroid/os/Bundle;

    .prologue
    .line 11
    invoke-super {p0, p1}, Landroid/support/v7/app/AppCompatActivity;->onCreate(Landroid/os/Bundle;)V

    .line 12
    const v0, 0x7f04001b

    invoke-virtual {p0, v0}, Lcom/example/administrator/myapplication/MainActivity;->setContentView(I)V

    .line 14
    invoke-virtual {p0}, Lcom/example/administrator/myapplication/MainActivity;->getApplicationContext()Landroid/content/Context;

    move-result-object v0

    const-string v1, "\u4f60\u597d\u4e16\u754chello world21310996832131099682"

    const/4 v2, 0x0

    invoke-static {v0, v1, v2}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;

    move-result-object v0

    invoke-virtual {v0}, Landroid/widget/Toast;->show()V

    .line 15
    return-void
.end method

string.xml（部分）

<string name="app_name">My Application</string>

<string name="helloworld_en">hello world</string>

<string name="helloworld_zh">你好世界</string>

R$string.smali（部分）

.field public static final app_name:I = 0x7f060021

.field public static final helloworld_en:I = 0x7f060022

.field public static final helloworld_zh:I = 0x7f060023

信息

这里的信息只有一条：
一个Toast

const-string v1, "\u4f60\u597d\u4e16\u754chello world21310996832131099682"

这里就是显示的字符串。

\u4f60\u597d\u4e16\u754

就是“你好世界”

2131099683=0x7f060023
2131099682=0x7f060022

这两个就是英文和中文的hello world