Take buu-Findit, a simple Android reversing challenge, as the example. The goal is to modify the APK, then repackage and re-sign it so that it runs on an Android emulator and prints the flag no matter what string is entered.

Author: hans774882968

Tools

  1. Apktool: see its download guide. It is just a JAR package.
  2. Genymotion 3.2.1, an Android emulator. It is free for personal use, but you have to register on their website.

Configuring Genymotion is a bit of a hassle. Many of the tutorials online are quite old, so I may write a more detailed one later. For now, the problems I ran into:

  1. The mouse cannot drag inside the emulator window (dragging is blocked): set compatibility mode to Windows 8 and do not run it with administrator rights. Both seem to be required.
  2. Genymotion-ARM-Translation fails to install: do not pick the newest package; the Android 10 one fails. Specifically, the Genymotion-ARM-Translation version must match the Android version that your emulator image runs.
  3. Later I found www.jianshu.com/p/1db4cb031… ; the Baidu Netdisk link it provides has a Genymotion-ARM-Translation package that supports Android 9.
  4. After that, dragging and dropping the app onto the emulator installs it and it opens normally.

Finding the critical code

I will not repeat how to browse the APK in JEB. We find this smali in MainActivity$1.onClick:

.method public onClick(View)V
          .registers 14
00000000  const/16            v11, 17
00000004  const/16            v10, 0x007A
00000008  const/16            v9, 90
0000000C  const/16            v8, 65
00000010  const/16            v7, 97
00000014  new-array           v3, v11, [C
00000018  const/16            v5, 38
0000001C  new-array           v4, v5, [C
00000020  const/4             v0, 0
:22
00000022  if-lt               v0, v11, :70
:26
00000026  const/4             v1, 0
00000028  invoke-static       String->valueOf([C)String, v3
0000002E  move-result-object  v1
00000030  iget-object         v5, p0, MainActivity$1->val$edit:EditText
00000034  invoke-virtual      EditText->getText()Editable, v5
0000003A  move-result-object  v5
0000003C  invoke-interface    Editable->toString()String, v5
00000042  move-result-object  v5
00000044  invoke-virtual      String->equals(Object)Z, v1, v5
0000004A  move-result         v5
0000004C  if-eqz              v5, :190

Reading the disassembly: the loop at :22 fills the char array v3 with the expected characters, v1 = String.valueOf(v3) is the expected string, v5 is whatever the user typed into the EditText, and String.equals leaves its boolean result in v5. The if-eqz v5, :190 jumps to the :190 label, which is the failure branch, whenever equals returned false (0); otherwise execution falls through into the success branch. So we just need to delete the if-eqz instruction, and every input falls through to the success path.

Modifying the smali

Run java -jar apktool.jar d 1.apk; this produces a decompiled folder with the same name as the APK (1/). The file to edit is MainActivity$1.smali, which, going by the class descriptor Lcom/example/findit/MainActivity$1; in the code, lives at smali/com/example/findit/MainActivity$1.smali. Open it, find the onClick method, and delete the if-eqz line (apktool names the branch target :cond_N rather than JEB's :190).

But why settle for that? Let's make it print something more interesting.

First bump the register count a little:

    .locals 15

Then add the following below the line-69 iget-object (the Start/End markers delimit the new code; the move-result-object at the end is what stores the built string back into v2, otherwise toString()'s result is discarded and setText would still show the plain flag):

    iget-object v5, p0, Lcom/example/findit/MainActivity$1;->val$text:Landroid/widget/TextView;

    # Start
    new-instance v12, Ljava/lang/StringBuilder;
    invoke-direct {v12}, Ljava/lang/StringBuilder;-><init>()V
    const-string v13, "信用: I am a great acmer!"
    invoke-virtual {v12, v13}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    invoke-virtual {v12, v2}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    invoke-virtual {v12, v13}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    invoke-virtual {v12}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
    move-result-object v2
    # End
    invoke-virtual {v5, v2}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V

    .line 74
    .end local v2    # "n":Ljava/lang/String;

    :goto_2
    return-void

I had only just learned this smali syntax: invoke-virtual calls an instance method, invoke-direct calls a constructor or private method, and move-result-object copies the object returned by the immediately preceding invoke into a register (move-result does the same for primitives). Because apktool declares the method with .locals, the parameters keep their p0/p1 names, so raising .locals from 12 to 15 simply makes v12 to v14 available as scratch registers.

While testing in the emulator the app kept crashing. It took me a long time to find that I had forgotten to call the constructor on v12: new-instance only allocates the object, and the bytecode verifier rejects a method that uses an uninitialised reference, so the app dies with a VerifyError as soon as the class loads, not at the offending instruction.

Repackaging and signing

Rebuild with Apktool (1 is the decompiled folder) and sign the APK with the JDK's built-in tools:

    java -jar apktool.jar b 1 -o 1-out.apk

Signing the APK:

  1. In the JDK's bin folder (the one containing java.exe), run .\keytool -genkeypair -alias demo.keystore -keyalg RSA -validity 500000 -keystore demo.keystore. It asks a few questions (name, organisation, location); the answers can be anything, but remember the password. You only need to generate the keystore once and can reuse it afterwards.
  2. jarsigner needs that keystore file. Command: .\jarsigner -keystore D:\xxx\demo.keystore -signedjar D:\xxx\1-signed.apk D:\xxx\1-out.apk demo.keystore. The four parameters are the keystore file, the output file, the input file, and the key alias (here the alias happens to be the same string as the keystore file name). It then prompts for the keystore password.

Drag the signed APK straight into the emulator. Two things to watch: the rebuilt APK now carries your certificate rather than the original developer's, so it will not install over an existing copy of the original app (uninstall that first), and jarsigner only produces a v1 (JAR) signature, which is enough here but is rejected for apps that target API 30 or later; those need apksigner from the Android build-tools, which also emits v2/v3 signatures. That certificate swap is also why a production app would check its own signing certificate at runtime: a repackaged build is detectable precisely because it cannot carry the original key.
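To make the whole loop repeatable (and to avoid the hand-editing slip described above), here is an added Python script that is not part of the original post: it applies the same three edits to apktool's smali output (bump .locals, drop the if-eqz guard that follows String.equals, wrap the string in v2 with a banner via StringBuilder) and, when given an APK, drives apktool and jarsigner with the commands from this post. Assumptions not taken from the page: the file path smali/com/example/findit/MainActivity$1.smali (derived from the class descriptor Lcom/example/findit/MainActivity$1;), apktool's :cond_N label naming for the branch JEB shows as :190, that the flag string sits in v2 as in the edit above, and SAMPLE_SMALI, which is a constructed, trimmed stand-in for the real method body.

```python
#!/usr/bin/env python3
"""Added example (not the post's own code): script the smali patch from this post.

Assumed, not taken from the page: the smali path below (derived from the class
descriptor Lcom/example/findit/MainActivity$1;), apktool's :cond_N label naming
for the branch JEB shows as :190, and the flag string living in v2.
"""
import getpass
import subprocess
import sys
from pathlib import Path

SMALI_REL = Path("smali/com/example/findit/MainActivity$1.smali")  # assumed path
EQUALS = "Ljava/lang/String;->equals(Ljava/lang/Object;)Z"
SB = "Ljava/lang/StringBuilder;"

# Constructed stand-in for apktool's output of onClick: only the lines the patch
# keys on, in the order the page's listing shows them (a real file has far more).
SAMPLE_SMALI = """\
.method public onClick(Landroid/view/View;)V
    .locals 12
    .param p1, "v"    # Landroid/view/View;

    invoke-virtual {v1, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v5

    if-eqz v5, :cond_0

    iget-object v5, p0, Lcom/example/findit/MainActivity$1;->val$text:Landroid/widget/TextView;

    invoke-virtual {v5, v2}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V

    :goto_2
    return-void

    :cond_0
    goto :goto_2
.end method
"""


def banner_payload(first_free: int, banner: str) -> list[str]:
    """Smali that rewrites v2 as banner + v2 + banner using two fresh registers."""
    sb, s = f"v{first_free}", f"v{first_free + 1}"
    if first_free + 1 > 15:
        # Non-range invoke-* encodes registers in 4 bits (v0..v15); anything higher
        # needs invoke-virtual/range or a move into a low register first.
        raise ValueError("fresh registers are not addressable by invoke-virtual")
    append = f"invoke-virtual {{{sb}, %s}}, {SB}->append(Ljava/lang/String;){SB}"
    return [
        f"    new-instance {sb}, {SB}",
        f"    invoke-direct {{{sb}}}, {SB}-><init>()V",  # the constructor call that is easy to forget
        f'    const-string {s}, "{banner}"',  # banner must not contain a double quote
        "    " + append % s,
        "    " + append % "v2",
        "    " + append % s,
        f"    invoke-virtual {{{sb}}}, {SB}->toString()Ljava/lang/String;",
        "    move-result-object v2",  # without this, toString()'s result is dropped
    ]


def patch_onclick(smali: str, banner: str) -> str:
    """Apply the post's three edits to onClick only: bump .locals by 3, drop the
    if-eqz guard after String.equals, insert the banner code after the val$text load."""
    out: list[str] = []
    in_method = after_equals = removed = inserted = False
    first_free = None
    for line in smali.splitlines():
        s = line.strip()
        if s.startswith(".method ") and s.endswith(" onClick(Landroid/view/View;)V"):
            in_method = True
        if in_method:
            if s.startswith(".locals ") and first_free is None:
                first_free = int(s.split()[1])
                line = line.replace(s, f".locals {first_free + 3}")  # +3 as on the page; third one spare
            elif EQUALS in s:
                after_equals = True
            elif after_equals and s.startswith("if-eqz "):
                removed, after_equals = True, False
                continue  # no guard: every input falls through into the success branch
            elif s == ".end method":
                in_method = False
        out.append(line)
        if (in_method and not inserted and s.startswith("iget-object ")
                and s.endswith("->val$text:Landroid/widget/TextView;")):
            if first_free is None:
                raise ValueError(".locals must precede the val$text load")
            out.append("")
            out.extend(banner_payload(first_free, banner))
            inserted = True
    if first_free is None or not removed or not inserted:
        raise ValueError(f"patch incomplete: locals={first_free} guard={removed} banner={inserted}")
    return "\n".join(out) + "\n"


def rebuild(apk: Path, banner: str, keystore: Path, alias: str, storepass: str) -> Path:
    """Drive the post's toolchain: apktool d, patch, apktool b, jarsigner.
    Needs apktool.jar in the working directory and the JDK tools on PATH."""
    work = apk.with_suffix("")  # apktool's default output folder, named after the APK
    subprocess.run(["java", "-jar", "apktool.jar", "d", "-f", "-o", str(work), str(apk)], check=True)
    target = work / SMALI_REL
    target.write_text(patch_onclick(target.read_text(encoding="utf-8"), banner), encoding="utf-8")
    unsigned = apk.with_name(f"{work.name}-out.apk")
    subprocess.run(["java", "-jar", "apktool.jar", "b", "-o", str(unsigned), str(work)], check=True)
    signed = apk.with_name(f"{work.name}-signed.apk")
    subprocess.run(["jarsigner", "-keystore", str(keystore), "-storepass", storepass,
                    "-signedjar", str(signed), str(unsigned), alias], check=True)
    return signed


if __name__ == "__main__":
    if len(sys.argv) < 3:  # no APK given: show the patch applied to the constructed sample
        print(patch_onclick(SAMPLE_SMALI, "I am a great acmer!"))
    else:  # usage: patch_findit.py 1.apk demo.keystore [alias]
        alias = sys.argv[3] if len(sys.argv) > 3 else "demo.keystore"
        pw = getpass.getpass("keystore password: ")
        print(rebuild(Path(sys.argv[1]), "I am a great acmer!", Path(sys.argv[2]), alias, pw))
```

Run it with no arguments to see the patched sample; with an APK and keystore it produces 1-signed.apk exactly as the manual steps do. The register check in banner_payload matters in practice: if the target method already uses more than 14 locals, the fresh registers land above v15 and the non-range invoke-virtual forms used here can no longer encode them, which the script refuses rather than emitting bytecode the verifier would reject.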

Result

As shown in the screenshot.

References

  1. Android reversing workflow: www.52pojie.cn/thread-8224…
  2. String concatenation in smali: blog.csdn.net/sumsear/art…