sumith 发表于 2016-8-3 12:03

安卓逆向 - 玄奥八字爆破

一、首先运行软件,要知道我们逆向的是什么,没注册我们只能排1999年的



二、菜单--更多--注册,输入乱码,看有什么提示,“请输入注册号”





三、载入AK(Android Killer),搜索错误提示。注意 smali 中的非 ASCII 字符串常量是以 \u 转义形式存储的,所以要先转码再搜索:“请输入”对应 “\u8bf7\u8f93\u5165”





四、进入JAVA代码,具体分析,





五、返回AK,继续搜索,验证注册码的方法“ChkNumA()”





六、分析代码,ChkNumA()、ChkNumB()、ChkNumC()


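/**
 * Registration check "A": derives a 4-character value from the first five
 * characters of {@code Fregcode} and compares it with the first four
 * characters of {@code Fsoftsn}.
 *
 * Reconstructed from the smali listing of this method further down the page;
 * the raw decompiler output was not valid Java (sizeless {@code new char},
 * a char assigned to the array reference, stray {@code label...} markers).
 * Variable names follow the smali {@code .local} debug names.
 *
 * @return {@code true} when both lengths are right (15 / 12) and the four
 *         derived characters match {@code Fsoftsn}; {@code false} otherwise.
 *         Only the first five characters of {@code Fregcode} are consumed
 *         here; the remaining ten are not examined by this method (ChkNumB /
 *         ChkNumC are not shown on this page).
 */
public boolean ChkNumA()
{
    final long DW1 = 1555L;          // 0x613 in the smali; XOR/offset constant
    long tol = 0L;
    char[] cnum = new char[6];       // smali: new-array v2, 6, [C
    String stmp;

    // Length guard. This return is a separate constant from the mismatch
    // return below, so patching the mismatch path to "true" does NOT relax
    // it: a patched build still needs a 15-character registration code.
    if (this.Fregcode.length() != 15 || this.Fsoftsn.length() != 12) {
        return false;
    }

    // Pack the first five characters of Fregcode into a number, most
    // significant first (t1 = 10000, 1000, 100, 10, 1). Non-digit characters
    // are not rejected; they just yield out-of-range "digit" values.
    long t1 = 10000L;
    int ii = 1;
    do {
        long t2 = this.Fregcode.charAt(ii - 1) - '0';
        tol += t2 * t1;
        ii++;
        t1 /= 10L;
    } while (t1 > 0L);

    // Mix with SnCal(1555). SnCal is defined elsewhere in CSoftReg and is
    // opaque on this page; its output range is unknown here.
    tol ^= SnCal(DW1);
    tol = (tol + DW1) / 3L;
    tol -= DW1;

    // Render as decimal text. NOTE(review): cnum has room for 6 chars only;
    // if the value (plus a possible '-' sign) has more than 6 characters,
    // getChars throws ArrayIndexOutOfBoundsException. Whether that is
    // reachable depends on SnCal's range — not verifiable from this listing.
    stmp = String.valueOf(tol).trim();
    t1 = stmp.length();
    stmp.getChars(0, (int) t1, cnum, 0);

    // Left-pad to 4 characters with '0': shift the digits right, then fill
    // the vacated leading slots.
    if (t1 < 4L) {
        long t2 = 4L - t1;
        for (ii = (int) (t1 - 1L); ii >= 0; ii--) {
            cnum[(int) (ii + t2)] = cnum[ii];
        }
        for (ii = 0; ii < (int) t2; ii++) {
            cnum[ii] = '0';
        }
    }

    // Only the first 4 characters are compared against the serial number.
    for (ii = 1; ii <= 4; ii++) {
        if (cnum[ii - 1] != this.Fsoftsn.charAt(ii - 1)) {
            // All three check functions return false here; the tutorial
            // patches this return to true in each of them.
            return false;
        }
    }
    return true;
}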


七、返回AK,修改代码(ChkNumA()、ChkNumB()、ChkNumC() 三处对应位置都要改),然后保存,编译。注意:开头的长度检查(注册码 15 位、软件序列号 12 位)走的是另一个 `const/4 v11, 0x0`,并没有被改动,所以打补丁后输入的注册码仍然必须是 15 位,否则依旧返回 false


.method public ChkNumA()Z
    # Registration check A, as disassembled. Flow: length guard (15 / 12)
    # -> pack the first five chars of Fregcode into v9/v10 -> mix with
    # SnCal(0x613) -> String.valueOf, left-pad to 4 chars -> compare those
    # 4 chars with Fsoftsn. Every return goes through v11 and :goto_0.
    .locals 14

    .prologue
    .line 257
    const-wide/16 v0, 0x613
    # 0x613 = 1555 decimal. v0/v1 is never read again; the constant is
    # re-materialised inline below wherever it is used.

    .line 258
    .local v0, "DW1":J
    const-wide/16 v9, 0x0

    .line 259
    .local v9, "tol":J
    const/4 v11, 0x6

    new-array v2, v11, [C
    # cnum is only 6 chars; getChars below copies the whole decimal string
    # into it, so a longer result would overrun (depends on SnCal's range).

    .line 261
    .local v2, "cnum":[C
    const-string v4, ""

    .line 263
    .local v4, "stmp":Ljava/lang/String;
    iget-object v11, p0, LMy/XuanAo/BaZi/CSoftReg;->Fregcode:Ljava/lang/String;

    invoke-virtual {v11}, Ljava/lang/String;->length()I

    move-result v11

    const/16 v12, 0xf
    # Fregcode must be exactly 15 chars ...

    if-ne v11, v12, :cond_0

    iget-object v11, p0, LMy/XuanAo/BaZi/CSoftReg;->Fsoftsn:Ljava/lang/String;

    invoke-virtual {v11}, Ljava/lang/String;->length()I

    move-result v11

    const/16 v12, 0xc
    # ... and Fsoftsn exactly 12.

    if-eq v11, v12, :cond_1

    :cond_0
    const/4 v11, 0x0
    # Length-guard failure returns false. This is a different constant from
    # the patched one at the mismatch path below, so a patched build still
    # rejects inputs of the wrong length.

    .line 289
    :goto_0
    return v11

    .line 264
    :cond_1
    const-wide/16 v5, 0x2710
    # t1 = 10000: place value of the first digit.

    .local v5, "t1":J
    const/4 v3, 0x1

    .line 266
    .local v3, "ii":I
    :cond_2
    # do { tol += (Fregcode[ii-1] - '0') * t1; ii++; t1 /= 10; } while (t1 > 0)
    # -> consumes the first five characters only. Non-digits are not rejected.
    iget-object v11, p0, LMy/XuanAo/BaZi/CSoftReg;->Fregcode:Ljava/lang/String;

    add-int/lit8 v12, v3, -0x1

    invoke-virtual {v11, v12}, Ljava/lang/String;->charAt(I)C

    move-result v11

    add-int/lit8 v11, v11, -0x30
    # 0x30 = '0'

    int-to-long v7, v11

    .line 267
    .local v7, "t2":J
    mul-long v11, v7, v5

    add-long/2addr v9, v11

    .line 268
    add-int/lit8 v3, v3, 0x1

    .line 269
    const-wide/16 v11, 0xa

    div-long/2addr v5, v11

    .line 270
    const-wide/16 v11, 0x0

    cmp-long v11, v5, v11

    if-gtz v11, :cond_2

    .line 271
    const-wide/16 v11, 0x613

    invoke-virtual {p0, v11, v12}, LMy/XuanAo/BaZi/CSoftReg;->SnCal(J)J
    # SnCal is defined elsewhere in CSoftReg and is not shown on this page.

    move-result-wide v11

    xor-long/2addr v9, v11
    # tol = ((tol ^ SnCal(1555)) + 1555) / 3 - 1555

    .line 272
    const-wide/16 v11, 0x613

    add-long/2addr v9, v11

    const-wide/16 v11, 0x3

    div-long/2addr v9, v11

    .line 273
    const-wide/16 v11, 0x613

    sub-long/2addr v9, v11

    .line 274
    invoke-static {v9, v10}, Ljava/lang/String;->valueOf(J)Ljava/lang/String;

    move-result-object v11

    invoke-virtual {v11}, Ljava/lang/String;->trim()Ljava/lang/String;

    move-result-object v4

    .line 275
    invoke-virtual {v4}, Ljava/lang/String;->length()I

    move-result v11

    int-to-long v5, v11
    # t1 is reused here as the string length.

    .line 276
    const/4 v11, 0x0

    long-to-int v12, v5

    const/4 v13, 0x0

    invoke-virtual {v4, v11, v12, v2, v13}, Ljava/lang/String;->getChars(II[CI)V

    .line 277
    const-wide/16 v11, 0x4

    cmp-long v11, v5, v11

    if-gez v11, :cond_3
    # Shorter than 4 chars: left-pad with '0' (shift right, then fill front).

    .line 279
    const-wide/16 v11, 0x4

    sub-long v7, v11, v5
    # t2 = 4 - length = number of pad characters

    .line 280
    const-wide/16 v11, 0x1

    sub-long v11, v5, v11

    long-to-int v3, v11

    :goto_1
    if-gez v3, :cond_4

    .line 282
    const/4 v3, 0x0

    :goto_2
    long-to-int v11, v7

    if-lt v3, v11, :cond_5

    .line 285
    :cond_3
    const/4 v3, 0x1
    # ii = 1: start of the 4-character comparison loop.

    :goto_3
    const/4 v11, 0x4

    if-le v3, v11, :cond_6
    # ii <= 4 -> compare next char; otherwise all four matched -> return true.

    .line 289
    const/4 v11, 0x1

    goto :goto_0

    .line 281
    :cond_4
    # shift loop body: cnum[ii + t2] = cnum[ii]; ii--
    int-to-long v11, v3

    add-long/2addr v11, v7

    long-to-int v11, v11

    aget-char v12, v2, v3

    aput-char v12, v2, v11

    .line 280
    add-int/lit8 v3, v3, -0x1

    goto :goto_1

    .line 283
    :cond_5
    # fill loop body: cnum[ii] = '0'; ii++
    const/16 v11, 0x30

    aput-char v11, v2, v3

    .line 282
    add-int/lit8 v3, v3, 0x1

    goto :goto_2

    .line 287
    :cond_6
    # if (cnum[ii-1] != Fsoftsn.charAt(ii-1)) return false
    add-int/lit8 v11, v3, -0x1

    aget-char v11, v2, v11

    iget-object v12, p0, LMy/XuanAo/BaZi/CSoftReg;->Fsoftsn:Ljava/lang/String;

    add-int/lit8 v13, v3, -0x1

    invoke-virtual {v12, v13}, Ljava/lang/String;->charAt(I)C

    move-result v12

    if-eq v11, v12, :cond_7

    const/4 v11, 0x0    # Patch point: change 0x0 to 0x1 here ("const/4 v11, 0x1") and at the same spot in ChkNumB/ChkNumC so a mismatch also returns true.

    goto :goto_0

    .line 285
    :cond_7
    add-int/lit8 v3, v3, 0x1

    goto :goto_3
.end method





八、安装并运行编译好的 apk,注册校验已被绕过。说明:这个校验完全在本地完成,且只用到一个常量 1555 和序列号前 4 位,所以改一条常量指令就能绕过;如果要写注册机而不是打补丁,还需要分析 SnCal() 以及 ChkNumB()/ChkNumC()




希望大家能够多多评分,谢谢。。。。






笔尖下的日子 发表于 2016-8-3 12:18

回复再看了!!!

Doubts 发表于 2016-8-3 12:39

这个好{:5_117:}

oo-fish 发表于 2016-8-3 22:21

很高大上呀,慢慢消化!

我好想世界末日 发表于 2016-8-5 19:42

感谢 十分感谢 我之前就想研究下安卓的 现在有你这个做基础 貌似刚好 谢谢了

taxuewuhen 发表于 2016-8-5 21:02

chenjinghappy 发表于 2016-8-6 01:09

谢谢楼主分享 !!   谢谢!{:5_116:}

KingRom 发表于 2016-8-6 08:09

pnccm 发表于 2016-8-6 09:06

现在的app都有加固,希望能出个这类的教程

wusuobuzai 发表于 2016-8-6 09:33
