Tools for APK:
1) Android Killer v1.3.1.0 - used to search for strings and repackage
2) Apktool Box v1.6.4 - used to obtain debugging start commands
3) Android 7.0 - used to run the APK
4) Android Studio 2.3.3 (with the smalidea-0.0.5 plug-in installed) - used to debug smali source code
5) Jadx-gui 0.7.1 - used to view the source code decompiled from smali. In fact, AK also has a decompilation function, but AK decompilation is not as good as jadx; I found that AK always translates a switch-case structure into an if-else structure.
Build and debug environment:
1) Repackage to generate a debuggable APK:
> Debugging smali with AS requires the APK to have the debuggable flag set (otherwise AS will display an error: Unable to open debugger port (localhost: 7800): java.net.SocketException "connection reset"). Open the APK with AK, open the file AndroidManifest.xml from the project manager bar, and add the following code to the application item:
android:debuggable="true"
2) Then select the menu Android -> Compile to repackage the APK, and install it on the Mi 5.
3) Copy the following command in the above picture to cmd and start the APK; the APK on the phone will stop at the debugging startup interface. Then check the process PID of the APK.
4) Then use the adb command to forward debugging to tcp port 8700, as follows:
5) Next, use AS to build the smali source code project and configure the debug port. There are ready-made tutorials on this part on the Internet, so I won't say much here. After setup is complete, click the debug button. The log at the bottom of AS shows that debugging started successfully:
6) At this point, the debugging environment is successfully built, and the cracking begins below.
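Seen from the defender's side, the flag set in step 1 is easy to audit, either as a release gate or when examining a suspected repackaged copy of an app. The following is an added example, not part of the original post; it assumes a text-form AndroidManifest.xml as produced by a decoder, and the sample manifests and the package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS  # namespace-qualified attribute name


def audit_debuggable(manifest_xml):
    """Classify a decoded manifest by its <application android:debuggable> value.

    Returns 'debuggable', 'not-debuggable', 'unresolved' or 'no-application'.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return "no-application"
    value = app.get(DEBUGGABLE)
    if value is None:
        return "not-debuggable"  # the attribute defaults to false when absent
    value = value.strip()
    if value.startswith("@"):
        # Resource reference: the real value lives in the APK's resources
        # and has to be resolved before the build can be trusted.
        return "unresolved"
    return "debuggable" if value.lower() == "true" else "not-debuggable"


def release_gate(manifests):
    """Return the sorted names of builds that must not ship as-is."""
    blocked = ("debuggable", "unresolved")
    return sorted(n for n, x in manifests.items() if audit_debuggable(x) in blocked)


# Constructed sample manifests (not taken from any real app).
_HEAD = '<manifest xmlns:android="%s" package="com.example.game">' % ANDROID_NS
SAMPLES = {
    "release": _HEAD + '<application android:label="Game"/></manifest>',
    "repackaged": _HEAD
    + '<application android:debuggable="true" android:label="Game"/></manifest>',
    "by-resource": _HEAD + '<application android:debuggable="@bool/dbg"/></manifest>',
    "library-stub": _HEAD + "</manifest>",
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(name, "->", audit_debuggable(xml))
    print("blocked:", release_gate(SAMPLES))
```

A copy of a released app that reports `debuggable` while the original build does not is a strong sign that the package was modified and re-signed.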
Cracking process
Idea 1: Error message prompt
An old idea; try it out first. Click purchase in the game and a purchase box pops up asking for a mobile phone number and verification code. Enter a mobile phone number and verification code here and click confirm payment; unsurprisingly it fails, and a prompt box pops up.
> Well, this is my first failure point. My idea is that since it gives this error message, there must be logic for payment success and failure in the place where this error is displayed; then I modify this logic and it's OK. OK, here is how to find the logic of this judgment. That's right, string search. The most traditional method is to search for a string in Android. You can't search for Chinese characters directly; you need to convert them to Unicode escapes. Converting "SMS verification code verification failed" to Unicode escapes gives "\u77ed\u4fe1\u9a8c\u8bc1\u7801\u9a8c\u8bc1\u5931\u8d25". The result was not found. OK, maybe it is a concatenation of strings; with a shorter query, searching for "SMS verification code", there are search results:
Sorry, I can't understand smali, so I converted it to Java source code.
1) The original function is too large, so only a part of it is posted here. It looks really different from the logic, so is it the logic? The verification method is very simple: set a breakpoint here. Then, it did not break. A breakpoint at the function entrance was still not hit either. Well, this idea ended in failure. Later, I found out that the payment box popped up from the so-called tracking code. Woo..
2) Idea Two: Drawing on Internet Posts
I have searched for similar posts before, and the post said that the search string was "successful payment", so I converted the string into a unicode code, searched in AK, and then found three results:
3) Similarly, to verify whether this is the logic code that determines whether the payment is successful, set a breakpoint at the head of the function where each string is located. There is no breakpoint at the position of the string itself because I will not dig out my wallet.
4) All operations are payment failure operations, so the code logic of a successful payment will definitely not be reached. So I set a breakpoint at the function header and then clicked confirm payment: it did not break. But when I clicked the close button, it broke successfully in the first function. This was an unexpected surprise. Then use jadx to view the logic of this function: