分析-王者荣耀皮肤

解锁

这个apk中的关键信息是,需要激活设备管理器,然后当激活完成后,apk会黑屏,可以发现系统被上锁,值系统屏幕锁密码被改.关键的函数有两个,都是激活管理器的函数.
1.LockNow();
2.resetPassword();

卸载

去掉锁屏

卸载之后依然有锁屏密码

删除系统文件中密码文件:/data/system/password.key

分析-秒抢红包

第一层密码分析

hbCode.zip

DU.java(用的是jadx的Java代码)

package com.company;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.Key;
public class DU {
    private static String strDefaultKey = "national";
    private Cipher decryptCipher = (Cipher)null;
    private Cipher encryptCipher = (Cipher)null;
    public DU()
            throws Exception
    {
        this(strDefaultKey);
    }
    public DU(String paramString)
    {
        try
        {
           Key key = getKey(paramString.getBytes());
            this.encryptCipher = Cipher.getInstance("DES");
            this.encryptCipher.init(1, key);
            this.decryptCipher = Cipher.getInstance("DES");
            this.decryptCipher.init(2, key);
            return;
        }
        catch (Exception e)
        {
            e.printStackTrace();
        }
    }
    public static String byteArr2HexStr(byte[] paramArrayOfByte)
            throws Exception
    {
        int k = paramArrayOfByte.length;
        StringBuffer localStringBuffer = new StringBuffer(k * 2);
        int i = 0;
        if (i >= k) {
            return localStringBuffer.toString();
        }
        int j = paramArrayOfByte[i];
        for (;;)
        {
            if (j >= 0)
            {
                if (j < 16) {
                    localStringBuffer.append('0');
                }
                localStringBuffer.append(Integer.toString(j, 16));
                i += 1;
                break;
            }
            j += 256;
        }
        return null;
    }
    private Key getKey(byte[] paramArrayOfByte)
            throws Exception
    {
        byte[] arrayOfByte = new byte[8];
        int i = 0;
        for (;;)
        {
            if ((i >= paramArrayOfByte.length) || (i >= arrayOfByte.length)) {
                return new SecretKeySpec(arrayOfByte, "DES");
            }
            arrayOfByte[i] = paramArrayOfByte[i];
            i += 1;
        }
    }
    public static byte[] hexStr2ByteArr(String paramString)
            throws Exception
    {
        byte[] bytes  = paramString.getBytes();
        int j = bytes.length;
        byte[] arrayOfByte = new byte[j / 2];
        int i = 0;
        for (;;)
        {
            if (i >= j) {
                return arrayOfByte;
            }
            String str = new String(bytes, i, 2);
            arrayOfByte[(i / 2)] = ((byte)Integer.parseInt(str, 16));
            i += 2;
        }
    }
    public String decrypt(String paramString)
            throws Exception
    {
        return new String(decrypt(hexStr2ByteArr(paramString)));
    }
    public byte[] decrypt(byte[] paramArrayOfByte)
            throws Exception
    {
        return this.decryptCipher.doFinal(paramArrayOfByte);
    }
    public String encrypt(String paramString)
            throws Exception
    {
        return byteArr2HexStr(encrypt(paramString.getBytes()));
    }
    public byte[] encrypt(byte[] paramArrayOfByte)
            throws Exception
    {
        return this.encryptCipher.doFinal(paramArrayOfByte);
    }
}

Main.java（用的是java compiler里边的代码）

package com.company;
public class Main {
    public static void main(String[] args) {
    // write your code here
        DU des = new DU("flower");
        try {
            des = new DU(des.decrypt("c29fe56fa59ab0db"));
            System.out.println(des.decrypt("df24aefb99a46b13700ecb6bb7b627a9"));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}