分析-王者荣耀皮肤
解锁
这个apk的关键行为是:需要激活设备管理器,激活完成后apk会黑屏,此时可以发现系统被上锁,即系统屏幕锁密码被改。关键的函数有两个,都是设备管理器(DevicePolicyManager)的函数:
1.lockNow();
2.resetPassword();
卸载
去掉锁屏
卸载之后依然有锁屏密码
删除系统中保存锁屏密码的文件(需要root权限):/data/system/password.key
分析-秒抢红包
第一层密码分析
DU.java(用的是jadx的Java代码)
package com.company;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
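/**
 * DES helper rebuilt from the jadx output of the analysed sample, used to recover the
 * values the sample stores in encrypted form.
 *
 * <p>The cipher choice (single DES, provider-default mode and padding, key material taken
 * straight from a short string) is kept only because it has to match what the sample does.
 * It is not a scheme to reuse for protecting data: DES has a 56-bit key and the default
 * transformation on the stock JDK provider is ECB.
 *
 * <p>Instances are not documented as thread-safe; {@link Cipher} objects carry state.
 */
public class DU {
    /** Key string used by the no-argument constructor; hard-coded in the decompiled class. */
    private static final String strDefaultKey = "national";

    private final Cipher decryptCipher;
    private final Cipher encryptCipher;

    /**
     * Builds a helper keyed with the built-in default key string.
     *
     * @throws Exception kept for source compatibility with the decompiled signature
     */
    public DU() throws Exception {
        this(strDefaultKey);
    }

    /**
     * Builds a helper keyed with the first eight bytes of {@code paramString}.
     *
     * @param paramString key string; shorter keys are zero-padded, longer ones truncated
     * @throws IllegalStateException if the DES ciphers cannot be created or initialised
     */
    public DU(String paramString) {
        Cipher enc;
        Cipher dec;
        try {
            // UTF-8 is Android's default charset, so pinning it keeps a desktop run
            // byte-compatible with what the sample computes on the device.
            Key key = getKey(paramString.getBytes(StandardCharsets.UTF_8));
            enc = Cipher.getInstance("DES");
            enc.init(Cipher.ENCRYPT_MODE, key);
            dec = Cipher.getInstance("DES");
            dec.init(Cipher.DECRYPT_MODE, key);
        } catch (GeneralSecurityException e) {
            // The decompiled code printed the stack trace and left both ciphers null,
            // which only surfaced later as a NullPointerException in encrypt/decrypt.
            throw new IllegalStateException("DES cipher could not be initialised", e);
        }
        this.encryptCipher = enc;
        this.decryptCipher = dec;
    }

    /**
     * Renders a byte array as lower-case hex, two digits per byte.
     *
     * <p>The jadx output for this method was damaged (it handled at most one byte and then
     * returned {@code null}); this is the loop the surviving statements describe.
     *
     * @param paramArrayOfByte bytes to render
     * @return hex string of length {@code 2 * paramArrayOfByte.length}
     * @throws Exception kept for source compatibility with the decompiled signature
     */
    public static String byteArr2HexStr(byte[] paramArrayOfByte) throws Exception {
        StringBuilder hex = new StringBuilder(paramArrayOfByte.length * 2);
        for (byte b : paramArrayOfByte) {
            // Same effect as the original "add 256 while negative" step.
            int unsigned = b & 0xFF;
            if (unsigned < 16) {
                hex.append('0');
            }
            hex.append(Integer.toString(unsigned, 16));
        }
        return hex.toString();
    }

    /**
     * Derives the DES key: the first eight input bytes, zero-padded when the input is shorter.
     */
    private static Key getKey(byte[] paramArrayOfByte) {
        byte[] keyBytes = new byte[8];
        System.arraycopy(paramArrayOfByte, 0, keyBytes, 0,
                Math.min(paramArrayOfByte.length, keyBytes.length));
        return new SecretKeySpec(keyBytes, "DES");
    }

    /**
     * Parses a hex string into bytes, two characters per byte.
     *
     * @param paramString hex text of even length
     * @return decoded bytes
     * @throws IllegalArgumentException if the length is odd
     * @throws NumberFormatException if a character pair is not valid hex
     * @throws Exception kept for source compatibility with the decompiled signature
     */
    public static byte[] hexStr2ByteArr(String paramString) throws Exception {
        byte[] text = paramString.getBytes(StandardCharsets.UTF_8);
        if (text.length % 2 != 0) {
            // The original ran off the end of the array on the dangling last character.
            throw new IllegalArgumentException(
                    "hex string must have an even length, got " + text.length);
        }
        byte[] out = new byte[text.length / 2];
        for (int i = 0; i < text.length; i += 2) {
            String pair = new String(text, i, 2, StandardCharsets.UTF_8);
            out[i / 2] = (byte) Integer.parseInt(pair, 16);
        }
        return out;
    }

    /**
     * Decrypts hex-encoded ciphertext and returns the plaintext as a string.
     *
     * @param paramString ciphertext as hex
     * @return plaintext decoded as UTF-8
     * @throws Exception if the hex is malformed or the cipher rejects the input
     */
    public String decrypt(String paramString) throws Exception {
        return new String(decrypt(hexStr2ByteArr(paramString)), StandardCharsets.UTF_8);
    }

    /**
     * Decrypts raw ciphertext bytes.
     *
     * @param paramArrayOfByte ciphertext
     * @return plaintext bytes
     * @throws Exception if the cipher rejects the input (bad padding or block size)
     */
    public byte[] decrypt(byte[] paramArrayOfByte) throws Exception {
        return this.decryptCipher.doFinal(paramArrayOfByte);
    }

    /**
     * Encrypts a string and returns the ciphertext as lower-case hex.
     *
     * @param paramString plaintext
     * @return ciphertext as hex
     * @throws Exception if the cipher operation fails
     */
    public String encrypt(String paramString) throws Exception {
        return byteArr2HexStr(encrypt(paramString.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Encrypts raw bytes.
     *
     * @param paramArrayOfByte plaintext bytes
     * @return ciphertext bytes
     * @throws Exception if the cipher operation fails
     */
    public byte[] encrypt(byte[] paramArrayOfByte) throws Exception {
        return this.encryptCipher.doFinal(paramArrayOfByte);
    }
}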
Main.java(用的是java compiler里边的代码)
package com.company;
public class Main {
    /**
     * Recovers the first-layer password in two steps: the helper keyed with "flower"
     * decrypts the inner key, and a second helper keyed with that result decrypts the
     * stored value, which is printed to standard output.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        DU outer = new DU("flower");
        try {
            // Stage 1: the first hex blob holds the key for the second stage.
            String innerKey = outer.decrypt("c29fe56fa59ab0db");
            DU inner = new DU(innerKey);
            // Stage 2: decrypt the stored value with the recovered key.
            String recovered = inner.decrypt("df24aefb99a46b13700ecb6bb7b627a9");
            System.out.println(recovered);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Smali 注入
日志里边得到密码
在Android Killer里边自带的日志查看