actions

发表于 | 分类于 | 阅读次数

smali

语法

案例

有点像汇编

ARM

寻址

寄存器

IDA

debug 静态分析

apktool d test.apk <-o output> apktool b bar <-o new_bar.apk>

检查apk校验工作

日志信息

adb logcat -s <Tag>

分析native

IDA实战小demo 找不到合适IDA for mac破解版 莫名crash 难以实战

分析思路

动态分析smali

步骤

decompile apk

apktool d test.apk <-o output>

修改 AndroidManifest.xml

<application android:debuggable="true" 不然debug会报错 Unable to open debugger port (localhost:7800): java.net.SocketException "connection reset")

入口Activity

一般有actioncategory

<activity  android:name="xxx.MainActivity" >
    <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
</activity>

rebuild apk

apktool 会遇到错误

apktool b bar <-o new_bar.apk> < 2> error.txt >

error: Error retrieving parent for item: No resource found that matches the given name ‘@android:xxxx’.

一般情况下,此时更新最新的apktool.jar就可以解决问题,但有时单纯更新apktool也不行。其实问题不在apktool,而是framework太旧了! 如果你只是更新了apktool.jar,而没有更新framework,这时候很有可能还会遇到最初的问题。 如果你不知道自己的framework路径,就去运行一遍apktool d命令,命令行中会显示使用的framework路径

1
rm -rf /Users/xxxxx/Library/apktool/framework/1.apk

当你下次运行apktool时,会自动安装对应的framework,这样一来就算完全更新了apktool。

error: Public symbol xxx declared here is not defined.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
W: /Users/wyx/stash/isafe/res/values/public.xml:25: error: Public symbol array/aouts declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:26: error: Public symbol array/aouts_values declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:27: error: Public symbol array/audio_title_alignment_list declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:28: error: Public symbol array/audio_title_alignment_values declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:29: error: Public symbol array/chroma_formats declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:30: error: Public symbol array/chroma_formats_values declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:31: error: Public symbol array/deblocking_list declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:32: error: Public symbol array/deblocking_values declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:33: error: Public symbol array/dev_hardware_decoder_list declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:34: error: Public symbol array/dev_hardware_decoder_values declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:35: error: Public symbol array/hardware_acceleration_list declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:36: error: Public symbol array/hardware_acceleration_values declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:37: error: Public symbol array/screen_orientation_list declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:38: error: Public symbol array/screen_orientation_values declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:39: error: Public symbol array/subtitles_encoding_list declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:40: error: Public symbol array/subtitles_encoding_values declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:41: error: Public symbol array/vouts declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:42: error: Public symbol array/vouts_froyo declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:43: error: Public symbol array/vouts_values declared here is not defined.
W: /Users/wyx/stash/isafe/res/values/public.xml:44: error: Public symbol array/vouts_values_froyo declared here is not defined.

我注释掉对应文件的对应行

重新打包签名

手动签名

zipalign 可以确保所有未压缩的数据的开头均相对于文件开头部分执行特定的字节对齐,这样可减少应用消耗的 RAM 量。

1
2
可选
zipalign -v -p 4 my-app-unsigned.apk my-app-unsigned-aligned.apk

更新到sdk/build-tools/28.0.3使用apksigner进行签名

使用 keytool 生成一个私钥 my-release-key.jks

1
keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias

在本例中,在使用单密钥库文件 my-release-key.jks 中存储的私钥和证书签署 APK 后,将以 my-app-release.apk 的形式输出签署的 APK。

1
apksigner sign --ks my-release-key.jks --out my-app-release.apk my-app-unsigned-aligned.apk

验证您的 APK 是否已签署:

1
apksigner verify my-app-release.apk

安装apk

先卸载原来的apk 否侧

adb: failed to install xxx.apk: Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Package [package name] signatures do not match previously installed version; ignoring!]

1
adb install my-app-release.apk

导入到AS

安装插件

安装 smali插件下载导入,重启AS

导入工程

导入反编译后的文件夹 一直next直到finish

配置project

这步做不做好像没所谓

配置jdk

debug 配置 remote

打开对应的APP

1
2
3
4
➜ adb shell dumpsys activity top|grep ACTIVITY
  ACTIVITY com.github.shadowsocks/.MainActivity 6b899d7 pid=25351
  ACTIVITY net.oneplus.launcher/.Launcher ab1eb3 pid=3549
  ACTIVITY com.awesapp.isafe/.core.MainActivity cec1c35 pid=29081

端口转发

1
adb forward tcp:5005 jdwp:29081

下断点

res/values/public.xml

了解程序结构,找破解的地方。在View确定控件。

  • apk toast message 反馈 直接查字符串

  • 手动log

adb logcat -s SN:v

  • 逐步调试
  • DDMS 里面的Method Profiling
  • 找控件 adb shell dumpsys activity top > 4.txt 定位Activity,再debug

小思路

内购

登录注册

动态分析so

逆向加固

  • apk 先解压出classes.dex使用dex2jar+jdgui
  • 使用apktool反编译