Android reverse analysis learning and research (1) ---- to do things well, you must first sharpen the tool, android learning and research

Android reverse analysis learning and research (1) ---- to do things well, you must first sharpen the tool, android learning and research

Note: The articles published during the first day of an MOOC activity will be moved here from there

You can download the tool from xixue Mobile: Click to open the link to download the tool list, which is very detailed.

1. What is reverse

The so-called reverse engineering refers to the "reverse engineering" of the program, which is called "reverse" in English. It is an important technology in the computer security field. Common scenarios: 1. there is a software in hand (it can be a Win platform, it can be Android, or it can be ios). The software itself has a good function, but for commercial and copyright reasons, most of the software is not open-source. At this time, you would like to find out the source code or whether this function is urgently needed in your project. The rest is "reverse, the general process and main code of the software program can be obtained through reverse engineering. 2. when detecting viruses, Trojans, or software with vulnerabilities (or you want to dig for vulnerabilities), reverse engineering is the best way to understand the target software program.

Ii. Reverse Engineering of Android applications

This article will be discussed in later articles around the Android platform, while Windows and IOS platforms will not be discussed.

Iii. Start with the apk File

When you install an app on your mobile phone, you actually install the apk file. The apk is generally considered an "Android executable file" and you want to use the windows exe file, in fact, you understand it as an executable file. It does contain an executable file, but this is not a completely correct statement. Apk is the abbreviation of "Android Package". It is an Android Package file. The apk file can be decompressed and will not be demonstrated here. Therefore, it is not a real executable file. The real executable file is a ". dex" file. The dex file is short for "Dalvik execute", that is, the Dalvik executable file. But do not really think it is a binary file. It is actually a Dalvik bytecode file and will be submitted to the Dalvik Virtual Machine for interpretation and execution in the future. The Dalvik virtual machine is also mentioned here. It is a Java virtual machine on the Android platform. It features similar to the jvm virtual machine on the PC, but Dalvik is definitely not a JVM! The former is developed by Google, and the latter is from Oracle, although the two companies are still in litigation. The reverse is initially the reverse of the apk file. Some tools are used to obtain some target files and then analyze them.

4. Write a simple Android Application.

MainActivity. java

Package com. example. reversedemo; import android. app. activity; import android. OS. bundle; import android. view. view; import android. view. view. onClickListener; import android. widget. button; import android. widget. toast; public class MainActivity extends Activity {private Button btn; @ Overrideprotected void onCreate (Bundle savedInstanceState) {super. onCreate (savedInstanceState); setContentView (R. layout. activity_m Ain); super. onCreate (savedInstanceState); setContentView (R. layout. activity_main); btn = (Button) findViewById (R. id. button_1); btn. setOnClickListener (new OnClickListener () {@ Overridepublic void onClick (View arg0) {// method stub MessageBox ("Hello World! ") ;}}) ;}Public void MessageBox (String text) {Toast. makeText (this, text, Toast. LENGTH_LONG). show ();}}

Running result:

4. Use apktool.

APKTool is an APK compilation tool provided by GOOGLE. It can decompile and decompile the apk, install the framework-res framework required by the decompilation system apk, and clear the last decompilation folder. Java support is required.

Configure the environment variable before use: Example: My: Add D: \ adsec \ apktool-install-windows-r05-ibot \ apktool-install-windows-r05-ibot; to PATH.

Basic commands:

Decode:

This command is used to decompile the apk file.

Apktool d <file.apk> <dir>

<File.apk> indicates the path of the apk file to be decompiled. It is best to write an absolute path, such as C: \ HelloWorld.apk.

<Dir> represents the storage location of decompiled files, such as C: \ HelloWorld

If the specified <dir> already exists, you will be prompted after entering the command and cannot execute it. You need to modify the command and add the-f command.

Apktool d-f <file.apk> <dir>

This will forcibly overwrite existing files.

Build

This command is used to compile modified files.

Apktool B <dir>

Here, <dir> is the <dir> (such as C: \ HelloWorld) You entered during decompilation. After entering this line of command, if everything works properly, you will find C: \ MusicPlayer has two more folders: build and dist, which respectively store the files compiled one by one during the compilation process and the final packaged apk files.

Install

The install-frameworkcommand is used to install a specific framework-res.apk file for apktoolto decompile some APK files that are mutually dependent on the ROM.

Start using apktool:

1.find your .apk (Note: firstreverse.apk is the first time it was sent. It is really difficult to upload the image. The firstreverse.apk in the next image

Completely changed to reversedemo.apk, but the name is different)

And I'm reversedemo.apk

2. Copy the apk to your specific working directory ).

For example, my ID is D: \ adsec \ APK.

3. Start Reverse!

(1) Use the cmd window cd to go to the target working directory. For example, my:

.

(2) Use "apktool d APK file name .apk target directory" to start decompilation.

, Successful!

(3) Open the target working directory FirstReverse

Get the folder structure shown above.

(4) Open the smali folder, open the com folder, and then \ example \ firstreverse to find many smali files.

(5) use NotePad to open the smali file (You may ask if there is an editor with a code prompt when using notepad. A: Yes. Don't worry about it now, later ).

The smali file is the result of decompilation. We can see the clues of the software from the smali code.

(6) modify the smali code

MainActivity $1. smali

.class Lcom/example/reversedemo/MainActivity$1;.super Ljava/lang/Object;.source "MainActivity.java"# interfaces.implements Landroid/view/View$OnClickListener;# annotations.annotation system Ldalvik/annotation/EnclosingMethod;    value = Lcom/example/reversedemo/MainActivity;->onCreate(Landroid/os/Bundle;)V.end annotation.annotation system Ldalvik/annotation/InnerClass;    accessFlags = 0x0    name = null.end annotation# instance fields.field final synthetic this$0:Lcom/example/reversedemo/MainActivity;# direct methods.method constructor <init>(Lcom/example/reversedemo/MainActivity;)V    .locals 0    .parameter    .prologue    .line 1    iput-object p1, p0, Lcom/example/reversedemo/MainActivity$1;->this$0:Lcom/example/reversedemo/MainActivity;    .line 19    invoke-direct {p0}, Ljava/lang/Object;-><init>()V    return-void.end method# virtual methods.method public onClick(Landroid/view/View;)V    .locals 2    .parameter "arg0"    .prologue    .line 24    iget-object v0, p0, Lcom/example/reversedemo/MainActivity$1;->this$0:Lcom/example/reversedemo/MainActivity;####################################################################################################################

####################### The code to be modified ############ ######################################## #####################

######################################## ######################################## #################################### Const-string v1, "Hello World! "########### Change to const-string v1," Hello World! Changed! "Invoke-virtual {v0, v1}, Lcom/example/reversedemo/MainActivity;-> MessageBox (Ljava/lang/String;) V. line 25 return-void.end method

(7) repackage as an apk File

Command: apktool B ReverseDemo

Note: The above is the ReverseDemo folder, which is the folder you get after reverse conversion.

The dist folder will be generated in the ReverseDemo. The structure of the Q & A folder is as follows:

Open the dist folder and the reversedemo.apk file appears.

Do not worry about installation. The installation may fail, for example:

The reason is that the re-compiled apk file has no signature. At this point, apktool has been used.

5. Use signapk

Signapk is an apk file signature tool. Only the signed apk can be installed and used!

Write batch processing: signapk. bat is as follows:

Java-jar "% ~ Dp0signapk. jar "" % ~ Dp0testkey. x509.pem "" % ~ Dp0testkey. pk8 "% 1 signed.apk

Add signapk. bat to the path environment variable in the folder where the following four prices are located, such as signapk. jar.

Set signapk. bat

Use the command: signapk ReverseDermo.apk signature.

Install signed.apk

In this case, if you have installed the reversedemo.apk app on your mobile phone (If yes, it was previously reversed)

Be sure to uninstall and execute install, otherwise, as shown below:

Here, the adb command error prompt is added.

The INSTALL_FAILED_ALREADY_EXISTS program already exists.

INSTALL_FAILED_INVALID_APK invalid APK

INSTALL_FAILED_INVALID_URI is invalid.

INSTALL_FAILED_INSUFFICIENT_STORAGE does not have enough storage space.

INSTALL_FAILED_DUPLICATE_PACKAGE already has a program with the same name

The shared user specified by INSTALL_FAILED_NO_SHARED_USER does not exist.

INSTALL_FAILED_UPDATE_INCOMPATIBLE versions cannot coexist.

INSTALL_FAILED_SHARED_USER_INCOMPATIBLE: the shared user signature is incorrect.

The shared library required by INSTALL_FAILED_MISSING_SHARED_LIBRARY has been lost.

The shared library required by INSTALL_FAILED_REPLACE_COULDNT_DELETE is invalid.

INSTALL_FAILED_DEXOPT dex optimization Verification Failed

INSTALL_FAILED_OLDER_SDK old version

INSTALL_FAILED_CONFLICTING_PROVIDER has a content provider with the same name.

INSTALL_FAILED_NEWER_SDK system version newer

INSTALL_FAILED_TEST_ONLY test programs that the caller is not allowed to test

INSTALL_FAILED_CPU_ABI_INCOMPATIBLE contains incompatible local code

CPU_ABIINSTALL_FAILED_MISSING_FEATURE uses an invalid feature.

INSTALL_FAILED_CONTAINER_ERROR: An error occurred while accessing the SD card.

The installation path of INSTALL_FAILED_INVALID_INSTALL_LOCATION is invalid.

INSTALL_FAILED_MEDIA_UNAVAILABLE: the SD card does not exist.

INSTALL_FAILED_INTERNAL_ERROR system problems cause installation failure

DEFAULT unknown error

Running result.