Analyze Android app behavior using Smali's own proactive injection technology

Source: Internet
Author: User
Tags: admob

Today, besides app development itself, the Android developer community has many tool products around it, for security, performance and so on. App products already have their giants, but in the tool category there is no big company yet; most are still in the start-up phase, which may be the next opportunity for entrepreneurs. Tool products have a higher technical threshold than app development, and the developers working on them need to master the following basic skills:

1. Familiarity with the Android app build process, and an understanding of the difference between JVM bytecode and Dalvik bytecode;

2. Familiarity with the Android framework, having read part of its code, for example the system startup process and the zygote process logic; skilled use of the NDK; a grasp of the basics of how inline hooks work;

3. Familiarity with a scripting language such as Python. Scripting languages still have a great advantage in developing analysis tools, and some well-known open source tools, for example Androguard, are written in Python;

4. Familiarity with the structure of the APK file and of the Dex file, such as the structure of the Dex file header;

5. Familiarity with Smali syntax and skilled use of apktool and similar tools, so that a Smali file can be parsed and read into a data structure of your own definition in memory.

With this knowledge there are many things that can be done, such as inserting your own code through Smali injection to monitor an app's behavioral data, including performance data as well as some logic data, or monitoring the application's behavior by means of an inline hook. The author has written a tool that proactively inserts Smali code into an APK. The detailed procedure is as follows:

1. Parse the APK file with Androguard and get the Dex file;

2. Convert the Dex file to Smali files with baksmali;

3. Parse the Smali files and map them to an in-memory data structure;

4. Analyze the Smali files, find the method invocations that need to be replaced, and inject code by rewriting the Smali methods.

Of course there are many details to handle, since inserted code affects the logic of the original Smali code: the number of registers increases, register usage changes, and jump targets are affected. All of these require you to analyze the code context at the point where you insert or replace code, so that the injected logic is correct.

Let me take JSON as an example to describe in detail how to replace Smali code:

The Smali code for JSON object initialization:

    new-instance v3, Lorg/json/JSONObject;
    invoke-direct {v3, p0}, Lorg/json/JSONObject;-><init>(Ljava/lang/String;)V

The first line generates a JSONObject and puts it in register v3. The second line calls the JSONObject's <init> method on v3, passing the string object in register p0 (the first parameter) as the argument. To obtain the JSON object's formatted string, the app calls JSONObject.toString. The corresponding Smali code is as follows:

    invoke-virtual {v3}, Lorg/json/JSONObject;->toString()Ljava/lang/String;
    move-result-object v8

The first line calls the toString method of the JSONObject stored in v3, and the second line stores the return value in register v8.

The following defines a static method that wraps the corresponding method of JSONObject:

    package com.test;

    import android.util.Log;
    import org.json.JSONObject;

    public class JsonReplace {
        // Static wrapper: the hooked receiver arrives as the first parameter
        public static String toString(JSONObject jsonObject) {
            String jsonString = jsonObject.toString();
            // Log.i takes a tag as its first argument; "catchjson" is the tag used by the tool
            Log.i("catchjson", "JSON toString:" + jsonString);
            return jsonString;
        }
    }

OK, the rest is to change the Smali code so that it calls the static method above. The replaced content is as follows:

    invoke-static {v3}, Lcom/test/JsonReplace;->toString(Lorg/json/JSONObject;)Ljava/lang/String;
    move-result-object v8

The <init> method gets the same treatment. This lets you intercept the contents of the JSON object, so you can monitor app content that uses JSON to upload data.

If the system time is taken where the above method starts and ends, it can also be used to measure the time spent in the JSON toString method.

The JSON methods are just one of many that can be captured; you can capture many other methods you are interested in with similar logic.
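As an added example that is not from the article or the author's tool, the following Python function carries out step 4 of the procedure above for the toString replacement just shown: it finds an invoke-virtual on a hooked method and rewrites it to an invoke-static on a wrapper class, keeping the register list unchanged so that the receiver becomes the wrapper's first parameter and the method's .registers count does not need to change. The hook class Lcom/test/JsonReplace; is from the article; the sample method body is constructed.

```python
import re

# Hook table: (owner class, method name, descriptor) -> static wrapper class.
# Lcom/test/JsonReplace; is the wrapper class from the article.
HOOKS = {
    ("Lorg/json/JSONObject;", "toString", "()Ljava/lang/String;"): "Lcom/test/JsonReplace;",
}

# Matches invoke-virtual / invoke-virtual/range instructions in a Smali method body.
INVOKE_RE = re.compile(
    r"^(?P<indent>\s*)invoke-virtual(?P<range>/range)?\s+"
    r"\{(?P<regs>[^}]*)\},\s*(?P<owner>L[^;]+;)->(?P<name>[^(]+)"
    r"\((?P<args>[^)]*)\)(?P<ret>\S+)\s*$"
)

def rewrite_invoke(line):
    """Rewrite one Smali instruction. A hooked invoke-virtual becomes an
    invoke-static on the wrapper; the receiver register stays first in the
    register list, so it becomes the wrapper's first parameter and the
    following move-result-object and .registers directive stay valid."""
    m = INVOKE_RE.match(line)
    if not m:
        return line
    hook = HOOKS.get((m["owner"], m["name"], "(%s)%s" % (m["args"], m["ret"])))
    if hook is None:
        return line  # not a hooked method: leave the instruction untouched
    return "%sinvoke-static%s {%s}, %s->%s(%s%s)%s" % (
        m["indent"], m["range"] or "", m["regs"], hook, m["name"],
        m["owner"], m["args"], m["ret"])

def rewrite_method(lines):
    """Apply rewrite_invoke to every line of one Smali method body."""
    return [rewrite_invoke(l) for l in lines]

# Constructed sample: a method that builds a JSONObject and serializes it.
SAMPLE = """\
.method private upload(Ljava/lang/String;)V
    .registers 9
    new-instance v3, Lorg/json/JSONObject;
    invoke-direct {v3, p1}, Lorg/json/JSONObject;-><init>(Ljava/lang/String;)V
    invoke-virtual {v3}, Lorg/json/JSONObject;->toString()Ljava/lang/String;
    move-result-object v8
    return-void
.end method""".splitlines()

if __name__ == "__main__":
    print("\n".join(rewrite_method(SAMPLE)))
```

Only the invoke line changes; the constructor call and the move-result-object line pass through unmodified, which is the property the article relies on when it says the register layout must stay intact.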

To test the results of the Smali self-injection, the author downloaded 360 Security Guard and carried out the injection on it. It is important to note that after modifying the Smali you need to repackage and re-sign the APK, and 360 Security Guard performs a signature check at startup: if it finds the signature inconsistent, it pops up a dialog asking you to download the app again and then exits. This can also be handled by changing the Smali code, by finding the place where the signature is verified and changing its return value to 1. Because this part concerns the app's security policy and has little to do with the subject of this article, I do not write it out here; those who are interested can contact me privately.

After injection, the Smali hooks captured all the JSON string content uploaded to 360 Security Guard. I extracted some of the content from the log.


As for the usefulness of the contents of these strings: because the author has not analyzed the app's code logic and it is not the topic of this article, I will not explain them. Here I only analyze, from a technical perspective, the possibility of obtaining application behavior by proactively injecting Smali code, and test the author's own injection tool, without any other intent.

This obtains the application's data through Smali injection; behavior data can also be captured dynamically by way of inline hooks, and the author has written a tool for that too. Perhaps a later article will introduce it specifically.
