Android Black Tech Series--static analysis technology to hack apk

First, preface

From the beginning of this article we began our path of cracking, the previous several articles in how we explain how to strengthen our apk, to prevent others to crack, then we will start to crack our apk, for the previous encryption method of using the corresponding crack technology, The hack in Android can be broadly divided into static analysis and dynamic analysis, which can be subdivided into Java layers (Smail and Dex) and native layers (so). So today we're mainly going to explain how to hack our apk by static analysis, and this article will be explained in the example of Java layer and native layer.

Ii. preparatory work

Before we start today's article, we need to prepare something,

First, the first is the basic knowledge:

1. Learn the structure of the APK file in Android.

2. Understanding Smail Syntax and Dex file formats

3, the APK signature mechanism

About these three knowledge points, here does not do the detailed introduction, does not understand the classmate can oneself online study, has a lot of information to explain.

Second, there are a few important tools

1, Apktool: Anti-compilation of the weapon

2. Dex2jar: Turn Dex into a jar

3. Jd-gui: A good tool for viewing jar files

4. IDA: The most complete tool for billing (analysis of Dex and so Can)

: Http://pan.baidu.com/s/1hqBC7Es

Extra: The top four tools are the most basic, but now there are some better tools on the Web: Jeb,gda and so on. But these tools are enriched with the above four tools, so it is enough to say that we only have four tools above. Ida tools I specifically gave one, the other tools in the case we provided.

Three, the principle of technology

The preparation is finished, the following is a look at today's crack Way introduction:

The static analysis of the hack in Android is said to be important and unimportant, why do you say so?

Because we will introduce dynamic analysis in the back, when we cracked an apk, we found that the static analysis method is almost useless, because the current program reinforcement is more advanced, static analysis is almost invalid, so dynamic analysis is necessary, but if static analysis is useless, then also wrong, Because we are in some scenarios, only static analysis can begin to crack the door, without static analysis of the results, dynamic analysis is not able to carry out. This is illustrated below. So in the process of cracking, static analysis and dynamic analysis will be bound together, only in this way we will go forward. Here's a look at how we cracked the apk with static analysis.

First, the process of static analysis

1. Use Apktool to decompile apk

In this process, we will find that some apk is very easy to decompile, but some apk every time the anti-compilation will report a variety of errors, this is normal, because of the reinforcement. Now there are a lot of online apk encryption way, directly to the anti-compilation, such as androidmanifest files, dex files, etc., because apktool he needs to parse these important resources, once these files are encrypted then will terminate, So here we all think that the APK can be anti-compilation, because we are mainly to explain how to break through static analysis, about the problem of the anti-compilation here, I will be in a post in detail, I will enumerate some examples of anti-compilation errors.

2, get the program Smail source code and Androidmanifest.xml file

We know that an Android program entry information will be in the androidmanifest.xml, such as application and portal activity, so we will definitely first analyze this file, find the information we want, There is, of course, a common command to remember:

ADB shell Dumpsys activity top

Ability to obtain activity information for the current program

Then we'll analyze the Smail code and make changes to the code logic.

3. Unzip the apk file directly to get the Classes.dex file, then use the Dex2jar tool to get the jar, and use the Jd-gui tool to view

Here we mainly easy to view the code, because we in the second step to get the Smail source, we can analyze the program, but we know that although the smail syntax is not very complex, at least more simple than the assembly, but how to look at is not convenient, or see Java code is more convenient, So we look at the code logic with the Jd-gui tool and then modify it in the Smail code, and the Jeb tool mentioned above reinforces the functionality of the Jd-gui tool, which translates the smail source directly into Java code so that we don't have to first view it with the Jd-gui tool. Again to Smail source modified, with the help of Jeb.

4, if there is a native layer involved in the program, we can use IDA to open the specified so file. We still need to look at the Java code First, find the specified so file, and use Ida to statically parse so files.

Second, the use of technology

The above describes the static analysis of the process, the following look at the static analysis of several techniques, we in the static analysis of the APK, we need to find the breakthrough point, to find the key classes and methods, of course, here needs experience, not a method to follow. But we will use some technology to speed up the crack.

1. Global lookup of key strings and log information

This technique is entirely eye-searching, and after we run the program, we see the strings that appear in the program, such as text boxes, text on buttons, information such as toast display, and so on, which can be important information, and then we could search this string globally in the Jd-gui tool. This will quickly locate the logical place we want to find:

Of course we have another important point is the log information in Android, because in a large project, there will be more people development, so each module each development, everyone will debug information, so will add some log information, But not all of us will remember to close all log information in the project when it was released, which is a bad habit in the process of project development. Then we can run through the program, we will print some log information, then we can use this information to obtain a breakthrough, Android log can be based on an application to filter, Or we can do a global search in Jd-gui with the string in the log message.

2, the Code injection technology

In the first way, we search through some key strings to find the breakthrough point, but this is sometimes not so, so we need to add some code to observe the information, here is a common way is to add our own log code to trace the code execution logic, Because this is the static analysis technology, so the code injection technology to track the execution logic, after the introduction of dynamic analysis technology, then it is simple, we can arbitrarily break point to debug. The add code here is to modify the Smail code, add our log information, we will use examples below to explain, this is our most commonly used a technology.

3. Using the hook technology of the system, inject the crack program process, get the execution logic of the key method

About the process injection and hook technology in Android, there is no detailed introduction, the students do not know these techniques can be fought:

Injection technology: http://blog.csdn.net/jiangwei0910410003/article/details/39292117

Hook Technology: http://blog.csdn.net/jiangwei0910410003/article/details/41941393

These two articles introduce these two techniques, but we do not use in the actual process of the two articles used in the way, because these two articles are only introduction principle, technology is not very mature, about these two technologies, online has two framework is very mature, is also very practical, is people familiar: Cydia and xposed, On the two frameworks, the information on the Internet is too much, and it is easy to use, here do not do too much detailed introduction.

In the actual process of cracking, this way is a bit less, because the efficiency of this way is a little low, so only in a specific scenario will be used.

4. Use IDA to statically analyze so files

The IDA tool has finally been used, I am feeling that the tool is too powerful, he can see the code logic in so, we can see the assembly instructions, so here is a problem, crack so, we also have to master a skill, is to understand the assembly instructions, or use IDA to crack the program, will be very much, about the assembly instructions, the university, we contacted, but we felt that this thing is difficult, and the use of a few places, so do not care too much, in fact, really understand the assembly of the talent is a good programmer:

See some assembly instructions, head immediately big, but this use more, cracked more, still can. We can see our function in the left column, where we can find the definition of the specified function to see. In fact Ida is the most powerful place in the dynamic debugging so files, the next article will explain how to dynamically debug so files. Of course Ida may also be able to view the APK file directly:

To view all files in the apk file, we can select the Classes.dex file:

But here we may encounter a problem, that is, if the application is too large, this open process will be very slow, it is possible that Ida stopped working, so slowly wait:

Once opened, we can see our class and method names, which can also be used to search for the class name and method name Ctrl+f, or to view the string contents (SHIRT+F12):

We found out that Ida is also a good player in analyzing Java code, so this tool is so powerful.

Four, case analysis

This explains the techniques of static analysis, so let's start with an example of static analysis.

First, static analysis Java (Smail) code

First we get the apk we need to hack and use the Apktool.jar tool to decompile:

Java-jar Apktool.jar D xxx.apk

This apk is very easy to decompile, it does not seem to be any reinforcement. That's good to do, we here to change his androidmanifest.xml in the information, changed to the adjustable mode, this is the premise of dynamic debugging behind us, a formal apk, in Androidmanifest.xml this value is false.

Let's take a look at his Androidmanifest.xml file:

Let's change this value to true. In the back compile, this time we can dynamically debug this apk, so in this we can see that static analysis is the premise of dynamic analysis, this value is not modified, we are the way to follow the dynamic debugging.

After the modification is successful, we compile it back:

CD C:\Users\jiangwei\Desktop\ Static Analysis \APKTOOL_2.0.0RC4
Del debug.sig.apk
Java-jar Apktool.jar b-d 123-o debug.apk
Java-jar. \sign\signapk.jar. \sign\testkey.x509.pem. \sign\testkey.pk8 debug.apk debug.sig.apk
Del debug.apk
ADB uninstall Com.shuqi.controller
ADB install debug.sig.apk
ADB shell am start-n com.shuqi.controller/. Loading
Pause

Here is the simple, write a batch, first go to the directory, and then use the command to compile back:

Java-jar Apktool.jar b-d Sq-o debug.apk

Sq is the previously deserialized directory, debug.apk is the file that is compiled back

At this time, debug.apk is unable to install the run, because there is no signature, Android is not allowed to install an unsigned apk

Continue to sign the following, we use the system's own signature file can be signed:

Java-jar. \sign\signapk.jar. \sign\testkey.x509.pem. \sign\testkey.pk8 debug.apk debug.sig.apk

Note: In fact, when we use IDE tools to develop the Android project, the tool is signed with this signature file, but the process of the IDE to help us do.

This is followed by installing the APK and running the APK. In this process we only need to know the application's package name and the entry activity name, this information we can also be obtained in androidmanifest.xml, of course, we use: the ADB shell dumpsys Activity Top command can also be obtained:

Back to compile, we run the program, found that there is a problem, is to click on the program's icon, no response, not run, we are looking at the log of the exception information, we found that there is no exception, then, we judge, he internal certainly did what calibration work, This general back to compile after the program does not work, that is, the internal calibration, generally do check, there are two kinds:

1. Check with Dex to prevent changes to Dex's

2. Check the APK signature to prevent repackaging

Then we need to look at his code and see if it's done with a checksum:

When we analyze the code, we must first see if he has his own definition of the application, if there is a definition, you need to see his own application class, Here we see him set his own Application:com.shuqi.application.ShuqiApplication.

We unzip the APK, get Dex, then dex2jar the conversion, get the jar, and then use Jd-gui to view the class:

Here we see his code is confusing, but some system callback methods must not be confused, such as the OnCreate method, but here we generally find the method is:

1, first of all see this class there is no static method and static code block, because this kind of code will run before the object initialization, may load so file here, or the cryptographic checksum operation

2. Then look at the construction method of this class

3. Finally look at the life cycle method

So here we see his core code in OnCreate, calling a lot of class methods, and guessing that some method here does work?

At this time we will inject our code to track which method is the problem, here are some students have doubts, in fact, these several methods, directly a look at the knot, hey, we this article is to introduce static analysis technology, of course, need to do cases.

Below to see how we add our log information, in fact, is very simple, is to add the log, need to modify the Smail file, we are going to view Smail Source:

About Smail Grammar, I think it is not difficult, so we go online to search some information to learn about it, here we can see very clearly call these methods, then we in each method plus our log information, here plus the log there are two ways, one is directly here to call the system's Log method , but there are two problems:

1. Need to import package, modify in Smail

2, need to define a two parameters, one is tag,msg, to normal print log out

Obviously this method is a bit cumbersome, here we define a MyLog class, and then decompile, get mylog smail file, Add it to the root directory of this shuqiapplication.smail, and then call it directly in the code, as to why it should be placed in the root directory, so that it does not need to import the package in the code, such as some static method calls in Suqiapplication.smail:

Write the Log class MyLog, the code is not pasted here, after we create a new project, the anti-compilation of mylog.smail files, put into the directory:

When we get this file, we must note that the Mylog.smail package name information is deleted, because we put in the root directory, meaning that the MyLog class is not any package name, this need to note, or the last add, but also error.

We insert our log method in the OnCreate method of Shuqiapplication:

invoke-static {}, Lmylog;->print () V

But when we add code, we need to note that to find the right place to add, so-called to find the right place, is after the last method call, such as:

Invoke-virtual,invoke-static and so on, and these instructions cannot be followed: Move-result-object, because this instruction is to get the return value of the method, so we typically add code like this:

1, in the invoke-static/invoke-virtual instruction his return type is V can join

2, after the invoke-static/invoke-virtual instruction return type is not V, after the Move-result-object command can join

After we have added our log code, we will go back to the compile execution, in this process may encounter Samil syntax error, this corresponds to the specified file modification can be, we get back to compile the APK, you can decompile, to see his Java code:

We saw that we added the code after each method to print the information.

Below we run the program while opening our log of tag:adb logcat-s JW

See our print log, we found that print three log, here is to note that although the print three log, but all in a different process, so say a process of log, only print one, so we judge, the problem appears in Vr.h this method

We look at this method source code:

Sure enough, this method does a signature verification, incorrect words, and exits the program directly. So now we want to run the normal program, it is very simple, direct comment this line of code: VR.H (This)

And then back to compile, in the run, sure enough no error, here is not the demo:

Well, the above will be injected into the code to track the problem, this method is very common, but also very real.

Second, static analysis native code

Here's how to use Ida to statically analyze native code, so be sure to familiarize yourself with the assembly instructions, otherwise it looks like a lot of effort.

After we decompile, we see that there is a code to load so in his OnCreate method

Look at this code:

The way to get the password is native, we'll take a look at that Getdbpassword method, open the Libpsprocess.so file with Ida:

We look at the implementation of this function, we generally directly look at BL/BLX and other information, jump logic, there is the return value, we in the last part of the function, we find a focus, is: BL __android_log_print This is the native layer call log function, we look up , found: Tag is system.out.c

We run the program to look at the log, but we can also add the log at this point in the Java layer: We search this method globally, in the Yi class called the

We modify the Yi.smail code:

Back to compile, run the program, turn on log:

ADB logcat-s JW

ADB logcat-s system.out.c

found that the password returned is the same as the Java layer and the native layer. The static analysis of native is still valid.

Well, here we have the content of today, of course, there are a lot of static analysis of the APK method, here is only introduced the technology I used.

Case Download: http://download.csdn.net/detail/jiangwei0910410003/9308217

There is a document in the case, please read before running ~ ~

V. Unresolved issues

1, how to solve the problem of Apktool tool anti-compilation error

This I also said at the beginning, the reason for the error is that most of the APK has been reinforced, so I will introduce you later on how to solve such a problem

2, how to get a apk can be debugged

We see an apk to be able to debug, we need to modify the value of the android:debug, but sometimes we will encounter a modification failure, the program will not run, there are several ways to let a post apk can be debugged

VI. Technical Summary

This article describes how to use the static way to crack an apk, when we hack an apk, is actually the pity Dorado code, and then can run, to achieve the function we want, generally is:

1, note specific functions, such as advertising display, etc.

2. Get the return value of the method, such as getting the user's password

3, add our code, such as to join our own monitoring code and advertising, etc.

In the static analysis of the code, we need to follow the general route:

1, first be able to decompile, get Androidmanifest.xml file, find the program entry code

2, find the code logic that we want, generally will be combined with interface analysis, such as we want to let the user login success, we certainly want to get user login interface activity, this time we can use the ADB shell dumpsys activity top command to get activity name, Then use the eclipse's own program's Current View analysis tool: Get the name of the control, or get the layout file in the code, usually the call place of the Setcontentview method, and then use the layout file in combination with the code to get the user login logic, to modify

3. Tracking code execution logic in key places through code injection technology

4, pay attention to the method of return value, conditional judgment and other relatively conspicuous code

5, for some of the APK source code, maybe he has his own encryption algorithm, this time we need to obtain this encryption method, if the encryption method is more complex, we need a large number of test data to obtain the logic of this encryption method, usually input and output as a test case, For example, Ali Security first game of the first problem can be solved by static analysis, it is a cryptographic algorithm inside, we need to use test data to crack.

6, for those system.loadlibrary loading so file code, we just need to find this so file, and then use IDA open for static analysis, because some apk has put the encryption algorithm in so, we can also test data to obtain the encryption algorithm.

7, through the above example, we can summarize a way, is now a lot of apk will do some validation work, generally included in the code: "Signature" string information, so we can search the global, we may be able to get some important information.

Vi. Summary

This article is finally explained, in fact, have long wanted to write cracked article, because the crack than reinforcement interesting, at least cracked success has a sense of accomplishment. This article mainly describes how to break through static analysis, introduced some tools, the process of cracking and cracking skills. The most common is the code injection technology and global search for key strings, and so on, but we can see that many of the current market apk, light through static analysis is not enough to meet our needs of the crack, so the dynamic analysis of the way is coming, and the dynamic way to crack difficult will be very large, need to master a lot of things, I will be a few articles later to introduce the dynamic cracking skills and common problems. But it's also important to hack it in a static way. Of course is the premise of dynamic analysis, so since we play a crack, then both of these technologies must be well mastered.

Android Black Tech Series--static analysis technology to hack apk