Android dynamic reverse analysis tool ZjDroid: an unpacking (shelling) artifact

Source: Internet
Author: User


Project address: https://github.com/BaiduSecurityLabs/ZjDroid


Prerequisites:

1. A rooted phone
2. The Xposed Framework installed through the Xposed Installer (http://dl.xposed.info/latest.apk)


I. Introduction to the ZjDroid tool

ZjDroid is a dynamic reverse-analysis module based on the Xposed Framework. Through ZjDroid a reverse analyst can:
1. Dump dex files from memory
2. Baksmali directly from memory based on key Dalvik pointers, which effectively cracks hardened (packed) applications
3. Dynamically monitor sensitive APIs
4. Dump the data of a specified memory region
5. Get the Dex information the app has loaded
6. Get the loaded-class information of a specified Dex file
7. Dump Dalvik Java heap information
8. Execute Lua scripts dynamically in the target process



II. ZjDroid commands

1. Get the dex file information currently loaded by the apk:

am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_dexinfo"}'

Instructions for use
pid: replace with the process ID of the target process
View results:
Read the results from Android logcat to get information about the currently loaded Dex, for example:
The Dexfile infomation
07-27 02:29:52.728 D/zjdroid-shell-com.evernote(5365): filepath:/data/app/com.evernote-2.apk mCookie:1770063976
End Dexfile Infomation


2. Get the names of the loaded classes contained in the specified Dex file:

am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_class","dexpath":"****"}'

Instructions for use
pid: replace with the process ID of the target process
dexpath: the Dex file path output by the previous command, such as /data/app/com.evernote-2.apk
View results:
Read the results from Android logcat to get the currently loaded class information


3. Dynamically decompile (baksmali) the specified Dex based on the related Dalvik memory pointers and save it to a file.

am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"backsmali","dexpath":"****"}'

This method can unpack most of the popular hardening protections.

(Execution is fairly slow because of phone performance limits.)
Exception:
Because ApkProtect performs a specific tamper check, the following changes are needed to get past its protection:
(1) Create a dedicated folder on the device (such as /data/local) and chmod 777 it
(2) Copy zjdroid.apk into that folder and rename the file to zjdroid.jar
(3) Change the module entry in /data/data/de.robv.android.xposed.installer/conf/modules.list to point to "zjdroid.jar"
Then restart the device.

4. Dump the data of the specified Dex from memory and save it to a file (the data is in ODEX format and can be decompiled on the PC).

am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_dex","dexpath":"****"}'

5. Dump the data of the specified memory region to a file

am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_mem","startaddr":1234567,"length":123}'

Instructions for use
startaddr: note that this value is in decimal
length: note that this value is in decimal


6. Dump Dalvik heap information to a file; the file can then be processed with a Java heap analysis tool.

am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_heap"}'

7. Dynamically invoke Lua scripts at run time
This feature allows Java code to be invoked dynamically through a Lua script.
Usage scenarios:
Invoke decryption functions dynamically to complete decryption.
Trigger specific logic dynamically.

am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"invoke","filepath":"****"}'

LuaJava related usage:
http://www.keplerproject.org/luajava/

8. Sensitive API call monitoring

III. Viewing command execution results:

1. Command execution results:
adb shell logcat -s zjdroid-shell-{package name}

2. Sensitive API call monitoring output:
adb shell logcat -s zjdroid-apimonitor-{package name}
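All commands in section II share one shape (a JSON payload passed via am broadcast) and their results come back through the logcat tags in section III. The helper below is an added example, not part of ZjDroid; it builds those payloads (keeping startaddr and length numeric, as the decimal note requires), prints the complete broadcast line without executing it, and parses the filepath/mCookie pairs that dump_dexinfo writes to logcat. The function names and the sample log line are my own constructions.

```shell
#!/bin/sh
# Added helper for ZjDroid's broadcast interface (not part of the project).

# Build the JSON payload: zj_payload <action> [key=value ...]
# All-digit values (startaddr, length) are emitted as JSON numbers,
# everything else (dexpath, filepath) as JSON strings.
zj_payload() {
  action=$1; shift
  json="{\"action\":\"$action\""
  for kv in "$@"; do
    key=${kv%%=*}; val=${kv#*=}
    case $val in
      ''|*[!0-9]*) json="$json,\"$key\":\"$val\"" ;;   # string value
      *)           json="$json,\"$key\":$val" ;;        # decimal number
    esac
  done
  printf '%s}' "$json"
}

# Print the full command line for a target pid: zj_cmd <pid> <action> [key=value ...]
# Run it inside an adb shell on the device; it is only printed here.
zj_cmd() {
  pid=$1; shift
  printf "am broadcast -a com.zjdroid.invoke --ei target %s --es cmd '%s'" \
    "$pid" "$(zj_payload "$@")"
}

# Read logcat lines on stdin and print "<filepath> <mCookie>" for each
# dump_dexinfo result line.
zj_parse_dexinfo() {
  sed -n 's/.*filepath:\([^ ]*\) mCookie:\([0-9]*\).*/\1 \2/p'
}

# Constructed sample in the format shown in section II.1 (hypothetical pid 5365).
ZJ_SAMPLE_LOG='07-27 02:29:52.728 D/zjdroid-shell-com.evernote(5365): filepath:/data/app/com.evernote-2.apk mCookie:1770063976'

# Stand-alone demonstration: the command to send, then the parsed log line.
zj_cmd 5365 dump_class dexpath=/data/app/com.evernote-2.apk; echo
printf '%s\n' "$ZJ_SAMPLE_LOG" | zj_parse_dexinfo
```

Pipe `adb shell logcat -s zjdroid-shell-<package>` into zj_parse_dexinfo to turn the dump_dexinfo output into dexpath values for the follow-up commands.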
