Android Security Special: APK Reinforcement (Packing) Analysis
0x00
I won't go over the principles again; the three articles above explain them clearly. Here I describe how to implement the reinforcement process from scratch, and the many pitfalls I hit along the way.
0x01
Step 1: create the APK to be reinforced, that is, your source APK. The goal is to prevent this APK from being cracked. Note the following points for this APK:
Remember the name of your main Activity and the names of the other Activities.
Here our main Activity is doctorq.com.mysourceapk.MainActivity
There is also an Activity named doctorq.com.mysourceapk.SubActivity
Remember the name of the Application class you created
Our Application is doctorq.com.mysourceapk.MyApplication
Try not to use layout files
The method is the same as in the reference articles: add the controls explicitly in code, as follows:
// inside MainActivity.onCreate(): the whole UI is built in code, no layout XML
TextView content = new TextView(this);
content.setText("I am Source Apk");
content.setOnClickListener(new View.OnClickListener() {
    @Override
    public void onClick(View arg0) {
        // jump to the second Activity of the source APK
        Intent intent = new Intent(MainActivity.this, SubActivity.class);
        startActivity(intent);
    }
});
setContentView(content);
Log.i("demo", "app:" + getApplicationContext());
The Activity's parent class must be Activity.
If it inherits from AppCompatActivity instead, the source APK still runs fine on its own, but the following error is reported when it runs inside the shell program:
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: FATAL EXCEPTION: main
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: Process: xposed.doctorq.com.decode2, PID: 16721
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: java.lang.NoClassDefFoundError: doctorq/com/mysourceapk/SubActivity
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at doctorq.com.mysourceapk.MainActivity$1.onClick(MainActivity.java:21)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.view.View.performClick(View.java:4444)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.view.View$PerformClick.run(View.java:18440)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.os.Handler.handleCallback(Handler.java:733)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:95)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.os.Looper.loop(Looper.java:136)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.app.ActivityThread.main(ActivityThread.java:5001)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at java.lang.reflect.Method.invokeNative(Native Method)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at java.lang.reflect.Method.invoke(Method.java:515)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:806)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:622)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at dalvik.system.NativeStart.main(Native Method)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: Caused by: java.lang.IllegalAccessError: Class ref in pre-verified class resolved to unexpected implementation
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at dalvik.system.DexFile.defineClassNative(Native Method)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at dalvik.system.DexFile.defineClass(DexFile.java:222)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at dalvik.system.DexFile.loadClassBinaryName(DexFile.java:215)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at dalvik.system.DexPathList.findClass(DexPathList.java:322)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:54)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at java.lang.ClassLoader.loadClass(ClassLoader.java:497)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at java.lang.ClassLoader.loadClass(ClassLoader.java:457)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at doctorq.com.mysourceapk.MainActivity$1.onClick(MainActivity.java:21)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.view.View.performClick(View.java:4444)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.view.View$PerformClick.run(View.java:18440)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.os.Handler.handleCallback(Handler.java:733)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.os.Handler.dispatchMessage(Handler.java:95)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.os.Looper.loop(Looper.java:136)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at android.app.ActivityThread.main(ActivityThread.java:5001)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at java.lang.reflect.Method.invokeNative(Native Method)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at java.lang.reflect.Method.invoke(Method.java:515)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:806)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:622)
03-23 13:50:12.258 16721-16721/xposed.doctorq.com.decode2 E/AndroidRuntime: at dalvik.system.NativeStart.main(Native Method)
Effect
The demo is a TextView on the main screen; clicking it jumps to the next Activity.
With that we have the source APK file, which is needed in step 3.
0x02
Step 2: build the shell program, that is, the host of the source program. It is also an APK, but there is more to pay attention to in this one, and I hit many pitfalls:
Modify AndroidManifest.xml
This file is modified in several places. The main changes are:
Add meta-data information
The meta-data key APPLICATION_CLASS_NAME
points to the source program's Application class
This is why I reminded you earlier to remember the Application name.
Modify the main Activity
Replace the shell program's own main Activity with the source program's main Activity. The shell program's own Activity is now unused, and deleting it has no effect.
Add the other Activities
Every Activity of the source program must also be declared in the shell program's manifest:
Modification in ProxyApplication
The main change concerns loading the main Activity:
// in ProxyApplication, after the source APK has been handed to a DexClassLoader (dLoader):
// check that the source program's main Activity can be resolved through that loader
try {
    Object actObj = dLoader.loadClass("doctorq.com.mysourceapk.MainActivity");
    Log.i("demo", "actObj:" + actObj);
} catch (Exception e) {
    Log.i("demo", "activity:" + Log.getStackTraceString(e));
}
Packaging
Because the main Activity now belongs to the modified package name, the Activity cannot be resolved when running directly, so use gradle's assemble task to package.
At this point we have the shell program's APK and dex files; both are used later.
0x03
Step 3: the reinforcement tool. This is a Java project created in Eclipse. The principle is to append the source APK to the shell program's dex file. There are no pitfalls here. When reinforcement succeeds we get a file named classes.dex, which will replace the classes.dex in the shell APK.
0x04
Step 4: replace classes.dex in the shell program. WinRAR is used here: open the shell program's APK, delete its classes.dex, and add the classes.dex generated in step 3.
0x05
Step 5: re-sign. Because the APK
has been modified, installing it directly at this point gives a signature error, so we sign it with Auto-sign.
The specific way to sign with this tool is described in the decompilation article of the Android Security special series.
After installation you can open the shell program. Be aware that we are now launching the shell app, not the earlier source app:
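Added example in Python (my own code, not the page's Eclipse tool or its ProxyApplication): the byte-level work of step 3, plus the inverse that the shell program's ProxyApplication must perform at runtime before handing the source APK to a DexClassLoader. It assumes the layout [shell classes.dex][source APK][4-byte little-endian length of the source APK], which the page does not spell out; the shell dex and source APK it uses are constructed stand-ins, not real build artifacts.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"  # first 8 bytes of a classes.dex (DEX version 035)
DEX_HEADER_SIZE = 0x70     # the fixed DEX header length

def fix_dex_header(dex: bytes) -> bytes:
    """Recompute the header fields that change when bytes are appended: file_size (0x20),
    SHA-1 signature (0x0C, over bytes 0x20..end) and Adler-32 checksum (0x08, over 0x0C..end).
    Without this the VM rejects the appended classes.dex."""
    buf = bytearray(dex)
    struct.pack_into("<I", buf, 0x20, len(buf))
    buf[0x0C:0x20] = hashlib.sha1(buf[0x20:]).digest()
    struct.pack_into("<I", buf, 0x08, zlib.adler32(bytes(buf[0x0C:])) & 0xFFFFFFFF)
    return bytes(buf)

def dex_header_ok(dex: bytes) -> bool:
    """Validate magic, file_size, signature and checksum of a DEX image."""
    if len(dex) < DEX_HEADER_SIZE or dex[:8] != DEX_MAGIC:
        return False
    checksum, = struct.unpack_from("<I", dex, 0x08)
    file_size, = struct.unpack_from("<I", dex, 0x20)
    return (file_size == len(dex)
            and dex[0x0C:0x20] == hashlib.sha1(dex[0x20:]).digest()
            and checksum == (zlib.adler32(dex[0x0C:]) & 0xFFFFFFFF))

def pack(shell_dex: bytes, source_apk: bytes) -> bytes:
    """Step 3: new classes.dex = shell dex + source APK + 4-byte length, header fixed up."""
    if shell_dex[:8] != DEX_MAGIC:
        raise ValueError("shell input is not a DEX file")
    return fix_dex_header(shell_dex + source_apk + struct.pack("<I", len(source_apk)))

def unpack(packed_dex: bytes) -> bytes:
    """Runtime side (ProxyApplication): read the trailing length, cut the source APK back out."""
    apk_len, = struct.unpack_from("<I", packed_dex, len(packed_dex) - 4)
    if apk_len > len(packed_dex) - 4 - DEX_HEADER_SIZE:
        raise ValueError("trailing length field is inconsistent with file size")
    return packed_dex[len(packed_dex) - 4 - apk_len : len(packed_dex) - 4]

# Constructed stand-in for the shell program's classes.dex: a valid header over a
# zero-filled body, not a real compiled dex.
SHELL_DEX = fix_dex_header(DEX_MAGIC + bytes(DEX_HEADER_SIZE - 8) + bytes(0x40))
# Constructed stand-in for the source APK (a zip starts with PK\x03\x04).
SOURCE_APK = b"PK\x03\x04" + b"source apk bytes (constructed sample)"

if __name__ == "__main__":
    packed = pack(SHELL_DEX, SOURCE_APK)
    print(len(packed), dex_header_ok(packed), unpack(packed) == SOURCE_APK)
```

Note that the appended APK is stored in the clear: this hides the source code from apktool-style decompilation of the shell, but the zip can still be carved straight out of classes.dex, which is why production packers encrypt the payload as well.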
0x06
Source code
0x07
This demo
has no layout files in its source code, which is unrealistic for a real project. So how can layout files be added? One suggestion is to add all the layout files to the shell program, so that they can be found there.
0x08
After all this, is the APK actually reinforced? Let's check by decompiling it with apktool:
58deMacBook-Pro-7:Auto-sign wuxian$ apktool d testerhome.apk
I: Using Apktool 2.0.3 on testerhome.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /Users/wuxian/Library/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
The decompilation succeeds. Some will object: isn't this supposed to be reinforced? How can it still be decompiled? Let's look at the decompiled output:
You will find that none of the source demo project's code is visible, not even its package name; all you see is the shell program. That is the purpose of reinforcement. However, there is still a risk: the shell program itself can be decompiled, and after all some of our core code is written in ProxyApplication.
What to do about that? I don't know yet; it needs more thought.