http://bbs.pediy.com/thread-218798.htm
Objective
The previous posts covered ordinary decompilation, but it gets nowhere against apps packed with 360, Bangcle (梆梆), ijiami (爱加密) and similar packers:
when you decompile such an APK, the Dex contains only a few classes of loader logic.
The real Dex is loaded into memory at runtime, and a packed app typically hides it in the form of several Dex files.
To recover the real Dex, the basic unpacking principle is to dump it from memory. I usually start by trying a tool. IDA (the disassembler) is extremely powerful and covers everything from mobile to PC,
but using IDA for static analysis and dynamic debugging is a lot of trouble and not something you learn in two days.
Today we use a tool to try a simple unpack.
ZjDroid tool introduction
ZjDroid is a dynamic reverse-analysis module based on the Xposed framework. With ZjDroid a reverse analyst can:
1. Dump dex files from memory.
2. Run a memory backsmali based on key Dalvik pointers, which effectively defeats the mainstream packing schemes.
3. Dynamically monitor sensitive APIs.
4. Dump a specified memory region.
5. Get information on the dex files the app has loaded.
6. Get the class information loaded from a specified dex file.
7. Dump Dalvik Java heap information.
8. Run Lua scripts dynamically in the target process.
ZjDroid is an open-source project on GitHub. Its main feature is unpacking based on memory dumps; the other functions are more general. The author is very impressive; there are always people who can get really creative with Xposed.
My next post will introduce a powerful Android application analysis tool!
Tool Preparation
A rooted phone with the Xposed framework installed and the ZjDroid module enabled.
JEB, a professional APK reversing tool. Like IDA it is commercial software; the copy used here is a cracked version from the forum's 爱盘 file share.
JEB's advantage is that you can open the APK directly and decompile it, and the recovered code is of good quality.
In JD-GUI some methods of the decompiled jar (source) appear only as comments because decompilation failed, whereas JEB can recover all of them.
Downloads: JEB on 爱盘, ZjDroid on GitHub.
Practical cases
A friend asked me to reverse an app called "micro-lost marketing" (name as machine-translated). I downloaded the APK from the official website, dragged it into JEB and had a quick look.
The decompiled APK has only a few classes, and looking at them shows it is packed with 360 加固; a packed app has this kind of structure.
What those classes do is the usual routine: release the .so files into the app's sandbox directory.
Note that JEB initially shows the code as smali; press the shortcut key Q or right-click and choose decompile.
After this quick analysis, install the downloaded APK on the phone that has ZjDroid and open the app to its main screen.
We need the PID of this application. On the PC, press Win+R, type cmd to open a command window, and enter the command:
adb shell dumpsys activity top
This returns information on the current foreground activity and is very practical.
If the output is too long, page it: adb shell dumpsys activity top | more
From it we get the app's package name, com.haiqu.oem, and the PID, 8445; both are needed in the following steps.
Now we use the PID to find out where the app's Dex lives on the phone.
Query the Dex information:
am broadcast -a com.zjdroid.invoke --ei target 8445 --es cmd '{action:dump_dexinfo}'
Sometimes entering this command prints a warning:
WARNING:linker:app_process has text relocations. This was wasting memory and is a security risk. Please fix.
Just ignore it; it is only a warning.
Remember to run this inside adb shell, i.e. in a shell on the phone, and enter the command there.
After entering the command there is no visible change: ZjDroid writes its results to the log, so use its log command.
The log tag is zjdroid-shell- followed by the package name of the app you are querying:
adb logcat -s zjdroid-shell-com.haiqu.oem
Remember to open this in a second cmd window.
This shows where the APK is located, filepath:/data/app/com.haiqu.oem-1.apk, which we use in the next step.
Note that the PID in the next step is 5792: I had restarted the phone, and the PID changed to 5792.
Start the unpacking command:
am broadcast -a com.zjdroid.invoke --ei target 5792 --es cmd '{action:backsmali,dexpath:"/data/app/com.haiqu.oem-1.apk"}'
After entering it, switch back to the log cmd window to see the result.
The file at the top, /data/data/com.haiqu.oem/files/dexfile.dex, is the Dex we obtained; once you have the Dex you essentially have the source.
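The PID lookup, the dump_dexinfo broadcast, the logcat read and the backsmali broadcast above are one procedure, so here is an added example that drives it from the PC. It is illustration code written for this post, not code from ZjDroid or the original author; it assumes adb is on PATH and that the phone runs ZjDroid under Xposed. The dumpsys and logcat samples embedded in it are constructed, and the "filepath:" log format is taken from the post's own output.

```python
"""Drive ZjDroid's dump_dexinfo / backsmali steps from a PC.

Added illustration for this post, not code from ZjDroid or the original
author. Assumes adb is on PATH and the target phone runs ZjDroid under Xposed.
"""
import re
import shlex
import subprocess
import sys
import time

# Foreground-activity line printed by `adb shell dumpsys activity top`, e.g.
#   ACTIVITY com.haiqu.oem/.MainActivity 2f3a9c1 pid=8445
ACTIVITY_RE = re.compile(r"^\s*ACTIVITY\s+(?P<pkg>[\w.]+)/\S+\s+\S+\s+pid=(?P<pid>\d+)")
# ZjDroid reports loaded dex/apk locations in logcat as "filepath:<path>".
FILEPATH_RE = re.compile(r"filepath:(\S+)")

# Constructed samples mirroring the post's values (not captured from a device).
SAMPLE_DUMPSYS = ("TASK com.haiqu.oem id=42\n"
                  "  ACTIVITY com.haiqu.oem/.MainActivity 2f3a9c1 pid=8445\n"
                  "    Local Activity 1a2b3c4 State:\n")
SAMPLE_LOGCAT = ("I/zjdroid-shell-com.haiqu.oem( 8445): filepath:/data/app/com.haiqu.oem-1.apk\n"
                 "I/zjdroid-shell-com.haiqu.oem( 8445): filepath:/data/app/com.haiqu.oem-1.apk\n")


def parse_top_activity(dumpsys_output):
    """Return (package, pid) of the foreground activity, or None if absent."""
    for line in dumpsys_output.splitlines():
        m = ACTIVITY_RE.match(line)
        if m:
            return m.group("pkg"), int(m.group("pid"))
    return None


def dump_dexinfo_cmd():
    """Payload ZjDroid expects for listing the dex files an app has loaded."""
    return "{action:dump_dexinfo}"


def backsmali_cmd(dexpath):
    """Payload asking ZjDroid to rebuild the dex that was loaded from dexpath."""
    return '{action:backsmali,dexpath:"%s"}' % dexpath


def broadcast_argv(pid, payload):
    """argv for `adb shell am broadcast ...`. The payload is quoted for the
    phone's shell because adb joins its arguments into one remote command line."""
    return ["adb", "shell", "am", "broadcast", "-a", "com.zjdroid.invoke",
            "--ei", "target", str(pid), "--es", "cmd", shlex.quote(payload)]


def logcat_argv(package):
    """argv that dumps logcat filtered to ZjDroid's per-app tag and exits."""
    return ["adb", "logcat", "-d", "-s", "zjdroid-shell-" + package]


def find_dex_paths(logcat_output):
    """Every filepath:... reported by ZjDroid, in order, without duplicates."""
    seen = []
    for path in FILEPATH_RE.findall(logcat_output):
        if path not in seen:
            seen.append(path)
    return seen


def run(argv):
    """Run a command and return its stdout; raises if adb fails."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def main():
    top = parse_top_activity(run(["adb", "shell", "dumpsys", "activity", "top"]))
    if top is None:
        sys.exit("no foreground activity found; open the target app first")
    package, pid = top
    run(broadcast_argv(pid, dump_dexinfo_cmd()))
    time.sleep(1)  # give ZjDroid a moment to write its log lines
    paths = find_dex_paths(run(logcat_argv(package)))
    print("package=%s pid=%d dex paths=%s" % (package, pid, paths))
    if paths:
        # Rebuild the first dex; ZjDroid writes it to /data/data/<package>/files/dexfile.dex
        run(broadcast_argv(pid, backsmali_cmd(paths[0])))
        print("check logcat, then pull /data/data/%s/files/dexfile.dex" % package)


if __name__ == "__main__":
    main()
```

The two broadcast payloads are the ones the post types by hand; shlex.quote wraps them in single quotes so the braces and the double-quoted dexpath survive the phone's shell, which is the quoting the hand-typed commands rely on as well.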
Use the RE file manager to go to this directory. QQ does not support sending this file type directly to a computer,
so move it to the storage root directory and transfer it to the computer with 豌豆荚 (Wandoujia) or another tool.
Use Android逆向助手 (Android Reverse Assistant) or dex2jar to turn the Dex into a jar and view the code in JD-GUI (I have a post on using Android逆向助手), or simply open the .dex file directly in JEB.
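Before converting the dumped dexfile.dex with dex2jar or opening it in JEB, it is worth checking that the dump is intact: a memory dump can be truncated, and packers commonly wipe the header magic, which makes the converters reject the file. The following added example (written for this post, not part of ZjDroid) parses the public dex header layout and verifies the size, Adler-32 checksum and SHA-1 signature fields; the sample dex it checks is constructed in code.

```python
"""Sanity-check a dex dumped from memory before feeding it to dex2jar/JEB.

Added illustration for this post, not part of ZjDroid. The sample dex below
is constructed in code; the header layout follows the public dex format.
"""
import hashlib
import struct
import sys
import zlib

HEADER_SIZE = 0x70              # dex header_item is 112 bytes
ENDIAN_CONSTANT = 0x12345678
KNOWN_VERSIONS = (b"035\x00", b"037\x00", b"038\x00", b"039\x00")
CLASS_DEF_SIZE = 32             # class_def_item is 32 bytes


def build_sample_dex(class_count=3):
    """Constructed minimal dex: a header plus `class_count` zeroed class_def
    items, with file_size, SHA-1 signature and Adler-32 checksum consistent."""
    body = bytearray(HEADER_SIZE + CLASS_DEF_SIZE * class_count)
    body[0:8] = b"dex\n035\x00"
    # file_size, header_size, endian_tag at offsets 32/36/40
    struct.pack_into("<III", body, 32, len(body), HEADER_SIZE, ENDIAN_CONSTANT)
    # class_defs_size, class_defs_off at offsets 96/100
    struct.pack_into("<II", body, 96, class_count, HEADER_SIZE)
    body[12:32] = hashlib.sha1(body[32:]).digest()              # signature covers 32..end
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)  # checksum covers 12..end
    return bytes(body)


def check_dex(data):
    """Report which header invariants a dump satisfies."""
    report = {"magic_ok": False, "truncated": True, "size_ok": False,
              "checksum_ok": False, "signature_ok": False, "class_defs": 0}
    report["magic_ok"] = data[:4] == b"dex\n" and data[4:8] in KNOWN_VERSIONS
    if len(data) < HEADER_SIZE:
        return report  # not even a full header: nothing else can be read
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    class_defs_size, class_defs_off = struct.unpack_from("<II", data, 96)
    report["truncated"] = len(data) < file_size
    report["size_ok"] = (file_size == len(data) and header_size == HEADER_SIZE
                         and endian_tag == ENDIAN_CONSTANT)
    stored = struct.unpack_from("<I", data, 8)[0]
    report["checksum_ok"] = stored == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    report["signature_ok"] = data[12:32] == hashlib.sha1(data[32:]).digest()
    if class_defs_off + CLASS_DEF_SIZE * class_defs_size <= len(data):
        report["class_defs"] = class_defs_size
    return report


def restore_magic(data, version=b"035\x00"):
    """Put a standard magic back on a dump whose first 8 bytes were wiped.
    Only sensible when checksum/signature still verify, i.e. the body is intact."""
    return b"dex\n" + version + data[8:]


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dex()
    for key, value in check_dex(blob).items():
        print("%-13s %s" % (key, value))
```

Run it as `python check_dex.py dexfile.dex` (hypothetical file name) on the pulled dump. A dump whose checksum and signature verify but whose magic fails is a wiped header over an intact body, and restore_magic makes it acceptable to the converters again; a dump where file_size exceeds the actual length was cut short and needs to be re-dumped rather than repaired.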
Summary
This is the tool's most important feature. It is simple, but it can handle some common packed applications.
Its strength is that it is fast and very convenient; its weakness is that the result cannot be repackaged, but if you only want to read the code for study or to hook it, this is enough.
Android reversing: unpacking with Xposed and ZjDroid