In reverse application, we sometimes want to be able to quickly locate the key method of the application, before I have described in detail a self-developed code dynamic Injection tool Icodetools, in order to dynamically inject log information into the application, Do not know the classmate can view here: Icodetools Dynamic injection Code parsing, after reading it will find that the tool for the application is now hardened, so how can we get the reinforcement of all the method information? No more complicated shelling steps can easily get the corresponding method information. This is what this article needs to introduce.
In the previous understanding of the principle of strengthening the application of the students or the shelling of the students know that the reinforcement is actually the source APK encryption, and then to decrypt the load run, so in this process if we want to get all the method information of the application, must be after the decryption load operation. This we need to rely on the system of an important class Dexfile, the following can see his source:
See these three methods, and these three methods are the final point of a class load run in an application, no matter how you harden it, eventually you will need to decrypt, load Dex, load the class and run. So these three places are the application of the operation of the pass. See the parameter information of three methods, you can know the name of this class and ClassLoader, then we can use these two information to get all the method information of this class through reflection, still need to use artifact xposed to hook operation, The object of the hook is the three methods of the system's Dalvik.system.DexFile class:
Note: In order to prevent multi-dex hook occurrence class can not find the error, here do a attach operation! to demonstrate the hardening application, I chose a gadget that I previously wrote to download today's headline video, which was not open source at the time, and was reinforced by a bump-bang reinforcement. I was also asked to get the source code. Then through this case analysis, you do not need the source code, you can spy on this gadget all the method information. This tool: Https://pan.baidu.com/s/1eR56t94, the use of tutorials is also available in the application. Or what you don't know can read this article: Python script download today's headline video.
Here's a look at the processing class method after the hook above:
In this method, first we get all the method information of this class through the class name and loader information, and then we start to construct the signature information of this method:
This information includes: modifier of method, return type, method name, parameter type, approximate final style:
Public final native java.lang.String xxx (java.lang.String, int)
This information will be able to show all the information of a method, follow-up if we want to use reflection outside the call this method to spy on the information is good, get the signature information of these methods, and then start the hook operation of each method:
When using xposed to hook a method, you need to know the class name, class loader, method name, method parameter type. This information can be found on the above, and the reason for the hook is to be able to determine whether the method is called, the method is called when the parameter value is. Because the above fetch is all methods of this class, it does not mean that these methods are called. The current method is invoked only at the time of the hook. One problem here is that if an application is too large, there are many ways. There are many ways to hook up in the xposed to make a mistake like oom. Therefore, in order to demonstrate that the optimization is not done, we can first get all the methods of the class, and then the hook operation in batches.
Below we run this xposed module, then restart the device to run, and finally run the above-installed reinforced today Headlines Downloader tool, run the effect log:
See, we've printed out all the methods of the tool, and then we'll look at his calling method:
From this information you can see that these methods are actually called, and then look at the parameter values when those methods are called:
See, the parameter value of the method call we can also print it out.
Here we achieve our goal, can dump out a reinforcement application of all methods, as well as the actual call method, but also the parameters can be printed processing, this article is a case of the reinforcement of the Bang bang, in fact, other home reinforcement is possible. Interested students can try a little bit. Below continue to see, the above obtained all the method information of the application, some students may want to do so, with reflection call a suspicious method, see the method return value is what? The so-called can, may need to learn through experience, combining the method of parameter information type to know the degree of suspicion of this method, reflection call is very simple:
You can write an application yourself and then get its corresponding context variable according to the package name, and then get its class loader, start loading this can method, but unfortunately, this operation should be an error:
I'm not sure I can find this class for a reason: because now the application is reinforced, the hardened final decryption Dex runs is definitely using its own classloader, And the above way to get to the context is only the outer shell of the class loader is the application of the default Pathclassloader loader, so in theory must not find this class, so if you want to not error, you need to find this class loader . But this is because there is no source code so difficult to find. So by this simple code to tell some students, this idea is good, but in fact is wrong.
Instead, we can use xposed to hook this method, because we can solve the ClassLoader problem in xposed:
The first hook system of the application class of the Attach method, and then get his context value, get the class loader, to load the specified class, if the load is successful, so found the corresponding class loader, then you can follow the hook operation . This method and thought are right.
Some students are curious, above we are in the acquisition of all the methods of the class information is not already the hook method, but also to get the method to run the parameter value, indeed there is done, but I also said,xposed one-time hook too many methods will be error, Because the number of application methods in this case is not many, it seems to be quite normal, if there is a problem with the application of Hook big. So in order to solve this problem, we can first get all the methods of the application, at this time we can not do the hook operation, and then have all the method information of the class, after the method analysis, and then the method can be a separate hook operation to verify.
Some students have questions again? Does this feel useless for a large app? Indeed, for example, such as WX, if used as a case in this article, you can see the Log Brush screen, no one will appear in the ANR, this problem has been mentioned in the Icodetools tool to operate the time also appeared. The solution at the time was controlled by a switch, which could actually be controlled by a switch. But here is to say, now the application of reinforcement is not a large-scale application, the reason is very simple, because the consolidation is a crash rate, there is no reinforcement platform can guarantee 0 crash rate, because the reinforcement now involves the native layer, and Android model complex, compatibility is certainly not good. So for those very large users of the application is not to be reinforced, such as BAT's mainstream products have not been reinforced. But some applications have to be reinforced, and that is related to finance, which is more important to them than the crash rate. There are also most of the fees and purchases in the game is also the choice of reinforcement. But this kind of application is now mostly medium-sized application , this article still can operate.
Project: Https://github.com/fourbrother/XposedHookAllMethod
This article mainly explains how to hook the system information, and then obtain all the method information after the reinforcement application, but also can obtain which methods are executed, as well as the process of executing the parameter information, which is the most important information to analyze an application. Of course, we can determine the degree of this method by analyzing the parameter information of the method, then we can verify the result by further hook with xposed. Introduced the content of this article, if you think the article helps students can more points like and sharing spread, if there is a reward that the best!
Click here for more information:
Focus on the public, the latest technology dry real-time push
Android Reverse Journey---Get all method information for the Hardened app app
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
