Android Reverse Basics

1. Android APK file structure
Question: What is the entry function for Android apk?
Android System History
2. SDK Tools-adb,monitor
ADB command
Monitor operation
3. Android Reverse Tool
① command-line tools
1.androidmanifest.xml Manifest file Decryption tool
2.Dex file disassembly, assembler tool
3.APK Signature Tool
4.APK Anti-compilation tool-apktool
5.dex2jar tool (convert file format)
6.Java Anti-compilation tool (decompile Java files to source code)
② Visualization Tool
1.AndroidKiller Tools (Integrated anti-compilation, back-compilation, install APK, view source code)
2.JEB Anti-compilation tool
3.jadx-gui
4.GDA Anti-compilation tool
4. Android Reverse Analysis method
5. String parsing-example-cracking the process of an APK
Crack steps
Using the Androidkiller string analysis method
6. Smali Code-helloworld
7. Log filtering Method-Example
filtering logs using Monitor
filtering logs using Androidkiller
8. Configuring Environmental issues
Night God simulator adb connection 0. Android Reverse Basic Introduction

1. Android APK file Structure
2. SDK Tools-adb,monitor
3. Introduction to Reverse Tools
4. Android Reverse Analysis method
5. String parsing-example-cracking the process of an APK
6. Log Filter Analysis method
7. Configuring environmental issues

1. Android APK file structure

The basic apk is a compressed package that has

Meta-inf Directory: signature information, including company information, file hash value
Res Directory: resource information, including pictures, XML (layout file, string, style style, etc.)
androidmainfest.xml: manifest file, including APK package name, some declaration definitions for four components, permissions, entry to the program
classes.dex: executable file, including Java class information, method information, field information, virtual machine directives. The build process for Dex files is from the Java source->class file->dex file
RESOURCES.ARSC: resource ordinal file, including all IDs, names in the resource. Resource ID corresponding file is r.class

In Android Studio , open the apk file, in the Lib directory dynamic library, the extension is. So, including C + + code, with various platforms such as X86,arm

Assets directory custom resources, such as. Txt,mp4, etc.

Question: What is the entry function for Android apk?

own definition of mainactivity in OnCreate
and the application node in the manifest file can add the android:name attribute, specifying a class that inherits from application to initialize the entire app's global information.
classes that inherit from application have two overriding functions that execute, which is the first function that the program executes.
①attachbasecontext
②oncreate

so the first function that an app executes is the Attachbasecontext function in the application class .
Generally after the apk is hardened, the application class is customized, and the Attachbasecontext function or OnCreate function is overridden and declared as a function of the native type.
The process of running the app

Android System History

Divided into three stages
①android2.3~4.0, Vung-chi
②android4.1~4.4 Growth, Leap
Android Virtual Machine Dalvik->art
③android5.0~ right now, overall good.
Environment for reverse analysis
System: Android 4.4 (with Dalvik and art at the same time)
Mobile: Google Nexus 4/5 (around 500)
Google Nexus 6p (around 800)

2. SDK Tools-ADB,MONITORADB Command

① Enumerating Devices
ADB devices
② apk upload to Device
ADB push

③ Install APK
ADB install-r apk file name (can overwrite installation)
④ Boot apk
ADB shell am start-n < package name/activity name >

adb -s emulator-5556 shell am start -n com.bluelesson.helloworldndk21/.MainActivity

ADB shell am start-d-N < package name/activity name > (start in debug mode)
⑤shell command
Ls,cd,su,ps,ps | grep com,kill,chmod

Monitor operation

① Overview

• Open in Androidstudio
  
• Open in file directory
  
• Main Window
  
  ② Device List
  
  ③ folder Operations
  
  ④ Log
  
  Filtering logs
  

3. Android Reverse Tool ① command line tool 1.androidmanifest.xml manifest file Decryption tool

• Axmlprinter2.jar
  Java-jar Axmlprinter2.jar < checklist file >
  Java-jar Axmlprinter2.jar androidmanifest.xml > Out.xml
• Apk15pbparser.jar (Integration of XML parsing part code in Axmlprinter2.jar,apktool.jar)
  Java-jar Apk15pbparser.jar
  Java-jar Apk15pbparser.jar helloworld1.apk

2.Dex file disassembly, assembler tool

Dex file is a binary file generated by Android Java code compilation that contains virtual machine instructions (Dalvik virtual machine)

• Baksmali.jar(Disassembly tool, disassembly of virtual machine directives into Smali code)
  Java-jar baksmali.jar-o < Output directory >
  Java-jar Baksmali.jar Classes.dex-o Out_dir
  The disassembly generated directory, including the class code in all Dex files, is a Smali file for each class.
  There are three kinds in Java, outer class, inner class, anonymous class
  External class: Mainactivity.java-Mainactivity.smali
  Inner class: Myonclicklistener class MainActivity$MyOnClickListener.smali in Mainactivity class
  Anonymous inner class: Mainactivity class, New Onclicklistener object, Mainactivity$1.smali
• Smali.jar (Assembler tool, generate Smali code assembler for Dex files)
  Java-jar Smali.jar < directory >-o file name
  Java-jar Smali.jar Out_dir-o Out.dex
  Modify the Smali code, #号是注释代码
  # IF-EQZ v2,: cond_24

3.APK Signature Tool

Signature tool, a tool used by the Android system to compile the source code
Java-jar Signapk.jar Testkey.x509.pem testkey.pk8 update.apk update_signed.apk
Signature tool: Signapk.jar
Key pair: Public key Testkey.x509.pem, private key Testkey.pk8
Signature: java -jar signapk.jar testkey.x509.pem testkey.pk8 代签名.apk 已签名.apk
Configuration of the Signature tool
Open the folder you sent to: Shell:sendto
java -jar 全路径 \signapk.jar 全路径 \testkey.x509.pem 全路径\testkey.pk8 %1 %1_signed.apk

4.APK Anti-compilation tool-apktool

Anti-compilation apk
Java-jar Apktool.jar D
Java-jar Apktool.jar D helloworld.apk
① decrypting the manifest file
② a corresponding relationship table between the resource number file and the resource name
Generated in the/res/values/public.xml
③ to decompile the Dex file into the Smali code

Back to compile apk directory
Java-jar Apktool.jar B < anti-compilation APK file directory >
Java-jar Apktool.jar b HelloWorld
Generated APK in the < anti-compile apk file directory >/dist directory

5.dex2jar tool (convert file format)

Dex2jar>d2j-dex2jar.bat
Dex2jar>d2j-dex2jar.bat Classes.dex
Dex2jar Classes.dex-\classes-dex2jar.jar

6.Java Anti-compilation tool (decompile Java files to source code)

② visualization tool 1. Androidkiller Tools (Integrated anti-compilation, back-compilation, install APK, view source code)

• Apktool
  Directory: Androidkiller_v1.3.1\bin\apktool\apktool
  
  Androidkiller SDK Environment
  
  Set up a new Apktool in Androidkiller
  
  
  
  

• ADB tools
  Common commands
  Open shell:adb shell, adb-s device name Shell
  Installing apk:adb install 1.apk, adb install-r 1.apk
  List devices: ADB devices

• Dex2jar Tool Set
  Convert dex files to jar files for easy Jd-gui decompile

• Jd-gui Tools
  Can see the Java source code corresponding to the Smali
  
  In addition, there are some good tools for the auxiliary tools
  
  Encoding Conversion
  
  

2.JEB Anti-compilation tool

3.jadx-gui

4.GDA Anti-compilation tool

4. Android Reverse Analysis method

① String Analysis method
② Log Analysis method
③ Dynamic Debug Smali, dynamic debug so file (c + + generated files)
④api Down (debug So, off for Linux API), stack backtracking analysis

5. String parsing-example-cracking an apk's process cracking steps

1. Get apk
2. Using the Anti-compilation tool for anti-compilation
3. Find a string based on the APK run prompt
4. Find string to parse, find key code to modify
5. RePack using the RePack tool
6. Signing with the Signature tool

Using the Androidkiller string analysis method

However, it is important to note that the Chinese string is displayed in Unicode encoding in Android, similar in format to \u4e0d\u597d\u610f\u601d. We need to convert, Androidkkiller provides this functionality

by locating the corresponding code, you can find a string that shows success near the code. There is a key jump above the success string, we just need to get the key jump NOP off. In fact, the Smali using the # # comment out.

Above the code, it should be the correct password location, view the context Discovery V2 register, and use a string obtained from the resource ID.

At this point, you typically search for the resource ID in the project, find the corresponding resource name and type from the resource ID, and then find the definition of the corresponding resource based on the type and name.

Then go to search for the corresponding resource name, find the string definition, because you already know the type is sting, directly can view the file Res/values/strings.xml.

After that, recompile, install the test.

6. Smali Code-helloworld

.class public LHelloWorld;#Ye olde hello world application#To assemble and run this on a phone or emulator:##java -jar smali.jar -o classes.dex HelloWorld.smali#zip HelloWorld.zip classes.dex#adb push HelloWorld.zip /data/local#adb shell dalvikvm -cp /data/local/HelloWorld.zip HelloWorld##if you get out of memory type errors when running smali.jar, try#java -Xmx512m -jar smali.jar HelloWorld.smali#instead.super Ljava/lang/Object;.method public static main([Ljava/lang/String;)V    .registers 2    sget-object v0, Ljava/lang/System;->out:Ljava/io/PrintStream;    const-string    v1, "Hello World!"    invoke-virtual {v0, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V    return-void.end method

7. Log filtering Method-instance using monitor to filter logs

① Adding filter items

② Search Filter

filtering logs using Androidkiller

8. Configuring Environmental issues Night God simulator adb connection

Copy the ADB and DLL in Androidkiller to the SDK directory, the Night Gods installation directory

Android Reverse Basics