How Android decompilation is used to inject ads

This article was first published on my public account: Yang (hongyangandroid).

When reprinting, please credit the source:
http://blog.csdn.net/lmj623565791/article/details/53370414
This article is from: "Zhang Hongyang's Blog"

I. Overview

Recently, while chatting with friends, I found out that some grey-market operations batch-decompile APKs from the app markets, inject ads, and then repackage them and put them on distribution channels.

I don't think any of us want our products or our own apps to be so easily "taken over"; to defend ourselves, we first need to know the other side's methods. So the purpose of this post is not to teach you how to hack other people's apps, but to raise everyone's security awareness so that we add the necessary protection to our applications and they are not so easily "taken over".

Because this is only a first look, you don't need to master much technology; it is mainly a matter of using various tools.

II. Tools

Several important tools; make sure to use the latest versions.

    • https://ibotpeaches.github.io/Apktool/
    • http://jd.benow.ca/
    • https://sourceforge.net/projects/dex2jar/

Most of us have used these tools at one time or another:

    • Apktool is mainly used to decompile and repackage;
    • JD-GUI is mainly used to display .class files (such as a jar file) as source code;
    • dex2jar is mainly used to convert dex files to jar files.

If you don't have them, download them yourself, preferably the latest versions.

The topic is ad injection, so let's pick one type of ad to inject. Most apps have splash screen ads, so we will simulate this: decompile an APK, add our own splash screen ad page, and then repackage it.

III. Steps

First we need an APK; we can write a simple demo.

    package com.zhy.decompile;

    import android.support.v7.app.AppCompatActivity;
    import android.os.Bundle;

    public class MainActivity extends AppCompatActivity {

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);
        }
    }

The app looks like this; here is a screenshot, since it is said that a post without pictures is hard to read.

Then click Run and take the debug APK. Of course, if you don't mind the trouble, you can sign one yourself to get an obfuscated APK, or download some little-known app.

1. Decompile an App
./apktool d app.apk

In the output, the res directory is the resource directory, and the smali directory can be regarded as the source directory, except that it contains the corresponding smali files.

If you are familiar with smali syntax, you can add logic directly to the code.

We'll skip that here, but we can open the res directory, find the activity_main layout file, and change the string inside to: This is hacked app! Try it yourself.

Right, we were going to inject a splash screen ad.

Thinking about it, a splash screen ad can be presented with an activity, so my line of thought is the following steps:

    1. Write an activity for the splash screen ad page
    2. Change the entry activity in AndroidManifest.xml to our splash page activity
    3. In the splash screen page, jump to the original entry activity after 3s

Then it's done.

But something seems off: the source here is all in smali format, and I only know how to write the splash page activity in Java. How do we convert it? Is there some miracle tool?

Well, there really is.

The tool is Android Studio. Joking aside: although we can't write smali, we know smali files can be produced by building an app. So we look at the package name of the decompiled APK, create a new app, write a splash page activity under the same package name, and build it into an APK. Then we decompile that APK, extract the smali files for the splash page, and paste them into the directory of the decompiled APK.

2. New project (to generate the smali files)

The contents are as follows:

    package com.zhy.decompile;

    import android.content.ComponentName;
    import android.content.Intent;
    import android.os.Bundle;
    import android.os.Handler;
    import android.os.Looper;
    import android.support.v7.app.AppCompatActivity;

    public class HackAdActivity extends AppCompatActivity {

        private Handler mHandler = new Handler(Looper.getMainLooper());
        private Runnable mCallback = new Runnable() {
            @Override
            public void run() {
                Intent intent = new Intent();
                intent.setComponent(new ComponentName("com.zhy.decompile",
                        "com.zhy.decompile.MainActivity"));
                startActivity(intent);
            }
        };

        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            // Jump to the original entry activity after 3 s
            mHandler.postDelayed(mCallback, 3000);
        }

        @Override
        protected void onDestroy() {
            super.onDestroy();
            mHandler.removeCallbacks(mCallback);
        }
    }

Note that the package name must match the original package name, and do not use a layout file yet; this is covered below.

Then take the APK, repeat the decompile step above, and fetch the smali files.

Note that the way we wrote the code includes an inner class; copy both over to the decompiled app together.

Then open AndroidManifest.xml and modify the entry activity ...

You can see that the entry activity has been changed to our new activity, and the original entry activity has become a normal activity.

At this point, our file modifications are done.

Then we repackage. Once the APK is packaged it can be installed, and after installation the splash ad page is shown first, followed by the original page.

So the next step is packaging.

3. Packaging
    ./apktool b apk1127 -o app1127_new.apk
    I: Using Apktool 2.2.0
    I: Checking whether sources has changed...
    I: Smaling smali folder into classes.dex...
    W: Unknown file type, ignoring: apk1127/smali/.DS_Store
    W: Unknown file type, ignoring: apk1127/smali/com/.DS_Store
    W: Unknown file type, ignoring: apk1127/smali/com/zhy/.DS_Store
    I: Checking whether resources has changed...
    I: Building resources...
    I: Building apk file...
    I: Copying unknown files/dir...

OK, after packaging succeeds, you can see a new app1127_new.apk.

This APK cannot be installed yet. The result of installing it:

This is mainly because it has no signature.

So let's sign it next.

4. Signature

For signing we need a keystore file, so let's generate a new one together.

keytool -genkey -alias zhy.keystore -keyalg <key-algorithm> -validity 20000 -keystore zhy.keystore

Then follow the prompts and enter the details.

Of course, if the command is too hard to remember, you can also create a keystore visually in Android Studio:

Click Build:

Choose Create New, then fill in the popup panel; you will certainly know how to fill it out.

With the keystore, we can use the newly generated keystore to sign the APK we just hacked.

jarsigner -verbose -sigalg <signature-algorithm> -digestalg <digest-algorithm> -keystore zhy.keystore -storepass 123456 app1127_new.apk zhy.keystore

Remember that the above command is executed as one line.

There are not actually many options: the file path, the password, the alias and so on should all be easy to make out. If you are interested, look up the relevant documentation for details.

Once signing is complete, the APK can generally be installed, but we usually also align it.

5. Align
zipalign 4 app1127_new.apk app1127_new_align.apk

Now run it:

Originally there was only one page; you can see that we have now injected an "I am ad" page.

Of course, if you followed the simulation exactly, then, as said earlier, no resources are used, so you should see the page jump, but the ad page has no layout.

Let's use a layout file.

IV. Using layout files

Add a line to HackAdActivity:

  setContentView(R.layout.ad);

The rest is the same work as before: decompile again, copy the smali files, and copy the ad layout into the decompiled folder of the app you want to inject.

And then just package it?

Of course not; if that were all, it would be too easy. When we write the code, we know it generates an R.layout.ad, and this value definitely does not exist in the original app (leaving aside the case of a name collision).
So we need to add it manually:

Open the R$layout.smali file:

We add a resource ID for ad at the end:

.field public static final ad:I = 0x7f04002e

Then save and exit.

Don't rush to package yet ...

The definition is done, and we also need to change the ID in our HackAdActivity.smali.

I don't know how to modify smali files, but changing an ID is still possible.

Find the line just before setContentView; it is quite easy to locate.

After the change, repackage, sign and align, and it is OK.

If you use more resources, remember to handle them in basically the same way.

V. Summary

So here we have decompiled an APK, injected a new activity into it, and given it a custom layout file; as for what this activity could be made to show, everyone surely understands.

However, our goal is not to get people to decompile others' APKs, but to make it known that our own APKs can be tampered with like this by others.

So the question to think about is:

How can this behaviour be prevented? You are welcome to leave a comment on how to prevent it.
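A publisher can look for the manifest change from section III in copies of its app collected from other channels. As an added example (not from the original post), this Python script compares the AndroidManifest.xml that apktool decodes from the released build with the one from a copy under review, and reports added activities and a moved launcher entry; the two sample manifests are constructed, and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
MAIN, LAUNCHER = "android.intent.action.MAIN", "android.intent.category.LAUNCHER"

def full_name(package, name):
    # Manifest class names may be relative (".MainActivity") or bare ("MainActivity").
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name

def parse_manifest(xml_text):
    """Return (all activity names, launcher activity names) from a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    activities, launchers = set(), set()
    for tag in ("activity", "activity-alias"):
        for act in root.iter(tag):
            name = full_name(package, act.get(NS + "name", ""))
            activities.add(name)
            for flt in act.findall("intent-filter"):
                actions = {a.get(NS + "name") for a in flt.findall("action")}
                cats = {c.get(NS + "name") for c in flt.findall("category")}
                if MAIN in actions and LAUNCHER in cats:
                    launchers.add(name)
    return activities, launchers

def compare_manifests(reference_xml, suspect_xml):
    """Flag the changes the entry-activity swap leaves in the manifest."""
    ref_acts, ref_launch = parse_manifest(reference_xml)
    sus_acts, sus_launch = parse_manifest(suspect_xml)
    return {
        "added_activities": sorted(sus_acts - ref_acts),
        "new_launchers": sorted(sus_launch - ref_launch),
        "demoted_launchers": sorted(ref_launch - sus_launch),
    }

# Constructed sample manifests (trimmed to the relevant elements).
HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.zhy.decompile"><application>')
TAIL = "</application></manifest>"
FILTER = ('<intent-filter><action android:name="android.intent.action.MAIN"/>'
          '<category android:name="android.intent.category.LAUNCHER"/></intent-filter>')
REFERENCE = HEAD + '<activity android:name=".MainActivity">' + FILTER + "</activity>" + TAIL
SUSPECT = (HEAD + '<activity android:name=".HackAdActivity">' + FILTER + "</activity>"
           + '<activity android:name=".MainActivity"/>' + TAIL)

if __name__ == "__main__":
    print(compare_manifests(REFERENCE, SUSPECT))
```

Because the repackaged APK in step 4 is signed with a newly generated keystore, its signing certificate also differs from the publisher's, which is a second signal to check alongside the manifest.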

Not to be continued ...

You are welcome to follow my Weibo:
http://weibo.com/u/3165018720

Public account: Hongyangandroid
(Follow it so you don't miss any in-depth posts; contributions are welcome)
