The process of removing an encryption shell with zjdroid

Source: Internet
Author: User
Using zjdroid to unpack an APK that has been encrypted and packed (shelled).

Although this newbie has some coding experience, this is my first attempt at cracking. I ran into a few problems while using zjdroid to unpack an APK, so I am recording them here; I would be very happy if this helps anyone who hits the same problems. Experts, please pass on by, and don't laugh at a newbie :)

Background

The APK package is named com.xxx.client and contains an .so file called libxxx.so.
The whole package is encrypted and packed with ijiami (爱加密, "love encryption"). Its typical signature is an ijiami.dat file in the APK's assets directory.

Principle

In a word, zjdroid's "backsmali" command is used to dump the DEX content directly after it has been unpacked in memory. The article "Android security reinforcement industry analysis and cracking" contains a key sentence in its analysis of ijiami:

"It decrypts and loads the DEX in the C layer, replaces the DEX in memory with the original DEX, and replaces the runtime environment of the custom Application with the original Application."

Therefore the simplest method is to wait until ijiami has replaced the DEX content, and then dump it directly.

The principle looks very simple, but it still took a newbie like me two weeks :(

Environment preparation
  1. At first I wanted to test on a rooted emulator, but I ran into root problems and later partition loading order problems, which was too troublesome and cost a lot of time, so I switched to a real device.
    My device is a Xiaomi 1S. Note that although Xposed has special handling for MIUI, there is still a problem on the Xiaomi 1S: resource loading is abnormal.
    So I flashed my Xiaomi 1S with the native Android ROM provided by Xiaomi. For details, see the online tutorials on going from MIUI to native 4.1.

  2. Installing Xposed and zjdroid went smoothly and needs no special explanation. Remember to activate the module.
    You can use `adb logcat "Xposed:V *:S"` to view the Xposed log and confirm that everything is normal.

  3. Use zjdroid to start unpacking. For details, refer to "Android dynamic reverse analysis tool zjdroid shell removal".
    I first tried dumping with the "dump_dex" command; the result was still the stub DEX produced by the packer.
    However, with "dump_class" the classes that were dumped were exactly the ones I was interested in, so the DEX data in memory must already have been unpacked.
    Later I saw fanqiliang's analysis of ijiami in the post "android security reinforcement industry analysis and cracking", which strengthened my guess:
    "ijiami replaces the DEX content in memory with the unpacked class content when the real classes are loaded for the first time."
    Therefore, if dump_dex does not work, use the "backsmali" command to decompile the DEX class data.
    Two problems I encountered in this process are recorded below:

Pitfalls and Avoidance Methods
  1. DVM heap size too small: "dvm heap alloc XXX object failed".
    My APK has more than 2000 classes and is relatively large.
    "backsmali" decompiles it into smali files without any problem, but when the smali files are assembled back into a DEX file, which is done entirely in memory, the memory footprint is presumably large and the allocation fails.
    Solution: increase the VM heap. Set dalvik.vm.heapsize=512m in /system/build.prop.
    After a reboot the memory allocation error no longer occurs.


  2. java.lang.File.finalize() timeout.
    This problem looks strange; my guess is that with so many small files being written, file handles were not released in time.
    So I modified zjdroid's src/com/android/reverse/smali/DexFileBuilder.java to close opened handles promptly, recompiled it, and reinstalled.

Finally, dexfile.dex is produced.
Now repackage xxx to check whether the unpacked DEX is normal:
1. apktools2 d -s xxx.apk. The output directory is xxx.
2. Replace classes.dex in xxx with dexfile.dex.
3. Delete ijiami.dat in xxx/assets.
4. Delete libexec.so and libexecmain.so in xxx/lib/armeabi.
5. Modify xxx/AndroidManifest.xml and replace android:name in the application element with "com.xxx.client.MyApplication".
6. apktools2 b xxx
7. Sign the new APK with autosign.
Install and run. Everything is normal.
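A small triage check for the ijiami indicators this post names (assets/ijiami.dat in the Background section, libexec.so and libexecmain.so under lib/armeabi in steps 3 and 4 above), useful when deciding whether a sample is packed before analysing it. This is an added example written for this page, not code from the original post or from zjdroid; the sample APK is a constructed zip, not a real app, and the indicator list covers only what the text mentions.

```python
import io
import zipfile

# Indicators the post associates with the ijiami ("love encryption") packer.
IJIAMI_ASSET = "assets/ijiami.dat"
IJIAMI_LIBS = ("libexec.so", "libexecmain.so")


def ijiami_indicators(apk_bytes: bytes) -> dict:
    """Report which ijiami packer indicators an APK (a zip archive) contains.

    Keys: 'ijiami_dat' (bool), 'packer_libs' (matching lib/ entries),
    'dex_files' (classes*.dex entries), 'packed' (overall verdict).
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    has_dat = IJIAMI_ASSET in names
    libs = sorted(n for n in names
                  if n.startswith("lib/") and n.rsplit("/", 1)[-1] in IJIAMI_LIBS)
    dexes = sorted(n for n in names
                   if n.startswith("classes") and n.endswith(".dex"))
    return {
        "ijiami_dat": has_dat,
        "packer_libs": libs,
        "dex_files": dexes,
        # Either indicator alone is suspicious; both together is the layout the post describes.
        "packed": has_dat or bool(libs),
    }


def build_sample_apk(packed: bool) -> bytes:
    """Constructed sample: a minimal zip laid out like an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)  # stub DEX header only
        if packed:
            zf.writestr("assets/ijiami.dat", b"\0" * 32)
            zf.writestr("lib/armeabi/libexec.so", b"\x7fELF" + b"\0" * 12)
            zf.writestr("lib/armeabi/libexecmain.so", b"\x7fELF" + b"\0" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("packed", build_sample_apk(True)), ("plain", build_sample_apk(False))):
        print(label, ijiami_indicators(apk))
```

On a real sample, pass the file's bytes to ijiami_indicators; absence of these names does not prove the APK is unpacked, since other packers use different markers.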

Summary
  1. zjdroid really is an excellent unpacking tool.
  2. I need to learn more about the system internals and strive to fully understand the principle of unpacking :)
