
Android App Reverse Engineering

[TOC]

Environment

  • Mac
  • Android SDK: /Users/zhoujie/Library/Android/sdk
  • JDK: /Applications/Android Studio.app/Contents/jre/jdk/Contents/Home
  • Nox emulator (夜神模拟器)
  • Real device: HONOR 20

```
Android version: 10

adb shell getprop ro.product.cpu.abi
arm64-v8a
```

adb

  • Understanding adb start-server

```
// no adb process yet
➜ ~ ps aux | grep adb

// nothing listening on port 5037 yet
➜ netstat -nat | grep 5037

➜ ~ adb start-server
* daemon not running; starting now at tcp:5037
* daemon started successfully

➜ ~ ps aux | grep adb
zhoujie 76412 0.0 0.0 34195628 5592 ?? Ss 10:27PM 0:00.23 adb -L tcp:5037 fork-server server --reply-fd 4

➜ ~ netstat -nat | grep 5037
tcp4 0 0 127.0.0.1.5037 *.* LISTEN
```

The adb server on the computer binds 127.0.0.1 only, so it is reachable from the local machine and not from the network. adbd on the phone is different: once service.adb.tcp.port is set it accepts clients from the whole LAN, so switch it back to USB when done.

```
// adb process on the computer (the server)
➜ ~ ps aux | grep adb
zhoujie 99607 0.9 0.0 4354316 3004 ?? S adb -P 5037 fork-server server --reply-fd 13

// adbd process on the phone (the daemon; running as root on this device)
➜ ~ adb shell ps | grep adb
root 1770 1 11420 1276 c6716cc0 S /sbin/adbd

service.adb.tcp.port
- > 0: adbd listens on that TCP port (5555 by convention)
- any other value (conventionally -1): adbd listens on USB only

// run on the phone (needs root; adbd has to be restarted before it picks the property up)
setprop service.adb.tcp.port 5555

// run on the computer: restarts adbd listening on TCP 5555; then `adb connect <phone-ip>:5555`, and `adb usb` switches it back
adb tcpip 5555

// choose the adb server's TCP port
// the default adb port is 5037
adb -P <port> start-server

// set a device-wide HTTP proxy (e.g. to route app traffic through an intercepting proxy)
adb shell settings put global http_proxy IP:port

// remove the proxy
adb shell settings delete global http_proxy
```
  • adb server process on the computer

```
// list adb processes
➜ ~ ps aux | grep adb

// start the adb server
➜ ~ adb start-server
* daemon not running; starting now at tcp:5037
* daemon started successfully

// start it on a different TCP port
// the default adb server port is 5037
➜ ~ adb -P <port> start-server

➜ ~ ps aux | grep adb
zhoujie 943 adb -L tcp:5037 fork-server server --reply-fd 4

➜ ~ netstat -nat | grep 5037
tcp4 0 0 127.0.0.1.5037 *.* LISTEN

// stop the adb server
// adb kill-server : kill the server if it is running
➜ ~ adb kill-server
```
  • Connecting to an emulator or a real device

```
Nox emulator:  adb connect 127.0.0.1:62001
MuMu emulator: adb connect 127.0.0.1:22471  [Mac]
MuMu emulator: adb connect 127.0.0.1:7555   [Windows]
```

Reading the code

  • Which Activity is on screen

```
// works on an ordinary (non-rooted) real device too
adb shell dumpsys activity top
```
  • Search terms: networking (OkHttp interceptors are where request headers and signatures are usually added)

```
implements Interceptor
```
  • Search terms: crypto

```
Cipher,SecretKeySpec,IvParameterSpec
"AES
```
  • Exit: the call an app uses to kill its own process

```
android.os.Process.killProcess(android.os.Process.myPid())
```

Viewing logs

Logs can be read from an ordinary user's phone as well; no root is needed.

```
// 1. get the process ID (on Android 8+ use `adb shell ps -A`; plain `ps` only lists the shell's own processes)
adb shell ps | grep com.jason
u0_a527 1876 673 1744336 148208 0

// 2. show only that process's log (logcat --pid needs Android 7.0+)
adb logcat --pid=1876
```
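An added helper, not part of the original notes, that does the two steps above from Python. It picks the PID by exact process-name match on `adb shell ps -A` output, so `com.jason:push` and `com.jasonx.other` are not confused with `com.jason` the way `grep com.jason` would, and then builds the logcat command. The ps output below is constructed for illustration; only `run_logcat` talks to a real device through adb.

```python
import subprocess

# Constructed sample of `adb shell ps -A` (toybox format, Android 8+); not captured from a real device.
SAMPLE_PS = """\
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   38248   2316 0                   0 S init
u0_a527       1876   673 1744336 148208 0                   0 S com.jason
u0_a527       1901   673 1650004 101000 0                   0 S com.jason:push
u0_a530       2044   673 1500000  90000 0                   0 S com.jasonx.other
"""


def pids_for_package(ps_output, package, include_services=False):
    """Return the PIDs whose process name is exactly `package`.

    Android names an app's extra processes `package:suffix` (e.g. `:push`);
    those are returned only when include_services=True.  Substring matching
    (`grep com.jason`) would also catch `com.jasonx.other`, which is wrong.
    """
    pids = []
    for line in ps_output.splitlines():
        cols = line.split()
        if len(cols) < 2 or not cols[1].isdigit():   # header or malformed line
            continue
        pid, name = int(cols[1]), cols[-1]
        if name == package or (include_services and name.startswith(package + ":")):
            pids.append(pid)
    return pids


def logcat_command(pid):
    """adb logcat restricted to one PID (--pid exists on Android 7.0+)."""
    return ["adb", "logcat", "--pid=%d" % pid]


def run_logcat(package):
    """Resolve the main process of `package` on the connected device and stream its log."""
    ps_output = subprocess.run(["adb", "shell", "ps", "-A"],
                               capture_output=True, text=True, check=True).stdout
    pids = pids_for_package(ps_output, package)
    if not pids:
        raise SystemExit("%s is not running" % package)
    subprocess.run(logcat_command(pids[0]))   # streams until Ctrl-C


if __name__ == "__main__":
    import sys
    run_logcat(sys.argv[1] if len(sys.argv) > 1 else "com.jason")
```

Usage: `python logcat_pid.py com.jason`. If the app restarts, the PID changes and the filter goes silent; rerun the script rather than reusing the old number.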

Task: packer detection and unpacking

Both functions below are where a decrypted dex is handed to the runtime, which is why memory-dump tools hook them.

```
Android 5.0 and later default to the ART runtime
libart.so - the DexFile OpenMemory function (the symbol changes in later ART versions)

Android 4.4 and below use the Dalvik runtime
libdvm.so - the dvmDexFileOpenPartial function
```

Task: making an app debuggable

  • Tool: mprop

Method 1 (rooted device; every app becomes debuggable):

```
Run on the phone:
// check
# getprop ro.debuggable
0
// allow every app to be debugged (mprop patches the read-only property in memory; a reboot resets it)
# ./mprop ro.debuggable 1

# getprop ro.debuggable
1

Where the value is defined:
file: /default.prop
ro.debuggable=0
file: /system/build.prop
```

Method 2 (one app; rebuild the APK with the flag set):

```
// AndroidManifest.xml
<application android:debuggable="true" ...
```

```
// start the Activity and wait for a debugger to attach
am start -D -n com.outdoor.debugtest/.MainActivity
```

Task: making WebViews debuggable

Frida script: hooks the static WebView.setWebContentsDebuggingEnabled so that whatever flag the app passes, Chrome remote debugging ends up enabled.

```javascript
Java.perform(function () {
    var WebView = Java.use("android.webkit.WebView");
    WebView.setWebContentsDebuggingEnabled.overload("boolean").implementation = function (s) {
        console.log("\n[*] WebView.setWebContentsDebuggingEnabled(" + s + ") -> forcing true");
        this.setWebContentsDebuggingEnabled(true);   // calls the original with the flag forced on
    };
});
```

The hook only fires if the app itself calls setWebContentsDebuggingEnabled; if it never does, call WebView.setWebContentsDebuggingEnabled(true) from the script on the main thread instead.

Task: re-signing

  • Download Douyin Lite (抖音极速版)

```
Download 抖音极速版 from the Xiaomi app store
https://app.mi.com/details?id=com.ss.android.ugc.aweme.lite&ref=search

com.ss.android.ugc.aweme.lite.apk
```
  • Install the original APK on the emulator and run it to confirm it works
  • Remove the original signature and repack

```
mkdir com.ss.self

unzip com.ss.android.ugc.aweme.lite.apk -d com.ss.self

// delete the META-INF directory (the v1 signature files; note this also removes META-INF/services, which some apps need)
rm -rf com.ss.self/META-INF


// zip it back into an APK - com.ss.self.apk
// (zip compresses resources.arsc; APKs targeting SDK 30+ need it stored uncompressed, i.e. zip -0 for that entry)
cd com.ss.self
zip -r com.ss.self.apk *
```
  • Sign

```
// go to the directory containing apksigner
cd /Users/zhoujie/Library/Android/sdk/build-tools/29.0.2

// sign (apksigner does not align the archive; run zipalign first if alignment matters)
./apksigner sign --ks ~/.keystore ~/Downloads/com.ss.self/com.ss.self.apk
```
  • Install the re-signed APK on the emulator and run it to confirm it still works

```
adb connect 127.0.0.1:62001
adb install ~/Downloads/com.ss.self/com.ss.self.apk
```
  • One step: apksigner replaces any existing signature, so the unzip/zip round trip can be skipped

```
./apksigner sign --ks ~/.keystore ~/Downloads/com.ss.android.ugc.aweme.lite.apk
```
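The same strip-and-resign procedure as an added Python example (mine, not from these notes or from apksigner). It goes beyond the `rm -rf META-INF` step above in two ways a practitioner hits quickly: it removes only the v1 signature files and keeps META-INF/services, and it writes resources.arsc uncompressed so the result installs on Android 11+. The BUILD_TOOLS and KEYSTORE paths are assumptions taken from this page's environment; the sample APK is constructed dummy data for testing the repack logic offline, and only `align_and_sign` needs the real SDK tools.

```python
import io
import subprocess
import zipfile
from pathlib import Path

# Assumed paths, matching the layout used in these notes.
BUILD_TOOLS = Path.home() / "Library/Android/sdk/build-tools/29.0.2"
KEYSTORE = Path.home() / ".keystore"

ZIP_STORED, ZIP_DEFLATED = zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED


def is_signature_entry(name):
    """True for v1 (JAR) signature files: META-INF/MANIFEST.MF, *.SF and *.RSA/*.DSA/*.EC
    directly under META-INF.  META-INF/services/* and other subdirectories are app data."""
    if not name.startswith("META-INF/") or "/" in name[len("META-INF/"):]:
        return False
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or upper.endswith((".SF", ".RSA", ".DSA", ".EC"))


def strip_v1_signature(src, dst):
    """Copy src -> dst without the v1 signature files.  The v2/v3 APK Signing Block is not a
    zip entry, so rewriting the archive drops it as well.  Returns the entry names kept."""
    kept = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if is_signature_entry(info.filename):
                continue
            new = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            new.external_attr = info.external_attr
            # resources.arsc must be STORED: Android 11+ rejects a compressed one for
            # targetSdk 30+, and `zip -r` compresses it.  Everything else keeps its method.
            new.compress_type = ZIP_STORED if info.filename == "resources.arsc" else info.compress_type
            zout.writestr(new, zin.read(info.filename))
            kept.append(info.filename)
    return kept


def strip_v1_signature_bytes(apk_bytes):
    out = io.BytesIO()
    strip_v1_signature(io.BytesIO(apk_bytes), out)
    return out.getvalue()


def describe(apk_bytes):
    """{entry name: compression method} for an APK held in memory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {i.filename: i.compress_type for i in z.infolist()}


def build_sample_apk():
    """Constructed fake APK: realistic entry names, dummy contents, everything deflated."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", ZIP_DEFLATED) as z:
        for name in ("META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA",
                     "META-INF/services/com.example.Svc", "AndroidManifest.xml",
                     "classes.dex", "resources.arsc"):
            z.writestr(name, b"dummy " + name.encode())
    return buf.getvalue()


def align_and_sign(unsigned_apk, signed_apk):
    """zipalign first (apksigner does not align), then sign (v1+v2), then verify."""
    aligned = str(unsigned_apk) + ".aligned"
    subprocess.run([str(BUILD_TOOLS / "zipalign"), "-f", "-p", "4", str(unsigned_apk), aligned], check=True)
    subprocess.run([str(BUILD_TOOLS / "apksigner"), "sign", "--ks", str(KEYSTORE),
                    "--out", str(signed_apk), aligned], check=True)
    subprocess.run([str(BUILD_TOOLS / "apksigner"), "verify", "--print-certs", str(signed_apk)], check=True)


if __name__ == "__main__":
    import sys
    src = Path(sys.argv[1])                        # e.g. com.ss.android.ugc.aweme.lite.apk
    unsigned = src.with_suffix(".unsigned.apk")
    strip_v1_signature(src, unsigned)
    align_and_sign(unsigned, src.with_suffix(".resigned.apk"))
```

The `verify --print-certs` step at the end shows which certificate the APK now carries; an app that pins or checks its own signing certificate will notice the change, which is exactly what the "confirm it still runs" step above is testing.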

Task: trusting user-installed CA certificates (apps targeting API 24+ do not trust user-added CAs by default)

  • Enable a network security config in AndroidManifest.xml:

```
<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
<application android:networkSecurityConfig="@xml/network_security_config"
... >
...
</application>
</manifest>
```
  • Create res/xml/network_security_config.xml and declare the trusted anchors with trust-anchors:

```
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config>
<trust-anchors>
<certificates src="user" />
<certificates src="system"/>
</trust-anchors>
</base-config>
</network-security-config>
```

base-config applies to every connection the app makes; putting the user anchor inside a debug-overrides element instead limits it to debuggable builds. Apps that pin certificates in code or in a pin-set will still reject the proxy's certificate.

Task: modifying code

```
// 1. decompile to smali and resources
➜ apktool d bxd-app-release.apk
I: Using Apktool 2.5.0 on bxd-app-release.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /Users/zhoujie/Library/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
I: Copying META-INF/services directory

// 2. edit the smali code or the resource files

// 3. rebuild
➜ apktool b bxd-app-release
I: Using Apktool 2.5.0
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
W: Unknown file type, ignoring: bxd-app-release/smali/.DS_Store
W: Unknown file type, ignoring: bxd-app-release/smali/com/.DS_Store
W: Unknown file type, ignoring: bxd-app-release/smali/com/jason/.DS_Store
I: Checking whether resources has changed...
I: Building resources...
I: Copying libs... (/META-INF/services)
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...
```

The rebuilt APK (in dist/) is unsigned; sign it as in the re-signing task before installing it.

Task: injecting frida-gadget.so

  • Tools: objection, LIEF

```
// patch the APK (use aapt2, arm64 gadget)
objection patchapk -2 -a arm64-v8a -s xxx.apk

// help
objection patchapk --help

Patch an APK with the frida-gadget.so.
Options:
-s, --source TEXT The source APK to patch [required]
-a, --architecture TEXT The architecture of the device the patched
APK will run on. This can be determined with
`adb shell getprop ro.product.cpu.abi`. If it
is not specified, this command will try and
determine it automatically.
-2, --use-aapt2 Use the aapt2 binary instead of aapt as part
of the apktool processing.
```
  • Tip: find the right value for -a

```
adb shell getprop ro.product.cpu.abi
```
  • Tip: list every accepted value for -a

```
// pass an invalid value on purpose
objection patchapk -2 -a a -s 202103.apk
Exception: Invalid architecture `a` set. Valid options are: armeabi, armeabi-v7a, arm64, arm64-v8a, x86, x86_64
```
  • Detail: objection stores the downloaded libfrida-gadget.so at:

```
~/.objection/android/arm64/libfrida-gadget.so
~/.objection/android/arm64-v8a/libfrida-gadget.so
```
  • Note: the patched APK is re-signed with objection's own key, so an app that checks its signing certificate will notice.
  • References

Gadget
https://frida.re/docs/gadget/

09 - How to use frida on a non-rooted device
https://lief.quarkslab.com/doc/latest/tutorials/09_frida_lief.html

Task: native (.so) code

Notes on semi-automated reversing with unicorn: recovering a certain JD app's sign algorithm (记一次unicorn半自动化逆向——还原某东sign算法)

Emulator danger (apps that detect emulators)

  • 彩蛋视频
  • 快看点
  • 多看点
  • 红云视频极速版
  • 妙看赚钱 - com.taige.mygold - libsecuritydevice.so

Hardened (packed) apps

Problem: apktool rebuild fails

  • /res/layout/activity_main.xml:19: error: attribute android:abc not found

```
W: /Users/zhoujie/Downloads/bxd-app-release/res/layout/activity_main.xml:19: error: attribute android:abc not found.
W: error: failed linking file resources.
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1): [/var/folders/q5/g49y_m_16t967y5b7z04fyvr0000gn/T/brut_util_Jar_158703877894311218821877137576166888159.tmp, link, -o, /var/folders/q5/g49y_m_16t967y5b7z04fyvr0000gn/T/APKTOOL10058866066230304687.tmp, --package-id, 127, --min-sdk-version, 21, --target-sdk-version, 29, --version-code, 1, --version-name, 1.0, --no-auto-version, --no-version-vectors, --no-version-transitions, --no-resource-deduping, -e, /var/folders/q5/g49y_m_16t967y5b7z04fyvr0000gn/T/APKTOOL9926499678324403846.tmp, -0, arsc, -I, /Users/zhoujie/Library/apktool/framework/1.apk, --manifest, /Users/zhoujie/Downloads/bxd-app-release/AndroidManifest.xml, /Users/zhoujie/Downloads/bxd-app-release/build/resources.zip]
Rebuilding process exited with code 1
```
  • Cause: an invalid attribute was deliberately added to the XML. The compiled binary XML in the original APK is tolerated by the runtime, but aapt refuses to compile it back, so the APK decodes fine yet never rebuilds.
  • Fix: delete the invalid attribute(s) named in the log from the XML, then rebuild.
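An added helper for the fix above, written for these notes and not part of apktool: it reads the "attribute X not found" lines from apktool's output and deletes that attribute from the named file, so the rebuild can be retried without editing each layout by hand. The sample layout and log below are constructed; the only assumption about the real tool is the error line format shown in the log above.

```python
import re
from pathlib import Path

# Matches the aapt lines apktool prints, e.g.
# W: /Users/zhoujie/Downloads/bxd-app-release/res/layout/activity_main.xml:19: error: attribute android:abc not found.
ATTR_ERROR = re.compile(
    r"^W: (?P<path>.+?):(?P<line>\d+): error: attribute (?P<attr>[\w.-]+:[\w.-]+) not found\.?\s*$"
)

# Constructed example input: a layout carrying a bogus android:abc attribute.
SAMPLE_LAYOUT = """<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:abc="1" android:layout_width="match_parent"
    android:layout_height="match_parent">
</LinearLayout>
"""

# Constructed apktool output referring to that layout.
SAMPLE_LOG = """\
W: /tmp/bxd-app-release/res/layout/activity_main.xml:3: error: attribute android:abc not found.
W: error: failed linking file resources.
Rebuilding process exited with code 1
"""


def parse_attribute_errors(log_text):
    """Return {(path, attr)} for every 'attribute X not found' error in apktool's output."""
    found = set()
    for line in log_text.splitlines():
        m = ATTR_ERROR.match(line.strip())
        if m:
            found.add((m.group("path"), m.group("attr")))
    return found


def strip_attribute(xml_text, attr):
    """Delete every attr="..." occurrence.  An attribute aapt cannot resolve is invalid wherever
    it appears, so all occurrences go, not only the reported line.  Returns (new_text, removed)."""
    pattern = re.compile(r"\s*(?<![\w.:-])" + re.escape(attr) + r"\s*=\s*\"[^\"]*\"")
    return pattern.subn("", xml_text)


def fix_project(log_text):
    """Apply the fix in place to every file named in the log; returns {path: attributes removed}."""
    result = {}
    for path, attr in sorted(parse_attribute_errors(log_text)):
        p = Path(path)
        new_text, n = strip_attribute(p.read_text(encoding="utf-8"), attr)
        if n:
            p.write_text(new_text, encoding="utf-8")
        result[path] = result.get(path, 0) + n
    return result


if __name__ == "__main__":
    import sys
    # usage: apktool b bxd-app-release 2>&1 | tee build.log; python fix_attrs.py build.log; apktool b bxd-app-release
    print(fix_project(Path(sys.argv[1]).read_text(encoding="utf-8")))
```

Run apktool once to collect the log, run the script, then rebuild; repeat if a second layer of bogus attributes shows up, since aapt stops at the first file that fails to link.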