In daily development, sometimes it is necessary to obtain system APK learning (Po) learning (JIE), here is mainly recorded to obtain the system APK process, the process has been verified in Android 8.0.

Find the system APK odex file

During APK installation, the system extracts dex from APK and generates odex files through a wave of optimization. The main reason for converting dex files into ODEX files is to optimize and verify dex files in advance to improve application running speed. The system APK is stored in the /system/app directory. Go directly to this directory to find the corresponding APK. Here is an example of the file Launcher. There is no dex file. The dex file is optimized as an Odex file and saved in the OAT directory.

adb pull /system/app/Launcher/Launcher.apk
adb pull /system/app/Launcher/oat/arm64/Launcher.odex
Copy the code

2. Turn odex dex

Odex to dex requires two tools: jar:smali.jar and baksmali.jar:
  • Jar: The smali file is converted to the dex file
  • Baksmali. jar: The odex file is converted into a smali file

First we need to convert the odex file to the smALI file:

java -jar baksmali.jar deodex Launcher.odex
Copy the code

The above command will generally fail after execution, generally will report an error saying that no other OAT file can be found, such as:

Cannot find dependency boot-telephony-ext.oat in null
Copy the code

Generally, system APK will rely on some public function libraries of framwork layer, which can prevent system APK from being stolen and run on other ROMs. You need to go to Framwork layer to obtain the corresponding OAT file:

adb pull /system/framework/arm64/boot-telephony.ext.oat
Copy the code
After obtaining all the required OAT files, run the command again. After the decompression is successful, the out directory will be generated, which contains smali files.
Convert smALI files to dex files: 
Java-jar smali-2.6.6. jar assemble out/ -o class.dexCopy the code

After running the preceding command, you can obtain the dex file, which completes the process of converting the odex file to the dex file.

3. Turn the oat dex

Turn the oat dex a oat2dex jar package, the jar package is always unstable, it’s easy to have a strange question, look behind for a long time, found a library, can be directly extracted address for newandroidbook.com/tools/dextr… To extract dex, run the dextra -dextract xxx.oat command.

Decompile dex

Use jadx to open class.dex.

In live.

At present, manufacturers will customize a variety of applications, among which the most fun is the function of custom permissions, it is impossible to obtain the status of a custom permissions through API, through the decompilation system APK to see if it can find vulnerabilities to judge, the next chapter will introduce the actual cracking process.