Solemnly declare:
- 1, the relevant cracking technology is limited to technical research use, shall not be used for illegal purposes, otherwise the consequences!
- 2. Out of curiosity for reverse technology, the author does not damage the APP maliciously and respects the labor achievements of the original developer. It is not used for commercial purposes.
0x5, Time to hunt => Debug location
- After the previous chapter “quenching”, I believe that most of the “simple APP source” you are handy;
- But as the old saying goes, “Weak water 3000, only take a ladle”, when tasting other people’s code, you may encounter a lot of delicious “strange and clever skills”;
- But limited energy and time, so that we can not taste one by one, grasp the need is enough;
- Beauty village hero tomb, always keep awake “know what you want”, so as not to get bogged down in it (a dead end);
- Quickly locate the target code, make clear the logic, and complete the extraction of core code.
Here are some of the “debugging location techniques” I use. There are no advantages or disadvantages, but mix them to find the G-spot quickly
① Resource location method
The simplest, but the most efficient method, can be through “a line of text” “a picture” “an audio and video” complete positioning, “brainless global search!”
Remember to throw the APkTool decompiled RES and Implies folders together with the jADX decompiled code first! (This can also be done automatically using my batch decompiler script)
For example: The dialog box of a competing product suddenly looks nice, but I’m too lazy to write it myself:
Ctrl+Shift+F Search for “Login” or “Login will unlock more exciting content.”
By opening the DialogUtils class with 6 parameters, we can easily locate the third A method:
Following the CommonDialog class:
Directly to the layout file:
Copy and paste, change something, beautiful dialog box get√
② Get the current Activity
Activities and fragments are also good places to start. You can get information about activities at the top of the stack (currently) with a simple ADB command:
Get the name of the Activity at the top of the stack
adb shell dumpsys activity | grep "mFocusedActivity"
You can set an alias for the above name using alias:
alias ada="adb shell dumpsys activity | grep 'mFocusedActivity'"
Copy the codeThe effect is shown below:
You can use adb shell dumpsys activity top > info.txt to print the activity details to a file. You can also install “Developer Assistant” to get it directly (and see the fragments that may be involved) :
It is also available through The “Reflection Master” :
③ Android Device Monitor tracks method calls
The old version of AS has this thing, the new version hides the entrance, directly go to the “Android-SDK /tools” directory, find monitor, run:
Select the process to be debugged on the left:
If you feel that you have traced it, click the button ② to stop it, and the method call flow as described below will appear on the right:
Then you can follow step by step
④ Dynamic debugging of Smali
When Apktool decompiles APK, it produces a “Smali” file, which is a virtual machine instruction language, instead of a “Java” file. Jadx decompiled after dex although generate the Java code, can see, is not support for debugging, and Smali is adjustable, in the AS to debug Smali, also need to install “smalidea” plug-in, plug-in download, can visit: bitbucket.org/JesusFreke/… After the plug-in is downloaded, the AS installs a wave of plug-ins and restarts after the installation.
Note: If you want to debug someone else’s APP, you should first make their APP “debugable”.
A seemingly simple but tedious method:
Set the debuggable attribute in the target APP’s Androidmanifest.xml to true and repackage the signature.
If there are multiple apps in reverse, this should be too cumbersome. It is better to directly make “all apps on the phone debuggable”, as follows:
- Android 7.0 installed Xposed: download and install the “BDOpener module” : github.com/riusksk/BDO… To enable the plug-in and restart.
- Install MagiskHide Props Config and Busybox for Android NDK on Magisk. To set the options for adb shell, type props to Edit MagiskHide props, for example, 4:
Enter y to restart the process, and then open Logcat of AS to see all processes:
After setting up adjustable Settings, you can import SMAIL into AS. Note that the import process is not directly open! Open the apktool folder after decomcompiling the AS import script:
After importing, click this position in the top menu bar, “Edit Configurations”, and click “+” to select “Remote”.
Fill in a name and set a port number (use the auto-. sh script to change the port number).
“Command line start process debug wait mode” is tedious and repetitive, SO I wrote it directly to an auto-. sh file:
#! /bin/sh
if [[ $# == 0 ]]; then
echo "./debugTool [package] [activity] "
exit 1
fi
package=The $1
activity=$2
adb shell am start -D -n ${package}/${activity}
varId=`adb shell ps | grep package| awk '{print $2}'`
adb forward tcp:4567 jdwp:$varId
Copy the codeSh package name entry Activity as shown in the following example:./auto.
. /auto.sh com.xxx.xxx .MainActivity
Copy the codeAfter the APP enters the Debugger waiting mode, click “Attach Debugger To Android Process” at the top, set the breakpoint, and select debug Process:
Then wait until the program runs to the breakpoint, and the Debugger can see the relevant variables:
⑤ Share the learning posture of Smali grammar
The syntax of Smali is more complicated (I feel it is more troublesome than I used to learn assembly), the online tutorial is not generally messy, I will sort out a copy if I have the chance…
If you really want to learn Smali, it is suggested that the “practical operation side learning, namely plug (check)”, idea has a plug-in “intellij-Java2smali” Github address: github.com/ollide/inte… Support for converting “Java in the right project” to smALI files. Note: Correct! And the project! If the project has an error, the conversion directly error, a single independent Java file can not be converted! The usage is simple:
Open the Java files you want to convert and click run -> Compile to Smali on the top menu bar
Said a bug:
Error:Kotlin: Unsupported plugin option: Org. Jetbrains. Kotlin. Android: enabled = true, estimation is kotlin plugin used related, not upgrade, now there is no solution (such as official maintenance, or change their plug-in source code).
You can choose to create a pure Java project, the program does not error, can run, but when converting, there will be a bug:
Java: package R does not exist, R file cannot be found, although you can find it in the build directory, there is no R file path for the new version of AS.
In addition, PERSONALLY I feel smali is not very cool on AS! Well, if you don’t like it, then change your position, right? A few examples:
- Men feel not enough stimulation, with “grinding type”;
- Women think it is not exciting enough, they use “cat style”;
- Men want to double the pleasure, they use “back entry”;
- Women want to control freely, with the “traditional female superior”;
- If you want to increase your emotional connection, use the missionary position.
- To extend your time, lie on your side facing each other.
- Em… There are a lot of positions, not a list, just want to tell you: which way is suitable for their use of which ~
If you use VS Code, set up a “Smalise” plugin to highlight variables or method names:
In addition, you can also directly see “Chinese after Unicode conversion”, “variable information”, “Location to Definition”.
⑤ Dynamic debugging so
Not at present, you can learn if you are interested in it or need to learn it later
0x6, Time to show the real technology => Crack
Now that we have learned the debug location technique, we can quickly find the G-spot (core code). Let’s play a little more exciting:
Some people are interested in “Neighbor’s story” in the comments section of the last article “I tore my rival APP down to the bottom because of a design draft”. Let me summarize the following plot with a few simple poems:
Men work overtime home late, hastily pay the public grain. Sister felt a little disappointed, desire dissatisfaction secretly sigh. Neighbor first jie heart dark cool, aesthetic picture reflection. Girl soft MOE to be developed, uniform jump egg vibrator.
Think sister is too clever, neighbors want to secondary development sister (APK), so use three props, how to use these props and so on. Going back to this section, when using someone else’s APP, you might think: if I made the APP, I’d like to… ! Don’t think about it, just do it! Add something (custom UI) or change something (pay to become free, open hidden levels), of course, their dark cool good, can not spread everywhere, “damage computer information system crime warning”. Take competitive APP level payment as an example to explain a wave:
The problem is described as follows:
- 1. There is a lock for courses on the home page. Click: a dialog box for opening a complete course will pop up;
- 2, click the next level, can not switch to the next level, prompt: stay tuned;
- 3, 50-100 lessons with locks, click on the hint: trying to build… ;
- 4. Except for L1, other levels have locks. Click the hint: Please wait.
Uniform – debugging under the breakpoint directly change the flag bit
How to dynamically debug Smali has been introduced above, specific debugging skills can be seen in “Catch a snake! Android program debugging is as simple as it is”, came to the APP in the following page:
Click 50-100 to get the message “Trying to build” and open the Developer Assistant:
Locate CourseChangeFragment directly:
Let’s see what this.n is and what d is in it:
Ok, so d is the image highlighted, 1 is the image highlighted, and let’s see where this.n is assigned:
For level selection, search “select the course map corresponding to the level” to locate the ChangeLevelDialog, search globally, locate the CourseChangeFragment:
Again, take a look at what this.k is and where the assignment is done:
If you go to ChangeLevelDialog, you can see that you’re extracting CourseLevelInfo
Follow along:
Ok, this c is the state of the level, 1 is the available state, ok, find the break point, search the control:
The control id 0 x7f0f0363, back to CourseChangeFragment. Smali search:
Locate directly to sswitch_2:
The place circled here is actually The Chinese Unicode code. If you do not believe it, you will know:
Locate the following code:
Next wave of this code:
iget-object v0, p0, ... /CourseChangeFragment; ->n:... /$CourseLevelMapInfo;
P0 is an instance of the variable's class, this, and puts the value of n into register v0
if-eqz v0, :cond_1
If v0 is null, skip to cond_1
iget-object v0, p0, ... /CourseChangeFragment; ->n:... /$CourseLevelMapInfo
Put the value of n into register v0
iget v0, v0, ... $CourseLevelMapInfo; ->d:I
# reference n object stored in register v0, put the value of n.d into register v0
if-ne v0, v1, :cond_1
Cond_1 = cond_1 = cond_1
Copy the codeFinish the breakpoint as shown in the picture, start debugging smail, go to the concern page, click to enter the debugging mode:
Right-click D, select Set Value, Set the Value to 1, and proceed to execute the breakpoint.
TSK TSK, a little interesting, several other crack is also “the same”, but every time to debugging is too troublesome, there is no once and for all method? Of course, write a Xposed plug-in to play it ~
Jump egg – write Xposed plug-in
About Xposed, previously written a series, will not be introduced in detail:
- Sorry, Xposed really can do anything – 1. Basic knowledge reserves
- Sorry, Xposed really can do whatever you want — 2. Change the OV models smooth play high frame rate king pesticide
- Sorry, Xposed can really do whatever you want — 3. Wechat movement occupy the cover to sell advertising space
- Sorry, Xposed really can do anything — 4. Guessing dice you can win calculate I lose
- Sorry, Xposed really can do whatever you want – 5. I brush the Xposed with what not to give me
- Sorry, Xposed really can do whatever you want — 6. Your vindication can not be removed back
In short, you can:
Modifying variable values, Hook methods, explicitly executing methods, etc.
We need to locate the “source of the flag bit” (usually method), before or after the method is executed, make some modifications, the process is trivial, directly give the plug-in code! 3. Break the lock of course selection:
4. Crack the level selection dialog
Then it is: 2, crack the next concern for the home page
Finally: 1, crack all the levels on the home page
Put the written Xposed plug-in installed on the phone, Xposed Installer check, restart, then open the APP, look at the effect:
Ok, plug-in written, but after all, not everyone’s mobile phone will Root Xposed, just cracked after two packaging bar.
③ Vibrator — apktool secondary packaging
The process for repackaging with ApkTool is simple. The hard part is changing the Samli code:
Change smali => ApkTool B repackage => Jarsigner/Apksigner secondary signature
Ok, start work lu smali, positioning to CourseChangeFragment. The onClick function judgment about smali code:
The preceding number is the “hexadecimal resource ID”, which can be converted directly from the decomcompiled JADx id:
Corresponding to: 7f0F0360 and 7F0F0363, the corresponding jump => sswitch_3 and sswitch_2, first go to sswitch_2, you can see in the source code to make a judgment, if not meet the return, if yes, continue to go, here can use a loophole, “directly delete the judgment related code”, Keep only the code circled below:
Then drag the following command to pack the project back to APK:
apktool b xxx -o xxx.apk
Copy the codeThen open apK with “jadX-GUI” to see the code:
Yes, yes, yes, yes, yes, yes, yes, yes, yes, yes, yes, yes, yes, yes, yes, yes. The gameplay is as follows:
# If you don't have a signature, you can create it by using the following command
JKS -keyalg RSA -keysize keytool -genkey -v -keystore file name2048 -validity 10000 -aliasSignature alias
# ====== Jarsigner signed ======
# 1. Enter the following command and press Enter to enter the password
Jarsigner -verbose -keystore certificate -signedjar After signing apk Before signing apk Certificate alias
/ / add the following parameter before -keystore:
-digestalg SHA1 -sigalg MD5withRSA
# 3 Tips: You can use the following command to check whether the APK is signed
jarsigner -verify xxx.apk
# ====== Use Google's signature and validation tool: Apksigner ======
Android SDK/build-tools/SDK version /apksigner.bat
# 1. Align
zipalign -v -p 4 xxx.apk xxx_aligned.apk
# 2. Signature
Sign -- KS certificate --out release.apk origin_aligned.apk
Verify that the signature is successful
apksigner verify release.apk
Copy the codeInstall the signed APK on your phone and open it to see the result:
The lock icon is still there, but you can now switch levels by clicking on it. Yes, go ahead and select the level section:
Courselevelinfo.c == 1; courselevelinfo.c == 1;
After the code indicated by the arrow, add: courselevelInfo.c = 1; , but you need to convert the Java statement to smali! This conversion is not as easy as you might think. Open changeleveldialog. smali and locate method A:
We need to add the assignment code to.line:
The assignment requires holding 1(0x1) in a register and then assigning with iput:
Package apkTool B and open it with jadX-GUI.
Jarsigner will directly sign the adb on the phone for verification.
Yes, Nice, do the rest of the next level on the home page and all the levels:
Delete the assignment statement corresponding to Smali:
Repackage, jADX-GUI open view:
Each level locks bits to: MainHomeworkAdapter$CommonViewHolder class (dollar sign represents inner class)
Insert the assignment statement as shown,
Repackage, jADX-GUI open view:
Run to see the effect, the result and Xposed is much the same, but not installed xposed mobile phone can be used directly ~
Then say one thing:
Not all APKs can be directly re-packaged for signature! Some will do signature verification, open the wrong signature, directly flash back, Java layer can Hook off the verification method, Native layer can only change So; There are also some hardened APKs, although you can export dex, but the onCreate function needs to be fixed for secondary packaging (e.g. 360 hardened Gems). So most of the time, we can just look at the code ~ so Xposed or incense, Smali write up is really cumbersome, complex logic code will write want to cry, every time to see the effect of repackaging…
④ Reverse weapon of mobile terminal — MT Manager 2
PC side reverse, need to download a bunch of decompiler tools (apkTool, jadx, etc.), some better tools (AndroidKiller, smali2Java, etc.) do not support MAC, so here it comes — MT Manager 2: “Dual-window file management” and “powerful APK editing function” on mobile, you can efficiently modify Android software on mobile. The interface is as follows:
The official documentation has detailed explanation, not beep, readers to check out the documentation: MT Manager, there is also a related reverse forum: MT forum
Tips: It’s basically a paid service, and some features require members to use.
The author has the habit of “bookkeeping”, using “X bookkeeping”, the bound flour powder, quite Gay, is every time to open the pop-up “advertising flash screen page” make me very disgusted. All right, let’s go ahead and show you how to play MT Manager 2.
Click “Trace Activity” on the left menu bar to start tracing, then open the software, and then go back to the MT Manager to see the startup record of the Activity:
First LogoActivity, then MainActivity, click the left menu “Install Package Extraction” :
/MT2/apks directory, click apk, “View”, open androidmanifest.xml also see:
LogoActivity. Click classex. Dex to open the LogoActivity.
Next, open LogoActivity using the package name, click on the top right corner, “Convert to Java.”
The converted Java code is the same as Jadx’s:
@bindView (@bindView), @bindView (@bindView), @bindView
Smali is the same as PC, but compared with PC, after modification, you can directly switch to Java, much more convenient, save after modification, return will pop up the following dialog box:
However, open the repackaged APP: The AD content is missing, but it is stuck in the icon page, and you have to click on the upper right corner to close it. Just as I was about to start doing this, I saw this:
2333, in order to avoid “null pointer exception”, call adsView related methods before doing “null” can, good development habits!
But it’s also convenient for me.
I just set the “adsView to NULL” in the page initialization area.
Locate the View as shown in the figure and empty the View where it was initialized
Open the smali code corresponding to initView function, write the smali code to empty adsView:
Secondary packaging, overwrite the installation to see the effect:
Compare the effect without ads:
When it is really helpless, click the skip button is very small and easy to mistakenly touch, and the point is not immediately closed! Remove APP flash screen AD page in two lines of code
0x7, Death is like the wind, Always with me => Climb APP data
In fact, there was no this section, after all, APP source code has been stripped by your pants not left “arbitrary ravage”, but there is one point:
She doesn’t belong to you!
If, one day, the APP goes down, the server goes down, all the work you’ve done goes down the drain.
Instead of saying “sigh” one day later
“I wish you no waves of years, and respect me for the rest of my life.”
How about finding a way to make her truly yours:
In the final analysis: APP is just a resource display tool, and the background is a resource scheduling tool, the key or “resources”!
Use Fiddler, Charles and other capture tools to capture a wave of data, and then write a crawler to save the data in each level. Forget him! I stole other people’s APP code to feed you “, here will not be repeated, directly open catch:
There are several interfaces to screen out the interfaces we need:
The rules are relatively simple, the interface did not do user verification, paid resource links are also returned, only in the APP side to do restrictions. Add the data to MongoDB from the classes that store the data:
For the habit of anti-crawler, use “proxy IP” access, about how to obtain proxy IP, said before, no beep, here uses the Proxy tunnel of ABU Cloud, 1 yuan per hour, beautiful, relevant configuration is as follows:
In addition to using proxy IP, “device name, device ID, version” are generated randomly:
Then write methods to request and parse the data:
Finally open a wave of multi-process access:
Multi-process + high availability agent, less than a minute to climb, delectable:
Select * from (select * from (select * from (select * from (select * from)));
Line, data climb to finish, the rest of the interface is not a demonstration, right, you can also write a script to all audio and video resources, pictures climb to their own computer, or synchronized to the seven niuyun and other CDN sites, and then iterate to replace a wave of base address. In addition, if the packet capture analysis can not find the rule, you can also start from APP ~
0 by 8, summary
Through bumpy, finally put the last chapter was let out of the liver, write the purpose of this series is wanted to pick some nice effect of competing goods APP, living into reverse, the result is a phased study summary, reverse the water’s pretty deep, there are opportunities and leisure play play, just like that, then, to write a prepare weekly “interview” series, To supervise their own preparation for the interview, please look forward to.
For the last time in this series, I will send you a Python crawler primer, free of charge, next Friday.
Thank you for your continued support and love
Tips: this series of tools you want to use, there are more official download links!! You can also go to the public number “pat boy” input 000, reply to the corresponding serial number download, thank you ~
Congratulations on “Weihuawei” children’s shoes winning the lottery screen will be given later ~
