Shulou(Shulou.com)06/02 Report--

Today, I will talk to you about how to analyze the common Android bytecodes in the reverse entry, which may not be well understood by many people. In order to make you understand better, the editor has summarized the following contents. I hope you can get something from this article.

Cracking process

Break the Android program flow: decompile-> analyze-> modify-> recompile-> signature, all of which operate on the command line. Of course, there are also tools that integrate these operations:

Macos:Android-Crack-Tool

Windows:Android Killer

Related knowledge register

The concept of registers is explained here. Registers are used to store

Registers are some small storage areas used to store data in CPU, which are used to temporarily store the data and results involved in the operation. That is, storage is used to store data. Now all mobile phones use arm chips.

There are some digressions here: the more common CPU has intel's X86 architecture CPU and arm architecture CPU, in which intel's X86 architecture cpu instruction set has complex instruction set and reduced instruction set, and arm only has reduced instruction set.

Complex instruction set and reduced instruction set

The so-called complex and simple is based on whether to design instructions according to the program to improve the performance of the computer, the complex instruction set adds some complex functional instruction sets according to the application program, which leads to more and more CPU instructions, the more complex the design, the higher the cost, while the reduced instruction set will not design the instruction set according to the program, so how to improve the performance?

Some differences between jvm and davlik

The work of translating machine code is done by the compiler of the high-level language, leaving the work to the compiler. So the difference between the two is that the complex instruction set increases its own instruction set according to the program to improve computer performance, while the reduced instruction set is handed over to the compiler to do the instruction conversion work. Due to the addition of compiler conversion, it will run slowly and take up more memory, and the same program takes up more space on phones with arm chips and computers with intel chips. Another feature of the arm architecture of the reduced instruction set is that it has a large number of registers, and the davlik virtual machine uses this feature to change the original java virtual machine:

Each thread in the java virtual machine has a PC counter and a java stack. The PC counter is used to record where the program is executed. The call record used in the java stack to record the java method is called the stack frame. Each call to a method will allocate a new stack and press it into the java stack. Each stack frame contains a local variable area, the evaluation stack (jvm is called the Operand stack), and the local variable area is used to store method parameters and local variables. The evaluation stack is used to hold the intermediate results of the evaluation and parameters that call other methods. During the operation of the method, the data is taken from the local variable area in the stack, and the result is stored in the Operand stack, and the result is popped up from the Operand stack when it is returned.

The davlik virtual machine also maintains a PC counter and a call stack for each thread. The difference is that a register list is maintained in this call stack. As for the number of virtual registers allocated is given according to the registers field in the method structure, the davlik virtual machine creates a virtual register list based on this field. The local variable area and Operand stack in the frame of the java stack are replaced with a register list to store. So the java virtual machine is based on stack architecture, while the davlik virtual machine is based on register architecture.

Common Davlik bytecode interpretation

1. Common Davlike bytecode:

Define the field type:

Check-cast register (Operand), defined type

For example:

Check-cast v0,Lcom/android/Launcher2/launcherApplication

The type that represents the definition v0 is LauncherApplication

Field write Field read (General interpretation)

Summary: the instruction destination Operand source Operand represents the value in the instruction register (Operand). The class variable name variable attribute essentially instructs the operation or the Operand. Read get according to whether the instruction variable is read or assigned: read variable assignment to Operand assignment set: the value of the assigned variable is the value of the Operand

Static field writes:

Const register, the ID corresponding to the value (0X0 represents null)

Sput-object register, the class to which the field belongs;-> Field name: field type

Const/4 v3, 0x0

Sput-object v3, Lcom/disney/Class1;- > globalIapHandler:Lcom/disney/config/GlobalPurchaseHandler

Save 0x00 (which stands for null) in the v3 register

Writes the value in the v3 register to the globalIapHandler variable in Class1, which is of type GlobalPurchaseHandler

That is, Class1.globalIapHandler = null

Static field reading:

Sget-object register, the class to which the field belongs;-> Field name: field type

For example:

Sget-object v0, Lcom/disney/Class1;- > PREFS_INSTALLATION_ID:Ljava/lang/String

Read the PREFS_INSTALLATION_ID variable in Class1, which is of type String

Ordinary fields are written to:

.local v0, args:Landroid/os/Message

Const/4 v1, 0x12

Iput v1, v0, Landroid/os/Message;- > what:I

Store the args variable in the v0 register

Pass 0X12 to the v1 register

Set the what variable in Message to the v1 value

Equivalent to args.what=18

Normal field reading:

Iget-object register p0 (represents the example of the class in which the variable belongs, namely this), the class to which the field belongs;-> field name: zidaun1: field type

For example:

Iget-object v0, p0, Lcom/disney/Class1;- > _ view:Lcom/disney/Class2

Get the _ view variable in Class1 from the v0 register, which is of type Class2

Call method:

Invoke-virtual {register: caller (p0 represents this) and method parameter information}, the class in which the method is located;-> method name (parameter) returns the value

For example:

Invoke-virtual {p0}, Lcom/android/Launcher2/Launcher;_ > getApplication () L android/app/Application

The java implementation code is: (this.) getApplication ()

Call the parent class method:

Invoke-super {register: represents the caller and parameter}, the class to which the method belongs;-> method name (parameter type) returns a value [V represents no return value]

Invoke-super {p0menp1}, Landroid/app/ActivityGroup;- > onCreate (Landroid/os/Bundle;) V

Call API:

Invoke-interface {register [caller and method parameter information like method]}, the full name of the interface to which the method belongs;-> method name (parameter type) returns a value

Invoke-interface {v3 ~ (th) v6 ~ (th)), Landroid/content/SharedPreferences;- > getBoolean (Ljava/lang/String;Z) Z

The implementation code of java is: v3.getBoolean (v6jie v9)

Judgment statement:

One, if-nez (as opposed to if-eqz)

If-nez register (which stores operands),: at the label

If the Operand is not null or 0 or equal, jump to the label to execute the code

For example:

Move resule v0 (assign the result of the previous command to v0)

If-nez v0,: cond_0

(determine that the value is not 0 [the condition is true] and jump to the cond_0 label, otherwise the program continues to execute until it reaches the return-void instruction.)

Second, if-eqz

Means to jump when the result is 0 or equal (as opposed to if-nez)

Method returns:

Return-void does not return a value

Crack the program analyze and modify the smail file

1. Modify the smali file and install it on the phone.

Recompile, the recompile command is

Apktool b file address

Common errors in recompilation:

1. Prompt "at brut.androlib.Androlib.buildResourcesFull (Androlib.java:477)"

Explanation: this problem is caused by an error in packaging resources, and the inconsistency between the API version number used by the program and the Android-based version of framework-res.apk in apkool

For example: the API version used by the program is 25, while the apkttol version is 2.2.2, and the corresponding version of framework-res.apk is based on Android6.0.

Its API is 23. The two are inconsistent.

The solution is to find an android device with the same number of API versions used by API and the program, get the framework-res.apk from it, and install the apk locally

Use the command:

(1.) Get the framework-res.apk in the android device:

Adb pull / system/framework/framework-res.apk

(2.) Install to the local apktool

Apktool if. / framework-res.apk

Re-sign

The generated APK file is not signed after compilation, so it cannot be installed.

Sign the APK file through signapk

Use the command:

Cat / User/android/Program/signapk

#! / bin/sh

Java-jar ~ / Program/signapk_jar/signapk.jar ~ / Program/signapk_jar/testkey.x509.pem ~ / Program/signapk_jar/testkey.pk8 $1 signed.apk

These files can be extracted from the android source code.

Then complete the signature operation of apk:

Addresses of unsigned apk files after signapk compilation

After signing, the sign.apk file will be generated in the above file address.

After reading the above, do you have any further understanding of how to analyze the common Davlik bytecode in Android reverse entry? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.