
How to Do Static Analysis in Android

2025-03-09 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)05/31

This article explains in detail, step by step, how to conduct static analysis in Android.

Android reversing is a process of decompilation. The output of the Android build process is not directly readable, so the prerequisite for static analysis in a CTF is to decompile the given files back to a level of source code that we can understand, and then analyze that code statically.

0X01 Basic description

The logic code of an Android application is developed in Java, so the first layer is java code.

The Java virtual machine (JVM) runs the class files compiled from the java files.

The Android virtual machine, Dalvik, does not execute the class files that Java compilation produces for the JVM; it executes the dex file generated by repackaging them, and that dex file decompiles to smali files.

APK: the Android application installation package produced by compilation

Dex file: a packaged file of class files

Smali file: a Dalvik bytecode file

Class file: a JVM bytecode file

0X02 Use of tools

In a CTF, an Android challenge does not necessarily give you a complete compiled APK; it may give you any file type produced during the compilation process. The sections below are organized by file type and show which tools to use to get java source code that Douge can understand.

Type 1: class file

This case is relatively simple. The recommended tool is jd-gui.

Drag the class file directly into it and you can see the java source code.

Type 2: APK program

When the compilation of an Android project completes, you get the APK installation package. The APK file is actually a compressed package.

Change the file suffix to zip and unzip it. The extracted contents are as follows:

META-INF folder:

Stores the apk signature information, which ensures the integrity of the APK package and the security of the system.

res folder:

Stores resource files, including icon and xml files.

AndroidManifest.xml file:

The application configuration file, which every application must define and include. It describes the name, version, permissions, referenced library files and other information of the application.

classes.dex file:

The executable file that the Dalvik virtual machine loads directly. It is generated by the IDE from the compiled java files.

resources.arsc file:

Binary resource file, including strings, etc.

Recommended tools for decompiling an APK: ApkIDE, JEB

1. Using JEB:

Import the APK directly into JEB. After decompilation, you can see the smali files.

Many Android reversing tools decompile to smali files.

In JEB, press Q in a smali file to see the java code.

Advantages: the java code decompiled from the smali file has a clear structure.

Disadvantages: it cannot be modified.

2. Using ApkIDE:

Project -> Open Apk

Wait for decompilation to complete.

You can now see the smali files.

Select the smali file whose java source you want to see, and click the button below to open the Java source code.

ApkIDE is associated with jd-gui. Click the button and you jump to jd-gui.

ApkIDE decompiles the APK to class files and then uses jd-gui to get the Java source code.

You can see the decompiled class files in the ApkIDE project directory ApkIDE_v3.3\ApkIDE\Worksrc.

Advantages: powerful; you can modify the decompiled smali files and recompile them to generate an APK.

Disadvantages: the decompiled java code is not clear enough.

3. Differences between decompilers

Smali files are written in Smali syntax, and the Smali syntax is loose.

So if the decompilation process and the tools are different, the resulting java source code will be different as well.

Here is the reverse result of the same APK using the above two tools:

Brother Douge, as an enthusiast of Java development, likes the reverse result of JEB, which looks more comfortable.

Type 3: dex file

Recommended tool: dex2jar

The classes.dex file is a bytecode package compiled from the Android source code.

Use the dex2jar tool to get the java source. The command is as follows:

.\d2j-dex2jar.bat C:\Users\lin\Desktop\classes.dex

Jar files can be understood as compressed packages of class files, and the Java virtual machine can run them directly.

Open classes-dex2jar.jar with jd-gui and you can see the java source code.

Type 4: smali file

When there is only a single smali file, it cannot be decompiled directly with the above tools.

Brother Douge thought of the fact that ApkIDE can decompile an APK into smali files and lets you add, delete, modify and view those smali files.

So open any complete APK with ApkIDE and add the smali file to it (the APK can be one you developed yourself).

Add the smali file to the ApkIDE project.

Recompile to generate the APK.

After successful compilation, an APK is generated in the original APK directory.

Then open it with a tool such as JEB and you can see the Ezreal.smali file.
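
The four file types above can be told apart by content rather than by file name. The following is an added example, not part of the original article: it checks the standard magic bytes of class, dex and ZIP files and the leading .class directive of smali, then maps each type to the tool the article recommends. An APK is recognised as a ZIP that contains both AndroidManifest.xml and classes.dex. The function names and the sample inputs are constructed for illustration.

```python
import io
import zipfile

# Tool per file type, as recommended in the article above.
TOOLS = {"class": "jd-gui", "apk": "JEB or ApkIDE", "dex": "dex2jar, then jd-gui",
         "smali": "add to an APK in ApkIDE, recompile, open in JEB"}

def identify(data: bytes) -> str:
    """Classify a challenge file by content, not by its extension."""
    if data[:4] == b"\xca\xfe\xba\xbe":                 # JVM class magic
        return "class"
    if data[:4] == b"dex\n" and data[7:8] == b"\x00":   # "dex\n" + version + NUL
        return "dex"
    if data[:4] == b"PK\x03\x04":                       # ZIP local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        return "apk" if {"AndroidManifest.xml", "classes.dex"} <= names else "unknown"
    # smali is text: skip blank lines and comments, then expect ".class".
    for line in data[:4096].decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            return "smali" if line.startswith(".class ") else "unknown"
    return "unknown"

def recommend(data: bytes) -> str:
    return TOOLS.get(identify(data), "inspect manually")

def build_sample_apk() -> bytes:
    """Constructed sample: a minimal ZIP with the entries the article lists."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("AndroidManifest.xml", "classes.dex", "resources.arsc",
                     "META-INF/MANIFEST.MF", "res/layout/main.xml"):
            zf.writestr(name, b"constructed placeholder")
    return buf.getvalue()

# Constructed samples, not real challenge files.
SAMPLES = {
    "Hello.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
    "classes.dex": b"dex\n035\x00" + bytes(24),
    "Ezreal.smali": b"# constructed\n.class public LEzreal;\n",
    "app.apk": build_sample_apk(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {identify(blob)} -> {recommend(blob)}")
```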

Other tools:

Editors: notepad++, Sublime, etc.

Android emulator: Nox (Night God) emulator, etc.

0X04 Example analysis

Install the application in the emulator and see whether the interface gives any hints.

Entering characters in the text box and clicking the button reports an error, which suggests that the input is being checked against the correct flag.

Use the JEB tool to decompile to java. The android package contains the SDK files; what we want to analyze is the source code under the com package.

There are only three classes, with a small amount of code. Start from the program entry, MainActivity, and look for the key code block.

This if statement decides whether the flag is correct.

Search the class to see where this method is called.

The analysis shows that arg12 is the value entered in the interface, which tells us that the value of v5 is the flag we want.

The onCreate function calls the checkSN method, passing in two parameters:

MainActivity.this.edit_userName.trim()

MainActivity.this.edit_sn.getText().toString().trim()

    // onCreate is a special function in Android that "indicates that a window is being generated".
    // It does not produce the window itself, but sets the properties of the window,
    // such as style, position and color, before the window is displayed.
    public void onCreate(Bundle arg3) {
        super.onCreate(arg3);
        this.setContentView(0x7F040019);
        this.setTitle(0x7F06001D);
        this.edit_userName = "Tenshine";   // fixed user name, passed to checkSN as arg11
        this.edit_sn = this.findViewById(0x7F0C0051);
        this.btn_register = this.findViewById(0x7F0C0052);
        this.btn_register.setOnClickListener(new View$OnClickListener() {
            public void onClick(View arg5) {
                // the text typed into edit_sn is passed to checkSN as arg12
                if(!MainActivity.this.checkSN(MainActivity.this.edit_userName.trim(), MainActivity.this.edit_sn.getText().toString().trim())) {
                    Toast.makeText(MainActivity.this, 0x7F06001E, 0).show();
                }
                else {
                    Toast.makeText(MainActivity.this, 0x7F06001B, 0).show();
                    MainActivity.this.btn_register.setEnabled(false);
                    MainActivity.this.setTitle(0x7F060019);
                }
            }
        });
    }

Now analyze the value of v5. v5 is generated from v3 and v4. v4 is an int that is assigned 0 directly and serves as the loop counter, so it can be used as is.

v3 is the return value of the toHexString method. The value passed in comes from v1, which is produced by v1.update(arg11.getBytes());

arg11 is the parameter "Tenshine" that is passed in.

    private boolean checkSN(String arg11, String arg12) {
        boolean v7 = false;
        if(arg11 != null) {
            try {
                if(arg11.length() == 0) {
                    return v7;
                }
                if(arg12 == null) {
                    return v7;
                }
                // the serial must be exactly 22 characters: "flag{" + 16 + "}"
                if(arg12.length() != 22) {
                    return v7;
                }
                MessageDigest v1 = MessageDigest.getInstance("MD5");
                v1.reset();
                v1.update(arg11.getBytes());
                // v3: the MD5 digest of the user name as a 32-character hex string
                String v3 = MainActivity.toHexString(v1.digest(), "");
                StringBuilder v5 = new StringBuilder();
                int v4;
                // keep every second hex character (indexes 0, 2, 4, ...)
                for(v4 = 0; v4 < v3.length(); v4 += 2) {
                    v5.append(v3.charAt(v4));
                }
                if(!("flag{" + v5.toString() + "}").equalsIgnoreCase(arg12)) {
                    return v7;
                }
            }
            catch(NoSuchAlgorithmException v2) {
                // decompiler output: Java itself has no goto statement
                goto label_40;
            }
            v7 = true;
        }
        return v7;
    label_40:
        v2.printStackTrace();
        return v7;
    }

Based on the analysis above, extract the code involved in generating v5.

It is pure java code, so there is no need to import any Android packages; importing the Java dependencies is enough.

    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public class Code {
        // Convert each byte to two lowercase hex digits, followed by the separator arg9.
        static String toHexString(byte[] arg8, String arg9) {
            StringBuilder v3 = new StringBuilder();
            byte[] v0 = arg8;
            int v5 = v0.length;
            int v4;
            for(v4 = 0; v4 < v5; ++v4) {
                String v2 = Integer.toHexString(v0[v4] & 255);
                if(v2.length() == 1) {
                    v3.append('0');   // pad single-digit values to two characters
                }
                v3.append(v2).append(arg9);
            }
            return v3.toString();
        }

        public static void main(String[] args) throws NoSuchAlgorithmException {
            MessageDigest v1 = MessageDigest.getInstance("MD5");
            v1.reset();
            v1.update("Tenshine".getBytes());
            String v3 = Code.toHexString(v1.digest(), "");
            StringBuilder v5 = new StringBuilder();
            int v4;
            // keep every second hex character, exactly as checkSN does
            for(v4 = 0; v4 < v3.length(); v4 += 2) {
                v5.append(v3.charAt(v4));
            }
            System.out.println("flag{" + v5.toString() + "}");
        }
    }

Edit and run with IDEA to get the flag.
