Android [decompiling and recompiling]: a practical summary on one APK

I have been experimenting quite a lot over the last 3 months and need to organize my notes so they are easy to follow later; marking it here.

Test APK URL: http://download.downxia.com/down/apk/beijjiaoj.apk
Saved as a local file: ~/Downloads/bjjj_244.apk
Now let's get to work.
1. Android APKTool
First, download the apktool tool and follow its documentation for usage.
Then run apktool d [apk file path] -o [output directory]:

    apktool d ~/Downloads/bjjj_244.apk -o ~/Downloads/tmp/bjjj_244

Next, run apktool b [directory produced by decode] -o [output apk file]:

    apktool b ~/Downloads/tmp/bjjj_244 -o ~/Downloads/tmp/bjjj_244.apk

The build log shows an error about a part of AndroidManifest.xml that was modified by a third-party hardening (packer) tool; remove the extra attribute:

    android:qihoo="activity"

Build again; this time it passes and produces an apk file. Let's try installing it:

    zeonadmindeMac-mini-2:~ zeonadmin$ adb install ~/Downloads/tmp/bjjj_244.apk
    [100%] /data/local/tmp/bjjj_244.apk
    	pkg: /data/local/tmp/bjjj_244.apk
    Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]

The error says the package is unsigned. After signing it with a keystore I created myself, it installs successfully:

    zeonadmindeMac-mini-2:~ zeonadmin$ adb install ~/Downloads/tmp/bjjj_244_signed.apk
    [100%] /data/local/tmp/bjjj_244_signed.apk
    	pkg: /data/local/tmp/bjjj_244_signed.apk
    Success
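As an added example (not part of the original post), here is a small stdlib-only Python script that reports which signature schemes an APK carries before you push it with adb install; an APK with none of them is exactly what the INSTALL_PARSE_FAILED_NO_CERTIFICATES failure above refers to. The block layout and scheme IDs come from Android's published APK Signing Block format; the make_apk helper only builds constructed fixtures (a synthetic signing block with placeholder values, not a real signature) so the parser can be exercised offline.

```python
import io
import struct
import zipfile

# Layout and IDs from Android's published APK Signing Block format (v2/v3 signing).
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
SIG_SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}


def signing_schemes(apk: bytes) -> dict:
    """Report which signature schemes an APK carries (presence only, nothing verified).
    v1 (JAR) signing = META-INF/*.SF + *.RSA/*.DSA/*.EC; v2/v3 = APK Signing Block."""
    found = {"v1": False, "v2": False, "v3": False}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        meta = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    found["v1"] = any(n.endswith(".SF") for n in meta) and any(
        n.endswith((".RSA", ".DSA", ".EC")) for n in meta)
    eocd = apk.rfind(b"PK\x05\x06")  # End of Central Directory record
    if eocd < 0:
        raise ValueError("not a ZIP/APK: EOCD record missing")
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    # Block: u64 size | (u64 len, u32 id, value)* | u64 size | magic; size excludes 1st field
    if cd_offset >= 24 and apk[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
        pos, end = cd_offset - size, cd_offset - 24  # first pair .. trailing size field
        while pos + 12 <= end:
            pair_len, pair_id = struct.unpack_from("<QI", apk, pos)
            if pair_id in SIG_SCHEME_IDS:
                found[SIG_SCHEME_IDS[pair_id]] = True
            pos += 8 + pair_len
    return found


def make_apk(entries: dict, fake_block_ids=()) -> bytes:
    """Constructed test fixture: a ZIP of `entries`, optionally with a synthetic signing
    block carrying the given pair IDs and placeholder values (not a real signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = buf.getvalue()
    if not fake_block_ids:
        return data
    eocd = data.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 12, i) + b"\x00" * 8 for i in fake_block_ids)
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    # Splice the block in before the central directory and move the EOCD's CD offset.
    patched = bytearray(data[:cd_offset] + block + data[cd_offset:])
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(patched)
```

Run signing_schemes(open(path, "rb").read()) on the apktool output and on the re-signed APK to see the difference before installing.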

Tap the app icon... and, sure enough, it crashes:

11-09 15:20:09.495 785-795/? I/ActivityManager: Start proc 18728:com.zcbl.bjjj_driving/u0a100 for activity com.zcbl.bjjj_driving/com.zcbl.driving_simple.activity.SplashActivity
11-09 15:20:09.718 18728-18728/? D/AndroidRuntime: Shutting down VM
11-09 15:20:09.719 18728-18728/? E/AndroidRuntime: FATAL EXCEPTION: main
                                                   Process: com.zcbl.bjjj_driving, PID: 18728
                                                   java.lang.UnsatisfiedLinkError: JNI_ERR returned from JNI_OnLoad in "/data/user/0/com.zcbl.bjjj_driving/.jiagu/libjiagu.so"
                                                       at java.lang.Runtime.load(Runtime.java:332)
                                                       at java.lang.System.load(System.java:1069)
                                                       at com.stub.StubApp.attachBaseContext(StubApplication.java:205)
                                                       at android.app.Application.attach(Application.java:187)
                                                       at android.app.Instrumentation.newApplication(Instrumentation.java:997)
                                                       at android.app.Instrumentation.newApplication(Instrumentation.java:981)
                                                       at android.app.LoadedApk.makeApplication(LoadedApk.java:573)
                                                       at android.app.ActivityThread.handleBindApplication(ActivityThread.java:4680)
                                                       at android.app.ActivityThread.-wrap1(ActivityThread.java)
                                                       at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1405)
                                                       at android.os.Handler.dispatchMessage(Handler.java:102)
                                                       at android.os.Looper.loop(Looper.java:148)
                                                       at android.app.ActivityThread.main(ActivityThread.java:5417)
                                                       at java.lang.reflect.Method.invoke(Native Method)
                                                       at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726)
                                                       at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)
11-09 15:20:09.720 785-4740/? W/ActivityManager:   Force finishing activity com.zcbl.bjjj_driving/com.zcbl.driving_simple.activity.SplashActivity

The crash location is visible: com.stub.StubApp.attachBaseContext(StubApplication.java:205), so the next step is to decompile the Java code.
2. dex2jar
Download the dex2jar tool
and run:

    sh dex2jar-2.0/d2j-dex2jar.sh -f ~/Downloads/bjjj_2_4_4.apk -o ~/Downloads/tmp/bjjj_244_apk.jar

Open the jar file in JD-GUI; the code segment that crashes can be found:

    System.load(str + "/" + soName + ".so");

Here str is the package's data directory path + "/.jiagu", and soName is "libjiagu".
Open a root shell on the emulator and look at that path: the .so file is indeed there; it is copied over from assets/libjiagu.so. Next, investigate the JNI_OnLoad entry point.
3. Hopper Disassembler v4
Open libjiagu.so and search for JNI; you can see the JNI entry function JNI_OnLoad and the function it calls, __arm_a_1(_JavaVM*, _JNIEnv*, void*, int&).
For debugging the .so, refer directly to other people's write-ups:
http://blog.csdn.net/justfwd/article/details/49886585
http://blog.csdn.net/feibabeibei_beibei/article/details/72803762
http://blog.csdn.net/mingzznet/article/details/51837377
Repairing the .so is fairly hard, so I'll skip this section for now and move on; the resources are pasted here to come back to later.
4. dex => smali and smali => dex
https://bitbucket.org/JesusFreke/smali/downloads/

That is all for now; this is the basic workflow.