Exploring, through Android decompilation, how apps get injected with ads

This article was originally published by my WeChat public account: Hongyang (hongyangAndroid).

Please indicate the source for reprinting:
http://blog.csdn.net/lmj623565791/article/details/53370414 ;
This article comes from: [Zhang Hongyang's blog]

I. Overview

Chatting with friends recently, I learned that some gray-market operations decompile apks from the app stores in batches, inject advertisements into them, and then repackage and redistribute them through their own channels.

I think nobody wants their own product or app to be "occupied" this easily, but if you want to defend yourself you first have to know the other side's methods. So the purpose of this post is not to teach you how to hack other people's apps, but to raise your security awareness and get you to add the necessary protection to your own apps, so that they cannot be "occupied" so easily.

Because this is only a preliminary exploration, it does not require mastering much technology; it is mainly about using a few tools~~

II. Tools

A few important tools; make sure to use the latest versions:

  • apktool: used mainly for decompiling and repackaging apks;
  • JD-GUI: used mainly to display .class files (for example inside a jar) as Java source;
  • dex2jar: used mainly to convert dex files into jar files.

I believe that, for learning purposes, everyone has used the tools above to some extent. If not, download them yourself, and get the latest version where possible.

The topic is ad injection, so we pick one kind of injected ad. Most apps have a splash-screen ad, so we simulate exactly that: decompile an apk, add our own splash-screen ad page, and repackage it.

III. Steps

First of all we need an apk to work on, so we just write a simple demo.

package com.zhy.decompile;

import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
    }
}

The app looks like this (screenshot omitted); they say a post without pictures is hard to read.

Then click Run to get the debug apk. Of course, you can also build a signed and obfuscated apk yourself, or download some little-known app.

1. Decompile an app

./apktool d app.apk 

The res directory holds the resources, and the smali directory can be regarded as the source directory, except that what it contains is the smali file corresponding to each class rather than Java.

If you are familiar with smali syntax, you can add logic directly in those files.

We will skip that here, but we can open the res directory, find the layout file for activity_main, and change the string inside it to: This is hacked app! Play around with this yourself.

By the way, we're going to inject a splash screen ad.

Thinking about it, we can present the splash-screen ad with an Activity, so my plan is as follows:

  1. Write the activity of the splash screen advertisement page
  2. Modify the entry Activity in AndroidManifest.xml to be our splash page Activity
  3. In the splash screen page, jump to the original entry Activity after 3s

That's it.

There seems to be a problem, though. The code here is all smali, but I can only write the splash-screen Activity in Java. How do I convert it? Is there some tool that works miracles?

Well, there really is.

The tool is Android Studio. Just kidding, sort of: although we cannot write smali, we do know that smali files can be produced by decompilation. So we look up the package name of the decompiled apk, create a new app with the same package name, write the splash-screen Activity in it, and build it into an apk. Then we decompile that apk too, extract the smali file corresponding to the splash-screen page, and paste it into the directory of the decompiled target apk.

2. Create a new project (to obtain the smali files)

The content is as follows:

package com.zhy.decompile;

import android.content.ComponentName;
import android.content.Intent;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.support.v7.app.AppCompatActivity;

public class HackAdActivity extends AppCompatActivity {

    // Handler bound to the main thread; used to delay the jump by 3 seconds
    private Handler mHandler = new Handler(Looper.getMainLooper());

    // Starts the original entry Activity explicitly by package + class name
    private Runnable mCallback = new Runnable() {
        @Override
        public void run() {
            Intent intent = new Intent();
            intent.setComponent(new ComponentName("com.zhy.decompile",
                    "com.zhy.decompile.MainActivity"));
            startActivity(intent);
        }
    };

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // No setContentView yet: the layout is handled in a later section
        mHandler.postDelayed(mCallback, 3000);
    }

    @Override
    protected void onDestroy() {
        super.onDestroy();
        // Avoid firing the jump after the Activity is gone
        mHandler.removeCallbacks(mCallback);
    }
}

Note that the package name must be identical to the original package name, and do not use a layout file for now; that is covered later~~

Then build the apk, repeat the decompilation step above, and get the smali files.

Note that, written this way, the class also has an anonymous inner class (its own smali file), so both smali files are copied into the directory of the decompiled app.

Then open AndroidManifest.xml and change the entry Activity...

You can see that the entry Activity has been changed to our newly created Activity, and the original entry Activity has become an ordinary Activity.

At this point, our file has been modified.

Then we repackage it, and the repackaged apk can be installed. After installation, the splash-screen ad page starts first, followed by the original page.

Then it's packing~

3. Pack

./apktool b apk1127 -o app1127_new.apk
I: Using Apktool 2.2.0
I: Checking whether sources has changed...
I: Smaling smali folder into classes.dex...
W: Unknown file type, ignoring: apk1127/smali/.DS_Store
W: Unknown file type, ignoring: apk1127/smali/com/.DS_Store
W: Unknown file type, ignoring: apk1127/smali/com/zhy/.DS_Store
I: Checking whether resources has changed...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...

OK, after the build succeeds you can see a new app1127_new.apk.

This apk cannot be installed yet; trying to install it gives the following result (screenshot omitted):

This is mainly because it has no signature.

So let's start signing!

4. Signature

To sign, we need a keystore, so let's generate one together.

keytool -genkey -alias zhy.keystore -keyalg RSA -validity 20000 -keystore zhy.keystore 

Then follow the prompts and fill in the requested values.

Of course, if you find the command too hard to remember, you can also generate one visually in Android Studio:

Click Build > Generate Signed APK:

Select Create new, then fill in the panel that pops up; the fields are self-explanatory.

After we have the keystore, we can use the newly generated keystore to sign the apk we just hacked.

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore zhy.keystore -storepass 123456 app1127_new.apk zhy.keystore

The command is shown on a single line here so it can be executed as is; the last argument is the key alias (zhy.keystore, as chosen in the keytool command above).

There are not many options. The keystore path, password and alias should be self-explanatory; if you are interested, look up the details of the remaining options.

After the signature is completed, it can generally be installed, but we usually do an alignment operation.

5. Align

zipalign 4 app1127_new.apk app1127_new_align.apk

Now run:

Originally there was only one page; now you can see the "I am ad" page we injected before it.

Of course, if you followed along exactly, then, as mentioned above, we have not used any resources yet, so you will see the page transition, but the Ad page has no layout.

Now let's talk about using layout files.

IV. Using the layout file

Add a line to HackAdActivity:

  setContentView(R.layout.ad);

It is the same work as before: re-decompile, copy the smali file, and also copy the ad layout into the decompiled folder of the app you want to inject into.

Then can we just repackage?

Of course not; if it were that simple I would have said so. We know that when we compile, an R.layout.ad constant is generated, and that value definitely does not exist in the original app (ignoring name collisions).
So we need to add it manually:

Open the R$layout.smali file:

We add an ad resource id at the end, choosing a value that follows the last existing layout id in the file so it does not collide with one already defined:

.field public static final ad:I = 0x7f04002e

Then save and exit.

Don't rush to pack...

After the definition is complete, our HackAdActivity.smali still needs to be modified.

Didn't I say I don't know how to edit smali?

Changing a single id is still doable.

Find the line just before the setContentView call, where the layout id constant is loaded, and replace its value with the one we just defined; it is quite easy to locate.

After the modification, repackage, sign and align again and it will be OK~~

If you use more resources, remember to handle each of them in the same way.

V. Summary

That completes decompiling an apk, injecting a new Activity into it, and giving that Activity a custom layout. As for what such an Activity can see and do, everyone can surely imagine.

However, our purpose is not to get everyone decompiling other people's apks, but to show how easily our own apks can be tampered with by others.

So the question to think about is:

How can this kind of behaviour be prevented?
Comments on how to prevent it are welcome.
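One direct defence against the repackaging shown above, as an added example that is not part of the original post: the modified apk had to be re-signed with a different keystore (zhy.keystore), so the app can compare the fingerprint of its own signing certificate at runtime against the fingerprint of the genuine release certificate. EXPECTED_SHA256 is a placeholder to be replaced with the real value, and the API used is the one available at the time of the post.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.security.MessageDigest;
import java.util.Locale;

public final class SignatureCheck {

    // Placeholder: replace with the SHA-256 fingerprint of the genuine release
    // certificate (keytool -list -v -keystore release.keystore prints it).
    private static final String EXPECTED_SHA256 =
            "PLACEHOLDER-REPLACE-WITH-RELEASE-CERT-SHA256";

    private SignatureCheck() { }

    /** Returns true only if the installed apk is signed with the expected certificate. */
    public static boolean isGenuine(Context context) {
        try {
            PackageManager pm = context.getPackageManager();
            // GET_SIGNATURES is the API of the era of this post; on API 28+
            // GET_SIGNING_CERTIFICATES / signingInfo is the preferred replacement.
            @SuppressWarnings("deprecation")
            PackageInfo info = pm.getPackageInfo(context.getPackageName(),
                    PackageManager.GET_SIGNATURES);
            @SuppressWarnings("deprecation")
            Signature[] signatures = info.signatures;
            if (signatures == null || signatures.length != 1) {
                return false; // a re-signed apk carries someone else's key, not ours
            }
            String actual = sha256Hex(signatures[0].toByteArray());
            return EXPECTED_SHA256.equalsIgnoreCase(actual);
        } catch (Exception e) {
            return false; // treat any failure to read the signature as tampering
        }
    }

    // Hex fingerprint in the same AA:BB:CC form that keytool prints
    private static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format(Locale.US, "%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }
}
```

Call SignatureCheck.isGenuine(this) early in the entry Activity and refuse to continue (or report home) when it returns false. Since anyone who can edit smali can also remove this check, it raises the cost of repackaging rather than ruling it out; pairing it with server-side verification of the fingerprint is stronger.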

To be continued…


Welcome to follow my Weibo:
http://weibo.com/u/3165018720


WeChat public account: hongyangAndroid
(Welcome to pay attention, don't miss every piece of dry goods, support submission)
