APP Penetration - shell detection and unpacking, decompiling, repackaging and signing

1 Introduction

  The previous articles mainly collected information about the APK file. Once that information is collected, the next step is to dig out the APP's vulnerabilities. In essence, most APPs are a client wrapper around pages and interfaces that would otherwise be served by a website: every call goes to a server, so apart from the minority of bugs that live in local pages or client code, the vulnerabilities found are mostly server-side problems, the same as in web testing.

  So after obtaining the APP's endpoints you can open them directly in a browser, or intercept and tamper with the relevant requests. For example, once you have the server's IP address you can scan it with nmap to see whether database ports, remote administration ports, middleware ports and so on are exposed, and test those as usual.

1.1. Others

  This chapter mainly introduces APP decompilation. Decompilation is also part of security testing: an APK can be decompiled to implant a backdoor and then redistributed for others to install, or modified to unlock membership features, enable free reading, or otherwise crack the app. All of these fall under the category of APP tampering.

  Due to my limited personal level, the decompilation here can only serve as a reference; readers who need more detail should look up related material themselves.

2. Installation tool

  As the saying goes, "a worker must first sharpen his tools if he wants to do his job well", so the relevant tools need to be installed before decompiling.

2.1. Download the jadx tool

  jadx - Dex to Java decompiler

  Command line and GUI tools for generating Java source code from Android Dex and Apk files

2.1.1. Download link

  jadx download


2.1.2. Execution file

  After downloading, enter the lib directory of the extracted archive and run the command below. The GUI appears once it starts; this interface is used again later.

 java -jar .\jadx-gui-1.4.7.jar


2.2. Download the apktool tool

  apktool is a tool for reverse engineering third-party, closed, binary Android applications. It can decode resources to a near-original form and rebuild them after modifications have been made. It also makes working with an app easier because of its project-like file structure and its automation of repetitive tasks such as building the APK.

2.2.1. Download link

  apktool download

  Here you need to right-click "wrapper script" and choose "Save link as"; the saved file must have a .bat extension.


  Then select "find newest here" and download the latest jar.


2.2.2. Testing

  Run the command below; as long as the usage information is printed, the installation succeeded.

apktool


2.3. Download the dex2jar tool

  dex2jar converts classes.dex into a jar file.

2.3.1. Download link

  dex2jar


3. Check and unpack

  Shell checking and unpacking come first because the APK we want to decompile may be packed ("shelled") by a hardening product, and a packed APK must be unpacked before it can be decompiled properly. Packing is not universal: it is mostly large companies that harden their APKs, and ordinary companies most likely do not.

  Packing implants a loader stub into the binary. The stub takes control first when the program runs and does some extra work (typically decrypting and loading the real code) before handing over; many viruses use the same principle. Applied to an APK, it is a hardening technique that encrypts, hides or obfuscates the original code.

  Purpose: a packed program effectively resists static disassembly and decompilation. It is often used to protect software copyright and prevent the software from being cracked.

3.1. Check shell

  Shell checking tells you whether the APK is packed, because a packed APK cannot be decompiled directly. There are many tools for this on the Internet, so none is linked here; there are certainly better ones, and the tool used below is itself a cracked copy, so it is only for demonstration.

  Here we prepare two APK files: Tantan and a chess-and-cards app.

3.1.1. Probe Shell

  The Tantan APK is hardened with NetEase Yidun. Shells from these big vendors are usually hard to unpack: the hardening company makes its money from the shell, so it would hardly be easy to strip. Individuals who do have the skill tend to keep the method to themselves, both because it is worth money and because publishing it carries risks that need no explanation.


3.1.2. Chess shell check

  This chess-and-cards app is illegal software, which essentially never gets commercially packed, so it can be decompiled directly. In general: no shell, decompile directly; a shell you can remove, unpack first and then decompile.


3.2. Shelling

  Unpacking restores a packed APK so that it can be decompiled. But, as said above, the shells of big vendors are not so easy to remove; those of small vendors may still come off.

  BlackDex

3.2.1. Unpacking "a certain concubine"

  Here is a demonstration of unpacking the app the author refers to as "a certain concubine" (an adult app). It has no shell; would you expect the developer of an adult app to care that much about security?

3.2.1.1. Attempt to unpack

  You can see that the unpack succeeded and the dumped files are stored at the path shown. To get them, enter that path and extract the files.


3.2.1.2. Download files

  Copying files out of the emulator by hand is awkward, so the files are pulled over the terminal instead.

adb pull <path of the file in the emulator> <destination path on the host>


3.2.1.3. Opening a file

  Use the jadx tool installed earlier to open the file.


3.2.1.4. Open Effect

  Here you can see the result after opening. Of course this is not the only dumped file for this app; there are three more.


3.3. Summary

  I originally wanted to include a screenshot of an unpacking failure, but this tool can basically unpack everything I tried; whether the dumped content is actually usable I cannot judge at my level.

4. Decompile

  The App installation package we download is an APK file (Android Application Package). Decompilation means recovering the application's code and resource files from the APK so that they can be analysed and modified.

  In penetration testing, the decompilation check asks whether the app can be decompiled and, if so, whether its contents can be modified to bypass official restrictions. Harmless modifications may have no serious consequences, but if core logic can be changed (payment or membership checks, for example) and the modified build still runs and is accepted by the backend, the APP is not safe.

4.1. Others

  Due to my limited level, and because these articles are mainly a learning record, a simpler APP is used for decompilation here. For complicated ones, even if I can decompile them I still do not understand the principle, so it is better to read other people's write-ups.

  Of course, I wrote this article to leave notes for my own study, so that I can recall the process quickly.

4.2. Decompilation attempt

  We use the unshelled APK for testing; if there is a shell it must be unpacked first. The command is run from the apktool directory; if apktool is on your PATH you do not need to enter the directory.

  A simple APP was found on the Internet for testing; it is an empty APP. The source article is:

  Decompile an APP and repackage it


4.2.1. apktool tool

  The decoded output is written to the directory the command is run from (here the apktool directory), so you need to enter that directory to use it.

  Note: d stands for decode (decompile), and b stands for build (recompile).

apktool d <APK file>


4.2.2. Check the compilation effect

  After decoding we get smali files; what we want for the next step is the .dex file.

  Here I found an explanation of the decompiled folders on the Internet:

  An APK file is essentially a zip archive. Decompress it with any archive tool and you can see what it contains. The structure of an APK file is briefly as follows:

  • AndroidManifest.xml: the application's global configuration file (stored inside the APK in compiled binary XML form)
  • assets folder: the raw resource folder, corresponding to the assets folder of the Android project, generally used for bundled web pages, audio, etc. The difference from the res folder is not described here; see the two articles referred to above.
  • classes.dex: Dalvik bytecode. The Java/Kotlin source is compiled to .class files, and the dx/d8 tool converts those into a dex file that the Android runtime executes directly. Large apps carry additional classes2.dex, classes3.dex, and so on.
  • lib folder: native .so libraries (the app's own and those of third-party SDKs), one subfolder per ABI.
  • META-INF folder: the APK's signature files (MANIFEST.MF, CERT.SF and CERT.RSA for the v1 JAR signature).
  • res folder: resource files, including layouts, pictures, etc.
  • resources.arsc: records the mapping between resource IDs and resource files.

  We get a readable AndroidManifest.xml, an assets folder, a res folder, a smali folder, etc., all of which can be opened in a text editor. The original folder keeps the untouched AndroidManifest.xml and META-INF, the res folder holds all the decoded resources, and the smali folder holds the decoded code. The smali folder's structure exactly mirrors the package structure of the source code, but in smali, a textual assembly syntax for Dalvik bytecode. It looks like assembly because the Android virtual machine is register-based.
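  The structure listed above and the shell check in section 3.1 can both be done with a few lines of Python, since an APK is a zip and each classes*.dex begins with a fixed 0x70-byte header. The script below is an added example (not from the original article or any of the tools it uses): it lists the APK's manifest, dex, native-library and META-INF entries, decodes each dex header (version, size, class count) and verifies the header's Adler-32 checksum and SHA-1 signature, then flags packers two ways: by file names that hardening products are known to drop into the APK (the fingerprint table is assembled from public detection tools such as PKID/APKiD and is a hint, not proof), and by the tell-tale stub dex that declares only a handful of classes. The two APKs it inspects are constructed in memory, including a header-only dex, so it runs offline.

```python
"""Inspect an APK: zip layout, classes*.dex headers, packer fingerprints.
Added example (not from the original article); APKs are built in memory so it runs offline."""
import hashlib
import io
import re
import struct
import zipfile
import zlib

# Packer fingerprints: files well-known Android hardening products drop into the APK.
# Assembled from public detection tools (PKID/APKiD style rules); hints, not proof.
PACKER_HINTS = {
    "360 Jiagu": ["libjiagu.so", "libjiagu_x86.so", "libjiagu_a64.so"],
    "Tencent Legu": ["libshell.so", "libshella-", "libshellx-"],
    "Bangcle/SecNeo": ["libsecexe.so", "libsecmain.so", "libDexHelper.so"],
    "Alibaba": ["libmobisec.so"],
    "Baidu": ["libbaiduprotect.so"],
    "ijiami": ["ijiami.dat", "libexecmain.so"],
    "NetEase Yidun": ["libnesec.so"],
}
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_TAG = 0x12345678
STUB_CLASS_THRESHOLD = 20   # heuristic: a packer's stub dex declares only a handful of classes


def parse_dex_header(data: bytes) -> dict:
    """Decode the fixed 0x70-byte dex header and verify its Adler-32 checksum and SHA-1 signature."""
    if len(data) < DEX_HEADER_SIZE or data[:4] != b"dex\n":
        raise ValueError("not a dex file")
    checksum, = struct.unpack_from("<I", data, 8)                 # adler32 over bytes 12..end
    signature = data[12:32]                                       # sha1 over bytes 32..end
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    class_defs_size, = struct.unpack_from("<I", data, 96)
    return {
        "version": data[4:7].decode("ascii"),
        "file_size": file_size,
        "class_defs": class_defs_size,
        "checksum_ok": checksum == zlib.adler32(data[12:]) & 0xFFFFFFFF,
        "sha1_ok": signature == hashlib.sha1(data[32:]).digest(),
        "header_ok": header_size == DEX_HEADER_SIZE and endian_tag == DEX_ENDIAN_TAG,
    }


def inspect_apk(apk_bytes: bytes) -> dict:
    """Report manifest, dex, native-lib and v1-signature entries, plus packer fingerprints."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        dexes = {n: parse_dex_header(zf.read(n)) for n in names if re.fullmatch(r"classes\d*\.dex", n)}
    packers = sorted(vendor for vendor, hints in PACKER_HINTS.items()
                     if any(hint in name for name in names for hint in hints))
    # A hardened APK ships a tiny stub classes.dex; the real dex is decrypted by the native loader at runtime.
    stub_like = bool(dexes) and max(d["class_defs"] for d in dexes.values()) < STUB_CLASS_THRESHOLD
    return {
        "has_manifest": "AndroidManifest.xml" in names,
        "dex": dexes,
        "native_libs": [n for n in names if n.startswith("lib/") and n.endswith(".so")],
        "v1_signature_files": [n for n in names if n.startswith("META-INF/")
                               and n.rsplit(".", 1)[-1] in ("MF", "SF", "RSA", "DSA", "EC")],
        "packers": packers,
        "likely_packed": bool(packers) or stub_like,
    }


def make_dex(class_defs: int) -> bytes:
    """Constructed header-only dex with a valid checksum/signature (enough for the header checks)."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", hdr, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    struct.pack_into("<I", hdr, 96, class_defs)
    hdr[12:32] = hashlib.sha1(bytes(hdr[32:])).digest()
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


def make_apk(entries: dict) -> bytes:
    """Zip {name: bytes} the way an APK is stored (an APK is just a zip with a fixed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def demo() -> dict:
    """Constructed stand-ins: a normal app and a 360 Jiagu-style packed app."""
    manifest = b"<binary xml placeholder>"                         # a real one is compiled AXML
    plain = make_apk({
        "AndroidManifest.xml": manifest,
        "classes.dex": make_dex(class_defs=250),
        "res/layout/activity_main.xml": b"",
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
        "META-INF/CERT.SF": b"Signature-Version: 1.0\r\n",
        "META-INF/CERT.RSA": b"\x30\x82",                            # truncated PKCS#7 stand-in
    })
    packed = make_apk({
        "AndroidManifest.xml": manifest,
        "classes.dex": make_dex(class_defs=4),                     # stub loader only
        "assets/libjiagu.so": b"\x7fELF",
        "lib/arm64-v8a/libjiagu.so": b"\x7fELF",
    })
    return {"plain": inspect_apk(plain), "packed": inspect_apk(packed)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "packers:", report["packers"], "likely_packed:", report["likely_packed"],
              "classes:", [d["class_defs"] for d in report["dex"].values()])
```

  To use it on a real file, pass `open("target.apk", "rb").read()` to `inspect_apk`. A failing checksum or SHA-1 on a dex pulled from a device (as in section 3.2) usually means the dump is truncated or was patched in memory, which is worth knowing before spending time in jadx.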


4.2.3. Keep the dex file

  Go back to the file again, and you can see that there is a dex file in it.

apktool d -s -f D:\tool\loudongku\app\测试文件夹\测试APP.apk
d   ## decode the APK; note that the subcommand is d, not -d
-s  ## do not decode the dex into smali; keep classes.dex as-is
-f  ## force: if the output folder already exists, delete it and decode again


4.2.4. Other ways to get dex files

  The dex file can be obtained using the above method, but other methods can also be used here.

4.2.4.1. Modify APK suffix

  You can rename the APK's extension to .rar or .zip and decompress it to get classes.dex (compiled from the Java classes and packaged by the dx tool).

  This also yields the dex file, and you can see the XML files at the same time, but they are still in compiled binary XML form and cannot be read in a text editor.


4.3. Compile java source code

  After obtaining the dex file, dex2jar generates a jar from it. The jar is for analysing the logic only; modifications are still made in the apktool output obtained earlier (smali for code, XML for resources) and rebuilt from there.

4.3.1. Move dex file

  Here we move the dex file to the dex2jar directory.


4.3.2. Executing commands

  Here we make the dex file into a jar file by executing the command.

d2j-dex2jar classes.dex


4.3.3. View source code

  The jar can also be opened with jadx; just drag and drop the file into it.


4.3.4. Summary

  Converting to Java here gives a readable view of the code that the decoded output alone does not (the compiled XML is not easy to read either), but modifications still have to be made in the apktool output, not in the jar.

5. Subsequent procedures

5.1. Modify data

  At this point we can modify the data. A caveat: I learned this only recently, and the details of decompilation cannot be covered in a sentence or two. The aim here is to know the overall process; the specifics need your own study.

5.1.1. Modify the apk file name

  No complicated APK was chosen to modify, and there is nothing worth modifying in this one, so only the app name is changed.

  Here the original name is changed to djyt.


5.2. Recompile

  Recompiling rebuilds the APK from the modified folder. After running the command below, a dist directory is generated inside that folder containing the rebuilt APK, which is the one to install.

  However, it cannot be installed yet: Android refuses to install an APK without a valid signature, and apktool's output is unsigned. The security test is therefore: after the rebuilt APK is signed with a key of our own (a third-party signature, not the developer's) and installed, does the app still run normally and does the backend still accept it? If so, the app performs no signature or integrity check and is vulnerable to repackaging.

apktool b <folder name>
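  To see concretely what the signature binds and why the rebuilt APK must be re-signed, the following added example (not from the original article) models the digest half of a v1 JAR signature in plain Python: a MANIFEST.MF with one SHA-256 digest per entry, as a signer writes it. It then takes a constructed mini APK through the three states that matter here: an in-place edit that keeps the stale META-INF (every digest still matches except the edited file), the apktool b result (no META-INF at all, so nothing to verify), and the re-signed build (digests match again, but only because a manifest of our own was written). The CERT.SF and CERT.RSA files, the developer certificate itself, and the v2/v3 APK Signing Block are deliberately out of scope; the names `sign_like`, `edit_apk` and `verify_v1_digests` are this example's own.

```python
"""What a JAR (v1) APK signature binds, and why an edited or rebuilt APK must be re-signed.
Added example (not from the original article). Only MANIFEST.MF per-entry digests are modelled;
the CERT.SF/CERT.RSA certificate chain and the v2/v3 APK Signing Block are out of scope."""
import base64
import hashlib
import io
import zipfile

SIG_DIR = "META-INF/"


def b64_sha256(blob: bytes) -> str:
    return base64.b64encode(hashlib.sha256(blob).digest()).decode()


def build_manifest(entries: dict) -> bytes:
    """Write a MANIFEST.MF like a signer does: one SHA-256-Digest per non-signature entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, blob in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {b64_sha256(blob)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()


def parse_manifest(raw: bytes) -> dict:
    """Return {entry name: base64 digest}; unfolds the 72-byte continuation lines real manifests use."""
    unfolded = []
    for line in raw.decode("utf-8").splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    digests, name = {}, None
    for line in unfolded:
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            digests[name] = line[len("SHA-256-Digest: "):]
        elif line == "":
            name = None
    return digests


def make_apk(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def read_entries(apk_bytes: bytes, drop_signature: bool) -> dict:
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist()
                if not (drop_signature and n.startswith(SIG_DIR))}


def sign_like(entries: dict) -> bytes:
    """The digest half of signing: add MANIFEST.MF over the app entries (cert and signature omitted)."""
    app = {n: b for n, b in entries.items() if not n.startswith(SIG_DIR)}
    return make_apk({**app, SIG_DIR + "MANIFEST.MF": build_manifest(app)})


def edit_apk(apk_bytes: bytes, changes: dict, drop_signature: bool) -> bytes:
    """Apply edits. drop_signature=True mimics apktool b (unsigned output);
    False mimics a naive in-place zip edit that keeps the now-stale META-INF."""
    entries = read_entries(apk_bytes, drop_signature)
    entries.update(changes)
    return make_apk(entries)


def verify_v1_digests(apk_bytes: bytes) -> dict:
    """Recompute every non-META-INF entry's SHA-256 and compare with MANIFEST.MF."""
    entries = read_entries(apk_bytes, drop_signature=False)
    manifest = entries.get(SIG_DIR + "MANIFEST.MF")
    if manifest is None:
        return {"has_v1_manifest": False, "ok": False, "mismatched": [], "unlisted": []}
    expected = parse_manifest(manifest)
    app = {n: b for n, b in entries.items() if not n.startswith(SIG_DIR)}
    mismatched = sorted(n for n, b in app.items() if n in expected and expected[n] != b64_sha256(b))
    unlisted = sorted(n for n in app if n not in expected)
    return {"has_v1_manifest": True, "ok": not mismatched and not unlisted,
            "mismatched": mismatched, "unlisted": unlisted}


def demo() -> dict:
    # Constructed stand-ins for real APK content.
    original = sign_like({
        "AndroidManifest.xml": b"<binary-xml placeholder>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 104,
        "res/values/strings.xml": b'<string name="app_name">Original</string>',
    })
    rename = {"res/values/strings.xml": b'<string name="app_name">djyt</string>'}
    tampered = edit_apk(original, rename, drop_signature=False)   # stale signature files kept
    rebuilt = edit_apk(original, rename, drop_signature=True)     # what apktool b hands you
    resigned = sign_like(read_entries(rebuilt, drop_signature=True))  # a real re-sign uses our own key
    return {"original": verify_v1_digests(original), "tampered_in_place": verify_v1_digests(tampered),
            "rebuilt_unsigned": verify_v1_digests(rebuilt), "resigned": verify_v1_digests(resigned)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:18} {result}")
```

  The point for the test in this section: the re-signed build verifies perfectly, but it verifies against a manifest and (in a real signer) a certificate that belong to us, not to the original developer. An app that compares its installed signing certificate against the developer's known fingerprint, or a backend that checks client attestation, is what turns "it installs and runs" into a rejected build; an app that does neither fails this check.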


5.3. Application Signature

  The article referred to above leaves a big hole at the application signature step: on a Mac it is fine, but on Windows it is a big hole. It describes application signing on Windows, yet the signing is best done with Mac tools, so that is the hole I mean.

  Regarding application signing, I have not found a good way; it is quite complicated and beyond my ability. (The standard route is the Android SDK's keytool and apksigner, and apksigner can also verify an existing APK's signature.) There are also Android modification masters that can modify, generate and sign with one click; you can look into them, they are not introduced here.

  So at this point the article is effectively unfinished; I will follow up by looking for more material on app penetration.

  A big guy in the group suggested MT Manager for the application signature. It was introduced in a previous article, so no download link is provided here. Let's take a look at how to sign with it.

5.3.1. MT Manager Signature

  Upload the APK produced by the rebuild to the emulator, open MT Manager, find the uploaded APK and tap it to display its signature. You can see that there is no signature. Open the function menu, choose the signing option and confirm; a signed file is generated in the current directory.

5.3.2. Check the effect

  Another APK file has been generated in the current directory, and we can tap Install.

5.3.3. Check the effect after installation

  As you can see, what we modified was the name, so the installed app is now called djyt.


Origin blog.csdn.net/weixin_44268918/article/details/130416295