APP Penetration: shell detection, unpacking, decompilation, repackaging and signing
1. Introduction
The previous articles mainly covered collecting information about the APK file. Once the information is collected, the next step is to dig for vulnerabilities in the APP. In essence, though, an APP is pages that would otherwise be deployed on a website, embedded in an app: every call is handed to the server, so when mining web vulnerabilities, apart from a few caused by local pages, the rest basically come from server-side problems.
So, after obtaining the APP-related information, you can essentially open the endpoints directly in a browser, or intercept the relevant packets and test them. For example, if you obtain an IP address, you can scan its ports with nmap to see whether the database port, remote-connection ports, middleware ports and so on are open, and mine from there.
1.1. Other remarks
This chapter mainly introduces APP decompilation. Decompilation is also part of security in penetration testing: for example, an APP can be decompiled to implant a backdoor and then sent to others to install, or decompiled to modify membership functions, enable free reading, crack it, and so on. All of these fall within the category of APP security.
Since my own level is limited, the decompilation here can only serve as a reference; for more detail, readers may need to search for the relevant material themselves.
2. Installing the tools
As the saying goes, "a worker who wants to do his job well must first sharpen his tools", so the relevant tools need to be installed before decompiling.
2.1. Download the jadx tool
jadx - Dex to Java decompiler
Command line and GUI tools for generating Java source code from Android Dex and Apk files
2.1.1. Download link
2.1.2. Running it
After downloading, enter the lib directory of the extracted archive and run the command below. Once it runs, the jadx GUI opens; this interface will be used later.
java -jar .\jadx-gui-1.4.7.jar
2.2. Download the apktool tool
apktool is a tool for reverse engineering third-party, closed, binary Android applications. It can decode resources into a near-original form and rebuild them after modifications. It also makes working with an app easier because of its project-like file structure and its automation of repetitive tasks such as building the apk.
2.2.1. Download link
Here you need to right-click the wrapper script and choose "Save link as..."; the saved file name must end in .bat.
Then select "find newest here" and download the latest jar.
2.2.2. Testing
After running the command below, as long as the usage information is printed, the installation succeeded.
apktool
2.3. Download the dex2jar tool
Converts classes.dex to a jar file.
2.3.1. Download link
3. Shell detection and unpacking
Shell detection and unpacking matter because an APK we want to decompile may be packed ("shelled"); to decompile it smoothly, it must be unpacked first. Of course, packing is only applied by some big companies; ordinary companies will most likely not pack their APKs.
Packing means implanting a piece of code into a binary program that takes control first when the program runs and does some extra work; most viruses rely on the same principle. It is a hardening method that encrypts, hides or obfuscates the original binary.
Function: a packed program effectively hinders disassembly and analysis. It is often used to protect software copyright and prevent the software from being cracked.
3.1. Shell check
The main purpose of shell checking is to make decompiling the APK possible; otherwise the APK cannot be decompiled. There are many tools on the Internet, so I won't list them here. There must be better shell-checking tools, and this tool is already broken, so it is used here mainly for demonstration.
Here two APK files are prepared: one for Tantan and one for a chess-and-cards app.
3.1.1. Tantan shell check
You can see that the Tantan APK is hardened with NetEase Yidun, and shells from these big vendors are usually harder to unpack. After all, the hardening company needs to make money; if its shell were easily removed, how would it make money? Of course, it is not ruled out that some experts have this skill, but they use it to make money, so why would they disclose the unpacking method? Disclosing it may also carry certain risks. As for what risks, you presumably know.
3.1.2. Chess shell check
This chess-and-cards app is illegal software, and it is basically impossible for such software to be packed, so it can be decompiled since there is no shell; an APK that can be unpacked can also be decompiled.
3.2. Unpacking
Unpacking means removing the shell from a packed APK so that it can be decompiled. But as said before, big vendors' shells are not so easy to remove, while small vendors' shells may still be removable.
3.2.1. Unpacking a certain "Concubine" app
Here is a demonstration of unpacking a certain "Concubine" app. It has no shell; do you think the developer of an adult app would consider that much security?
3.2.1.1. Unpacking attempt
You can see that the unpacking succeeded and the file is stored at the path shown; to extract it, go to that path.
3.2.1.2. Downloading the file
Since copying files out of the emulator is somewhat awkward, the terminal is used to download them:
adb pull <path-in-emulator> <destination-path-on-host>
3.2.1.3. Opening the file
Here you can open the file with the jadx tool from earlier.
3.2.1.4. Result
Here you can see the result of opening it. Of course, there is not only this one file under the app; there are three more.
3.3. Summary
I originally wanted to find a screenshot of an unpacking failure, but I found that this tool can basically unpack everything; as for whether the extracted content is useful, I am no expert, so I don't know.
4. Decompilation
Decompilation means that the installation package we download is an Apk file (Android Application Package), and from the Apk file we can recover the application's code and resource files and modify the application.
In penetration testing, decompilation is essentially a test of whether the app can be decompiled and whether its contents can be modified to bypass official restrictions. Some harmless modifications may not have serious consequences, but modifying core content may lead to unknown consequences, in which case the APP is not secure.
4.1. Other remarks
Because my personal level is poor, and writing these articles is mainly a learning record, I will use a simpler APP to decompile here. As for complicated ones, even if I decompiled them I still would not understand the principle, so it is better to read other people's articles.
Of course, I wrote this article as notes for my own study, so that I can recall it quickly.
4.2. Decompilation attempt
We will use the unshelled one for testing; if there is a shell, it must be unpacked first. Here you need to enter the apktool directory to run the command; of course, if you have configured the environment variable, you don't need to enter the directory.
Here I also randomly found a simple APP on the Internet for testing. It is an empty APP; the source article is below:
Decompile an APP and repackage it
4.2.1. apktool tool
However, the decompiled files end up in the apktool directory, so you still need to enter that directory to use them.
Note: d stands for decompile, and b stands for build (recompile).
apktool d <apk-file>
4.2.2. Check the decompilation result
After decompiling we get smali files, but what we need is the .dex file.
Here is an explanation of the decompiled folders that I found on the Internet:
An Apk file is essentially a zip archive; simply open it with a decompression tool to see what it contains. Below is a brief introduction to the structure of an Apk file.
- AndroidManifest.xml: the application's global configuration file
- assets folder: the raw resource folder, corresponding to the assets folder of the Android project, generally used to store raw web pages, audio, etc. The difference from the res folder is not described here; you can refer to the two articles mentioned above.
- classes.dex: the source code is compiled into class files, packaged into a jar and then converted into a dex file; dex is the format that runs directly on the Android virtual machine.
- lib folder: the .so (native library) files of referenced third-party SDKs.
- META-INF folder: Apk signature files.
- res folder: resource files, including layouts, pictures, etc.
- resources.arsc: Records the mapping relationship between resource files and resource ids.
We now have a readable AndroidManifest.xml, an assets folder, a res folder, a smali folder, etc., all of which can be opened with a text editor. The original folder contains the original AndroidManifest.xml, the res folder holds all the decoded resources, and the smali folder is the decompiled code. Note that the structure under the smali folder is exactly the same as the package structure of our source code, only written in smali, a language whose syntax is somewhat similar to assembly; it is the register-based language used by the Android virtual machine.
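As an added example (not code from the original article or from apktool), here is a Python script that inspects an APK the way this section describes, treating it as a zip archive: it checks for AndroidManifest.xml, validates the dex header magic of each classes*.dex entry, lists the native ABIs under lib/, and reports whether v1 signature files exist in META-INF/ and whether an APK Signing Block (v2/v3) is present. The sample APK it builds is constructed for illustration only and is not a real, installable app.

```python
import io
import struct
import zipfile
from pathlib import Path

DEX_MAGIC = b"dex\n"                  # classes*.dex begins with "dex\n", a 3-digit version and NUL
V1_SIG_EXT = (".RSA", ".DSA", ".EC")  # v1 (JAR) signature blocks are plain zip entries in META-INF/

def inspect_apk(apk):
    """Summarise an APK (path or bytes) by walking its zip entries, as the section above describes."""
    data = apk if isinstance(apk, bytes) else Path(apk).read_bytes()
    info = {"has_manifest": False, "dex": [], "native_abis": set(),
            "v1_signed": False, "v2plus_block": has_apk_signing_block(data)}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        info["has_manifest"] = "AndroidManifest.xml" in names
        for name in names:
            if name.startswith("classes") and name.endswith(".dex"):
                header = zf.read(name)[:8]
                if header[:4] == DEX_MAGIC and header[7:8] == b"\x00":   # skip non-dex entries
                    info["dex"].append((name, header[4:7].decode("ascii")))
            elif name.startswith("lib/") and name.endswith(".so"):
                info["native_abis"].add(name.split("/")[1])        # e.g. arm64-v8a
            elif name.startswith("META-INF/") and name.upper().endswith(V1_SIG_EXT):
                info["v1_signed"] = True
    return info

def has_apk_signing_block(data):
    """v2/v3 signatures are not zip entries: they sit in an 'APK Signing Block' placed right
    before the central directory, whose last 16 bytes are the magic 'APK Sig Block 42'."""
    eocd = data.rfind(b"PK\x05\x06")              # end-of-central-directory record
    if eocd < 0:
        return False
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    return cd_offset >= 16 and data[cd_offset - 16:cd_offset] == b"APK Sig Block 42"

def make_sample_apk(v1_signed):
    """Constructed sample: a tiny zip with the layout of an APK (not a real, installable app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary xml placeholder>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)
        zf.writestr("classes2.dex", b"not a dex header")   # deliberately bogus, must be skipped
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        if v1_signed:                                       # what a v1-signed build adds
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"<PKCS#7 placeholder>")
    return buf.getvalue()
```

The apk that apktool b produces has neither META-INF signature entries nor a signing block, which is the "no signature" state MT Manager shows later. A missing META-INF/*.RSA alone does not prove an APK is unsigned, because apps targeting newer Android versions may carry only a v2/v3 block.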
4.2.3. Keep the dex file
Go back to the folder and you can see that there is now a dex file in it.
apktool d -s -f D:\tool\loudongku\app\测试文件夹\测试APP.apk
d ## decompile the apk file; note that it is d here, not -d
-s ## do not decompile the dex file, keep it as-is
-f ## if the target folder already exists, delete it and decompile again
4.2.4. Other ways to get dex files
The dex file can be obtained using the method above, but other methods work too.
4.2.4.1. Change the APK extension
Here you can change the extension of the APK to be decompiled to .rar or .zip and decompress it to get the classes.dex file (compiled from the java files and packaged by the dx tool).
This way the dex file can also be obtained, and the xml file can be seen at the same time, but since the xml file has not been decoded, it cannot be opened as readable text.
4.3. Generating java source code
After obtaining the dex file, you can use dex2jar to generate a jar file. This file is mainly used to analyse the logic; if you want to modify something, you still need to modify the xml files obtained earlier with apktool.
4.3.1. Move dex file
Here we move the dex file into the dex2jar directory.
4.3.2. Running the command
Here we turn the dex file into a jar file by running the command:
d2j-dex2jar classes.dex
4.3.3. View source code
Here you can also use jadx to view the source code; just drag and drop the jar file into it.
4.3.4. Summary
The java code produced here helps restore the decompiled code for reading, since the xml files are not easy to read on their own, but modifications still need to be made in the xml files.
5. Subsequent steps
5.1. Modify the data
At this point we can modify the data, but I still need to say something here: I also learned this only recently, and detailed decompilation cannot be explained in a sentence or two. We mainly need to know the overall process; the specific, detailed content needs to be studied by you.
5.1.1. Modify the apk's name
I didn't find a very complicated apk to modify here, and there is nothing to modify in this apk, so I will just modify the apk's name!
Here I am changing the original name to djyt.
5.2. Recompile
Recompilation rebuilds the modified folder into an apk. After running the command below, a dist directory is generated under the original folder containing an apk file, which is the one to install.
However, it cannot be installed yet, because every apk must be signed. If the app runs with no signature check, or accepts a third-party signature (i.e. the repackaged, re-signed app still installs and runs normally), it can be judged that the app is vulnerable to repackaging.
apktool b <folder-name>
5.3. Application Signature
In the article referenced above, a big hole was dug on the topic of application signing. On a Mac it is fine, but on Windows it is a big hole: the article introduces application signing on Windows, but it is best to use mac tools for signing, which is why I say a big hole was dug.
Regarding application signing, I haven't found a good way; it is quite complicated, and due to my limited ability I am really powerless here. Of course, there are Android modification experts who can modify, generate and so on with one click; you can look into that, but I won't introduce it here.
So it really seems there is nothing we can do, and this article is effectively unfinished; I will follow up by looking for relevant material on app penetration.
Here I am modifying the application signature. A big guy in the group suggested that MT Manager can be used. It must have been introduced in a previous article, so I will not provide the download link here. Let's take a look at how to sign with it!
5.3.1. MT Manager Signature
Here, upload the APK obtained by the previous compilation to the emulator, open MT Manager, find the APK file just uploaded, and tap it to display its signature.
You can see that there is no signature here. Tap the function, and the option appears; just confirm, and a file will be generated in the current directory.
5.3.2. Check the effect
You can see that another APK file has been generated in the current directory, and we can tap Install.
5.3.3. Check the effect after installation
As you can see, what we just modified is the name, so it now shows as djyt.