This article is purely technical sharing, suitable for readers who are interested in using xposed to reverse a certain video app (1)
Reverse a certain video app (2)
Foreword
It has been almost two years since the last article, Reverse a certain video app (1) φ(* ̄0 ̄), so I am here to fill in the gap. The previous article showed how to crack an apk with xposed, but xposed has many limitations, so this article explains how to crack an apk by modifying its smali code and repackaging it.
Because the app from that article is now old, I chose another app this time, but the technique and principle are the same. Note that this article is technical research only; it will be taken down immediately if it infringes on anyone.
Steps
Actually, if the app is not hardened, a little smali syntax is all we need to modify it and repackage it directly, but a hardened app is a lot more trouble. First we need to unpack the app to get the real dex files, then decompile the dex to find and modify the smali file, and finally fix up the AndroidManifest.
Tools
1. Decompile apk
Open the apk with jadx; the source code looks like this:
You can see that the real code is not visible here because of the Bangbang (Bangcle) hardening, so the app must be unpacked first. The unpacked files are shown below.
Drag the dex from it into jadx and the original code is visible.
2. Get the smali source code
baksmali can convert dex into smali source code, and smali can convert smali source code into dex.
Find the dex that contains the smali you want to modify, and use baksmali to decompile that dex into smali source. Here we modify the nickname field of UserInfo. Through jadx we find that this class is in 0x742539b000.dex.
Run the following command to decompile it:
java -jar baksmali-2.3.jar d classes.dex
The smali code is written to the out folder; next comes the modification.
3. Modify the smali file
Find the smali file by its class path and open it in a text editor. Since we want to change the nickname, we make getNickname return a fixed string. First let's see what getNickname looks like in smali (smali syntax is not covered here; look it up if you need it).
.method public getNickname()Ljava/lang/String;
    .registers 2

    .line 74
    # load the nickname field of the current object (p0 = this) into v0
    iget-object v0, p0, Lcom/xiaoxigua/media/net/bean/UserInfo;->nickname:Ljava/lang/String;

    # return the nickname field
    return-object v0
.end method
After modification:
.method public getNickname()Ljava/lang/String;
    .registers 2

    .line 74
    # ignore the nickname field entirely and return a constant string instead
    # (v1 aliases p0 here, which is safe because p0 is no longer needed)
    const-string v1, "hello world"

    return-object v1
.end method
Here we simply return a constant string, and that is the only change to the smali file.
Now convert the modified smali back into a dex file with the following command:
java -jar smali-2.5.2.jar a out
4. Fix AndroidManifest.xml
First decompile the downloaded original apk with apktool:
java -jar apktool_2.6.0.jar d apkName
Open AndroidManifest.xml in a text editor.
Hardening replaced two attributes in AndroidManifest.xml: android:appComponentFactory="com.SecShell.SecShell.AP" and, on the <application> element, android:name="com.SecShell.SecShell.AW". These point at the shell rather than the app, so we need to change them back to the original values. The original Application class is not hard to find in the unpacked dex. As for appComponentFactory, just change it to androidx.core.app.CoreComponentFactory.
Search the whole manifest for the SecShell keyword and delete all related entries.
5. Repackage
Still in the directory apktool produced above, delete the smali folder, copy in the dex file produced earlier, and rename it as shown below:
Run the following command to build the apk:
java -jar apktool_2.6.0.jar b apkName
On success, a dist directory is generated inside that folder containing the repackaged apk, but this apk is unsigned and must be re-signed before it can be installed.
Run the following command to generate a keystore:
keytool -genkey -alias abc.keystore -keyalg RSA -validity 20000 -keystore abc.keystore
Use the following command to sign the repackaged apk:
jarsigner -verbose -keystore abc.keystore -signedjar apprelease_signed.apk apprelease.apk abc.keystore
Finally, install this apk file.