[Android Reverse] How to remove cloud injection simply and quickly (with a comparison against the method of an expert on the MT Forum)

0. Related tool links:

My own solution first, in summary:

1. Use the Algorithm Assistant (算法助手) to find the name of the Application class written by the original author.
2. Write that class name into the android:name attribute of the <application> tag in AndroidManifest.xml, replacing the injected one.
3. (Optional) Delete the cloud-injection files. If you do not delete them, leaving them in place makes no difference.

Baidu Cloud backup of the tools used (the tools are for learning and exchange only and must not be used for illegal purposes):

Because the virtual machine is a bit large, two options are provided:
1. With virtual machine (large file):
Link: https://pan.baidu.com/s/1nuhMH1QjrggwhFMek8N5Ow
Extraction code: 4848
2. Without virtual machine (small file):
Link: https://pan.baidu.com/s/1NGtp7VqpRXQpKfi49dEr5w
Extraction code: 4848

1. Problem description:

The virtual machine I was using recently suddenly became unusable: a pop-up was forced onto it by cloud injection, as shown below (this looks like cloud injection):

2. Principle analysis:

Prerequisite knowledge:
1. The real entry point of every Android application is the instance of its Application class (anyone who has done Android development knows this). The Application object is created when the process starts, before any Activity, and its attachBaseContext()/onCreate() run before the code of any other component, which is exactly why injectors target it.
2. An application can have at most one Application class instance. Developers supply their own by subclassing android.app.Application, in Java: public class App extends Application.
3. If a custom Application subclass is used, its fully qualified class name (package path) must be written in the android:name attribute of the <application> tag in AndroidManifest.xml.

For example:
(1) Suppose the original author wrote an Application class called App:
public class App extends Application { .... }
(2) Then the <application> tag in the author's AndroidManifest.xml must contain: android:name="com.xxx...App"
If you now want to add your own Application, you must subclass the App above (call it App2), because a process has only one Application and you would otherwise lose the original's initialisation:
public class App2 extends App { .... }
(3) Correspondingly, change the <application> tag in AndroidManifest.xml to the new class: android:name="com.xxx...App2"

For details of the Application class, see the official documentation (in English):
https://developer.android.google.cn/reference/android/app/Application

In other words, if the original author already wrote an Application class, you cannot simply add a second one when modifying the app. To add your own, you must subclass the author's Application class, so the first thing you need is the class name of the author's Application. Normally you can read it straight from the android:name attribute of <application> in AndroidManifest.xml.

Decompiling the app shows:
1. The <application> tag in AndroidManifest.xml contains: android:name="com.cloudinject.feature.App"
This means one of two situations:
1. The original author did not subclass Application, and someone added a subclass of Application and pointed the manifest at it.
2. The original author did subclass Application, and someone added a subclass of the author's Application class and pointed the manifest at that instead.


2. Look at the code corresponding to the com.cloudinject.feature.App package.
You will find an extra directory, com.cloudinject. The word cloudinject means cloud injection. The class in this directory forcibly inherits from the author's original Application class and then replaces the android:name attribute of the <application> tag in AndroidManifest.xml with its own name. To stop the cloud injection from being cracked, the name of the author's original Application class, which the injected code still has to reference, is stored encrypted.


3. Solution:

Based on the principle analysis above:
(1) My solution:

0. Delete the cloudinject directory (it actually makes no difference whether you delete it or not).
1. Find the original author's Application class name.
2. Change the android:name attribute of the <application> tag in AndroidManifest.xml back to the author's original class.

One check before deleting the directory: search the rest of the smali and the manifest for references to com.cloudinject (other classes, or <provider>/<receiver> entries added by the injector). If anything outside the directory still references it, deleting it will crash the app at class load, and the injected code may have another entry besides the Application class.

Finally save, compile, re-sign and install (no problems if you do this with MT Manager).

(2) The solution of an expert on the MT forum:

0. Do not delete the cloudinject directory (in fact it has to be modified instead).
1. Find the original author's Application class name.
2. Rewrite the subclass of the author's Application inside that directory into empty-shell code.

In other words, the expert's method edits the smali code but leaves AndroidManifest.xml untouched. It is a little more work, but may work better in some situations, so it is recorded here as an extension. I personally recommend my method.

So the only real difficulty is finding the author's original Application class name. The methods collected so far:
(3) How to find the original author's Application class name:

1. Obtain it by decryption (the MT expert's method; see the end of the article, only the method and tools are sketched here)
	(1) Analyse the smali code, locate the cloud-injection code, then copy the values of the A variable and the app_id variable.
	(2) Use the expert's decryption tool to decrypt the class name. (This method works.)
		Search the MT forum for the expert's article to get the tool link.
		For convenience, I am sharing my own backup with you.
2. Print it from MT's injection log.
This does not seem simple; if you are interested, try it yourself. I will not go further into it here.

3. Use the Algorithm Assistant (算法助手), the most commonly used tool in reversing, and its "Application monitor" (Application监听) to see it. This requires the LSPosed/Xposed framework.

4. The method of a certain MT boss

If you are interested, please turn to the end of the article.

5. [Algorithm Assistant] Find the author's Application class name (path)

My solution:

From the assistant we learn the name of the original Application class we need: arm.StubApp. Remember it. If you use my method, just change the AndroidManifest attribute directly and you do not need to read any further:

----------END divider: if you use my method, you do not need to read further--------

6. [Using the MT expert's method] Find the cloud-injection startup code path and modify it

Note: if you use my method, you do not need to read further.

Find the cloud-injection (cloudinject) code.
This is the code from which cloud injection starts.

7. Modify this class.

As the expert says, just change it into empty-shell code. Here we need the Application class name we found, arm.StubApp. In smali it is written as the descriptor Larm/StubApp; (an L in front, slashes instead of dots, and a semicolon at the end).

Template for the modification (annotations after # are smali comments):
.class public L<path of the injected class>;     # unchanged: the manifest still points here
.super L<path>;                                  # change point 1: the author's original Application
# direct methods
.method public constructor <init>()V
    .registers 1
    invoke-direct {p0}, L<path>;-><init>()V      # change point 2: same path as .super
    return-void
.end method

Change to (everything else in the file, including every overridden method such as attachBaseContext/onCreate, is deleted, so only the original Application's code runs):

.class public Lcom/cloudinject/feature/App;

.super Larm/StubApp;
# direct methods
.method public constructor <init>()V
    .registers 1
    invoke-direct {p0}, Larm/StubApp;-><init>()V
    return-void
.end method

As shown in the screenshot: [screenshot of the edited App.smali]

Then save, exit and re-sign.

Because the class has been replaced by an empty shell, the cloud injection does nothing at all.
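Both methods worked through as an added example. This script is mine, not the post's or the MT expert's, and it runs on an apktool-decoded directory (assumed layout: AndroidManifest.xml as plain XML, classes under smali*/). It takes the recovered original class name as input, since the script cannot decrypt it (that still needs 算法助手 or the decryption tool), applies method 1 (rewrite android:name) and method 2 (rewrite the injected class into the empty shell), and runs the check you want before deleting the cloudinject directory: whether anything outside it still references the package. The manifest and smali it operates on are constructed stand-ins.

```python
from pathlib import Path
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix when writing back

INJECTED_CLS = "com.cloudinject.feature.App"  # what the manifest points at after injection
ORIGINAL_CLS = "arm.StubApp"                  # recovered by hand, e.g. with 算法助手 (assumed input)

# Constructed stand-ins for an apktool-decoded APK; the real injected class is much larger.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <application android:name="com.cloudinject.feature.App" android:label="demo">
        <activity android:name="com.example.app.MainActivity"/>
    </application>
</manifest>
"""
SAMPLE_INJECTED_SMALI = """.class public Lcom/cloudinject/feature/App;
.super Landroid/app/Application;

# virtual methods
.method protected attachBaseContext(Landroid/content/Context;)V
    .registers 2
    invoke-super {p0, p1}, Landroid/app/Application;->attachBaseContext(Landroid/content/Context;)V
    invoke-static {}, Lcom/cloudinject/feature/Loader;->start()V
    return-void
.end method
"""

def descriptor(cls):
    """'arm.StubApp' -> 'Larm/StubApp;', the descriptor form smali uses."""
    return "L" + cls.replace(".", "/") + ";"

def smali_file(root, cls):
    """Find a class's .smali under smali*/ (apktool splits multidex into smali, smali_classes2, ...)."""
    rel = cls.replace(".", "/") + ".smali"
    for d in sorted(Path(root).glob("smali*")):
        if (d / rel).is_file():
            return d / rel
    raise FileNotFoundError(cls)

def application_name(root):
    """Current android:name of <application> in the decoded manifest."""
    return ET.parse(Path(root) / "AndroidManifest.xml").getroot().find("application").get(NAME_ATTR)

def restore_manifest(root, original_cls):
    """Method 1 (the post's own): point android:name back at the original class; returns the old value."""
    path = Path(root) / "AndroidManifest.xml"
    tree = ET.parse(path)
    app = tree.getroot().find("application")
    previous = app.get(NAME_ATTR)
    app.set(NAME_ATTR, original_cls)
    tree.write(path, encoding="utf-8", xml_declaration=True)
    return previous

def hollow_class(root, injected_cls, original_cls):
    """Method 2 (MT forum): keep the class name the manifest expects, but leave only a constructor
    chaining to the original Application, so every injected override (attachBaseContext/onCreate) is gone."""
    shell = (
        ".class public %s\n.super %s\n\n# direct methods\n"
        ".method public constructor <init>()V\n    .registers 1\n"
        "    invoke-direct {p0}, %s-><init>()V\n    return-void\n.end method\n"
    ) % (descriptor(injected_cls), descriptor(original_cls), descriptor(original_cls))
    smali_file(root, injected_cls).write_text(shell, encoding="utf-8")
    return shell

def external_references(root, pkg):
    """Files outside the injected package that still reference it: other smali, or manifest
    components (<provider>/<receiver>).  Non-empty means deleting the directory breaks class
    loading, and hollowing the Application alone may leave the injector another entry point."""
    pkg_path = pkg.replace(".", "/")
    hits = []
    for d in Path(root).glob("smali*"):
        for p in d.rglob("*.smali"):
            if p.relative_to(d).as_posix().startswith(pkg_path + "/"):
                continue  # the injected package's own files reference each other
            if "L" + pkg_path + "/" in p.read_text(encoding="utf-8"):
                hits.append(p.relative_to(root).as_posix())
    if pkg in (Path(root) / "AndroidManifest.xml").read_text(encoding="utf-8"):
        hits.append("AndroidManifest.xml")
    return sorted(hits)

def build_sample():
    """Write the constructed manifest and smali into a temp dir laid out like apktool output."""
    root = Path(tempfile.mkdtemp(prefix="deinject_"))
    (root / "AndroidManifest.xml").write_text(SAMPLE_MANIFEST, encoding="utf-8")
    path = root / "smali" / (INJECTED_CLS.replace(".", "/") + ".smali")
    path.parent.mkdir(parents=True)
    path.write_text(SAMPLE_INJECTED_SMALI, encoding="utf-8")
    return root

if __name__ == "__main__":
    root = build_sample()
    print("was", restore_manifest(root, ORIGINAL_CLS), "now", application_name(root))
    print(hollow_class(root, INJECTED_CLS, ORIGINAL_CLS), external_references(root, "com.cloudinject"))
```

In practice you would apply only one of the two methods: after restore_manifest() the injected class is never instantiated, so hollowing it is redundant, and after hollow_class() the manifest can stay as it is. Run external_references() before deleting the directory either way; on the constructed sample it reports only the manifest, and nothing once android:name has been restored.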

Done.

8. [Final] Extension: the expert's method

As shown in the screenshot (shared by the MT expert; interested readers can visit his homepage to read his other articles): [screenshot of the expert's post]


Source: https://blog.csdn.net/zhinengxiong6/article/details/128093594