Table of contents:
- 0. Related tool links
- 1. Requirements analysis
- 2. Principle analysis
- 3. Solution
- 4. The method of a certain MT forum expert
- 5. [Algorithm Assistant] Find the author's Application class name (path)
- 6. [MT-DL method] Find the cloud injection startup code path and modify it
- 7. Modify this class
- 8. [Final] Extension: the expert's method
0. Related tool links:
Let me state my solution first:
1. Use the Algorithm Assistant to find the name of the Application class written by the original author.
2. Put that class name back into the android:name attribute of the <application tag in the AndroidManifest file.
3. (Optional) Delete the cloudinject directory. Once the manifest no longer references it, nothing loads it, so deleting it or leaving it makes no difference.
Backup of the tools used (Baidu Cloud links; the tools are for learning and exchange only and must not be used for illegal purposes).
Because the virtual machine is fairly large, two options are provided:
1. With virtual machine (large file):
Link: https://pan.baidu.com/s/1nuhMH1QjrggwhFMek8N5Ow
Extraction code: 4848
2. Without virtual machine (small file):
Link: https://pan.baidu.com/s/1NGtp7VqpRXQpKfi49dEr5w
Extraction code: 4848
1. Requirements analysis:
The virtual machine app I had been using recently suddenly became unusable: a window was forcibly popped up by "Renyun" injection, as shown below. (This looks like cloud injection.)
2. Principle analysis:
Prerequisite knowledge:
1. The real entry point of every Android application is the Application class instance (you will know this if you have done Android development).
2. An application can have at most one Application instance. Developers provide it by inheriting from the Application class, which in Java is written as: public class App extends Application. This Application comes from the android.app package (android.app.Application).
3. If a developer inherits the Application class and uses it, the fully qualified name (path) of this custom class must be written in the android:name attribute of the <application tag in the AndroidManifest file.
For example:
(1) Suppose the original author wrote an Application class (class name App):
public class App extends Application { .... }
(2) Then the author's AndroidManifest file must contain this in the <application tag: android:name="com.xxx...App"
But if you want to add your own Application, you must inherit from the App class above (class name App2):
public class App2 extends App { .... }
(3) Then correspondingly change the <application tag in the AndroidManifest file to the new class: android:name="com.xxx...App2"
For the details of the Application class, check the official documentation (English):
https://developer.android.google.cn/reference/android/app/Application
In other words, if the original author has already written an Application class, you cannot simply add another one when you modify the app by reverse engineering: your own Application must inherit from the author's. So first you need to know the class name of the Application the author wrote. Normally you can read the Application class path of the current program from the android:name attribute of <application in the AndroidManifest file.
Through decompilation we found:
1. The <application tag of the AndroidManifest file contains: android:name="com.cloudinject.feature.App"
This means one of two situations:
(1) The original author did not inherit Application, and someone added this class by inheriting Application and editing the manifest.
(2) The original author did inherit Application, and someone inherited the author's Application class and replaced that class name in the manifest with their own.
2. Looking at the code behind the com.cloudinject.feature.App package, you will find an extra directory, com.cloudinject. The word cloudinject means cloud injection. The class in this directory forcibly inherits the author's original Application class, and the android:name attribute of the <application tag in the AndroidManifest file was changed to this injected Application class. To prevent the cloud injection from being removed, the name of the original author's Application class that it inherits is also stored encrypted.
3. Solution:
According to the [principle analysis] above:
(1) My solution:
0. Delete the cloudinject directory (it actually makes no difference whether you delete it or not).
1. Find the original author's Application class name.
2. Change the android:name attribute of the <application tag in the AndroidManifest file back to the author's original class.
Finally save, compile, re-sign and install (MT manager handles this without problems). Note that re-signing changes the APK's signature, so a copy already installed with the original signature must be uninstalled first.
(2) The solution of an expert on the MT forum:
0. Do not delete the cloudinject directory (on the contrary, it needs to be modified).
1. Find the original author's Application class name.
2. Change the subclass in that directory which inherits from the original author's Application class into empty shell code.
In other words, the expert's method requires modifying smali code but not the AndroidManifest. It is a little more troublesome, but may work better in certain situations, so it is recorded here as an extension. I personally recommend my method.
So the only difficulty is how to find the original author's Application class name. The methods summarized so far:
(3) How to find the original author's Application class name:
1. Obtain it by decryption (the MT expert's method; see the end of the article, the method and tool are only sketched here):
(1) Analyze the smali code to find the cloud injection code, then copy the values of the A variable and the app_id variable.
(2) Use the expert's decryption tool to decrypt the class name. (This method works.)
The tool can be found by searching for the expert's article on MT.
For convenience, I am sharing my saved backup with you.
2. Print it from MT's injection log.
This method does not seem simple; those interested can try it themselves, I will not explore it further here.
3. Use the [Algorithm Assistant], the most commonly used tool in reverse engineering, and look at its [Application monitoring]. This requires the LSPosed/Xposed framework.
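A static first pass for the class-name problem, added here as an example (it is not code from this post, from MT manager or from the Algorithm Assistant): starting from android:name in a decoded (apktool-style) manifest, follow the .super directive of each smali class down to android.app.Application. The last app-defined class on the chain is the candidate original Application. When the injected class's parent is already the framework class, the real parent is hidden (encrypted, as this page describes), and the script instead dumps the class's string constants for the decryption or Xposed route. The directory layout, class names and file contents in the sample tree are constructed and hypothetical.

```python
"""Recover the Application class chain from a decoded (apktool-style) APK.

Added example; not code from the original post, MT manager or the Algorithm
Assistant. Assumes the apktool layout: decoded AndroidManifest.xml at the root
and classes under smali*/ directories. The sample tree written by
write_sample() is constructed and hypothetical.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
FRAMEWORK_APP = "android.app.Application"


def manifest_application_name(root_dir):
    """Return android:name of the <application> tag (None if not set)."""
    tree = ET.parse(os.path.join(root_dir, "AndroidManifest.xml"))
    app = tree.getroot().find("application")
    return None if app is None else app.get(ANDROID_NS + "name")


def smali_file(root_dir, class_name):
    """Map 'a.b.C' to smali*/a/b/C.smali; multidex APKs use smali_classes2 etc."""
    rel = class_name.replace(".", os.sep) + ".smali"
    for entry in sorted(os.listdir(root_dir)):
        if entry.startswith("smali"):
            path = os.path.join(root_dir, entry, rel)
            if os.path.isfile(path):
                return path
    return None


def smali_super(path):
    """Read the .super directive: 'Larm/StubApp;' -> 'arm.StubApp'."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            m = re.match(r"\s*\.super\s+L([^;]+);", line)
            if m:
                return m.group(1).replace("/", ".")
    raise ValueError("no .super directive in " + path)


def smali_strings(path):
    """const-string literals of a class: candidates to feed a decryption tool
    when the injector stores its real parent class name encrypted."""
    with open(path, encoding="utf-8") as fh:
        return re.findall(r'const-string(?:/jumbo)?\s+[vp]\d+,\s*"([^"]*)"', fh.read())


def application_chain(root_dir):
    """Walk .super from the manifest's Application towards android.app.Application.

    Returns app-defined class names, outermost first. A chain of one class
    whose parent is the framework class means the injected class hides its
    real parent and static inspection alone will not recover it.
    """
    chain, current = [], manifest_application_name(root_dir)
    while current and current != FRAMEWORK_APP and current not in chain:
        path = smali_file(root_dir, current)
        if path is None:  # parent lives in a library we cannot see as smali
            break
        chain.append(current)
        current = smali_super(path)
    return chain


def analyse(root_dir):
    """Chain plus, when the parent is hidden, the string hints from the injected class."""
    chain = application_chain(root_dir)
    result = {"chain": chain, "original": None, "hints": []}
    if len(chain) >= 2:
        result["original"] = chain[-1]
    elif chain:
        result["hints"] = smali_strings(smali_file(root_dir, chain[0]))
    return result


MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.victim"><application android:name="{app}"/></manifest>')


def write_sample(hidden_parent):
    """Constructed tree: injected App placed in front of the author's arm.StubApp."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "smali", "arm"))
    inj_dir = os.path.join(root, "smali_classes2", "com", "cloudinject", "feature")
    os.makedirs(inj_dir)
    with open(os.path.join(root, "AndroidManifest.xml"), "w", encoding="utf-8") as fh:
        fh.write(MANIFEST.format(app="com.cloudinject.feature.App"))
    with open(os.path.join(root, "smali", "arm", "StubApp.smali"), "w", encoding="utf-8") as fh:
        fh.write(".class public Larm/StubApp;\n.super Landroid/app/Application;\n")
    parent = "Landroid/app/Application;" if hidden_parent else "Larm/StubApp;"
    with open(os.path.join(inj_dir, "App.smali"), "w", encoding="utf-8") as fh:
        fh.write(".class public Lcom/cloudinject/feature/App;\n.super " + parent + "\n"
                 ".method public constructor <init>()V\n    .registers 2\n"
                 '    const-string v0, "ENCRYPTED_PARENT_NAME"\n'  # hypothetical ciphertext
                 "    return-void\n.end method\n")
    return root


if __name__ == "__main__":
    print(analyse(write_sample(hidden_parent=False)))
    print(analyse(write_sample(hidden_parent=True)))
```

Run it against a real apktool output directory by calling analyse("path/to/decoded"). If "original" comes back empty, the injected class does not name its parent statically, which is exactly the case this page describes, and you need the decryption tool or the Application hook to recover it.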
4. The method of a certain MT forum expert
If you are interested, turn to the end of the article.
5. [Algorithm Assistant] Find the author's Application class name (path)
My solution:
From the Algorithm Assistant's Application monitoring we learn the original Application class name that we need later: arm.StubApp. Remember it. If you use my method, simply change the android:name attribute in the AndroidManifest to it, and you do not need to read further.
---------- END divider: if you use my method, you do not need to read further ----------
6. [MT-DL method] Find the cloud injection startup code path and modify it
Note: if you use my method, you do not need to read further.
Find the cloud injection (cloudinject) code.
Here is the code that starts the cloud injection.
7. Modify this class.
According to the expert, simply change it to empty shell code.
Here we need the Application class name we found, [arm.StubApp]. The corresponding smali type descriptor is [Larm/StubApp;], with an L in front, slashes instead of dots, and a semicolon at the end.
Template to modify (the comments after # mark the two edit points; # is smali's comment character):
.super L<path>;   # edit point 1
# direct methods
.method public constructor <init>()V
    .registers 1
    invoke-direct {p0}, L<path>;-><init>()V   # edit point 2
    return-void
.end method
Change to:
.class public Lcom/cloudinject/feature/App;
.super Larm/StubApp;
# direct methods
.method public constructor <init>()V
    .registers 1
    invoke-direct {p0}, Larm/StubApp;-><init>()V
    return-void
.end method
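Both fixes described on this page, applied to a decoded APK tree, as an added example (not code from the post, from MT manager or from the expert's tool): method 1 rewrites android:name in the manifest back to the author's class, method 2 overwrites the injected class with the empty-shell template above, and a checker confirms that the result really is a pass-through shell (parent is the author's class, the only method is the constructor, the only call is super.<init>). It assumes the original class name has already been recovered (arm.StubApp, as on this page); the sample injected smali and manifest are constructed and hypothetical.

```python
"""Apply either fix from this post to an apktool-style decoded APK tree.

Added example; not code from the original post, MT manager or the MT forum
expert's tool. Assumes the original Application name (arm.StubApp here) has
already been recovered. INJECTED_SMALI and MANIFEST are constructed samples.
"""
import os
import re
import tempfile

# Constructed stand-in for the injected class: it chains to the framework
# Application and starts the injector from onCreate (hypothetical body).
INJECTED_SMALI = """.class public Lcom/cloudinject/feature/App;
.super Landroid/app/Application;

.method public constructor <init>()V
    .registers 1
    invoke-direct {p0}, Landroid/app/Application;-><init>()V
    return-void
.end method

.method public onCreate()V
    .registers 1
    invoke-super {p0}, Landroid/app/Application;->onCreate()V
    invoke-static {p0}, Lcom/cloudinject/feature/Loader;->start(Landroid/content/Context;)V
    return-void
.end method
"""

MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.victim">\n'
            '    <application android:name="com.cloudinject.feature.App" '
            'android:label="Victim"/>\n</manifest>\n')

# The post's empty-shell template: a constructor that only chains to super.<init>.
SHELL_TEMPLATE = """.class public L{cls};
.super L{parent};

# direct methods
.method public constructor <init>()V
    .registers 1

    invoke-direct {{p0}}, L{parent};-><init>()V

    return-void
.end method
"""


def descriptor(dotted):
    """'arm.StubApp' -> 'arm/StubApp' (the body of the smali type Larm/StubApp;)."""
    return dotted.replace(".", "/")


def restore_manifest(manifest_text, original_app):
    """Method 1: point <application android:name> back at the author's class."""
    pattern = r'(<application\b[^>]*?\bandroid:name=")[^"]*(")'
    new_text, count = re.subn(pattern, lambda m: m.group(1) + original_app + m.group(2),
                              manifest_text, count=1)
    if count != 1:
        raise ValueError("<application> has no android:name to restore")
    return new_text


def empty_shell(injected_cls, original_app):
    """Method 2: rewrite the injected class as a pass-through subclass of the author's."""
    return SHELL_TEMPLATE.format(cls=descriptor(injected_cls), parent=descriptor(original_app))


def is_empty_shell(smali_text, original_app):
    """Verify: parent is the author's class, the only method is <init>, and the only
    invoke is the chained super constructor (no onCreate/attachBaseContext hook)."""
    parent = descriptor(original_app)
    parent_ok = re.search(r"^\.super L" + re.escape(parent) + ";$", smali_text, re.M)
    methods = re.findall(r"^\.method\b.*?(\S+)\(", smali_text, re.M)
    invokes = re.findall(r"^\s*invoke-\S+ \{[^}]*\}, (\S+)", smali_text, re.M)
    return bool(parent_ok) and methods == ["<init>"] and invokes == ["L" + parent + ";-><init>()V"]


def apply_fix(method, original_app="arm.StubApp"):
    """Write the constructed tree to a temp dir, apply method 1 or 2, return the files."""
    root = tempfile.mkdtemp()
    cls_dir = os.path.join(root, "smali", "com", "cloudinject", "feature")
    os.makedirs(cls_dir)
    manifest = os.path.join(root, "AndroidManifest.xml")
    smali = os.path.join(cls_dir, "App.smali")
    with open(manifest, "w", encoding="utf-8") as fh:
        fh.write(MANIFEST)
    with open(smali, "w", encoding="utf-8") as fh:
        fh.write(INJECTED_SMALI)
    if method == 1:  # manifest stops referencing the injected class; its directory may go
        with open(manifest, "w", encoding="utf-8") as fh:
            fh.write(restore_manifest(MANIFEST, original_app))
    elif method == 2:  # manifest untouched; the injected class becomes an empty shell
        with open(smali, "w", encoding="utf-8") as fh:
            fh.write(empty_shell("com.cloudinject.feature.App", original_app))
    else:
        raise ValueError("method must be 1 or 2")
    with open(manifest, encoding="utf-8") as mf, open(smali, encoding="utf-8") as sf:
        return {"manifest": mf.read(), "smali": sf.read()}


if __name__ == "__main__":
    for m in (1, 2):
        out = apply_fix(m)
        print(f"method {m}: manifest -> arm.StubApp: {'arm.StubApp' in out['manifest']}, "
              f"empty shell: {is_empty_shell(out['smali'], 'arm.StubApp')}")
```

Whichever method you choose, the rebuilt APK still has to be re-signed, and the checker is worth running on the real App.smali after editing in MT manager: any method other than <init> left in the file means the injector still has a hook.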
As shown in the picture:
Then save, exit and re-sign.
Because the class has been replaced with empty shell code, the cloud injection no longer does anything.
Done.
8. [Final] Extension: the expert's method
As shown in the picture (shared by the MT forum expert; interested readers can go to his homepage to read his other articles):