Android unpacking tool roundup

There are many open source unpacking tools now, and today we share some common ones. Some are unpackers you flash onto the phone as a customized system, some are Xposed modules that hook key functions, and some unpack through Frida hooks. Each has its own advantages and disadvantages, so use whichever suits you.

FART

This unpacking tool was written by Hanbing. You flash the system image he customized, and it then unpacks dynamically while the program is running.

For a detailed introduction, see the author's GitHub: https://github.com/hanbinglengyue/FART
Principle introduction: [Original] FART: An automated unpacking solution based on active calls in the ART environment (Android Security section, Kanxue Forum, bbs.pediy.com)

Some people may find flashing the phone troublesome. The author also provides a Frida version, which unpacks dynamically using a Frida hook script.



After unzipping the release, copy fart.so and fart64.so from the lib folder to the /data/app directory and chmod 777 them. Then the Frida hook script can unpack normally:

frida -U -f [包名] -l frida_fart_hook.js --no-pause
([包名] is the package name of the target app. Frida 16 and later resume the spawned process by default and no longer accept --no-pause; omit the flag there.)

Youpk

An ART-based active-call unpacker, designed for whole-Dex packers plus the various Dex instruction-extraction packers.

A detailed introduction can be found on the author's GitHub: https://github.com/youlor/unpacker
Principle introduction: [Original] Youpk: Another ART-based active-call unpacker (Android Security section, Kanxue Forum, bbs.pediy.com)

The disadvantage of this tool is that it only provides a flashable image for the Pixel 1. Without that phone, you're out of luck.

When using this unpacker we also need to place a configuration file on the phone containing the package name of the app we want to unpack, for example cn.aaa.bbb:

adb shell "echo cn.aaa.bbb >> /data/local/tmp/unpacker.config"

The dumped dex files and the bin files used for repair both end up under the package's data directory on the phone: /data/data/cn.aaa.bbb/unpacker

FUPK3

This is an earlier unpacker than the two above. It currently supports only the Nexus 5 (hammerhead); for other phones you can modify and build the source yourself following the instructions on F8LEFT's GitHub.

The detailed introduction can be found on the author's GitHub: https://github.com/F8LEFT/FUPK3
Principle introduction: [Original] Android universal unpacker FUPK3 (Android Security section, Kanxue Forum, bbs.pediy.com)

This one requires the FUpk3 app installed on the phone to do the unpacking. The dumped dex is placed in the /data/data/pkgname/.fupk3 directory.

FDex2

This one is built on Xposed. It hooks the loadClass method of ClassLoader, reflectively calls getDex to obtain the Dex (a com.android.dex.Dex object), and then writes the dex it contains out to disk.

For details, please check: https://bbs.pediy.com/thread-224105.htm

This is a relatively early unpacker and has no way to deal with class-extraction packers. Still, you can dump the dex, look at the method names and so on, and then go after them with a Frida hook.

FRIDA-DEXDump

This Frida-based unpacking tool was written by hluwa (the "Calabash" guy). The latest update I checked was in June, so it is still fairly fresh and usable.
github address: https://github.com/hluwa/FRIDA-DEXDump

We can install it directly with pip:

pip3 install frida-dexdump

Usage:

frida-dexdump

or

git clone https://github.com/hluwa/FRIDA-DEXDump
cd FRIDA-DEXDump/frida-dexdump
python main.py -h

BlackDex

BlackDex is an unpacking tool that runs on the Android phone itself. It supports Android 5.0 through 12 and works on any phone without depending on any environment, emulators included. Unpacking an installed or not-yet-installed APK takes only a few seconds.

github:https://github.com/CodingGay/BlackDex

Just install the 32-bit and 64-bit packages on an unrooted phone, open the 32-bit or 64-bit app, select the app we want to unpack, and wait for it to finish.

The advantage is obvious: it does not require root (no root at all), so naturally no Xposed, no Magisk, no Frida, and no flashing the phone. It unpacks directly. Very strong.
The disadvantage is that some classes and methods loaded only at runtime may not be unpacked, because unpacking never runs the program at all.
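A check worth running on any dex pulled out by the tools above, as an added example that is not from this post or from any of the listed projects: memory dumps often carry a stale or zeroed checksum and signature, a file_size that does not match what was written, or section offsets pointing past the end of the file, and some analysis tools reject such files. The script below validates those header fields according to the AOSP dex-format layout and can recompute the checksum and signature (a header fix-up only; it does not restore extracted method code). The sample headers it inspects are constructed in code, not taken from a real app.

```python
"""Sanity-check a DEX file dumped from memory (added example, not part of the post)."""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70            # a DEX header is always 112 bytes
ENDIAN_CONSTANT = 0x12345678  # endian_tag value for a little-endian dex

# Header fields from offset 32 onward, in order; all little-endian uint32.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
    "class_defs_off", "data_size", "data_off",
)


def fix_checksums(data: bytes) -> bytes:
    """Recompute signature (SHA-1 of bytes from offset 32) and checksum
    (Adler-32 of bytes from offset 12) so a dump opens in standard tools.
    Only the header is patched; stripped method code is not restored."""
    signature = hashlib.sha1(data[32:]).digest()
    body = signature + data[32:]
    checksum = zlib.adler32(body) & 0xFFFFFFFF
    return data[:8] + struct.pack("<I", checksum) + body


def build_sample_dex(class_defs: int = 0, version: bytes = b"035") -> bytes:
    """Constructed sample: a header-only DEX with a correct checksum and signature."""
    magic = b"dex\n" + version + b"\0"
    fields = dict.fromkeys(HEADER_FIELDS, 0)
    fields.update(file_size=HEADER_SIZE, header_size=HEADER_SIZE,
                  endian_tag=ENDIAN_CONSTANT, class_defs_size=class_defs)
    tail = struct.pack("<20I", *(fields[k] for k in HEADER_FIELDS))
    # 24 zero bytes stand in for checksum + signature until fix_checksums fills them.
    return fix_checksums(magic + b"\0" * 24 + tail)


def inspect_dex(data: bytes) -> dict:
    """Return dex version, class/method counts and a list of header problems."""
    if len(data) < HEADER_SIZE:
        return {"ok": False, "version": None, "class_defs": 0,
                "method_ids": 0, "issues": ["file shorter than a DEX header"]}
    issues = []
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        issues.append("bad magic")
    version = magic[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))

    if hdr["header_size"] != HEADER_SIZE:
        issues.append("unexpected header_size")
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        issues.append("unexpected endian_tag")
    if hdr["file_size"] != len(data):
        issues.append(f"file_size {hdr['file_size']} != actual {len(data)}")
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        issues.append("checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        issues.append("signature mismatch")
    for name in HEADER_FIELDS:
        if name.endswith("_off") and hdr[name] > len(data):
            issues.append(f"{name} points past end of file")
    return {"ok": not issues, "version": version,
            "class_defs": hdr["class_defs_size"],
            "method_ids": hdr["method_ids_size"], "issues": issues}


if __name__ == "__main__":
    good = build_sample_dex(class_defs=3)
    print(inspect_dex(good))
    # Simulate a raw memory dump whose checksum and signature were zeroed.
    dumped = good[:8] + b"\0" * 24 + good[32:]
    print(inspect_dex(dumped))
    print(inspect_dex(fix_checksums(dumped)))
```

On a real dump, read the file with open(path, "rb") and pass the bytes to inspect_dex; a clean result with class_defs of 0 is itself a signal that the dump caught the stub rather than the real payload.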


Origin blog.csdn.net/u010671061/article/details/122085944