To remove the upgrade prompt pop-up window of an unreinforced APP, we first checked whether the app was packed and found that it was using Bang Bang free packer
We installed this on the test machine APP, the installation command is as follows:
adb installl C:\Users\Avenue\Desktop\AndroidFridaBeginnersBook-main\Chap05\com.hello.qqc.apk
We can find that after the APP manually skips the welcome interface, an upgrade prompt pop-up window will pop up. No matter where you click, the pop-up window cannot be eliminated:
Commonly used implementation pop-up windows in Android There are three types: Android.App.Dialog, Android.App.AlertDialog and Android.widget.PopupWindows.
#Objection rapid automated positioning
We use objection to inject the app and search for the corresponding pop-up window class. This app seems to be a multi-process, so you need to use the -d parameter and turn off the roothide hiding function of magisk, otherwise it will fail.
You need to close the app before injecting it
The injection command is as follows:
objection -d -g com.hello.qqc explore
After the pop-up window appears, load the corresponding plug-in and search for the corresponding instance in the memory.
plugin load ./.objection/plugins/Wallbreaker
plugin wallbreaker objectsearch android.app.AlertDialog
plugin wallbreaker objectsearch android.app.Dialog
plugin wallbreaker objectsearch android.widget.PopupWindow
You can find that the pop-up class that appears is android.app.Dialog
We hook this class and check whether there is a corresponding function call record to determine whether the corresponding class is used. .
I found the above class to be suspicious
We use the following command to hook the android.app.Dialog.setCancelable function
android hooking watch class_method android.app.Dialog.setCancelable --dump-args --dump-backtrace --dump-return
After going through the call stack, I found that the function that initiates the pop-up window in the APP is as shown below:
Use object to load Wallbreaker to search for suspicious places
plugin wallbreaker objectsearch cn.net.tokyo.ccg.ui.fragment.dialog.UpdateDialogFragment
After finding it, print the properties of the object
plugin wallbreaker objectdump --fullname 0x2702
See [0x2aca]: cn. net. tokyo.ccg.bean.VersionBean$Version@2e81a62
Then print it out
plugin wallbreaker objectdump --fullname 0x2aca
You can see the printed content, which is consistent with what is displayed on the interface, verifying the WYSIWYG principle.
We use the unpacking tool Dexdunp to unpack
The unpacked files are as follows:
Use jadx-gui to open the target dex And find the corresponding UpdateDialogFragment class, we found that UpdateDialogFragment inherits the DialogFragment class
In order to further determine which external function this class is called, use the following command to hook
android hooking watch class cn.net.tokyo.ccg.ui.fragment.dialog.UpdateDialogFragment
Print call stack
android hooking watch class_method xxx.ui.fragment.d
ialog.UpdateDialogFragment.b --dump-args --dump-backtrace --dump-return
xxx.ui.fragment.dialog.UpdateDialogFragment.b comes from the class xxx.ui.activity.MainActivity.a
Use jadx-gui to locate this function, the code is as follows:
public void a(VersionBean.Version version, boolean z) {
this.f1696a = version.url;
if (version != null) {
UpdateDialogFragment.b(version, z).show(getSupportFragmentManager(), UpdateDialogFragment.class.getSimpleName());
}
}
#Modify the source code and repackage to force an upgrade
When we repackage, since the app is reinforced, we need to pay attention to some things:
First , when repackaging, you should use the dex of the original APP after unpacking to replace the original dex
Secondly, the entry function of the App after reinforcement becomes the entry point of the shell, so after repackaging The entry class of AndroidMainifest.xml needs to be modified.
When we use apktool to decompile the APK, we choose not to decompile the dex file and delete the dex of the shell. The -s parameter of apktool provides the function of not compiling the dex file in the APK.
apktool -s d xxx.apk
Delete the original classes.dex file of the apk and put the unpacked classes.dex into it. Name them classes.dex, classes2.dex, and classes3.dex according to the size of the files.
rm classes.dex
The second question is to modify the entry class of the app, use jadx-gui to open the dex file containing the key class, search for extends Application
and then compile again. For first use, you need to generate keytool. , signature
apktool b xxx 生成的目录在 dist 目录下
Then sign: # Generate keytool
keytool -genkey -alias android.key -keyalg RSA -validity 20000 -keystore /<MY_PATH>/android.key
Copy the apk in the dist directory to the d:\apktool directory and execute the following command
You need to put the apk and signature files in the bin directory of jdk
Note that you must specify a directory to generate a signed apk. You do not have permission to generate a signed apk in the current directory.
jarsigner -verbose -keystore abc.keystore -signedjar 目录/xxxsigned.apk xxx.apk abc.keystore
After the test can run successfully, we then decompile, search for the previously located smali file whose class name contains MainActivity, edit and search for UpdateDialogFragment and modify the judgment statement after finding it.
apktool d xxxsigned.apk
Find the corresponding code file
smali/cn/net/tokyo/ccg/ui/activity/MainActivity.smali
Modify it as follows: < /span>
After modification, compile, sign and run
apktool b xxx 生成的目录在 dist 目录下
Signing
jarsigner.exe -verbose -keystore lala.keystore -signedjar D:\APP-test\apktool/com_singn_tets.hello.qqc.apk com_singn.hello.qqc.apk lala
Then we tried it and found that there was no pop-up window for forced upgrade.
From: https://www.yuque.com/avenue-le/ybne4d/gex5gg
at last
If you want to become an architect or want to break through the 20-30K salary range, then don't be limited to coding and business, you must be able to select and expand, and improve your programming thinking. In addition, good career planning is also very important, and learning habits are important, but the most important thing is to be able to persevere. Any plan that cannot be implemented consistently is empty talk.
If you have no direction, here is a set of "Advanced Notes on the Eight Modules of Android" written by a senior architect at Alibaba to help you organize the messy, scattered and fragmented knowledge in a systematic way. Everyone systematically and efficiently masters various knowledge points of Android development.
Compared with the fragmented content we usually read, the knowledge points in this note are more systematic, easier to understand and remember, and are arranged strictly according to the knowledge system.
Full set of video materials:
1. Interview collection
2. Source code analysis collection
3. Open source framework collection
Welcome everyone to support with one click and three consecutive times. If you need information in the article, just click on the CSDN official certification WeChat card at the end of the article to get it for free