Previous spoke dex encryption and decryption have not seen the next dex can first understand how encryption and decryption, this will take you to complete the remaining work, after the completion of the need to decrypt dex agent ProxyApplication to delete, and then we their Application to add to our program. Want to replace ProxyApplication is not a simple thing, you must first start is very familiar with Application source code to manipulate it, following me to bring everyone together into the source of the world now.
Application binding process
APP can start the process to see my other article performance optimization (a) start optimization , today mainly from ActivityThread => main () begins next to a flow chart to illustrate:
How to parse XML in our Application
-
ActivityThread.java
mian () -> thread.attach () -> attachApplication () -> AMS receives parameters sent, after sendMessage (H.BIND_APPLICATION) -> Processing BIND_APPLICATION -> handleBindApplication () here ready application -> Application app = data .info.makeApplication () -> mInitialApplication = app;
-
LoadedApk.java
This class is the in-memory representation APK, you can get information such as code, data, function list, etc.
- By mApplicationInfo.className get the full class name registered with us
- app = mActivityThread.mInstrumentation.newApplication () 创建 application
- Next will use appContext.setOuterContext (app)
- mApplication = app
Content needs to be replaced reflection
- ContextImpl -> mOuterContext (app) obtained by attachBaseContext callback parameter of Application
- ActivityThread -> mAllApplication (arrayList) acquired by the attribute ContextImpl of mMainThread
- LoadedApk -> mApplication ContextImpl property acquired by mPackageInfo
Reflection began to replace Application
boolean isBindReal;
Application delegate;
private void bindRealApplicatin() throws Exception {
if (isBindReal) {
return;
}
if (TextUtils.isEmpty(app_name)) {
return;
}
//得到attachBaseContext(context) 传入的上下文 ContextImpl
Context baseContext = getBaseContext();
//创建用户真实的application (MyApplication)
Class<?> delegateClass = Class.forName(app_name);
delegate = (Application) delegateClass.newInstance();
//得到attach()方法
Method attach = Application.class.getDeclaredMethod("attach", Context.class);
attach.setAccessible(true);
attach.invoke(delegate, baseContext);
// ContextImpl---->mOuterContext(app) 通过Application的attachBaseContext回调参数获取
Class<?> contextImplClass = Class.forName("android.app.ContextImpl");
//获取mOuterContext属性
Field mOuterContextField = contextImplClass.getDeclaredField("mOuterContext");
mOuterContextField.setAccessible(true);
mOuterContextField.set(baseContext, delegate);
// ActivityThread--->mAllApplications(ArrayList) ContextImpl的mMainThread属性
Field mMainThreadField = contextImplClass.getDeclaredField("mMainThread");
mMainThreadField.setAccessible(true);
Object mMainThread = mMainThreadField.get(baseContext);
// ActivityThread--->>mInitialApplication
Class<?> activityThreadClass=Class.forName("android.app.ActivityThread");
Field mInitialApplicationField = activityThreadClass.getDeclaredField("mInitialApplication");
mInitialApplicationField.setAccessible(true);
mInitialApplicationField.set(mMainThread,delegate);
// ActivityThread--->mAllApplications(ArrayList) ContextImpl的mMainThread属性
Field mAllApplicationsField = activityThreadClass.getDeclaredField("mAllApplications");
mAllApplicationsField.setAccessible(true);
ArrayList<Application> mAllApplications =(ArrayList<Application>) mAllApplicationsField.get(mMainThread);
mAllApplications.remove(this);
mAllApplications.add(delegate);
// LoadedApk------->mApplication ContextImpl的mPackageInfo属性
Field mPackageInfoField = contextImplClass.getDeclaredField("mPackageInfo");
mPackageInfoField.setAccessible(true);
Object mPackageInfo=mPackageInfoField.get(baseContext);
Class<?> loadedApkClass=Class.forName("android.app.LoadedApk");
Field mApplicationField = loadedApkClass.getDeclaredField("mApplication");
mApplicationField.setAccessible(true);
mApplicationField.set(mPackageInfo,delegate);
//修改ApplicationInfo className LooadedApk
Field mApplicationInfoField = loadedApkClass.getDeclaredField("mApplicationInfo");
mApplicationInfoField.setAccessible(true);
ApplicationInfo mApplicationInfo = (ApplicationInfo)mApplicationInfoField.get(mPackageInfo);
mApplicationInfo.className=app_name;
delegate.onCreate();
isBindReal = true;
}
复制代码Now re-sign the package is complete, start our look APK Log
2019-06-04 23:17:30.892 6064-6064/com.yk.dexdeapplication I/DevYK: provider onCreate:com.example.proxy_core.ProxyApplication@1ec3c70
2019-06-04 23:17:30.892 6064-6064/com.yk.dexdeapplication I/DevYK: provider onCreate:com.example.proxy_core.ProxyApplication@1ec3c70
2019-06-04 23:17:30.892 6064-6064/com.yk.dexdeapplication I/DevYK: provider onCreate:com.example.proxy_core.ProxyApplication
2019-06-04 23:17:30.895 6064-6064/com.yk.dexdeapplication I/DevYK: MyApplication onCreate()
2019-06-04 23:17:30.995 6064-6064/com.yk.dexdeapplication I/DevYK: activity:com.yk.dexdeapplication.App@300b5f6
2019-06-04 23:17:30.995 6064-6064/com.yk.dexdeapplication I/DevYK: activity:com.yk.dexdeapplication.App@300b5f6
2019-06-04 23:17:30.995 6064-6064/com.yk.dexdeapplication I/DevYK: activity:com.yk.dexdeapplication.App
2019-06-04 23:17:31.001 6064-6064/com.yk.dexdeapplication I/DevYK: provider delete:com.example.proxy_core.ProxyApplication@1ec3c70
2019-06-04 23:17:31.021 6064-6064/com.yk.dexdeapplication I/DevYK: service:com.yk.dexdeapplication.App@300b5f6
2019-06-04 23:17:31.021 6064-6064/com.yk.dexdeapplication I/DevYK: service:com.yk.dexdeapplication.App@300b5f6
2019-06-04 23:17:31.021 6064-6064/com.yk.dexdeapplication I/DevYK: service:com.yk.dexdeapplication.App
2019-06-04 23:17:31.022 6064-6064/com.yk.dexdeapplication I/DevYK: reciver:android.app.ReceiverRestrictedContext@9b92293
2019-06-04 23:17:31.022 6064-6064/com.yk.dexdeapplication I/DevYK: reciver:com.yk.dexdeapplication.App@300b5f6
2019-06-04 23:17:31.022 6064-6064/com.yk.dexdeapplication I/DevYK: reciver:com.yk.dexdeapplication.App
复制代码Note the LOG
MyApplication onCreate()
复制代码Here it has been replaced with our own MyApplication, and Service Activity and get the context has replaced our success Applicaton. But ... maybe some better eyes have seen the problem, why the content provider or agent Application Context but also to perform than our own application, do before we see a problem with this Application onCreate what's up.
We click on installlContentProviders (app, providers);
Note that pass in or proxy Context
In the final focus
Note the logic judgment ring inside I outlined to determine the package name of the current application is consistent with the package name in the XML, if our unity on assignment Again here under the context of our agency context, then how do we do Le, we rewrite PackageName in the agent not to wait that long would go else creates a Context according to the package name
/**
* 让代码走入if中的第三段中
* @return
*/
@Override
public String getPackageName() {
if(!TextUtils.isEmpty(app_name)){
return "";
}
return super.getPackageName();
}
@Override
public Context createPackageContext(String packageName, int flags) throws PackageManager.NameNotFoundException {
if(TextUtils.isEmpty(app_name)){
return super.createPackageContext(packageName, flags);
}
try {
bindRealApplicatin();
} catch (Exception e) {
e.printStackTrace();
}
return delegate;
}
复制代码- First, determine whether our own app_name XML is empty
- If not empty, we pass an empty packet
- SDK will determine whether or not the same with the XML pck, finally walking else we rewrite createPackageContext incoming packets were our own applications. It generates a Context
Finally, we come to test:
2019-06-05 00:12:30.271 7570-7570/com.yk.dexdeapplication I/DevYK: MyApplication onCreate()
2019-06-05 00:12:30.273 7570-7570/com.yk.dexdeapplication I/DevYK: provider onCreate:com.yk.dexdeapplication.App@1ec3c70
2019-06-05 00:12:30.273 7570-7570/com.yk.dexdeapplication I/DevYK: provider onCreate:com.yk.dexdeapplication.App@1ec3c70
2019-06-05 00:12:30.273 7570-7570/com.yk.dexdeapplication I/DevYK: provider onCreate:com.yk.dexdeapplication.App
2019-06-05 00:12:30.381 7570-7570/com.yk.dexdeapplication I/DevYK: activity:com.yk.dexdeapplication.App@1ec3c70
2019-06-05 00:12:30.381 7570-7570/com.yk.dexdeapplication I/DevYK: activity:com.yk.dexdeapplication.App@1ec3c70
2019-06-05 00:12:30.381 7570-7570/com.yk.dexdeapplication I/DevYK: activity:com.yk.dexdeapplication.App
2019-06-05 00:12:30.387 7570-7570/com.yk.dexdeapplication I/DevYK: provider delete:com.yk.dexdeapplication.App@1ec3c70
2019-06-05 00:12:30.406 7570-7570/com.yk.dexdeapplication I/DevYK: service:com.yk.dexdeapplication.App@1ec3c70
2019-06-05 00:12:30.406 7570-7570/com.yk.dexdeapplication I/DevYK: service:com.yk.dexdeapplication.App@1ec3c70
2019-06-05 00:12:30.406 7570-7570/com.yk.dexdeapplication I/DevYK: service:com.yk.dexdeapplication.App
2019-06-05 00:12:30.408 7570-7570/com.yk.dexdeapplication I/DevYK: reciver:android.app.ReceiverRestrictedContext@b7a3b82
2019-06-05 00:12:30.408 7570-7570/com.yk.dexdeapplication I/DevYK: reciver:com.yk.dexdeapplication.App@1ec3c70
2019-06-05 00:12:30.408 7570-7570/com.yk.dexdeapplication I/DevYK: reciver:com.yk.dexdeapplication.App
复制代码Log in addition to BroadCase Context is the system we are replacing all the Context of Application Context. Perfect solution. But there is a hidden BUG, it said to face questions to ask then what Le?
You can use a service context in a broadcast or bind it turned on the radio?
In fact, we can take a look at the source of this problem
H -> RECEIVER message
Sure enough registered broadcast and binding services will throw an exception.
to sum up
Here we have finished reinforcement, from sub-dex -> Encryption -> Align> Signature -> packaged as a compressed APK. A complete set of processes and code are already finished. With reinforcing the principle of the market process are almost the same. I understand the principle of using a third party to go on like a pro.
Reproduced in: https: //juejin.im/post/5cf69d30f265da1b897abd53