Pre-class preparation
Previous session reference: https://testerhome.com/topics/16073
OWASP: https://www.owasp.org/index.php/Main_Page
Mobile_App_Security_Checklist: https://github.com/OWASP/owasp-mstg/raw/master/Checklists/Mobile_App_Security_Checklist.xlsx
Jadx: https://github.com/skylot/jadx/releases
Smali / Dalvik bytecode reference: https://source.android.com/devices/tech/dalvik/dalvik-bytecode
Reverse engineering
jadx
Decompile, rebuild, and re-sign (apktool)
java -jar apktool_2.3.4.jar d keep_1013.apk -o keep
vi /Users/seveniruby/temp/mobile_sec/keep/smali_classes4/com/gotokeep/keep/splash/SplashActivity.smali
mv keep/res/drawable-xxhdpi/bg_top_shadow.png keep/res/drawable-xxhdpi/bg_top_shadow.png.bak
mv keep/res/drawable-xxhdpi/icon_store_pre_sale_current.9.png keep/res/drawable-xxhdpi/icon_store_pre_sale_current.9.png.bak
java -jar apktool_2.3.4.jar b keep -o keep-new.apk
[ -f my-release-key.jks ] || keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias
jarsigner -verbose -keystore my-release-key.jks -signedjar keep-new-signed.apk keep-new.apk my-alias
adb install -r keep-new-signed.apk
Note: jarsigner only produces a v1 (JAR) signature; apps targeting API 30 or later require a v2 signature as well, so use apksigner from the build-tools (apksigner sign --ks my-release-key.jks keep-new.apk) on newer devices. The rebuilt APK is signed with your own key, so `adb install -r` over the original Keep install fails with INSTALL_FAILED_UPDATE_INCOMPATIBLE; uninstall the original first. Anything in the app that verifies its own signing certificate will also notice the swap.
Code injection
The Android Studio Java2Smali plugin compiles a Java snippet into the Smali you paste into the disassembled method. For example:
Log.i("hogwarts", "onCreate "+ System.currentTimeMillis());
compiles to the following smali instructions:
const-string v1, "hogwarts"
new-instance v2, Ljava/lang/StringBuilder;
invoke-direct {v2}, Ljava/lang/StringBuilder;-><init>()V
const-string v3, "onCreate "
invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v2
invoke-static {}, Ljava/lang/System;->currentTimeMillis()J
move-result-wide v4
invoke-virtual {v2, v4, v5}, Ljava/lang/StringBuilder;->append(J)Ljava/lang/StringBuilder;
move-result-object v2
invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v2
invoke-static {v1, v2}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
Log.e("testerhome", "hello from seveniruby");
compiles to the following smali instructions:
const-string v0, "testerhome"
const-string v1, "hello from seveniruby"
invoke-static {v0, v1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
The register count (the method's .locals or .registers directive) must be adjusted to match the inserted code; the simplest approach is to raise it to a comfortably large value such as 8. The first snippet above uses v1 through v5, so the method needs at least 6 locals; with .registers you must also count the parameter slots (p0 plus one per argument, two for long/double). Insert the snippet right after the invoke-super call so that no local register of the original method holds a live value yet.
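The injection step above (compile with Java2Smali, paste the smali after the super call, then fix the register count) can be scripted. The following is an added example, not code from the course or from the Keep app: it splices the Log.i snippet from the notes into a constructed SplashActivity.onCreate (sample smali written for this example, not taken from the real APK) and raises `.locals`, or `.registers` plus the parameter slots, to what the snippet needs. The helper names (`inject_after_super_oncreate`, `locals_needed`, `param_register_count`) are this example's own.

```python
import re

# Smali for Log.i("hogwarts", "onCreate " + System.currentTimeMillis()),
# exactly as Java2Smali emitted it in the notes above (uses v1..v5).
LOG_PATCH = """\
    const-string v1, "hogwarts"
    new-instance v2, Ljava/lang/StringBuilder;
    invoke-direct {v2}, Ljava/lang/StringBuilder;-><init>()V
    const-string v3, "onCreate "
    invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
    move-result-object v2
    invoke-static {}, Ljava/lang/System;->currentTimeMillis()J
    move-result-wide v4
    invoke-virtual {v2, v4, v5}, Ljava/lang/StringBuilder;->append(J)Ljava/lang/StringBuilder;
    move-result-object v2
    invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
    move-result-object v2
    invoke-static {v1, v2}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
"""

# Constructed sample (not the real Keep code): a minimal onCreate as apktool
# would disassemble it. Only one local is declared, so the patch will not fit.
SAMPLE_SMALI = """\
.class public Lcom/gotokeep/keep/splash/SplashActivity;
.super Landroid/app/Activity;

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1

    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    const v0, 0x7f0a0001
    invoke-virtual {p0, v0}, Lcom/gotokeep/keep/splash/SplashActivity;->setContentView(I)V

    return-void
.end method
"""

V_REG = re.compile(r"\bv(\d+)\b")


def locals_needed(snippet: str) -> int:
    """Highest vN used in the snippet plus one: the .locals count it requires."""
    regs = [int(m) for m in V_REG.findall(snippet)]
    needed = max(regs) + 1 if regs else 0
    # Non-range invoke-* forms address only v0..v15, so a snippet using more
    # would have to be rewritten with invoke-*/range instructions.
    if needed > 16:
        raise ValueError("snippet uses registers above v15")
    return needed


def param_register_count(method_header: str) -> int:
    """Registers occupied by parameters: p0 (this) unless static, plus one per
    argument, with long (J) and double (D) taking two registers each."""
    params = method_header[method_header.index("(") + 1:method_header.index(")")]
    n = 0 if " static " in method_header else 1
    i = 0
    while i < len(params):
        dims = 0
        while params[i] == "[":          # array prefix: the whole thing is one reference
            dims += 1
            i += 1
        if params[i] == "L":             # class descriptor runs up to ';'
            i = params.index(";", i) + 1
            wide = False
        else:                            # primitive: single character
            wide = params[i] in "JD" and dims == 0
            i += 1
        n += 2 if wide else 1
    return n


def inject_after_super_oncreate(smali: str, method_sig: str, patch: str) -> str:
    """Insert `patch` directly after the invoke-super line of the first method whose
    header ends with `method_sig`, then raise its .locals/.registers if needed.
    Raising .locals does not shift pN names (smali resolves them from the end
    of the frame); with .registers the parameter slots are added on top."""
    out, header, decl_idx, patched = [], None, None, False
    for line in smali.splitlines(keepends=True):
        out.append(line)
        s = line.strip()
        if header is None and not patched and s.startswith(".method") and s.endswith(method_sig):
            header = s
        elif header is not None and (s.startswith(".locals ") or s.startswith(".registers ")):
            decl_idx = len(out) - 1
        elif header is not None and not patched and s.startswith("invoke-super"):
            out.append("\n" + patch)     # super call stays first; our code follows it
            patched = True
        elif header is not None and s == ".end method":
            if not patched or decl_idx is None:
                raise ValueError(f"no invoke-super/.locals in {method_sig}")
            directive, count = out[decl_idx].split()
            needed = locals_needed(patch)
            if directive == ".registers":
                needed += param_register_count(header)
            if int(count) < needed:
                out[decl_idx] = out[decl_idx].replace(f"{directive} {count}", f"{directive} {needed}")
            header = None
    if not patched:
        raise ValueError(f"method not found: {method_sig}")
    return "".join(out)


if __name__ == "__main__":
    print(inject_after_super_oncreate(SAMPLE_SMALI, "onCreate(Landroid/os/Bundle;)V", LOG_PATCH))
```

Run it against a real SplashActivity.smali by reading the file instead of SAMPLE_SMALI and writing the result back before `apktool b`. The patch is placed immediately after the super call on purpose: at that point none of the method's own local registers holds a live value, so clobbering v1 through v5 cannot corrupt the original logic; inserting deeper into the method would require choosing registers the method does not use.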
Xposed
- A rooted device; Android 4.4 works best with this installer
- Xposed installer apk: https://dl-xda.xposed.info/modules/de.robv.android.xposed.installer_v33_36570c.apk
- Xposed development tutorial: https://github.com/rovo89/XposedBridge/wiki/Development-tutorial
- Creating an Xposed module (RedClock example): https://github.com/rovo89/XposedExamples/blob/master/RedClock/src/de/robv/android/xposed/examples/redclock/RedClock.java
- API jar download: https://forum.xda-developers.com/xposed/xposed-api-changelog-developer-news-t2714067
After hooking, the status bar clock shows the appended text in red. Module source (besides the class, the module needs assets/xposed_init containing the fully qualified class name and the xposedmodule / xposedminversion / xposeddescription meta-data entries in AndroidManifest.xml, then a reboot after enabling it in the installer):
package com.testerhome.appium.xposeddemo1013;

import static de.robv.android.xposed.XposedHelpers.findAndHookMethod;

import android.graphics.Color;
import android.widget.TextView;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class RedClock implements IXposedHookLoadPackage {
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // handleLoadPackage runs for every process; only touch the system UI.
        if (!lpparam.packageName.equals("com.android.systemui"))
            return;

        // Hook Clock.updateClock() with the target's own class loader; the
        // afterHookedMethod callback runs each time the clock text is refreshed.
        findAndHookMethod("com.android.systemui.statusbar.policy.Clock", lpparam.classLoader, "updateClock", new XC_MethodHook() {
            @Override
            protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                TextView tv = (TextView) param.thisObject;
                String text = tv.getText().toString();
                tv.setText(text + "hogwarts 6th :)");
                tv.setTextColor(Color.RED);
            }
        });
    }
}