线上班第五期专项测试下

seveniruby · 2018 年1 月 21 日 14:34

参考命令

java -jar apktool_2.3.1.jar  decode keep.apk  -o keep_decode
vim keep_decode//smali/com/gotokeep/keep/KApplication.smali
java -jar apktool_2.3.1.jar  build keep_decode/ -o keep-new.apk
jarsigner -verbose -keystore my-release-key.jks  -signedjar keep-new-signed.apk  keep-new.apk  my-alias
adb install -r keep-new-signed.apk
adb logcat  | grep testerhome

smali内容新增如下代码到onCreate

   const-string v0, "testerhome"
    const-string v1, "hello from seveniruby"
    invoke-static {v0, v1}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

或者如下的smali指令，先把寄存器修改为6，

.locals 6

然后添加到函数的开头或者结尾

    const-string v3, "testerhome"

    const-string v4, "start"

    invoke-static {v3, v4}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I

    .line 30
    const-string v3, "testerhome"

    invoke-static {}, Ljava/lang/System;->currentTimeMillis()J

    move-result-wide v4

    invoke-static {v4, v5}, Ljava/lang/String;->valueOf(J)Ljava/lang/String;

    move-result-object v4

    invoke-static {v3, v4}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I

    .line 31
    const-string v3, "testerhome"

    const-string v4, "end"

    invoke-static {v3, v4}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I

java转smali语法

一个可供参考的脚本，需要自己修改下。

JAVA_HOME='/Applications/Android Studio.app/Contents/jre/jdk/Contents/Home'
cd /tmp
cat > input_tmp.java <<EOF
public class input_tmp {
    public static void main(String[] args) {
         $1
    }
}
EOF

javac -source 7 -target 7 input_tmp.java
/Users/me/Library/Android/sdk//build-tools/25.0.0/dx --dex --output=classes.dex input_tmp.class
java -jar /Users/me/Downloads/baksmali-2.2.1.jar dis classes.dex
cat out/input_tmp.smali
rm -rf input_tmp.class input_tmp.java classes.dex out

动态破解

XPosed: http://repo.xposed.info/module/de.robv.android.xposed.installer
Frida
Substrate

XPosed使用教程：https://github.com/rovo89/XposedBridge/wiki/Development-tutorial
创建xposed的扩展：https://github.com/rovo89/XposedExamples/blob/master/RedClock/src/de/robv/android/xposed/examples/redclock/RedClock.java

把installer安装到一个root过的机器上
安装框架
增加application的meta-data
添加xposed bridge api jar包并设置为不要打包进去
增加Class 替换方法
增加assets/xposed_init，填充类的路径
安装，并用xposed installer加载
重启

问题

android 模拟器需要superuser
bridge api jar包不要打包进去

服务端安全

演练环境： http://jenkins.testing-studio.com:8082/login.php