Frida-Apk-Unpack
No other setup is needed: drag the following into the emulator one after another, then reboot:
SuperSU download: https://download.chainfire.eu/696/supersu/
Xposed-sdk download: http://dl-xda.xposed.info/framework/
XposedInstaller download: https://forum.xda-developers.com/showthread.php?t=3034811 (the apk attached at the bottom of the thread)
adb push android_server /data/local/tmp/android_server # android_server is the debug server shipped in IDA's dbgsrv directory; push it into the emulator
adb shell
su root
chmod 755 /data/local/tmp/android_server # it only needs the execute bit; 777 is not required
/data/local/tmp/android_server # start android_server (adb shell starts in /, so use the full path); it listens on tcp/23946 by default and keeps this shell busy
am start -D -n im.token.app/org.consenlabs.imtoken.MainActivity # from a second adb shell: start the imToken target with -D so it waits for the debugger before running
Open a second terminal and forward IDA's debugger port to the device:
adb forward tcp:23946 tcp:23946
Start the activity (in an adb shell); -D makes it block until a debugger attaches:
am start -D -n com.example.testjniso/com.example.testjniso.MainActivity
####
adb pull /system/lib/libart.so libart.so # pull the 32-bit ART runtime (64-bit devices keep a second copy under /system/lib64)
##
adb shell getprop ro.product.cpu.abi # prints the device ABI; x86 on this emulator
frida-server-12.5.2-android-x86.xz # download the frida-server release whose arch matches that ABI and whose version matches the host frida package, then push it to /data/local/tmp and run it as root
pip install frida
pip install frida-tools
frida-ps -U # list processes on the USB/adb-attached device (the real phone here)
frida-ps -R # list processes through the remote TCP endpoint 127.0.0.1:27042 (needs adb forward tcp:27042 tcp:27042); used here for the emulator
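A helper for the ABI/version matching step above, as an added example (not code from this repository): it maps the getprop ro.product.cpu.abi value to the arch suffix in the frida-server release file name, decompresses the .xz, and pushes and starts the server over adb. It assumes the release naming frida-server-<version>-android-<arch>.xz shown above, frida-server's default port 27042 and its -D (daemonize) flag, a rooted device with su, and adb on PATH; the file name deploy_frida_server.py is hypothetical.

```python
#!/usr/bin/env python3
"""Deploy the frida-server build matching the device ABI and the host frida version.

Assumes release assets named frida-server-<version>-android-<arch>.xz, the
default frida-server port 27042, a rooted device with su, and adb on PATH.
Usage: python3 deploy_frida_server.py [download_dir]   (hypothetical file name)
"""
import lzma
import subprocess
import sys
from pathlib import Path
from typing import List

# `getprop ro.product.cpu.abi` -> <arch> in the release file name. The ARM ones are
# the usual mistake: armeabi-v7a is "arm" and arm64-v8a is "arm64".
ABI_TO_FRIDA_ARCH = {"x86": "x86", "x86_64": "x86_64", "armeabi-v7a": "arm", "arm64-v8a": "arm64"}


def frida_asset_name(abi: str, version: str) -> str:
    """Release file to fetch, e.g. ("x86", "12.5.2") -> frida-server-12.5.2-android-x86.xz."""
    arch = ABI_TO_FRIDA_ARCH.get(abi.strip())
    if arch is None:
        raise ValueError(f"unsupported ABI {abi!r}; expected one of {sorted(ABI_TO_FRIDA_ARCH)}")
    return f"frida-server-{version}-android-{arch}.xz"


def deploy_commands(local_binary: str, remote_dir: str = "/data/local/tmp") -> List[str]:
    """Shell commands that install and start the (already decompressed) server.

    The port forward is only needed for `frida-ps -R` (127.0.0.1:27042);
    `frida-ps -U` reaches the server through adb without it.
    """
    remote = f"{remote_dir}/{Path(local_binary).name}"
    return [
        f"adb push {local_binary} {remote}",
        f"adb shell \"su -c 'chmod 755 {remote}'\"",
        "adb forward tcp:27042 tcp:27042",
        f"adb shell \"su -c '{remote} -D'\"",  # -D: daemonize, so the adb shell returns
    ]


def device_abi() -> str:
    out = subprocess.run(["adb", "shell", "getprop", "ro.product.cpu.abi"],
                         capture_output=True, text=True, check=True).stdout
    return out.strip()


def host_frida_version() -> str:
    import frida  # imported lazily so the pure helpers above work without frida installed
    return frida.__version__  # the server version must match the client's


def decompress(asset: Path) -> Path:
    """frida-server-...-x86.xz -> frida-server-...-x86 next to it."""
    target = asset.with_suffix("")
    target.write_bytes(lzma.decompress(asset.read_bytes()))
    return target


if __name__ == "__main__":
    downloads = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    asset = downloads / frida_asset_name(device_abi(), host_frida_version())
    if not asset.exists():
        sys.exit(f"download {asset.name} from the frida GitHub releases into {downloads} first")
    binary = decompress(asset)
    for cmd in deploy_commands(str(binary)):
        print("+", cmd)
        subprocess.run(cmd, shell=True, check=True)
```

Running it with a wrong-arch download is the fast way to reproduce the "not executable: 32-bit ELF file" class of error seen with android_server further down; the ABI check up front is what avoids it.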
Bypassing anti-debugging
Unpacking
java -jar baksmali-2.2.7.jar d classes.dex # disassemble the dumped dex into out/
java -jar smali-2.2.7.jar a out/ -o classes.dex # reassemble after patching the smali as below
AXMLPrinter # decode the binary AndroidManifest.xml
invoke-static/range {v1 .. v1}, Lcom/stub/StubApp;->getOrigApplicationContext(Landroid/content/Context;)Landroid/content/Context;
move-result-object v1
Matching regex (register group is [vp][0-9]+ so two-digit registers such as v10 also match):
invoke-static/range \{(.*)\}, Lcom/stub/StubApp;->getOrigApplicationContext\(Landroid/content/Context;\)Landroid/content/Context;
move-result-object ([vp][0-9]+)
const-string v3, "gps"
invoke-static {v2, v3}, Lcom/stub/StubApp;->mark(Landroid/location/LocationManager;Ljava/lang/String;)Landroid/location/Location;
move-result-object v2
Matching regex:
invoke-static \{v([0-9]+), v([0-9]+)\}, Lcom/stub/StubApp;->mark\(Landroid/location/LocationManager;Ljava/lang/String;\)Landroid/location/Location;
move-result-object v([0-9]+)
invoke-static {p1}, Lcom/stub/StubApp;->mark(Landroid/location/Location;)V
Matching regex:
invoke-static \{[pv]([0-9]+)\}, Lcom/stub/StubApp;->mark\(Landroid/location/Location;\)V
const v0, 0x1cbc
invoke-static {v0}, Lcom/stub/StubApp;->interface11(I)V
Beyond these call sites you still have to delete the shell's own classes and resources and restore the parts of onCreate that are missing, i.e. the logic the packer moved into a native onCreate inside its .so.
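The regexes above applied as a script, as an added example that is not part of this repository's code: it rewrites the four StubApp call shapes shown above across a baksmali output tree and reports whatever still references the shell. What each call is replaced with is an assumption, since the page only gives the match patterns: getOrigApplicationContext collapses to a register move (or nothing, when source and result register are the same) because once the shell is gone the source register already holds the application context; mark(LocationManager, String) is taken to wrap LocationManager.getLastKnownLocation, which has the identical signature; mark(Location) and interface11(int) are dropped as shell bookkeeping. The file name unstub.py and the sample smali are constructed.

```python
#!/usr/bin/env python3
"""Rewrite the Lcom/stub/StubApp; wrapper calls that 360 jiagu leaves in dumped smali.

Replacements are assumptions, not from the page: getOrigApplicationContext(ctx)
collapses to a register move (without the shell the source register already holds
the application context); mark(LocationManager, String) is taken to wrap
LocationManager.getLastKnownLocation; mark(Location) and interface11(int) are
dropped as shell bookkeeping.  Usage: python3 unstub.py out/  (hypothetical name)
"""
import re
import sys
from pathlib import Path
from typing import List

STUB = "Lcom/stub/StubApp;"
REG = r"[vp]\d+"  # the page's regexes use a single [0-9]; widened so v10 etc. match

# invoke-static[/range] {vA[ .. vA]}, StubApp->getOrigApplicationContext(Context)Context ; move-result-object vB
GET_ORIG_CTX = re.compile(
    r"^(?P<ind>[ \t]*)invoke-static(?:/range)? \{(?P<src>" + REG + r")(?: \.\. (?P=src))?\}, "
    + STUB + r"->getOrigApplicationContext\(Landroid/content/Context;\)Landroid/content/Context;\n"
    + r"[ \t]*move-result-object (?P<dst>" + REG + r")\n",
    re.M,
)
MARK_LOC_MGR = re.compile(
    r"^(?P<ind>[ \t]*)invoke-static \{(?P<mgr>" + REG + r"), (?P<prov>" + REG + r")\}, "
    + STUB + r"->mark\(Landroid/location/LocationManager;Ljava/lang/String;\)Landroid/location/Location;$",
    re.M,
)
MARK_LOC = re.compile(r"^[ \t]*invoke-static \{" + REG + r"\}, " + STUB + r"->mark\(Landroid/location/Location;\)V\n", re.M)
# The `const vX, 0x...` feeding interface11 is kept: a dead constant is harmless, while
# deleting it would be wrong if vX is read again later in the method.
INTERFACE11 = re.compile(r"^[ \t]*invoke-static \{" + REG + r"\}, " + STUB + r"->interface11\(I\)V\n", re.M)
GET_LAST_KNOWN = (
    r"\g<ind>invoke-virtual {\g<mgr>, \g<prov>}, "
    r"Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;"
)

def _fix_orig_ctx(m) -> str:
    src, dst = m.group("src"), m.group("dst")
    if src == dst:
        return ""  # the register already holds the context: drop both lines
    return f"{m.group('ind')}move-object/from16 {dst}, {src}\n"

def patch_smali(text: str) -> str:
    """Return `text` with the four StubApp call shapes from the page rewritten."""
    text = GET_ORIG_CTX.sub(_fix_orig_ctx, text)
    text = MARK_LOC_MGR.sub(GET_LAST_KNOWN, text)
    text = MARK_LOC.sub("", text)
    text = INTERFACE11.sub("", text)
    return re.sub(r"\n{3,}", "\n\n", text)  # tidy the blank lines left by deletions

def stub_refs(text: str) -> List[str]:
    """Lines still mentioning the shell: what is left for manual work (e.g. onCreate)."""
    return [ln.strip() for ln in text.splitlines() if STUB in ln]

def patch_tree(root: Path) -> int:
    """Patch every .smali under `root` in place; returns the number of files changed."""
    changed = 0
    for path in root.rglob("*.smali"):
        old = path.read_text(encoding="utf-8")
        new = patch_smali(old)
        if new != old:
            path.write_text(new, encoding="utf-8")
            changed += 1
    return changed

# Constructed sample in the shape of the page's snippets (not a real dump).
SAMPLE = """\
.method public onCreate()V
    .locals 4
    const v0, 0x1cbc
    invoke-static {v0}, Lcom/stub/StubApp;->interface11(I)V

    invoke-static/range {v1 .. v1}, Lcom/stub/StubApp;->getOrigApplicationContext(Landroid/content/Context;)Landroid/content/Context;
    move-result-object v1

    invoke-static/range {p0 .. p0}, Lcom/stub/StubApp;->getOrigApplicationContext(Landroid/content/Context;)Landroid/content/Context;
    move-result-object v2
    const-string v3, "location"
    invoke-virtual {v2, v3}, Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v2
    check-cast v2, Landroid/location/LocationManager;

    const-string v3, "gps"
    invoke-static {v2, v3}, Lcom/stub/StubApp;->mark(Landroid/location/LocationManager;Ljava/lang/String;)Landroid/location/Location;
    move-result-object v2
    invoke-static {v2}, Lcom/stub/StubApp;->mark(Landroid/location/Location;)V
    return-void
.end method
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(f"patched {patch_tree(Path(sys.argv[1]))} file(s)")
    else:
        patched = patch_smali(SAMPLE)
        print(patched)
        print("left for manual cleanup:", stub_refs(patched))
```

Run it on the baksmali out/ directory before reassembling with smali; anything stub_refs still reports (typically the Application subclass and its onCreate) is the part that has to be restored by hand.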
sh: ./android_server: not executable: 32-bit ELF file
The pushed server does not match the device. IDA's dbgsrv directory ships a separate build per architecture and bitness (android_server for 32-bit ARM, android_server64, android_x86_server, android_x64_server), so pick the one matching getprop ro.product.cpu.abi; the workaround used here was to switch to a real (ARM) device.
Edit Python34\Lib\site-packages\_frida.pyd: search for python37.dll with WinHex and change it to python34.dll (frida 12 is built against python37.dll). This only renames the DLL import; the Python 3.4 and 3.7 ABIs differ, so installing the Python version the frida wheel was built for is the reliable fix.
A hardened (jiagu) app crashes on launch after decompiling and rebuilding, with:
Process: im.token.app, PID: 4101
java.lang.UnsatisfiedLinkError: JNI_ERR returned from JNI_OnLoad in "/data/data/im.token.app/.jiagu/libjiagu.so"
Cause in this case: the device had no network connectivity; it launched once connected.
Installing the downloaded Xposed-sdk fails with:
/data/data/de.robv.android.xposed.install/cache/update-binary: not executable: 32bit ELF file Error 1 occurred
Fix: in the emulator's Settings open "App compatibility" and turn it off, uninstall the Xposed that is already installed, shut the emulator down, then start it again and reinstall Xposed.