Common Davlik bytecode interpretation and APK cracking process for Android reverse

Cracking process

Android program cracking process: decompile - > analyze - > Modify - > decompile - > sign. These operations are performed on the command line. Of course, there are also tools that integrate these operations:
macos: Android-Crack-Tool
Windows: Android Killer

Relevant knowledge


The concept of register is explained here. Register is used to store
register It is a small storage area used to store data in the CPU, which is used to temporarily store the data and operation results involved in the operation. That is, to store data.
Now all mobile phones use arm chips

Here are some digressions: the more common CPUs are intel's X86 architecture CPU and arm architecture CPU. Among them, intel's X86 architecture CPU instruction set includes complex instruction set and reduced instruction set, and arm has only reduced instruction set.

Complex instruction set and reduced instruction set

The so-called complexity and simplicity is to improve the performance of the computer according to whether to design instructions according to the program. The complex instruction set adds some instruction sets of complex functions according to the application program, which leads to more and more CPU instructions, more and more complex design and higher cost. However, the reduced instruction set will not design the instruction set according to the program. So how to improve the performance?

Some differences between jvm and davlik

The work of translating machine code is done by the compiler of high-level language, and these work is entrusted to the compiler. Therefore, the two differences are that the complex instruction set increases its own instruction set according to the program to improve computer performance, and the reduced instruction set is handed over to the compiler to do instruction conversion. Due to the addition of compiler conversion, the running speed will be slow, and the memory occupied will become more. The same program takes up more space on the mobile phone of ARM chip and the computer of intel chip. Another feature of arm architecture of reduced instruction set is that it has many registers. davlik virtual machine uses this feature to change the original java virtual machine:

Each thread in the java virtual machine will have a PC counter and a java stack. The PC counter is used to record where the program is executed. The call records used to record java methods in the java stack are called stack frames. Each method call will allocate a new stack and push it into the java stack. Each stack frame contains a local variable area, and the evaluation stack (jvm is called operand stack), The local variable area is used to store method parameters and local variables, and the evaluation stack is used to save the intermediate results of evaluation and the parameters of calling other methods. Method takes data from the local variable area in the stack for operation, stores the result in the operand stack, and finally pops up the result from the operand stack when returning

The davlik virtual machine also maintains a PC counter and a call stack for each thread. The difference is that a register list is maintained in the call stack. The number of virtual registers allocated is given according to the registers field in the method structure. The davlik virtual machine creates a virtual register list according to this field. The local variable area and operand stack in java stack frame are replaced by register list for storage. So java virtual machine is based on stack architecture, while davlik virtual machine is based on register architecture

Common Davlik bytecode interpretation

1. Common Davlik bytecode:

Define field type:

check-cast Register (operand),Defined type;
give an example:
check-cast v0,Lcom/android/Launcher2/launcherApplication;

Representative definition v0 The type of is LauncherApplication
 Field write field read (general interpretation)

Summary: instruction destination operand source operand
The preceding represents the class variable name and variable attribute of the value (operand) in the instruction register
Essentially, an instruction operates on an operand, depending on whether the instruction variable is read or assigned
Read get: reads the assignment of variables to operands
Assignment set: the value of the assignment variable is the value of the operand

Static field write:

const register ,Value corresponds to ID(0X0 Represented by null)
sput-object register,The class to which the field belongs;->Field name:Field type
const/4  v3,  0x0
sput-object v3, Lcom/disney/Class1;->globalIapHandler:Lcom/disney/config/GlobalPurchaseHandler;
Will 0 x00(representative null)Deposit v3 Register
 take v3 Write value in register Class1 Medium globalIapHandler Variable of type GlobalPurchaseHandler,
that is Class1.globalIapHandler = null;

Static field reading:

sget -object register, The class to which the field belongs;->Field name:Field type
 give an example:
sget-object v0, Lcom/disney/Class1;->PREFS_INSTALLATION_ID:Ljava/lang/String;
read Class1 Medium PREFS_INSTALLATION_ID Variable of type String

Normal field write:

.local v0, args:Landroid/os/Message;
const/4 v1, 0x12
iput v1, v0, Landroid/os/Message;->what:I
 take args Variable storage v0 Register
 Will 0 X12 Incoming to v1 Register
 set up Message Medium what Variable is v1 Value of
 amount to args.what=18;

Normal field reading:

iget-object register p0(An example representing the class of the variable is this), The class to which the field belongs;->Field name:zidaun1: Field type
 give an example:
iget-object v0, p0, Lcom/disney/Class1;->_view:Lcom/disney/Class2;
from v0 Get in register Class1 Medium_view Variable of type Class2

Call method:

invoke-virtual {Registers: callers( p0 representative this)And method parameter information}, The class in which the method resides;->Method name (parameter) return value

give an example:
invoke-virtual {p0},Lcom/android/Launcher2/Launcher;_>getApplication()L android/app/Application;
java The implementation code is:(this.)getApplication();

Call parent method:

invoke-super {Registers: represent callers and parameters},Class to which the method belongs;->Method name(Parameter type)Return value[ V Represents no return value]

invoke-super {p0,p1},Landroid/app/ActivityGroup;->onCreate(Landroid/os/Bundle;)V

Calling interface:

invoke-interface {Register [like method, it is also caller and method parameter information]}, The full name of the interface to which the method belongs;->Method name (parameter type) return value

invoke-interface {v3,v6,v9},Landroid/content/SharedPreferences;->getBoolean(Ljava/lang/String;Z)Z
java The implementation code is: v3.getBoolean(v6,v9);

Judgment statement:

One, if-nez(And if-eqz (opposite)
if-nez Register (which stores operands), :Label Office
 If the operand is not null Or jump to the label to execute the code if it is not 0 or equal
 give an example:
move resule v0  (Assign the result of the previous command to v0)
if-nez v0, :cond_0 
 (Judge that the value is not 0 [condition is true] and jump to cond_0 On the contrary, the program continues to execute until return-void Instruction Division)
 Second, if-eqz
 Indicates to jump when the result is 0 or equal (and if-nez (opposite)

Method returns:

return-void no return value

Crack program

Analyze and modify smail files

1. After modifying the smali file, install it on the mobile phone

Recompile. The recompile command is

apktool b File address

Common errors in back compilation:
1.Tips"at brut.androlib.Androlib.buildResourcesFull("
Explanation: the problem is an error in packaging resources, which is used by the program API Version number and apkool in framework-res.apk be based on Android Caused by inconsistent versions of
 Example: program used API The version number is 25; and apkttol Version number is 2.2.2 Its corresponding framework-res.apk The version of is based on Android6.0 of
 his API Is 23. The two are inconsistent
 The solution is: find one API And procedures used API Consistent version number android Device, get from framework-res.apkļ¼ŒAnd put this apk Install to local
 Use command:
(1.)obtain android In the device framework-res.apk: 
adb pull /system/framework/framework-res.apk
(2.)Install to local apktool in
apktool if ./framework-res.apk

Re sign

The APK file generated after compilation is not signed, so it cannot be installed.

adopt signapk yes APK Sign the file
 Use command:
    cat /User/android/Program/signapk
    java -jar ~/Program/signapk_jar/signapk.jar   ~/Program/signapk_jar/testkey.x509.pem  ~/Program/signapk_jar/testkey.pk8 $1 signed.apk
 These files are available from android Extracted from the source code.
Then finish apk Signature operation for:
    signapk Unsigned after compilation apk File address
 After signing, it will be generated in the above file address sign.apk file

Tags: Java Android Android Studio

Posted on Wed, 24 Nov 2021 01:39:53 -0500 by abda53