1.解压apk
把.apk后缀名修改成zip,解压提取出classes.dex
2.修改classes.dex
通过 IDA PRO 或 C32ASM 等工具修改文件中的值
3.利用工具对修改后的classes.dex重新校验(重新计算文件头中的checksum和SHA-1 signature)
可以使用 dexfixer,或者自己编写工具,Java 代码如下:
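/**
 * Recomputes the two integrity fields in the header of a DEX file after the
 * file contents have been changed.
 *
 * <p>The fields handled here are:
 * <ul>
 *   <li>bytes 12..31: SHA-1 digest of everything from byte 32 to the end of the file;</li>
 *   <li>bytes 8..11: Adler-32 of everything from byte 12 to the end of the file,
 *       stored little-endian.</li>
 * </ul>
 * The SHA-1 field must be written first because it lies inside the range the
 * Adler-32 covers. No other header field is touched.
 *
 * <p>Security note: both values are unkeyed and can be recomputed by anyone who
 * edits the file, so a matching header only shows the file is self-consistent.
 * It says nothing about who produced it; that assurance comes from verifying
 * the signing certificate of the enclosing package.
 */
public class FixDexHeaderUtil {

    /** Offset of the 4-byte little-endian Adler-32 field. */
    private static final int CHECKSUM_OFFSET = 8;

    /** Offset of the 20-byte SHA-1 field; the Adler-32 input also starts here. */
    private static final int SIGNATURE_OFFSET = 12;

    /** First byte after the SHA-1 field; the SHA-1 input starts here. */
    private static final int HASHED_DATA_OFFSET = 32;

    /**
     * Rewrites the header digest and checksum of the given file in place.
     *
     * <p>The file is only written after it has been read completely and both
     * values have been computed, so a failed read or a too-short input never
     * overwrites the original.
     *
     * @param file path of the DEX file to update
     * @throws IllegalArgumentException if the file is shorter than the 32 header
     *         bytes this class writes into
     * @throws IllegalStateException if the file cannot be read or written, or
     *         SHA-1 is not available
     */
    public static void fix(String file) {
        byte[] fBytes = readFile(file);
        fix(fBytes);
        saveFile(fBytes, file);
    }

    /**
     * Reads the whole file into memory.
     *
     * @throws IllegalStateException if reading fails; a partial buffer is never
     *         returned, because the caller would write it back over the file
     */
    private static byte[] readFile(String file) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (FileInputStream fis = new FileInputStream(file)) {
            byte[] buf = new byte[8192];
            int len;
            while ((len = fis.read(buf)) != -1) {
                bos.write(buf, 0, len);
            }
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read " + file, e);
        }
        return bos.toByteArray();
    }

    /**
     * Writes the buffer over the given file.
     *
     * @throws IllegalStateException if writing fails, so the caller knows the
     *         file on disk may be incomplete
     */
    private static void saveFile(byte[] fBytes, String file) {
        try (FileOutputStream fos = new FileOutputStream(file)) {
            fos.write(fBytes);
            fos.flush();
        } catch (IOException e) {
            throw new IllegalStateException("Cannot write " + file, e);
        }
    }

    /**
     * Updates both header fields of the buffer in place.
     *
     * @throws IllegalArgumentException if the buffer cannot hold the header fields
     */
    private static void fix(byte[] fBytes) {
        if (fBytes == null || fBytes.length < HASHED_DATA_OFFSET) {
            throw new IllegalArgumentException(
                    "Input is shorter than " + HASHED_DATA_OFFSET + " bytes; not a complete DEX header");
        }
        // Order matters: the Adler-32 range includes the SHA-1 field.
        fixSha1Signature(fBytes);
        fixChecksum(fBytes);
    }

    /** Stores SHA-1(bytes 32..end) at bytes 12..31. */
    private static void fixSha1Signature(byte[] fBytes) {
        MessageDigest sha1;
        try {
            sha1 = MessageDigest.getInstance("SHA-1");
        } catch (NoSuchAlgorithmException e) {
            // Fail instead of continuing: a stale digest followed by a fresh
            // checksum would leave the header inconsistent.
            throw new IllegalStateException("SHA-1 digest is not available", e);
        }
        sha1.update(fBytes, HASHED_DATA_OFFSET, fBytes.length - HASHED_DATA_OFFSET);
        byte[] hashBytes = sha1.digest();
        System.arraycopy(hashBytes, 0, fBytes, SIGNATURE_OFFSET, hashBytes.length);
    }

    /** Stores Adler-32(bytes 12..end) at bytes 8..11, least significant byte first. */
    private static void fixChecksum(byte[] fBytes) {
        Adler32 adler = new Adler32();
        adler.update(fBytes, SIGNATURE_OFFSET, fBytes.length - SIGNATURE_OFFSET);
        int sum = (int) adler.getValue();
        for (int i = 0; i < 4; i++) {
            fBytes[CHECKSUM_OFFSET + i] = (byte) (sum >>> (8 * i));
        }
    }
}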
4.把classes.dex重新放入apk中
使用aapt命令:先删除原apk包中的classes.dex(aapt r),再把修改后的classes.dex添加进去(aapt a)
./aapt r source.apk classes.dex
./aapt a source.apk classes.dex
5.重新签名apk
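推荐使用 Android Crack Tool 工具中的签名方法,比较方便;或者手动使用 JDK 自带的 jarsigner 签名(keytool 只用于生成和管理密钥库)。注意:重新签名后的apk使用的是你自己的证书,与原始开发者的签名证书不同,系统不会把它当作原应用的更新来安装,应用或服务端校验签名证书时也能识别出来。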
/Library/Java/JavaVirtualMachines/jdk1.7.0_79.jdk/Contents/Home/bin/jarsigner -verbose -keystore 你的key.keystore -signedjar 签名后的文件名.apk 原始文件.apk '签名文件的别名(key alias)'
6.完成