Android学习笔记（4）--反编译

解压APK（Zip压缩包）后，文件：classes.dex

一、反编译流程图

                 

二、工具使用方法（命令）

准备工作

假设我的工作目录为 $AndroidDecompile ，首先要将 system.img 中（或者说从源码中编译好的）几个重要的 odex 文件拷贝到工作目录中，他们是： core.odex, ext.odex, framework.odex, android.policy.odex, services.odex （也可以放在别的目录，通过设置 BOOTCLASSPATH 指定，默认就是当前目录，关于BOOTCLASSPATH 请参考 baksmali 的帮助信息）。

 

下载以下工具到 $AndroidDecompile 中：

Baksmali :

http://code.google.com/p/smali/downloads/list

 

Smali :

http://code.google.com/p/smali/downloads/list

 

Dex2jar :

http://code.google.com/p/dex2jar/downloads/list

 

JD-GUI (Java Decompile GUI) :

http://java.deco mpiler.free.fr/?q=jdgui <!--[if !supportNestedAnchors]--> <!--[endif]-->

 

AutoSign :

http://d.download.csdn.net/down/2768910/fjfdszj

 

Apktool

http://code.google.com/p/android-apktool/downloads/list

 

假设我们有一个应用，它的类文件编译后被单独拿了出来，即有两个文件 app.apk 和 app.odex ，把他们放在$AndroidDecompile 下。

 

1. 使用 baksmali.jar 将 odex 文件分解为 smali 文件

$ java –jar baksmali-1.2.5.jar –x app.odex

如果成功的话，会在 $AndroidDecompile 下生成一个 out 目录，里面是一些以“ .smali ”为后缀名的文件，在此不深究这些文件的作用。

注意：rom反编译时用最新版的baksmail.jar后面要跟上-d framework.odex的路径，并且jdk为7以上版本。

 

2. 使用 smali.jar 将 out/ 目录下的 smali 文件转换为 classes.dex

$ java -Xmx512M –jar smali-1.2.5.jar out –o classes.dex

classes.dex 便是 Dalvik VM 所使用的编译后的类文件格式，在正常的 apk 文件里都会有。

 

3. 使用 dex2jar 将 classes.dex 反编译为 jar 文件

将下载后的 dex2jar 压缩包解压后，里面会有 dex2jar.sh( 和 dex2jar.bat) 文件，假如 classes.dex 文件与dex2jar.sh 在同一目录下，使用以下方式将 classes.dex 反编译为 jar 文件：

$dex2jar.bat classes.dex

如果执行成功，则会在当前目录下生成反编译后的文件 classes.dex.dex2jar.jar 。

dex2jar 即可以操作 dex 文件，也可以直接操作 apk 文件，它的使用规则为：

dex2jar file1.dexORapk file2.dexORapk ...

 

4. 使用 JD-GUI 查看反编译后的 jar 文件

JD-GUI 是一个可视化的 Java 反编译代码查看器，它可以实时的将 class 文件反编译成 java 文件进行查看。解压下载的 jd-gui 文件，执行目录中的 jd-gui 可执行文件启动，然后加载上一步中反编译好的classes.dex.dex2jar.jar 文件即可。

 

5. 将从 odex 反编译后的 classes.dex 与其他资源文件重新打包成一个完整的 apk

以上我们假设的情况是应用程序编译后的类文件从 apk 文件中被剥离出来，下面要做的是如何将上述步骤中得到的 classes.dex 与 apk 中的其他文件重新打包成一个可用的 apk 。

首先将反编译后的 classes.dex 和原先的 app.apk （不含 classes.dex ）重新压缩成一个完整的 app.apk （apk 文件可用压缩工具打开），也就是说将 classes.dex 放进 app.apk 中。

将下载的 AutoSign 文件解压，可以看到有 signapk.jar （还有个 Sign.bat ）文件，执行以下命令给 app.apk文件签名，就可以生成一个可以运行的 apk 文件了。

$ java -jar signapk.jar testkey.x509.pem testkey.pk8 app.apk app_signed.apk

 

6. apktool 的使用

网上还有个工具是 apktool ，可以对 apk 进行解析，反编译资源文件，并将类文件解析成 smali 文件；同时还可以将解析后的文件重新打包成 apk 。功能和以上介绍的几个工具类似，它的使用方法如下：

apktool d app.apk and     反编译 app.apk 到文件夹 and

apktool b app                 从文件夹 app 重建 APK ，输出到 ABC\dist\out.apk

具体的使用方法在此不再赘述，请参考官方网站，或者：

http://www.geeka.net/2010/05/apktool-decode-android-google-code/

 

7. 我的 $AndroidDecompile 目录下的文件的截图

 

 

三、一些工具的帮助信息

1. baksmali 的帮助信息

usage: java -jar baksmali.jar [options] <dex-file>

disassembles and/or dumps a dex file

  -?,--help                                 Prints the help message then exits.

  -b,--no-debug-info                          Specify twice for debug options

                            don't write out debug info (.local,

                                            .param, .line, etc.)

  -c,--bootclasspath <BOOTCLASSPATH>      The bootclasspath jars to use, for

                                           analysis. Defaults to

                                           core.jar:ext.jar:framework.jar:andro

                                           id.policy.jar:services.jar. If the

                                           value begins with a :, it will be

                                           appended to the default

                                           bootclasspath instead of replacing it

  -d,--bootclasspath-dir <DIR>                 The base folder to look for the

                                            bootclasspath files in. Defaults to

                                           the current directory

  -f,--code-offsets                            Add comments to the disassembly

                                           containing the code offset for each address

  -l,--use-locals                              Output the .locals directive with

                                           the number of non-parameter

                                           registers, rather than the .register

  -o,--output <DIR>                           Directive with the total number of  register

                                            the directory where the disassembled

                                            files will be placed. The default is out

  -p,--no-parameter-registers                   Use the v<n> syntax instead of the

                                           p<n> syntax for registers mapped to

                                           method parameters

  -r,--register-info <REGISTER_INFO_TYPES>   Print the specificed type(s) of

                                           register information for each

                                           instruction. "ARGS,DEST" is the

                                           default if no types are specified.

                                           Valid values are:

                                           ALL: all pre- and post-instruction registers.

                                           ALLPRE: all pre-instruction registers

                                            ALLPOST: all post-instruction registers

                                           ARGS: any pre-instruction registers

                                                used as arguments to the instruction

                                            DEST: the post-instruction

                                                destination register, if any

                                           MERGE: Any pre-instruction register

                                                has been merged from more than 1

                                                different post-instruction register

                                                from its predecessors

                                           FULLMERGE: For each register that

                                               would be printed by MERGE, also show

                                              the incoming register types that

                                              were merged

  -s,--sequential-labels                        Create label names using a

                                           sequential numbering scheme per

                                           label type, rather than using the

                                           bytecode address

  -v,--version                                Prints the version then exits

  -x,--deodex                               Deodex the given odex file. This

                                           option is ignored if the input file

                                           is not an odex file

 

2. smali 的帮助信息

usage: java -jar smali.jar [options] [--] [<smali-file>|folder]*

assembles a set of smali files into a dex file

  -?,--help            prints the help message then exits. Specify twice for

                      debug options

  -o,--output <FILE>   the name of the dex file that will be written. The default

                      is out.dex

  -v,--version         prints the version then exits

 

3. auto-sign 的帮助信息

SignApk.jar is a tool included with the Android platform source bundle.

testkey.pk8 is the private key that is compatible with the recovery image included in this zip file

testkey.x509.pem is the corresponding certificate/public key

 

Usage:

java -jar signapk.jar testkey.x509.pem testkey.pk8 update.zip update_signed.zip

 

4. apktool 的帮助信息

Apktool v1.3.2 - a tool for reengineering Android apk files

Copyright 2010 Ryszard Wi?niewski <brut.alll@gmail.com>

Apache License 2.0 (http://www.apache.org/licenses/LICENSE-2.0)

 

Usage: apktool [-v|--verbose] COMMAND [...]

 

COMMANDs are:

 

    d[ecode] [OPTS] <file.apk> [<dir>]

        Decode <file.apk> to <dir>.

 

        OPTS:

 

        -s, --no-src

            Do not decode sources.

        -r, --no-res

            Do not decode resources.

        -d, --debug

            Decode in debug mode. Check project page for more info.

        -f, --force

            Force delete destination directory.

        -t <tag>, --frame-tag <tag>

            Try to use framework files tagged by <tag>.

        --keep-broken-res

            Use if there was an error and some resources were dropped, e.g.:

            "Invalid config flags detected. Dropping resources", but you

            want to decode them anyway, even with errors. You will have to

            fix them manually before building.

    b[uild] [OPTS] [<app_path>] [<out_file>]

        Build an apk from already decoded application located in <app_path>.

 

        It will automatically detect, whether files was changed and perform

        needed steps only.

 

        If you omit <app_path> then current directory will be used.

        If you omit <out_file> then <app_path>/dist/<name_of_original.apk>

        will be used.

 

        OPTS:

 

        -f, --force-all

            Skip changes detection and build all files.

        -d, --debug

            Build in debug mode. Check project page for more info.

 

    if|install-framework <framework.apk> [<tag>]

        Install framework file to your system.

For additional info, see: http://code.google.com/p/android-apktool/