某加固使用xposed脱壳

最新推荐文章于 2024-05-15 15:17:35 发布
最新推荐文章于 2024-05-15 15:17:35 发布
阅读量5k 收藏 2
点赞数
分类专栏: Android脱壳
原文链接:http://www.cnblogs.com/xiaobaiyey/p/5919921.html
版权

这壳免费版本的好久没更新了。前两天用个demo加固测试,发现还是老的加固,免费版本的用的还是去年的壳。

 

用什么加固不提了,没啥技术含量。关键点正确的code_off偏移超过dex文件大小,并且这个偏移在内存中位于dex文件后面,所有dump时候只要多dump一段就行
hook主要点:


    private void loadhooklib(XC_LoadPackage.LoadPackageParam lpparam) {
        XposedHelpers.findAndHookMethod(DexFile.class.getName(), lpparam.classLoader, "loadDex",String.class, String.class, int.class,
                new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        if (!param.hasThrowable()) {
                            int falg = (Integer) param.args[2];
                            String sourcePathName = (String) param.args[0];
                            String outputPathName = (String) param.args[1];
                            Logger.log("sourcePathName:" + sourcePathName + " outputPathName:" + outputPathName + " falg:" + falg);
                            Object object = param.getResult();
                            if (object instanceof DexFile) {
                                Field field = ((DexFile) object).getClass().getDeclaredField("mCookie");
                                field.setAccessible(true);
                                int cookie = field.getInt(object);
                                field.setAccessible(false);
                                System.out.println("cookie:" + String.format("%x", cookie));
                                Thread thread = new Thread(new DexFileInfo.dumpThread(cookie));
                                thread.start();
                            }
                        }
                    }
                });
    }
    static {
        System.load("/data/data/com.xiaobai.helptoolclient/lib/libnativelib.so");
    }
    class dumpThread implements Runnable {
        int cookide;
        public dumpThread(int cookide){
            this.cookide=cookide;
        }

        @Override
        public void run() {
            try {
                Thread.sleep(5000);//休眠5s 时间足够壳修复dex
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
            dumpdex(cookide);
        }
    }
    public native void dumpdex(int cookie);

hook点dalvik.system.DexFile类中的loadDex方法。http://androidxref.com/4.4_r1/xref/libcore/dalvik/src/main/java/dalvik/system/DexFile.java#141
此方法返回DexFile对象,通过反射 获取mCookie,将cookie值传入natvie方法在C层进行保存。


#include <jni.h>
#include <string>
#include <android/log.h>
#include "Object.h"
char* getExternalStorageDirectory(JNIEnv* env);
void printinfo(const char* tag, const char* fmt, ...);
char* jstringTostring(JNIEnv* env, jstring str)
{
    char* rtn = nullptr;
    jclass clsstring = env->FindClass("java/lang/String");
    jstring strencode = env->NewStringUTF("utf-8");
    jmethodID mid = env->GetMethodID(clsstring, "getBytes", "(Ljava/lang/String;)[B");
    jbyteArray barr = (jbyteArray)env->CallObjectMethod(str, mid, strencode);
    jsize alen = env->GetArrayLength(barr);
    jbyte* ba = env->GetByteArrayElements(barr, JNI_FALSE);
    if (alen > 0)
    {
        rtn = (char*)malloc(alen + 1);
        memcpy(rtn, ba, alen);
        rtn[alen] = 0;
    }
    env->ReleaseByteArrayElements(barr, ba, 0);

    return rtn;
}

char* getExternalStorageDirectory(JNIEnv* env)
{
    jclass Environment = env->FindClass("android/os/Environment");
    if (Environment != NULL)
    {
        //Messageprint::printinfo("util", "Environment class have found");
        jmethodID getExternalStorageDirectoryID = env->GetStaticMethodID(Environment, "getExternalStorageDirectory", "()Ljava/io/File;");
        if (getExternalStorageDirectoryID != NULL)
        {
            jobject fileobject = env->CallStaticObjectMethod(Environment, getExternalStorageDirectoryID);
            jclass Fileclass = env->FindClass("java/io/File");
            jmethodID getAbsolutePathId = env->GetMethodID(Fileclass, "getAbsolutePath", "()Ljava/lang/String;");
            jstring jstringPath = (jstring)env->CallObjectMethod(fileobject, getAbsolutePathId);
            char* StorageDirectoryPath = jstringTostring(env, jstringPath);
            return StorageDirectoryPath;
        }
    }
    return NULL;
}


extern "C"
JNIEXPORT void JNICALL
Java_com_xiaobai_helptoolclient_bean_DexFileInfo_dumpdex(JNIEnv *env, jobject instance,
                                                         jint cookie) {

    // TODO
    DexOrJar* pDexOrJar = (DexOrJar*)cookie;
    DvmDex* pDvmDex;
    printf("jni",pDexOrJar->fileName);
    if (pDexOrJar->isDex)
    {
        pDvmDex = pDexOrJar->pRawDexFile->pDvmDex;
    }
    else
    {
        pDvmDex = pDexOrJar->pJarFile->pDvmDex;
    }
    DexFile*dexFile =pDvmDex->pDexFile;
    MemMapping mapping=pDvmDex->memMap;
    printinfo("jni","MemMapping:addr:%x length:%x baseAddr:%x baseLength:%x",mapping.addr,mapping.length,mapping.baseAddr,mapping.baseLength);
    std::string path=getExternalStorageDirectory(env);
    path=path+"/xxxx.dex";
    FILE* file= fopen(path.c_str(),"wb+");
    fwrite(mapping.addr,mapping.length*3,1,file);//保存三倍dex文件长度
    fclose(file);

}
void printinfo(const char* tag, const char* fmt, ...)
{
    va_list ap;
    char buf[1024];

    va_start(ap, fmt);
    vsnprintf(buf, 1024, fmt, ap);
    va_end(ap);
    __android_log_write(ANDROID_LOG_INFO, tag, buf);
}

实际上就是保存dex文件长度的2-3倍的内存。在sdcard 下有个xxxx.dex,
头文件,这个头文件有点长,没精简直接复制过来的。
Object.h


/
// Created by xiaobai on 2016/9/25.
//

#ifndef HELPTOOLCLIENT_OBJECT_H
#define HELPTOOLCLIENT_OBJECT_H
#include <stddef.h>
#include <cstdint>

typedef uint8_t             u1;
typedef uint16_t            u2;
typedef uint32_t            u4;
typedef uint64_t            u8;
typedef int8_t              s1;
typedef int16_t             s2;
typedef int32_t             s4;
typedef int64_t             s8;
/* fwd decl */
struct DataObject;
struct InitiatingLoaderList;
struct ClassObject;
struct StringObject;
struct ArrayObject;
struct Method;
struct ExceptionEntry;
struct LineNumEntry;
struct StaticField;
struct InstField;
struct Field;
struct RegisterMap;

struct Object;
union JValue
{
    u1 z;
    s1 b;
    u2 c;
    s2 s;
    s4 i;
    s8 j;
    float f;
    double d;
    Object* l;
};

typedef void (*DalvikBridgeFunc)(const u4* args, JValue* pResult,
                                 const Method* method, struct Thread* self);

enum AccessFlags
{
    ACC_MIRANDA = 0x8000, // method (internal to VM)
    JAVA_FLAGS_MASK = 0xffff, // bits set from Java sources (low 16)
};

typedef void (*DalvikNativeFunc)(const u4* args, JValue* pResult);

enum ClassFlags
{
    CLASS_ISFINALIZABLE = (1 << 31), // class/ancestor overrides finalize()
    CLASS_ISARRAY = (1 << 30), // class is a "[*"
    CLASS_ISOBJECTARRAY = (1 << 29), // class is a "[L*" or "[[*"
    CLASS_ISCLASS = (1 << 28), // class is *the* class Class

    CLASS_ISREFERENCE = (1 << 27), // class is a soft/weak/phantom ref
    // only ISREFERENCE is set --> soft
            CLASS_ISWEAKREFERENCE = (1 << 26), // class is a weak reference
    CLASS_ISFINALIZERREFERENCE = (1 << 25), // class is a finalizer reference
    CLASS_ISPHANTOMREFERENCE = (1 << 24), // class is a phantom reference

    CLASS_MULTIPLE_DEFS = (1 << 23), // DEX verifier: defs in multiple DEXs

    /* unlike the others, these can be present in the optimized DEX file */
            CLASS_ISOPTIMIZED = (1 << 17), // class may contain opt instrs
    CLASS_ISPREVERIFIED = (1 << 16), // class has been pre-verified
};
#define EXPECTED_FILE_FLAGS \
    (ACC_CLASS_MASK | CLASS_ISPREVERIFIED | CLASS_ISOPTIMIZED)


#define SET_CLASS_FLAG(clazz, flag) \
    do { (clazz)->accessFlags |= (flag); } while (0)

#define CLEAR_CLASS_FLAG(clazz, flag) \
    do { (clazz)->accessFlags &= ~(flag); } while (0)

#define IS_CLASS_FLAG_SET(clazz, flag) \
    (((clazz)->accessFlags & (flag)) != 0)

#define GET_CLASS_FLAG_GROUP(clazz, flags) \
    ((u4)((clazz)->accessFlags & (flags)))

enum MethodFlags
{
    METHOD_ISWRITABLE = (1 << 31), // the method's code is writable
};

#define SET_METHOD_FLAG(method, flag) \
    do { (method)->accessFlags |= (flag); } while (0)

#define CLEAR_METHOD_FLAG(method, flag) \
    do { (method)->accessFlags &= ~(flag); } while (0)

#define IS_METHOD_FLAG_SET(method, flag) \
    (((method)->accessFlags & (flag)) != 0)

#define GET_METHOD_FLAG_GROUP(method, flags) \
    ((u4)((method)->accessFlags & (flags)))

enum ClassStatus
{
    CLASS_ERROR = -1,

    CLASS_NOTREADY = 0,
    CLASS_IDX = 1, /* loaded, DEX idx in super or ifaces */
            CLASS_LOADED = 2, /* DEX idx values resolved */
            CLASS_RESOLVED = 3, /* part of linking */
            CLASS_VERIFYING = 4, /* in the process of being verified */
            CLASS_VERIFIED = 5, /* logically part of linking; done pre-init */
            CLASS_INITIALIZING = 6, /* class init in progress */
            CLASS_INITIALIZED = 7, /* ready to go */
};
#define CLASS_WALK_SUPER ((unsigned int)(3))
#define CLASS_SMALLEST_OFFSET (sizeof(struct Object))
#define CLASS_BITS_PER_WORD (sizeof(unsigned long int) * 8)
#define CLASS_OFFSET_ALIGNMENT 4
#define CLASS_HIGH_BIT ((unsigned int)1 << (CLASS_BITS_PER_WORD - 1))
#define _CLASS_BIT_NUMBER_FROM_OFFSET(byteOffset) \
    (((unsigned int)(byteOffset) - CLASS_SMALLEST_OFFSET) / \
     CLASS_OFFSET_ALIGNMENT)
#define CLASS_CAN_ENCODE_OFFSET(byteOffset) \
    (_CLASS_BIT_NUMBER_FROM_OFFSET(byteOffset) < CLASS_BITS_PER_WORD)
#define CLASS_BIT_FROM_OFFSET(byteOffset) \
    (CLASS_HIGH_BIT >> _CLASS_BIT_NUMBER_FROM_OFFSET(byteOffset))
#define CLASS_OFFSET_FROM_CLZ(rshift) \
    (((int)(rshift) * CLASS_OFFSET_ALIGNMENT) + CLASS_SMALLEST_OFFSET)

struct InterfaceEntry
{
    ClassObject* clazz;
    int* methodIndexArray;
};

struct Object
{
    ClassObject* clazz;
    u4 lock;
};

#define DVM_OBJECT_INIT(obj, clazz_) \
    dvmSetFieldObject(obj, OFFSETOF_MEMBER(Object, clazz), clazz_)

struct DataObject : Object
{
    u4 instanceData[1];
};
struct StringObject : Object
{
    u4 instanceData[1];
    int length() const;
    int utfLength() const;
    ArrayObject* array() const;
    const u2* chars() const;
};
struct ArrayObject : Object
{
    u4 length;
    u8 contents[1];
};

struct InitiatingLoaderList
{
    Object** initiatingLoaders;
    int initiatingLoaderCount;
};
struct Field
{
    ClassObject* clazz; /* class in which the field is declared */
    const char* name;
    const char* signature; /* e.g. "I", "[C", "Landroid/os/Debug;" */
    u4 accessFlags;
};


struct StaticField : Field
{
    JValue value; /* initially set from DEX for primitives */
};
struct InstField : Field
{
    int byteOffset;
};

#define CLASS_FIELD_SLOTS   4
enum PrimitiveType
{
    PRIM_NOT = 0, /* value is a reference type, not a primitive type */
            PRIM_VOID = 1,
    PRIM_BOOLEAN = 2,
    PRIM_BYTE = 3,
    PRIM_SHORT = 4,
    PRIM_CHAR = 5,
    PRIM_INT = 6,
    PRIM_LONG = 7,
    PRIM_FLOAT = 8,
    PRIM_DOUBLE = 9,
};
struct ClassObject : Object
{
    u4 instanceData[CLASS_FIELD_SLOTS];

    const char* descriptor;
    char* descriptorAlloc;
    u4 accessFlags;
    u4 serialNumber;

    void* pDvmDex;

    ClassStatus status;

    ClassObject* verifyErrorClass;

    u4 initThreadId;

    size_t objectSize;

    ClassObject* elementClass;
    int arrayDim;
    PrimitiveType primitiveType;

    ClassObject* super;

    Object* classLoader;

    InitiatingLoaderList initiatingLoaderList;

    int interfaceCount;
    ClassObject** interfaces;

    int directMethodCount;
    Method* directMethods;
    int virtualMethodCount;
    Method* virtualMethods;

    
    int vtableCount;
    Method** vtable;

    int iftableCount;
    InterfaceEntry* iftable;

  
    int ifviPoolCount;
    int* ifviPool;

  
    int ifieldCount;
    int ifieldRefCount; // number of fields that are object refs
    InstField* ifields;

    u4 refOffsets;

    /* source file name, if known */
    const char* sourceFile;

    int sfieldCount;
    StaticField sfields[]; /* MUST be last item */
};


struct DexProto
{
    const void * dexFile; /* file the idx refers to */
    u4 protoIdx; /* index into proto_ids table of dexFile */
};

struct Method
{
    /* the class we are a part of */
    ClassObject* clazz;
    u4 accessFlags;

    u2 methodIndex;

    u2 registersSize; /* ins + locals */
    u2 outsSize;
    u2 insSize;

    /* method name, e.g. "<init>" or "eatLunch" */
    const char* name;

    DexProto prototype;

    const char* shorty;

    const u2* insns; /* instructions, in memory-mapped .dex */


    int jniArgInfo;


    DalvikBridgeFunc nativeFunc;


    bool fastJni;

   
    bool noRef;

   
    bool shouldTrace;

    
    const RegisterMap* registerMap;

    /* set if method was called during method profiling */
    bool inProfile;
};
enum
{
    ACC_PUBLIC = 0x00000001, // class, field, method, ic
    ACC_PRIVATE = 0x00000002, // field, method, ic
    ACC_PROTECTED = 0x00000004, // field, method, ic
    ACC_STATIC = 0x00000008, // field, method, ic
    ACC_FINAL = 0x00000010, // class, field, method, ic
    ACC_SYNCHRONIZED = 0x00000020, // method (only allowed on natives)
    ACC_SUPER = 0x00000020, // class (not used in Dalvik)
    ACC_VOLATILE = 0x00000040, // field
    ACC_BRIDGE = 0x00000040, // method (1.5)
    ACC_TRANSIENT = 0x00000080, // field
    ACC_VARARGS = 0x00000080, // method (1.5)
    ACC_NATIVE = 0x00000100, // method
    ACC_INTERFACE = 0x00000200, // class, ic
    ACC_ABSTRACT = 0x00000400, // class, method, ic
    ACC_STRICT = 0x00000800, // method
    ACC_SYNTHETIC = 0x00001000, // field, method, ic
    ACC_ANNOTATION = 0x00002000, // class, ic (1.5)
    ACC_ENUM = 0x00004000, // class, field, ic (1.5)
    ACC_CONSTRUCTOR = 0x00010000, // method (Dalvik only)
    ACC_DECLARED_SYNCHRONIZED =
    0x00020000, // method (Dalvik only)
    ACC_CLASS_MASK =
    (ACC_PUBLIC | ACC_FINAL | ACC_INTERFACE | ACC_ABSTRACT
     | ACC_SYNTHETIC | ACC_ANNOTATION | ACC_ENUM),
    ACC_INNER_CLASS_MASK =
    (ACC_CLASS_MASK | ACC_PRIVATE | ACC_PROTECTED | ACC_STATIC),
    ACC_FIELD_MASK =
    (ACC_PUBLIC | ACC_PRIVATE | ACC_PROTECTED | ACC_STATIC | ACC_FINAL
     | ACC_VOLATILE | ACC_TRANSIENT | ACC_SYNTHETIC | ACC_ENUM),
    ACC_METHOD_MASK =
    (ACC_PUBLIC | ACC_PRIVATE | ACC_PROTECTED | ACC_STATIC | ACC_FINAL
     | ACC_SYNCHRONIZED | ACC_BRIDGE | ACC_VARARGS | ACC_NATIVE
     | ACC_ABSTRACT | ACC_STRICT | ACC_SYNTHETIC | ACC_CONSTRUCTOR
     | ACC_DECLARED_SYNCHRONIZED),
};
bool dvmIsPublicMethod(const Method* method)
{
    return (method->accessFlags & ACC_PUBLIC) != 0;
}

bool dvmIsPrivateMethod(const Method* method)
{
    return (method->accessFlags & ACC_PRIVATE) != 0;
}

bool dvmIsStaticMethod(const Method* method)
{
    return (method->accessFlags & ACC_STATIC) != 0;
}

bool dvmIsSynchronizedMethod(const Method* method)
{
    return (method->accessFlags & ACC_SYNCHRONIZED) != 0;
}

bool dvmIsDeclaredSynchronizedMethod(const Method* method)
{
    return (method->accessFlags & ACC_DECLARED_SYNCHRONIZED) != 0;
}

bool dvmIsFinalMethod(const Method* method)
{
    return (method->accessFlags & ACC_FINAL) != 0;
}

bool dvmIsNativeMethod(const Method* method)
{
    return (method->accessFlags & ACC_NATIVE) != 0;
}

bool dvmIsAbstractMethod(const Method* method)
{
    return (method->accessFlags & ACC_ABSTRACT) != 0;
}

bool dvmIsSyntheticMethod(const Method* method)
{
    return (method->accessFlags & ACC_SYNTHETIC) != 0;
}

bool dvmIsMirandaMethod(const Method* method)
{
    return (method->accessFlags & ACC_MIRANDA) != 0;
}

bool dvmIsConstructorMethod(const Method* method)
{
    return *method->name == '<';
}

/* Dalvik puts private, static, and constructors into non-virtual table */
bool dvmIsDirectMethod(const Method* method)
{
    return dvmIsPrivateMethod(method) ||
           dvmIsStaticMethod(method) ||
           dvmIsConstructorMethod(method);
}

/* Get whether the given method has associated bytecode. This is the
* case for methods which are neither native nor abstract. */
bool dvmIsBytecodeMethod(const Method* method)
{
    return (method->accessFlags & (ACC_NATIVE | ACC_ABSTRACT)) == 0;
}

bool dvmIsProtectedField(const Field* field)
{
    return (field->accessFlags & ACC_PROTECTED) != 0;
}

bool dvmIsStaticField(const Field* field)
{
    return (field->accessFlags & ACC_STATIC) != 0;
}

bool dvmIsFinalField(const Field* field)
{
    return (field->accessFlags & ACC_FINAL) != 0;
}

bool dvmIsVolatileField(const Field* field)
{
    return (field->accessFlags & ACC_VOLATILE) != 0;
}

bool dvmIsInterfaceClass(const ClassObject* clazz)
{
    return (clazz->accessFlags & ACC_INTERFACE) != 0;
}

bool dvmIsPublicClass(const ClassObject* clazz)
{
    return (clazz->accessFlags & ACC_PUBLIC) != 0;
}

bool dvmIsFinalClass(const ClassObject* clazz)
{
    return (clazz->accessFlags & ACC_FINAL) != 0;
}

bool dvmIsAbstractClass(const ClassObject* clazz)
{
    return (clazz->accessFlags & ACC_ABSTRACT) != 0;
}

bool dvmIsAnnotationClass(const ClassObject* clazz)
{
    return (clazz->accessFlags & ACC_ANNOTATION) != 0;
}

bool dvmIsPrimitiveClass(const ClassObject* clazz)
{
    return clazz->primitiveType != PRIM_NOT;
}

/* linked, here meaning prepared and resolved */
bool dvmIsClassLinked(const ClassObject* clazz)
{
    return clazz->status >= CLASS_RESOLVED;
}

/* has class been verified? */
bool dvmIsClassVerified(const ClassObject* clazz)
{
    return clazz->status >= CLASS_VERIFIED;
}




bool dvmIsClassInitialized(const ClassObject* clazz)
{
    return (clazz->status == CLASS_INITIALIZED);
}

/* annotation constants */
enum
{
    kDexVisibilityBuild = 0x00, /* annotation visibility */
            kDexVisibilityRuntime = 0x01,
    kDexVisibilitySystem = 0x02,

    kDexAnnotationByte = 0x00,
    kDexAnnotationShort = 0x02,
    kDexAnnotationChar = 0x03,
    kDexAnnotationInt = 0x04,
    kDexAnnotationLong = 0x06,
    kDexAnnotationFloat = 0x10,
    kDexAnnotationDouble = 0x11,
    kDexAnnotationString = 0x17,
    kDexAnnotationType = 0x18,
    kDexAnnotationField = 0x19,
    kDexAnnotationMethod = 0x1a,
    kDexAnnotationEnum = 0x1b,
    kDexAnnotationArray = 0x1c,
    kDexAnnotationAnnotation = 0x1d,
    kDexAnnotationNull = 0x1e,
    kDexAnnotationBoolean = 0x1f,

    kDexAnnotationValueTypeMask = 0x1f, /* low 5 bits */
            kDexAnnotationValueArgShift = 5,
};

/* map item type codes */
enum
{
    kDexTypeHeaderItem = 0x0000,
    kDexTypeStringIdItem = 0x0001,
    kDexTypeTypeIdItem = 0x0002,
    kDexTypeProtoIdItem = 0x0003,
    kDexTypeFieldIdItem = 0x0004,
    kDexTypeMethodIdItem = 0x0005,
    kDexTypeClassDefItem = 0x0006,
    kDexTypeMapList = 0x1000,
    kDexTypeTypeList = 0x1001,
    kDexTypeAnnotationSetRefList = 0x1002,
    kDexTypeAnnotationSetItem = 0x1003,
    kDexTypeClassDataItem = 0x2000,
    kDexTypeCodeItem = 0x2001,
    kDexTypeStringDataItem = 0x2002,
    kDexTypeDebugInfoItem = 0x2003,
    kDexTypeAnnotationItem = 0x2004,
    kDexTypeEncodedArrayItem = 0x2005,
    kDexTypeAnnotationsDirectoryItem = 0x2006,
};

/* auxillary data section chunk codes */
enum
{
    kDexChunkClassLookup = 0x434c4b50, /* CLKP */
            kDexChunkRegisterMaps = 0x524d4150, /* RMAP */

            kDexChunkEnd = 0x41454e44, /* AEND */
};

/* debug info opcodes and constants */
enum
{
    DBG_END_SEQUENCE = 0x00,
    DBG_ADVANCE_PC = 0x01,
    DBG_ADVANCE_LINE = 0x02,
    DBG_START_LOCAL = 0x03,
    DBG_START_LOCAL_EXTENDED = 0x04,
    DBG_END_LOCAL = 0x05,
    DBG_RESTART_LOCAL = 0x06,
    DBG_SET_PROLOGUE_END = 0x07,
    DBG_SET_EPILOGUE_BEGIN = 0x08,
    DBG_SET_FILE = 0x09,
    DBG_FIRST_SPECIAL = 0x0a,
    DBG_LINE_BASE = -4,
    DBG_LINE_RANGE = 15,
};
enum
{
    kSHA1DigestLen = 20,
    kSHA1DigestOutputLen = kSHA1DigestLen * 2 + 1
};


/*
* Direct-mapped "header_item" struct.
*/
struct DexHeader
{
    u1 magic[8]; /* includes version number */
    u4 checksum; /* adler32 checksum */
    u1 signature[kSHA1DigestLen]; /* SHA-1 hash */
    u4 fileSize; /* length of entire file */
    u4 headerSize; /* offset to start of next section */
    u4 endianTag;
    u4 linkSize;
    u4 linkOff;
    u4 mapOff;
    u4 stringIdsSize;
    u4 stringIdsOff;
    u4 typeIdsSize;
    u4 typeIdsOff;
    u4 protoIdsSize;
    u4 protoIdsOff;
    u4 fieldIdsSize;
    u4 fieldIdsOff;
    u4 methodIdsSize;
    u4 methodIdsOff;
    u4 classDefsSize;
    u4 classDefsOff;
    u4 dataSize;
    u4 dataOff;
};

/*
* Direct-mapped "map_item".
*/
struct DexMapItem
{
    u2 type; /* type code (see kDexType* above) */
    u2 unused;
    u4 size; /* count of items of the indicated type */
    u4 offset; /* file offset to the start of data */
};

/*
* Direct-mapped "map_list".
*/
struct DexMapList
{
    u4 size; /* #of entries in list */
    DexMapItem list[1]; /* entries */
};

/*
* Direct-mapped "string_id_item".
*/
struct DexStringId
{
    u4 stringDataOff; /* file offset to string_data_item */
};

/*
* Direct-mapped "type_id_item".
*/
struct DexTypeId
{
    u4 descriptorIdx; /* index into stringIds list for type descriptor */
};

/*
* Direct-mapped "field_id_item".
*/
struct DexFieldId
{
    u2 classIdx; /* index into typeIds list for defining class */
    u2 typeIdx; /* index into typeIds for field type */
    u4 nameIdx; /* index into stringIds for field name */
};

/*
* Direct-mapped "method_id_item".
*/
struct DexMethodId
{
    u2 classIdx; /* index into typeIds list for defining class */
    u2 protoIdx; /* index into protoIds for method prototype */
    u4 nameIdx; /* index into stringIds for method name */
};

/*
* Direct-mapped "proto_id_item".
*/
struct DexProtoId
{
    u4 shortyIdx; /* index into stringIds for shorty descriptor */
    u4 returnTypeIdx; /* index into typeIds list for return type */
    u4 parametersOff; /* file offset to type_list for parameter types */
};

/*
* Direct-mapped "class_def_item".
*/
struct DexClassDef
{
    u4 classIdx; /* index into typeIds for this class */
    u4 accessFlags;
    u4 superclassIdx; /* index into typeIds for superclass */
    u4 interfacesOff; /* file offset to DexTypeList */
    u4 sourceFileIdx; /* index into stringIds for source file name */
    u4 annotationsOff; /* file offset to annotations_directory_item */
    u4 classDataOff; /* file offset to class_data_item */
    u4 staticValuesOff; /* file offset to DexEncodedArray */
};

/*
* Direct-mapped "type_item".
*/
struct DexTypeItem
{
    u2 typeIdx; /* index into typeIds */
};

/*
* Direct-mapped "type_list".
*/
struct DexTypeList
{
    u4 size; /* #of entries in list */
    DexTypeItem list[1]; /* entries */
};

typedef struct DexMapId
{
    u2 type; /*Section type*/

    u2 unused; /*unused*/
    u4 size; /* section size*/
    u4 offset; /* section offset */
} DexMapId;

/*
* Direct-mapped "code_item".
*
* The "catches" table is used when throwing an exception,
* "debugInfo" is used when displaying an exception stack trace or
* debugging. An offset of zero indicates that there are no entries.
*/
struct DexCode
{
    u2 registersSize;
    u2 insSize;
    u2 outsSize;
    u2 triesSize;
    u4 debugInfoOff; /* file offset to debug info stream */
    u4 insnsSize; /* size of the insns array, in u2 units */
    u2 insns[1];
    /* followed by optional u2 padding */
    /* followed by try_item[triesSize] */
    /* followed by uleb128 handlersSize */
    /* followed by catch_handler_item[handlersSize] */
};

/*
* Direct-mapped "try_item".
*/
struct DexTry
{
    u4 startAddr; /* start address, in 16-bit code units */
    u2 insnCount; /* instruction count, in 16-bit code units */
    u2 handlerOff; /* offset in encoded handler data to handlers */
};

/*
* Link table.  Currently undefined.
*/
struct DexLink
{
    u1 bleargh;
};


/*
* Direct-mapped "annotations_directory_item".
*/
struct DexAnnotationsDirectoryItem
{
    u4 classAnnotationsOff; /* offset to DexAnnotationSetItem */
    u4 fieldsSize; /* count of DexFieldAnnotationsItem */
    u4 methodsSize; /* count of DexMethodAnnotationsItem */
    u4 parametersSize; /* count of DexParameterAnnotationsItem */
    /* followed by DexFieldAnnotationsItem[fieldsSize] */
    /* followed by DexMethodAnnotationsItem[methodsSize] */
    /* followed by DexParameterAnnotationsItem[parametersSize] */
};

/*
* Direct-mapped "field_annotations_item".
*/
struct DexFieldAnnotationsItem
{
    u4 fieldIdx;
    u4 annotationsOff; /* offset to DexAnnotationSetItem */
};

/*
* Direct-mapped "method_annotations_item".
*/
struct DexMethodAnnotationsItem
{
    u4 methodIdx;
    u4 annotationsOff; /* offset to DexAnnotationSetItem */
};

/*
* Direct-mapped "parameter_annotations_item".
*/
struct DexParameterAnnotationsItem
{
    u4 methodIdx;
    u4 annotationsOff; /* offset to DexAnotationSetRefList */
};

/*
* Direct-mapped "annotation_set_ref_item".
*/
struct DexAnnotationSetRefItem
{
    u4 annotationsOff; /* offset to DexAnnotationSetItem */
};

/*
* Direct-mapped "annotation_set_ref_list".
*/
struct DexAnnotationSetRefList
{
    u4 size;
    DexAnnotationSetRefItem list[1];
};

/*
* Direct-mapped "annotation_set_item".
*/
struct DexAnnotationSetItem
{
    u4 size;
    u4 entries[1]; /* offset to DexAnnotationItem */
};

/*
* Direct-mapped "annotation_item".
*
* NOTE: this structure is byte-aligned.
*/
struct DexAnnotationItem
{
    u1 visibility;
    u1 annotation[1]; /* data in encoded_annotation format */
};

/*
* Direct-mapped "encoded_array".
*
* NOTE: this structure is byte-aligned.
*/
struct DexEncodedArray
{
    u1 array[1]; /* data in encoded_array format */
};

/*
* Lookup table for classes.  It provides a mapping from class name to
* class definition.  Used by dexFindClass().
*
* We calculate this at DEX optimization time and embed it in the file so we
* don't need the same hash table in every VM.  This is slightly slower than
* a hash table with direct pointers to the items, but because it's shared
* there's less of a penalty for using a fairly sparse table.
*/
struct DexClassLookup
{
    int size; // total size, including "size"
    int numEntries; // size of table[]; always power of 2
    struct
    {
        u4 classDescriptorHash; // class descriptor hash code
        int classDescriptorOffset; // in bytes, from start of DEX
        int classDefOffset; // in bytes, from start of DEX
    } table[1];
};

/*
* Header added by DEX optimization pass.  Values are always written in
* local byte and structure padding.  The first field (magic + version)
* is guaranteed to be present and directly readable for all expected
* compiler configurations; the rest is version-dependent.
*
* Try to keep this simple and fixed-size.
*/
struct DexOptHeader
{
    u1 magic[8]; /* includes version number */

    u4 dexOffset; /* file offset of DEX header */
    u4 dexLength;
    u4 depsOffset; /* offset of optimized DEX dependency table */
    u4 depsLength;
    u4 optOffset; /* file offset of optimized data tables */
    u4 optLength;

    u4 flags; /* some info flags */
    u4 checksum; /* adler32 checksum covering deps/opt */

    /* pad for 64-bit alignment if necessary */
};

#define DEX_OPT_FLAG_BIG            (1<<1)  /* swapped to big-endian */

#define DEX_INTERFACE_CACHE_SIZE    128     /* must be power of 2 */

/*
* Structure representing a DEX file.
*
* Code should regard DexFile as opaque, using the API calls provided here
* to access specific structures.
*/
struct DexFile
{
    /* directly-mapped "opt" header */
    const DexOptHeader* pOptHeader;

    /* pointers to directly-mapped structs and arrays in base DEX */
    const DexHeader* pHeader;
    const DexStringId* pStringIds;
    const DexTypeId* pTypeIds;
    const DexFieldId* pFieldIds;
    const DexMethodId* pMethodIds;
    const DexProtoId* pProtoIds;
    const DexClassDef* pClassDefs;
    const DexLink* pLinkData;

    /*
    * These are mapped out of the "auxillary" section, and may not be
    * included in the file.
    */
    const DexClassLookup* pClassLookup;
    const void* pRegisterMapPool; // RegisterMapClassPool

    /* points to start of DEX file data */
    const u1* baseAddr;

    /* track memory overhead for auxillary structures */
    int overhead;

    /* additional app-specific data structures associated with the DEX */
    //void*               auxData;
};


struct MemMapping
{
    void* addr; /* start of data */
    size_t length; /* length of data */

    void* baseAddr; /* page-aligned base address */
    size_t baseLength; /* length of mapping */
};

struct DvmDex
{
    /* pointer to the DexFile we're associated with */
    DexFile* pDexFile;

    /* clone of pDexFile->pHeader (it's used frequently enough) */
    const DexHeader* pHeader;

    /* interned strings; parallel to "stringIds" */
    struct StringObject** pResStrings;

    /* resolved classes; parallel to "typeIds" */
    struct ClassObject** pResClasses;

    /* resolved methods; parallel to "methodIds" */
    struct Method** pResMethods;

    /* resolved instance fields; parallel to "fieldIds" */
    /* (this holds both InstField and StaticField) */
    struct Field** pResFields;

    /* interface method lookup cache */
    struct AtomicCache* pInterfaceCache;

    /* shared memory region with file contents */
    bool isMappedReadOnly;
    MemMapping memMap;

    jobject dex_object;

    /* lock ensuring mutual exclusion during updates */
    pthread_mutex_t modLock;
};

struct JarFile
{
    u4* Nocare[9];
    char* cacheFileName;
    DvmDex* pDvmDex;
};

struct RawDexFile
{
    char* cacheFileName;
    struct DvmDex* pDvmDex; //DvmDex*
};

struct DexOrJar
{
    char* fileName;
    bool isDex;
    bool okayToFree;
    RawDexFile* pRawDexFile;
    JarFile* pJarFile;
    u1* pDexMemory; // malloc()ed memory, if any
};
#endif //HELPTOOLCLIENT_OBJECT_H

有任何问题可以在下面留言,谢谢。
@author:疯子在右

 

双刃剑客
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
xposed脱壳插件dumpdex .apk
06-10
基于xposes编写的脱壳插件, 可脱市面上大部分壳, 手机必须安装xposed框架才可以使用, 安装好插件之后重启手机激活插件, 启动要脱壳的apk, 成功脱壳的话会将脱出来的文件放在apk包目录下的dump文件夹中
xposed插件加固保护方案以及对华为方舟编译器的思考
大星星的专栏
10-25 2982
目前市面上各家加固厂商在对普通App的加固上已经做得比较成熟稳定,而且强度也很高了。但是似乎没有一个针对xposed插件加固的方案,笔者在试用了几家加固后,均会导致xposed插件的崩溃,要么就是插件功能失效,又或者运行性能大大影响导致App拦截的时候巨卡。 迫于无奈,对于本身就是安全从业者的笔者来说,只能自己动手想办法来解决了,以下提供两种思路,简单的demo笔者也已跑通了,但是可能稳定性上还需...
2024年安卓最全安卓逆向之基于Xposed-ZjDroid脱壳,二本学渣考研失败
最新发布
2401_84556783的博客
05-15 503
针对Android程序员,我这边给大家整理了一些资料,包括不限于高级UI、性能优化、架构师课程、NDK、混合式开发(ReactNative+Weex)微信小程序、Flutter等全方面的Android进阶实践技术;希望能帮助到大家,也节省大家在网上搜索资料的时间来学习,也可以分享动态给身边好友一起学习!往期Android高级架构资料、源码、笔记、视频。高级UI、性能优化、架构师课程、混合式开发(ReactNative+Weex)全方面的Android进阶实践技术,群内还有技术大牛一起讨论交流解决问题。
加固脱売工具,结合VirtualXposed一起使用
08-22
通过Hook ClassLoader的loadClass方法,反射调用getDex方法取得Dex(com.android.dex.Dex类对象),在将里面的dex写出。结合VirtualXposed一起使用
一个基于xposed和inline hook的一代壳脱壳工具
07-03
http://blog.csdn.net/zhangmiaoping23/article/details/74164657 原理 原理就是去hook libart.so里面的art::DexFile::OpenMemory,然后再把内存中的dex写到文件中去。就是这么简单,最主要的就是hook的时机,大部分的壳都是在attachBaseContext这个方法里面去完成代码的解密。所以呢,我们就去hook Application的attach方法,在这个方法执行之前,将我们的动态库加载起来,动态库里面实现的就是对art::DexFile::OpenMemory方法的劫持。这样的话在他解密代码前art::DexFile::OpenMemory就已经被我们给控制了,所以就可以为所欲为了。这里要感谢ele7enxxh提供的Android-Inline-Hook来让我可以对native层的hook。
[1195]Xposed+FDex2 app脱壳
周小董
05-19 2492
但是这种把java拿过来直接python调用的方法,不是任何时候都适用的,因为有时候,这段java代码可能是有很多的依赖的包,你运行的时候,就会缺少很多的包,这样就很麻烦,所以用python调用java的情况,这段代码最好不要有太多的依赖,有的app,接口调用的时候,有一个参数sign,要携带上请求接口才行,这个是变动的,你不知道,所以就不能调用通接口,可以通过重放来确定这个参数是不是动态的,下一步就是找到这个signature,然后看他怎么加密的,然后携带上这个signature,才可以请求这个api,
Art模式下基于Xposed Hook框架脱壳的代码
09-26
一份基于Art模式下Xposed Hook框架开发的脱壳工具的代码,对Android加固脱壳感兴趣的同学可以拿来学习参考一下。
使用过的一些逆向工具.zip
05-29
代码混淆、资源混淆、加固、字符串加密、密钥存so、xposed检测、常用逆向软件检测、签名验证、防hook等。。。 上面只是简述了几种常用逆向方式&防范方式,还有更多技能待了解&学习。 相关学习链接:
...
dumpDex::hundred_points:个Android脱壳工具,需要xposed支持,易开发已集成该项目:
02-18
dumpDex-Android脱壳插件需要在xposed环境中使用,支持市面上大多数加密壳,软件可以学习用,不要使用其他用途,项目不是成品,可能会引起软件崩溃编译环境Android Studio 3.0无法脱壳,请在文件中,将应用的包名加...
java安卓辅助源码-NaughtyWeCaht:一款可以发送微信好玩的语音Xposed插件
06-04
java安卓辅助源码 @ 应用展示 前景 曾经一直想做一款关于微信的软件,目标就是网上收集很多调皮捣蛋的语音或者录音变声,然后发送给某个微信好友,感觉很有意思 ...我的天加固了...,好吧,看来还得脱壳,脱壳方案,脱壳
ZjDroid.apk
07-01
ZjDroid是基于Xposed Framewrok的动态逆向分析模块,可以从内存中dump出dex,以完成加固应用的脱壳操作!
XposedHookTool资源:XposedHook所需要的工具资源
02-24
XposedHookToolResource XposedHook所需要的工具资源 0,FDex2.apk用来脱壳,目前360加固可破脱壳 1,jadx-gui-1.1.0-no-jre.exe导入.dex或者.apk可查看源代码
Dumpdex编译后的apk
11-11
dumpDex , 一个开源的 Android 脱壳插件工具,需要在 Xposed 环境中使用,支持市面上大多数加密壳(实测360加固、腾讯乐固、梆梆加固、百度加固均可脱壳)。 dumpDex需要依赖于Xposed 框架才能发挥作用。 Dumpdex...
ZjDroid下载、安装、使用教程
05-14
ZjDroid 是基于 Xposed Framework 的动态逆向分析模块,原本是百度安全实验室开发的一款脱壳神器。源代码原本是共享在 GitHub 上的,现在不知道什么原因,已经取消了共享。ZjDroid 的主要功能是逆向分析者可以通过 ...
Android代码-dumpDex
08-06
下载源码编译或者下载apk包并安装,应用xposed模块后重启,运行加固的应用后,插件会自动将dex文件dump到 /data/data/包名/dump 目录 apk文件不会实时更新,获取最新apk请自行编译源码 源码编译 将源码下载或者clone...
awesome-reverse:awesome-逆向基础入门,包括JS、安卓APPNative
04-28
简介 主要总结个人学习逆向相关所遇到的一些技术知识点和路径,因为逆向这个技术栈没有系统的规划路径,所以想要将工作中所遇到的和面试到的一些相关知识总结,面向逆向新人...安卓加固历代壳发展及对应脱壳技术 ARM
android xposed自动脚本,Android Studio + Xposed实现简单的hook(详细篇)
weixin_32487647的博客
05-26 1259
本帖最后由 Andy0214 于 2019-2-20 09:14 编辑一、Xposed框架实现Hook的原理介绍Dalvik 孵化器 Zygote是 Android 的核心,每运行一个 app,Zygote 就会 fork 一个虚拟机实例来运行 app,Xposed Framework 深入到了Android 核心机制中,通过改造 Zygote 来实现一些很牛逼的功能。Zygote 的启动配置在/...
FDex2脱腾讯乐固免费壳
本人随手记录,内容只是个人看懂程度,对内容有任何疑问请勿打扰
09-05 2460
app导出dex ,得到(⼀个或)多个dex⽂件,⽽这么多 dex ,其中只有⼀个是真正包含了安卓app的业 务逻辑的 dex ⽂件。 首先创建一个测试工程(随意自己写一个)。 然后进行腾讯乐固加固链接 然后进行签名,进行安装 打开该文件目录,可以发现有两个dex文件: 长按将两个文件复制到一个简单点的文件夹下,对其重命名(为了好导出来) 然后cmd:adb pull dev/bus/1.dex [本地文件路径] 用jadx-gui打开,其中可看到2.dex是原本程序的dex文件 ...
记一次使用Xposed框架DumpDex插件脱壳
Kawa103的博客
10-25 7582
DumpDex源码:https://github.com/WrBug/dumpDex   使用的时候还需要自己将安装包里面的lib里面的包导入手机,解压安装包就能看到lib目录 导入到这个文件夹/data/local/tmp/    因为DumpDex插件是这样加载so包的,看下面代码知道 插件运行的时候有个问题需要处理,就是 seLinux导致权限问题 导致错误:java.lan...
360加固一键脱壳工具
10-07
引用和引用[2]提供了关于360加固一键脱壳工具的信息。根据这两个引用,有两个工具可以实现360加固一键脱壳。第一个工具是"drizzleDumper",它是一个半自动化的...使用这两个工具可以方便地进行360加固一键脱壳操作。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值