• Android APK加壳技术方案代码实现


    本文章由Jack_Jia编写,转载请注明出处。  

    文章链接:http://blog.csdn.net/jiazhijun/article/details/8746917

    作者:Jack_Jia    邮箱: 309zhijun@163.com


     一、序言


            在上篇“Android APK加壳技术方案”(http://blog.csdn.net/jiazhijun/article/details/8678399)博文中,根据加壳数据在解壳程序Dex文件所处的位置,我提出了两种Android Dex加壳技术实现方案,本片博文将对方案1代码实现进行讲解。博友可以根据方案1的代码实现原理对方案2自行实现。

           在方案1的代码实现过程中,各种不同的问题接踵出现,最初的方案也在不同问题的出现、解决过程中不断的得到调整、优化。

           本文的代码实现了对整个APK包的加壳处理。加壳程序不会对源程序有任何的影响。


    二、代码实现


         本程序基于Android2.3代码实现,因为牵扯到系统代码的反射修改,本程序不保证在其它android版本正常工作,博友可以根据实现原理,自行实现对其它Android版本的兼容性开发。


         1、 加壳程序流程及代码实现

                      1、加密源程序APK为解壳数据

                      2、把解壳数据写入解壳程序DEX文件末尾,并在文件尾部添加解壳数据的大小。

                      3、修改解壳程序DEX头中checksum、signature 和file_size头信息。


           代码实现如下:

    package com.android.dexshell;
    import java.io.ByteArrayOutputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.zip.Adler32;
    
    public class DexShellTool {
    	/**
    	 * @param args
    	 */
    	public static void main(String[] args) {
    		// TODO Auto-generated method stub
    		try {
    			File payloadSrcFile = new File("g:/payload.apk");
    			File unShellDexFile = new File("g:/unshell.dex");
    			byte[] payloadArray = encrpt(readFileBytes(payloadSrcFile));
    			byte[] unShellDexArray = readFileBytes(unShellDexFile);
    			int payloadLen = payloadArray.length;
    			int unShellDexLen = unShellDexArray.length;
    			int totalLen = payloadLen + unShellDexLen +4;
    			byte[] newdex = new byte[totalLen];
    			//添加解壳代码
    			System.arraycopy(unShellDexArray, 0, newdex, 0, unShellDexLen);
    			//添加加密后的解壳数据
    			System.arraycopy(payloadArray, 0, newdex, unShellDexLen,
    					payloadLen);
    			//添加解壳数据长度
    			System.arraycopy(intToByte(payloadLen), 0, newdex, totalLen-4, 4);
                            //修改DEX file size文件头
    			fixFileSizeHeader(newdex);
    			//修改DEX SHA1 文件头
    			fixSHA1Header(newdex);
    			//修改DEX CheckSum文件头
    			fixCheckSumHeader(newdex);
    
    
    			String str = "g:/classes.dex";
    			File file = new File(str);
    			if (!file.exists()) {
    				file.createNewFile();
    			}
    			
    			FileOutputStream localFileOutputStream = new FileOutputStream(str);
    			localFileOutputStream.write(newdex);
    			localFileOutputStream.flush();
    			localFileOutputStream.close();
    
    
    		} catch (Exception e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		}
    	}
    	
    	//直接返回数据,读者可以添加自己加密方法
    	private static byte[] encrpt(byte[] srcdata){
    		return srcdata;
    	}
    
    
    	private static void fixCheckSumHeader(byte[] dexBytes) {
    		Adler32 adler = new Adler32();
    		adler.update(dexBytes, 12, dexBytes.length - 12);
    		long value = adler.getValue();
    		int va = (int) value;
    		byte[] newcs = intToByte(va);
    		byte[] recs = new byte[4];
    		for (int i = 0; i < 4; i++) {
    			recs[i] = newcs[newcs.length - 1 - i];
    			System.out.println(Integer.toHexString(newcs[i]));
    		}
    		System.arraycopy(recs, 0, dexBytes, 8, 4);
    		System.out.println(Long.toHexString(value));
    		System.out.println();
    	}
    
    
    	public static byte[] intToByte(int number) {
    		byte[] b = new byte[4];
    		for (int i = 3; i >= 0; i--) {
    			b[i] = (byte) (number % 256);
    			number >>= 8;
    		}
    		return b;
    	}
    
    
    	private static void fixSHA1Header(byte[] dexBytes)
    			throws NoSuchAlgorithmException {
    		MessageDigest md = MessageDigest.getInstance("SHA-1");
    		md.update(dexBytes, 32, dexBytes.length - 32);
    		byte[] newdt = md.digest();
    		System.arraycopy(newdt, 0, dexBytes, 12, 20);
    		String hexstr = "";
    		for (int i = 0; i < newdt.length; i++) {
    			hexstr += Integer.toString((newdt[i] & 0xff) + 0x100, 16)
    					.substring(1);
    		}
    		System.out.println(hexstr);
    	}
    
    
    	private static void fixFileSizeHeader(byte[] dexBytes) {
    
    
    		byte[] newfs = intToByte(dexBytes.length);
    		System.out.println(Integer.toHexString(dexBytes.length));
    		byte[] refs = new byte[4];
    		for (int i = 0; i < 4; i++) {
    			refs[i] = newfs[newfs.length - 1 - i];
    			System.out.println(Integer.toHexString(newfs[i]));
    		}
    		System.arraycopy(refs, 0, dexBytes, 32, 4);
    	}
    
    
    	private static byte[] readFileBytes(File file) throws IOException {
    		byte[] arrayOfByte = new byte[1024];
    		ByteArrayOutputStream localByteArrayOutputStream = new ByteArrayOutputStream();
    		FileInputStream fis = new FileInputStream(file);
    		while (true) {
    			int i = fis.read(arrayOfByte);
    			if (i != -1) {
    				localByteArrayOutputStream.write(arrayOfByte, 0, i);
    			} else {
    				return localByteArrayOutputStream.toByteArray();
    			}
    		}
    	}
    
    
    }


        2、 解壳程序流程及代码实现

              在解壳程序的开发过程中需要解决如下几个关键的技术问题:

             (1)解壳代码如何能够第一时间执行

                      Android程序由不同的组件构成,系统在有需要的时候启动程序组件。因此解壳程序必须在Android系统启动组件之前运行,完成对解壳数                据的解壳及APK文件的动态加载,否则会使程序出现加载类失败的异常。

                      Android开发者都知道Applicaiton做为整个应用的上下文,会被系统第一时间调用,这也是应用开发者程序代码的第一执行点。因此通过对              AndroidMainfest.xml的application的配置可以实现解壳代码第一时间运行。

        <application
            android:icon="@drawable/ic_launcher"
            android:label="@string/app_name"
            android:theme="@style/AppTheme" android:name="com.android.dexunshell.ProxyApplication" >
        </application>

             (2)如何替换回源程序原有的Application?

                      当在AndroidMainfest.xml文件配置为解壳代码的Application时。源程序原有的Applicaiton将被替换,为了不影响源程序代码逻辑,我们需要              在解壳代码运行完成后,替换回源程序原有的Application对象。我们通过在AndroidMainfest.xml文件中配置原有Applicaiton类信息来达到我们              的目的。解壳程序要在运行完毕后通过创建配置的Application对象,并通过反射修改回原Application。

        <application
            android:icon="@drawable/ic_launcher"
            android:label="@string/app_name"
            android:theme="@style/AppTheme" android:name="com.android.dexunshell.ProxyApplication" >
            <meta-data android:name="APPLICATION_CLASS_NAME" android:value="com.***.Application"/>
        </application>

              

              (3)如何通过DexClassLoader实现对apk代码的动态加载。

                      我们知道DexClassLoader加载的类是没有组件生命周期的,也就是说即使DexClassLoader通过对APK的动态加载完成了对组件类的加载,              当系统启动该组件时,还会出现加载类失败的异常。为什么组件类被动态加载入虚拟机,但系统却出现加载类失败呢?

                      通过查看Android源代码我们知道组件类的加载是由另一个ClassLoader来完成的,DexClassLoader和系统组件ClassLoader并不存在关                  系,系统组件ClassLoader当然找不到由DexClassLoader加载的类,如果把系统组件ClassLoader的parent修改成DexClassLoader,我们就可              以实现对apk代码的动态加载。


             (4)如何使解壳后的APK资源文件被代码动态引用。

                     代码默认引用的资源文件在最外层的解壳程序中,因此我们要增加系统的资源加载路径来实现对借壳后APK文件资源的加载。


            解壳实现代码:

    package com.android.dexunshell;
    
    import java.io.BufferedInputStream;
    import java.io.ByteArrayInputStream;
    import java.io.ByteArrayOutputStream;
    import java.io.DataInputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.lang.ref.WeakReference;
    import java.util.ArrayList;
    import java.util.HashMap;
    import java.util.Iterator;
    import java.util.zip.ZipEntry;
    import java.util.zip.ZipInputStream;
    
    import dalvik.system.DexClassLoader;
    import android.app.Application;
    import android.content.pm.ApplicationInfo;
    import android.content.pm.PackageManager;
    import android.content.pm.PackageManager.NameNotFoundException;
    import android.os.Bundle;
    
    public class ProxyApplication extends Application {
    
    	private static final String appkey = "APPLICATION_CLASS_NAME";
    	private String apkFileName;
    	private String odexPath;
    	private String libPath;
    	@Override
    	public void onCreate() {
    		// TODO Auto-generated method stub
    		super.onCreate();
    		try {
    			File odex = this.getDir("payload_odex", MODE_PRIVATE);
    			File libs = this.getDir("payload_lib", MODE_PRIVATE);
    			odexPath = odex.getAbsolutePath();
    			libPath = libs.getAbsolutePath();
    			apkFileName = odex.getAbsolutePath()+"/payload.apk";
    			File dexFile = new File(apkFileName);
    			if(!dexFile.exists())
    				dexFile.createNewFile();
    			//读取程序classes.dex文件
    			byte[] dexdata = this.readDexFileFromApk();
    			//分离出解壳后的apk文件已用于动态加载
    			this.splitPayLoadFromDex(dexdata);
    			//配置动态加载环境
    			this.configApplicationEnv();
    			
    		} catch (Exception e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		}
    	}
    	
    	private void configApplicationEnv() throws NameNotFoundException, IllegalAccessException, InstantiationException, ClassNotFoundException, IOException{ 
    
    		Object currentActivityThread = RefInvoke.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread", new Class[]{}, new Object[]{});
            HashMap mPackages = (HashMap)RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mPackages");
            //替换组件类加载器为DexClassLoader,已使动态加载代码具有组件生命周期
            WeakReference wr = (WeakReference) mPackages.get(this.getPackageName());
    		DexClassLoader dLoader = new DexClassLoader(apkFileName,
    				odexPath, libPath, (ClassLoader) RefInvoke.getFieldOjbect("android.app.LoadedApk", wr.get(), "mClassLoader"));
            RefInvoke.setFieldOjbect("android.app.LoadedApk", "mClassLoader", wr.get(), dLoader);
    
            //如果源应用配置有Appliction对象,则替换为源应用Applicaiton,以便不影响源程序逻辑。
    		ApplicationInfo appInfo = this.getPackageManager().getApplicationInfo(this.getPackageName(),PackageManager.GET_META_DATA);
    		Bundle bundle =  appInfo.metaData;
    		if(bundle != null && bundle.containsKey(appkey)){
    			
    			String appClassName = bundle.getString(appkey);
    			Application app = (Application)Class.forName(appClassName).newInstance();
    			RefInvoke.setFieldOjbect("android.app.ContextImpl", "mOuterContext", this.getBaseContext(), app);
    			RefInvoke.setFieldOjbect("android.content.ContextWrapper", "mBase", app, this.getBaseContext());
    			Object mBoundApplication = RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mBoundApplication");
    			Object info = RefInvoke.getFieldOjbect("android.app.ActivityThread$AppBindData", mBoundApplication, "info");
    			RefInvoke.setFieldOjbect("android.app.LoadedApk", "mApplication", info, app);
    			Object oldApplication = RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mInitialApplication");
    			RefInvoke.setFieldOjbect("android.app.ActivityThread", "mInitialApplication", currentActivityThread, app);
    			ArrayList<Application> mAllApplications = (ArrayList<Application>)RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mAllApplications");
    			mAllApplications.remove(oldApplication);
    			mAllApplications.add(app);
    			HashMap mProviderMap = (HashMap) RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mProviderMap");
    			Iterator it = mProviderMap.values().iterator();
    			while(it.hasNext()){
    				Object providerClientRecord = it.next();
    				Object localProvider = RefInvoke.getFieldOjbect("android.app.ProviderClientRecord", providerClientRecord, "mLocalProvider");
    				RefInvoke.setFieldOjbect("android.content.ContentProvider", "mContext", localProvider, app);
    			}
    			RefInvoke.invokeMethod(appClassName, "onCreate", app, new Class[]{}, new Object[]{});
    		}
    	}
    	
    	private void splitPayLoadFromDex(byte[] data) throws IOException{
    		byte[] apkdata = decrypt(data);
    		int ablen = apkdata.length;
    		byte[] dexlen = new byte[4];
    		System.arraycopy(apkdata, ablen - 4, dexlen, 0, 4);
    		ByteArrayInputStream bais = new ByteArrayInputStream(dexlen);
    		DataInputStream in = new DataInputStream(bais);
    		int readInt = in.readInt();
    		System.out.println(Integer.toHexString(readInt));
    		byte[] newdex = new byte[readInt];
    		System.arraycopy(apkdata, ablen - 4 - readInt, newdex, 0, readInt);
    		File file = new File(apkFileName);
    		try {
    			FileOutputStream localFileOutputStream = new FileOutputStream(file);
    			localFileOutputStream.write(newdex);
    			localFileOutputStream.close();
    
    		} catch (IOException localIOException) {
    			throw new RuntimeException(localIOException);
    		}
    		
    		ZipInputStream localZipInputStream = new ZipInputStream(
    				new BufferedInputStream(new FileInputStream(file)));
    		while (true) {
    			ZipEntry localZipEntry = localZipInputStream.getNextEntry();
    			if (localZipEntry == null) {
    				localZipInputStream.close();
    				break;
    			}
    			String name = localZipEntry.getName();
    			if (name.startsWith("lib/") && name.endsWith(".so")) {
    				File storeFile = new File(libPath+"/"+name.substring(name.lastIndexOf('/')));
    				storeFile.createNewFile();
    				FileOutputStream fos = new FileOutputStream(storeFile);
    				byte[] arrayOfByte = new byte[1024];
    				while (true) {
    					int i = localZipInputStream.read(arrayOfByte);
    					if (i == -1)
    						break;
    					fos.write(arrayOfByte, 0, i);
    				}
    				fos.flush();
    				fos.close();	
    			}
    			localZipInputStream.closeEntry();
    		}
    		localZipInputStream.close();	
    		
    	}
    	
    	private byte[] readDexFileFromApk() throws IOException {
    		ByteArrayOutputStream dexByteArrayOutputStream = new ByteArrayOutputStream();
    		ZipInputStream localZipInputStream = new ZipInputStream(
    				new BufferedInputStream(new FileInputStream(this.getApplicationInfo().sourceDir)));
    		while (true) {
    			ZipEntry localZipEntry = localZipInputStream.getNextEntry();
    			if (localZipEntry == null) {
    				localZipInputStream.close();
    				break;
    			}
    			if (localZipEntry.getName().equals("classes.dex")) {
    				byte[] arrayOfByte = new byte[1024];
    				while (true) {
    					int i = localZipInputStream.read(arrayOfByte);
    					if (i == -1)
    						break;
    					dexByteArrayOutputStream.write(arrayOfByte, 0, i);
    				}
    			}
    			localZipInputStream.closeEntry();
    		}
    		localZipInputStream.close();
    		return dexByteArrayOutputStream.toByteArray();
    	}
    	
    	////直接返回数据,读者可以添加自己解密方法
    	private byte[] decrypt(byte[] data){
    		return data;
    	}
    }
    


            RefInvoke为反射调用工具类:


    package com.android.dexunshell;
    
    import java.lang.reflect.Field;
    import java.lang.reflect.InvocationTargetException;
    import java.lang.reflect.Method;
    
    public class RefInvoke {
    	
    	public static  Object invokeStaticMethod(String class_name, String method_name, Class[] pareTyple, Object[] pareVaules){
    		
    		try {
    			Class obj_class = Class.forName(class_name);
    			Method method = obj_class.getMethod(method_name,pareTyple);
    			return method.invoke(null, pareVaules);
    		} catch (SecurityException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		}  catch (IllegalArgumentException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (IllegalAccessException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (NoSuchMethodException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (InvocationTargetException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (ClassNotFoundException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		}
    		return null;
    		
    	}
    	
    	public static  Object invokeMethod(String class_name, String method_name, Object obj ,Class[] pareTyple, Object[] pareVaules){
    		
    		try {
    			Class obj_class = Class.forName(class_name);
    			Method method = obj_class.getMethod(method_name,pareTyple);
    			return method.invoke(obj, pareVaules);
    		} catch (SecurityException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		}  catch (IllegalArgumentException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (IllegalAccessException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (NoSuchMethodException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (InvocationTargetException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (ClassNotFoundException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		}
    		return null;
    		
    	}
    	
    	public static Object getFieldOjbect(String class_name,Object obj, String filedName){
    		try {
    			Class obj_class = Class.forName(class_name);
    			Field field = obj_class.getDeclaredField(filedName);
    			field.setAccessible(true);
    			return field.get(obj);
    		} catch (SecurityException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (NoSuchFieldException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (IllegalArgumentException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (IllegalAccessException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (ClassNotFoundException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		}
    		return null;
    		
    	}
    	
    	public static Object getStaticFieldOjbect(String class_name, String filedName){
    		
    		try {
    			Class obj_class = Class.forName(class_name);
    			Field field = obj_class.getDeclaredField(filedName);
    			field.setAccessible(true);
    			return field.get(null);
    		} catch (SecurityException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (NoSuchFieldException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (IllegalArgumentException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (IllegalAccessException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (ClassNotFoundException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		}
    		return null;
    		
    	}
    	
    	public static void setFieldOjbect(String classname, String filedName, Object obj, Object filedVaule){
    		try {
    			Class obj_class = Class.forName(classname);
    			Field field = obj_class.getDeclaredField(filedName);
    			field.setAccessible(true);
    			field.set(obj, filedVaule);
    		} catch (SecurityException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (NoSuchFieldException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (IllegalArgumentException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (IllegalAccessException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (ClassNotFoundException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		}	
    	}
    	
    	public static void setStaticOjbect(String class_name, String filedName, Object filedVaule){
    		try {
    			Class obj_class = Class.forName(class_name);
    			Field field = obj_class.getDeclaredField(filedName);
    			field.setAccessible(true);
    			field.set(null, filedVaule);
    		} catch (SecurityException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (NoSuchFieldException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (IllegalArgumentException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (IllegalAccessException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		} catch (ClassNotFoundException e) {
    			// TODO Auto-generated catch block
    			e.printStackTrace();
    		}		
    	}
    
    }
    


    三、总结


           本文代码基本实现了APK文件的加壳及脱壳原理,该代码作为实验代码还有诸多地方需要改进。比如:

                 1、加壳数据的加密算法的添加。

                 2、脱壳代码由java语言实现,可通过C代码的实现对脱壳逻辑进行保护,以达到更好的反逆向分析效果。


            

  • 相关阅读:
    痞子衡嵌入式:单片机AI的春天已来,ARM Cortex-M55发布了
    《痞子衡嵌入式半月刊》 第 1 期
    痞子衡嵌入式:ARM Cortex-M内核那些事(6)- 系统堆栈机制
    痞子衡嵌入式:嵌入式里堆栈原理及其纯C实现
    将博客搬至CSDN
    痞子衡嵌入式:知名半导体MCU大厂软件开发C代码规范
    痞子衡嵌入式:语音处理工具pzh-speech诞生记(4)- 音频录播实现(PyAudio)
    痞子衡嵌入式:语音处理工具pzh-speech诞生记(2)- 界面构建(wxFormBuilder3.8.0)
    痞子衡嵌入式:ARM Cortex-M内核那些事(3.2)- 为Security而生(M23/33/35P)
    痞子衡嵌入式:恩智浦i.MX RT1xxx系列MCU外设那些事(2)- 百变星君FlexRAM
  • 原文地址:https://www.cnblogs.com/jiangu66/p/3017514.html
Copyright © 2020-2023  润新知