分析Android APK-砸壳-Fdex2

砸壳的工具千千万，但是FDex2 是最有能耐的，我尝试过各种壳，都是秒砸的。特别说明一下，360的壳，oncreated 方法还是空的，但是其他大部分内容还是有的，反正是可以参考一下的。

安装环境：

1，安卓手机root ，必须root，记住是必须，只支持6.0 或者更低的版本，太高版本也不行。

Root 手机很好找，淘宝买个nexus 手机，然后家里用工具就可以root，为什么不 推荐其他手机，是因为其他手机现在root 特别麻烦，买个旧手机就几百块钱。

2，安装virtual xposed

Xposed 的安装，使用，之前已经讲过了，这里不在赘述。

3，安装Fdex2.

下载地址：链接:https://pan.baidu.com/s/1smxtinr 密码:dk4v

 

4, 激活FDex2 模块

开始砸壳：

安装app 到xposed， 启动FDex2 ，然后配置需要砸壳的app，

 

再提示的目录，就可以找到脱壳后的dex 文件。

 

Fdex2 的程序代码：

package com.ppma.xposed;

 import java.io.File;import java.io.FileOutputStream;import java.io.IOException;import java.io.OutputStream;import java.lang.reflect.Method;

 import de.robv.android.xposed.IXposedHookLoadPackage;import de.robv.android.xposed.XC_MethodHook;import de.robv.android.xposed.XSharedPreferences;import de.robv.android.xposed.XposedBridge;import de.robv.android.xposed.XposedHelpers;import de.robv.android.xposed.callbacks.XC_LoadPackage;

 public class MainHook implements IXposedHookLoadPackage {

    XSharedPreferences xsp;

    Class Dex;

    Method Dex_getBytes;

    Method getDex;

    String packagename;

    public void handleLoadPackage(XC_LoadPackage.LoadPackageParam lpparam) throws Throwable {

        xsp = new XSharedPreferences("com.ppma.appinfo", "User");

        xsp.makeWorldReadable();

        xsp.reload();

        initRefect();

        packagename = xsp.getString("packagename", null);

        XposedBridge.log("设定包名："+packagename);

        if ((!lpparam.packageName.equals(packagename))||packagename==null) {

            XposedBridge.log("当前程序包名与设定不一致或者包名为空");

            return;

        }

        XposedBridge.log("目标包名："+lpparam.packageName);

        String str = "java.lang.ClassLoader";

        String str2 = "loadClass";

        XposedHelpers.findAndHookMethod(str, lpparam.classLoader, str2, String.class, Boolean.TYPE, new XC_MethodHook() {

            protected void afterHookedMethod(MethodHookParam param) throws Throwable {

                super.afterHookedMethod(param);

                Class cls = (Class) param.getResult();

                if (cls == null) {

                    //XposedBridge.log("cls == null");

                    return;

                }

                String name = cls.getName();

                XposedBridge.log("当前类名：" + name);

                byte[] bArr = (byte[]) Dex_getBytes.invoke(getDex.invoke(cls, new Object[0]), new Object[0]);

                if (bArr == null) {

                    XposedBridge.log("数据为空：返回");

                    return;

                }

                XposedBridge.log("开始写数据");

                String dex_path = "/data/data/" + packagename + "/" + packagename + "_" + bArr.length + ".dex";

                XposedBridge.log(dex_path);

                File file = new File(dex_path);

                if (file.exists()) return;

                writeByte(bArr, file.getAbsolutePath());

            }

            } );

    }

    public void initRefect() {

        try {

            Dex = Class.forName("com.android.dex.Dex");

            Dex_getBytes = Dex.getDeclaredMethod("getBytes", new Class[0]);

            getDex = Class.forName("java.lang.Class").getDeclaredMethod("getDex", new Class[0]);

        } catch (ClassNotFoundException e) {

            e.printStackTrace();

        } catch (NoSuchMethodException e) {

            e.printStackTrace();

        }

    }

    public  void writeByte(byte[] bArr, String str) {

        try {

            OutputStream outputStream = new FileOutputStream(str);

            outputStream.write(bArr);

            outputStream.close();

        } catch (IOException e) {

            e.printStackTrace();

            XposedBridge.log("文件写出失败");

        }

    }

}