Android APK加壳技术方案【2】

zoukankan html css js c++ java

Android APK加壳技术方案【2】
本文章由Jack_Jia编写，转载请注明出处。

文章链接：http://blog.csdn.net/jiazhijun/article/details/8809542

作者：Jack_Jia 邮箱： 309zhijun@163.com

一、序言

在上篇“Android APK加壳技术方案”（http://blog.csdn.net/jiazhijun/article/details/8678399）博文中，根据加壳数据在解壳程序Dex文件所处的位置，我提出了两种Android Dex加壳技术实现方案，本片博文将对方案1代码实现进行讲解。博友可以根据方案1的代码实现原理对方案2自行实现。

在方案1的代码实现过程中，各种不同的问题接踵出现，最初的方案也在不同问题的出现、解决过程中不断的得到调整、优化。

本文的代码实现了对整个APK包的加壳处理。加壳程序不会对源程序有任何的影响。

二、代码实现

本程序基于Android2.3代码实现，因为牵扯到系统代码的反射修改，本程序不保证在其它android版本正常工作，博友可以根据实现原理，自行实现对其它Android版本的兼容性开发。

1、加壳程序流程及代码实现

1、加密源程序APK为解壳数据

2、把解壳数据写入解壳程序DEX文件末尾，并在文件尾部添加解壳数据的大小。

3、修改解壳程序DEX头中checksum、signature 和file_size头信息。

代码实现如下：
[java] view plain copy

package com.android.dexshell;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.zip.Adler32;

public class DexShellTool {
 /**
 * @param args
 */
 public static void main(String[] args) {
 // TODO Auto-generated method stub
 try {
 File payloadSrcFile = new File("g:/payload.apk");
 File unShellDexFile = new File("g:/unshell.dex");
 byte[] payloadArray = encrpt(readFileBytes(payloadSrcFile));
 byte[] unShellDexArray = readFileBytes(unShellDexFile);
 int payloadLen = payloadArray.length;
 int unShellDexLen = unShellDexArray.length;
 int totalLen = payloadLen + unShellDexLen +4;
 byte[] newdex = new byte[totalLen];
 //添加解壳代码
 System.arraycopy(unShellDexArray, 0, newdex, 0, unShellDexLen);
 //添加加密后的解壳数据
 System.arraycopy(payloadArray, 0, newdex, unShellDexLen,
 payloadLen);
 //添加解壳数据长度
 System.arraycopy(intToByte(payloadLen), 0, newdex, totalLen-4, 4);
 //修改DEX file size文件头
 fixFileSizeHeader(newdex);
 //修改DEX SHA1 文件头
 fixSHA1Header(newdex);
 //修改DEX CheckSum文件头
 fixCheckSumHeader(newdex);


 String str = "g:/classes.dex";
 File file = new File(str);
 if (!file.exists()) {
 file.createNewFile();
 }

 FileOutputStream localFileOutputStream = new FileOutputStream(str);
 localFileOutputStream.write(newdex);
 localFileOutputStream.flush();
 localFileOutputStream.close();


 } catch (Exception e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 }
 }

 //直接返回数据，读者可以添加自己加密方法
 private static byte[] encrpt(byte[] srcdata){
 return srcdata;
 }


 private static void fixCheckSumHeader(byte[] dexBytes) {
 Adler32 adler = new Adler32();
 adler.update(dexBytes, 12, dexBytes.length - 12);
 long value = adler.getValue();
 int va = (int) value;
 byte[] newcs = intToByte(va);
 byte[] recs = new byte[4];
 for (int i = 0; i < 4; i++) {
 recs[i] = newcs[newcs.length - 1 - i];
 System.out.println(Integer.toHexString(newcs[i]));
 }
 System.arraycopy(recs, 0, dexBytes, 8, 4);
 System.out.println(Long.toHexString(value));
 System.out.println();
 }


 public static byte[] intToByte(int number) {
 byte[] b = new byte[4];
 for (int i = 3; i >= 0; i--) {
 b[i] = (byte) (number % 256);
 number >>= 8;
 }
 return b;
 }


 private static void fixSHA1Header(byte[] dexBytes)
 throws NoSuchAlgorithmException {
 MessageDigest md = MessageDigest.getInstance("SHA-1");
 md.update(dexBytes, 32, dexBytes.length - 32);
 byte[] newdt = md.digest();
 System.arraycopy(newdt, 0, dexBytes, 12, 20);
 String hexstr = "";
 for (int i = 0; i < newdt.length; i++) {
 hexstr += Integer.toString((newdt[i] & 0xff) + 0x100, 16)
 .substring(1);
 }
 System.out.println(hexstr);
 }


 private static void fixFileSizeHeader(byte[] dexBytes) {


 byte[] newfs = intToByte(dexBytes.length);
 System.out.println(Integer.toHexString(dexBytes.length));
 byte[] refs = new byte[4];
 for (int i = 0; i < 4; i++) {
 refs[i] = newfs[newfs.length - 1 - i];
 System.out.println(Integer.toHexString(newfs[i]));
 }
 System.arraycopy(refs, 0, dexBytes, 32, 4);
 }


 private static byte[] readFileBytes(File file) throws IOException {
 byte[] arrayOfByte = new byte[1024];
 ByteArrayOutputStream localByteArrayOutputStream = new ByteArrayOutputStream();
 FileInputStream fis = new FileInputStream(file);
 while (true) {
 int i = fis.read(arrayOfByte);
 if (i != -1) {
 localByteArrayOutputStream.write(arrayOfByte, 0, i);
 } else {
 return localByteArrayOutputStream.toByteArray();
 }
 }
 }


}
2、解壳程序流程及代码实现

在解壳程序的开发过程中需要解决如下几个关键的技术问题：

（1）解壳代码如何能够第一时间执行？

Android程序由不同的组件构成，系统在有需要的时候启动程序组件。因此解壳程序必须在Android系统启动组件之前运行，完成对解壳数据的解壳及APK文件的动态加载，否则会使程序出现加载类失败的异常。

Android开发者都知道Applicaiton做为整个应用的上下文，会被系统第一时间调用，这也是应用开发者程序代码的第一执行点。因此通过对 AndroidMainfest.xml的application的配置可以实现解壳代码第一时间运行。
[html] view plain copy

<application
 android:icon="@drawable/ic_launcher"
 android:label="@string/app_name"
 android:theme="@style/AppTheme" android:name="com.android.dexunshell.ProxyApplication" >
</application>
（2）如何替换回源程序原有的Application?

当在AndroidMainfest.xml文件配置为解壳代码的Application时。源程序原有的Applicaiton将被替换，为了不影响源程序代码逻辑，我们需要在解壳代码运行完成后，替换回源程序原有的Application对象。我们通过在AndroidMainfest.xml文件中配置原有Applicaiton类信息来达到我们的目的。解壳程序要在运行完毕后通过创建配置的Application对象，并通过反射修改回原Application。
[html] view plain copy

<application
 android:icon="@drawable/ic_launcher"
 android:label="@string/app_name"
 android:theme="@style/AppTheme" android:name="com.android.dexunshell.ProxyApplication" >
 <meta-data android:name="APPLICATION_CLASS_NAME" android:value="com.***.Application"/>
</application>
（3）如何通过DexClassLoader实现对apk代码的动态加载。

我们知道DexClassLoader加载的类是没有组件生命周期的，也就是说即使DexClassLoader通过对APK的动态加载完成了对组件类的加载，当系统启动该组件时，还会出现加载类失败的异常。为什么组件类被动态加载入虚拟机，但系统却出现加载类失败呢？

通过查看Android源代码我们知道组件类的加载是由另一个ClassLoader来完成的，DexClassLoader和系统组件ClassLoader并不存在关系，系统组件ClassLoader当然找不到由DexClassLoader加载的类，如果把系统组件ClassLoader的parent修改成DexClassLoader，我们就可以实现对apk代码的动态加载。

（4）如何使解壳后的APK资源文件被代码动态引用。

代码默认引用的资源文件在最外层的解壳程序中，因此我们要增加系统的资源加载路径来实现对借壳后APK文件资源的加载。

解壳实现代码：
[java] view plain copy

package com.android.dexunshell;

import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.lang.ref.WeakReference;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

import dalvik.system.DexClassLoader;
import android.app.Application;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import android.os.Bundle;

public class ProxyApplication extends Application {

 private static final String appkey = "APPLICATION_CLASS_NAME";
 private String apkFileName;
 private String odexPath;
 private String libPath;
 @Override
 public void onCreate() {
 // TODO Auto-generated method stub
 super.onCreate();
 try {
 File odex = this.getDir("payload_odex", MODE_PRIVATE);
 File libs = this.getDir("payload_lib", MODE_PRIVATE);
 odexPath = odex.getAbsolutePath();
 libPath = libs.getAbsolutePath();
 apkFileName = odex.getAbsolutePath()+"/payload.apk";
 File dexFile = new File(apkFileName);
 if(!dexFile.exists())
 dexFile.createNewFile();
 //读取程序classes.dex文件
 byte[] dexdata = this.readDexFileFromApk();
 //分离出解壳后的apk文件已用于动态加载
 this.splitPayLoadFromDex(dexdata);
 //配置动态加载环境
 this.configApplicationEnv();

 } catch (Exception e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 }
 }

 private void configApplicationEnv() throws NameNotFoundException, IllegalAccessException, InstantiationException, ClassNotFoundException, IOException{

 Object currentActivityThread = RefInvoke.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread", new Class[]{}, new Object[]{});
 HashMap mPackages = (HashMap)RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mPackages");
 //替换组件类加载器为DexClassLoader，已使动态加载代码具有组件生命周期
 WeakReference wr = (WeakReference) mPackages.get(this.getPackageName());
 DexClassLoader dLoader = new DexClassLoader(apkFileName,
 odexPath, libPath, (ClassLoader) RefInvoke.getFieldOjbect("android.app.LoadedApk", wr.get(), "mClassLoader"));
 RefInvoke.setFieldOjbect("android.app.LoadedApk", "mClassLoader", wr.get(), dLoader);

 //如果源应用配置有Appliction对象，则替换为源应用Applicaiton，以便不影响源程序逻辑。
 ApplicationInfo appInfo = this.getPackageManager().getApplicationInfo(this.getPackageName(),PackageManager.GET_META_DATA);
 Bundle bundle = appInfo.metaData;
 if(bundle != null && bundle.containsKey(appkey)){

 String appClassName = bundle.getString(appkey);
 Application app = (Application)dLoader.loadClass(appClassName).newInstance();
 RefInvoke.setFieldOjbect("android.app.ContextImpl", "mOuterContext", this.getBaseContext(), app);
 RefInvoke.setFieldOjbect("android.content.ContextWrapper", "mBase", app, this.getBaseContext());
 Object mBoundApplication = RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mBoundApplication");
 Object info = RefInvoke.getFieldOjbect("android.app.ActivityThread$AppBindData", mBoundApplication, "info");
 RefInvoke.setFieldOjbect("android.app.LoadedApk", "mApplication", info, app);
 Object oldApplication = RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mInitialApplication");
 RefInvoke.setFieldOjbect("android.app.ActivityThread", "mInitialApplication", currentActivityThread, app);
 ArrayList<Application> mAllApplications = (ArrayList<Application>)RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mAllApplications");
 mAllApplications.remove(oldApplication);
 mAllApplications.add(app);
 HashMap mProviderMap = (HashMap) RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mProviderMap");
 Iterator it = mProviderMap.values().iterator();
 while(it.hasNext()){
 Object providerClientRecord = it.next();
 Object localProvider = RefInvoke.getFieldOjbect("android.app.ProviderClientRecord", providerClientRecord, "mLocalProvider");
 RefInvoke.setFieldOjbect("android.content.ContentProvider", "mContext", localProvider, app);
 }
 RefInvoke.invokeMethod(appClassName, "onCreate", app, new Class[]{}, new Object[]{});
 }
 }

 private void splitPayLoadFromDex(byte[] data) throws IOException{
 byte[] apkdata = decrypt(data);
 int ablen = apkdata.length;
 byte[] dexlen = new byte[4];
 System.arraycopy(apkdata, ablen - 4, dexlen, 0, 4);
 ByteArrayInputStream bais = new ByteArrayInputStream(dexlen);
 DataInputStream in = new DataInputStream(bais);
 int readInt = in.readInt();
 System.out.println(Integer.toHexString(readInt));
 byte[] newdex = new byte[readInt];
 System.arraycopy(apkdata, ablen - 4 - readInt, newdex, 0, readInt);
 File file = new File(apkFileName);
 try {
 FileOutputStream localFileOutputStream = new FileOutputStream(file);
 localFileOutputStream.write(newdex);
 localFileOutputStream.close();

 } catch (IOException localIOException) {
 throw new RuntimeException(localIOException);
 }

 ZipInputStream localZipInputStream = new ZipInputStream(
 new BufferedInputStream(new FileInputStream(file)));
 while (true) {
 ZipEntry localZipEntry = localZipInputStream.getNextEntry();
 if (localZipEntry == null) {
 localZipInputStream.close();
 break;
 }
 String name = localZipEntry.getName();
 if (name.startsWith("lib/") && name.endsWith(".so")) {
 File storeFile = new File(libPath+"/"+name.substring(name.lastIndexOf('/')));
 storeFile.createNewFile();
 FileOutputStream fos = new FileOutputStream(storeFile);
 byte[] arrayOfByte = new byte[1024];
 while (true) {
 int i = localZipInputStream.read(arrayOfByte);
 if (i == -1)
 break;
 fos.write(arrayOfByte, 0, i);
 }
 fos.flush();
 fos.close();
 }
 localZipInputStream.closeEntry();
 }
 localZipInputStream.close();

 }

 private byte[] readDexFileFromApk() throws IOException {
 ByteArrayOutputStream dexByteArrayOutputStream = new ByteArrayOutputStream();
 ZipInputStream localZipInputStream = new ZipInputStream(
 new BufferedInputStream(new FileInputStream(this.getApplicationInfo().sourceDir)));
 while (true) {
 ZipEntry localZipEntry = localZipInputStream.getNextEntry();
 if (localZipEntry == null) {
 localZipInputStream.close();
 break;
 }
 if (localZipEntry.getName().equals("classes.dex")) {
 byte[] arrayOfByte = new byte[1024];
 while (true) {
 int i = localZipInputStream.read(arrayOfByte);
 if (i == -1)
 break;
 dexByteArrayOutputStream.write(arrayOfByte, 0, i);
 }
 }
 localZipInputStream.closeEntry();
 }
 localZipInputStream.close();
 return dexByteArrayOutputStream.toByteArray();
 }

 ////直接返回数据，读者可以添加自己解密方法
 private byte[] decrypt(byte[] data){
 return data;
 }
}
RefInvoke为反射调用工具类：
[java] view plain copy

package com.android.dexunshell;

import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public class RefInvoke {

 public static Object invokeStaticMethod(String class_name, String method_name, Class[] pareTyple, Object[] pareVaules){

 try {
 Class obj_class = Class.forName(class_name);
 Method method = obj_class.getMethod(method_name,pareTyple);
 return method.invoke(null, pareVaules);
 } catch (SecurityException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalArgumentException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalAccessException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (NoSuchMethodException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (InvocationTargetException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (ClassNotFoundException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 }
 return null;

 }

 public static Object invokeMethod(String class_name, String method_name, Object obj ,Class[] pareTyple, Object[] pareVaules){

 try {
 Class obj_class = Class.forName(class_name);
 Method method = obj_class.getMethod(method_name,pareTyple);
 return method.invoke(obj, pareVaules);
 } catch (SecurityException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalArgumentException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalAccessException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (NoSuchMethodException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (InvocationTargetException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (ClassNotFoundException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 }
 return null;

 }

 public static Object getFieldOjbect(String class_name,Object obj, String filedName){
 try {
 Class obj_class = Class.forName(class_name);
 Field field = obj_class.getDeclaredField(filedName);
 field.setAccessible(true);
 return field.get(obj);
 } catch (SecurityException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (NoSuchFieldException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalArgumentException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalAccessException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (ClassNotFoundException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 }
 return null;

 }

 public static Object getStaticFieldOjbect(String class_name, String filedName){

 try {
 Class obj_class = Class.forName(class_name);
 Field field = obj_class.getDeclaredField(filedName);
 field.setAccessible(true);
 return field.get(null);
 } catch (SecurityException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (NoSuchFieldException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalArgumentException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalAccessException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (ClassNotFoundException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 }
 return null;

 }

 public static void setFieldOjbect(String classname, String filedName, Object obj, Object filedVaule){
 try {
 Class obj_class = Class.forName(classname);
 Field field = obj_class.getDeclaredField(filedName);
 field.setAccessible(true);
 field.set(obj, filedVaule);
 } catch (SecurityException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (NoSuchFieldException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalArgumentException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalAccessException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (ClassNotFoundException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 }
 }

 public static void setStaticOjbect(String class_name, String filedName, Object filedVaule){
 try {
 Class obj_class = Class.forName(class_name);
 Field field = obj_class.getDeclaredField(filedName);
 field.setAccessible(true);
 field.set(null, filedVaule);
 } catch (SecurityException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (NoSuchFieldException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalArgumentException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (IllegalAccessException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 } catch (ClassNotFoundException e) {
 // TODO Auto-generated catch block
 e.printStackTrace();
 }
 }

}
三、总结

本文代码基本实现了APK文件的加壳及脱壳原理，该代码作为实验代码还有诸多地方需要改进。比如：

1、加壳数据的加密算法的添加。

2、脱壳代码由java语言实现，可通过C代码的实现对脱壳逻辑进行保护，以达到更好的反逆向分析效果。
如果你喜欢本文, 请长按二维码，关注公众号分布式编程.
作者：分布式编程
出处：https://zthinker.com/
本文版权归作者和博客园共有，欢迎转载，但未经作者同意必须保留此段声明，且在文章页面明显位置给出原文连接，否则保留追究法律责任的权利。
查看全文

相关阅读:
Top 10 Product Manager Skills To Boost Your Resume In 2021
大数据知识梳理
 B端产品如何设计权限系统？
华三盒式交换机MAC、ARP、Route性能表项参数查询
 中了传说中的挖矿病毒
 SqlServer 2019 事务日志传送
 docker中生成的pdf中文是方框的解决方案
 The Live Editor is unable to run in the current system configuration
2021 面试题大纲
 五分钟搞定Docker安装ElasticSearch

原文地址：https://www.cnblogs.com/daichangya/p/12959810.html