Solemn statement

The decompilation techniques in this article are for technical research only and must not be used for illegal purposes; otherwise the consequences are your own to bear.

1. Apktool: a tool for reversing APK files

Official website

Apktool is mainly used to reverse APK files: it decodes the resources to near-original form and rebuilds them after modification. It can also be used to rebuild an APK.

1.1 Features

  • Decodes resources to nearly original form (including resources.arsc, classes.dex, 9.png and XMLs)
  • Repackages the decoded resources back into an APK/JAR
  • Organizes and handles APKs that depend on framework resources
  • Smali debugging
  • Performs automated tasks

Installation tutorial

1.2 Usage

  • Reverse an APK file: apktool d xx.apk. After reversing, the code is only available as smali files; you need to learn the smali syntax to read them.
  • Repack: apktool b xx. The output is an unsigned APK, which must be signed before it can be installed.

1.3 Smali syntax

Smali is the instruction language of the Dalvik virtual machine. When an APK file is decompiled with apktool, a smali folder is generated containing the smali code that the VM executes. Handy when you want to see how someone else implemented a cool UI effect... and borrow a piece of their code, lol. No, how can a scholar's business be called stealing?

Here is the smali directory after decompilation with apktool:

To learn the syntax, first write an Activity as follows:

package com.xfhy.allinone.smali;

import android.os.Bundle;
import android.util.Log;
import androidx.annotation.Nullable;
import androidx.appcompat.app.AppCompatActivity;

import com.xfhy.allinone.R;

public class SmaliActivity extends AppCompatActivity {

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_smail);

        initView();
    }

    private void initView() {
        int num = 2 + 3;
        String name = "zhangsan";
        Log.w("xfhy666", "initView: num = " + num + " name = " + name);
    }

    @Override
    protected void onDestroy() {
        super.onDestroy();
    }
}

Its smali code is as follows:

# The class name and the parent class name are declared first
.class public Lcom/xfhy/allinone/smali/SmaliActivity;
.super Landroidx/appcompat/app/AppCompatActivity;
.source "SmaliActivity.java"

# direct methods: from here on, methods defined directly in the current class
# .method marks the start of a method
# This is the default constructor of the current class; the trailing V means the return type is void
.method public constructor <init>()V
    # .locals indicates how many (non-parameter) registers the current method needs
    .locals 0

    .line 16
    invoke-direct {p0}, Landroidx/appcompat/app/AppCompatActivity;-><init>()V

    return-void
.end method

.method private initView()V
    .locals 4

    .line 27
    const/4 v0, 0x5

    .line 28
    .local v0, "num":I
    const-string v1, "lisi"

    .line 29
    .local v1, "name":Ljava/lang/String;
    new-instance v2, Ljava/lang/StringBuilder;

    invoke-direct {v2}, Ljava/lang/StringBuilder;-><init>()V

    const-string v3, "initView: num = "

    invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    invoke-virtual {v2, v0}, Ljava/lang/StringBuilder;->append(I)Ljava/lang/StringBuilder;

    const-string v3, " name = "

    invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    invoke-virtual {v2, v1}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v2

    const-string v3, "xfhy666"

    invoke-static {v3, v2}, Landroid/util/Log;->w(Ljava/lang/String;Ljava/lang/String;)I

    .line 30
    return-void
.end method


# virtual methods: from here on, methods that override the parent class
.method protected onCreate(Landroid/os/Bundle;)V
    .locals 1
    .param p1, "savedInstanceState"    # Landroid/os/Bundle;

    .line 20
    invoke-super {p0, p1}, Landroidx/appcompat/app/AppCompatActivity;->onCreate(Landroid/os/Bundle;)V

    .line 21
    const v0, 0x7f0b001f

    invoke-virtual {p0, v0}, Lcom/xfhy/allinone/smali/SmaliActivity;->setContentView(I)V

    .line 23
    invoke-direct {p0}, Lcom/xfhy/allinone/smali/SmaliActivity;->initView()V

    .line 24
    return-void
.end method

.method protected onDestroy()V
    .locals 0

    .line 35
    invoke-super {p0}, Landroidx/appcompat/app/AppCompatActivity;->onDestroy()V

    .line 36
    return-void
.end method


As you can see, we can actually understand most of the smali syntax, with a bit of guessing, about 60% of it. The smali code above has one more method than the Java code: the default constructor. Each method starts with .method and ends with .end method.

Smali syntax:

Official documentation

In Dalvik bytecode, registers are 32 bits wide, so a single register is enough for ordinary types. Only 64-bit types need two registers, and long and double are 64-bit.

Primitive types

Smali type   Java type
V            void
Z            boolean
B            byte
S            short
C            char
I            int
J            long (64-bit)
F            float
D            double (64-bit)

Object types

Smali type            Java type
Ljava/lang/String;    String
Landroid/os/Bundle;   Bundle

  • An object type starts with L
  • It ends with ;
  • The full package path is written in between, separated by / instead of .

Arrays

Smali type            Java type
[I                    int[]
[[I                   int[][]
[Ljava/lang/String;   String[]

Method definition

Smali type                                         Java representation
public getDouble()D                                public double getDouble()
public getNum(ILjava/lang/String;Z)Ljava/lang/String;   public String getNum(int a, String b, boolean c)

Example:

.method public getDouble()D
    .locals 2

    .line 45
    const-wide/16 v0, 0x0

    return-wide v0
.end method

Field definition

Smali type                                     Java representation
.field private num:I                           private int num
.field public text:Ljava/lang/String;          public String text
.field private tvName:Landroid/widget/TextView;   private TextView tvName

As you can see, a field definition starts with the keyword .field, followed by modifier + name + : + type.

Specifying the number of method registers

The number of registers a method needs is declared explicitly. There are two ways:

  • .registers specifies the total number of registers in the method
  • .locals specifies the number of non-parameter registers in the method; it is usually the first line of the method

Example (both headers below describe the same method: the first declares .registers 6, the second .locals 2, and the difference of 4 is the parameter registers p0 to p3):

.method public getNum(ILjava/lang/String;Z)Ljava/lang/String;
    .registers 6
    .param p1, "a"    # I
    .param p2, "b"    # Ljava/lang/String;
    .param p3, "c"    # Z

    .prologue
    .line 40
    const/4 v0, 0x2

    .line 41
    .local v0, "num":I
    const-string v1, ""

    return-object v1
.end method

.method public getNum(ILjava/lang/String;Z)Ljava/lang/String;
    .locals 2
    .param p1, "a"    # I
    .param p2, "b"    # Ljava/lang/String;
    .param p3, "c"    # Z

    .line 40
    const/4 v0, 0x2

    .line 41
    .local v0, "num":I
    const-string v1, ""

    return-object v1
.end method


Method parameters

The parameters of a method are also stored in registers, usually in the last N registers of the method. Note that non-static methods have an implicit this parameter.

Register naming

There are two naming schemes: v naming (v0, v1, ...) and p naming (p0, p1, ...).

Look at a piece of smali code to get a feel for it:

.method public getNum(ILjava/lang/String;Z)Ljava/lang/String;
    .locals 2
    .param p1, "a"    # I
    .param p2, "b"    # Ljava/lang/String;
    .param p3, "c"    # Z

    .line 40
    const/4 v0, 0x2

    .line 41
    .local v0, "num":I
    const-string v1, ""

    return-object v1
.end method

  • First, .locals 2 indicates that the method has two v registers.
  • Then the registers p1, p2 and p3 are declared, and there is actually also a p0 register: p0 is this (a reference to the object itself, the this pointer).
  • This method uses both v names and p names.
  • Only registers named v are counted in .locals; p registers are not.
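As an added example (not code from the original post), here is a small Python helper that applies the descriptor rules from the method and field tables above and the register rules from this section: it converts Dalvik descriptors to Java types and maps a method's p-registers onto its v-registers from either a .registers or a .locals line. The input lines are constructed from this post's getNum example; the handling of wide (J/D) parameters and static methods follows the Dalvik register model described above.

```python
# Added example (not from the original post): parse Dalvik type descriptors
# and work out how a method's p-registers map onto its v-registers.
# Assumption: standard descriptors only, one .method header plus one count line.

# Primitive descriptor letters and the Java types they represent
PRIMITIVES = {"V": "void", "Z": "boolean", "B": "byte", "S": "short",
              "C": "char", "I": "int", "J": "long", "F": "float", "D": "double"}
WIDE = {"long", "double"}  # 64-bit types occupy two registers

def parse_type(desc, pos=0):
    """Return (java_type, next_pos) for the descriptor starting at pos."""
    dims = 0
    while desc[pos] == "[":  # each leading '[' is one array dimension
        dims, pos = dims + 1, pos + 1
    if desc[pos] == "L":  # object type: L<package/Class>;
        end = desc.index(";", pos)
        java, pos = desc[pos + 1:end].replace("/", "."), end + 1
    else:
        java, pos = PRIMITIVES[desc[pos]], pos + 1
    return java + "[]" * dims, pos

def parse_method(sig):
    """'getNum(ILjava/lang/String;Z)Ljava/lang/String;' -> (name, params, ret)."""
    name, rest = sig.split("(", 1)
    params_desc, ret_desc = rest.split(")", 1)
    params, pos = [], 0
    while pos < len(params_desc):
        typ, pos = parse_type(params_desc, pos)
        params.append(typ)
    return name, params, parse_type(ret_desc)[0]

def register_layout(method_line, count_line):
    """Given a '.method ...' header and its '.registers N' or '.locals N'
    line, return (total_registers, local_registers, {pN: (vN, type)})."""
    words = method_line.split()  # ['.method', 'public', ..., 'name(...)ret']
    is_static = "static" in words[1:-1]
    _, params, _ = parse_method(words[-1])
    # non-static methods get an implicit this in p0, then 1 or 2 regs per param
    slots = ([] if is_static else [("this", 1)]) + \
            [(p, 2 if p in WIDE else 1) for p in params]
    param_regs = sum(width for _, width in slots)
    directive, n = count_line.split()
    total = int(n) if directive == ".registers" else int(n) + param_regs
    local_regs = total - param_regs
    if local_regs < 0:
        raise ValueError(".registers declares fewer registers than the parameters need")
    layout, reg = {}, local_regs  # parameters occupy the last param_regs registers
    for typ, width in slots:
        layout["p%d" % (reg - local_regs)] = ("v%d" % reg, typ)
        reg += width
    return total, local_regs, layout
```

For the post's getNum method, both ".registers 6" and ".locals 2" yield p0 = v2 (this), p1 = v3, p2 = v4, p3 = v5.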

Markers

Marker               Meaning
# static fields      Static variables are defined here
# instance fields    Instance variables are defined here
# direct methods     Static methods are defined here
# virtual methods    Non-static methods are defined here

Conditional branches

Instruction                 Meaning
if-eq vA, vB, :cond_**      If vA == vB, jump to :cond_**
if-ne vA, vB, :cond_**      If vA != vB, jump to :cond_**
if-lt vA, vB, :cond_**      If vA < vB, jump to :cond_**
if-ge vA, vB, :cond_**      If vA >= vB, jump to :cond_**
if-gt vA, vB, :cond_**      If vA > vB, jump to :cond_**
if-le vA, vB, :cond_**      If vA <= vB, jump to :cond_**
if-eqz vA, :cond_**         If vA == 0, jump to :cond_**
if-nez vA, :cond_**         If vA != 0, jump to :cond_**
if-ltz vA, :cond_**         If vA < 0, jump to :cond_**
if-gez vA, :cond_**         If vA >= 0, jump to :cond_**
if-gtz vA, :cond_**         If vA > 0, jump to :cond_**
if-lez vA, :cond_**         If vA <= 0, jump to :cond_**

These are hard to remember, so come back to the table when you need it.

The z stands for zero; depending on the context it can mean 0, null or false.

1.4 Smali instrumentation (code injection)

Through smali instrumentation we can change the behaviour of the original code, for example modify a piece of logic, change the text an app displays, localize it, and so on.

Here is a quick example to give you a feel for it.

The showText function has a parameter isVip: if it is true the ad is skipped, if false the ad is watched. I now want to make isVip always true, so the ad is skipped forever, haha... For testing only.

private void showText(boolean isVip) {
    if (isVip) {
        Toast.makeText(this, "Skip ad", Toast.LENGTH_SHORT).show();
    } else {
        Toast.makeText(this, "Watch ad", Toast.LENGTH_SHORT).show();
    }
}

The Java code above corresponds to the smali code as follows:

.method private showText(Z)V
    .locals 2
    .param p1, "isVip"    # Z

    .line 38
    const/4 v0, 0x0

    if-eqz p1, :cond_0  # if p1 == 0 (isVip is false), jump to :cond_0; otherwise fall through

    .line 39
    const-string v1, "Skip ad"

    invoke-static {p0, v1, v0}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;

    move-result-object v0

    invoke-virtual {v0}, Landroid/widget/Toast;->show()V

    goto :goto_0

    .line 41
    :cond_0
    const-string v1, "Watch ad"

    invoke-static {p0, v1, v0}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast;

    move-result-object v0

    invoke-virtual {v0}, Landroid/widget/Toast;->show()V

    .line 43
    :goto_0
    return-void
.end method


The code above is quite simple: I set isVip to true directly before the if-eqz check.

.method private showText(Z)V
    .locals 2
    .param p1, "isVip"    # Z

    const/4 p1, 0x1

    .line 38
    const/4 v0, 0x0

    if-eqz p1, :cond_0  
    ..
.end method

After saving the modified smali, use apktool to package it back into an APK: apktool b apkFileName.

Once packaged, the APK cannot be installed on an Android phone straight away; it must be signed first, for example with the AutoSign toolkit's signapk: java -jar signapk.jar testkey.x509.pem testkey.pk8 update.apk update_signed.apk. Install and run it on the phone and it works perfectly: the Toast output is "Skip ad". The instrumentation succeeded.

You can download an Android reverse-engineering assistant that includes the AutoSign toolkit. Download address:

Link: pan.baidu.com/s/1NW9PAyua… Password: 8nb7

2. dex2jar

A tool for converting dex into a JAR. The download is a compressed package containing many tools.

What each tool does is clear from its name.

It is also easy to use. For example, open the decompressed folder on the command line and prepare the dex to be converted (say classes.dex, copied into the current folder). Give all the scripts execute permission with chmod +x * (not needed on Windows). Then run ./d2j-dex2jar.sh classes.dex to convert the dex into a jar, and use the JD-GUI tool to view the Java source code of the classes in that jar.

Download address: sourceforge.net/projects/de…

3. jd-gui

JD-GUI is a decompiler that shows the Java code corresponding to the classes in a JAR. Usage: drag the JAR file directly into JD-GUI and view the Java code of the classes inside.

JD-GUI on GitHub: github.com/java-decomp…

4. jadx

jadx on GitHub: github.com/skylot/jadx

Download the latest release package directly from the jadx GitHub page.

jadx goes a step further: drag an APK file directly into it and you get the following information:

  • Signature details (type, version, subject, signature algorithm, MD5, SHA-1, SHA-256, etc.)
  • All resource files (layout files, for example, are decompiled and can be viewed directly)
  • The Java code for all classes (unpacked apps only); the smali code corresponding to the Java code can also be viewed
  • .so files

jadx is said to be the best decompiler ever, and in terms of usability it is. Besides the features above, there are some you might like, such as:

  • Export as a Gradle project
  • Deobfuscation
  • Code navigation (Ctrl + left mouse button)
  • Global text search

With jadx I feel I can actually do without the tools above; it covers their functions.

5. Unpacking

When it comes to unpacking, a few tools are involved:

  • Xposed framework
  • VirtualXposed
  • FDex2

If the phone is rooted, choose Xposed framework + FDex2. If the phone is not rooted, choose VirtualXposed + FDex2.

5.1 Xposed framework

First we need to know what the Xposed framework is.

Wikipedia: the Xposed framework is an open-source framework service that runs in Android's high-privilege mode. It can change how programs run (modify the system) without modifying the APK files, and many powerful modules can be built on top of it that run at the same time without conflicting in function. Installing the framework requires the device to have an unlocked bootloader (root is not strictly necessary for unlocking the bootloader, and Xposed can be installed only by flashing the package through a third-party recovery such as TWRP, without the device needing full root permission).

The Xposed framework is extremely powerful: you can install all kinds of plugins (there are many Xposed plugins at www.xda.im/), such as automatic red-envelope grabbing, anti-recall, step-count modification and other fancy tricks. The Xposed framework is cumbersome to install; the installation tutorial is not covered here, since every phone may be different. I remember unlocking the bootloader on my phone and flashing it.

The traditional Xposed framework only supports Android N; later Android versions can use EdXposed instead.

5.2 VirtualXposed

Official website: vxposed.com/

VirtualXposed is also very cool. It looks like it provides a virtual Android environment, but it is actually an app. It provides the Xposed framework environment without rooting the phone, unlocking the bootloader or flashing anything. Xposed modules provide many app and game assists, but many users have to give up because the Xposed framework is so troublesome to install; the latest version of VirtualXposed lets users use all kinds of Xposed modules very conveniently.

5.3 FDex2

FDex2 is an Xposed plugin used to export dex files from a running app.

Usage: first install the FDex2 APK, then enable the plugin in the Xposed framework and restart the phone. Open FDex2 and tap the app to be unpacked; FDex2 then shows the output directory for that app's dex. Next run the app that needs unpacking, and its dex can be obtained. Then export the dex to your computer and view the decompiled code with jadx.

Of course, FDex2 may not always work.

6. Developer Assistant

This tool is particularly impressive, but most of its functionality requires root permission. The main functions are:

  • View any application's database and SharedPreferences in real time
  • Network request information
  • Log output
  • Current Activity or Fragment
  • Interface resource analysis (you can see which controls a UI is made of)

Coolapk download address: www.coolapk.com/apk/com.tos…

As you can see from the app details, Developer Assistant also has a PC version with many features:

  • Supports most of the features of the mobile Developer Assistant
  • Supports taking screenshots to the computer
  • Enables global debug (for dynamic debugging)
  • Shows process priority
  • More stable retrieval of the current package name / Activity name / Fragment name

Developer Assistant PC version download link: pan.baidu.com/s/1MFagBWVb… Extraction code: L4HV

7. Other

That's about it, though it is barely enough. Some other tools are included in the download link below.

Link: pan.baidu.com/s/1kuoJ83vo… Password: lc6p

Here is a repository that explains Android application security very comprehensively; have a look if you are interested: github.com/crifan/andr…

References

  • Apktool official website
  • Smali: the Dalvik VM instruction language
  • About smali instrumentation
  • Android from development to reverse (IV): smali instrumentation
  • Android reverse analysis: smali syntax
  • Xposed framework – Wikipedia