
This page sorts out the tools commonly used in Android reverse engineering, including root, hook frameworks, APK decompilation, shells (packing and unpacking), network analysis, disassembly, Magisk modules, Xposed modules and so on.

root

Root is the highest permission in the system; it lets users bypass the phone manufacturer's restrictions to uninstall pre-installed programs or run operations that require system permissions. Since the Android kernel is Linux, Android root is really the Linux root user permission.

Factory devices generally disable direct flashing through the bootloader, so to obtain root the BL (bootloader) usually has to be unlocked first. Each manufacturer has its own unlocking method and level of difficulty; Xiaomi officially provides a tool to unlock the BL.

Magisk

Magisk is a set of open source tools for customizing Android, including root, boot scripts, SELinux patching, removal of AVB 2.0 and forced encryption, and other functions; it supports Android 4.2 ~ 11.

Magisk implements root systemlessly: it creates a Magisk partition outside the system partition instead of directly modifying /system.

In addition to root and root authorization, Magisk provides other features:

  1. Magisk Hide hides root
  2. Modifies hosts in systemless mode
  3. Changes the Magisk app name (to bypass some Magisk detection)
  4. Passes Google's SafetyNet check
  5. Supports installable function modules, e.g. to implement Xposed

SuperSU

Once the most popular root acquisition and authorization tool: natively ad-free, supports Simplified Chinese, with a simple, attractive interface and good stability. However, it has essentially stopped updating and does not support Android 8.0 or above.

Xiaomi BL unlock tool

Xiaomi officially provides a BL unlock tool that makes unlocking a Xiaomi phone's BL very convenient. Unlocking process:

  1. Go to Settings > Developer Options > Device unlock status and bind the account to the device
  2. Manually enter Bootloader mode
  3. Connect the phone via USB and click the "Unlock" button

hook

Frida

A hook framework supporting Windows, macOS, Linux, Android and iOS. It uses dynamic binary instrumentation (DBI) and supports native-level hooks.

Injection scripts are written in JavaScript; the various aspects of using Frida are described in the Android Reverse Frida article.

Xposed

A well-known open source Java-layer hook framework with support for function modules; it can change system and application behaviour without touching any APK. It is officially no longer updated, and the officially supported versions are Android 5.0 ~ 8.1.

Operating principle: it replaces the /system/bin/app_process program in order to control the zygote process; during startup app_process loads the JAR package XposedBridge.jar, thereby hijacking the Zygote process and the Dalvik VM it creates.

Hook principle: the ART/Dalvik virtual machine is modified so that methods to be hooked are registered as native-layer functions. When such a method is executed, the virtual machine first runs the native-layer function and then the Java-layer function, which completes the hook of the method.

Because it is so popular, many apps now detect Xposed.

EdXposed

An open source ART hook framework based on Riru, similar to Xposed and offering an API consistent with the original Xposed. It provides two implementations, YAHFA and SandHook, and became the de facto successor after Xposed stopped updating; supported versions are Android 8.0 ~ 11.

EdXposed can be installed as a Magisk module, e.g. the EdXposed complete framework.

epic

A virtual-machine-level, Java-method-grained runtime AOP hook framework. Put simply, Epic is Dexposed on ART: it can intercept almost any Java method call inside a process and can be used for AOP programming, runtime instrumentation, performance analysis, security auditing, etc. VirtualXposed and TaiChi use Epic to provide Xposed functionality without root. Supported versions are Android 5.0 to 11.

VirtualXposed

An implementation, based on VirtualApp and Epic, that runs Xposed modules in a non-root environment; supported versions are Android 5.0 ~ 10.0.

Compared with Xposed, VirtualXposed currently has two limitations:

  1. System modification is not supported (only calls to system APIs inside ordinary apps can be modified), so GravityBox and the application controller cannot be used.
  2. Resource hooks are not supported yet, so in modules that use resource hooks the corresponding function does not take effect.

TaiChi

An Xposed-like framework that has no relation to Xposed itself: its design ideas, implementation mechanism and operating logic are completely different, but it can run Xposed modules. It works both in the traditional root/flashing mode and without root or flashing. Supported versions are Android 5.0 to 10.0.

There are two working modes: root-free and Magisk. Root-free mode cannot modify the system, while Magisk mode has more powerful functions.

Cydia Substrate

An early hook framework based on Cydia, supporting Java- and native-layer hooks on both iOS and Android; supported versions are Android 2.3 ~ 4.4.

Android-Inline-Hook

A native hook implementation that redirects the original function to its own function by replacing the instructions at the start of the function with a jump instruction; it supports Thumb-16, Thumb-32 and ARM32 instructions.

Hook code is written in C and built with ndk-build.

SandHook

A Java-layer hook framework for the Android ART virtual machine that works inside the process and does not need root; supported versions are Android 4.4 ~ 11.

It also supports inline hooks.

xHook

A PLT (Procedure Linkage Table) hook library for ELF files (executables and dynamic libraries) on the Android platform; it does not need root and supports Android 4.0 to 10.0.

decompiling

010 Editor

A hexadecimal file editor that can parse binary files using templates; it can be used to analyze Android files such as AndroidManifest.xml, resources.arsc and .dex.

apktool

An APK decompilation tool that decodes resources into resource files and .smali files, and can repackage them into an APK.

  • decompile

    apktool d <apkPath> -o <outputPath>

  • repack

    apktool b <fileDirPath> -o <apkPath>

dex2jar

A set of tools for working with Android .dex files, commonly used to decompile .dex files into .jar files. Rename the APK to .zip (or .rar) and extract it to obtain the classes.dex file.

  • decompile

    d2j-dex2jar <dexFilePath> -o <outputJarFilePath>

  • recompile

    d2j-jar2dex <jarFilePath> -o <outputDexFilePath>

jd-gui

A GUI tool for viewing .jar source code: obtain the .jar with dex2jar, then drag it into JD-GUI to view the source.

jadx

A powerful decompiler with both a command line and a graphical interface; it can view APK, DEX, JAR, AAR and other file formats, and can also export the decompiled source as a Gradle project.

AXMLPrinter2

It can be used to obtain the package name, version number and icon from an APK. It converts binary XML files into plain-text output, e.g. to decompile AndroidManifest.xml:

java -jar AXMLPrinter2.jar AndroidManifest.xml > ok.xml

apksigner

Android 7.0 introduced the new APK Signature Scheme v2. apksigner is the dedicated tool provided by Google for v2 signing and verification.

  • Sign an APK using release.jks (the only key in the keystore):

    apksigner sign --ks release.jks app.apk

  • Sign an APK using a private key and certificate stored in separate files:

    apksigner sign --key release.pk8 --cert release.x509.pem app.apk

  • Verify an APK signature:

    apksigner verify app.apk
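The first thing apksigner verify looks at is the APK Signing Block that v2/v3 signing inserts just before the ZIP central directory. The following is an added Python example (not apksigner's code and not from the original page) that locates that block and reports which scheme IDs it carries; the IDs are those used by Android's apksig (0x7109871a for v2, 0xf05368c0 for v3), and the sample APK is constructed inline with a dummy block that contains no real signature data.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# Block IDs used by Android's apksig: 0x7109871a = v2 signature, 0xf05368c0 = v3 signature
SIG_SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}


def _central_directory_offset(apk: bytes) -> int:
    """Locate the ZIP End-of-Central-Directory record and return the central directory offset."""
    eocd = apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP/APK file")
    return struct.unpack_from("<I", apk, eocd + 16)[0]


def signing_block_schemes(apk: bytes) -> list:
    """Return the signature scheme versions present in the APK Signing Block ([] if there is none)."""
    cd_offset = _central_directory_offset(apk)
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return []
    # Layout: size_of_block | ID-value pairs | size_of_block | magic; both size fields must agree
    block_size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    block_start = cd_offset - 8 - block_size
    if block_start < 0 or struct.unpack_from("<Q", apk, block_start)[0] != block_size:
        raise ValueError("inconsistent APK Signing Block sizes")
    schemes, pos, pairs_end = [], block_start + 8, cd_offset - 24
    while pos < pairs_end:
        pair_len, pair_id = struct.unpack_from("<QI", apk, pos)  # length covers id + value
        schemes.append(SIG_SCHEME_IDS.get(pair_id, "unknown-0x%08x" % pair_id))
        pos += 8 + pair_len
    return schemes


def build_sample_apk(pair_ids=None) -> bytes:
    """Constructed sample: a minimal ZIP; if pair_ids is given, a dummy signing block is spliced in.
    The block carries only the IDs plus zero padding, which is enough to exercise the parser."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
    data = bytearray(buf.getvalue())
    if pair_ids is None:
        return bytes(data)
    eocd = data.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 4 + 8, pid) + b"\x00" * 8 for pid in pair_ids)
    size = len(pairs) + 24  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    struct.pack_into("<I", data, eocd + 16, cd_offset + len(block))  # shift the central directory
    return bytes(data[:cd_offset] + block + data[cd_offset:])
```

An APK that was repackaged with apktool and re-signed only with the old jarsigner flow returns [] here, which is one quick way to spot that the v2 block is missing.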

smali/baksmali

Used to convert dex files to smali files and back.

  • dex to smali:

    java -jar baksmali.jar d classes.dex

  • smali to dex:

    java -jar smali.jar a smali-dir

bytecode-viewer

A GUI reverse engineering tool implemented in Java. It has six built-in decompilers (JD-GUI/Core, Procyon, CFR, Fernflower, Krakatau and JadX-Core), bytecode decompilation with CFIDE, a built-in malicious code scanner, compilation and decompilation of Java classes with the Janino compiler, APK modification via Smali/Baksmali, and quick class decompilation with JD-Core.

androguard

A Python tool set for reverse engineering and malware analysis. It can parse AndroidManifest.xml and resources.arsc, print certificate signatures, decompile APKs, create control-flow graphs, disassemble bytecode and create method call graphs.

appmon

An automation framework, based on Frida, for monitoring and tampering with system API calls of native applications on macOS, iOS and Android. It can scan a system for suspected security problems and can also modify system function logic through scripts, e.g. DeviceID spoofing, GPS spoofing and TouchID bypass.

disassembly

IDA Pro

One of the best static analysis tools; at heart a recursive-descent disassembler that supports Intel x86, Intel x86-64, MIPS, ARM and dozens of other CPU instruction sets.

It can be used to reverse-analyze Android .so dynamic libraries and also supports debugging.

JEB Decompiler

A paid reverse engineering platform that supports decompilation of Android applications and Dalvik bytecode, as well as disassembly of ARM32, ARM Thumb, Intel x86, Intel x86-64 and MIPS32.

shell

Android decompilation tools make it easy to obtain the source code and resource files, modify them and repackage the app. To improve security, an APK can be hardened (packed with a "shell"), which covers code obfuscation, DEX file encryption, extracting DEX method bodies out of the file, SO encryption, dynamic decryption of DEX methods, anti-unpacking, VMP, etc. Shells can currently be roughly divided into four generations, and reverse engineers have studied various unpacking techniques for each of them.

Before Android 4.4 the Dalvik virtual machine was used everywhere, and from 5.0 ART became the default virtual machine. Since most systems on the market today are above version 5.0, most of what is collected here concerns ART unpacking techniques for 5.0 and above.

| Name | Implementation | Principle | Known Android version | Applies to shell |
| --- | --- | --- | --- | --- |
| frida-unpack | Frida hook | Hooks OpenMemory in libart.so or OpenCommon in libdexfile.so to obtain the dex address | 7.0 ~ 10.0 | 1st-generation shells |
| FRIDA-DEXDump | Frida hook | Complete dex: brute-force search of memory for the dex magic number; dex fragments: matched by a few features | 5.0 ~ 12.0 | 1st-generation shells |
| drizzleDumper | ptrace injection | Attaches to the packed APK process with ptrace, searches that process's memory for dex file features and dumps the dex file once found | 5.0 | 1st-generation shells |
| WrBug/dumpDex | Xposed hook | Determines from the APK contents whether the shell is Tencent, 360, Baidu, Bangcle or ijiami (other shells are not supported); hooks Instrumentation.newApplication() and ClassLoader.loadClass() to obtain the dex data from the Application or Activity | 7.0 ~ 10.0 | 1st generation, specific shells |
| ApkShelling | Xposed hook | Hooks java.lang.ClassLoader.loadClass, takes the returned Class object, calls its getDex method by reflection to obtain the Dex object, hands the Dex object to a file-writing thread and deduplicates it; the thread asynchronously reads byte arrays from the queue and writes them to files | 5.1.1 | 1st generation, specific shells |
| DexHunter | Modified Android source | Locates the dex address by a feature string; reads from memory the odex file header up to the data before class_defs, then the data after class_defs; walks each class_def_item and uses the code_item offset to judge whether the method lies within the dex range, otherwise it is classed as extra | 4.4.3 | 2nd generation (instruction extraction) |
| FUPK3 | Modified Android source | Iterates dvmUserDexFiles to obtain the dex, iterates the trigger functions, instruments the parser, intercepts the decrypted code_item and reassembles the array into a dex | 4.4 (Nexus 5 hammerhead) | 3rd generation (dynamic decryption) |
| FART | Modified Android source | Obtains the ClassLoader holding the decrypted dex at a suitable moment, then the corresponding DexFile structure through Java reflection, and dumps the dex; actively calls every method of every class and dumps the corresponding CodeItem; methods extracted from the dex are repaired from the dumped CodeItem | 6.0 (in theory any ART) | 3rd generation (dynamic decryption) |
| AUPK | Modified Android source | Whether or not the shell disables dex2oat, class initialization always runs the Execute function, which is modified to obtain the ArtMethod object and then the DexFile object; gets all ArtMethod objects from the Class objects in the dex and actively calls them so the shell restores the code_item, backfills the code_item and partially restores the magic field in dex_header | 7.1.1 (Nexus 5X) | 3rd generation (dynamic decryption) |

There are many other unpacking tools, such as ZjDroid, DexExtractor, Android-Unpacker and dexdump, that are not listed one by one here; readers who are interested can study their source code for the implementation principle.
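Several of the dumpers in the table find a dex in memory by its magic number and write out whatever follows, so the header of a dumped file is often inconsistent (the table notes that AUPK has to partially restore the magic field), and dex2jar or jadx will reject it. As an added example, not code from any of these projects or from the original page, here is a Python checker for the header fields a dump most often loses, with a routine that recomputes them; the sample dex is constructed inline as a bare header plus padding (no real sections), and the 035 magic substituted by the repair is an assumption.

```python
import hashlib
import struct
import zlib

DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
HEADER_SIZE = 0x70  # fixed dex header length


def check_dex_header(dex: bytes) -> dict:
    """Validate magic, checksum, signature and file_size of a dex header (all False if too short)."""
    result = {"magic_ok": False, "checksum_ok": False, "signature_ok": False, "file_size_ok": False}
    if len(dex) < HEADER_SIZE:
        return result
    result["magic_ok"] = dex[:8] in DEX_MAGICS
    checksum, = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size = struct.unpack_from("<II", dex, 32)
    # checksum is Adler-32 over everything after the checksum field; it does NOT cover the magic
    result["checksum_ok"] = checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)
    # signature is SHA-1 over everything after the signature field
    result["signature_ok"] = signature == hashlib.sha1(dex[32:]).digest()
    result["file_size_ok"] = file_size == len(dex) and header_size == HEADER_SIZE
    return result


def repair_dex_header(dex: bytes) -> bytes:
    """Rewrite magic, file_size, signature and checksum so a damaged dump parses again."""
    buf = bytearray(dex)
    if bytes(buf[:8]) not in DEX_MAGICS:
        buf[:8] = b"dex\n035\0"  # assumption: a 035 dex; use the real version if it is known
    struct.pack_into("<II", buf, 32, len(buf), HEADER_SIZE)
    buf[12:32] = hashlib.sha1(buf[32:]).digest()   # signature before checksum: checksum covers it
    struct.pack_into("<I", buf, 8, zlib.adler32(buf[12:]) & 0xFFFFFFFF)
    return bytes(buf)


def build_sample_dex() -> bytes:
    """Constructed sample: a header plus 16 bytes of placeholder payload with consistent fields."""
    body = bytearray(HEADER_SIZE) + b"\x00" * 16
    body[:8] = b"dex\n035\0"
    struct.pack_into("<I", body, 36, HEADER_SIZE)  # header_size
    struct.pack_into("<I", body, 40, 0x12345678)   # endian_tag (little-endian constant)
    return repair_dex_header(bytes(body))
```

Note that zeroing the magic leaves checksum and signature valid, so a dump whose magic was wiped looks intact to a checksum-only check; the magic has to be tested separately.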

Network analysis

Wireshark

A cross-platform PC network packet analyzer supporting Windows, macOS, Linux and other systems. Its protocol support is very comprehensive; it can capture HTTPS packets but does not decrypt them.

It uses WinPcap as its capture interface, exchanging packets directly with the network card.

Charles

A PC packet capture and analysis tool (paid software). It works as a proxy, supports Windows, macOS and Linux, captures HTTP and HTTPS traffic, and can decrypt HTTPS.

Fiddler

Fiddler Everywhere is a cross-platform, proxy-based tool that supports HTTP and HTTPS packet capture and analysis.

HttpCanary

A powerful packet capture tool for the Android platform; it supports HTTP, HTTPS, WebSocket and other protocols, as well as data filtering, request injection, request export and other functions.

Packets can be captured without root, but on Android 7.0 and higher root permission is still needed to install HTTPS certificates.

AndroidHttpCapture

AndroidHttpCapture is mobile packet capture software developed for intercepting mobile traffic; it can be regarded as the Android version of Fiddler. Its main functions are mobile packet capture, PING/DNS/TraceRoute diagnosis, and HAR capture with upload and sharing.

Burp Suite

An integrated platform for attacking web applications, developed in Java and containing a number of tools.

Burp Suite provides interfaces between these tools to speed up the process of attacking an application. All tools share one request and can handle the corresponding HTTP messages, persistence, authentication, proxying, logging and alerts. Common functions include packet capture, replay and brute forcing.

Magisk module

EdXposed complete framework

A Magisk module that installs the complete EdXposed environment very conveniently; it bundles Riru, EdXposed, EdXposed Manager and other parts.

ADB Root

Lets ADB obtain root permission through the adb root command.

MagiskFrida

Has Magisk run frida-server as root at startup.

Xposed module

RootCloak

Hides root to bypass application root detection.

JustTrustMe

Disables or bypasses SSL certificate checking by hooking all methods that verify SSL certificates.

JustTrustMePlus

An updated version of JustTrustMe that also handles obfuscated OkHttp.

TrustMeAlready

Bypasses SSL certificate checking and certificate pinning (Mattia Vinci).

AndroidIdChanger

View and modify Android device information: IMEI, Android ID, Wi-Fi MAC, serial number, Wi-Fi SSID, phone number, Bluetooth MAC, Google Ad ID, Wi-Fi BSSID, IMSI, SIM card status, operator information, device model, manufacturer, brand, system version, CPU_ABI, CPU_ABI2, SDK, build ID, resolution, IP, etc.

other

SafetyNet

Google's anti-abuse API that lets app developers evaluate the Android devices running their apps. It should be used as part of an abuse detection system to help determine whether your server is interacting with a genuine app running on a genuine Android device.

ndk_dlopen

An implementation that helps bypass the classloader namespace restrictions introduced in Android N.

reference

  • Getting to know Magisk

  • Android reverse: Xposed

  • Android FART unpacking process analysis