Home Android 看这个总结篇 反编译 360加固后的脱壳 使用 Frida+葫芦娃的frida Dexdump可以秒级搞定 Apk Decompile Frida Frida Server Android
Post
Cancel

Android 看这个总结篇 反编译 360加固后的脱壳 使用 Frida+葫芦娃的frida Dexdump可以秒级搞定 Apk Decompile Frida Frida Server Android

Posted 2021-06-09 5 min read

参考: https://segmentfault.com/a/1190000039007086

折腾了2天.  终于解决了问题 . 使用路径如标题所示. 

个人备注:放在了我的笔记本linux ubuntu-20目录下。 /workspace/test_frida目录。哈哈

第一步 脱壳

1. 需要将 android 设备root

2. 该设备上安装好magisk (root设备默认是安装的)

3. 安装好magisk module : adb root

4. pc 端 安装好frida-tools

参考: http://siwei.me/blog/posts/frida-frida

( pip3 install frida-server )

5. android端 运行frida-server    (见5.1 , 5.2 ...)

(具体参考这里:http://siwei.me/blog/posts/frida-frida )  , 此时通过pc 端 $ frida-ps -U  命令,可以看到输出.

5.1 PC端:

$ adb root

$ adb shell

5.2 (adb-android) # cd /data/local/tmp (假设你的 frida-server 被解压缩到了这里)

5.3 (adb-android) # su root

5.4 (adb-android) # ./frida-server -v  (注意这里的-v 一定要加上,这样遇到报错就知道了。)

如果没报错,就说明 android 上的frida-server跑起来了。

以上 步骤都可以在我前几篇帖子中看到,不再赘述. 特别是第五步有坑  

6. pc端 下载好 frida-dexdump:  $ git clone https://github.com/hluwa/FRIDA-DEXDump.git

7. android 端运行你希望反编译的app.

8. pc端运行:  

frida_dexdump$ python3 main.py    

然后就可以看到下面的输出. ( 

8.1 耗时几秒吧, 

8.2 需要先把app 运行, 该程序就会自动获得 package name, 不需要手动指定. 

8.3 该步骤有可能报错, 不要紧,再运行一次就好了. )

--------------------------------------------------------------------------------------------------------------------------------------------------
                               ____________ ___________  ___        ______ _______   _______
                               |  ___| ___ \_   _|  _  \/ _ \       |  _  \  ___\ \ / /  _  \
                               | |_  | |_/ / | | | | | / /_\ \______| | | | |__  \ V /| | | |_   _ _ __ ___  _ __
                               |  _| |    /  | | | | | |  _  |______| | | |  __| /   \| | | | | | | '_ ` _ \| '_ \
                               | |   | |\ \ _| |_| |/ /| | | |      | |/ /| |___/ /^\ \ |/ /| |_| | | | | | | |_) |
                               \_|   \_| \_|\___/|___/ \_| |_/      |___/ \____/\/   \/___/  \__,_|_| |_| |_| .__/
                                                                                                            | |
                                                                                                            |_|
                                                   https://github.com/hluwa/FRIDA-DEXDump
--------------------------------------------------------------------------------------------------------------------------------------------------

03-16/18:59:56 INFO [DEXDump]: found target [19593] com.vip.lueluelue
[DEXDump]: DexSize=0x2568, DexMd5=46003f6002c1afd2a00f54397537e779, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x7423450430.dex
[DEXDump]: DexSize=0x6488a0, DexMd5=0ae7f9a20cd8ed14fed7dd36af445ce7, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x74836c8000.dex
[DEXDump]: DexSize=0x6aada4, DexMd5=57725757271ebd1b75e6a802d1845ab4, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x7483d17000.dex
[DEXDump]: DexSize=0xb230, DexMd5=09e0fbff3f0176d2fa3cc32dbb5ee8ca, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x7484d7a030.dex
[DEXDump]: DexSize=0xb230, DexMd5=3762036104e74864e9f60542d802cf3c, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x74864c6c80.dex
[DEXDump]: Skip duplicate dex 0x7487ef8030<09e0fbff3f0176d2fa3cc32dbb5ee8ca>
[DEXDump]: DexSize=0x6b1cf4, DexMd5=af286664898ae848f4b1c653a64eb097, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x74d5e46ce0.dex
[Except] - Error: access violation accessing 0x74dd5dc000
    at  (frida/runtime/core.js:127)
    at memorydump (/script1.js:110)
    at apply (native)
    at  (frida/runtime/message-dispatcher.js:13)
    at c (frida/runtime/message-dispatcher.js:23): {'addr': '0x74dd3c9d00', 'size': 6614352}
[DEXDump]: DexSize=0x11c, DexMd5=f1771b68f5f9b168b79ff59ae2daabe4, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x74df9c4a8e.dex
[DEXDump]: DexSize=0x6dc, DexMd5=64ef4bb92459668cb1366f3d9e9abb63, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x74e63a4010.dex
[DEXDump]: DexSize=0x695a8, DexMd5=8345c73b46814e1384ff8462248b23af, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x74e640702c.dex
[DEXDump]: DexSize=0x1274a4, DexMd5=ecf7cddd075183ac84db1677966211d0, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x74ed8bc0b8.dex
[DEXDump]: DexSize=0x1557b4, DexMd5=e920130e06b5687afe980ddb8e3b4425, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x74ed9e402c.dex
[DEXDump]: DexSize=0x3255c8, DexMd5=ae45f4819db6771a26a82e74e06781f4, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x74edb3a4b4.dex
[DEXDump]: DexSize=0x4b7c0c, DexMd5=35829ed49150ab7d8357288b61c7358f, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x74ede60554.dex
[DEXDump]: DexSize=0xecfc, DexMd5=2dd14f384bfe4741e5a9463e12c79c89, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x757225702c.dex
[DEXDump]: DexSize=0x63e40, DexMd5=ff10edb26d2b46ddec856c9e8f42ef8b, SavePath=/workspace/test_frida/FRIDA-DEXDump/frida_dexdump/com.vip.lueluelue/0x7573c4602c.dex

然后, 在PC端当前路径下,会看到生成了一系列的.dex文件:

com.vip.lueluelue/0x74ede60554.dex
com.vip.lueluelue/0x74edb3a4b4.dex
com.vip.lueluelue/0x74864c6c80.dex
com.vip.lueluelue/0x7573c4602c.dex
com.vip.lueluelue/0x74e640702c.dex
com.vip.lueluelue/0x74e63a4010.dex
com.vip.lueluelue/0x74ed9e402c.dex
com.vip.lueluelue/0x757225702c.dex
.....

第二步 dex -> jar 

使用d2j-dex2jar 命令即可.  记得用这个版本  https://github.com/DexPatcher/dex2jar/releases

例如:

$ d2j-dex2jar.sh *.dex -d --skip-exceptions -f

就会执行批处理了

第三步  jar -> java

使用 jd-gui, 找到目标jar, 然后 save all

这里也可以使用命令行( jd-cli , 参考这里:http://siwei.me/blog/posts/java-jd-gui-jar-class-jd-gui )

第四步 获得 AndroidManifest.xml 

这里使用 apktool 

$ apktool d target.apk 

就可以获得 了.

有了AndroidManifest + core source code, 就整齐了.

注意:

1. frida-dex-dump 不是100%会成功. (在获得dex的步骤), 所以,有2个可选:

1.1 unzip apk

1.2 apktool d <apk_file>

1.3 d2j-dex2jar <apk_file>

2. 如果你的 dump server 安装在了 /data/local/tmp 目录下, 然后发现 首次可以脱壳,第二次以后就无法得到正确的dex的话,删掉该目录下的re.frida.server 文件夹 ,应该是这里有缓存的原因

merlin:/data/local/tmp # ls -altrh
total 97M
drwxr-x--x 5 root  root  4.0K 2010-01-01 08:05 ..
-rwxr-xr-x 1 root  root   39M 2021-11-01 17:37 frida-server-14.2.13-android-arm64
-rwxrwxrwx 1 root  root    10 2021-12-19 09:37 hihihi
drwxrwx--x 5 shell shell 4.0K 2021-12-19 09:38 .
drwxr-xr-x 2 root  root  4.0K 2021-12-19 16:03 re.frida.server

3. 重新安装apk 文件. 

This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents