Debugging smali with Android Studio

Preparation

Some notes on the steps used during debugging

Locating data
1. Add logging to functions.
2. Using the length of the data, add logging where malloc requests a buffer of exactly that length, and locate the function that way.
3. Set a breakpoint where the memory is written and inspect the original value.
4. If a write breakpoint cannot be set on the original address, trigger an exception at that memory location instead.
5. Write a script that watches the memory contents in real time; as soon as the memory is modified, suspend all threads, then use the function logs to infer which function wrote the memory.
6. Alternatively, put a memory-check routine at the head of every function and suspend the threads as soon as the memory is found to be modified.
7. Inject an .so and dump the maps; some dex files may be obfuscated on disk but intact in memory, so try dumping memory.
   Or debug remotely with IDA and then dump (recommended).

1. Download the latest apktool.jar and unpack the apk

java -jar apktool_2.4.0.jar d .\app-release.apk -o app

2. Capture the app's requests with an external tool (HttpAnalyzer, Fiddler (port 8888)) and check whether they can be replayed

Suppose they can be replayed but the returned value is ciphertext; then the decryption inside the apk has to be analysed further.

3. Suppose the returned value contains a keyword such as xxxx; search for it in the decompiled app.

  a. A result is found -> continue the analysis

  b. No result is found; then fetch the files from the app's own data directory, tar them up, pull them back and search again

4. In the second case, pack the files with tar

adb shell
su
cd /data/data/xxx
tar -cvf xxx.tar xxx    # if this fails, copy the files to the sdcard first
cp xxx /sdcard
tar -cvf /sdcard/bao.tar /sdcard/xxx
exit
adb pull /sdcard/bao.tar ./

5. Search the pulled-back package for the keyword xxxx; it may be in some dex or in smali

  If it is only in a dex, the app uses some kind of packing (shell) technique: the dex is released at runtime, possibly in several stages, or it was packed as a resource at build time and stored under assets or a similar directory

6. Decompile the dex to obtain the smali files, then start dynamic debugging

7. Open the monitor program, find the xx apk's process and right-click it so it is bound to port 8700; then open Android Studio and import the directory unpacked in step 1

  In the run configurations, click + and set up a Remote configuration with port 8700

8. Start the app, mark the needed smali files as code ("as code") in Android Studio, set breakpoints at the key locations found in step 3, and start debugging

  With luck, this yields the important functions

PS: if it reports that it cannot connect after attaching, use the command

jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700

9. For an app that uses HTTP requests, to obtain its final values: if it uses okhttp3, a breakpoint can be set at dealCallBackResult

PS: repackaging failure

java -jar apktool_2.4.0.jar b .\app\

After building, errors are reported: all sorts of things cannot be found

W: \.\app\AndroidManifest.xml:1: error: No resource identifier found for attribute 'compileSdkVersion' in package 'android'
W:
W:\.\app\AndroidManifest.xml:1: error: No resource identifier found for attribute 'compileSdkVersionCodename' in package 'android'
W:
W: \.\app\AndroidManifest.xml:36: error: No resource identifier found for attribute 'appComponentFactory' in package 'android'

You can try creating a framework folder inside the directory to be repackaged, then repackage with -p pointing at it

java -jar apktool_2.4.0.jar b .\app\ -p framework -o 123.apk

This time the build succeeds

java -jar apktool_2.4.0.jar b .\app\ -p framework -o 123.apk
I: Using Apktool 2.4.0
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether sources has changed...
I: Checking whether resources has changed...
I: Building resources...
I: Copying libs... (/lib)
I: Building apk file...
I: Copying unknown files/dir...
I: Built apk...

Download links for dex2jar and related tools

https://github.com/pxb1988/dex2jar

https://github.com/JesusFreke/smali/wiki/smalidea

Notes:
1. The apk contains multiple dex files; at present this is always the case.
2. If, after decompiling the apk on its own, you see classes2, classes3 and so on, there are multiple dex files.
3. In that case you cannot directly use the default apk-to-dex conversion tool, because it converts only the single classes.dex.
4. The correct approach is to unpack the apk with 7z or another extraction tool to get the multiple dex files inside (an apk is essentially a zip archive).
5. Then convert each dex to a jar with dex2jar and open them with JD-GUI; the result matches what you see when debugging smali in Android Studio.
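Since the notes above depend on treating the apk as a zip and on telling a dumped odex apart from a dex, here is an added example (not from the original post) that lists every classes*.dex inside an apk, reads the dex header to classify it as dex or odex, and checks the declared file size and the Adler-32 checksum, which is a quick way to spot a truncated or memory-dumped file before handing it to dex2jar. The apk it parses is constructed in memory.

```python
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70  # fixed header size for dex versions 035-039

def parse_dex_header(data):
    """Parse the dex header; report kind (dex/odex), version and integrity."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a dex file")
    magic = data[:8]
    kind = {b"dex\n": "dex", b"dey\n": "odex"}.get(magic[:4])
    if kind is None:
        raise ValueError("unknown magic %r" % magic)
    (checksum,) = struct.unpack_from("<I", data, 8)
    (file_size,) = struct.unpack_from("<I", data, 32)
    return {
        "kind": kind,
        "version": magic[4:7].decode("ascii"),
        "size_ok": file_size == len(data),
        # the Adler-32 stored at offset 8 covers everything from offset 12 onward
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
    }

def list_dex_entries(apk_bytes):
    """Return {name: header info} for every classes*.dex inside the apk (a zip)."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                result[name] = parse_dex_header(zf.read(name))
    return result

def make_fake_dex(magic=b"dex\n035\x00", good_checksum=True):
    """Constructed sample: a header-only dex with a valid or deliberately broken checksum."""
    body = bytearray(DEX_HEADER_SIZE)
    body[:8] = magic
    struct.pack_into("<III", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678)
    checksum = zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF
    struct.pack_into("<I", body, 8, checksum if good_checksum else checksum ^ 1)
    return bytes(body)

def make_fake_apk():
    """Constructed multi-dex apk; classes2.dex carries a broken checksum."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", make_fake_dex())
        zf.writestr("classes2.dex", make_fake_dex(good_checksum=False))
    return buf.getvalue()
```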

Dumping dex from an Android app's maps

Copy the IDA remote debugging server onto the Android device

127|root@HM2014812:/data/local/tmp # ./android_server

IDC script

// Dump the bytes in [begin_address, end_address) from the debuggee's memory into a file
static fun1(begin_address, end_address, save_name)
{
    auto fp, dexbyte;
    fp = fopen(save_name, "wb");
    if (fp == 0)
        return;  // could not create the output file
    for (dexbyte = begin_address; dexbyte < end_address; dexbyte++)
        fputc(Byte(dexbyte), fp);
    fclose(fp);
}

static main()
{
    // address ranges taken from /proc/<pid>/maps of the debugged process
    fun1(0xa40d8000, 0xa492e000, "d:\\xx\\001.dex");
    fun1(0xa40af000, 0xa40d8000, "d:\\xxn\\002.dex");
    return 0;
}

How to debug the app with IDA and obtain a dump

1. adb shell

ps | grep xx

to obtain the pid

cat /proc/<pid>/maps

adb forward tcp:23946 tcp:23946
jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8700
adb shell "dumpsys activity top"
adb shell am start -D -n com.qimingpian/.ui.main.MainActivity
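As an added example (not part of the original post), the script below parses the /proc/<pid>/maps output from the step above, keeps the mappings backed by dex/odex/jar files, merges contiguous chunks of the same file into one range, and prints the fun1() calls for the IDC dump script; the sample maps text is constructed (its address ranges reuse those in the IDC script, the package name is a placeholder) and the d:\dump output directory is an assumed placeholder.

```python
import re

# one /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)

def parse_maps(text):
    """Turn maps output into a list of (start, end, perms, path) tuples."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:  # skip blank or unexpected lines
            start, end, perms, _off, _dev, _inode, path = m.groups()
            regions.append((int(start, 16), int(end, 16), perms, path))
    return regions

def dex_regions(text):
    """Mappings backed by a dex/odex/jar file, with adjacent chunks of one file merged."""
    merged = []
    for start, end, _perms, path in parse_maps(text):
        if not path.endswith((".dex", ".odex", ".jar")):
            continue
        if merged and merged[-1][1] == start and merged[-1][2] == path:
            merged[-1] = (merged[-1][0], end, path)  # same file, adjacent: extend
        else:
            merged.append((start, end, path))
    return merged

def idc_calls(text, out_dir="d:\\dump"):
    """One fun1(...) call per region, ready to paste into the IDC script's main()."""
    lines = []
    for i, (start, end, _path) in enumerate(dex_regions(text), 1):
        target = "%s\\%03d.dex" % (out_dir, i)
        # IDC string literals need the backslashes escaped, as in the script above
        lines.append('fun1(0x%x, 0x%x, "%s");' % (start, end, target.replace("\\", "\\\\")))
    return lines

# Constructed sample in /proc/<pid>/maps format; the address ranges reuse those
# in the IDC script above, the package name is a placeholder.
SAMPLE_MAPS = """\
a40af000-a40d8000 r--p 00000000 b3:19 4711  /data/dalvik-cache/arm/data@app@com.example-1@base.apk@classes.dex
a40d8000-a492e000 r--p 00029000 b3:19 4711  /data/dalvik-cache/arm/data@app@com.example-1@base.apk@classes.dex
a5000000-a5100000 rw-p 00000000 00:00 0     [anon:dalvik-main space]
b6f00000-b6f20000 r-xp 00000000 b3:19 999   /system/lib/libc.so
"""
```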

Viewing the memory location

https://blog.csdn.net/u010019468/article/details/78491815

The dumped dex is an odex and needs converting

https://blog.csdn.net/u010019468/article/details/78617110

java -jar baksmali-2.3.jar d 001.odex -o out1
java -jar smali-2.2.2.jar a out1 -o 001.dex
d2j-dex2smali.bat classes0.dex



Debugging an application

Note: Single-instruction stepping is only supported in IDEA 14.1 and greater, and any future version of Android Studio based on IDEA 14.1 or greater. In earlier versions, attempting to single step will step to the next .line directive, instead of stepping to the next instruction.

  1. Manually disassemble an application using baksmali into a "src" subdirectory of a new project directory, e.g. baksmali d myapp.apk -o ~/projects/myapp/src
  2. In IDEA, import a new project, and select the project directory. e.g. ~/projects/myapp
  3. Use the "Create project from existing sources" option when importing the project
  4. Once the project has been created, right click on the src directory and select "Mark Directory As->Sources Root"
  5. Open the project settings and select/create an appropriate JDK
  6. Install/start the application on the device
  7. Run ddms, and select the application's process
  8. In IDEA, Create a new "Remote" debug configuration (Run->Edit Configurations), and change the debug port to 8700
  9. Run->Debug
  10. The application should pause if/when the breakpoint is hit, at which point you can single step, add watches, etc.

or do the following in recent Android Studio 3.2:

  1. Manually disassemble an application using baksmali into a "src" subdirectory of a new project directory, e.g. baksmali d myapp.apk -o ~/projects/myapp/src
  2. In Android Studio, close your current project and select "Open an existing Android Studio project".
  3. Once the project has been created, right click on the src directory and select "Mark Directory As->Sources Root"
  4. Make sure your app has android:debuggable="true" in Android Manifest. Turn on "USB debugging" and use "Select debug app" to select your app in "Developer options" on Android device
  5. Start your application and forward JDWP service to localhost using adb forward tcp:8700 jdwp:$(timeout 0.5 adb jdwp | tail -n 1)
  6. In Android Studio, Create a new "Remote" debug configuration (Run->Edit Configurations), and change the debug port to 8700
  7. In Android Studio, select Run -> Debug
  8. The application should pause if/when the breakpoint is hit, at which point you can single step, add watches, etc.
posted @ 2019-08-12 18:57