原理

安卓7.1（含，及以下）

Class類對象種含有Dex結構體，利用這個可以脫殼

高版本

inline hook libart.so 中 OpenMemory 函數

const DexFile* DexFile::OpenMemory(const byte* base,size_t size,const std::string& location,uint32_t location_checksum,MemMap* mem_map,const OatFile* oat_file,std::string* error_msg)

問題

dlopen failed: couldn't map "/data/local/tmp/libnativeDump.so" segment 1: Permission denied

方法
1 放到相關應用私有目錄
System.load(“私有目錄”)

2 放到 /system/lib 目錄下，注意64為lib64
System.loadLibrary(“nativeDump”);

步驟

Xposed hook ClassLoader.loadClass 方法即可得到Class對象

在應用attcah Context時后hook，此時殼還未加載代碼，具體可查看參考Android App的啟動流程

public static void hook(final LoadPackageParam lp) throws Throwable {XposedHelpers.findAndHookMethod(Application.class, "attach", Context.class, new XC_MethodHook() {@Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {XposedHelpers.findAndHookMethod(ClassLoader.class, "loadClass", String.class, boolean.class, new XC_MethodHook() {@Overrideprotected void afterHookedMethod(MethodHookParam param) throws Throwable {Class result = (Class) param.getResult();if (result != null) {String name = result.getName();if(name.startsWith("android") || name.startsWith("org") || name.startsWith("java")){return;}dumpdexImp(result);}}});}}); }

dump

private static void dumpdexImp(Class<?> aClass) {Object dexCache = XposedHelpers.getObjectField(aClass, "dexCache");Object o = XposedHelpers.callMethod(dexCache, "getDex");byte[] dexBytes = (byte[]) XposedHelpers.callMethod(o, "getBytes");//Environment.getExternalStorageDirectory().getPath()String sd_dex_path = "/sdcard/Pictures/dex_"+ dexBytes.length +".dex";File dexFile = new File(sd_dex_path);if (dexFile.exists()) {return;}write(dexFile, dexBytes); //偽代碼}

參考

dumpDex
Android App的啟動流程

總結

以上是生活随笔為你收集整理的安卓脱壳原理的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。