问答
发起
提问
文章
攻防
活动
Toggle navigation
首页
(current)
问答
商城
实战攻防技术
漏洞分析与复现
NEW
活动
摸鱼办
搜索
登录
注册
安卓学习思路方法总结(四)
移动安全
分享者才是学习中最大的受益者
这是系列文章的第四篇 我们继续 Android Studio动态调试 ------------------ ### 前言 Android Studio本身并不可以反编译APK 开发用的比较多 它通过导入反编译出来的完整的的Smali代码,然后设置好调试所需的条件,设置断点 断点准备好的条件后,连接模拟器运行待调试的APK的应用程序,然后执行程序的流程运行到Smali代码的时候,断点处会触发一个断点会自动断下来,从而可以进一步分析和调试,整个程序会非常的清晰。 ### 安装 首先来安装一下 ```php https://ibotpeaches.github.io/Apktool/ https://bitbucket.org/JesusFreke/smali/downloads/ https://developer.android.google.cn/studio/ ``` ![image-20210805161808409](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-786bbe1801ff94dd3a3867127248fbabc8390f13.png) 一路默认过去就可以 ![image-20210805161919811](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-d5753b3667c592efe4004cac52288d5f671630b6.png) ![image-20210805161947592](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7162b0b4aadbdc905d20d5fd75712eedd0791d60.png) ![image-20210805162017553](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-b83bf47cb5d379a24b44e0fa140f746d3f9bc4c9.png) ![image-20210805162042442](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-a04ab13348f0ffe509149be19ab356e4e830c8af.png) 然后一路next ![image-20210805164600449](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-9bf42e26a970da23dc9100131690e28484fb1944.png) ### 导入项目包 既然Android Studio不可以反编译 那么我们就首先把APK丢到Android Killer中 ![image-20210805164909385](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-3ed3694d84044ac6ec3574abea5b7a10ab59261c.png) ![image-20210805164932533](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-1c361c0b7b3f2c9cc619002c22e782689a39cf54.png) ![image-20210805164954328](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7878adbb33ad9d63f4de9f42dd788cd10855499a.png) 我们要的就是这个 反编译完的项目包--Project ![image-20210805165135999](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-1de79c8130fe07d60ed2cb2e9e8548106d67db4c.png) ![image-20210805165231324](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-c79aa04b00024951ad03897ffae640bd8ec87d95.png) ![image-20210805165252591](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-5c0a406d57492fbf72613fef5f2ac0f71426c2b1.png) 然后继续一路默认即可 ![image-20210805165606553](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-6e946c6a1f92fd421cb240771d4bfe3eaf7a7804.png) ![image-20210805165942265](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7d56f1201a52cec5ef1dded6274e5fb1a3b9bd46.png) ### 添加插件 ![image-20210805170030847](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-d00a443b6b67c4b6ebe051b777a95db93a70f59f.png) ![image-20210805170250468](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-d43b07af93a30f79621e5be11bef45d02134bdaf.png) ![image-20210805170511650](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-505da51e9a0474d5d4143911ec28b392b49aa7b2.png) ### 给项目root权限 ![image-20210805170646825](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-06d00417edc7ade7881fa8cc3537d22cabd73320.png) ![image-20210805170718958](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-98370d8979bee407f9d0b0145dc002a702998ccb.png) ### 设置sdk ![image-20210805170835000](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-a70ff4174064365563330191948941644c5576e7.png) ![image-20210805170852032](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-b09653b5d43bb33ccab033d397834e804fd2f860.png) ![image-20210805171011400](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-fd7976bbe72aeea8677078a93ead7e6515f08a57.png) ### 远程调试 ![image-20210805171117366](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-8ab6ea7bd20d2c21e6d1ce4a8d11be97deadb2c5.png) ![image-20210805171147129](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-c61298045f8ebb3ae3b1852881c26d646d1ac62c.png) ![image-20210806115137056](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-061e56bfa08f0767b1114886bce4f2f5213e70a3.png) 自定义Name 端口不要被占用 选中项目文件夹 即可 ![image-20210805171407483](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-ebd6bf3311d49f08c02ca2a87c994204e496557a.png) ### 安装补丁 ![image-20210805232842375](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-8f53293d0f61a32d3ad53ba4312453e7ff6b0fe8.png) adb基本操作 ------- #### 识别设备 ```php adb devices ``` ![image-20210806115248075](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7efb3e106a8904227ec263d5734c125f67910a66.png) 这个就是我的安卓机 #### 进入安卓机 ```php adb shell ``` ![image-20210806115315667](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-0d6594de1d56b6131a6782d89b96ad8dba2f5b44.png) 之前有提到过的 ![image-20210806000641560](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-0ab56e03b5125323397fa026a9f4294ff50000ec.png) 安卓的底层操作系统是Linux操作系统 这个安卓机 我已经将它root过了 #### 查看进程 ```php adb shell ps ``` ![image-20210806115350484](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-f7e7b2ff06aa2c660643e71abc533a5892a4adba.png) 参数解释 ```php adb shell ps PID:ID PPID:父进程ID VSIZE:进程的虚拟内存大小kb单位RSS:实际占用的大小 RSS:实际占用的大小 WCHAN:进程睡眠的函数名称 PC∶电脑内核函数名称 NAME:包名 ``` 注册机破解 ----- 安卓机中打开注册机程序 ### 项目的入口点 我们找一下 ![image-20210805172823537](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-fc232dfca231b17d583e033ad04dfae8eff224e7.png) 然后我们重新看进程 ```php adb shell ps ``` ![image-20210806115419773](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-ff6a95ad5fc81bf54047ff876ddccc173ac4affc.png) PID就是:2550 进行转发端口 进行调试 简单来讲 就是把模拟器中的注册机程序和Android Studio进行联动起来 ```php adb forward tcp:8700 jdwp:13362 ``` ![image-20210806115531211](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-26a8bdd41ee99d39191ddb6507c350019fd85fa2.png) 设置好指定程序后 ### 进行debug ![image-20210806115618788](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-2f59d7902878d0ce06d086c829435cf963f3e742.png) 成功连接 这里记录一个 万能重启命令 ```php adb kill-server adb start-server adb remount ``` 我们找到`checkSN()`下断点 ![image-20210806120336205](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-be59641b525be37a755d25d3849be8bc7c28a27d.png) 然后上安卓机 打开注册机APK ![image-20210806131830131](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-9ce0d49adf8a13b5594bae3c675b5cd7ffbddb04.png) ![image-20210819151705175](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-8714d60c98d7b1f2aca5a2095cf7f0bed732604a.png) 点击注册 ![image-20210806120535690](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-886454c7547e69a4eb8045d4906aab4ed665c3c2.png) 这时候会自动断点跳转到`const/4 v7, 0x0` ![image-20210806120736806](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-818318b3f8d7fc00461199129bfde09c7544ef25.png) ```php F7:单步步入F8:单步步步F9:跳转到下一个断点 ``` 当我们F8 一步步向下走之后 ![image-20210806121942195](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-ae721b6da06906d6dc3da03a19abf24b8fc2faa1.png) 看到了跳转MD5算法 开始拼接sb 继续向下走 ![image-20210806122051127](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-8758199429c68ea82eef8ffc37c7200c2f2443eb.png) 开始循环拼接sb ![image-20210806122241886](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-4f52cd5e003d665cef93d75554010c98f9765cde.png) ![image-20210806122257037](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-def88521021ff698eb6c75e75a18199ef85d8acf.png) ```php userSN="8d9d5d4c03dd33d5" ``` 这个就是我们的注册码 总共循环了32次 在往下走 就跳出循环了 ![image-20210806122329691](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-23ebcea51c904b0d0f89c3a4b6ed34505f2becdb.png) 尝试注册码 注册 ![image-20210806131716293](https://gitee.com/work-hard-every-day/test/raw/master/img/202108121617137.png) IDA动态调试 ------- ### 安装 可以看这里:[安卓(一)](https://www.freebuf.com/articles/mobile/280471.html) ### Android Killer反编译APK 当我们拿到一个APK 进行Android Killer进行反编译 ![image-20210806102309507](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-2137d766314a678f70f233d467f5c3d9208996d3.png) 导出文件 ![image-20210806102403016](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-f80ead7f63c706fa19873ea7bbc181bd60d95d37.png) ![image-20210806102416377](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7713843895d890bb24794fe83d0a53eb8b5bb01e.png) ![image-20210806102432197](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-84d3bc87c9182c83d9b6bfe9e73aa28a6c8c08dd.png) ![image-20210806104219599](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-4fca64e37afee0e4243416477fbc73dfafadf4c6.png) 我们找的就是这个`.so`文件 ### 打开IDA ![image-20210806101614285](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-ef8b43bc0ac28efbd548953cd369f8b67245417e.png) ![image-20210806101640818](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-1972be4b029e6f60bf58c70a01ba1268dcbd6cd5.png) 当我们把so文件直接丢进来之后 会有一个弹窗 ![image-20210806104415226](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-e5a07c39bcb62a5d202bbb5fb9f5ad5c84ce035b.png) IDA提供了两种方法去解析 `ELF`就是so的一个文件格式 `Binary file`是二进制文件格式 那肯定是选第一个咯 ![image-20210806104723113](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-d98b0cc5c7eeb183f4653f0d1f3a8fb8a4a3487e.png) 然后呢 这个包下除了`.so`文件 还多出好多文件 ![image-20210806104817404](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-769e3dcf924373183fc1fc27695675f3d10366a3.png) IDA是递归下降的反汇编工具 ![image-20210806140455305](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-bb98a8e965712d767e8f64e606d3b434fda7c142.png) 地址越来越大 这里是导航条 ![image-20210806140538676](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-4f61be5c10fb67445488ae070e1869592468f71c.png) ```php 蓝色:表示常规的指令函数- 深蓝:用户写的函数编译后的代码区- 浅蓝:编译器自己添加的函数,像启动函数,异常函数等等黑色:节与节之间的间隙#禁区,不存在任何数据银白色:数据内容粉色:表示外部导入符号#有关输入表的一些数据信息暗黄色:表示IDA未识别的内容 ``` ### 主界面 ```php IDA View三种反汇编视图:文本视图、图表视图、路径视图Hex View:十六进制窗口Imports:导入函数窗口Struceures:结构体窗口Exports:导出函数窗口Enums:枚举窗口Strings:字符串窗口 ``` ![image-20210806140958295](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-8f84f156cdda77c9df84cc92c8d773b3c57f89b7.png) ![image-20210806141437961](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-e5d62b802d947d478bc7c3339adf87218fe063e6.png) 十六进制 修改 按F2即可 默认是6张表 表的添加这里 ![image-20210806141607633](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-a07a80bf786fb56fe489c874a7b6ac7ccc4ad1c2.png) ### 快捷键 ```php 空格键:切换文本视图与图表视图ESC:返回上一个操作地址G:搜索地址和符号N:对符号进行重命名冒号键:常规注释分号键:可重复注释ALt+M:添加标签Ctrl+M:查看标签Ctrl+S:查看段的信息so代码数据切换C--代码D--数据A--ascii字符串U--解析成未定义的内容X:查看交叉应用F5:查看伪代码ALt+T:搜索文本ALt+B:搜索十六进制 ``` **G:搜索地址和符号** ![image-20210806142012795](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7c6064db301a805ebee110df18bea36256472071.png) **Ctrl+S:查看段的信息so** ![image-20210806142034527](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-443dc549edc9c3742a64235b537d2b31ff5c8548.png) **ALt+T:搜索文本** ![image-20210806142426423](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-6946a0d60fe78e2b133f3a450e507b1727797864.png) **ALt+B:搜索十六进制** ![image-20210806142410895](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-6988c8ed0228d1a0187daff57f0f3eb55509e868.png) 环境安装 ---- ### 上传android\_server 首先来到IDA的`dbgsrv`目录 ```php C:\IDA 7.0\dbgsrv ``` ![image-20210806170510753](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-c7975f568423d6b584a98b48a1e21aa9385ba322.png) 我把它复制到桌面了 然后利用adb把`android_server`push到指定目录下 ```php adb push C:\Users\Administrator\Desktop\android_server data/local/tmp ``` 这边我还是上我的安卓机 ![image-20210806170824849](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-525a7fba7efc5aa7eba5e6cf185817981e6f92ca.png) ![image-20210806171122084](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-0f18dd11dc9d830bb9d74a1959e486f13dffeb09.png) 进行查看 ![image-20210806171139420](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-1a7ecff826f7569437e3647e8e2912b6df9d2aa0.png) ### 进行加权 ```php chmod 777 android_server ``` ![image-20210806171228188](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7962dcd6c83c9138a9b090399844a97d6f1a7994.png) ![image-20210806171345573](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-bdcdb5c0dba5d2096a737a124dea8a03bd25ad11.png) 这里还要提一句 : 记住安卓的底层是Linux的操作系统 因为安卓的机制问题 进行更名 ```php mv android_server a001 ``` ![image-20210806171537912](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-28c8672d019f9cabe96f2273509f3998c072a813.png) ### 运行a001 ![image-20210806171757944](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-1c29575ff0d770d5105a1f54a621cd16484b8593.png) 可以看到它监听的是23946端口 **注:指定端口:** ```php ./a001 -p1-65535 ``` 我们继续 ### 端口转发 ```php adb forward tcp:23946 tcp:23946 ``` ![image-20210806172132715](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-3bb6a7d2399dccb36cd5d01742b4d3ce0b300500.png) ### 安装APK到安卓机上 这次使用的是install ```php adb install C:\Users\Administrator\Desktop\javandk1.apk ``` ![image-20210806172245243](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-0be7a1cc0729dfd29195c58a6b72ff4888c9260a.png) IDA中Debugger调试 -------------- **进行Debugge选择** ![image-20210806172632757](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-eac542906573cf36148180e8e2f9622d5d2c30de.png) ![image-20210806172702683](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-b7fbf8388dd2c03c627601bb907b09c59742a834.png) 进行配置 ![image-20210806172722601](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7f02b0c2ca70314feb2b7fd498f276694a8fc582.png) 23946就是默认端口 ![image-20210812022849738](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-250b454851d64cf25f4b032a0b26ef2cc903f9f0.png) 调出安卓机的进程窗口 ctrl+f :进行搜索ndk ![image-20210812022953229](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-fce6fefd679aab131875d3449cc8dfb76317b5cf.png) 双击选择之后进来ndk ![image-20210812023059042](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-c4ac43ce2b8f912e5775b0800c6a16ed5713b588.png) ![image-20210812023124211](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-068c03f67eb762eccb955551e679b9ecf3b27e9e.png) ![image-20210812023309088](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-5f2f6d72dd7cdbf6f7964db173af317129a748c7.png) 加载模块列表 ------ ![image-20210812023400746](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-dbc9b3ab3f0328c4efdc6e845c66b4a661fd399e.png) ![image-20210812023523238](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-ca2650dc40371c7f9d010087ca2cfe7e209f3925.png) 分别代表 ```php 库挂起入口点开始结束加载卸载 ``` 表示程序在运行中只要涉及到进程的入口点、涉及到线程的开始和结束、涉及到库的加载和卸载 都可以让程序进行 debugger(断点)操作! 运行IDA ----- 左上角小三角 或者F9都可以 ![image-20210812023735845](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-5aba808f10ff020b0903657a093a160516a68e60.png) 普通调试 ---- ### 环境调整 运行android\_server 因为安卓的在调试的时候apk等安全机制会对 android\_server进行关键名称检测 所以我做了修改 端口转发 ```php adb forward tcp:23946 tcp:23946 ``` ![image-20210812024837314](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-79da4b7a3abf2cba3096a1ca51ef3a4499b7152e.png) ### 挂起程序 挂起程序(需要程序的包名+类名) 使用AndroidKiller进行反编译APK ![image-20210812024710109](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-dc987b7414861c047142cf22c40ec99c5caa2bc1.png) ```php adb shell am start -D -n com.example.javandk1/.MainActivity ``` **注:类名前面要加斜杠相对路径** 安卓机弹出一个窗口 ![image-20210812031413475](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-7978f05cbf1d4c9dcbe2e65e426d30c38070a478.png) ### 运行ddms ![image-20210812025319178](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-39e7bcfe4cb6b5b8d1a0482a62f417b6bdf96ca3.png) 小图标变红色了 ### 运行IDA 进行连接 ![image-20210812025452886](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-bc9498f8f8791b816435c4b0d061a549589f6340.png) ![image-20210812025511958](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-137a29469e4f759038d8136128b52fffdcf7eaf8.png) 还是要记得加载模块列表 ![image-20210812023523238](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-ca2650dc40371c7f9d010087ca2cfe7e209f3925.png) 然后运行 ![image-20210812025820338](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-026ff3c0ea043d132b42d8577a0c1cf6a1f93f8b.png) IDA加载so文件 --------- ### 打开ddms ![image-20210812025901417](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-71455ce9c216aa99feb406956767fcf4526dc358.png) 查看下调试程序的端口号:8600 命令 ```php jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=8600 ``` ![image-20210812031742779](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-d3c14d905f4de9c70bad1915a9cb7958d51903f0.png) ![image-20210812030017329](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-f4d3f148dba8b8d5e23f0ccb4ade6ae895debe65.png) 图标变成了绿色 ![image-20210812030034323](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-dd437be0fbf7425651457d9a9e2f3cc0125a7075.png) IDA也成功加载so文件 ### Moules模块 ```php ndk1-1/oat/arm/base.odex ``` ![image-20210812030535105](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-b8b4e883edbc299944966e5607d737b4059690e4.png) 双击进入 ![image-20210812032004172](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-05fd3a7c1b9f1b3a6e26fc20619147312e750f78.png) 安卓逆向-JNI -------- ### 1、编写C代码 ```php #include <stdio.h>int main (){printf("a001")return 0;} ``` ### 2、编写.mk文件代码 mk文件就是在构建工具时,会被 Build System解析多次! ```php LOCAL_PATH := $(call my-dir)include $(CLEAR_VARS)LOCAL_MODULE := a001LOCAL_SRC_FILES := a001.c LOCAL_ARM_MODE := arm LOCAL_LDLIBS += -llog include $(BUILD_HARED_LIBRARY) ``` 代码分析 ```php 1、LOCAL_PATH := $(call my-dir):获取JNI文件路径每个mk必须以 local开始,my-dir是由 Build System提供的,返回的是一个包含mk文件的路径,要获取相应的文件目录路径去调用JNI属性2、include $(CLEAR_VARS) :CLEAR VARS变量也是由 Build System提供,指定清理 LOCAL_开头的文件,但不会清理 LOCAL_PATH开头的3、LOCAL_MODULE := a001:定义的模块名称,如果这里编译岀so文件前面+lib后面+so4、LOCAL_SRC_FILES := a001.c:表示同文件目录下c文件5、LOCAL_ARM MODE:=arm:编译后的指令集,arm每个指令有四个字节6、include $(BUILD_HARED_LIBRARY):把文件构建成可执行程序如果是动态链接库就用:include(shared library)如果是静态链接库:include $(static library) ``` ### 3、编写application.mk代码 ```php APP_ABI := x86 armeabi-v7a ``` 这里说明一下 `v7a`是可以兼容`armeabi`的,一般就加上就好 `v7a`的意思是第7代及以上的ARM处理器,目前大部分都支持,为了性能优化,都会写上! x86是可以兼容`armeabi`的 那么在不设计到平台情况下,只需要改`MODULE`和`SRC_FILES`即可! ### 4、进行编译 ![image-20210812135357852](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-8d4b04ff0cfc04999eed27d227bd24d51efabc3b.png) 放在jni目录下 ![image-20210812135425897](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-97eb4ec39246e0e84f4ba7afb1ebcc3dde442ad1.png) 编译 ![image-20210812135312788](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-4b05e559e76e6e7f08919b9017b4b802b51aa5c5.png) 可看到生成了两个文件:`libs`、`obj` ![image-20210812135455392](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-24079e1ae4375816d412b5e7e68c868684650e35.png) `armeabi-v7a`和`x86`下面的文件是ELF文件 ![image-20210812135512350](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-92e624540991ae96cdc37cadbe32318b4cfd809b.png) 都是linux下的文件 注:PIE安全机制从4.1引入 但是 Android L之前的系统版本并不会去检验可执行文件是否基于PIE编译岀的。因此不会报错。 但是 Android L已经开启验证,如果调用的可执行文件不是基于PIE方式编译的,则无法运行。 所以需要在`Android.mk`中加入flag ```php LOCAL_CFLAGS += -pie -fPIELOCAL_LDFLAGS += -pie -fPIE ``` 5、进行adb push上传 -------------- ```php adb push C:\Users\Administrator\Desktop\libs\armeabi-v7a\aaa data/local/tmp ``` ![image-20210812135851654](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-fa4ad2cd64b73307ff5aa0010e77bb5251daf916.png) 加权 ```php chmod +x ``` 执行 ![image-20210812140013359](https://shs3.b.qianxin.com/attack_forum/2021/12/attach-000f8eee787890e0271b2f9f3847d3cc566e30ca.png) **请注意:这里使用的技术仅用于学习知识目的,如果列出的技术用于其他任何目标,我概不负责。** OK!就到这里 转载于:<https://www.freebuf.com/articles/mobile/284486.html>
发表于
阅读 ( 6346 )
分类:
漏洞分析
0 推荐
收藏
0 条评论
请先
登录
后评论
略略略
36 篇文章
×
发送私信
请先
登录
后发送私信
×
举报此文章
垃圾广告信息:
广告、推广、测试等内容
违规内容:
色情、暴力、血腥、敏感信息等内容
不友善内容:
人身攻击、挑衅辱骂、恶意行为
其他原因:
请补充说明
举报原因:
×
如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!