本文章由Jack_Jia編寫，轉(zhuǎn)載請注明出處。??

文章鏈接：http://blog.csdn.net/jiazhijun/article/details/8746917

作者：Jack_Jia ???郵箱：?309zhijun@163.com

?一、序言

? ? ? ? 在上篇“Android APK加殼技術方案”（http://blog.csdn.net/jiazhijun/article/details/8678399）博文中，根據(jù)加殼數(shù)據(jù)在解殼程序Dex文件所處的位置，我提出了兩種Android Dex加殼技術實現(xiàn)方案，本片博文將對方案1代碼實現(xiàn)進行講解。博友可以根據(jù)方案1的代碼實現(xiàn)原理對方案2自行實現(xiàn)。

? ? ? ?在方案1的代碼實現(xiàn)過程中，各種不同的問題接踵出現(xiàn)，最初的方案也在不同問題的出現(xiàn)、解決過程中不斷的得到調(diào)整、優(yōu)化。

? ? ? ?本文的代碼實現(xiàn)了對整個APK包的加殼處理。加殼程序不會對源程序有任何的影響。

二、代碼實現(xiàn)

? ? ?本程序基于Android2.3代碼實現(xiàn)，因為牽扯到系統(tǒng)代碼的反射修改，本程序不保證在其它android版本正常工作，博友可以根據(jù)實現(xiàn)原理，自行實現(xiàn)對其它Android版本的兼容性開發(fā)。

? ? ?1、?加殼程序流程及代碼實現(xiàn)

?

? ? ? ? ? ? ? ? ? 1、加密源程序APK為解殼數(shù)據(jù)

? ? ? ? ? ? ? ? ? 2、把解殼數(shù)據(jù)寫入解殼程序DEX文件末尾，并在文件尾部添加解殼數(shù)據(jù)的大小。

? ? ? ? ? ? ? ? ? 3、修改解殼程序DEX頭中checksum、signature 和file_size頭信息。

? ? ? ?代碼實現(xiàn)如下：

?

package com.android.dexshell;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.zip.Adler32;public class DexShellTool {/*** @param args*/public static void main(String[] args) {// TODO Auto-generated method stubtry {File payloadSrcFile = new File("g:/payload.apk");File unShellDexFile = new File("g:/unshell.dex");byte[] payloadArray = encrpt(readFileBytes(payloadSrcFile));byte[] unShellDexArray = readFileBytes(unShellDexFile);int payloadLen = payloadArray.length;int unShellDexLen = unShellDexArray.length;int totalLen = payloadLen + unShellDexLen +4;byte[] newdex = new byte[totalLen];//添加解殼代碼System.arraycopy(unShellDexArray, 0, newdex, 0, unShellDexLen);//添加加密后的解殼數(shù)據(jù)System.arraycopy(payloadArray, 0, newdex, unShellDexLen,payloadLen);//添加解殼數(shù)據(jù)長度System.arraycopy(intToByte(payloadLen), 0, newdex, totalLen-4, 4);//修改DEX file size文件頭fixFileSizeHeader(newdex);//修改DEX SHA1 文件頭fixSHA1Header(newdex);//修改DEX CheckSum文件頭fixCheckSumHeader(newdex);String str = "g:/classes.dex";File file = new File(str);if (!file.exists()) {file.createNewFile();}FileOutputStream localFileOutputStream = new FileOutputStream(str);localFileOutputStream.write(newdex);localFileOutputStream.flush();localFileOutputStream.close();} catch (Exception e) {// TODO Auto-generated catch blocke.printStackTrace();}}//直接返回數(shù)據(jù)，讀者可以添加自己加密方法private static byte[] encrpt(byte[] srcdata){return srcdata;}private static void fixCheckSumHeader(byte[] dexBytes) {Adler32 adler = new Adler32();adler.update(dexBytes, 12, dexBytes.length - 12);long value = adler.getValue();int va = (int) value;byte[] newcs = intToByte(va);byte[] recs = new byte[4];for (int i = 0; i < 4; i++) {recs[i] = newcs[newcs.length - 1 - i];System.out.println(Integer.toHexString(newcs[i]));}System.arraycopy(recs, 0, dexBytes, 8, 4);System.out.println(Long.toHexString(value));System.out.println();}public static byte[] intToByte(int number) {byte[] b = new byte[4];for (int i = 3; i >= 0; i--) {b[i] = (byte) (number % 256);number >>= 8;}return b;}private static void fixSHA1Header(byte[] dexBytes)throws NoSuchAlgorithmException {MessageDigest md = MessageDigest.getInstance("SHA-1");md.update(dexBytes, 32, dexBytes.length - 32);byte[] newdt = md.digest();System.arraycopy(newdt, 0, dexBytes, 12, 20);String hexstr = "";for (int i = 0; i < newdt.length; i++) {hexstr += Integer.toString((newdt[i] & 0xff) + 0x100, 16).substring(1);}System.out.println(hexstr);}private static void fixFileSizeHeader(byte[] dexBytes) {byte[] newfs = intToByte(dexBytes.length);System.out.println(Integer.toHexString(dexBytes.length));byte[] refs = new byte[4];for (int i = 0; i < 4; i++) {refs[i] = newfs[newfs.length - 1 - i];System.out.println(Integer.toHexString(newfs[i]));}System.arraycopy(refs, 0, dexBytes, 32, 4);}private static byte[] readFileBytes(File file) throws IOException {byte[] arrayOfByte = new byte[1024];ByteArrayOutputStream localByteArrayOutputStream = new ByteArrayOutputStream();FileInputStream fis = new FileInputStream(file);while (true) {int i = fis.read(arrayOfByte);if (i != -1) {localByteArrayOutputStream.write(arrayOfByte, 0, i);} else {return localByteArrayOutputStream.toByteArray();}}}}

? ? 2、?解殼程序流程及代碼實現(xiàn)

? ? ? ? ? 在解殼程序的開發(fā)過程中需要解決如下幾個關鍵的技術問題：

? ? ? ? ?（1）解殼代碼如何能夠第一時間執(zhí)行？

? ? ? ? ? ? ? ? ? Android程序由不同的組件構成，系統(tǒng)在有需要的時候啟動程序組件。因此解殼程序必須在Android系統(tǒng)啟動組件之前運行，完成對解殼數(shù) ? ? ? ? ? ? ? ?據(jù)的解殼及APK文件的動態(tài)加載，否則會使程序出現(xiàn)加載類失敗的異常。

? ? ? ? ? ? ? ? ? Android開發(fā)者都知道Applicaiton做為整個應用的上下文，會被系統(tǒng)第一時間調(diào)用，這也是應用開發(fā)者程序代碼的第一執(zhí)行點。因此通過對 ? ? ? ? ? ? ?AndroidMainfest.xml的application的配置可以實現(xiàn)解殼代碼第一時間運行。

?

    <applicationandroid:icon="@drawable/ic_launcher"android:label="@string/app_name"android:theme="@style/AppTheme" android:name="com.android.dexunshell.ProxyApplication" ></application>

?

?

? ? ? ? ?（2）如何替換回源程序原有的Application?

? ? ? ? ? ? ? ? ? 當在AndroidMainfest.xml文件配置為解殼代碼的Application時。源程序原有的Applicaiton將被替換，為了不影響源程序代碼邏輯，我們需要 ? ? ? ? ? ? ?在解殼代碼運行完成后，替換回源程序原有的Application對象。我們通過在AndroidMainfest.xml文件中配置原有Applicaiton類信息來達到我們 ? ? ? ? ? ? ?的目的。解殼程序要在運行完畢后通過創(chuàng)建配置的Application對象，并通過反射修改回原Application。

?

    <applicationandroid:icon="@drawable/ic_launcher"android:label="@string/app_name"android:theme="@style/AppTheme" android:name="com.android.dexunshell.ProxyApplication" ><meta-data android:name="APPLICATION_CLASS_NAME" android:value="com.***.Application"/></application>

?

? ? ? ? ??

? ? ? ? ? （3）如何通過DexClassLoader實現(xiàn)對apk代碼的動態(tài)加載。

?

? ? ? ? ? ? ? ? ? 我們知道DexClassLoader加載的類是沒有組件生命周期的，也就是說即使DexClassLoader通過對APK的動態(tài)加載完成了對組件類的加載， ? ? ? ? ? ? ?當系統(tǒng)啟動該組件時，還會出現(xiàn)加載類失敗的異常。為什么組件類被動態(tài)加載入虛擬機，但系統(tǒng)卻出現(xiàn)加載類失敗呢？

? ? ? ? ? ? ? ? ? 通過查看Android源代碼我們知道組件類的加載是由另一個ClassLoader來完成的，DexClassLoader和系統(tǒng)組件ClassLoader并不存在關 ? ? ? ? ? ? ? ? ?系，系統(tǒng)組件ClassLoader當然找不到由DexClassLoader加載的類，如果把系統(tǒng)組件ClassLoader的parent修改成DexClassLoader，我們就可 ? ? ? ? ? ? ?以實現(xiàn)對apk代碼的動態(tài)加載。

? ? ? ? ?（4）如何使解殼后的APK資源文件被代碼動態(tài)引用。

? ? ? ? ? ? ? ? ?代碼默認引用的資源文件在最外層的解殼程序中，因此我們要增加系統(tǒng)的資源加載路徑來實現(xiàn)對借殼后APK文件資源的加載。

? ? ? ? 解殼實現(xiàn)代碼：

?

package com.android.dexunshell;import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.lang.ref.WeakReference;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;import dalvik.system.DexClassLoader;
import android.app.Application;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.content.pm.PackageManager.NameNotFoundException;
import android.os.Bundle;public class ProxyApplication extends Application {private static final String appkey = "APPLICATION_CLASS_NAME";private String apkFileName;private String odexPath;private String libPath;@Overridepublic void onCreate() {// TODO Auto-generated method stubsuper.onCreate();try {File odex = this.getDir("payload_odex", MODE_PRIVATE);File libs = this.getDir("payload_lib", MODE_PRIVATE);odexPath = odex.getAbsolutePath();libPath = libs.getAbsolutePath();apkFileName = odex.getAbsolutePath()+"/payload.apk";File dexFile = new File(apkFileName);if(!dexFile.exists())dexFile.createNewFile();//讀取程序classes.dex文件byte[] dexdata = this.readDexFileFromApk();//分離出解殼后的apk文件已用于動態(tài)加載this.splitPayLoadFromDex(dexdata);//配置動態(tài)加載環(huán)境this.configApplicationEnv();} catch (Exception e) {// TODO Auto-generated catch blocke.printStackTrace();}}private void configApplicationEnv() throws NameNotFoundException, IllegalAccessException, InstantiationException, ClassNotFoundException, IOException{ Object currentActivityThread = RefInvoke.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread", new Class[]{}, new Object[]{});HashMap mPackages = (HashMap)RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mPackages");//替換組件類加載器為DexClassLoader，已使動態(tài)加載代碼具有組件生命周期WeakReference wr = (WeakReference) mPackages.get(this.getPackageName());DexClassLoader dLoader = new DexClassLoader(apkFileName,odexPath, libPath, (ClassLoader) RefInvoke.getFieldOjbect("android.app.LoadedApk", wr.get(), "mClassLoader"));RefInvoke.setFieldOjbect("android.app.LoadedApk", "mClassLoader", wr.get(), dLoader);//如果源應用配置有Appliction對象，則替換為源應用Applicaiton，以便不影響源程序邏輯。ApplicationInfo appInfo = this.getPackageManager().getApplicationInfo(this.getPackageName(),PackageManager.GET_META_DATA);Bundle bundle =  appInfo.metaData;if(bundle != null && bundle.containsKey(appkey)){String appClassName = bundle.getString(appkey);Application app = (Application)Class.forName(appClassName).newInstance();RefInvoke.setFieldOjbect("android.app.ContextImpl", "mOuterContext", this.getBaseContext(), app);RefInvoke.setFieldOjbect("android.content.ContextWrapper", "mBase", app, this.getBaseContext());Object mBoundApplication = RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mBoundApplication");Object info = RefInvoke.getFieldOjbect("android.app.ActivityThread$AppBindData", mBoundApplication, "info");RefInvoke.setFieldOjbect("android.app.LoadedApk", "mApplication", info, app);Object oldApplication = RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mInitialApplication");RefInvoke.setFieldOjbect("android.app.ActivityThread", "mInitialApplication", currentActivityThread, app);ArrayList<Application> mAllApplications = (ArrayList<Application>)RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mAllApplications");mAllApplications.remove(oldApplication);mAllApplications.add(app);HashMap mProviderMap = (HashMap) RefInvoke.getFieldOjbect("android.app.ActivityThread", currentActivityThread, "mProviderMap");Iterator it = mProviderMap.values().iterator();while(it.hasNext()){Object providerClientRecord = it.next();Object localProvider = RefInvoke.getFieldOjbect("android.app.ProviderClientRecord", providerClientRecord, "mLocalProvider");RefInvoke.setFieldOjbect("android.content.ContentProvider", "mContext", localProvider, app);}RefInvoke.invokeMethod(appClassName, "onCreate", app, new Class[]{}, new Object[]{});}}private void splitPayLoadFromDex(byte[] data) throws IOException{byte[] apkdata = decrypt(data);int ablen = apkdata.length;byte[] dexlen = new byte[4];System.arraycopy(apkdata, ablen - 4, dexlen, 0, 4);ByteArrayInputStream bais = new ByteArrayInputStream(dexlen);DataInputStream in = new DataInputStream(bais);int readInt = in.readInt();System.out.println(Integer.toHexString(readInt));byte[] newdex = new byte[readInt];System.arraycopy(apkdata, ablen - 4 - readInt, newdex, 0, readInt);File file = new File(apkFileName);try {FileOutputStream localFileOutputStream = new FileOutputStream(file);localFileOutputStream.write(newdex);localFileOutputStream.close();} catch (IOException localIOException) {throw new RuntimeException(localIOException);}ZipInputStream localZipInputStream = new ZipInputStream(new BufferedInputStream(new FileInputStream(file)));while (true) {ZipEntry localZipEntry = localZipInputStream.getNextEntry();if (localZipEntry == null) {localZipInputStream.close();break;}String name = localZipEntry.getName();if (name.startsWith("lib/") && name.endsWith(".so")) {File storeFile = new File(libPath+"/"+name.substring(name.lastIndexOf('/')));storeFile.createNewFile();FileOutputStream fos = new FileOutputStream(storeFile);byte[] arrayOfByte = new byte[1024];while (true) {int i = localZipInputStream.read(arrayOfByte);if (i == -1)break;fos.write(arrayOfByte, 0, i);}fos.flush();fos.close();	}localZipInputStream.closeEntry();}localZipInputStream.close();	}private byte[] readDexFileFromApk() throws IOException {ByteArrayOutputStream dexByteArrayOutputStream = new ByteArrayOutputStream();ZipInputStream localZipInputStream = new ZipInputStream(new BufferedInputStream(new FileInputStream(this.getApplicationInfo().sourceDir)));while (true) {ZipEntry localZipEntry = localZipInputStream.getNextEntry();if (localZipEntry == null) {localZipInputStream.close();break;}if (localZipEntry.getName().equals("classes.dex")) {byte[] arrayOfByte = new byte[1024];while (true) {int i = localZipInputStream.read(arrayOfByte);if (i == -1)break;dexByteArrayOutputStream.write(arrayOfByte, 0, i);}}localZipInputStream.closeEntry();}localZipInputStream.close();return dexByteArrayOutputStream.toByteArray();}直接返回數(shù)據(jù)，讀者可以添加自己解密方法private byte[] decrypt(byte[] data){return data;}
}

? ? ? ? RefInvoke為反射調(diào)用工具類：

package com.android.dexunshell;import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;public class RefInvoke {public static  Object invokeStaticMethod(String class_name, String method_name, Class[] pareTyple, Object[] pareVaules){try {Class obj_class = Class.forName(class_name);Method method = obj_class.getMethod(method_name,pareTyple);return method.invoke(null, pareVaules);} catch (SecurityException e) {// TODO Auto-generated catch blocke.printStackTrace();}  catch (IllegalArgumentException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (IllegalAccessException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (NoSuchMethodException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (InvocationTargetException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (ClassNotFoundException e) {// TODO Auto-generated catch blocke.printStackTrace();}return null;}public static  Object invokeMethod(String class_name, String method_name, Object obj ,Class[] pareTyple, Object[] pareVaules){try {Class obj_class = Class.forName(class_name);Method method = obj_class.getMethod(method_name,pareTyple);return method.invoke(obj, pareVaules);} catch (SecurityException e) {// TODO Auto-generated catch blocke.printStackTrace();}  catch (IllegalArgumentException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (IllegalAccessException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (NoSuchMethodException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (InvocationTargetException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (ClassNotFoundException e) {// TODO Auto-generated catch blocke.printStackTrace();}return null;}public static Object getFieldOjbect(String class_name,Object obj, String filedName){try {Class obj_class = Class.forName(class_name);Field field = obj_class.getDeclaredField(filedName);field.setAccessible(true);return field.get(obj);} catch (SecurityException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (NoSuchFieldException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (IllegalArgumentException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (IllegalAccessException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (ClassNotFoundException e) {// TODO Auto-generated catch blocke.printStackTrace();}return null;}public static Object getStaticFieldOjbect(String class_name, String filedName){try {Class obj_class = Class.forName(class_name);Field field = obj_class.getDeclaredField(filedName);field.setAccessible(true);return field.get(null);} catch (SecurityException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (NoSuchFieldException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (IllegalArgumentException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (IllegalAccessException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (ClassNotFoundException e) {// TODO Auto-generated catch blocke.printStackTrace();}return null;}public static void setFieldOjbect(String classname, String filedName, Object obj, Object filedVaule){try {Class obj_class = Class.forName(classname);Field field = obj_class.getDeclaredField(filedName);field.setAccessible(true);field.set(obj, filedVaule);} catch (SecurityException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (NoSuchFieldException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (IllegalArgumentException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (IllegalAccessException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (ClassNotFoundException e) {// TODO Auto-generated catch blocke.printStackTrace();}	}public static void setStaticOjbect(String class_name, String filedName, Object filedVaule){try {Class obj_class = Class.forName(class_name);Field field = obj_class.getDeclaredField(filedName);field.setAccessible(true);field.set(null, filedVaule);} catch (SecurityException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (NoSuchFieldException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (IllegalArgumentException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (IllegalAccessException e) {// TODO Auto-generated catch blocke.printStackTrace();} catch (ClassNotFoundException e) {// TODO Auto-generated catch blocke.printStackTrace();}		}}

三、總結

? ? ? ?本文代碼基本實現(xiàn)了APK文件的加殼及脫殼原理，該代碼作為實驗代碼還有諸多地方需要改進。比如：

? ? ? ? ? ? ?1、加殼數(shù)據(jù)的加密算法的添加。

? ? ? ? ? ? ?2、脫殼代碼由java語言實現(xiàn)，可通過C代碼的實現(xiàn)對脫殼邏輯進行保護，以達到更好的反逆向分析效果。

? ? ? ??

?

轉(zhuǎn)載于:https://www.cnblogs.com/jiangu66/archive/2013/04/12/3017514.html

總結

以上是生活随笔為你收集整理的Android APK加壳技术方案----代码实现的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。