Debugging an Android APK through smali

Using WeChat as the example (WeChat.apk). Step one: unpack the WeChat APK on Ubuntu with apktool. Installation:

  1. Download the apktool package from the site below, choosing the latest version:
     http://connortumbleson.com/2014/02/apktool-2-0-0-beta-9-released/

$~/Tools/apktool/chat$ ./apktool -version
2.0.0-Beta9

Rename apktool_2.0.0b9.jar to apktool.jar.

  2. Download the latest apktool and aapt wrapper scripts from the site below; Linux and Windows are supported. After extracting the archive there are two scripts: apktool and aapt.
     http://code.google.com/p/android-apktool/downloads/detail?name=apktool-install-linux-r05-ibot.tar.bz2

  3. Install the JDK, using the latest version, downloaded from the URL below.
     http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

Package: jdk-7u51-linux-i586.tar.gz

$~/Tools/apktool/chat$ javac -version
javac 1.7.0_51

  4. Configure new environment variables for the JDK on Linux.

sudo gedit /etc/profile

Append the following lines at the end of the file:

export JAVA_HOME=/home/your_name/Tools/jdk1.7.0_51
export JRE_HOME=/home/your_name/Tools/jdk1.7.0_51/jre
export PATH=$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$PATH
export CLASSPATH=$CLASSPATH:.:$JAVA_HOME/lib:$JAVA_HOME/jre/lib

Add $JAVA_HOME/bin to PATH, separated from the existing value of PATH by an ASCII colon (:); never delete the original value. Save and close the file, then run source /etc/profile to reload it.

  5. Check that the new version is in effect.

Ubuntu installs and uses OpenJDK by default (/usr/lib/jvm/), so the system default JDK has to be switched by hand:

sudo update-alternatives --install /usr/bin/javac javac /home/your_name/Tools/jdk1.7.0_51/bin/javac 300
sudo update-alternatives --install /usr/bin/java java /home/your_name/Tools/jdk1.7.0_51/bin/java 300

Then run sudo update-alternatives --config javac and select the entry with priority 300; do the same with sudo update-alternatives --config java, again selecting priority 300.

Configuration is now complete; run java -version, javac or java to check that it took effect. With the above in place, the APK can be unpacked next.

  6. Unpack wechat.apk with apktool. NOTE: before decoding, the framework-res resources must be installed first.

$ ./apktool if ~/mnt_ics_rel/android/out/target/product/sirfsocv7/system/framework/framework-res.apk
$ ./apktool d WeChat_380.apk

This produces the directory WeChat_380:

WWW:~/Tools/apktool/chat$ ls
aapt apktool apktool.jar WeChat_380 WeChat_380.apk
$ cd WeChat_380
WWW:~/Tools/apktool/chat/WeChat_380$ ls
AndroidManifest.xml apktool.yml assets lib original res smali unknown

After decoding, apktool.yml and AndroidManifest.xml must both be present; without them the tree cannot be rebuilt into an APK.

  7. Rebuild wechat.apk with apktool. An output APK name can be given as a second argument (shown as xxx below).

$ ./apktool b WeChat_380

WWW:~/Tools/apktool/chat$ ./apktool b WeChat_380 xxx
I: Using Apktool 2.0.0-Beta9 on WeChat_380
I: Checking whether sources has changed...
I: Smaling...
I: Checking whether resources has changed...
I: Building resources...
I: Copying libs...
I: Building apk file...
I: Copying unknown files/dir...
:~/Tools/apktool/chat$ cd WeChat_380/
:~/Tools/apktool/chat/WeChat_380$ ls
AndroidManifest.xml apktool.yml assets build dist lib original res smali unknown
:~/Tools/apktool/chat/WeChat_380$ cd dist/
:~/Tools/apktool/chat/WeChat_380/dist$ ls
WeChat_380.apk

After the build, WeChat_380.apk is generated under the dist directory of WeChat_380.

  8. Sign the APK:

java -jar ~/mnt_ics_rel/android/out/host/linux-x86/framework/signapk.jar ~/mnt_ics_rel/android/build/target/product/security/testkey.x509.pem ~/mnt_ics_rel/android/build/target/product/security/testkey.pk8 ./WeChat_380/dist/WeChat_380.apk WeChat_380_sign.apk

The result is the signed, repackaged WeChat_380_sign.apk. Because testkey is the AOSP test key rather than the publisher's key, the rebuilt package carries a different signature from the original and cannot be installed as an update over it; the original has to be uninstalled first.

  9. Having learned how to unpack and repack (smali/baksmali), the next stage is to inject code into the APK through smali and begin debugging it. First, some basic smali syntax has to be understood; the Dalvik opcodes are documented at the following URL:
     http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

 10. Find the main Activity through AndroidManifest.xml:

com.tencent.mm.ui.LauncherUI

Enter the decoded directory and open the entry point:

:~/Tools/apktool/WeChat_380/smali/com/tencent/mm/ui$ vi LauncherUI.smali

Tracing starts from the program entry point, LauncherUI.smali. In the listing below, the android.util.Log.d calls tagged "SSSSS" (registers v6/v7) are the injected probes; the calls into com/tencent/mm/sdk/platformtools/aa are the app's own logging.

======================================================================================

.method public onCreate(Landroid/os/Bundle;)V
    .locals 9

    .prologue
    .line 199
    const-string v0, "MicroMsg.LauncherUI"

    const-string v1, "KEVIN onCreate "

    invoke-static {v0, v1}, Lcom/tencent/mm/sdk/platformtools/aa;->d(Ljava/lang/String;Ljava/lang/String;)V

    const-string v6, "SSSSS"

    const-string v7, "+++YYY_onCreate++++"

    invoke-static {v6, v7}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    .line 200
    sget-object v0, Lcom/tencent/mm/ui/LauncherUI;->glD:Lcom/tencent/mm/ui/LauncherUI;

    if-eqz v0, :cond_0

    const-string v7, "MicroMsg.LauncherUI"

    invoke-static {v6, v7}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    const-string v0, "MicroMsg.LauncherUI"

    const-string v1, "finish last mainTabUI"

    invoke-static {v0, v1}, Lcom/tencent/mm/sdk/platformtools/aa;->i(Ljava/lang/String;Ljava/lang/String;)V

    sget-object v0, Lcom/tencent/mm/ui/LauncherUI;->glD:Lcom/tencent/mm/ui/LauncherUI;

    invoke-virtual {v0}, Lcom/tencent/mm/ui/LauncherUI;->finish()V

    const-string v7, "v0=cond_0_finish"

    invoke-static {v6, v7}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    :cond_0
    sput-object p0, Lcom/tencent/mm/ui/LauncherUI;->glD:Lcom/tencent/mm/ui/LauncherUI;

    sget v0, Lcom/tencent/mm/ui/LauncherUI;->gma:I

    add-int/lit8 v0, v0, 0x1

    sput v0, Lcom/tencent/mm/ui/LauncherUI;->gma:I

    .line 201
    invoke-super {p0, p1}, Lcom/tencent/mm/ui/MMFragmentActivity;->onCreate(Landroid/os/Bundle;)V

    const-string v7, "++++MMFragmentActivity.onCreate+++"

    invoke-static {v6, v7}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    .line 202
    invoke-static {}, Lcom/tencent/mm/app/WorkerProfile;->nM()Lcom/tencent/mm/app/WorkerProfile;

=====================================================================================

Tracing step by step in this way, with particularly careful checks at each branch, pins down the problem point; the injected messages are read back with adb logcat, filtered on the SSSSS tag (for example adb logcat -s SSSSS:D). The process is tedious, though.
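The listing above reuses v6/v7 from the method's existing .locals 9 frame for the probe, which only works after checking by hand that nothing live is held in those registers at each insertion point. As an added example (not code from the original post, nor from WeChat or apktool), the following Python script automates the same probe insertion more safely: it finds a method by signature, grows .locals by two so the probe gets registers no existing code uses, refuses when the method addresses parameters as raw vN numbers or when the scratch registers would exceed v15 (the non-range invoke-static form cannot encode them), and emits the same const-string / invoke-static Log.d sequence. The class com/example/ui/LauncherUI, the sample method body and the tag strings are constructed for the example.

```python
"""Insert a Log.d probe at the start of a smali method, allocating fresh registers.

Added example; not from the original post, WeChat or apktool. SAMPLE_SMALI is a
constructed, cut-down Activity.onCreate in the shape baksmali emits.
"""
import re

SAMPLE_SMALI = """\
.class public Lcom/example/ui/LauncherUI;
.super Landroid/app/Activity;

.method public onCreate(Landroid/os/Bundle;)V
    .locals 2

    .prologue
    .line 199
    const-string v0, "MicroMsg.LauncherUI"

    const-string v1, "onCreate"

    invoke-static {v0, v1}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I

    .line 201
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    return-void
.end method
"""

LOG_D = "Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I"
METHOD_RE = re.compile(r"^\s*\.method\b.*\s(\S+\(.*\)\S+)\s*$")
LOCALS_RE = re.compile(r"^(\s*)\.locals\s+(\d+)\s*$")
REG_RE = re.compile(r"\bv(\d+)\b")


def probe_lines(tag, msg, reg_tag, reg_msg, indent="    "):
    """Smali for Log.d(tag, msg) using two scratch registers, as in the page's listing."""
    # const-string accepts v0..v255, but the non-range invoke-static {..} form
    # encodes each register in 4 bits, so anything above v15 would not assemble.
    if reg_msg > 15:
        raise ValueError("scratch registers above v15 need invoke-static/range")
    return [
        f'{indent}const-string v{reg_tag}, "{tag}"',
        f'{indent}const-string v{reg_msg}, "{msg}"',
        f"{indent}invoke-static {{v{reg_tag}, v{reg_msg}}}, {LOG_D}",
    ]


def find_method(lines, method_sig):
    """Return (index of the .method line, index of its .end method) for method_sig."""
    for i, line in enumerate(lines):
        m = METHOD_RE.match(line)
        if m and m.group(1) == method_sig:
            for j in range(i + 1, len(lines)):
                if lines[j].strip() == ".end method":
                    return i, j
            raise ValueError(f"{method_sig}: missing .end method")
    raise ValueError(f"{method_sig}: method not found")


def inject_probe(smali, method_sig, tag, msg):
    """Return smali text with a Log.d(tag, msg) probe at the top of method_sig."""
    lines = smali.splitlines()
    start, end = find_method(lines, method_sig)
    body = lines[start + 1:end]

    k = next((i for i, l in enumerate(body) if LOCALS_RE.match(l)), None)
    if k is None:
        raise ValueError("method uses .registers instead of .locals; not handled here")
    indent, n = LOCALS_RE.match(body[k]).groups()
    n = int(n)
    reg_tag, reg_msg = n, n + 1

    # Growing .locals renumbers the parameter registers. That is only safe while the
    # body names parameters as pN (baksmali's default); a raw vN at or above the old
    # local count would silently refer to a different register afterwards.
    for line in body:
        for r in REG_RE.findall(line):
            if int(r) >= n:
                raise ValueError(f"body references v{r} directly; refusing to grow .locals")

    body[k] = f"{indent}.locals {n + 2}"
    # Place the probe before the first real instruction or label, past the blank
    # lines and the .prologue/.line directives that baksmali emits first.
    ins = k + 1
    while ins < len(body) and (not body[ins].strip() or body[ins].strip().startswith(".")):
        ins += 1
    body[ins:ins] = probe_lines(tag, msg, reg_tag, reg_msg, indent)

    lines[start + 1:end] = body
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(inject_probe(SAMPLE_SMALI, "onCreate(Landroid/os/Bundle;)V", "SSSSS", "+++onCreate+++"))
```

Run it against a real LauncherUI.smali by reading the file into inject_probe and writing the result back before the apktool b step; the rebuilt method then starts with .locals 11 and the probe in v9/v10, leaving every register the original code uses untouched.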
