Android学习的第一个java层的shell,理解了不少东西,主要理解了Ref反射机制。学习路径来自F8LEFT视频。
要求
1、手机版本5.0以上
代码
MyApplication
import android.app.Application;
t.Context;
import android.util.Log;
public class MyApplication extends Application {
public void onCreate(){
}
protected void attachBaseContext(Context base)
{
super.attachBaseContext(base);
}
}
MainActivity
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.widget.TextView;
public class MainActivity extends AppCompatActivity {
@Override
protected void onCreate(Bundle savedInstanceState) {
setContentView(R.layout.activity_main);
TextView tvinfo = (TextView) findViewById(R.id.tvinfo);
TextView tvwd = (TextView) findViewById(R.id.tvwd);
tvwd.setText("Shell has been loaded");
if(getApplication() instanceof MyApplication)
{
tvinfo.setText("MyApplication has been loaded");
}
}
}
android:id="@+id/tvinfo"
android:layout_width="wrap_content"
android:layout_height="33dp"
android:text="0"
app:layout_constraintBottom_toBottomOf="parent"
app:layout_constraintLeft_toLeftOf="parent"
app:layout_constraintRight_toRightOf="parent"
app:layout_constraintTop_toTopOf="parent" />
android:id="@+id/tvwd"
android:layout_width="wrap_content"
android:layout_height="38dp"
android:layout_marginStart="8dp"
android:layout_marginTop="8dp"
android:layout_marginEnd="8dp"
android:layout_marginBottom="8dp"
android:text="Application not load,Nooo"
app:layout_constraintBottom_toBottomOf="parent"
app:layout_constraintEnd_toEndOf="parent"
app:layout_constraintHorizontal_bias="0.554"
app:layout_constraintStart_toStartOf="parent"
app:layout_constraintTop_toBottomOf="@+id/tvinfo"
app:layout_constraintVertical_bias="1.0" />
android:name=".MyApplication"
生成apk,提取dex
java -jar ShakaApktool.jar bs classes.dex -o classes
保留两个smali:-->MainActivity.smali MyApplication.smali
编译成dex
java -jar ShakaApktool.jar s classes -o encrypt.dex
shell
1、创建一个asset目录,将encrypt.dex复制进去。
2、删除MainActivity.java MyApplication.java
3、模拟系统加载的流程
write
首先、接管程序的Application中的两个函数[这是控制的最开始两个函数]。
1 ---> attachBaseContext(context)
2 ---> onCreate()
ProxyApplication
创建ProxyApplication继承父类android.app.Application,选择重构attachBaseContext()与onCreate()。
ProxyApplication.java
package esebitcoin.yshell;
import android.app.Application;
import android.app.Instrumentation;
t.Context;
t.pm.ApplicationInfo;
import android.util.ArrayMap;
import java.io.File;
import f.WeakReference;
import java.util.ArrayList;
import dalvik.system.DexClassLoader;
public class ProxyApplication extends Application {
@Override
protected void attachBaseContext(Context base) {
super.attachBaseContext(base);
File cache = getDir("eshell",MODE_PRIVATE);
String sDex = cache +"/encrypt.dex";
File dexFile = leaseAssetsFile(this,"encrypt.dex",sDex,null);
ClassLoader cl = new DexClassLoader(sDex,getDir("eshell_aot",MODE_PRIVATE).getAbsolutePath(), getApplicationInfo().nativeLibraryDir,getClassLoader());
Object currentActivityThread = RefInvoke.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread",new Class[]{},new Object[]{});
ArrayMap mPackages = (ArrayMap) FieldOjbect("android.app.ActivityThread", "mPackages",currentActivityThread);
WeakReference wr = (WeakReference) (getPackageName());
RefInvoke.setFieldOjbect("android.app.LoadedApk","mClassLoader",wr.get(),cl);
return;
}
@Override
public void onCreate() {
Object currentActivityThread = RefInvoke.invokeStaticMethod("android.app.ActivityThread", "currentActivityThread",new Class[]{},new Object[]{});
Object mBoundApplication = FieldOjbect("android.app.ActivityThread", "mBoundApplication",currentActivityThread);
Object loadedApkInfo = FieldOjbect("android.app.ActivityThread$AppBindData", "info",mBoundApplication);
RefInvoke.setFieldOjbect("android.app.LoadedApk","mApplication",loadedApkInfo,null);
String srcAppName = "esebitcoin.yshell.MyApplication";
ApplicationInfo appInfo_LoadedApke = (ApplicationInfo) FieldOjbect("android.app.LoadedApk", "mApplicationInfo",loadedApkInfo);
appInfo_LoadedApke.className = srcAppName;
ApplicationInfo appinfo_In_AppBindData = (ApplicationInfo) FieldOjbect("android.app.ActivityThread$AppBindData", "appInfo",mBoundApplication);
appinfo_In_AppBindData.className = srcAppName;
Application oldApplication = (Application) FieldOjbect("android.app.ActivityThread", "mInitialApplication",currentActivityThread);
ArrayList mAllApplications = (ArrayList) FieldOjbect("android.app.ActivityThread", "mAllApplications",currentActivityThread);
Application realApp = (Application) RefInvoke.invokeMethod("android.app.LoadedApk", "makeApplication",new Class[]{boolean.class,Instrumentation.class}, loadedApkInfo,new Object[]{false,null});
RefInvoke.setFieldOjbect("android.app.ActivityThread","mInitialApplication", currentActivityThread,realApp);
return;
}
}
FileManager.java
package esebitcoin.yshell;
t.Context;
t.res.AssetManager;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import flect.Method;
public class FileManager {
public static File releaseAssetsFile(Context ctx, String assetFile, String releaseFile, Method decMethod)
{
AssetManager manager = Assets();
try{
InputStream is = manager.open(assetFile);
ByteArrayOutputStream os = new ByteArrayOutputStream();
byte[] buf = new byte[1024];
int iRead;
while ((iRead = is.read(buf)) != -1) {
os.write(buf, 0, iRead);
}
byte[] dec = decMethod != null ? (byte[]) decMethod.invoke (null, os. toByteArray()) : os.toByteArray();
is.close();
os.close();
FileOutputStream of = new FileOutputStream(new File(releaseFile));
of.write(dec);
of.close();
return new File(releaseFile);
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
}
修改xml
---> android:name=".ProxyApplication"
Android程序例子下载
本文发布于:2024-02-04 08:17:53,感谢您对本站的认可!
本文链接:https://www.4u4v.net/it/170702903353879.html
版权声明:本站内容均来自互联网,仅供演示用,请勿用于商业和其他非法用途。如果侵犯了您的权益请与我们联系,我们将在24小时内删除。
| 留言与评论(共有 0 条评论) |
