Repository: OakChen/ApkShelling Branch: master Commit: d64125e23347 Files: 23 Total size: 31.3 KB Directory structure: gitextract_be4gqpa2/ ├── .gitignore ├── README.md ├── app/ │ ├── .gitignore │ ├── build.gradle │ ├── proguard-rules.pro │ └── src/ │ └── main/ │ ├── AndroidManifest.xml │ ├── assets/ │ │ └── xposed_init │ ├── java/ │ │ └── com/ │ │ └── sfysoft/ │ │ └── android/ │ │ └── xposed/ │ │ └── shelling/ │ │ └── XposedEntry.java │ └── res/ │ ├── drawable/ │ │ └── ic_launcher_background.xml │ ├── drawable-v24/ │ │ └── ic_launcher_foreground.xml │ ├── mipmap-anydpi-v26/ │ │ ├── ic_launcher.xml │ │ └── ic_launcher_round.xml │ ├── values/ │ │ ├── colors.xml │ │ ├── strings.xml │ │ └── styles.xml │ └── values-zh-rCN/ │ └── strings.xml ├── build.gradle ├── gradle/ │ └── wrapper/ │ ├── gradle-wrapper.jar │ └── gradle-wrapper.properties ├── gradle.properties ├── gradlew ├── gradlew.bat └── settings.gradle ================================================ FILE CONTENTS ================================================ ================================================ FILE: .gitignore ================================================ *.iml .DS_Store .externalNativeBuild .gradle .idea /build /captures /local.properties ================================================ FILE: README.md ================================================ # 一个脱简单壳的Xposed模块 ## 用法 - 搭建Xposed环境 - 在XposedEntry.java中的targetPackages数组添加需要脱壳的包名 - 编译本模块并安装到手机 - 激活模块后,打开目标应用,随便操作一会儿,等待/data/data/packageName下产生dex文件,可查看logcat看进展:logcat -s Xposed - 把dex文件都复制到电脑上,用jadx反编译,如果有反编译失败的,先用dex2jar转成jar再用jadx反编译可解决部分失败情况 ## 原理 在加载包的时候,匹配是否目标包名及是否加壳,如果是,就hook java.lang.ClassLoader类的loadClass方法,应用如下操作: - 获得loadClass返回的Class对象 - 反射调用Class对象的getDex方法获得Dex对象 - 将Dex对象提交给写文件的线程,在此过程会去除重复的Dex对象并把不同的字节集加到队列 - 线程异步从队列中读取字节集写到文件中,避免了同步写可能导致ANR ## 限制 - 只在Android 5.1.1版本的手机上验证过,其它的版本不一定有对应的getBytes和geDex方法 - 只验证过腾讯乐固、360加固、梆梆加固、百度加固的免费加固工具,都可以脱掉,付费版本没有用过 ## 参考 参考项目:https://github.com/a813630449/dumpDex ================================================ FILE: app/.gitignore ================================================ /build ================================================ FILE: app/build.gradle ================================================ /* * Copyright (c) 2019 - Oak Chen * 2019-07-26 Oak Chen */ apply plugin: 'com.android.application' android { compileSdkVersion 28 buildToolsVersion "28.0.3" defaultConfig { applicationId "com.sfysoft.android.xposed.shelling" minSdkVersion 19 //noinspection OldTargetApi targetSdkVersion 28 versionCode 1 versionName "1.0" } buildTypes { release { minifyEnabled false proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro' } } } dependencies { implementation fileTree(dir: 'libs', include: ['*.jar']) implementation 'androidx.appcompat:appcompat:1.0.2' compileOnly 'de.robv.android.xposed:api:82' compileOnly 'de.robv.android.xposed:api:82:sources' } ================================================ FILE: app/proguard-rules.pro ================================================ # Add project specific ProGuard rules here. # You can control the set of applied configuration files using the # proguardFiles setting in build.gradle. # # For more details, see # http://developer.android.com/guide/developing/tools/proguard.html # If your project uses WebView with JS, uncomment the following # and specify the fully qualified class name to the JavaScript interface # class: #-keepclassmembers class fqcn.of.javascript.interface.for.webview { # public *; #} # Uncomment this to preserve the line number information for # debugging stack traces. #-keepattributes SourceFile,LineNumberTable # If you keep the line number information, uncomment this to # hide the original source file name. #-renamesourcefileattribute SourceFile ================================================ FILE: app/src/main/AndroidManifest.xml ================================================ ================================================ FILE: app/src/main/assets/xposed_init ================================================ com.sfysoft.android.xposed.shelling.XposedEntry ================================================ FILE: app/src/main/java/com/sfysoft/android/xposed/shelling/XposedEntry.java ================================================ /* * Copyright (c) 2019 - Oak Chen * 2019-07-26 Oak Chen Created */ package com.sfysoft.android.xposed.shelling; import android.annotation.SuppressLint; import java.io.File; import java.io.FileOutputStream; import java.io.IOException; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.util.HashSet; import java.util.LinkedList; import java.util.Queue; import java.util.Set; import de.robv.android.xposed.IXposedHookLoadPackage; import de.robv.android.xposed.XC_MethodHook; import de.robv.android.xposed.XposedBridge; import de.robv.android.xposed.XposedHelpers; import de.robv.android.xposed.callbacks.XC_LoadPackage; /** * Xposed entry to shelling app * * @author Oak Chen */ public class XposedEntry implements IXposedHookLoadPackage { private static final boolean DEBUG = false; // 加固应用的初始类,对应AndroidManifests.xml里的 byteSet = new LinkedList<>(); // 跟踪哪些类已经解码过,避免重复写到文件中 private final Set dexSet = new HashSet<>(); // 保存线程自动关闭前的空闲时间,以毫秒计 private final long idleMsToQuit; // dex文件保存目录 private String savingDirectory; private Thread currentThread; private long threadId; DexOutputTask(String savingDirectory) { // 默认5分钟后没有数据,就自动结束 this(savingDirectory, 300000); } DexOutputTask(String savingDirectory, @SuppressWarnings("SameParameterValue") long idleMsToQuit) { this.savingDirectory = savingDirectory; this.idleMsToQuit = idleMsToQuit; } @Override public void run() { currentThread = Thread.currentThread(); threadId = currentThread.getId(); File savingDir = new File(savingDirectory); if (!savingDir.exists()) { if (!savingDir.mkdirs()) { log("Can not mkdir " + savingDirectory); return; } } for (int i = 0; ; ) { byte[] bytes; synchronized (byteSet) { bytes = byteSet.poll(); if (bytes == null) { try { long start = System.currentTimeMillis(); byteSet.wait(idleMsToQuit); // 若是超时则退出,结束线程 if (System.currentTimeMillis() - start >= idleMsToQuit) { break; } else { // 有新的数据,返回重新读取 continue; } } catch (InterruptedException e) { continue; } } } i++; @SuppressLint("DefaultLocale") String targetFile = savingDirectory + String.format("/%05d-%02d.dex", threadId, i); log("Thread: " + threadId + ", File: " + targetFile); try (FileOutputStream fileOutputStream = new FileOutputStream(targetFile)) { fileOutputStream.write(bytes); } catch (IOException e) { log(e); } } log("Thread: " + threadId + ", Dex size: " + dexSet.size()); synchronized (byteSet) { byteSet.clear(); } synchronized (dexSet) { dexSet.clear(); } savingDirectory = null; } void write(Object dex) { if (dex == null) { return; } if (currentThread == null || !currentThread.isAlive()) { log("Thread " + threadId + " is not running"); return; } // 避免重复保存同一个dex synchronized (dexSet) { if (dexSet.contains(dex)) { return; } dexSet.add(dex); } byte[] bytes; try { bytes = (byte[]) getBytes.invoke(dex); } catch (IllegalAccessException | InvocationTargetException e) { log(e); return; } if (bytes == null) { return; } synchronized (byteSet) { byteSet.offer(bytes); byteSet.notifyAll(); } } } } } ================================================ FILE: app/src/main/res/drawable/ic_launcher_background.xml ================================================ ================================================ FILE: app/src/main/res/drawable-v24/ic_launcher_foreground.xml ================================================ ================================================ FILE: app/src/main/res/mipmap-anydpi-v26/ic_launcher.xml ================================================ ================================================ FILE: app/src/main/res/mipmap-anydpi-v26/ic_launcher_round.xml ================================================ ================================================ FILE: app/src/main/res/values/colors.xml ================================================ #008577 #00574B #D81B60 ================================================ FILE: app/src/main/res/values/strings.xml ================================================ Shelling Dump dex from app protected by free tools from baidu, 360, tencent, bangcle.com ================================================ FILE: app/src/main/res/values/styles.xml ================================================ ================================================ FILE: app/src/main/res/values-zh-rCN/strings.xml ================================================ 脱壳 从加固过的应用中提取dex文件,适用于百度、360、腾讯、梆梆等提供的免费版加固工具 ================================================ FILE: build.gradle ================================================ /* * Copyright (c) 2019 - Oak Chen * 2019-07-26 Oak Chen */ // Top-level build file where you can add configuration options common to all sub-projects/modules. buildscript { repositories { google() jcenter() } dependencies { classpath 'com.android.tools.build:gradle:4.2.0' // NOTE: Do not place your application dependencies here; they belong // in the individual module build.gradle files } } allprojects { repositories { google() jcenter() } } task clean(type: Delete) { delete rootProject.buildDir } ================================================ FILE: gradle/wrapper/gradle-wrapper.properties ================================================ # # Copyright (c) 2019 - Oak Chen # 2019-07-26 Oak Chen # #Fri Jul 26 15:05:01 CST 2019 distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists distributionUrl=https\://services.gradle.org/distributions/gradle-6.7.1-all.zip ================================================ FILE: gradle.properties ================================================ # # Copyright (c) 2019 - Oak Chen # 2019-07-26 Oak Chen # # Project-wide Gradle settings. # IDE (e.g. Android Studio) users: # Gradle settings configured through the IDE *will override* # any settings specified in this file. # For more details on how to configure your build environment visit # http://www.gradle.org/docs/current/userguide/build_environment.html # Specifies the JVM arguments used for the daemon process. # The setting is particularly useful for tweaking memory settings. org.gradle.jvmargs=-Xmx1536m # When configured, Gradle will run in incubating parallel mode. # This option should only be used with decoupled projects. More details, visit # http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects # org.gradle.parallel=true # AndroidX package structure to make it clearer which packages are bundled with the # Android operating system, and which are packaged with your app's APK # https://developer.android.com/topic/libraries/support-library/androidx-rn android.useAndroidX=true # Automatically convert third-party libraries to use AndroidX android.enableJetifier=true ================================================ FILE: gradlew ================================================ #!/usr/bin/env sh ############################################################################## ## ## Gradle start up script for UN*X ## ############################################################################## # Attempt to set APP_HOME # Resolve links: $0 may be a link PRG="$0" # Need this for relative symlinks. while [ -h "$PRG" ] ; do ls=`ls -ld "$PRG"` link=`expr "$ls" : '.*-> \(.*\)$'` if expr "$link" : '/.*' > /dev/null; then PRG="$link" else PRG=`dirname "$PRG"`"/$link" fi done SAVED="`pwd`" cd "`dirname \"$PRG\"`/" >/dev/null APP_HOME="`pwd -P`" cd "$SAVED" >/dev/null APP_NAME="Gradle" APP_BASE_NAME=`basename "$0"` # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. DEFAULT_JVM_OPTS="" # Use the maximum available, or set MAX_FD != -1 to use that value. MAX_FD="maximum" warn () { echo "$*" } die () { echo echo "$*" echo exit 1 } # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false case "`uname`" in CYGWIN* ) cygwin=true ;; Darwin* ) darwin=true ;; MINGW* ) msys=true ;; NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar # Determine the Java command to use to start the JVM. if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables JAVACMD="$JAVA_HOME/jre/sh/java" else JAVACMD="$JAVA_HOME/bin/java" fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else JAVACMD="java" which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi # Increase the maximum file descriptors if we can. if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then MAX_FD_LIMIT=`ulimit -H -n` if [ $? -eq 0 ] ; then if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then MAX_FD="$MAX_FD_LIMIT" fi ulimit -n $MAX_FD if [ $? -ne 0 ] ; then warn "Could not set maximum file descriptor limit: $MAX_FD" fi else warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" fi fi # For Darwin, add options to specify how the application appears in the dock if $darwin; then GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" fi # For Cygwin, switch paths to Windows format before running java if $cygwin ; then APP_HOME=`cygpath --path --mixed "$APP_HOME"` CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` JAVACMD=`cygpath --unix "$JAVACMD"` # We build the pattern for arguments to be converted via cygpath ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` SEP="" for dir in $ROOTDIRSRAW ; do ROOTDIRS="$ROOTDIRS$SEP$dir" SEP="|" done OURCYGPATTERN="(^($ROOTDIRS))" # Add a user-defined pattern to the cygpath arguments if [ "$GRADLE_CYGPATTERN" != "" ] ; then OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" fi # Now convert the arguments - kludge to limit ourselves to /bin/sh i=0 for arg in "$@" ; do CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` else eval `echo args$i`="\"$arg\"" fi i=$((i+1)) done case $i in (0) set -- ;; (1) set -- "$args0" ;; (2) set -- "$args0" "$args1" ;; (3) set -- "$args0" "$args1" "$args2" ;; (4) set -- "$args0" "$args1" "$args2" "$args3" ;; (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; esac fi # Escape application args save () { for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done echo " " } APP_ARGS=$(save "$@") # Collect all arguments for the java command, following the shell quoting and substitution rules eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" # by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then cd "$(dirname "$0")" fi exec "$JAVACMD" "$@" ================================================ FILE: gradlew.bat ================================================ @if "%DEBUG%" == "" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @rem @rem ########################################################################## @rem Set local scope for the variables with windows NT shell if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 if "%DIRNAME%" == "" set DIRNAME=. set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. set DEFAULT_JVM_OPTS= @rem Find java.exe if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 if "%ERRORLEVEL%" == "0" goto init echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. echo. echo Please set the JAVA_HOME variable in your environment to match the echo location of your Java installation. goto fail :findJavaFromJavaHome set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe if exist "%JAVA_EXE%" goto init echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% echo. echo Please set the JAVA_HOME variable in your environment to match the echo location of your Java installation. goto fail :init @rem Get command-line arguments, handling Windows variants if not "%OS%" == "Windows_NT" goto win9xME_args :win9xME_args @rem Slurp the command line arguments. set CMD_LINE_ARGS= set _SKIP=2 :win9xME_args_slurp if "x%~1" == "x" goto execute set CMD_LINE_ARGS=%* :execute @rem Setup the command line set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar @rem Execute Gradle "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% :end @rem End local scope for the variables with windows NT shell if "%ERRORLEVEL%"=="0" goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 exit /b 1 :mainEnd if "%OS%"=="Windows_NT" endlocal :omega ================================================ FILE: settings.gradle ================================================ /* * Copyright (c) 2019 - Oak Chen * 2019-07-26 Oak Chen */ include ':app'