-
-
[分享]发几个Android静态和动态分析的小技巧
-
发表于: 2014-6-13 00:07
-
没有好的调试工具下
对dex后的smali的技巧
。
一、常用插代码
(如果怕影响寄存器值,可以将.locals xxx改多几个或者合适的地方,如返回前添加)
1、
const-string v7, "log.v(xx, yy);"
invoke-static {v7, v7}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I
const-string v0, "Must ensure vx is Context class, then Toast.makeText(vx, xxx, 1).show();" # CharSequence对象类型
const/4 v1, 0x1 # I int类型
invoke-static {p0, v0, v1}, Landroid/widget/Toast;->makeText(Landroid/content/Context;Ljava/lang/CharSequence;I)Landroid/widget/Toast; # p0 是一个Context
move-result-object v0
invoke-virtual {v0}, Landroid/widget/Toast;->show()V
.class public Lcom/dataviz/dxtg/common/android/launcher/TabbedLauncherActivity; .super Lcom/dataviz/dxtg/common/android/ApplicationActivity; # interfaces .implements Landroid/view/GestureDetector$OnGestureListener; .implements Lcom/dataviz/dxtg/common/android/ar; .implements Lcom/dataviz/dxtg/common/android/bt; .implements Lcom/dataviz/dxtg/common/android/cs; .implements Lcom/dataviz/dxtg/common/android/dv; .implements Lcom/dataviz/dxtg/common/android/iap/d; .implements Lcom/dataviz/dxtg/common/android/iap/z; .method public c()V .end method
.class public interface abstract Lcom/dataviz/dxtg/common/android/dv; .super Ljava/lang/Object; # virtual methods .method public abstract a(Ljava/lang/String;)V .end method .method public abstract a(Z)V .end method .method public abstract c()V .end method
Searching 7287 files for "Lcom/dataviz/dxtg/common/android/dv;->c()V"
D:\com.dataviz.docstogo\smali\com\dataviz\dxtg\common\android\do.smali:
91: invoke-interface {v0}, Lcom/dataviz/dxtg/common/android/dv;->c()V
289: invoke-interface {v0}, Lcom/dataviz/dxtg/common/android/dv;->c()V
2 matches in 1 file
.method public c()V
.locals 1 ## .locals 1 romove desktop tab
const/4 v0, 0x0
#new-instance v0, Lcom/dataviz/dxtg/common/android/bl;
#invoke-direct {v0}, Lcom/dataviz/dxtg/common/android/bl;-><init>()V
invoke-direct {p0, v0}, Lcom/dataviz/dxtg/common/android/launcher/TabbedLauncherActivity;->a(Landroid/support/v4/app/Fragment;)Z
return-void
.end method
const-string/jumbo v0, "4.001"
const v1, 666666
# # VFY: invalid reg type 1073801336 on iput instr (need 12)
# # VFY: rejecting opcode 0x59 at 0x001d
# # 0x59 表示 iput vx,vy, field_id, 0x001d应该是 方法里偏移量,两字节一个偏移量
iput v0, v4, Lxx/yy/clazz;->field:I
<?xml version="1.0" encoding="utf-8"?>
<fs_sr_script>
<fs_sr_options/>
<fs_sr_info case_sensitive="0">
<search_string>Lcom/dataviz/dxtg/common/d/j/</search_string>
<replace_string>Lcom/dataviz/dxtg/common/d/HttpThread_j</replace_string>
</fs_sr_info>
<fs_file_list_info>
<mask>*</mask>
<path>D:\d</path>
</fs_file_list_info>
</fs_sr_script>
#generate a 'suggest' config for rename d2j-init-deobf -f -o init.txt a.jar -o 输出配置文件,这里为init.txt -f 如果存在重写文件 a.jar 待修改的文件
d2j-jar-remap -f -c init.txt -o a-deobf.jar a.jar -c 替换的配置文件 -o 输出文件 -f 如果存在重写文件 a.jar 待修改的文件
## file UTF-8 # format : ? x=y #?为大写貌似是静态吗,因为在public class InitOut里方法private void doMethod(String owner, ClassInfo.MemberInfo member, int x)有句sb.append(AccUtils.isStatic(member.access) ? "M" : "m"); #重命名包a为pa p a=pa #重命名类a为C000_a c a/a=C000_a #重命名方法名a为Ma m a/a.a()=Ma #重命名字段名a为Fa f a/a.a=Fa
## file UTF-8 ## format : pqx=y ## ## p is as follow: ## a comment line config starts with '#'; ## a field or method line config starts with 'F', 'M', 'f',or 'm'; ## a class line config starts with 'C',or 'c'; ## a package line config starts with 'P',or 'p'; ## a @ line config starts with '@'; ## ## q ?, but a space is ok
package a;
public class a
{
static String a = "Hello";
static void a() {
System.out.println(a);
}
public static void main(String[] args) {
a();
}
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
回溯堆栈有好一点的办法,注入一个打印回调的类即可,何必要搞崩溃
  |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
