-
-
一招一式讲Android安全--【加固】运行时加载隐藏dex
-
发表于: 2021-4-14 21:54
-
一招一式讲Android安全--【加固】运行时加载隐藏dex
本系列会把Android加固一系列的保护原理和思路讲解一遍,仅作为归档整理。
包括dex、so、反调试等。
本文主要以Android 9.0代码为蓝本进行研究。
希望把加载隐藏dex的思路和原理讲明白,详细的细节,各个步奏,等等。
如有错误的地方,请联系我改正,谢谢。
本文所有权益归chinamima@163.com所有,如需转载请发邮件。
昵称:chinamima
邮箱:chinamima@163.com
经验:从事Android行业10年,Android安全7年,网络安全3年
optimizedDirectory为空,则会在默认位置生成.oat、.odex文件,因此源码里用PathClassLoader作为ClassLoader的实例化类。
BaseDexClassLoader的构造函数并没有把optimizedDirectory传递给DexPathList。
调用createOrUpdateClassLoaderLocked。
调用ApplicationLoaders.getClassLoader获取ClassLoader。
如mLoader已存在,则直接返回。
如mLoader不存在,则调用ClassLoaderFactory.createClassLoader创建。
新建一个PathClassLoader实例。
java/dalvik/system/DexFile.java
/art/runtime/native/dalvik_system_DexFile.cc
cookie通过ConvertJavaArrayToDexFiles(env, cookie, /*out*/ dex_files, /*out*/ oat_file)转换成DexFile*实例。
再通过class_linker->DefineClass从DexFile*里加载类。
可以看到DexFile_defineClassNative里的ConvertJavaArrayToDexFiles函数把cookie和dex_files、oat_file关联了起来。
/art/runtime/native/dalvik_system_DexFile.cc
从这里可以猜测得出,cookie和dex_files、oat_file是一对一关系的。
因此,只需要把cookie替换成另一个dex的值,就可以加载另一个dex的类。
替换cookie值在native层比较难操作,因此我们把目光放到java层。
java/dalvik/system/DexFile.java
在DexFile里也有一个mCookie,通过defineClassNative传参到DexFile_defineClassNative的。
也就是替换mCookie即可达成目的--加载其他dex。
根据DexFile的构造函数可知。
调用DexFile的openDexFile得到一个新的cookie,用于替换原始的mCookie。
由初始化ClassLoader的调用链路可知,LoadedApk保存了ClassLoader的实例,实际上这个实例就是findClass时用到的PathClassLoader。
因此,新new一个ClassLoader并替换掉LoadedApk里的mClassLoader即能实现替换dex效果。
从上面代码可知,ClassLoader是从DexPathList pathList里加载class的。
而DexPathList是由Element[] dexElements组成的,在findClass最先从数组最前面取Element。
因此,我们可以在DexPathList.dexElements的前面插入隐藏dex的Element,从而实现加载隐藏dex。
发现DexFile.openInMemoryDexFile可以直接加载buffer,因此可以从内存中加载dex。
关键点在于ArtDexFileLoader::open,此处传递了一个kNoOatDexFile参数,明显是无oat文件的意思。
dalvik_system_DexFile.cc
art_dex_file_loader.cc
- 1. 概述
- 1.1. 背景
- 1.2. 目的
- 1.3. 作者
- 2. ClassLoader机制介绍
- 2.1. ClassLoader类关系
- 2.2. ClassLoader部分源码
- 3. 初始化ClassLoader
- 3.1. 调用链路
- 3.2. 详细源码
- 3.2.1. ActivityThread.performLaunchActivity
- 3.2.2. ActivityThread.createBaseContextForActivity
- 3.2.3. ContextImpl.createActivityContext
- 3.2.4. LoadedApk.getClassLoader
- 3.2.5. LoadedApk.createOrUpdateClassLoaderLocked
- 3.2.6. ApplicationLoaders.getClassLoader
- 3.2.7. ClassLoaderFactory.createClassLoader
- 4. findClass源码路径
- 4.1. BaseDexClassLoader
- 4.2. DexPathList
- 4.3. Element
- 4.4. DexFile
- 4.5. dalvik_system_DexFile
- 5. 替换mCookie
- 5.1. 关键点
- 5.2. 思路
- 5.3. 实现
- 5.4. 思考
- 6. 替换ClassLoader
- 6.1. 覆盖ClassLoader成员变量
- 6.2. 替换LoadedApk里ClassLoader
- 7. 添加到DexPathList
- 8. 直接加载dex byte
- 8.1. 从内存中加载dex,避免生成oat
- 8.1.1. 调用链路
- 8.1.2. 详细源码
// DexClassLoader.java
public class DexClassLoader extends BaseDexClassLoader {
public DexClassLoader(String dexPath, String optimizedDirectory,
String libraryPath, ClassLoader parent) {
super(dexPath, new File(optimizedDirectory), libraryPath, parent);
}
}// PathClassLoader.java
public class PathClassLoader extends BaseDexClassLoader {
public PathClassLoader(String dexPath, ClassLoader parent) {
super(dexPath, null, null, parent);
}
public PathClassLoader(String dexPath, String libraryPath,
ClassLoader parent) {
super(dexPath, null, libraryPath, parent);
}
}// DexClassLoader.java
public class DexClassLoader extends BaseDexClassLoader {
public DexClassLoader(String dexPath, String optimizedDirectory,
String libraryPath, ClassLoader parent) {
super(dexPath, new File(optimizedDirectory), libraryPath, parent);
}
}// PathClassLoader.java
public class PathClassLoader extends BaseDexClassLoader {
public PathClassLoader(String dexPath, ClassLoader parent) {
super(dexPath, null, null, parent);
}
public PathClassLoader(String dexPath, String libraryPath,
ClassLoader parent) {
super(dexPath, null, libraryPath, parent);
}
}//android 8.0
public BaseDexClassLoader(String dexPath, File optimizedDirectory,
String librarySearchPath, ClassLoader parent) {
this(dexPath, optimizedDirectory, librarySearchPath, parent, false);
}public BaseDexClassLoader(String dexPath, File optimizedDirectory,
String librarySearchPath, ClassLoader parent, boolean isTrusted) {
super(parent);
this.pathList = new DexPathList(this, dexPath, librarySearchPath, null, isTrusted);
if (reporter != null) {
reportClassLoaderChain();
}
}//android 8.0
public BaseDexClassLoader(String dexPath, File optimizedDirectory,
String librarySearchPath, ClassLoader parent) {
this(dexPath, optimizedDirectory, librarySearchPath, parent, false);
}public BaseDexClassLoader(String dexPath, File optimizedDirectory,
String librarySearchPath, ClassLoader parent, boolean isTrusted) {
super(parent);
this.pathList = new DexPathList(this, dexPath, librarySearchPath, null, isTrusted);
if (reporter != null) {
reportClassLoaderChain();
}
}ActivityThread.performLaunchActivity //启动activity
├─ ActivityThread.createBaseContextForActivity //创建ContextImpl,并作为app的Context实现
│ └─ ContextImpl.createActivityContext //从LoadedApk获取ClassLoader,并创建ContextImpl
│ └─ LoadedApk.getClassLoader //判断是否已有ClassLoader,如无则调用createOrUpdateClassLoaderLocked
│ └─ LoadedApk.createOrUpdateClassLoaderLocked
│ └─ ApplicationLoaders.getClassLoader
│ └─ ClassLoaderFactory.createClassLoader
│ └─ new PathClassLoader
└─ ContextImpl.getClassLoader //LoadedApk.getClassLoader已经生成了ClassLoader,并存于ContextImpl的mClassLoader中
ActivityThread.performLaunchActivity //启动activity
├─ ActivityThread.createBaseContextForActivity //创建ContextImpl,并作为app的Context实现
│ └─ ContextImpl.createActivityContext //从LoadedApk获取ClassLoader,并创建ContextImpl
│ └─ LoadedApk.getClassLoader //判断是否已有ClassLoader,如无则调用createOrUpdateClassLoaderLocked
│ └─ LoadedApk.createOrUpdateClassLoaderLocked
│ └─ ApplicationLoaders.getClassLoader
│ └─ ClassLoaderFactory.createClassLoader
│ └─ new PathClassLoader
└─ ContextImpl.getClassLoader //LoadedApk.getClassLoader已经生成了ClassLoader,并存于ContextImpl的mClassLoader中
package android.app;public final class ActivityThread extends ClientTransactionHandler {
/** Core implementation of activity launch. */
private Activity performLaunchActivity(ActivityClientRecord r, Intent customIntent) {
//...省略,chinamima
// ==========>>> 创建ContextImpl <<<==========
ContextImpl appContext = createBaseContextForActivity(r);
Activity activity = null;
try {
//从ContextImpl里获取ClassLoader
java.lang.ClassLoader cl = appContext.getClassLoader();
activity = mInstrumentation.newActivity(
cl, component.getClassName(), r.intent);
//...省略,chinamima
} catch (Exception e) {
//...省略,chinamima
}
try {
Application app = r.packageInfo.makeApplication(false, mInstrumentation);
//...省略,chinamima
if (activity != null) {
//...省略,chinamima
appContext.setOuterContext(activity);
activity.attach(appContext, this, getInstrumentation(), r.token,
r.ident, app, r.intent, r.activityInfo, title, r.parent,
r.embeddedID, r.lastNonConfigurationInstances, config,
r.referrer, r.voiceInteractor, window, r.configCallback);
//...省略,chinamima
if (r.isPersistable()) {
mInstrumentation.callActivityOnCreate(activity, r.state, r.persistentState);
} else {
mInstrumentation.callActivityOnCreate(activity, r.state);
}
//...省略,chinamima
r.activity = activity;
}
mActivities.put(r.token, r);
} catch (SuperNotCalledException e) {
throw e;
} catch (Exception e) {
//...省略,chinamima
}
return activity;
}
}package android.app;public final class ActivityThread extends ClientTransactionHandler {
/** Core implementation of activity launch. */
private Activity performLaunchActivity(ActivityClientRecord r, Intent customIntent) {
//...省略,chinamima
// ==========>>> 创建ContextImpl <<<==========
ContextImpl appContext = createBaseContextForActivity(r);
Activity activity = null;
try {
//从ContextImpl里获取ClassLoader
java.lang.ClassLoader cl = appContext.getClassLoader();
activity = mInstrumentation.newActivity(
cl, component.getClassName(), r.intent);
//...省略,chinamima
} catch (Exception e) {
//...省略,chinamima
}
try {
Application app = r.packageInfo.makeApplication(false, mInstrumentation);
//...省略,chinamima
if (activity != null) {
//...省略,chinamima
appContext.setOuterContext(activity);
activity.attach(appContext, this, getInstrumentation(), r.token,
r.ident, app, r.intent, r.activityInfo, title, r.parent,
r.embeddedID, r.lastNonConfigurationInstances, config,
r.referrer, r.voiceInteractor, window, r.configCallback);
//...省略,chinamima
if (r.isPersistable()) {
mInstrumentation.callActivityOnCreate(activity, r.state, r.persistentState);
} else {
mInstrumentation.callActivityOnCreate(activity, r.state);
}
//...省略,chinamima
r.activity = activity;
}
mActivities.put(r.token, r);
} catch (SuperNotCalledException e) {
throw e;
} catch (Exception e) {
//...省略,chinamima
}
return activity;
}
}package android.app;public final class ActivityThread extends ClientTransactionHandler {
private ContextImpl createBaseContextForActivity(ActivityClientRecord r) {
int displayId = ActivityManager.getService().getActivityDisplayId(r.token);
//...省略,chinamima
// ==========>>> 生成ContextImpl实例,里面会生成一个默认ClassLoader成员变量 <<<==========
ContextImpl appContext = ContextImpl.createActivityContext(
this, r.packageInfo, r.activityInfo, r.token, displayId, r.overrideConfig);
//...省略,chinamima
return appContext;
}
}package android.app;public final class ActivityThread extends ClientTransactionHandler {
private ContextImpl createBaseContextForActivity(ActivityClientRecord r) {
int displayId = ActivityManager.getService().getActivityDisplayId(r.token);
//...省略,chinamima
// ==========>>> 生成ContextImpl实例,里面会生成一个默认ClassLoader成员变量 <<<==========
ContextImpl appContext = ContextImpl.createActivityContext(
this, r.packageInfo, r.activityInfo, r.token, displayId, r.overrideConfig);
//...省略,chinamima
return appContext;
}
}package android.app;class ContextImpl extends Context {
static ContextImpl createActivityContext(ActivityThread mainThread,
LoadedApk packageInfo, ActivityInfo activityInfo, IBinder activityToken, int displayId,
Configuration overrideConfiguration) {
//...省略,chinamima
// ==========>>> 从LoadedApk里获取ClassLoader <<<==========
ClassLoader classLoader = packageInfo.getClassLoader();
//...省略,chinamima
//创建一个ContextImpl实例
ContextImpl context = new ContextImpl(null, mainThread, packageInfo, activityInfo.splitName,
activityToken, null, 0, classLoader);
//...省略,chinamima
return context;
}
}package android.app;class ContextImpl extends Context {
static ContextImpl createActivityContext(ActivityThread mainThread,
LoadedApk packageInfo, ActivityInfo activityInfo, IBinder activityToken, int displayId,
Configuration overrideConfiguration) {
//...省略,chinamima
// ==========>>> 从LoadedApk里获取ClassLoader <<<==========
ClassLoader classLoader = packageInfo.getClassLoader();
//...省略,chinamima
//创建一个ContextImpl实例
ContextImpl context = new ContextImpl(null, mainThread, packageInfo, activityInfo.splitName,
activityToken, null, 0, classLoader);
//...省略,chinamima
return context;
}
}package android.app;public final class LoadedApk {
private ClassLoader mClassLoader;
public ClassLoader getClassLoader() {
synchronized (this) {
if (mClassLoader == null) {
// ==========>>> 关键步奏 <<<==========
createOrUpdateClassLoaderLocked(null /*addedPaths*/);
}
return mClassLoader;
}
}
}package android.app;public final class LoadedApk {
private ClassLoader mClassLoader;
public ClassLoader getClassLoader() {
synchronized (this) {
if (mClassLoader == null) {
// ==========>>> 关键步奏 <<<==========
createOrUpdateClassLoaderLocked(null /*addedPaths*/);
}
return mClassLoader;
}
}
}package android.app;public final class LoadedApk {
private void createOrUpdateClassLoaderLocked(List<String> addedPaths) {
//...省略,chinamima
// If we're not asked to include code, we construct a classloader that has
// no code path included. We still need to set up the library search paths
// and permitted path because NativeActivity relies on it (it attempts to
// call System.loadLibrary() on a classloader from a LoadedApk with
// mIncludeCode == false).
if (!mIncludeCode) {
if (mClassLoader == null) {
//...省略,chinamima
// ==========>>> 关键步奏 <<<==========
mClassLoader = ApplicationLoaders.getDefault().getClassLoader(
"" /* codePath */, mApplicationInfo.targetSdkVersion, isBundledApp,
librarySearchPath, libraryPermittedPath, mBaseClassLoader,
null /* classLoaderName */);
//...省略,chinamima
}
return;
}
//...省略,chinamima
}
}package android.app;public final class LoadedApk {
private void createOrUpdateClassLoaderLocked(List<String> addedPaths) {
//...省略,chinamima
// If we're not asked to include code, we construct a classloader that has
// no code path included. We still need to set up the library search paths
// and permitted path because NativeActivity relies on it (it attempts to
// call System.loadLibrary() on a classloader from a LoadedApk with
// mIncludeCode == false).
if (!mIncludeCode) {
if (mClassLoader == null) {
//...省略,chinamima
// ==========>>> 关键步奏 <<<==========
mClassLoader = ApplicationLoaders.getDefault().getClassLoader(
"" /* codePath */, mApplicationInfo.targetSdkVersion, isBundledApp,
librarySearchPath, libraryPermittedPath, mBaseClassLoader,
null /* classLoaderName */);
//...省略,chinamima
}
return;
}
//...省略,chinamima
}
}package android.app;public class ApplicationLoaders {
public static ApplicationLoaders getDefault() {
return gApplicationLoaders;
}
ClassLoader getClassLoader(String zip, int targetSdkVersion, boolean isBundled,
String librarySearchPath, String libraryPermittedPath,
ClassLoader parent, String classLoaderName) {
// For normal usage the cache key used is the same as the zip path.
// ==========>>> 调用另一个getClassLoader <<<==========
return getClassLoader(zip, targetSdkVersion, isBundled, librarySearchPath,
libraryPermittedPath, parent, zip, classLoaderName);
}
private ClassLoader getClassLoader(String zip, int targetSdkVersion, boolean isBundled,
String librarySearchPath, String libraryPermittedPath,
ClassLoader parent, String cacheKey,
String classLoaderName) {
/*
* This is the parent we use if they pass "null" in. In theory
* this should be the "system" class loader; in practice we
* don't use that and can happily (and more efficiently) use the
* bootstrap class loader.
*/
ClassLoader baseParent = ClassLoader.getSystemClassLoader().getParent();
synchronized (mLoaders) {
if (parent == null) {
parent = baseParent;
}
/*
* If we're one step up from the base class loader, find
* something in our cache. Otherwise, we create a whole
* new ClassLoader for the zip archive.
*/
if (parent == baseParent) {
ClassLoader loader = mLoaders.get(cacheKey);
if (loader != null) {
return loader;
}
//...省略,chinamima
// ==========>>> 工厂模式生成PathClassLoader实例 <<<==========
ClassLoader classloader = ClassLoaderFactory.createClassLoader(
zip, librarySearchPath, libraryPermittedPath, parent,
targetSdkVersion, isBundled, classLoaderName);
//...省略,chinamima
mLoaders.put(cacheKey, classloader);
return classloader;
}
// ==========>>> 工厂模式生成PathClassLoader实例 <<<==========
ClassLoader loader = ClassLoaderFactory.createClassLoader(
zip, null, parent, classLoaderName);
return loader;
}
}
private final ArrayMap<String, ClassLoader> mLoaders = new ArrayMap<>();
private static final ApplicationLoaders gApplicationLoaders = new ApplicationLoaders();
package android.app;public class ApplicationLoaders {
public static ApplicationLoaders getDefault() {
return gApplicationLoaders;
}
ClassLoader getClassLoader(String zip, int targetSdkVersion, boolean isBundled,
String librarySearchPath, String libraryPermittedPath,
ClassLoader parent, String classLoaderName) {
// For normal usage the cache key used is the same as the zip path.
// ==========>>> 调用另一个getClassLoader <<<==========
return getClassLoader(zip, targetSdkVersion, isBundled, librarySearchPath,
libraryPermittedPath, parent, zip, classLoaderName);
}
private ClassLoader getClassLoader(String zip, int targetSdkVersion, boolean isBundled,
String librarySearchPath, String libraryPermittedPath,
ClassLoader parent, String cacheKey,
String classLoaderName) {
/*
* This is the parent we use if they pass "null" in. In theory
* this should be the "system" class loader; in practice we
* don't use that and can happily (and more efficiently) use the
* bootstrap class loader.
*/
ClassLoader baseParent = ClassLoader.getSystemClassLoader().getParent();
synchronized (mLoaders) {
if (parent == null) {
parent = baseParent;
}
/*
* If we're one step up from the base class loader, find
* something in our cache. Otherwise, we create a whole
* new ClassLoader for the zip archive.
*/
if (parent == baseParent) {
ClassLoader loader = mLoaders.get(cacheKey);
if (loader != null) {
return loader;
}
//...省略,chinamima
// ==========>>> 工厂模式生成PathClassLoader实例 <<<==========
ClassLoader classloader = ClassLoaderFactory.createClassLoader(
zip, librarySearchPath, libraryPermittedPath, parent,
targetSdkVersion, isBundled, classLoaderName);
//...省略,chinamima
mLoaders.put(cacheKey, classloader);
return classloader;
}
// ==========>>> 工厂模式生成PathClassLoader实例 <<<==========
ClassLoader loader = ClassLoaderFactory.createClassLoader(
zip, null, parent, classLoaderName);
return loader;
}
}
private final ArrayMap<String, ClassLoader> mLoaders = new ArrayMap<>();
private static final ApplicationLoaders gApplicationLoaders = new ApplicationLoaders();
package com.android.internal.os;public class ClassLoaderFactory {
public static ClassLoader createClassLoader(String dexPath,
String librarySearchPath, ClassLoader parent, String classloaderName) {
if (isPathClassLoaderName(classloaderName)) {
// ==========>>> 新建PathClassLoader实例 <<<==========
return new PathClassLoader(dexPath, librarySearchPath, parent);
} else if (isDelegateLastClassLoaderName(classloaderName)) {
return new DelegateLastClassLoader(dexPath, librarySearchPath, parent);
}
throw new AssertionError("Invalid classLoaderName: " + classloaderName);
}
public static ClassLoader createClassLoader(String dexPath,
String librarySearchPath, String libraryPermittedPath, ClassLoader parent,
int targetSdkVersion, boolean isNamespaceShared, String classloaderName) {
// ==========>>> 调用另一个createClassLoader <<<==========
final ClassLoader classLoader = createClassLoader(dexPath, librarySearchPath, parent,
classloaderName);
//...省略,chinamima
return classLoader;
}
}package com.android.internal.os;public class ClassLoaderFactory {
public static ClassLoader createClassLoader(String dexPath,
String librarySearchPath, ClassLoader parent, String classloaderName) {
if (isPathClassLoaderName(classloaderName)) {
// ==========>>> 新建PathClassLoader实例 <<<==========
return new PathClassLoader(dexPath, librarySearchPath, parent);
} else if (isDelegateLastClassLoaderName(classloaderName)) {
return new DelegateLastClassLoader(dexPath, librarySearchPath, parent);
}
throw new AssertionError("Invalid classLoaderName: " + classloaderName);
}
public static ClassLoader createClassLoader(String dexPath,
String librarySearchPath, String libraryPermittedPath, ClassLoader parent,
int targetSdkVersion, boolean isNamespaceShared, String classloaderName) {
// ==========>>> 调用另一个createClassLoader <<<==========
final ClassLoader classLoader = createClassLoader(dexPath, librarySearchPath, parent,
classloaderName);
//...省略,chinamima
return classLoader;
}
}package dalvik.system;public class BaseDexClassLoader extends ClassLoader {
private final DexPathList pathList;
public BaseDexClassLoader(String dexPath, File optimizedDirectory,
String librarySearchPath, ClassLoader parent, boolean isTrusted) {
super(parent);
this.pathList = new DexPathList(this, dexPath, librarySearchPath, null, isTrusted);
//...省略,chinamima
}
protected Class<?> findClass(String name) throws ClassNotFoundException {
// ==========>>> 从DexPathList里找类 <<<==========
Class c = pathList.findClass(name, suppressedExceptions);
//...省略,chinamima
return c;
}
}package dalvik.system;public class BaseDexClassLoader extends ClassLoader {
private final DexPathList pathList;
public BaseDexClassLoader(String dexPath, File optimizedDirectory,
String librarySearchPath, ClassLoader parent, boolean isTrusted) {
super(parent);
this.pathList = new DexPathList(this, dexPath, librarySearchPath, null, isTrusted);
//...省略,chinamima
}
protected Class<?> findClass(String name) throws ClassNotFoundException {
// ==========>>> 从DexPathList里找类 <<<==========
Class c = pathList.findClass(name, suppressedExceptions);
//...省略,chinamima
return c;
}
}package dalvik.system;final class DexPathList {
private Element[] dexElements;
public Class<?> findClass(String name, List<Throwable> suppressed) {
for (Element element : dexElements) {
// ==========>>> 从Element里找类 <<<==========
Class<?> clazz = element.findClass(name, definingContext, suppressed);
if (clazz != null) {
return clazz;
}
}
//...省略,chinamima
return null;
}
}package dalvik.system;final class DexPathList {
private Element[] dexElements;
public Class<?> findClass(String name, List<Throwable> suppressed) {
for (Element element : dexElements) {
// ==========>>> 从Element里找类 <<<==========
Class<?> clazz = element.findClass(name, definingContext, suppressed);
if (clazz != null) {
return clazz;
}
}
//...省略,chinamima
return null;
}
}static class Element {
private final File path;
private final DexFile dexFile;
public Element(DexFile dexFile, File dexZipPath) {
this.dexFile = dexFile;
this.path = dexZipPath;
}
public Class<?> findClass(String name, ClassLoader definingContext,
List<Throwable> suppressed) {
// ==========>>> 从DexFile里找类 <<<==========
return dexFile != null ? dexFile.loadClassBinaryName(name, definingContext, suppressed)
: null;
}
}static class Element {
private final File path;
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2021-4-21 10:59
被chinamima编辑
,原因: 调整格式,提示关键步奏
|
|
|---|---|
|
|
写的很不错 哥哥
|
|
|
|
|
|
|
|
|
哥哥 写的真好!
|
|
|
写的挺好的一篇文章
|
|
|
|
|
|
|
|
|
|
|
|
防dump那是下一步的加固方案了,只要是在内存中还是完整的dex,就能dump |
|
|
|
|
|
|
|
|
|
|
|
|
