博客

Zjdroid定制记录

2015/07/08 技术

Zjdroid修复过程

从github上下载的源码,不能执行,在xposed的log中存在下面的报错 

-----------------
2015年7月9日 上午6:38:17 UTC
Loading Xposed v54 (for Zygote)...
Running ROM 'KXB21.14-L1.40' with fingerprint 'motorola/falcon_asia_ds/falcon_umtsds:4.4.4/KXB21.14-L1.40/34:user/release-keys'
Loading modules from /data/app/com.android.reverse-2.apk
  Loading class com.android.reverse.mod.ReverseXposedModule
java.lang.IllegalAccessError: Class ref in pre-verified class resolved to unexpected implementation
	at dalvik.system.DexFile.defineClassNative(Native Method)
	at dalvik.system.DexFile.defineClass(DexFile.java:222)
	at dalvik.system.DexFile.loadClassBinaryName(DexFile.java:215)
	at dalvik.system.DexPathList.findClass(DexPathList.java:322)
	at dalvik.system.BaseDexClassLoader.findClass(BaseDexClassLoader.java:54)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:497)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:457)
	at de.robv.android.xposed.XposedBridge.loadModule(XposedBridge.java:421)
	at de.robv.android.xposed.XposedBridge.loadModules(XposedBridge.java:386)
	at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:120)
	at dalvik.system.NativeStart.main(Native Method)

解决方案竟然出人意料的简单,就是对xposed的处理不对. 直接看下面的链接就可以:点这里 最后还是建议在开发之前,可以把开发者手册(如果不是很长的话)好好看一下,可以避免走好多弯路

各加固方案对抗zjdroid情况

梆梆加固(齐鲁银行)

  • 运行Zjdroid的效果
    1. dumpdexinfo可以直接运行
    2. dumpclass可以直接看到正常class的名字
    3. 使用dumpdexfile可以正常执行,拿出来的odex文件进行反编译,方向只能反编译一部分,拿不到全部的代码.
    4. 使用backsmali命令,应用直接推出,梆梆肯定对Zjdroid做了对抗.
  • 反Zjdroid的方式(梆梆)
    1. 根据上面的情况推测,应该梆梆直接也注册了广播接收器,如果没有接受到了backsmali,就直接退出环境,初步推测了是使用了广播拦截, 拦截带关键字backsmali的广播,来防止zjroid,通过修改backsmali关键字来进行脱壳,但是发现还是不行,得到下面的报错的信息
    java.lang.NullPointerException
	at com.android.reverse.collecter.DexFileInfoCollecter$1.afterHookedMethod(DexFileInfoCollecter.java:60)
	at com.android.reverse.hook.MethodHookCallBack.afterHookedMethod(MethodHookCallBack.java:22)
	at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:645)
	at dalvik.system.DexFile.openDexFileNative(Native Method)
	at dalvik.system.DexFile.openDexFile(DexFile.java:296)
	at dalvik.system.DexFile.<init>(DexFile.java:80)
	at com.secneo.guard.ACall.jniCheckRawDexAvailable(Native Method)
	at com.secneo.guard.Util.createChildProcess(Util.java:684)
	at com.secneo.guard.Util.runAll(Util.java:840)
	at com.secneo.guard.ApplicationWrapper.onCreate(ApplicationWrapper.java:253)
	at de.robv.android.xposed.XposedBridge.invokeOriginalMethodNative(Native Method)
	at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:631)
	at com.secneo.guard.ApplicationWrapper.onCreate(Native Method)
	at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1030)
	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:4409)
	at de.robv.android.xposed.XposedBridge.invokeOriginalMethodNative(Native Method)
	at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:631)
	at android.app.ActivityThread.handleBindApplication(Native Method)
	at android.app.ActivityThread.access$1500(ActivityThread.java:139)
	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1270)
	at android.os.Handler.dispatchMessage(Handler.java:102)
	at android.os.Looper.loop(Looper.java:136)
	at android.app.ActivityThread.main(ActivityThread.java:5086)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:515)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:785)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:601)
	at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:132)
	at dalvik.system.NativeStart.main(Native Method)
java.lang.NullPointerException
	at com.android.reverse.collecter.DexFileInfoCollecter$1.afterHookedMethod(DexFileInfoCollecter.java:60)
	at com.android.reverse.hook.MethodHookCallBack.afterHookedMethod(MethodHookCallBack.java:22)
	at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:645)
	at dalvik.system.DexFile.openDexFileNative(Native Method)
	at dalvik.system.DexFile.openDexFile(DexFile.java:296)
	at dalvik.system.DexFile.<init>(DexFile.java:80)
	at com.secneo.guard.ACall.jniCheckRawDexAvailable(Native Method)
	at com.secneo.guard.Util.createChildProcess(Util.java:684)
	at com.secneo.guard.Util.runAll(Util.java:840)
	at com.secneo.guard.ApplicationWrapper.onCreate(ApplicationWrapper.java:253)
	at de.robv.android.xposed.XposedBridge.invokeOriginalMethodNative(Native Method)
	at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:631)
	at com.secneo.guard.ApplicationWrapper.onCreate(Native Method)
	at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1030)
	at android.app.ActivityThread.handleBindApplication(ActivityThread.java:4409)
	at de.robv.android.xposed.XposedBridge.invokeOriginalMethodNative(Native Method)
	at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:631)
	at android.app.ActivityThread.handleBindApplication(Native Method)
	at android.app.ActivityThread.access$1500(ActivityThread.java:139)
	at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1270)
	at android.os.Handler.dispatchMessage(Handler.java:102)
	at android.os.Looper.loop(Looper.java:136)
	at android.app.ActivityThread.main(ActivityThread.java:5086)
	at java.lang.reflect.Method.invokeNative(Native Method)
	at java.lang.reflect.Method.invoke(Method.java:515)
	at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:785)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:601)
	at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:132)
	at dalvik.system.NativeStart.main(Native Method)
  • 脱壳(齐鲁银行)常用命令
    1. dumpdexInfo:获得dex基本信息
    am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_dexinfo"}'
    1. dumpclass:获取指定DEX文件包含可加载类名
    am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_class","dexpath":"/data/data/com.rytong.bankql.newql/.cache/classes.dex"}'
    1. backsmali:根据Dalvik相关内存指针动态反编译指定DEX,并以文件形式保存。
    am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"backsmali","dexpath":"/data/app/com.rytong.bankbj-1.apk"}'
    1. dumpdexfile:Dump指定DEX内存中的数据并保存到文件(数据为odex格式,可在pc上反编译)
    am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"dump_dexfile","dexpath":/data/data/com.rytong.bankql.newql/.cache/classes.dex"}'
    1. getdexfile:同baksmali
    am broadcast -a com.zjdroid.invoke --ei target pid --es cmd '{"action":"backsmali","dexpath":"/data/data/com.rytong.bankql.newql/.cache/classes.dex"}'

Search

    Table of Contents