注射code到APK [英] Injecting code into APK

问题描述

我知道你可以使用apktool反编译code和重新编译它，但我的问题是你会怎么能够注入大量的code到apk文件并执行它。

I know you can decompile code using apktool and recompile it again, but my question is how would you be able to inject large amounts of code into an apk and execute it.

我看到了亚马逊的AppStore DRM是这样做林假设，因为他们说，他们正在包装用自己的code中的APK，一旦你反编译的apk文件，你看到他们增加有自己的阶级com.amazon等

I see that amazon's appstore drm is doing this Im assuming, since they say they are wrapping the apk with their own code, and once you decompile that apk you see that they have added there own class com.amazon etc.

它们是如何acheving呢？

How are they acheving this?

推荐答案

只是为了好玩，我下载的APK从亚马逊商店（今晚之前，我从来没有使用过）和反编译它。你不会找到太多的清单，但有亚马逊类的smali树内的整个文件夹。亚马逊使用主要的机制超出我的了解十分有限，但是我可以指出你的一些数据。

Just for the fun of it, I downloaded an apk from the Amazon store (I never used it before tonight) and decompiled it. You won't find much in the manifest, but there's a whole folder of Amazon classes inside the smali tree. The mechanisms that Amazon uses largely exceed my very limited understanding, but I can point you to some data.

更新：在应用软件需要安装才能发挥作用亚马逊AppStore的APK，所以下面的类使用了一些亚马逊的活动来检查DRM

Update: the apps require the Amazon appstore apk to be installed in order to function, so the classes below uses some amazon activity to check for the drm.

方法

$apktool d xxx.apk
$cd xxx/smali
$grep -RHin 'amazon' *

结果

首先，你可能想看看

.class public Lcom/amazon/mas/kiwi/util/ApkHelpers;

它的方法：

.method public static getApkSignature(Ljava/lang/String;)[B
.method private static getCodeSigners(Ljava/util/jar/JarFile;)[Ljava/security/CodeSigner;
.method public static getContentID(Ljava/util/jar/JarFile;)Ljava/lang/String;
.method public static getContentIDFromName(Ljava/lang/String;)Ljava/lang/String;
.method private static getFirstSigningCert(Ljava/util/jar/JarFile;)Ljava/security/cert/Certificate;
.method public static isSigned(Ljava/util/jar/JarFile;)Z
.method private static scanJar(Ljava/util/jar/JarFile;)V

在同一个COM /亚马逊/ MAS /猕猴桃/ util的文件夹中有几个类，如 DeveloperInfo （不是很有趣），的Base64 和 BC1 （用于校验）。

In the same com/amazon/mas/kiwi/util folder there are a few more classes, such as DeveloperInfo (not that interesting), Base64 and BC1 (for checksums).

在文件夹COM /亚马逊/安卓/，你会发现类新西兰

In the folder com/amazon/android/, you will find the class Kiwi

.class public final Lcom/amazon/android/Kiwi;

有比较明显的领域：

with a quite obvious field:

.field private final drmFull:Z

这班猕猴桃是在应用程序逢原smali文件引用。例如：

That class Kiwi is references in every original smali file in the app. Example:

.method public onCreate(Landroid/os/Bundle;)V
    .locals 1

    invoke-virtual {p0, p1}, Lxxx/xxxx/Xxxx;->xxxxXxxxx(Landroid/os/Bundle;)V

    const/4 v0, 0x1

    invoke-static {p0, v0}, Lcom/amazon/android/Kiwi;->onCreate(Landroid/app/Activity;Z)V

    return-void
.end method

结论

的方法，包括注入code在每类中的apk的，可能是通过反编译所述的apk，解析每个文件，添加必要的类，并使用相同的密钥重新编译。

The method involves injecting code in every class of the apk, probably through decompiling the apk, parsing each file, adding the necessary classes, and recompiling using the same key.

这篇关于注射code到APK的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！