Injecting code into APK

Question

I know you can decompile code using apktool and recompile it again, but my question is how would you be able to inject large amounts of code into an apk and execute it.

I see that Amazon's appstore DRM is doing this, I'm assuming, since they say they are wrapping the apk with their own code, and once you decompile that apk you see that they have added their own class com.amazon etc.

How are they achieving this?

Recommended answer

Just for the fun of it, I downloaded an apk from the Amazon store (I never used it before tonight) and decompiled it. You won't find much in the manifest, but there's a whole folder of Amazon classes inside the smali tree. The mechanisms that Amazon uses largely exceed my very limited understanding, but I can point you to some data.

Update: the apps require the Amazon appstore apk to be installed in order to function, so the classes below use some Amazon activity to check for the DRM.

Method:

$ apktool d xxx.apk
$ cd xxx/smali
$ grep -RHin 'amazon' *

Findings:

First, you might want to take a look at

.class public Lcom/amazon/mas/kiwi/util/ApkHelpers;

and its methods:

.method public static getApkSignature(Ljava/lang/String;)[B
.method private static getCodeSigners(Ljava/util/jar/JarFile;)[Ljava/security/CodeSigner;
.method public static getContentID(Ljava/util/jar/JarFile;)Ljava/lang/String;
.method public static getContentIDFromName(Ljava/lang/String;)Ljava/lang/String;
.method private static getFirstSigningCert(Ljava/util/jar/JarFile;)Ljava/security/cert/Certificate;
.method public static isSigned(Ljava/util/jar/JarFile;)Z
.method private static scanJar(Ljava/util/jar/JarFile;)V

In the same com/amazon/mas/kiwi/util folder there are a few more classes, such as DeveloperInfo (not that interesting), Base64 and BC1 (for checksums).

In the folder com/amazon/android/ you will find the class Kiwi

.class public final Lcom/amazon/android/Kiwi;

with a quite obvious field:

.field private final drmFull:Z

That class Kiwi is referenced in every original smali file in the app. Example:

.method public onCreate(Landroid/os/Bundle;)V
    .locals 1

    invoke-virtual {p0, p1}, Lxxx/xxxx/Xxxx;->xxxxXxxxx(Landroid/os/Bundle;)V

    const/4 v0, 0x1

    invoke-static {p0, v0}, Lcom/amazon/android/Kiwi;->onCreate(Landroid/app/Activity;Z)V

    return-void
.end method

Conclusion:

The method involves injecting code in every class of the apk, probably through decompiling the apk, parsing each file, adding the necessary classes, and recompiling using the same key.
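
As an added example (not part of the original answer and not Amazon's code), the following Python scans decompiled smali for calls into a wrapper package, so an auditor can list exactly which app methods carry an injected call like the `Kiwi;->onCreate` one shown above. The sample smali, the `com/example/app` classes and the `find_wrapper_calls` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two smali files as apktool would emit them (class names are made up).
SAMPLE_SMALI = {
    "com/example/app/MainActivity.smali": """\
.class public Lcom/example/app/MainActivity;
.method public onCreate(Landroid/os/Bundle;)V
    .locals 1
    invoke-virtual {p0, p1}, Lcom/example/app/MainActivity;->origOnCreate(Landroid/os/Bundle;)V
    const/4 v0, 0x1
    invoke-static {p0, v0}, Lcom/amazon/android/Kiwi;->onCreate(Landroid/app/Activity;Z)V
    return-void
.end method
""",
    "com/example/app/Util.smali": """\
.class public Lcom/example/app/Util;
.method public static max(II)I
    .locals 1
    invoke-static {p0, p1}, Ljava/lang/Math;->max(II)I
    move-result v0
    return v0
.end method
""",
}

CLASS_RE = re.compile(r"^\.class\s.*?(L[\w/$]+;)\s*$")
METHOD_RE = re.compile(r"^\.method\s.*?([\w<>$]+\(.*\).*)$")
INVOKE_RE = re.compile(r"^\s*invoke-[\w/]+\s+\{[^}]*\},\s*(L[\w/$]+;)->([\w<>$]+)")

def find_wrapper_calls(smali_files, wrapper_prefix):
    """Map each app method to the calls it makes into wrapper_prefix classes."""
    hits = defaultdict(list)
    for text in smali_files.values():
        cls = method = None
        for line in text.splitlines():
            if m := CLASS_RE.match(line):
                cls = m.group(1)
            elif m := METHOD_RE.match(line):
                method = m.group(1)
            elif line.startswith(".end method"):
                method = None
            elif (m := INVOKE_RE.match(line)) and method:
                target, name = m.groups()
                # Skip calls made from inside the wrapper package itself.
                if target.startswith(wrapper_prefix) and not cls.startswith(wrapper_prefix):
                    hits[f"{cls}->{method}"].append(f"{target}->{name}")
    return dict(hits)
```

To audit a real app, build the dictionary from the `.smali` files under the directory apktool produced and pass the wrapper's package prefix, for example `Lcom/amazon/`.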
