Today's content

1 Today's goals

# Jiuxian (酒仙网) app
- Username/password login
- Phone number + verification-code login
- Captcha cracking
- Maotai reservation feature

# Frida anti-debugging
- The "delete the .so file" approach
# App unpacking



### Reserving Feitian Maotai ---> 1 bottle, 1k
adb install 酒仙网-v9.1.13.apk

# Reservation flow
- 1 Log in
- 2 Make the reservation
- 3 When the time comes ---> flash sale (126日) ---> go to the page and buy

2 Packet-capture analysis

# 1 Account login
- Request URL:
  https://newappuser.jiuxian.com/user/loginUserNamePassWd.htm
- Method:
  post
- Request headers:
  nothing special
- Request body:
  appKey a4feb647-7e15-35d2-8aa2-79ea171fb707 # looks like a UUID; try generating one with uuid
  deviceIdentify a4feb647-7e15-35d2-8aa2-79ea171fb707
  appVersion 9.1.13 # app version number
  areaId 500 # region id
  channelCode 0
  cpsId tencent
  deviceType ANDROID
  deviceTypeExtra 0
  equipmentType Pixel 2 XL
  netEnv wifi
  pushToken As2_lpWpxHeRH97ApKeO5wmyxXdDzHih8BxPPiSl39S1 # looks complicated; can be left out
  screenReslolution 1440x2712
  supportWebp 1
  sysVersion 11

  userName 18953675221
  passWord lqz12345

3 Implementation

3.1 Password login

```python
import uuid
import requests


def login_by_pwd(mobile, password, app_key, device_identify):
    res = requests.post(
        url="https://newappuser.jiuxian.com/user/loginUserNamePassWd.htm",
        data={
            "appKey": app_key,
            "appVersion": "9.1.13",
            "areaId": "2707",
            "channelCode": "0",
            "cpsId": "tencent",
            "deviceIdentify": device_identify,
            "deviceType": "ANDROID",
            "deviceTypeExtra": "0",
            "equipmentType": "Pixel 2 XL",
            "netEnv": "wifi",
            "passWord": password,
            "screenReslolution": "1440x2712",
            "supportWebp": "1",
            "sysVersion": "11",
            "userName": mobile
        },
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "secure": "false",
        },
        verify=False
    )
    print(res.text)
    data_dict = res.json()
    # print(data_dict)

    token = data_dict['result']['userInfo']['token']
    return token


def run():
    app_key = device_identify = str(uuid.uuid4())  # generate a UUID

    mobile = "18953675221"
    password = "Lqz12345"

    token = login_by_pwd(mobile, password, app_key, device_identify)

    print(token)


if __name__ == '__main__':
    run()
```

# Extract the token ---> the reservation step later needs it: 93eb9585534a442b88161ab8501d551e210440860

3.2 Verification-code login

3.2.1 Fetching the image captcha

# Analysis
- Request URL:
  https://newappuser.jiuxian.com/messages/graphCode.htm
- Method:
  get
- Request headers:
  nothing special
- Request parameters:
  appKey a4feb647-7e15-35d2-8aa2-79ea171fb707
  deviceIdentify a4feb647-7e15-35d2-8aa2-79ea171fb707
  pushToken As2_lpWpxHeRH97ApKeO5wmyxXdDzHih8BxPPiSl39S1
  appVersion 9.1.13
  areaId 500
  channelCode 0
  cpsId tencent
  deviceType ANDROID
  deviceTypeExtra 0
  equipmentType Pixel 2 XL
  mobile 18953675221
  netEnv wifi
  screenReslolution 1440x2712
  supportWebp 1
  sysVersion 11
  type 4
- Response data
  - contains a base64-encoded image



# Converting the base64 string to an image

```python
import base64

s = ''  # paste the base64 string from the imgCode field here
res = base64.b64decode(s)
print(res)
with open('./code01.png', 'wb') as f:
    f.write(res)
```

Fetching the image captcha

```python
import requests
import uuid
import base64


def fetch_image_code(mobile, app_key, device_identify):
    res = requests.get(
        url="https://newappuser.jiuxian.com/messages/graphCode.htm",
        params={
            "appKey": app_key,
            "appVersion": "9.1.13",
            "areaId": "2707",
            "channelCode": "0",
            "cpsId": "tencent",
            "deviceIdentify": device_identify,
            "deviceType": "ANDROID",
            "deviceTypeExtra": "0",
            "equipmentType": "Pixel 2 XL",
            "mobile": mobile,
            "netEnv": "wifi",
            "screenReslolution": "1440x2712",
            "supportWebp": "1",
            "sysVersion": "10",
            "type": "4"
        },
        headers={
            "secure": "false",
            "Accept-Encoding": "gzip",
            'user-agent': "okhttp/3.14.9",
            'Host': "newappuser.jiuxian.com",
            'Connection': "keep-alive"
        },
        verify=False
    )

    # the captcha image comes back base64-encoded in result.imgCode
    image_str = res.json()['result']["imgCode"]
    res = base64.b64decode(image_str)
    with open('./code01.png', 'wb') as f:
        f.write(res)


if __name__ == '__main__':
    mobile = "18953675221"
    app_key = device_identify = str(uuid.uuid4())
    fetch_image_code(mobile, app_key, device_identify)
```

3.2.2 Captcha-cracking approaches

3.2.2.1 The ddddocr module

https://github.com/sml2h3/ddddocr

# Usage steps:
1 Install: pip install ddddocr
2 Write the recognition code
```python
import ddddocr

with open("./code01.png", 'rb') as f:
    img_bytes = f.read()

ocr = ddddocr.DdddOcr(show_ad=False)
code = ocr.classification(img_bytes)

print(code)
```

3 You will run into a problem ---> it comes from the pillow module --->

'''
In Pillow 10.0.0 the ANTIALIAS constant was removed.
Fixes:

Option 1: edit ddddocr's __init__.py and replace ANTIALIAS with the new constant:

# image = image.resize((int(image.size[0] * (64 / image.size[1])), 64), Image.ANTIALIAS).convert('L')
image = image.resize((int(image.size[0] * (64 / image.size[1])), 64), Image.LANCZOS).convert('L')



Option 2: downgrade Pillow, e.g. to 9.5.0: uninstall first, then reinstall

pip uninstall -y Pillow
pip install Pillow==9.5.0

'''

3.2.2.2 The pytesseract module – text recognition – captcha cracking

# pytesseract is a Python OCR tool built on Google's Tesseract-OCR engine; it recognises text in images and supports jpeg, png, gif, bmp, tiff and other image formats


#### Steps
1 Download the installer: [use the one provided by the instructor]
  https://github.com/UB-Mannheim/tesseract/wiki
2 Install it, clicking Next all the way through
3 Choose language packs -- at least Chinese and English
4 After installation the install directory is: D:\Program Files\Tesseract-OCR
  - normally it is added to the PATH environment variable
  - if it was not added, add it yourself --> it must be on PATH
5 Open cmd and run:
  tesseract
6 Use it from Python -- install two modules
  pip install pytesseract
  pip install Pillow
7 Code: text recognition
```python
import pytesseract
from PIL import Image

image = Image.open("wwz.png")
# Tesseract language codes: simplified Chinese is chi_sim, English is eng
text = pytesseract.image_to_string(image, lang='chi_sim+eng')
print(text)
```

8 Recognising a captcha without interference lines
```python
import pytesseract
from PIL import Image

# image = Image.open("./code01.png")
image = Image.open("./code.png")  # the one with interference lines cannot be recognised
# image.show()
text = pytesseract.image_to_string(image)
print(text)
```


3.2.2.3 The muggle_ocr module – text recognition – captcha cracking

# 1 Install
- 1.1 Install from source --> cd into the directory
  python setup.py install  # install this module from source
  # pip install muggle_ocr
- 1.2 Install with pip
  pip install muggle-ocr -i https://mirrors.aliyun.com/pypi/simple --trusted-host pypi.douban.com


# 2 Write test code
```python
import muggle_ocr
from muggle_ocr import ModelType

# open the file in binary mode
with open(r"./oneline.png", "rb") as f:
# with open(r"./code.png", "rb") as f:
    # read() returns the whole file as bytes
    b = f.read()
# model_type can be ModelType.OCR or ModelType.Captcha
# ModelType.OCR recognises printed text, but only a single line, and the layout must be very clean (not much whitespace)
# ModelType.Captcha recognises 4-6 character captchas with a trained model; very accurate, but cannot handle long text
sdk = muggle_ocr.SDK(model_type=ModelType.OCR)
# sdk = muggle_ocr.SDK(model_type=ModelType.Captcha)
text = sdk.predict(image_bytes=b)
print(text)
```

3.2.2.4 Third-party captcha-solving platforms (paid)

# 超级鹰
# 云打码

3.2.2.5 Verification-code login

# 1 Fetch the captcha image ---> save it locally ---> recognise it with ddddocr

# 2 Send-verification-code endpoint
- Request URL:
  https://newappuser.jiuxian.com/messages/mobileCode.htm
- Method
  get
- Request parameters:
  appKey a4feb647-7e15-35d2-8aa2-79ea171fb707
  appVersion 9.1.13
  areaId 500
  channelCode 0
  code 7458
  cpsId tencent
  deviceIdentify a4feb647-7e15-35d2-8aa2-79ea171fb707
  deviceType ANDROID
  deviceTypeExtra 0
  equipmentType Pixel 2 XL
  mobile 18953675221
  netEnv wifi
  pushToken As2_lpWpxHeRH97ApKeO5wmyxXdDzHih8BxPPiSl39S1
  screenReslolution 1440x2712
  supportWebp 1
  sysVersion 11
  type 1

# 3 Verification-code login
- URL:
  https://newappuser.jiuxian.com/user/loginMobileFast.htm
- Method:
  post
- Request body:
  appKey a4feb647-7e15-35d2-8aa2-79ea171fb707
  appVersion 9.1.13
  areaId 500
  channelCode 0
  cpsId tencent
  deviceIdentify a4feb647-7e15-35d2-8aa2-79ea171fb707
  deviceType ANDROID
  deviceTypeExtra 0
  equipmentType Pixel 2 XL
  mobile 18953675221
  netEnv wifi
  pushToken As2_lpWpxHeRH97ApKeO5wmyxXdDzHih8BxPPiSl39S1
  screenReslolution 1440x2712
  supportWebp 1
  sysVersion 11
  verifyCode 249223 # entered after receiving the code on the phone
- The response data carries the token
  token": "71382edfc4b04d3895e2fe10386b042c210440860",
```python
import requests
import uuid
import base64
import ddddocr


def fetch_image_code(mobile, app_key, device_identify):
    res = requests.get(
        url="https://newappuser.jiuxian.com/messages/graphCode.htm",
        params={
            "appKey": app_key,
            "appVersion": "9.1.13",
            "areaId": "2707",
            "channelCode": "0",
            "cpsId": "tencent",
            "deviceIdentify": device_identify,
            "deviceType": "ANDROID",
            "deviceTypeExtra": "0",
            "equipmentType": "Pixel 2 XL",
            "mobile": mobile,
            "netEnv": "wifi",
            "screenReslolution": "1440x2712",
            "supportWebp": "1",
            "sysVersion": "10",
            "type": "4"
        },
        headers={
            "secure": "false",
            "Accept-Encoding": "gzip",
            'user-agent': "okhttp/3.14.9",
            'Host': "newappuser.jiuxian.com",
            'Connection': "keep-alive"
        },
        verify=False
    )

    image_str = res.json()['result']["imgCode"]

    img = base64.b64decode(image_str)

    # recognise the image captcha locally instead of saving it
    ocr = ddddocr.DdddOcr(show_ad=False)
    code = ocr.classification(img)
    return code


def check_image_code(mobile, code, app_key, device_identify):
    # submits the image captcha; when it is accepted the server sends the SMS code
    res = requests.get(
        url='https://newappuser.jiuxian.com/messages/mobileCode.htm',
        params={
            "appKey": app_key,
            "appVersion": "9.1.13",
            "areaId": "2707",
            "channelCode": "0",
            "code": code,
            "cpsId": "tencent",
            "deviceIdentify": device_identify,
            "deviceType": "ANDROID",
            "deviceTypeExtra": "0",
            "equipmentType": "Pixel 2 XL",
            "mobile": mobile,
            "netEnv": "wifi",
            "screenReslolution": "1440x2712",
            "supportWebp": "1",
            "sysVersion": "10",
            "type": "1"
        },
        verify=False
    )
    data_dict = res.json()

    # {'result': '', 'errCode': '', 'success': '1', 'errMsg': ''}
    # {'result': '', 'errCode': '1200013', 'success': '0', 'errMsg': '验证码输入错误'}
    # print(data_dict)
    return data_dict.get('success') == "1"


def login_by_sms(mobile, sms_code, app_key, device_identify):
    res = requests.post(
        url="https://newappuser.jiuxian.com/user/loginMobileFast.htm",
        data={
            "appKey": app_key,
            "appVersion": "9.1.13",
            "areaId": "2707",
            "channelCode": "0",
            "cpsId": "tencent",
            "deviceIdentify": device_identify,
            "deviceType": "ANDROID",
            "deviceTypeExtra": "0",
            "equipmentType": "Pixel 2 XL",
            "mobile": mobile,
            "netEnv": "wifi",
            "screenReslolution": "1440x2712",
            "supportWebp": "1",
            "sysVersion": "10",
            "verifyCode": sms_code
        },
        verify=False
    )
    # {"result":"","errCode":"1200003","success":"0","errMsg":"验证码错误或已过期,请重新输入"}
    # {"result":{...},"errCode":"1200093","success":"1","errMsg":"初始化密码"}
    # {"result":{...},"errCode":"","success":"1","errMsg":""}
    data_dict = res.json()
    return data_dict.get("success") == "1", data_dict.get('result')


def run():
    mobile = "18953675221"
    app_key = device_identify = str(uuid.uuid4())
    # keep fetching and recognising image captchas until the server accepts one
    while True:
        img_code = fetch_image_code(mobile, app_key, device_identify)
        status = check_image_code(mobile, img_code, app_key, device_identify)
        if status:
            break

    sms_code = input("请输入验证码:")  # enter the SMS code received on the phone

    status, data_dict = login_by_sms(mobile, sms_code, app_key, device_identify)
    if not status:
        print("登录失败")  # login failed
        return
    print("登录成功")  # login succeeded
    print(data_dict)


if __name__ == '__main__':
    run()
```

'''
{'userInfo': {'apiVersion': 1.0, 'areaId': 500, 'channelCode': '0', 'isClubUser': False, 'isNewUser': False, 'loginUnionFirst': 0, 'loginWay': 2, 'mobile': '18953675221', 'needBindMobile': False, 'rank': 1, 'rankName': '酒虫', 'sex': 0, 'token': '6494ac1cd90b462fbd3c953a69a70861210440860', 'uid': 210440860, 'uname': 'jxw485893769', 'userImg': 'https://misc.jiuxian.com/img/usercenter/sbbgg.jpg'}}

'''

3.3 Login + reservation implementation

# Packet capture:
- URL:
  https://newappuser.jiuxian.com/reservation/preReservation.htm
- Method:
  get
- Request parameters:
  actId 2020
  appKey a4feb647-7e15-35d2-8aa2-79ea171fb707
  appVersion 9.1.13
  areaId 500
  channel 1
  channelCode 0
  cpsId tencent
  deviceIdentify a4feb647-7e15-35d2-8aa2-79ea171fb707
  deviceType ANDROID
  deviceTypeExtra 0
  equipmentType Pixel 2 XL
  netEnv wifi
  productId 626626
  pushToken As2_lpWpxHeRH97ApKeO5wmyxXdDzHih8BxPPiSl39S1
  screenReslolution 1440x2712
  supportWebp 1
  sysVersion 11
  token f45804c364d94f93bd720008c885ea83210440860 # only available after logging in
```python
import requests
import uuid


def login_by_pwd(mobile, password, app_key, device_identify):
    res = requests.post(
        url="https://newappuser.jiuxian.com/user/loginUserNamePassWd.htm",
        data={
            "appKey": app_key,
            "appVersion": "9.1.13",
            "areaId": "2707",
            "channelCode": "0",
            "cpsId": "tencent",
            "deviceIdentify": device_identify,
            "deviceType": "ANDROID",
            "deviceTypeExtra": "0",
            "equipmentType": "Pixel 2 XL",
            "netEnv": "wifi",
            "passWord": password,
            "screenReslolution": "1440x2712",
            "supportWebp": "1",
            "sysVersion": "10",
            "userName": mobile
        },
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "secure": "false",
        },
        verify=False
    )
    data_dict = res.json()

    token = data_dict['result']['userInfo']['token']
    return token


def pre_reservation(token, app_key, device_identify):
    # the reservation call only works with the token obtained from login
    res = requests.get(
        url="https://newappuser.jiuxian.com/reservation/preReservation.htm",
        params={
            'actId': '1810',
            'appKey': app_key,
            'appVersion': '9.1.13',
            'areaId': '2707',
            'channel': '1',
            'channelCode': '0',
            'cpsId': 'tencent',
            'deviceIdentify': device_identify,
            'deviceType': 'ANDROID',
            'deviceTypeExtra': '0',
            'equipmentType': 'Pixel 2 XL',
            'lati': '31.088975',
            'longi': '121.58378',
            'netEnv': 'wifi',
            'productId': '626626',
            # 'pushToken': 'AsLMhsufh3YEmpzPv3S5nHhv0pxuModssTVXvf1TSIsp',
            'screenReslolution': '1440x2712',
            'supportWebp': '1',
            'sysVersion': '11',
            'token': token
        },
        verify=False
    )

    data_dict = res.json()
    print(data_dict)


def run():
    app_key = device_identify = str(uuid.uuid4())
    mobile = "18953675221"
    password = "Lqz12345"
    token = login_by_pwd(mobile, password, app_key, device_identify)
    print(token)

    pre_reservation(token, app_key, device_identify)


if __name__ == '__main__':
    run()
```

'''
{'result': {'verificationState': False}, 'errCode': '1200601', 'success': '0', 'errMsg': '您已预约成功,不需重复预约'}

'''

4 Frida anti-debugging

# In an earlier app there was Frida anti-debugging ---> list all the .so files ---> delete the .so file that detects Frida

# Some apps check for Frida-related artefacts while running and exit immediately when they find them ----> Frida debugging is not allowed
# Frida hooks
- Running the app normally leaves no extra artefacts
- Running the app normally + running Frida to hook it [a file is created on the phone]
  Some apps check internally whether that file exists; if it does, they force-stop the app


# The Jiuxian app ---> does exactly this: it checks for the artefact (a file) that shows Frida is running

# Enhanced Frida ---> the frida name is changed ---> at run time --> no Frida signature
strongR-frida-android

# It is not for every app; it only helps against apps that detect Frida artefacts
https://github.com/hzzheyang/strongR-frida-android/releases
Follows upstream FRIDA with automatic patching and builds an anti-detection version of frida-server for Android

# strongR-frida-android is essentially frida-server, just renamed
Its versions correspond one-to-one with frida-server
Whenever frida-server releases a version, it follows with a matching version

The frida module on the PC must be installed --> its version must match the frida-server version
From now on, install the frida module on the PC: 16.1.7
frida-server version also: 16.1.7
strongR-frida-android version must also be: 16.1.7

# Usage steps:
1 Download the build that matches your Python frida module version
2 Extract it and push the extracted file to the phone
  /data/local/tmp
  adb push hluda /data/local/tmp/
3 Add execute permission
  # check permissions
  ls -al
  chmod 755 hluda  # add execute permission for the file owner

  file    rwx    rwx    rwx
          owner  group  other
  bits    421    421    421
  755  =  7      5      5
  777  =  7      7      7


4 Run it ---> from now on treat it as frida-server


# frida-server is no longer needed; use hluda as frida-server from now on
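The permission table above in working code, as an added example that is not part of the original notes: it converts an `ls -al` mode string into the octal digits `chmod` expects (and back), using the r=4, w=2, x=1 weights, and checks the one bit the `chmod 755` step is really after, owner execute. Input and expected values are constructed here; only the standard library is used.

```python
import stat

# weights of the three bits inside each rwx triplet: r = 4, w = 2, x = 1
WEIGHTS = {"r": 4, "w": 2, "x": 1}


def symbolic_to_octal(mode):
    """'rwxr-xr-x' or '-rwxr-xr-x' (with the ls file-type column) -> '755'."""
    if len(mode) == 10:          # drop the leading file-type character from `ls -al`
        mode = mode[1:]
    if len(mode) != 9:
        raise ValueError("expected 9 permission characters, got %r" % mode)
    digits = []
    for i in range(0, 9, 3):     # owner, group, other triplets
        triplet = mode[i:i + 3]
        value = 0
        for ch, expected in zip(triplet, "rwx"):
            if ch == expected:
                value += WEIGHTS[ch]
            elif ch != "-":
                raise ValueError("unexpected character %r in %r" % (ch, mode))
        digits.append(str(value))
    return "".join(digits)


def octal_to_symbolic(octal):
    """Inverse direction: '755' -> 'rwxr-xr-x'."""
    out = []
    for digit in octal:
        v = int(digit, 8)        # each octal digit holds one rwx triplet
        out.append(("r" if v & 4 else "-")
                   + ("w" if v & 2 else "-")
                   + ("x" if v & 1 else "-"))
    return "".join(out)


def owner_can_execute(mode):
    """True when the owner-execute bit is set, which is what `chmod 755` grants."""
    return int(symbolic_to_octal(mode), 8) & stat.S_IXUSR != 0


if __name__ == "__main__":
    # constructed sample lines in the shape `ls -al` prints before and after chmod
    for line in ("-rw-r--r--", "-rwxr-xr-x"):
        print(line, symbolic_to_octal(line), owner_can_execute(line))
```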


4.1 Frida scripts

```python
# Enumerate all processes on the phone & the foreground app
# import frida
#
# # get the device
# rdev = frida.get_remote_device()
#
# # enumerate all processes
# processes = rdev.enumerate_processes()
# for process in processes:
#     print(process)
#
# # get the app running in the foreground
# front_app = rdev.get_frontmost_application()
# print(front_app)


# import frida
# import sys
#
# rdev = frida.get_remote_device()
# session = rdev.attach("酒仙")
#
# scr = """
# Java.perform(function () {
#     var m0 = Java.use("com.jiuxian.client.util.m0");
#
#     m0.c.implementation = function(){
#         var res = this.c();
#         console.log('来获取了appKye==>',res);
#         return res;  // hand the original result back to the caller
#     }
# });
# """
# script = session.create_script(scr)
#
#
# def on_message(message, data):
#     print(message, data)
#
#
# script.on("message", on_message)
#
# script.load()
# sys.stdin.read()



import frida
import sys

rdev = frida.get_remote_device()
pid = rdev.spawn(["com.jiuxianapk.ui"])   # spawn the app suspended so the hook is in place before it runs
session = rdev.attach(pid)

scr = """
console.log("======Start HOOK======");
Java.perform(function () {
    var LocaleData = Java.use("libcore.icu.LocaleData");

    LocaleData.getDateFormat.implementation = function(i){
        console.log('=====>', i);
        var res = this.getDateFormat(i);   // call the original with the same argument
        console.log('=====>', res);
        return res;                        // return it so the app keeps working
    }
});
"""
script = session.create_script(scr)


def on_message(message, data):
    print(message, data)


script.on("message", on_message)
script.load()
rdev.resume(pid)
sys.stdin.read()
```

5 App unpacking

# Dragging the Jiuxian app into jadx shows it is packed --> it cannot be decompiled


# How packing works:
Android development:
  Java code + SDK + JNI code ----> apk (Java code becomes dex; JNI code becomes .so files; resource files; xml)

App packing:
  Java code + SDK + JNI code --> third-party packer ---> hides the dex inside a .so file --> the dex is tiny, the .so is huge

At run time, unpacked app:
  the dex is loaded into memory and executed

At run time, packed app:
  the stub dex is loaded first --> the .so file is loaded ---> the real dex is inside the .so --> the inverse transform extracts the dex from the .so --> into memory --> the logic executes


# Unpacking approaches (no single approach works for every app)
# Manual unpacking (hard):
  Through dynamic debugging, trace and compute the memory offset of the dex file, then dump the dex from memory
  Hard: registers, assembly, anti-debugging, anti-read/write
# Tool-based unpacking:
  hooking / searching memory for dex signatures
  simple and easy to operate
  Xposed-based unpacking tools:
    Fdex2: hooks ClassLoader.loadClass, general-purpose unpacking
    dumpDex: https://github.com/WrBug/dumpDex
  Frida-based unpacking tools (what we learn here):
    frida-dexdump: https://github.com/hluwa/FRIDA-DEXDump

Build your own unpacking device --> flash AOSP --> customise it as an unpacker
armPro paid unpacking (costs money)


5.1 Unpacking with frida-dexdump

## Usage steps:
1 Install the module [on the PC]:
  pip install frida-dexdump
2 Start frida-server on the phone and set up port forwarding

3 Run the dump command
  # frida-dexdump -U -f <package name>
  frida-dexdump -U -f com.jiuxianapk.ui
  frida-dexdump -U -d -f com.jiuxianapk.ui

4 Open the dumped dex files in jadx

5 Sometimes dragging all the dex files in at once raises an error
  - one of the dex files may not belong to this app, or may be corrupt
  - drag the dex files in one at a time; delete whichever one errors
  - each dex can be decompiled into part of the Java source, but one bad dex in the dump can stop the whole project from decompiling; find the bad one and delete it


### Principle
Once the app is running ---> it is loaded in memory ---> the dex that used to sit in the .so has already been extracted into memory --> frida-dexdump --> searches memory for every dex and downloads them locally ---> many dex files are produced locally, and these are the unpacked files



### Questions
1 Can it be used on an unpacked app?
  Yes -- but there is no point

2 What does packing achieve?
  The app can no longer be decompiled
  It must be unpacked first ---> then decompiled

__END__