How to force an APK to be debuggable
Background: there are two ways to enable debugging on Android:
1. Set ro.debuggable=1 in the system's /default.prop. Advantage: thorough, it enables debugging globally; disadvantage: it requires flashing a ROM.
2. Add or modify the debuggable attribute of application in AndroidManifest.xml. Advantage: no ROM flashing, only the APK is changed. In most cases, however, changing this attribute means decompiling with apktool, editing AndroidManifest.xml, recompiling, signing and installing, and apktool frequently fails (even on the most reliable route, decompiling to smali, a single resource-parsing failure means there is no way to recompile). This article therefore presents a method that modifies the XML inside the APK directly at the binary level; an APK is essentially a compressed archive.
C:\Users\lichao26>aapt d xmltree "D:\Program Files\新建文件夹\test1.apk" AndroidManifest.xml
N: android=http://schemas.android.com/apk/res/android
  E: manifest (line=2)
    A: android:versionCode(0x0101021b)=(type 0x10)0x1
    A: android:versionName(0x0101021c)="1.0" (Raw: "1.0")
    A: package="com.example.test1" (Raw: "com.example.test1")
    A: platformBuildVersionCode=(type 0x10)0x17 (Raw: "23")
    A: platformBuildVersionName="6.0-2438415" (Raw: "6.0-2438415")
    E: uses-sdk (line=7)
      A: android:minSdkVersion(0x0101020c)=(type 0x10)0x8
      A: android:targetSdkVersion(0x01010270)=(type 0x10)0x15
    E: application (line=11)
      A: android:theme(0x01010000)=@0x7f0b0134
      A: android:label(0x01010001)=@0x7f0a0014
      A: android:icon(0x01010002)=@0x7f020045
      A: android:debuggable(0x0101000f)=(type 0x12)0x0
      A: android:allowBackup(0x01010280)=(type 0x12)0xffffffff
      E: activity (line=17)
        A: android:label(0x01010001)=@0x7f0a0014
        A: android:name(0x01010003)=".MainActivity" (Raw: ".MainActivity")
        E: intent-filter (line=20)
          E: action (line=21)
            A: android:name(0x01010003)="android.intent.action.MAIN" (Raw: "android.intent.action.MAIN")
          E: category (line=23)
            A: android:name(0x01010003)="android.intent.category.LAUNCHER" (Raw: "android.intent.category.LAUNCHER")
00000000  02 00 0C 00 C4 E9 02 00 01 00 00 00 01 00 1C 00  ................
00000010  00 CF 00 00 0E 06 00 00 00 00 00 00 00 01 00 00  ................
00000020  54 18 00 00 00 00 00 00 00 00 00 00 32 00 00 00  T...........2...
00000030  5D 00 00 00 87 00 00 00 B3 00 00 00 DF 00 00 00  ]...............
00000040  02 01 00 00 39 01 00 00 5D 01 00 00 93 01 00 00  ....9...].......
00000050  B4 01 00 00 E0 01 00 00 FF 01 00 00 2A 02 00 00  ............*...
00000060  53 02 00 00 84 02 00 00 BC 02 00 00 E9 02 00 00  S...............
00000070  16 03 00 00 4E 03 00 00 78 03 00 00 B0 03 00 00  ....N...x.......
00000080  E7 03 00 00 18 04 00 00 45 04 00 00 78 04 00 00  ........E...x...
00001860  2F 2F 72 65 73 2F 6C 61 79 6F 75 74 2F 6E 6F 74  //res/layout/not
00001870  69 66 69 63 61 74 69 6F 6E 5F 6D 65 64 69 61 5F  ification_media_
00001880  63 61 6E 63 65 6C 5F 61 63 74 69 6F 6E 2E 78 6D  cancel_action.xm
00001890  6C 00 28 28 72 65 73 2F 6C 61 79 6F 75 74 2F 61  l.((res/layout/a
000018A0  62 63 5F 6C 69 73 74 5F 6D 65 6E 75 5F 69 74 65  bc_list_menu_ite
000018B0  6D 5F 6C 61 79 6F 75 74 2E 78 6D 6C 00 27 27 72  m_layout.xml.''r
000018C0  65 73 2F 6C 61 79 6F 75 74 2F 61 62 63 5F 6C 69  es/layout/abc_li
000018D0  73 74 5F 6D 65 6E 75 5F 69 74 65 6D 5F 72 61 64  st_menu_item_rad
000018E0  69 6F 2E 78 6D 6C 00 29 29 72 65 73 2F 6C 61 79  io.xml.))res/lay
0000CF00                                      00 02 20 01              .. .
0000CF10  B8 1A 02 00 7F 00 00 00 63 00 6F 00 6D 00 2E 00  ........c.o.m...
0000CF20  65 00 78 00 61 00 6D 00 70 00 6C 00 65 00 2E 00  e.x.a.m.p.l.e...
0000CF30  74 00 65 00 73 00 74 00 31 00 00 00 00 00 00 00  t.e.s.t.1.......
0000CF40  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
*
0000D010  00 00 00 00 00 00 00 00 20 01 00 00 0C 00 00 00  ........ .......
0000D020  CC 01 00 00 8D 03 00 00 00 00 00 00 01 00 1C 00  ................
0000D030  AC 00 00 00 0C 00 00 00 00 00 00 00 00 01 00 00  ................
0000D040  4C 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00  L...............
0000D050  12 00 00 00 1B 00 00 00 22 00 00 00 29 00 00 00  ........"...)...
0000D060  31 00 00 00 39 00 00 00 43 00 00 00 48 00 00 00  1...9...C...H...
0000D070  51 00 00 00 59 00 00 00 04 04 61 74 74 72 00 08  Q...Y.....attr..
0000D080  08 64 72 61 77 61 62 6C 65 00 06 06 6C 61 79 6F  .drawable...layo
0000D090  75 74 00 04 04 61 6E 69 6D 00 04 04 62 6F 6F 6C  ut...anim...bool
0000D0A0  00 05 05 63 6F 6C 6F 72 00 05 05 64 69 6D 65 6E  ...color...dimen
0000D0B0  00 07 07 69 6E 74 65 67 65 72 00 02 02 69 64 00  ...integer...id.
0000D0C0  06 06 73 74 72 69 6E 67 00 05 05 73 74 79 6C 65  ..string...style
0000D0D0  00 04 04 6D 65 6E 75 00 01 00 1C 00 E8 7B 00 00  ...menu......{..
0000D0E0  8D 03 00 00 00 00 00 00 00 01 00 00 50 0E 00 00  ............P...
Source: android-6.0.1_r3\frameworks\base\include\includefw\ResourceType.h, ResourceType.cpp
Analysis of resource.arsc against the source:
+00000 type=RES_TABLE_TYPE headersize=c size=2e9c4 ResTable_header
package count: 1
+0000c type=RES_STRING_POOL_TYPE headersize=1c size=cf00
string entries: 60e
index array range: 0x28-0x1860 (header + 60e*4; each offset takes 4 bytes)
string data range: 0x1860-0xcf0c
+0cf0c type=RES_TABLE_PACKAGE_TYPE headersize=120 size=21ab8 ResTable_package
package name: com.example.test1
+d02c type string pool, ResStringPool_header
string entries: c, analysed the same way
+d0d8 key string pool, ResStringPool_header
string entries: 38d, analysed the same way
Parsing the compiled AndroidManifest.xml:
00000000  03 00 08 00 28 07 00 00 01 00 1C 00 DC 03 00 00  ....(...........
00000010  1E 00 00 00 00 00 00 00 00 00 00 00 94 00 00 00  ................
00000020  00 00 00 00 00 00 00 00 1A 00 00 00 34 00 00 00  ............4...
00000030  52 00 00 00 76 00 00 00 8E 00 00 00 A8 00 00 00  R...v...........
00000040  B4 00 00 00 C2 00 00 00 D0 00 00 00 DC 00 00 00  ................
00000050  EE 00 00 00 46 01 00 00 4A 01 00 00 5C 01 00 00  ....F...J...\...
00000060  90 01 00 00 C4 01 00 00 D8 01 00 00 FE 01 00 00  ................
00000070  08 02 00 00 10 02 00 00 2A 02 00 00 3E 02 00 00  ........*...>...
00000080  58 02 00 00 6C 02 00 00 8A 02 00 00 A8 02 00 00  X...l...........
00000090  B8 02 00 00 F0 02 00 00 04 03 00 00 0B 00 76 00  ..............v.
000000A0  65 00 72 00 73 00 69 00 6F 00 6E 00 43 00 6F 00  e.r.s.i.o.n.C.o.
000000B0  64 00 65 00 00 00 0B 00 76 00 65 00 72 00 73 00  d.e.....v.e.r.s.
000000C0  69 00 6F 00 6E 00 4E 00 61 00 6D 00 65 00 00 00  i.o.n.N.a.m.e...
000000D0  0D 00 6D 00 69 00 6E 00 53 00 64 00 6B 00 56 00  ..m.i.n.S.d.k.V.
000003E0              80 01 08 00 30 00 00 00 1B 02 01 01      ....0.......
000003F0  1C 02 01 01 0C 02 01 01 70 02 01 01 0F 00 01 01  ........p.......
00000400  80 02 01 01 02 00 01 01 01 00 01 01 00 00 01 01  ................
00000410  03 00 01 01 00 01 10 00 18 00 00 00 02 00 00 00  ................
00000420  FF FF FF FF 0A 00 00 00 0B 00 00 00 02 01 10 00  ................
00000430  88 00 00 00 02 00 00 00 FF FF FF FF FF FF FF FF  ................
00000440  10 00 00 00 14 00 14 00 05 00 00 00 00 00 00 00  ................
000004B0              02 01 10 00 4C 00 00 00 07 00 00 00      ....L.......
000004C0  FF FF FF FF FF FF FF FF 15 00 00 00 14 00 14 00  ................
000004D0  02 00 00 00 00 00 00 00 0B 00 00 00 02 00 00 00  ................
000004E0  FF FF FF FF 08 00 00 10 08 00 00 00 0B 00 00 00  ................
000004F0  03 00 00 00 FF FF FF FF 08 00 00 10 15 00 00 00  ................
00000500  03 01 10 00 18 00 00 00 09 00 00 00 FF FF FF FF  ................
00000510  FF FF FF FF 15 00 00 00 02 01 10 00 88 00 00 00  ................
000005A0  02 01 10 00 4C 00 00 00 11 00 00 00 FF FF FF FF  ....L...........
000005B0  FF FF FF FF 17 00 00 00 14 00 14 00 02 00 00 00  ................
000005C0  00 00 00 00 0B 00 00 00 07 00 00 00 FF FF FF FF  ................
000005D0  08 00 00 01 14 00 0A 7F 0B 00 00 00 09 00 00 00  ................
000005E0  18 00 00 00 08 00 00 03 18 00 00 00 02 01 10 00  ................
000005F0  24 00 00 00 14 00 00 00 FF FF FF FF FF FF FF FF  $...............
00000600  19 00 00 00 14 00 14 00 00 00 00 00 00 00 00 00  ................
00000610  02 01 10 00 38 00 00 00 15 00 00 00 FF FF FF FF  ....8...........
00000640                          03 01 10 00 18 00 00 00          ........
00000650  15 00 00 00 FF FF FF FF FF FF FF FF 1A 00 00 00  ................
00000660  02 01 10 00 38 00 00 00 17 00 00 00 FF FF FF FF  ....8...........
00000670  FF FF FF FF 1C 00 00 00 14 00 14 00 01 00 00 00  ................
00000680  00 00 00 00 0B 00 00 00 09 00 00 00 1D 00 00 00  ................
00000690  08 00 00 03 1D 00 00 00 03 01 10 00 18 00 00 00  ................
000006A0  17 00 00 00 FF FF FF FF FF FF FF FF 1C 00 00 00  ................
000006B0  03 01 10 00 18 00 00 00 18 00 00 00 FF FF FF FF  ................
000006C0  FF FF FF FF 19 00 00 00 03 01 10 00 18 00 00 00  ................
000006D0  19 00 00 00 FF FF FF FF FF FF FF FF 17 00 00 00  ................
000006E0  03 01 10 00 18 00 00 00 1A 00 00 00 FF FF FF FF  ................
000006F0  FF FF FF FF 16 00 00 00 03 01 10 00 18 00 00 00  ................
00000700  1C 00 00 00 FF FF FF FF FF FF FF FF 10 00 00 00  ................
00000710  01 01 10 00 18 00 00 00 1C 00 00 00 FF FF FF FF  ................
00000720  0A 00 00 00 0B 00 00 00                          ........
Analysis of the compiled AndroidManifest.xml against the source:
+000 type=RES_XML_TYPE headersize=8 size=728
+008 type=RES_STRING_POOL_TYPE headersize=1c size=3dc
+3e4 type=RES_XML_RESOURCE_MAP_TYPE headersize=8 size=30
+414 type=RES_XML_START_NAMESPACE_TYPE headersize=10 size=18 namespace
+42c type=RES_XML_START_ELEMENT_TYPE headersize=10 size=88 ----manifest
+4b4 type=RES_XML_START_ELEMENT_TYPE headersize=10 size=4c ----uses-sdk
+500 type=RES_XML_END_ELEMENT_TYPE headersize=10 size=18 ----uses-sdk
+518 type=RES_XML_START_ELEMENT_TYPE headersize=10 size=88 ----application
+5a0 type=RES_XML_START_ELEMENT_TYPE headersize=10 size=4c ----activity
+5ec type=RES_XML_START_ELEMENT_TYPE headersize=10 size=24 ----intent-filter
+610 type=RES_XML_START_ELEMENT_TYPE headersize=10 size=38 ----action
+648 type=RES_XML_END_ELEMENT_TYPE headersize=10 size=18 ----action
+660 type=RES_XML_START_ELEMENT_TYPE headersize=10 size=38 ----category
+698 type=RES_XML_END_ELEMENT_TYPE headersize=10 size=18 ----category
+6b0 type=RES_XML_END_ELEMENT_TYPE headersize=10 size=18 ----intent-filter
+6c8 type=RES_XML_END_ELEMENT_TYPE headersize=10 size=18 ----activity
+6e0 type=RES_XML_END_ELEMENT_TYPE headersize=10 size=18 ----application
+6f8 type=RES_XML_END_ELEMENT_TYPE headersize=10 size=18 ----manifest
+710 type=RES_XML_END_NAMESPACE_TYPE headersize=10 size=18 namespace
String pool index table (derived programmatically):
0-versionCode
1-versionName
2-minSdkVersion
3-targetSdkVersion
4-debuggable
5-allowBackup
6-icon
7-label
8-theme
9-name
10-android
11-http://schemas.android.com/apk/res/android
12-
13-package
14-platformBuildVersionCode
15-platformBuildVersionName
16-manifest
17-com.example.test1
18-1.0
19-23
20-6.0-2438415
21-uses-sdk
22-application
23-activity
24-.MainActivity
25-intent-filter
26-action
27-android.intent.action.MAIN
28-category
29-android.intent.category.LAUNCHER
sizeof(Res_value)=8, sizeof(ResXMLTree_attribute)=20 (0x14)
Expanding from offset 0x518 to look at the debuggable attribute of application:
type=RES_XML_START_ELEMENT_TYPE headersize=10 size=88 (= ResXMLTree_node + ResXMLTree_attrExt + attribute count * ResXMLTree_attribute)
00000510                          02 01 10 00 88 00 00 00          ........
00000520  0B 00 00 00 FF FF FF FF FF FF FF FF 16 00 00 00  ................
00000530  14 00 14 00 05 00 00 00 00 00 00 00 0B 00 00 00  ................
00000540  08 00 00 00 FF FF FF FF 08 00 00 01 34 01 0B 7F  ............4...
00000550  0B 00 00 00 07 00 00 00 FF FF FF FF 08 00 00 01  ................
00000560  14 00 0A 7F 0B 00 00 00 06 00 00 00 FF FF FF FF  ................
00000570  08 00 00 01 45 00 02 7F 0B 00 00 00 04 00 00 00  ....E...........
00000580  FF FF FF FF 08 00 00 12 00 00 00 00 0B 00 00 00  ................
00000590  05 00 00 00 FF FF FF FF 08 00 00 12 FF FF FF FF  ................
line number = 11
element name index = 0x16 => application
attribute start offset = 0x14, attribute size = 0x14, attribute count = 5
attribute 1:
namespace=> http://schemas.android.com/apk/res/android
name=> theme
rawValue=> -1
typedValue=> TYPE_REFERENCE 0x7f0b0134
attribute 2:
namespace=> http://schemas.android.com/apk/res/android
name=> label
rawValue=> -1
typedValue=> TYPE_REFERENCE 0x7f0a0014
attribute 3:
namespace=> http://schemas.android.com/apk/res/android
name=> icon
rawValue=> -1
typedValue=> TYPE_REFERENCE 0x7f020045
attribute 4:
namespace=> http://schemas.android.com/apk/res/android
name=> debuggable
rawValue=> -1
typedValue=> TYPE_INT_BOOLEAN 0x0
attribute 5:
namespace=> http://schemas.android.com/apk/res/android
name=> allowBackup
rawValue=> -1
typedValue=> TYPE_INT_BOOLEAN 0xffffffff
As can be seen, it is enough to change the 4 bytes at 0x588 to ff ff ff ff.
After the change, sign the APK with: java -jar signapk.jar testkey.x509.pem testkey.pk8 input.apk output.apk
After running it, the process is visible in the debugger.
Chao is too good, really awesome, learned a lot.
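The chunk walk described above, written out as an added example (this is not the article's own program): it reads the UTF-16 string pool, steps through the chunks of a compiled AndroidManifest.xml by their size fields, locates android:debuggable on the application start element and returns the file offset of its Res_value.data (0x588 in the article's manifest), then rewrites that word the way the article does by hand. The sample manifest is constructed inside the block; the resource.arsc string pools on this page have flags=0x100 (UTF-8 entries), which this parser deliberately does not handle.

```python
import struct

RES_STRING_POOL_TYPE, RES_XML_START_ELEMENT_TYPE, TYPE_INT_BOOLEAN = 0x0001, 0x0102, 0x12
ANDROID_NS = "http://schemas.android.com/apk/res/android"

def read_string_pool(buf, off):
    # ResStringPool_header: type, headerSize, size, stringCount, styleCount, flags, stringsStart, stylesStart
    count, _styles, flags, strings_start = struct.unpack_from("<IIII", buf, off + 8)
    assert not flags & 0x100, "UTF-8 pool not handled here (the article's manifest is UTF-16, flags=0)"
    def one(o):  # entry: u16 char count, UTF-16LE chars (short strings only), u16 NUL
        p = off + strings_start + o
        return buf[p + 2:p + 2 + 2 * struct.unpack_from("<H", buf, p)[0]].decode("utf-16-le")
    return [one(o) for o in struct.unpack_from("<%dI" % count, buf, off + 0x1C)]  # index array after header

def find_attribute(buf, element, attr):  # -> (data_offset, data_type, data) of android:<attr> on first <element>, or None
    strings, off = None, 8  # skip the 8-byte RES_XML_TYPE header, then walk the chunks by their size field
    while off + 8 <= len(buf):
        ctype, hsize, csize = struct.unpack_from("<HHI", buf, off)
        if ctype == RES_STRING_POOL_TYPE:
            strings = read_string_pool(buf, off)
        elif ctype == RES_XML_START_ELEMENT_TYPE:  # ResXMLTree_node + ResXMLTree_attrExt + attributes
            _ns, name, a_start, a_size, a_count = struct.unpack_from("<IIHHH", buf, off + hsize)
            if strings[name] == element:
                for i in range(a_count):  # ResXMLTree_attribute: ns, name, rawValue, Res_value{size,res0,type,data}
                    a = off + hsize + a_start + i * a_size
                    ans, aname, _raw, _sz, _res0, dtype, data = struct.unpack_from("<IIIHBBI", buf, a)
                    if ans != 0xFFFFFFFF and strings[ans] == ANDROID_NS and strings[aname] == attr:
                        return a + 16, dtype, data  # Res_value.data sits 16 bytes into the attribute
        off += csize
    return None

def set_debuggable(buf, enabled):  # the article's patch: rewrite Res_value.data of android:debuggable
    off, dtype, _ = find_attribute(buf, "application", "debuggable") or (None, None, None)
    if dtype != TYPE_INT_BOOLEAN:
        raise ValueError("no boolean android:debuggable on <application>")
    out = bytearray(buf)
    struct.pack_into("<I", out, off, 0xFFFFFFFF if enabled else 0)
    return bytes(out)

def build_sample_axml(debuggable=False):  # constructed test input (not the article's file): one <application>
    strs, body, idx = ["debuggable", ANDROID_NS, "application"], b"", []
    for s in strs:  # UTF-16 pool entries: u16 length, chars, u16 NUL; offsets are relative to stringsStart
        idx.append(len(body))
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le") + b"\0\0"
    body += b"\0" * (-len(body) % 4)
    hdr_len = 0x1C + 4 * len(idx)
    pool = struct.pack("<HHIIIIII%dI" % len(idx), 1, 0x1C, hdr_len + len(body), len(strs), 0, 0, hdr_len, 0, *idx) + body
    attr = struct.pack("<IIIHBBI", 1, 0, 0xFFFFFFFF, 8, 0, TYPE_INT_BOOLEAN, 0xFFFFFFFF if debuggable else 0)
    elem = struct.pack("<HHIIIIIHHHHHH", 0x0102, 0x10, 0x10 + 0x14 + len(attr), 11, 0xFFFFFFFF, 0xFFFFFFFF, 2, 0x14, 0x14, 1, 0, 0, 0) + attr
    return struct.pack("<HHI", 0x0003, 8, 8 + len(pool) + len(elem)) + pool + elem
```

Running find_attribute over the AndroidManifest.xml entry extracted from an APK is also a quick audit of whether a release build ships with debuggable=true (TYPE_INT_BOOLEAN data 0xffffffff). The 4-byte patch only works when the attribute is already present, as in the article's test1.apk; a manifest without it would need a new attribute inserted and every enclosing size field adjusted.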