这篇文章上次修改于 1404 天前,可能其部分内容已经发生变化,如有疑问可询问作者。
title: 去APP升级弹窗
date: 2020/09/04 23:27:41
updated: 2020/09/05 01:23:00
permalink: remove-upgrade-dialog-and-rebuild-apk/
toc: true
环境和工具
- kali linux 2019.4
- frida-server 12.11.14
- Android Studio 4.0.1 (android-studio-ide-193.6626763-linux.tar.gz)
- apktool
- objection
- wallbreaker
步骤
开启frida-server
cd /data/local/tmp
./frida-server-12.11.11-android-arm64
搜索了解常见弹窗形式,例如android.app.AlertDialog
打开APP,等待出现弹窗
通过objection查找弹窗实例
android heap search instances android.app.AlertDialog
{% codeblock 查找弹窗实例 lang:bash %}
Class instance enumeration complete for android.app.AlertDialog
Hashcode Class toString()
170048846 android.app.AlertDialog android.app.AlertDialog@a22bd4e
{% endcodeblock %}
确定实现弹窗的类,然后通过wallbreaker插件查找实例
plugin load /root/.objection/plugins/Wallbreaker
plugin wallbreaker objectsearch android.app.AlertDialog
{% codeblock objectsearch lang:java %}
{% endcodeblock %}
通过wallbreaker对对象进行dump操作
plugin wallbreaker objectdump 0x3216
{% codeblock objectdump lang:java %}
package android.app
class AlertDialog {
/* static fields */
static int DISMISS; => 67
static int CANCEL; => 68
static String DIALOG_HIERARCHY_TAG; => android:dialogHierarchy
static String TAG; => Dialog
static String DIALOG_SHOWING_TAG; => android:dialogShowing
static int SHOW; => 69
static int THEME_DEVICE_DEFAULT_LIGHT; => 5
static int THEME_TRADITIONAL; => 1
static int THEME_DEVICE_DEFAULT_DARK; => 4
static int THEME_HOLO_DARK; => 2
static int LAYOUT_HINT_NONE; => 0
static int THEME_HOLO_LIGHT; => 3
static int LAYOUT_HINT_SIDE; => 1
/* instance fields */
int shadow$_monitor_; => -1977434802
Class shadow$_klass_; => [0x30b6]: class android.app.AlertDialog
DialogInterface$OnKeyListener mOnKeyListener; => null
Message mShowMessage; => null
boolean mShowing; => true
boolean mCancelable; => true
WindowManager mWindowManager; => [0x3082]: android.view.WindowManagerImpl@958a77c
ActionMode mActionMode; => null
boolean mCanceled; => false
Handler mHandler; => [0x328a]: Handler (android.os.Handler) {3af4805}
Runnable mDismissAction; => [0x32aa]: android.app.-$$Lambda$oslF4K8Uk6v-6nTRoaEpCmfAptE@271605a
String mCancelAndDismissTaken; => null
Message mCancelMessage; => null
View mDecor; => [0x32ca]: DecorView@5423033[channel_main]
ActionBar mActionBar; => null
Message mDismissMessage; => null
Activity mOwnerActivity; => null
Context mContext; => [0x32ea]: android.view.ContextThemeWrapper@53da28b
Handler mListenersHandler; => [0x32f6]: Handler (android.app.Dialog$ListenersHandler) {546bf68}
int mActionModeTypeStarting; => 0
Window mWindow; => [0x331a]: com.android.internal.policy.PhoneWindow@fe15f81
SearchEvent mSearchEvent; => null
boolean mCreated; => true
AlertController mAlert; => [0x333a]: com.android.internal.app.AlertController@cd52826
/* constructor methods */
void AlertDialog(Context);
void AlertDialog(Context, int);
void AlertDialog(Context, int, boolean);
void AlertDialog(Context, boolean, DialogInterface$OnCancelListener);
/* static methods */
static int identityHashCodeNative(Object);
static int identityHashCode(Object);
static void lambda$new$0(Dialog);
static AlertController access$000(AlertDialog);
static int resolveDialogTheme(Context, int);
/* instance methods */
int hashCode();
void wait();
void wait(long);
void wait(long, int);
void notify();
void notifyAll();
boolean equals(Object);
Object clone();
void finalize();
Object internalClone();
String toString();
Class getClass();
void openContextMenu(View);
void onPanelClosed(int, Menu);
boolean onPreparePanel(int, View, Menu);
void create();
void onBackPressed();
boolean dispatchTouchEvent(MotionEvent);
void hide();
void show();
boolean onTouchEvent(MotionEvent);
View onCreatePanelView(int);
ActionMode onWindowStartingActionMode(ActionMode$Callback);
ActionMode onWindowStartingActionMode(ActionMode$Callback, int);
void updateWindowForCancelable();
boolean onKeyShortcut(int, KeyEvent);
boolean onSearchRequested();
boolean onSearchRequested(SearchEvent);
void onCreate(Bundle);
void onStop();
void setCancelMessage(Message);
void setDismissMessage(Message);
boolean dispatchKeyEvent(KeyEvent);
void onWindowFocusChanged(boolean);
void dispatchOnCreate(Bundle);
void dismiss();
Object findViewById(int);
boolean dispatchGenericMotionEvent(MotionEvent);
void takeKeyEvents(boolean);
void invalidateOptionsMenu();
boolean onMenuOpened(int, Menu);
boolean dispatchPopulateAccessibilityEvent(AccessibilityEvent);
ComponentName getAssociatedActivity();
void openOptionsMenu();
void onAttachedToWindow();
boolean onKeyLongPress(int, KeyEvent);
boolean dispatchTrackballEvent(MotionEvent);
void onActionModeStarted(ActionMode);
Activity getOwnerActivity();
void setFeatureDrawable(int, Drawable);
void sendShowMessage();
ActionBar getActionBar();
boolean requestWindowFeature(int);
void onStart();
void onCreateContextMenu(ContextMenu, View, ContextMenu$ContextMenuInfo);
void onActionModeFinished(ActionMode);
boolean onTrackballEvent(MotionEvent);
void setFeatureDrawableUri(int, Uri);
void unregisterForContextMenu(View);
Object requireViewById(int);
boolean onCreatePanelMenu(int, Menu);
void setOnDismissListener(DialogInterface$OnDismissListener);
boolean onContextItemSelected(MenuItem);
void setTitle(CharSequence);
void onWindowDismissed(boolean, boolean);
void setOwnerActivity(Activity);
void registerForContextMenu(View);
boolean onGenericMotionEvent(MotionEvent);
boolean takeCancelAndDismissListeners(String, DialogInterface$OnCancelListener, DialogInterface$OnDismissListener);
boolean onKeyUp(int, KeyEvent);
void onWindowAttributesChanged(WindowManager$LayoutParams);
Bundle onSaveInstanceState();
SearchEvent getSearchEvent();
void cancel();
View getCurrentFocus();
boolean isShowing();
void dismissDialog();
void onOptionsMenuClosed(Menu);
boolean onOptionsItemSelected(MenuItem);
boolean onMenuItemSelected(int, MenuItem);
Window getWindow();
Context getContext();
int getVolumeControlStream();
void closeOptionsMenu();
boolean onKeyDown(int, KeyEvent);
boolean onPrepareOptionsMenu(Menu);
void setCanceledOnTouchOutside(boolean);
void sendDismissMessage();
void onRestoreInstanceState(Bundle);
boolean onCreateOptionsMenu(Menu);
void setOnKeyListener(DialogInterface$OnKeyListener);
void onDetachedFromWindow();
void onContentChanged();
void setFeatureDrawableAlpha(int, int);
void setFeatureDrawableResource(int, int);
void setOnShowListener(DialogInterface$OnShowListener);
boolean onKeyMultiple(int, int, KeyEvent);
void setVolumeControlStream(int);
void addContentView(View, ViewGroup$LayoutParams);
void setContentView(int);
void setContentView(View);
void setContentView(View, ViewGroup$LayoutParams);
void setCancelable(boolean);
boolean dispatchKeyShortcutEvent(KeyEvent);
void setOnCancelListener(DialogInterface$OnCancelListener);
LayoutInflater getLayoutInflater();
void onContextMenuClosed(Menu);
void setCustomTitle(View);
void setButtonPanelLayoutHint(int);
void setIcon(int);
void setIcon(Drawable);
ListView getListView();
void setIconAttribute(int);
void setButton2(CharSequence, DialogInterface$OnClickListener);
void setButton2(CharSequence, Message);
void setButton(int, CharSequence, DialogInterface$OnClickListener);
void setButton(int, CharSequence, Message);
void setButton(CharSequence, DialogInterface$OnClickListener);
void setButton(CharSequence, Message);
Button getButton(int);
void setView(View);
void setView(View, int, int, int, int);
void setButton3(CharSequence, DialogInterface$OnClickListener);
void setButton3(CharSequence, Message);
void setMessage(CharSequence);
void setInverseBackgroundForced(boolean);
void setMessageHyphenationFrequency(int);
void setMessageMovementMethod(MovementMethod);
}
{% endcodeblock %}
通过观察
AlertController mAlert; => [0x333a]: com.android.internal.app.AlertController@cd52826
然后objectdump 0x333a,确认结果与弹窗的内容相符
查看对象类的信息,确认就是这个类后,观察类被调用过程
由于是在APP启动时就会弹出,使用--startup-command注入watch class指令
objection -g com.hd.zhibo explore --startup-command "android hooking watch class android.app.AlertDialog"
可以看到调用了android.app.AlertDialog.onCreate这个方法
定位弹窗逻辑
对android.app.AlertDialog.onCreate方法进行watch
这个时候发现了关键逻辑:com.zhibo.media.channel_main.update_show(Unknown Source:83)
使用apktool解包apk
apktool d zhibo.apk
修改smali代码逻辑实现不弹窗
定位到com.zhibo.media.channel_main.update_show,然后修改smali文件,修改部分略
使用apktool重新打包
apktool b zhibo/
使用keytool生成keystore文件
keytool -genkey -alias abc.keystore -keyalg RSA -validity 20000 -keystore abc.keystore
使用jarsigner对apk签名
jarsigner -verbose -keystore abc.keystore -signedjar new_zhibo.apk repack_zhibo.apk abc.keystore
没有评论