早期自己弄的一些東西,大牛繞過。
入門寫殼的同學可以參考看看。
效果如下:
Java 層:
package com.droider.crackme0201;
import java.lang.String;
import android.app.Application;
import android.content.Context;
import android.content.res.Configuration;
public class TestApplication extends Application {
static{
System.loadLibrary("Nothing");
}
@Override
protected void attachBaseContext(Context base) {
super.attachBaseContext(base);
ErickyGuard(base);
ErickyProtect(base);
}
public native void ErickyGuard(Context context);
public native Object ErickyProtect(Context context);
}
C層:
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <jni.h>
#include <android/log.h>
#include <sys/stat.h>
#include <unistd.h>
#include <sys/types.h>
#include <elf.h>
#include <sys/mman.h>
#include <assert.h>
#define DEBUG
#define LOG_TAG "LOG_TEST"
#define LOGI(...) __android_log_print(ANDROID_LOG_INFO,LOG_TAG,__VA_ARGS__)
#define LOGE(...) __android_log_print(ANDROID_LOG_ERROR,LOG_TAG,__VA_ARGS__)
// 獲取數組的大小
# define NELEM(x) ((int) (sizeof(x) / sizeof((x)[0])))
// 指定要註冊的類,對應完整的java類名
#define JNIREG_CLASS "com/droider/crackme0201/TestApplication"
//Function Statements
jstring CharTojstring(JNIEnv* env, char* str);
jobject invokeStaticMethodss (JNIEnv *env,jstring class_name, jstring method_name, jobjectArray pareTyple, jobjectArray pareVaules);
jobject getFieldOjbect(JNIEnv *env, jstring class_name, jobject obj, jstring fieldName);
void setFieldOjbect(JNIEnv *env, jstring class_name, jstring fieldName, jobject obj, jobject filedVaule);
void guard( JNIEnv* env,jobject thiz,jobject context );
JNIEXPORT jobject JNICALL sub_2222( JNIEnv* env,
jobject thiz,jobject context )
{
jclass native_clazz = env->GetObjectClass(context);
jmethodID methodID_func = env->GetMethodID(native_clazz,"getPackageName", "()Ljava/lang/String;");
jstring packagename =(jstring)(env->CallObjectMethod(context, methodID_func));
//**************************************
char *aa="android.app.ActivityThread", *bb = "currentActivityThread";
jstring jaa= CharTojstring(env,aa);
jstring jbb = CharTojstring(env,bb);
jobjectArray pareTyple;
jobjectArray pareVaules;
jobject currentActivityThread = invokeStaticMethodss(env,jaa,jbb,pareTyple,pareVaules );
char *cc="android.app.ActivityThread", *dd = "mPackages";
jstring jcc= CharTojstring(env,cc);
jstring jdd = CharTojstring(env,dd);
jclass class_hashmap=env->FindClass("java/util/HashMap");
jmethodID hashmap_construct_method=env->GetMethodID(class_hashmap, "<init>","()V");
jobject obj_hashmap =env->NewObject(class_hashmap, hashmap_construct_method, "");
obj_hashmap = getFieldOjbect(env,jcc, currentActivityThread,jdd);
// new一个WeakReference对象java.lang.ref.WeakReference get_get_obj ==wr.get();
jclass class_WeakReference=env->FindClass("java/lang/ref/WeakReference");
if(class_WeakReference==NULL){
LOGI("class_WeakReference Not Found ");
}
jmethodID WeakReference_get_method=env->GetMethodID(class_WeakReference, "get","()Ljava/lang/Object;");
if(WeakReference_get_method==NULL){
LOGI("WeakReference_get_method Not Found ");
}
jmethodID get_func = env->GetMethodID(class_hashmap,"get","(Ljava/lang/Object;)Ljava/lang/Object;");
if(get_func==NULL){
LOGI("get_func Not Found ");
}
jobject get_obj =env->CallObjectMethod(obj_hashmap, get_func,packagename);
if(get_obj==NULL){
LOGI("get_obj Not Found ");
}
jobject get_get_obj = env->CallObjectMethod(get_obj, WeakReference_get_method);
if(get_get_obj==NULL){
LOGI("get_get_obj Not Found ");
}
//Strings prepared
const char *str = env->GetStringUTFChars(packagename, 0);
char parameter1[128];
char parameter2[128];
char parameter3[128];
const char *qz ="/data/data/", *hz1 = "/.cache/classdex.jar" ,*hz2 = "/.cache",*hz3 = "/.cache/";
strcpy(parameter1, qz);
strcat(parameter1, str);
strcat(parameter1, hz1);
strcpy(parameter2, qz);
strcat(parameter2, str);
strcat(parameter2, hz2);
strcpy(parameter3, qz);
strcat(parameter3, str);
strcat(parameter3, hz3);
env->ReleaseStringUTFChars(packagename, str);
jstring jparameter1 = CharTojstring(env,parameter1);
jstring jparameter2 = CharTojstring(env,parameter2);
jstring jparameter3 = CharTojstring(env,parameter3);
char *loadapk = "android.app.LoadedApk",*mClassLoader = "mClassLoader";
jstring jloadapk= CharTojstring(env,loadapk);
jstring jmClassLoader = CharTojstring(env,mClassLoader);
jclass class_DexClassloader=env->FindClass("dalvik/system/DexClassLoader");
if(class_DexClassloader==NULL){
LOGI("class_DexClassloader Not Found ");
}
jmethodID DexClassloader_construct_method=env->GetMethodID(class_DexClassloader, "<init>","(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V");
if(DexClassloader_construct_method==NULL){
LOGI("DexClassloader_construct_method Not Found ");
}
jobject obj_DexClassloader =env->NewObject(class_DexClassloader, DexClassloader_construct_method,jparameter1,jparameter2,jparameter3,getFieldOjbect(env,jloadapk,get_get_obj,jmClassLoader));
if(obj_DexClassloader==NULL){
LOGI("obj_DexClassloader Not Found ");
}
setFieldOjbect(env,jloadapk,jmClassLoader,get_get_obj, obj_DexClassloader);
return get_get_obj;
}
JNIEXPORT void JNICALL sub_1111( JNIEnv* env,
jobject thiz,jobject context )
{
guard(env,thiz,context );
}
// Java和JNI函數的綁定表
static JNINativeMethod method_table[] = {
{ "ErickyProtect", "(Landroid/content/Context;)Ljava/lang/Object;", (void*)sub_2222 },//綁定Ericky3
{ "ErickyGuard", "(Landroid/content/Context;)V", (void*)sub_1111 },//Ericky1
};
// 註冊native方法到java中
static int registerNativeMethods(JNIEnv* env, const char* className,
JNINativeMethod* gMethods, int numMethods)
{
jclass clazz;
clazz = env->FindClass( className);
if (clazz == NULL) {
return JNI_FALSE;
}
if (env->RegisterNatives(clazz, gMethods, numMethods) < 0) {
return JNI_FALSE;
}
return JNI_TRUE;
}
int register_ndk_load(JNIEnv *env)
{
// 調用註冊方法
return registerNativeMethods(env, JNIREG_CLASS,
method_table, NELEM(method_table));
}
JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved)
{
JNIEnv* env = NULL;
jint result = -1;
if (vm->GetEnv((void**) &env, JNI_VERSION_1_4) != JNI_OK) {
return result;
}
register_ndk_load(env);
// 返回jni的版本
return JNI_VERSION_1_4;
}
//Copy fuctions and initial fuctions
void guard( JNIEnv* env,jobject thiz,jobject context )
{
jclass native_clazz = env->GetObjectClass(context);
jmethodID methodID_func = env->GetMethodID(native_clazz,"getPackageName", "()Ljava/lang/String;");
jstring packagename =(jstring)(env->CallObjectMethod(context, methodID_func));
const char *str = env->GetStringUTFChars(packagename, 0);
char destination[128];
const char *blank ="/data/data/", *c = "/.cache/";
strcpy(destination, blank);
strcat(destination, str);
strcat(destination, c);
LOGI("stringcccccccccccccccc %s",destination);//去å—符串s%
env->ReleaseStringUTFChars(packagename, str);
jint a = mkdir(destination,777);
LOGI("Created a file in android! %d",a);//去å—符串s%
const char *pre = "chmod 755 ";
char cmd[128];
strcpy(cmd, pre);
strcat(cmd, destination);
LOGI("cmd %s",cmd);//去å—符串s%
jstring jcmd = CharTojstring(env,cmd);
//exec
jclass Runtime = env->FindClass("java/lang/Runtime");
jmethodID Runtime_func = env->GetStaticMethodID(Runtime,"getRuntime","()Ljava/lang/Runtime;");
jobject class_obj = env->CallStaticObjectMethod(Runtime, Runtime_func);
jclass class_java = env->GetObjectClass(class_obj);
jmethodID exec_func = env->GetMethodID(class_java,"exec","(Ljava/lang/String;)Ljava/lang/Process;");
jobject method_obj =env->CallObjectMethod(class_obj, exec_func,jcmd);
jclass class_method_obj= env->GetObjectClass(method_obj);
jmethodID waitfor_func = env->GetMethodID(class_method_obj,"waitFor","()I");
jint result = env->CallIntMethod(method_obj,waitfor_func);
LOGI("CallIntMethod %d",result);//去å—符串s%
//***************************************************************************************Copy fuctions
//************************despath
// 获得 Context 类
jclass native_clazz2 = env->GetObjectClass(context);
jmethodID methodID_func2 = env->GetMethodID(native_clazz2,"getPackageName", "()Ljava/lang/String;");
jstring packagename2 =(jstring)(env->CallObjectMethod(context, methodID_func2));
const char *str2 = env->GetStringUTFChars(packagename2, 0);
char destination2[128];
const char *blank2 ="/data/data/", *c2 = "/.cache/classdex.jar";
strcpy(destination2, blank2);
strcat(destination2, str2);
strcat(destination2, c2);
LOGI("string %s",destination2);
LOGI("log test ok ");
env->ReleaseStringUTFChars(packagename2, str2);
jstring jdestination = CharTojstring(env,destination2);
jmethodID methodID_getApplicationInfo = env->GetMethodID(native_clazz2,"getApplicationInfo", "()Landroid/content/pm/ApplicationInfo;");
jobject ApplicationInfo =env->CallObjectMethod(context, methodID_getApplicationInfo);
jclass cls_ApplicationInfo=env->GetObjectClass(ApplicationInfo);
jfieldID JarFieldId = env->GetFieldID(cls_ApplicationInfo,"publicSourceDir", "Ljava/lang/String;");
jstring SourceDir =(jstring)(env->GetObjectField(ApplicationInfo,JarFieldId));
const char *strs = env->GetStringUTFChars(SourceDir, 0);
char destinations[128];
strcpy(destinations, strs);
jbyteArray bytes = env->NewByteArray(65536);
LOGI("HAHAHAHHAHAHAHA %s",destinations);//
env->ReleaseStringUTFChars(SourceDir, strs);
LOGI("HAHAHAHHAHAHAHA222222222222222“");
//initial strings
char *classdex_jar2="assets/ErickyProtect.so";//包裏的文件
jstring jclassdex_jar = CharTojstring(env,classdex_jar2);
////////////new JarFile
jclass cls_JarFile = env->FindClass("java/util/jar/JarFile");
jmethodID methodID_JarFile = env->GetMethodID(cls_JarFile,"<init>", "(Ljava/lang/String;)V");
jobject localJarFile = env->NewObject(cls_JarFile, methodID_JarFile,SourceDir);
//localjarFile getEntry method
jmethodID methodID_getentry = env->GetMethodID(cls_JarFile,"getEntry", "(Ljava/lang/String;)Ljava/util/zip/ZipEntry;");
jobject LocalZipEntry = env->CallObjectMethod(localJarFile,methodID_getentry,jclassdex_jar);
//localjarFile getInputStream method
jmethodID methodID_getInputStream = env->GetMethodID(cls_JarFile,"getInputStream", "(Ljava/util/zip/ZipEntry;)Ljava/io/InputStream;");
jobject BufferinputstreamParam = env->CallObjectMethod(localJarFile,methodID_getInputStream,LocalZipEntry);
//new a File class
jclass cls_File = env->FindClass("java/io/File");
jmethodID methodID_File = env->GetMethodID(cls_File,"<init>", "(Ljava/lang/String;)V");
jobject localFile = env->NewObject(cls_File, methodID_File,jdestination);
//new BufferedInputStream
jclass cls_BufferedInputStream = env->FindClass("java/io/BufferedInputStream");
jmethodID methodID_BufferedInputStream = env->GetMethodID(cls_BufferedInputStream,"<init>", "(Ljava/io/InputStream;)V");
jobject localBufferedInputStream = env->NewObject(cls_BufferedInputStream, methodID_BufferedInputStream,BufferinputstreamParam);
//new FileoutputStream
jclass cls_FileOutputStream = env->FindClass("java/io/FileOutputStream");
jmethodID methodID_FileOutputStream= env->GetMethodID(cls_FileOutputStream,"<init>", "(Ljava/io/File;)V");
jobject BufferoutputstreamParam = env->NewObject(cls_FileOutputStream, methodID_FileOutputStream,localFile);
//new BufferedOutputStream
jclass cls_BufferedOutputStream = env->FindClass("java/io/BufferedOutputStream");
jmethodID methodID_BufferedOutputStream = env->GetMethodID(cls_BufferedOutputStream,"<init>", "(Ljava/io/OutputStream;)V");
jobject localBufferedOutputStream = env->NewObject(cls_BufferedOutputStream, methodID_BufferedOutputStream,BufferoutputstreamParam);
//some preparations
jmethodID methodID_write = env->GetMethodID(cls_BufferedOutputStream,"write", "([BII)V");
jmethodID methodID_read = env->GetMethodID(cls_BufferedInputStream,"read", "([B)I");
jmethodID output_flush = env->GetMethodID(cls_BufferedOutputStream,"flush", "()V");
jmethodID output_close = env->GetMethodID(cls_BufferedOutputStream,"close", "()V");
jmethodID input_close = env->GetMethodID(cls_BufferedInputStream,"close", "()V");
while(true){
jint i =env->CallIntMethod(localBufferedInputStream,methodID_read,bytes);
LOGI("IIIIIIIIII %d",i);
if (i <= 0){
env->CallVoidMethod(localBufferedOutputStream,output_flush);
env->CallVoidMethod(localBufferedOutputStream,output_close);
env->CallVoidMethod(localBufferedInputStream,input_close);
return;
}
env->CallVoidMethod(localBufferedOutputStream,methodID_write,bytes,0,i);
LOGI("afterwrite %d",i);
}
}
jstring CharTojstring(JNIEnv* env, char* str)
{
jsize len = strlen(str);
jclass clsstring = env->FindClass("java/lang/String");
jstring strencode = env->NewStringUTF("GB2312");
jmethodID mid = env->GetMethodID(clsstring, "<init>", "([BLjava/lang/String;)V");
jbyteArray barr = env-> NewByteArray(len);
env-> SetByteArrayRegion(barr,0,len,(jbyte*)str);
return (jstring)env-> NewObject(clsstring,mid,barr,strencode);
}
jobject getFieldOjbect(JNIEnv *env,
jstring class_name, jobject obj, jstring fieldName)
{
jclass context = env->FindClass("java/lang/Class");
jmethodID forName_func = env->GetStaticMethodID(context,"forName","(Ljava/lang/String;)Ljava/lang/Class;");
jobject class_obj = env->CallStaticObjectMethod(context, forName_func,class_name);
jclass class_java = env->GetObjectClass(class_obj);
jmethodID getField_func = env->GetMethodID(class_java,"getDeclaredField","(Ljava/lang/String;)Ljava/lang/reflect/Field;");
jobject method_obj =env->CallObjectMethod(class_obj, getField_func,fieldName);
jclass class_method_obj= env->GetObjectClass(method_obj);
jmethodID setaccess_func = env->GetMethodID(class_method_obj,"setAccessible","(Z)V");
env->CallVoidMethod(method_obj,setaccess_func,true);
jmethodID get_func = env->GetMethodID(class_method_obj,"get","(Ljava/lang/Object;)Ljava/lang/Object;");
jobject get_obj =env->CallObjectMethod(method_obj,get_func,obj);
env->DeleteLocalRef(class_java);
env->DeleteLocalRef(method_obj);
return get_obj;
}
jobject invokeStaticMethodss (JNIEnv *env,jstring class_name, jstring method_name, jobjectArray pareTyple, jobjectArray pareVaules)
{
jclass context = env->FindClass("java/lang/Class");
jmethodID forName_func = env->GetStaticMethodID(context,"forName","(Ljava/lang/String;)Ljava/lang/Class;");
jobject class_obj = env->CallStaticObjectMethod(context, forName_func,class_name);
jclass class_java = env->GetObjectClass(class_obj);
jmethodID getMethod_func = env->GetMethodID(class_java,"getMethod","(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;");
jobject method_obj =env->CallObjectMethod(class_obj, getMethod_func,method_name,pareTyple);
jclass class_method_obj= env->GetObjectClass(method_obj);
jmethodID invoke_func = env->GetMethodID(class_method_obj,"invoke","(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;");
jobject invoke_obj =env->CallObjectMethod(method_obj,invoke_func,NULL,pareVaules);
env->DeleteLocalRef(class_java);
env->DeleteLocalRef(method_obj);
return invoke_obj;
}
void setFieldOjbect(JNIEnv *env, jstring class_name, jstring fieldName, jobject obj, jobject filedVaule)
{
jclass context = env->FindClass("java/lang/Class");
jmethodID forName_func = env->GetStaticMethodID(context,"forName","(Ljava/lang/String;)Ljava/lang/Class;");
jobject class_obj = env->CallStaticObjectMethod(context, forName_func,class_name);
jclass class_java = env->GetObjectClass(class_obj);
jmethodID getField_func = env->GetMethodID(class_java,"getDeclaredField","(Ljava/lang/String;)Ljava/lang/reflect/Field;");
jobject method_obj =env->CallObjectMethod(class_obj, getField_func,fieldName);
jclass class_method_obj= env->GetObjectClass(method_obj);
jmethodID setaccess_func = env->GetMethodID(class_method_obj,"setAccessible","(Z)V");
env->CallVoidMethod(method_obj,setaccess_func,true);
jmethodID set_func = env->GetMethodID(class_method_obj,"set","(Ljava/lang/Object;Ljava/lang/Object;)V");
env->CallVoidMethod(method_obj,set_func,obj,filedVaule);
env->DeleteLocalRef(class_java);
env->DeleteLocalRef(method_obj);
}