Android 反编译资料整理

Made by 李文栋

2010-12-13  Monday 于北京

一、反编译流程图​​​​

二、工具使用方法(命令)

准备工作

假设我的工作目录为 $AndroidDecompile，首先要将system.img中(或者说从源码中编译好的)几个重要的odex文件拷贝到工作目录中，他们是：core.odex, ext.odex, framework.odex, android.policy.odex, services.odex(也可以放在别的目录，通过设置BOOTCLASSPATH指定，默认就是当前目录，关于BOOTCLASSPATH请参考baksmali的帮助信息)。

下载以下工具到 $AndroidDecompile中：

Baksmali :

​​https://code.google.com/p/smali/downloads/list​​

Smali :

​​https://code.google.com/p/smali/downloads/list​​

Dex2jar :

​​https://code.google.com/p/dex2jar/downloads/list​​

JD-GUI (Java Decompile GUI) :

​​https://java.decompiler.free.fr/?q=jdgui​​<!--[if !supportNestedAnchors]--><!--[endif]-->

Apktool

​​https://code.google.com/p/android-apktool/downloads/list​​

假设我们有一个应用，它的类文件编译后被单独拿了出来，即有两个文件app.apk和app.odex，把他们放在 $AndroidDecompile下。

1.

使用 baksmali.jar

将 odex

文件分解为 smali

文件

$ java –jar baksmali-1.2.5.jar –x app.odex

如果成功的话，会在 $AndroidDecompile下生成一个 out目录，里面是一些以“.smali”为后缀名的文件，在此不深究这些文件的作用。

2.

使用 smali.jar

将 out/

目录下的smali

文件转换为 classes.dex

$ java -Xmx512M –jar smali-1.2.5.jar out –o classes.dex

classes.dex便是Dalvik VM所使用的编译后的类文件格式，在正常的apk文件里都会有。

3.

使用 dex2jar

将classes.dex

反编译为jar

文件

将下载后的dex2jar压缩包解压后，里面会有dex2jar.sh(和dex2jar.bat)文件，假如classes.dex文件与dex2jar.sh在同一目录下，使用以下方式将classes.dex反编译为jar文件：

$dex2jar.sh classes.dex

如果执行成功，则会在当前目录下生成反编译后的文件classes.dex.dex2jar.jar。

dex2jar即可以操作dex文件，也可以直接操作apk文件，它的使用规则为：

dex2jar file1.dexORapk file2.dexORapk ...

4.

使用JD-GUI

查看反编译后的jar

文件

JD-GUI是一个可视化的Java反编译代码查看器，它可以实时的将class文件反编译成java文件进行查看。解压下载的jd-gui文件，执行目录中的jd-gui可执行文件启动，然后加载上一步中反编译好的classes.dex.dex2jar.jar文件即可。

5.

将从odex

反编译后的classes.dex

与其他资源文件重新打包成一个完整的apk

以上我们假设的情况是应用程序编译后的类文件从apk文件中被剥离出来，下面要做的是如何将上述步骤中得到的classes.dex与apk中的其他文件重新打包成一个可用的apk。

首先将反编译后的classes.dex和原先的app.apk(不含classes.dex)重新压缩成一个完整的app.apk(apk文件可用压缩工具打开)，也就是说将classes.dex放进app.apk中。

将下载的AutoSign文件解压，可以看到有signapk.jar(还有个Sign.bat)文件，执行以下命令给app.apk文件签名，就可以生成一个可以运行的apk文件了。

$ java -jar signapk.jar testkey.x509.pem testkey.pk8 app.apk app_signed.apk

6. apktool

的使用

网上还有个工具是apktool，可以对apk进行解析，反编译资源文件，并将类文件解析成smali文件；同时还可以将解析后的文件重新打包成apk。功能和以上介绍的几个工具类似，它的使用方法如下：

apktool d app.apk and    反编译 app.apk到文件夹and

apktool b app                从文件夹app重建APK，输出到ABC\dist\out.apk

具体的使用方法在此不再赘述，请参考官方网站，或者：

​​https://www.geeka.net/2010/05/apktool-decode-android-google-code/​​

7. 我的 $AndroidDecompile目录下的文件的截图

三、一些工具的帮助信息​

1. baksmali

的帮助信息

usage: java -jar baksmali.jar [options] <dex-file>

disassembles and/or dumps a dex file

-?,--help                                 Prints the help message then exits.

-b,--no-debug-info                         Specify twice for debug options

don't write out debug info (.local,

.param, .line, etc.)

-c,--bootclasspath <BOOTCLASSPATH>      The bootclasspath jars to use, for

analysis. Defaults to

core.jar:ext.jar:framework.jar:andro

id.policy.jar:services.jar. If the

value begins with a :, it will be

appended to the default

bootclasspath instead of replacing it

-d,--bootclasspath-dir <DIR>                The base folder to look for the

bootclasspath files in. Defaults to

the current directory

-f,--code-offsets                           Add comments to the disassembly

containing the code offset for each address

-l,--use-locals                             Output the .locals directive with

the number of non-parameter

registers, rather than the .register

-o,--output <DIR>                         Directive with the total number of  register

the directory where the disassembled

files will be placed. The default is out

-p,--no-parameter-registers                  Use the v<n> syntax instead of the

p<n> syntax for registers mapped to

method parameters

-r,--register-info <REGISTER_INFO_TYPES>  Print the specificed type(s) of

register information for each

instruction. "ARGS,DEST" is the

default if no types are specified.

Valid values are:

ALL: all pre- and post-instruction registers.

ALLPRE: all pre-instruction registers

ALLPOST: all post-instruction registers

ARGS: any pre-instruction registers

used as arguments to the instruction

DEST: the post-instruction

destination register, if any

MERGE: Any pre-instruction register

has been merged from more than 1

different post-instruction register

from its predecessors

FULLMERGE: For each register that

would be printed by MERGE, also show

the incoming register types that

were merged

-s,--sequential-labels                       Create label names using a

sequential numbering scheme per

label type, rather than using the

bytecode address

-v,--version                               Prints the version then exits

-x,--deodex                               Deodex the given odex file. This

option is ignored if the input file

is not an odex file

2. smali

的帮助信息

usage: java -jar smali.jar [options] [--] [<smali-file>folder]*

assembles a set of smali files into a dex file

-?,--help            prints the help message then exits. Specify twice for

debug options

-o,--output <FILE>   the name of the dex file that will be written. The default

is out.dex

-v,--version         prints the version then exits

3. auto-sign

的帮助信息

SignApk.jar is a tool included with the Android platform source bundle.

testkey.pk8 is the private key that is compatible with the recovery image included in this zip file

testkey.x509.pem is the corresponding certificate/public key

Usage:

java -jar signapk.jar testkey.x509.pem testkey.pk8 update.zip update_signed.zip

4. apktool

的帮助信息

Apktool v1.3.2 - a tool for reengineering Android apk files

Copyright 2010 Ryszard Wi?niewski <[email protected]>

Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0)

Usage: apktool [-v--verbose] COMMAND [...]

COMMANDs are:

d[ecode] [OPTS] <file.apk> [<dir>]

Decode <file.apk> to <dir>.

OPTS:

-s, --no-src

Do not decode sources.

-r, --no-res

Do not decode resources.

-d, --debug

Decode in debug mode. Check project page for more info.

-f, --force

Force delete destination directory.

-t <tag>, --frame-tag <tag>

Try to use framework files tagged by <tag>.

--keep-broken-res

Use if there was an error and some resources were dropped, e.g.:

"Invalid config flags detected. Dropping resources", but you

want to decode them anyway, even with errors. You will have to

fix them manually before building.

b[uild] [OPTS] [<app_path>] [<out_file>]

Build an apk from already decoded application located in <app_path>.

It will automatically detect, whether files was changed and perform

needed steps only.

If you omit <app_path> then current directory will be used.

If you omit <out_file> then <app_path>/dist/<name_of_original.apk>

will be used.

OPTS:

-f, --force-all

Skip changes detection and build all files.

-d, --debug

Build in debug mode. Check project page for more info.

ifinstall-framework <framework.apk> [<tag>]

Install framework file to your system.

For additional info, see:

​​https://code.google.com/p/android-apktool/​​

四、参考资料

1. Smali

​​https://code.google.com/p/smali/​​

​​https://www.geeka.net/2010/05/android-apk-odex-classes-dex/​​

2. ApkTool

​​https://code.google.com/p/android-apktool/​​

​​https://www.geeka.net/2010/05/apktool-decode-android-google-code/​​