混淆還原的那些坑

##############1###############
// Obfuscated (decompiled) form: names are assigned in declaration order, so the four fields
// come out as a, b, c, d. Map them back by position: per the pre-obfuscation constructor
// shown below, a = fm, b = js, c = pid, d = key.
    public bs(String str, String str2, String str3, String str4) {
        this.a = str;
        this.b = str2;
        this.c = str3;
        this.d = str4;
    }
對應的混淆前代碼是這樣子的
/*    public JSEntry(String fm, String js, String pid, String key) {
        this.fm = fm;
        this.js = js;
        this.pid = pid;
        this.key = key;
    }*/

##############2###############
// The decompiler prints a character literal as its numeric code, so a bare number here is normal.
boolean question = this.url.indexOf(63) > 0;// 63 is the ASCII code of '?' (see the original line below)
看看混淆前的樣子
// Original source: the same test written with the character literal. Note `> 0`, not `>= 0`:
// a '?' at index 0 leaves `question` false.
boolean question = url.indexOf('?') > 0;

##############3###############
// Junk code that makes both Android Killer and jadx fail when decompiling straight to Java.
// Deleting this section from the smali lets the Java decompile succeed, although being able
// to read the smali yourself is the better option.
// NOTE(review): before removing it, confirm nothing else in the method depends on it. As
// written it looks inert: both variables are still null at the `if`, so the condition is
// always true, and opening the empty path "" presumably throws an IOException that is only
// printed.
FileOutputStream fos123 = null;
Object obj123456 = null;
try {
    // fos123 and obj123456 are both null here, so the right-hand test makes this always true
    if (fos123 != null || obj123456 == null) {
        fos123 = new FileOutputStream("");
        fos123.flush();
    }
} catch (IOException var12) {
    var12.printStackTrace();
} finally {
    try {
        // close the stream only if the constructor above actually produced one
        if (fos123 != null) {
            fos123.close();
        }
    } catch (IOException var11) {
        var11.printStackTrace();
    }
}

//對應smali長這樣
 /*
    r1 = 0;
    if (r5 != 0) goto L_0x008f;
L_0x0003:
    r0 = new java.io.FileOutputStream;  Catch:{ IOException -> 0x0038, all -> 0x0042 }
    r2 = "";
    r0.<init>(r2);  Catch:{ IOException -> 0x0038, all -> 0x0042 }
    r0.flush();     Catch:{ IOException -> 0x008d, all -> 0x0089 }
L_0x000d:
    if (r0 == 0) goto L_0x0012;
L_0x000f:
    r0.close();     Catch:{ IOException -> 0x0087 }
 */

##############4###############
// Array-initializer optimisation: elements default to 0, so only the non-zero elements are stored.
// This is the source form.
// NOTE(review): the name suggests key/IV material (its use is not shown here); a constant like
// this ships inside the APK and is readable by anyone who decompiles it.
public static final byte[] KEY_VI = new byte[]{5, 0, 2, 2, 0, 1, 7, 0, 7, 1, 4, 6, 6, 6, 6, 6};
// The same array as it appears in the dex file: a static initializer that assigns only the
// non-zero elements and stores the result in the (renamed) field `a`.
// Indexes 1, 4 and 7 are never assigned and keep the default 0. When rebuilding the constant
// from this form, take all 16 bytes, not just the 13 assigned ones.
static {
    byte[] bArr = new byte[16];
    bArr[0] = (byte) 5;
    bArr[2] = (byte) 2;
    bArr[3] = (byte) 2;
    bArr[5] = (byte) 1;
    bArr[6] = (byte) 7;
    bArr[8] = (byte) 7;
    bArr[9] = (byte) 1;
    bArr[10] = (byte) 4;
    bArr[11] = (byte) 6;
    bArr[12] = (byte) 6;
    bArr[13] = (byte) 6;
    bArr[14] = (byte) 6;
    bArr[15] = (byte) 6;
    a = bArr;
}

##############5###############
// Two arguments appear out of nowhere, and in parameter positions of different types.
// (In dex one variable is reused over and over: track every change of its value and do not
// assume that every `student` refers to the student object.)
// Here the 2nd and 3rd arguments print as `student` / `(String) student` although the source
// below passes null for both; presumably the decompiler reused the variable name for the
// register that holds null at this point.
this.a.m.a(this.a.l, student, (String) student, "cap_err_2", exception);
// The original source:
student.onOtherEvent(mContext, null, null, "cap_err_2", e.toString());

##############6###############
 // Comparisons are emitted negated: the `==` you wrote is turned into a "not equal" test
 // that jumps past the body when the values differ.
r0 = 100;
r1 = r5.what;
if (r0 != r1) goto L_0x0033;
// The original source:
if (100 == message.what) 

##############7###############
 //看一段含有跳轉的smali代碼、不要怕直接看

        /*
        r0 = 100;
        r1 = r5.what;
        if (r0 != r1) goto L_0x0033;
    L_0x0006:
        r0 = r5.obj;
        r0 = (java.util.Map) r0;
        r1 = new java.util.HashMap;
        r1.<init>(r0);
        r0 = r4;
        r0 = (com.a.b.ftjtc.mvitbl.ah) r0;
        r2 = new com.a.b.ftjtc.mvitbl.aj;
        r2.<init>(r5);
        r3 = com.a.b.ftjtc.mvitbl.af.U;
        r1.put(r3, r2);
        r0.a(r1);
        */
// The source looks like this. The `!= ... goto` in the dump above is simply the jump that
// skips this body when message.what is not 100.
if (100 == message.what) {
    // copy the map carried in message.obj
    map = (Map)message.obj;
    map2 = new HashMap(map);
    ah ahx = (ah)callback;
    // add an aj wrapping the message under key af.U, then pass the copy to the callback
    map2.put(af.U, new com.a.b.ftjtc.mvitbl.aj(message));
    ahx.a(map2);
}

##############8###############
 // Why does decompiled logic come out wrong? When optimised dex code is turned back into Java,
 // some statements end up in the wrong order. For example, an overriding method whose first
 // line calls the superclass method can decompile with that super call as the last line.
 // Another example is the `return` below: it is in the wrong place, so the final
 // view.loadUrl(url) is never reached and the program logic is wrong.
 // NOTE(review): the two listings in this section disagree. In this one only "sms",
 // "about:blank" and "data:text/html,chromewebdata" return early; in the second one every URL
 // that does not start with "market://" returns before loadUrl. Confirm the real control
 // flow in the smali.

// refererUrl is accepted but not used anywhere in this body.
private boolean beginLoad(WebView view, String url, String refererUrl) {
    if (url.startsWith("market://")) {
        // rewrite the market:// scheme to the Play Store web URL, then load it below
        url = url.replace("market://", "https://play.google.com/store/apps/");
    } else if (url.startsWith("sms")) {  
        // returns without loading the URL
        return true;
    } else if (url.equals("about:blank") || url.equals("data:text/html,chromewebdata")) {
        // returns without loading the URL
        return true;
    } else if (url.startsWith("javascript:")) {
        // empty branch: falls through to the load below
    } else {
        // empty branch: falls through to the load below
    }
    try {
        Thread.sleep(50);
    } catch (Exception ignore) {
        // any exception from the sleep is deliberately ignored
    }
    view.loadUrl(url);
    return true;
}
看看源碼
    /**
     * The same handler with obfuscated names (method a, helpers al.a, bw.a, dl.a).
     *
     * The two al.a arguments are Base64 for "market://" and
     * "https://play.google.com/store/apps/", the literals used in beginLoad above, so al.a
     * presumably decodes strings at run time (confirm in al).
     *
     * Control flow as written: only a "market://" URL (after rewriting) reaches
     * webView.loadUrl; every other URL returns true at the end of the else block.
     * NOTE(review): that differs from beginLoad, where "javascript:" and ordinary URLs are
     * loaded. Check the smali to see which ordering is real.
     */
    private boolean a(WebView webView, String str) {
        if (str.startsWith(al.a("bWFya2V0Oi8v"))) {
            str = str.replace(al.a("bWFya2V0Oi8v"), al.a("aHR0cHM6Ly9wbGF5Lmdvb2dsZS5jb20vc3RvcmUvYXBwcy8="));
        } else {
            if (str.startsWith("sms")) {
                // bw.a is not shown; presumably a logging helper
                bw.a("s:" + str);
                // NOTE(review): a URL starting with "sms" that the WebView navigates to is
                // handed to sendMessage. What that call does is not visible here; trace it
                // when assessing the app.
                this.a.sendMessage(str);
            } else if (str.equals("about:blank") || str.equals("data:text/html,chromewebdata")) {
                bw.a("errorurl:" + str);
            } else if (str.startsWith("javascript:")) {
                bw.a("javascript:");
            } else {
                bw.a(str);
            }
            // reached by every branch of the inner if/else chain
            return true;
        }
        // the 50 ms pause runs only when this field is null; beginLoad sleeps unconditionally
        if (dl.a(this.l).a == null) {
            try {
                Thread.sleep(50);
            } catch (Exception e) {
                // any exception from the sleep is ignored
            }
        }
        webView.loadUrl(str);
        return true;
    }
//總結 :不要怕 就是多練習!你可以搞定的!最好直接上smali