##############1###############
//混淆时按照顺序来的、变量混淆后依次为a、b、c、d
public bs(String str, String str2, String str3, String str4) {
this.a = str;
this.b = str2;
this.c = str3;
this.d = str4;
}
对应的混淆前代码是这样子的
/* public JSEntry(String fm, String js, String pid, String key) {
this.fm = fm;
this.js = js;
this.pid = pid;
this.key = key;
}*/
##############2###############
//直接用ascii码、看到数字不要觉得奇怪
boolean question = this.url.indexOf(63) > 0;//63是ascii编码
看看混淆前的样子
boolean question = url.indexOf('?') > 0;
##############3###############
//让android killer和jadx直接反编译成java时都失效的代码、我们可以在smali中删除这段、
//就可以顺利反编译出java代码、不过最好是自己能够解读smali
FileOutputStream fos123 = null;
Object obj123456 = null;
try {
if (fos123 != null || obj123456 == null) {
fos123 = new FileOutputStream("");
fos123.flush();
}
} catch (IOException var12) {
var12.printStackTrace();
} finally {
try {
if (fos123 != null) {
fos123.close();
}
} catch (IOException var11) {
var11.printStackTrace();
}
}
//对应smali长这样
/*
r1 = 0;
if (r5 != 0) goto L_0x008f;
L_0x0003:
r0 = new java.io.FileOutputStream; Catch:{ IOException -> 0x0038, all -> 0x0042 }
r2 = "";
r0.<init>(r2); Catch:{ IOException -> 0x0038, all -> 0x0042 }
r0.flush(); Catch:{ IOException -> 0x008d, all -> 0x0089 }
L_0x000d:
if (r0 == 0) goto L_0x0012;
L_0x000f:
r0.close(); Catch:{ IOException -> 0x0087 }
##############4###############
//数组的优化、因为数字默认值为0、所以只存储不为0的部分
//源码是这样
public static final byte[] KEY_VI = new byte[]{5, 0, 2, 2, 0, 1, 7, 0, 7, 1, 4, 6, 6, 6, 6, 6};
//dex文件中长这样
static {
byte[] bArr = new byte[16];
bArr[0] = (byte) 5;
bArr[2] = (byte) 2;
bArr[3] = (byte) 2;
bArr[5] = (byte) 1;
bArr[6] = (byte) 7;
bArr[8] = (byte) 7;
bArr[9] = (byte) 1;
bArr[10] = (byte) 4;
bArr[11] = (byte) 6;
bArr[12] = (byte) 6;
bArr[13] = (byte) 6;
bArr[14] = (byte) 6;
bArr[15] = (byte) 6;
a = bArr;
}
##############5###############
//突然冒出两个参数、而且放在形式不同的参数位置上
// (dex中一个变量会反复用、你要跟踪每一次值的变化、不要以为所有的student都是指学生)
this.a.m.a(this.a.l, student, (String) student, "cap_err_2", exception);
//看看源码
student.onOtherEvent(mContext, null, null, "cap_err_2", e.toString());
##############6###############
//判断的时候是用非来判断的、你写的等于最后转换为先看不等于
r0 = 100;
r1 = r5.what;
if (r0 != r1) goto L_0x0033;
//看看源码
if (100 == message.what)
##############7###############
//看一段含有跳转的smali代码、不要怕直接看
/*
r0 = 100;
r1 = r5.what;
if (r0 != r1) goto L_0x0033;
L_0x0006:
r0 = r5.obj;
r0 = (java.util.Map) r0;
r1 = new java.util.HashMap;
r1.<init>(r0);
r0 = r4;
r0 = (com.a.b.ftjtc.mvitbl.ah) r0;
r2 = new com.a.b.ftjtc.mvitbl.aj;
r2.<init>(r5);
r3 = com.a.b.ftjtc.mvitbl.af.U;
r1.put(r3, r2);
r0.a(r1);
//源码是这样
if (100 == message.what) {
map = (Map)message.obj;
map2 = new HashMap(map);
ah ahx = (ah)callback;
map2.put(af.U, new com.a.b.ftjtc.mvitbl.aj(message));
ahx.a(map2);
}
##############8###############
//为什么你反编译后代码逻辑不对?因为dex优化代码再还原的时候,
//有些代码顺序错误、比如重载函数的第一行是调用父类的对应函数、
//然而Dex反编译后的这个super函数调用却是放在函数的最后一行、
//在比如下面这个return 就是顺序错了、然后最后一行的
// view.loadUrl(url)一直执行不到、这样程序逻辑就错了
private boolean beginLoad(WebView view, String url, String refererUrl) {
if (url.startsWith("market://")) {
url = url.replace("market://", "https://play.google.com/store/apps/");
} else if (url.startsWith("sms")) {
return true;
} else if (url.equals("about:blank") || url.equals("data:text/html,chromewebdata")) {
return true;
} else if (url.startsWith("javascript:")) {
} else {
}
try {
Thread.sleep(50);
} catch (Exception ignore) {
}
view.loadUrl(url);
return true;
}
看看源码
private boolean a(WebView webView, String str) {
if (str.startsWith(al.a("bWFya2V0Oi8v"))) {
str = str.replace(al.a("bWFya2V0Oi8v"), al.a("aHR0cHM6Ly9wbGF5Lmdvb2dsZS5jb20vc3RvcmUvYXBwcy8="));
} else {
if (str.startsWith("sms")) {
bw.a("s:" + str);
this.a.sendMessage(str);
} else if (str.equals("about:blank") || str.equals("data:text/html,chromewebdata")) {
bw.a("errorurl:" + str);
} else if (str.startsWith("javascript:")) {
bw.a("javascript:");
} else {
bw.a(str);
}
return true;
}
if (dl.a(this.l).a == null) {
try {
Thread.sleep(50);
} catch (Exception e) {
}
}
webView.loadUrl(str);
return true;
}
//总结 :不要怕 就是多练习!你可以搞定的!最好直接上smali
混淆还原的那些坑
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章