Android

Android flashing and device-buying guide

https://twrp.me/Devices/

Android packet capture

tcpdump
http://www.androidtcpdump.com/
./tcpdump -i any -p -s 0 -w /sdcard/capture.pcap
(run as root; -i any captures on every interface, -p disables promiscuous mode, -s 0 keeps whole packets; afterwards adb pull /sdcard/capture.pcap and open it in Wireshark)

Fixing the Burp certificate problem: https://github.com/Magisk-Modules-Repo/movecert
Since Android 7.0 Nougat, apps that target API 24 or later no longer trust certificates installed into the user store by default (unless their network_security_config opts in), so the CA has to be placed in the system store at /system/etc/security/cacerts. That directory holds PEM-format certificates named <subject_hash_old>.0, while Burp exports DER, so the export has to be converted and renamed before it is copied in. The movecert module copies certificates that are already installed in the user store into the system store systemlessly via Magisk, which also works on builds where /system cannot be remounted.
On some phones the certificate Burp generates is rejected; a workaround is to put another proxy in front of Burp.

User-installed certificates must not have an overly long validity period.
https://www.entrustdatacard.com/blog/2018/february/chrome-requires-ct-after-april-2018
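The conversion and install steps just described, as a host-side script. This is an added example, not code from the page or from the movecert module; it assumes openssl on the host, a rooted device whose /system can still be remounted read-write (pre system-as-root builds), su available to the adb shell user, and Burp's CA export saved as cacert.der. The function names are mine.

```shell
#!/bin/sh
# Added example: install a Burp CA export as an Android system CA.
# Assumptions: host openssl, adb-connected rooted device with a remountable
# /system, Burp's DER export as the single argument (e.g. cacert.der).
set -eu

# Burp exports DER; /system/etc/security/cacerts holds PEM.
der_to_pem() {            # $1 = DER input, $2 = PEM output
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# The system store names each file <subject_hash_old>.0 (the MD5-based hash,
# which is what the entries Android already ships use).
android_ca_name() {       # $1 = PEM cert -> prints e.g. 9a5ba575.0
    printf '%s.0\n' "$(openssl x509 -inform PEM -in "$1" -noout -subject_hash_old)"
}

install_system_ca() {     # $1 = DER cert from Burp
    pem="$(mktemp)"
    der_to_pem "$1" "$pem"
    name="$(android_ca_name "$pem")"
    adb push "$pem" "/sdcard/$name"
    # One su -c string: adb shell joins its arguments with spaces, so the whole
    # command has to be quoted for the device shell, not for the host shell.
    adb shell "su -c 'mount -o rw,remount /system && \
        cp /sdcard/$name /system/etc/security/cacerts/$name && \
        chmod 644 /system/etc/security/cacerts/$name && \
        chown root:root /system/etc/security/cacerts/$name && \
        mount -o ro,remount /system'"
    rm -f "$pem"
    echo "installed $name; reboot, then check Settings > Security > Trusted credentials > System"
}

if [ $# -eq 1 ]; then install_system_ca "$1"; fi
```

Usage: ./burp-ca.sh cacert.der. If the remount is refused (system-as-root builds), push the same <hash>.0 file through a Magisk module instead; the filename and PEM encoding are the same.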

Forced install with adb

adb install -r wx.apk
(-r reinstalls over an already installed package and keeps its data; add -t to allow test-only builds and -d to allow a version downgrade)

frida

adb push frida-server /data/local/tmp/
adb shell
su
cd /data/local/tmp/
chmod 777 frida-server
setenforce 0
./frida-server &
adb forward tcp:27042 tcp:27042

System API call monitoring (frida-based) https://github.com/dpnishant/appmon

If attaching on a Linux host fails with a ptrace error: sudo sysctl kernel.yama.ptrace_scope=0

This could also be due to Magisk Hide. Try disabling it and rebooting before running your command.

https://github.com/ceres-c/frida-website/blob/41c04f558e918fcbbc95fa7986fadb58dd56503a/_docs/troubleshooting.md
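The frida-server setup above as a reusable host-side script, added here and not taken from the page or from frida's own documentation. It assumes the frida-server release binaries have been unpacked and renamed frida-server-<arch> in the current directory (frida's release files are named frida-server-<version>-android-<arch>.xz), su on the device, and frida-tools on the host; the function names are mine.

```shell
#!/bin/sh
# Added example: push and start frida-server, choosing the binary by device ABI.
# Assumptions: ./frida-server-arm64, ./frida-server-arm, ... exist locally,
# the device is rooted (su), frida-tools is installed on the host.
set -eu

# Map the ABI reported by getprop to frida's android build names.
frida_arch_for_abi() {    # $1 = ro.product.cpu.abi -> arm | arm64 | x86 | x86_64
    case "$1" in
        arm64-v8a)           echo arm64 ;;
        armeabi-v7a|armeabi) echo arm ;;
        x86_64)              echo x86_64 ;;
        x86)                 echo x86 ;;
        *) echo "unsupported abi: $1" >&2; return 1 ;;
    esac
}

start_frida_server() {
    abi="$(adb shell getprop ro.product.cpu.abi | tr -d '\r')"
    arch="$(frida_arch_for_abi "$abi")"
    adb push "frida-server-$arch" /data/local/tmp/frida-server
    # setenforce 0 is the quick fix for SELinux denials on attach; it is global
    # and lasts until reboot. 755 is enough, the binary does not need 777.
    adb shell "su -c 'chmod 755 /data/local/tmp/frida-server && setenforce 0 && \
        nohup /data/local/tmp/frida-server >/dev/null 2>&1 &'"
    adb forward tcp:27042 tcp:27042
    sleep 2
    # Listing processes over USB proves the server is reachable; a wrong-ABI
    # binary or Magisk Hide usually shows up here as a timeout.
    frida-ps -U >/dev/null && echo "frida-server ($arch) is up"
}

if [ "${1:-}" = "start" ]; then start_frida_server; fi
```

Usage: ./frida-up.sh start. If frida-ps hangs, check that the binary matches the ABI and that Magisk Hide is off, as the troubleshooting note above says.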

frida scripts

https://codeshare.frida.re/browse
https://github.com/Nightbringer21/fridump
https://github.com/lyxhh/lxhToolHTTPDecrypt
https://github.com/iddoeldor/frida-snippets
https://github.com/sensepost/objection

JS API

Overloaded methods and constructors (hook constructors through $init, which is <init>; $new is only frida's JS-side allocate-and-construct helper and is never called by Java code, so hooking it catches nothing)

var sclass = Java.use("xxx.class");
sclass.$init.overload('java.lang.String', 'int').implementation = function (s, n) {
    return this.$init(s, n);   // call the original constructor
};

HashMap construction and casting

var HashMap = Java.use("java.util.HashMap");
var Map = Java.use("java.util.Map");

var hashmap = HashMap.$new();
var map = Java.cast(hashmap, Map);   // re-type the wrapper as java.util.Map
map.put("a", "1");
map.put("b", "2");

docs

https://pypkg.com/pypi/frida/api/
https://github.com/frida/frida-java/blob/master/index.js
https://docs.oracle.com/javase/specs/jvms/se8/html/jvms-4.html#jvms-4.3.2

Android commands

Inspect the window stack

adb shell
dumpsys window

Show the activity on top

dumpsys activity top

Launch an activity

am start -n <package>/<activity> [intent args such as -a <action>, -d <data>, --es <key> <value>]

Some activities need intent flags (am start -f <flags>, e.g. -f 0x10000000 for FLAG_ACTIVITY_NEW_TASK); activities that are not exported are refused to the adb shell user and have to be started from a root shell (su -c am start ...).
http://gityuan.com/2016/02/27/am-command/
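The dumpsys and am start commands above, tied together: parse the component that is on top out of dumpsys output, then relaunch it. This is an added example, not from the page; the two dumpsys excerpts are constructed and trimmed so the parsing runs offline, and on a device the same functions are fed from adb shell dumpsys activity top and adb shell dumpsys window. Function names are mine.

```shell
#!/bin/sh
# Added example: extract the top component from dumpsys output and relaunch it.
# The samples below are constructed; real dumpsys output is much longer.
set -eu

# constructed sample of `dumpsys activity top`
SAMPLE_ACTIVITY_TOP='TASK com.example.app id=42 userId=0
  ACTIVITY com.example.app/.ui.MainActivity 7b1c2d3 pid=1234
    Local Activity 4e5f6a7 State:
      mResumed=true mStopped=false mFinished=false'

# constructed sample of the focus lines from `dumpsys window`
SAMPLE_WINDOW='  Window #0 Window{3c8f1b2 u0 StatusBar}:
  Window #1 Window{5a2e9c1 u0 com.example.app/com.example.app.ui.MainActivity}:
  mCurrentFocus=Window{5a2e9c1 u0 com.example.app/com.example.app.ui.MainActivity}
  mFocusedApp=ActivityRecord{9d4f0e u0 com.example.app/.ui.MainActivity t42}'

# stdin: dumpsys activity top -> component from the first ACTIVITY line
top_activity() {
    awk '/^[ \t]*ACTIVITY /{print $2; exit}'
}

# stdin: dumpsys window -> component named in mCurrentFocus (a dialog or the
# keyboard can own focus while dumpsys activity top still lists the app)
focused_window() {
    sed -n 's/.*mCurrentFocus=Window{[^ ]* u[0-9]* \([^}]*\)}.*/\1/p' | head -n 1
}

# Build the am start line. -f 0x10000000 is FLAG_ACTIVITY_NEW_TASK, which some
# activities need when started from outside the app; any further args
# (-a, -d, --es key value ...) are appended as given.
am_start_cmd() {
    comp="$1"; shift
    printf 'am start -n %s -f 0x10000000' "$comp"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# Relaunch whatever is on top. Goes through su because non-exported activities
# are refused to the adb shell user but not to root.
relaunch_top() {
    comp="$(adb shell dumpsys activity top | tr -d '\r' | top_activity)"
    adb shell "su -c '$(am_start_cmd "$comp" "$@")'"
}

if [ "${1:-}" = "relaunch" ]; then shift; relaunch_top "$@"; fi
```

Usage: ./top.sh relaunch --es user alice. To see what the parsers return on the samples: printf '%s\n' "$SAMPLE_WINDOW" | focused_window.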

xposed

https://github.com/ac-pm/Inspeckage
Enable the debuggable flag https://github.com/pylerSM/XInstaller
Spoof hardware identifiers https://github.com/1998lixin/Hardwarecode
SSL pinning bypass https://github.com/Fuzion24/JustTrustMe

Unpacking

Unpack by patching the Android emulator source https://github.com/CheckPointSW/android_unpacker
dex reversing helper (Dalvik) https://github.com/CalebFenton/dex-oracle
Android deobfuscation helper https://github.com/CalebFenton/simplify
https://github.com/WrBug/dumpDex

Decrypting captured traffic

https://github.com/federicodotta/Brida/
http://bobao.360.cn/learning/detail/4209.html

so (native library) reversing helpers

https://github.com/feicong/jni_helper
Rebuild the section table from .dynamic https://github.com/freakishfox/xAnSo (https://bbs.pediy.com/thread-221741.htm)

jadx

jadx parses the resource files when it opens an apk, so on an app with many resources it appears to hang, which is why people keep asking why jadx freezes on their apk. To avoid it, unzip the apk and open the classes*.dex files directly (or pass --no-res to skip resource decoding).

Tools

Android shell https://termux.com/
adb download https://developer.android.com/studio/releases/platform-tools.html
Source-code static analysis (could be adapted) https://github.com/blackarbiter/Android_Code_Arbiter (https://tech.meituan.com/Android-Code-Arbiter.html)
Android SDK https://developer.android.com/studio/index.html?hl=zh-cn
busybox https://busybox.net/downloads/binaries/
Bypass signature checks done via PackageManager.getPackageInfo().signatures https://github.com/L-JINBIN/ApkSignatureKiller
apk self-assessment with drozer https://github.com/mwrlabs/drozer
jadx https://github.com/skylot/jadx
GDA(windows) http://www.gda.wiki:9090/
https://github.com/MobSF/Mobile-Security-Framework-MobSF

Android exploits

https://github.com/ele7enxxh/poc-exp
https://github.com/ScottyBauer/Android_Kernel_CVE_POCs

Hooking without root

https://github.com/android-hacker/VirtualXposed

Genymotion

Google Apps

http://opengapps.org/
https://github.com/opengapps/opengapps

ARM translation

https://forum.xda-developers.com/showthread.php?t=2528952

adb

Set the adb path in Genymotion's settings, or use its bundled adb.

Android learning

https://github.com/iwannabetop/Awesome-Android-Learning-Guide
https://github.com/OWASP/owasp-mstg

Apps to install

Brevent (黑域) https://piebridge.me/br/
Google Camera (stock camera ports) https://www.celsoazevedo.com/files/android/google-camera/
Firewall / traffic control (AFWall+) https://github.com/ukanth/afwall
XPrivacyLua https://github.com/M66B/XPrivacyLua
Google apps (Open GApps) http://opengapps.org/
Greenify https://forum.xda-developers.com/showthread.php?t=2155737
Proxy switching (ProxyDroid) https://play.google.com/store/apps/details?id=org.proxydroid
Root management (Magisk) https://forum.xda-developers.com/apps/magisk
ProxyDroid source https://github.com/madeye/proxydroid
AdBlocker

Flashing

On your device, go into Settings -> About and find the Build Number and tap on it 7 times to enable developer settings. Press back and go into Developer Options and enable USB debugging (and, where present, OEM unlocking). From your computer, open a command prompt and type:

adb reboot bootloader

You should now be in fastboot mode.

Your device needs to be unlocked before it can flash custom images. Unlocking wipes userdata. To unlock your device type:

fastboot oem unlock

(newer devices use fastboot flashing unlock instead)

Download the correct image file and copy the file into the same folder as your adb and fastboot binaries. Rename the image to twrp.img and type:

Boot a temporary TWRP without flashing it: fastboot boot twrp.img

Then use the temporary TWRP to flash the TWRP zip package.

adb reboot recovery

In recovery, select the adb sideload flashing mode, then run adb sideload <zip> from the host.

Download Google Play apps directly

https://apps.evozi.com/apk-downloader/

Other

mount -o rw,remount /system
(needs root; on Android 10+ system-as-root / dynamic-partition builds the remount is refused, so changes have to go through a Magisk module instead)
