Android第一代DEX落地加固技术详解<\/h1>

一、DEX加固基础理论<\/h2>

1.1 DEX文件关键字段<\/h3>

DEX加固主要涉及DEX头部的三个关键字段：<\/p>

checksum<\/strong>：文件校验码，使用alder32算法校验文件除去magic、checksum外余下的所有文件区域<\/li>
signature<\/strong>：使用SHA-1算法hash除去magic、checksum和signature外余下的所有文件区域<\/li>

file_size<\/strong>：DEX文件的大小<\/li> <\/ol>
1.2 加固基本原理<\/h3>
DEX加固的核心是一个拼接过程：<\/p>
成品 = 待加固app(加密后) + 解密dex <\/code><\/pre> 加固后需要手动修改上述三个字段以保证DEX文件的合法性。<\/p> 二、加固流程<\/h2> 2.1 加密源APP流程<\/h3> 加密源APP<\/li> 将加密后的源APP放在壳(classes.dex)后面，最后4个字节填充源APP大小<\/li> 修改壳的checksum、signature和file_size<\/li> <\/ol> 2.2 解壳流程<\/h3> 主动读取classes.dex末端的加密数据<\/li> 调用本APK的解密方法进行解密<\/li> 动态加载解密之后的APK<\/li> <\/ol> 三、关键技术实现<\/h2> 3.1 动态加载解密APK<\/h3> 使用DexClassLoader加载解密后的APK，并替换LoadedApk中的mClassLoader字段：<\/p> RefInvoke.<\/span>setFieldOjbect<\/span>(<\/span>"android.app.LoadedApk"<\/span>,<\/span>"mClassLoader"<\/span>,<\/span> <\/span><\/span> weakReference.<\/span>get<\/span>(),<\/span> DexClassLoader);<\/span> <\/span><\/span><\/code><\/pre>3.2 加密和组装实现<\/h3> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> \/\/ 读取源APK和壳DEX <\/span><\/span><\/span><\/span> File payloadSrcFile =<\/span> new<\/span> File(<\/span>"原apk路径"<\/span>);<\/span> <\/span><\/span> File unShellDexFile =<\/span> new<\/span> File(<\/span>"壳dex路径"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 加密源APK（此处使用异或加密示例） <\/span><\/span><\/span><\/span> byte<\/span>[]<\/span> payloadArray =<\/span> encrpt(<\/span>readFileBytes(<\/span>payloadSrcFile),<\/span> 0x66<\/span>);<\/span> <\/span><\/span> byte<\/span>[]<\/span> unShellDexArray =<\/span> readFileBytes(<\/span>unShellDexFile);<\/span> <\/span><\/span> <\/span><\/span> int<\/span> payloadLen =<\/span> payloadArray.<\/span>length<\/span>;<\/span> <\/span><\/span> int<\/span> unShellDexLen =<\/span> unShellDexArray.<\/span>length<\/span>;<\/span> <\/span><\/span> int<\/span> totalLen =<\/span> payloadLen +<\/span> unShellDexLen +<\/span> 4<\/span>;<\/span> \/\/ 最后4字节存储源APP大小 <\/span><\/span><\/span><\/span> <\/span><\/span> byte<\/span>[]<\/span> newdex =<\/span> new<\/span> byte<\/span>[<\/span>totalLen];<\/span> <\/span><\/span> <\/span><\/span> \/\/ 组装新DEX <\/span><\/span><\/span><\/span> System.<\/span>arraycopy<\/span>(<\/span>unShellDexArray,<\/span> 0<\/span>,<\/span> newdex,<\/span> 0<\/span>,<\/span> unShellDexLen);<\/span> <\/span><\/span> System.<\/span>arraycopy<\/span>(<\/span>payloadArray,<\/span> 0<\/span>,<\/span> newdex,<\/span> unShellDexLen,<\/span> payloadLen);<\/span> <\/span><\/span> System.<\/span>arraycopy<\/span>(<\/span>intToByte(<\/span>payloadLen),<\/span> 0<\/span>,<\/span> newdex,<\/span> totalLen-<\/span>4<\/span>,<\/span> 4<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 修正DEX头 <\/span><\/span><\/span><\/span> fixFileSizeHeader(<\/span>newdex);<\/span> <\/span><\/span> fixSHA1Header(<\/span>newdex);<\/span> <\/span><\/span> fixCheckSumHeader(<\/span>newdex);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 保存新DEX <\/span><\/span><\/span><\/span> File file =<\/span> new<\/span> File(<\/span>"输出路径"<\/span>);<\/span> <\/span><\/span> if<\/span> (!<\/span>file.<\/span>exists<\/span>())<\/span> {<\/span> <\/span><\/span> file.<\/span>createNewFile<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> FileOutputStream localFileOutputStream =<\/span> new<\/span> FileOutputStream(<\/span>file);<\/span> <\/span><\/span> localFileOutputStream.<\/span>write<\/span>(<\/span>newdex);<\/span> <\/span><\/span> localFileOutputStream.<\/span>flush<\/span>();<\/span> <\/span><\/span> localFileOutputStream.<\/span>close<\/span>();<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.3 System.arraycopy方法详解<\/h3> 方法原型：<\/p> public<\/span> static<\/span> void<\/span> arraycopy<\/span>(<\/span>Object src,<\/span> int<\/span> srcPos,<\/span> Object dest,<\/span> int<\/span> destPos,<\/span> int<\/span> length)<\/span> <\/span><\/span><\/code><\/pre>参数说明：<\/p> src: 源数组<\/li> srcPos: 源数组开始复制的位置<\/li> dest: 目标数组<\/li> destPos: 目标数组开始粘贴的位置<\/li> length: 要复制的元素数量<\/li> <\/ul> 四、解壳APK实现要点<\/h2> 4.1 AndroidManifest.xml配置<\/h3> 解壳APP不需要启动界面，直接配置主启动Activity为待加固APP的入口：<\/p> <activity<\/span> android:name=<\/span>"待加固APP的主Activity"<\/span>><\/span> <\/span><\/span> <intent-filter><\/span> <\/span><\/span> <action<\/span> android:name=<\/span>"android.intent.action.MAIN"<\/span> \/><\/span> <\/span><\/span> <category<\/span> android:name=<\/span>"android.intent.category.LAUNCHER"<\/span> \/><\/span> <\/span><\/span> <\/intent-filter><\/span> <\/span><\/span><\/activity><\/span> <\/span><\/span><\/code><\/pre>4.2 Application类配置<\/h3> 在解壳APP的AndroidManifest.xml中添加描述信息：<\/p> <meta-data<\/span> <\/span><\/span> android:name=<\/span>"APPLICATION_CLASS_NAME"<\/span> <\/span><\/span> android:value=<\/span>"com.android.sourceapp.XApplication"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre>其中com.android.sourceapp.XApplication<\/code>是源APP的一个简单Application类：<\/p> package<\/span> com.android.sourceapp;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> android.app.Application;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> XApplication<\/span> extends<\/span> Application {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> void<\/span> onCreate<\/span>()<\/span> {<\/span> <\/span><\/span> super<\/span>.<\/span>onCreate<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>五、实践注意事项<\/h2> 加固后处理<\/strong>：生成加密后的dex后，直接替换原APP的classes.dex，无需重新签名<\/li> 首次运行<\/strong>：第一次运行会进行解密操作，后续运行直接使用解密后的APK（落地加载特性）<\/li> 测试环境<\/strong>：建议在Android 9环境（如雷电模拟器9）进行测试<\/li> <\/ol> 六、参考实现<\/h2> DEX头修改函数<\/strong>：<\/p> fixFileSizeHeader()<\/code>：修正DEX文件大小<\/li> fixSHA1Header()<\/code>：重新计算SHA1签名<\/li> fixCheckSumHeader()<\/code>：重新计算校验和<\/li> <\/ul> <\/li> 辅助函数<\/strong>：<\/p> readFileBytes()<\/code>：读取文件为字节数组<\/li> intToByte()<\/code>：整型转字节数组<\/li> encrpt()<\/code>：加密函数（示例中使用简单异或加密）<\/li> <\/ul> <\/li> <\/ol> 七、常见问题解决<\/h2> Application替换失败<\/strong>：确保meta-data中的APPLICATION_CLASS_NAME指向源APP的正确Application类<\/li> 类加载问题<\/strong>：检查DexClassLoader的路径设置和权限<\/li> 签名验证<\/strong>：某些APP可能有签名校验，需要在源APP中处理或绕过<\/li> <\/ol> 通过以上步骤和注意事项，可以实现Android第一代DEX落地加固方案，有效保护APK中的代码安全。<\/p>