APK逆向分析教学 - 以某GIF工具为例<\/h1>

1. 准备工作<\/h2>

1.1 工具准备<\/h3>

MT管理器：用于查看APK信息<\/li>
Activity记录器：用于追踪Activity跳转<\/li>
Frida：用于动态Hook和调试<\/li>
NP管理器：用于修改smali代码<\/li>

JD-GUI\/JADX：用于反编译查看Java\/Kotlin代码<\/li> <\/ul>

1.2 目标应用分析<\/h3>

目标应用：某GIF处理工具<\/li>
主要功能：MP4转GIF、文字GIF等功能<\/li>

限制：部分功能需要VIP会员<\/li> <\/ul>

2. 去除启动广告<\/h2>

2.1 定位启动Activity<\/h3>

使用Activity记录器发现启动流程：

SplashAdActivity<\/code> → MainActivity<\/code><\/li>
<\/ul>
2.2 分析广告逻辑<\/h3>

发现使用了TopOn广告SDK：

private final com.ad.topon.kt.g topOnSplash = new com.ad.topon.kt.g();<\/code><\/li>
<\/ul>
2.3 关键判断逻辑<\/h3>

广告显示条件判断：
if<\/span> (<\/span>repository.<\/span>p<\/span>()<\/span> &&<\/span> repository.<\/span>j<\/span>())<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2.4 使用Frida Hook验证<\/h3>

Frida脚本示例：
function<\/span> carhook3<\/span>(){
<\/span><\/span>  let<\/span> Repository<\/span> =<\/span> Java<\/span>.use<\/span>("com.didikee.gifparser.data.Repository"<\/span>);
<\/span><\/span>  Repository<\/span>["p"<\/span>].implementation<\/span> =<\/span> function<\/span> () {
<\/span><\/span>    console<\/span>.log<\/span>('p is called'<\/span>);
<\/span><\/span>    let<\/span> ret<\/span> =<\/span> this<\/span>.p<\/span>();
<\/span><\/span>    console<\/span>.log<\/span>('p ret value is '<\/span> +<\/span> ret<\/span>);
<\/span><\/span>    return<\/span> ret<\/span>;
<\/span><\/span>  };
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>function<\/span> carhook4<\/span>(){
<\/span><\/span>  let<\/span> Repository<\/span> =<\/span> Java<\/span>.use<\/span>("com.didikee.gifparser.data.Repository"<\/span>);
<\/span><\/span>  Repository<\/span>["j"<\/span>].implementation<\/span> =<\/span> function<\/span> () {
<\/span><\/span>    console<\/span>.log<\/span>('j is called'<\/span>);
<\/span><\/span>    let<\/span> ret<\/span> =<\/span> this<\/span>.j<\/span>();
<\/span><\/span>    console<\/span>.log<\/span>('j ret value is '<\/span> +<\/span> ret<\/span>);
<\/span><\/span>    return<\/span> ret<\/span>;
<\/span><\/span>  };
<\/span><\/span>};
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2.5 修改smali代码绕过广告<\/h3>

修改p()<\/code>和j()<\/code>的判断条件：

将if-eqz<\/code>改为if-nez<\/code><\/li>
或在判断前直接赋值0x1<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
3. 绕过会员限制<\/h2>
3.1 定位VIP判断逻辑<\/h3>

关键Activity：com.didikee.gifparser.ui.animation.LottieAnimationActivity2<\/code><\/li>
关键函数：repository.j()<\/code>用于VIP判断<\/li>
<\/ul>
3.2 分析VIP判断函数<\/h3>
public<\/span> final<\/span> boolean<\/span> j<\/span>()<\/span> {<\/span>
<\/span><\/span>    Object obj;<\/span>
<\/span><\/span>    o.<\/span>c<\/span> value =<\/span> f24491d.<\/span>getValue<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>value ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            obj =<\/span> com.<\/span>blankj<\/span>.<\/span>utilcode<\/span>.<\/span>util<\/span>.<\/span>f0<\/span>.<\/span>h<\/span>(<\/span>g().<\/span>decodeString<\/span>(<\/span>a.<\/span>f24521c<\/span>),<\/span> o.<\/span>c<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception unused)<\/span> {<\/span>
<\/span><\/span>            obj =<\/span> null<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        value =<\/span> (<\/span>o.<\/span>c<\/span>)<\/span> obj;<\/span>
<\/span><\/span>        if<\/span> (<\/span>value ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            return<\/span> false<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    if<\/span> (<\/span>f0.<\/span>g<\/span>(<\/span>value.<\/span>l0<\/span>(),<\/span> Boolean.<\/span>TRUE<\/span>))<\/span> {<\/span>
<\/span><\/span>        return<\/span> true<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    Long b02 =<\/span> value.<\/span>b0<\/span>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>b02 ==<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    if<\/span> (<\/span>System.<\/span>currentTimeMillis<\/span>()<\/span> ><\/span> b02.<\/span>longValue<\/span>()<\/span> *<\/span> 1000<\/span>)<\/span> {<\/span>
<\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> true<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.3 修改VIP判断<\/h3>

修改所有return false<\/code>为return true<\/code><\/li>
或修改判断条件使函数始终返回true<\/code><\/li>
<\/ul>
4. 去除应用内广告<\/h2>
4.1 定位广告Activity<\/h3>

目标Activity：com.didikee.gifparser.ui.ResultShareActivity<\/code><\/li>
<\/ul>
4.2 分析广告初始化<\/h3>

关键函数：initAds()<\/code><\/li>
调用位置：startFlow()<\/code>函数中<\/li>
<\/ul>
4.3 修改广告初始化<\/h3>

在initAds()<\/code>函数开头添加return-void<\/code><\/li>
这将跳过所有广告初始化代码<\/li>
<\/ul>
5. 总结与关键点<\/h2>
5.1 关键修改点<\/h3>


启动广告<\/strong>：<\/p>

修改SplashAdActivity<\/code>中的repository.p()<\/code>和repository.j()<\/code>判断<\/li>
<\/ul>
<\/li>

VIP功能<\/strong>：<\/p>

修改repository.j()<\/code>函数使其始终返回true<\/code><\/li>
<\/ul>
<\/li>

应用内广告<\/strong>：<\/p>

在initAds()<\/code>函数开头添加return-void<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
5.2 技术要点<\/h3>

Activity跳转分析<\/strong>：使用Activity记录器追踪应用流程<\/li>
Frida动态Hook<\/strong>：验证函数返回值和行为<\/li>
smali代码修改<\/strong>：

条件判断修改(if-eqz<\/code>→if-nez<\/code>)<\/li>
函数返回值修改<\/li>
添加提前返回指令(return-void<\/code>)<\/li>
<\/ul>
<\/li>
<\/ul>
5.3 注意事项<\/h3>

修改后需要重新签名APK才能安装<\/li>
对于Kotlin编写的应用，smali代码可能较为复杂<\/li>
不同版本的应用可能需要调整修改点<\/li>
本文内容仅供学习研究使用<\/li>
<\/ol>
5.4 扩展思路<\/h3>

可以进一步分析网络请求，找到VIP验证的API并模拟响应<\/li>
对于更复杂的广告SDK，可能需要分析广告加载和显示的全部流程<\/li>
可以尝试修改资源文件来改变UI显示<\/li>
<\/ul>

APK逆向分析教学 - 以某GIF工具为例<\/h1>

1. 准备工作<\/h2>

2. 去除启动广告<\/h2>

3. 绕过会员限制<\/h2>

4. 去除应用内广告<\/h2>

5. 总结与关键点<\/h2>

5.4 扩展思路<\/h3> 可以进一步分析网络请求，找到VIP验证的API并模拟响应<\/li> 对于更复杂的广告SDK，可能需要分析广告加载和显示的全部流程<\/li> 可以尝试修改资源文件来改变UI显示<\/li> <\/ul>

5.4 扩展思路<\/h3>

可以进一步分析网络请求，找到VIP验证的API并模拟响应<\/li>
对于更复杂的广告SDK，可能需要分析广告加载和显示的全部流程<\/li>
可以尝试修改资源文件来改变UI显示<\/li> <\/ul>