[Android] Decompile an APK and debug its smali in Eclipse

I never thought decompiling an APK could be this convenient: the decompiled code can be modified, recompiled and run again, which is far easier than patching a PE file on Windows. Thanks to the authors of apktool and smali for providing such good tools.


The usual way to trace an APK is to insert log output into the decompiled smali code, recompile, run it and read the log. That is slow and laborious; real-time debugging would be far better. Searching around, the better method turned out to be NetBeans + DDMS. I tried debugging that way, but I know little about operating NetBeans; Eclipse is probably what most people use, and the setup is more or less the same as with NetBeans.

Debugging steps:

1. Decompile the APK with apktool in debug mode into the out folder (the current apktool version is 2.0.0b7).

java -jar apktool_2.0.0b7.jar d -d test.apk -o out

The -d parameter is required here: with it, the decompiled code is written with a .java suffix, and only .java files are recognized by the Eclipse/NetBeans debugger.

2. Set the debug flag and find the main class.

In the out folder, open AndroidManifest.xml in a text editor and set the android:debuggable attribute on the application node to "true".

In AndroidManifest.xml, search for the following:

<intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>

Find the activity node containing the above intent-filter and note the value of its android:name attribute: that is the application's main class. In the example below, the main class is com.acids.helloworld.MainActivity.

<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.acids.helloworld">
    <application android:debuggable="true" android:allowBackup="true" android:icon="@drawable/ic_launcher" android:label="@string/app_name" android:theme="@style/AppTheme">
        <activity android:label="@string/app_name" android:name="com.acids.helloworld.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>

3. Add a debugger wait in the onCreate method of the main class.

Open the main class file in a text editor, find the onCreate method and insert invoke-static {}, Landroid/os/Debug;->waitForDebugger()V as its first statement. Remember to add the a=0;// prefix so the line stays consistent with the rest of the file. The result looks like this:

a=0;// # virtual methods
a=0;// .method protected onCreate(Landroid/os/Bundle;)V
a=0;//     invoke-static {}, Landroid/os/Debug;->waitForDebugger()V
a=0;// 
a=0;//     .locals 1
a=0;//     .param p1, "savedInstanceState"    # Landroid/os/Bundle;
a=0;// 
a=0;//     .prologue
a=0;//     .line 11
a=0;//     invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

4. Save the file and recompile with apktool into debug.apk.

java -jar apktool_2.0.0b7.jar b -d out -o debug.apk

5. Sign debug.apk (a signing tool must be downloaded; I put it in the signapk folder), producing debug.sign.apk.

java -jar .\signapk\signapk.jar .\signapk\testkey.x509.pem .\signapk\testkey.pk8 .\debug.apk .\debug.sign.apk

6. Upload debug.sign.apk to the phone or emulator, install it and run it. You will see the program sitting on a white screen; do not touch the device or exit the program, because execution has now reached the waitForDebugger call we just added, which suspends the program until a debugger attaches.
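The manifest and smali edits of steps 2 and 3 are easy to get wrong by hand (a missed a=0;// prefix, the wrong activity). The script below is an added example, not part of the original post or of apktool: it locates the MAIN/LAUNCHER activity in the apktool output, sets android:debuggable="true", and inserts the waitForDebugger call as the first statement of that activity's onCreate in apktool's -d debug format. It assumes apktool -d writes the activity's debug smali to out/smali/<package path>/<Class>.java; the sample manifest and smali embedded in it are constructed from the snippets above.

```python
"""Added example (not from the post): automate the manual edits of steps 2 and 3
on an apktool -d output folder. Assumption: apktool -d stores the debug-format
smali of a class at <out>/smali/<package/path>/<Class>.java."""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix when serializing
ANDROID_NAME = f"{{{ANDROID_NS}}}name"

# The line the post inserts as the first statement of onCreate (debug-format smali).
WAIT_LINE = "a=0;//     invoke-static {}, Landroid/os/Debug;->waitForDebugger()V"
ONCREATE_RE = re.compile(r"^a=0;//\s*\.method\b.*\bonCreate\(Landroid/os/Bundle;\)V\s*$")

# Constructed sample input, modelled on the manifest and smali shown in the post.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.acids.helloworld">
    <application android:allowBackup="true" android:label="@string/app_name">
        <activity android:label="@string/app_name" android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>"""
SAMPLE_SMALI = (
    "a=0;// # virtual methods\n"
    "a=0;// .method protected onCreate(Landroid/os/Bundle;)V\n"
    "a=0;//     .locals 1\n"
    "a=0;//     invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V\n"
)


def find_main_activity(manifest_xml: str) -> Optional[str]:
    """Fully qualified class of the activity whose intent-filter has action MAIN
    and category LAUNCHER; None if the manifest has no launcher activity."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    for activity in root.iter("activity"):
        for filt in activity.findall("intent-filter"):
            actions = {a.get(ANDROID_NAME) for a in filt.findall("action")}
            categories = {c.get(ANDROID_NAME) for c in filt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                name = activity.get(ANDROID_NAME, "")
                # A leading dot means the class name is relative to the package.
                return package + name if name.startswith(".") else name
    return None


def set_debuggable(manifest_xml: str) -> str:
    """Return the manifest with android:debuggable="true" set on <application>."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    app.set(f"{{{ANDROID_NS}}}debuggable", "true")
    return ET.tostring(root, encoding="unicode")


def insert_wait_for_debugger(debug_smali: str) -> str:
    """Insert WAIT_LINE directly after the .method line of onCreate(Bundle), as the
    post does. Refuses to insert twice and fails loudly if onCreate is absent."""
    if WAIT_LINE in debug_smali:
        raise ValueError("waitForDebugger call is already present")
    out, inserted = [], False
    for line in debug_smali.splitlines():
        out.append(line)
        if not inserted and ONCREATE_RE.match(line):
            out.append(WAIT_LINE)
            inserted = True
    if not inserted:
        raise ValueError("no onCreate(Landroid/os/Bundle;)V method found")
    return "\n".join(out) + "\n"


def debug_smali_path(out_dir: str, class_name: str) -> Path:
    """Location of the class's debug-format smali (assumed apktool -d layout)."""
    return Path(out_dir) / "smali" / (class_name.replace(".", "/") + ".java")


def patch_out_dir(out_dir: str) -> str:
    """Apply both edits in place to an apktool -d folder; returns the main class."""
    manifest = Path(out_dir) / "AndroidManifest.xml"
    xml_text = manifest.read_text(encoding="utf-8")
    main_class = find_main_activity(xml_text)
    if main_class is None:
        raise ValueError("no MAIN/LAUNCHER activity in manifest")
    manifest.write_text(set_debuggable(xml_text), encoding="utf-8")
    smali = debug_smali_path(out_dir, main_class)
    smali.write_text(insert_wait_for_debugger(smali.read_text(encoding="utf-8")),
                     encoding="utf-8")
    return main_class


if __name__ == "__main__":
    if len(sys.argv) > 1:   # python patch_debug.py out  -> then: apktool b -d out -o debug.apk
        print("patched main class:", patch_out_dir(sys.argv[1]))
    else:                   # no folder given: show the edits on the constructed samples
        print(find_main_activity(SAMPLE_MANIFEST))
        print(insert_wait_for_debugger(SAMPLE_SMALI))
```

After running it against the out folder, continue with step 4 (apktool b -d) and step 5 (signing) exactly as above; the script only performs the text edits, so every change it makes is visible in a diff of the out folder before you rebuild.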


Next, set up the real-time debugging environment.

7. Go into the out folder from step 1 and delete the build and dist folders inside it; they are apktool's output from building the apk.

8. Start Eclipse and create a Java project:

  1) File -> New -> Project -> Java Project -> Next

  2) Enter a Project Name, untick Use default location, select the out folder as the Location, then Next

  3) Set the smali folder as the Source Folder, and Finish

9. In Eclipse, open the main class found in step 2, find the onCreate method and set a breakpoint on the first statement after the waitForDebugger call, as shown in the diagram below.

10. Open DDMS (at %android-sdks%\tools\ddms.bat). If the program modified in step 6 is running, it appears as a debuggable process in the DDMS device list.

The last column for that process shows 8600/8700, of which 8600 is the program's debug port.

11. What remains is to associate the code with the running program. Back in Eclipse, configure remote debugging:

1) Menu Run -> Debug Configurations

2) Double-click Remote Java Application; leave Host at the default localhost, set Port to the 8600 obtained in step 10, then Apply -> Debug.

12. Eclipse switches automatically to the Debug view; you can see that the program is running and suspended, step to the next line of code, and inspect the relevant variables directly.

Now you can debug smali in Eclipse. The example above starts debugging from the program's entry point, but stepping from there to the code you actually care about is tedious. It is recommended to view the decompiled Java code in jd-gui first to determine the location of interest, then set a breakpoint at the corresponding smali location and debug there in real time; this gets twice the result with half the effort.

Related tools can be downloaded here:

  apktool: https://code.google.com/p/android-apktool/

  jd-gui

Posted by Berton at March 21, 2014 - 10:09 AM