Android Reversing: Changing an APK's Package Name to Run Two Copies (Multi-Open)

Preface

Recently a classmate asked me how to change the package name of an app that has already been built. Those who know me know that I like to try things out myself and then share the method, so this time I picked a reading app, chosen at random. Let's look at the result first.



Below is how it was done, together with my thoughts along the way.
PS: If this infringes, contact me and it will be removed. This is for personal study only and not for commercial use.

Preparation

Migu Reading v7.1.1 app
apktool
An editor (I use VS Code with a smali syntax highlighting plugin)

Approach

  • Decompile the apk with apktool
  • First change the package name in AndroidManifest.xml
  • Globally replace the dotted package name, com.xxx.xxxx
  • Globally replace the smali type descriptor form of the package name, Lcom/xxx/xxxx
  • Rename every com/xxx/xxxx folder, because the directory path must correspond to the package name (as with Java source files)
  • Change or remove the smali code that checks the original package name or the app's signature
  • Rebuild the apk with apktool b
  • Sign it with jarsigner and install the apk

Reversing

Decompiling

apktool d com.ophone.reader.ui_7.1.1_129.apk

Change package name

In AndroidManifest.xml we find that its package name is com.ophone.reader.ui.
I will change it to com.ophone.reader.ui01.

Replace every occurrence of com.ophone.reader.ui with com.ophone.reader.ui01.

Changing the package name in the smali code

Replace every occurrence of Lcom/ophone/reader/ui with Lcom/ophone/reader/ui01.

Renaming the folders

Rename the ui folder under every com/ophone/reader path to ui01.
PS: The three steps above could actually be written as a program; it is essentially reading and writing files and renaming directories.
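The reason the folder rename is needed at all is that apktool writes each class to smali/<package path>/<Class>.smali while the file's own .class directive names the same class as a descriptor, L<package path>/<Class>;. The following checker, an added example and not code from the original post, walks a decompiled tree and reports every file where the two disagree, which is what happens when only the strings or only the folders were renamed; the same check is a quick way to spot a hand-edited tree when triaging a suspicious APK. The sample tree is a constructed in-memory dict (the class names follow the post), and the function names are this example's own.

```python
"""Check that smali class descriptors agree with their directory paths.

Added example, not code from the original post. apktool writes each class
to smali/<package path>/<Class>.smali, and that file's `.class` directive
names the same class as a descriptor, L<package path>/<Class>;. A tree
where the two disagree will not reassemble into a working app, and such
disagreements are one sign of a hand-edited, repackaged tree. The sample
tree below is a constructed in-memory dict; nothing touches the disk.
"""
import re
from typing import Dict, List, Optional, Tuple

# `.class` may carry modifiers (public, final, abstract, ...) before the descriptor.
CLASS_RE = re.compile(r'^\.class\s+(?:[a-z]+\s+)*(L[\w/$]+;)', re.MULTILINE)

# Constructed sample tree: relative path -> file content (abridged smali).
SAMPLE_TREE = {
    "smali/com/ophone/reader/ui01/MainActivity.smali":
        ".class public Lcom/ophone/reader/ui01/MainActivity;\n"
        ".super Landroid/app/Activity;\n",
    # The folder was renamed but the descriptor string inside was not.
    "smali/com/ophone/reader/ui01/Helper.smali":
        ".class public final Lcom/ophone/reader/ui/Helper;\n"
        ".super Ljava/lang/Object;\n",
    "smali_classes2/com/cmread/bplusc/bookshelf/WelcomePageActivity.smali":
        ".class public Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;\n"
        ".super Lcom/cmread/uilib/activity/CMActivity;\n",
}


def descriptor_from_path(rel_path: str) -> str:
    """smali[_classesN]/a/b/C.smali -> La/b/C; (the descriptor apktool expects)."""
    parts = rel_path.replace("\\", "/").split("/")
    if parts and parts[0].startswith("smali"):
        parts = parts[1:]
    if not parts or not parts[-1].endswith(".smali"):
        raise ValueError("not a smali file path: %s" % rel_path)
    parts[-1] = parts[-1][: -len(".smali")]
    return "L" + "/".join(parts) + ";"


def declared_descriptor(text: str) -> Optional[str]:
    """Descriptor from the file's .class directive, or None if absent."""
    m = CLASS_RE.search(text)
    return m.group(1) if m else None


def check_tree(files: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (path, expected descriptor, declared descriptor) for every mismatch."""
    mismatches = []
    for path in sorted(files):
        expected = descriptor_from_path(path)
        declared = declared_descriptor(files[path])
        if declared != expected:
            mismatches.append((path, expected, declared))
    return mismatches


if __name__ == "__main__":
    for path, expected, declared in check_tree(SAMPLE_TREE):
        print("%s: path says %s but .class says %s" % (path, expected, declared))
```

On a real tree you would build the dict by walking the apktool output directory (os.walk over every smali* folder) instead of using SAMPLE_TREE; an empty result means every .class directive matches its file location.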

Rebuilding

With the app's package name changed, we are ready to rebuild it.

apktool b com.ophone.reader.ui_7.1.1_129

Once the build finishes, the output on my machine is in com.ophone.reader.ui_7.1.1_129/dist,
where you will find the apk we have tampered with.

Then sign it by running the following command:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore "MartinHanKey.jks" -signedjar _signed.apk ".\com.ophone.reader.ui01_7.1.1_129.apk" "MartinHan"

I will not explain the command above; you can look up the options yourself.

Running it

On launching the app, the following problem appears, as shown in the figure:

Clearly the developers added a signature check or a package-name check.

Analysis

I then searched the resources for the string "The version you installed" and found the following:

<string name="check_sign_notice">The version you installed is not the official version. It is recommended that you visit the wap.cmread.com official website to download and install (note: installing the new version requires uninstalling the current version)</string>

Following name=check_sign_notice, I found this entry in public.xml:

<public type="string" name="check_sign_notice" id="0x7f0701bf" />

So its resource id is 0x7f0701bf.
Searching the whole tree for this id, I found the following code in WelcomePageActivity. This is the critical code, and we need to read it carefully.

    # setContentView is called here
    invoke-virtual {p0, v0}, Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;->setContentView(Landroid/view/View;)V

    # Call the static method a of class com.cmread.bplusc.layout.as and store its
    # boolean result in v0; the branch below depends on that value
    .line 171
    invoke-static {p0}, Lcom/cmread/bplusc/layout/as;->a(Landroid/content/Context;)Z

    move-result v0
    # Branch on the result: if v0 is non-zero, jump to :cond_3
    if-nez v0, :cond_3
    # Set the E field of WelcomePageActivity
    .line 172
    iput-boolean v4, p0, Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;->E:Z
    # The rest builds the dialog box; only the parts that matter are annotated
    .line 173
    iget-object v0, p0, Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;->g:Landroid/content/Context;

    .line 175
    invoke-virtual {p0}, Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;->getResources()Landroid/content/res/Resources;

    move-result-object v2
    # This is the id of the "unofficial version" message string
    const v3, 0x7f0701bf

    invoke-virtual {v2, v3}, Landroid/content/res/Resources;->getString(I)Ljava/lang/String;

    move-result-object v2

    .line 176
    invoke-virtual {p0}, Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;->getResources()Landroid/content/res/Resources;

    move-result-object v3

    const v4, 0x7f070278

    invoke-virtual {v3, v4}, Landroid/content/res/Resources;->getString(I)Ljava/lang/String;

    move-result-object v3

    .line 177
    invoke-virtual {p0}, Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;->getResources()Landroid/content/res/Resources;

    move-result-object v4

    const v5, 0x7f070156

    invoke-virtual {v4, v5}, Landroid/content/res/Resources;->getString(I)Ljava/lang/String;

    move-result-object v4

    new-instance v5, Lcom/cmread/bplusc/bookshelf/hu;

    invoke-direct {v5, p0}, Lcom/cmread/bplusc/bookshelf/hu;-><init>(Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;)V

    new-instance v6, Lcom/cmread/bplusc/bookshelf/hw;

    invoke-direct {v6, p0}, Lcom/cmread/bplusc/bookshelf/hw;-><init>(Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;)V

    new-instance v7, Lcom/cmread/bplusc/bookshelf/hx;

    invoke-direct {v7, p0}, Lcom/cmread/bplusc/bookshelf/hx;-><init>(Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;)V

    .line 173
    invoke-static/range {v0 .. v8}, Lcom/cmread/uilib/dialog/h;->a(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Lcom/cmread/uilib/dialog/CommonReaderDialog$a;Lcom/cmread/uilib/dialog/CommonReaderDialog$a;Lcom/cmread/uilib/dialog/CommonReaderDialog$b;Z)Lcom/cmread/uilib/dialog/CommonReaderDialog;

    goto/16 :goto_0


    ......
    ......
    ......
    ......
    ......
    # :goto_0 is the code below: it calls the parent class's onKeyDown and returns its result

    .line 1071
    :cond_0
    :goto_0
    invoke-super {p0, p1, p2}, Lcom/cmread/uilib/activity/CMActivity;->onKeyDown(ILandroid/view/KeyEvent;)Z

    move-result v0

    :goto_1
    return v0

Having read the method above, we know the key point is if-nez v0, :cond_3.
Change if-nez to if-eqz, then rebuild and run again.
The result is shown in the picture:
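The search just performed by hand (resource name, then its id in public.xml, then the const that loads that id in smali, then the branch just above it) is easy to automate, and it is worth automating from the other side too: a developer who wants to know whether their app's tamper response hangs off a single if-* instruction can run the same walk over their own apktool output. The script below is an added example, not code from the original post; the public.xml and smali samples are constructed from the post's listings (abridged), and the function names are this example's own. The gating branch is found by a linear scan upwards from the const, which is a heuristic rather than a control-flow analysis.

```python
"""Trace a resource string to the smali branch that gates it.

Added example, not code from the original post. It automates the manual
search the post walks through: resource name -> id in public.xml -> the
`const` that loads that id in smali -> the nearest preceding conditional
branch. The public.xml and smali samples below are constructed from the
post's listings (abridged).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant entries from res/values/public.xml.
PUBLIC_XML = """\
<resources>
    <public type="string" name="check_sign_notice" id="0x7f0701bf" />
    <public type="string" name="app_name" id="0x7f070001" />
</resources>
"""

# Constructed sample: an abridged copy of the WelcomePageActivity method.
SMALI = """\
    invoke-static {p0}, Lcom/cmread/bplusc/layout/as;->a(Landroid/content/Context;)Z
    move-result v0
    if-nez v0, :cond_3
    iput-boolean v4, p0, Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;->E:Z
    iget-object v0, p0, Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;->g:Landroid/content/Context;
    invoke-virtual {p0}, Lcom/cmread/bplusc/bookshelf/WelcomePageActivity;->getResources()Landroid/content/res/Resources;
    move-result-object v2
    const v3, 0x7f0701bf
    invoke-virtual {v2, v3}, Landroid/content/res/Resources;->getString(I)Ljava/lang/String;
"""

PUBLIC_RE = re.compile(
    r'<public\s+type="(\w+)"\s+name="([\w.]+)"\s+id="(0x[0-9a-fA-F]+)"')
# const, const/4, const/16, const/high16 ...: destination register and literal.
CONST_RE = re.compile(r'^\s*const(?:/\w+)?\s+([vp]\d+),\s*(-?(?:0x[0-9a-fA-F]+|\d+))\s*$')
# Dalvik conditional branches: if-eq/ne/lt/ge/gt/le and their -z forms.
BRANCH_RE = re.compile(r'^\s*(if-(?:eq|ne|lt|ge|gt|le)z?)\s+(.*?),\s*(:\w+)\s*$')


def resource_ids(public_xml: str) -> Dict[Tuple[str, str], int]:
    """Map (type, name) -> numeric resource id, parsed from public.xml."""
    return {(t, n): int(i, 16) for t, n, i in PUBLIC_RE.findall(public_xml)}


def const_lines(smali: str, value: int) -> List[int]:
    """1-based line numbers of const instructions that load `value`."""
    hits = []
    for no, line in enumerate(smali.splitlines(), 1):
        m = CONST_RE.match(line)
        if m and int(m.group(2), 0) == value:
            hits.append(no)
    return hits


def gating_branch(smali: str, line_no: int) -> Optional[Dict[str, object]]:
    """Nearest conditional branch above `line_no` (linear scan, not a CFG)."""
    lines = smali.splitlines()
    for no in range(line_no - 1, 0, -1):
        m = BRANCH_RE.match(lines[no - 1])
        if m:
            return {"line": no, "opcode": m.group(1),
                    "operands": m.group(2), "label": m.group(3)}
    return None


def locate_check(public_xml: str, smali: str, name: str,
                 rtype: str = "string") -> Optional[Dict[str, object]]:
    """Resource name -> id -> first const loading it -> the branch above it."""
    res_id = resource_ids(public_xml).get((rtype, name))
    if res_id is None:
        return None
    hits = const_lines(smali, res_id)
    if not hits:
        return {"id": res_id, "const_line": None, "branch": None}
    return {"id": res_id, "const_line": hits[0],
            "branch": gating_branch(smali, hits[0])}


if __name__ == "__main__":
    r = locate_check(PUBLIC_XML, SMALI, "check_sign_notice")
    print("id=0x%08x, loaded at line %s, gated by %s"
          % (r["id"], r["const_line"], r["branch"]))
```

On a real decompiled tree you would read res/values/public.xml and each .smali file from disk in place of the two constants; a result whose branch is a single if-eqz/if-nez directly above the dialog is exactly the pattern the post exploits, and the finding a reviewer would want to see before shipping.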

Closing words

Everything is now done: we have achieved the effect shown at the beginning of this article. Migu Reading runs as two copies, with its package name changed, and it passed the check.

About me

Personal blog: Martin Han's station
Zhihu: MartinHan01

Keywords: xml Android Java SHA1

Added by 88fingers on Wed, 22 May 2019 23:36:49 +0300