Optimizing the Android Reverse-Engineering Experience

Posted by API Caller on July 7, 2019

adb shell is too painful to use; let's find some workarounds.

Enable wireless debugging by default (still works after a reboot)

adb shell su -c "setprop persist.adb.tcp.port 5555"

Sometimes it seems unable to connect; reconnecting to Wi-Fi fixes it. Keep in mind that adbd now listens on TCP port 5555 after every boot, so anyone on the same network can reach it; adb's key-authorization prompt still applies, but clear the property when you no longer need it.

Packet Capture

Configure Charles

Configure a SOCKS5 proxy

Install ProxyDroid (long unmaintained; Drony is recommended instead)

Of course, it can also be configured to get around the firewall.

Drony

Drony setup tutorial for Wi-Fi environments

Magisk

Nano for Android NDK

Search for nano in Magisk's Downloads section, i.e. Magisk-Modules-Repo/nano-ndk.

SSH for Magisk

Search for ssh in Magisk's Downloads section, i.e. d4rcm4rc/MagiskSSH.

Install and reboot.

Configure the public key

# on the host: -f keeps the key pair in the current directory, matching the push below
ssh-keygen -t rsa -f id_rsa

adb push id_rsa.pub /data/ssh/shell/.ssh/authorized_keys
# chmod runs on the device, as root, not on the host
adb shell su -c "chmod 600 /data/ssh/shell/.ssh/authorized_keys"

adb push id_rsa.pub /data/ssh/root/.ssh/authorized_keys
adb shell su -c "chmod 600 /data/ssh/root/.ssh/authorized_keys"

Edit /data/ssh/sshd_config

PasswordAuthentication yes
PermitEmptyPasswords yes
PermitUserEnvironment yes

Only PermitUserEnvironment is needed for the environment file below. PasswordAuthentication together with PermitEmptyPasswords lets anyone who can reach the sshd port log in to an account with an empty password, so leave those two at no unless password logins are actually required.
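An added example, not part of the original post: a small POSIX sh audit of an sshd_config like the one above. It applies sshd's own rule that the first occurrence of a keyword wins, counts the password options that are switched on, and runs here against a constructed sample file; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit a file such as
# /data/ssh/sshd_config for the options this section touches.
# sshd uses the FIRST occurrence of a keyword, so a later "no" does not
# override an earlier "yes"; effective_opt mirrors that rule.

# effective_opt FILE KEYWORD -> prints the effective value (lower case), or "unset"
effective_opt() {
    key=$(echo "$2" | tr 'A-Z' 'a-z')
    # strip comments, match the keyword case-insensitively, stop at the first hit
    val=$(sed 's/#.*//' "$1" | awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
    if [ -n "$val" ]; then echo "$val"; else echo "unset"; fi
}

# warn_count FILE -> number of password-login options that are effectively "yes"
warn_count() {
    n=0
    for opt in PasswordAuthentication PermitEmptyPasswords; do
        [ "$(effective_opt "$1" "$opt")" = yes ] && n=$((n + 1))
    done
    echo "$n"
}

# audit_sshd FILE -> one line per option; WARN for the password options when on
audit_sshd() {
    for opt in PasswordAuthentication PermitEmptyPasswords; do
        v=$(effective_opt "$1" "$opt")
        if [ "$v" = yes ]; then echo "WARN $opt=$v"; else echo "OK   $opt=$v"; fi
    done
    echo "INFO PermitUserEnvironment=$(effective_opt "$1" PermitUserEnvironment) (needed for ~/.ssh/environment)"
    echo "INFO $(warn_count "$1") password-related option(s) enabled"
}

# Constructed sample mirroring the section above, plus a later "no" that sshd ignores
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# sample sshd_config (constructed)
PasswordAuthentication yes
PermitEmptyPasswords yes
PermitUserEnvironment yes
PermitEmptyPasswords no   # ignored: first occurrence wins
EOF
audit_sshd "$SAMPLE"
```

On the phone, run it as `audit_sshd /data/ssh/sshd_config` from the MagiskSSH shell.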

Add environment variables

# run on the device as root; printf keeps the newlines portable across shells
# (echo's handling of \n differs between mksh, toybox and bash)
ENV='LD_LIBRARY_PATH=.:/vendor/lib:/system/lib
PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin:/sbin/.magisk/modules/ssh/usr/bin
ANDROID_DATA=/data
ANDROID_ROOT=/system'

for u in root shell; do
    printf '%s\n' "$ENV" > /data/ssh/$u/.ssh/environment
done

Restart sshd

/sbin/.magisk/modules/ssh/opensshd.init restart

Then connect directly.

GNU Utils For Android

Search for gnu in Magisk's Downloads section, i.e. Zackptg5/GNU-Utils-Android.

Curl For Android

Search for curl in Magisk's Downloads section, i.e. Zackptg5/Curl-For-Android.

Move Certificates

Search for move in Magisk's Downloads section, i.e. yochananmarqos/Move-Certificates.

Moves certificates from the user certificate store into the system store, which removes the "network may be monitored" warning; since Android 7 this is also what makes apps that only trust system CAs accept the Charles certificate.

MagiskFrida

AeonLucid/MagiskFrida.

Runs frida-server automatically at boot.

Binaries

unzip

Sources for prebuilt static ARM binaries:

https://github.com/therealsaumil/static-arm-bins
https://github.com/jakev/android-binaries
https://forum.xda-developers.com/showthread.php?t=1612760
https://forum.xda-developers.com/android/software/utils-data-recovery-tools-testdisk-t3709380

# download unzip and tar (static builds from jakev/android-binaries) into /vendor/bin
# -k skips TLS certificate checks and the files arrive through a third-party proxy,
# so compare each file's sha256 against a copy fetched directly from github.com
# over a verified connection before running it as root
# if /vendor is its own read-only partition, first: mount -o rw,remount /vendor

install_bin() {
    curl -k -O "https://a.downloader.workers.dev/proxy/raw.githubusercontent.com/jakev/android-binaries/master/$1"
    mv "$1" "/vendor/bin/$1"
    chmod u=rwx,g=rx,o=rx "/vendor/bin/$1"
    chown root:root "/vendor/bin/$1"
}

install_bin unzip
install_bin tar

unzip -h
tar --help

When flashing a downgrade, erase the partitions first:

fastboot erase radio
fastboot erase system
fastboot erase vendor
fastboot erase userdata
fastboot erase recovery
fastboot erase boot
fastboot erase cache

Slim the system image down a bit

# debloat: remount /system writable, remove the app directories below, remount read-only at the end
mount -o rw,remount /system

rm -rf /system/app/Books
rm -rf /system/app/Drive
rm -rf /system/app/EditorsDocsStub
rm -rf /system/app/EditorsSheetsStub
rm -rf /system/app/EditorsSlidesStub
rm -rf /system/app/FitnessPrebuilt
rm -rf /system/app/Hangouts
rm -rf /system/app/KoreanIME
rm -rf /system/app/Maps
rm -rf /system/app/PlayGames
rm -rf /system/app/PlusOne
rm -rf /system/app/NewsstandStub
rm -rf /system/app/PrebuiltGmail
rm -rf /system/app/PrebuiltKeepStub
rm -rf /system/app/PrebuiltNewsWeather
rm -rf /system/app/YouTube
rm -rf /system/app/Videos
rm -rf /system/app/Wallet
rm -rf /system/app/PrebuiltDeskClockGoogle
rm -rf /system/app/CalculatorGoogle
rm -rf /system/app/FaceLock
rm -rf /system/app/Music2
rm -rf /system/app/CalendarGooglePrebuilt
rm -rf /system/app/CloudPrint2
rm -rf /system/app/GoogleContactsSyncAdapter
rm -rf /system/app/GoogleEars
rm -rf /system/app/GoogleHindiIME
rm -rf /system/app/GoogleTTS
rm -rf /system/app/LiveWallpapersPicker
rm -rf /system/app/MediaShortcuts
rm -rf /system/app/Photos
rm -rf /system/app/PrebuiltExchange3Google
rm -rf /system/app/talkback
rm -rf /system/app/iWnnIME


# rm -rf /system/app/BasicDreams
# rm -rf /system/app/Bluetooth
# rm -rf /system/app/BluetoothMidiService
# rm -rf /system/app/CaptivePortalLogin
# rm -rf /system/app/CertInstaller
# rm -rf /system/app/Chrome
# rm -rf /system/app/DMAgent
# rm -rf /system/app/DocumentsUI
# rm -rf /system/app/DownloadProviderUi
# rm -rf /system/app/GoogleCamera
# rm -rf /system/app/GoogleHome
# rm -rf /system/app/GooglePinyinIME
# rm -rf /system/app/HTMLViewer
# rm -rf /system/app/KeyChain
# rm -rf /system/app/LatinImeGoogle
# rm -rf /system/app/NfcNci
# rm -rf /system/app/PacProcessor
# rm -rf /system/app/PartnerBookmarksProvider
# rm -rf /system/app/PrebuiltBugleStub
# rm -rf /system/app/PrintSpooler
# rm -rf /system/app/Stk
# rm -rf /system/app/SunBeam
# rm -rf /system/app/TimeService
# rm -rf /system/app/UpdateSetting
# rm -rf /system/app/UserDictionaryProvider
# rm -rf /system/app/WebViewGoogle
# rm -rf /system/app/qcrilmsgtunnel
# rm -rf /system/app/shutdownlistener


# rm -rf /system/priv-app/BackupRestoreConfirmation
# rm -rf /system/priv-app/CalendarProvider
# rm -rf /system/priv-app/CallLogBackup
# rm -rf /system/priv-app/CarrierConfig
# rm -rf /system/priv-app/CellBroadcastReceiver
# rm -rf /system/priv-app/ConfigUpdater
# rm -rf /system/priv-app/ContactsProvider
# rm -rf /system/priv-app/DefaultContainerService
# rm -rf /system/priv-app/DownloadProvider
# rm -rf /system/priv-app/ExternalStorageProvider
# rm -rf /system/priv-app/FusedLocation
# rm -rf /system/priv-app/GCS
# rm -rf /system/priv-app/GoogleBackupTransport
# rm -rf /system/priv-app/GoogleContacts
# rm -rf /system/priv-app/GoogleDialer
# rm -rf /system/priv-app/GoogleFeedback
# rm -rf /system/priv-app/GoogleLoginService
# rm -rf /system/priv-app/GoogleOneTimeInitializer
# rm -rf /system/priv-app/GooglePackageInstaller
# rm -rf /system/priv-app/GooglePartnerSetup
# rm -rf /system/priv-app/GoogleServicesFramework
# rm -rf /system/priv-app/InputDevices
# rm -rf /system/priv-app/Launcher2
# rm -rf /system/priv-app/ManagedProvisioning
# rm -rf /system/priv-app/MediaProvider
# rm -rf /system/priv-app/MmsService
# rm -rf /system/priv-app/MusicFX
# rm -rf /system/priv-app/OmaDmclient
# rm -rf /system/priv-app/Phonesky
# rm -rf /system/priv-app/PrebuiltGmsCore
# rm -rf /system/priv-app/ProxyHandler
# rm -rf /system/priv-app/Settings
# rm -rf /system/priv-app/SettingsProvider
# rm -rf /system/priv-app/SetupWizard
# rm -rf /system/priv-app/SharedStorageBackup
# rm -rf /system/priv-app/Shell
# rm -rf /system/priv-app/SprintHiddenMenu
# rm -rf /system/priv-app/StatementService
# rm -rf /system/priv-app/SystemUI
# rm -rf /system/priv-app/TagGoogle
# rm -rf /system/priv-app/TeleService
# rm -rf /system/priv-app/Telecom
# rm -rf /system/priv-app/TelephonyProvider
# rm -rf /system/priv-app/Velvet
# rm -rf /system/priv-app/VpnDialogs
# rm -rf /system/priv-app/WallpaperCropper
# rm -rf /system/priv-app/twrpapp


# set_mode PATH: give something placed under /system/app the root:root ownership
# and modes the platform expects (644 for an apk, 755 for a directory so it stays traversable)
function set_mode ()
{
    if [ -d "$1" ]; then
        chmod u=rwx,g=rx,o=rx "$1"
    elif [ -f "$1" ]; then
        chmod u=rw,g=r,o=r "$1"
    else
        return 1
    fi
    chown root:root "$1"
}

# e.g. a browser apk pushed into /system/app
set_mode mark.via.apk

mount -o ro,remount /system
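A reversible variant of the removal above, as an added example (not the post's script): instead of rm -rf, each app directory is moved into a backup folder and recorded in a manifest so the change can be undone if the device misbehaves. On a phone ROOT would be /system (remounted rw as above) and BACKUP somewhere under /data; here both are constructed temp directories, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): reversible debloating.
# remove_apps ROOT BACKUP NAME... -> moves ROOT/app/NAME to BACKUP/app/NAME,
# appends each moved path to BACKUP/manifest and prints how many were moved.
remove_apps() {
    root=$1; backup=$2; shift 2
    mkdir -p "$backup/app"
    n=0
    for name in "$@"; do
        src="$root/app/$name"
        if [ -d "$src" ]; then
            mv "$src" "$backup/app/$name" && echo "app/$name" >> "$backup/manifest"
            n=$((n + 1))
        else
            echo "skip: $src not present" >&2
        fi
    done
    echo "$n"
}

# restore_apps ROOT BACKUP -> moves every entry in the manifest back, prints the count
restore_apps() {
    root=$1; backup=$2
    [ -f "$backup/manifest" ] || { echo 0; return; }
    n=0
    while IFS= read -r rel; do
        [ -d "$backup/$rel" ] || continue
        mv "$backup/$rel" "$root/$rel" && n=$((n + 1))
    done < "$backup/manifest"
    rm -f "$backup/manifest"
    echo "$n"
}

# Constructed layout standing in for /system/app; NoSuchApp exercises the skip path
ROOT=$(mktemp -d)
BACKUP="$ROOT/backup"
mkdir -p "$ROOT/app/Books" "$ROOT/app/Maps" "$ROOT/app/Settings"
MOVED=$(remove_apps "$ROOT" "$BACKUP" Books Maps NoSuchApp)   # 2
echo "moved $MOVED app(s); manifest at $BACKUP/manifest"
```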

Replace the default shell with bash

git clone https://github.com/SuperDethByte/Bash-for-ARM.git
cd Bash-for-ARM
echo "Make sure your phone is plugged into your computer."
sleep 5
echo "Remounting /system partition as r/w..."
adb shell su -c "mount -o remount,rw /system"
echo "Making a backup..."
adb shell su -c "cp /system/bin/sh /system/bin/sh.bak"
echo "Checking if backup was made..."
# test the device's answer, not the literal words "adb shell" as the original did
if [ -n "$(adb shell su -c 'ls /system/bin/sh.bak 2>/dev/null')" ]; then
    echo "Pushing bash binary to android..."
    # adb push cannot write into root-owned /system/bin; stage the file and copy as root.
    # /system/bin/sh is in use, so replace it with mv (rename) rather than overwriting in place
    adb push bash /data/local/tmp/bash
    adb shell su -c "cp /data/local/tmp/bash /system/bin/bash && chmod 755 /system/bin/bash && chown root:root /system/bin/bash"
    adb shell su -c "cp /system/bin/bash /system/bin/sh.new && mv /system/bin/sh.new /system/bin/sh"
    echo "Remounting /system partition as r/o..."
    adb shell su -c "mount -o remount,ro /system"
    echo "DONE"
else
    echo "Backup failed"
    echo "Remounting /system partition as r/o..."
    adb shell su -c "mount -o remount,ro /system"
fi

Ref