免责声明:内容仅供学习参考,请合法利用知识,禁止进行违法犯罪活动!
内容参考于:图灵Python学院
本人写的内容纯属胡编乱造,全都是合成造假,仅仅只是为了娱乐,请不要盲目相信。第一次接触安卓逆向写的很烂,后面有机会再全部重写。
工具下载:
链接:https://pan.baidu.com/s/1rEEJnt85npn7N38Ai0_F2Q?pwd=6tw3
提取码:6tw3
复制这段内容后打开百度网盘手机App,操作更方便哦
上一个内容:34.安卓逆向-壳-frida-Dexdump脱壳
上一个内容里写了使用frida-Dexdump脱壳。使用frida-Dexdump脱壳时,下载源码会报错,报错之后dex源码在jadx-gui里就没法识别了。这个问题可以使用下方的Frida脚本下载源码来解决:源码下载的位置会打印在电脑控制台(如下图红框),但源码文件本身下载到了手机里,所以需要手动把手机里的源码文件复制到电脑里,然后再使用jadx-gui反编译源码。注意脚本运行的时候需要在app里刷一刷(就是玩一玩app,玩到不会再下载新的dex文件为止)。
frida下载app源码脚本,指令 frida -UF -l 这里写js文件名(也就是下方Frida脚本的文件名和目录),运行这个指令之后会把手机上当前运行的app的源码下载下来
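// Mode bits for the dump directory. Parsed in base 8 because the original
// passed the decimal literal 755, which is 0o1363 (sticky bit, rwx/-wx/-wx),
// not the intended rwxr-xr-x.
var DIR_MODE = parseInt("755", 8);

/**
 * Resolves one libc.so export into a callable NativeFunction.
 * @param {string} name - exported symbol name in libc.so
 * @param {string} retType - Frida return type spec (e.g. "int")
 * @param {string[]} argTypes - Frida argument type specs
 * @returns {NativeFunction}
 */
function libc(name, retType, argTypes) {
  return new NativeFunction(Module.getExportByName("libc.so", name), retType, argTypes);
}

/**
 * Reads /proc/self/cmdline with raw libc open/read/close and returns its
 * first NUL-terminated field (the process name).
 * @returns {string} the name, or the sentinel "-1" if the file cannot be
 *   opened or nothing could be read
 */
function get_self_process_name() {
  var open = libc("open", "int", ["pointer", "int"]);
  var read = libc("read", "int", ["int", "pointer", "int"]);
  var close = libc("close", "int", ["int"]);

  var fd = open(Memory.allocUtf8String("/proc/self/cmdline"), 0); // 0 == O_RDONLY
  if (fd === -1) {
    return "-1";
  }
  var buffer = Memory.alloc(0x1000);
  var bytesRead = read(fd, buffer, 0x1000);
  close(fd);
  if (bytesRead <= 0) {
    // Nothing was read; do not return whatever the buffer happens to hold.
    return "-1";
  }
  // cmdline fields are NUL-separated, so readCString() stops after the first one.
  return buffer.readCString();
}

/**
 * Creates `path` (one level) with mode 0755 unless it already exists.
 * @param {string} path - absolute directory path
 * @returns {number} 0 when the directory already existed, otherwise the
 *   return value of libc mkdir (0 on success, -1 on failure)
 */
function mkdir(path) {
  var nativeMkdir = libc("mkdir", "int", ["pointer", "int"]);
  var opendir = libc("opendir", "pointer", ["pointer"]);
  var closedir = libc("closedir", "int", ["pointer"]);

  var cPath = Memory.allocUtf8String(path);
  var dir = opendir(cPath);
  if (!dir.isNull()) {
    closedir(dir);
    return 0;
  }
  var rc = nativeMkdir(cPath, DIR_MODE);
  // Kept from the original: re-apply the mode explicitly after creation
  // (presumably so the process umask does not reduce it).
  chmod(path);
  return rc;
}

/**
 * Sets `path` to mode 0755 via libc chmod. The return value is not checked,
 * matching the original best-effort behaviour.
 * @param {string} path - absolute path
 */
function chmod(path) {
  var nativeChmod = libc("chmod", "int", ["pointer", "int"]);
  nativeChmod(Memory.allocUtf8String(path), DIR_MODE);
}

/**
 * Scans libart's symbol table for the ClassLinker::DefineClass overload that
 * takes a Thread and a DexFile. Every match is logged and the last one wins,
 * as in the original loop. Original note: this signature is the Android 9 one:
 * _ZN3art11ClassLinker11DefineClassEPNS_6ThreadEPKcmNS_6HandleINS_6mirror11ClassLoaderEEERKNS_7DexFileERKNS9_8ClassDefE
 * @param {Module} libart - the loaded libart.so module
 * @returns {NativePointer|null} address of the symbol, or null if none matched
 */
function findDefineClass(libart) {
  var found = null;
  var symbols = libart.enumerateSymbols();
  for (var i = 0; i < symbols.length; i++) {
    var name = symbols[i].name;
    if (name.indexOf("ClassLinker") >= 0 &&
        name.indexOf("DefineClass") >= 0 &&
        name.indexOf("Thread") >= 0 &&
        name.indexOf("DexFile") >= 0) {
      console.log(name, symbols[i].address);
      found = symbols[i].address;
    }
  }
  return found;
}

/**
 * Hooks art::ClassLinker::DefineClass in libart.so and, for each DexFile
 * argument not seen before whose bytes begin with "dex", writes a copy to
 * /data/data/<pkg>/files/dump_dex_<pkg>/class[N].dex via Frida's File API.
 * Each path is logged to the console. Logs and returns without hooking when
 * libart.so is not loaded or the symbol cannot be found (the original threw
 * on a missing module).
 */
function dump_dex() {
  var libart = Process.findModuleByName("libart.so");
  if (libart === null) {
    console.log("[DefineClass:]", null);
    return;
  }
  var addr_DefineClass = findDefineClass(libart);
  console.log("[DefineClass:]", addr_DefineClass);
  if (!addr_DefineClass) {
    return;
  }

  var dex_maps = {}; // base address (stringified pointer) -> size; dedupes DexFiles
  var dex_count = 1; // first file is "class.dex", later ones "class2.dex", ...

  Interceptor.attach(addr_DefineClass, {
    onEnter: function (args) {
      var dex_file = args[5];
      // Per the original comment on the DexFile layout:
      //   +pointerSize   is "const uint8_t* const begin_;"
      //   +2*pointerSize is "const size_t size_;"
      // readUInt() is a 32-bit read; on 64-bit size_t this takes the low
      // half, kept as in the original.
      var base = dex_file.add(Process.pointerSize).readPointer();
      var size = dex_file.add(Process.pointerSize * 2).readUInt();
      if (dex_maps[base] !== undefined) {
        return; // already handled this DexFile
      }
      dex_maps[base] = size;

      // readCString stops at the first NUL, so only the magic prefix is compared.
      if (base.readCString().indexOf("dex") !== 0) {
        return;
      }
      var process_name = get_self_process_name();
      if (process_name === "-1") {
        return;
      }
      var dex_dir_path = "/data/data/" + process_name + "/files/dump_dex_" + process_name;
      mkdir(dex_dir_path);
      var dex_path = dex_dir_path + "/class" + (dex_count === 1 ? "" : dex_count) + ".dex";
      console.log("[find dex]:", dex_path);

      var fd = new File(dex_path, "wb");
      if (!fd) {
        return;
      }
      dex_count++;
      fd.write(base.readByteArray(size));
      fd.flush();
      fd.close();
      console.log("[dump dex]:", dex_path);
    },
    onLeave: function (retval) {}
  });
}

var is_hook_libart = false; // set once dump_dex() has been run from a loader hook

/**
 * Attaches to one dynamic-loader export and runs dump_dex() exactly once,
 * after the first call whose path contains "libart.so". Returns without
 * attaching if the export cannot be resolved (the original would have passed
 * null to Interceptor.attach).
 * @param {string} exportName - "dlopen" or "android_dlopen_ext"
 */
function hook_loader(exportName) {
  var target = Module.findExportByName(null, exportName);
  if (target === null) {
    return;
  }
  var tag = "[" + exportName + ":]";
  Interceptor.attach(target, {
    onEnter: function (args) {
      var pathptr = args[0];
      // A NULL path is legal for dlopen; readCString() on it would yield
      // null and the indexOf below would throw, so skip it.
      if (pathptr === undefined || pathptr.isNull()) {
        return;
      }
      var path = pathptr.readCString();
      if (path.indexOf("libart.so") >= 0) {
        this.can_hook_libart = true;
        console.log(tag, path);
      }
    },
    onLeave: function (retval) {
      if (this.can_hook_libart && !is_hook_libart) {
        dump_dex();
        is_hook_libart = true;
      }
    }
  });
}

/**
 * Installs the loader hooks on both dlopen and android_dlopen_ext so that
 * dump_dex() runs once libart.so is loaded. Defined but not called by this
 * script's entry point below.
 */
function hook_dlopen() {
  hook_loader("dlopen");
  hook_loader("android_dlopen_ext");
}

// Entry point: the script is attached to an already-running process
// (frida -UF), where libart.so is loaded, so hook DefineClass directly.
setImmediate(dump_dex);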