[Original] Modifying the Android kernel to bypass anti-debug
Posted: 2016-7-8 11:22
0X00 Introduction
When analysing Android apps, developers raise the difficulty of cracking by adding debugger-detection checks, or by hardening (packing) the APK afterwards. For Java-layer detection, such as checking android.os.Debug.isDebuggerConnected(), we can edit the smali code to remove the check or change the return logic and repackage the APK; when repackaging is not possible, hooking the Java method with the Xposed framework bypasses the check just as well. At the JNI layer, most apps detect a debugger by checking the TracerPid value, as described in this article (link not recoverable from the source).
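As an added illustration (not code from the original post), here is how a JNI-layer TracerPid check reads the field, run against two constructed /proc/<pid>/status samples: one as a stock kernel prints it with a debugger attached, and one as the kernel patched in section 0X01 prints it, where the same attached debugger reads as 0. The package name and pids in the samples are made up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the TracerPid field from the text of /proc/<pid>/status:
 * 0 means no process is ptrace-attached, >0 is the tracer's pid,
 * -1 means the field was not found. This is the value that
 * fs/proc/array.c prints from tpid; with the kernel change described
 * in this post (tpid forced back to 0) the field always reads 0. */
long parse_tracer_pid(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10);   /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line) line++;                           /* step to the next line */
    }
    return -1;
}

/* Live check for the calling process (Linux/Android only). */
long tracer_pid_of_self(void)
{
    char buf[4096];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Constructed samples, not real captures. First: what a stock kernel
 * prints while a debugger with pid 4242 is attached to the app. */
const char STATUS_STOCK_TRACED[] =
    "Name:\tcom.example.app\nState:\tt (tracing stop)\n"
    "Tgid:\t1337\nPid:\t1337\nPPid:\t300\n"
    "TracerPid:\t4242\n"
    "Uid:\t10056\t10056\t10056\t10056\n";

/* Second: the same situation on the patched kernel. The tracer is
 * still attached, but tpid was reset to 0 before seq_printf ran. */
const char STATUS_PATCHED_TRACED[] =
    "Name:\tcom.example.app\nState:\tt (tracing stop)\n"
    "Tgid:\t1337\nPid:\t1337\nPPid:\t300\n"
    "TracerPid:\t0\n"
    "Uid:\t10056\t10056\t10056\t10056\n";
```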
0X01 Modifying, building and flashing the kernel
The whole procedure was done on 64-bit Ubuntu 14.04; my phone is a Google Nexus 4 with a Qualcomm chip. If your phone model is different, you have to pick the version for your own device; see here for details (link not recoverable from the source).
Download the source: create a directory and run
$ git clone <kernel repository URL, obfuscated in the source>
Some will get a "connection refused" error here; in that case use the Tsinghua AOSP mirror:
$ git clone <Tsinghua mirror repository URL, obfuscated in the source>
$ git branch -a
$ git checkout origin/android-msm-mako-3.4-jb-mr2
Once the code has downloaded, a global search for TracerPid finds where it is set, in fs/proc/array.c in the source tree:
    pid_t ppid, tpid = 0, tgid, ngid;
    if (tracer)
        tpid = task_pid_nr_ns(tracer, ns);
    .....
    seq_printf(m,
        "State:\t%s\n"
        "Tgid:\t%d\n"
        "Ngid:\t%d\n"
        "Pid:\t%d\n"
        "PPid:\t%d\n"
        "TracerPid:\t%d\n"
        "Uid:\t%d\t%d\t%d\t%d\n"
        "Gid:\t%d\t%d\t%d\t%d\n"
        "FDSize:\t%d\nGroups:\t",
        get_task_state(p),
        tgid, ngid, pid_nr_ns(pid, ns), ppid, tpid,
        from_kuid_munged(user_ns, cred->uid),
        from_kuid_munged(user_ns, cred->euid),
        from_kuid_munged(user_ns, cred->suid),
        from_kuid_munged(user_ns, cred->fsuid),
        from_kgid_munged(user_ns, cred->gid),
        from_kgid_munged(user_ns, cred->egid),
        from_kgid_munged(user_ns, cred->sgid),
        from_kgid_munged(user_ns, cred->fsgid),
        max_fds);
tpid is initialised to 0 at the start, and the if statement then reassigns it; so right after that if statement we add another
tpid = 0;
so that, whatever happened before, TracerPid is always 0. With the code modified, set the environment variables below; note that they have to be set before every build. If you have never built the Android source, you also have to download this tool:
$ git clone <prebuilt toolchain repository URL, obfuscated in the source>
$ export PATH=$(pwd)/prebuilts/gcc/linux-x86/arm/arm-eabi-4.6/bin:$PATH
$ export ARCH=arm
$ export SUBARCH=arm
$ export CROSS_COMPILE=arm-eabi-
$ make mako_defconfig
$ make -j12
If everything goes well, zImage, our kernel file, is produced in the arch/arm/boot subdirectory. With the kernel in hand, there are two ways to get it onto the phone. If you build Android from source, replace the kernel file in the AOSP tree's device/lge/mako-kernel directory with this zImage; the system you build then carries our own kernel instead. Otherwise, once the phone has a recovery flashed, flash it as a zip package: the zip contains a boot.img, unpack it to get the kernel and the filesystem (ramdisk), replace the kernel, repack to get a new boot.img, and flash that boot.img to the phone. Download the tools needed:
$ git clone <bootimg-tools repository URL, obfuscated in the source>
$ cd bootimg-tools/
$ make
Unpack boot.img:
$ unmkbootimg -i boot_img/boot.img
kernel written to 'kernel' (8331496 bytes)
ramdisk written to 'ramdisk.cpio.gz' (498796 bytes)
To rebuild this boot image, you can use the command:
mkbootimg --base 0 --pagesize 2048 --kernel_offset 0x00008000 --ramdisk_offset 0x02900000 --second_offset 0x00f00000 --tags_offset 0x02700000 --cmdline 'console=ttyHSL0,115200,n8 androidboot.hardware=hammerhead user_debug=31 maxcpus=2 msm_watchdog_v2.enable=1' --kernel kernel --ramdisk ramdisk.cpio.gz -o boot_img/boot.img
Repack boot.img:
$ cp msm/arch/arm/boot/zImage-dtb kernel
$ mkbootimg --base 0 --pagesize 2048 --kernel_offset 0x00008000 --ramdisk_offset 0x02900000 --second_offset 0x00f00000 --tags_offset 0x02700000 --cmdline 'console=ttyHSL0,115200,n8 androidboot.hardware=hammerhead user_debug=31 maxcpus=2 msm_watchdog_v2.enable=1' --kernel kernel --ramdisk ramdisk.cpio.gz -o boot.img
Either boot the new boot.img once or flash it directly:
fastboot boot boot.img
or
fastboot flash boot boot.img
If all goes well the phone may boot normally, or it may turn into a brick. The problem I ran into was that Wi-Fi died and would not start. XD
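Added example, not part of the original post or of bootimg-tools: a parser for the boot.img header that shows how an unpacker locates the kernel and ramdisk blobs and derives the --base and --*_offset flags that unmkbootimg printed above. The header bytes are constructed from those printed values, and the kernel_addr - 0x00008000 rule for --base is assumed to be how the tool derives it.

```c
#include <stdint.h>
#include <string.h>

/* Android boot image header, original v0 layout (what mkbootimg/unmkbootimg handle). */
struct boot_hdr {
    uint32_t kernel_size, kernel_addr, ramdisk_size, ramdisk_addr;
    uint32_t second_size, second_addr, tags_addr, page_size;
    char cmdline[513];                                      /* 512 bytes in the header + NUL */
};

/* Header integers are little-endian u32 regardless of the host. */
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Parse the header at the start of buf: 0 on success, -1 if too short, bad magic or odd page_size. */
int parse_boot_hdr(const uint8_t *buf, size_t len, struct boot_hdr *h) {
    if (len < 608 || memcmp(buf, "ANDROID!", 8) != 0) return -1;
    h->kernel_size  = le32(buf + 8);  h->kernel_addr  = le32(buf + 12);
    h->ramdisk_size = le32(buf + 16); h->ramdisk_addr = le32(buf + 20);
    h->second_size  = le32(buf + 24); h->second_addr  = le32(buf + 28);
    h->tags_addr    = le32(buf + 32); h->page_size    = le32(buf + 36);
    memcpy(h->cmdline, buf + 64, 512); h->cmdline[512] = '\0';  /* bytes 40..63: unused, name */
    if (h->page_size < 2048 || (h->page_size & (h->page_size - 1))) return -1;
    return 0;
}

/* Layout: page 0 is the header, the kernel starts on page 1 and the ramdisk follows the kernel
 * padded to whole pages. Swapping the kernel rewrites everything from kernel_file_offset on. */
uint32_t kernel_file_offset(const struct boot_hdr *h)  { return h->page_size; }
uint32_t ramdisk_file_offset(const struct boot_hdr *h) {
    return h->page_size + (h->kernel_size + h->page_size - 1) / h->page_size * h->page_size;
}

/* --base is kernel_addr - 0x8000 (mkbootimg's default kernel offset); each --*_offset is address - base. */
uint32_t mkbootimg_base(const struct boot_hdr *h) { return h->kernel_addr - 0x00008000u; }
uint32_t mkbootimg_offset(const struct boot_hdr *h, uint32_t addr) { return addr - mkbootimg_base(h); }

/* Constructed sample (not a real dump): a header page holding the values unmkbootimg reported above. */
size_t build_sample_hdr(uint8_t *buf, size_t len) {
    if (len < 2048) return 0;
    memset(buf, 0, 2048); memcpy(buf, "ANDROID!", 8);
    put32(buf + 8, 8331496);     put32(buf + 12, 0x00008000);  /* kernel size, load address */
    put32(buf + 16, 498796);     put32(buf + 20, 0x02900000);  /* ramdisk size, load address */
    put32(buf + 24, 0);          put32(buf + 28, 0x00f00000);  /* second stage: none */
    put32(buf + 32, 0x02700000); put32(buf + 36, 2048);        /* tags address, page size */
    strcpy((char *)buf + 64, "console=ttyHSL0,115200,n8 androidboot.hardware=hammerhead "
                             "user_debug=31 maxcpus=2 msm_watchdog_v2.enable=1");
    return 2048;
}
```

Feeding a real boot.img's first page to parse_boot_hdr gives the same numbers unmkbootimg prints, and a page_size or magic check failing is the usual sign of a signed or non-standard image that the plain tools cannot repack.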
0X02 Testing an APK
Here we verify it with the ALimsc challenge; for the details of the challenge and the analysis approach, see the article by 蒸米 (link not recoverable from the source).
A tip here: if you are on a Mac and, like me, have no IDA for Mac, you can install a Windows system and use port forwarding. Create a file com.my under /etc/pf.anchors/ with the following content:
rdr pass on vmnet8 inet proto tcp from any to self port 2333 -> 127.0.0.1 port 23946
Then run pfctl -ef /etc/pf.anchors/com.my and you are done. The other steps are the same as regular debugging, except that for the hostname you enter your Mac's IP address. After attaching successfully we find that the program does not exit; we set a breakpoint at the comparison and obtain the correct comparison value. In other words, our modification worked.
We can also see that TracerPid is 0 at this point.
0X03 Summary & references
Modifying the kernel this way simplifies some of the analysis steps when debugging apps.