Android 代码和资源混淆

发布于 2024-11-01 13:38:33 字数 248 浏览 10 评论 0原文

Google 推荐并打包在 ProGuard 中以进行代码混淆。然而,它附带的默认配置似乎很小,并且可以在一定程度上进行逆向工程。大多数寻求逆向工程的人并不是真正在寻找详细代码,而可能是提取逻辑。是否有任何指导方针可以更有效地配置 ProGuard?(尽量减少 Javascript 就更好了。)

其次,有像 apktool 这样的工具可以提取 Manifest 和资源文件。而且它们没有任何程度的混淆。这些当然可以揭示一些事情。有什么方法可以避免这种情况的发生吗?

Google recommends and packs in ProGuard for code obfuscation. However the default configuration that it comes with seems minimal and one can reverse engineer to certain extent. Most people looking to reverse engineer are not really looking for detail code, but may be extract the logic. Are there any guidelines so as to configure ProGuard more efficiently ?(Something to the extent Javascript is minimized would be good.)

Secondly, there are tools like apktool that enable extracting the Manifest as well as the resource files. And there is no level of obfuscation in them. These can certainly reveal few things. Are there any ways to avoid this from happening ?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

自演自醉 2024-11-08 13:38:34

对于第一部分,我建议您检查这个问题:Android Game Keeps Getting Hacked 。它并不直接涉及 ProGuard,但它确实为您提供了一些关于如何减少盗版的想法。

对于第二部分,恐怕不,这实际上是不可能的,因为那些是纯 xml 文件。你能做的就是减少资源的使用,直接在java中创建逻辑。这将以三种方式减少代码的暴露:

(1) 显而易见,它显示的 xml 代码不太容易阅读

(2) 它会创建更长的 smali 文件,这些文件一开始就不容易理解:考虑一下smali文件中的变量没有名称,而是数字,并且被重复使用多次,从而使它们更难理解。 V1可以先是一个TextView,然后是一个int,然后是一个私有静态方法。

(3) 它减少了十六进制 ID 的使用,这些 ID 可以使用 public.xml 中的表在 smali 文件上轻松搜索。

当我将 TouchWiz 框架移植到一些自定义 ROM 时,我什至制作了一个小型 java 应用程序来自动进行 ID 识别(xda-developers 帖子为 此处),因此您可以想象遵循它们是多么容易。

For the first part, I suggest you to check this question: Android Game Keeps Getting Hacked . It does not address directly ProGuard, but it does give you some ideas on how to reduce pirating.

For the second part, I'm afraid no, it's not really possible, since those are plain xml files. What you can do is to reduce the use of resources and create the logic directly in java. That will reduce the exposure of your code in three ways:

(1) the obvious, it shows less easy-to-read xml code

(2) it creates much longer smali files, which are not easy to follow to begin with: consider that the variables in the smali file do not have names, but numbers, and are reused several times, thus making them even harder to understand. V1 can be a TextView first, and then an int, and then a private static method.

(3) it reduces the use of hex IDs that are very easily searchable on the smali file using the table from public.xml.

When I was porting the TouchWiz framework to some custom ROMs, I even made a small java app to automate the ID recognition (the xda-developers post is here), so you can imagin how easy is to follow them.

薔薇婲 2024-11-08 13:38:34

您现在可以使用新的 gradle 插件 + 库来有效地混淆类中的字符串,请在此处查看

https:// github.com/MichaelRocks/paranoid

另外,现在有一个新插件也可以混淆资源,请在下面查看

https://github.com/shwenzhang/AndResGuard

并帮助分享这个重要的信息,以便更多的开发人员可以使用它,从而越来越多的开发人员将为这些插件的进一步开发做出贡献,因此我们可以共同改进这些插件。

You can now use a new gradle plugin + library to effectively obfuscate Strings in a class, Please check it here

https://github.com/MichaelRocks/paranoid

Also now there is a new plugin which can obfuscate resources also, please check it below

https://github.com/shwenzhang/AndResGuard

And help share this great information, so more developers can use it and thus more and more developers will contribute for further development of these plugins, and thus we can collectively improve these plugins.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文