Common Android unpacking methods

Posted by lipsius at 2020-02-24

Shandong new trend information


Statement: this is an original article of the Tide security team; please credit the source when reprinting! The techniques, ideas and tools in this article are for security learning and exchange only. No one may use them for illegal or profit-making purposes; anyone who does bears the consequences themselves!

1、 DrizzleDumper

Connecting ADB to the Nox emulator

1. Start the Nox emulator, open Settings and switch it to phone mode. On first use, open Settings and tap the version number 5 times to enable developer mode, then turn on USB debugging.

2. Open File Explorer, go to the Nox installation directory, type cmd in the address bar and press Enter. A CMD window opens with its working directory set to the Nox installation directory. My default installation location: E:\Program Files\yeshen\Nox\bin

3. Run nox_adb.exe connect to connect to ADB, or alternatively the standard client: adb connect

4. adb devices lists the connected devices.

Pushing the tool into the emulator

1. With the emulator running, execute adb push "e:\01 installation package\02app\Android shell smashing\drizzledumper-master" /data/local/tmp (the first argument is the path of the DrizzleDumper tool on the host machine, the second is the destination path inside the emulator)

2. adb shell enters the emulator's shell. Check:

3. Run exit to leave the shell, then, as in step 1, use adb push "c:\users\administrator\desktop\apk\anma'u driver.apk" /data/local/tmp to put the app to be unpacked into the emulator

4. Make DrizzleDumper executable: chmod 777 /data/local/tmp/drizzledumper-master/libs/x86/drizzledumper (the execute bit is what matters here)

Unpacking

1. In the adb shell, run /data/local/tmp/drizzledumper-master/libs/x86/drizzledumper com.amcx.driver

2. The unpacked DEX file is saved under /data/local/tmp. Because it is dumped from the running process's memory, check its header (size, checksum) before decompiling it.

2、 Xposed framework and FDex2 unpacking

Installing and configuring the environment

1. Search (Baidu) for FDex2, MT Manager, Developer Assistant, Xposed Installer and the app under test (Simultaneous Translation Super Edition), download the corresponding APKs and install them on the phone or emulator

2. Xposed Installer works by modifying the ART/Dalvik virtual machine and registering the methods to be hooked as native-layer methods. When such a method is called, the virtual machine first executes the native-layer function and then the Java-layer method, which is how the hook is completed. When installing Xposed you may run into the following problems:

(1) "The Xposed framework is not installed. Please download the latest ZIP file from XDA and flash it manually via recovery"

Download SDK platform 23 and put it in the platforms folder of the emulator installation directory

(2) After installing and opening Xposed Installer, the status shows "Xposed framework is not installed"

Click Official and select the version to install

After installation, restart the emulator for it to take effect

Tick FDex2 under Modules; it takes effect after the emulator restarts

Unpacking steps

1. Open Developer Assistant and grant it the required permissions and the floating-window permission

2. Open the target app and tap the Developer Assistant floating window to check whether the app is packed

3. Open FDex2 and tap the name of the app to unpack; a dialog shows the DEX output directory and other information. Note the path

4. Open MT Manager, go to /data/user/0/android.translate.xuedianba and view the DEX files written out by the hook

5. The DEX file in the red box above cannot be decompiled directly, so move it to the file list on the left

6. Find the target package under /data/app/android.translate.xuedianba-1 and tap base.apk to view its details

7. Tap View to browse the file paths inside the target APK

8. Among the DEX files from step 5, find the one whose size matches the classes.dex seen in step 7, open it with the DEX editor and check whether it contains the package name noted in step 3

9. Keep that DEX file and delete the redundant ones. Rename it to classes.dex and move it into the APK (if a permission error is reported, change the permissions in the file's properties)

10. Open AndroidManifest.xml in decompile mode, replace com.tencent.stushell.txappentry on line 15 with android.translate.xuedianba.baseapplication from line 18, then delete lines 16-18. This restores the app's original Application class as the entry point and removes the packer's stub entries. Save and exit the file

11. When prompted "update in the compressed file", click OK

12. Open the software's function menu and choose APK signing

13. After signing succeeds, click Install (uninstall the previously installed version first, then install)
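Steps 5 and 8 pick the right dump by comparing sizes and contents. The Python script below is an added example (not code from the original post, FDex2 or MT Manager) that vets a candidate DEX the way a practitioner would before decompiling it: it validates the header and recomputes the Adler-32 checksum and SHA-1 signature, which a file dumped from memory often carries stale, and repairs them. The sample DEX it builds is constructed (a bare header with no code) so the script runs offline.

```python
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70              # every DEX header is 112 bytes
ENDIAN_CONSTANT = 0x12345678    # endian_tag of a little-endian DEX

def parse_dex_header(data: bytes) -> dict:
    """Read the DEX header and recompute the Adler-32 checksum (covers bytes
    12..end) and SHA-1 signature (covers bytes 32..end) of a dumped file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("input is shorter than a DEX header")
    magic = data[:8]
    if not magic.startswith(b"dex\n") or magic[7] != 0:
        raise ValueError("bad magic: not a DEX file")
    checksum, signature = struct.unpack_from("<I20s", data, 8)
    ints = struct.unpack_from("<20I", data, 32)
    file_size, header_size, endian_tag = ints[0], ints[1], ints[2]
    # A memory dump may carry trailing bytes; hash only what the header claims.
    body = data[:file_size] if file_size <= len(data) else data
    return {
        "version": magic[4:7].decode("ascii"),
        "file_size": file_size,
        "size_matches": file_size == len(data),
        "header_ok": header_size == HEADER_SIZE and endian_tag == ENDIAN_CONSTANT,
        "checksum_ok": checksum == (zlib.adler32(body[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(body[32:]).digest(),
        "method_ids_size": ints[14],
        "class_defs_size": ints[16],
    }

def repair_dex_header(data: bytes) -> bytes:
    """Rewrite the signature first, then the checksum (the checksum covers the
    signature); dumpers often copy the header out of memory refreshing neither."""
    buf = bytearray(data)
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)

def build_sample_dex() -> bytes:
    """Constructed header-only DEX (no code, no map) used to exercise the checks."""
    ints = [HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT] + [0] * 17
    raw = b"dex\n035\x00" + b"\x00" * 24 + struct.pack("<20I", *ints)
    return repair_dex_header(raw)

if __name__ == "__main__":
    good = build_sample_dex()
    damaged = good[:8] + b"\x00" * 4 + good[12:]   # checksum zeroed, as in a raw dump
    print(parse_dex_header(damaged)["checksum_ok"])                      # False
    print(parse_dex_header(repair_dex_header(damaged))["checksum_ok"])   # True
```

Run it against a dumped file by replacing the constructed sample with the file's bytes; a failing checksum or signature alone does not make the dump wrong, but a mismatched file_size or endian_tag means it is not a whole DEX.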

3、 Frida unpacking

Frida installation

Frida is easy to install: you need the Frida client on Windows and frida-server on the Android device.

1) Install the client on Windows

Install Python and pip and add them to the environment variables, then open the pip package and run its install command

After installation, configure environment variables

With Python and pip installed, open CMD and run pip install frida. After installation, see the figure below.

Install frida-tools with the command pip install frida-tools

Note: fixing the error "unknown or unsupported command 'install'":

1. Run where pip to find the paths of all pip executables;

2. Find and change into the pip path under the Python installation;

3. Then install from there with pip install selenium;

2) Install the server on the phone

First, download frida-server from GitHub. Frida provides server builds for various platforms. My phone is a Redmi 5 Plus, which is 64-bit ARM, so I downloaded the arm64 build (the server version must match the installed Frida version)

After extracting it, use ADB to push frida-server to /data/local/tmp on the phone, then make it executable

3) Test the installation environment

First start frida-server on the phone, remembering to run it as root,

Then open another CMD in the Python Scripts directory on the Windows host and run frida-ps -U. This command lists all processes on the phone; if process information appears, the environment is configured correctly:


Start frida-server on the phone

Run the unpacking script

The unpacked DEX is saved under /data/data/<application package name>/.

The Tide security team was formally established in January 2019 as a security team under New Trend Information, dedicated to research on Internet attack and defense technology. It currently brings together more than ten professional security attack and defense researchers, focusing on network attack and defense, web security, mobile terminals, secure development, IoT / Internet of things / industrial control security and other directions.
