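Yet another androidmanifest.xml decoding tool
Background:
For the past few days I have been studying facebook's protocol, but facebook uses SSL pinning, so fiddler cannot decrypt the SSL traffic in the normal way to observe the protocol.
I heard that the facebook app uses a newer Android setting in its manifest: <application android:networkSecurityConfig="@xml/network_security_config">
So I particularly wanted to look at the facebook apk's manifest to see whether it has this new setting.
But analyzing the facebook apk with apktool fails with an error, so I wrote a small tool myself.
Official documentation for the networkSecurityConfig setting
A brief description of the binary data structure of androidmanifest.xml:
The definitions for androidmanifest are mostly in the file /frameworks/base/libs/androidfw/include/androidfw/ResourceTypes.h
A close look at this file shows that the androidmanifest file structure is simple, not complicated.
The androidmanifest.xml header is defined as follows. It is 8 bytes in total, and what follows is made up of independent chunks of different types.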
/**
 * Header that appears at the front of every data chunk in a resource.
 */
struct ResChunk_header
{
    // Type identifier for this chunk. The meaning of this value depends
    // on the containing chunk.
    uint16_t type;

    // Size of the chunk header (in bytes). Adding this value to
    // the address of the chunk allows you to find its associated data
    // (if any).
    uint16_t headerSize;

    // Total size of this chunk (in bytes). This is the chunkSize plus
    // the size of any data associated with the chunk. Adding this value
    // to the chunk allows you to completely skip its contents (including
    // any child chunks). If this value is the same as chunkSize, there is
    // no data associated with the chunk.
    uint32_t size;
};
For example, ResStringPool_header:
/** ********************************************************************
 *  String Pool
 *
 *  A set of strings that can be references by others through a
 *  ResStringPool_ref.
 *
 *********************************************************************** */

/**
 * Definition for a pool of strings. The data of this chunk is an
 * array of uint32_t providing indices into the pool, relative to
 * stringsStart. At stringsStart are all of the UTF-16 strings
 * concatenated together; each starts with a uint16_t of the string's
 * length and each ends with a 0x0000 terminator. If a string is >
 * 32767 characters, the high bit of the length is set meaning to take
 * those 15 bits as a high word and it will be followed by another
 * uint16_t containing the low word.
 *
 * If styleCount is not zero, then immediately following the array of
 * uint32_t indices into the string table is another array of indices
 * into a style table starting at stylesStart. Each entry in the
 * style table is an array of ResStringPool_span structures.
 */
struct ResStringPool_header
{
    struct ResChunk_header header;

    // Number of strings in this pool (number of uint32_t indices that follow
    // in the data).
    uint32_t stringCount;

    // Number of style span arrays in the pool (number of uint32_t indices
    // follow the string indices).
    uint32_t styleCount;

    // Flags.
    enum {
        // If set, the string index is sorted by the string values (based
        // on strcmp16()).
        SORTED_FLAG = 1<<0,

        // String pool is encoded in UTF-8
        UTF8_FLAG = 1<<8
    };
    uint32_t flags;

    // Index from header of the string data.
    uint32_t stringsStart;

    // Index from header of the style data.
    uint32_t stylesStart;
};
Knowing the definitions, it is easy to write a tool that decodes the binary androidmanifest.xml into a plain-text androidmanifest.xml.
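The two structures above are enough to walk the chunks of a binary manifest and decode its string pool. The sketch below is an added example, not the author's tool: the function names and the sample input are constructed here, the chunk type values 0x0001 and 0x0003 are RES_STRING_POOL_TYPE and RES_XML_TYPE from ResourceTypes.h, and the UTF-8 branch assumes the AOSP layout of a character-count prefix followed by a byte-count prefix.

```python
import struct

RES_STRING_POOL_TYPE, RES_XML_TYPE, UTF8_FLAG = 0x0001, 0x0003, 1 << 8  # ResourceTypes.h

def chunk_header(data, off):
    """Read one ResChunk_header; reject sizes that leave the buffer or cannot advance."""
    ctype, hsize, size = struct.unpack_from("<HHI", data, off)
    if hsize < 8 or size < hsize or off + size > len(data):
        raise ValueError("inconsistent chunk sizes at offset %d" % off)
    return ctype, hsize, size

def read_len(data, pos, utf8):  # one unit, or two if the first has its high bit set
    unit, fmt, high = (1, "<B", 0x80) if utf8 else (2, "<H", 0x8000)
    n = struct.unpack_from(fmt, data, pos)[0]
    if n & high:
        low = struct.unpack_from(fmt, data, pos + unit)[0]
        return ((n & (high - 1)) << (8 * unit)) | low, pos + 2 * unit
    return n, pos + unit

def string_pool(data, off):
    """Decode every string of the ResStringPool chunk that starts at off."""
    _, hsize, _ = chunk_header(data, off)
    count, _, flags, start, _ = struct.unpack_from("<5I", data, off + 8)
    utf8, out = bool(flags & UTF8_FLAG), []
    for idx in struct.unpack_from("<%dI" % count, data, off + hsize):
        n, pos = read_len(data, off + start + idx, utf8)
        if utf8:  # assumed AOSP layout: UTF-16 length first, then byte length
            n, pos = read_len(data, pos, True)
        raw = data[pos:pos + (n if utf8 else 2 * n)]
        out.append(raw.decode("utf-8" if utf8 else "utf-16-le", "replace"))
    return out

def manifest_strings(data):
    """Walk the chunks after the 8-byte file header; return the string pool."""
    ctype, off, end = chunk_header(data, 0)
    if ctype != RES_XML_TYPE:
        raise ValueError("not a binary XML document")
    while off < end:
        ctype, _, size = chunk_header(data, off)
        if ctype == RES_STRING_POOL_TYPE:
            return string_pool(data, off)
        off += size
    return []

def sample():  # constructed input: file header plus a two-string UTF-16 pool
    blobs = [struct.pack("<H", len(s)) + s.encode("utf-16-le") + b"\0\0"
             for s in ("application", "networkSecurityConfig")]
    body = struct.pack("<2I", 0, len(blobs[0])) + b"".join(blobs)
    pool = struct.pack("<HHI5I", 1, 28, 28 + len(body), 2, 0, 0, 36, 0) + body
    return struct.pack("<HHI", 3, 8, 8 + len(pool)) + pool
```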
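Sure enough, I found the new security setting android:networkSecurityConfig in facebook.
It indicates that facebook uses its own root certificate, to prevent man-in-the-middle attacks.
So fiddler cannot decrypt facebook's SSL protocol; the only way to achieve that is to patch the .so file.
My small tool:
Usage is simple: md followed by the path of the binary androidmanifest.xml file decodes it.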