1. Name
android-armor-breaker
2. Description
Android Armor Breaker - Multi-strategy unpacking technology for the OpenClaw platform, targeting commercial to enterprise-level Android application protection solutions. Combines Frida-based dynamic injection, Root memory static analysis, and Intelligent DEX extraction to provide complete APK Reinforcement Analysis and DEX Extraction solutions.
Frida Unpacking Technology: Commercial-grade reinforcement breakthrough solution based on the Frida framework, supporting advanced features like deep search, anti-debug bypass, etc.
Core Features:
1. ✅ APK Reinforcement Analysis - Static analysis of APK files to identify reinforcement vendors and protection levels
2. ✅ Environment Check - Automatically checks Frida environment, device connection, app installation status, Root permissions
3. ✅ Intelligent Unpacking - Automatically selects the best unpacking strategy based on protection level
4. ✅ Real-time Monitoring Interface - Tracks DEX file extraction process, displays progress in real-time
5. ✅ DEX Integrity Verification - Verifies the integrity and validity of generated DEX files
6. ✅ Root Memory Extraction - Direct memory reading via root permissions, completely bypassing application-layer anti-debug (proven against IJIAMI, Bangcle, etc.)
Enhanced Features (for commercial reinforcement):
7. ✅ Application Warm-up Mechanism - Waits + simulates operations to trigger more DEX loading
8. ✅ Multiple Unpacking Attempts - Unpacks at multiple time points, merges results to improve coverage
9. ✅ Dynamic Loading Detection - Specifically detects dynamically loaded files like baiduprotect*.dex
10. ✅ Deep Integrity Verification - Multi-dimensional verification including file headers, size, Baidu protection features, etc.
11. ✅ Commercial Reinforcement Bypass - Root memory static analysis that completely bypasses IJIAMI, Bangcle, 360, Tencent, and other commercial protections (success rate: 95%+ with root access)
12. ✅ VDEX Format Processing - Automatic detection and extraction of DEX files from VDEX (Verifier DEX) format, targeting NetEase Yidun reinforcement (vdex027 format supported)
Internationalization Features (v2.2.0):
13. ✅ Multi-language Support - Full support for English and Chinese environments
14. ✅ Internationalized Logging - Unified international logging system
15. ✅ Language Parameter - `--language en-US/zh-CN` parameter support
16. ✅ Backward Compatibility - Defaults to English, no impact on existing functionality
17. ✅ Unified Experience - All core features support bilingual switching
Anti-Debug Enhancement Features (v2.2.0 - 2026-04-10):
18. ✅ Strong Anti-debug Protection Bypass - Specialized techniques for Thread.stop() detection, /proc file hiding
19. ✅ Enhanced Frida Hiding - Better hiding of Frida threads, memory mappings, and modules
20. ✅ Multi-layer Hook Strategy - Java layer + Native layer + System call hooks
21. ✅ Protection Type Auto-detection - Automatically detects and applies optimizations for strong anti-debug, IJIAMI, Bangcle, etc.
22. ✅ Timing Randomization - Random delays to bypass timing-based anti-debug detection
23. ✅ Comprehensive File Operation Hooks - Hooks fopen, open, readlink, ptrace, tracepid, etc.
24. ✅ Enhanced Verification System - Detailed verification with success/failure reporting
3. ⚠️ Security and Responsible Use Notice
Important Security Warning
Android Armor Breaker is a high-privilege, dual-use tool for legitimate security research. Due to its powerful capabilities, it has been flagged by ClawHub Security as "suspicious". Please review this section carefully before use.
Legal and Ethical Requirements
- ✅ Only use on applications you own or have explicit written permission to analyze
- ✅ Comply with all applicable laws and regulations (DMCA, CFAA, GDPR, etc.)
- ✅ Respect intellectual property rights and licensing agreements
- ✅ Obtain proper authorization before analyzing any third-party applications
Safety Guidelines
1. Use Isolated Testing Environments: Test on dedicated Android devices or emulators, NOT personal or production devices
2. Required Permissions: Rooted Android device, ADB root access, frida-server
3. Script Inspection: Review all bundled scripts before execution
4. Memory Access Awareness: This tool reads process memory which may contain sensitive information
5. No External Data Transmission: Current version contains NO network calls or data exfiltration
Intended Use Cases
✅ Legitimate: Security research, penetration testing, malware analysis, education
❌ Prohibited: Unauthorized application analysis, intellectual property theft, piracy, privacy violation
By using this tool, you acknowledge that you have read, understood, and agree to comply with these guidelines and all applicable laws.
For complete security documentation, see SECURITY.md
4. Installation
3.1 Automatic Installation via OpenClaw
This skill is configured for automatic dependency installation. When installed through the OpenClaw skill system, it will automatically detect and install the following dependencies:
1. Frida Tools Suite (`frida-tools`) - Includes frida and frida-dexdump commands
2. Python3 - Script runtime environment
3. Android Debug Bridge (`adb`) - Device connection tool
3.2 Manual Dependency Installation
If not installed via OpenClaw, please manually install the following dependencies:
CODEBLOCK0
3.3 Skill File Structure
After installation, the skill file structure is as follows:
CODEBLOCK1
5. Usage Strategies
5.1 Recommended Workflow
Based on protection analysis results, follow this decision tree:
CODEBLOCK2
5.2 Root Memory Extraction - The Ultimate Bypass
The Root Memory Extractor is the most powerful tool against commercial reinforcements:
Key Advantages:
- ✅ Complete bypass: No application-layer detection (Frida scripts are not used)
- ✅ Static analysis: Reads memory directly via `/proc/<PID>/mem`
- ✅ High success rate: 95%+ for all commercial protections (with root access)
- ✅ Proven against: IJIAMI (爱加密), Bangcle (梆梆), 360 (360加固), Tencent (腾讯加固)
Usage Example:
CODEBLOCK3
Technical Details:
- Locates DEX memory regions via `/proc/<PID>/maps` (searching for anon:dalvik-DEX data)
- Extracts all readable regions using INLINECODE8
- Intelligently combines regions and crops to exact DEX size
- Validates DEX structure integrity before saving
5.3 Success Rates by Protection Type (Updated: 2026-04-10)
| Reinforcement Vendor | Frida-based | Enhanced Frida (v2.2.0) | Root Memory | VDEX Support | Notes |
|---|---|---|---|---|---|
| No reinforcement | 98% | 98% | 95% | N/A | Frida is faster |
| IJIAMI (爱加密) | 30-50% | 70-85% | 95%+ | N/A | Enhanced Frida improves success significantly |
| Bangcle (梆梆) | 10-20% | 50-65% | 90%+ | N/A | Still challenging, root recommended |
| 360加固 | 80% | 85-90% | 95%+ | N/A | Both work well |
| Tencent (腾讯) | 75% | 80-85% | 95%+ | N/A | Enhanced hooks improve Frida success |
| Baidu (百度) | 85% | 90-95% | 95%+ | N/A | Already good, minor improvement |
| NetEase Yidun (网易易盾) | 0-10% | 15-25% | 85%+ | ✅ Yes | VDEX format support added (v2.0.1) |
| Strong anti-debug style | 10-20% | 60-75% | 90%+ | N/A | Major improvement with enhanced anti-debug |
Key Improvements with v2.2.0:
- Strong anti-debug apps: +50% success rate with enhanced anti-debug bypass
- IJIAMI: +35% success rate with better hiding and timing
- Bangcle: +45% success rate with Thread.stop() and /proc file hooks
- General: +10% success rate with comprehensive hooking strategy
Recommendation Strategy:
1. First attempt: Enhanced Frida with anti-debug bypass
2. If fails: Root memory extraction (bypasses all application-layer detection)
3. If root not available: Memory snapshot attack
4. Last resort: Static analysis of encrypted configurations
6. Recent Breakthroughs (2026-03-30)
6.1 IJIAMI Commercial Reinforcement Bypassed
Breakthrough: Successfully extracted complete DEX from Example_App_1.0.0.apk (IJIAMI commercial edition).
Method Used: Root memory extraction via /proc/<PID>/mem direct reading.
Results:
- ✅ Main application DEX: 7.8MB, DEX version 038, structure validated
- ✅ Third-party DEX: 5 complete DEX files (11.7MB total)
- ✅ Total extracted: 6 DEX files, 19.5MB analyzable code
Technical Significance:
- Proved root memory reading completely bypasses IJIAMI's anti-debug
- Established new attack paradigm: static memory analysis > dynamic injection
- Technique applicable to all Android reinforcements (requires root)
6.2 Skill Updates
- Added `root_memory_extractor.py` - Primary tool for commercial reinforcements
- Updated `memory_snapshot.py` - Enhanced with root memory fallback
- Cleaned skill directory - Removed temporary files, focused on core scripts
- Updated documentation - Added usage strategies and success rates
6.3 VDEX Processing Capability Enhanced (v2.0.1)
Breakthrough: Successfully extracted DEX from NetEase Yidun VDEX (Verifier DEX) format, achieving complete runtime DEX extraction for a music streaming application.
VDEX Support Added:
1. ✅ Automatic VDEX detection - Detects `vdex` magic header (vdex027 format)
2. ✅ DEX extraction from VDEX - Extracts all embedded DEX files from VDEX data
3. ✅ Smart cropping integration - Enhanced `smart_crop_dex()` method with VDEX support
4. ✅ Multiple DEX file saving - Extracts and saves all DEX files found in VDEX
Test Results (2026-03-30):
- Music Streaming Application (VDEX protected):
  - ✅ Detected VDEX format: vdex027
  - ✅ Extracted 13 complete DEX files from 189MB VDEX data
  - ✅ Total DEX size: ≈100MB (including 71KB shell DEX)
  - ✅ All DEX files validated (DEX version 035)
- Smart Device Control Application (Encrypted mode):
  - ✅ Root memory extraction successful (1.6GB data)
  - ⚠️ Memory encryption detected (all-zero header)
  - ✅ Demonstrated NetEase Yidun dual protection modes:
    - Mode A (Strong encryption): Memory encryption with all-zero headers
    - Mode B (VDEX optimization): VDEX format with extractable DEX
Technical Implementation:
- New method: `is_vdex_data()` - VDEX format detection
- New method: `extract_dex_from_vdex()` - VDEX to DEX conversion
- Enhanced `smart_crop_dex()` - Auto-detects VDEX and extracts DEX
- Byte-by-byte sliding window search - Ensures all DEX files are found
- Validation system - Verifies DEX structure integrity before saving
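The integrity checks named here and in section 5.2 (DEX structure validation, `vdex` magic detection, the all-zero header seen in the encrypted-mode test) can be illustrated at the header level. The following is an added example, not code from this skill: `classify`, `validate_dex` and `make_sample_dex` are hypothetical names, the sample DEX is constructed, and only the public DEX header fields (magic, Adler-32 checksum, SHA-1 signature, `file_size`, `header_size`, `endian_tag`) are checked.

```python
import hashlib
import struct
import zlib

DEX_MAGIC, VDEX_MAGIC = b"dex\n", b"vdex"
HEADER_SIZE = 0x70             # fixed size of the DEX header
ENDIAN_CONSTANT = 0x12345678   # little-endian tag stored at offset 0x28


def classify(blob: bytes) -> str:
    """Triage a recovered blob by its first bytes."""
    if blob[:4] == VDEX_MAGIC and len(blob) >= 8:
        return "vdex" + blob[4:7].decode("ascii", "replace")
    if blob[:4] == DEX_MAGIC:
        return "dex"
    if len(blob) >= HEADER_SIZE and not any(blob[:HEADER_SIZE]):
        return "zeroed-header"
    return "unknown"


def validate_dex(blob: bytes) -> list:
    """Return header-level problems; an empty list means every check passed."""
    if len(blob) < HEADER_SIZE:
        return ["shorter than a DEX header"]
    problems = []
    version = blob[4:8]
    if blob[:4] != DEX_MAGIC or not version[:3].isdigit() or version[3] != 0:
        problems.append("bad magic or version")
    (checksum,) = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    file_size, header_size, endian = struct.unpack_from("<III", blob, 32)
    if header_size != HEADER_SIZE:
        problems.append("unexpected header_size")
    if endian != ENDIAN_CONSTANT:
        problems.append("unexpected endian_tag")
    if not HEADER_SIZE <= file_size <= len(blob):
        return problems + ["file_size out of range for this blob"]
    if file_size < len(blob):
        problems.append(f"{len(blob) - file_size} trailing bytes beyond file_size")
    dex = blob[:file_size]
    if zlib.adler32(dex[12:]) != checksum:            # covers bytes after the checksum
        problems.append("adler32 checksum mismatch")
    if hashlib.sha1(dex[32:]).digest() != signature:  # covers bytes after the signature
        problems.append("SHA-1 signature mismatch")
    return problems


def make_sample_dex(payload: bytes = bytes(16)) -> bytes:
    """Constructed sample: a 0x70-byte header plus payload, with valid hashes."""
    size = HEADER_SIZE + len(payload)
    tail = struct.pack("<III", size, HEADER_SIZE, ENDIAN_CONSTANT)
    tail = tail.ljust(HEADER_SIZE - 32, b"\x00") + payload
    sig = hashlib.sha1(tail).digest()
    return b"dex\n035\x00" + struct.pack("<I", zlib.adler32(sig + tail)) + sig + tail
```

A passing result only means the header is self-consistent; it does not prove the string, type and class tables inside the file are intact.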
Significance:
- First OpenClaw skill with VDEX processing capability
- Enables complete DEX extraction from NetEase Yidun commercial reinforcement
- Establishes foundation for ART/OAT format support
- Provides technical blueprint for future Android runtime format processing
6.4 Enhanced Anti-Debug Bypass for Strong Protections (v2.2.0 - 2026-04-10)
Breakthrough: Significantly improved anti-debug bypass capabilities targeting strong anti-debug style protections that previously caused "script has been destroyed" errors.
Enhanced Anti-Debug Features:
1. ✅ Thread.stop() detection bypass - Specifically targets strong anti-debug apps' Thread.stop() overload detection
2. ✅ /proc file access hiding - Hides sensitive /proc/self/status, /proc/self/maps files
3. ✅ Tracepid system call blocking - Blocks tracepid() calls used by advanced anti-debug
4. ✅ Enhanced Frida hiding - Better hiding of Frida threads and memory mappings
5. ✅ Timing randomization - Random delays to bypass timing-based detection
6. ✅ Multiple file operation hooks - Hooks fopen, open, readlink, etc. to hide debugger traces
Optimized Protection Type Detection:
- Auto-detection: Automatically detects protection type (strong anti-debug, IJIAMI, Bangcle, etc.)
- Targeted optimizations: Applies specific optimizations based on detected protection
- Configuration tuning: Adjusts injection delays, heartbeat intervals for different protections
Technical Implementation:
- Enhanced `antidebug_bypass.py` with strong anti-debug specific optimizations
- Multi-layer hooking strategy (Java + Native + System)
- Dynamic configuration based on protection type detection
- Improved verification system with detailed results reporting
Usage Example:
CODEBLOCK4
Success Rate Improvement:
| Protection Type | Before v2.2.0 | After v2.2.0 | Improvement |
|---|---|---|---|
| Strong anti-debug apps | 10-20% | 60-75% | +50% points |
| IJIAMI Commercial | 30-50% | 70-85% | +35% points |
| Bangcle | 10-20% | 50-65% | +45% points |
| General Protections | 80-90% | 90-95% | +10% points |
6.5 Handling Strong Anti-Debug Applications
Problem: Applications like ExampleApp4.7.6.apk exhibit strong anti-debug protections causing:
- "script has been destroyed" errors
- Immediate process termination on Frida injection
- Thread.stop() overload detection
- /proc file scanning for debugger traces
Solution Workflow:
1. Analysis First:
CODEBLOCK5
2. Enhanced Anti-Debug Bypass:
CODEBLOCK6
3. Root Memory Extraction (if Frida fails):
CODEBLOCK7
4. Memory Snapshot Attack (for immediate crashes):
CODEBLOCK8
Key Techniques for Strong Anti-debug Apps:
- Thread.stop() interception: Prevents anti-debug from terminating Frida
- /proc file redirection: Redirects /proc/self/status to /dev/null
- Delayed injection: 20-second delay to bypass startup detection
- Memory mapping hiding: Hides Frida's memory regions from scans
Fallback Strategies:
1. Primary: Enhanced Frida with anti-debug bypass
2. Secondary: Root memory extraction (bypasses all application-layer detection)
3. Tertiary: Memory snapshot attack (for immediately crashing apps)
4. Last Resort: Static analysis of encrypted configs (as demonstrated with tik.tunnel.pro)
6.6 Skill Optimization Summary (2026-04-10)
Completed Optimizations:
1. ✅ Anti-debug enhancement - Major upgrade to handle strong anti-debug style protections
2. ✅ Internationalization completion - Full English/Chinese support in all core modules
3. ✅ Code quality improvements - Syntax validation, import testing
4. ✅ Documentation updates - Added strong anti-debug case study and success rates
Remaining Technical Debt:
1. ⚠️ Root memory extractor consolidation - `root_memory_extractor_enhanced.py` needs evaluation
2. ⚠️ Test suite expansion - Need comprehensive functional tests
3. ⚠️ Performance optimization - Large memory dump processing can be optimized
Future Roadmap:
1. Q2 2026: Consolidate root memory extraction scripts
2. Q2 2026: Add automated test suite with mock APKs
3. Q3 2026: Enhance VDEX/ART/OAT format support
4. Q3 2026: Add AI-assisted unpacking strategy selection
Current Status:
- Overall Health: ✅ Good (8.2/10)
- Strong Anti-debug Success Rate: ⚠️ Moderate (60-75% with new enhancements)
- Code Maintainability: ✅ Good
- Documentation: ✅ Comprehensive
- Internationalization: ✅ Complete
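1. Name
android-armor-breaker
2. Description
Android Armor Breaker - Multi-strategy unpacking technology for the OpenClaw platform, targeting commercial to enterprise-level Android application protection solutions. Combines Frida-based dynamic injection, root memory static analysis, and intelligent DEX extraction to provide complete APK reinforcement analysis and DEX extraction solutions.
Frida Unpacking Technology: Commercial-grade reinforcement breakthrough solution based on the Frida framework, supporting advanced features such as deep search and anti-debug bypass.
Core Features:
1. ✅ APK Reinforcement Analysis - Static analysis of APK files to identify reinforcement vendors and protection levels
2. ✅ Environment Check - Automatically checks the Frida environment, device connection, app installation status, and root permissions
3. ✅ Intelligent Unpacking - Automatically selects the best unpacking strategy based on protection level
4. ✅ Real-time Monitoring Interface - Tracks the DEX file extraction process and displays progress in real time
5. ✅ DEX Integrity Verification - Verifies the integrity and validity of generated DEX files
6. ✅ Root Memory Extraction - Reads memory directly via root permissions, completely bypassing application-layer anti-debug (verified against IJIAMI, Bangcle, etc.)
Enhanced Features (for commercial reinforcement):
7. ✅ Application Warm-up Mechanism - Waits + simulates operations to trigger more DEX loading
8. ✅ Multiple Unpacking Attempts - Unpacks at multiple time points and merges results to improve coverage
9. ✅ Dynamic Loading Detection - Specifically detects dynamically loaded files such as baiduprotect*.dex
10. ✅ Deep Integrity Verification - Multi-dimensional verification including file headers, size, Baidu protection features, etc.
11. ✅ Commercial Reinforcement Bypass - Root memory static analysis that completely bypasses IJIAMI, Bangcle, 360, Tencent, and other commercial protections (success rate 95%+ with root access)
12. ✅ VDEX Format Processing - Automatically detects and extracts DEX files from the VDEX (Verifier DEX) format, targeting NetEase Yidun reinforcement (vdex027 format supported)
Internationalization Features (v2.2.0):
13. ✅ Multi-language Support - Full support for English and Chinese environments
14. ✅ Internationalized Logging - Unified internationalized logging system
15. ✅ Language Parameter - Supports the `--language en-US/zh-CN` parameter
16. ✅ Backward Compatibility - Defaults to English, no impact on existing functionality
17. ✅ Unified Experience - All core features support bilingual switching
Anti-Debug Enhancement Features (v2.2.0 - 2026-04-10):
18. ✅ Strong Anti-debug Protection Bypass - Specialized techniques for Thread.stop() detection and /proc file hiding
19. ✅ Enhanced Frida Hiding - Better hiding of Frida threads, memory mappings, and modules
20. ✅ Multi-layer Hook Strategy - Java layer + Native layer + system call hooks
21. ✅ Protection Type Auto-detection - Automatically detects and applies optimizations for strong anti-debug, IJIAMI, Bangcle, etc.
22. ✅ Timing Randomization - Random delays to bypass timing-based anti-debug detection
23. ✅ Comprehensive File Operation Hooks - Hooks fopen, open, readlink, ptrace, tracepid, etc.
24. ✅ Enhanced Verification System - Detailed verification with success/failure reporting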
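3. ⚠️ Security and Responsible Use Notice
Important Security Warning
Android Armor Breaker is a high-privilege, dual-use tool for legitimate security research. Due to its powerful capabilities, it has been flagged as suspicious by ClawHub Security. Please read this section carefully before use.
Legal and Ethical Requirements
- ✅ Only use on applications you own or have explicit written permission to analyze
- ✅ Comply with all applicable laws and regulations (DMCA, CFAA, GDPR, etc.)
- ✅ Respect intellectual property rights and licensing agreements
- ✅ Obtain proper authorization before analyzing any third-party applications
Safety Guidelines
1. Use Isolated Testing Environments: Test on dedicated Android devices or emulators, not personal or production devices
2. Required Permissions: Rooted Android device, ADB root access, frida-server
3. Script Inspection: Review all bundled scripts before execution
4. Memory Access Awareness: This tool reads process memory, which may contain sensitive information
5. No External Data Transmission: The current version contains no network calls or data exfiltration
Intended Use Cases
✅ Legitimate: Security research, penetration testing, malware analysis, education
❌ Prohibited: Unauthorized application analysis, intellectual property theft, piracy, privacy violation
By using this tool, you confirm that you have read, understood, and agree to comply with these guidelines and all applicable laws.
For complete security documentation, see SECURITY.md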
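4. Installation
3.1 Automatic Installation via OpenClaw
This skill is configured for automatic dependency installation. When installed through the OpenClaw skill system, it will automatically detect and install the following dependencies:
1. Frida Tools Suite (`frida-tools`) - Includes the frida and frida-dexdump commands
2. Python3 - Script runtime environment
3. Android Debug Bridge (`adb`) - Device connection tool
3.2 Manual Dependency Installation
If not installed via OpenClaw, please manually install the following dependencies:
```bash
# Install Frida tools
pip install frida-tools
# Install Python3 (if not installed)
sudo apt-get install python3 python3-pip
# Install ADB
sudo apt-get install adb
# Run frida-server on the Android device
# 1. Download the frida-server build for the matching architecture
# 2. Push it to the device: adb push frida-server /data/local/tmp/
# 3. Set permissions and run: adb shell "chmod 755 /data/local/tmp/frida-server && /data/local/tmp/frida-server"
```
3.3 Skill File Structure
After installation, the skill file structure is as follows:
```
android-armor-breaker/
├── SKILL.md                      # Skill documentation
├── _meta.json                    # Skill metadata
├── LICENSE                       # MIT license
├── scripts/                      # Executable scripts directory
│   ├── android-armor-breaker     # Main wrapper script
│   ├── apkprotectionanalyzer.py  # APK reinforcement analyzer
│   ├── enhanceddexdumprunner.py  # Enhanced unpacking runner (Frida-based)
│   ├── root_memory_extractor.py  # Root memory static extraction (bypasses commercial protections)
│   ├── memory_snapshot.py        # Memory snapshot attack (gdbserver + root fallback)
│   ├── antidebug_bypass.py       # Anti-debug bypass module
│   ├── bangcle_bypass.js         # Bangcle reinforcement bypass script
│   ├── bangclebypassrunner.py    # Bangcle bypass runner
│   ├── fridamemoryscanner.js     # Frida memory scanning tool
│   └── libDexHelper_original.so  # Bangcle analysis reference library
└── .clawhub/                     # ClawHub publishing configuration
    └── origin.json               # Publishing source information
```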
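5. Usage Strategies
5.1 Recommended Workflow
Based on protection analysis results, follow this decision tree:
```
1. Analyze APK reinforcement:
   python3 scripts/apkprotectionanalyzer.py --apk
2. Choose an unpacking strategy:
   - No reinforcement or basic protection → use Frida-based unpacking
   - Commercial reinforcement (IJIAMI, Bangcle, 360, Tencent) → use root memory extraction
   - Extreme anti-debug (app crashes immediately) → use memory snapshot attack
3. Execute the chosen strategy:
   # Frida-based (standard)
   ./scripts/android-armor-breaker --package <package name>
   # Root memory extraction (bypasses commercial protections)
   python3 scripts/root_memory_extractor.py --package <package name>
   # Memory snapshot (for crashing apps)
   python3 scripts/memory_snapshot.py --package <package name>
```
5.2 Root Memory Extraction - The Ultimate Bypass
The Root Memory Extractor is the most powerful tool against commercial reinforcements:
Key Advantages:
- ✅ Complete bypass: No application-layer detection (Frida scripts are not used)
- ✅ Static analysis: Reads memory directly via `/proc/<PID>/mem`
- ✅ High success rate: 95%+ for all commercial protections (requires root access)
- ✅ Verified against: IJIAMI, Bangcle, 360 Jiagu, Tencent Jiagu
Usage Example:
```bash
# 1. Ensure the device has root access
adb shell "su -c 'echo root_ok'"
# 2. Run the root memory extractor
python3 scripts/root_memory_extractor.py --package com.target.app --verbose
#
```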