[Hands-on cracking] 白描 (Baimiao): hooking the signature check with a dynamic proxy
This post was last edited by 正己 on 2021-10-13 11:02.

Tools used:
1. 白描 (Baimiao) 3.2.1
2. MT Manager
3. Android Studio
# 1. Log analysis
***
Same routine as always: re-sign the APK first and, sure enough, it crashes on launch.
From the log I initially assumed the check lived in the native (.so) layer.
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/Screenshot_2021-10-11-12-33-26-158_com.jpg)
So I hooked a few methods of that class. The hooks printed their results fine, but when I hard-coded those return values the app still crashed.
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/Screenshot_2021-10-12-19-21-05-291_bin.jpg)
![](https://cdn.jsdelivr.net/gh/ZJ595/Picgo-img@main/img/20211012194101.png)
# 2. Java analysis and dynamic proxy
***
After several more attempts it still crashed, so I asked 芽衣 for advice; he said the Java layer had not been dealt with yet. So it was back to the Java layer. I had recently read a post about defeating signature checks by hooking PMS (PackageManagerService), and I wanted to try that method with my own hands.
[Post link](https://www.jianshu.com/p/C559852c4878)
According to that post, the key is these two points:
```
Use a dynamic proxy to replace these two fields:
the static field sPackageManager of ActivityThread
the mPM field inside the ApplicationPackageManager object
```
So, following the post, first create two classes, ServiceManagerWraper and PmsHookBinderInvocationHandler, and convert the Java into smali with the java2smali plugin for Android Studio.
![](https://cdn.jsdelivr.net/gh/ZJ595/Picgo-img@main/img/20211012201013.png)
The code is as follows:
```
.class public Lzhengji/Hook/PmsHookBinderInvocationHandler;
.super Ljava/lang/Object;
.source "PmsHookBinderInvocationHandler.java"
# interfaces
.implements Ljava/lang/reflect/InvocationHandler;
# static fields
.field public static final SHARK:Ljava/lang/String; = "\u6b63\u5df1"
# instance fields
.field private SIGN:Ljava/lang/String;
.field private appPkgName:Ljava/lang/String;
.field private base:Ljava/lang/Object;
# direct methods
.method public constructor <init>(Ljava/lang/Object;Ljava/lang/String;Ljava/lang/String;I)V
.registers 9
.param p1, "base" # Ljava/lang/Object;
.param p2, "sign" # Ljava/lang/String;
.param p3, "appPkgName" # Ljava/lang/String;
.param p4, "hashCode" # I
.prologue
.line 20
invoke-direct {p0}, Ljava/lang/Object;-><init>()V
.line 18
const-string v1, ""
iput-object v1, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->appPkgName:Ljava/lang/String;
.line 22
:try_start_7
iput-object p1, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->base:Ljava/lang/Object;
.line 23
iput-object p2, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->SIGN:Ljava/lang/String;
.line 24
iput-object p3, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->appPkgName:Ljava/lang/String;
:try_end_d
.catch Ljava/lang/Exception; {:try_start_7 .. :try_end_d} :catch_e
.line 28
:goto_d
return-void
.line 25
:catch_e
move-exception v0
.line 26
.local v0, "e":Ljava/lang/Exception;
const-string v1, "\u6b63\u5df1"
new-instance v2, Ljava/lang/StringBuilder;
invoke-direct {v2}, Ljava/lang/StringBuilder;-><init>()V
const-string v3, "error:"
invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v2
invoke-static {v0}, Landroid/util/Log;->getStackTraceString(Ljava/lang/Throwable;)Ljava/lang/String;
move-result-object v3
invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v2
invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v2
invoke-static {v1, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
goto :goto_d
.end method
# virtual methods
.method public invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object;
.registers 11
.param p1, "proxy" # Ljava/lang/Object;
.param p2, "method" # Ljava/lang/reflect/Method;
.param p3, "args" # [Ljava/lang/Object;
.annotation system Ldalvik/annotation/Throws;
value = {
Ljava/lang/Throwable;
}
.end annotation
.prologue
const/4 v6, 0x0
.line 32
const-string v4, "\u6b63\u5df1"
invoke-virtual {p2}, Ljava/lang/reflect/Method;->getName()Ljava/lang/String;
move-result-object v5
invoke-static {v4, v5}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
.line 34
const-string v4, "getPackageInfo"
invoke-virtual {p2}, Ljava/lang/reflect/Method;->getName()Ljava/lang/String;
move-result-object v5
invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v4
if-eqz v4, :cond_43
.line 35
aget-object v2, p3, v6
check-cast v2, Ljava/lang/String;
.line 36
.local v2, "pkgName":Ljava/lang/String;
const/4 v4, 0x1
aget-object v0, p3, v4
check-cast v0, Ljava/lang/Integer;
.line 38
.local v0, "flag":Ljava/lang/Integer;
invoke-virtual {v0}, Ljava/lang/Integer;->intValue()I
move-result v4
const/16 v5, 0x40
if-ne v4, v5, :cond_43
iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->appPkgName:Ljava/lang/String;
invoke-virtual {v4, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v4
if-eqz v4, :cond_43
.line 40
new-instance v3, Landroid/content/pm/Signature;
iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->SIGN:Ljava/lang/String;
invoke-direct {v3, v4}, Landroid/content/pm/Signature;-><init>(Ljava/lang/String;)V
.line 41
.local v3, "sign":Landroid/content/pm/Signature;
iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->base:Ljava/lang/Object;
invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
move-result-object v1
check-cast v1, Landroid/content/pm/PackageInfo;
.line 42
.local v1, "info":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;
aput-object v3, v4, v6
.line 46
.end local v0 # "flag":Ljava/lang/Integer;
.end local v1 # "info":Landroid/content/pm/PackageInfo;
.end local v2 # "pkgName":Ljava/lang/String;
.end local v3 # "sign":Landroid/content/pm/Signature;
:goto_42
return-object v1
:cond_43
iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->base:Ljava/lang/Object;
invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
move-result-object v1
goto :goto_42
.end method
```
```
.class public Lzhengji/Hook/ServiceManagerWraper;
.super Ljava/lang/Object;
.source "ServiceManagerWraper.java"
# static fields
.field public static final SHARK:Ljava/lang/String; = "\u6b63\u5df1"
# direct methods
.method public constructor <init>()V
.registers 1
.prologue
.line 11
invoke-direct {p0}, Ljava/lang/Object;-><init>()V
return-void
.end method
.method public static hookPMS(Landroid/content/Context;)V
.registers 4
.param p0, "context" # Landroid/content/Context;
.prologue
.line 45
const-string v0, "..." # the original signing certificate as a hex string (value omitted on the page)
.line 46
.local v0, "Sign":Ljava/lang/String;
const-string v1, "com.uzero.baimiao"
const/4 v2, 0x0
invoke-static {p0, v0, v1, v2}, Lzhengji/Hook/ServiceManagerWraper;->hookPMS(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;I)V
.line 47
return-void
.end method
.method public static hookPMS(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;I)V
.registers 20
.param p0, "context" # Landroid/content/Context;
.param p1, "signed" # Ljava/lang/String;
.param p2, "appPkgName" # Ljava/lang/String;
.param p3, "hashCode" # I
.prologue
.line 18
:try_start_0
const-string v12, "android.app.ActivityThread"
invoke-static {v12}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
move-result-object v2
.line 19
.local v2, "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
const-string v12, "currentActivityThread"
const/4 v13, 0x0
new-array v13, v13, [Ljava/lang/Class;
.line 20
invoke-virtual {v2, v12, v13}, Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
move-result-object v4
.line 21
.local v4, "currentActivityThreadMethod":Ljava/lang/reflect/Method;
const/4 v12, 0x0
const/4 v13, 0x0
new-array v13, v13, [Ljava/lang/Object;
invoke-virtual {v4, v12, v13}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
move-result-object v3
.line 23
.local v3, "currentActivityThread":Ljava/lang/Object;
const-string v12, "sPackageManager"
invoke-virtual {v2, v12}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;
move-result-object v11
.line 24
.local v11, "sPackageManagerField":Ljava/lang/reflect/Field;
const/4 v12, 0x1
invoke-virtual {v11, v12}, Ljava/lang/reflect/Field;->setAccessible(Z)V
.line 25
invoke-virtual {v11, v3}, Ljava/lang/reflect/Field;->get(Ljava/lang/Object;)Ljava/lang/Object;
move-result-object v10
.line 27
.local v10, "sPackageManager":Ljava/lang/Object;
const-string v12, "android.content.pm.IPackageManager"
invoke-static {v12}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
move-result-object v6
.line 29
.local v6, "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
invoke-virtual {v6}, Ljava/lang/Class;->getClassLoader()Ljava/lang/ClassLoader;
move-result-object v12
const/4 v13, 0x1
new-array v13, v13, [Ljava/lang/Class;
const/4 v14, 0x0
aput-object v6, v13, v14
new-instance v14, Lzhengji/Hook/PmsHookBinderInvocationHandler;
const/4 v15, 0x0
move-object/from16 v0, p1
move-object/from16 v1, p2
invoke-direct {v14, v10, v0, v1, v15}, Lzhengji/Hook/PmsHookBinderInvocationHandler;-><init>(Ljava/lang/Object;Ljava/lang/String;Ljava/lang/String;I)V
.line 28
invoke-static {v12, v13, v14}, Ljava/lang/reflect/Proxy;->newProxyInstance(Ljava/lang/ClassLoader;[Ljava/lang/Class;Ljava/lang/reflect/InvocationHandler;)Ljava/lang/Object;
move-result-object v9
.line 33
.local v9, "proxy":Ljava/lang/Object;
invoke-virtual {v11, v3, v9}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V
.line 35
invoke-virtual/range {p0 .. p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
move-result-object v8
.line 36
.local v8, "pm":Landroid/content/pm/PackageManager;
invoke-virtual {v8}, Ljava/lang/Object;->getClass()Ljava/lang/Class;
move-result-object v12
const-string v13, "mPM"
invoke-virtual {v12, v13}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;
move-result-object v7
.line 37
.local v7, "mPmField":Ljava/lang/reflect/Field;
const/4 v12, 0x1
invoke-virtual {v7, v12}, Ljava/lang/reflect/Field;->setAccessible(Z)V
.line 38
invoke-virtual {v7, v8, v9}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V
:try_end_5b
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_5b} :catch_5c
.line 42
.end local v2 # "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
.end local v3 # "currentActivityThread":Ljava/lang/Object;
.end local v4 # "currentActivityThreadMethod":Ljava/lang/reflect/Method;
.end local v6 # "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
.end local v7 # "mPmField":Ljava/lang/reflect/Field;
.end local v8 # "pm":Landroid/content/pm/PackageManager;
.end local v9 # "proxy":Ljava/lang/Object;
.end local v10 # "sPackageManager":Ljava/lang/Object;
.end local v11 # "sPackageManagerField":Ljava/lang/reflect/Field;
:goto_5b
return-void
.line 39
:catch_5c
move-exception v5
.line 40
.local v5, "e":Ljava/lang/Exception;
const-string v12, "\u6b63\u5df1"
new-instance v13, Ljava/lang/StringBuilder;
invoke-direct {v13}, Ljava/lang/StringBuilder;-><init>()V
const-string v14, "hook pms error:"
invoke-virtual {v13, v14}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v13
invoke-static {v5}, Landroid/util/Log;->getStackTraceString(Ljava/lang/Throwable;)Ljava/lang/String;
move-result-object v14
invoke-virtual {v13, v14}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v13
invoke-virtual {v13}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v13
invoke-static {v12, v13}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
goto :goto_5b
.end method
```
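The generated smali above is hard to read, so here is the same hook written out in Java as an added example. It is my own code, not the post's and not the HookPmsSignature project's; the package name `zhengji.hook`, the class names and the `install` signature are my choices. It deliberately differs from the handler above in three ways: it tests the GET_SIGNATURES bit with a mask instead of requiring flags to equal 0x40 exactly, it replaces every entry of `signatures` rather than only index 0, and it accepts the flags argument as any `Number`, so it keeps working on releases where the binder interface passes that argument as a long.

```java
// Added example, not code from the original post or from HookPmsSignature.
// Build it into a dex (java2smali or d8), import the dex with MT Manager and call
//   PmsSignatureHook.install(base, "<hex of the original cert>", "com.uzero.baimiao");
// from the app's attachBaseContext(Context base).
package zhengji.hook; // package name chosen for this example

import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Log;

import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public final class PmsSignatureHook {
    private static final String TAG = "PmsSignatureHook";

    private PmsSignatureHook() {}

    /** Swaps the process-wide IPackageManager binder proxy for a dynamic proxy. */
    public static void install(Context context, String originalSignatureHex, String appPkgName) {
        try {
            // ActivityThread.sPackageManager caches the IPackageManager proxy for the whole process.
            Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
            Method currentActivityThread = activityThreadClass.getDeclaredMethod("currentActivityThread");
            currentActivityThread.setAccessible(true);
            Object activityThread = currentActivityThread.invoke(null);

            Field sPackageManagerField = activityThreadClass.getDeclaredField("sPackageManager");
            sPackageManagerField.setAccessible(true);
            Object realPms = sPackageManagerField.get(activityThread);

            Class<?> iPackageManager = Class.forName("android.content.pm.IPackageManager");
            Object proxy = Proxy.newProxyInstance(
                    iPackageManager.getClassLoader(),
                    new Class<?>[] {iPackageManager},
                    new SignatureSpoofer(realPms, originalSignatureHex, appPkgName));
            sPackageManagerField.set(activityThread, proxy);

            // The ApplicationPackageManager handed out by the Context keeps its own
            // reference in mPM, so that field has to be replaced as well.
            PackageManager pm = context.getPackageManager();
            Field mPmField = pm.getClass().getDeclaredField("mPM");
            mPmField.setAccessible(true);
            mPmField.set(pm, proxy);
        } catch (Exception e) {
            Log.e(TAG, "hook pms error: " + Log.getStackTraceString(e));
        }
    }

    /** Forwards every call to the real binder proxy; rewrites getPackageInfo(GET_SIGNATURES). */
    private static final class SignatureSpoofer implements InvocationHandler {
        private final Object base;
        private final Signature fakeSignature;
        private final String appPkgName;

        SignatureSpoofer(Object base, String signatureHex, String appPkgName) {
            this.base = base;
            this.fakeSignature = new Signature(signatureHex); // same hex that MT Manager displays
            this.appPkgName = appPkgName;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            Object result;
            try {
                result = method.invoke(base, args);
            } catch (InvocationTargetException e) {
                // Rethrow the real cause (e.g. RemoteException) so callers see the declared
                // exception instead of an UndeclaredThrowableException.
                Throwable cause = e.getCause();
                throw cause != null ? cause : e;
            }
            if ("getPackageInfo".equals(method.getName())
                    && args != null && args.length >= 2
                    && appPkgName.equals(args[0])
                    && args[1] instanceof Number // int on older releases, long on newer ones
                    && (((Number) args[1]).longValue() & PackageManager.GET_SIGNATURES) != 0
                    && result instanceof PackageInfo) {
                PackageInfo info = (PackageInfo) result;
                if (info.signatures != null) {
                    for (int i = 0; i < info.signatures.length; i++) {
                        info.signatures[i] = fakeSignature;
                    }
                }
            }
            return result;
        }
    }
}
```

Two limits worth knowing before relying on it: the hook only sees what goes through `IPackageManager`, so a check that reads `PackageInfo.signingInfo` (GET_SIGNING_CERTIFICATES) or that parses the APK's signing block in native code is not covered, and unwrapping `InvocationTargetException` matters because an app that catches `RemoteException` around the call would otherwise crash on the unexpected `UndeclaredThrowableException`.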
There are two things to note about the hookPMS method of ServiceManagerWraper. First, the second argument, sign, is the original signing certificate as a hex string; it can be read directly in MT Manager as follows:
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/IMG_20211012_165803.jpg)
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/IMG_20211012_165836.jpg)
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/IMG_20211012_165932.jpg)
Second, the third argument is the package name (here com.uzero.baimiao). One caveat that the handler's own check reveals: it only rewrites the result when the package name matches and the flags argument equals 0x40 (PackageManager.GET_SIGNATURES) exactly, and it only replaces signatures[0]. A check that ORs GET_SIGNATURES with other flags, or that reads signingInfo via GET_SIGNING_CERTIFICATES, passes through untouched.
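MT Manager shows the value in the screenshots above; as an added example that is not part of the post, here is a small Java command-line tool that extracts the same string from the APK itself. It reads the v1 (JAR) signature block(s) under META-INF, parses the PKCS#7 SignedData with the JDK's CertificateFactory and prints the DER-encoded certificate as lowercase hex, which is exactly what `new Signature(String)` parses. The class name and the APK file name in the usage comment are placeholders.

```java
// Added example, not code from the original post. Usage (file name is a placeholder):
//   javac ApkSignerCert.java && java ApkSignerCert baimiao-original.apk
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;
import java.util.Locale;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public final class ApkSignerCert {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ApkSignerCert <apk>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        boolean found = false;
        try (ZipFile apk = new ZipFile(args[0])) {
            Enumeration<? extends ZipEntry> entries = apk.entries();
            while (entries.hasMoreElements()) {
                ZipEntry entry = entries.nextElement();
                String name = entry.getName();
                String upper = name.toUpperCase(Locale.ROOT);
                // v1 signature blocks (CERT.RSA etc.) are PKCS#7 SignedData files carrying the signer cert
                if (!upper.startsWith("META-INF/")
                        || !(upper.endsWith(".RSA") || upper.endsWith(".DSA") || upper.endsWith(".EC"))) {
                    continue;
                }
                try (InputStream in = apk.getInputStream(entry)) {
                    // The X.509 CertificateFactory accepts PKCS#7 input and yields the certs inside it
                    for (Certificate cert : cf.generateCertificates(in)) {
                        byte[] der = cert.getEncoded();
                        found = true;
                        System.out.println(name);
                        System.out.println("  signature hex : " + toHex(der));
                        System.out.println("  SHA-256       : " + toHex(sha256.digest(der)));
                    }
                }
            }
        }
        if (!found) {
            System.err.println("no v1 signature block under META-INF; the APK may be v2/v3-only signed");
            System.exit(1);
        }
    }

    /** Lowercase hex, two characters per byte, the same layout as Signature.toCharsString(). */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xf, 16));
            sb.append(Character.forDigit(b & 0xf, 16));
        }
        return sb.toString();
    }
}
```

Run it against the original, unmodified APK, not the re-signed one, and use the signer (leaf) certificate if a block happens to contain a chain. An APK signed only with the v2/v3 scheme has no META-INF/*.RSA entry at all; the tool says so, and in that case the certificate has to be taken from the APK Signing Block instead (`apksigner verify --print-certs` at least shows its fingerprints).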
Next, in MT Manager, import the dex file I built.
Last step: according to the post, our hookPMS has to be called from attachBaseContext. Searching the dex for that method gives two hits; either will do, and here I pick the first one.
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/Screenshot_2021-10-12-20-38-01-251_bin.png)
The calling code is below. p1 is the Context parameter of attachBaseContext (p0 is this), and the class descriptor must match the `.class` line of the dex you imported, which for the code above is `Lzhengji/Hook/ServiceManagerWraper;`:
`invoke-static {p1}, Lzhengji/Hook/ServiceManagerWraper;->hookPMS(Landroid/content/Context;)V`
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/Screenshot_2021-10-12-20-39-27-356_bin.png)
With that, the signature check is defeated and the app opens and runs normally.
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/Screenshot_2021-10-12-20-41-17-855_com.jpg)
# **3. Summary**
***
This method only works against simple Java-layer checks. It is in fact the principle behind MT Manager's "remove signature check" feature (I only found that out afterwards; 四哥, the author of the project linked below, open-sourced the idea five years ago, and only now am I learning a five-year-old open-source project. I'm really a noob.)
No cracked build is provided; the app is well made, so please support the official version if you can.
[Project](https://github.com/fourbrother/HookPmsSignature)
Attachment: https://www.lanzouw.com/iT0hkv9ht7i

***
Replies

> After several more attempts it still crashed, so I asked 芽衣 for advice; he said the Java layer had not been dealt with yet. So it was back to the Java layer. I had recently read a post about defeating signature checks by hooking PMS, and I wanted to try that method with my own hands.

Reads really well, liked.

侃遍天下无二人 posted on 2021-10-13 09:44:
> I don't really get it; maybe it will suddenly click the day I need it. After all, I had never touched Android reversing before, then got into it because I had to clone some plugin, ...

Once you have patched enough apps you will run into all sorts of signature checks, obfuscation and packers.

First!

Good, learning something.

I'll try later whether it works on mine.

I can't even understand something from five years ago; I'm really too much of a noob.

zhangxu888 posted on 2021-10-12 21:14:
> I'll try later whether it works on mine.

If MT's signature removal can't handle it, this won't either, haha.

lianquke posted on 2021-10-12 21:14:
> After several more attempts it still crashed, so I asked 芽衣 for advice; he said the Java layer had not been dealt with yet. So it was back to the Java layer, and since I had recently ...

Practice more; real knowledge comes from doing.

Front row, watching the expert at work.

yuanyxh posted on 2021-10-12 21:15:
> I can't even understand something from five years ago; I'm really too much of a noob.

If you don't get it, read it a few more times.