正己 posted on 2021-10-12 20:50

[Hands-on cracking] 白描 (Baimiao): hooking the signature check with a dynamic proxy

Last edited by 正己 on 2021-10-13 11:02

1. 白描 3.2.1
2. MT管理器 (MT Manager)
3. Android Studio
# I. Log analysis
***
As usual, the first thing is to re-sign the APK; sure enough, it crashes on launch.
From the log I initially assumed the check lived in the so (native) layer.
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/Screenshot_2021-10-11-12-33-26-158_com.jpg)
So I hooked several methods in that class. They did print results, but when I hard-coded those return values it still crashed.
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/Screenshot_2021-10-12-19-21-05-291_bin.jpg)
![](https://cdn.jsdelivr.net/gh/ZJ595/Picgo-img@main/img/20211012194101.png)
# II. Java analysis and dynamic proxy
***
After several more attempts it still crashed, so I asked 芽衣大神, who said the Java layer hadn't been dealt with yet. So, back to the Java layer. I had recently read a post about defeating signature checks by hooking PMS (PackageManagerService), so I wanted to try that method myself.
[Post link](https://www.jianshu.com/p/C559852c4878)
According to that post, the two key points are:
```
Use a dynamic proxy to replace these two fields:
the static field sPackageManager of ActivityThread
the mPM field of the ApplicationPackageManager object
```
So, following the post, first create two classes, ServiceManagerWraper and PmsHookBinderInvocationHandler, and convert the Java to smali with the java2smali plugin for AS (Android Studio).
![](https://cdn.jsdelivr.net/gh/ZJ595/Picgo-img@main/img/20211012201013.png)
The code is as follows:
```smali
.class public Lzhengji/Hook/PmsHookBinderInvocationHandler;
.super Ljava/lang/Object;
.source "PmsHookBinderInvocationHandler.java"

# interfaces
.implements Ljava/lang/reflect/InvocationHandler;


# static fields
.field public static final SHARK:Ljava/lang/String; = "\u6b63\u5df1"


# instance fields
.field private SIGN:Ljava/lang/String;

.field private appPkgName:Ljava/lang/String;

.field private base:Ljava/lang/Object;


# direct methods
.method public constructor <init>(Ljava/lang/Object;Ljava/lang/String;Ljava/lang/String;I)V
    .registers 9
    .param p1, "base"    # Ljava/lang/Object;
    .param p2, "sign"    # Ljava/lang/String;
    .param p3, "appPkgName"    # Ljava/lang/String;
    .param p4, "hashCode"    # I

    .prologue
    .line 20
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    .line 18
    const-string v1, ""

    iput-object v1, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->appPkgName:Ljava/lang/String;

    .line 22
    :try_start_7
    iput-object p1, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->base:Ljava/lang/Object;

    .line 23
    iput-object p2, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->SIGN:Ljava/lang/String;

    .line 24
    iput-object p3, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->appPkgName:Ljava/lang/String;
    :try_end_d
    .catch Ljava/lang/Exception; {:try_start_7 .. :try_end_d} :catch_e

    .line 28
    :goto_d
    return-void

    .line 25
    :catch_e
    move-exception v0

    .line 26
    .local v0, "e":Ljava/lang/Exception;
    const-string v1, "\u6b63\u5df1"

    new-instance v2, Ljava/lang/StringBuilder;

    invoke-direct {v2}, Ljava/lang/StringBuilder;-><init>()V

    const-string v3, "error:"

    invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v2

    invoke-static {v0}, Landroid/util/Log;->getStackTraceString(Ljava/lang/Throwable;)Ljava/lang/String;

    move-result-object v3

    invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v2

    invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v2

    invoke-static {v1, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    goto :goto_d
.end method


# virtual methods
.method public invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object;
    .registers 11
    .param p1, "proxy"    # Ljava/lang/Object;
    .param p2, "method"    # Ljava/lang/reflect/Method;
    .param p3, "args"    # [Ljava/lang/Object;
    .annotation system Ldalvik/annotation/Throws;
      value = {
            Ljava/lang/Throwable;
      }
    .end annotation

    .prologue
    const/4 v6, 0x0

    .line 32
    const-string v4, "\u6b63\u5df1"

    invoke-virtual {p2}, Ljava/lang/reflect/Method;->getName()Ljava/lang/String;

    move-result-object v5

    invoke-static {v4, v5}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I

    .line 34
    # only intercept IPackageManager.getPackageInfo(packageName, flags, userId);
    # every other method goes straight to the real binder proxy at :cond_43
    const-string v4, "getPackageInfo"

    invoke-virtual {p2}, Ljava/lang/reflect/Method;->getName()Ljava/lang/String;

    move-result-object v5

    invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v4

    if-eqz v4, :cond_43

    .line 35
    aget-object v2, p3, v6

    check-cast v2, Ljava/lang/String;

    .line 36
    .local v2, "pkgName":Ljava/lang/String;
    const/4 v4, 0x1

    aget-object v0, p3, v4

    check-cast v0, Ljava/lang/Integer;

    .line 38
    .local v0, "flag":Ljava/lang/Integer;
    invoke-virtual {v0}, Ljava/lang/Integer;->intValue()I

    move-result v4

    # exact compare against PackageManager.GET_SIGNATURES (0x40): a caller that ORs in
    # other flags is not intercepted and gets the real (new) signature back
    const/16 v5, 0x40

    if-ne v4, v5, :cond_43

    iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->appPkgName:Ljava/lang/String;

    invoke-virtual {v4, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v4

    if-eqz v4, :cond_43

    .line 40
    new-instance v3, Landroid/content/pm/Signature;

    iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->SIGN:Ljava/lang/String;

    invoke-direct {v3, v4}, Landroid/content/pm/Signature;-><init>(Ljava/lang/String;)V

    .line 41
    .local v3, "sign":Landroid/content/pm/Signature;
    iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->base:Ljava/lang/Object;

    invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v1

    check-cast v1, Landroid/content/pm/PackageInfo;

    .line 42
    .local v1, "info":Landroid/content/pm/PackageInfo;
    # overwrite signatures[0] with the Signature built from the original certificate hex;
    # other entries and PackageInfo.signingInfo are left untouched
    iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

    aput-object v3, v4, v6

    .line 46
    .end local v0    # "flag":Ljava/lang/Integer;
    .end local v1    # "info":Landroid/content/pm/PackageInfo;
    .end local v2    # "pkgName":Ljava/lang/String;
    .end local v3    # "sign":Landroid/content/pm/Signature;
    :goto_42
    return-object v1

    :cond_43
    iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->base:Ljava/lang/Object;

    invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v1

    goto :goto_42
.end method


```

```smali
.class public Lzhengji/Hook/ServiceManagerWraper;
.super Ljava/lang/Object;
.source "ServiceManagerWraper.java"


# static fields
.field public static final SHARK:Ljava/lang/String; = "\u6b63\u5df1"


# direct methods
.method public constructor <init>()V
    .registers 1

    .prologue
    .line 11
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method

.method public static hookPMS(Landroid/content/Context;)V
    .registers 4
    .param p0, "context"    # Landroid/content/Context;

    .prologue
    .line 45
    # hex string of the original signing certificate (the value is elided on the page)
    const-string v0, "..."

    .line 46
    .local v0, "Sign":Ljava/lang/String;
    # package name of the target app (third parameter of the 4-arg hookPMS)
    const-string v1, "com.uzero.baimiao"

    const/4 v2, 0x0

    invoke-static {p0, v0, v1, v2}, Lzhengji/Hook/ServiceManagerWraper;->hookPMS(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;I)V

    .line 47
    return-void
.end method

.method public static hookPMS(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;I)V
    .registers 20
    .param p0, "context"    # Landroid/content/Context;
    .param p1, "signed"    # Ljava/lang/String;
    .param p2, "appPkgName"    # Ljava/lang/String;
    .param p3, "hashCode"    # I

    .prologue
    .line 18
    :try_start_0
    const-string v12, "android.app.ActivityThread"

    invoke-static {v12}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;

    move-result-object v2

    .line 19
    .local v2, "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    const-string v12, "currentActivityThread"

    const/4 v13, 0x0

    new-array v13, v13, [Ljava/lang/Class;

    .line 20
    invoke-virtual {v2, v12, v13}, Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;

    move-result-object v4

    .line 21
    .local v4, "currentActivityThreadMethod":Ljava/lang/reflect/Method;
    const/4 v12, 0x0

    const/4 v13, 0x0

    new-array v13, v13, [Ljava/lang/Object;

    invoke-virtual {v4, v12, v13}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v3

    .line 23
    .local v3, "currentActivityThread":Ljava/lang/Object;
    # ActivityThread.sPackageManager: the process-wide IPackageManager binder proxy
    const-string v12, "sPackageManager"

    invoke-virtual {v2, v12}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;

    move-result-object v11

    .line 24
    .local v11, "sPackageManagerField":Ljava/lang/reflect/Field;
    const/4 v12, 0x1

    invoke-virtual {v11, v12}, Ljava/lang/reflect/Field;->setAccessible(Z)V

    .line 25
    invoke-virtual {v11, v3}, Ljava/lang/reflect/Field;->get(Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v10

    .line 27
    .local v10, "sPackageManager":Ljava/lang/Object;
    const-string v12, "android.content.pm.IPackageManager"

    invoke-static {v12}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;

    move-result-object v6

    .line 29
    .local v6, "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    invoke-virtual {v6}, Ljava/lang/Class;->getClassLoader()Ljava/lang/ClassLoader;

    move-result-object v12

    const/4 v13, 0x1

    new-array v13, v13, [Ljava/lang/Class;

    const/4 v14, 0x0

    aput-object v6, v13, v14

    new-instance v14, Lzhengji/Hook/PmsHookBinderInvocationHandler;

    const/4 v15, 0x0

    move-object/from16 v0, p1

    move-object/from16 v1, p2

    invoke-direct {v14, v10, v0, v1, v15}, Lzhengji/Hook/PmsHookBinderInvocationHandler;-><init>(Ljava/lang/Object;Ljava/lang/String;Ljava/lang/String;I)V

    .line 28
    # java.lang.reflect.Proxy implementing IPackageManager, dispatching to our handler
    invoke-static {v12, v13, v14}, Ljava/lang/reflect/Proxy;->newProxyInstance(Ljava/lang/ClassLoader;[Ljava/lang/Class;Ljava/lang/reflect/InvocationHandler;)Ljava/lang/Object;

    move-result-object v9

    .line 33
    .local v9, "proxy":Ljava/lang/Object;
    # 1) swap the static field so any PackageManager created later uses the proxy
    invoke-virtual {v11, v3, v9}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V

    .line 35
    invoke-virtual/range {p0 .. p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;

    move-result-object v8

    .line 36
    .local v8, "pm":Landroid/content/pm/PackageManager;
    invoke-virtual {v8}, Ljava/lang/Object;->getClass()Ljava/lang/Class;

    move-result-object v12

    # 2) the Context's ApplicationPackageManager already cached the old binder in mPM; swap it too
    const-string v13, "mPM"

    invoke-virtual {v12, v13}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;

    move-result-object v7

    .line 37
    .local v7, "mPmField":Ljava/lang/reflect/Field;
    const/4 v12, 0x1

    invoke-virtual {v7, v12}, Ljava/lang/reflect/Field;->setAccessible(Z)V

    .line 38
    invoke-virtual {v7, v8, v9}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V
    :try_end_5b
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_5b} :catch_5c

    .line 42
    .end local v2    # "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    .end local v3    # "currentActivityThread":Ljava/lang/Object;
    .end local v4    # "currentActivityThreadMethod":Ljava/lang/reflect/Method;
    .end local v6    # "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    .end local v7    # "mPmField":Ljava/lang/reflect/Field;
    .end local v8    # "pm":Landroid/content/pm/PackageManager;
    .end local v9    # "proxy":Ljava/lang/Object;
    .end local v10    # "sPackageManager":Ljava/lang/Object;
    .end local v11    # "sPackageManagerField":Ljava/lang/reflect/Field;
    :goto_5b
    return-void

    .line 39
    :catch_5c
    move-exception v5

    .line 40
    .local v5, "e":Ljava/lang/Exception;
    const-string v12, "\u6b63\u5df1"

    new-instance v13, Ljava/lang/StringBuilder;

    invoke-direct {v13}, Ljava/lang/StringBuilder;-><init>()V

    const-string v14, "hook pms error:"

    invoke-virtual {v13, v14}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v13

    invoke-static {v5}, Landroid/util/Log;->getStackTraceString(Ljava/lang/Throwable;)Ljava/lang/String;

    move-result-object v14

    invoke-virtual {v13, v14}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v13

    invoke-virtual {v13}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v13

    invoke-static {v12, v13}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    goto :goto_5b
.end method

```
Two things to note about the hookPMS method in the ServiceManagerWraper class. First, the second parameter, sign, can be read directly in MT; here is how:
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/IMG_20211012_165803.jpg)
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/IMG_20211012_165836.jpg)
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/IMG_20211012_165932.jpg)
Second, the third parameter is the package name. Also note what the handler does and does not cover: it compares the flags argument to GET_SIGNATURES (0x40) with an exact `if-ne`, so a caller that ORs in other flags is passed through untouched; it only overwrites `signatures[0]`; and it leaves `PackageInfo.signingInfo` (returned for GET_SIGNING_CERTIFICATES on Android 9+) alone, so a check that uses that API still sees the new signer.
Next, in MT, import the dex I built.
Last step: according to the article we need to call our hookPMS from attachBaseContext, so search the dex for that method. There are two hits and either one works; here we pick the first.
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/Screenshot_2021-10-12-20-38-01-251_bin.png)
The call is:
`invoke-static {p1}, Lzhengji/Hook/ServiceManagerWraper;->hookPMS(Landroid/content/Context;)V`
(p1 is the Context parameter of attachBaseContext(Context); the class descriptor must match the one declared in the imported dex, which for the smali above is `Lzhengji/Hook/ServiceManagerWraper;`, not `Lcom/zhengji/...`.)
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/Screenshot_2021-10-12-20-39-27-356_bin.png)
That completes the signature-check bypass; the app now launches and runs normally.
![](https://zhengji666.coding.net/p/jiaochengtuchuang/d/img/git/raw/master/Screenshot_2021-10-12-20-41-17-855_com.jpg)
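The two smali classes above, rendered as Java so the control flow is easier to follow. This is an added example written for this page, not the author's posted source and not the HookPmsSignature project's code. It differs from the smali in three places a practitioner would want: the flags test is a bitmask rather than an exact compare, the flags argument is read as a `Number` because its declared type differs across Android releases, and the whole `signatures` array is replaced. The package `zhengji.hook`, the class names, the `HookedApplication` subclass and the `ORIGINAL_SIGN_HEX` placeholder are assumptions; `com.uzero.baimiao` is the target package from the post.

```java
package zhengji.hook;  // hypothetical package chosen for this example

import android.app.Application;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Log;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

/** Swaps the process's IPackageManager binder proxy for a java.lang.reflect.Proxy. */
public final class PmsSignatureHook {
    private static final String TAG = "PmsSignatureHook";

    /**
     * context: any Context (its ApplicationPackageManager already caches the old binder in mPM);
     * pkgName: only getPackageInfo calls for this package are rewritten;
     * signHex: hex of the ORIGINAL signing certificate (DER), as read from MT管理器.
     */
    public static void install(Context context, String pkgName, String signHex) {
        try {
            Class<?> atClass = Class.forName("android.app.ActivityThread");
            Method currentAt = atClass.getDeclaredMethod("currentActivityThread");
            currentAt.setAccessible(true);
            Object activityThread = currentAt.invoke(null);

            Field sPmField = atClass.getDeclaredField("sPackageManager");
            sPmField.setAccessible(true);
            Object realPm = sPmField.get(activityThread);

            Class<?> iPm = Class.forName("android.content.pm.IPackageManager");
            Object proxy = Proxy.newProxyInstance(
                    iPm.getClassLoader(), new Class<?>[] { iPm },
                    new SpoofingHandler(realPm, pkgName, new Signature(signHex)));

            // 1) the static field that every PackageManager created later reads from
            sPmField.set(activityThread, proxy);
            // 2) the instance this Context already holds
            PackageManager pm = context.getPackageManager();
            Field mPmField = pm.getClass().getDeclaredField("mPM");
            mPmField.setAccessible(true);
            mPmField.set(pm, proxy);
        } catch (Exception e) {
            // hidden-API restrictions (Android 9+) can surface here as NoSuchField/MethodException
            Log.e(TAG, "hook pms failed", e);
        }
    }

    private static final class SpoofingHandler implements InvocationHandler {
        private final Object real;
        private final String pkgName;
        private final Signature spoofed;

        SpoofingHandler(Object real, String pkgName, Signature spoofed) {
            this.real = real;
            this.pkgName = pkgName;
            this.spoofed = spoofed;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            Object result;
            try {
                result = method.invoke(real, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the binder's own exception, not a reflection wrapper
            }
            // IPackageManager.getPackageInfo(String packageName, flags, int userId); flags is
            // declared int on older releases and long on newer ones, so read it as a Number
            if (!"getPackageInfo".equals(method.getName()) || args == null || args.length < 2
                    || !(args[0] instanceof String) || !(args[1] instanceof Number)) {
                return result;
            }
            long flags = ((Number) args[1]).longValue();
            // bitmask test (the smali on the page uses an exact compare with 0x40)
            if ((flags & PackageManager.GET_SIGNATURES) == 0 || !pkgName.equals(args[0])) {
                return result;
            }
            PackageInfo info = (PackageInfo) result;
            if (info != null && info.signatures != null && info.signatures.length > 0) {
                // single original signer assumed; replacing the whole array also covers
                // checks that look at more than signatures[0]
                info.signatures = new Signature[] { spoofed };
            }
            // not covered: info.signingInfo (GET_SIGNING_CERTIFICATES, Android 9+) still names the new signer
            return info;
        }
    }
}

/** Hypothetical Application subclass standing in for the attachBaseContext patched in the dex. */
class HookedApplication extends Application {
    private static final String ORIGINAL_SIGN_HEX = "..."; // placeholder: paste the hex shown by MT管理器

    @Override
    protected void attachBaseContext(Context base) {
        super.attachBaseContext(base);
        PmsSignatureHook.install(base, "com.uzero.baimiao", ORIGINAL_SIGN_HEX);
    }
}
```

The `attachBaseContext` override plays the role of the `invoke-static` patched into the dex: it runs before any Activity code, so the first signature query the app makes already goes through the proxy. If the reflective lookups fail (for example under hidden-API enforcement), `install` only logs the error and the app's original check runs unmodified, which shows up as the same crash as before the patch.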
# **III. Summary**
***
This method only covers simple Java-layer checks (the hook only affects signature queries that go through the in-process PackageManager). It is in fact exactly how MT管理器's signature removal works; I only found that out afterwards, and 四哥 open-sourced the idea five years ago. Only learning a five-year-old open-source project now is pretty weak of me (sob).
No cracked build is provided; the app is very decent, so support the official version if you can.
[Project](https://github.com/fourbrother/HookPmsSignature)
(https://www.lanzouw.com/iT0hkv9ht7i)
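To make the summary's limitation concrete, here is an added example (not from the post or the linked project) showing the kind of check this hook defeats next to one it does not: the first trusts the in-process PackageManager, the second reads the signing certificate out of the installed APK file itself. `EXPECTED_CERT_SHA256` is a placeholder for the SHA-256 of the developer's real certificate, and the package `zhengji.hook` is chosen for the example.

```java
package zhengji.hook;  // hypothetical package chosen for this example

import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class ApkCertCheck {
    // Placeholder: hex SHA-256 of the DER bytes of the developer's real signing certificate.
    private static final String EXPECTED_CERT_SHA256 = "...";

    /** Defeated by the PMS hook: it trusts whatever IPackageManager returns in this process. */
    public static boolean viaPackageManager(Context ctx) throws Exception {
        PackageInfo info = ctx.getPackageManager()
                .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        // Signature.toByteArray() is the DER certificate, the same bytes Signature(String hex) parses
        return sha256Hex(info.signatures[0].toByteArray()).equalsIgnoreCase(EXPECTED_CERT_SHA256);
    }

    /**
     * Not reached by the PMS hook: opens the installed APK and takes the certificate that
     * signed classes.dex (JAR/v1 signature). It can still be removed by patching this method's
     * smali or by hooking file I/O, and it returns false for an APK carrying only a v2/v3 signature.
     */
    public static boolean viaApkFile(Context ctx) throws Exception {
        String apkPath = ctx.getApplicationInfo().sourceDir;
        try (JarFile jar = new JarFile(apkPath, true)) {   // true: verify entries against META-INF
            JarEntry entry = jar.getJarEntry("classes.dex");
            if (entry == null) return false;
            try (InputStream in = jar.getInputStream(entry)) {
                byte[] buf = new byte[64 * 1024];
                while (in.read(buf) != -1) { /* certificates are only available after a full verified read */ }
            }
            Certificate[] certs = entry.getCertificates();
            if (certs == null || certs.length == 0) return false;
            return sha256Hex(certs[0].getEncoded()).equalsIgnoreCase(EXPECTED_CERT_SHA256);
        }
    }

    private static String sha256Hex(byte[] data) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

After the dex patch above, `viaPackageManager` reports a match while `viaApkFile` still sees the re-signer's certificate, because replacing `sPackageManager` and `mPM` only changes what the process is told, not what is on disk.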

怜渠客 posted on 2021-10-12 21:14

After several more attempts it still crashed, so I asked 芽衣大神, who said the Java layer hadn't been dealt with yet. So, back to the Java layer. I had recently read a post about defeating signature checks by hooking PMS, so I wanted to try that method myself.

Nicely written, upvoted

正己 posted on 2021-10-13 11:24

侃遍天下无二人 posted on 2021-10-13 09:44
Don't really understand it, but maybe it'll suddenly click the day I need it. I'd never touched Android reverse engineering before; I got into it because I had to clone a certain plugin, ...

Once you've done enough modifications you'll run into all sorts of signature checks, obfuscation and packers

正己 posted on 2021-10-12 20:51

沙发 (first reply)!

zhi048 posted on 2021-10-12 21:04

Good, something to learn from

zhangxu888 posted on 2021-10-12 21:14

I'll try it on mine later.

yuanyxh posted on 2021-10-12 21:15

I can't even understand five-year-old stuff, I'm really too weak (sob)

正己 posted on 2021-10-12 21:16

zhangxu888 posted on 2021-10-12 21:14
I'll try it on mine later.

If MT can't strip the signature, this won't do it either, haha

正己 posted on 2021-10-12 21:17

lianquke posted on 2021-10-12 21:14
After several more attempts it still crashed, so I asked 芽衣大神, who said the Java layer hadn't been dealt with yet. So, back to the Java layer. I had recently ...

Get hands-on and practice more; practice brings real knowledge.

偶尔.c posted on 2021-10-12 21:20

Front-row seat watching the expert at work :lol

正己 posted on 2021-10-12 21:42

yuanyxh posted on 2021-10-12 21:15
I can't even understand five-year-old stuff, I'm really too weak (sob)

If you don't get it, read it a few more times