A brief walkthrough of defeating the signature check in BT种子搜索 (BT Torrent Search) 1.5.7
This post was last edited by 落华无痕 on 2014-7-29 23:33.
The app has a points limit and ads; cracking those is not covered here. This is only a brief look at the signature-check part.
Decompile the app, search for "signatures" under smali\com\txbnx (the app's code directory), and locate the getSign method:
.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
.locals 6
.param p0, "context" # Landroid/content/Context;
.prologue
.line 374
const-string v4, ""
sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v4
if-nez v4, :cond_0
.line 375
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 385
:goto_0
return-object v4
.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
move-result-object v2
.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;
move-result-object v4
const/16 v5, 0x40
invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
move-result-object v1
.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;
const/4 v5, 0x0
aget-object v3, v4, v5
.line 382
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;
move-result-object v4
sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 383
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
goto :goto_0
.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0
.line 385
.local v0, "e":Ljava/lang/Exception;
const/4 v4, 0x0
goto :goto_0
.end method
Roughly, the method above obtains the app's signature, converts it to a string, and stores it in register v4 (the part in red).
To get past the signature check, you must know the value of v4 under the official signature.
Following my other post on smali injection (http://www.52pojie.cn/thread-255754-1-1.html), construct a crack.smali with the following code:
.class public Lcrack;
.super Ljava/lang/Object;
.source "crack.java"
.method public static puts(Ljava/lang/String;)V
.locals 7
.prologue
:try_start_0
const-string v3, "/sdcard/debug.txt"
new-instance v2, Ljava/io/FileOutputStream;
const/4 v5, 0x0
invoke-direct {v2, v3, v5}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;Z)V
.line 19
new-instance v4, Ljava/io/OutputStreamWriter;
const-string v5, "gb2312"
invoke-direct {v4, v2, v5}, Ljava/io/OutputStreamWriter;-><init>(Ljava/io/OutputStream;Ljava/lang/String;)V
.line 21
invoke-virtual {v4, p0}, Ljava/io/OutputStreamWriter;->write(Ljava/lang/String;)V
.line 23
invoke-virtual {v4}, Ljava/io/OutputStreamWriter;->flush()V
.line 25
invoke-virtual {v4}, Ljava/io/OutputStreamWriter;->close()V
.line 27
invoke-virtual {v2}, Ljava/io/FileOutputStream;->close()V
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
.line 37
:cond_0
:goto_0
return-void
.line 30
:catch_0
move-exception v0
.line 34
const-string v5, "debug"
const-string v6, "file write error"
invoke-static {v5, v6}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
goto :goto_0
.end method
The code above saves the value of a string register vx to /sdcard/debug.txt.
Put the constructed crack.smali into the smali root directory.
Modify the getSign method as follows (modified parts in red):
.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
.locals 6
.param p0, "context" # Landroid/content/Context;
.prologue
.line 374
const-string v4, ""
sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v4
if-nez v4, :cond_0
.line 375
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 385
:goto_0
return-object v4
.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
move-result-object v2
.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;
move-result-object v4
const-string v4, "/sdcard/download/bt.apk"
const/16 v5, 0x40
invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageArchiveInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
move-result-object v1
.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;
const/4 v5, 0x0
aget-object v3, v4, v5
.line 382
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;
move-result-object v4
invoke-static {v4}, Lcrack;->puts(Ljava/lang/String;)V
sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 383
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
goto :goto_0
.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0
.line 385
.local v0, "e":Ljava/lang/Exception;
const/4 v4, 0x0
goto :goto_0
.end method
After saving the changes, recompile the app and sign it. Rename the official APK to "bt.apk" and place it in /sdcard/download/.
The modification above relies on what getPackageInfo and getPackageArchiveInfo have in common and on how they differ.
Both can be used to obtain an app's signature information. getPackageInfo reads the signature of an installed app by package name; getPackageArchiveInfo reads the signature of an APK archive by file path. See the Google Android documentation for details.
Install and run the recompiled app.
Open /sdcard/debug.txt; its content is roughly as follows:
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
Copy that content.
Modify the getSign method again, as follows:
.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
.locals 6
.param p0, "context" # Landroid/content/Context;
.prologue
.line 374
const-string v4, ""
sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v4
if-nez v4, :cond_0
.line 375
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 385
:goto_0
return-object v4
.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
move-result-object v2
.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;
move-result-object v4
const/16 v5, 0x40
invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
move-result-object v1
.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;
const/4 v5, 0x0
aget-object v3, v4, v5
.line 382
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;
move-result-object v4
const-string v4, "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"
sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 383
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
goto :goto_0
.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0
.line 385
.local v0, "e":Ljava/lang/Exception;
const/4 v4, 0x0
goto :goto_0
.end method
Compared with the official getSign method, the modified part is in red (on a single line, no line break). Delete crack.smali, save, and recompile. That completes the signature-check bypass.
Official version link: http://pan.baidu.com/s/1ntLqkDr password: c1ut
I won't upload the cracked version; if you need it, crack it yourself, and don't ask me for it.
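As an added, defender-side example (not code from the original post or from the app), here is how a self-check like getSign() can be written so that it reads only the installed package's own signature via getPackageInfo(), pins a SHA-256 fingerprint of the signing certificate instead of the raw toCharsString() text, compares in constant time, and fails closed instead of returning null from its catch block. The class name SignatureCheck, the helper names and the all-zero EXPECTED_SHA256_HEX value are placeholders of my own; a real build would embed the developer's release-certificate fingerprint. The check still lives inside the APK, so a repackaged build can alter the constant or the comparison just as the post does; the example shows the pieces a sounder on-device check is made of, not a check that cannot be patched. getPackageArchiveInfo() is deliberately never used: it trusts whatever file sits at the path it is given, which is exactly what the first patch in the post relies on. Where the outcome matters, the on-device result should be treated as advisory and confirmed server-side.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not the app's own code. SignatureCheck and EXPECTED_SHA256_HEX are assumptions.
public final class SignatureCheck {

    // Placeholder: SHA-256 of the release signing certificate (DER bytes), 64 hex characters.
    // A real deployment embeds the developer's own fingerprint here.
    private static final String EXPECTED_SHA256_HEX =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private SignatureCheck() {}

    /**
     * Returns true only if the running package is signed by exactly one certificate whose
     * SHA-256 matches the pinned value. Every error path returns false (fails closed), unlike
     * the decompiled getSign(), whose catch block returns null.
     */
    public static boolean isSignedByExpectedKey(Context context) {
        try {
            PackageManager pm = context.getPackageManager();
            // Read the signature of the *installed* package by its own name, with the same
            // GET_SIGNATURES flag (0x40) the decompiled code passes. On API 28+ the
            // GET_SIGNING_CERTIFICATES flag and PackageInfo.signingInfo supersede this.
            // Never read an APK file from external storage for this purpose:
            // getPackageArchiveInfo() trusts whatever file is at the path.
            PackageInfo info = pm.getPackageInfo(context.getPackageName(),
                    PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length != 1) {
                return false; // missing or multiple signers: treat as not genuine
            }
            // toByteArray() yields the DER certificate that toCharsString() hex-encodes.
            byte[] der = sigs[0].toByteArray();
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(der);
            byte[] expected = hexToBytes(EXPECTED_SHA256_HEX);
            return constantTimeEquals(actual, expected);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    // Fixed-time comparison: every byte is examined regardless of where a mismatch occurs.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Minimal hex decoder for the pinned fingerprint (no external dependency).
    static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("non-hex character in fingerprint");
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}
```

A caller would run SignatureCheck.isSignedByExpectedKey(getApplicationContext()) once at startup. Pinning the digest rather than the full certificate string keeps the comparison constant short and uniform, and reading only the app's own installed package means no file on external storage can stand in for the genuine APK.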
I can't follow it, too complicated. Looking forward to more great posts from @落华无痕!

Quote (Sreac.L, posted 2014-7-29 23:35): Totally lost.
As I said, it's only a brief overview. The point is to grasp the idea.

Sharp. One post shows two ways of defeating signature verification:
1. Put the genuine APK under /sdcard/download/, then, when the signature is fetched, set the path of the APK to be verified to /sdcard/download/, i.e. add:
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;
move-result-object v4
const-string v4, "/sdcard/download/bt.apk" // added code
const/16 v5, 0x40
invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageArchiveInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
2. Obtain the genuine signature string by smali injection, then assign it right after the signature has been fetched:
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;
move-result-object v4
const-string v4, "3082...3742ecac5e696604d6a3b9013b97415" // assignment

Respect, learned something..

Don't get it,,

After binding, totally lost.

Truly a master...

Learned something, thanks.

Too complicated,,

Quote (淡然出尘, posted 2014-7-30 13:41): Sharp. One post shows two ways of defeating signature verification: 1. Put the genuine APK under /sdcard/download/, then when fetch ...
Thanks for the heads-up; the signature check in 捕鱼达人2 can be dealt with now.

Respect to the master....

Truly a master...

Very good, thanks for sharing.