吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 8805|回复: 49
上一主题 下一主题
收起左侧

[Android 原创] [实战破解]白描-动态代{过}{滤}理Hook签名校验

  [复制链接]
跳转到指定楼层
楼主
正己 发表于 2021-10-12 20:50 回帖奖励
本帖最后由 正己 于 2021-10-13 11:02 编辑
1.白描3.2.1
2.MT管理器
3.Android Studio

一、日志分析


老规矩,先签个名,果不其然,闪退。
起初看了日志我以为是so层的校验

于是乎,对这这个类里的几个方法进行了hook,倒是顺利输出了结果,但当我把这几个结果写死的时候,它还是闪退了

二、java分析与动态dl


在几番尝试之后,还是闪退,于是我去请教了芽衣大神,他说java层还没处理好。所以,又回到了java层,鉴于最近我看到了一篇帖子,关于hookPMS的签名对抗,所以我想自己亲手试试这个方法。
帖子链接
根据帖子里说讲,关键的就是这两个点

使用动态代理的方式替换掉这里的两个属性
ActivityThread的静态变量sPackageManager
ApplicationPackageManager对象里面的mPM变量

所以我们按照帖子里的做法,先新建两个类,一个是ServiceManagerWraper ,另一个是PmsHookBinderInvocationHandler ,并且用AS的java2smali插件把java代码转化为smali

代码如下:

.class public Lzhengji/Hook/PmsHookBinderInvocationHandler;
.super Ljava/lang/Object;
.source "PmsHookBinderInvocationHandler.java"

# interfaces
.implements Ljava/lang/reflect/InvocationHandler;

# static fields
.field public static final SHARK:Ljava/lang/String; = "\u6b63\u5df1"

# instance fields
.field private SIGN:Ljava/lang/String;

.field private appPkgName:Ljava/lang/String;

.field private base:Ljava/lang/Object;

# direct methods
.method public constructor <init>(Ljava/lang/Object;Ljava/lang/String;Ljava/lang/String;I)V
    .registers 9
    .param p1, "base"    # Ljava/lang/Object;
    .param p2, "sign"    # Ljava/lang/String;
    .param p3, "appPkgName"    # Ljava/lang/String;
    .param p4, "hashCode"    # I

    .prologue
    .line 20
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    .line 18
    const-string v1, ""

    iput-object v1, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->appPkgName:Ljava/lang/String;

    .line 22
    :try_start_7
    iput-object p1, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->base:Ljava/lang/Object;

    .line 23
    iput-object p2, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->SIGN:Ljava/lang/String;

    .line 24
    iput-object p3, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->appPkgName:Ljava/lang/String;
    :try_end_d
    .catch Ljava/lang/Exception; {:try_start_7 .. :try_end_d} :catch_e

    .line 28
    :goto_d
    return-void

    .line 25
    :catch_e
    move-exception v0

    .line 26
    .local v0, "e":Ljava/lang/Exception;
    const-string v1, "\u6b63\u5df1"

    new-instance v2, Ljava/lang/StringBuilder;

    invoke-direct {v2}, Ljava/lang/StringBuilder;-><init>()V

    const-string v3, "error:"

    invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v2

    invoke-static {v0}, Landroid/util/Log;->getStackTraceString(Ljava/lang/Throwable;)Ljava/lang/String;

    move-result-object v3

    invoke-virtual {v2, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v2

    invoke-virtual {v2}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v2

    invoke-static {v1, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    goto :goto_d
.end method

# virtual methods
.method public invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object;
    .registers 11
    .param p1, "proxy"    # Ljava/lang/Object;
    .param p2, "method"    # Ljava/lang/reflect/Method;
    .param p3, "args"    # [Ljava/lang/Object;
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/lang/Throwable;
        }
    .end annotation

    .prologue
    const/4 v6, 0x0

    .line 32
    const-string v4, "\u6b63\u5df1"

    invoke-virtual {p2}, Ljava/lang/reflect/Method;->getName()Ljava/lang/String;

    move-result-object v5

    invoke-static {v4, v5}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I

    .line 34
    const-string v4, "getPackageInfo"

    invoke-virtual {p2}, Ljava/lang/reflect/Method;->getName()Ljava/lang/String;

    move-result-object v5

    invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v4

    if-eqz v4, :cond_43

    .line 35
    aget-object v2, p3, v6

    check-cast v2, Ljava/lang/String;

    .line 36
    .local v2, "pkgName":Ljava/lang/String;
    const/4 v4, 0x1

    aget-object v0, p3, v4

    check-cast v0, Ljava/lang/Integer;

    .line 38
    .local v0, "flag":Ljava/lang/Integer;
    invoke-virtual {v0}, Ljava/lang/Integer;->intValue()I

    move-result v4

    const/16 v5, 0x40

    if-ne v4, v5, :cond_43

    iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->appPkgName:Ljava/lang/String;

    invoke-virtual {v4, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v4

    if-eqz v4, :cond_43

    .line 40
    new-instance v3, Landroid/content/pm/Signature;

    iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->SIGN:Ljava/lang/String;

    invoke-direct {v3, v4}, Landroid/content/pm/Signature;-><init>(Ljava/lang/String;)V

    .line 41
    .local v3, "sign":Landroid/content/pm/Signature;
    iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->base:Ljava/lang/Object;

    invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v1

    check-cast v1, Landroid/content/pm/PackageInfo;

    .line 42
    .local v1, "info":Landroid/content/pm/PackageInfo;
    iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

    aput-object v3, v4, v6

    .line 46
    .end local v0    # "flag":Ljava/lang/Integer;
    .end local v1    # "info":Landroid/content/pm/PackageInfo;
    .end local v2    # "pkgName":Ljava/lang/String;
    .end local v3    # "sign":Landroid/content/pm/Signature;
    :goto_42
    return-object v1

    :cond_43
    iget-object v4, p0, Lzhengji/Hook/PmsHookBinderInvocationHandler;->base:Ljava/lang/Object;

    invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v1

    goto :goto_42
.end method
.class public Lzhengji/Hook/ServiceManagerWraper;
.super Ljava/lang/Object;
.source "ServiceManagerWraper.java"

# static fields
.field public static final SHARK:Ljava/lang/String; = "\u6b63\u5df1"

# direct methods
.method public constructor <init>()V
    .registers 1

    .prologue
    .line 11
    invoke-direct {p0}, Ljava/lang/Object;-><init>()V

    return-void
.end method

.method public static hookPMS(Landroid/content/Context;)V
    .registers 4
    .param p0, "context"    # Landroid/content/Context;

    .prologue
    .line 45
    const-string v

    .line 46
    .local v0, "Sign":Ljava/lang/String;
    const-string v1, "com.uzero.baimiao"

    const/4 v2, 0x0

    invoke-static {p0, v0, v1, v2}, Lzhengji/Hook/ServiceManagerWraper;->hookPMS(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;I)V

    .line 47
    return-void
.end method

.method public static hookPMS(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;I)V
    .registers 20
    .param p0, "context"    # Landroid/content/Context;
    .param p1, "signed"    # Ljava/lang/String;
    .param p2, "appPkgName"    # Ljava/lang/String;
    .param p3, "hashCode"    # I

    .prologue
    .line 18
    :try_start_0
    const-string v12, "android.app.ActivityThread"

    invoke-static {v12}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;

    move-result-object v2

    .line 19
    .local v2, "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    const-string v12, "currentActivityThread"

    const/4 v13, 0x0

    new-array v13, v13, [Ljava/lang/Class;

    .line 20
    invoke-virtual {v2, v12, v13}, Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;

    move-result-object v4

    .line 21
    .local v4, "currentActivityThreadMethod":Ljava/lang/reflect/Method;
    const/4 v12, 0x0

    const/4 v13, 0x0

    new-array v13, v13, [Ljava/lang/Object;

    invoke-virtual {v4, v12, v13}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v3

    .line 23
    .local v3, "currentActivityThread":Ljava/lang/Object;
    const-string v12, "sPackageManager"

    invoke-virtual {v2, v12}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;

    move-result-object v11

    .line 24
    .local v11, "sPackageManagerField":Ljava/lang/reflect/Field;
    const/4 v12, 0x1

    invoke-virtual {v11, v12}, Ljava/lang/reflect/Field;->setAccessible(Z)V

    .line 25
    invoke-virtual {v11, v3}, Ljava/lang/reflect/Field;->get(Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v10

    .line 27
    .local v10, "sPackageManager":Ljava/lang/Object;
    const-string v12, "android.content.pm.IPackageManager"

    invoke-static {v12}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;

    move-result-object v6

    .line 29
    .local v6, "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    invoke-virtual {v6}, Ljava/lang/Class;->getClassLoader()Ljava/lang/ClassLoader;

    move-result-object v12

    const/4 v13, 0x1

    new-array v13, v13, [Ljava/lang/Class;

    const/4 v14, 0x0

    aput-object v6, v13, v14

    new-instance v14, Lzhengji/Hook/PmsHookBinderInvocationHandler;

    const/4 v15, 0x0

    move-object/from16 v0, p1

    move-object/from16 v1, p2

    invoke-direct {v14, v10, v0, v1, v15}, Lzhengji/Hook/PmsHookBinderInvocationHandler;-><init>(Ljava/lang/Object;Ljava/lang/String;Ljava/lang/String;I)V

    .line 28
    invoke-static {v12, v13, v14}, Ljava/lang/reflect/Proxy;->newProxyInstance(Ljava/lang/ClassLoader;[Ljava/lang/Class;Ljava/lang/reflect/InvocationHandler;)Ljava/lang/Object;

    move-result-object v9

    .line 33
    .local v9, "proxy":Ljava/lang/Object;
    invoke-virtual {v11, v3, v9}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V

    .line 35
    invoke-virtual/range {p0 .. p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;

    move-result-object v8

    .line 36
    .local v8, "pm":Landroid/content/pm/PackageManager;
    invoke-virtual {v8}, Ljava/lang/Object;->getClass()Ljava/lang/Class;

    move-result-object v12

    const-string v13, "mPM"

    invoke-virtual {v12, v13}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;

    move-result-object v7

    .line 37
    .local v7, "mPmField":Ljava/lang/reflect/Field;
    const/4 v12, 0x1

    invoke-virtual {v7, v12}, Ljava/lang/reflect/Field;->setAccessible(Z)V

    .line 38
    invoke-virtual {v7, v8, v9}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V
    :try_end_5b
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_5b} :catch_5c

    .line 42
    .end local v2    # "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    .end local v3    # "currentActivityThread":Ljava/lang/Object;
    .end local v4    # "currentActivityThreadMethod":Ljava/lang/reflect/Method;
    .end local v6    # "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    .end local v7    # "mPmField":Ljava/lang/reflect/Field;
    .end local v8    # "pm":Landroid/content/pm/PackageManager;
    .end local v9    # "proxy":Ljava/lang/Object;
    .end local v10    # "sPackageManager":Ljava/lang/Object;
    .end local v11    # "sPackageManagerField":Ljava/lang/reflect/Field;
    :goto_5b
    return-void

    .line 39
    :catch_5c
    move-exception v5

    .line 40
    .local v5, "e":Ljava/lang/Exception;
    const-string v12, "\u6b63\u5df1"

    new-instance v13, Ljava/lang/StringBuilder;

    invoke-direct {v13}, Ljava/lang/StringBuilder;-><init>()V

    const-string v14, "hook pms error:"

    invoke-virtual {v13, v14}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v13

    invoke-static {v5}, Landroid/util/Log;->getStackTraceString(Ljava/lang/Throwable;)Ljava/lang/String;

    move-result-object v14

    invoke-virtual {v13, v14}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v13

    invoke-virtual {v13}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v13

    invoke-static {v12, v13}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

    goto :goto_5b
.end method

在ServiceManagerWraper类的hookPMS方法里有两个需要注意的点,传入的参数里第二个参数sign可以直接用mt获取,获取方法如下



第二点就是传入的第三个参数是包名。
接下来,在mt里新建导入我打包好的dex文件
最后一步,根据文章的说法,我们需要在attachBaseContext方法里调用我们的hookPMS,于是,我们在dex里搜索这个方法,结果有两个,两个都可以,在这里我们选择第一个

调用代码如下:
invoke-static {p1}, Lcom/zhengji/Hook/ServiceManagerWraper;->hookPMS(Landroid/content/Context;)V

至此签名校验对抗完毕,打开软件正常运行

三、总结


这个方法仅限于一些简单的java层校验,实际上这就是MT管理器的去签名原理(后面我才发现,而且早在5年前,四哥就已经将思路开源出来了,现在的我才学会五年前的开源项目,实在是太菜了(呜呜呜))
没有破解成品,软件还是很良心的,大家有能力还是去支持正版
项目地址
HookPMSdex下载地址

免费评分

参与人数 15威望 +1 吾爱币 +39 热心值 +15 收起 理由
小十二 + 2 + 1 谢谢@Thanks!
qtfreet00 + 1 + 20 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!
浪漫前奏 + 1 + 1 谢谢@Thanks!
GenW + 4 + 1 用心讨论,共获提升!
_小白 + 1 + 1 我很赞同!
努力加载中 + 1 + 1 热心回复!
唐小样儿 + 1 + 1 我很赞同!
huiye123 + 1 我还不会
hy8051hy + 1 我很赞同!
芽衣 + 3 + 1 原来是这个软件。。
溯雪 + 1 + 1 谢谢@Thanks!
笙若 + 1 + 1 谢谢@Thanks!
偶尔.c + 2 + 1 热心回复!
yuanyxh + 1 + 1 看完帖子去实践,临到头来看不懂
zhangxu888 + 1 + 1 我很赞同!

查看全部评分

本帖被以下淘专辑推荐:

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

推荐
怜渠客 发表于 2021-10-12 21:14
在几番尝试之后,还是闪退,于是我去请教了芽衣大神,他说java层还没处理好。所以,又回到了java层,鉴于最近我看到了一篇帖子,关于hookPMS的签名对抗,所以我想自己亲手试试这个方法。

写的好有感觉啊,点赞

点评

多动手多实践,实践出真知  详情 回复 发表于 2021-10-12 21:17
推荐
 楼主| 正己 发表于 2021-10-13 11:24 |楼主
侃遍天下无二人 发表于 2021-10-13 09:44
不是很懂,也许哪天要用上就能突然搞明白了,毕竟我之前也从没碰过安卓逆向,然后因为要山寨某插件接触了, ...

改的多了,你就会遇到各种签名对抗,混淆加固
3#
 楼主| 正己 发表于 2021-10-12 20:51 |楼主
4#
zhi048 发表于 2021-10-12 21:04
学习一下好
5#
zhangxu888 发表于 2021-10-12 21:14
回头我试试我那个能不能行。

点评

mt去签搞不定,这个就搞不定哈哈哈  详情 回复 发表于 2021-10-12 21:16
6#
yuanyxh 发表于 2021-10-12 21:15
5年前的东西我都看不懂,我实在太菜了(呜呜呜)

点评

看不懂就再看几遍  详情 回复 发表于 2021-10-12 21:42
7#
 楼主| 正己 发表于 2021-10-12 21:16 |楼主
zhangxu888 发表于 2021-10-12 21:14
回头我试试我那个能不能行。

mt去签搞不定,这个就搞不定哈哈哈
8#
 楼主| 正己 发表于 2021-10-12 21:17 |楼主
lianquke 发表于 2021-10-12 21:14
在几番尝试之后,还是闪退,于是我去请教了芽衣大神,他说java层还没处理好。所以,又回到了java层,鉴于最 ...

多动手多实践,实践出真知
9#
偶尔.c 发表于 2021-10-12 21:20
前排围观大佬操作了属于是
10#
 楼主| 正己 发表于 2021-10-12 21:42 |楼主
yuanyxh 发表于 2021-10-12 21:15
5年前的东西我都看不懂,我实在太菜了(呜呜呜)

看不懂就再看几遍
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-12-18 15:57

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表