BT种子搜索1.5.7签名校验破解过程简介

落华无痕 · 发表于 2014-7-29 23:21

本帖最后由落华无痕于 2014-7-29 23:33 编辑

软件有积分限制，有广告，这里不做破解介绍。只简单介绍签名破解部分。

反编译软件，在smali\com\txbnx（软件代码目录）搜索“signatures”，定位到getSign方法：

.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
.locals 6
.param p0, "context" # Landroid/content/Context;

.prologue
.line 374
const-string v4, ""

sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

move-result v4

if-nez v4, :cond_0

.line 375
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

.line 385
:goto_0
return-object v4

.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;

move-result-object v2

.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;

move-result-object v4

const/16 v5, 0x40

invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;

move-result-object v1

.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

const/4 v5, 0x0

aget-object v3, v4, v5

.line 382
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;

move-result-object v4

sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

.line 383
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

goto :goto_0

.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0

.line 385
.local v0, "e":Ljava/lang/Exception;
const/4 v4, 0x0

goto :goto_0
.end method

上面方法大概意思就是获取软件的签名，然后将签名转为字符串，并保存到V4寄存器中（红色字体部分）。

想过签名校验，必须知道官方签名时V4的值。

参考我的另一篇smali注入帖（http://www.52pojie.cn/thread-255754-1-1.html），这里构造个crack.smali，代码如下：

[Java] 纯文本查看 复制代码

.class public Lcrack;
.super Ljava/lang/Object;
.source "crack.java"

.method public static puts(Ljava/lang/String;)V
    .locals 7

    .prologue
    :try_start_0

    const-string v3, "/sdcard/debug.txt"


    new-instance v2, Ljava/io/FileOutputStream;

    const/4 v5, 0x0

    invoke-direct {v2, v3, v5}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;Z)V

    .line 19
    new-instance v4, Ljava/io/OutputStreamWriter;

    const-string v5, "gb2312"

    invoke-direct {v4, v2, v5}, Ljava/io/OutputStreamWriter;-><init>(Ljava/io/OutputStream;Ljava/lang/String;)V

    .line 21
    invoke-virtual {v4, p0}, Ljava/io/OutputStreamWriter;->write(Ljava/lang/String;)V

    .line 23
    invoke-virtual {v4}, Ljava/io/OutputStreamWriter;->flush()V

    .line 25
    invoke-virtual {v4}, Ljava/io/OutputStreamWriter;->close()V

    .line 27
    invoke-virtual {v2}, Ljava/io/FileOutputStream;->close()V
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    .line 37

    :cond_0
    :goto_0
    return-void

    .line 30
    :catch_0
    move-exception v0

    .line 34
    const-string v5, "debug"

    const-string v6, "file write error"

    invoke-static {v5, v6}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

    goto :goto_0
.end method

上面代码大概作用是保存字符串寄存器的值vx到/sdcard/debug.txt。

把构造好的crack.smali放入smali根目录。

修改getSign方法，如下（红色部分为修改内容）：

.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
.locals 6
.param p0, "context" # Landroid/content/Context;

.prologue
.line 374
const-string v4, ""

sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

move-result v4

if-nez v4, :cond_0

.line 375
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

.line 385
:goto_0
return-object v4

.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;

move-result-object v2

.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;

move-result-object v4
const-string v4, "/sdcard/download/bt.apk"

const/16 v5, 0x40

invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageArchiveInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;

move-result-object v1

.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

const/4 v5, 0x0

aget-object v3, v4, v5

.line 382
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;

move-result-object v4

invoke-static {v4}, Lcrack;->puts(Ljava/lang/String;)V

sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 383
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

goto :goto_0

.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0

.line 385
.local v0, "e":Ljava/lang/Exception;
const/4 v4, 0x0

goto :goto_0
.end method

保存修改后，回编译软件并签名。把官方版apk改名为“bt.apk”并放到/sdcard/download/目录下。

上面修改主要利用了getPackageInfo和getPackageArchiveInfo的相同点与不同点。

两者都可以用来获取软件的签名信息。getPackageInfo根据包名读取已安装的软件的签名，getPackageArchiveInfo根据路径读取APK压缩包的签名。详情查看谷歌安卓文档。

安装并运行编译好的软件。

打开/sdcard/debug.txt，大致内容如下：

[Asm] 纯文本查看 复制代码

30820241308201aaa0030201020204529c4740300d06092a864886f70d01010505003064310b300906035504061302434e310f300d06035504080c06e995bfe698a5310f300d06035504070c06e995bfe698a5310e300c060355040a13057478626e78310e300c060355040b13057478626e78311330110603550403130a5375706572205469616e3020170d3133313230323038333932385a180f32313133313130383038333932385a3064310b300906035504061302434e310f300d06035504080c06e995bfe698a5310f300d06035504070c06e995bfe698a5310e300c060355040a13057478626e78310e300c060355040b13057478626e78311330110603550403130a5375706572205469616e30819f300d06092a864886f70d010101050003818d0030818902818100c397d7d03201ed740daf59d196541f61642243f3153cf5138b6dcde581487a0b894509a8631db75fadb6b8ccaa2e9914f3b3fb7266faee0982282e13e3435d3f774ff5aafcd0c6b8bad15964681bed2a82f442294ae537848bcb8fdcf3317f3989526c21ffc5f29b3a50c2a5f904ca4932d1e5060c206c6c14ec3a20815f2e370203010001300d06092a864886f70d01010505000381810004253771a3f6510e73ff76eee94f81ee1491813140c7930d89e70a8ba53d19418abfd30d2b3afc0a97288c53d4adeab08c34a05e55507ef16ab51431b33295c7c2faf8b84e4f7e2cd927bb1184cdd84ca2ef2b2d16191cabdb649ee592b26521c8b1d09b0f4d24b332885fad12b4289d83742ecac5e696604d6a3b9013b97415

复制该内容。

重新修改getSign方法，如下：

.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
.locals 6
.param p0, "context" # Landroid/content/Context;

.prologue
.line 374
const-string v4, ""

sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

move-result v4

if-nez v4, :cond_0

.line 375
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

.line 385
:goto_0
return-object v4

.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;

move-result-object v2

.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;

move-result-object v4

const/16 v5, 0x40

invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;

move-result-object v1

.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

const/4 v5, 0x0

aget-object v3, v4, v5

.line 382
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;

move-result-object v4

const-string v4, "30820241308201aaa0030201020204529c4740300d06092a864886f70d01010505003064310b300906035504061302434e310f300d06035504080c06e995bfe698a5310f300d06035504070c06e995bfe698a5310e300c060355040a13057478626e78310e300c060355040b13057478626e78311330110603550403130a5375706572205469616e3020170d3133313230323038333932385a180f32313133313130383038333932385a3064310b300906035504061302434e310f300d06035504080c06e995bfe698a5310f300d06035504070c06e995bfe698a5310e300c060355040a13057478626e78310e300c060355040b13057478626e78311330110603550403130a5375706572205469616e30819f300d06092a864886f70d010101050003818d0030818902818100c397d7d03201ed740daf59d196541f61642243f3153cf5138b6dcde581487a0b894509a8631db75fadb6b8ccaa2e9914f3b3fb7266faee0982282e13e3435d3f774ff5aafcd0c6b8bad15964681bed2a82f442294ae537848bcb8fdcf3317f3989526c21ffc5f29b3a50c2a5f904ca4932d1e5060c206c6c14ec3a20815f2e370203010001300d06092a864886f70d01010505000381810004253771a3f6510e73ff76eee94f81ee1491813140c7930d89e70a8ba53d19418abfd30d2b3afc0a97288c53d4adeab08c34a05e55507ef16ab51431b33295c7c2faf8b84e4f7e2cd927bb1184cdd84ca2ef2b2d16191cabdb649ee592b26521c8b1d09b0f4d24b332885fad12b4289d83742ecac5e696604d6a3b9013b97415"

sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

.line 383
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

goto :goto_0

.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0

.line 385
.local v0, "e":Ljava/lang/Exception;
const/4 v4, 0x0

goto :goto_0
.end method

相比官方版getSign方法，修改部分为红色字体（无换行）。删除crack.smali，保存并回编译。到此签名校验破解结束。

官方版链接: http://pan.baidu.com/s/1ntLqkDr 密码: c1ut
破解版不上传，需要的自己破解，也别找我要。

wandw3 · 发表于 2014-7-29 23:23

看不懂太复杂啊

小试锋芒 · 发表于 2014-7-30 10:22

期待@落华无痕更多更精彩的帖子！

落华无痕 · 发表于 2014-7-29 23:44

Sreac.L 发表于 2014-7-29 23:35
一头雾水

说了，只是简介。重在体会。

淡然出尘 · 发表于 2014-7-30 13:41

犀利一个帖子说明了两种破解签名验证的方法：
1、将正版的APK放在“/sdcard/download/”路径下然后在获取签名时，将需验证签名的APK路径设为/sdcard/download/ 即添加

invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;

move-result-object v4
const-string v4, "/sdcard/download/bt.apk" //添加代码

const/16 v5, 0x40

invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageArchiveInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;

2、通过Smali注入的手段获取正版签名的字符串，然后在签名获取后赋值

.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;

move-result-object v4

const-string v4, "30.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;

move-result-object v4

const-string v4, "3082...3742ecac5e696604d6a3b9013b97415" //赋值操作

膜拜，学习了..

954995880 · 发表于 2014-7-29 23:35

不懂，，绑定后

Sreac.L · 发表于 2014-7-29 23:35

一头雾水

bxw00004 · 发表于 2014-7-31 09:48

确实大神。。。

kalachi · 发表于 2014-7-31 05:33

学习了，感谢

1009538006 · 发表于 2014-7-30 19:21

太复杂，，

悲伤还是快乐 · 发表于 2014-7-30 18:58

淡然出尘发表于 2014-7-30 13:41
犀利一个帖子说明了两种破解签名验证的方法：
1、将正版的APK放在“/sdcard/download/”路径下然后在获 ...

多谢大神提醒，捕鱼达人2的签名验证可以搞定了。

Hslim · 发表于 2014-7-30 13:00

膜拜大神。。。。

yuan6990 · 发表于 2014-7-30 13:16

确实大神。。。

suchunping · 发表于 2014-7-30 14:37

非常好感谢分享

帐号		自动登录	找回密码
密码			注册[Register]

[Android 原创] BT种子搜索1.5.7签名校验破解过程简介

免费评分

本帖被以下淘专辑推荐: