吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 55062|回复: 143
收起左侧

[Android 原创] BT种子搜索1.5.7签名校验破解过程简介

    [复制链接]
落华无痕 发表于 2014-7-29 23:21
本帖最后由 落华无痕 于 2014-7-29 23:33 编辑

软件有积分限制,有广告,这里不做破解介绍。只简单介绍签名破解部分。

反编译软件,在smali\com\txbnx(软件代码目录)搜索“signatures”,定位到getSign方法:

.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
.locals 6
.param p0, "context" # Landroid/content/Context;

.prologue
.line 374
const-string v4, ""

sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

move-result v4

if-nez v4, :cond_0

.line 375
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

.line 385
:goto_0
return-object v4

.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;

move-result-object v2

.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;

move-result-object v4

const/16 v5, 0x40

invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;

move-result-object v1

.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

const/4 v5, 0x0

aget-object v3, v4, v5

.line 382
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;

move-result-object v4

sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

.line 383
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

goto :goto_0

.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0

.line 385
.local v0, "e":Ljava/lang/Exception;
const/4 v4, 0x0

goto :goto_0
.end method

上面方法大概意思就是获取软件的签名,然后将签名转为字符串,并保存到V4寄存器中(红色字体部分)。

想过签名校验,必须知道官方签名时V4的值。

参考我的另一篇smali注入帖(http://www.52pojie.cn/thread-255754-1-1.html),这里构造个crack.smali,代码如下:

[Java] 纯文本查看 复制代码
.class public Lcrack;
.super Ljava/lang/Object;
.source "crack.java"

.method public static puts(Ljava/lang/String;)V
    .locals 7

    .prologue
    :try_start_0

    const-string v3, "/sdcard/debug.txt"


    new-instance v2, Ljava/io/FileOutputStream;

    const/4 v5, 0x0

    invoke-direct {v2, v3, v5}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;Z)V

    .line 19
    new-instance v4, Ljava/io/OutputStreamWriter;

    const-string v5, "gb2312"

    invoke-direct {v4, v2, v5}, Ljava/io/OutputStreamWriter;-><init>(Ljava/io/OutputStream;Ljava/lang/String;)V

    .line 21
    invoke-virtual {v4, p0}, Ljava/io/OutputStreamWriter;->write(Ljava/lang/String;)V

    .line 23
    invoke-virtual {v4}, Ljava/io/OutputStreamWriter;->flush()V

    .line 25
    invoke-virtual {v4}, Ljava/io/OutputStreamWriter;->close()V

    .line 27
    invoke-virtual {v2}, Ljava/io/FileOutputStream;->close()V
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    .line 37

    :cond_0
    :goto_0
    return-void

    .line 30
    :catch_0
    move-exception v0

    .line 34
    const-string v5, "debug"

    const-string v6, "file write error"

    invoke-static {v5, v6}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

    goto :goto_0
.end method
 


上面代码大概作用是保存字符串寄存器的值vx到/sdcard/debug.txt。

把构造好的crack.smali放入smali根目录。

修改getSign方法,如下(红色部分为修改内容):
.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
.locals 6
.param p0, "context" # Landroid/content/Context;

.prologue
.line 374
const-string v4, ""

sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

move-result v4

if-nez v4, :cond_0

.line 375
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

.line 385
:goto_0
return-object v4

.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;

move-result-object v2

.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;

move-result-object v4
const-string v4, "/sdcard/download/bt.apk"

const/16 v5, 0x40

invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageArchiveInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;

move-result-object v1

.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

const/4 v5, 0x0

aget-object v3, v4, v5

.line 382
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;

move-result-object v4

invoke-static {v4}, Lcrack;->puts(Ljava/lang/String;)V

sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 383
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

goto :goto_0

.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0

.line 385
.local v0, "e":Ljava/lang/Exception;
const/4 v4, 0x0

goto :goto_0
.end method

保存修改后,回编译软件并签名。把官方版apk改名为“bt.apk”并放到/sdcard/download/目录下。

上面修改主要利用了getPackageInfo和getPackageArchiveInfo的相同点与不同点。


两者都可以用来获取软件的签名信息。getPackageInfo根据包名读取已安装的软件的签名,getPackageArchiveInfo根据路径读取APK压缩包的签名。详情查看谷歌安卓文档。


安装并运行编译好的软件。


打开/sdcard/debug.txt,大致内容如下:


[Asm] 纯文本查看 复制代码
30820241308201aaa0030201020204529c4740300d06092a864886f70d01010505003064310b300906035504061302434e310f300d06035504080c06e995bfe698a5310f300d06035504070c06e995bfe698a5310e300c060355040a13057478626e78310e300c060355040b13057478626e78311330110603550403130a5375706572205469616e3020170d3133313230323038333932385a180f32313133313130383038333932385a3064310b300906035504061302434e310f300d06035504080c06e995bfe698a5310f300d06035504070c06e995bfe698a5310e300c060355040a13057478626e78310e300c060355040b13057478626e78311330110603550403130a5375706572205469616e30819f300d06092a864886f70d010101050003818d0030818902818100c397d7d03201ed740daf59d196541f61642243f3153cf5138b6dcde581487a0b894509a8631db75fadb6b8ccaa2e9914f3b3fb7266faee0982282e13e3435d3f774ff5aafcd0c6b8bad15964681bed2a82f442294ae537848bcb8fdcf3317f3989526c21ffc5f29b3a50c2a5f904ca4932d1e5060c206c6c14ec3a20815f2e370203010001300d06092a864886f70d01010505000381810004253771a3f6510e73ff76eee94f81ee1491813140c7930d89e70a8ba53d19418abfd30d2b3afc0a97288c53d4adeab08c34a05e55507ef16ab51431b33295c7c2faf8b84e4f7e2cd927bb1184cdd84ca2ef2b2d16191cabdb649ee592b26521c8b1d09b0f4d24b332885fad12b4289d83742ecac5e696604d6a3b9013b97415


复制该内容。

重新修改getSign方法,如下:
.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
.locals 6
.param p0, "context" # Landroid/content/Context;

.prologue
.line 374
const-string v4, ""

sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

move-result v4

if-nez v4, :cond_0

.line 375
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

.line 385
:goto_0
return-object v4

.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;

move-result-object v2

.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;

move-result-object v4

const/16 v5, 0x40

invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;

move-result-object v1

.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

const/4 v5, 0x0

aget-object v3, v4, v5

.line 382
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;

move-result-object v4

const-string v4, "30820241308201aaa0030201020204529c4740300d06092a864886f70d01010505003064310b300906035504061302434e310f300d06035504080c06e995bfe698a5310f300d06035504070c06e995bfe698a5310e300c060355040a13057478626e78310e300c060355040b13057478626e78311330110603550403130a5375706572205469616e3020170d3133313230323038333932385a180f32313133313130383038333932385a3064310b300906035504061302434e310f300d06035504080c06e995bfe698a5310f300d06035504070c06e995bfe698a5310e300c060355040a13057478626e78310e300c060355040b13057478626e78311330110603550403130a5375706572205469616e30819f300d06092a864886f70d010101050003818d0030818902818100c397d7d03201ed740daf59d196541f61642243f3153cf5138b6dcde581487a0b894509a8631db75fadb6b8ccaa2e9914f3b3fb7266faee0982282e13e3435d3f774ff5aafcd0c6b8bad15964681bed2a82f442294ae537848bcb8fdcf3317f3989526c21ffc5f29b3a50c2a5f904ca4932d1e5060c206c6c14ec3a20815f2e370203010001300d06092a864886f70d01010505000381810004253771a3f6510e73ff76eee94f81ee1491813140c7930d89e70a8ba53d19418abfd30d2b3afc0a97288c53d4adeab08c34a05e55507ef16ab51431b33295c7c2faf8b84e4f7e2cd927bb1184cdd84ca2ef2b2d16191cabdb649ee592b26521c8b1d09b0f4d24b332885fad12b4289d83742ecac5e696604d6a3b9013b97415"

sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;

.line 383
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

goto :goto_0

.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0

.line 385
.local v0, "e":Ljava/lang/Exception;
const/4 v4, 0x0

goto :goto_0
.end method

相比官方版getSign方法,修改部分为红色字体(无换行)。删除crack.smali,保存并回编译。到此签名校验破解结束。

官方版链接: http://pan.baidu.com/s/1ntLqkDr 密码: c1ut
破解版不上传,需要的自己破解,也别找我要。

免费评分

参与人数 5热心值 +5 收起 理由
我爱逆向 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!
独行风云 + 1 感谢楼主分享
低调奢华 + 1 谢谢@Thanks!
q2234037172 + 1 我很赞同!
zammm + 1 我很赞同!

查看全部评分

本帖被以下淘专辑推荐:

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

wandw3 发表于 2014-7-29 23:23
看不懂 太复杂啊
小试锋芒 发表于 2014-7-30 10:22
 楼主| 落华无痕 发表于 2014-7-29 23:44
淡然出尘 发表于 2014-7-30 13:41
犀利 一个帖子说明了两种破解签名验证的方法:
1、将正版的APK放在“/sdcard/download/”路径下 然后在获取签名时,将需验证签名的APK路径设为/sdcard/download/ 即添加
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;

move-result-object v4
const-string v4, "/sdcard/download/bt.apk" //添加代码

const/16 v5, 0x40

invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageArchiveInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
2、通过Smali注入的手段获取正版签名的字符串,然后在签名获取后赋值
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;

move-result-object v4

const-string v4, "30.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;

move-result-object v4

const-string v4, "3082...3742ecac5e696604d6a3b9013b97415"  //赋值操作
膜拜,学习了..
954995880 发表于 2014-7-29 23:35
不懂,,绑定后
Sreac.L 发表于 2014-7-29 23:35
一头雾水
bxw00004 发表于 2014-7-31 09:48
确实大神。。。
kalachi 发表于 2014-7-31 05:33
学习了,感谢
1009538006 发表于 2014-7-30 19:21 来自手机
太复杂,,
悲伤还是快乐 发表于 2014-7-30 18:58
淡然出尘 发表于 2014-7-30 13:41
犀利 一个帖子说明了两种破解签名验证的方法:
1、将正版的APK放在“/sdcard/download/”路径下 然后在获 ...

多谢大神提醒,捕鱼达人2的签名验证可以搞定了。
Hslim 发表于 2014-7-30 13:00
膜拜大神。。。。
yuan6990 发表于 2014-7-30 13:16
确实大神。。。
suchunping 发表于 2014-7-30 14:37
非常好感谢分享
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则 警告:本版块禁止灌水或回复与主题无关内容,违者重罚!

快速回复 收藏帖子 返回列表 搜索

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-3-19 15:12

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表