[Android 分享] 元气骑士签名验证

message00 发表于 2019-7-24 09:46
本帖最后由 message00 于 2019-8-29 16:44 编辑

身边暂时没电脑,手机码字,图少见谅。


论坛上的大部分帖子采用的是在getkeyhash中插入return-void的方法,但是此方法存在弊端,即存档是一次性的。例如,解锁人物后重启游戏,人物会重新变成未解锁状态。


介绍一下我的方法。


使用 android killer反编译apk,接着打开android killer工程目录,找到yqqs对应的文件夹。然后找到smali文件夹以及AndroidManifest.xml文件。


在smali文件夹中依次新建cc/binmt/signature三级文件夹,并在signature文件夹中新建PmsHookApplication.smali文件,将其内容改为以下代码。
# PmsHookApplication: an Application subclass that also serves as a
# java.lang.reflect.InvocationHandler.  attachBaseContext() calls hook(),
# which (1) decodes the Base64 blob below into an array of signature byte
# arrays, (2) swaps the process-local IPackageManager held in
# ActivityThread.sPackageManager and <PackageManager>.mPM for a reflective
# Proxy whose handler is this object, and (3) in invoke() rewrites
# PackageInfo.signatures for getPackageInfo(<own package>, flags with the
# 0x40 bit set) so the caller sees the embedded signature instead of the
# one the platform reports.
#
# NOTE(review): for defenders this listing illustrates why an in-process
# signature check that relies on PackageManager.getPackageInfo() is not
# trustworthy on its own -- the object it talks to is replaced from inside
# the same process.  Hedged mitigations to confirm per app: verify the
# signing identity out of process (server-side attestation), and treat a
# java.lang.reflect.Proxy behind mPM / sPackageManager as a tamper signal.
.class public Lcc/binmt/signature/PmsHookApplication;
.super Landroid/app/Application;
.source "PmsHookApplication.java"

# interfaces
.implements Ljava/lang/reflect/InvocationHandler;


# static fields
# Same numeric value as PackageManager.GET_SIGNATURES.  javac inlines it:
# invoke() masks the flags argument with the literal 0x40.
.field private static final GET_SIGNATURES:I = 0x40


# instance fields
# Package name captured from the Context in hook(); invoke() rewrites only
# getPackageInfo() results requested for this package.
.field private appPkgName:Ljava/lang/String;

# The original IPackageManager read from ActivityThread.sPackageManager;
# every proxied call is forwarded to it.
.field private base:Ljava/lang/Object;

# Decoded signature blobs (one byte[] per signature) from the Base64 string
# in hook().
.field private sign:[[B


# direct methods
# Constructor: appPkgName starts as "" (the inlined field initializer),
# presumably so invoke() always has a non-null String to compare against.
.method public constructor <init>()V
    .registers 2

    .prologue
    .line 20
    invoke-direct {p0}, Landroid/app/Application;-><init>()V

    .line 25
    const-string/jumbo v0, ""

    iput-object v0, p0, Lcc/binmt/signature/PmsHookApplication;->appPkgName:Ljava/lang/String;

    return-void
.end method

# hook(context): decodes the embedded payload and installs the proxy.
# The whole body is one try/catch(Exception): on failure it prints
# "PmsHook failed." plus a stack trace to System.err and returns normally,
# so the app still starts, with the real package manager left in place.
.method private hook(Landroid/content/Context;)V
    .registers 22
    .param p1, "context"    # Landroid/content/Context;

    .prologue
    .line 52
    :try_start_0
    # Base64 payload.  Decoded layout (see the loop at :goto_28): first byte
    # = signature count, then per signature a 4-byte big-endian length
    # (DataInputStream.readInt) followed by that many bytes.  The content
    # appears to be a single DER-encoded signing certificate -- not
    # validated here.
    const-string/jumbo v6, "AQAAAdcwggHTMIIBPKADAgECAgRWk/uYMA0GCSqGSIb3DQEBBQUAMC0xEjAQBgNVBAMMCVpleWFu\nZyBMaTEXMBUGA1UECgwOQ2hpbGx5Um9vbSBJbmMwIBcNMTYwODAzMDUxNjE3WhgPMjA2NjA3MjIw\nNTE2MTdaMC0xEjAQBgNVBAMMCVpleWFuZyBMaTEXMBUGA1UECgwOQ2hpbGx5Um9vbSBJbmMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN3i6iwy81LR1NUgJ0xGRbTw0Iyb1JIR1kg9ioaiba6H\nHoCAYcbdtp7+dNIeGkeSElq4EOnnhS1g1j8tQyaZql5Nm3bMCHcMbua2JcKsh7eSRda3L45rfX1j\nQZxfzsaNZi8EzSA9uDHAIsAL0txozlXOIQ5NzKWxFjIhlNjvb46lAgMBAAEwDQYJKoZIhvcNAQEF\nBQADgYEAzN75igRMwQmrgwPCwQtLDqW/4PtgITvGKWr9m/hQCL0Sapo0q1KDn1ZcGIY5mwAweTsT\n75OAmm0pBmeX3CAL97H27jck/IIXoz+kDx3z+shftckjqppVzqlFoPRdKeAN2cXjrm1LEPD3pSHQ\nAxcsxJ4ndojuc4nPyKOnMmWYH7k=\n"

    .line 53
    .local v6, "data":Ljava/lang/String;
    new-instance v10, Ljava/io/DataInputStream;

    new-instance v17, Ljava/io/ByteArrayInputStream;

    const/16 v18, 0x0

    move/from16 v0, v18

    invoke-static {v6, v0}, Landroid/util/Base64;->decode(Ljava/lang/String;I)[B

    move-result-object v18

    invoke-direct/range {v17 .. v18}, Ljava/io/ByteArrayInputStream;-><init>([B)V

    move-object/from16 v0, v17

    invoke-direct {v10, v0}, Ljava/io/DataInputStream;-><init>(Ljava/io/InputStream;)V

    .line 54
    .local v10, "is":Ljava/io/DataInputStream;
    # Signature count: one byte, masked to 0..255, sizes the byte[][].
    invoke-virtual {v10}, Ljava/io/DataInputStream;->read()I

    move-result v17

    move/from16 v0, v17

    and-int/lit16 v0, v0, 0xff

    move/from16 v17, v0

    move/from16 v0, v17

    new-array v0, v0, [[B

    move-object/from16 v16, v0

    .line 55
    .local v16, "sign":[[B
    const/4 v8, 0x0

    .local v8, "i":I
    # for (i = 0; i < sign.length; i++) { sign[i] = new byte[readInt()]; readFully(sign[i]); }
    :goto_28
    move-object/from16 v0, v16

    array-length v0, v0

    move/from16 v17, v0

    move/from16 v0, v17

    if-ge v8, v0, :cond_47

    .line 56
    invoke-virtual {v10}, Ljava/io/DataInputStream;->readInt()I

    move-result v17

    move/from16 v0, v17

    new-array v0, v0, [B

    move-object/from16 v17, v0

    aput-object v17, v16, v8

    .line 57
    aget-object v17, v16, v8

    move-object/from16 v0, v17

    invoke-virtual {v10, v0}, Ljava/io/DataInputStream;->readFully([B)V

    .line 55
    add-int/lit8 v8, v8, 0x1

    goto :goto_28

    .line 61
    :cond_47
    # Reflection into hidden platform internals: ActivityThread.currentActivityThread()
    # and its static field sPackageManager.  NOTE(review): these are non-SDK
    # members; whether reflective access is allowed depends on the platform
    # version -- confirm for the targeted versions.
    const-string/jumbo v17, "android.app.ActivityThread"

    invoke-static/range {v17 .. v17}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;

    move-result-object v3

    .line 62
    .local v3, "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    const-string/jumbo v17, "currentActivityThread"

    const/16 v18, 0x0

    move/from16 v0, v18

    new-array v0, v0, [Ljava/lang/Class;

    move-object/from16 v18, v0

    .line 63
    move-object/from16 v0, v17

    move-object/from16 v1, v18

    invoke-virtual {v3, v0, v1}, Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;

    move-result-object v5

    .line 64
    .local v5, "currentActivityThreadMethod":Ljava/lang/reflect/Method;
    const/16 v17, 0x0

    const/16 v18, 0x0

    move/from16 v0, v18

    new-array v0, v0, [Ljava/lang/Object;

    move-object/from16 v18, v0

    move-object/from16 v0, v17

    move-object/from16 v1, v18

    invoke-virtual {v5, v0, v1}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v4

    .line 67
    .local v4, "currentActivityThread":Ljava/lang/Object;
    const-string/jumbo v17, "sPackageManager"

    move-object/from16 v0, v17

    invoke-virtual {v3, v0}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;

    move-result-object v15

    .line 68
    .local v15, "sPackageManagerField":Ljava/lang/reflect/Field;
    const/16 v17, 0x1

    move/from16 v0, v17

    invoke-virtual {v15, v0}, Ljava/lang/reflect/Field;->setAccessible(Z)V

    .line 69
    invoke-virtual {v15, v4}, Ljava/lang/reflect/Field;->get(Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v14

    .line 72
    .local v14, "sPackageManager":Ljava/lang/Object;
    const-string/jumbo v17, "android.content.pm.IPackageManager"

    invoke-static/range {v17 .. v17}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;

    move-result-object v9

    .line 73
    .local v9, "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    # Keep the real manager (forward target), the decoded blobs and our own
    # package name in instance fields for invoke().
    move-object/from16 v0, p0

    iput-object v14, v0, Lcc/binmt/signature/PmsHookApplication;->base:Ljava/lang/Object;

    .line 74
    move-object/from16 v0, v16

    move-object/from16 v1, p0

    iput-object v0, v1, Lcc/binmt/signature/PmsHookApplication;->sign:[[B

    .line 75
    invoke-virtual/range {p1 .. p1}, Landroid/content/Context;->getPackageName()Ljava/lang/String;

    move-result-object v17

    move-object/from16 v0, v17

    move-object/from16 v1, p0

    iput-object v0, v1, Lcc/binmt/signature/PmsHookApplication;->appPkgName:Ljava/lang/String;

    .line 78
    # Build Proxy.newProxyInstance(IPackageManager's loader, {IPackageManager}, this)
    # and store it in both ActivityThread.sPackageManager (static) and the
    # Context's PackageManager instance field "mPM", so getPackageManager()
    # calls are routed through invoke().
    invoke-virtual {v9}, Ljava/lang/Class;->getClassLoader()Ljava/lang/ClassLoader;

    move-result-object v17

    const/16 v18, 0x1

    move/from16 v0, v18

    new-array v0, v0, [Ljava/lang/Class;

    move-object/from16 v18, v0

    const/16 v19, 0x0

    aput-object v9, v18, v19

    .line 77
    move-object/from16 v0, v17

    move-object/from16 v1, v18

    move-object/from16 v2, p0

    invoke-static {v0, v1, v2}, Ljava/lang/reflect/Proxy;->newProxyInstance(Ljava/lang/ClassLoader;[Ljava/lang/Class;Ljava/lang/reflect/InvocationHandler;)Ljava/lang/Object;

    move-result-object v13

    .line 83
    .local v13, "proxy":Ljava/lang/Object;
    invoke-virtual {v15, v4, v13}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V

    .line 86
    invoke-virtual/range {p1 .. p1}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;

    move-result-object v12

    .line 87
    .local v12, "pm":Landroid/content/pm/PackageManager;
    invoke-virtual {v12}, Ljava/lang/Object;->getClass()Ljava/lang/Class;

    move-result-object v17

    const-string/jumbo v18, "mPM"

    invoke-virtual/range {v17 .. v18}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;

    move-result-object v11

    .line 88
    .local v11, "mPmField":Ljava/lang/reflect/Field;
    const/16 v17, 0x1

    move/from16 v0, v17

    invoke-virtual {v11, v0}, Ljava/lang/reflect/Field;->setAccessible(Z)V

    .line 89
    invoke-virtual {v11, v12, v13}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V

    .line 90
    # Success is only reported on stdout; nothing else records that the hook
    # is active.
    sget-object v17, Ljava/lang/System;->out:Ljava/io/PrintStream;

    const-string/jumbo v18, "PmsHook success."

    invoke-virtual/range {v17 .. v18}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    :try_end_e0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_e0} :catch_e1

    .line 95
    .end local v3    # "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    .end local v4    # "currentActivityThread":Ljava/lang/Object;
    .end local v5    # "currentActivityThreadMethod":Ljava/lang/reflect/Method;
    .end local v6    # "data":Ljava/lang/String;
    .end local v8    # "i":I
    .end local v9    # "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    .end local v10    # "is":Ljava/io/DataInputStream;
    .end local v11    # "mPmField":Ljava/lang/reflect/Field;
    .end local v12    # "pm":Landroid/content/pm/PackageManager;
    .end local v13    # "proxy":Ljava/lang/Object;
    .end local v14    # "sPackageManager":Ljava/lang/Object;
    .end local v15    # "sPackageManagerField":Ljava/lang/reflect/Field;
    .end local v16    # "sign":[[B
    :goto_e0
    return-void

    .line 91
    # Catch-all: any Exception from the reflection above ends here; the
    # failure is printed and swallowed, the method still returns normally.
    :catch_e1
    move-exception v7

    .line 92
    .local v7, "e":Ljava/lang/Exception;
    sget-object v17, Ljava/lang/System;->err:Ljava/io/PrintStream;

    const-string/jumbo v18, "PmsHook failed."

    invoke-virtual/range {v17 .. v18}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V

    .line 93
    invoke-virtual {v7}, Ljava/lang/Exception;->printStackTrace()V

    goto :goto_e0
.end method


# virtual methods
# attachBaseContext(base): runs hook() first and only then the superclass
# implementation, i.e. the proxy is installed as early as this class can
# manage in the Application lifecycle.
.method protected attachBaseContext(Landroid/content/Context;)V
    .registers 2
    .param p1, "base"    # Landroid/content/Context;

    .prologue
    .line 29
    invoke-direct {p0, p1}, Lcc/binmt/signature/PmsHookApplication;->hook(Landroid/content/Context;)V

    .line 30
    invoke-super {p0, p1}, Landroid/app/Application;->attachBaseContext(Landroid/content/Context;)V

    .line 31
    return-void
.end method

# invoke(proxy, method, args): InvocationHandler entry point for every
# IPackageManager call made through the proxy.
#   - method.getName() == "getPackageInfo", (args[1] & 0x40) != 0 and
#     args[0] equal to appPkgName: call the real method on `base`, then
#     replace the returned PackageInfo.signatures with one Signature per
#     byte[] in `sign`, and return that PackageInfo.
#   - anything else: forward unchanged to `base` and return its result.
# Declared to throw Throwable (see the annotation below).
# NOTE(review): args[1] is cast to java.lang.Integer.  If the platform's
# IPackageManager.getPackageInfo passes its flags as a long, this cast
# throws ClassCastException out of the proxy -- confirm for target versions.
.method public invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object;
    .registers 11
    .param p1, "proxy"    # Ljava/lang/Object;
    .param p2, "method"    # Ljava/lang/reflect/Method;
    .param p3, "args"    # [Ljava/lang/Object;
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/lang/Throwable;
        }
    .end annotation

    .prologue
    .line 35
    const-string/jumbo v4, "getPackageInfo"

    invoke-virtual {p2}, Ljava/lang/reflect/Method;->getName()Ljava/lang/String;

    move-result-object v5

    invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v4

    if-eqz v4, :cond_4c

    .line 36
    # args[0] = package name, args[1] = boxed flags.
    const/4 v4, 0x0

    aget-object v3, p3, v4

    check-cast v3, Ljava/lang/String;

    .line 37
    .local v3, "pkgName":Ljava/lang/String;
    const/4 v4, 0x1

    aget-object v0, p3, v4

    check-cast v0, Ljava/lang/Integer;

    .line 38
    .local v0, "flag":Ljava/lang/Integer;
    invoke-virtual {v0}, Ljava/lang/Integer;->intValue()I

    move-result v4

    # 0x40 is the inlined GET_SIGNATURES bit.
    and-int/lit8 v4, v4, 0x40

    if-eqz v4, :cond_4c

    iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->appPkgName:Ljava/lang/String;

    invoke-virtual {v4, v3}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v4

    if-eqz v4, :cond_4c

    .line 39
    # Hooked path: get the real PackageInfo, then overwrite its signatures.
    iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->base:Ljava/lang/Object;

    invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v2

    check-cast v2, Landroid/content/pm/PackageInfo;

    .line 40
    .local v2, "info":Landroid/content/pm/PackageInfo;
    iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->sign:[[B

    array-length v4, v4

    new-array v4, v4, [Landroid/content/pm/Signature;

    iput-object v4, v2, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

    .line 41
    const/4 v1, 0x0

    .local v1, "i":I
    # for (i = 0; i < info.signatures.length; i++) info.signatures[i] = new Signature(sign[i]);
    # Falls through to :cond_52 with v2 = the modified PackageInfo.
    :goto_37
    iget-object v4, v2, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

    array-length v4, v4

    if-ge v1, v4, :cond_52

    .line 42
    iget-object v4, v2, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

    new-instance v5, Landroid/content/pm/Signature;

    iget-object v6, p0, Lcc/binmt/signature/PmsHookApplication;->sign:[[B

    aget-object v6, v6, v1

    invoke-direct {v5, v6}, Landroid/content/pm/Signature;-><init>([B)V

    aput-object v5, v4, v1

    .line 41
    add-int/lit8 v1, v1, 0x1

    goto :goto_37

    .line 47
    .end local v0    # "flag":Ljava/lang/Integer;
    .end local v1    # "i":I
    .end local v2    # "info":Landroid/content/pm/PackageInfo;
    .end local v3    # "pkgName":Ljava/lang/String;
    # Pass-through path: every other method, and getPackageInfo for other
    # packages or without the 0x40 bit, goes straight to the real manager.
    :cond_4c
    iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->base:Ljava/lang/Object;

    invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v2

    :cond_52
    return-object v2
.end method

再打开 AndroidManifest.xml 找到<application···>部分,也就是类似如图的地方
o.png

其中包括一些属性,我们要关注的是android:name
将android:name="···"改为
android:name="cc.binmt.signature.PmsHookApplication"

IMG_20190724_094033.jpg
IMG_20190724_094117.png
注意:本文使用的是2.2.0版本。在一些低版本的yqqs中,<application>标签里不存在android:name属性,此时直接在该标签中添加
android:name="cc.binmt.signature.PmsHookApplication"即可。

然后回到android killer 开始编译,搞定。

声明:

那个smali中的方法不是我原创的,最开始是从一个破解版文件中提取的,后来发现cc.binmt其实就是mt管理器的网址,看来mt管理器中的去除签名验证用的就是此方法,大致原理可以去mt官网查看。其实本不必新建这么多层文件夹(前提是同时把.class声明和AndroidManifest中的类名改成与新目录一致),但为了表明此方法的来源,我还是依照原样建立了目录。



2165998 发表于 2019-8-20 18:21
okhjwok 发表于 2019-7-31 17:25
请问别的签名验证的游戏,也可以复制这个代码,去除签名验证吗

很明显不能,里面的那个字节码我猜与原来的签名有关,不知道怎么提取的
 楼主| message00 发表于 2019-7-24 10:06
Gentlewang 发表于 2019-7-24 10:00
看着像将bin的mt签名文件手动提取导入里面的?

按照mt官网的说法是hook了原signature数据
壊丶壊 发表于 2019-7-24 09:48
十一七 发表于 2019-7-24 09:53
我是二楼:小白仰观大佬
絕情 发表于 2019-7-24 09:54
我要重新学习英语了
真是我的 发表于 2019-7-24 09:54
我是三楼,仰望沙发
我来了起风了 发表于 2019-7-24 09:54
围观大佬                        
社会峰哥 发表于 2019-7-24 09:58
天书啊   看着就不懂   但是很厉害
GenW 发表于 2019-7-24 10:00
看着像将bin的mt签名文件手动提取导入里面的?
smile1q88 发表于 2019-7-24 10:01
仰望大佬