軟體有積分限制,有廣告,這裡不做破解介紹。只簡單介紹簽名破解部分。
反編譯軟體,在 smali\com\txbnx(軟體代碼目錄)中搜尋「signatures」,定位到 getSign 方法:
.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
# Returns this app's signing certificate (signatures[0]) as a hex string and
# caches it in the static field Utils.mPublicKey. Returns null if any step
# throws. p0 is only used to reach the PackageManager and the package name.
# Review note: the expected value is compared in a caller that is not on this
# page. Because both the computation and the comparison live inside the APK,
# a repackaged build can alter either one; treat this as one tamper-resistance
# layer, not as a trust anchor (server-side or attestation-backed checks do not
# share this weakness).
.locals 6
.param p0, "context" # Landroid/content/Context;
.prologue
.line 374
# Fast path: "".equals(mPublicKey). Only an empty string forces recomputation;
# a null mPublicKey makes equals() return false and the cached null is returned
# as-is (presumably the field is initialised to "" elsewhere - not visible here).
const-string v4, ""
sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v4
if-nez v4, :cond_0
.line 375
# Cache hit: return the stored value.
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 385
# Shared exit: v4 holds the result for every path (cached value, fresh value, or null).
:goto_0
return-object v4
.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
move-result-object v2
.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;
move-result-object v4
# 0x40 is PackageManager.GET_SIGNATURES: ask for the installed package's signatures.
const/16 v5, 0x40
invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
move-result-object v1
.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
# Only signatures[0] is considered; additional signers (if any) are ignored.
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;
const/4 v5, 0x0
aget-object v3, v4, v5
.line 382
.local v3, "sign":Landroid/content/pm/Signature;
# Hex-encode the DER certificate and store it in the static cache.
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;
move-result-object v4
sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 383
# Re-read the field just written; same value as v4 unless another thread raced.
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
goto :goto_0
.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0
.line 385
.local v0, "e":Ljava/lang/Exception;
# Any exception (e.g. NameNotFoundException) is swallowed: the exception object
# in v0 is never logged and the method returns null. The cache stays "" so the
# lookup is retried on the next call.
const/4 v4, 0x0
goto :goto_0
.end method
上面方法的大意是獲取軟體的簽名,將簽名轉為字符串,並保存到 v4 寄存器中(紅色字體部分)。
想過簽名校驗,必須知道官方簽名時V4的值。
參考另一篇smali注入帖(http://apk.tw/thread-758504-1-1.html),這裡構造個crack.smali,代碼如下:
- .class public Lcrack;
- .super Ljava/lang/Object;
- .source "crack.java"
-
- # puts(String p0): debugging sink. Overwrites /sdcard/debug.txt with p0
- # (encoded as gb2312), flushes and closes both streams, and returns. Any
- # exception is caught, logged as Log.e("debug", "file write error") and
- # otherwise ignored; the exception object in v0 is not included in the log.
- # Review note: external storage is readable by any app holding the storage
- # permission, so anything passed to this helper is exposed on the device.
- .method public static puts(Ljava/lang/String;)V
- .locals 7
-
- .prologue
- :try_start_0
-
- const-string v3, "/sdcard/debug.txt"
-
-
- new-instance v2, Ljava/io/FileOutputStream;
-
- # append = false: each call replaces the file's previous contents.
- const/4 v5, 0x0
-
- invoke-direct {v2, v3, v5}, Ljava/io/FileOutputStream;-><init>(Ljava/lang/String;Z)V
-
- .line 19
- new-instance v4, Ljava/io/OutputStreamWriter;
-
- # Charset name passed to OutputStreamWriter; throws if unsupported (handled by :catch_0).
- const-string v5, "gb2312"
-
- invoke-direct {v4, v2, v5}, Ljava/io/OutputStreamWriter;-><init>(Ljava/io/OutputStream;Ljava/lang/String;)V
-
- .line 21
- invoke-virtual {v4, p0}, Ljava/io/OutputStreamWriter;->write(Ljava/lang/String;)V
-
- .line 23
- invoke-virtual {v4}, Ljava/io/OutputStreamWriter;->flush()V
-
- .line 25
- invoke-virtual {v4}, Ljava/io/OutputStreamWriter;->close()V
-
- .line 27
- # Closing the writer already closes the wrapped stream; this second close is harmless.
- invoke-virtual {v2}, Ljava/io/FileOutputStream;->close()V
- :try_end_0
- .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
-
- .line 37
-
- # Shared exit for the success and error paths. Note: if the writer
- # constructor throws, the already-opened FileOutputStream in v2 is never closed.
- :cond_0
- :goto_0
- return-void
-
- .line 30
- :catch_0
- move-exception v0
-
- .line 34
- const-string v5, "debug"
-
- const-string v6, "file write error"
-
- invoke-static {v5, v6}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I
-
- goto :goto_0
- .end method
上面代碼的作用是把傳入的字符串寄存器值(vx)寫入 /sdcard/debug.txt。
把構造好的crack.smali放入smali根目錄。
修改getSign方法,如下(紅色部分為修改內容):
.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
# Instrumented variant of getSign (differences from the original: lines 148,
# 150 and 161). Instead of the installed package, the signature is read from
# the archive at /sdcard/download/bt.apk and the resulting hex string is also
# handed to crack.puts, which writes it to /sdcard/debug.txt. Cache and error
# handling are otherwise identical to the original method.
.locals 6
.param p0, "context" # Landroid/content/Context;
.prologue
.line 374
# Fast path: "".equals(mPublicKey) decides whether to recompute.
const-string v4, ""
sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v4
if-nez v4, :cond_0
.line 375
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 385
:goto_0
return-object v4
.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
move-result-object v2
.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;
move-result-object v4
# Dead store: the package name placed in v4 above is overwritten on the next
# line and never used. The two preceding instructions could be dropped.
const-string v4, "/sdcard/download/bt.apk"
const/16 v5, 0x40
# getPackageArchiveInfo parses the APK file at the given path; it is expected
# to return null when the file is missing or unreadable, in which case the
# iget-object below throws and :catch_0 returns null - TODO confirm on target API level.
invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageArchiveInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
move-result-object v1
.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;
const/4 v5, 0x0
aget-object v3, v4, v5
.line 382
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;
move-result-object v4
# Side effect added for debugging: dumps the hex string to /sdcard/debug.txt.
# crack.puts swallows its own exceptions, so it cannot divert control to :catch_0.
invoke-static {v4}, Lcrack;->puts(Ljava/lang/String;)V
sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 383
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
goto :goto_0
.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0
.line 385
.local v0, "e":Ljava/lang/Exception;
# Error path: exception discarded, null returned, cache left unchanged.
const/4 v4, 0x0
goto :goto_0
.end method
保存修改後,回編譯軟體並簽名。把官方版apk改名為「bt.apk」並放到/sdcard/download/目錄下。
上面修改主要利用了getPackageInfo和getPackageArchiveInfo的相同點與不同點。
兩者都可以用來獲取軟體的簽名訊息。getPackageInfo根據包名讀取已安裝的軟體的簽名,getPackageArchiveInfo根據路徑讀取APK壓縮包的簽名。詳情查看Google安卓文件。
安裝並執行編譯好的軟體。
開啟/sdcard/debug.txt,大致內容如下:
- 30820241308201aaa0030201020204529c4740300d06092a864886f70d01010505003064310b300906035504061302434e310f300d06035504080c06e995bfe698a5310f300d06035504070c06e995bfe698a5310e300c060355040a13057478626e78310e300c060355040b13057478626e78311330110603550403130a5375706572205469616e3020170d3133313230323038333932385a180f32313133313130383038333932385a3064310b300906035504061302434e310f300d06035504080c06e995bfe698a5310f300d06035504070c06e995bfe698a5310e300c060355040a13057478626e78310e300c060355040b13057478626e78311330110603550403130a5375706572205469616e30819f300d06092a864886f70d010101050003818d0030818902818100c397d7d03201ed740daf59d196541f61642243f3153cf5138b6dcde581487a0b894509a8631db75fadb6b8ccaa2e9914f3b3fb7266faee0982282e13e3435d3f774ff5aafcd0c6b8bad15964681bed2a82f442294ae537848bcb8fdcf3317f3989526c21ffc5f29b3a50c2a5f904ca4932d1e5060c206c6c14ec3a20815f2e370203010001300d06092a864886f70d01010505000381810004253771a3f6510e73ff76eee94f81ee1491813140c7930d89e70a8ba53d19418abfd30d2b3afc0a97288c53d4adeab08c34a05e55507ef16ab51431b33295c7c2faf8b84e4f7e2cd927bb1184cdd84ca2ef2b2d16191cabdb649ee592b26521c8b1d09b0f4d24b332885fad12b4289d83742ecac5e696604d6a3b9013b97415
複製該內容。
重新修改getSign方法,如下:
.method public static getSign(Landroid/content/Context;)Ljava/lang/String;
# Final variant: identical to the original except for line 223, which replaces
# the freshly computed hex string in v4 with a string constant. From that point
# on the PackageManager calls above it only matter for their exceptions: a
# failing getPackageInfo still reaches :catch_0 and returns null, while a
# successful one returns the constant regardless of the actual signer.
# Review note for app authors: an expected value that is compared on-device
# against a value also produced on-device can be replaced by a one-line
# constant like this; hardening means moving the comparison off-device
# (server-side check of the signer hash, or platform attestation), not hiding
# the constant better.
.locals 6
.param p0, "context" # Landroid/content/Context;
.prologue
.line 374
const-string v4, ""
sget-object v5, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v4
if-nez v4, :cond_0
.line 375
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 385
:goto_0
return-object v4
.line 376
:cond_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
move-result-object v2
.line 378
.local v2, "pm":Landroid/content/pm/PackageManager;
:try_start_0
invoke-virtual {p0}, Landroid/content/Context;->getPackageName()Ljava/lang/String;
move-result-object v4
const/16 v5, 0x40
invoke-virtual {v2, v4, v5}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
move-result-object v1
.line 380
.local v1, "packageinfo":Landroid/content/pm/PackageInfo;
iget-object v4, v1, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;
const/4 v5, 0x0
aget-object v3, v4, v5
.line 382
.local v3, "sign":Landroid/content/pm/Signature;
invoke-virtual {v3}, Landroid/content/pm/Signature;->toCharsString()Ljava/lang/String;
# Dead store: the real signature string written to v4 here is overwritten by
# the constant on the next line; v3 and this call are now unused.
move-result-object v4
# The literal is the hex-encoded certificate captured earlier (elided on this page).
const-string v4, "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"
sput-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
.line 383
sget-object v4, Lcom/txbnx/torrentsearcher/Utils;->mPublicKey:Ljava/lang/String;
:try_end_0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0
goto :goto_0
.line 384
.end local v1 # "packageinfo":Landroid/content/pm/PackageInfo;
.end local v3 # "sign":Landroid/content/pm/Signature;
:catch_0
move-exception v0
.line 385
.local v0, "e":Ljava/lang/Exception;
# Error path unchanged: exception discarded, null returned.
const/4 v4, 0x0
goto :goto_0
.end method
相比官方版 getSign 方法,修改部分為紅色字體(無換行)。刪除 crack.smali,保存並回編譯。到此簽名校驗破解結束。