【Android逆向】破解黑宝宝apk,绕过签名校验
这是52pojie的一道题,实现输入任何密码都可以登录成功
他知道你最近在学习Android逆向 他想在游戏上线前让你测试一下他新加的签名验证是否能防住别人的破解。
下面是李华编写的黑宝宝apk
链接:https://pan.baidu.com/s/1h6pX2ARE3qtiKiYbcnJ-3g 密码:duv5
1. apk拖入到jadx中, 关键逻辑
//MainActivity.java
Button_regist.setOnClickListener(new View.OnClickListener() { // from class: demo2.jni.com.myapplication.MainActivity.1
@Override // android.view.View.OnClickListener
public void onClick(View view) {
Toast.makeText(MainActivity.this,
MainActivity.this.mj.check(
MainActivity.this.ct,
MainActivity.this.User_Name.getText().toString().trim(),
MainActivity.this.User_Pass.getText().toString().trim()), 0)
.show();
}
});
//myJNI.java
public class myJNI {
public native String check(Object obj, String str, String str2);
static {
System.loadLibrary("JniTest");
}
}
2. 看来答案在JniTest.so中,将so拖入到idapro中,稍微整理一下代码,反汇编可得
整理步骤:
1. 入参重命名, a1 改为 JNIEnv *env 等
2. 对于显示位乱码的数据,或者展示不出来的,多半可能是中文,可以按住alt+A键打开ASCII string style窗口
然后点击set default encodings 在弹出框中选择8-bit的change 选择utf-8后点击ok回到c语言界面按f5刷新一下界面 乱码问题解决
反汇编代码
int __fastcall Java_demo2_jni_com_myapplication_myJNI_check(
JNIEnv *env,
jobject object,
int context,
int username,
int password)
{
void *Signature; // r0
const char *v8; // r6
const char *v9; // r8
const char *v10; // r7
int v11; // r0
JNIEnv v12; // r5
Signature = (void *)getSignature(env, object, context);
v8 = (*env)->GetStringUTFChars(env, Signature, 0);
v9 = (*env)->GetStringUTFChars(env, username, 0);
v10 = (*env)->GetStringUTFChars(env, password, 0);
_android_log_print(4, "JNI_LOG", aJni, v8);
if ( !strcmp(
v8,
"308201dd30820146020101300d06092a864886f70d010105050030373116301406035504030c0d416e64726f6964204465627567311030"
"0e060355040a0c07416e64726f6964310b3009060355040613025553301e170d3138303332313033303431385a170d3438303331333033"
"303431385a30373116301406035504030c0d416e64726f69642044656275673110300e060355040a0c07416e64726f6964310b30090603"
"5504061302555330819f300d06092a864886f70d010101050003818d00308189028181008270f53e2cf8c7d7ed200863deb85a054defde"
"773be0b848ee792839d9a81da098dd9b74bbb9679c19ea30b63fe3bb74aabb270a5c9b3359ebe3fdf278b82fe576a6677f0d77f0eb5b08"
"8d0711b15d03cadae08b3b980f28055d0cde4bbc4a0b4b208b0f30f170b6ea77a8620269fa1d375442653663e1dd41293aa1c4910e3502"
"03010001300d06092a864886f70d010105050003818100044b9ab7e85346a147926c2d1c6c30e8ffcce174f88acb9763cb776fb1f4dd62"
"183c9524346738ff1aea16c5fa218c68da76d05a2422aee12fc23563b5e28925c3d96dff855a584fc1ec462aa768277bd25739085d52fe"
"3fedfd396e38180c13fbb289786e524535933dd8a99ed3154880544f3e41f044acc43ceefbbce3af59") )
{
_android_log_print(4, "JNI_LOG", byte_23BA);
exit(0);
}
_android_log_print(4, "JNI_LOG", byte_23A6);
v11 = strcmp(v9, "koudai");
v12 = *env;
if ( !v11 || !strcmp(v10, "black") )
return (int)v12->NewStringUTF(env, byte_23EA);
else
return (int)v12->NewStringUTF(env, byte_23DD);
}
3. 这里可以看到,首先做了一个签名校验,那么只要我们重打包,必然运行失败,然后做了账号密码的校验
这里留的题目是输入任何密码都可以登录成功,那么我们可以看看汇编代码的条件处
.text:00000EB8
.text:00000EB8 ; =============== S U B R O U T I N E =======================================
.text:00000EB8
.text:00000EB8
.text:00000EB8 ; int __fastcall Java_demo2_jni_com_myapplication_myJNI_check(int *, int, int, int, int)
.text:00000EB8 EXPORT Java_demo2_jni_com_myapplication_myJNI_check
.text:00000EB8 Java_demo2_jni_com_myapplication_myJNI_check
.text:00000EB8 ; DATA XREF: LOAD:000001FC↑o
.text:00000EB8
.text:00000EB8 arg_0= 0
.text:00000EB8
.text:00000EB8 ; __unwind {
.text:00000EB8 2D E9 F0 41 PUSH.W {R4-R8,LR}
.text:00000EBC 04 46 MOV R4, R0
.text:00000EBE 1F 46 MOV R7, R3
.text:00000EC0 FF F7 5C FF BL getSignature
.text:00000EC0
.text:00000EC4 22 68 LDR R2, [R4]
.text:00000EC6 D2 F8 A4 32 LDR.W R3, [R2,#0x2A4]
.text:00000ECA 00 22 MOVS R2, #0
.text:00000ECC 01 46 MOV R1, R0
.text:00000ECE 20 46 MOV R0, R4
.text:00000ED0 98 47 BLX R3
.text:00000ED0
.text:00000ED2 22 68 LDR R2, [R4]
.text:00000ED4 39 46 MOV R1, R7
.text:00000ED6 D2 F8 A4 52 LDR.W R5, [R2,#0x2A4]
.text:00000EDA 00 22 MOVS R2, #0
.text:00000EDC 06 46 MOV R6, R0
.text:00000EDE 20 46 MOV R0, R4
.text:00000EE0 A8 47 BLX R5
.text:00000EE0
.text:00000EE2 23 68 LDR R3, [R4]
.text:00000EE4 06 99 LDR R1, [SP,#0x18+arg_0]
.text:00000EE6 00 22 MOVS R2, #0
.text:00000EE8 1F 4D LDR R5, =(aJniLog - 0xEF2) ; "JNI_LOG"
.text:00000EEA D3 F8 A4 32 LDR.W R3, [R3,#0x2A4]
.text:00000EEE 7D 44 ADD R5, PC ; "JNI_LOG"
.text:00000EF0 80 46 MOV R8, R0
.text:00000EF2 20 46 MOV R0, R4
.text:00000EF4 98 47 BLX R3
.text:00000EF4
.text:00000EF6 1D 4A LDR R2, =(aJni - 0xF00) ; "JNI"
.text:00000EF8 29 46 MOV R1, R5 ; tag
.text:00000EFA 33 46 MOV R3, R6
.text:00000EFC 7A 44 ADD R2, PC ; "JNI" ; fmt
.text:00000EFE 07 46 MOV R7, R0
.text:00000F00 04 20 MOVS R0, #4 ; prio
.text:00000F02 FF F7 CC EE BLX __android_log_print
.text:00000F02
.text:00000F06 1A 49 LDR R1, =(a308201dd308201 - 0xF0E) ; "308201dd30820146020101300d06092a864886f"...
.text:00000F08 30 46 MOV R0, R6 ; char *
.text:00000F0A 79 44 ADD R1, PC ; "308201dd30820146020101300d06092a864886f"...
.text:00000F0C FF F7 CC EE BLX strcmp
.text:00000F0C
.text:00000F10 68 B9 CBNZ R0, loc_F2E
.text:00000F10
.text:00000F12 18 4A LDR R2, =(byte_23A6 - 0xF1C)
.text:00000F14 29 46 MOV R1, R5 ; tag
.text:00000F16 04 20 MOVS R0, #4 ; prio
.text:00000F18 7A 44 ADD R2, PC ; byte_23A6 ; fmt
.text:00000F1A FF F7 C0 EE BLX __android_log_print
.text:00000F1A
.text:00000F1E 16 49 LDR R1, =(aKoudai - 0xF26) ; "koudai"
.text:00000F20 40 46 MOV R0, R8 ; char *
.text:00000F22 79 44 ADD R1, PC ; "koudai"
.text:00000F24 FF F7 C0 EE BLX strcmp
.text:00000F24
.text:00000F28 25 68 LDR R5, [R4]
.text:00000F2A 48 B1 CBZ R0, loc_F40
.text:00000F2A
.text:00000F2C 14 E0 B loc_F58
.text:00000F2C
.text:00000F2E ; ---------------------------------------------------------------------------
.text:00000F2E
.text:00000F2E loc_F2E ; CODE XREF: Java_demo2_jni_com_myapplication_myJNI_check+58↑j
.text:00000F2E 13 4A LDR R2, =(byte_23BA - 0xF38)
.text:00000F30 04 20 MOVS R0, #4 ; prio
.text:00000F32 29 46 MOV R1, R5 ; tag
.text:00000F34 7A 44 ADD R2, PC ; byte_23BA ; fmt
.text:00000F36 FF F7 B2 EE BLX __android_log_print
.text:00000F36
.text:00000F3A 00 20 MOVS R0, #0 ; int
.text:00000F3C FF F7 BA EE BLX exit
.text:00000F3C
.text:00000F40 ; ---------------------------------------------------------------------------
.text:00000F40
.text:00000F40 loc_F40 ; CODE XREF: Java_demo2_jni_com_myapplication_myJNI_check+72↑j
.text:00000F40 0F 49 LDR R1, =(aBlack - 0xF48) ; "black"
.text:00000F42 38 46 MOV R0, R7 ; char *
.text:00000F44 79 44 ADD R1, PC ; "black"
.text:00000F46 FF F7 B0 EE BLX strcmp
.text:00000F46
.text:00000F4A 28 B9 CBNZ R0, loc_F58
.text:00000F4A
.text:00000F4C 0D 49 LDR R1, =(unk_23DD - 0xF58)
.text:00000F4E 20 46 MOV R0, R4
.text:00000F50 D5 F8 9C 32 LDR.W R3, [R5,#0x29C]
.text:00000F54 79 44 ADD R1, PC ; unk_23DD
.text:00000F56 04 E0 B loc_F62
.text:00000F56
.text:00000F58 ; ---------------------------------------------------------------------------
.text:00000F58
.text:00000F58 loc_F58 ; CODE XREF: Java_demo2_jni_com_myapplication_myJNI_check+74↑j
.text:00000F58 ; Java_demo2_jni_com_myapplication_myJNI_check+92↑j
.text:00000F58 0B 49 LDR R1, =(unk_23EA - 0xF64)
.text:00000F5A 20 46 MOV R0, R4
.text:00000F5C D5 F8 9C 32 LDR.W R3, [R5,#0x29C]
.text:00000F60 79 44 ADD R1, PC ; unk_23EA
.text:00000F60
.text:00000F62
.text:00000F62 loc_F62 ; CODE XREF: Java_demo2_jni_com_myapplication_myJNI_check+9E↑j
.text:00000F62 98 47 BLX R3
.text:00000F62
.text:00000F64 BD E8 F0 81 POP.W {R4-R8,PC}
.text:00000F64
.text:00000F64 ; End of function Java_demo2_jni_com_myapplication_myJNI_check
要修改的行
[1] 对应着签名条件的跳转
.text:00000F10 68 B9 CBNZ R0, loc_F2E
[2] 对应着username判断条件的跳转
.text:00000F2A 48 B1 CBZ R0, loc_F40
[3] 对应着password判断条件的跳转
.text:00000F4A 28 B9 CBNZ R0, loc_F58
查汇编与机器码对应关系可知
B9 对应 CBNZ
B1 对应 CBZ
那么只要把它们反过来就可以了
鼠标点住那行命令 View->Open subviews->Hex dump打开16进制编辑 ,
选中要改的机器码,按F2, 修改完毕后再按F2,表示修改完毕
