【Android逆向】破解看雪test3.apk方案二

方案二是 hook 下面这三个检测条件,让它们都不成立,这样追加的字符串就保持为 "REAL",不会被改成 "FAKE"。

 // Decompiler pseudocode excerpt; the enclosing function is not shown on this page.
 // v20 defaults to "REAL" and is switched to "FAKE" as soon as any one of three
 // environment checks reports a hit.
 v20 = "REAL";
  // Fetch the static String field android.os.Build.FINGERPRINT through JNI.
  clazz = _JNIEnv::FindClass(env, "android/os/Build");
  fieldID = _JNIEnv::GetStaticFieldID(env, clazz, "FINGERPRINT", "Ljava/lang/String;");
  StaticObjectField = (_jstring *)_JNIEnv::GetStaticObjectField(env, clazz, fieldID);
  // Short-circuit OR: the fingerprint is only converted to UTF-8 and searched for "aosp"
  // when both native checks have already returned 0.
  // NOTE(review): the names suggest a TracerPid (tracer attached) probe and a system-property
  // probe, but neither body is shown here — confirm against the binary.
  // NOTE(review): no ReleaseStringUTFChars call is visible in this excerpt.
  // All three signals are evaluated inside the app's own process, so code instrumenting
  // that process can change their results, which is what the script on this page does.
  if ( function_check_tracerPID()
    || system_getproperty_check()
    || (StringUTFChars = (char *)_JNIEnv::GetStringUTFChars(env, StaticObjectField, 0), strstr(StringUTFChars, "aosp")) )
  {
    v20 = "FAKE";
  }
  1. 修改 Build 类的静态字段 FINGERPRINT,使其不包含 "aosp"
  2. hook function_check_tracerPID,把返回值改为 0
  3. hook system_getproperty_check,把返回值改为 0

代码如下

/**
 * Script entry point: neutralise the environment checks, then call
 * MainActivity.Sign() on each candidate in a small numeric range and report
 * the one whose result equals the expected digest string.
 *
 * The checks are handled first because, per the decompiled excerpt in this
 * write-up, a triggered check switches an appended string from "REAL" to
 * "FAKE" — presumably altering what Sign() returns.
 */
function main() {
    // Expected Sign() output for the correct input (64 hex characters, taken from the write-up).
    var TARGET_DIGEST = "57fdeca2cac0509b2e9e5c52a5b573c1608a33ac1ffb9e8210d2e129557e7f1b"
    // Inclusive candidate range.
    var FIRST_CANDIDATE = 87650
    var LAST_CANDIDATE = 87700

    Java.perform(function () {
        hookCheck()
        var activityClass = Java.use('com.roysue.easyso1.MainActivity')

        var candidate = FIRST_CANDIDATE
        while (candidate <= LAST_CANDIDATE) {
            var text = String(candidate)
            var digest = activityClass.Sign(text)

            // Progress marker every 1000 candidates; the current range contains
            // no multiple of 1000, so it never prints here.
            if (candidate % 1000 == 0) {
                console.log("now is", text);
            }

            if (digest == TARGET_DIGEST) {
                console.log("find it : " + text)
                break
            }
            candidate++
        }

        console.log("end : ")
    })
}

/**
 * Neutralise the three environment checks used by libroysue.so:
 *   - the two native checks are located among the library's exports and their
 *     return value is rewritten to 0 on every call;
 *   - the static field android.os.Build.FINGERPRINT is overwritten with "1234".
 *
 * Locating the checks by name works because both are exported with their
 * mangled names intact (the page's log shows _Z24function_check_tracerPIDv and
 * _Z24system_getproperty_checkv), and each check reduces to a single return
 * value. If the library is not loaded yet, the native part is skipped silently.
 */
function hookCheck() {
    // One row per native check:
    // [export-name fragment, "located" log prefix, "return value" log prefix].
    var nativeChecks = [
        ["function_check_tracerPID", "function_check_tracerPID is at ", "function_check_tracer retval is => "],
        ["system_getproperty_check", "system_getproperty_check is at ", "system_getproperty_check retval is => "]
    ]

    // Attach to one export, log each return value and replace it with 0.
    function forceZeroReturn(exportEntry, locatedMsg, retvalMsg) {
        var targetAddr = exportEntry.address
        console.log(locatedMsg, exportEntry.address, exportEntry.name);
        Interceptor.attach(targetAddr, {
            onEnter: function (args) {
                // Nothing to inspect on entry.
            },
            onLeave: function (retVal) {
                console.log(retvalMsg, retVal)
                // The author notes that retVal.replace(new NativePointer(0)) works as well.
                retVal.replace(0);
            }
        })
    }

    var targetLib = Process.findModuleByName("libroysue.so");
    console.log("lib_handler: " + targetLib)

    if (targetLib) {
        targetLib.enumerateExports().forEach(function (exportEntry) {
            // Every export is tested against both fragments, in table order.
            nativeChecks.forEach(function (check) {
                if (exportEntry.name.indexOf(check[0]) >= 0) {
                    forceZeroReturn(exportEntry, check[1], check[2])
                }
            })
        })
    }

    var buildClass = Java.use("android.os.Build")
    if (!buildClass) {
        return
    }
    // The old value is logged before it is overwritten. The log on this page already
    // shows "1234" at this point, which suggests an earlier run's write was still in
    // place, i.e. the change is not undone when the script is reloaded — TODO confirm.
    console.log("=== FINGERPRINT: " + JSON.stringify(buildClass.FINGERPRINT.value)) 
    buildClass.FINGERPRINT.value = "1234"
}

// Defer main() by 2 s after the script loads — presumably so the app has loaded
// libroysue.so before hookCheck() looks it up. If it has not, findModuleByName
// returns null and the native hooks are skipped without any error, while the
// FINGERPRINT overwrite and the Sign() loop still run (TODO confirm timing on the target).
setTimeout(main, 2000)

日志

lib_handler: [object Object]
function_check_tracerPID is at  0xc7004aad _Z24function_check_tracerPIDv
system_getproperty_check is at  0xc7005001 _Z24system_getproperty_checkv
=== FINGERPRINT: "1234"
function_check_tracer retval is =>  0x1
system_getproperty_check retval is =>  0x0
function_check_tracer retval is =>  0x1
system_getproperty_check retval is =>  0x0
function_check_tracer retval is =>  0x1
system_getproperty_check retval is =>  0x0
function_check_tracer retval is =>  0x1
system_getproperty_check retval is =>  0x0
function_check_tracer retval is =>  0x1
system_getproperty_check retval is =>  0x0
find it : 87654
end : 
posted @ 2023-02-27 11:52  明月照江江