【Android逆向】破解看雪test3.apk方案二
方案二就是要hook那三个条件,不让追加字符串变成false
v20 = "REAL";
clazz = _JNIEnv::FindClass(env, "android/os/Build");
fieldID = _JNIEnv::GetStaticFieldID(env, clazz, "FINGERPRINT", "Ljava/lang/String;");
StaticObjectField = (_jstring *)_JNIEnv::GetStaticObjectField(env, clazz, fieldID);
if ( function_check_tracerPID()
|| system_getproperty_check()
|| (StringUTFChars = (char *)_JNIEnv::GetStringUTFChars(env, StaticObjectField, 0), strstr(StringUTFChars, "aosp")) )
{
v20 = "FAKE";
}
- hook Build 类的FINGERPRINT
- hook function_check_tracerPID
- hook system_getproperty_check
代码如下
function main() {
Java.perform(function () {
hookCheck()
var MainActivityHandler = Java.use('com.roysue.easyso1.MainActivity')
for (var i = 87650; i <= 87700; i++) {
var str = i + ""
var ret = MainActivityHandler.Sign(str)
if (i % 1000 == 0) {
console.log("now is", str);
}
//console.log(ret)
if (ret == "57fdeca2cac0509b2e9e5c52a5b573c1608a33ac1ffb9e8210d2e129557e7f1b") {
console.log("find it : " + str)
break
}
}
console.log("end : ")
})
}
function hookCheck() {
var lib_hanlder = Process.findModuleByName("libroysue.so");
console.log("lib_handler: " + lib_hanlder)
if (lib_hanlder) {
var symbols = lib_hanlder.enumerateExports()
for (var i = 0; i < symbols.length; i++) {
var f_symbol = symbols[i]
//function_check_tracerPID()
if (f_symbol.name.indexOf("function_check_tracerPID") >= 0) {
var f_func_addr = f_symbol.address
console.log("function_check_tracerPID is at ", f_symbol.address, f_symbol.name);
Interceptor.attach(f_func_addr, {
onEnter: function(args) {
},
onLeave: function(retVal) {
console.log("function_check_tracer retval is => ", retVal)
//兩種都行
//retVal.replace(new NativePointer(0));
retVal.replace(0);
}
})
}
//system_getproperty_check()
if (f_symbol.name.indexOf("system_getproperty_check") >= 0) {
var f2_func_addr = f_symbol.address
console.log("system_getproperty_check is at ", f_symbol.address, f_symbol.name);
Interceptor.attach(f2_func_addr, {
onEnter: function(args) {
},
onLeave: function(retVal) {
console.log("system_getproperty_check retval is => ", retVal)
//兩種都行
//retVal.replace(new NativePointer(0));
retVal.replace(0);
}
})
}
}
}
var BuildHandler = Java.use("android.os.Build")
if (BuildHandler) {
console.log("=== FINGERPRINT: " + JSON.stringify(BuildHandler.FINGERPRINT.value))
BuildHandler.FINGERPRINT.value = "1234"
}
}
setTimeout(main, 2000)
日志
lib_handler: [object Object]
function_check_tracerPID is at 0xc7004aad _Z24function_check_tracerPIDv
system_getproperty_check is at 0xc7005001 _Z24system_getproperty_checkv
=== FINGERPRINT: "1234"
function_check_tracer retval is => 0x1
system_getproperty_check retval is => 0x0
function_check_tracer retval is => 0x1
system_getproperty_check retval is => 0x0
function_check_tracer retval is => 0x1
system_getproperty_check retval is => 0x0
function_check_tracer retval is => 0x1
system_getproperty_check retval is => 0x0
function_check_tracer retval is => 0x1
system_getproperty_check retval is => 0x0
find it : 87654
end :
