An attempt at decompiling an APK
Recently she has been playing Plants vs. Zombies, and it keeps popping up ads, which is really annoying...
I found a tutorial online and followed it.
1. Decompile the APK
apktool.bat d act1596525811036wKYC.apk
2. Edit AndroidManifest.xml
    <activity android:configChanges="keyboard|layoutDirection|navigation|orientation|screenSize" android:label="植物大战僵尸2高清版" android:name="com.talkweb.twOfflineSdk.activity.PermisionActivity" android:screenOrientation="landscape" android:theme="@android:style/Theme.NoTitleBar" android:windowSoftInputMode="stateAlwaysHidden"/>
    <activity android:label="@string/app_name" android:name="com.bamenshenqi.bmcloudapp.BmSplashActivity">
        <intent-filter>
            <action android:name="android.intent.action.MAIN"/>
            <category android:name="android.intent.category.LAUNCHER"/>
        </intent-filter>
    </activity>
3. Rebuild
// apktool's build subcommand is b (d only decodes); apktool d writes its output to a directory named after the APK without the extension
apktool.bat b act1596525811036wKYC
4. Sign
// generate a signing key (the -keystore argument is the keystore file name, the -alias argument the key name inside it)
keytool -genkey -alias keystore -keyalg RSA -validity 20000 -keystore keystore
// sign (jarsigner's arguments are: output jar, input jar, key alias; here input and output are the same file)
jarsigner -verbose -keystore keystore -signedjar act1596525811036wKYC.apk act1596525811036wKYC.apk keystore
At this point I thought it was done. But after installing it, the app would not open; Baidu said it was a signature problem.
5. Remove the signature
Following another blogger's advice ("find the META-INF folder and delete every file except MANIFEST.MF"), it still didn't work.
"Apk去签名校验详解" (a detailed explanation of removing APK signature verification); thanks to that blogger.
Some APKs use signature verification to prevent repackaging, so when cracking them we need to defeat the signature check. Keywords commonly used to locate the signature check include sign, signature, checkSign, signCheck, getPackageManager, getPackageInfo, verify, same and so on.
6. Use a tool to convert the .dex into a jar
d2j-dex2jar.bat classes.dex
7. Open the jar file with jd-gui
    // Imports this method needs (the decompiler view omits them):
    import android.content.Context;
    import android.content.pm.PackageManager;
    import android.util.Base64;
    import java.io.ByteArrayInputStream;
    import java.io.DataInputStream;
    import java.lang.reflect.Field;
    import java.lang.reflect.Proxy;

    // Decompiled (jd-gui) excerpt of the "PmsHook" class. The enclosing class implements
    // java.lang.reflect.InvocationHandler (it passes `this` to Proxy.newProxyInstance) and
    // declares the fields base, sign and appPkgName; its invoke() method is not part of this excerpt.
    private void hook(Context paramContext) {
        try {
            // The Base64 blob holds the original signing certificate(s): one count byte followed by
            // length-prefixed DER-encoded certificates.
            DataInputStream dataInputStream = new DataInputStream(new ByteArrayInputStream(Base64.decode("AQAAA2YwggNiMIICSqADAgECAgRQUn1jMA0GCSqGSIb3DQEBBQUAMHIxCzAJBgNVBAYTAlVTMQsw\nCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTEYMBYGA1UEChMPRWxlY3Ryb25pYyBBcnRzMRUw\nEwYDVQQLEwxQb3BDYXAgR2FtZXMxEzARBgNVBAMTCkpvZSBNb2JsZXkwIBcNMTIwOTE0MDA0MjEx\nWhgPMjA2MjA5MDIwMDQyMTFaMHIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMH\nU2VhdHRsZTEYMBYGA1UEChMPRWxlY3Ryb25pYyBBcnRzMRUwEwYDVQQLEwxQb3BDYXAgR2FtZXMx\nEzARBgNVBAMTCkpvZSBNb2JsZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxnJ8i\nNZfUKW+d6z9lqcmkr3Edp2FWdsDOjggBBr+6uUo/7kr4t1zo7yxmeNWMNAXjca+muNnMiTxFT+MG\n9abXJpbNeFcJgiZ+iMh28lHjcjXYDpCmWMzFC6UDiiVnkk/FTh869XqjVfKEqLhIKx/P5k2q1A7C\nO3oK/H9jlexmBXFfVUtJbyt5yoDgr6/rZQhlaGYA2abWHnlaVM9qnfE7Rc+UJmM9klKcvH/Vf1ZM\n348xI7wTMugaG9o8RD8k98lAWIlNwG99lSJZ+iQwlwAvEGQmDpbdlfddYzOisswOAASNW7mlqd9+\nGMqfWN9D/TgwDpPKQej3HLly8xxnUDlhAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAJzqbbwaR1X4\nMx9lA4UJv5VvTbd6GEYxRxCxF2DafDCFwb3yuMCfIylMr+V2P1ptZIBVvkY4PyZgojbeXaUZalem\nKjbMaCsOn7VO/mJwsyzHSaTa50hzkec1C8xqF1/ofSIPV3JAAgQFJAU8jIXJEwrvcduLVXjaaRhb\nTm5l68aaElZhhKL9rYzO86O7twgvS9u4wb5mC9+gfJiwgCIbMOJ4F1NUaDX//EG05yUXv6P5+wAD\nnLEGoGEl0ZSNBGXaJCGajHvGXQEkmdvGTSnH3HkLidQRJzXq4jaZa/FcNk9CYgVt2CAqUWLhPY1P\noQ3Mq7x89quKzm5dtslT8LR3sHk=\n", 0)));
            byte[][] arrayOfByte = new byte[dataInputStream.read() & 0xFF][];
            for (int i = 0; i < arrayOfByte.length; i++) {
                arrayOfByte[i] = new byte[dataInputStream.readInt()];
                dataInputStream.readFully(arrayOfByte[i]);
            }
            // Reach the process-wide IPackageManager reference through ActivityThread.sPackageManager.
            Class<?> clazz1 = Class.forName("android.app.ActivityThread");
            Object activityThread = clazz1.getDeclaredMethod("currentActivityThread", new Class[0]).invoke(null, new Object[0]);
            Field field = clazz1.getDeclaredField("sPackageManager");
            field.setAccessible(true);
            Object originalPm = field.get(activityThread);
            Class<?> clazz2 = Class.forName("android.content.pm.IPackageManager");
            this.base = originalPm;
            this.sign = arrayOfByte;
            this.appPkgName = paramContext.getPackageName();
            // Replace it with a dynamic proxy whose InvocationHandler is this object.
            Object proxyPm = Proxy.newProxyInstance(clazz2.getClassLoader(), new Class[] { clazz2 }, this);
            field.set(activityThread, proxyPm);
            // Also swap the reference cached in the app's PackageManager (ApplicationPackageManager.mPM).
            // The decompiler had reused the Object variable here, which does not compile; a Field is needed.
            PackageManager packageManager = paramContext.getPackageManager();
            Field mPmField = packageManager.getClass().getDeclaredField("mPM");
            mPmField.setAccessible(true);
            mPmField.set(packageManager, proxyPm);
            System.out.println("PmsHook success.");
        } catch (Exception exception) {
            System.err.println("PmsHook failed.");
            exception.printStackTrace();
        }
    }
Modified the corresponding assembly file. After rebuilding and signing, it won't install...
8. APK signature bypass
Before discussing ways to bypass the signature, we first need to distinguish DEX verification from signature verification:
1. If you open the APK as a zip archive, delete the original signature, re-sign it, and the installed app opens normally, but repackaging it with an IDE tool (i.e. APK改之理, which automatically decompiles the dex) produces abnormal behaviour such as crashes or a "not genuine" dialog, then it is a check on the dex file.
2. If you open the APK as a zip archive, delete the original signature, re-sign it, and the app misbehaves on launch after installation, it is almost certainly a signature check. If the same problem occurs with the network disconnected, the check is local; if the first thing shown is a "no network connection" prompt, the check is server-side.
Quoted from "APK签名校验绕过" (APK signature verification bypass)
After testing, I confirmed that it is DEX verification.
To be updated...
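The DEX check the author ends up confirming is, in effect, an integrity check over files inside the package. The v1 (JAR) signing scheme carries exactly such a list: META-INF/MANIFEST.MF records a digest for every file, so an analyst can tell whether a package's contents still match what its manifest covers, which is the same question a "DEX verification" in the app is asking. The script below is an added example, not code from the original post or from any of the tools it mentions. It builds a constructed, minimal APK-like zip in memory, then a tampered copy with a patched classes.dex and an extra file while the manifest is left alone, and reports which entries no longer match. All file names and contents in it are made up.

```python
"""Verify the v1 (JAR-style) manifest digests of an APK and report tampering.

Added example, not part of the original post. The sample package built by
build_sample_apk() is constructed for the demo; it is not a real APK.
"""
import base64
import hashlib
import io
import zipfile

# Manifest headers the JAR spec uses for per-entry digests, mapped to hashlib names.
DIGEST_ALGOS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}


def parse_manifest(text):
    """Parse META-INF/MANIFEST.MF into {entry_name: {header: value}}.

    Implements the JAR rule that lines longer than 72 bytes are wrapped and
    continued on the next line, which starts with a single space. The main
    (nameless) section is skipped; only per-entry sections are returned.
    """
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous header line
        else:
            lines.append(raw)
    sections, current = {}, {}
    for line in lines:
        if line == "":                    # blank line ends a section
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if "Name" in current:                 # manifest without a trailing blank line
        sections[current["Name"]] = current
    return sections


def check_manifest_digests(apk_bytes):
    """Compare every non-META-INF zip entry against the digest listed for it.

    Returns {"mismatched": [...], "unlisted": [...], "missing": [...]}:
    mismatched = content differs from its recorded digest (e.g. a patched classes.dex),
    unlisted   = file present in the zip but absent from the manifest (added file),
    missing    = manifest lists a file that is no longer in the zip.
    """
    result = {"mismatched": [], "unlisted": [], "missing": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        try:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        except KeyError:
            raise ValueError("no META-INF/MANIFEST.MF: package has no v1 manifest to check")
        for name in names:
            if name.startswith("META-INF/"):
                continue                  # signature files are not listed in the manifest
            entry = manifest.get(name)
            if entry is None:
                result["unlisted"].append(name)
                continue
            data = zf.read(name)
            ok = False
            for header, algo in DIGEST_ALGOS.items():
                if header in entry:
                    ok = hashlib.new(algo, data).digest() == base64.b64decode(entry[header])
                    break
            if not ok:
                result["mismatched"].append(name)
        result["missing"] = [n for n in manifest if n not in names]
    return result


def build_sample_apk(files, manifest_from=None):
    """Build a constructed zip whose MANIFEST.MF carries SHA-256 digests for `manifest_from`
    (defaults to `files`). Passing a different dict simulates editing files after signing."""
    digest_source = files if manifest_from is None else manifest_from
    lines = ["Manifest-Version: 1.0", "Created-By: constructed sample", ""]
    for name, data in digest_source.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
        lines += ["Name: " + name, "SHA-256-Digest: " + digest, ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample contents (not real Android files).
ORIGINAL_FILES = {
    "AndroidManifest.xml": b"<constructed binary manifest>",
    "classes.dex": b"dex\n035\0constructed-original-dex",
    "res/values/strings.xml": b"<constructed resources>",
}


def demo():
    """Return the check results for a clean package and for a tampered copy."""
    clean = build_sample_apk(ORIGINAL_FILES)
    tampered_files = dict(ORIGINAL_FILES)
    tampered_files["classes.dex"] = b"dex\n035\0constructed-patched-dex"   # edited after signing
    tampered_files["assets/injected.txt"] = b"constructed extra file"        # dropped in after signing
    tampered = build_sample_apk(tampered_files, manifest_from=ORIGINAL_FILES)
    return check_manifest_digests(clean), check_manifest_digests(tampered)


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean:   ", clean_result)
    print("tampered:", tampered_result)
```

The check only compares content against the manifest's digest list; it says nothing about who produced that list. A complete v1 verification also checks the .SF file's digest of the manifest and the signature over it in the .RSA/.DSA/.EC block, and v2/v3 signing moved the signature into the APK Signing Block, so a package can be validly signed while META-INF shows only a manifest. A repackager who regenerates MANIFEST.MF with jarsigner, as in step 4 above, passes this check, which is why an app that wants to notice repackaging compares the signing certificate it sees at runtime against the one it was built with rather than trusting the manifest.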