xhs: bypassing the signature check

Bypassing the signature check in 小某书 version 6.8

After downloading the APK, re-sign it, then open 算法助手 (the Xposed-based hooking tool) and read the signature.

The log shows three signatures; look at the call stack of the most recent one:

```
调用堆栈:
at de.robv.android.xposed.XposedBridge$AdditionalHookInfo.callback(Unknown Source:147)
at LSPHooker_.getPackageInfo(Unknown Source:18)
at java.lang.Runtime.nativeLoad(Native Method)
at java.lang.Runtime.nativeLoad(Runtime.java:1131)
at java.lang.Runtime.loadLibrary0(Runtime.java:1085)
at java.lang.Runtime.loadLibrary0(Runtime.java:1008)
at java.lang.System.loadLibrary(System.java:1664)
at n.n.a.d.loadLibrary(SystemLibraryLoader.java:1)
at n.n.a.c.c(ReLinkerInstance.java:3)
at n.n.a.c.a(ReLinkerInstance.java:5)
at n.n.a.b.a(ReLinker.java:2)
at n.n.a.b.a(ReLinker.java:1)
at n.d0.x1.e0.r$b.loadLibrary(SecurityHelper.kt:1)
at n.d0.h1.a.b.a(Shield.java:5)
at n.d0.x1.e0.r.b(SecurityHelper.kt:3)
at n.d0.x1.e0.r.d(SecurityHelper.kt:1)
at com.xingin.xhs.app.SkynetApplication.onCreate(SkynetApplication.kt:1)
at com.xingin.xhs.app.MainApplication.onCreate(MainApplication.kt:4)
at com.xingin.xhs.app.XhsApplication.initApplication(XhsApplication.kt:17)
at com.xingin.xhs.app.XhsApplication.beforeInitApplication(XhsApplication.kt:16)
at com.xingin.xhs.app.XhsApplication.onCreate(XhsApplication.kt:6)
at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1193)
at android.app.ActivityThread.handleBindApplication(ActivityThread.java:6993)
at android.app.ActivityThread.access$1500(ActivityThread.java:258)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1983)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:236)
at android.app.ActivityThread.main(ActivityThread.java:8060)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:656)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:967)
```

Combined with logcat:

```
DEBUG                   pid-25398                            A  pid: 25267, tid: 25267, name: com.xingin.xhs  >>> com.xingin.xhs <<<
2024-06-26 13:14:27.128 25398-25398 DEBUG pid-25398 A #01 pc 000933cb /data/app/~~vIW4Wc2LDNyyWipX31Ylkw==/com.xingin.xhs-fOxWncztAaDrshHsMH85UA==/lib/arm/libshield.so (BuildId: 4937f1fa8cd0be6451817f5d9f4fdaa54b4c1180)
2024-06-26 13:14:27.128 25398-25398 DEBUG pid-25398 A #02 pc 000102c3 /data/app/~~vIW4Wc2LDNyyWipX31Ylkw==/com.xingin.xhs-fOxWncztAaDrshHsMH85UA==/lib/arm/libshield.so (BuildId: 4937f1fa8cd0be6451817f5d9f4fdaa54b4c1180)
2024-06-26 13:14:27.128 25398-25398 DEBUG pid-25398 A #03 pc 00010319 /data/app/~~vIW4Wc2LDNyyWipX31Ylkw==/com.xingin.xhs-fOxWncztAaDrshHsMH85UA==/lib/arm/libshield.so (JNI_OnLoad+44) (BuildId: 4937f1fa8cd0be6451817f5d9f4fdaa54b4c1180)
2024-06-26 13:14:27.128 25398-25398 DEBUG pid-25398 A #17 pc 019ec474 /data/app/~~vIW4Wc2LDNyyWipX31Ylkw==/com.xingin.xhs-fOxWncztAaDrshHsMH85UA==/oat/arm/base.vdex (com.tencent.luggage.wxa.azv$1.h)
2024-06-26 13:14:27.128 25398-25398 DEBUG pid-25398 A #20 pc 01c178c8 /data/app/~~vIW4Wc2LDNyyWipX31Ylkw==/com.xingin.xhs-fOxWncztAaDrshHsMH85UA==/oat/arm/base.vdex (n.n.a.c.c+54)
```

The crash happens right after the .so is loaded (the frames sit inside libshield.so, under JNI_OnLoad).

Analysing shield.so in IDA

Searching for the string "sign" leads to the key function:

```c
v18 = (JNIEnv *)sub_F93C((int)a1[19]);                                                   // JNIEnv
v17 = sub_F9A0(v18, "android/app/Application");
v16 = sub_F9EC(v18, v17, "getPackageManager", "()Landroid/content/pm/PackageManager;");   // getPackageManager
v15 = sub_FA60(v18, a1[20], v16);                                                        // PackageManager object
v14 = sub_F9A0(v18, "android/content/pm/PackageManager");
v2 = sub_F9EC(v18, v14, "getPackageInfo", "(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;"); // getPackageInfo
sub_FAE0(a1);
v13 = sub_FA60(v18, v15, v2);                                                            // PackageInfo object
v12 = sub_F9A0(v18, "android/content/pm/PackageInfo");
v11 = sub_FB5C(v18, v12, "signatures", "[Landroid/content/pm/Signature;");               // signatures field
v10 = sub_F9A0(v18, "android/content/pm/Signature");
v9 = sub_F9EC(v18, v10, "hashCode", "()I");                                              // Signature.hashCode()
v8 = sub_FBD0(v18, v13, v11);                                                            // signatures array
v7 = sub_FC2C(v18, v8);                                                                  // array length
v6 = 0;
time(&timer);
while ( 1 )
{
  if ( v6 >= v7 )
  {
    // no signature matched: release the local references and kill the process
    sub_FD64(v18, v17);
    sub_FD64(v18, v15);
    sub_FD64(v18, v13);
    sub_FD64(v18, v8);
    sub_FD64(v18, v10);
    abort();
  }
  v5 = sub_FC88(v18, v8, v6);                                                            // signatures[v6]
  v4 = sub_FCE4(v18, v5, v9);                                                            // signatures[v6].hashCode()
  if ( v4 == -1083242518 || v4 == -1075459295 || v4 == -815670264 )                      // expected hash values
    break;
  sub_FD64(v18, v5);
  ++v6;
}
return 1;
```

The verification logic is very clear, and several key pieces of information stand out.

getPackageManager:

```c
v16 = sub_F9EC(v18, v17, "getPackageManager", "()Landroid/content/pm/PackageManager;");
```

getPackageInfo, which retrieves the installed package's info:

```c
v2 = sub_F9EC(v18, v14, "getPackageInfo", "(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;");
```

Reading the signature information:

```c
v11 = sub_FB5C(v18, v12, "signatures", "[Landroid/content/pm/Signature;");
```

The final comparison is here:

```c
if ( v4 == -1083242518 || v4 == -1075459295 || v4 == -815670264 )
  break;
```

These three values are the expected signature hash values, and their count matches the three signatures obtained earlier with 算法助手. If a signature's hashCode matches one of them, the loop breaks and the function returns 1, meaning the signature check passed.
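
The three constants above are what `Signature.hashCode()` returns, which AOSP implements as Java's `Arrays.hashCode()` over the raw DER bytes of the signing certificate. The following is an added example (not code from the post or from the app) that reproduces that computation in Python so a developer can see what such a check actually pins, and sets it beside the stronger alternative of pinning a SHA-256 digest of the certificate. The function names are my own, and `SAMPLE_CERT_DER` is a constructed stand-in, not a real certificate.

```python
import hashlib
import hmac

# Constructed sample: a few bytes standing in for a DER-encoded signing certificate.
# This is NOT a real certificate; a real Signature holds the whole X.509 DER blob.
SAMPLE_CERT_DER = bytes([0x30, 0x82, 0x01, 0x02])

# The three constants compared in the decompiled check (values taken from the page).
EXPECTED_HASHCODES = {-1083242518, -1075459295, -815670264}


def to_java_int(n: int) -> int:
    """Wrap an arbitrary Python int into Java's signed 32-bit range."""
    n &= 0xFFFFFFFF
    return n - 0x1_0000_0000 if n & 0x8000_0000 else n


def java_arrays_hashcode(data: bytes) -> int:
    """Java's Arrays.hashCode(byte[]): result = 31 * result + b, b being a signed byte."""
    result = 1
    for b in data:
        signed_byte = b - 256 if b > 127 else b
        result = to_java_int(31 * result + signed_byte)
    return result


def signature_hashcode(cert_der: bytes) -> int:
    """Equivalent of android.content.pm.Signature.hashCode(): AOSP computes
    Arrays.hashCode() over the certificate bytes and caches the result."""
    return java_arrays_hashcode(cert_der)


def hashcode_check(cert_der: bytes, expected: set) -> bool:
    """The style of check seen in libshield.so: a 32-bit hashCode against an allowlist.
    Note that hashCode is a non-cryptographic hash, so this is a weak identity."""
    return signature_hashcode(cert_der) in expected


def cert_sha256(cert_der: bytes) -> str:
    """Hex SHA-256 of the certificate bytes: the value a stronger check should pin."""
    return hashlib.sha256(cert_der).hexdigest()


def sha256_check(cert_der: bytes, expected_hex: set) -> bool:
    """Stronger variant: compare a collision-resistant digest, in constant time."""
    digest = cert_sha256(cert_der)
    return any(hmac.compare_digest(digest, e) for e in expected_hex)


if __name__ == "__main__":
    print("hashCode:", signature_hashcode(SAMPLE_CERT_DER))
    print("sha256:  ", cert_sha256(SAMPLE_CERT_DER))
    print("hashCode allowlisted:", hashcode_check(SAMPLE_CERT_DER, EXPECTED_HASHCODES))
```

Two points follow from this. A 32-bit `hashCode` is not collision-resistant, so pinning the SHA-256 of the certificate (or the full certificate bytes) is the better comparison. More importantly, any check that runs inside the app, whatever hash it uses, executes in code the user of the device controls, which is exactly why patching the call in shield.so works; the durable mitigation is to verify app integrity and signing identity on the server side rather than trusting a client-side `abort()`.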

Find the cross-references to the function, NOP out the assembly of the call to it, apply the patch, put the modified shield.so back into the APK and reinstall.

xhs


Please credit the source when reposting. You are welcome to check the sources cited in the article and to point out anything that is wrong or unclear, either in the comments below or by email to 3049155267@qq.com.
