身边暂时没电脑,手机码字,图少见谅。
论坛上的大部分帖子采用的是在getkeyhash中插入return-void的方法,但是此方法存在弊端,即存档是一次性存档。例如,解锁人物后重启游戏,人物会重新变成未解锁状态。
介绍一下我的方法。
使用 Android killer反编译apk,接着打开android killer工程目录,找到yqqs对应的文件夹。然后找到smali文件夹以及AndroidManifest.xml文件。
在smali文件夹里新建cc文件夹,在cc文件夹中建立binmt文件夹,在binmt文件夹中建立signature文件夹,再在signature文件夹中建立PmsHookApplication.smali文件,将其中的内容修改为以下代码。
[Asm] 纯文本查看 复制代码
.class public Lcc/binmt/signature/PmsHookApplication;
.super Landroid/app/Application;
.source "PmsHookApplication.java"
# interfaces
.implements Ljava/lang/reflect/InvocationHandler;
# static fields
.field private static final GET_SIGNATURES:I = 0x40
# instance fields
.field private appPkgName:Ljava/lang/String;
.field private base:Ljava/lang/Object;
.field private sign:[[B
# direct methods
.method public constructor <init>()V
.registers 2
.prologue
.line 20
invoke-direct {p0}, Landroid/app/Application;-><init>()V
.line 25
const-string/jumbo v0, ""
iput-object v0, p0, Lcc/binmt/signature/PmsHookApplication;->appPkgName:Ljava/lang/String;
return-void
.end method
.method private hook(Landroid/content/Context;)V
.registers 22
.param p1, "context" # Landroid/content/Context;
.prologue
.line 52
:try_start_0
const-string/jumbo v6, "AQAAAdcwggHTMIIBPKADAgECAgRWk/uYMA0GCSqGSIb3DQEBBQUAMC0xEjAQBgNVBAMMCVpleWFu\nZyBMaTEXMBUGA1UECgwOQ2hpbGx5Um9vbSBJbmMwIBcNMTYwODAzMDUxNjE3WhgPMjA2NjA3MjIw\nNTE2MTdaMC0xEjAQBgNVBAMMCVpleWFuZyBMaTEXMBUGA1UECgwOQ2hpbGx5Um9vbSBJbmMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN3i6iwy81LR1NUgJ0xGRbTw0Iyb1JIR1kg9ioaiba6H\nHoCAYcbdtp7+dNIeGkeSElq4EOnnhS1g1j8tQyaZql5Nm3bMCHcMbua2JcKsh7eSRda3L45rfX1j\nQZxfzsaNZi8EzSA9uDHAIsAL0txozlXOIQ5NzKWxFjIhlNjvb46lAgMBAAEwDQYJKoZIhvcNAQEF\nBQADgYEAzN75igRMwQmrgwPCwQtLDqW/4PtgITvGKWr9m/hQCL0Sapo0q1KDn1ZcGIY5mwAweTsT\n75OAmm0pBmeX3CAL97H27jck/IIXoz+kDx3z+shftckjqppVzqlFoPRdKeAN2cXjrm1LEPD3pSHQ\nAxcsxJ4ndojuc4nPyKOnMmWYH7k=\n"
.line 53
.local v6, "data":Ljava/lang/String;
new-instance v10, Ljava/io/DataInputStream;
new-instance v17, Ljava/io/ByteArrayInputStream;
const/16 v18, 0x0
move/from16 v0, v18
invoke-static {v6, v0}, Landroid/util/Base64;->decode(Ljava/lang/String;I)[B
move-result-object v18
invoke-direct/range {v17 .. v18}, Ljava/io/ByteArrayInputStream;-><init>([B)V
move-object/from16 v0, v17
invoke-direct {v10, v0}, Ljava/io/DataInputStream;-><init>(Ljava/io/InputStream;)V
.line 54
.local v10, "is":Ljava/io/DataInputStream;
invoke-virtual {v10}, Ljava/io/DataInputStream;->read()I
move-result v17
move/from16 v0, v17
and-int/lit16 v0, v0, 0xff
move/from16 v17, v0
move/from16 v0, v17
new-array v0, v0, [[B
move-object/from16 v16, v0
.line 55
.local v16, "sign":[[B
const/4 v8, 0x0
.local v8, "i":I
:goto_28
move-object/from16 v0, v16
array-length v0, v0
move/from16 v17, v0
move/from16 v0, v17
if-ge v8, v0, :cond_47
.line 56
invoke-virtual {v10}, Ljava/io/DataInputStream;->readInt()I
move-result v17
move/from16 v0, v17
new-array v0, v0, [B
move-object/from16 v17, v0
aput-object v17, v16, v8
.line 57
aget-object v17, v16, v8
move-object/from16 v0, v17
invoke-virtual {v10, v0}, Ljava/io/DataInputStream;->readFully([B)V
.line 55
add-int/lit8 v8, v8, 0x1
goto :goto_28
.line 61
:cond_47
const-string/jumbo v17, "android.app.ActivityThread"
invoke-static/range {v17 .. v17}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
move-result-object v3
.line 62
.local v3, "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
const-string/jumbo v17, "currentActivityThread"
const/16 v18, 0x0
move/from16 v0, v18
new-array v0, v0, [Ljava/lang/Class;
move-object/from16 v18, v0
.line 63
move-object/from16 v0, v17
move-object/from16 v1, v18
invoke-virtual {v3, v0, v1}, Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
move-result-object v5
.line 64
.local v5, "currentActivityThreadMethod":Ljava/lang/reflect/Method;
const/16 v17, 0x0
const/16 v18, 0x0
move/from16 v0, v18
new-array v0, v0, [Ljava/lang/Object;
move-object/from16 v18, v0
move-object/from16 v0, v17
move-object/from16 v1, v18
invoke-virtual {v5, v0, v1}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
move-result-object v4
.line 67
.local v4, "currentActivityThread":Ljava/lang/Object;
const-string/jumbo v17, "sPackageManager"
move-object/from16 v0, v17
invoke-virtual {v3, v0}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;
move-result-object v15
.line 68
.local v15, "sPackageManagerField":Ljava/lang/reflect/Field;
const/16 v17, 0x1
move/from16 v0, v17
invoke-virtual {v15, v0}, Ljava/lang/reflect/Field;->setAccessible(Z)V
.line 69
invoke-virtual {v15, v4}, Ljava/lang/reflect/Field;->get(Ljava/lang/Object;)Ljava/lang/Object;
move-result-object v14
.line 72
.local v14, "sPackageManager":Ljava/lang/Object;
const-string/jumbo v17, "android.content.pm.IPackageManager"
invoke-static/range {v17 .. v17}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
move-result-object v9
.line 73
.local v9, "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
move-object/from16 v0, p0
iput-object v14, v0, Lcc/binmt/signature/PmsHookApplication;->base:Ljava/lang/Object;
.line 74
move-object/from16 v0, v16
move-object/from16 v1, p0
iput-object v0, v1, Lcc/binmt/signature/PmsHookApplication;->sign:[[B
.line 75
invoke-virtual/range {p1 .. p1}, Landroid/content/Context;->getPackageName()Ljava/lang/String;
move-result-object v17
move-object/from16 v0, v17
move-object/from16 v1, p0
iput-object v0, v1, Lcc/binmt/signature/PmsHookApplication;->appPkgName:Ljava/lang/String;
.line 78
invoke-virtual {v9}, Ljava/lang/Class;->getClassLoader()Ljava/lang/ClassLoader;
move-result-object v17
const/16 v18, 0x1
move/from16 v0, v18
new-array v0, v0, [Ljava/lang/Class;
move-object/from16 v18, v0
const/16 v19, 0x0
aput-object v9, v18, v19
.line 77
move-object/from16 v0, v17
move-object/from16 v1, v18
move-object/from16 v2, p0
invoke-static {v0, v1, v2}, Ljava/lang/reflect/Proxy;->newProxyInstance(Ljava/lang/ClassLoader;[Ljava/lang/Class;Ljava/lang/reflect/InvocationHandler;)Ljava/lang/Object;
move-result-object v13
.line 83
.local v13, "proxy":Ljava/lang/Object;
invoke-virtual {v15, v4, v13}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V
.line 86
invoke-virtual/range {p1 .. p1}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
move-result-object v12
.line 87
.local v12, "pm":Landroid/content/pm/PackageManager;
invoke-virtual {v12}, Ljava/lang/Object;->getClass()Ljava/lang/Class;
move-result-object v17
const-string/jumbo v18, "mPM"
invoke-virtual/range {v17 .. v18}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;
move-result-object v11
.line 88
.local v11, "mPmField":Ljava/lang/reflect/Field;
const/16 v17, 0x1
move/from16 v0, v17
invoke-virtual {v11, v0}, Ljava/lang/reflect/Field;->setAccessible(Z)V
.line 89
invoke-virtual {v11, v12, v13}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V
.line 90
sget-object v17, Ljava/lang/System;->out:Ljava/io/PrintStream;
const-string/jumbo v18, "PmsHook success."
invoke-virtual/range {v17 .. v18}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
:try_end_e0
.catch Ljava/lang/Exception; {:try_start_0 .. :try_end_e0} :catch_e1
.line 95
.end local v3 # "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
.end local v4 # "currentActivityThread":Ljava/lang/Object;
.end local v5 # "currentActivityThreadMethod":Ljava/lang/reflect/Method;
.end local v6 # "data":Ljava/lang/String;
.end local v8 # "i":I
.end local v9 # "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
.end local v10 # "is":Ljava/io/DataInputStream;
.end local v11 # "mPmField":Ljava/lang/reflect/Field;
.end local v12 # "pm":Landroid/content/pm/PackageManager;
.end local v13 # "proxy":Ljava/lang/Object;
.end local v14 # "sPackageManager":Ljava/lang/Object;
.end local v15 # "sPackageManagerField":Ljava/lang/reflect/Field;
.end local v16 # "sign":[[B
:goto_e0
return-void
.line 91
:catch_e1
move-exception v7
.line 92
.local v7, "e":Ljava/lang/Exception;
sget-object v17, Ljava/lang/System;->err:Ljava/io/PrintStream;
const-string/jumbo v18, "PmsHook failed."
invoke-virtual/range {v17 .. v18}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
.line 93
invoke-virtual {v7}, Ljava/lang/Exception;->printStackTrace()V
goto :goto_e0
.end method
# virtual methods
.method protected attachBaseContext(Landroid/content/Context;)V
.registers 2
.param p1, "base" # Landroid/content/Context;
.prologue
.line 29
invoke-direct {p0, p1}, Lcc/binmt/signature/PmsHookApplication;->hook(Landroid/content/Context;)V
.line 30
invoke-super {p0, p1}, Landroid/app/Application;->attachBaseContext(Landroid/content/Context;)V
.line 31
return-void
.end method
.method public invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object;
.registers 11
.param p1, "proxy" # Ljava/lang/Object;
.param p2, "method" # Ljava/lang/reflect/Method;
.param p3, "args" # [Ljava/lang/Object;
.annotation system Ldalvik/annotation/Throws;
value = {
Ljava/lang/Throwable;
}
.end annotation
.prologue
.line 35
const-string/jumbo v4, "getPackageInfo"
invoke-virtual {p2}, Ljava/lang/reflect/Method;->getName()Ljava/lang/String;
move-result-object v5
invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v4
if-eqz v4, :cond_4c
.line 36
const/4 v4, 0x0
aget-object v3, p3, v4
check-cast v3, Ljava/lang/String;
.line 37
.local v3, "pkgName":Ljava/lang/String;
const/4 v4, 0x1
aget-object v0, p3, v4
check-cast v0, Ljava/lang/Integer;
.line 38
.local v0, "flag":Ljava/lang/Integer;
invoke-virtual {v0}, Ljava/lang/Integer;->intValue()I
move-result v4
and-int/lit8 v4, v4, 0x40
if-eqz v4, :cond_4c
iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->appPkgName:Ljava/lang/String;
invoke-virtual {v4, v3}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
move-result v4
if-eqz v4, :cond_4c
.line 39
iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->base:Ljava/lang/Object;
invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
move-result-object v2
check-cast v2, Landroid/content/pm/PackageInfo;
.line 40
.local v2, "info":Landroid/content/pm/PackageInfo;
iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->sign:[[B
array-length v4, v4
new-array v4, v4, [Landroid/content/pm/Signature;
iput-object v4, v2, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;
.line 41
const/4 v1, 0x0
.local v1, "i":I
:goto_37
iget-object v4, v2, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;
array-length v4, v4
if-ge v1, v4, :cond_52
.line 42
iget-object v4, v2, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;
new-instance v5, Landroid/content/pm/Signature;
iget-object v6, p0, Lcc/binmt/signature/PmsHookApplication;->sign:[[B
aget-object v6, v6, v1
invoke-direct {v5, v6}, Landroid/content/pm/Signature;-><init>([B)V
aput-object v5, v4, v1
.line 41
add-int/lit8 v1, v1, 0x1
goto :goto_37
.line 47
.end local v0 # "flag":Ljava/lang/Integer;
.end local v1 # "i":I
.end local v2 # "info":Landroid/content/pm/PackageInfo;
.end local v3 # "pkgName":Ljava/lang/String;
:cond_4c
iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->base:Ljava/lang/Object;
invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
move-result-object v2
:cond_52
return-object v2
.end method
再打开 AndroidManifest.xml 找到<application···>部分,也就是类似如图的地方
其中包括一些属性,我们要关注的是android:name
将android:name="···"改为
android:name="cc.binmt.signature.PmsHookApplication"
[size=33.8422px]
注意:本文使用的是2.2.0版本。在一些低版本的yqqs中,不存在android:name项,那么此时直接添加
android:name="cc.binmt.signature.PmsHookApplication"在其中就行了。
然后回到android killer 开始编译,搞定。
声明:
那个smali中的方法不是我原创的,最开始是在一个破解版文件中提取的,但是后来发现cc.binmt其实就是mt管理器的网址啊,看来mt管理器中的去除签名验证就是用的此方法,大致原理可以去mt官网查看。其实刚刚不用新建那么多文件夹,但为了表明此方法的来源,我还是依照原样建立了目录。
THE END
喜欢就支持以下吧
