元气骑士签名验证

身边暂时没电脑,手机码字,图少见谅。


论坛上的大部分帖子采用的是在getkeyhash中插入return-void的方法,但是此方法存在弊端,即存档是一次性存档。例如,解锁人物后重启游戏,人物会重新变成未解锁状态。


介绍一下我的方法。


使用 Android killer反编译apk,接着打开android killer工程目录,找到yqqs对应的文件夹。然后找到smali文件夹以及AndroidManifest.xml文件。


在smali文件夹里新建cc文件夹,在cc文件夹中建立binmt文件夹,在binmt文件夹中建立signature文件夹,再在signature文件夹中建立PmsHookApplication.smali文件,将其中的内容修改为以下代码。
[Asm] 纯文本查看 复制代码

.class public Lcc/binmt/signature/PmsHookApplication;
.super Landroid/app/Application;
.source "PmsHookApplication.java"

# interfaces
.implements Ljava/lang/reflect/InvocationHandler;


# static fields
.field private static final GET_SIGNATURES:I = 0x40


# instance fields
.field private appPkgName:Ljava/lang/String;

.field private base:Ljava/lang/Object;

.field private sign:[[B


# direct methods
.method public constructor <init>()V
    .registers 2

    .prologue
    .line 20
    invoke-direct {p0}, Landroid/app/Application;-><init>()V

    .line 25
    const-string/jumbo v0, ""

    iput-object v0, p0, Lcc/binmt/signature/PmsHookApplication;->appPkgName:Ljava/lang/String;

    return-void
.end method

.method private hook(Landroid/content/Context;)V
    .registers 22
    .param p1, "context"    # Landroid/content/Context;

    .prologue
    .line 52
    :try_start_0
    const-string/jumbo v6, "AQAAAdcwggHTMIIBPKADAgECAgRWk/uYMA0GCSqGSIb3DQEBBQUAMC0xEjAQBgNVBAMMCVpleWFu\nZyBMaTEXMBUGA1UECgwOQ2hpbGx5Um9vbSBJbmMwIBcNMTYwODAzMDUxNjE3WhgPMjA2NjA3MjIw\nNTE2MTdaMC0xEjAQBgNVBAMMCVpleWFuZyBMaTEXMBUGA1UECgwOQ2hpbGx5Um9vbSBJbmMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN3i6iwy81LR1NUgJ0xGRbTw0Iyb1JIR1kg9ioaiba6H\nHoCAYcbdtp7+dNIeGkeSElq4EOnnhS1g1j8tQyaZql5Nm3bMCHcMbua2JcKsh7eSRda3L45rfX1j\nQZxfzsaNZi8EzSA9uDHAIsAL0txozlXOIQ5NzKWxFjIhlNjvb46lAgMBAAEwDQYJKoZIhvcNAQEF\nBQADgYEAzN75igRMwQmrgwPCwQtLDqW/4PtgITvGKWr9m/hQCL0Sapo0q1KDn1ZcGIY5mwAweTsT\n75OAmm0pBmeX3CAL97H27jck/IIXoz+kDx3z+shftckjqppVzqlFoPRdKeAN2cXjrm1LEPD3pSHQ\nAxcsxJ4ndojuc4nPyKOnMmWYH7k=\n"

    .line 53
    .local v6, "data":Ljava/lang/String;
    new-instance v10, Ljava/io/DataInputStream;

    new-instance v17, Ljava/io/ByteArrayInputStream;

    const/16 v18, 0x0

    move/from16 v0, v18

    invoke-static {v6, v0}, Landroid/util/Base64;->decode(Ljava/lang/String;I)[B

    move-result-object v18

    invoke-direct/range {v17 .. v18}, Ljava/io/ByteArrayInputStream;-><init>([B)V

    move-object/from16 v0, v17

    invoke-direct {v10, v0}, Ljava/io/DataInputStream;-><init>(Ljava/io/InputStream;)V

    .line 54
    .local v10, "is":Ljava/io/DataInputStream;
    invoke-virtual {v10}, Ljava/io/DataInputStream;->read()I

    move-result v17

    move/from16 v0, v17

    and-int/lit16 v0, v0, 0xff

    move/from16 v17, v0

    move/from16 v0, v17

    new-array v0, v0, [[B

    move-object/from16 v16, v0

    .line 55
    .local v16, "sign":[[B
    const/4 v8, 0x0

    .local v8, "i":I
    :goto_28
    move-object/from16 v0, v16

    array-length v0, v0

    move/from16 v17, v0

    move/from16 v0, v17

    if-ge v8, v0, :cond_47

    .line 56
    invoke-virtual {v10}, Ljava/io/DataInputStream;->readInt()I

    move-result v17

    move/from16 v0, v17

    new-array v0, v0, [B

    move-object/from16 v17, v0

    aput-object v17, v16, v8

    .line 57
    aget-object v17, v16, v8

    move-object/from16 v0, v17

    invoke-virtual {v10, v0}, Ljava/io/DataInputStream;->readFully([B)V

    .line 55
    add-int/lit8 v8, v8, 0x1

    goto :goto_28

    .line 61
    :cond_47
    const-string/jumbo v17, "android.app.ActivityThread"

    invoke-static/range {v17 .. v17}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;

    move-result-object v3

    .line 62
    .local v3, "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    const-string/jumbo v17, "currentActivityThread"

    const/16 v18, 0x0

    move/from16 v0, v18

    new-array v0, v0, [Ljava/lang/Class;

    move-object/from16 v18, v0

    .line 63
    move-object/from16 v0, v17

    move-object/from16 v1, v18

    invoke-virtual {v3, v0, v1}, Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;

    move-result-object v5

    .line 64
    .local v5, "currentActivityThreadMethod":Ljava/lang/reflect/Method;
    const/16 v17, 0x0

    const/16 v18, 0x0

    move/from16 v0, v18

    new-array v0, v0, [Ljava/lang/Object;

    move-object/from16 v18, v0

    move-object/from16 v0, v17

    move-object/from16 v1, v18

    invoke-virtual {v5, v0, v1}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v4

    .line 67
    .local v4, "currentActivityThread":Ljava/lang/Object;
    const-string/jumbo v17, "sPackageManager"

    move-object/from16 v0, v17

    invoke-virtual {v3, v0}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;

    move-result-object v15

    .line 68
    .local v15, "sPackageManagerField":Ljava/lang/reflect/Field;
    const/16 v17, 0x1

    move/from16 v0, v17

    invoke-virtual {v15, v0}, Ljava/lang/reflect/Field;->setAccessible(Z)V

    .line 69
    invoke-virtual {v15, v4}, Ljava/lang/reflect/Field;->get(Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v14

    .line 72
    .local v14, "sPackageManager":Ljava/lang/Object;
    const-string/jumbo v17, "android.content.pm.IPackageManager"

    invoke-static/range {v17 .. v17}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;

    move-result-object v9

    .line 73
    .local v9, "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    move-object/from16 v0, p0

    iput-object v14, v0, Lcc/binmt/signature/PmsHookApplication;->base:Ljava/lang/Object;

    .line 74
    move-object/from16 v0, v16

    move-object/from16 v1, p0

    iput-object v0, v1, Lcc/binmt/signature/PmsHookApplication;->sign:[[B

    .line 75
    invoke-virtual/range {p1 .. p1}, Landroid/content/Context;->getPackageName()Ljava/lang/String;

    move-result-object v17

    move-object/from16 v0, v17

    move-object/from16 v1, p0

    iput-object v0, v1, Lcc/binmt/signature/PmsHookApplication;->appPkgName:Ljava/lang/String;

    .line 78
    invoke-virtual {v9}, Ljava/lang/Class;->getClassLoader()Ljava/lang/ClassLoader;

    move-result-object v17

    const/16 v18, 0x1

    move/from16 v0, v18

    new-array v0, v0, [Ljava/lang/Class;

    move-object/from16 v18, v0

    const/16 v19, 0x0

    aput-object v9, v18, v19

    .line 77
    move-object/from16 v0, v17

    move-object/from16 v1, v18

    move-object/from16 v2, p0

    invoke-static {v0, v1, v2}, Ljava/lang/reflect/Proxy;->newProxyInstance(Ljava/lang/ClassLoader;[Ljava/lang/Class;Ljava/lang/reflect/InvocationHandler;)Ljava/lang/Object;

    move-result-object v13

    .line 83
    .local v13, "proxy":Ljava/lang/Object;
    invoke-virtual {v15, v4, v13}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V

    .line 86
    invoke-virtual/range {p1 .. p1}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;

    move-result-object v12

    .line 87
    .local v12, "pm":Landroid/content/pm/PackageManager;
    invoke-virtual {v12}, Ljava/lang/Object;->getClass()Ljava/lang/Class;

    move-result-object v17

    const-string/jumbo v18, "mPM"

    invoke-virtual/range {v17 .. v18}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;

    move-result-object v11

    .line 88
    .local v11, "mPmField":Ljava/lang/reflect/Field;
    const/16 v17, 0x1

    move/from16 v0, v17

    invoke-virtual {v11, v0}, Ljava/lang/reflect/Field;->setAccessible(Z)V

    .line 89
    invoke-virtual {v11, v12, v13}, Ljava/lang/reflect/Field;->set(Ljava/lang/Object;Ljava/lang/Object;)V

    .line 90
    sget-object v17, Ljava/lang/System;->out:Ljava/io/PrintStream;

    const-string/jumbo v18, "PmsHook success."

    invoke-virtual/range {v17 .. v18}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    :try_end_e0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_e0} :catch_e1

    .line 95
    .end local v3    # "activityThreadClass":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    .end local v4    # "currentActivityThread":Ljava/lang/Object;
    .end local v5    # "currentActivityThreadMethod":Ljava/lang/reflect/Method;
    .end local v6    # "data":Ljava/lang/String;
    .end local v8    # "i":I
    .end local v9    # "iPackageManagerInterface":Ljava/lang/Class;, "Ljava/lang/Class<*>;"
    .end local v10    # "is":Ljava/io/DataInputStream;
    .end local v11    # "mPmField":Ljava/lang/reflect/Field;
    .end local v12    # "pm":Landroid/content/pm/PackageManager;
    .end local v13    # "proxy":Ljava/lang/Object;
    .end local v14    # "sPackageManager":Ljava/lang/Object;
    .end local v15    # "sPackageManagerField":Ljava/lang/reflect/Field;
    .end local v16    # "sign":[[B
    :goto_e0
    return-void

    .line 91
    :catch_e1
    move-exception v7

    .line 92
    .local v7, "e":Ljava/lang/Exception;
    sget-object v17, Ljava/lang/System;->err:Ljava/io/PrintStream;

    const-string/jumbo v18, "PmsHook failed."

    invoke-virtual/range {v17 .. v18}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V

    .line 93
    invoke-virtual {v7}, Ljava/lang/Exception;->printStackTrace()V

    goto :goto_e0
.end method


# virtual methods
.method protected attachBaseContext(Landroid/content/Context;)V
    .registers 2
    .param p1, "base"    # Landroid/content/Context;

    .prologue
    .line 29
    invoke-direct {p0, p1}, Lcc/binmt/signature/PmsHookApplication;->hook(Landroid/content/Context;)V

    .line 30
    invoke-super {p0, p1}, Landroid/app/Application;->attachBaseContext(Landroid/content/Context;)V

    .line 31
    return-void
.end method

.method public invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object;
    .registers 11
    .param p1, "proxy"    # Ljava/lang/Object;
    .param p2, "method"    # Ljava/lang/reflect/Method;
    .param p3, "args"    # [Ljava/lang/Object;
    .annotation system Ldalvik/annotation/Throws;
        value = {
            Ljava/lang/Throwable;
        }
    .end annotation

    .prologue
    .line 35
    const-string/jumbo v4, "getPackageInfo"

    invoke-virtual {p2}, Ljava/lang/reflect/Method;->getName()Ljava/lang/String;

    move-result-object v5

    invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v4

    if-eqz v4, :cond_4c

    .line 36
    const/4 v4, 0x0

    aget-object v3, p3, v4

    check-cast v3, Ljava/lang/String;

    .line 37
    .local v3, "pkgName":Ljava/lang/String;
    const/4 v4, 0x1

    aget-object v0, p3, v4

    check-cast v0, Ljava/lang/Integer;

    .line 38
    .local v0, "flag":Ljava/lang/Integer;
    invoke-virtual {v0}, Ljava/lang/Integer;->intValue()I

    move-result v4

    and-int/lit8 v4, v4, 0x40

    if-eqz v4, :cond_4c

    iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->appPkgName:Ljava/lang/String;

    invoke-virtual {v4, v3}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v4

    if-eqz v4, :cond_4c

    .line 39
    iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->base:Ljava/lang/Object;

    invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v2

    check-cast v2, Landroid/content/pm/PackageInfo;

    .line 40
    .local v2, "info":Landroid/content/pm/PackageInfo;
    iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->sign:[[B

    array-length v4, v4

    new-array v4, v4, [Landroid/content/pm/Signature;

    iput-object v4, v2, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

    .line 41
    const/4 v1, 0x0

    .local v1, "i":I
    :goto_37
    iget-object v4, v2, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

    array-length v4, v4

    if-ge v1, v4, :cond_52

    .line 42
    iget-object v4, v2, Landroid/content/pm/PackageInfo;->signatures:[Landroid/content/pm/Signature;

    new-instance v5, Landroid/content/pm/Signature;

    iget-object v6, p0, Lcc/binmt/signature/PmsHookApplication;->sign:[[B

    aget-object v6, v6, v1

    invoke-direct {v5, v6}, Landroid/content/pm/Signature;-><init>([B)V

    aput-object v5, v4, v1

    .line 41
    add-int/lit8 v1, v1, 0x1

    goto :goto_37

    .line 47
    .end local v0    # "flag":Ljava/lang/Integer;
    .end local v1    # "i":I
    .end local v2    # "info":Landroid/content/pm/PackageInfo;
    .end local v3    # "pkgName":Ljava/lang/String;
    :cond_4c
    iget-object v4, p0, Lcc/binmt/signature/PmsHookApplication;->base:Ljava/lang/Object;

    invoke-virtual {p2, v4, p3}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;

    move-result-object v2

    :cond_52
    return-object v2
.end method

再打开 AndroidManifest.xml 找到<application···>部分,也就是类似如图的地方

其中包括一些属性,我们要关注的是android:name
将android:name="···"改为
android:name="cc.binmt.signature.PmsHookApplication"

[size=33.8422px]
注意:本文使用的是2.2.0版本。在一些低版本的yqqs中,不存在android:name项,那么此时直接添加
android:name="cc.binmt.signature.PmsHookApplication"在其中就行了。
然后回到android killer 开始编译,搞定。

声明:

那个smali中的方法不是我原创的,最开始是在一个破解版文件中提取的,但是后来发现cc.binmt其实就是mt管理器的网址啊,看来mt管理器中的去除签名验证就是用的此方法,大致原理可以去mt官网查看。其实刚刚不用新建那么多文件夹,但为了表明此方法的来源,我还是依照原样建立了目录。


THE END
喜欢就支持以下吧
点赞0
分享
评论 抢沙发
  • 管埋员的头像-小北的自留地

    昵称

  • 取消
    昵称