游戏蜂窝 (Youxifengwo) cracking notes
Repackaging test of the original APK
Download ApkTool:
ApkTool download address
ApkTool installation instructions
1. Run apktool d target.apk to decompile the resources.
2. Run apktool b youxifengwo -o ReYXFW.apk to repackage the APK.
3. uiautomatorviewer is in the SDK's tools directory.
Generate a signing key:
Open CMD: Start > Run, type CMD, then click OK or press Enter. In the CMD window enter the following command and press Enter:
cd /d C:\Program Files\Java\jdk1.7.0\bin
Then enter the next command and press Enter:
keytool -genkey -alias abc.keystore -keyalg RSA -validity 20000 -keystore abc.keystore
abc can be replaced with any name you like; the command is case-sensitive.
After running the command you are taken through the following prompts:
输入keystore密码: [the password is not echoed; type it and press Enter]
再次输入新密码: [not echoed; type it and press Enter]
您的名字与姓氏是什么?
  [Unknown]: tttabc
您的组织单位名称是什么?
  [Unknown]: www.tttabc.com
您的组织名称是什么?
  [Unknown]: www.tttabc.com
您所在的城市或区域名称是什么?
  [Unknown]: New York
您所在的州或省份名称是什么?
  [Unknown]: New York
该单位的两字母国家代码是什么
  [Unknown]: CN
CN=abc, OU=www.tttabc.com, O=www.tttabc.com, L=New York, ST=New York, C=CN 正确吗?
  [否]: Y
输入<abc.keystore>的主密码
(如果和 keystore 密码相同,按回车):
On success, a file named abc.keystore is created under C:\Program Files\Java\jdk1.7.0\bin.
The -validity parameter is the certificate's validity in days; here we chose a generous 20000 days. Passwords are not echoed as you type them, so just type and press Enter; a length of about 20 characters is recommended, and write the password down because it is needed again later. The whole process is shown in the figure.
Next we sign the APK file.
Sign the APK file:
Put the APK to be signed under C:\Program Files\Java\jdk1.7.0\bin.
Give the APK a simple name, such as 123.apk.
Open CMD: Start > Run, type CMD, then click OK or press Enter. In the CMD window enter the following command and press Enter:
cd C:\Program Files\Java\jdk1.7.0\bin
Then enter the next command and press Enter:
jarsigner -verbose -keystore abc.keystore -signedjar 123x.apk new_target.apk abc.keystore
Then type the password and press Enter. This produces the signed APK: the input is the unsigned APK (new_target.apk in the command above) and the output 123x.apk is the signed APK that Android will run. The password prompted for is the same one entered in keytool.
If you need to sign a modified APK or a ZIP-format flashable ROM, auto-sign is recommended as the simplest option: download auto-sign.zip (a Java JDK must be installed), extract it to, say, drive E, put the APK or ZIP to be signed in the same directory as the auto-sign tool, and run the auto-sign batch file to sign it automatically.
Install the APK for testing:
adb install 123x.apk
Running the repackaged APK on an Android device, a normal login is rejected with a "signature error", which shows that the APK verifies its own signature. Step one is therefore to bypass the repackaging signature verification.
Start reversing and decompiling to crack the encrypted and decrypted data
Capture the login packets:
Download the packet-capture tool Charles (search for usage instructions yourself). The captured login response reports a signature error. Compare it with a normal login: the data in a normal login packet is encrypted. To decrypt it, first decompile the APK (assuming it is not packed; search for how to decompile), then look for the login-verification decryption function inside the APK.
Debug and decompile the APK to inspect the encryption and decryption functions:
First push the IDA Pro debug server to the device and run it with su (root) privileges:
adb push android_server /data/local/tmp/
adb shell chmod 777 /data/local/tmp/android_server
adb shell su -c /data/local/tmp/android_server
adb forward tcp:23946 tcp:23946
1. d2j-dex2jar.bat classes2.dex generates classes2-dex2jar.jar
2. Download jd-gui and open classes2-dex2jar.jar
Write an SO to hook the decryption function:
Download Xposed and build a hook plugin that intercepts the decryption function; analyse the decryption function together with the raw packets and map them to their URLs (example).
Remove the APK self-check and repackage (lib/xxx/libcjencrypt.so):
.text:F3E69478 decrypt                                 ; DATA XREF: .data:F3E7D030↓o
.text:F3E69478 ; __unwind {
.text:F3E69478     PUSH    {R4-R7,LR}
.text:F3E6947A     ADD     R7, SP, #0xC
.text:F3E6947C     PUSH.W  {R8,R9,R11}
.text:F3E69480     MOV     R9, R1
.text:F3E69482     MOV     R1, R3
.text:F3E69484     MOV     R8, R2
.text:F3E69486     MOV     R6, R0
.text:F3E69488     BL      sub_F3E694C4
.text:F3E6948C     MOV     R4, R0
.text:F3E6948E     LDR     R0, =(off_F3E7D004 - 0xF3E69494)
.text:F3E69490     ADD     R0, PC          ; off_F3E7D004
.text:F3E69492     LDR     R1, [R0]        ; "8CF8BD517174351E61BBCF776B3B83376195D65"
.text:F3E69494     MOV     R0, R4          ; s1
.text:F3E69496     BLX     strcmp          ; apk checksum
.text:F3E6949A     MOV     R5, R0
.text:F3E6949C     MOV     R0, R4          ; ptr
.text:F3E6949E     BLX     free
.text:F3E694A2     CBZ     R5, loc_F3E694AC
.text:F3E694A4     MOVS    R0, #0
.text:F3E694A6     POP.W   {R8,R9,R11}
.text:F3E694AA     POP     {R4-R7,PC}
.text:F3E694AC ; ---------------------------------------------------------------------------
.text:F3E694AC
.text:F3E694AC loc_F3E694AC                            ; CODE XREF: decrypt+2A↑j
.text:F3E694AC     MOV     R0, R6
.text:F3E694AE     MOV     R1, R9
.text:F3E694B0     MOV     R2, R8
.text:F3E694B2     POP.W   {R8,R9,R11}
.text:F3E694B6     POP.W   {R4-R7,LR}
.text:F3E694BA     B.W     sub_F3E68C88
.text:F3E694BA ; End of function decrypt
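To make the control flow of the listing above explicit, here is the same gate rendered as C. This is an added reconstruction written for this page, not the library's source: the checksum routine sub_F3E694C4 and the real decrypt sub_F3E68C88 are replaced by labelled stubs, the parameter names are assumptions drawn only from the register moves, and the sample bytes are constructed. What a defender should take from its shape is that the whole integrity decision is a single strcmp against a plaintext constant in .data followed by a single branch, with no second check anywhere: a single point of failure, not a layered defence.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The constant the listing loads through off_F3E7D004 and hands to strcmp. */
static const char *const EXPECTED_APK_CHECKSUM =
    "8CF8BD517174351E61BBCF776B3B83376195D65";

/* Stand-in for sub_F3E694C4. In the real library it derives a checksum of the
 * installed APK and returns it as a heap string (the listing frees it). Its
 * body is not on the page, so this constructed stub just copies whatever the
 * caller staged in g_staged_checksum. */
static const char *g_staged_checksum = "";

char *compute_apk_checksum(void *env, void *ctx)
{
    (void)env;
    (void)ctx;
    size_t n = strlen(g_staged_checksum) + 1;
    char *copy = malloc(n);
    if (copy)
        memcpy(copy, g_staged_checksum, n);
    return copy;
}

/* Stand-in for sub_F3E68C88, the routine reached by the final B.W. The real
 * cipher is unknown; this constructed stub XORs each byte with 0x5A into a
 * fresh buffer so a caller can tell whether the gate let the call through. */
unsigned char *real_decrypt(void *env, const unsigned char *in, size_t len)
{
    (void)env;
    unsigned char *out = malloc(len ? len : 1);
    if (!out)
        return NULL;
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ 0x5A;
    return out;
}

/* The gate itself, one statement per group of instructions in the listing.
 * Parameter names are assumptions: the register moves show only that R0 and
 * R3 go to the checksum routine and R0..R2 go on to the real decrypt. */
unsigned char *decrypt(void *env, const unsigned char *in, size_t len, void *ctx)
{
    char *sum = compute_apk_checksum(env, ctx);        /* BL   sub_F3E694C4  */
    if (!sum)
        return NULL;
    int mismatch = strcmp(sum, EXPECTED_APK_CHECKSUM); /* BLX  strcmp        */
    free(sum);                                         /* BLX  free          */
    if (mismatch != 0)                                 /* CBZ  R5, loc_...   */
        return NULL;                                   /* MOVS R0, #0 ; POP  */
    return real_decrypt(env, in, len);                 /* B.W  sub_F3E68C88  */
}

/* Helper for stand-alone runs: stage a checksum value, push a constructed
 * 4-byte sample through the gate, and report 1 if decrypted output came back
 * (bytes 00 01 02 03 after the stub's XOR), else 0. */
int gate_passes(const char *staged_checksum)
{
    const unsigned char sample[4] = {0x5A, 0x5B, 0x58, 0x59}; /* constructed */
    g_staged_checksum = staged_checksum;
    unsigned char *out = decrypt(NULL, sample, sizeof sample, NULL);
    if (!out)
        return 0;
    int ok = out[0] == 0x00 && out[1] == 0x01 && out[2] == 0x02 && out[3] == 0x03;
    free(out);
    return ok;
}

int main(void)
{
    printf("matching checksum: %s\n",
           gate_passes(EXPECTED_APK_CHECKSUM) ? "decrypted" : "refused");
    printf("other checksum:    %s\n",
           gate_passes("DEADBEEF") ? "decrypted" : "refused");
    return 0;
}
```

gate_passes() is the only entry point a reader needs: it stages the checksum the stub will return and reports whether the gate forwarded the call to real_decrypt. Everything the library actually computes (the checksum derivation and the cipher) is deliberately left as a stub, so the program demonstrates the decision structure and nothing else.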
VIP permission:
.method public setIsVip(I)V
    .locals 4
    .param p1, "isVip"    # I
    .prologue
    .line 274
    iput p1, p0, Lcom/cyjh/gundam/model/UserInfo;->IsVip:I
    const v0, 0x1
    iput v0, p0, Lcom/cyjh/gundam/model/UserInfo;->IsVip:I
    .line 275
    return-void
.end method
CODE:00704F1C # Source file: UserInfo.java
CODE:00704F1C public int com.cyjh.gundam.model.UserInfo.getIsVip()
CODE:00704F1C this = v1                     # CODE XREF: VipPresenter_setUserInfo@VL+A↑p
CODE:00704F1C                               # LeftMenuFragment_setInfo@VL:loc_6BE372↑p ...
CODE:00704F1C .prologue_end
CODE:00704F1C .line 270
CODE:00704F1C     iget    v0, this, stru_B09E4
CODE:00704F20     const/4 v0, 1
CODE:00704F22
CODE:00704F22 locret:
CODE:00704F22     return  v0
CODE:00705046 Method End
VIP expiry time:
.method public setVIPExpireTime(Ljava/lang/String;)V
    .locals 4
    .param p1, "VIPExpireTime"    # Ljava/lang/String;
    .prologue
    .line 282
    iput-object p1, p0, Lcom/cyjh/gundam/model/UserInfo;->VIPExpireTime:Ljava/lang/String;
    const-string/jumbo v0, "2022-12-31"
    iput v0, p0, Lcom/cyjh/gundam/model/UserInfo;->VIPExpireTime:Ljava/lang/String;
    .line 283
    return-void
.end method
CODE:0070503C # Source file: UserInfo.java
CODE:0070503C public java.lang.String com.cyjh.gundam.model.UserInfo.getVIPExpireTime()
CODE:0070503C this = v1                     # CODE XREF: LeftMenuFragment_setInfo@VL+DE↑p
CODE:0070503C                               # LeftMenuFragment_setInfo@VL+F2↑p ...
CODE:0070503C .prologue_end
CODE:0070503C .line 278
CODE:0070503C     iget-object         v0, this, stru_B0A4C
CODE:00705040     const-string/jumbo  v0, a20221231    # "2022-12-31"
CODE:00705046
CODE:00705046 locret:
CODE:00705046     return-object       v0
CODE:00705046 Method End
VIP type:
.method public setVIPType(I)V
    .locals 4
    .param p1, "VIPType"    # I
    .prologue
    .line 110
    iput p1, p0, Lcom/cyjh/gundam/model/UserInfo;->VIPType:I
    const v0, 0x2
    iput v0, p0, Lcom/cyjh/gundam/model/UserInfo;->VIPType:I
    .line 111
    return-void
.end method
CODE:00705058 # Source file: UserInfo.java
CODE:00705058 public int com.cyjh.gundam.model.UserInfo.getVIPType()
CODE:00705058 this = v1                     # CODE XREF: LeftMenuFragment_setInfo@VL+162↑p
CODE:00705058                               # LoginManager_updateUserInfo@VLL+3C↑p
CODE:00705058 .prologue_end
CODE:00705058 .line 106
CODE:00705058     iget    v0, this, stru_B0A54
CODE:0070505C     const/4 v0, 2
CODE:0070505E
CODE:0070505E locret:
CODE:0070505E     return  v0
CODE:0070505E Method End
Remove the time limit:
com.cyjh.gundam.manager.LoginManager.java
.method public getDisCountSecond()J
    .locals 2
    .prologue
    .line 965
    invoke-virtual {p0}, Lcom/cyjh/gundam/manager/LoginManager;->isLoginV70()Z
    move-result v0
    if-eqz v0, :cond_0
    .line 966
    iget-object v0, p0, Lcom/cyjh/gundam/manager/LoginManager;->mInfo:Lcom/cyjh/gundam/model/LoginResultInfo;
    iget-wide v0, v0, Lcom/cyjh/gundam/model/LoginResultInfo;->DisCountSecond:J
    .line 968
    :goto_0
    const-wide/32 v0, 0x10000
    return-wide v0
    :cond_0
    const-wide/16 v0, 0x0
    const-wide/32 v0, 0x10000
    goto :goto_0
.end method
.method public getFreeSecond()J
    .locals 2
    .prologue
    .line 975
    invoke-virtual {p0}, Lcom/cyjh/gundam/manager/LoginManager;->isLoginV70()Z
    move-result v0
    if-eqz v0, :cond_0
    .line 976
    iget-object v0, p0, Lcom/cyjh/gundam/manager/LoginManager;->mInfo:Lcom/cyjh/gundam/model/LoginResultInfo;
    iget-wide v0, v0, Lcom/cyjh/gundam/model/LoginResultInfo;->FreeSecond:J
    .line 978
    :goto_0
    const-wide/32 v0, 0x10000
    return-wide v0
    :cond_0
    const-wide/16 v0, 0x0
    const-wide/32 v0, 0x10000
    goto :goto_0
.end method
Open script-supported games without logging in:
a) Source folder (com.cyjh.gundam.fengwo, "com\cyjh\gundam\fengwo")
b) Search for calls to isLoginV70 and change the return value in the smali so that no login is needed.
"My scripts" without login:
a) Source com.cyjh.gundam.utils.IntentUtil.java
b) Locate isLoginV70 inside toMyScriptActivity and change the return value.
Force free use of scripts:
a) Source folder (com\cyjh\gundam\fengwoscript\)
b) Search for calls to isLogin and change the return value.
c) Source folder (com.cyjh.gundam.fengwoscript.model.manager.HeartAndPermManager.java)
d) Search for checkRunPerm and change the viprunperminfo.KickedOut, viprunperminfo.BanRun and viprunperminfo.TryExpired conditions inside it; this forces selection of the target script and enters the "本地挂机" (local auto-play) button screen, where the button is disabled by default.
e) Source folder (com.cyjh.gundam.fengwoscript.ui.help.SzScriptInfoSetHelp.java)
f) Search for setInfo and change vipadresultinfo.RunPerm.Run and vipadresultinfo.RunPerm.Try to restore the "本地挂机" button, although the cheat-script dialog still does not appear.
g) Source folder (com.cyjh.gundam.fengwoscript.model.manager.HeartAndPermManager.java)
h) Find isRun and change viprunperminfo.KickedOut, viprunperminfo.BanRun and viprunperminfo.TryExpired so that the cheat-script settings dialog appears.
i) Source folder (com.cyjh.gundam.fengwo.pxkj.script.ui.presenter.ScriptRunPresenter.java)
j) Search for vipadresultinfo.RunPerm.KickedOut and change the condition.
k) Source folder (com.cyjh.gundam.fengwoscript.presenter.ScriptInfoPresenter.java)
l) Find startScriptOnClick and change vipadresultinfo.RunPerm.Run and vipadresultinfo.RunPerm.Try so that the "本地挂机" button event forces the script to run; the script stops immediately after starting.
m) Source folder (com.cyjh.gundam.fengwoscript.model.manager.HeartAndPermManager.java)
n) Search for the thread-check function onEventMainThread and change the vipscriptheartinfo.Status value to 3, which forces the script to be usable.
o) Find the source folder (com.cyjh.gundam.activity.GunDamMainActivity.java)
p) Locate setBottomDataByPreData: (首页 Home, "TargetType": 6), (云手机 Cloud phone, "TargetType": 8), (我的 Mine, "TargetType": 7), (免Root脚本 Root-free scripts, "TargetType": 11), (变态游戏 Modded games, "TargetType": 9). These correspond to the handling of the APK's bottom menu bar.
q) Find the source folder (com.cyjh.gundam.fengwoscript.ui.help.SzScriptInfoSetHelp.java)
r) Find setInfo and change the vipadresultinfo.EachTryTime statement to turn off the remaining-trial prompt.
s) Find the source folder (com.cyjh.gundam.fengwoscript.ui.help.ScriptTopRaqViewHelp.java)
t) Find setData and change it to mFaqTv.setVisibility(0) to turn off the script FAQ.
u) Find the source folder (com.cyjh.gundam.fengwoscript.presenter.ScriptInfoPresenter.java)
v) Find isShowAd and change it to return false to turn off the ads shown to non-members when running scripts.
Heartbeat thread:
com.cyjh.gundam.fengwoscript.presenter.ScriptInfoPresenter.java
{
    boolean flag = true;
    String s = com/cyjh/gundam/fengwoscript/presenter/ScriptInfoPresenter.getSimpleName();
    StringBuilder stringbuilder = (new StringBuilder()).append("PermStatueEvent -- \u5FC3\u8DF3\u662F\u5426\u8C03\u7528\uFF1A");
    if(permstatueevent.resultInfo != null)
        flag = false;
    CLog.i(s, stringbuilder.append(flag).toString());
    try
    {
        SZScriptInfo szscriptinfo = permstatueevent.resultInfo.ScriptInfo;
        if(szscriptinfo != null)
        {
            mInfo.EncryptKey = szscriptinfo.EncryptKey;
            mInfo.IsEncrypt = szscriptinfo.IsEncrypt;
            mInfo.NewEncryptKey = szscriptinfo.NewEncryptKey;
            mInfo.ScriptPath = szscriptinfo.ScriptPath;
            loadScript(true);
        }
        else
        {
            loadScript(false);
        }
    }
    catch(Exception exception) { }
}
Skip the heartbeat check:
com.cyjh.gundam.fengwoscript.model.ScriptHeartModel.java
The following four functions are made to return immediately.
.method private load()V
    .locals 1
    .prologue
    .line 137
    return-void
    iget-object v0, p0, Lcom/cyjh/gundam/fengwoscript/model/ScriptHeartModel;->mListener:Lcom/kaopu/core/basecontent/http/inf/IUIDataListener;
    invoke-virtual {p0, v0}, Lcom/cyjh/gundam/fengwoscript/model/ScriptHeartModel;->loadData(Lcom/kaopu/core/basecontent/http/inf/IUIDataListener;)V
    .line 138
    return-void
.end method
.method private pauseHear()V
    .locals 0
    .prologue
    .line 116
    return-void
    invoke-direct {p0}, Lcom/cyjh/gundam/fengwoscript/model/ScriptHeartModel;->removeHeart()V
    .line 117
    return-void
.end method
.method private resumeHear()V
    .locals 2
    .prologue
    .line 122
    return-void
    const/4 v0, 0x2
    iput v0, p0, Lcom/cyjh/gundam/fengwoscript/model/ScriptHeartModel;->mStartOrStop:I
    .line 123
    iget-object v0, p0, Lcom/cyjh/gundam/fengwoscript/model/ScriptHeartModel;->mPathModel:Lcom/cyjh/gundam/fengwoscript/model/ScriptHeartPathModel;
    const/4 v1, 0x0
    invoke-virtual {v0, v1}, Lcom/cyjh/gundam/fengwoscript/model/ScriptHeartPathModel;->setCount(I)V
    .line 128
    iget v0, p0, Lcom/cyjh/gundam/fengwoscript/model/ScriptHeartModel;->mHeartbeatInterval:I
    if-gtz v0, :cond_0
    .line 129
    const/16 v0, 0x12c
    iput v0, p0, Lcom/cyjh/gundam/fengwoscript/model/ScriptHeartModel;->mHeartbeatInterval:I
    .line 131
    :cond_0
    iget v0, p0, Lcom/cyjh/gundam/fengwoscript/model/ScriptHeartModel;->mHeartbeatInterval:I
Last edited on 2018-9-14 16:35 by 猪会被杀掉; reason: reformatting.