Android reverse engineering: cracking the signature-verification .so in the 115 Network Disk 5.2.2 apk and killing the long ads

Source: Internet
Author: User


While using the 115 Network Disk, I found that watching videos online through the offline-download function forced 10 minutes of advertisements, so I started thinking about how to crack it. First, a declaration: this post is for technical research only. Please observe the relevant laws and regulations, and do not use cracking to infringe on the commercial interests of others.

I have cracked quite a few apks and modified smali code while studying these techniques, so when I first unpacked the 115 Network Disk apk, although the code inside was obfuscated, after some research I found the two key locations of the advertisements: one is the 10-minute pre-roll advertisement, and the other is the random 5 to 11 second advertisement played when dragging the progress bar. Both are in the VideoVitamioPlayActivity class, as follows:

Find the VideoVitamioPlayActivity.smali file, locate the smali code at the two positions above, delete it, recompile it into a classes.dex file, replace the corresponding file in the original apk package, re-sign the apk and install it on the phone. But the app would not open at all. I connected the phone to the computer and looked at the logcat output, and found an error in it: a big "Illigal APP...". This got me interested, so I decided to keep digging.

From logcat I could see that the error was reported from the native layer. I guessed the native code must be called from the first Activity or from the Application subclass, and in the onCreate method of the DiskApplication class I found the line EncryptNative.init(getApplicationContext()). The EncryptNative class declares two native methods:

    public static native String getLoginSign(String paramString1, String paramString2, String paramString3);
    public static native void init(Object paramObject);

I tried deleting the EncryptNative.init(getApplicationContext()) call in DiskApplication, then recompiled and ran the app. As expected, the app started, but it was forcibly closed during login, and logcat still output a big "Illigal APP...".

So I loaded libyyw_encrypt.so into IDA Pro and studied the implementation logic of these two methods, as shown in the following figure:



As can be seen from the disassembly, the init method obtains the current apk's signature, converts it to SHA-1, compares the result against two hard-coded SHA-1 values, and stores the comparison result in the IS_CORRECT global variable. If either value matches, the method returns normally; otherwise, the code at loc_1720 displays a prompt and closes the app. The second method:


From the execution flow of the getLoginSign method, we can see that it first checks whether IS_CORRECT equals 1. If not, it jumps to loc_1458, which prints "Illigal APP..." and disables the app. If it does equal 1, the login sign string is computed directly. Crucially, that computation never involves the SHA-1 of the current signature; the result is derived only from operations on the strings passed as parameters. So the crack is easy to see: we only need the value that init's CMP tests (held in R9) to be 1. There are many places from which to achieve that; after some research, I finally chose the equals function, because it is the simplest and most convenient, and it is called only twice, both from the init method, so patching it will not affect anything else:


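To make the weakness described above concrete, here is an added example in Python (not code from the post or from the 115 app) that models the two flows side by side: a flag-gated check in the style of init and getLoginSign, where a patched equals makes a re-signed apk produce exactly the same sign as the genuine one, beside a contrasting design in which the sign is keyed by the hash of the certificate the running apk actually carries. The certificate bytes, the hard-coded hashes, the parameter strings and the sign derivation are all constructed stand-ins; the app's real derivation is not shown on the page.

```python
import hashlib
import hmac

# Constructed stand-ins for the DER bytes of two signing certificates: the
# official one whose SHA-1 the library hard-codes, and the certificate an
# attacker re-signs the modified apk with. Hypothetical values.
OFFICIAL_CERT = b"constructed: official signing certificate"
ATTACKER_CERT = b"constructed: attacker re-signing certificate"

# The two SHA-1 values init() compares against (constructed, not the app's).
HARD_CODED_SHA1 = (
    hashlib.sha1(OFFICIAL_CERT).hexdigest(),
    hashlib.sha1(b"constructed: second accepted certificate").hexdigest(),
)

PARAMS = ("user", "1700000000", "nonce")  # constructed getLoginSign arguments


def equals(a: str, b: str) -> bool:
    """The comparison helper init() calls twice; the post's patch target."""
    return a == b


def patched_equals(a: str, b: str) -> bool:
    """What the MOVS R0, #1 patch turns equals() into: always 'equal'."""
    return True


class FlagGatedSign:
    """The flow the post describes: init() stores a flag, getLoginSign()
    checks only the flag and never mixes the signature into the sign."""

    def __init__(self, equals_fn=equals):
        self.is_correct = 0
        self.equals_fn = equals_fn

    def init(self, cert: bytes) -> None:
        digest = hashlib.sha1(cert).hexdigest()
        matched = any(self.equals_fn(digest, h) for h in HARD_CODED_SHA1)
        self.is_correct = 1 if matched else 0

    def get_login_sign(self, p1: str, p2: str, p3: str) -> str:
        if self.is_correct != 1:
            raise RuntimeError("Illigal APP")
        # Hypothetical derivation over the parameters only (no signature).
        return hashlib.sha1("|".join((p1, p2, p3)).encode()).hexdigest()


class SignatureBoundSign:
    """Contrast: the sign is an HMAC keyed by the SHA-1 of whatever
    certificate the running apk carries. There is no flag to patch, and a
    re-signed apk yields a sign the server will not verify."""

    def __init__(self, cert: bytes):
        self.key = hashlib.sha1(cert).digest()

    def get_login_sign(self, p1: str, p2: str, p3: str) -> str:
        msg = "|".join((p1, p2, p3)).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()


def server_verify_bound(sign: str, p1: str, p2: str, p3: str) -> bool:
    """Server side: recompute with the official certificate hash it knows."""
    key = hashlib.sha1(OFFICIAL_CERT).digest()
    msg = "|".join((p1, p2, p3)).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sign)


def demo_flag_gated() -> dict:
    genuine = FlagGatedSign()
    genuine.init(OFFICIAL_CERT)
    resigned = FlagGatedSign()
    resigned.init(ATTACKER_CERT)          # is_correct stays 0
    try:
        resigned.get_login_sign(*PARAMS)
        blocked = False
    except RuntimeError:
        blocked = True
    cracked = FlagGatedSign(patched_equals)
    cracked.init(ATTACKER_CERT)           # is_correct becomes 1 anyway
    return {
        "unpatched_resigned_blocked": blocked,
        "cracked_sign_matches_genuine":
            cracked.get_login_sign(*PARAMS) == genuine.get_login_sign(*PARAMS),
    }


def demo_signature_bound() -> dict:
    genuine = SignatureBoundSign(OFFICIAL_CERT)
    resigned = SignatureBoundSign(ATTACKER_CERT)
    return {
        "genuine_accepted": server_verify_bound(genuine.get_login_sign(*PARAMS), *PARAMS),
        "resigned_accepted": server_verify_bound(resigned.get_login_sign(*PARAMS), *PARAMS),
    }


if __name__ == "__main__":
    print(demo_flag_gated())
    print(demo_signature_bound())
```

Binding the sign to the certificate is not a complete fix: the official certificate ships inside the public apk, so an attacker can still patch the code that reads the running apk's certificate, or re-implement the sign with the official hash. What it does remove is the single two-byte patch point that the flag-gated design hands to the attacker.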
At the end of the equals method, R0 holds the return value, i.e. the comparison result. If R0 is instead loaded with the immediate 1, equals always reports a match. So I looked up the machine encoding of the 16-bit Thumb MOV (immediate) instruction in the ARMv7-M Architecture Reference Manual, and found the instruction description in section A6.7.75:


According to the manual, MOV R0, #1 in the 16-bit Thumb encoding is the halfword 0x2001, which is stored little-endian as the bytes 01 20. Next, find the MOV R0, R5 instruction at the end of the equals method, located at 15fb; its bytes are 28 46. Open the .so in UltraEdit, change the 28 46 at 15fb to 01 20, and reopen libyyw_encrypt in IDA: the instruction there has changed to MOVS R0, #1, as shown in the figure:


Because the .so I modified is the one in armeabi-v7a, the .so in armeabi also needs to be modified. The two differ slightly, but the MOVS R0, #1 instruction is encoded identically in both, so the original machine code is replaced in the same way. Then replace the .so files in the original apk, re-sign, run, log in, and play an offline video: everything works normally, and the long advertisements are gone. The crack is complete.
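The encoding and patching steps above, as an added example in Python (not code from the post): it computes the Thumb-16 encodings of MOV R0, R5 and MOVS R0, #1 from the bit layouts in the ARMv7-M manual, decodes them back as a check, and patches a halfword only after verifying that the expected original bytes are present at the offset, so a wrong offset or a different build of the library is refused rather than corrupted. The byte image and the offset of the MOV are constructed stand-ins for the real .so and the 15fb offset on the page; patch_so_file is a hypothetical helper that applies the same check to a file on disk.

```python
# Thumb-16 encodings from the ARMv7-M reference manual and a patcher that
# refuses to write unless the expected original halfword is at the offset.


def encode_mov_reg_t1(rd: int, rm: int) -> int:
    """MOV <Rd>, <Rm>, encoding T1: 0100 0110 D Rm[3:0] Rd[2:0], D = Rd[3]."""
    if not (0 <= rd <= 15 and 0 <= rm <= 15):
        raise ValueError("registers must be R0-R15")
    d = (rd >> 3) & 1
    return 0x4600 | (d << 7) | (rm << 3) | (rd & 0x7)


def encode_movs_imm_t1(rd: int, imm8: int) -> int:
    """MOVS <Rd>, #<imm8>, encoding T1: 00100 Rd[2:0] imm8; Rd is R0-R7."""
    if not (0 <= rd <= 7 and 0 <= imm8 <= 0xFF):
        raise ValueError("Rd must be R0-R7 and the immediate 0-255")
    return 0x2000 | (rd << 8) | imm8


def halfword_bytes(hw: int) -> bytes:
    """Thumb code is stored little-endian, so 0x2001 is the bytes 01 20."""
    return hw.to_bytes(2, "little")


def decode_t1(hw: int) -> str:
    """Minimal decoder for the two instructions involved in the patch."""
    if hw >> 11 == 0b00100:
        return f"MOVS R{(hw >> 8) & 0x7}, #{hw & 0xFF}"
    if hw >> 8 == 0x46:
        rd = (((hw >> 7) & 1) << 3) | (hw & 0x7)
        rm = (hw >> 3) & 0xF
        return f"MOV R{rd}, R{rm}"
    return f"<not decoded: 0x{hw:04x}>"


def bytes_match(image: bytes, offset: int, expect: bytes) -> bool:
    return image[offset:offset + len(expect)] == expect


def patch_halfword(image: bytes, offset: int, expect: bytes, new: bytes) -> bytes:
    """Return a patched copy; refuse if the original bytes are not what we
    expect (wrong offset, different build, or already patched)."""
    if len(expect) != 2 or len(new) != 2:
        raise ValueError("a halfword patch must be exactly 2 bytes")
    if not bytes_match(image, offset, expect):
        found = image[offset:offset + 2].hex()
        raise ValueError(f"bytes at 0x{offset:x} are {found}, expected {expect.hex()}")
    out = bytearray(image)
    out[offset:offset + 2] = new
    return bytes(out)


def patch_so_file(path: str, offset: int, expect: bytes, new: bytes) -> None:
    """Hypothetical helper: the same check against a real .so on disk. The
    offset is a file offset; if IDA shows a virtual address, convert it via
    the containing segment's file offset first."""
    with open(path, "rb") as f:
        image = f.read()
    with open(path, "wb") as f:
        f.write(patch_halfword(image, offset, expect, new))


# Constructed stand-in for the tail of equals(): NOP, NOP, NOP, MOV R0, R5,
# POP {R4-R6, PC}. Not bytes from the real library.
ORIGINAL_MOV = halfword_bytes(encode_mov_reg_t1(0, 5))   # 28 46
REPLACEMENT = halfword_bytes(encode_movs_imm_t1(0, 1))   # 01 20
EQUALS_MOV_OFFSET = 6
CONSTRUCTED_IMAGE = b"\x00\xbf" * 3 + ORIGINAL_MOV + b"\x70\xbd"


def apply_equals_patch(image: bytes = CONSTRUCTED_IMAGE,
                       offset: int = EQUALS_MOV_OFFSET) -> bytes:
    """Swap MOV R0, R5 for MOVS R0, #1 so equals() always returns 1."""
    return patch_halfword(image, offset, ORIGINAL_MOV, REPLACEMENT)


if __name__ == "__main__":
    patched = apply_equals_patch()
    before = int.from_bytes(CONSTRUCTED_IMAGE[6:8], "little")
    after = int.from_bytes(patched[6:8], "little")
    print(f"{decode_t1(before)}  ->  {decode_t1(after)}  ({patched[6:8].hex()})")
```

The expected-bytes check is the part worth keeping when doing this by hand in a hex editor: confirm 28 46 is really at the offset before writing 01 20, and repeat the check separately for the armeabi copy, whose surrounding bytes may differ even though the replacement halfword is the same.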
