Android reverse engineering: cracking the signature check in the .so of the 115 network disk 5.2.2 APK and removing the long ad

Source: Internet
Author: User
Tags: sha1

While using the 115 network disk, I found that online video viewing in the offline download feature comes with 10 minutes of advertising, which gave me the idea of cracking it. First of all, this post is for technical study only: readers should comply with the relevant laws and regulations and must not use cracking of this kind to infringe on the business interests of others.

I had previously cracked many APKs by modifying their Smali code, so I started by unpacking the 115 network disk APK. Although the code inside is obfuscated, after some research I still found the two key locations for the ads: one is the 10-minute ad shown before playback starts, the other is the random-length ad of 5 to 11 seconds shown when sliding the progress bar. Both are in the VideoVitamioPlayActivity class, as shown:

I located the VideoVitamioPlayActivity.smali file, found the Smali code at the two locations above and deleted it, recompiled it into a classes.dex file, replaced the corresponding file in the original APK package, re-signed it, and installed it on the phone. Installation succeeded, but the app would not open. I immediately connected the phone to the computer and looked at the Logcat output, and found an error in it: the words "Illigal APP ..." appeared in front of my eyes. I got excited and decided to keep going.

In Logcat I saw that the error came from the native layer, and guessed that native code was being called from the first activity or from the application class. Sure enough, in the onCreate method of the DiskApplication class I found the line EncryptNative.init(getApplicationContext()). Tracing into it, I found that it calls the yyw_encrypt.so library, which has two native methods:

public static native String getLoginSign(String paramString1, String paramString2, String paramString3);
public static native void init(Object paramObject);

I first tried deleting EncryptNative.init(getApplicationContext()) from DiskApplication, then recompiled and ran the app. As expected, the app started, but it was still force-closed at login, and Logcat still printed "Illigal APP ...".

At this point I loaded yyw_encrypt.so into IDA Pro and studied the implementation logic of the two methods, as shown:



The disassembly shows that the init method obtains the APK's current signature, converts it with SHA1, and compares it for equality against two preset SHA1 values, storing the comparison result in the global variable is_correct. As long as one of them is equal, the method ends normally; otherwise it jumps to address loc_1720, shows a prompt and closes the app. The second method:


The execution flow of getLoginSign shows that the method first checks whether is_correct equals 1. If it does not, it jumps to loc_1458, which outputs "Illigal APP ..." and closes the app. If it does, it goes straight to the login sign string conversion, and this part performs no operation involving the SHA1 value of the current signature: it only operates on the parameter strings and returns a result. So the way to crack it is easy to see: it is only necessary to make the R9 value handled by the CMP in init become 1. There are many places where this could be done. After some research I chose the equals function, because that is the simplest and most convenient: it is called only twice, both times from init, so the change does not affect anything else:


At the end of the equals method, R0 is the register that carries the return value and holds the comparison result. As long as the immediate value 1 is stored in R0, the method returns an "equal" result. I then consulted the ARM instruction encoding reference (ARMv7-M Architecture Application Level Reference Manual), looked up the 16-bit Thumb encoding of MOV with an immediate, and found the description of this instruction in section A6.7.75:


According to the documentation, the machine code for MOV R0, #1 is 20 01. The mov r0, r5 instruction in the equals method is at location 000015FB. I opened the file in UltraEdit and changed 28 46 at 000015FB to 01 20 (the halfword 0x2001 is stored in little-endian byte order, which is why the bytes appear swapped), then reopened libyyw_encrypt in IDA. The instruction had become MOVS R0, #1, as shown:


Because the library I changed was the one under armeabi-v7a, the one under armeabi also has to be modified. There are slight differences between the two, but the MOVS R0, #1 instruction is the same in both versions of the ARM instruction set, so the original machine code is replaced in the same way. After replacing the .so files in the original APK and re-signing, I ran the app, logged in and played a video offline: everything worked normally and the long ads were gone. With that, the crack was finally complete.
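From the defender's side, the weakness noted above is that the verdict lives in is_correct and getLoginSign never uses the signature's SHA1. The following added example (not the app's code and not from the original post) models that design beside a hardened sketch in which the certificate digest keys the login sign and the server verifies it. FlagLib, BoundLib, server_accepts, the "|" joining of parameters and the HMAC construction are all assumptions, since the post does not say how the real sign is computed.

```python
import hashlib
import hmac

RELEASE_CERT = b"constructed-release-certificate"       # constructed sample
RESIGNED_CERT = b"constructed-third-party-certificate"  # constructed sample
EXPECTED_SHA1 = hashlib.sha1(RELEASE_CERT).digest()

def _msg(p1, p2, p3):
    return "|".join((p1, p2, p3)).encode()

class FlagLib:
    """Design described above: verdict kept in a flag, sign ignores the digest."""
    def __init__(self, equals=hmac.compare_digest):
        self.equals = equals  # the one comparison every later check relies on
        self.is_correct = 0

    def init(self, cert):
        self.is_correct = int(self.equals(hashlib.sha1(cert).digest(), EXPECTED_SHA1))

    def get_login_sign(self, p1, p2, p3):
        if self.is_correct != 1:
            raise RuntimeError("Illigal APP ...")
        return hashlib.sha1(_msg(p1, p2, p3)).hexdigest()  # hypothetical sign

class BoundLib:
    """Hardened sketch: the certificate digest keys the sign; no flag to flip."""
    def init(self, cert):
        self.key = hashlib.sha1(cert).digest()

    def get_login_sign(self, p1, p2, p3):
        return hmac.new(self.key, _msg(p1, p2, p3), hashlib.sha256).hexdigest()

def server_accepts(sign, p1, p2, p3):
    """Server side: recompute with the release digest, compare in constant time."""
    good = hmac.new(EXPECTED_SHA1, _msg(p1, p2, p3), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sign, good)

def demo():
    args = ("user", "nonce", "1700000000")  # constructed parameters
    genuine, forced = FlagLib(), FlagLib(equals=lambda a, b: True)
    genuine.init(RELEASE_CERT)
    forced.init(RESIGNED_CERT)  # comparison forced to "equal", as in the patch above
    same = forced.get_login_sign(*args) == genuine.get_login_sign(*args)
    verdicts = {}
    for name, cert in (("release", RELEASE_CERT), ("resigned", RESIGNED_CERT)):
        lib = BoundLib()
        lib.init(cert)
        verdicts[name] = server_accepts(lib.get_login_sign(*args), *args)
    return same, verdicts
```

With the flag design, a forced comparison yields the same sign as a genuine install; with the bound design, the re-signed package produces a sign the server rejects. The binding only has value because the check happens on the server, outside the modified client.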



