Android: developing kstools, a tool that automatically bypasses application signature verification

Source: Internet
Author: User

I. Technical overview

For security reasons, some applications verify their own signing information at the application layer to stop the app from being repackaged. Several ways of defeating such signature checks have already been covered, and one basic principle should not be forgotten: do a global search for the string "signature" (open the APK in JADX to search the Dalvik code, or open the .so files in IDA for native code). Once a check is found, its logic can be patched by hand. The problem with that approach is that an application may verify its signature in many places, as in the game analysed in the earlier article "Android blasting application signature information case analysis": every check has to be located and patched one by one, which is tedious. A cleaner approach is to hook the application's own access to the PMS (PackageManagerService), intercept the method that returns the signatures, and substitute the correct signature information. This builds on the technique from "Android in the root-free hook application of its own system services": no root is required, because the hook lives inside the app's own process and is implemented with a dynamic proxy plus reflection. Since the hook only needs to be installed once, at the program's entry point, the whole procedure can be automated. That was the idea of "a new posture for the application of signature verification in Android", which ended by saying that the procedure could be fully automated. This article does exactly that and develops a one-click tool named Kill_signed_tools (kstools).

II. Tool development process

Before turning to the tool itself, one more prerequisite: the principle behind icodetools, the automatic code-injection tool I developed earlier (see "Android Automatic Injection Code tool icodetools principle Analysis"). It works mainly with ASM and dex2jar: dex2jar converts classes.dex into a jar, ASM rewrites the class bytecode, and the result is converted back to dex. Because the hook code has to be inserted at the application's entry point, exactly this kind of tool is needed here. With the principle and preparation covered, the development process is as follows.

Step one: get the application's correct signature information

Because the hook intercepts the method that returns the signatures, it has to hand back the application's own correct signature information, so the first step is to obtain that signature from the APK. There is plenty of code that reads the signing certificate straight from the APK file, so it is not discussed further here.
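As an added example (not the article's or kstools' own code), the following Java reads the first v1 (JAR) signing certificate out of an APK and prints it in the lowercase-hex format produced by android.content.pm.Signature.toCharsString(), which is the format the hook later has to return. It uses only the JDK, takes the APK path from the command line, and assumes the APK carries a v1 signature (an APK signed only with the v2/v3 scheme has no META-INF signature blocks and is not handled here).

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: dump an APK's v1 signing certificate in Signature.toCharsString() form.
public class ApkSignatureDumper {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** Same encoding as android.content.pm.Signature.toCharsString(): lowercase hex of the DER bytes. */
    public static String toCharsString(byte[] der) {
        char[] out = new char[der.length * 2];
        for (int i = 0; i < der.length; i++) {
            out[2 * i] = HEX[(der[i] >> 4) & 0xf];
            out[2 * i + 1] = HEX[der[i] & 0xf];
        }
        return new String(out);
    }

    /** Returns the leaf certificate that signed the first non-META-INF entry of the APK. */
    public static X509Certificate firstSigningCert(String apkPath) throws Exception {
        try (JarFile jar = new JarFile(apkPath, true)) {   // true: verify digests while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // JarEntry.getCertificates() is only populated once the entry has been read to EOF;
                // a tampered entry makes the read throw a SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                Certificate[] certs = e.getCertificates();
                if (certs != null && certs.length > 0) return (X509Certificate) certs[0];
            }
        }
        throw new IllegalStateException("no v1 (JAR) signature found in " + apkPath);
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = firstSigningCert(args[0]);
        System.out.println(cert.getSubjectX500Principal());
        System.out.println(toCharsString(cert.getEncoded()));
    }
}
```

The hex string printed here is what goes into the tool's signature file: Android builds each Signature object from the certificate's DER encoding, so any check an app derives from it (MD5/SHA-1 of the bytes, hashCode(), string comparison) is satisfied as long as these exact bytes are returned.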

Step two: get the application's entry point

This step uses the AXMLPrinter.jar tool to decode the binary AndroidManifest.xml inside the APK into readable XML, which is then parsed with a pull parser to find the program entry. Note that an application generally has two possible entry points: a custom Application subclass and the launcher Activity. The custom Application runs first, so check for one first; only if there is none fall back to the activity carrying the MAIN/LAUNCHER intent filter. Whichever is found, make sure to resolve the full class name, i.e. package name + class name, since the manifest may use a relative name such as .MainApplication.
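The entry-point selection described above, as an added example that is not part of the original tool: given the decoded manifest text (the output of AXMLPrinter), it prefers a custom Application class, otherwise takes the MAIN/LAUNCHER activity, and also covers the case the paragraph does not mention where the launcher filter sits on an <activity-alias> (the class that runs is its targetActivity). Relative class names are qualified with the package name. The sample manifest at the bottom is constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// Added example: resolve the class whose code runs first from a decoded AndroidManifest.xml.
public class EntryResolver {
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    /** Fully qualified name of the entry class, or null if the manifest has no recognizable entry. */
    public static String resolveEntry(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The manifest comes out of an untrusted APK: refuse DOCTYPEs so no external entities are loaded.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));
        Element manifest = doc.getDocumentElement();
        String pkg = manifest.getAttribute("package");

        // Priority 1: a custom Application subclass runs before any Activity.
        NodeList apps = manifest.getElementsByTagName("application");
        if (apps.getLength() > 0) {
            String appClass = ((Element) apps.item(0)).getAttributeNS(ANDROID_NS, "name");
            if (!appClass.isEmpty()) return qualify(pkg, appClass);
        }
        // Priority 2: the MAIN/LAUNCHER component. For an <activity-alias> the code that
        // actually runs is the aliased targetActivity, not the alias name.
        for (String tag : new String[]{"activity", "activity-alias"}) {
            NodeList nodes = doc.getElementsByTagName(tag);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element el = (Element) nodes.item(i);
                if (!hasMainLauncherFilter(el)) continue;
                String attr = tag.equals("activity") ? "name" : "targetActivity";
                return qualify(pkg, el.getAttributeNS(ANDROID_NS, attr));
            }
        }
        return null;
    }

    static boolean hasMainLauncherFilter(Element component) {
        NodeList filters = component.getElementsByTagName("intent-filter");
        for (int i = 0; i < filters.getLength(); i++) {
            boolean main = false, launcher = false;
            NodeList kids = filters.item(i).getChildNodes();
            for (int j = 0; j < kids.getLength(); j++) {
                Node n = kids.item(j);
                if (n.getNodeType() != Node.ELEMENT_NODE) continue;
                String name = ((Element) n).getAttributeNS(ANDROID_NS, "name");
                main |= "action".equals(n.getNodeName()) && "android.intent.action.MAIN".equals(name);
                launcher |= "category".equals(n.getNodeName())
                        && "android.intent.category.LAUNCHER".equals(name);
            }
            if (main && launcher) return true;   // both must sit in the same intent-filter
        }
        return false;
    }

    /** Manifest names may be relative (".Main" or "Main"); the injector needs the full name. */
    static String qualify(String pkg, String name) {
        if (name.startsWith(".")) return pkg + name;
        if (!name.contains(".")) return pkg + "." + name;
        return name;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample (not a real app): no custom Application, launcher filter on an alias.
        String sample = "<manifest xmlns:android='" + ANDROID_NS + "' package='com.example.demo'>"
                + "<application android:label='demo'>"
                + "<activity android:name='.ui.Main'/>"
                + "<activity-alias android:name='.Launcher' android:targetActivity='.ui.Main'>"
                + "<intent-filter><action android:name='android.intent.action.MAIN'/>"
                + "<category android:name='android.intent.category.LAUNCHER'/></intent-filter>"
                + "</activity-alias></application></manifest>";
        System.out.println(resolveEntry(sample));
    }
}
```

Run on the constructed sample it resolves the alias to its target activity rather than to the alias itself, which is the class whose onCreate the hook must be injected into.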

Step three: insert the hook call

With icodetools and the entry class found in step two, the hook call is inserted dynamically. Note that it is best to add it in attachBaseContext, which runs before onCreate and is the earliest point in the app's lifecycle; if the entry class does not override that method, add it in onCreate instead. Either way it must be the very first statement of the method, so that it runs before any signature check. The ASM code to insert is also simple and can be generated with the ASM bytecode plugin.

Only this short ASM sequence needs to be added at the entry method; it does nothing but call into the hook class, ServiceManagerWraper, which is given later.
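One way to perform the insertion of step three, written here as an added example with ASM's tree API rather than the article's own icodetools code: it takes the bytecode of the entry class (as dex2jar produced it), looks for attachBaseContext(Context) first and falls back to onCreate, and prepends a static call to the hook. The hook class name ServiceManagerWraper is the page's; the method name hookPMS, its descriptor and the default package are assumptions for this example and must match the hook class actually shipped.

```java
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.tree.ClassNode;
import org.objectweb.asm.tree.InsnList;
import org.objectweb.asm.tree.LdcInsnNode;
import org.objectweb.asm.tree.MethodInsnNode;
import org.objectweb.asm.tree.MethodNode;
import org.objectweb.asm.tree.VarInsnNode;

// Added example: prepend ServiceManagerWraper.hookPMS(context, signature, pkg) to the entry method.
public class HookInjector {
    // Assumed names: adjust owner/package to where the hook class really lives in the tool.
    static final String HOOK_OWNER = "ServiceManagerWraper";
    static final String HOOK_NAME = "hookPMS";
    static final String HOOK_DESC = "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V";

    /** Returns rewritten class bytes in which the hook call is the first instruction of the entry method. */
    public static byte[] inject(byte[] classBytes, String pkgName, String signatureHex) {
        ClassNode cn = new ClassNode();
        new ClassReader(classBytes).accept(cn, 0);

        MethodNode target = null;
        int contextSlot = 0;
        // Preferred: attachBaseContext(Context base). Before super.attachBaseContext() runs,
        // `this` is not yet a usable Context, so the hook gets the `base` argument (slot 1).
        for (MethodNode mn : cn.methods) {
            if (mn.name.equals("attachBaseContext") && mn.desc.equals("(Landroid/content/Context;)V")) {
                target = mn;
                contextSlot = 1;
                break;
            }
        }
        // Fallback: onCreate (()V on an Application, (Landroid/os/Bundle;)V on an Activity).
        // There `this` (slot 0) is already a fully attached Context.
        if (target == null) {
            for (MethodNode mn : cn.methods) {
                if (mn.name.equals("onCreate")) {
                    target = mn;
                    contextSlot = 0;
                    break;
                }
            }
        }
        if (target == null) {
            throw new IllegalArgumentException(cn.name + " overrides neither attachBaseContext nor onCreate");
        }

        InsnList il = new InsnList();
        il.add(new VarInsnNode(Opcodes.ALOAD, contextSlot));
        il.add(new LdcInsnNode(signatureHex));
        il.add(new LdcInsnNode(pkgName));
        il.add(new MethodInsnNode(Opcodes.INVOKESTATIC, HOOK_OWNER, HOOK_NAME, HOOK_DESC, false));
        target.instructions.insert(il);   // insert() places the list before the first instruction

        // The prologue pushes three operands, so the max stack must be recomputed.
        ClassWriter cw = new ClassWriter(ClassWriter.COMPUTE_MAXS);
        cn.accept(cw);
        return cw.toByteArray();
    }
}
```

Because the instructions are inserted before the method's first label and contain no branches, existing stack-map frames stay valid; only the maximum stack depth changes, which COMPUTE_MAXS handles.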

Step four: repackage and re-sign

There are a number of intermediate steps, such as converting the jar back to dex and replacing the classes.dex inside the APK; these are already part of icodetools and are exactly the same here, so they are not repeated. The last step is to repackage the APK and sign it again.

III. Hook code analysis

With the tool workflow covered, the hook code itself is next. It is fairly simple and consists of two classes: a reflection class and a dynamic-proxy class.

The reflection class takes the Context passed in and uses reflection to replace the binder object of the package-manager service with the dynamic proxy object.

The proxy intercepts the method that obtains the signature information and substitutes the correct signature. The two classes are compiled, and their .class files are placed in the tool directory.
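The two classes described above, written out as an added example (this is not the article's own ServiceManagerWraper source, which the page does not reproduce): hookPMS obtains the process-wide IPackageManager binder through ActivityThread, wraps it in a java.lang.reflect.Proxy, and installs the proxy both in ActivityThread.sPackageManager and in the mPM field of the PackageManager the Context already holds; the handler lets the real PMS answer and then rewrites the signatures in getPackageInfo results for the app's own package. The internal field and method names are Android framework internals that vary by version, and the method name hookPMS and its parameters are assumptions for this example.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

// Added example: in-process PMS hook that returns the original signing certificate.
public class ServiceManagerWraper {

    /** Installs the proxy; meant to be the first statement of the entry class. */
    public static void hookPMS(Context context, String correctSignatureHex, String pkgName) {
        try {
            Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
            // ActivityThread.getPackageManager() returns, and lazily populates, the static
            // IPackageManager binder proxy shared by every ApplicationPackageManager in this process.
            Method getPm = activityThreadClass.getDeclaredMethod("getPackageManager");
            getPm.setAccessible(true);
            Object originalPm = getPm.invoke(null);

            Class<?> iPmInterface = Class.forName("android.content.pm.IPackageManager");
            Object proxy = Proxy.newProxyInstance(
                    iPmInterface.getClassLoader(),
                    new Class<?>[]{iPmInterface},
                    new PmsHookHandler(originalPm, correctSignatureHex, pkgName));

            // 1. ApplicationPackageManager instances created from now on pick up the proxy.
            Field sPmField = activityThreadClass.getDeclaredField("sPackageManager");
            sPmField.setAccessible(true);
            sPmField.set(null, proxy);

            // 2. The instance behind context.getPackageManager() already cached the real binder
            //    in its mPM field, so that reference is swapped as well.
            PackageManager pm = context.getPackageManager();
            Field mPmField = pm.getClass().getDeclaredField("mPM");
            mPmField.setAccessible(true);
            mPmField.set(pm, proxy);
        } catch (Exception e) {
            throw new RuntimeException("hookPMS failed", e);
        }
    }

    static final class PmsHookHandler implements InvocationHandler {
        private final Object base;
        private final Signature correct;
        private final String pkgName;

        PmsHookHandler(Object base, String correctSignatureHex, String pkgName) {
            this.base = base;
            this.correct = new Signature(correctSignatureHex);   // hex as from Signature.toCharsString()
            this.pkgName = pkgName;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            Object result;
            try {
                result = method.invoke(base, args);   // always let the real PMS answer first
            } catch (InvocationTargetException e) {
                throw e.getCause();                   // keep RemoteException etc. as the caller expects
            }
            // getPackageInfo(String pkg, int|long flags[, int userId]): only rewrite the answer for
            // this app when the caller asked for GET_SIGNATURES; every other package is untouched.
            if ("getPackageInfo".equals(method.getName())
                    && args != null && args.length >= 2
                    && pkgName.equals(args[0])
                    && (((Number) args[1]).longValue() & PackageManager.GET_SIGNATURES) != 0
                    && result instanceof PackageInfo) {
                ((PackageInfo) result).signatures = new Signature[]{correct};
            }
            return result;
        }
    }
}
```

Two limits worth knowing before relying on this: from Android 9 the non-SDK interface restrictions can refuse the reflective access to sPackageManager and mPM, and checks that do not go through the PMS binder at all, such as the API 28 GET_SIGNING_CERTIFICATES/signingInfo path, PackageManager.getPackageArchiveInfo (which parses the APK file locally), or native code reading META-INF itself, are not affected by this proxy.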

The final tool directory therefore has the following structure. To process an APK, copy it in here, rename it to src.apk and run Kstools.bat.

This works exactly like icodetools. When the run completes it produces a signed signed.apk and an unsigned unsigned.apk; use the latter if you want to sign with your own key.

Opening signed.apk in JADX shows the hook call at the first line of the entry method.

It has been added successfully.

IV. Instructions for using the tool

The tool as downloaded from GitHub contains the following files.

Because so many apps are now hardened (packed), a few points need attention:

First: if the app is hardened, you must unpack it first; this tool does not handle hardened apps by itself, so the APK has to be unpacked and repaired manually before continuing. The signature must still be read from the original APK, because the unpacked one no longer carries the developer's signature. For a hardened app the order is therefore: put the hardened APK in the current directory and drag it onto Apksign.bat, which extracts the correct signature information and saves it to Apksign.txt; then unpack and repair the APK, place the repaired file in the current directory as src.apk, and run Kstools.bat. Keep exactly this order, otherwise the result will be wrong.

Second: if the app is not hardened, just rename it to src.apk, put it in the current directory and run Kstools.bat directly. Note that an Apksign.txt left over from a previous run on a hardened app may still be in the directory; delete it by hand first, otherwise the operation fails.

Third: do not ask how to tell whether an app is hardened or not; that is a basic skill and is not covered here.

Fourth: what if the tool fails to obtain the app's signature information? Then it has to be obtained manually. There are many ways to do that; on the device itself the app's signature can be read through PackageManager.getPackageInfo with GET_SIGNATURES and converted with Signature.toCharsString().

Once you have the signature information, copy it into the Apksign.txt file in the tool directory.

Note: this is the tool's first release, so there are bound to be problems. Please use it and raise questions; if you hit any problem while running it, please provide the failing sample in the group so that I can look into it.

V. Summary of the tool development process

That completes the principle of the automatic signature-verification bypass tool; the original article summarizes the flow in a diagram.

As for the shortcomings of this tool: it has no effect on some hardened applications. I tried a number of hardened apps and they all failed in the end, but that does not make the tool useless, because not all applications are hardened; as long as an app is not hardened the tool works, and no matter where in the app the signature check is made, it can be bypassed.
