APK signature verification Bypass

Source: Internet
Author: User

0x01 Android signature mechanism

Rename the APK to .zip and unpack it: the META-INF folder contains MANIFEST.MF, CERT.SF and CERT.RSA, the signature files generated by signapk.jar.

1. MANIFEST.MF file:

The tool walks every entry in the APK (the example uses update.apk). For each entry that is not a directory and not one of the signature files themselves, it computes a SHA1 digest of the entry content and base64-encodes it. The code is in this method:

private static Manifest addDigestsToManifest(JarFile jar)

The key code is

    // Excerpt from signapk's addDigestsToManifest. byName holds the jar entries sorted by name,
    // md is a SHA1 MessageDigest, buffer/num are the read buffer and byte count, input is the
    // existing manifest (may be null), output is the manifest being built, and stripPattern
    // is an optional filter for entries to skip.
    for (JarEntry entry : byName.values()) {
        String name = entry.getName();
        if (!entry.isDirectory() && !name.equals(JarFile.MANIFEST_NAME) &&
            !name.equals(CERT_SF_NAME) && !name.equals(CERT_RSA_NAME) &&
            (stripPattern == null || !stripPattern.matcher(name).matches())) {
            InputStream data = jar.getInputStream(entry);
            while ((num = data.read(buffer)) > 0) {
                md.update(buffer, 0, num);
            }
            Attributes attr = null;
            if (input != null) attr = input.getAttributes(name);
            attr = attr != null ? new Attributes(attr) : new Attributes();
            // one "SHA1-Digest: <base64>" line per entry
            attr.putValue("SHA1-Digest", base64.encode(md.digest()));
            output.getEntries().put(name, attr);
        }
    }

The generated digests are then written out as the MANIFEST.MF entry. The key code is as follows:

    Manifest manifest = addDigestsToManifest(inputJar);
    je = new JarEntry(JarFile.MANIFEST_NAME);
    je.setTime(timestamp);
    outputJar.putNextEntry(je);
    manifest.write(outputJar);

2. Generate the CERT.SF file:

The manifest generated in the previous step is signed with the private key using the SHA1withRSA algorithm. The key code is as follows:

    Signature signature = Signature.getInstance("SHA1withRSA");
    signature.initSign(privateKey);
    je = new JarEntry(CERT_SF_NAME);
    je.setTime(timestamp);
    outputJar.putNextEntry(je);
    writeSignatureFile(manifest, new SignatureOutputStream(outputJar, signature));

3. Generate the CERT.RSA file:

No key is needed to produce MANIFEST.MF, and the private key is used to produce CERT.SF, so it is easy to guess that CERT.RSA is where the public key goes. CERT.RSA holds the signature block together with the signer's public key (certificate) and the algorithm used. The core code is as follows:

    je = new JarEntry(CERT_RSA_NAME);
    je.setTime(timestamp);
    outputJar.putNextEntry(je);
    writeSignatureBlock(signature, publicKey, outputJar);
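As an added example (not signapk's code), the MANIFEST.MF digest rule above written out in Python: it builds the per-entry SHA1-Digest list for a constructed set of entries, parses it back, and checks every entry of a zip against it, so a package whose classes.dex was replaced without regenerating the manifest is reported. Entry names and contents are constructed sample data.

```python
import base64, hashlib, io, zipfile

# Entries that signapk.jar leaves out of the digest list (the name checks in the loop above).
SIGNING_FILES = {"META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"}

def sha1_b64(data: bytes) -> str:
    # SHA1 of the entry content, base64-encoded: exactly what addDigestsToManifest stores
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_manifest(entries: dict) -> bytes:
    """MANIFEST.MF as addDigestsToManifest would write it: one SHA1-Digest per entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name in sorted(entries):                      # signapk sorts entries by name
        if name.endswith("/") or name in SIGNING_FILES:
            continue
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(entries[name])}", ""]
    return ("\r\n".join(lines) + "\r\n").encode()

def parse_manifest(raw: bytes) -> dict:
    """{entry name: SHA1-Digest} parsed from a MANIFEST.MF body.
    Caveat: real manifests wrap lines over 72 bytes onto continuation lines; the
    constructed names here are short, so that case is not handled."""
    digests, name = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests

def make_apk(entries: dict, manifest=None) -> bytes:
    """Constructed sample package; pass a stale manifest to model a repack that kept the old one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", manifest or build_manifest(entries))
    return buf.getvalue()

def verify_manifest(apk: bytes) -> list:
    """Names of entries missing from MANIFEST.MF or whose content no longer matches its digest."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        return [i.filename for i in zf.infolist()
                if not i.is_dir() and i.filename not in SIGNING_FILES
                and expected.get(i.filename) != sha1_b64(zf.read(i))]

# Constructed sample entries (not a real APK) and a copy whose classes.dex was replaced.
ORIGINAL = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00original"}
REPACKED = {**ORIGINAL, "classes.dex": b"dex\n035\x00patched"}
```

`verify_manifest(make_apk(ORIGINAL))` returns an empty list, while `verify_manifest(make_apk(REPACKED, build_manifest(ORIGINAL)))` names classes.dex; CERT.SF and CERT.RSA then bind this manifest to the signer's key, which is the part a repacker must regenerate.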

An app reads its own signature through PackageManager, as follows:

    // manager is the PackageManager, builder a StringBuilder, signature the resulting String
    packageInfo = manager.getPackageInfo(pkgname, PackageManager.GET_SIGNATURES);
    signatures = packageInfo.signatures;
    for (Signature signature : signatures) {
        builder.append(signature.toCharsString());
    }
    signature = builder.toString();

A typical app then compares this signature value against an expected constant to decide whether it has been repackaged.

0x02 Signature bypass methods

Before discussing bypass methods, you need to tell DEX checksum verification apart from signature verification:

1. Open the APK as a zip archive, delete the original signature files, and re-sign it. If the app installs and runs normally this way, but repackaging it with an IDE tool (which decompiles and recompiles the dex) produces abnormal behaviour such as a crash on launch or a "not genuine" pop-up, the app is checking the DEX file.

2. Open the APK as a zip archive, delete the original signature, and re-sign it. If the app misbehaves after installation, it is checking the signature. If the misbehaviour also occurs with the network disconnected, the signature is checked locally; if the first error instead says the network is not connected, the signature is verified on the server.

2.1 Java-layer verification

The methods that obtain and check the signature are written in the app's Java code. Example:

1. Decompile the APK with APKIDE, make no changes, recompile it, then install and run it. The app shows the following prompt:

3. Here the signature is obtained and then compared, and the comparison is what gets modified. For example, if-nez is where the check is made; changing ne to eq, i.e. if-eqz v2, :cond_0, lets the program get past the local signature check.

2.2 NDK verification

The key code is placed in a native .so library, which obtains the signature and verifies it at the native layer. Because the obtaining and checking methods are compiled into a native library, this offers some protection. Example:

1. Decompile the APK with APKIDE, make no changes, and recompile it. After installation, the app runs and exits without any prompt.

2. Search for "signature" (or for the error prompt) in APKIDE to locate the signature verification code.

3. Open AppActivity in JD-GUI. The package name is obtained here, and an MD5 is then computed over it.

4. Searching the program for getSignature shows that nothing in the Java code calls it, so it is presumably called back from the native library loaded via loadLibrary.

5. Searching the code shows that libcocos2dcpp.so is the library making the callback.

6. Open libcocos2dcpp.so in IDA, search for getSignature, and find where it is called.

The code shows that the callback calls org.cocos2dx.cpp.AppActivity.getSignature.

7. The F5 (decompiled) output shows that this function is the one that checks the signature. Double-click into it; part of the code is as follows.

8. As you can see, changing BEQ loc_11F754 so that it no longer jumps to the jjni --> error branch gets past the signature verification. In the HEX view, go to offset 0011F73E in 010editor and change D0 to D1; the signature verification is bypassed.

2.3 Server verification

The signature is obtained in the app's Java layer and uploaded to the server, which verifies it and returns the result.

For example, if the network is disconnected during the check, an error is shown.

Since the verification happens over the network, the verification data has to be sent to the server and checked there. Let's look at a simple case first; a harder one is for another time.

1. Configure the phone for packet capture and capture the traffic. The first figure shows the request from the original APK and the second the request from the recompiled APK. Comparing them, the public_key value in the cookie differs; once it is replaced with the original value, the APK works normally.

2. Put the correct public_key into the APK. Open the decompiled code, search for "signatures", and locate the signature code.

As you can see, the code stores the signatures value in v4 and then passes it to Utils->mPublicKey, so the correct public_key is assigned to v4 instead.

Then repackage and reinstall the APK.

0x03 Summary

Java-layer verification is easily bypassed. Native (.so) verification is harder to analyse. Network verification is easy to bypass when the server only does a string comparison.
