1.还是和往常一样,先看看加固了没。
2.发现没加固,那省事了,直接拖进jadx里看看,确实没加固。
3.还是和之前一样,上算法助手,看看情况。
4.找到了一个地方,jadx看看,没发现啥。
5.使用查找用例,看看啥地方还用了它,跳转过去一看,没反编译出来。
6.上JEB看看,这边是啥逻辑。
7.看到个isVip,跳转过去看看,发现几个vip相关的东西。
8.到jadx上搜一下这个isVip,我们去hook它一下
function main() {Java.perform(function () {console.log("启动");let Membership = Java.use("com.xxxx.xxxx.xxxx.data.Membership");Membership["isVip"].implementation = function () {console.log(`Membership.isVip is called`);let result = this["isVip"]();console.log(`Membership.isVip result=${result}`);return result;};Membership["getVipExpireDate"].implementation = function () {console.log(`Membership.getVipExpireDate is called`);let result = this["getVipExpireDate"]();console.log(`Membership.getVipExpireDate result=${result}`);return result;};Membership["getVipLevel"].implementation = function () {console.log(`Membership.getVipLevel is called`);let result = this["getVipLevel"]();console.log(`Membership.getVipLevel result=${result}`);return result;};Membership["getMaxLoginNum"].implementation = function () {console.log(`Membership.getMaxLoginNum is called`);let result = this["getMaxLoginNum"]();console.log(`Membership.getMaxLoginNum result=${result}`);return result;};Membership["getChannel"].implementation = function () {console.log(`Membership.getChannel is called`);let result = this["getChannel"]();console.log(`Membership.getChannel result=${result}`);return result;};Membership["isBeta"].implementation = function () {console.log(`Membership.isBeta is called`);let result = this["isBeta"]();console.log(`Membership.isBeta result=${result}`);return result;};});}setTimeout(main, 500);
9.根据返回的值,对脚本进行修改,返回false的改成true,返回数值的修改成大值等,还有个返回一串数字,经过观察怀疑是时间戳,拿去转换一下看看值,发现正好和VIP到期日期对上了。
10.所以,我们对脚本进行修改,修改后的脚本如下:
function main() {Java.perform(function () {console.log("启动");let Membership = Java.use("com.xxxx.xxxx.xxxx.data.Membership");Membership["isVip"].implementation = function () {console.log(`Membership.isVip is called`);let result = this["isVip"]();console.log(`Membership.isVip result=${result}`);return true;};Membership["getVipExpireDate"].implementation = function () {console.log(`Membership.getVipExpireDate is called`);let result = this["getVipExpireDate"]();console.log(`Membership.getVipExpireDate result=${result}`);return 17694248497;};Membership["getVipLevel"].implementation = function () {console.log(`Membership.getVipLevel is called`);let result = this["getVipLevel"]();console.log(`Membership.getVipLevel result=${result}`);return 5;};Membership["getMaxLoginNum"].implementation = function () {console.log(`Membership.getMaxLoginNum is called`);let result = this["getMaxLoginNum"]();console.log(`Membership.getMaxLoginNum result=${result}`);return 10;};Membership["getChannel"].implementation = function () {console.log(`Membership.getChannel is called`);let result = this["getChannel"]();console.log(`Membership.getChannel result=${result}`);return result;};Membership["isBeta"].implementation = function () {console.log(`Membership.isBeta is called`);let result = this["isBeta"]();console.log(`Membership.isBeta result=${result}`);return result;};});}setTimeout(main, 1000);
11.hook修改完成后,发现我们获得了永久VIP。
12.接下来我们还是去做持久化,还是使用xposed写插件,关键代码如下:
if (loadPackageParam.packageName.equals("com.xxxx.xxxx"))Log.d(tag, "xxxx已選中");XposedHelpers.findAndHookMethod("com.xxxx.xxxx.xxxx.data.Membership", loadPackageParam.classLoader, "isVip", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {param.setResult(true);}});XposedHelpers.findAndHookMethod("com.xxxx.xxxx.xxxx.data.Membership", loadPackageParam.classLoader, "getVipLevel", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {param.setResult(5);}});XposedHelpers.findAndHookMethod("com.xxxx.xxxx.xxxx.data.Membership", loadPackageParam.classLoader, "getMaxLoginNum", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {param.setResult(10);}});XposedHelpers.findAndHookMethod("com.xxxx.xxxx.xxxx.data.Membership", loadPackageParam.classLoader, "getVipExpireDate", new XC_MethodHook() {protected void afterHookedMethod(MethodHookParam param) throws Throwable {param.setResult(Long.valueOf(17694248497L));}});
13.突然想起来,它没加固,那我们直接给它去签名校验,修改包里的内容,重新打包不就好了,说干就干,先用apktool解包
14.然后在文件夹中搜索这些参数,第一个我们搜索修改isVip这个值。
修改前
修改后
15.修改第二个值
修改前
修改后
16.修改第三个值
修改前
修改后
17.修改第四个值
修改前
修改后
18.这里的值0x8500aa31,是怎么来的呢?先用实际时间转换出一个时间戳,再把这个时间戳转换为16进制
19.改完之后,进行重打包即可,若遇到下面报错,说明你太贪心了时间戳改太大了
20.重打包,重签名之后,进行安装即可使用。
21.打出包之后自己随意注册个账号,就能用,若出现负值,则是改的太大了,我这里用的2030年的不会出现这个问题
· 今 日 推 荐 ·
本文内容来自网络,如有侵权请联系删除
原文始发于微信公众号(逆向有你):安卓逆向 -- 某手柄映射软件永久VIP会员获取
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论