在分析某android软件的时候发现重打包的时候出现闪退现象,我就怀疑是签名校验,下面讲解一下分析过程。不对之错还请高手指出。工具/原料IDAWinHex方法/步骤1大家都知道Java端获得签名的代码如下:PackageInfoinfo=context.getPackageManager().getPackageInfo(context.getPackageName(),64);                              Signaturesign=info.signatures[0];从而我就从smali代码中搜索“signatures”,没找到,难道猜错了,看到有so文件,就拖进IDA中分析,然后在ida中搜索字符串”signatures”步骤阅读2有关键字出现, 然后我们跳转到对应的代码处,发现此程序是通过反射机制来获得签名的,使用Jni反射获得签名的代码如下:intgetSignHashCode(JNIEnv*env,jobjectcontext){         //Context的类         jclasscontext_clazz=(*env)->GetObjectClass(env,context);         //得到getPackageManager方法的ID         jmethodIDmethodID_getPackageManager=(*env)->GetMethodID(env,context_clazz,                           \"getPackageManager\",\"()Landroid/content/pm/PackageManager;\");         //获得PackageManager对象         jobjectpackageManager=(*env)->CallObjectMethod(env,context,                           methodID_getPackageManager);//       //获得PackageManager类         jclasspm_clazz=(*env)->GetObjectClass(env,packageManager);         //得到getPackageInfo方法的ID         jmethodIDmethodID_pm=(*env)->GetMethodID(env,pm_clazz,\"getPackageInfo\",                           \"(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;\");////       //得到getPackageName方法的ID         jmethodIDmethodID_pack=(*env)->GetMethodID(env,context_clazz,                           \"getPackageName\",\"()Ljava/lang/String;\");         //获得当前应用的包名         jstringapplication_package=(*env)->CallObjectMethod(env,context,                           methodID_pack);         constchar*str=(*env)->GetStringUTFChars(env,application_package,0);         __android_log_print(ANDROID_LOG_DEBUG,\"JNI\",\"packageName:%s\\n\",str);         //获得PackageInfo         jobjectpackageInfo=(*env)->CallObjectMethod(env,packageManager,                           methodID_pm,application_package,64);         jclasspackageinfo_clazz=(*env)->GetObjectClass(env,packageInfo);         jfieldIDfieldID_signatures=(*env)->GetFieldID(env,packageinfo_clazz,                           \"signatures\",\"[Landroid/content/pm/Signature;\");         jobjectArraysignature_arr=(jobjectArray)(*env)->GetObjectField(env,                           packageInfo,fieldID_signatures);         //Signature数组中取出第一个元素         jobjectsignature=(*env)->GetObjectArrayElement(env,signature_arr,0);         //读signature的hashcode         jclasssignature_clazz=(*env)->GetObjectClass(env,signature);         jmethodIDmethodID_hashcode=(*env)->GetMethodID(env,signature_clazz,                           \"hashCode\",\"()I\");         jinthashCode=(*env)->CallIntMethod(env,signature,methodID_hashcode);         __android_log_print(ANDROID_LOG_DEBUG,\"JNI\",\"hashcode:%d\\n\",hashCode);         returnhashCode;};步骤阅读3是一个简单的校验过程,这里我本以为很简单的把0x23366地址的代码NOP掉,然后重新打包测试发现软件会直接发生错误,看来这样直接NOP不行,那么我们就换种思路,我这边是直接将r8中正确的签名值复制到r5中, 我们需要Patch汇编代码进去,可直接修改getSigns函数, 首先我们编写一段复制的汇编代码.globl_start.align2_start:.code16   PUSH   {R4-R7,LR}         movr2,r0         movr3,r8         movr1,#0loop:         ldrbr1,[r3]         strbr1,[r2]         addr2,#1         addr3,#1         cmpr1,#0         bneloop         POP    {R4-R7,PC}然后我们使用as.exe来编译这段代码asstrcpy.asm-ostrcpy.o在使用IDA反编译 strcpy.o文件步骤阅读4获得代码的16进制值为“F0B5021C4346002119781170013201330029F9D1F0BD”然后WinHex打开libxiangqi.so文件定位到getSigns函数文件偏移为0xB04A8,然后使用我们代码覆盖之,结果如下图步骤阅读5 再重打包就OK了.步骤阅读END