Tutorial Modifying Android APKs which does self certificate checking

Kaustuv 90

Kaustuv 90

Platinian
Original poster
Dec 30, 2019
10
16
13
29
India
When I modify an Android app which is not mine, I use apktool to unpack the APK, modify the smali, use apktool to pack it, and finally sign it using my own key. This works for most of the Apps. However, some Apps explicitly perform certificate checking in their code. The following code snippet illustrates such checking:

Code: 
PackageManager pm = myContext.getPackageManager();
PackageInfo info = pm.getPackageInfo("my.package.name", PackageManager.GET_SIGNATURES);
String expectedSig = "308203a5...";
if (!expectedSig.equals(info.signatures[0].toCharsString()) {
  quit();
}
One way to fix this is by removing the “if” block, but it’s difficult to locate all such if blocks, especially in smali. A more convenient way is to hook the PackageManager.getPackageInfo() API and change info.signatures to the original APK’s signature. The following code snippet illustrates such hooking:

Code: 
PackageManager pm = myContext.getPackageManager();
PackageInfo info = PatchSignature.getPackageInfo(pm, "my.package.name", PackageManager.GET_SIGNATURES);
...
public class PatchSignature {
  public static PackageInfo getPackageInfo (PackageManager pm, String packageName, int flags) throws PackageManager.NameNotFoundException
  {
    PackageInfo info = pm.getPackageInfo(packageName, flags);
    if ("my.package.name".equals(packageName) &&
        info.signatures != null && info.signatures.length > 0 &&
        info.signatures[0] != null)
      info.signatures[0] = new Signature("308203b6...");
    return info;
  }
}
Three things need to be done here:

  1. Change all PackageManager.getPackageInfo() to PatchSignature.getPackageInfo().
  2. Add class PatchSignature.
  3. Find out the correct signature.
It is very easy to locate and replace all PackageManager.getPackageInfo() calls in the smali code. All we need to do is replacing:
Code: 
invoke-virtual {PARAM1, PARAM2, PARAM3}, Landroid/content/pm/PackageManager;->getPackageInfo(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;
with

Code: 
invoke-static {PARAM1, PARAM2, PARAM3}, LPatchSignature;->getPackageInfo(Landroid/content/pm/PackageManager;Ljava/lang/String;I)Landroid/content/pm/PackageInfo;

The smali code for PatchSignature can be easily obtained by writing a simple app with the java code and disassemble it. Now we have only one problem remaining, how to obtain the original certificate? I.e. what should we put in new Signature("...")?

Here’s what I found the most convenient way:

Code: 
openssl pkcs7 -inform DER -print_certs -in unpacked-app-using-apktool/original/META-INF/CERT.RSA | openssl x509 -inform PEM -outform DER | xxd -p
 
  • Like
Reactions: Polar.Bear, Numark, Amitsaha and 5 others
Eliseu Felisberto

Eliseu Felisberto

Rookie
Nov 6, 2019
1
0
1
25
Brasil
how to create this text ??


const-string/jumbo v0, "308205873082036fa003020102021500eba7fcba162201a19b5ac9cbd788b27b29c52c41300d06092a864886f70d01010b05003074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f6964301e170d3138303330353136343331345a170d3438303330353136343331345a3074310b3009060355040613025553311330110603550408130a43616c69666f726e6961311630140603550407130d4d6f756e7461696e205669657731143012060355040a130b476f6f676c6520496e632e3110300e060355040b1307416e64726f69643110300e06035504031307416e64726f696430820222300d06092a864886f70d01010105000382020f003082020a02820201009ca1e1d27e6420fdb9d76f18f9eef5a4728b79342be3bc4a8989ff288668736fe112ba14c038c486ec8aad8e6c859f63fd43f7add087bb0c9bf14996bb70ef61db33c6373d84957a01c4ef4187d237b87e5904f652e7f5e28a93b48c702e0dd574799658832a3ccb8fac72fc07efbdbfc7d2b52cc0f62e19c03bc3e22da35fffd97535f903139e34ebcd5abde90278de8fedb90cbbda8d00cb473b8b3f00fc6e6ffd8643474cef9ae3beff19551affc88e81aab5accba489ef7a625e564f516752dd49cc611080fcdbc26db31558de679bfc7e1e887474e10672446ec262132dd9307924a4724fa85ad06c7721dce1df268d9ed487b13aaebb0ebadd5a812133e3a96e19c47858801a539eab7679cfc773c8e8e4eee3d9b8057c4ae509830c93d1fa7414d8562edc221eddbedd23241540f37c9c7d2890d8966f2bb44a5a8be182f47bd74f95125d4c267b37bab680502038bdcd8a6f122cbb9aafcf6352fa460eb057ea7f74a5caf3b4f2048ee3892125e34044e0656b779dc97fb4c0a71c0b30ad473887eeb440a0add0c0ec82d704d03c39f51eee6a8abac79913b943eef3a931d4acb91dd207a0dc4f8396b4888bc6bd54498d237dfc5f9c9a5925524b3e6528ce1b14b5d56e7bd5d52dbc7944ff6611fce79af91f22b2ac68f8a2323d9b63bd13b8ff2ef54d7c08f76e1418e3f0690f1a90105ee4f56b324eb2795f8e730203010001a310300e300c0603551d13040530030101ff300d06092a864886f70d01010b0500038202010066ebde2e898c222134da9d90d7b83af0fb3a0da8f13206f8a1237912adcf6b4e855df6453fd93e04ea275cf21350e582d8db5bd9ff84e0e1b906893b5ea88d23ff18d3dbf41f95c53ecb44a6a62668a89e4cd147978df617c5dde96379cb841bd1c87e5334abd1600d8631ceb1582985965c8205d32648fe73d786caa2a35428a1089d113838487df2ac2e04a5411e070d4000289a84c61cad9c1b39d382b0fb1ba8b74887c688dc1abbd4fc12c3e36e93aba5275ab5576450cf810e535c21282c82c2845606587cfb68089a235dac54c55ae2c0c62e044e089b9fcdb585b6f8ea0d99251ea7f36a6fa3bd402c2595994b01006002b0a37d397e798f543d0e95f606a6c81076b4779082391bd077a563bf717f737a36615c5f1fb6227b7463c881400572914c91a6887a868521c0ee0758fc5b9762ddaf686c4e496c00855f92b3c6fba97cb2f28773dc6c6d4c34e556144eff94692816df0ce875f5fde840522741e0159c0bee5b77ed50175c176b030ca4a956248ad5db0e9e32fa4089285c7148c31d7725992cc09e6b2455efd3359c538a16d4fb65ed1ddb263d3392bd75100bda41f1254376459e9d4359fb5ad05f71dbad6297f3c376e39cb7a7e4d47cf09c845ded80c174597c26a52381245352cff90659fae42d85c5ea9b82df49c55871af0a553d7917bf9d046c2c55b631046cf2b30ace4ea8209d8f853773dfd5"
 
You must log in or register to reply here.
Top Bottom