前言中提到的相关工具和脚本同步请参见: https://github.com/Chen ls/crack-Android-system-signature,linux上提供的一站式脚本: run.sh
如果需要使用系统级API (如HIDL服务),APK会在APP应用程序的AndroidManifest.xml的manifest节点上显示Android 3360 shared userid=' Android.uid.syid
如果未使用系统签名,安装将报告以下错误:
$ adbinstalloutputtxbjv3_ double.apkperformingstreamedinstalladb : failedtoinstalloutputtxbjv3_ double.apk : fail utxbjv tion failed . reconcile failed : package com.example.testhasnosignaturesthatmatation ignoring ]对应的日志目录日志如下
04-1516336038336035.09917161815 wpackagemanager 3360 com.Android.server.pm.packagemanagerservice $ reconcile failure 335 ignoring 04-1516336038336035.09917161815 wpackagemanager : atcom.Android.server.pm.packagemanagerserservice.reconcile 04-1516336038336035.09917161815 wpackagemanager : atcom.Android.server.pm.packagemanagerservice.installllpackagesionager 04-1516336038336035.09917161815 wpackagemanager : atcom.Android.server.pm.packagemanagerservice.installllpackagesionager 04-1516336038336035.09917161815 wpackagemanager 3360 atcom.Android.server.pm.packagemanagerservice.lambda $ proces essess 04-1516336038336035.09917161815 wpackagemanager 3360 atcom.Android.server.pm.- $ $ lambda $ packagemanagerservice $ $ 7161815 wpackagemanager : at Android.OS.handler.handle callback (handler 04-1516336038336035.09917161815 wpackagemager 04-1516336038336035.09917161815 wpackagemanager : at Android.OS.looper.loop (04-151633603836035.09917161815 wpackagage 04-1516336038336035.09917161815 wpackagemanager 3360 atcom.Android.server.service thread.run (更正错误位置并解密Android系统签名
何操作吧! 思路总共分为7个步骤:
通过Android源码找到PackageManagerService.java最终编译出来对应到设备的文件,也就是/system/framework/services.jar;从设备中pull出services.jar,提取services.jar中的classes.dex的文件;使用baksmali工具将classes.dex转成smali文件;修改smali文件中验证签名时报错的代码;使用smali工具将smali文件转回dex文件;将修改后的dex文件,重新打包成services.jar;push修改后的services.jar到设备,然后重启,此时就可以直接安装未系统签名的APK了。 过程 查看android源码根据报错信息"has no signatures that match those in shared user"我们可以查到对应的源码PackageManagerServiceUtils.java;
通过源码位置,我们倒推查看编译脚本。services/core/Android.bp 中编译了PackageManagerServiceUtils.java文件,生成services.core library,services/Android.bp 中依赖了services.core library,生成services library,也就是services.jar,对应到设备中/system/framework/services.jar文件。
我们要想对其原有逻辑修改,可以直接修改Android原生源码,编译后再push到设备中验证,但是由于一般的厂家都会对Android原生源码进行定制,导致源码不匹配。所以我们只能将设备当前的/system/framework/services.jar文件pull出来对其修改后,再push到原设备(注意此处需要root权限),以此保证其兼容性。
pull services.jar文件,并解压:
echo "pull /system/framework/services.jar"adb pull /system/framework/services.jarecho "backup services.jar to services_bak.jar"cp services.jar services_bak.jarecho "unzip services.jar to ./services dir"rm -rf servicesunzip services.jar -d services &>/dev/null 解压services.jar得到classes.dex查看services文件夹内容,其中有两个dex文件:
$ tree servicesservices├── classes2.dex├── classes.dex├── com│ └── ...└── META-INF └── MANIFEST.MF12 directories, 12 files根据报错信息,查找我们要修改源码对应的dex文件:
$ tree dex=$(grep -lr "has no signatures that match those in shared user" services)echo "need modify file: $dex" baksmali反编译jar工具包:smali和baksmali,下载地址:https://bitbucket.org/JesusFreke/smali/downloads/,此处我们使用目前最新版本:2.5.2。
使用baksmali-2.5.2.jar反编译dex得到smali文件:
echo "dex2smali to ./out dir"rm -rf outjava -jar baksmali-2.5.2.jar d $dex 修改smali文件PackageManagerServiceUtils.java的源码:
public static boolean verifySignatures(PackageSetting pkgSetting, PackageSetting disabledPkgSetting, PackageParser.SigningDetails parsedSignatures, boolean compareCompat, boolean compareRecover) throws PackageManagerException { ... // line:689 if (!match) { throw new PackageManagerException(INSTALL_FAILED_SHARED_USER_INCOMPATIBLE, "Package " + packageName + " has no signatures that match those in shared user " + pkgSetting.getSharedUser().name + "; ignoring!"); } ... // line:725 if (!parsedSignatures.hasCommonAncestor( pkgSetting.getSharedUser().signatures.mSigningDetails)) { throw new PackageManagerException(INSTALL_FAILED_SHARED_USER_INCOMPATIBLE, "Package " + packageName + " has a signing lineage " + "that diverges from the lineage of the sharedUserId"); } ...}我们可以直接修改verifySignatures()方法中如上两个if处,使其条件不成立,从而不会抛出异常。
对应到的smali代码,将if-eqz改成if-nez ,即将if==0 改成 if!=0:
.line 725 invoke-virtual {p2, v5}, Landroid/content/pm/PackageParser$SigningDetails;->hasCommonAncestor(Landroid/content/pm/PackageParser$SigningDetails;)Z move-result v5 if-eqz v5, :cond_16f // 将其改成if-nez v2, :cond_16f,即将if==0 改成 if!=0 goto :goto_1b1 .line 727 :cond_16f ... const-string v3, " has a signing lineage that diverges from the lineage of the sharedUserId" ... invoke-direct {v5, v4, v3}, Lcom/android/server/pm/PackageManagerException;-><init>(ILjava/lang/String;)V throw v5 ... .line 689 :cond_105 const/4 v4, -0x8 if-eqz v2, :cond_189 // 将其改成if-nez v2, :cond_189 ,即将if==0 改成 if!=0 ... :cond_189 new-instance v5, Lcom/android/server/pm/PackageManagerException; ... const-string v3, " has no signatures that match those in shared user " invoke-virtual {v6, v3}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;smali相关语法可参考:Smali基础语法总结。
对应bash修改脚本:
modify() { # 文件和行号 file_and_line=$(grep -nr "$1" out) if [ -n "$file_and_line" ]; then # 文件 file=$(echo $file_and_line | awk -F ":" '{print $1}') # 行号 line_e=$(echo $file_and_line | awk -F ":" '{print $2}') # 倒推30行 let "line_s=line_e-30" # 部分内容 # cat $file | head -n $line_e | tail -n +$line_s modify_content=$(cat $file | head -n $line_e | tail -n +$line_s | grep ':cond_' | tail -1) # 需要修改的所在行号 modify_content_str=$(grep -n $modify_content $file) modify_content_line=$(echo $modify_content_str | awk -F ":" '{print $1}') # 进行修改 sed -i "${modify_content_line}s/if-eqz/if-nez/g" $file echo "$file:$modify_content_line modify 'if-eqz --> if-nez'" else echo "!!! not found: $1" fi}modify "has no signatures that match those in shared user"modify "has a signing lineage that diverges from the lineage of the sharedUserId" smali编译将修改后的smali文件,编译成dex文件:
echo "smali2dex to ./out.dex file"java -jar smali-2.5.2.jar a outecho "move ./out.dex to $dex file"mv out.dex $dex 重新打包jar将修改后的classes.dex,打包成jar:
echo "re tar ./services ./services.jar file"# 也可以归档管理器直接打开,不解压替换classes2.dexjar cvfm services.jar services/META-INF/MANIFEST.MF -C services/ . &>/dev/null push services.jar并重启将修改后的services.jar push到设备并重启:
echo "push ./services.jar file"adb wait-for-device rootadb remountadb push services.jar /system/framework/services.jaradb reboot 总结在有root权限情况下,我们通过smali相关工具反编译services.jar后,对其修改后,达到了直接安装需要系统签名的APK。