A new hook method for NetEase Minecraft (网易我的世界), plus removing the signature check
The hook methods in common use against NetEase Minecraft today are the traditional one (unpack the APK, patch the smali, re-inject) and the LSPatch-style one from the LSPosed project (hook MainActivity's Context through AppComponentFactory); the more advanced shadowhook needs no introduction here. Each of the first two has its own shortcomings. The unpacking route has to be redone on a physical device every time the game updates, which is a lot of work. AppComponentFactory is convenient, but it cannot place a targeted hook on getPackageSignMd5, and the traditional PMS (PackageManagerService) signature bypass can also fail to take effect at load time. Xposed-style hooking (xphook) is not discussed here because NetEase added Xposed detection in version 3.6.5.
Yidun (网易易盾), the hardening NetEase uses on Minecraft, does not go through dex2c; it encrypts the dex into a .so and loads it through a ClassLoader, so a dex containing MainActivity is present in the running process. We can therefore take the already-unpacked MainActivity and package it into a jar ahead of time (the original post links a download), open an Android IDE, create a new Android project, and reference the jar in Gradle:

implementation fileTree(dir: 'libs', include: ['*.jar'])

Then create a new Activity, change its superclass to com.mojang.minecraftpe.MainActivity, and override onCreate (CuteActivity is used as the example):
import android.content.Context;
import android.os.Bundle;
import android.widget.Toast;
import com.mojang.minecraftpe.MainActivity;

public class CuteActivity extends MainActivity {
    @Override
    public void onCreate(Bundle arg0) {
        super.onCreate(arg0);
        hook(this);
    }

    private void hook(Context context) {
        // Custom injected payload goes here
        Toast.makeText(context, "MainActivity hooked", Toast.LENGTH_LONG).show();
    }
}
Build the project into an APK, then open its dex and delete every class except CuteActivity: with implementation, the jar's classes (MainActivity included) are compiled into the dex and would clash with the ones the shell loads (declaring the jar as compileOnly keeps them out of the dex from the start). Place the dex that now contains only CuteActivity in the root of the target APK, next to AndroidManifest.xml (axml); the runtime only loads classes.dex, classes2.dex, ... from there, so name it as the next number in that sequence.

Next, in AndroidManifest.xml replace every occurrence of com.mojang.minecraftpe.MainActivity with the fully qualified name of CuteActivity. The injection is done.
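As an added example that is not part of the original post: before dropping the stripped dex into the target APK, confirm offline that it defines only CuteActivity and that com.mojang.minecraftpe.MainActivity appears in it only as a referenced superclass, not as a class of its own. The Python script below reads the dex header, string/type ID tables and class_defs directly (dex stores class names as descriptors such as Lcom/example/cute/CuteActivity;). The package com.example.cute and the helper names are this example's own assumptions, and build_dex fabricates a minimal dex purely as constructed test input so the script runs without a real build.

```python
import struct

# dex header field offsets (AOSP dex format); each *_SIZE_OFF is followed by the u4 table offset
HEADER_SIZE = 0x70
STRING_IDS_SIZE_OFF = 0x38
TYPE_IDS_SIZE_OFF = 0x40
CLASS_DEFS_SIZE_OFF = 0x60
DATA_SIZE_OFF = 0x68
NO_INDEX = 0xFFFFFFFF

CUTE = "Lcom/example/cute/CuteActivity;"        # assumed package for the injected Activity
MAIN = "Lcom/mojang/minecraftpe/MainActivity;"  # superclass that must stay external to our dex


def _uleb128(buf, off):
    """Decode an unsigned LEB128 value, returning (value, offset_after)."""
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def _string(buf, string_ids_off, idx):
    """string_ids[idx] is a u4 offset to a string_data_item: uleb128 utf16 size, MUTF-8 bytes, NUL."""
    data_off, = struct.unpack_from("<I", buf, string_ids_off + 4 * idx)
    _, start = _uleb128(buf, data_off)
    end = buf.index(b"\x00", start)
    return buf[start:end].decode("utf-8")  # class descriptors are ASCII, so UTF-8 suffices


def list_classes(dex):
    """Return [(class_descriptor, superclass_descriptor_or_None), ...] from the class_defs table."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    _n_str, str_off = struct.unpack_from("<II", dex, STRING_IDS_SIZE_OFF)
    n_type, type_off = struct.unpack_from("<II", dex, TYPE_IDS_SIZE_OFF)
    n_cls, cls_off = struct.unpack_from("<II", dex, CLASS_DEFS_SIZE_OFF)

    def type_name(type_idx):
        if type_idx == NO_INDEX or type_idx >= n_type:
            return None
        desc_idx, = struct.unpack_from("<I", dex, type_off + 4 * type_idx)
        return _string(dex, str_off, desc_idx)

    classes = []
    for i in range(n_cls):
        # class_def_item is 8 x u4: class_idx, access_flags, superclass_idx, interfaces_off, ...
        class_idx, _flags, super_idx = struct.unpack_from("<III", dex, cls_off + 32 * i)
        classes.append((type_name(class_idx), type_name(super_idx)))
    return classes


def stray_classes(dex, keep):
    """Descriptors defined in the dex but not in `keep`; must be empty before the dex is injected."""
    return [desc for desc, _ in list_classes(dex) if desc not in keep]


def build_dex(classes):
    """Fabricate a minimal dex whose class_defs are exactly `classes` ([(descriptor, superclass), ...]).
    Constructed test input only: no code, no map_list, zero checksum/SHA-1; a real runtime rejects it."""
    descriptors = sorted({d for pair in classes for d in pair})
    n = len(descriptors)
    string_ids_off = HEADER_SIZE
    type_ids_off = string_ids_off + 4 * n
    class_defs_off = type_ids_off + 4 * n
    data_off = class_defs_off + 32 * len(classes)

    data, string_data_offs = bytearray(), []
    for d in descriptors:
        string_data_offs.append(data_off + len(data))
        data += bytes([len(d)]) + d.encode("utf-8") + b"\x00"  # one-byte uleb128: names are < 128 chars
    string_ids = b"".join(struct.pack("<I", o) for o in string_data_offs)
    type_ids = b"".join(struct.pack("<I", i) for i in range(n))  # type_ids[i] -> string_ids[i]
    class_defs = b"".join(
        struct.pack("<8I", descriptors.index(desc), 0x1, descriptors.index(sup), 0, NO_INDEX, 0, 0, 0)
        for desc, sup in classes)

    header = bytearray(HEADER_SIZE)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, data_off + len(data))  # file_size
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)           # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)            # ENDIAN_CONSTANT
    struct.pack_into("<II", header, STRING_IDS_SIZE_OFF, n, string_ids_off)
    struct.pack_into("<II", header, TYPE_IDS_SIZE_OFF, n, type_ids_off)
    struct.pack_into("<II", header, CLASS_DEFS_SIZE_OFF, len(classes), class_defs_off)
    struct.pack_into("<II", header, DATA_SIZE_OFF, len(data), data_off)
    return bytes(header) + string_ids + type_ids + class_defs + bytes(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real use: python dexcheck.py classes2.dex
        dex = open(sys.argv[1], "rb").read()
    else:  # constructed stand-in for Gradle's unstripped output: CuteActivity plus bundled jar classes
        dex = build_dex([(CUTE, MAIN), (MAIN, "Landroid/app/Activity;"),
                         ("Lcom/example/cute/BuildConfig;", "Ljava/lang/Object;")])
    for desc, sup in list_classes(dex):
        print(f"{desc} extends {sup}")
    print("must be removed before injecting:", stray_classes(dex, {CUTE}))
```

Run it against the dex you are about to inject; stray_classes must come back empty, and the one remaining entry should list MainActivity only on the "extends" side, which is exactly the shape the shell-loaded original needs to satisfy.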
Next, removing the signature check.
First, using a reverse-engineering tool, we extract the app's signing certificate from the original APK (Base64 of the DER-encoded X.509 certificate):

MIIDcTCCAlmgAwIBAgIEC63MDTANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJjbjEPMA0GA1UE
CBMGdGlhbmhlMRIwEAYDVQQHEwlndWFuZ3pob3UxEDAOBgNVBAoTB25ldGVhc2UxEDAOBgNVBAsT
B25ldGVhc2UxEDAOBgNVBAMTB25ldGVhc2UwIBcNMTcwNjA4MDIzMjE2WhgPMjEyNjEyMTQwMjMy
MTZaMGgxCzAJBgNVBAYTAmNuMQ8wDQYDVQQIEwZ0aWFuaGUxEjAQBgNVBAcTCWd1YW5nemhvdTEQ
MA4GA1UEChMHbmV0ZWFzZTEQMA4GA1UECxMHbmV0ZWFzZTEQMA4GA1UEAxMHbmV0ZWFzZTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbqcReMeGJPxpBiSCmFhsgsXEoj1B39sTsz7Ons
B6I79EGTp4k7x/yFL15eHlRMkG+cfMROz/ABbQdPkxFXh+CCuXueqoGDzWzPVrXYUidYuT4RPSHX
GEv68tRkdZzNVeuKn1WYloD5US48u3jGCSVxVBxfKJ5IV5T2zrncaASfhGV+ZqiGearkx2Ij+foc
GDCJs3Je2go939u+dP7xM8Ppw0GhFgCbly6s0Q0ut4kDeIYlavWZXTwFZ4vW3Zo38QIpBjLeVQ5z
0bhWbsZnrUvF5tcNwTMXQiMaZB60bafaMUJTqQmQ9Esnd0h7O4C9FqTaLF6bkYK/gWD7SSESCYsC
AwEAAaMhMB8wHQYDVR0OBBYEFFe9bosGS7bXshbmXZVCDuDJQhnHMA0GCSqGSIb3DQEBCwUAA4IB
AQBi8jEYoSbGXiUgoaKSbmfd7l8Mu8cjSj+DLZ8hN3jUkfs1oXA6qjDWfJmnemLx/IdAZxSPi88x
Y5iWxOxgRvhfYy0wbqEmhh/fa16iCU8LT+ip6qKfPX06SP8g0Qh1TcrpRC8Vzr9670A0Nc0sflKb
yk0y1DA/s7iPMTQvB9C7id52XXkmdVtqzwdFQSlAetiF7pgfFXIamTj3rCBZ30UgaNiI1CZEcTWU
0XyQ2beVV26O17qYxYLRg2FKBwmaON4QSUbaip/K8k6/9hU1NugKXw/2Cbj41sO9mQCwKAudLQI6
uMcNMOtZpF2E9WyOd0k9F7xS7I3rrk/9WVatKiWD

Looking at getPackageSignMd5 in the decompiled original code, we can see that it returns the signature's MD5 as a String. Because the repackaged APK has to be re-signed with our own key, the value the game computes at runtime no longer matches; overriding getPackageSignMd5 so that it returns the MD5 of the original certificate restores the expected value. Check the decompiled method for its exact output format (lowercase or uppercase hex, separators or none) and reproduce it precisely; the code below assumes lowercase hex with no separators:
import android.content.Context;
import android.os.Bundle;
import android.util.Base64;
import android.widget.Toast;
import com.mojang.minecraftpe.MainActivity;
import java.security.MessageDigest;

public class CuteActivity extends MainActivity {
    // Base64 of the original signing certificate (DER), taken from the unmodified APK above
    private static final String NETEASE_CERT_B64 =
        "MIIDcTCCAlmgAwIBAgIEC63MDTANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJjbjEPMA0GA1UE" +
        "CBMGdGlhbmhlMRIwEAYDVQQHEwlndWFuZ3pob3UxEDAOBgNVBAoTB25ldGVhc2UxEDAOBgNVBAsT" +
        "B25ldGVhc2UxEDAOBgNVBAMTB25ldGVhc2UwIBcNMTcwNjA4MDIzMjE2WhgPMjEyNjEyMTQwMjMy" +
        "MTZaMGgxCzAJBgNVBAYTAmNuMQ8wDQYDVQQIEwZ0aWFuaGUxEjAQBgNVBAcTCWd1YW5nemhvdTEQ" +
        "MA4GA1UEChMHbmV0ZWFzZTEQMA4GA1UECxMHbmV0ZWFzZTEQMA4GA1UEAxMHbmV0ZWFzZTCCASIw" +
        "DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbqcReMeGJPxpBiSCmFhsgsXEoj1B39sTsz7Ons" +
        "B6I79EGTp4k7x/yFL15eHlRMkG+cfMROz/ABbQdPkxFXh+CCuXueqoGDzWzPVrXYUidYuT4RPSHX" +
        "GEv68tRkdZzNVeuKn1WYloD5US48u3jGCSVxVBxfKJ5IV5T2zrncaASfhGV+ZqiGearkx2Ij+foc" +
        "GDCJs3Je2go939u+dP7xM8Ppw0GhFgCbly6s0Q0ut4kDeIYlavWZXTwFZ4vW3Zo38QIpBjLeVQ5z" +
        "0bhWbsZnrUvF5tcNwTMXQiMaZB60bafaMUJTqQmQ9Esnd0h7O4C9FqTaLF6bkYK/gWD7SSESCYsC" +
        "AwEAAaMhMB8wHQYDVR0OBBYEFFe9bosGS7bXshbmXZVCDuDJQhnHMA0GCSqGSIb3DQEBCwUAA4IB" +
        "AQBi8jEYoSbGXiUgoaKSbmfd7l8Mu8cjSj+DLZ8hN3jUkfs1oXA6qjDWfJmnemLx/IdAZxSPi88x" +
        "Y5iWxOxgRvhfYy0wbqEmhh/fa16iCU8LT+ip6qKfPX06SP8g0Qh1TcrpRC8Vzr9670A0Nc0sflKb" +
        "yk0y1DA/s7iPMTQvB9C7id52XXkmdVtqzwdFQSlAetiF7pgfFXIamTj3rCBZ30UgaNiI1CZEcTWU" +
        "0XyQ2beVV26O17qYxYLRg2FKBwmaON4QSUbaip/K8k6/9hU1NugKXw/2Cbj41sO9mQCwKAudLQI6" +
        "uMcNMOtZpF2E9WyOd0k9F7xS7I3rrk/9WVatKiWD";

    @Override
    public void onCreate(Bundle arg0) {
        super.onCreate(arg0);
        hook(this);
    }

    // The game's own check calls this method; hand back the MD5 of the original certificate
    // rather than the value the runtime would compute for our re-signed package.
    @Override
    public String getPackageSignMd5() {
        return getPackageSignMd5FromBase64(NETEASE_CERT_B64);
    }

    // MD5 over the DER certificate bytes, rendered as lowercase hex with no separators
    private static String getPackageSignMd5FromBase64(String base64Cert) {
        try {
            byte[] certBytes = Base64.decode(base64Cert, Base64.DEFAULT);
            byte[] digest = MessageDigest.getInstance("MD5").digest(certBytes);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b & 0xff));
            }
            return sb.toString();
        } catch (Exception e) {
            e.printStackTrace();
            return "";
        }
    }

    private void hook(Context context) {
        // Custom injected payload goes here
        Toast.makeText(context, "MainActivity hooked", Toast.LENGTH_LONG).show();
    }
}
Repeat the dex and manifest (axml) steps above and the signature check is bypassed along the getPackageSignMd5 path; a check that reads the package signature by any other route is not affected by this override.
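As an added example that is not part of the original post: before hardcoding the certificate, sanity-check the Base64 blob offline and compute the fingerprint the override will return. The Python script below decodes the blob quoted above, walks just enough of the DER to pull out the serial, issuer CN and validity period (so a copy-paste error or a wrong blob is caught immediately), and prints the MD5 both as lowercase hex (what the Java code above returns) and in keytool's colon-separated uppercase form, since the format has to match whatever the original getPackageSignMd5 produces. The digest is taken over the raw DER bytes because that is what Android's Signature.toByteArray() yields. The helper names are this example's own.

```python
import base64
import hashlib

# Base64 of the DER-encoded signing certificate, as quoted from the unmodified APK above.
NETEASE_CERT_B64 = (
    "MIIDcTCCAlmgAwIBAgIEC63MDTANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJjbjEPMA0GA1UE"
    "CBMGdGlhbmhlMRIwEAYDVQQHEwlndWFuZ3pob3UxEDAOBgNVBAoTB25ldGVhc2UxEDAOBgNVBAsT"
    "B25ldGVhc2UxEDAOBgNVBAMTB25ldGVhc2UwIBcNMTcwNjA4MDIzMjE2WhgPMjEyNjEyMTQwMjMy"
    "MTZaMGgxCzAJBgNVBAYTAmNuMQ8wDQYDVQQIEwZ0aWFuaGUxEjAQBgNVBAcTCWd1YW5nemhvdTEQ"
    "MA4GA1UEChMHbmV0ZWFzZTEQMA4GA1UECxMHbmV0ZWFzZTEQMA4GA1UEAxMHbmV0ZWFzZTCCASIw"
    "DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbqcReMeGJPxpBiSCmFhsgsXEoj1B39sTsz7Ons"
    "B6I79EGTp4k7x/yFL15eHlRMkG+cfMROz/ABbQdPkxFXh+CCuXueqoGDzWzPVrXYUidYuT4RPSHX"
    "GEv68tRkdZzNVeuKn1WYloD5US48u3jGCSVxVBxfKJ5IV5T2zrncaASfhGV+ZqiGearkx2Ij+foc"
    "GDCJs3Je2go939u+dP7xM8Ppw0GhFgCbly6s0Q0ut4kDeIYlavWZXTwFZ4vW3Zo38QIpBjLeVQ5z"
    "0bhWbsZnrUvF5tcNwTMXQiMaZB60bafaMUJTqQmQ9Esnd0h7O4C9FqTaLF6bkYK/gWD7SSESCYsC"
    "AwEAAaMhMB8wHQYDVR0OBBYEFFe9bosGS7bXshbmXZVCDuDJQhnHMA0GCSqGSIb3DQEBCwUAA4IB"
    "AQBi8jEYoSbGXiUgoaKSbmfd7l8Mu8cjSj+DLZ8hN3jUkfs1oXA6qjDWfJmnemLx/IdAZxSPi88x"
    "Y5iWxOxgRvhfYy0wbqEmhh/fa16iCU8LT+ip6qKfPX06SP8g0Qh1TcrpRC8Vzr9670A0Nc0sflKb"
    "yk0y1DA/s7iPMTQvB9C7id52XXkmdVtqzwdFQSlAetiF7pgfFXIamTj3rCBZ30UgaNiI1CZEcTWU"
    "0XyQ2beVV26O17qYxYLRg2FKBwmaON4QSUbaip/K8k6/9hU1NugKXw/2Cbj41sO9mQCwKAudLQI6"
    "uMcNMOtZpF2E9WyOd0k9F7xS7I3rrk/9WVatKiWD"
)
NETEASE_CERT_DER = base64.b64decode(NETEASE_CERT_B64)


def _tlv(buf, off):
    """Read one DER tag and length; return (tag, value_start, value_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def _children(buf, start, end):
    """Split the content of a constructed type into its TLV elements."""
    out, off = [], start
    while off < end:
        t = _tlv(buf, off)
        out.append(t)
        off = t[2]
    return out


def _name_attr(buf, name, oid):
    """Value of the AttributeTypeAndValue with the given OID (raw content bytes) in an X.501 Name."""
    for _, set_s, set_e in _children(buf, name[1], name[2]):
        for _, seq_s, seq_e in _children(buf, set_s, set_e):
            oid_tlv, val_tlv = _children(buf, seq_s, seq_e)
            if buf[oid_tlv[1]:oid_tlv[2]] == oid:
                return buf[val_tlv[1]:val_tlv[2]].decode("utf-8")
    return None


def cert_info(der):
    """Serial, issuer CN and validity of a DER X.509 certificate: enough to confirm the blob is a cert."""
    tag, cert_s, cert_e = _tlv(der, 0)
    if tag != 0x30 or cert_e != len(der):
        raise ValueError("not a single DER SEQUENCE; is this really the certificate?")
    _, tbs_s, tbs_e = _tlv(der, cert_s)  # tbsCertificate
    fields = _children(der, tbs_s, tbs_e)
    if fields[0][0] == 0xA0:  # [0] EXPLICIT version is present for v2/v3 certificates
        fields = fields[1:]
    serial, _sig_alg, issuer, validity = fields[:4]
    not_before, not_after = _children(der, validity[1], validity[2])
    return {
        "serial": int.from_bytes(der[serial[1]:serial[2]], "big"),
        "issuer_cn": _name_attr(der, issuer, b"\x55\x04\x03"),  # id-at-commonName
        "not_before": der[not_before[1]:not_before[2]].decode("ascii"),
        "not_after": der[not_after[1]:not_after[2]].decode("ascii"),
    }


def fingerprint(der, algo="md5", sep="", upper=False):
    """Digest over the DER bytes, i.e. over what Signature.toByteArray() returns on Android.
    sep/upper reproduce whichever text format the original getPackageSignMd5 uses."""
    hexdigest = hashlib.new(algo, der).hexdigest()
    out = sep.join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return out.upper() if upper else out


if __name__ == "__main__":
    info = cert_info(NETEASE_CERT_DER)
    print(f"serial=0x{info['serial']:X} issuer CN={info['issuer_cn']} "
          f"valid {info['not_before']} .. {info['not_after']}")
    print("MD5, lowercase hex (what the override returns):", fingerprint(NETEASE_CERT_DER))
    print("MD5, keytool style:", fingerprint(NETEASE_CERT_DER, sep=":", upper=True))
    print("SHA-256, keytool style:", fingerprint(NETEASE_CERT_DER, "sha256", sep=":", upper=True))
```

The decoded blob is an 885-byte v3 certificate issued by CN=netease with serial 0x0BADCC0D, valid from 2017-06-08; if your own extraction does not print the same, you have the wrong blob or lost characters when copying. Compare the MD5 line against what the game logs or what the decompiled getPackageSignMd5 formats, and adjust sep/upper until they match before building the Java override.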
Broken! The hot update added an MD5 check, now it just crashes (╯°A°)╯︵○○○
No crash here
Then it's probably because I loaded a native library ⌇●﹏●⌇