破解_AutoJSPro_9.1.20

破解 AutoJS Pro 9.1.20

之前有篇记录破解AutoJS Pro 8.x的,但是有些错误的地方,本地修改过,但找不到原始文档了,于是重新记录一遍破解AutoJS Pro 9.1.20的过程。

Patch .so

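Patch libflutter.so 中的证书校验代码(按下方 boringssl 参考链接,对应 ssl_x509.cc 中的证书链校验函数)。
注意:patch 之后该函数不再执行校验逻辑并固定返回成功,因此该应用 Flutter 层发起的所有 TLS 连接都不再验证服务端证书,在不可信网络上流量可被中间人读取或篡改。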
参考:
https://blog.csdn.net/yhsnihao/article/details/110477720
https://github.com/google/boringssl/blob/7e7e6b693f15a2191e4854223d11add2a3dc0a8e/ssl/ssl_x509.cc#L389

arm64-v8a

原始:

.text:0000000000393DA4 FF C3 01 D1                                   SUB             SP, SP, #0x70
.text:0000000000393DA8 FD 7B 01 A9 STP X29, X30, [SP,#0x70+var_60]
.text:0000000000393DAC FC 6F 02 A9 STP X28, X27, [SP,#0x70+var_50]
.text:0000000000393DB0 FA 67 03 A9 STP X26, X25, [SP,#0x70+var_40]
.text:0000000000393DB4 F8 5F 04 A9 STP X24, X23, [SP,#0x70+var_30]
.text:0000000000393DB8 F6 57 05 A9 STP X22, X21, [SP,#0x70+var_20]
.text:0000000000393DBC F4 4F 06 A9 STP X20, X19, [SP,#0x70+var_10]
.text:0000000000393DC0 08 0A 80 52 MOV W8, #0x50 ; 'P'
.text:0000000000393DC4 48 00 00 39 STRB W8, [X2]
.text:0000000000393DC8 1A 54 40 F9 LDR X26, [X0,#0xA8]
.text:0000000000393DCC DA 02 00 B4 CBZ X26, loc_393E24
.text:0000000000393DD0 48 03 40 F9 LDR X8, [X26]
.text:0000000000393DD4 88 02 00 B4 CBZ X8, loc_393E24
.text:0000000000393DD8 39 20 40 A9 LDP X25, X8, [X1]


.text:0000000000393E24 loc_393E24 ; CODE XREF: sub_393DA4+28↑j
.text:0000000000393E24 ; sub_393DA4+30↑j
.text:0000000000393E24 F4 03 1F 2A MOV W20, WZR
.text:0000000000393E28 41 00 00 14 B loc_393F2C

.text:0000000000393F2C loc_393F2C ; CODE XREF: sub_393DA4+84↑j
.text:0000000000393F2C E0 03 14 2A MOV W0, W20
.text:0000000000393F30 79 08 10 94 BL sub_796114
.text:0000000000393F34 FD 7B 41 A9 LDP X29, X30, [SP,#0x70+var_60]
.text:0000000000393F38 C5 0A 10 14 B loc_796A4C

Patch后:

27
28
.text:0000000000393DA4 FF C3 01 D1                                   SUB             SP, SP, #0x70
.text:0000000000393DA8 FD 7B 01 A9 STP X29, X30, [SP,#0x70+var_60]
.text:0000000000393DAC FC 6F 02 A9 STP X28, X27, [SP,#0x70+var_50]
.text:0000000000393DB0 FA 67 03 A9 STP X26, X25, [SP,#0x70+var_40]
.text:0000000000393DB4 F8 5F 04 A9 STP X24, X23, [SP,#0x70+var_30]
.text:0000000000393DB8 F6 57 05 A9 STP X22, X21, [SP,#0x70+var_20]
.text:0000000000393DBC F4 4F 06 A9 STP X20, X19, [SP,#0x70+var_10]
.text:0000000000393DC0 08 0A 80 52 MOV W8, #0x50 ; 'P'
.text:0000000000393DC4 48 00 00 39 STRB W8, [X2]
.text:0000000000393DC8 1A 54 40 F9 LDR X26, [X0,#0xA8]
.text:0000000000393DCC 16 00 00 14 B loc_393E24 ;<----------无条件跳转
.text:0000000000393DD0 ; ---------------------------------------------------------------------------
.text:0000000000393DD0 48 03 40 F9 LDR X8, [X26]
.text:0000000000393DD4 88 02 00 B4 CBZ X8, loc_393E24
.text:0000000000393DD8 39 20 40 A9 LDP X25, X8, [X1]
...

.text:0000000000393E24 loc_393E24 ; CODE XREF: sub_393DA4+28↑j
.text:0000000000393E24 ; sub_393DA4+30↑j
.text:0000000000393E24 F4 03 1F 2A MOV W20, WZR
.text:0000000000393E28 41 00 00 14 B loc_393F2C


.text:0000000000393F2C loc_393F2C ; CODE XREF: sub_393DA4+84↑j
.text:0000000000393F2C 20 00 80 52 MOV W0, #1 ;<----------修改返回值
.text:0000000000393F30 79 08 10 94 BL sub_796114
.text:0000000000393F34 FD 7B 41 A9 LDP X29, X30, [SP,#0x70+var_60]
.text:0000000000393F38 C5 0A 10 14 B loc_796A4C

armeabi-v7a

原始:

.text:001EB350 2D E9 F0 4F                                   PUSH.W          {R4-R11,LR}
.text:001EB354 85 B0 SUB SP, SP, #0x14
.text:001EB356 06 46 MOV R6, R0
.text:001EB358 50 20 MOVS R0, #0x50 ; 'P'
.text:001EB35A 10 70 STRB R0, [R2]
.text:001EB35C D6 F8 98 40 LDR.W R4, [R6,#0x98]
.text:001EB360 0C B3 CBZ R4, loc_1EB3A6
.text:001EB362 20 68 LDR R0, [R4]
.text:001EB364 F8 B1 CBZ R0, loc_1EB3A6
.text:001EB366 60 68 LDR R0, [R4,#4]
.text:001EB368 93 46 MOV R11, R2
.text:001EB36A 03 91 STR R1, [SP,#0x38+var_2C]
.text:001EB36C D0 F8 00 80 LDR.W R8, [R0]
.text:001EB370 D1 E9 00 50 LDRD.W R5, R0, [R1]
.text:001EB374 00 69 LDR R0, [R0,#0x10]
.text:001EB376 6A 6B LDR R2, [R5,#0x34]
.text:001EB378 D0 F8 2C A0 LDR.W R10, [R0,#0x2C]
.text:001EB37C 95 F8 58 00 LDRB.W R0, [R5,#0x58]
.text:001EB380 D2 F8 4C 90 LDR.W R9, [R2,#0x4C]
.text:001EB384 C0 07 LSLS R0, R0, #0x1F
.text:001EB386 01 92 STR R2, [SP,#0x38+var_34]
.text:001EB388 0F D1 BNE loc_1EB3AA
.text:001EB38A A9 69 LDR R1, [R5,#0x18]
.text:001EB38C D1 F8 D8 00 LDR.W R0, [R1,#0xD8]
.text:001EB390 58 B1 CBZ R0, loc_1EB3AA
.text:001EB392 D1 F8 B0 10 LDR.W R1, [R1,#0xB0]
.text:001EB396 02 29 CMP R1, #2
.text:001EB398 07 D1 BNE loc_1EB3AA
.text:001EB39A D0 F8 20 05 LDR.W R0, [R0,#0x520]
.text:001EB39E 01 69 LDR R1, [R0,#0x10]
.text:001EB3A0 40 69 LDR R0, [R0,#0x14]
.text:001EB3A2 00 91 STR R1, [SP,#0x38+var_38]
.text:001EB3A4 04 E0 B loc_1EB3B0
.text:001EB3A6 ; ---------------------------------------------------------------------------
.text:001EB3A6
.text:001EB3A6 loc_1EB3A6 ; CODE XREF: sub_1EB350+10↑j
.text:001EB3A6 ; sub_1EB350+14↑j
.text:001EB3A6 00 24 MOVS R4, #0
.text:001EB3A8 5A E0 B loc_1EB460

.text:001EB460 loc_1EB460 ; CODE XREF: sub_1EB350+58↑j
.text:001EB460 20 46 MOV R0, R4
.text:001EB462 05 B0 ADD SP, SP, #0x14
.text:001EB464 BD E8 F0 8F POP.W {R4-R11,PC}

Patch后:

.text:001EB350 2D E9 F0 4F                                   PUSH.W          {R4-R11,LR}
.text:001EB354 85 B0 SUB SP, SP, #0x14
.text:001EB356 06 46 MOV R6, R0
.text:001EB358 50 20 MOVS R0, #0x50 ; 'P'
.text:001EB35A 10 70 STRB R0, [R2]
.text:001EB35C D6 F8 98 40 LDR.W R4, [R6,#0x98]
.text:001EB360 21 E0 B loc_1EB3A6 ;<-----------无条件跳转
.text:001EB362 20 68 LDR R0, [R4]
.text:001EB364 F8 B1 CBZ R0, loc_1EB3A6
.text:001EB366 60 68 LDR R0, [R4,#4]
.text:001EB368 93 46 MOV R11, R2
.text:001EB36A 03 91 STR R1, [SP,#0x38+var_2C]
.text:001EB36C D0 F8 00 80 LDR.W R8, [R0]
.text:001EB370 D1 E9 00 50 LDRD.W R5, R0, [R1]
.text:001EB374 00 69 LDR R0, [R0,#0x10]
.text:001EB376 6A 6B LDR R2, [R5,#0x34]
.text:001EB378 D0 F8 2C A0 LDR.W R10, [R0,#0x2C]
.text:001EB37C 95 F8 58 00 LDRB.W R0, [R5,#0x58]
.text:001EB380 D2 F8 4C 90 LDR.W R9, [R2,#0x4C]
.text:001EB384 C0 07 LSLS R0, R0, #0x1F
.text:001EB386 01 92 STR R2, [SP,#0x38+var_34]
.text:001EB388 0F D1 BNE loc_1EB3AA
.text:001EB38A A9 69 LDR R1, [R5,#0x18]
.text:001EB38C D1 F8 D8 00 LDR.W R0, [R1,#0xD8]
.text:001EB390 58 B1 CBZ R0, loc_1EB3AA
.text:001EB392 D1 F8 B0 10 LDR.W R1, [R1,#0xB0]
.text:001EB396 02 29 CMP R1, #2
.text:001EB398 07 D1 BNE loc_1EB3AA
.text:001EB39A D0 F8 20 05 LDR.W R0, [R0,#0x520]
.text:001EB39E 01 69 LDR R1, [R0,#0x10]
.text:001EB3A0 40 69 LDR R0, [R0,#0x14]
.text:001EB3A2 00 91 STR R1, [SP,#0x38+var_38]
.text:001EB3A4 04 E0 B loc_1EB3B0
.text:001EB3A6 ; ---------------------------------------------------------------------------
.text:001EB3A6
.text:001EB3A6 loc_1EB3A6 ; CODE XREF: sub_1EB350+10↑j
.text:001EB3A6 ; sub_1EB350+14↑j
.text:001EB3A6 01 24 MOVS R4, #1 ;<--------修改R4
.text:001EB3A8 5A E0 B loc_1EB460

.text:001EB460 loc_1EB460 ; CODE XREF: sub_1EB350+58↑j
.text:001EB460 20 46 MOV R0, R4
.text:001EB462 05 B0 ADD SP, SP, #0x14
.text:001EB464 BD E8 F0 8F POP.W {R4-R11,PC}

hook

校验是否购买的关键函数:

image-20220728103303657

黑名单APP:

image-20220728103341933

image-20220728105447810

// Registers three Xposed hooks on obfuscated methods under the okhttp3.internal.io package.
// The class and method names are non-ASCII, so they are written percent-encoded and decoded at
// runtime. Each registration has its own try/catch, so a failed lookup is logged and the
// following registrations are still attempted.
// NOTE(review): the one-argument URLDecoder.decode is deprecated and uses the platform default
// charset; the names below only resolve as intended if that charset is UTF-8 — confirm.
// NOTE(review): all three targets are boolean decisions taken on the client, which is why
// rewriting the return value is enough to change them; a check that must hold has to be
// enforced where instrumentation cannot rewrite its result.

// Hook 1: okhttp3.internal.io.ut2, no-argument method whose name decodes to U+052B.
// Presumably the purchase check referred to in the text above — confirm against the screenshot.
try{
findAndHookMethod("okhttp3.internal.io.ut2", classLoader, URLDecoder.decode("%D4%AB"), new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
XposedBridge.log("okhttp3.internal.io.ut2.ԫ() called2222222....");
Log.d(TAG, "okhttp3.internal.io.ut2.ԫ() called2222222....");
// The original method has already run; its result is discarded and replaced with true.
param.setResult(true);
}
});
}catch (Exception e){
// Registration failed: log the stack trace (it is also printed by printStackTrace).
Log.e(TAG, Log.getStackTraceString(e));
e.printStackTrace();
}


// Hook 2: okhttp3.internal.io.vv, method (Object, Object) whose name decodes to U+037F.
// The log message prints the name as "J"; the hooked name is the look-alike U+037F, not ASCII J.
// Presumably the blacklist comparison referred to in the text above — confirm.
try{
findAndHookMethod("okhttp3.internal.io.vv",classLoader, URLDecoder.decode("%CD%BF"), Object.class, Object.class, new XC_MethodHook() {
@Override
protected void afterHookedMethod(MethodHookParam param) throws Throwable {
super.afterHookedMethod(param);
Log.d(TAG, "okhttp3.internal.io.vv.J() called....");

Object object0 = param.args[0];
Object object1 = param.args[1];
// With a null argument the original result is left untouched.
if(object0==null || object1 ==null){
return;
}
Log.d(TAG, "arg0: "+object0+" arg1"+object1);
// Only when both arguments are equal and are one of the two listed package names is the
// result forced to false; every other call keeps the value the original method returned.
if((object0.equals("com.tencent.mm") && object0.equals(object1)) ||(object0.equals("com.tencent.mobileqq") && object0.equals(object1))){
param.setResult(false);
}
}
});
}catch (Exception e){
// Registration failed: log the stack trace (it is also printed by printStackTrace).
Log.e(TAG, Log.getStackTraceString(e));
e.printStackTrace();
}


// Hook 3: class okhttp3.internal.io.<U+1078>, method (String) whose name decodes to U+037F.
// XC_MethodReplacement is used here, so the original body never executes and every call
// returns false regardless of the argument.
try{
findAndHookMethod("okhttp3.internal.io." + URLDecoder.decode("%E1%81%B8"), classLoader, URLDecoder.decode("%CD%BF"), String.class, new XC_MethodReplacement() {
@Override
protected Object replaceHookedMethod(MethodHookParam methodHookParam) throws Throwable {
return false;
}
});
}catch (Exception e){
// Registration failed: log the stack trace (it is also printed by printStackTrace).
Log.e(TAG, Log.getStackTraceString(e));
e.printStackTrace();
}

image-20220728112948418

成品

autojspro_9.1.20_crack.zip