Bypassing Signature Check [Signature.hashCode()]

<3OPStaff#1518027
<head> This tutorial extends Lohan+'s post about calculating Signature.hashCode() from the CERT.RSA inside an apk file: http://androidcracking.blogspot.com/2010/12/getting-apk-signature-outside-of.html

<include>Requirements:
  1. A Computer
  2. The apk file, obviously
  3. Primary tools (choose one)
    1. GetSignature, got this tool on a Chinese RE forum. Download. (how to use) hit Open apk, and locate the apk you want to mod. It'll give you the hashCode. (in case you don't want to build from the java source included in Lohan+'s post)
    2. ApkVer.jar download link here. How to use and sidenote are included in download link.
  4. dex/Apk decompiler eg.(Apktool, baksmali, smali)
  5. Text editor with advanced search functions eg.(Notepad++, Sublime Text, Atom)

<desc> Before we go any further, this is just a simple hashCode spoof used for applications like GLTools(Old) and some games that require an integrity check during login (usually). No, this method won't work with Google Play login.

<body> Check if you have all the tools mentioned above, then you're good to go.
1. Decompile apk with any apk decompiler you usually use for decompiling.
2. Get the calculated hashCode from the tools mentioned, write it down somewhere.
3. Find string in files under smali folder, search for "Landroid/content/pm/Signature;->hashCode()I"
4. Then the code may look like this
Code:
.local v2, "sig":Landroid/content/pm/Signature;

invoke-virtual {v2}, Landroid/content/pm/Signature;->hashCode()I

move-result v3
5. If your calculated hashCode is not higher than 0x7fffffff, then skip to Step 7
6. Use Windows Calculator with programmer view(Alt +3), copy and paste your hashCode value to Calculator, click "±"
The value will be FFFFFFFF7FFFFFFF; just delete the first 8 F's and add -0x at the start, then the final hashCode will be -0x7fffffff
7. Spoof the hashCode in dalvik/smali with your final calculated hashCode, put it under move-result vx
Code:
.local v2, "sig":Landroid/content/pm/Signature;

invoke-virtual {v2}, Landroid/content/pm/Signature;->hashCode()I

move-result v3
#magick things happen here
const v3, -0x7fffffff #change v3 relating to vx in move-result vx and change -0x7fffffff with your final calculated hashCode
8. Save the file, recompile and sign the apk. #profit :jimmy:

<!EOF>
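
From the reviewing side, the edit in step 7 leaves a recognisable trace in decompiled smali: the register written by `move-result` after `Signature;->hashCode()I` is immediately overwritten by a `const`. The scanner below is an added example, not part of the original post; its function names and both smali samples are constructed for illustration, and it is a heuristic that only checks the instruction directly after `move-result`.

```python
import re

CALL = re.compile(r"invoke-virtual \{[vp]\d+\}, Landroid/content/pm/Signature;->hashCode\(\)I")
MOVE = re.compile(r"move-result ([vp]\d+)\b")
CONST = re.compile(r"const(?:/4|/16|/high16)? ([vp]\d+), (-?0x[0-9a-fA-F]+)")

# Constructed sample: hashCode() result in v3 is clobbered before the compare.
TAMPERED = """\
.local v2, "sig":Landroid/content/pm/Signature;
invoke-virtual {v2}, Landroid/content/pm/Signature;->hashCode()I
move-result v3
const v3, -0x7fffffff
const v4, -0x7fffffff
if-ne v3, v4, :fail
"""

# Constructed sample: the expected value is loaded into a different register.
CLEAN = """\
invoke-virtual {v2}, Landroid/content/pm/Signature;->hashCode()I
move-result v3
const v4, 0x1234abcd
if-ne v3, v4, :fail
"""


def instructions(smali_text):
    """Yield (line_no, text) for real instructions, skipping blank lines,
    '#' comments and dot-directives such as .local or .line."""
    for no, raw in enumerate(smali_text.splitlines(), 1):
        text = raw.split("#", 1)[0].strip()  # good enough for these opcodes
        if text and not text.startswith("."):
            yield no, text


def find_overwritten_signature_hash(smali_text):
    """Return [(line_no, register, signed_value)] for each place where the
    result of Signature.hashCode() is replaced by a constant before use."""
    findings = []
    ins = list(instructions(smali_text))
    for i in range(len(ins) - 2):
        if not CALL.search(ins[i][1]):
            continue
        move = MOVE.fullmatch(ins[i + 1][1])
        const = CONST.fullmatch(ins[i + 2][1])
        if move and const and move.group(1) == const.group(1):
            findings.append((ins[i + 2][0], const.group(1), int(const.group(2), 16)))
    return findings
```

Run it over every `.smali` file of a decompiled build and compare against the release you shipped; a hit that is absent from your own build indicates a repackaged copy.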
 
Thanks for sharing this cool tut bro.

One question, how do we know if the value of the hashcode is more than 0x7fffffff?
Like 0x8ffff?
 
OPStaff#1519734
Thanks for sharing this cool tut bro.

One question, how do we know if the value of the hashcode is more than 0x7fffffff?
Like 0x8ffff?
If you're confused by these hex numbers (base 16), you can use a calculator to convert hex to dec and compare them
 
@Xtreme Myst @circleous thank u guys for all your help .. i'dk what it is but it's still asking to update after redoing the whole process and added what u guys said about version checker
 
@Xtreme Myst @circleous thank u guys for all your help .. i'dk what it is but it's still asking to update after redoing the whole process and added what u guys said about version checker
I believe you posted this in the wrong thread :D
Regarding your problem, I've posted the last solution and @Haege confirmed it's fully working. Have a look here.
 
I tried to search in the smali folder using Notepad++ but I can't find the Landroid/content/pm/Signature;->hashCode()I. Instead it is Landroid/content/pm/Signature;->toCharString.
 
OPStaff#1628544
I tried to search in the smali folder using Notepad++ but I can't find the Landroid/content/pm/Signature;->hashCode()I. Instead it is Landroid/content/pm/Signature;->toCharString.
You can't use this method then. Like I said in <desc>:
Before we go any further, this is just a simple hashCode spoof used for applications like GLTools and some games that require an integrity check during login (usually).
 
Help.., can't download the tools, update the link please..