Hook gettimeofday and lrand48 in AndroidNativeEmu to verify the signature value.
We have used AndroidNativeEmu to emulate the library and compute the sign value. To tell whether that value is correct, we could send it straight to the server, but it is better to also compare it with the value computed on a real device, so we can be sure no other small tricks are being played.

In "Assistant of algorithm restoration (1)", the article about stopping time, we fixed the signature result on the phone, so we need to hook gettimeofday and lrand48 in AndroidNativeEmu as well.

The IDA analysis shows that when gettimeofday is called, the tv pointer is held in the R5 register. So we only need to break at address 0x129C0, just after the function returns, and overwrite the memory that R5 points to with the fixed value we need.

lrand48 is simpler. A function's return value is normally stored in the R0 register, so after the function returns we only need to set R0 to the fixed value we need at 0x00012A72 and 0x0012A8C.
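The two hooks described above can be written as a single Unicorn code-hook callback. This is an added example, not code from the original article: the fixed values are constructed, `emulator.mu` and `module.base` are assumed names for the Unicorn instance and the library load address, and `FakeUc` is a stand-in so the logic can be checked without the target library.

```python
import struct

try:  # real constants when Unicorn is installed
    from unicorn import UC_HOOK_CODE
    from unicorn.arm_const import UC_ARM_REG_R0, UC_ARM_REG_R5
except ImportError:  # same numeric values, so the offline check still runs
    UC_HOOK_CODE, UC_ARM_REG_R0, UC_ARM_REG_R5 = 4, 66, 71

# Offsets from the article (IDA addresses, relative to the library base).
AFTER_GETTIMEOFDAY = 0x129C0
AFTER_LRAND48 = (0x12A72, 0x12A8C)
# Constructed sample values: use the ones pinned on the phone.
FIXED_SEC, FIXED_USEC, FIXED_RAND = 1600000000, 123456, 0x12345678


def make_hook(base):
    """Build a UC_HOOK_CODE callback for a library loaded at `base`."""
    def hook(uc, address, size, user_data):
        offset = address - base
        if offset == AFTER_GETTIMEOFDAY:
            # R5 still holds the tv pointer; on 32-bit ARM struct timeval
            # is two little-endian 32-bit longs (tv_sec, tv_usec).
            tv = uc.reg_read(UC_ARM_REG_R5)
            uc.mem_write(tv, struct.pack("<ii", FIXED_SEC, FIXED_USEC))
        elif offset in AFTER_LRAND48:
            # The hook fires before the instruction after the call runs,
            # so R0 is replaced before the caller reads the return value.
            uc.reg_write(UC_ARM_REG_R0, FIXED_RAND)
    return hook


def install(emulator, module):
    """Assumes emulator.mu is the Unicorn instance, module.base the load address."""
    lo, hi = module.base + AFTER_GETTIMEOFDAY, module.base + max(AFTER_LRAND48)
    return emulator.mu.hook_add(UC_HOOK_CODE, make_hook(module.base), None, lo, hi)


class FakeUc:
    """Constructed stand-in exposing the three Unicorn methods the hook uses."""
    def __init__(self, regs):
        self.regs, self.mem = dict(regs), {}
    def reg_read(self, reg):
        return self.regs[reg]
    def reg_write(self, reg, value):
        self.regs[reg] = value
    def mem_write(self, addr, data):
        self.mem[addr] = bytes(data)
```

The callback subtracts the load base because the emulator maps the library at its own address, while the offsets above are the ones IDA shows.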

OK, after running it for a while, the computed result matches the signature produced on the phone, so let's call it a day.

It is a good habit to check the calculation.

Add me wx: fenfei33 1 if you have any questions.