zoukankan      html  css  js  c++  java
  • 某地理位置模拟APP从壳流程分析到破解

    工具与环境

    Xposed

    IDA 6.8

    JEB 2.2.5

    Fiddler2

    010Editor

    NEXUS 5  Android 4.4

    好久不玩逆向怕调试器生锈,拿出来磨磨!

    高手莫要见笑,仅供小菜玩乐,有不对或不足的地方还请多多指教,不胜感激!

    0x00: 程序大概情况分析

    在我们拿到一个APP准备破解时一般得安装运行,程序运行后须要注册用户,随便注册一个用户登录,以下是APP须要购买vip才能使用的大概情况。

    通过简单的查看可以知道是要通过网络支付后才能使用VIP,可以使用Fiddler进行抓包分析,但是请求体与返回值都是加密了的,目前还看不懂。

    用JEB反编译app发现被加固了。

    通过上面简单的分析后,该款应用为了防止被破解,主要做了以下几点防护。

    利用第三方加固将app加固,网络验证是否为VIP权限。

    0x01:壳反调试分析

    通过第一部分的介绍,发现软件被加固了,接下来就是要脱掉壳才能更好地分析下去,挂上IDA在JNI_Onload下断点,反调试主要有,获取rtld_db_dlactivity判断是否为空,过反调试将获取到的内容清零就成了、time时间比较,将返回值清零,过/proc/self/status反调试将open函数返回0,过/proc/net/tcp也是将open函数返回0,文件监控不用管,还有一处比较隐藏的反调试raise,直接将函数改成返回。

     1 LOAD:75A6A038 F0 41 2D E9                 STMFD           SP!, {R4-R8,LR}
     2 LOAD:75A6A03C F0 81 BD E8                 LDMFD           SP!, {R4-R8,PC};改成返回
     3 LOAD:75A6A040             ; ---------------------------------------------------------------------------
     4 LOAD:75A6A040 70 50 9F E5                 LDR             R5, =(off_75A72ED4 - 0x75A6A05C)
     5 LOAD:75A6A044 70 20 9F E5                 LDR             R2, =(is_androidserver_prot - 0x75A6A058)
     6 LOAD:75A6A048 70 60 9F E5                 LDR             R6, =0xE7F001F0
     7 LOAD:75A6A04C 10 D0 4D E2                 SUB             SP, SP, #0x10
     8 LOAD:75A6A050 02 20 8F E0                 ADD             R2, PC, R2 ; is_androidserver_prot
     9 LOAD:75A6A054 05 50 9F E7                 LDR             R5, [PC,R5] ; off_75A72ED4
    10 LOAD:75A6A058 03 30 9F E7                 LDR             R3, [PC,R3] ; off_75A72ED0
    11 LOAD:75A6A05C 04 50 8D E5                 STR             R5, [SP,#0x10+var_C]
    12 LOAD:75A6A060 08 30 8D E5                 STR             R3, [SP,#0x10+var_8]
    13 LOAD:75A6A064 0C 20 8D E5                 STR             R2, [SP,#0x10+var_4]
    14 LOAD:75A6A068 04 70 8D E2                 ADD             R7, SP, #4
    15 LOAD:75A6A06C 0C 80 8D E2                 ADD             R8, SP, #0x10+var_4
    16 LOAD:75A6A070
    17 LOAD:75A6A070             loc_75A6A070                            ; CODE XREF: Anti_raise+70j
    18 LOAD:75A6A070 04 40 45 E2                 SUB             R4, R5, #4
    19 LOAD:75A6A074 24 50 85 E2                 ADD             R5, R5, #0x24
    20 LOAD:75A6A078 01 00 00 EA                 B               loc_75A6A084
    21 LOAD:75A6A07C             ; ---------------------------------------------------------------------------
    22 LOAD:75A6A07C
    23 LOAD:75A6A07C             loc_75A6A07C                            ; CODE XREF: Anti_raise+54j
    24 LOAD:75A6A07C 05 00 54 E1                 CMP             R4, R5
    25 LOAD:75A6A080 06 00 00 0A                 BEQ             loc_75A6A0A0
    26 LOAD:75A6A084
    27 LOAD:75A6A084             loc_75A6A084                            ; CODE XREF: Anti_raise+40j
    28 LOAD:75A6A084                                                     ; Anti_raise+64j
    29 LOAD:75A6A084 04 30 B4 E5                 LDR             R3, [R4,#4]!
    30 LOAD:75A6A088 06 00 53 E1                 CMP             R3, R6
    31 LOAD:75A6A08C FA FF FF 1A                 BNE             loc_75A6A07C
    32 LOAD:75A6A090 09 00 A0 E3                 MOV             R0, #9  ; sig
    33 LOAD:75A6A094 25 F6 FF EB                 BL              raise
    34 LOAD:75A6A098 05 00 54 E1                 CMP             R4, R5
    35 LOAD:75A6A09C F8 FF FF 1A                 BNE             loc_75A6A084
    36 LOAD:75A6A0A0
    37 LOAD:75A6A0A0             loc_75A6A0A0                            ; CODE XREF: Anti_raise+48j
    38 LOAD:75A6A0A0 08 00 57 E1                 CMP             R7, R8
    39 LOAD:75A6A0A4 04 50 B7 15                 LDRNE           R5, [R7,#0xC+var_8]!
    40 LOAD:75A6A0A8 F0 FF FF 1A                 BNE             loc_75A6A070
    41 LOAD:75A6A0AC 10 D0 8D E2                 ADD             SP, SP, #0x10
    42 LOAD:75A6A0B0 F0 81 BD E8                 LDMFD           SP!, {R4-R8,PC}
    43 LOAD:75A6A0B0             ; End of function Anti_raise
    44 LOAD:75A6A0B0

    以上就是过掉所有主要的反调试了

    0x02:壳大致流程分析与Dump出解密后的dex

    过掉反调试后在Case 29 与case33下好断点,代码如下:

     1 //case 29 文件偏移:9DB8
     2 /data/app-lib/com.txy.anywhere-1/libjiagu_old.so 75A66000 00050000
     3 LOAD:75A6FDB8
     4 LOAD:75A6FDB8             loc_75A6FDB8                            ; CODE XREF: __fun_a_18(char *,uint):loc_75A6F8CCj
     5 LOAD:75A6FDB8                                                     ; __fun_a_18(char *,uint):loc_75A6F8DCj ...
     6 LOAD:75A6FDB8 01 30 8C E2 ADD             R3, R12, #1             ; jumptable 75A6F8DC case 29
     7 LOAD:75A6FDBC 03 20 D4 E7 LDRB            R2, [R4,R3]
     8 LOAD:75A6FDC0 1C 30 8D E5 STR             R3, [SP,#0xCC+var_B0]
     9 LOAD:75A6FDC4 00 00 52 E3 CMP             R2, #0
    10 LOAD:75A6FDC8 C9 01 00 0A BEQ             loc_75A704F4
    11 LOAD:75A6FDCC 80 05 95 E9 LDMIB           R5, {R7,R8,R10}
    12 LOAD:75A6FDD0 0C 20 84 E0 ADD             R2, R4, R12
    13 LOAD:75A6FDD4 05 B0 92 E5 LDR             R11, [R2,#5]
    14 LOAD:75A6FDD8 38 20 95 E5 LDR             R2, [R5,#0x38]
    15 LOAD:75A6FDDC 03 30 94 E7 LDR             R3, [R4,R3]
    16 LOAD:75A6FDE0 09 C0 8C E2 ADD             R12, R12, #9
    17 LOAD:75A6FDE4 1C C0 8D E5 STR             R12, [SP,#0xCC+var_B0]
    18 LOAD:75A6FDE8 02 B0 8B E0 ADD             R11, R11, R2
    19 LOAD:75A6FDEC 0B B0 63 E0 RSB             R11, R3, R11
    20 LOAD:75A6FDF0 00 C0 95 E5 LDR             R12, [R5]
    21 LOAD:75A6FDF4 0C 00 A0 E1 MOV             R0, R12
    22 LOAD:75A6FDF8 07 10 A0 E1 MOV             R1, R7
    23 LOAD:75A6FDFC 08 20 A0 E1 MOV             R2, R8
    24 LOAD:75A6FE00 0A 30 A0 E1 MOV             R3, R10
    25 LOAD:75A6FE04 0B E0 A0 E1 MOV             LR, R11
    26 LOAD:75A6FE08 3E FF 2F E1 BLX             LR
    27 LOAD:75A6FE0C 00 70 A0 E1 MOV             R7, R0
    28 LOAD:75A6FE10 01 C0 A0 E1 MOV             R12, R1
    29 LOAD:75A6FE14 00 70 85 E5 STR             R7, [R5]                ; jumptable 000098CC case 28
    30 LOAD:75A6FE18 04 C0 85 E5 STR             R12, [R5,#4]
    31 LOAD:75A6FE1C 1C C0 9D E5 LDR             R12, [SP,#0xCC+var_B0]
    32 LOAD:75A6FE20 A9 FE FF EA B               loc_75A6F8CC
     1 //case 33 执行解压函数与执行解密后第二个so的JNI_OnLoad函数 文件偏移: 9B44
     2 /data/app-lib/com.txy.anywhere-1/libjiagu_old.so 75A66000 00050000
     3 LOAD:75A6FB44             loc_75A6FB44                            ; CODE XREF: __fun_a_18(char *,uint):loc_75A6F8CCj
     4 LOAD:75A6FB44                                                     ; __fun_a_18(char *,uint):loc_75A6F8DCj ...
     5 LOAD:75A6FB44 01 30 8C E2 ADD             R3, R12, #1             ; jumptable 75A6F8DC case 33
     6 LOAD:75A6FB48 03 20 D4 E7 LDRB            R2, [R4,R3]
     7 LOAD:75A6FB4C 1C 30 8D E5 STR             R3, [SP,#0xCC+var_B0]
     8 LOAD:75A6FB50 00 00 52 E3 CMP             R2, #arg_0
     9 LOAD:75A6FB54 66 02 00 0A BEQ             loc_75A704F4
    10 LOAD:75A6FB58 02 30 8C E2 ADD             R3, R12, #2
    11 LOAD:75A6FB5C 03 20 94 E7 LDR             R2, [R4,R3]
    12 LOAD:75A6FB60 1C 30 8D E5 STR             R3, [SP,#0xCC+var_B0]
    13 LOAD:75A6FB64 06 C0 8C E2 ADD             R12, R12, #6
    14 LOAD:75A6FB68 02 B1 95 E7 LDR             R11, [R5,R2,LSL#2]
    15 LOAD:75A6FB6C 1C C0 8D E5 STR             R12, [SP,#0xCC+var_B0]
    16 LOAD:75A6FB70 80 15 95 E8 LDMIA           R5, {R7,R8,R10,R12}
    17 LOAD:75A6FB74 07 00 A0 E1 MOV             R0, R7
    18 LOAD:75A6FB78 08 10 A0 E1 MOV             R1, R8
    19 LOAD:75A6FB7C 0A 20 A0 E1 MOV             R2, R10
    20 LOAD:75A6FB80 0C 30 A0 E1 MOV             R3, R12
    21 LOAD:75A6FB84 0B E0 A0 E1 MOV             LR, R11
    22 LOAD:75A6FB88 3E FF 2F E1 BLX             LR
    23 LOAD:75A6FB8C 00 C0 A0 E1 MOV             R12, R0                 ; jumptable 000098CC case 32
    24 LOAD:75A6FB90 00 C0 85 E5 STR             R12, [R5]
    25 LOAD:75A6FB94 1C C0 9D E5 LDR             R12, [SP,#0x50+var_34]

    下好断点后一直F9会发现主是逻辑就是获取解压函数(uncompressc)解压第二个so数据,解压后就是解密第二个SO了。接下来就是在内存中加载第二个SO并获取JNI_OnLoad函数。

     1 LOAD:401030A8 F0 40 2D E9                 STMFD           SP!, {R4-R7,LR}
     2 LOAD:401030AC C8 40 9F E5                 LDR             R4, =(off_40109EC0 - 0x401030C0)
     3 LOAD:401030B0 9C D0 4D E2                 SUB             SP, SP, #0x9C
     4 LOAD:401030B4 00 70 A0 E1                 MOV             R7, R0
     5 LOAD:401030B8 04 40 9F E7                 LDR             R4, [PC,R4]
     6 LOAD:401030BC 00 30 94 E5                 LDR             R3, [R4]
     7 LOAD:401030C0
     8 LOAD:401030C0             loc_401030C0                            ; DATA XREF: LOAD:4010317Co
     9 LOAD:401030C0 01 60 A0 E1                 MOV             R6, R1
    10 LOAD:401030C4 94 20 A0 E3                 MOV             R2, #0x94 ; '
    11 LOAD:401030C8 00 10 A0 E3                 MOV             R1, #0
    12 LOAD:401030CC 0D 00 A0 E1                 MOV             R0, SP
    13 LOAD:401030D0 94 30 8D E5                 STR             R3, [SP,#0x94]
    14 LOAD:401030D4 B5 ED FF EB                 BL              memset
    15 LOAD:401030D8 A0 30 9F E5                 LDR             R3, =0x6F732E2A
    16 LOAD:401030DC 00 20 A0 E3                 MOV             R2, #0
    17 LOAD:401030E0 0D 00 A0 E1                 MOV             R0, SP
    18 LOAD:401030E4 0C 30 8D E5                 STR             R3, [SP,#0xC]
    19 LOAD:401030E8 10 20 CD E5                 STRB            R2, [SP,#0x10]
    20 LOAD:401030EC 00 70 8D E5                 STR             R7, [SP]
    21 LOAD:401030F0 04 60 8D E5                 STR             R6, [SP,#4]
    22 LOAD:401030F4 EB F2 FF EB                 BL              sub_400FFCA8
    23 LOAD:401030F8 84 30 9F E5                 LDR             R3, =(dword_4014D740 - 0x40103108)
    24 LOAD:401030FC 84 10 9F E5                 LDR             R1, =(aMakekey - 0x4010310C)
    25 LOAD:40103100 03 30 8F E0                 ADD             R3, PC, R3
    26 LOAD:40103104 01 10 8F E0                 ADD             R1, PC, R1
    27 LOAD:40103108
    28 LOAD:40103108             loc_40103108                            ; DATA XREF: LOAD:40103184o
    29 LOAD:40103108 00 00 83 E5                 STR             R0, [R3]
    30 LOAD:4010310C
    31 LOAD:4010310C             loc_4010310C                            ; DATA XREF: LOAD:40103188o
    32 LOAD:4010310C F2 F2 FF EB                 BL              my_dlsym
    33 LOAD:40103110 00 30 50 E2                 SUBS            R3, R0, #0
    34 LOAD:40103114 08 00 00 0A                 BEQ             loc_4010313C
    35 LOAD:40103118 FF 0E C3 E3                 BIC             R0, R3, #0xFF0
    36 LOAD:4010311C 0F 00 C0 E3                 BIC             R0, R0, #0xF
    37 LOAD:40103120 01 1A A0 E3                 MOV             R1, #0x1000
    38 LOAD:40103124 03 20 A0 E3                 MOV             R2, #3
    39 LOAD:40103128 7D 70 A0 E3                 MOV             R7, #0x7D ; '}'
    40 LOAD:4010312C 00 00 00 EF                 SVC             0
    41 LOAD:40103130 54 20 9F E5                 LDR             R2, =(loc_40102C0C - 0x4010313C)
    42 LOAD:40103134 02 20 8F E0                 ADD             R2, PC, R2
    43 LOAD:40103138 00 20 83 E5                 STR             R2, [R3]
    44 LOAD:4010313C
    45 LOAD:4010313C             loc_4010313C                            ; DATA XREF: LOAD:4010318Co
    46 LOAD:4010313C 4C 30 9F E5                 LDR             R3, =(dword_4014D740 - 0x4010314C)
    47 LOAD:40103140 4C 10 9F E5                 LDR             R1, =(aJni_onload - 0x40103150)
    48 LOAD:40103144 03 30 8F E0                 ADD             R3, PC, R3
    49 LOAD:40103148 01 10 8F E0                 ADD             R1, PC, R1
    50 LOAD:4010314C
    51 LOAD:4010314C             loc_4010314C                            ; DATA XREF: LOAD:40103190o
    52 LOAD:4010314C 00 00 93 E5                 LDR             R0, [R3]
    53 LOAD:40103150
    54 LOAD:40103150             loc_40103150                            ; DATA XREF: LOAD:40103194o
    55 LOAD:40103150 E1 F2 FF EB                 BL              my_dlsym ; 获取第二个SO的JNI_OnLoad函数
    56 LOAD:40103154 94 10 9D E5                 LDR             R1, [SP,#0x94]
    57 LOAD:40103158 38 30 9F E5                 LDR             R3, =(dword_4014D744 - 0x40103168)
    58 LOAD:4010315C 00 20 94 E5                 LDR             R2, [R4]
    59 LOAD:40103160 03 30 8F E0                 ADD             R3, PC, R3
    60 LOAD:40103164 02 00 51 E1                 CMP             R1, R2
    61 LOAD:40103168
    62 LOAD:40103168             loc_40103168                            ; DATA XREF: LOAD:40103198o
    63 LOAD:40103168 00 00 83 E5                 STR             R0, [R3]
    64 LOAD:4010316C 01 00 00 1A                 BNE             loc_40103178
    65 LOAD:40103170 9C D0 8D E2                 ADD             SP, SP, #0x9C
    66 LOAD:40103174 F0 80 BD E8                 LDMFD           SP!, {R4-R7,PC}
    67 LOAD:40103178
    68 LOAD:40103178             loc_40103178

    获取到第二个SO的JNI_OnLoad函数地址后走到Case 33处跳到第二个SO的JNI_OnLoad去执行了,到此第一个SO的主要工作就基本完成了。

    第二个SO的JNI_OnLoad主要工作就是注册壳本身的 Native函数与被Native的onCreate函数

     1 //注册 Native onCreate  文件偏移 C252
     2 debug190 76174000 761DA000 R . X D . byte 00 public CODE 32 00 01
     3 debug190:76180252             loc_76180252                            ; CODE XREF: debug190:7618028Aj
     4 debug190:76180252                                                     ; debug190:76180292j ...
     5 debug190:76180252 D7 23       MOVS            R3, #0xD7 ; '
     6 debug190:76180254 09 98       LDR             R0, [SP,#0x24]
     7 debug190:76180256 9B 00       LSLS            R3, R3, #2
     8 debug190:76180258 01 68       LDR             R1, [R0]
     9 debug190:7618025A CB 58       LDR             R3, [R1,R3]
    10 debug190:7618025C 21 1C       MOVS            R1, R4
    11 debug190:7618025E 9C 46       MOV             R12, R3
    12 debug190:76180260 01 23       MOVS            R3, #1
    13 debug190:76180262 E0 47       BLX             R12                     ; Native onCreate R2:存放注册信息,签名等
    14 debug190:76180264 5B 46       MOV             R3, R11
    15 debug190:76180266 01 22       MOVS            R2, #1
    16 debug190:76180268 1B 78       LDRB            R3, [R3]
    17 debug190:7618026A 1A 42       TST             R2, R3
    18 debug190:7618026C 00 D0       BEQ             loc_76180270
    19 debug190:7618026E A7 E1       B               loc_761805C0

    下面是我通过hook注册函数打印出来的对应类的Native函数,在后面SO劫持会有说:

     1 class-Ldalvik/system/DexFile; ->name=getClassNameList  address=75FE10F9
     2 class-Lcom/qihoo/bugreport/javacrash/CrashReportDataFactory; ->name=interface9  address=7600917D
     3 class-Lcom/qihoo/util/StubApp296881940; ->name=mark  address=75FF75FD
     4 class-Lcom/qihoo/util/StubApp296881940; ->name=mark  address=75FFBE45
     5 class-Lcom/qihoo/util/StubApp296881940; ->name=mark  address=75FFBD91
     6 class-Lcom/qihoo/util/StubApp296881940; ->name=interface10  address=75FFE819
     7 class-Lcom/qihoo/util/StubApp296881940; ->name=interface5  address=75FE0375
     8 class-Lcom/qihoo/util/StubApp296881940; ->name=interface6  address=75FDD95D
     9 class-Lcom/qihoo/util/StubApp296881940; ->name=interface7  address=75FE1801
    10 class-Lcom/qihoo/util/StubApp296881940; ->name=interface8  address=75FDDCFD
    11 class-Lcom/mob/tools/MobUIShell; ->name=onCreate  address=75FDF729
    12 class-Lcom/txy/anywhere/activity/GreenHandGuideActivity; ->name=onCreate  address=75FDF6F1
    13 class-Lcom/txy/anywhere/activity/MainActivity; ->name=onCreate  address=75FDF6B9
    14 class-Lcom/txy/anywhere/activity/PanoramaActivity; ->name=onCreate  address=75FDF681
    15 class-Lcom/txy/anywhere/activity/move/MoveDetailActivity; ->name=onCreate  address=75FDF649
    16 class-Lcom/txy/anywhere/activity/move/MoveSettingsMapChoiceActivity; ->name=onCreate  address=75FDF611
    17 class-Lcom/txy/anywhere/activity/specific/SpecificProgramDetailActivity; ->name=onCreate  address=75FDF5D9
    18 class-Lcom/txy/anywhere/wxapi/WXPayEntryActivity; ->name=onCreate  address=75FDF5A1
    19 class-Lcom/common/customp/PullEntry; ->name=getAppkey  address=75FE1439

    接下来就是解密原始DEX了,解密逻辑如下:

      1 //解密dex
      2  密钥 A0 EC E6 CC FB A6 F1 A2  EC A3 E7 AF E1 5A EA 2F
      3 debug190:761BB0E0             ; ---------------------------------------------------------------------------
      4 debug190:761BB0E0 F0 B5       PUSH            {R4-R7,LR}
      5 debug190:761BB0E2 57 46       MOV             R7, R10
      6 debug190:761BB0E4 4E 46       MOV             R6, R9
      7 debug190:761BB0E6 45 46       MOV             R5, R8
      8 debug190:761BB0E8 E0 B4       PUSH            {R5-R7}
      9 debug190:761BB0EA 16 1C       MOVS            R6, R2
     10 debug190:761BB0EC 80 22       MOVS            R2, #0x80 ; '€'
     11 debug190:761BB0EE 80 46       MOV             R8, R0
     12 debug190:761BB0F0 24 4C       LDR             R4, =(dword_761DCD20 - 0x761BB0FA)
     13 debug190:761BB0F2 C2 B0       SUB             SP, SP, #0x108
     14 debug190:761BB0F4 1F 1C       MOVS            R7, R3
     15 debug190:761BB0F6 7C 44       ADD             R4, PC ; dword_761DCD20
     16 debug190:761BB0F8 4A 9B       LDR             R3, [SP,#0x128]
     17 debug190:761BB0FA 24 68       LDR             R4, [R4]
     18 debug190:761BB0FC 01 AD       ADD             R5, SP, #4
     19 debug190:761BB0FE 99 46       MOV             R9, R3
     20 debug190:761BB100 23 68       LDR             R3, [R4]
     21 debug190:761BB102 8A 46       MOV             R10, R1
     22 debug190:761BB104 28 1C       MOVS            R0, R5
     23 debug190:761BB106 00 21       MOVS            R1, #0
     24 debug190:761BB108 52 00       LSLS            R2, R2, #1
     25 debug190:761BB10A 41 93       STR             R3, [SP,#0x104]
     26 debug190:761BB10C 10 F0 4E FA BL              j_j_memset_1
     27 debug190:761BB110 43 46       MOV             R3, R8
     28 debug190:761BB112 59 68       LDR             R1, [R3,#4]
     29 debug190:761BB114 00 29       CMP             R1, #0
     30 debug190:761BB116 2D D0       BEQ             loc_761BB174
     31 debug190:761BB118 28 1C       MOVS            R0, R5
     32 debug190:761BB11A 10 22       MOVS            R2, #0x10
     33 debug190:761BB11C 00 F0 94 F8 BL              Rc4_Key_Init            ; A0 EC E6 CC FB A6 F1 A2  EC A3 E7 AF E1 5A EA 2F
     34 debug190:761BB120 3B 68       LDR             R3, [R7]
     35 debug190:761BB122 00 2B       CMP             R3, #0
     36 debug190:761BB124 11 D0       BEQ             loc_761BB14A
     37 debug190:761BB126 28 1C       MOVS            R0, R5
     38 debug190:761BB128 51 46       MOV             R1, R10
     39 debug190:761BB12A 32 1C       MOVS            R2, R6
     40 debug190:761BB12C 00 F0 D6 F8 BL              Rc4_Dec
     41 debug190:761BB130 4B 46       MOV             R3, R9
     42 debug190:761BB132 00 20       MOVS            R0, #0
     43 debug190:761BB134 1E 60       STR             R6, [R3]
     44 debug190:761BB136
     45 debug190:761BB136             loc_761BB136                            ; CODE XREF: debug190:761BB172j
     46 debug190:761BB136                                                     ; debug190:761BB178j ...
     47 debug190:761BB136 41 9A       LDR             R2, [SP,#0x104]
     48 debug190:761BB138 23 68       LDR             R3, [R4]
     49 debug190:761BB13A 9A 42       CMP             R2, R3
     50 debug190:761BB13C 20 D1       BNE             loc_761BB180
     51 debug190:761BB13E 42 B0       ADD             SP, SP, #0x108
     52 debug190:761BB140 1C BC       POP             {R2-R4}
     53 debug190:761BB142 90 46       MOV             R8, R2
     54 debug190:761BB144 99 46       MOV             R9, R3
     55 debug190:761BB146 A2 46       MOV             R10, R4
     56 debug190:761BB148 F0 BD       POP             {R4-R7,PC}
     57 debug190:761BB14A             ; ---------------------------------------------------------------------------
     58 debug190:761BB14A
     59 debug190:761BB14A             loc_761BB14A                            ; CODE XREF: debug190:761BB124j
     60 debug190:761BB14A 30 1C       MOVS            R0, R6
     61 debug190:761BB14C 10 F0 96 FA BL              malloc_0
     62 debug190:761BB150 80 46       MOV             R8, R0
     63 debug190:761BB152 00 28       CMP             R0, #0
     64 debug190:761BB154 11 D0       BEQ             loc_761BB17A
     65 debug190:761BB156 51 46       MOV             R1, R10
     66 debug190:761BB158 32 1C       MOVS            R2, R6
     67 debug190:761BB15A 10 F0 17 FA BL              memcpy_0                ; 拷贝加密的dex内容
     68 debug190:761BB15E 28 1C       MOVS            R0, R5
     69 debug190:761BB160 41 46       MOV             R1, R8
     70 debug190:761BB162 32 1C       MOVS            R2, R6
     71 debug190:761BB164 00 F0 BA F8 BL              Rc4_Dec                 ; 解密Dex内容
     72 debug190:761BB168 4B 46       MOV             R3, R9
     73 debug190:761BB16A 1E 60       STR             R6, [R3]
     74 debug190:761BB16C 43 46       MOV             R3, R8
     75 debug190:761BB16E 00 20       MOVS            R0, #0
     76 debug190:761BB170 3B 60       STR             R3, [R7]
     77 debug190:761BB172 E0 E7       B               loc_761BB136
     78 debug190:761BB174             ; ---------------------------------------------------------------------------
     79 debug190:761BB174
     80 
     81 //再次解密dex  文件偏移  EDF4
     82 debug190 76174000 761DA000 R . X D . byte 00 public CODE 32 00 01
     83 debug190:76182DF4             loc_76182DF4                            ; CODE XREF: debug190:76182DB6j
     84 debug190:76182DF4 51 46       MOV             R1, R10
     85 debug190:76182DF6 34 F0 F3 FA BL              loc_761B73E0
     86 debug190:76182DFA 00 28       CMP             R0, #0
     87 debug190:76182DFC DC DB       BLT             loc_76182DB8
     88 debug190:76182DFE 53 46       MOV             R3, R10
     89 debug190:76182E00 1B 68       LDR             R3, [R3]
     90 debug190:76182E02 58 46       MOV             R0, R11
     91 debug190:76182E04 9A 46       MOV             R10, R3
     92 debug190:76182E06 5B 46       MOV             R3, R11
     93 debug190:76182E08 1B 68       LDR             R3, [R3]
     94 debug190:76182E0A 05 99       LDR             R1, [SP,#0x14]
     95 debug190:76182E0C 06 9A       LDR             R2, [SP,#0x18]
     96 debug190:76182E0E DB 68       LDR             R3, [R3,#0xC]
     97 debug190:76182E10 9C 46       MOV             R12, R3
     98 debug190:76182E12 53 46       MOV             R3, R10
     99 debug190:76182E14 E0 47       BLX             R12                     ; 又是解密
    100 debug190:76182E16 00 28       CMP             R0, #0
    101 debug190:76182E18 CE DB       BLT             loc_76182DB8
    102 debug190:76182E1A 05 98       LDR             R0, [SP,#0x14]
    103 debug190:76182E1C 48 F0 0E FC BL              free_0
    104 debug190:76182E20 5B 46       MOV             R3, R11
    105 debug190:76182E22 1B 68       LDR             R3, [R3]
    106 debug190:76182E24 58 46       MOV             R0, R11
    107 debug190:76182E26 5B 68       LDR             R3, [R3,#4]
    108 debug190:76182E28 98 47       BLX             R3
    109 debug190:76182E2A 03 9B       LDR             R3, [SP,#0xC]
    110 debug190:76182E2C 4D 44       ADD             R5, R9
    111 debug190:76182E2E 53 44       ADD             R3, R10
    112 debug190:76182E30 18 1C       MOVS            R0, R3
    113 debug190:76182E32 9D 42       CMP             R5, R3
    114 debug190:76182E34 05 D0       BEQ             loc_76182E42            ; 解密dex
    115 debug190:76182E36 00 2E       CMP             R6, #0
    116 debug190:76182E38 03 D0       BEQ             loc_76182E42            ; 解密dex
    117 debug190:76182E3A 29 1C       MOVS            R1, R5
    118 debug190:76182E3C 32 1C       MOVS            R2, R6
    119 debug190:76182E3E FE F7 49 FF BL              loc_76181CD4
    120 
    121 
    122 //解密dex 头0x70字节  文件偏移  EE42
    123 debug190 76174000 761DA000 R . X D . byte 00 public CODE 32 00 01
    124 debug190:76182E42             loc_76182E42                            ; CODE XREF: sub_76182C48+1ECj
    125 debug190:76182E42                                                     ; sub_76182C48+1F0j
    126 debug190:76182E42 7A 69       LDR             R2, [R7,#0x14]          ; 解密dex
    127 debug190:76182E44 50 46       MOV             R0, R10
    128 debug190:76182E46 70 21       MOVS            R1, #0x70 ; 'p'
    129 debug190:76182E48 38 F0 90 F8 BL              sub_761BAF6C            ; 解密dex头70字节
    130 debug190:76182E4C 01 25       MOVS            R5, #1
    131 debug190:76182E4E B9 E7       B               loc_76182DC4

    这时就可以将DEX数据dump出来,其实后面每个onCreate中也会出现明文的DEX。

    将dump出来的dex通过JDE反编译后发现很多Activity中的onCreate函数变成了Native了,从上面打印的类与对应函数可以看得出。

    0x03:被Native后的onCreate分析, 尝试修复与猜想

    在上面分析到注册Native函数时就对onCreate函数下好了断点,直接F9来到onCreate断下。

    1 //出现解密后dex 文件偏移 A910
    2 debug098 75DC6000 75E2C000 R . X D . byte 00 public CODE 32 00 01
    3 debug098:75DD0910             loc_75DD0910                            ; CODE XREF: debug098:75DD08F2j
    4 debug098:75DD0910 05 9B       LDR             R3, [SP,#0x14]
    5 debug098:75DD0912 1C 20       MOVS            R0, #0x1C
    6 debug098:75DD0914 1F 68       LDR             R7, [R3]                ; 出现解密后dex
    7 debug098:75DD0916 B3 68       LDR             R3, [R6,#8]
    8 debug098:75DD0918 9C 46       MOV             R12, R3
    9 debug098:75DD091A 67 44       ADD             R7, R12

    一直单步走到定位指令的地方。

     1 //定位到dex中的onCreate方法在内存中的指令,获取dex中的onCreate指令并解密。 文件偏移 2F9F8
     2 debug098 75DC6000 75E2C000 R . X D . byte 00 public CODE 32 00 01
     3 debug098:75DF59F8
     4 debug098:75DF59F8             loc_75DF59F8                            ; CODE XREF: debug098:75DF5988j
     5 debug098:75DF59F8                                                     ; debug098:75DF59CAj
     6 debug098:75DF59F8 A3 68       LDR             R3, [R4,#8]
     7 debug098:75DF59FA 10 33       ADDS            R3, #0x10               ; 定位到onCreate指令
     8 debug098:75DF59FC 1E 1C       MOVS            R6, R3
     9 debug098:75DF59FE 0C 93       STR             R3, [SP,#0x30]
    10 debug098:75DF5A00
    11 debug098:75DF5A00             loc_75DF5A00                            ; CODE XREF: debug098:75DF5E54j
    12 debug098:75DF5A00                                                     ; debug098:75DF5EF4j ...
    13 debug098:75DF5A00 0C 9B       LDR             R3, [SP,#0x30]
    14 debug098:75DF5A02 00 21       MOVS            R1, #0
    15 debug098:75DF5A04 F0 1A       SUBS            R0, R6, R3
    16 debug098:75DF5A06 43 10       ASRS            R3, R0, #1
    17 debug098:75DF5A08 30 1C       MOVS            R0, R6
    18 debug098:75DF5A0A 06 93       STR             R3, [SP,#0x18]
    19 debug098:75DF5A0C FE F7 29 FE BL              GetCode                 ; 获取dex中的onCreate指令并解密
    20 debug098:75DF5A10 05 90       STR             R0, [SP,#0x14]
    21 debug098:75DF5A12 00 06       LSLS            R0, R0, #0x18
    22 debug098:75DF5A14 00 0E       LSRS            R0, R0, #0x18
    23 debug098:75DF5A16 01 38       SUBS            R0, #1                  ; switch 255 cases
    24 debug098:75DF5A18 FE 28       CMP             R0, #0xFE ; '        ;判断是否超出表示指令范围
    25 debug098:75DF5A1A 01 D9       BLS             loc_75DF5A20
    26 debug098:75DF5A1C 02 F0 8D FF BL              def_75DF5A20            ; jumptable 75DF5A20 default case

    比如 下面是dex中OnCreate的指令,

    读取上面的指令并解密。

     1 //获取指令,并解密 文件偏移 2E662
     2 debug098 75DC6000 75E2C000 R . X D . byte 00 public CODE 32 00 01
     3 debug098:75DF4662             GetCode                                 ; CODE XREF: debug098:75DF5A0Cp
     4 debug098:75DF4662                                                     ; debug098:75DF5E40p ...
     5 debug098:75DF4662 38 B5       PUSH            {R3-R5,LR}
     6 debug098:75DF4664 05 1C       MOVS            R5, R0
     7 debug098:75DF4666 0C 1C       MOVS            R4, R1
     8 debug098:75DF4668 FD F7 D6 FC BL              loc_75DF2018
     9 debug098:75DF466C 00 7E       LDRB            R0, [R0,#0x18]          ; 密钥
    10 debug098:75DF466E 64 00       LSLS            R4, R4, #1
    11 debug098:75DF4670 02 1C       MOVS            R2, R0
    12 debug098:75DF4672 03 02       LSLS            R3, R0, #8
    13 debug098:75DF4674 1A 43       ORRS            R2, R3
    14 debug098:75DF4676 63 5B       LDRH            R3, [R4,R5]             ; 取指令
    15 debug098:75DF4678 5A 40       EORS            R2, R3              ;解密
    16 debug098:75DF467A 10 1C       MOVS            R0, R2
    17 debug098:75DF467C 38 BD       POP             {R3-R5,PC}

    解密后判断指令类型,获取执行须要的数据,每一种操作码(OPCode)都对应有一个处理逻辑(是一段代码,但不一定是函数),然后跳转到对应的处理逻辑去处理它,简单说一个正常没加壳的指令格式。

    71 20  06 00  02 00  invoke-static {v2, v0}, int aurora.view.AuroraTest.Test2(int, java.lang.String)

    71操作码

    2  参数个数

    0006 method idx

    02参数V2

    00参数 V0

    对应Android官方指令表

    但是加壳后的指令被变成了自己定义的了,我第一次想法是想通过分析加壳前与加壳后指令对应关系,只要找到足够多的指令就能将其还原,我简单加了两个apk测试,从第一个中找到了如下的指令对应关系。

    真实指令    自定义指令
    6f          =     74
    6E           =     22
    0c           =     cc
    1f           =     9c
    60           =     5a
    39           =     9c
    1a           =     89
    22           =     4B
    71           =     0b
    70           =     33
    15           =     5b
    5b           =     e4
    54           =     5c
    6f           =     74
    14           =     08
    0e           =     8e

    将第一个apk中找到的指令来修复第二个指令,不知道是免费版的原因,还是巧合,我成功修复了第二个apk,但是当我用这个关系来尝试修复要破解的程序时根本不行,后来想了想,这种方法应当不行,都自己实现了解释器,为什么还要让指令固定呢?不科学呀,放弃了这种想法。

    其实壳读取并解密一条指令后主要是使用JNI接口函数来实现解析执行。

    如果指令类型是调用函数的话就会做如下动作,其它的调用其它接口(简单示例)

    1 jclass clazz=(*env)->FindClass(env,"com/example/test");
    2     jmethodID methodId=(*env)->GetMethodID(env,clazz,"Add","(II)I");
    3     // jint        (*CallIntMethod)(JNIEnv*, jobject, jmethodID, ...);
    4     (*env)->CallIntMethod(env,jobject,methodId,3,5);

    主要流程如下:

     1 //获取dex中的类名、函数名、签名  文件偏移 2E648
     2 debug098 75DC6000 75E2C000 R . X D . byte 00 public CODE 32 00 01
     3 debug098:75DF4648
     4 debug098:75DF4648             GetString                               ; CODE XREF: debug098:75DF4C52p
     5 debug098:75DF4648                                                     ; debug098:75DF4C78p ...
     6 debug098:75DF4648 03 69       LDR             R3, [R0,#0x10]
     7 debug098:75DF464A 02 68       LDR             R2, [R0]
     8 debug098:75DF464C 89 00       LSLS            R1, R1, #2
     9 debug098:75DF464E DB 6B       LDR             R3, [R3,#0x3C]
    10 debug098:75DF4650 C9 18       ADDS            R1, R1, R3
    11 debug098:75DF4652 8B 58       LDR             R3, [R1,R2]
    12 debug098:75DF4654 D0 18       ADDS            R0, R2, R3
    13 debug098:75DF4656
    14 debug098:75DF4656             loc_75DF4656                            ; CODE XREF: debug098:75DF465Ej
    15 debug098:75DF4656 01 30       ADDS            R0, #1
    16 debug098:75DF4658 43 1E       SUBS            R3, R0, #1
    17 debug098:75DF465A 1B 78       LDRB            R3, [R3]
    18 debug098:75DF465C 7F 2B       CMP             R3, #0x7F ; ''
    19 debug098:75DF465E FA D8       BHI             loc_75DF4656
    20 debug098:75DF4660 70 47       BX              LR
    21 
    22 FindClass  文件偏移 18956
    23 debug098 75DC6000 75E2C000 R . X D . byte 00 public CODE 32 00 01
    24 debug098:75DDE956             sub_75DDE956                            ; CODE XREF: debug098:75DF4CBAp
    25 debug098:75DDE956                                                     ; debug098:75DF5092p ...
    26 debug098:75DDE956 08 B5       PUSH            {R3,LR}
    27 debug098:75DDE958 03 68       LDR             R3, [R0]
    28 debug098:75DDE95A 9B 69       LDR             R3, [R3,#0x18]
    29 debug098:75DDE95C 98 47       BLX             R3                      ; FindClass
    30 debug098:75DDE95E 08 BD       POP             {R3,PC}
    31 
    32 ExceptionCheck 文件偏移  1802E
    33 debug096 75DC6000 75E2C000 R . X D . byte 00 public CODE 32 00 01
    34 debug096:75DDE02E             loc_75DDE02E                            ; CODE XREF: debug096:75DDE046p
    35 debug096:75DDE02E                                                     ; debug096:75DF4BECp ...
    36 debug096:75DDE02E 08 B5       PUSH            {R3,LR}
    37 debug096:75DDE030 E4 23       MOVS            R3, #0xE4 ; '
    38 debug096:75DDE032 02 68       LDR             R2, [R0]
    39 debug096:75DDE034 9B 00       LSLS            R3, R3, #2
    40 debug096:75DDE036 D3 58       LDR             R3, [R2,R3]
    41 debug096:75DDE038 98 47       BLX             R3                      ; ExceptionCheck
    42 debug096:75DDE03A 08 BD       POP             {R3,PC}
    43 
    44 //GetMethodID 文件偏移
    45 debug098 75DC6000 75E2C000 R . X D . byte 00 public CODE 32 00 01
    46 debug098:75DFB11E             loc_75DFB11E                            ; CODE XREF: debug098:75DFB10Ej
    47 debug098:75DFB11E 00 98       LDR             R0, [SP]
    48 debug098:75DFB120 04 99       LDR             R1, [SP,#0x10]
    49 debug098:75DFB122 01 9A       LDR             R2, [SP,#4]
    50 debug098:75DFB124 B0 47       BLX             R6                      ; GetMethodID
    51 debug098:75DFB126 06 1C       MOVS            R6, R0
    52 debug098:75DFB128 28 1C       MOVS            R0, R5
    53 
    54 //DeleteLocalRef 文件偏移 18018
    55 debug096 75DC6000 75E2C000 R . X D . byte 00 public CODE 32 00 01
    56 debug096:75DDE018             loc_75DDE018                            ; CODE XREF: debug096:75DDE062p
    57 debug096:75DDE018                                                     ; debug096:75DF528Ap ...
    58 debug096:75DDE018 08 B5       PUSH            {R3,LR}
    59 debug096:75DDE01A 03 68       LDR             R3, [R0]
    60 debug096:75DDE01C DB 6D       LDR             R3, [R3,#0x5C]
    61 debug096:75DDE01E 98 47       BLX             R3                      ; DeleteLocalRef
    62 debug096:75DDE020 08 BD       POP             {R3,PC}
    63 
    64 //CallNonvirtualVoidMethodA  文件偏移 2EFEC
    65 debug096 75DC6000 75E2C000 R . X D . byte 00 public CODE 32 00 01
    66 debug096:75DF4FEC             loc_75DF4FEC                            ; CODE XREF: sub_75DF4B50:loc_75DF4F0Cj
    67 debug096:75DF4FEC 23 68       LDR             R3, [R4]                ; jumptable 75DF4F0C case 86
    68 debug096:75DF4FEE 02 9A       LDR             R2, [SP,#0x108+var_100]
    69 debug096:75DF4FF0 20 1C       MOVS            R0, R4
    70 debug096:75DF4FF2 FC 33       ADDS            R3, #0xFC ; '
    71 debug096:75DF4FF4 00 92       STR             R2, [SP,#0x108+var_108]
    72 debug096:75DF4FF6 9D 6F       LDR             R5, [R3,#0x78]
    73 debug096:75DF4FF8 04 99       LDR             R1, [SP,#0x108+var_F8]
    74 debug096:75DF4FFA 18 9A       LDR             R2, [SP,#0x108+var_A8]
    75 debug096:75DF4FFC 03 9B       LDR             R3, [SP,#0x108+var_FC]
    76 debug096:75DF4FFE A8 47       BLX             R5                      ; CallNonvirtualVoidMethodA
    77 debug096:75DF5000 4D E1       B               def_75DF4F0C            ; jumptable 75DF4F0C default case

    通过上面的流程分析后,我猜想能不能hook或者用其它方法来监控JNI接口,得到对应的执行流程与调用了那那些JNI函数,在对应着Android  Dalvik bytecode指令表来反推出真实的指令,其实就是看一条指令执行完成后调用的JNI接口能不能确定是什么指令,目前还没有试,如果大牛们有什么好办法还请多多指教,目的是破解程序,静态分析己经可以了,先不考虑还原。(^_^)

    来回顾下壳的主要流程:

    壳主soà反调试à解压并解密第二个soà从主so中跳到第二个so中执行à第二人so注册native函数à解密原始DEXà程序跑起来后到Native onCreateà定位到自定义的指令à读取指令并解密à解析指令格式à获取执行指令须要的参数à调用JNI接口执行。

    0x04:通过SO劫持跳过烦人的反调试快速到达要分析的函数

    我想要是你玩过windows上破解都知道DLL劫持吧,先伪造一个同名的DLL,提供同样的输出函数,每个输出函数中转向真正的DLL函数,不错,我也是用这种方法来实现注入SO来Hook函数,过掉反调试,会省去很多时间反调试上面,直接到你想要分析的关键函数。

    分析壳java层代码就知道它主要是通过读取从资源目中把壳so拷到指定目录中加载,

    我的做法是hook getAssets().open()函数,将资源中的so替换成我的so,然后将壳so改名放在app-lib目录中给我的so加载。

      1 XposedHelpers.findAndHookMethod(
      2                     AssetManager.class, //被Hook函数所在的类
      3                     "open",     //被Hook函数的名称
      4                     String.class,
      5                     new XC_MethodHook(){
      6                         @Override
      7                         protected void beforeHookedMethod(MethodHookParam param)
      8                                 throws Throwable {
      9                             // Hook函数之前执行的代码    
     10                             String path = param.args[0].toString();
     11                             if(path.equals("libjiagu.so")){
     12                                 param.args[0] = "/data/local/tmp/libjiagu.so";
     13                             }
     14                             Yfw_DebugLog.d("open  beforeHookedMethod--->0 "+param.args[0].toString());
     15                         }
     16                         
     17                         @Override
     18                         protected void afterHookedMethod(MethodHookParam param) throws Throwable {
     19                             
     20                             File file = new File(param.args[0].toString());  
     21                             InputStream input = new FileInputStream(file);
     22                             param.setResult(input);
     23                             Yfw_DebugLog.d("open afterHookedMethod--->"+param.getResult().toString());
     24 
     25                         }
     26                     });
     27 
     28 So的代码也很简单:
     29 /*
     30 调用原始JNI_OnLoad
     31 */
     32 jint LoadSo_InitJni(char* SoFilePath, JavaVM* vm, void* reserved)
     33 {
     34     jint ret;
     35     void *pHandle = NULL;
     36     pHandle = dlopen(SoFilePath, RTLD_LAZY);
     37     if (NULL == pHandle)
     38     {
     39         LOGD("dlopen %s error!", SoFilePath);
     40         return NULL;
     41     }
     42     _JNI_OnLoad old_JNI_OnLoad = NULL;
     43     old_JNI_OnLoad = (_JNI_OnLoad)dlsym(pHandle, "JNI_OnLoad");
     44     if (NULL == old_JNI_OnLoad)
     45     {
     46         LOGD("old_JNI_OnLoad error!");
     47         return NULL;
     48     }
     49     LOGD("old_JNI_OnLoad address=%X   env...%X", old_JNI_OnLoad, g_env);
     50     ret = old_JNI_OnLoad(vm, reserved);
     51     LOGD("old_JNI_OnLoad end...%d", ret);
     52     return ret;
     53 
     54 }
     55 
     56 Hook open函数过反调试
     57 int new_open(const char *pathname, int oflag, mode_t mode)
     58 {
     59     if (NULL == pathname)
     60     {
     61         goto exitret;
     62     }
     63 
     64     LOGD("new_open..%s", pathname); 
     65     if (strstr(pathname, "net/tcp") != NULL) 
     66     {
     67         return 0;
     68     }
     69     if (strstr(pathname, "status") != NULL)
     70     {
     71         return 0;
     72     }
     73     if (strstr(pathname, "stat") != NULL)
     74     {
     75         return 0;
     76     }
     77     if (strstr(pathname, "schedstat") != NULL)
     78     {
     79         return 0;
     80     }
     81 
     82 exitret:
     83     return old_open(pathname, oflag, mode);
     84 }
     85 Hook time过反调试
     86 time_t new_time(time_t * timer) {
     87     LOGD("new_time------->");
     88     return 0;
     89 }
     90 Hook dvmUseJNIBridge 方便在 native下断点,打印出对应类的方法
     91 void new_dvmUseJNIBridge(Method* method, void* func)
     92 {
     93     LOGD("my_dvmUseJNIBridge class-%s ->name=%s  address=%08X", method->clazz->descriptor, method->name, func);
     94     //LOGD("my_dvmUseJNIBridge nativeFunc-%s", method->nativeFunc);
     95     if (0 == strcmp(method->name, "getClassNameList"))
     96     {
     97         sleep(8); //等待附加调试器
     98     }
     99     return old_dvmUseJNIBridge(method, func);
    100 }

    这样当我们的so加载时用IDA附加上就可以在new_dvmUseJNIBridge下断点,就能在想要分析的Native函数上下断点了。

    上面的代码就完成了整个劫持的过程,开心地调试吧!!!!!!

    0x05:静态分析APP的注册验证流程与编写Xposed插件。

    通过JEB反编译该应用dump出来的的classes.dex文件,直接搜索登录时用到的网址字符串 7658/api/entrance,找到如下的字符串,双击第一个字符串进去 。

    其中的a函数是返回网址的,当参数为10时是要找到网址。

     1 public static String a(int arg1) {
     2         switch(arg1) {
     3             case 10: {
     4                 goto label_4; //返回登录地址
     5             }
     6             case 11: {
     7                 goto label_6;
     8             }
     9             case 12: {
    10                 goto label_8;
    11             }
    12             case 13: {
    13                 goto label_10;
    14             }
    15             case 14: {
    16                 goto label_12;
    17             }
    18             case 15: {
    19                 goto label_14;
    20             }
    21             case 16: {
    22                 goto label_16;
    23             }
    24             case 17: {
    25                 goto label_18;
    26             }
    27             case 19: {
    28                 goto label_20;
    29             }
    30             case 20: {
    31                 goto label_22;
    32             }
    33         }

    按JEB快捷键 x 找到传入参数为10调用上面函数的地方,找到如下的类:

     1 public class g extends j {
     2     private static String login;
     3     private ThreadPoolExecutor d;
     4     private static g e;
     5 
     6     static {
     7         g.login = i.a(10);
     8         g.e = null;
     9 }
    10 在这个类中找到了网络登录请求并解密返回值的函数。
    11 private String b(h arg5, String arg6) {
    12         String v0 = null;
    13         if(arg5 != null && (arg6 != null && (AndroidHelper.isNetworkActive(this.b)))) {
    14             String v1 = this.a(arg6, arg5.a());  // 组合请求参数
    15             if(v1 == null) {
    16                 return v0;
    17             }
    18 
    19             try {
    20                 JSONObject v2 = new JSONObject(a.a(g.login_address, v1.getBytes("UTF-8"), this.c));  // 传入网址,应该就是网络请求了
    21                 if(v2.getInt("status") != 0) {
    22                     return v0;
    23                 }
    24 
    25                 v0 = j.b(v2.getString("data"));  // 解密登录返回值
    26             }
    27             catch(Exception v0_1) {
    28                 d.a(((Throwable)v0_1));
    29                 v0 = "server_error";
    30             }
    31         }
    32 
    33         return v0;
    34     }

    分析下请求参数都有些什么东西,组合请求参数的函数实现在父类j中。

     1  String a(String arg9, int arg10) {
     2         String v0 = null;
     3         if(arg9 != null) {
     4             String v1 = j.a(this.c(arg9));  // aes加密后再base64
     5             if(TextUtils.isEmpty(((CharSequence)v1))) {
     6                 return v0;
     7             }
     8 
     9             try {
    10                 StringBuffer v2 = new StringBuffer();
    11                 v2.append("body=");
    12                 v2.append(URLEncoder.encode(v1, "UTF-8"));
    13                 v2.append("&t1=");
    14                 v2.append(System.currentTimeMillis() / 1000);
    15                 v2.append("&t2=");
    16                 v2.append(this.d(arg9));
    17                 v2.append("&type=");
    18                 v2.append(arg10);
    19                 v2.append("&flag=");
    20                 v2.append(4);
    21                 v0 = v2.toString();
    22             }
    23             catch(UnsupportedEncodingException v1_1) {
    24                 d.a(((Throwable)v1_1));
    25             }
    26         }
    27 
    28         return v0;
    29     }

    用Xposed hook 加函数打印参数,

     1     //aes加密参数
     2             XposedHelpers.findAndHookMethod(Application.class, "attach", Context.class, new XC_MethodHook() {
     3                 @Override
     4                 protected void afterHookedMethod(MethodHookParam param) throws Throwable {
     5                     ClassLoader cl = ((Context)param.args[0]).getClassLoader();
     6                     Class<?> hookclass = null;
     7                     try {
     8                         hookclass = cl.loadClass("com.txyapp.client.j");
     9                     } catch (Exception e) {
    10                         Yfw_DebugLog.d("寻找com.txyapp.client.j 报错"+ e);
    11                         return;
    12                     }
    13                     Yfw_DebugLog.d("寻找com.txyapp.client.j成功");
    14                     
    15                     XposedHelpers.findAndHookMethod(
    16                             hookclass, //被Hook函数所在的类
    17                             "a",     //被Hook函数的名称
    18                             String.class,
    19                             new XC_MethodHook(){
    20                                 @Override
    21                                 protected void beforeHookedMethod(MethodHookParam param)
    22                                         throws Throwable {
    23                                     // Hook函数之前执行的代码    
    24                                     Yfw_DebugLog.d("a_Aesenc_data  beforeHookedMethod--->0 "+param.args[0].toString());
    25                                 }
    26                                 
    27                                 @Override
    28                                 protected void afterHookedMethod(MethodHookParam param) throws Throwable {
    29                                     Yfw_DebugLog.d("a_Aesenc_data afterHookedMethod--->"+param.getResult().toString());
    30                                 }
    31                             });
    32                 }
    33             });

    主要是将用户名密码,还有一些机器信息aes与base加密后请求过去,格式如下:

    {"data":"{"clientid":"7e7884f241c96051958cb776d6f780d9","password":"xxxxxxxxxx","username":"crack8888"}","header":{"model":"Nexus 5","root":1,"mcc":"460","uptime":1492303101,"sysapi":19,"corever":546,"vername":"13.1.2","un":"","cn":"guanfang","cl":"zh-CN","brand":"google","mnc":"02","uuid":"7FDC501E4B3xxxxx","cpuabi1":"armeabi-v7a","cpuabi2":"armeabi","vercode":322}}

    然后服务器返回一些加密后的数据,从上面的g类b函数中可以看出,判断如果请求成功,就解密返回数据,通过hook该解密函数得到解密后的数据格式为json

     

     1     XposedHelpers.findAndHookMethod(Application.class, "attach", Context.class, new XC_MethodHook() {
     2                 @Override
     3                 protected void afterHookedMethod(MethodHookParam param) throws Throwable {
     4                     ClassLoader cl = ((Context)param.args[0]).getClassLoader();
     5                     Class<?> hookclass = null;
     6                     try {
     7                         hookclass = cl.loadClass("com.txyapp.client.j");
     8                     } catch (Exception e) {
     9                         Yfw_DebugLog.d("寻找com.txyapp.client.j 报错"+ e);
    10                         return;
    11                     }
    12                     Yfw_DebugLog.d("寻找com.txyapp.client.j成功");
    13                     //解密vip
    14                     XposedHelpers.findAndHookMethod(
    15                             hookclass, //被Hook函数所在的类
    16                             "b",     //被Hook函数的名称
    17                             String.class,
    18                             new XC_MethodHook(){
    19                                 @Override
    20                                 protected void beforeHookedMethod(MethodHookParam param)
    21                                         throws Throwable {
    22                                     // Hook函数之前执行的代码    
    23                                     Yfw_DebugLog.d("b_Aesdec_data  beforeHookedMethod--->0 "+param.args[0].toString());
    24                                 }
    25                                 
    26                                 @Override
    27                                 protected void afterHookedMethod(MethodHookParam param) throws Throwable {
    28                                     Yfw_DebugLog.d("b_Aesdec_data afterHookedMethod--->"+param.getResult().toString());
    29                         
    30                                     JSONObject jsonObj = new JSONObject(param.getResult().toString());
    31                                     if(0 == (int)jsonObj.get("vip") ){
    32                                         jsonObj.put("vip", 1);
    33                                         jsonObj.put("expiretime", 1999077441);// 2033-05-07
    34                             
    35                                         Yfw_DebugLog.d("b_Aesdec_data result--->"+jsonObj.toString());
    36                                         viptag = 1;
    37                                         param.setResult(jsonObj.toString());
    38                                     }
    39                                     
    40                                 }
    41                             });
    42                 }
    43             });
    44 //解密后数据
    45 {"status":0,"token":"49436a44d85f46c7e458a6b071af470a","username":"crack8888","vip":0,"expiretime":0}

    从上面格式可以看出 vip:=0代表不是vip, expiretime:到期时间,所以我的在hook函数中将这两个参数修改如下。

    {"vip":1,"username":"crack8888","token":"db9ea6e12936463d722fb7bcda7e97ab","status":0,"expiretime":1999077441}

    这样就成功破解了,会员功能也正常使用。

    还有一个地方就是显示个人信息,hook函数进行修改

     1     //刷新个人信息显示
     2             XposedHelpers.findAndHookMethod(Application.class, "attach", Context.class, new XC_MethodHook() {
     3                 @Override
     4                 protected void afterHookedMethod(MethodHookParam param) throws Throwable {
     5                     ClassLoader cl = ((Context)param.args[0]).getClassLoader();
     6                     Class<?> hookclass = null;
     7                     try {
     8                         hookclass = cl.loadClass("com.txy.anywhere.activity.login.PersonalInfoActivity");
     9                     } catch (Exception e) {
    10                         Yfw_DebugLog.d("寻找com.txy.anywhere.activity.login.PersonalInfoActivity报错"+ e);
    11                         return;
    12                     }
    13                     Yfw_DebugLog.d("寻找com.txy.anywhere.activity.login.PersonalInfoActivity成功");
    14                     //判断是否为vip
    15                     XposedHelpers.findAndHookMethod(
    16                             hookclass, //被Hook函数所在的类
    17                             "a",     //被Hook函数的名称
    18                             String.class,
    19                             new XC_MethodHook(){
    20                                 @Override
    21                                 protected void beforeHookedMethod(MethodHookParam param)
    22                                         throws Throwable {
    23                                     // Hook函数之前执行的代码    
    24                                     Yfw_DebugLog.d("login  beforeHookedMethod--->0 "+param.args[0].toString());
    25                                     
    26                                     
    27                                     JSONObject container1 = new JSONObject();
    28  
    29                                     JSONObject v0_1 = new JSONObject(param.args[0].toString());
    30                                     JSONObject v0_2 = new JSONObject(param.args[0].toString());
    31                                     v0_2 = v0_1.getJSONObject("user_info");
    32                                     v0_2.put("vip", 1);//是否为vip 0:为普通会员, 1:为vip
    33                                     v0_2.put("expire_time", 1999077441);//到期时间
    34                                     v0_2.put("phonenumber", "110");
    35                                     v0_1.put("user_info", v0_2);
    36                                     param.args[0] = v0_1.toString();
    37                                     Yfw_DebugLog.d("login  beforeHookedMethod 1--->0 "+param.args[0].toString());
    38 
    39                                 }
    40                                 
    41                                 @Override
    42                                 protected void afterHookedMethod(MethodHookParam param) throws Throwable {
    43             
    44                                     Yfw_DebugLog.d("login afterHookedMethod--->");
    45                                 }
    46                             });
    47                 }
    48             });

    到这里就算破解完成了,简单测试了会员功能,都能正常使用。

     

    0x06:总结

    由于水平有限,未能更好的分析与表达,不过,通过前面几部分的简单分析,其实我们已经知道只是Native onCreate函数是不够的,主要还是得保护好关键函数不被分析。

     百度网盘 链接: https://pan.baidu.com/s/1c2KiYsg 密码: 2rft

  • 相关阅读:
    bzoj2763 [JLOI]飞行路线 分层图最短路
    [模板]分块/可修改莫队 (数颜色种类)
    gcd步数
    洛谷2378 因式分解 字符串
    bzoj1090 字符串折叠
    洛谷1034 NOIP2002 矩形覆盖
    Codeforces#441 Div.2 四*题
    SPFA的小优化
    洛谷1073 NOIP2009 最优贸易
    bzoj2100 [Usaco2010 DEC]Apple Delivery苹果贸易
  • 原文地址:https://www.cnblogs.com/2014asm/p/6718821.html
Copyright © 2011-2022 走看看