fulao2定位加解密---违法应用分析

fulao2定位加解密反调试

这块暂时不太熟悉，用大佬的脚本过了

据说检测点是 maps、status

通过hook libc.so的open函数将参数进行替换

替换后检测内存中的maps和status变成检测sdcard中的maps和status

把正常的maps和正常的status重定向到sdcard中

打开app

查看包名

adb shell dumpsys window |grep mCurrentFocus

进入adb shell 查看进程

ps -e |grep com.X2uXsmr2f.k1MULKVZd

看这个下面的守护进程4746

将这个maps、status重定向到sd卡中并给运行权限

bullhead:/ # cat /proc/4746/maps > /sdcard/maps
bullhead:/ # cat /proc/4746/status  > /sdcard/status
bullhead:/ # chmod 777 /sdcard/maps
bullhead:/ # chmod 777 /sdcard/status

再次运行

正常运行这样就过掉了检测

Objection与frida同时注入这里要注意因为frida已经注入了一个进程在同时开启objection的时候要直接用 -g指定应用的pid

objection -g 6452 explore

Objection 定位加解密代码

加解密的代码定位思路：

1、先在内存中搜索安卓开发中加解密常用的类

2、hook所有疑似加密的类

3、手机触发加解密函数查看调用频率确定疑似的类

4、将疑似的类的方法进行hook 打调用栈

5、脱壳静态分析算法还原

具体如下：
1 先在内存中搜索安卓开发中加解密常用的类

cipher是安卓开发加解密常用的

android hooking search classes cipher

2 、hook这些疑似的类

保存到cipher.txt--->加上android hooking watch class

nano cipher.txt

sed -i -e 's/^/android hooking watch class /' cipher.txt

注意class后面的一个空格

启动objection 若是崩了先把这个类单独拿出来最后测试

objection -g 6452 explore -c cipher.txt

3、触发加解密查看疑似的类

点我的即可触发

可以发现以这个类为主的加解密javax.crypto.Cipher
4、将疑似的类的方法进行hook 打调用栈

随便找个方法进行hookjavax.crypto.Cipher.createCipher

objection -g 6452 explore

`android hooking watch class_method javax.crypto.Cipher.createCipher --dump-args --dump-backtrace --dump-return

再次点击触发

javax.crypto.Cipher.createCipher(Native Method)roid Commands specific to Android
      javax.crypto.Cipher.getInstance(Cipher.java:414)    Change the current working directory
      com.ilulutv.fulao2.other.k.b.j(EncodeUtility.kt:3)
      com.ilulutv.fulao2.other.k.b.o(EncodeUtility.kt:6)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.i(Unknown Source:15)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.u(Unknown Source:15)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.s2(ContractManagementActivity.kt:14)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.u2(ContractManagementActivity.kt:2)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.onCreate(Unknown Source:18)
      android.app.Activity.performCreate(Activity.java:6999)
      android.app.Activity.performCreate(Activity.java:6990)
      android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1214)
      android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2731)
      android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2856)
      android.app.ActivityThread.-wrap11(Unknown Source:0)
      android.app.ActivityThread$H.handleMessage(ActivityThread.java:1589)
      android.os.Handler.dispatchMessage(Handler.java:106)
      android.os.Looper.loop(Looper.java:164)
      android.app.ActivityThread.main(ActivityThread.java:6494)
      java.lang.reflect.Method.invoke(Native Method)
      com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
      com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)

(agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
(agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@d41049c
(agent) [bu0icef4v4g] Called javax.crypto.Cipher.createCipher(java.lang.String, java.security.Provider)
(agent) [bu0icef4v4g] Backtrace:
      javax.crypto.Cipher.createCipher(Native Method)
      javax.crypto.Cipher.getInstance(Cipher.java:414)
      com.ilulutv.fulao2.other.k.b.g(EncodeUtility.kt:1)
      com.ilulutv.fulao2.other.k.b.f(EncodeUtility.kt:2)
      com.AppGuard.andjni.JniLib.cL(Native Method)
      com.ilulutv.fulao2.other.h.b.a.a(Unknown Source:18)
      h.g0.g.g.j(RealInterceptorChain.java:9)
      h.g0.g.g.d(RealInterceptorChain.java:1)
      h.z.f(RealCall.java:13)
      h.z.c(RealCall.java:9)
      l.l.c(OkHttpCall.java:18)
      l.x.a.c.C(CallExecuteObservable.java:5)
      f.a.m.e(Observable.java:4)
      f.a.a0.e.d.o$b.run(ObservableSubscribeOn.java:1)
      f.a.q$a.run(Scheduler.java:2)
      f.a.a0.g.l.run(ScheduledRunnable.java:2)
      f.a.a0.g.l.call(ScheduledRunnable.java:1)
      java.util.concurrent.FutureTask.run(FutureTask.java:266)
      java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
      java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
      java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
      java.lang.Thread.run(Thread.java:764)

(agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
(agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@39c6bfb
(agent) [bu0icef4v4g] Called javax.crypto.Cipher.createCipher(java.lang.String, java.security.Provider)
(agent) [bu0icef4v4g] Backtrace:
      javax.crypto.Cipher.createCipher(Native Method)
      javax.crypto.Cipher.getInstance(Cipher.java:414)
      com.ilulutv.fulao2.other.k.b.j(EncodeUtility.kt:3)
      com.ilulutv.fulao2.other.k.b.o(EncodeUtility.kt:6)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.i(Unknown Source:15)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.u(Unknown Source:15)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.q2(ContractManagementActivity.kt:13)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.t2(ContractManagementActivity.kt:4)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.o2(Unknown Source:0)
      com.ilulutv.fulao2.membership.contract.d.a(Unknown Source:2)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h$d$a.b(Unknown Source:18)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.c.a(Unknown Source:31)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.c.b(Unknown Source:21)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.h(Unknown Source:18)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.n(Unknown Source:35)
      com.ilulutv.fulao2.other.h.b.h.c(RetrofitConnectionHelper.kt:1)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h$a.e(Unknown Source:18)
      com.ilulutv.fulao2.other.h.b.h$a.d(RetrofitConnectionHelper.kt:1)
      f.a.a0.e.d.j$a.h(ObservableObserveOn.java:8)
      f.a.a0.e.d.j$a.run(ObservableObserveOn.java:3)
      f.a.w.b.b$b.run(HandlerScheduler.java:1)
      android.os.Handler.handleCallback(Handler.java:790)
      android.os.Handler.dispatchMessage(Handler.java:99)
      android.os.Looper.loop(Looper.java:164)
      android.app.ActivityThread.main(ActivityThread.java:6494)
      java.lang.reflect.Method.invoke(Native Method)
      com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
      com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)

(agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
(agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@aaa70ad
(agent) [bu0icef4v4g] Called javax.crypto.Cipher.createCipher(java.lang.String, java.security.Provider)
(agent) [bu0icef4v4g] Backtrace:
      javax.crypto.Cipher.createCipher(Native Method)
      javax.crypto.Cipher.getInstance(Cipher.java:414)
      com.ilulutv.fulao2.other.k.b.g(EncodeUtility.kt:1)
      com.ilulutv.fulao2.other.k.b.f(EncodeUtility.kt:2)
      com.AppGuard.andjni.JniLib.cL(Native Method)
      com.ilulutv.fulao2.other.h.b.a.a(Unknown Source:18)
      h.g0.g.g.j(RealInterceptorChain.java:9)
      h.g0.g.g.d(RealInterceptorChain.java:1)
      h.z.f(RealCall.java:13)
      h.z.c(RealCall.java:9)
      l.l.c(OkHttpCall.java:18)
      l.x.a.c.C(CallExecuteObservable.java:5)
      f.a.m.e(Observable.java:4)
      f.a.a0.e.d.o$b.run(ObservableSubscribeOn.java:1)
      f.a.q$a.run(Scheduler.java:2)
      f.a.a0.g.l.run(ScheduledRunnable.java:2)
      f.a.a0.g.l.call(ScheduledRunnable.java:1)
      java.util.concurrent.FutureTask.run(FutureTask.java:266)
      java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
      java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
      java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
      java.lang.Thread.run(Thread.java:764)

(agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
(agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@515c49f

直接定位到这个类com.ilulutv.fulao2.other.k.b.j
5、脱壳静态分析算法还原

直接用大佬的frida-dexdump注意：上面已经开了frida了直接用attach模式

基础中的基础，frida有两种模式：

attach模式，直接附加到已知已存在的进程：

frida -U com.example.android

spawn模式，找到指定包名的app并在启动前注入脚本进去，加“--no-pause”表示直接启动，不暂停在app启动时：

frida -U -f com.example.android --no-pause -l _agent.js

frida-dexdump -UF -d -F 直接attach前台进程 -d深度搜索

过程有点久

查看MainActivity在哪个dex中

adb shell dumpsys window |grep mCurrentFocus

grep -ril "com.ilulutv.fulao2.main.MainActivity"

用jadx打开测试是在02这个dex文件中

jadx-gui classes02.dex
新版的jadx可能打不开百度搜checksum jadx

定位到刚刚的类com.ilulutv.fulao2.other.k.b.j

大概就在这

算法还原直接问chatgpt !!!

自己改改补补差不多就ok了

加解密, 进程

fulao2定位加解密---违法应用分析

相关帖子

热门主题

港版 iPhone 16 的 AI 能力，如何回国内使

请教做 Unity 游戏的，你们的服务器端都用

cloudns 申请的域名突然不能 ping 通了

Hyper-V GPU 分区玩游戏，游戏内通过 Direc

机箱风扇最低负载有 12 分贝的哒哒响正常吗

美亚海淘打算直接邮寄国内注册时候地址写国

A 股有交易 API 吗

兄弟们人麻了，网站配置证书浏览器正常，但

女子与多人发生关系后勒索钱财

关于使用 AI 和本地大模型总结聊天记录的办

热门板块

公告

网站帮助 - Yoo趣儿

我们的愿景

在 Yoo趣儿投放广告

Yoo趣儿网站用户应遵守规则

fulao2定位加解密---违法应用分析

相关帖子

热门主题

港版 iPhone 16 的 AI 能力，如何回国内使

请教做 Unity 游戏的，你们的服务器端都用

cloudns 申请的域名突然不能 ping 通了

Hyper-V GPU 分区玩游戏，游戏内通过 Direc

机箱风扇最低负载有 12 分贝的哒哒响正常吗

美亚海淘打算直接邮寄国内注册时候地址写国

A 股有交易 API 吗

兄弟们人麻了，网站配置证书浏览器正常，但

女子与多人发生关系后勒索钱财

关于使用 AI 和本地大模型总结聊天记录的办

热门板块

公告

网站帮助 - Yoo趣儿

我们的愿景

在 Yoo趣儿 投放广告

Yoo趣儿网站用户应遵守规则

在 Yoo趣儿投放广告