fulao2定位加解密---违法应用分析

查看 131|回复 6
作者:胡凯莉   
fulao2定位加解密反调试
  • 这块暂时不太熟悉 ,用大佬的脚本过了
  • 据说检测点是 maps、status
  • 通过hook libc.so的open函数 将参数进行替换
  • 替换后 检测内存中的maps和status变成检测sdcard中的maps和status
  • 把正常的maps和正常的status重定向到sdcard中
  • 打开app
  • 查看包名
  • adb shell dumpsys window |grep mCurrentFocus

  • 进入adb shell 查看进程
  • ps -e |grep com.X2uXsmr2f.k1MULKVZd

  • 看这个下面的守护进程4746
  • 将这个maps、status重定向到sd卡中 并给运行权限
  • bullhead:/ # cat /proc/4746/maps > /sdcard/maps               
    bullhead:/ # cat /proc/4746/status  > /sdcard/status            
    bullhead:/ # chmod 777 /sdcard/maps                              
    bullhead:/ # chmod 777 /sdcard/status
  • 再次运行
  • 正常运行  这样就过掉了检测


    Objection与frida同时注入这里要注意 因为frida已经注入了一个进程  在同时开启objection的时候要直接用 -g指定应用的pid
  • objection -g 6452 explore

  • Objection 定位加解密代码
  • 加解密的代码定位思路:
  • 1、先在内存中搜索安卓开发中加解密常用的类
  • 2、hook所有疑似加密的类
  • 3、手机触发加解密函数 查看调用频率 确定疑似的类
  • 4、将疑似的类的方法进行hook 打调用栈
  • 5、脱壳 静态分析 算法还原
  • 具体如下:
    1 先在内存中搜索安卓开发中加解密常用的类
  • cipher是安卓开发加解密常用的
  • android hooking search classes cipher

  • 2 、hook这些疑似的类
  • 保存到cipher.txt--->加上android hooking watch class
  • nano cipher.txt
  • sed -i -e 's/^/android hooking watch class /' cipher.txt
  • 注意class后面的一个空格

  • 启动objection 若是崩了先把这个类单独拿出来最后测试
  • objection -g 6452 explore -c cipher.txt


  • 3、触发加解密 查看疑似的类
  • 点我的即可触发
  • 可以发现以这个类为主的加解密javax.crypto.Cipher
    4、将疑似的类的方法进行hook 打调用栈
  • 随便找个方法进行hookjavax.crypto.Cipher.createCipher
  • objection -g 6452 explore
  • `android hooking watch class_method javax.crypto.Cipher.createCipher --dump-args --dump-backtrace --dump-return  

  • 再次点击触发
  • javax.crypto.Cipher.createCipher(Native Method)roid    Commands specific to Android                    
            javax.crypto.Cipher.getInstance(Cipher.java:414)       Change the current working directory                                                         
            com.ilulutv.fulao2.other.k.b.j(EncodeUtility.kt:3)
            com.ilulutv.fulao2.other.k.b.o(EncodeUtility.kt:6)
            com.AppGuard.andjni.JniLib.cV(Native Method)
            com.ilulutv.fulao2.other.h.b.h.i(Unknown Source:15)
            com.AppGuard.andjni.JniLib.cV(Native Method)
            com.ilulutv.fulao2.other.h.b.h.u(Unknown Source:15)
            com.ilulutv.fulao2.membership.contract.ContractManagementActivity.s2(ContractManagementActivity.kt:14)
            com.ilulutv.fulao2.membership.contract.ContractManagementActivity.u2(ContractManagementActivity.kt:2)
            com.AppGuard.andjni.JniLib.cV(Native Method)
            com.ilulutv.fulao2.membership.contract.ContractManagementActivity.onCreate(Unknown Source:18)
            android.app.Activity.performCreate(Activity.java:6999)
            android.app.Activity.performCreate(Activity.java:6990)
            android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1214)
            android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2731)
            android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2856)
            android.app.ActivityThread.-wrap11(Unknown Source:0)
            android.app.ActivityThread$H.handleMessage(ActivityThread.java:1589)
            android.os.Handler.dispatchMessage(Handler.java:106)
            android.os.Looper.loop(Looper.java:164)
            android.app.ActivityThread.main(ActivityThread.java:6494)
            java.lang.reflect.Method.invoke(Native Method)
            com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
            com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)
    ​
    (agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
    (agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@d41049c
    (agent) [bu0icef4v4g] Called javax.crypto.Cipher.createCipher(java.lang.String, java.security.Provider)
    (agent) [bu0icef4v4g] Backtrace:
            javax.crypto.Cipher.createCipher(Native Method)
            javax.crypto.Cipher.getInstance(Cipher.java:414)
            com.ilulutv.fulao2.other.k.b.g(EncodeUtility.kt:1)
            com.ilulutv.fulao2.other.k.b.f(EncodeUtility.kt:2)
            com.AppGuard.andjni.JniLib.cL(Native Method)
            com.ilulutv.fulao2.other.h.b.a.a(Unknown Source:18)
            h.g0.g.g.j(RealInterceptorChain.java:9)
            h.g0.g.g.d(RealInterceptorChain.java:1)
            h.z.f(RealCall.java:13)
            h.z.c(RealCall.java:9)
            l.l.c(OkHttpCall.java:18)
            l.x.a.c.C(CallExecuteObservable.java:5)
            f.a.m.e(Observable.java:4)
            f.a.a0.e.d.o$b.run(ObservableSubscribeOn.java:1)
            f.a.q$a.run(Scheduler.java:2)
            f.a.a0.g.l.run(ScheduledRunnable.java:2)
            f.a.a0.g.l.call(ScheduledRunnable.java:1)
            java.util.concurrent.FutureTask.run(FutureTask.java:266)
            java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
            java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
            java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
            java.lang.Thread.run(Thread.java:764)
    ​
    (agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
    (agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@39c6bfb
    (agent) [bu0icef4v4g] Called javax.crypto.Cipher.createCipher(java.lang.String, java.security.Provider)
    (agent) [bu0icef4v4g] Backtrace:
            javax.crypto.Cipher.createCipher(Native Method)
            javax.crypto.Cipher.getInstance(Cipher.java:414)
            com.ilulutv.fulao2.other.k.b.j(EncodeUtility.kt:3)
            com.ilulutv.fulao2.other.k.b.o(EncodeUtility.kt:6)
            com.AppGuard.andjni.JniLib.cV(Native Method)
            com.ilulutv.fulao2.other.h.b.h.i(Unknown Source:15)
            com.AppGuard.andjni.JniLib.cV(Native Method)
            com.ilulutv.fulao2.other.h.b.h.u(Unknown Source:15)
            com.ilulutv.fulao2.membership.contract.ContractManagementActivity.q2(ContractManagementActivity.kt:13)
            com.ilulutv.fulao2.membership.contract.ContractManagementActivity.t2(ContractManagementActivity.kt:4)
            com.ilulutv.fulao2.membership.contract.ContractManagementActivity.o2(Unknown Source:0)
            com.ilulutv.fulao2.membership.contract.d.a(Unknown Source:2)
            com.AppGuard.andjni.JniLib.cV(Native Method)
            com.ilulutv.fulao2.other.h.b.h$d$a.b(Unknown Source:18)
            com.AppGuard.andjni.JniLib.cV(Native Method)
            com.ilulutv.fulao2.other.h.b.c.a(Unknown Source:31)
            com.AppGuard.andjni.JniLib.cV(Native Method)
            com.ilulutv.fulao2.other.h.b.c.b(Unknown Source:21)
            com.AppGuard.andjni.JniLib.cV(Native Method)
            com.ilulutv.fulao2.other.h.b.h.h(Unknown Source:18)
            com.AppGuard.andjni.JniLib.cV(Native Method)
            com.ilulutv.fulao2.other.h.b.h.n(Unknown Source:35)
            com.ilulutv.fulao2.other.h.b.h.c(RetrofitConnectionHelper.kt:1)
            com.AppGuard.andjni.JniLib.cV(Native Method)
            com.ilulutv.fulao2.other.h.b.h$a.e(Unknown Source:18)
            com.ilulutv.fulao2.other.h.b.h$a.d(RetrofitConnectionHelper.kt:1)
            f.a.a0.e.d.j$a.h(ObservableObserveOn.java:8)
            f.a.a0.e.d.j$a.run(ObservableObserveOn.java:3)
            f.a.w.b.b$b.run(HandlerScheduler.java:1)
            android.os.Handler.handleCallback(Handler.java:790)
            android.os.Handler.dispatchMessage(Handler.java:99)
            android.os.Looper.loop(Looper.java:164)
            android.app.ActivityThread.main(ActivityThread.java:6494)
            java.lang.reflect.Method.invoke(Native Method)
            com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
            com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)
    ​
    (agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
    (agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@aaa70ad
    (agent) [bu0icef4v4g] Called javax.crypto.Cipher.createCipher(java.lang.String, java.security.Provider)
    (agent) [bu0icef4v4g] Backtrace:
            javax.crypto.Cipher.createCipher(Native Method)
            javax.crypto.Cipher.getInstance(Cipher.java:414)
            com.ilulutv.fulao2.other.k.b.g(EncodeUtility.kt:1)
            com.ilulutv.fulao2.other.k.b.f(EncodeUtility.kt:2)
            com.AppGuard.andjni.JniLib.cL(Native Method)
            com.ilulutv.fulao2.other.h.b.a.a(Unknown Source:18)
            h.g0.g.g.j(RealInterceptorChain.java:9)
            h.g0.g.g.d(RealInterceptorChain.java:1)
            h.z.f(RealCall.java:13)
            h.z.c(RealCall.java:9)
            l.l.c(OkHttpCall.java:18)
            l.x.a.c.C(CallExecuteObservable.java:5)
            f.a.m.e(Observable.java:4)
            f.a.a0.e.d.o$b.run(ObservableSubscribeOn.java:1)
            f.a.q$a.run(Scheduler.java:2)
            f.a.a0.g.l.run(ScheduledRunnable.java:2)
            f.a.a0.g.l.call(ScheduledRunnable.java:1)
            java.util.concurrent.FutureTask.run(FutureTask.java:266)
            java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
            java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
            java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
            java.lang.Thread.run(Thread.java:764)
    ​
    (agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
    (agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@515c49f
  • 直接定位到这个类com.ilulutv.fulao2.other.k.b.j
    5、脱壳 静态分析 算法还原
  • 直接用大佬的frida-dexdump注意:上面已经开了frida了  直接用attach模式
  • 基础中的基础,frida有两种模式:
  • attach模式,直接附加到已知已存在的进程:
  • frida -U  com.example.android
  • spawn模式,找到指定包名的app并在启动前注入脚本进去,加“--no-pause”表示直接启动,不暂停在app启动时:
  • frida -U -f com.example.android --no-pause -l _agent.js
  • frida-dexdump -UF -d  -F 直接attach前台进程  -d深度搜索
  • 过程有点久
  • 查看MainActivity在哪个dex中
  • adb shell dumpsys window |grep mCurrentFocus
  • grep -ril "com.ilulutv.fulao2.main.MainActivity"
  • 用jadx打开 测试是在02这个dex文件中
  • jadx-gui classes02.dex     
    新版的jadx可能打不开 百度搜checksum jadx

  • 定位到刚刚的类com.ilulutv.fulao2.other.k.b.j
  • 大概就在这
  • 算法还原直接问chatgpt !!!
  • 自己改改补补差不多就ok了

  • 加解密, 进程

  • 我为52pojie狂   

    这是取精软件,营养不够的尽量少看。一旦开车,刹车就会失灵。
    laustar   

            谢谢@Thanks!
    sdieedu   

    干啥呢?不知道啥APP?虽然很牛
    deffedyy   

    注意节制!!!
    感受老司机的爱   

    成功了嘛?成功了的话,发给我帮你测试一下,我最近想学习软件测试。
    adjclubyb   

    fulao2。。。我还以为是什么新的逆向工具,原来是扶弟弟,笑死
    您需要登录后才可以回帖 登录 | 立即注册