Searching for vulnerabilities in UC Browser


Introduction

At the end of March we reported that we had found a hidden ability in UC Browser to download and run unverified code. Today we look in detail at how this download works and how an attacker can turn it to their own ends.

Some time ago UC Browser was advertised and distributed very aggressively: it was installed on users' devices by malware, it was spread from various sites disguised as video files (the user thought they were downloading, say, a porn video, but received an APK with this browser instead), it used scary banners telling users their browser was outdated, vulnerable, and so on. The official UC Browser group on VK has a thread where users can complain about unfair advertising, and it holds plenty of examples. In 2016 there was even a Russian-language video ad (yes, an ad for a browser that blocks ads).

At the time of writing, UC Browser has more than 500 million installs on Google Play. That is impressive: only Google Chrome has more. Among the reviews there are quite a few complaints about advertising and about redirects to other apps on Google Play. That was the reason for our research: we decided to find out whether UC Browser does anything bad. And it turned out that it does.

In the application code we found the ability to download and run executable code, which contradicts the rules for publishing applications on Google Play. Worse, UC Browser does this download insecurely, which can be abused to carry out a MitM attack. Let's see whether we can actually carry out such an attack.

Everything written below applies to the UC Browser version that was available on Google Play at the time of the study.

package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
APK file sha1: f5edb2243413c777172f6362876041eb0c3a928c

Attack vector

In the UC Browser manifest there is a service with the self-descriptive name com.uc.deployment.UpgradeDeployService.

    <service android:exported="false" android:name="com.uc.deployment.UpgradeDeployService" android:process=":deploy" />

When this service starts, the browser makes a POST request to puds.ucweb.com/upgrade/index.xhtml, which can be seen in traffic some time after launch. In response it can receive a command to download an update or a new module. During our analysis the server did not issue such commands, but we noticed that when we try to open a PDF in the browser, it makes a second request to the same address and then downloads a native library. To carry out the attack we decided to use exactly this UC Browser feature: the ability to open a PDF with a native library that is not shipped in the APK and is downloaded from the Internet on demand. It is worth noting that, in theory, UC Browser can be made to download something without any user interaction, if a properly formed response is supplied to the request it makes right after startup. But that would require studying the protocol in more detail, so we decided it would be easier to edit the intercepted response and replace the PDF library.

So, when the user wants to open a PDF directly in the browser, the following requests appear in traffic:

[screenshot: captured requests]

The first is a POST request to puds.ucweb.com/upgrade/index.xhtml, after which an archive containing a library for viewing PDF documents and office files is downloaded. It is reasonable to assume that the first request sends information about the system (at least the architecture, so that the right library can be served), and that in response the application receives information about the library to download: its address and perhaps something else. The problem is that this request is encrypted.

Request fragment:

[screenshot: request fragment]

Response fragment:

[screenshot: response fragment]

The library itself is packed into a ZIP archive and is not encrypted.

[screenshot: downloaded ZIP archive]

Looking for the traffic decryption code

Let's try to decrypt the server response. We look at the code of the class com.uc.deployment.UpgradeDeployService: from the onStartCommand method we get to com.uc.deployment.bx, and from there to com.uc.browser.core.dcfe:

    public final void e(l arg9) {
        int v4_5;
        String v3_1;
        byte[] v3;
        byte[] v1 = null;
        if(arg9 == null) {
            v3 = v1;
        }
        else {
            // debug logging of the upgrade parameters
            v3_1 = arg9.iGX.ipR;
            StringBuilder v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]product:");
            v4.append(arg9.iGX.ipR);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]version:");
            v4.append(arg9.iGX.iEn);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]upgrade_type:");
            v4.append(arg9.iGX.mMode);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]force_flag:");
            v4.append(arg9.iGX.iEo);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_mode:");
            v4.append(arg9.iGX.iDQ);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_type:");
            v4.append(arg9.iGX.iEr);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_state:");
            v4.append(arg9.iGX.iEp);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_file:");
            v4.append(arg9.iGX.iEq);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apk_md5:");
            v4.append(arg9.iGX.iEl);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_type:");
            v4.append(arg9.mDownloadType);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_group:");
            v4.append(arg9.mDownloadGroup);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_path:");
            v4.append(arg9.iGH);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_child_version:");
            v4.append(arg9.iGX.iEx);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_series:");
            v4.append(arg9.iGX.iEw);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_arch:");
            v4.append(arg9.iGX.iEt);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp3:");
            v4.append(arg9.iGX.iEv);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp:");
            v4.append(arg9.iGX.iEu);
            ArrayList v3_2 = arg9.iGX.iEz;
            if(v3_2 != null && v3_2.size() != 0) {
                Iterator v3_3 = v3_2.iterator();
                while(v3_3.hasNext()) {
                    Object v4_1 = v3_3.next();
                    StringBuilder v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_name:");
                    v5.append(((au)v4_1).getName());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_name:");
                    v5.append(((au)v4_1).aDA());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_code:");
                    v5.append(((au)v4_1).gBl);
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_req_type:");
                    v5.append(((au)v4_1).gBq);
                }
            }
            // build the request body: device and version information
            j v3_4 = new j();
            m.b(v3_4);
            h v4_2 = new h();
            m.b(v4_2);
            ay v5_1 = new ay();
            v3_4.hS("");
            v3_4.setImsi("");
            v3_4.hV("");
            v5_1.bPQ = v3_4;
            v5_1.bPP = v4_2;
            v5_1.yr(arg9.iGX.ipR);
            v5_1.gBF = arg9.iGX.mMode;
            v5_1.gBI = arg9.iGX.iEz;
            v3_2 = v5_1.gAr;
            c.aBh();
            v3_2.add(g.fs("os_ver", c.getRomInfo()));
            v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
            v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
            String v4_3 = com.uc.b.a.a.c.Pd();
            v3_2.add(g.fs("cpu_vfp", v4_3));
            v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
            v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
            v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
            v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
            v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
            v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
            v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
            v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
            v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
            v3_2.add(g.fs("child_ver", r.aVw()));
            v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));
            v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature()));
            v3_2.add(g.fs("upgrade_log", i.bjt()));
            v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
            v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
            v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
            v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
            v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
            v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
            boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
            v3_2.add(g.fs("neon", String.valueOf(v4_4)));
            v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
            v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
            v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
            c.aBh();
            v3_2.add(g.fs("rom_1", c.getRomInfo()));
            v4_5 = e.getScreenWidth();
            int v6 = e.getScreenHeight();
            StringBuilder v7 = new StringBuilder();
            v7.append(v4_5);
            v7.append("*");
            v7.append(v6);
            v3_2.add(g.fs("ss", v7.toString()));
            v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
            v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));
            Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
            while(v4_6.hasNext()) {
                Object v6_1 = v4_6.next();
                v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
            }
            v3 = v5_1.toByteArray();
        }
        if(v3 == null) {
            this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
            return;
        }
        // encryption mode: 0x1F or 0 (plaintext)
        v4_5 = this.iGY.iGw ? 0x1F : 0;
        if(v3 == null) {
        }
        else {
            v3 = g.i(v4_5, v3);   // encrypt the body
            if(v3 == null) {
            }
            else {
                // 16-byte header followed by the encrypted body
                v1 = new byte[v3.length + 16];
                byte[] v6_2 = new byte[16];
                Arrays.fill(v6_2, 0);
                v6_2[0] = 0x5F;
                v6_2[1] = 0;
                v6_2[2] = ((byte)v4_5);   // encryption mode
                v6_2[3] = -50;            // 0xCE
                System.arraycopy(v6_2, 0, v1, 0, 16);
                System.arraycopy(v3, 0, v1, 16, v3.length);
            }
        }
        if(v1 == null) {
            this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
            return;
        }
        if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
            this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
            return;
        }
        StringBuilder v0 = new StringBuilder("[");
        v0.append(arg9.iGX.ipR);
        v0.append("]url:");
        v0.append(this.iGY.mUpgradeUrl);
        com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
        v3_1 = this.iGY.mUpgradeUrl;
        com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
        v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
        n v3_5 = v0_2.uc(v3_1);
        m.b(v3_5, false);
        v3_5.setMethod("POST");
        v3_5.setBodyProvider(v1);
        v0_2.b(v3_5);
        this.iGY.iGI.a(arg9, "up_null", "yes", "success");
        this.iGY.iGI.b(arg9);
    }

Here we see a POST request being built. Note the creation of a 16-byte array and how it is filled: 0x5F, 0, 0x1F, -50 (= 0xCE). This matches what we saw in the captured request above. Note also that the body is encrypted by g.i() with the same mode value that is written to byte 2 of the header.

In the same class there is a nested class with another interesting method:

        public final void a(l arg10, byte[] arg11) {
            f v0 = this.iGQ;
            StringBuilder v1 = new StringBuilder("[");
            v1.append(arg10.iGX.ipR);
            v1.append("]:UpgradeSuccess");
            byte[] v1_1 = null;
            if(arg11 == null) {
            }
            else if(arg11.length < 16) {
            }
            else {
                // header check: byte 0 == 0x60 or byte 3 == 0xD0
                if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
                    goto label_57;
                }
                int v3 = 1;
                int v5 = arg11[1] == 1 ? 1 : 0;
                // byte 2 selects the decryption algorithm: 1, 11 or 0x1F
                if(arg11[2] != 1 && arg11[2] != 11) {
                    if(arg11[2] == 0x1F) {
                    }
                    else {
                        v3 = 0;
                    }
                }
                // payload = everything after the 16-byte header
                byte[] v7 = new byte[arg11.length - 16];
                System.arraycopy(arg11, 16, v7, 0, v7.length);
                if(v3 != 0) {
                    v7 = g.j(arg11[2], v7);
                }
                if(v7 == null) {
                    goto label_57;
                }
                if(v5 != 0) {
                    v1_1 = g.P(v7);
                    goto label_57;
                }
                v1_1 = v7;
            }
        label_57:
            if(v1_1 == null) {
                v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
                return;
            }
            q v11 = g.b(arg10, v1_1);
            if(v11 == null) {
                v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
                return;
            }
            if(v0.iGY.iGt) {
                v0.d(arg10);
            }
            if(v0.iGY.iGo != null) {
                v0.iGY.iGo.a(0, ((o)v11));
            }
            if(v0.iGY.iGs) {
                v0.iGY.a(((o)v11));
                v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
                v0.iGY.iGI.a(v11);
                return;
            }
            v0.iGY.iGI.a(v11, "up_silent", "no", "success");
        }
    }

The method takes a byte array as input and checks that the zeroth byte is 0x60 or the third byte is 0xD0, and that the second byte is 1, 11 or 0x1F. Look at the server response: the zeroth byte is 0x60, the second is 0x1F, the third is 0x60. Looks like what we need. Judging by the strings ("up_decrypt", for example), a method that decrypts the server response should be called here.

Let's move on to the method g.j. Note that its first parameter is the byte at offset 2 (0x1F in our case), and the second is the server response without the first 16 bytes.

    public static byte[] j(int arg1, byte[] arg2) {
        if(arg1 == 1) {
            arg2 = c.c(arg2, c.adu);
        }
        else if(arg1 == 11) {
            arg2 = m.aF(arg2);
        }
        else if(arg1 != 0x1F) {
        }
        else {
            arg2 = EncryptHelper.decrypt(arg2);
        }
        return arg2;
    }

Obviously a decryption algorithm is selected here, and the byte that equals 0x1F in our case denotes one of three possible options.

We continue analyzing the code. After a couple of jumps we find ourselves in a method with the self-descriptive name decryptBytesByKey.

Here two more bytes are split off from our response and a string is derived from them. Clearly this is how the key for decrypting the message is selected.

    private static byte[] decryptBytesByKey(byte[] bytes) {
        byte[] v0 = null;
        if(bytes != null) {
            try {
                if(bytes.length < EncryptHelper.PREFIX_BYTES_SIZE) {
                }
                else if(bytes.length == EncryptHelper.PREFIX_BYTES_SIZE) {
                    return v0;
                }
                else {
                    byte[] prefix = new byte[EncryptHelper.PREFIX_BYTES_SIZE];  // 2 bytes
                    System.arraycopy(bytes, 0, prefix, 0, prefix.length);
                    String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort()); // key selection
                    if(keyId == null) {
                        return v0;
                    }
                    else {
                        a v2 = EncryptHelper.ayL();
                        if(v2 == null) {
                            return v0;
                        }
                        else {
                            // everything after the 2-byte prefix is the ciphertext
                            byte[] encrypted = new byte[bytes.length - EncryptHelper.PREFIX_BYTES_SIZE];
                            System.arraycopy(bytes, EncryptHelper.PREFIX_BYTES_SIZE, encrypted, 0, encrypted.length);
                            return v2.l(keyId, encrypted);
                        }
                    }
                }
            }
            catch(SecException v7_1) {
                EncryptHelper.handleDecryptException(((Throwable)v7_1), v7_1.getErrorCode());
                return v0;
            }
            catch(Throwable v7) {
                EncryptHelper.handleDecryptException(v7, 2);
                return v0;
            }
        }
        return v0;
    }

Looking ahead, we note that at this point we have not obtained the key itself, only its "identifier". Getting the key turns out to be somewhat more complicated.

In the next method two more parameters are added to the existing ones, making four in total: the magic number 16, the key identifier, the encrypted data, and an unexplained string (empty in our case).

    public final byte[] l(String keyId, byte[] encrypted) throws SecException {
        return this.ayJ().staticBinarySafeDecryptNoB64(16, keyId, encrypted, "");
    }
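To make the framing concrete, here is an added example (not code from UC Browser or from the article) that reproduces in Python the header built in e(), the checks performed in a(), and the key-identifier split from decryptBytesByKey. The sample response bytes are constructed; the key-id lookup (c.ayR().d()) and the g.P() transform are not shown on the page, so the parser only reports the raw values it extracts.

```python
import struct

HEADER_LEN = 16
KEY_ID_PREFIX_LEN = 2          # EncryptHelper.PREFIX_BYTES_SIZE
REQ_MAGIC = (0x5F, 0xCE)       # bytes 0 and 3 written by e()
RESP_MAGIC = (0x60, 0xD0)      # bytes 0 and 3 accepted by a()
ALGO_NAMES = {                 # dispatch table of g.j(): byte 2 -> decryption routine
    1: "c.c(data, c.adu)",
    11: "m.aF(data)",
    0x1F: "EncryptHelper.decrypt(data)",
}


def build_request(mode, encrypted_body):
    """Frame a request body as e() does: 16-byte header, mode byte at offset 2."""
    header = bytearray(HEADER_LEN)
    header[0], header[1], header[2], header[3] = REQ_MAGIC[0], 0, mode, REQ_MAGIC[1]
    return bytes(header) + encrypted_body


def parse_response(blob):
    """Apply the checks of a(l, byte[]); return None wherever the client would log 'up_decrypt fail'."""
    if blob is None or len(blob) < HEADER_LEN:
        return None
    # Java: if (arg11[0] != 0x60 && arg11[3] != (byte) 0xD0) fail  -> either magic byte is enough
    if blob[0] != RESP_MAGIC[0] and blob[3] != RESP_MAGIC[1]:
        return None
    algo = blob[2]
    info = {
        "algo": algo,
        "decrypt_with": ALGO_NAMES.get(algo),   # None: payload is used as-is
        "post_process": blob[1] == 1,           # byte 1 == 1 -> g.P() is applied afterwards
    }
    payload = blob[HEADER_LEN:]
    if algo == 0x1F:
        # decryptBytesByKey: a big-endian short selects the key id, the rest is ciphertext
        if len(payload) <= KEY_ID_PREFIX_LEN:
            return None
        (info["key_id"],) = struct.unpack(">h", payload[:KEY_ID_PREFIX_LEN])
        info["ciphertext"] = payload[KEY_ID_PREFIX_LEN:]
    else:
        info["ciphertext"] = payload
    return info


# Constructed sample: the header bytes seen in the captured response (0x60, ?, 0x1F, 0x60),
# then a made-up key id 7 and four bytes of made-up ciphertext.
SAMPLE_RESPONSE = bytes([0x60, 0x00, 0x1F, 0x60]) + bytes(12) + b"\x00\x07" + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    print(build_request(0x1F, b"...").hex())
```

Feeding a real capture to parse_response() gives the algorithm byte and key id to look for in the next steps; a response whose header fails the check is exactly what the client silently discards with "up_decrypt fail".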

After a chain of transitions we reach the method staticBinarySafeDecryptNoB64 of the interface com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponent. There is no class in the main application code that implements this interface. Such a class does exist in the file lib/armeabi-v7a/libsgmain.so, which is actually not a .so but a .jar. The method we are interested in is implemented like this:

    package com.alibaba.wireless.security.a.i;
    // ...
    public class a implements IStaticDataEncryptComponent {
        private ISecurityGuardPlugin a;
        // ...
        private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
            return this.a.getRouter().doCommand(10601, new Object[]{Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt), keyId, encrypted, magicString});
        }
        // ...
        private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
            return this.a(2, magicInt, 0, keyId, encrypted, magicString);
        }
        // ...
        public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
            if(keyId != null && keyId.length() > 0 && magicInt >= 0 && magicInt < 19 && encrypted != null && encrypted.length > 0) {
                return this.b(magicInt, keyId, encrypted, magicString);
            }
            throw new SecException("", 301);
        }
        //...
    }

Here our parameter list is extended with two more integers: 2 and 0. By all appearances, 2 means decryption, as in the doFinal method of the system class javax.crypto.Cipher. All of this is passed to some Router together with the number 10601, which is evidently a command number.

After the next chain of transitions we find a class that implements the IRouterComponent interface and its doCommand method:

    package com.alibaba.wireless.security.mainplugin;
    import com.alibaba.wireless.security.framework.IRouterComponent;
    import com.taobao.wireless.security.adapter.JNICLibrary;
    public class a implements IRouterComponent {
        public a() {
            super();
        }
        public Object doCommand(int arg2, Object[] arg3) {
            return JNICLibrary.doCommandNative(arg2, arg3);
        }
    }

And also the class JNICLibrary, in which the native method doCommandNative is declared:

    package com.taobao.wireless.security.adapter;
    public class JNICLibrary {
        public static native Object doCommandNative(int arg0, Object[] arg1);
    }

So we need to find the doCommandNative method in the native code. And that is where the fun begins.

Machine code obfuscation

In the file libsgmain.so (which is really a .jar and in which we found the implementation of some encryption-related interfaces just above) there is a single native library: libsgmainso-6.4.36.so. We open it in IDA and get a pile of error dialogs. The problem is that the section header table is invalid. This is done deliberately to complicate analysis.

[screenshot: IDA error dialogs]

But the section table isn't needed: to load an ELF file correctly and analyze it, the program header table is enough. So we simply discard the section table by zeroing the corresponding fields of the ELF header.
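The same fix can be scripted. The following is an added example, not the article's tooling: it zeroes e_shoff, e_shentsize, e_shnum and e_shstrndx in a 32-bit little-endian ELF header (the armeabi-v7a case) and leaves the program headers untouched, so the loader and IDA still see everything they need. SAMPLE_ELF is a constructed header with a section table pointing past the end of the file, not libsgmainso-6.4.36.so.

```python
import struct

ELF32_EHDR = "<16sHHIIIIIHHHHHH"
EHDR_SIZE = struct.calcsize(ELF32_EHDR)   # 52 bytes
FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
          "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")


def read_ehdr(elf):
    """Parse the ELF32 header into a dict; refuse anything that is not ELFCLASS32 little-endian."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF (e.g. armeabi-v7a)")
    return dict(zip(FIELDS, struct.unpack_from(ELF32_EHDR, elf, 0)))


def section_table_is_bogus(elf):
    """True when the section header table lies outside the file, the symptom IDA complains about."""
    h = read_ehdr(elf)
    if h["e_shnum"] == 0:
        return False
    return h["e_shoff"] + h["e_shnum"] * h["e_shentsize"] > len(elf)


def strip_section_headers(elf):
    """Return a copy with the section-table fields zeroed; program headers and body are unchanged."""
    h = read_ehdr(elf)
    for name in ("e_shoff", "e_shentsize", "e_shnum", "e_shstrndx"):
        h[name] = 0
    return struct.pack(ELF32_EHDR, *(h[n] for n in FIELDS)) + elf[EHDR_SIZE:]


# Constructed ET_DYN/EM_ARM header: one program header right after the ELF header,
# section table claimed at 0xDEADBEEF with 0x7FFF entries, in an 84-byte file.
SAMPLE_ELF = struct.pack(
    ELF32_EHDR, b"\x7fELF\x01\x01\x01" + bytes(9), 3, 40, 1, 0x1000, 52,
    0xDEADBEEF, 0x5000200, 52, 32, 1, 40, 0x7FFF, 0x7FFE) + bytes(32)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                     # strip_elf.py in.so out.so
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(strip_section_headers(data))
    else:
        print("bogus before:", section_table_is_bogus(SAMPLE_ELF),
              "after:", section_table_is_bogus(strip_section_headers(SAMPLE_ELF)))
```

Run it on the library and open the output in IDA instead of the original; the dynamic loader never reads section headers either, so the stripped copy still works on a device if you need to instrument it.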

[screenshot: zeroed section header fields]

We open the file in IDA again.

There are two ways to tell the Java virtual machine where in a native library the implementation of a method declared as native in Java code lives. The first is to give it a name of the form Java_package_name_ClassName_MethodName.

The second is to register it when the library is loaded (in the JNI_OnLoad function) with a call to the RegisterNatives function.

In our case, if the first method were used, the name would have to be Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative.

There is no such function among the exports, which means we have to look for a RegisterNatives call. We go to the JNI_OnLoad function and see this picture:

[screenshot: JNI_OnLoad in IDA]

What is going on here? At first glance it is the usual function prologue and epilogue for the ARM architecture. The first instruction saves on the stack the contents of the registers the function will use (R0, R1 and R2 here) and the LR register, which holds the return address. The last instruction restores the saved registers, and the return address is popped straight into PC, which is how the function returns. But if you look closely, the penultimate instruction modifies the return address saved on the stack. Let's compute what it becomes after the code runs. The value 0xB130 is loaded into R1, 5 is subtracted from it, then it is moved to R0 and 0x10 is added. The result is 0xB13B. So IDA thinks the last instruction is an ordinary function return, when in fact it is a jump to the computed address 0xB13B.

It is worth recalling here that ARM processors have two modes and two instruction sets: ARM and Thumb. The least significant bit of a branch address tells the processor which instruction set is in use. So the address is really 0xB13A, and the set low bit indicates Thumb mode.

A similar "adapter" has been added at the beginning of every function in this library, along with junk code. We won't dwell on them further; just keep in mind that the real start of almost every function is a little further on.

Because the code does not jump to 0xB13A explicitly, IDA did not recognize the code at that address on its own. For the same reason it does not recognize most of the code in the library as code, which complicates analysis somewhat. We tell IDA that it is code, and this is what we get:

[screenshot: code at 0xB13A]

A table clearly begins at 0xB144. What is sub_494C?

[screenshot: sub_494C]

When this function is called, LR holds the address of the table mentioned above (0xB144), and R0 holds an index into that table. So a value is taken from the table, added to LR, and the result is the address to jump to. Let's try to compute it: 0xB144 + [0xB144 + 8 * 4] = 0xB144 + 0x120 = 0xB264. We go to that address, see a few instructions, and again a jump through 0xB140:

[screenshot: code at 0xB264]

This time the jump uses the table entry with index 0x20.

Judging by the size of the table, there are going to be a lot of such jumps in the code. The question is whether this can be handled more automatically, without computing addresses by hand. Scripting and the ability to patch code in IDA come to the rescue:

    def put_unconditional_branch(source, destination):
        # Thumb PC reads as source + 4; offsets are in halfwords
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            # 32-bit B.W encoding
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            # 16-bit B encoding
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503: #PUSH {R0,R1,LR}
        ea1 = ea + 2
        if get_wide_word(ea1) == 0xbf00: #NOP
            ea1 += 2
        if get_operand_type(ea1, 0) == 1 and get_operand_value(ea1, 0) == 0 and get_operand_type(ea1, 1) == 2:
            # MOVS R0, #index  (index loaded from memory)
            index = get_wide_dword(get_operand_value(ea1, 1))
            print "index =", hex(index)
            ea1 += 2
            if get_operand_type(ea1, 0) == 7:
                table = get_operand_value(ea1, 0) + 4
            elif get_operand_type(ea1, 1) == 2:
                table = get_operand_value(ea1, 1) + 4
            else:
                print "Wrong operand type on", hex(ea1), "-", get_operand_type(ea1, 0), get_operand_type(ea1, 1)
                table = None
            if table is None:
                print "Unable to find table"
            else:
                print "table =", hex(table)
                # target = table + table[index]; replace the whole construct with a direct branch
                offset = get_wide_dword(table + (index << 2))
                put_unconditional_branch(ea, table + offset)
        else:
            print "Unknown code", get_operand_type(ea1, 0), get_operand_value(ea1, 0), get_operand_type(ea1, 1) == 2
    else:
        print "Unable to detect first instruction"

We put the cursor on the line at 0xB26A, run the script, and see a jump to 0xB4B0:

[screenshot: patched branch to 0xB4B0]

Once again IDA did not recognize this location as code. We help it and find yet another construct there:

[screenshot: code at 0xB4B0]

The instructions after the BLX make little sense as instructions; this looks more like some kind of offset. Let's look at sub_4964:

[screenshot: sub_4964]

And indeed: a dword is read from the address held in LR, added to that address, then the value at the resulting address is read and pushed on the stack. In addition, 4 is added to LR so that the offset is skipped after returning from the function. Then the POP {R1} instruction takes the obtained value off the stack. If you look at what lies at address 0xB4BA + 0xEA = 0xB5A4, you see something resembling an address table:

[screenshot: address table at 0xB5A4]

To patch this construct you need to extract two things from the code: the offset and the number of the register that receives the result. For each possible register a replacement code snippet has to be prepared in advance.

    # replacement snippets per destination register: NOP; LDR Rn, =addr; LDR Rn, [Rn]; B +skip
    patches = {}
    patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
    patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
    patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
    patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
    patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
    patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
    patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
    patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
    patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
    patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

    ea = here()
    if (get_wide_word(ea) == 0xb082 #SUB SP, SP, #8
        and get_wide_word(ea + 2) == 0xb503): #PUSH {R0,R1,LR}
        if get_operand_type(ea + 4, 0) == 7:
            pop = get_bytes(ea + 12, 4, 0)
            if pop[1] == '\xbc':
                # 16-bit POP {Rn}: the register is the single set bit of the low byte
                register = -1
                r = get_wide_byte(ea + 12)
                for i in range(8):
                    if r == (1 << i):
                        register = i
                        break
                if register == -1:
                    print "Unable to detect register"
                else:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    if ea % 4 != 0:
                        ea += 2
                    patch_dword(ea, address)
            elif pop[:3] == '\x5d\xf8\x04':
                # 32-bit LDR.W Rn, [SP], #4: the register is in the high nibble of the last byte
                register = ord(pop[3]) >> 4
                if register in patches:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    patch_dword(ea, address)
            else:
                print "POP instruction not found"
        else:
            print "Wrong operand type on +4:", get_operand_type(ea + 4, 0)
    else:
        print "Unable to detect first instructions"

We put the cursor at the start of the construct we want to replace, 0xB4B2, and run the script:

[screenshot: patched code at 0xB4B2]

Besides the constructs already described, the code also contains ones like this:

[screenshot: BLX construct]

As in the previous case, an offset follows the BLX instruction:

[screenshot: offset after BLX]

The offset is read from the address in LR, added to LR, and the code jumps there: 0x72044 + 0xC = 0x72050. The script for this construct is quite simple:

    def put_unconditional_branch(source, destination):
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503: #PUSH {R0,R1,LR}
        ea1 = ea + 6   # skip PUSH and BLX to reach the offset dword
        if get_wide_word(ea + 2) == 0xbf00: #NOP
            ea1 += 2
        offset = get_wide_dword(ea1)
        put_unconditional_branch(ea, (ea1 + offset) & 0xffffffff)
    else:
        print "Unable to detect first instruction"

The result of running the script:

[screenshot: patched direct branch]

Once everything in a function has been patched, you can point IDA at its real start. It will stitch the function's code together from the pieces, and the function can then be decompiled with HexRays.
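All three IDA scripts above end up emitting the same two Thumb branch encodings through put_unconditional_branch. The following added example (not from the article) reimplements that encoder without IDA and adds the inverse, so the patch bytes can be checked offline: the 16-bit B form covers about plus or minus 2 KB, the 32-bit B.W form (with J1 = J2 = 1) covers the plus or minus 4 MB window the scripts allow. The addresses in the usage are the ones from the text; no IDA API is used.

```python
import struct

B16_RANGE = (-1024, 1023)            # halfword offsets encodable in 16-bit B
BW_RANGE = (-2097152, 2097151)       # halfword offsets the scripts accept for B.W


def branch_offset(source, destination):
    """Halfword offset relative to the Thumb PC, which reads as source + 4."""
    return (destination - source - 4) >> 1


def branch_fits(source, destination):
    off = branch_offset(source, destination)
    return BW_RANGE[0] <= off <= BW_RANGE[1]


def encode_thumb_branch(source, destination):
    """Instruction bytes (little-endian halfwords) for B/B.W at `source` jumping to `destination`."""
    offset = branch_offset(source, destination)
    if not branch_fits(source, destination):
        raise ValueError("offset out of range for the 22-bit B.W form")
    if offset > B16_RANGE[1] or offset < B16_RANGE[0]:
        hw1 = 0xF000 | ((offset >> 11) & 0x7FF)   # 11110 S imm10
        hw2 = 0xB800 | (offset & 0x7FF)          # 10 J1=1 1 J2=1 imm11
        return struct.pack("<HH", hw1, hw2)
    return struct.pack("<H", 0xE000 | (offset & 0x7FF))   # 11100 imm11


def decode_thumb_branch(source, code):
    """Recover the branch target from bytes produced by encode_thumb_branch (or the IDA scripts)."""
    (hw1,) = struct.unpack_from("<H", code, 0)
    if hw1 & 0xF800 == 0xE000:                          # 16-bit B
        imm11 = hw1 & 0x7FF
        offset = imm11 - 0x800 if imm11 & 0x400 else imm11
        return source + 4 + (offset << 1)
    if hw1 & 0xF800 == 0xF000:                          # 32-bit B.W
        (hw2,) = struct.unpack_from("<H", code, 2)
        if hw2 & 0xD000 != 0x9000:
            raise ValueError("second halfword is not a B.W encoding")
        s = (hw1 >> 10) & 1
        imm10 = hw1 & 0x3FF
        j1 = (hw2 >> 13) & 1
        j2 = (hw2 >> 11) & 1
        imm11 = hw2 & 0x7FF
        i1 = 1 - (j1 ^ s)                               # ARM ARM: I1 = NOT(J1 XOR S)
        i2 = 1 - (j2 ^ s)
        imm = (s << 23) | (i1 << 22) | (i2 << 21) | (imm10 << 11) | imm11   # halfword units
        offset = imm - (1 << 24) if s else imm
        return source + 4 + (offset << 1)
    raise ValueError("not an unconditional Thumb branch")


if __name__ == "__main__":
    # the jump the first script produced: 0xB26A -> 0xB4B0
    code = encode_thumb_branch(0xB26A, 0xB4B0)
    print(code.hex(), hex(decode_thumb_branch(0xB26A, code)))
```

If a patched site decodes to a different target than the table or offset arithmetic predicted, the source address passed to the script was wrong (usually off by the NOP the obfuscator inserts), which is the first thing to check before trusting the HexRays output.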

Decrypting strings

We have learned to deal with the machine code obfuscation in the libsgmainso-6.4.36.so library from UC Browser and obtained the code of the JNI_OnLoad function.

    int __fastcall real_JNI_OnLoad(JavaVM *vm)
    {
        int result; // r0
        jclass clazz; // r0 MAPDST
        int v4; // r0
        JNIEnv *env; // r4
        int v6; // [sp-40h] [bp-5Ch]
        int v7; // [sp+Ch] [bp-10h]

        v7 = *(_DWORD *)off_8AC00;
        if ( !vm )
            goto LABEL_39;
        sub_7C4F4();
        env = (JNIEnv *)sub_7C5B0(0);
        if ( !env )
            goto LABEL_39;
        v4 = sub_72CCC();
        sub_73634(v4);
        sub_73E24(&unk_83EA6, &v6, 49);   // decrypts the class name into v6
        clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
        if ( clazz
          && (sub_9EE4(),
              sub_71D68(env),
              sub_E7DC(env) >= 0
              && sub_69D68(env) >= 0
              && sub_197B4(env, clazz) >= 0
              && sub_E240(env, clazz) >= 0
              && sub_B8B0(env, clazz) >= 0
              && sub_5F0F4(env, clazz) >= 0
              && sub_70640(env, clazz) >= 0
              && sub_11F3C(env) >= 0
              && sub_21C3C(env, clazz) >= 0
              && sub_2148C(env, clazz) >= 0
              && sub_210E0(env, clazz) >= 0
              && sub_41B58(env, clazz) >= 0
              && sub_27920(env, clazz) >= 0
              && sub_293E8(env, clazz) >= 0
              && sub_208F4(env, clazz) >= 0) )
        {
            result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
        }
        else
        {
    LABEL_39:
            result = -1;
        }
        return result;
    }

Let's look closely at these lines:

        sub_73E24(&unk_83EA6, &v6, 49);
        clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);

The function sub_73E24 obviously decrypts the class name. Its parameters are a pointer to something that looks like encrypted data, a buffer, and a number. Clearly the decrypted string ends up in the buffer after the call, since the buffer is passed to FindClass, which takes the class name as its second argument. So the number is the buffer size or the string length. Let's try to decrypt the class name; it should tell us whether we are on the right track. Let's take a closer look at what happens inside sub_73E24.

    int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
    {
        int v4; // r6
        int v7; // r11
        int v8; // r9
        int v9; // r4
        size_t v10; // r5
        int v11; // r0
        struc_1 v13; // [sp+0h] [bp-30h]
        int v14; // [sp+1Ch] [bp-14h]
        int v15; // [sp+20h] [bp-10h]

        v4 = 0;
        v15 = *(_DWORD *)off_8AC00;
        v14 = 0;
        v7 = sub_7AF78(17);      // container for the key
        v8 = sub_7AF78(size);    // container for the encrypted data
        if ( !v7 )
        {
            v9 = 0;
            goto LABEL_12;
        }
        (*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
        if ( !v8 )
        {
    LABEL_9:
            v4 = 0;
            goto LABEL_10;
        }
        v4 = 0;
        if ( !in )
        {
    LABEL_10:
            v9 = 0;
            goto LABEL_11;
        }
        v9 = 0;
        if ( out )
        {
            memset(out, 0, size);
            v10 = size - 1;      // size - 1 bytes are decrypted; the last byte stays 0 as terminator
            (*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
            memset(&v13, 0, 0x14u);
            v13.field_4 = 3;     // algorithm selector, see sub_611B4 below
            v13.field_10 = v7;
            v13.field_14 = v8;
            v11 = sub_6115C(&v13, &v14);
            v9 = v11;
            if ( v11 )
            {
                if ( *(_DWORD *)(v11 + 4) == v10 )
                {
                    qmemcpy(out, *(const void **)v11, v10);
                    v4 = *(_DWORD *)(v9 + 4);
                }
                else
                {
                    v4 = 0;
                }
                goto LABEL_11;
            }
            goto LABEL_9;
        }
    LABEL_11:
        sub_7B148(v7);
    LABEL_12:
        if ( v8 )
            sub_7B148(v8);
        if ( v9 )
            sub_7B148(v9);
        return v4;
    }

The function sub_7AF78 creates an instance of a container for byte arrays of the given size (we won't go into these containers in detail). Two such containers are created here: one holds the string "DcO/lcK+h?m3c*q@" (easy to guess that this is the key), the other holds the encrypted data. Both objects are then placed in a structure that is passed to the function sub_6115C. Note also the field of this structure that is set to 3.

    int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
    {
        int v3; // lr
        unsigned int v4; // r1
        int v5; // r0
        int v6; // r1
        int result; // r0
        int v8; // r0

        *a2 = 820000;
        if ( a1 )
        {
            v3 = a1->field_14;
            if ( v3 )
            {
                v4 = a1->field_4;   // the selector set to 3 by the caller
                if ( v4 < 0x19 )
                {
                    switch ( v4 )
                    {
                        case 0u:
                            v8 = sub_6419C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 3u:
                            v8 = sub_6364C(a1->field_0, a1->field_10, v3);   // key, data
                            goto LABEL_17;
                        case 0x10u:
                        case 0x11u:
                        case 0x12u:
                            v8 = sub_612F4(
                                   a1->field_0,
                                   v4,
                                   *(_QWORD *)&a1->field_8,
                                   *(_QWORD *)&a1->field_8 >> 32,
                                   a1->field_10,
                                   v3,
                                   a2);
                            goto LABEL_17;
                        case 0x14u:
                            v8 = sub_63A28(a1->field_0, v3);
                            goto LABEL_17;
                        case 0x15u:
                            sub_61A60(a1->field_0, v3, a2);
                            return result;
                        case 0x16u:
                            v8 = sub_62440(a1->field_14);
                            goto LABEL_17;
                        case 0x17u:
                            v8 = sub_6226C(a1->field_10, v3);
                            goto LABEL_17;
                        case 0x18u:
                            v8 = sub_63530(a1->field_14);
    LABEL_17:
                            v6 = 0;
                            if ( v8 )
                            {
                                *a2 = 0;
                                v6 = v8;
                            }
                            return v6;
                        default:
                            LOWORD(v5) = 28032;
                            goto LABEL_5;
                    }
                }
            }
        }
        LOWORD(v5) = -27504;
    LABEL_5:
        HIWORD(v5) = 13;
        v6 = 0;
        *a2 = v5;
        return v6;
    }

The switch operates on the structure field that was set to 3 earlier. Look at case 3: the function sub_6364C receives the parameters that were placed in the structure by the previous function, i.e. the key and the encrypted data. If you look closely at sub_6364C, you can recognize the RC4 algorithm in it.

We have an algorithm and a key. Let's try to decrypt the class name. Here is what came out: com/taobao/wireless/security/adapter/JNICLibrary. Excellent! We are on the right track.
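As an added example (not code from the article or from the UC Browser library), here is a plain-C RC4 that shows the step just performed: the obfuscated class name is RC4-decrypted with the key found in the container. The article does not print the raw encrypted bytes, so the example constructs its ciphertext by encrypting the known plaintext with the same key (RC4 is symmetric) and then recovers it the way the native code would; the function names and the known-answer check are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Key string held in the first container passed to sub_6115C (from the article). */
static const char RC4_KEY[] = "DcO/lcK+h?m3c*q@";

/* Plaintext the article reports after decryption; used only to build sample data. */
static const char CLASS_NAME[] = "com/taobao/wireless/security/adapter/JNICLibrary";

/* Key-scheduling algorithm: permute S under the key. */
static void rc4_ksa(uint8_t S[256], const uint8_t *key, size_t keylen)
{
    for (int i = 0; i < 256; i++)
        S[i] = (uint8_t)i;
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + S[i] + key[i % keylen]);
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
}

/* XOR the RC4 keystream over buf in place; encrypting and decrypting are the same operation. */
void rc4_crypt(const uint8_t *key, size_t keylen, uint8_t *buf, size_t len)
{
    uint8_t S[256];
    rc4_ksa(S, key, keylen);
    uint8_t i = 0, j = 0;
    for (size_t n = 0; n < len; n++) {
        i = (uint8_t)(i + 1);
        j = (uint8_t)(j + S[i]);
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        buf[n] ^= S[(uint8_t)(S[i] + S[j])];
    }
}

/* Known-answer check from the RC4 literature: key "Key", plaintext "Plaintext"
 * encrypts to BB F3 16 E8 D9 40 AF 0A D3. Returns 1 if this implementation agrees. */
int rc4_known_vector_ok(void)
{
    static const uint8_t expected[9] = {0xBB, 0xF3, 0x16, 0xE8, 0xD9, 0x40, 0xAF, 0x0A, 0xD3};
    uint8_t buf[9];
    memcpy(buf, "Plaintext", 9);
    rc4_crypt((const uint8_t *)"Key", 3, buf, 9);
    return memcmp(buf, expected, 9) == 0;
}

/* Round trip with the article's key: obfuscate the class name (constructed
 * ciphertext, not bytes from the real library), then recover it as the
 * native code does. Returns 1 if the original string comes back. */
int rc4_roundtrip_ok(void)
{
    size_t len = sizeof CLASS_NAME - 1;
    uint8_t buf[sizeof CLASS_NAME];
    memcpy(buf, CLASS_NAME, len);
    rc4_crypt((const uint8_t *)RC4_KEY, sizeof RC4_KEY - 1, buf, len);
    if (memcmp(buf, CLASS_NAME, len) == 0)  /* the obfuscated form must differ */
        return 0;
    rc4_crypt((const uint8_t *)RC4_KEY, sizeof RC4_KEY - 1, buf, len);
    return memcmp(buf, CLASS_NAME, len) == 0;
}
```

Because RC4 is a pure keystream XOR, the same call does both directions, which is exactly why a static key embedded in the library gives no confidentiality once the key material is read out of the binary.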

Command tree

Now we need to find the call to RegisterNatives, which will point us to the doCommandNative function. Let's look at the functions called from JNI_OnLoad, and we find it in sub_B7B0:

int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
{
  char signature[41]; // [sp+7h] [bp-55h]
  char name[16]; // [sp+30h] [bp-2Ch]
  JNINativeMethod method; // [sp+40h] [bp-1Ch]
  int v8; // [sp+4Ch] [bp-10h]

  v8 = *(_DWORD *)off_8AC00;
  decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);// doCommandNative
  decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u);// (I[Ljava/lang/Object;)Ljava/lang/Object;
  method.name = name;
  method.signature = signature;
  method.fnPtr = sub_B69C;
  return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
}

And indeed, a native method named doCommandNative is registered here. Now we know its signature. Let's see what it does.

int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
{
  int v5; // r5
  struc_2 *a5; // r6
  int v9; // r1
  int v11; // [sp+Ch] [bp-14h]
  int v12; // [sp+10h] [bp-10h]

  v5 = 0;
  v12 = *(_DWORD *)off_8AC00;
  v11 = 0;
  a5 = (struc_2 *)malloc(0x14u);
  if ( a5 )
  {
    a5->field_0 = 0;
    a5->field_4 = 0;
    a5->field_8 = 0;
    a5->field_C = 0;
    v9 = command % 10000 / 100;
    a5->field_0 = command / 10000;
    a5->field_4 = v9;
    a5->field_8 = command % 100;
    a5->field_C = env;
    a5->field_10 = args;
    v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);
  }
  free(a5);
  if ( !v5 && v11 )
    sub_7CF34(env, v11, &byte_83ED7);
  return v5;
}

From the name you can guess that this is the entry point for all the functions the developers decided to move into the native library. We are interested in the function with number 10601.

You can see from the code that the command number is split into three numbers: command/10000, command % 10000 / 100 and command % 100, i.e. in our case 1, 6 and 1. These three numbers, together with a pointer to JNIEnv and the arguments passed to the function, are put into a structure and passed on. Using the three numbers obtained (let's call them N1, N2 and N3), a command tree is built.

Something like this:

[screenshot]

The tree is populated in JNI_OnLoad.
The three numbers encode the path through the tree. Each leaf of the tree contains the XORed address of the corresponding function; the key is in the parent node. Finding the place in the code where the function we need is added to the tree is not hard once you understand all the structures involved (we won't describe them so as not to bloat an already large article).

More obfuscation

We got the address of the function that decrypts traffic: 0x5F1AC. But it is too early to rejoice: the developers of UC Browser have prepared another surprise for us.

After obtaining the parameters from the array built in the Java code, we end up in the function at address 0x4D070. And here another kind of code obfuscation awaits us.

Two indices are loaded into R7 and R4:

[screenshot]

The first index is shifted into R11:

[screenshot]

To get an address from the table, an offset is used:

[screenshot]

After jumping to the first address, the second index, held in R4, is used. There are 230 elements in the table.

What to do about it? You can tell IDA that this is a switch: Edit -> Other -> Specify switch idiom.

[screenshot]

The resulting code is horrible. But wandering through its jungle, you can notice a call to a function already familiar to us, sub_6115C:

[screenshot]

That was the switch in which case 3 did decryption with the RC4 algorithm. In this case, though, the structure passed to the function is filled from the parameters passed to doCommandNative. Recall what we had there: magicInt with the value 16. We look at the corresponding case, and after a few jumps we find code from which the algorithm can be identified.

[screenshot]

It's AES!

There is the algorithm; all that remains is to obtain its parameters: the mode, the key and, possibly, the initialization vector (whether there is one depends on the AES mode of operation). The structure holding them must be built somewhere before the call to sub_6115C, but this part of the code is obfuscated especially heavily, so the idea came up to patch the code so that all the parameters of the decryption function are dumped to a file.

Patch

To avoid writing all the patch code by hand in assembly, you can launch Android Studio, write a function there that takes the same input parameters as our decryption function and writes them to a file, and then copy and paste the code the compiler generates.

Our friends from the UC Browser team also took care of making it convenient to add code. Recall that at the beginning of each function there is junk code that can easily be replaced with something else. Very convenient :) However, at the start of the target function there isn't enough room for the code that saves all the parameters to a file. It had to be split into parts, using the junk blocks of neighboring functions. Four parts in total.

First part:

[screenshot]

In the ARM architecture, the first four function arguments are passed in registers R0-R3; the rest, if any, go on the stack. The LR register holds the return address. All of this has to be saved so that the function can still work after its parameters are dumped. We also need to save every register we use along the way, so we do PUSH.W {R0-R10,LR}. In R7 we obtain the address of the list of parameters passed to the function via the stack.

Using the fopen function we open the file /data/local/tmp/aes in "ab" mode, i.e. for appending. In R0 we load the address of the file name, in R1 the address of the string with the mode. And here the junk code ends, so we move on to the next function. To keep the function working, at its very beginning we put a jump to the function's real code, bypassing the junk, and in place of the junk we add the continuation of the patch.

[screenshot]

Calling fopen.

The first three parameters of the aes function are of type int. Since we saved the registers on the stack at the very beginning, we can simply pass their addresses on the stack to fwrite.

[screenshot]

Next come three structures containing the data size and a pointer to the data for the key, the initialization vector and the encrypted data.

[screenshot]

At the end we close the file, restore the registers and hand control over to the real aes function.
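Here is what the helper described across the last few steps looks like in plain C, as an added example rather than the article's actual patch. It takes the same kind of arguments as the native decryption routine (three ints followed by three size-plus-pointer structures for key, IV and ciphertext), opens the dump in "ab" mode and appends the values with fwrite. The record layout, the names dump_args and read_first_key_len and the sample values are this example's own choices, and the path is a parameter rather than /data/local/tmp/aes so that it runs off-device.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Size + pointer pair, matching the shape of the structures the patch dumps. */
typedef struct {
    uint32_t len;
    const uint8_t *data;
} blob_t;

/* Append one record: the 3 ints, then each blob as a 4-byte length followed
 * by its bytes. Returns the number of bytes appended, or -1 on error. */
long dump_args(const char *path, int a, int b, int c,
               const blob_t *key, const blob_t *iv, const blob_t *in)
{
    FILE *f = fopen(path, "ab");          /* "ab": append, as in the patch */
    if (!f)
        return -1;
    long written = 0;
    int ints[3] = { a, b, c };
    written += (long)fwrite(ints, 1, sizeof ints, f);
    const blob_t *blobs[3] = { key, iv, in };
    for (int i = 0; i < 3; i++) {
        written += (long)fwrite(&blobs[i]->len, 1, 4, f);
        written += (long)fwrite(blobs[i]->data, 1, blobs[i]->len, f);
    }
    fclose(f);
    return written;
}

/* Read the first record header back and return the key length it recorded
 * (or -1), so the dump format can be checked on a desktop before deploying. */
long read_first_key_len(const char *path, int *a_out)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    int ints[3];
    uint32_t klen;
    long rc = -1;
    if (fread(ints, 1, sizeof ints, f) == sizeof ints && fread(&klen, 1, 4, f) == 4) {
        if (a_out)
            *a_out = ints[0];
        rc = (long)klen;
    }
    fclose(f);
    return rc;
}

/* Self-check with constructed values (not real key material from the browser).
 * Returns 1 when the record size and the read-back header are as expected. */
int dump_selfcheck(const char *path)
{
    remove(path);                         /* start from an empty dump */
    static const uint8_t k[] = "0123456789abcdef";   /* constructed 16-byte key */
    static const uint8_t v[] = "fedcba9876543210";   /* constructed 16-byte IV */
    static const uint8_t ct[32] = {0};                /* constructed ciphertext */
    blob_t key = { 16, k }, iv = { 16, v }, in = { 32, ct };
    long n = dump_args(path, 1, 6, 1, &key, &iv, &in);
    int a = 0;
    /* 12 bytes of ints + (4+16) + (4+16) + (4+32) = 88 */
    return n == 88 && read_first_key_len(path, &a) == 16 && a == 1;
}
```

The compiled body of dump_args is the part one would then transplant into the junk-code slots as the article describes; read_first_key_len exists only so the record format can be verified before touching the device.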

We assemble an APK with the patched library, sign it, upload it to the device/emulator, and launch it. We see that our dump is being created and that a lot of data is written to it. The browser uses encryption not only for traffic, and all of its encryption goes through the function in question. But for some reason the data we need isn't there, and the request we need isn't visible in the traffic either. Rather than wait for UC Browser to deign to make the needed request, let's take the encrypted server response obtained earlier and patch the application again: add the decryption to the onCreate of the main activity.

const/16 v1, 0x62
new-array v1, v1, [B
fill-array-data v1, :encrypted_data
const/16 v0, 0x1f
invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B
move-result-object v1
array-length v2, v1
invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
move-result-object v2
const-string v0, "ololo"
invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

We assemble, sign, install, launch. We get a NullPointerException because the method returned null.

While examining the code further, a function was found that decrypts some interesting strings: "META-INF/" and ".RSA". It seems the application verifies its own certificate. Or even derives keys from it. I didn't much want to dig into what is done with the certificate, so we'll simply slip it the correct one. Patch the encrypted string so that instead of "META-INF/" we get "BLABLINF/", create a folder with that name in the APK and add the squirrel's certificate there.

We assemble, sign, install, launch. Bingo! We have the key!

MitM

We have a key and an initialization vector identical to the key. Let's try to decrypt the server response in CBC mode.

[screenshot]

We see the archive URL, something like an MD5, "extract_unzipsize" and a number. We check: the MD5 of the archive matches, the size of the unpacked library matches. We try to patch this library and feed it to the browser. To show that our patched library has loaded, we'll fire an Intent to create an SMS with the text "PWNED!". We'll substitute two responses from the server: puds.ucweb.com/upgrade/index.xhtml and the archive download. In the first we replace the MD5 (the size doesn't change after unpacking); in the second we serve the archive with the patched library.

The browser tries to download the archive several times and then reports an error. Apparently something doesn't suit it. After examining this murky format, it turned out that the server also sends the archive size:

[screenshot]

It is encoded in LEB128. After patching, the size of the archive with the library changed slightly, so the browser decided the archive had been downloaded incompletely and, after several attempts, raised an error.
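To make the size field concrete, here is an added example (not from the article) of unsigned LEB128 encoding and decoding in C, together with the check a client performs when comparing the declared archive size against the bytes it actually received, which is the comparison that made the browser reject the modified archive. The function names and the sample values are the example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* Encode value into out (at most 10 bytes for 64-bit). Returns bytes written. */
size_t uleb128_encode(uint64_t value, uint8_t *out)
{
    size_t n = 0;
    do {
        uint8_t byte = value & 0x7f;
        value >>= 7;
        if (value != 0)
            byte |= 0x80;           /* continuation bit: more bytes follow */
        out[n++] = byte;
    } while (value != 0);
    return n;
}

/* Decode from in (len bytes). Returns bytes consumed, or 0 if the input is
 * truncated (continuation bit still set on the last byte) or too long. */
size_t uleb128_decode(const uint8_t *in, size_t len, uint64_t *value)
{
    uint64_t result = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < len && shift < 64; i++) {
        result |= (uint64_t)(in[i] & 0x7f) << shift;
        if ((in[i] & 0x80) == 0) {
            *value = result;
            return i + 1;
        }
        shift += 7;
    }
    return 0;
}

/* Does the received body length match the LEB128 size field? Returns 1/0. */
int size_field_matches(const uint8_t *field, size_t field_len, size_t body_len)
{
    uint64_t declared;
    if (uleb128_decode(field, field_len, &declared) == 0)
        return 0;
    return declared == body_len;
}

/* Self-check using the classic 624485 -> E5 8E 26 vector and a constructed
 * size field. Returns 1 when every step agrees. */
int leb128_selfcheck(void)
{
    uint8_t buf[10];
    uint64_t v = 0;
    size_t n = uleb128_encode(624485, buf);
    if (n != 3 || buf[0] != 0xE5 || buf[1] != 0x8E || buf[2] != 0x26)
        return 0;
    if (uleb128_decode(buf, n, &v) != 3 || v != 624485)
        return 0;
    /* a truncated field (continuation bit set, nothing after) must be rejected */
    if (uleb128_decode(buf, 2, &v) != 0)
        return 0;
    /* size field for a 1,000,000-byte archive vs. a body one byte shorter */
    n = uleb128_encode(1000000, buf);
    return size_field_matches(buf, n, 1000000) && !size_field_matches(buf, n, 999999);
}
```

A length check like this only detects truncation or accidental corruption; as the article's own experiment shows, once the field is re-encoded to match, it says nothing about who produced the archive.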

We fix the archive size... And victory! :) The result is in the video.

https://www.youtube.com/watch?v=Nfns7uH03J8

Conclusions and the developers' reaction

In the same way, attackers could use UC Browser's insecure feature to distribute and run malicious libraries. These libraries would run in the context of the browser, so they would get all of its system permissions. As a result: phishing windows can be displayed, and the working files of the Chinese orange squirrel accessed, including the logins, passwords and cookies stored in its database.

We contacted the UC Browser developers and informed them about the problem we had found, trying to point out the vulnerability and its danger, but they did not discuss anything with us. Meanwhile the browser kept flaunting its dangerous feature in plain sight. But once we disclosed the details of the vulnerability, it was no longer possible to ignore it as before. On March 27
a new version of UC Browser, 12.10.9.1193, was released, which contacts the server over HTTPS: puds.ucweb.com/upgrade/index.xhtml.

In addition, after the "fix" and up to the time of writing this article, trying to open a PDF in the browser produced an error message with the text "Oops, something went wrong!". No request to the server was made when trying to open the PDF, but one was made when the browser started, which hints at a continued ability to download executable code in violation of the Google Play rules.

Source: www.habr.com
