Looking for vulnerabilities in UC Browser

Introduction

At the end of March we reported that we had found a hidden capability in UC Browser to download and run unverified code. Today we will look in detail at how this download happens and how attackers could use it for their own purposes.

Some time ago UC Browser was advertised and distributed very aggressively: it was installed on users' devices by malware, it was spread from various sites under the guise of video files (that is, users thought they were downloading, say, a porn video, but instead got an APK with this browser), it used scary banners claiming that the browser was out of date, vulnerable, and so on. In the official UC Browser group on VK there is a thread where users can complain about unfair advertising, and there are plenty of examples. In 2016 there was even a video ad in Russian (yes, advertising for an ad-blocking browser).

At the time of writing, UC Browser has more than 500 million installs in Google Play. This is impressive: only Google Chrome has more. Among the reviews you can see many complaints about advertising and redirects to some applications in Google Play. This was the reason for our research: we decided to check whether UC Browser does anything bad. And it turned out that it does!

In the application code, the capability to download and run executable code was found, which contradicts the rules for publishing applications in Google Play. Besides downloading executable code, UC Browser does it insecurely, which can be used to mount a MitM attack. Let's see whether we can carry out such an attack.

Everything written below applies to the version of UC Browser that was available in Google Play at the time of the study:

package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
sha1 of the APK file: f5edb2243413c777172f6362876041eb0c3a928c

Attack vector

In the UC Browser manifest you can find a service with the self-explanatory name com.uc.deployment.UpgradeDeployService.

```xml
<service android:exported="false" android:name="com.uc.deployment.UpgradeDeployService" android:process=":deploy" />
```

When this service starts, the browser makes a POST request to puds.ucweb.com/upgrade/index.xhtml, which can be seen in traffic some time after startup. In response it may receive a command to download some update or a new module. During the analysis the server did not issue such commands, but we noticed that when we try to open a PDF in the browser, it makes a second request to the address given above, after which it downloads a native library. To carry out the attack, we decided to use this feature of UC Browser: the ability to open PDFs with a native library that is not in the APK and is downloaded from the Internet when needed. It is worth noting that, in theory, UC Browser can be forced to download something without any user interaction, if you give a suitable response to the request that is made after the browser starts. But for that we would have to study the protocol of interaction with the server in detail, so we decided that it would be easier to modify the intercepted response and replace the library for working with PDF.

So, when a user wants to open a PDF directly in the browser, the following requests can be seen in traffic:


First there is a POST request to puds.ucweb.com/upgrade/index.xhtml, then an archive with a library for viewing PDF and office formats is downloaded. It is logical to assume that the first request sends information about the system (at least the architecture, so that the right library can be served), and in response the browser receives some information about the library to download: its address and possibly something else. The problem is that this request is encrypted.

Request fragment

Response fragment

The library itself is packed in a ZIP and is not encrypted.

Searching for the traffic decryption code

Let's try to decrypt the server response. Let's look at the code of the class com.uc.deployment.UpgradeDeployService: from the onStartCommand method we go to com.uc.deployment.bx, and from there to com.uc.browser.core.dcfe:

```java
public final void e(l arg9) {
    int v4_5;
    String v3_1;
    byte[] v3;
    byte[] v1 = null;
    if(arg9 == null) {
        v3 = v1;
    }
    else {
        v3_1 = arg9.iGX.ipR;
        StringBuilder v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]product:");
        v4.append(arg9.iGX.ipR);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]version:");
        v4.append(arg9.iGX.iEn);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]upgrade_type:");
        v4.append(arg9.iGX.mMode);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]force_flag:");
        v4.append(arg9.iGX.iEo);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]silent_mode:");
        v4.append(arg9.iGX.iDQ);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]silent_type:");
        v4.append(arg9.iGX.iEr);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]silent_state:");
        v4.append(arg9.iGX.iEp);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]silent_file:");
        v4.append(arg9.iGX.iEq);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apk_md5:");
        v4.append(arg9.iGX.iEl);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]download_type:");
        v4.append(arg9.mDownloadType);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]download_group:");
        v4.append(arg9.mDownloadGroup);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]download_path:");
        v4.append(arg9.iGH);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apollo_child_version:");
        v4.append(arg9.iGX.iEx);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apollo_series:");
        v4.append(arg9.iGX.iEw);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apollo_cpu_arch:");
        v4.append(arg9.iGX.iEt);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apollo_cpu_vfp3:");
        v4.append(arg9.iGX.iEv);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apollo_cpu_vfp:");
        v4.append(arg9.iGX.iEu);
        ArrayList v3_2 = arg9.iGX.iEz;
        if(v3_2 != null && v3_2.size() != 0) {
            Iterator v3_3 = v3_2.iterator();
            while(v3_3.hasNext()) {
                Object v4_1 = v3_3.next();
                StringBuilder v5 = new StringBuilder("[");
                v5.append(((au)v4_1).getName());
                v5.append("]component_name:");
                v5.append(((au)v4_1).getName());
                v5 = new StringBuilder("[");
                v5.append(((au)v4_1).getName());
                v5.append("]component_ver_name:");
                v5.append(((au)v4_1).aDA());
                v5 = new StringBuilder("[");
                v5.append(((au)v4_1).getName());
                v5.append("]component_ver_code:");
                v5.append(((au)v4_1).gBl);
                v5 = new StringBuilder("[");
                v5.append(((au)v4_1).getName());
                v5.append("]component_req_type:");
                v5.append(((au)v4_1).gBq);
            }
        }
        j v3_4 = new j();
        m.b(v3_4);
        h v4_2 = new h();
        m.b(v4_2);
        ay v5_1 = new ay();
        v3_4.hS("");
        v3_4.setImsi("");
        v3_4.hV("");
        v5_1.bPQ = v3_4;
        v5_1.bPP = v4_2;
        v5_1.yr(arg9.iGX.ipR);
        v5_1.gBF = arg9.iGX.mMode;
        v5_1.gBI = arg9.iGX.iEz;
        v3_2 = v5_1.gAr;
        c.aBh();
        // Device description sent to the server as key/value pairs
        v3_2.add(g.fs("os_ver", c.getRomInfo()));
        v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
        v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
        String v4_3 = com.uc.b.a.a.c.Pd();
        v3_2.add(g.fs("cpu_vfp", v4_3));
        v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
        v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
        v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
        v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
        v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
        v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
        v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
        v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
        v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
        v3_2.add(g.fs("child_ver", r.aVw()));
        v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));
        v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature()));
        v3_2.add(g.fs("upgrade_log", i.bjt()));
        v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
        v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
        v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
        v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
        v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
        v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
        boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
        v3_2.add(g.fs("neon", String.valueOf(v4_4)));
        v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
        v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
        v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
        c.aBh();
        v3_2.add(g.fs("rom_1", c.getRomInfo()));
        v4_5 = e.getScreenWidth();
        int v6 = e.getScreenHeight();
        StringBuilder v7 = new StringBuilder();
        v7.append(v4_5);
        v7.append("*");
        v7.append(v6);
        v3_2.add(g.fs("ss", v7.toString()));
        v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
        v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));
        Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
        while(v4_6.hasNext()) {
            Object v6_1 = v4_6.next();
            v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
        }
        v3 = v5_1.toByteArray();
    }
    if(v3 == null) {
        this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
        return;
    }
    v4_5 = this.iGY.iGw ? 0x1F : 0;
    if(v3 == null) {
    }
    else {
        // Serialized body is encrypted with the mode chosen above
        v3 = g.i(v4_5, v3);
        if(v3 == null) {
        }
        else {
            // 16-byte header: 0x5F, 0x00, mode, 0xCE followed by zeros, then the encrypted body
            v1 = new byte[v3.length + 16];
            byte[] v6_2 = new byte[16];
            Arrays.fill(v6_2, 0);
            v6_2[0] = 0x5F;
            v6_2[1] = 0;
            v6_2[2] = ((byte)v4_5);
            v6_2[3] = -50;
            System.arraycopy(v6_2, 0, v1, 0, 16);
            System.arraycopy(v3, 0, v1, 16, v3.length);
        }
    }
    if(v1 == null) {
        this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
        return;
    }
    if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
        this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
        return;
    }
    StringBuilder v0 = new StringBuilder("[");
    v0.append(arg9.iGX.ipR);
    v0.append("]url:");
    v0.append(this.iGY.mUpgradeUrl);
    com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
    v3_1 = this.iGY.mUpgradeUrl;
    com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
    v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
    n v3_5 = v0_2.uc(v3_1);
    m.b(v3_5, false);
    v3_5.setMethod("POST");
    v3_5.setBodyProvider(v1);
    v0_2.b(v3_5);
    this.iGY.iGI.a(arg9, "up_null", "yes", "success");
    this.iGY.iGI.b(arg9);
}
```

Here we see how the POST request is formed. Pay attention to the creation of a 16-byte array and how it is filled: 0x5F, 0, 0x1F, -50 (= 0xCE). This matches what we saw in the request above.

In the same class you can see a nested class containing another interesting method:

```java
public final void a(l arg10, byte[] arg11) {
    f v0 = this.iGQ;
    StringBuilder v1 = new StringBuilder("[");
    v1.append(arg10.iGX.ipR);
    v1.append("]:UpgradeSuccess");
    byte[] v1_1 = null;
    if(arg11 == null) {
    }
    else if(arg11.length < 16) {
    }
    else {
        // Header check: byte 0 must be 0x60 or byte 3 must be 0xD0
        if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
            goto label_57;
        }
        int v3 = 1;
        int v5 = arg11[1] == 1 ? 1 : 0;
        // Byte 2 selects the decryption mode: 1, 11 or 0x1F
        if(arg11[2] != 1 && arg11[2] != 11) {
            if(arg11[2] == 0x1F) {
            }
            else {
                v3 = 0;
            }
        }
        byte[] v7 = new byte[arg11.length - 16];
        System.arraycopy(arg11, 16, v7, 0, v7.length);
        if(v3 != 0) {
            v7 = g.j(arg11[2], v7);
        }
        if(v7 == null) {
            goto label_57;
        }
        if(v5 != 0) {
            v1_1 = g.P(v7);
            goto label_57;
        }
        v1_1 = v7;
    }
label_57:
    if(v1_1 == null) {
        v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
        return;
    }
    q v11 = g.b(arg10, v1_1);
    if(v11 == null) {
        v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
        return;
    }
    if(v0.iGY.iGt) {
        v0.d(arg10);
    }
    if(v0.iGY.iGo != null) {
        v0.iGY.iGo.a(0, ((o)v11));
    }
    if(v0.iGY.iGs) {
        v0.iGY.a(((o)v11));
        v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
        v0.iGY.iGI.a(v11);
        return;
    }
    v0.iGY.iGI.a(v11, "up_silent", "no", "success");
}
```

The method takes a byte array as input and checks that the zeroth byte is 0x60 or the third byte is 0xD0, and that the second byte is 1, 11 or 0x1F. We look at the server response: the zeroth byte is 0x60, the second is 0x1F, the third is 0x60. Looks like what we need. Judging by the strings ("up_decrypt", for example), a method that decrypts the server response should be called here. Let's go to the method g.j. Note that the first argument is the byte at offset 2 (i.e. 0x1F in our case), and the second is the server response without the first 16 bytes.

```java
public static byte[] j(int arg1, byte[] arg2) {
    if(arg1 == 1) {
        arg2 = c.c(arg2, c.adu);
    }
    else if(arg1 == 11) {
        arg2 = m.aF(arg2);
    }
    else if(arg1 != 0x1F) {
    }
    else {
        arg2 = EncryptHelper.decrypt(arg2);
    }
    return arg2;
}
```

Obviously, a decryption algorithm is chosen here, and the byte which in our case equals 0x1F indicates one of three possible options.

We continue analyzing the code. After a couple of jumps we find ourselves in a method with the self-explanatory name decryptBytesByKey.

Here two more bytes are split off from our response, and a string is obtained from them. It is clear that this method selects the key for decrypting the message.

```java
private static byte[] decryptBytesByKey(byte[] bytes) {
    byte[] v0 = null;
    if(bytes != null) {
        try {
            if(bytes.length < EncryptHelper.PREFIX_BYTES_SIZE) {
            }
            else if(bytes.length == EncryptHelper.PREFIX_BYTES_SIZE) {
                return v0;
            }
            else {
                byte[] prefix = new byte[EncryptHelper.PREFIX_BYTES_SIZE];  // 2 bytes
                System.arraycopy(bytes, 0, prefix, 0, prefix.length);
                String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort()); // key selection
                if(keyId == null) {
                    return v0;
                }
                else {
                    a v2 = EncryptHelper.ayL();
                    if(v2 == null) {
                        return v0;
                    }
                    else {
                        byte[] enrypted = new byte[bytes.length - EncryptHelper.PREFIX_BYTES_SIZE];
                        System.arraycopy(bytes, EncryptHelper.PREFIX_BYTES_SIZE, enrypted, 0, enrypted.length);
                        return v2.l(keyId, enrypted);
                    }
                }
            }
        }
        catch(SecException v7_1) {
            EncryptHelper.handleDecryptException(((Throwable)v7_1), v7_1.getErrorCode());
            return v0;
        }
        catch(Throwable v7) {
            EncryptHelper.handleDecryptException(v7, 2);
            return v0;
        }
    }
    return v0;
}
```

Looking ahead, note that at this stage we still do not have the key itself, only its "identifier". Obtaining the key is a little more involved.

In the next method two more parameters are added to the existing ones, making four in total: the magic number 16, the key identifier, the encrypted data, and an unexplained string (empty in our case).

```java
public final byte[] l(String keyId, byte[] encrypted) throws SecException {
    return this.ayJ().staticBinarySafeDecryptNoB64(16, keyId, encrypted, "");
}
```
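The framing recovered so far (the 16-byte request header built in e(), the header checks in the nested method a(l, byte[]), the mode dispatch in g.j and the two-byte key identifier split off in decryptBytesByKey) is enough to write a small dissector. The following Python is an added example, not code from the article or from UC Browser; the sample response bytes are constructed, and the key identifier is read big-endian because that is ByteBuffer's default byte order for getShort():

```python
import struct

# Constants recovered from the decompiled code on the page.
REQUEST_MAGIC = (0x5F, 0x00, 0xCE)   # bytes 0, 1 and 3 of the 16-byte request header built in e()
RESPONSE_MODES = {1: "c.c", 11: "m.aF", 0x1F: "EncryptHelper.decrypt"}   # dispatch in g.j
KEY_ID_PREFIX_SIZE = 2               # EncryptHelper.PREFIX_BYTES_SIZE in decryptBytesByKey


def build_request_header(mode):
    """Build the 16-byte header that e() prepends to the serialized request:
    0x5F, 0x00, <mode>, 0xCE (-50 as a signed byte) followed by zeros."""
    hdr = bytearray(16)
    hdr[0], hdr[1], hdr[2], hdr[3] = REQUEST_MAGIC[0], REQUEST_MAGIC[1], mode & 0xFF, REQUEST_MAGIC[2]
    return bytes(hdr)


def parse_response(buf):
    """Dissect a server response the way the nested method a(l, byte[]) does.

    Returns None where the original bails out to label_57 with a null result,
    otherwise a dict with the decryption mode (byte 2), the byte-1 flag that
    routes the plaintext through g.P, the key identifier (mode 0x1F only) and
    the remaining payload bytes.
    """
    if buf is None or len(buf) < 16:
        return None
    b0, b1, mode, b3 = buf[0], buf[1], buf[2], buf[3]
    # Original: if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) goto label_57
    if b0 != 0x60 and b3 != 0xD0:
        return None
    body = buf[16:]                      # System.arraycopy(arg11, 16, v7, 0, ...)
    info = {
        "mode": mode,
        "decrypt": mode in RESPONSE_MODES,   # v3 stays 1 only for 1, 11 and 0x1F
        "post_process": b1 == 1,             # v5: result additionally goes through g.P
        "key_id": None,
        "payload": body,
    }
    if mode == 0x1F:
        # decryptBytesByKey: input no longer than the prefix yields null; otherwise
        # the first two bytes are read as a big-endian short (ByteBuffer default).
        if len(body) <= KEY_ID_PREFIX_SIZE:
            return None
        info["key_id"] = struct.unpack(">h", body[:KEY_ID_PREFIX_SIZE])[0]
        info["payload"] = body[KEY_ID_PREFIX_SIZE:]
    return info


# Constructed sample (not captured traffic): valid header, mode 0x1F, key id 7, 4 payload bytes.
SAMPLE_RESPONSE = bytes([0x60, 0x00, 0x1F, 0xD0]) + bytes(12) + b"\x00\x07" + b"\xde\xad\xbe\xef"


if __name__ == "__main__":
    print(build_request_header(0x1F).hex())
    print(parse_response(SAMPLE_RESPONSE))
```

Note what the dissector makes visible: the header carries no signature or MAC, so any response whose byte 0 or byte 3 matches is handed straight to the decryption path, and the integrity of the update instructions rests entirely on the transport, which, as the article shows, is exactly what a MitM position controls.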

After a series of transitions we arrive at the method staticBinarySafeDecryptNoB64 of the interface com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponent. There are no classes in the main application code that implement this interface. Such a class exists in the file lib/armeabi-v7a/libsgmain.so, which is actually not a .so but a .jar. The method we need is implemented as follows:

```java
package com.alibaba.wireless.security.a.i;
// ...
public class a implements IStaticDataEncryptComponent {
    private ISecurityGuardPlugin a;
    // ...
    private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
        return this.a.getRouter().doCommand(10601, new Object[]{Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt), keyId, encrypted, magicString});
    }
    // ...
    private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
        return this.a(2, magicInt, 0, keyId, encrypted, magicString);
    }
    // ...
    public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
        if(keyId != null && keyId.length() > 0 && magicInt >= 0 && magicInt < 19 && encrypted != null && encrypted.length > 0) {
            return this.b(magicInt, keyId, encrypted, magicString);
        }
        throw new SecException("", 301);
    }
    //...
}
```

Here our parameter list is supplemented with two more numbers: 2 and 0. By all appearances, 2 means decryption, as in the doFinal method of the system class javax.crypto.Cipher. And all of this is passed to some Router with the number 10601, which is obviously the command number.

After the next chain of transitions we find a class that implements the IRouterComponent interface and the doCommand method:

```java
package com.alibaba.wireless.security.mainplugin;
import com.alibaba.wireless.security.framework.IRouterComponent;
import com.taobao.wireless.security.adapter.JNICLibrary;
public class a implements IRouterComponent {
    public a() {
        super();
    }
    public Object doCommand(int arg2, Object[] arg3) {
        return JNICLibrary.doCommandNative(arg2, arg3);
    }
}
```

And also the class JNICLibrary, in which the native method doCommandNative is declared:

```java
package com.taobao.wireless.security.adapter;
public class JNICLibrary {
    public static native Object doCommandNative(int arg0, Object[] arg1);
}
```

This means that we need to find the doCommandNative method in native code. And this is where the fun begins.

Machine code obfuscation

The file libsgmain.so (which is actually a .jar, and in which we found the implementation of some encryption-related interfaces above) contains one native library: libsgmainso-6.4.36.so. We open it in IDA and get a pile of error dialogs. The problem is that the section header table is invalid. This is done deliberately to complicate analysis.


But it is not needed: to load an ELF file correctly and analyze it, the program header table is enough. So we simply remove the section table by zeroing out the corresponding fields in the header.


Open the file in IDA again.

There are two ways to tell the Java virtual machine where exactly in a native library the implementation of a method declared as native in Java code is located. The first is to give it a name of the form Java_package_name_ClassName_MethodName.

The second is to register it when the library is loaded (in the JNI_OnLoad function) with a call to the RegisterNatives function.

In our case, if the first way were used, the name would have to look like this: Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative.

There is no such function among the exported functions, which means we have to find a call to RegisterNatives. Let's go to the JNI_OnLoad function, and we see this picture:


What is going on here? At first glance, the beginning and end of the function are typical for the ARM architecture. The first instruction saves on the stack the contents of the registers that the function will use in its work (here R0, R1 and R2), together with the contents of the LR register, which holds the return address of the function. The last instruction restores the saved registers, and the return address goes straight into the PC register, which returns from the function. But if you look closely, you notice that the preceding instructions change the return address saved on the stack. Let's calculate what it will be after the code executes. The address 0xB130 is loaded into R1, 5 is subtracted from it, then it is moved to R0 and 0x10 is added to it. The result is 0xB13B. So IDA thinks that the last instruction is an ordinary return from the function, but in reality control goes to the computed address 0xB13B.

It is worth recalling here that ARM processors have two modes and two instruction sets: ARM and Thumb. The least significant bit of the address tells the processor which instruction set is in use. That is, the address is actually 0xB13A, and the set least significant bit indicates Thumb mode.

A similar "adapter" has been added to the beginning of every function in this library, along with junk code. We will not dwell on them in detail; we just remember that the real start of almost every function is a little further on.

Since the code does not jump to 0xB13A explicitly, IDA itself did not recognize that there is code at this location. For the same reason it did not recognize most of the code in the library as code, which complicates analysis somewhat. We tell IDA that this is code, and here is what happens:


A table clearly starts at 0xB144. What is sub_494C?


When this function is called, the LR register holds the address of the table mentioned above (0xB144), and R0 holds an index into this table. That is, a value is taken from the table, added to LR, and the result is the address to jump to. Let's try to calculate it: 0xB144 + [0xB144 + 8 * 4] = 0xB144 + 0x120 = 0xB264. We go to the resulting address and see a few useful instructions and a return to 0xB140:

Now there will be a jump by the offset with index 0x20 from the table.

Judging by the size of the table, there will be many such jumps in the code. The question arises whether this can be handled in a more automated way, without calculating addresses by hand. Scripting and the ability to patch code in IDA come to our aid:

```python
# IDAPython script (IDA 7 idc API). Run with the cursor on the PUSH {R0,R1,LR}
# that starts the table-jump construct: it resolves the jump target from the
# table and replaces the construct with a direct unconditional branch.
from idc import *


def put_unconditional_branch(source, destination):
    # Thumb branch offset is counted in halfwords relative to PC (source + 4)
    offset = (destination - source - 4) >> 1
    if offset > 2097151 or offset < -2097152:
        raise RuntimeError("Invalid offset")
    if offset > 1023 or offset < -1024:
        # 32-bit B.W (encoding T4)
        instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
        instruction2 = 0xb800 | (offset & 0x7ff)
        patch_word(source, instruction1)
        patch_word(source + 2, instruction2)
    else:
        # 16-bit B (encoding T2)
        instruction = 0xe000 | (offset & 0x7ff)
        patch_word(source, instruction)


ea = here()
if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
    ea1 = ea + 2
    if get_wide_word(ea1) == 0xbf00:  # NOP
        ea1 += 2
    # Expect MOV/LDR R0, <immediate or memory operand> holding the table index
    if get_operand_type(ea1, 0) == 1 and get_operand_value(ea1, 0) == 0 and get_operand_type(ea1, 1) == 2:
        index = get_wide_dword(get_operand_value(ea1, 1))
        print("index =", hex(index))
        ea1 += 2
        # The BL to sub_494C: the table starts 4 bytes after the call (the LR value)
        if get_operand_type(ea1, 0) == 7:
            table = get_operand_value(ea1, 0) + 4
        elif get_operand_type(ea1, 1) == 2:
            table = get_operand_value(ea1, 1) + 4
        else:
            print("Wrong operand type on", hex(ea1), "-", get_operand_type(ea1, 0), get_operand_type(ea1, 1))
            table = None
        if table is None:
            print("Unable to find table")
        else:
            print("table =", hex(table))
            offset = get_wide_dword(table + (index << 2))
            put_unconditional_branch(ea, table + offset)
    else:
        print("Unknown code", get_operand_type(ea1, 0), get_operand_value(ea1, 0), get_operand_type(ea1, 1) == 2)
else:
    print("Unable to detect first instruction")
```
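The script above only runs inside IDA. The following standalone Python is an added example (not the article's script) that models the same two address computations outside IDA, the table-relative jump of sub_494C and the LR-relative load of sub_4964 discussed further below, and that encodes and decodes the Thumb branches the script emits, so the encoding rule can be checked against the ARM definition of B and B.W. The image bytes and table contents are constructed, laid out so that the article's own numbers (0xB144 + 0x120 = 0xB264 and 0xB4BA + 0xEA = 0xB5A4) come out:

```python
import struct


def encode_thumb_branch(source, destination):
    """Encode an unconditional Thumb branch from `source` to `destination` with the
    same rule as the article's put_unconditional_branch: a 16-bit B (encoding T2)
    when the halfword offset fits in 11 bits, otherwise a 32-bit B.W (encoding T4).
    Returns the instruction bytes instead of patching the IDA database."""
    offset = (destination - source - 4) >> 1          # PC reads as source + 4 in Thumb
    if offset > 2097151 or offset < -2097152:
        raise ValueError("offset out of range for B.W")
    if offset > 1023 or offset < -1024:
        hw1 = 0xF000 | ((offset >> 11) & 0x7FF)       # S bit + imm10
        hw2 = 0xB800 | (offset & 0x7FF)               # J1 = J2 = 1, imm11
        return struct.pack("<HH", hw1, hw2)
    return struct.pack("<H", 0xE000 | (offset & 0x7FF))


def decode_thumb_branch(source, code):
    """Inverse of encode_thumb_branch: recover the target from the encoded bytes."""
    hw1 = struct.unpack_from("<H", code, 0)[0]
    if hw1 & 0xF800 == 0xE000:                        # 16-bit B, sign-extended imm11
        imm = hw1 & 0x7FF
        if imm & 0x400:
            imm -= 0x800
        return source + 4 + (imm << 1)
    hw2 = struct.unpack_from("<H", code, 2)[0]        # 32-bit B.W (T4): S:I1:I2:imm10:imm11:0
    s = (hw1 >> 10) & 1
    j1 = (hw2 >> 13) & 1
    j2 = (hw2 >> 11) & 1
    i1 = 1 - (j1 ^ s)
    i2 = 1 - (j2 ^ s)
    imm = (s << 24) | (i1 << 23) | (i2 << 22) | ((hw1 & 0x3FF) << 12) | ((hw2 & 0x7FF) << 1)
    if s:
        imm -= 1 << 25
    return source + 4 + imm


def resolve_table_jump(image, base, table_addr, index):
    """Model of sub_494C: LR holds the table address, R0 the index; the dword at
    table_addr + index * 4 is added to the table address. Returns the destination
    with the Thumb bit cleared, plus whether that bit was set."""
    entry = struct.unpack_from("<I", image, table_addr - base + index * 4)[0]
    target = (table_addr + entry) & 0xFFFFFFFF
    return target & ~1, bool(target & 1)


def resolve_lr_relative_load(image, base, lr):
    """Model of sub_4964: the dword following the BLX (at LR) is an offset; the
    value stored at LR + offset is what ends up in the popped register."""
    offset = struct.unpack_from("<I", image, lr - base)[0]
    addr = (lr + offset) & 0xFFFFFFFF
    value = struct.unpack_from("<I", image, addr - base)[0]
    return addr, value


# Constructed images (not bytes from libsgmainso-6.4.36.so): entry 8 of a table at
# 0xB144 is 0x120, and the dword 0xEA at 0xB4BA points at a value stored at 0xB5A4.
TABLE_BASE = 0xB144
TABLE_IMAGE = b"".join(struct.pack("<I", v) for v in [0] * 8 + [0x120])
LR_BASE = 0xB4BA
LR_IMAGE = struct.pack("<I", 0xEA) + bytes(0xEA - 4) + struct.pack("<I", 0xDEADBEEF)


if __name__ == "__main__":
    print(hex(resolve_table_jump(TABLE_IMAGE, TABLE_BASE, TABLE_BASE, 8)[0]))
    print(hex(resolve_lr_relative_load(LR_IMAGE, LR_BASE, LR_BASE)[0]))
    print(encode_thumb_branch(0xB26A, 0xB4B0).hex())
```

The decoder follows the ARM reference encoding (I1 = NOT(J1 XOR S), I2 = NOT(J2 XOR S)); because the script always sets J1 = J2 = 1, the 11 bits it places in the first halfword carry the sign bit S and imm10 together, which is why the ±2^21 halfword range check in put_unconditional_branch is exactly right.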

We put the cursor on the line 0xB26A, run the script, and see the jump to 0xB4B0:


IDA again did not recognize this area as code. We help it and see another construct:


The instructions after BLX do not seem to make much sense; it looks like some kind of offset. Let's look at sub_4964:


And indeed, here a dword is taken at the address in LR and added to this address, after which the value at the resulting address is taken and placed on the stack. Also, 4 is added to LR so that this same offset is skipped after returning from the function. Then the POP {R1} instruction takes the resulting value from the stack. If you look at what is at the address 0xB4BA + 0xEA = 0xB5A4, you will see something resembling an address table:


To patch this construct, you need to get two parameters from the code: the offset and the number of the register into which the result should be placed. For each possible register, a piece of code has to be prepared in advance.

```python
# IDAPython script (IDA 7 idc API). Run with the cursor on the SUB SP, SP, #8 that
# starts the LR-relative load construct: it replaces the construct with a
# PC-relative load of the resolved address into the register the original POPs.
from idc import *

# Replacement code per destination register: NOP; LDR Rn, [PC, #4]; LDR Rn, [Rn]; B +4
# (low registers use 16-bit encodings, R8-R11 use 32-bit LDR.W)
patches = {}
patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

ea = here()
if (get_wide_word(ea) == 0xb082            # SUB SP, SP, #8
        and get_wide_word(ea + 2) == 0xb503):  # PUSH {R0,R1,LR}
    if get_operand_type(ea + 4, 0) == 7:   # BLX sub_4964
        pop = get_bytes(ea + 12, 4, 0)
        # Byte slicing keeps the comparison valid for both str (Python 2) and bytes (Python 3)
        if pop[1:2] == b'\xbc':            # 16-bit POP {Rn}
            register = -1
            r = get_wide_byte(ea + 12)
            for i in range(8):
                if r == (1 << i):
                    register = i
                    break
            if register == -1:
                print("Unable to detect register")
            else:
                # The offset dword sits at ea + 8, right after the BLX
                address = get_wide_dword(ea + 8) + ea + 8
                for b in patches[register]:
                    patch_byte(ea, b)
                    ea += 1
                if ea % 4 != 0:            # align the literal pool word
                    ea += 2
                patch_dword(ea, address)
        elif pop[:3] == b'\x5d\xf8\x04':   # 32-bit LDR.W Rn, [SP], #4 (POP of a high register)
            register = bytearray(pop)[3] >> 4
            if register in patches:
                address = get_wide_dword(ea + 8) + ea + 8
                for b in patches[register]:
                    patch_byte(ea, b)
                    ea += 1
                patch_dword(ea, address)
        else:
            print("POP instruction not found")
    else:
        print("Wrong operand type on +4:", get_operand_type(ea + 4, 0))
else:
    print("Unable to detect first instructions")
```

We place the cursor at the start of the construct we want to replace, 0xB4B2, and run the script:


In addition to the constructs already mentioned, the code also contains the following one:


As in the previous case, after the BLX instruction there is an offset:


We take the offset at the address in LR, add it to LR, and go there: 0x72044 + 0xC = 0x72050. The script for this construct is quite simple:

```python
# IDAPython script (IDA 7 idc API). Run with the cursor on the PUSH {R0,R1,LR}
# that starts the LR-relative jump construct: it replaces the construct with a
# direct branch to LR + offset.
from idc import *


def put_unconditional_branch(source, destination):
    # Thumb branch offset is counted in halfwords relative to PC (source + 4)
    offset = (destination - source - 4) >> 1
    if offset > 2097151 or offset < -2097152:
        raise RuntimeError("Invalid offset")
    if offset > 1023 or offset < -1024:
        # 32-bit B.W (encoding T4)
        instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
        instruction2 = 0xb800 | (offset & 0x7ff)
        patch_word(source, instruction1)
        patch_word(source + 2, instruction2)
    else:
        # 16-bit B (encoding T2)
        instruction = 0xe000 | (offset & 0x7ff)
        patch_word(source, instruction)


ea = here()
if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
    ea1 = ea + 6                 # offset dword follows the 4-byte BLX
    if get_wide_word(ea + 2) == 0xbf00:  # NOP
        ea1 += 2
    offset = get_wide_dword(ea1)
    put_unconditional_branch(ea, (ea1 + offset) & 0xffffffff)
else:
    print("Unable to detect first instruction")
```

The result of running the script:


When everything in a function has been patched, you can point IDA at its real beginning. It will assemble the whole function code piece by piece, and it can then be decompiled with HexRays.

Decrypting strings

We have learned to cope with the machine code obfuscation in the libsgmainso-6.4.36.so library from UC Browser and obtained the code of the JNI_OnLoad function.

```c
int __fastcall real_JNI_OnLoad(JavaVM *vm)
{
    int result; // r0
    jclass clazz; // r0 MAPDST
    int v4; // r0
    JNIEnv *env; // r4
    int v6; // [sp-40h] [bp-5Ch]
    int v7; // [sp+Ch] [bp-10h]
    v7 = *(_DWORD *)off_8AC00;
    if ( !vm )
        goto LABEL_39;
    sub_7C4F4();
    env = (JNIEnv *)sub_7C5B0(0);
    if ( !env )
        goto LABEL_39;
    v4 = sub_72CCC();
    sub_73634(v4);
    sub_73E24(&unk_83EA6, &v6, 49);
    clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
    if ( clazz
      && (sub_9EE4(),
          sub_71D68(env),
          sub_E7DC(env) >= 0
       && sub_69D68(env) >= 0
       && sub_197B4(env, clazz) >= 0
       && sub_E240(env, clazz) >= 0
       && sub_B8B0(env, clazz) >= 0
       && sub_5F0F4(env, clazz) >= 0
       && sub_70640(env, clazz) >= 0
       && sub_11F3C(env) >= 0
       && sub_21C3C(env, clazz) >= 0
       && sub_2148C(env, clazz) >= 0
       && sub_210E0(env, clazz) >= 0
       && sub_41B58(env, clazz) >= 0
       && sub_27920(env, clazz) >= 0
       && sub_293E8(env, clazz) >= 0
       && sub_208F4(env, clazz) >= 0) )
    {
        result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
    }
    else
    {
LABEL_39:
        result = -1;
    }
    return result;
}
```

Let's take a closer look at the following lines:

```c
sub_73E24(&unk_83EA6, &v6, 49);
clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
```

The function sub_73E24 obviously decrypts the class name. It receives as parameters a pointer to data that looks like encrypted data, some buffer and a number. After the call, the buffer evidently contains a decrypted string, because it is passed to FindClass, which takes the class name as its second parameter. So the number is the size of the buffer or the length of the string. Let's try to decrypt the class name; it should tell us whether we are going the right way. Let's take a closer look at what happens in sub_73E24.

```c
int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
{
    int v4; // r6
    int v7; // r11
    int v8; // r9
    int v9; // r4
    size_t v10; // r5
    int v11; // r0
    struc_1 v13; // [sp+0h] [bp-30h]
    int v14; // [sp+1Ch] [bp-14h]
    int v15; // [sp+20h] [bp-10h]
    v4 = 0;
    v15 = *(_DWORD *)off_8AC00;
    v14 = 0;
    v7 = sub_7AF78(17);
    v8 = sub_7AF78(size);
    if ( !v7 )
    {
        v9 = 0;
        goto LABEL_12;
    }
    (*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
    if ( !v8 )
    {
LABEL_9:
        v4 = 0;
        goto LABEL_10;
    }
    v4 = 0;
    if ( !in )
    {
LABEL_10:
        v9 = 0;
        goto LABEL_11;
    }
    v9 = 0;
    if ( out )
    {
        memset(out, 0, size);
        v10 = size - 1;
        (*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
        memset(&v13, 0, 0x14u);
        v13.field_4 = 3;
        v13.field_10 = v7;
        v13.field_14 = v8;
        v11 = sub_6115C(&v13, &v14);
        v9 = v11;
        if ( v11 )
        {
            if ( *(_DWORD *)(v11 + 4) == v10 )
            {
                qmemcpy(out, *(const void **)v11, v10);
                v4 = *(_DWORD *)(v9 + 4);
            }
            else
            {
                v4 = 0;
            }
            goto LABEL_11;
        }
        goto LABEL_9;
    }
LABEL_11:
    sub_7B148(v7);
LABEL_12:
    if ( v8 )
        sub_7B148(v8);
    if ( v9 )
        sub_7B148(v9);
    return v4;
}
```

The function sub_7AF78 creates an instance of a container for byte arrays of the given size (we will not dwell on these containers in detail). Two such containers are created here: one holds the string "DcO/lcK+h?m3c*q@" (it is easy to guess that this is the key), the other holds the encrypted data. Next, both objects are placed into a structure, which is passed to the function sub_6115C. Let's also note the field with the value 3 in this structure, and let's see what happens to this structure next.

int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
{
  int v3; // lr
  unsigned int v4; // r1
  int v5; // r0
  int v6; // r1
  int result; // r0
  int v8; // r0

  *a2 = 820000;
  if ( a1 )
  {
    v3 = a1->field_14;
    if ( v3 )
    {
      v4 = a1->field_4;                         // the field set to 3 by the caller
      if ( v4 < 0x19 )
      {
        switch ( v4 )
        {
          case 0u:
            v8 = sub_6419C(a1->field_0, a1->field_10, v3);
            goto LABEL_17;
          case 3u:                              // key and data from the previous function
            v8 = sub_6364C(a1->field_0, a1->field_10, v3);
            goto LABEL_17;
          case 0x10u:
          case 0x11u:
          case 0x12u:
            v8 = sub_612F4(
                   a1->field_0,
                   v4,
                   *(_QWORD *)&a1->field_8,
                   *(_QWORD *)&a1->field_8 >> 32,
                   a1->field_10,
                   v3,
                   a2);
            goto LABEL_17;
          case 0x14u:
            v8 = sub_63A28(a1->field_0, v3);
            goto LABEL_17;
          case 0x15u:
            sub_61A60(a1->field_0, v3, a2);
            return result;
          case 0x16u:
            v8 = sub_62440(a1->field_14);
            goto LABEL_17;
          case 0x17u:
            v8 = sub_6226C(a1->field_10, v3);
            goto LABEL_17;
          case 0x18u:
            v8 = sub_63530(a1->field_14);
LABEL_17:
            v6 = 0;
            if ( v8 )
            {
              *a2 = 0;
              v6 = v8;
            }
            return v6;
          default:
            LOWORD(v5) = 28032;
            goto LABEL_5;
        }
      }
    }
  }
  LOWORD(v5) = -27504;
LABEL_5:
  HIWORD(v5) = 13;
  v6 = 0;
  *a2 = v5;
  return v6;
}

The switch variable is the structure field that was assigned the value 3 earlier. Look at case 3: sub_6364C receives as parameters the fields of the structure filled in by the previous function, i.e. the key and the encrypted data. If you look closely at sub_6364C, you can recognize the RC4 algorithm in it.

We have the algorithm and the key. Let's try to decrypt the class name. Here is the result: com/taobao/wireless/security/adapter/JNICLibrary. Excellent! We are on the right track.
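The decryption step described above, as an added example that is not code from the article or from UC Browser: the ciphertext bytes of the class name are not reproduced in the article, so the script constructs them by encrypting the known class name with the recovered key and then decrypts them again under the same contract as sub_73E24 (zeroed output buffer, size - 1 bytes decrypted, NUL-terminated result for FindClass).

```python
"""RC4 helper for recovering strings that the native library decrypts.

The key string and the class name are the ones named in the article; the
ciphertext is constructed here because the article does not reproduce it.
"""


def rc4_keystream(key: bytes):
    """Generate the RC4 keystream: key scheduling (KSA) then PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Key passed to the first container in sub_73E24 (16 bytes), and the
# class name the article recovers with it.
KEY = b"DcO/lcK+h?m3c*q@"
CLASS_NAME = b"com/taobao/wireless/security/adapter/JNICLibrary"


def decrypt_class_name(ciphertext: bytes, out_size: int) -> bytes:
    """Mirror sub_73E24's contract: the output buffer is out_size bytes,
    zero-filled, and only out_size - 1 bytes are decrypted so that the
    result stays NUL-terminated for FindClass."""
    out = bytearray(out_size)
    out[: out_size - 1] = rc4(KEY, ciphertext[: out_size - 1])
    return bytes(out).split(b"\0", 1)[0]


if __name__ == "__main__":
    # Constructed stand-in for the encrypted bytes stored in the library.
    constructed_ct = rc4(KEY, CLASS_NAME)
    print(decrypt_class_name(constructed_ct, len(CLASS_NAME) + 1).decode())
```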

Command tree

Now we need to find the RegisterNatives call, which will point us to the doCommandNative function. We look through the functions called from JNI_OnLoad and find it in sub_B7B0:

int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
{
  char signature[41]; // [sp+7h] [bp-55h]
  char name[16]; // [sp+30h] [bp-2Ch]
  JNINativeMethod method; // [sp+40h] [bp-1Ch]
  int v8; // [sp+4Ch] [bp-10h]

  v8 = *(_DWORD *)off_8AC00;
  decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);// doCommandNative
  decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u);// (I[Ljava/lang/Object;)Ljava/lang/Object;
  method.name = name;
  method.signature = signature;
  method.fnPtr = sub_B69C;
  return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
}

And indeed, a native method named doCommandNative is registered here. Now we know its address. Let's see what it does.

int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
{
  int v5; // r5
  struc_2 *a5; // r6
  int v9; // r1
  int v11; // [sp+Ch] [bp-14h]
  int v12; // [sp+10h] [bp-10h]

  v5 = 0;
  v12 = *(_DWORD *)off_8AC00;
  v11 = 0;
  a5 = (struc_2 *)malloc(0x14u);
  if ( a5 )
  {
    a5->field_0 = 0;
    a5->field_4 = 0;
    a5->field_8 = 0;
    a5->field_C = 0;
    v9 = command % 10000 / 100;                 // N2
    a5->field_0 = command / 10000;              // N1
    a5->field_4 = v9;
    a5->field_8 = command % 100;                // N3
    a5->field_C = env;
    a5->field_10 = args;
    v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);
  }
  free(a5);
  if ( !v5 && v11 )
    sub_7CF34(env, v11, &byte_83ED7);
  return v5;
}

From the name you can guess that this is the entry point for all the functions the developers decided to move into the native library. We are interested in function number 10601.

You can see from the code that the command number yields three numbers: command / 10000, command % 10000 / 100 and command % 100, i.e. in our case 1, 6 and 1. These three numbers, together with the JNIEnv pointer and the arguments passed to the function, are placed in a structure and passed on. Using the three numbers obtained (let's call them N1, N2 and N3), a command tree is walked.

Something like this:

[screenshot: command tree]

The tree is filled dynamically in JNI_OnLoad.
The three numbers encode a path in the tree. Each leaf of the tree holds the packed address of the corresponding function; the key is stored in the parent node. Finding the place in the code where the function we need is added to the tree is not hard once you understand all the structures involved (we won't describe them, so as not to bloat an already huge article).

More obfuscation

We got the address of the function that should decrypt the traffic: 0x5F1AC. But it is too early to rejoice: the UC Browser developers have prepared another surprise for us.

After extracting the parameters from the array created in the Java code, we get to the function at address 0x4D070. And here another kind of code obfuscation awaits us.

We put two indices in R7 and R4:

[screenshot: loading the indices]

We move the first index to R11:

[screenshot: moving the first index]

To get the address from the table, the index is used:

[screenshot: table lookup by index]

After jumping to the first address, the second index, which sits in R4, is used. There are 230 entries in the table.

What can be done about it? You can tell IDA that this is a switch: Edit -> Other -> Specify switch idiom.

[screenshot: specifying the switch idiom in IDA]

The resulting code is frightening. But, making your way through its jungle, you can spot a call to a function we already know, sub_6115C:

[screenshot: call to sub_6115C]

This is the switch in which case 3 performs decryption with the RC4 algorithm. And in this case the structure passed to the function is filled from the parameters passed to doCommandNative. Recall that there we had magicInt with the value 16. We look at the corresponding case, and after a few transitions we find code by which the algorithm can be identified.

[screenshot: the identified cipher code]

It's AES!

The algorithm is there; all that remains is to obtain its parameters: the mode, the key and possibly the initialization vector (it depends on the AES mode of operation). The structure holding them must be created somewhere before the call to sub_6115C, but this part of the code is particularly well obfuscated, so the idea arose to patch the code so that all the parameters of the decryption function are dumped to a file.

Patch

To avoid writing the whole patch by hand in assembly, you can launch Android Studio, write a function there that takes the same input parameters as our decryption function and writes them to a file, and then copy-paste the code the compiler generates.

Our friends from the UC Browser team also took care of the convenience of adding code. Recall that at the start of every function we have junk code that can easily be replaced with anything else. Very convenient 🙂 However, at the start of the target function there is not enough room for code that saves all the parameters to a file. I had to split it into parts and use the junk blocks of neighboring functions. There are four parts in total.

First part:

[screenshot: first part of the patch]

In the ARM architecture, the first four function parameters are passed in registers R0-R3; the rest, if any, are passed on the stack. The LR register holds the return address. All of this must be saved so that the function can continue to work after we dump its parameters. We also need to save all the registers we will use in the process, so we do PUSH.W {R0-R10,LR}. In R7 we get the address of the list of parameters passed to the function on the stack.

Using the fopen function, we open the file /data/local/tmp/aes in "ab" mode, i.e. for appending. In R0 we load the address of the file name, in R1 the address of the mode string. And here the junk code ends, so we move on to the next function. To keep it working, at its start we put a jump to the actual function code, skipping the junk, and in place of the junk we add the continuation of the patch.

[screenshot: calling fopen]

The first three parameters of the AES function are of type int. Since we saved the registers on the stack at the start, we can simply pass fwrite their addresses on the stack.

[screenshot: writing the int parameters]

Next we have three structures containing the data size and a pointer to the data for the key, the initialization vector and the encrypted data.

[screenshot: writing the key, IV and data buffers]

Finally, we close the file, restore the registers and transfer control to the real AES function.

We build an APK with the patched library, sign it, upload it to the device/emulator and launch it. We see that our dump is being created and a lot of data is written to it. The browser uses encryption not only for traffic, and all of its encryption goes through the function in question. But for some reason the data we need is not there, and the desired request is not visible in the traffic. Rather than wait until UC Browser deigns to make the required request, let's take the encrypted server response captured earlier and patch the application again: add decryption to onCreate of the main activity.

const/16 v1, 0x62
new-array v1, v1, [B
fill-array-data v1, :encrypted_data
const/16 v0, 0x1f
invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B
move-result-object v1
array-length v2, v1
invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
move-result-object v2
const-string v0, "ololo"
invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

We build, sign, install, launch. We get a NullPointerException because the method returned null.

During further study of the code, a function was found that decrypts some interesting strings: "META-INF/" and ".RSA". It looks like the application checks its own certificate. Or even derives keys from it. I didn't want to dig into what happens to the certificate, so we simply slip it the correct one. Let's patch the encrypted string so that instead of "META-INF/" we get "BLABLINF/", create a folder with that name in the APK and put the browser's certificate in it.

We build, sign, install, launch. Bingo! We have the key!

MitM

We obtained the key and an initialization vector equal to the key. Let's try to decrypt the server response in CBC mode.

[screenshot: decrypted server response]

We see the archive URL, something resembling an MD5, "extract_unzipsize" and a number. We check: the MD5 of the archive matches, and the size of the unpacked library matches. Let's try to patch this library and slip it to the browser. To show that our patched library has loaded, we will fire an Intent that creates an SMS with the text "PWNED!". We substitute two responses from the server: puds.ucweb.com/upgrade/index.xhtml and the archive download. In the first we replace the MD5 (the size does not change after unpacking); in the second we serve the archive with the patched library.

The browser tries to download the file several times, then reports an error. Apparently it doesn't like something. After picking apart this murky format, it turned out that the server also sends the size of the file:

[screenshot: size field in the server response]

It is encoded in LEB128. After the patch, the size of the archive with the library changed slightly, so the browser decided the file had been downloaded incorrectly and, after several attempts, threw an error.
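The size check just described, as an added example that is not code from the article or from UC Browser: an unsigned LEB128 encoder/decoder and the comparison the browser effectively performs, run over a constructed manifest value and a constructed archive, to show why a patched archive of a slightly different size is rejected until the declared size is updated.

```python
"""Unsigned LEB128 as used for the archive size in the update response.

The response layout is not reproduced in the article, so the manifest
bytes and the archives below are constructed for the demonstration.
"""


def leb128_encode(value: int) -> bytes:
    """Encode a non-negative integer as unsigned LEB128 (7 bits per byte,
    high bit set on every byte except the last)."""
    if value < 0:
        raise ValueError("unsigned LEB128 cannot encode negative values")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def leb128_decode(buf: bytes, offset: int = 0):
    """Decode an unsigned LEB128 value at offset; returns (value, next_offset).
    Rejects truncated input and values wider than 64 bits."""
    result = shift = 0
    while True:
        if offset >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized LEB128 value")
        byte = buf[offset]
        offset += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, offset


def download_size_ok(size_field: bytes, downloaded: bytes) -> bool:
    """The check the browser effectively performs: declared size must
    equal the number of bytes actually received."""
    declared, _ = leb128_decode(size_field)
    return declared == len(downloaded)


if __name__ == "__main__":
    original = b"\x00" * 300000          # constructed stand-in for the original archive
    patched = original + b"\x00" * 37    # patched library: size changed slightly
    size_field = leb128_encode(len(original))   # what the server sends
    print(size_field.hex(), download_size_ok(size_field, original), download_size_ok(size_field, patched))
    print(download_size_ok(leb128_encode(len(patched)), patched))  # after fixing the size field
```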

We fix the archive size... and victory! 🙂 The result is in the video.

https://www.youtube.com/watch?v=Nfns7uH03J8

Results and the developers' reaction

In the same way, attackers could use this UC Browser vulnerability to distribute and run malicious libraries. Such libraries would run in the browser's context and therefore receive all of its permissions. Hence the ability to display phishing windows, as well as access to the Chinese browser's working files, including logins, passwords and cookies stored in its database.

We contacted the UC Browser developers and informed them about the problem we found, trying to point out the vulnerability and its danger, but they did not discuss anything with us. Meanwhile, the browser continued to flaunt its dangerous feature in plain sight. But once we published the details of the vulnerability, it could no longer be ignored as before. On March 27, a new version of UC Browser, 12.10.9.1193, was released, which accesses the server over HTTPS: puds.ucweb.com/upgrade/index.xhtml.

Moreover, after the "fix" and up to the time of writing this article, trying to open a PDF in the browser results in an error with the text "Oops, something went wrong!". The request to the server is not made when opening a PDF, but it is made when the browser starts, which hints at a continued ability to download executable code in violation of Google Play rules.

Source: www.hab.com
