Looking for vulnerabilities in UC Browser


Introduction

At the end of March we reported that we had found a hidden capability in UC Browser to download and execute unverified code. Today we will look in detail at how this download works and how an attacker could use it for their own purposes.

Some time ago UC Browser was advertised and distributed very aggressively: it was installed on users' devices by malware, distributed from various sites under the guise of video files (that is, users thought they were downloading, for example, a porn video, but instead got an APK of this browser), and pushed with scary banners claiming that the browser was outdated, vulnerable and so on. The official UC Browser group on VK has a thread where users can complain about misleading advertising, and there are plenty of examples there. In 2016 there was even a video ad in Russian (yes, an ad for a browser that blocks ads).

At the time of writing, UC Browser has more than 500 million installs on Google Play. That is impressive: only Google Chrome has more. Among the reviews you can see a lot of complaints about ads and redirects to some apps on Google Play. This was the reason for our research: we decided to see whether UC Browser is doing something bad. And it turned out that it is!

In the application code we found the ability to download and execute executable code, which violates the Google Play rules for publishing applications. Besides the fact that UC Browser downloads executable code, it does so insecurely, which can be used to mount a MitM attack. Let's see whether we can carry out such an attack.

Everything written below applies to the version of UC Browser that was on Google Play at the time of the study:

package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
sha1 of the APK file: f5edb2243413c777172f6362876041eb0c3a928c

Attack vector

In the UC Browser manifest you can find a service with the self-explanatory name com.uc.deployment.UpgradeDeployService.

    <service android:exported="false" android:name="com.uc.deployment.UpgradeDeployService" android:process=":deploy" />

When this service starts, the browser makes a POST request to puds.ucweb.com/upgrade/index.xhtml, which can be seen in the traffic some time after launch. In response it may receive a command to download some update or a new module. During the analysis the server did not issue such commands, but we noticed that when we tried to open a PDF in the browser, it made a second request to the address mentioned above and then downloaded a native library. To carry out the attack we decided to use this feature of UC Browser: the ability to open PDFs with a native library that is not in the APK and is downloaded from the Internet when needed. It is worth noting that, in theory, UC Browser can be forced to download something without any user interaction, if a well-formed response is given to the request made after the browser starts. But to do that we would have to study the protocol of interaction with the server in more detail, so we decided that it would be easier to modify the received response and substitute the library for working with PDFs.

So, when a user wants to open a PDF directly in the browser, the following requests can be seen in the traffic:

[screenshot]

First there is a POST request to puds.ucweb.com/upgrade/index.xhtml, then an archive containing the library for viewing PDF and office documents is downloaded. It is logical to assume that the first request passes information about the system (at least the architecture, so that the right library can be served), and in response the browser receives some information about the library that needs to be downloaded: its address and, possibly, something else. The problem is that this request is encrypted.

Request fragment:

[screenshot]

Response fragment:

[screenshot]

The library itself is packed into a ZIP archive and is not encrypted.

[screenshot]

Looking for the traffic decryption code

Let's try to decrypt the server's response. Let's look at the code of the com.uc.deployment.UpgradeDeployService class: from the onStartCommand method we go to com.uc.deployment.bx, and from there to com.uc.browser.core.dcfe:

    public final void e(l arg9) {
        int v4_5;
        String v3_1;
        byte[] v3;
        byte[] v1 = null;
        if(arg9 == null) {
            v3 = v1;
        }
        else {
            v3_1 = arg9.iGX.ipR;
            // Log message construction; the StringBuilders are not used afterwards
            StringBuilder v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]product:");
            v4.append(arg9.iGX.ipR);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]version:");
            v4.append(arg9.iGX.iEn);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]upgrade_type:");
            v4.append(arg9.iGX.mMode);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]force_flag:");
            v4.append(arg9.iGX.iEo);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_mode:");
            v4.append(arg9.iGX.iDQ);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_type:");
            v4.append(arg9.iGX.iEr);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_state:");
            v4.append(arg9.iGX.iEp);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_file:");
            v4.append(arg9.iGX.iEq);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apk_md5:");
            v4.append(arg9.iGX.iEl);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_type:");
            v4.append(arg9.mDownloadType);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_group:");
            v4.append(arg9.mDownloadGroup);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_path:");
            v4.append(arg9.iGH);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_child_version:");
            v4.append(arg9.iGX.iEx);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_series:");
            v4.append(arg9.iGX.iEw);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_arch:");
            v4.append(arg9.iGX.iEt);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp3:");
            v4.append(arg9.iGX.iEv);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp:");
            v4.append(arg9.iGX.iEu);
            ArrayList v3_2 = arg9.iGX.iEz;
            if(v3_2 != null && v3_2.size() != 0) {
                Iterator v3_3 = v3_2.iterator();
                while(v3_3.hasNext()) {
                    Object v4_1 = v3_3.next();
                    StringBuilder v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_name:");
                    v5.append(((au)v4_1).getName());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_name:");
                    v5.append(((au)v4_1).aDA());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_code:");
                    v5.append(((au)v4_1).gBl);
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_req_type:");
                    v5.append(((au)v4_1).gBq);
                }
            }
            // Build the request body (protobuf, hence "dataver=pb") with device information
            j v3_4 = new j();
            m.b(v3_4);
            h v4_2 = new h();
            m.b(v4_2);
            ay v5_1 = new ay();
            v3_4.hS("");
            v3_4.setImsi("");
            v3_4.hV("");
            v5_1.bPQ = v3_4;
            v5_1.bPP = v4_2;
            v5_1.yr(arg9.iGX.ipR);
            v5_1.gBF = arg9.iGX.mMode;
            v5_1.gBI = arg9.iGX.iEz;
            v3_2 = v5_1.gAr;
            c.aBh();
            v3_2.add(g.fs("os_ver", c.getRomInfo()));
            v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
            v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
            String v4_3 = com.uc.b.a.a.c.Pd();
            v3_2.add(g.fs("cpu_vfp", v4_3));
            v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
            v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
            v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
            v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
            v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
            v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
            v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
            v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
            v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
            v3_2.add(g.fs("child_ver", r.aVw()));
            v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));
            v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature()));
            v3_2.add(g.fs("upgrade_log", i.bjt()));
            v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
            v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
            v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
            v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
            v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
            v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
            boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
            v3_2.add(g.fs("neon", String.valueOf(v4_4)));
            v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
            v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
            v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
            c.aBh();
            v3_2.add(g.fs("rom_1", c.getRomInfo()));
            v4_5 = e.getScreenWidth();
            int v6 = e.getScreenHeight();
            StringBuilder v7 = new StringBuilder();
            v7.append(v4_5);
            v7.append("*");
            v7.append(v6);
            v3_2.add(g.fs("ss", v7.toString()));
            v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
            v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));
            Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
            while(v4_6.hasNext()) {
                Object v6_1 = v4_6.next();
                v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
            }
            v3 = v5_1.toByteArray();
        }
        if(v3 == null) {
            this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
            return;
        }
        // Encryption mode: 0x1F when encryption is enabled, 0 otherwise
        v4_5 = this.iGY.iGw ? 0x1F : 0;
        if(v3 == null) {
        }
        else {
            v3 = g.i(v4_5, v3);
            if(v3 == null) {
            }
            else {
                // 16-byte header 5F 00 <mode> CE 00 .. 00 followed by the encrypted body
                v1 = new byte[v3.length + 16];
                byte[] v6_2 = new byte[16];
                Arrays.fill(v6_2, 0);
                v6_2[0] = 0x5F;
                v6_2[1] = 0;
                v6_2[2] = ((byte)v4_5);
                v6_2[3] = -50;
                System.arraycopy(v6_2, 0, v1, 0, 16);
                System.arraycopy(v3, 0, v1, 16, v3.length);
            }
        }
        if(v1 == null) {
            this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
            return;
        }
        if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
            this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
            return;
        }
        StringBuilder v0 = new StringBuilder("[");
        v0.append(arg9.iGX.ipR);
        v0.append("]url:");
        v0.append(this.iGY.mUpgradeUrl);
        com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
        v3_1 = this.iGY.mUpgradeUrl;
        com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
        v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
        n v3_5 = v0_2.uc(v3_1);
        m.b(v3_5, false);
        v3_5.setMethod("POST");
        v3_5.setBodyProvider(v1);
        v0_2.b(v3_5);
        this.iGY.iGI.a(arg9, "up_null", "yes", "success");
        this.iGY.iGI.b(arg9);
    }

Here we see the POST request being formed. Note the creation of a 16-byte array and how it is filled: 0x5F, 0, 0x1F, -50 (= 0xCE). This matches what we saw in the request above.

In the same class there is a nested class with another interesting method:

        public final void a(l arg10, byte[] arg11) {
            f v0 = this.iGQ;
            StringBuilder v1 = new StringBuilder("[");
            v1.append(arg10.iGX.ipR);
            v1.append("]:UpgradeSuccess");
            byte[] v1_1 = null;
            if(arg11 == null) {
            }
            else if(arg11.length < 16) {
            }
            else {
                // Header check: byte 0 must be 0x60 or byte 3 must be 0xD0
                if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
                    goto label_57;
                }
                int v3 = 1;
                int v5 = arg11[1] == 1 ? 1 : 0;
                // Byte 2 selects the decryption algorithm (1, 11 or 0x1F); any other value means no decryption
                if(arg11[2] != 1 && arg11[2] != 11) {
                    if(arg11[2] == 0x1F) {
                    }
                    else {
                        v3 = 0;
                    }
                }
                byte[] v7 = new byte[arg11.length - 16];
                System.arraycopy(arg11, 16, v7, 0, v7.length);
                if(v3 != 0) {
                    v7 = g.j(arg11[2], v7);
                }
                if(v7 == null) {
                    goto label_57;
                }
                if(v5 != 0) {
                    v1_1 = g.P(v7);
                    goto label_57;
                }
                v1_1 = v7;
            }
        label_57:
            if(v1_1 == null) {
                v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
                return;
            }
            q v11 = g.b(arg10, v1_1);
            if(v11 == null) {
                v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
                return;
            }
            if(v0.iGY.iGt) {
                v0.d(arg10);
            }
            if(v0.iGY.iGo != null) {
                v0.iGY.iGo.a(0, ((o)v11));
            }
            if(v0.iGY.iGs) {
                v0.iGY.a(((o)v11));
                v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
                v0.iGY.iGI.a(v11);
                return;
            }
            v0.iGY.iGI.a(v11, "up_silent", "no", "success");
        }
    }

This method takes a byte array as input and checks that byte zero is 0x60 or byte three is 0xD0; it then looks at byte two: if it is 1, 11 or 0x1F the payload is decrypted, otherwise it is used as is. Let's look at the server response: byte zero is 0x60, byte two is 0x1F, byte three is 0x60. Just what we need. Judging by the strings ("up_decrypt", for example), a method that decrypts the server response should be called here.
Let's move on to the g.j method. Note that its first argument is the byte at offset 2 (0x1F in our case), and the second is the server response without the first 16 bytes.
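The framing read off the two decompiled methods above (the 16-byte request header built in e(l) and the response check in a(l, byte[])), as an added Python example that is not UC Browser code. The real ciphers behind modes 1, 11 and 0x1F (c.c, m.aF and EncryptHelper.decrypt) are not reproduced on the page, so the "codecs" here are constructed reversible XOR stand-ins, and the g.P step applied when response byte 1 equals 1 is left as a pluggable hook because the page does not identify it.

```python
"""Framing of the UC Browser upgrade exchange as seen in e(l) and a(l, byte[]).

Added example, not code from UC Browser: the XOR codecs and the sample
payloads are constructed; only the header layout and checks come from the
decompiled methods.
"""

HEADER_LEN = 16
REQ_MAGIC0, REQ_MAGIC3 = 0x5F, 0xCE    # request header bytes 0 and 3 (-50 == 0xCE)
RESP_MAGIC0, RESP_MAGIC3 = 0x60, 0xD0  # response header bytes 0 and 3
DECRYPT_MODES = (1, 11, 0x1F)          # values of byte 2 for which g.j() decrypts


def _xor_codec(key):
    """Constructed reversible stand-in for the real ciphers (NOT the real algorithm)."""
    def codec(data):
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return codec


TOY_CODECS = {1: _xor_codec(b"\x01"), 11: _xor_codec(b"\x0b"),
              0x1F: _xor_codec(b"\x1f\xce")}


def build_request(body, encrypt=True, codecs=TOY_CODECS):
    """Mirror of e(l): mode is 0x1F when encryption is on, else 0; the body goes
    through g.i(mode, body) and is prefixed with 5F 00 <mode> CE and 12 zero bytes."""
    mode = 0x1F if encrypt else 0
    header = bytearray(HEADER_LEN)
    header[0], header[1], header[2], header[3] = REQ_MAGIC0, 0, mode, REQ_MAGIC3
    payload = codecs[mode](body) if mode else bytes(body)
    return bytes(header) + payload


def build_response(payload, mode, flag=0, codecs=TOY_CODECS):
    """Server side of the exchange: 60 <flag> <mode> D0 plus 12 zero bytes, then
    the payload encrypted with the cipher selected by <mode>."""
    header = bytearray(HEADER_LEN)
    header[0], header[1], header[2], header[3] = RESP_MAGIC0, flag, mode, RESP_MAGIC3
    body = codecs[mode](payload) if mode in DECRYPT_MODES else bytes(payload)
    return bytes(header) + body


def parse_response(data, codecs=TOY_CODECS, post_process=None):
    """Mirror of a(l, byte[]): returns (mode, plaintext) or raises ValueError.

    The client accepts the frame when byte 0 == 0x60 OR byte 3 == 0xD0 (the
    decompiled test is '!= 0x60 && != 0xD0' -> fail), strips the 16-byte header,
    runs g.j(mode, rest) only for modes 1, 11 and 0x1F, and applies g.P when
    byte 1 == 1.
    """
    if data is None or len(data) < HEADER_LEN:
        raise ValueError("frame shorter than the 16-byte header")
    if data[0] != RESP_MAGIC0 and data[3] != RESP_MAGIC3:
        raise ValueError("bad header: byte0=%#x byte3=%#x" % (data[0], data[3]))
    flag, mode = data[1], data[2]
    body = data[HEADER_LEN:]
    if mode in DECRYPT_MODES:
        body = codecs[mode](body)          # g.j(arg11[2], payload)
    if flag == 1 and post_process is not None:
        body = post_process(body)          # g.P(...), not identified on the page
    return mode, body


if __name__ == "__main__":
    req = build_request(b"os_ver=...&processor_arch=armeabi-v7a")  # constructed body
    print(req[:4].hex())                                            # 5f001fce
    print(parse_response(build_response(b"constructed-module-url", 0x1F)))
```

A MitM position only needs to satisfy the header check and pick a mode the client will decrypt with; with an unknown mode byte the client uses the payload unmodified, which is the detail to keep in mind when reading the next methods.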

    public static byte[] j(int arg1, byte[] arg2) {
        // arg1 is byte 2 of the response header, arg2 the payload after the header
        if(arg1 == 1) {
            arg2 = c.c(arg2, c.adu);
        }
        else if(arg1 == 11) {
            arg2 = m.aF(arg2);
        }
        else if(arg1 != 0x1F) {
        }
        else {
            arg2 = EncryptHelper.decrypt(arg2);
        }
        return arg2;
    }

Obviously, a decryption algorithm is chosen here, and the byte, which in our case equals 0x1F, indicates one of three possible options.

We continue to analyse the code. After a couple of jumps we find ourselves in a method with the self-explanatory name decryptBytesByKey.

Here two more bytes are split off from our response, and a string is obtained from them. It is clear that this is how the key for decrypting the message is selected.

    private static byte[] decryptBytesByKey(byte[] bytes) {
        byte[] v0 = null;
        if(bytes != null) {
            try {
                if(bytes.length < EncryptHelper.PREFIX_BYTES_SIZE) {
                }
                else if(bytes.length == EncryptHelper.PREFIX_BYTES_SIZE) {
                    return v0;
                }
                else {
                    byte[] prefix = new byte[EncryptHelper.PREFIX_BYTES_SIZE];  // 2 bytes
                    System.arraycopy(bytes, 0, prefix, 0, prefix.length);
                    String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort()); // key selection
                    if(keyId == null) {
                        return v0;
                    }
                    else {
                        a v2 = EncryptHelper.ayL();
                        if(v2 == null) {
                            return v0;
                        }
                        else {
                            byte[] encrypted = new byte[bytes.length - EncryptHelper.PREFIX_BYTES_SIZE];
                            System.arraycopy(bytes, EncryptHelper.PREFIX_BYTES_SIZE, encrypted, 0, encrypted.length);
                            return v2.l(keyId, encrypted);
                        }
                    }
                }
            }
            catch(SecException v7_1) {
                EncryptHelper.handleDecryptException(((Throwable)v7_1), v7_1.getErrorCode());
                return v0;
            }
            catch(Throwable v7) {
                EncryptHelper.handleDecryptException(v7, 2);
                return v0;
            }
        }
        return v0;
    }

Looking further, we notice that at this point we have not yet obtained the key, only its "identifier". Obtaining the key itself is a little more complicated.

In the next method two more parameters are added to the existing ones, making four in total: the magic number 16, the key identifier, the encrypted data and an unexplained string (empty in our case).

    public final byte[] l(String keyId, byte[] encrypted) throws SecException {
        return this.ayJ().staticBinarySafeDecryptNoB64(16, keyId, encrypted, "");
    }

After a series of transitions we arrive at the staticBinarySafeDecryptNoB64 method of the com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponent interface. There is no class in the main application code that implements this interface. Such a class exists in the file lib/armeabi-v7a/libsgmain.so, which is actually not a .so but a .jar. The method we are interested in is implemented as follows:

    package com.alibaba.wireless.security.a.i;
    // ...
    public class a implements IStaticDataEncryptComponent {
        private ISecurityGuardPlugin a;
        // ...
        private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
            return this.a.getRouter().doCommand(10601, new Object[]{Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt), keyId, encrypted, magicString});
        }
        // ...
        private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
            return this.a(2, magicInt, 0, keyId, encrypted, magicString);
        }
        // ...
        public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
            if(keyId != null && keyId.length() > 0 && magicInt >= 0 && magicInt < 19 && encrypted != null && encrypted.length > 0) {
                return this.b(magicInt, keyId, encrypted, magicString);
            }
            throw new SecException("", 301);
        }
        //...
    }

Here two more numeric parameters are added: 2 and 0. Judging by everything, 2 means decryption, just like the DECRYPT_MODE constant of the system class javax.crypto.Cipher. And all of this is passed to some router together with the number 10601, which is evidently a command number.

After the next series of transitions we find the class that implements the IRouterComponent interface and its doCommand method:

    package com.alibaba.wireless.security.mainplugin;
    import com.alibaba.wireless.security.framework.IRouterComponent;
    import com.taobao.wireless.security.adapter.JNICLibrary;
    public class a implements IRouterComponent {
        public a() {
            super();
        }
        public Object doCommand(int arg2, Object[] arg3) {
            return JNICLibrary.doCommandNative(arg2, arg3);
        }
    }

And the JNICLibrary class, in which the native method doCommandNative is declared:

    package com.taobao.wireless.security.adapter;
    public class JNICLibrary {
        public static native Object doCommandNative(int arg0, Object[] arg1);
    }

This means we have to find the doCommandNative method in native code. And this is where the fun begins.

Machine code obfuscation

The file libsgmain.so (which is actually a .jar, and in which we found the implementation of the encryption-related interfaces above) contains one native library: libsgmainso-6.4.36.so. We open it in IDA and get a pile of error dialogs. The problem is that the section header table is invalid. This is done deliberately to complicate analysis.

[screenshot]

But it is not needed: to load an ELF file correctly and analyse it, the program header table is enough. So we simply remove the section table by zeroing out the corresponding fields in the ELF header.

[screenshot]

We open the file in IDA again.

There are two ways to tell the Java virtual machine where exactly in a native library the implementation of a method declared as native in Java code is located. The first is to give it a name of the form Java_package_name_ClassName_MethodName.

The second is to register it when the library is loaded (in the JNI_OnLoad function) by calling the RegisterNatives function.

In our case, if the first method were used, the name would have to be Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative.

There is no such function among the exports, which means we need to look for the RegisterNatives call. We go to the JNI_OnLoad function and see this picture:

[screenshot]

What is going on here? At first glance, the beginning and end of the function are typical for the ARM architecture. The first instruction pushes onto the stack the contents of the registers the function will use (in this case R0, R1 and R2) as well as the LR register, which holds the return address. The last instruction restores the saved registers, and the return address goes straight into the PC register, which returns from the function. But if you look closely, you will notice that the penultimate instruction changes the return address saved on the stack. Let's calculate what it will be after the code runs. The address 0xB130 is loaded into R0, 5 is subtracted from it, the value is moved to another register and 0x10 is added to it. The result is 0xB13B. So IDA thinks the last instruction is an ordinary return from the function, but in fact it is a jump to the computed address 0xB13B.

It is worth recalling here that ARM processors have two modes and two instruction sets: ARM and Thumb. The least significant bit of the address tells the processor which instruction set is in use. That is, the address is actually 0xB13A, and the set low bit indicates Thumb mode.

A similar "adapter", plus junk code, has been added at the beginning of every function in this library. We will not dwell on them further; we just remember that the real beginning of almost every function is a little further on.

Since there is no explicit jump to 0xB13A, IDA itself did not recognise that there is code at this location. For the same reason, it does not recognise most of the code in the library as code, which makes analysis somewhat harder. We tell IDA that this is code, and this is what we get:

[screenshot]

A table obviously starts at 0xB144. What is in sub_494C?

[screenshot]

When this function is called, the LR register holds the address of the table mentioned earlier (0xB144), and R0 holds an index into this table. That is, a value is taken from the table, added to LR, and the result is the address to jump to. Let's try to calculate it: 0xB144 + [0xB144 + 8 * 4] = 0xB144 + 0x120 = 0xB264. We go to the resulting address, see a few useful instructions, and then another jump to 0xB140:

[screenshot]

This time the jump goes to the offset at index 0x20 in the table.

Judging by the size of the table, there will be a great many such jumps in the code. The question is whether this can be handled automatically, without calculating addresses by hand. Scripts and the ability to patch code in IDA come to the rescue:

    def put_unconditional_branch(source, destination):
        # Encode a Thumb unconditional branch from `source` to `destination`
        # (16-bit B for short offsets, 32-bit B.W otherwise) and patch it in.
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 2
        if get_wide_word(ea1) == 0xbf00:  # NOP
            ea1 += 2
        # LDR R0, =index: operand 0 is register R0, operand 1 a memory reference to the literal
        if get_operand_type(ea1, 0) == 1 and get_operand_value(ea1, 0) == 0 and get_operand_type(ea1, 1) == 2:
            index = get_wide_dword(get_operand_value(ea1, 1))
            print("index = %s" % hex(index))
            ea1 += 2
            # The call to sub_494C; the table follows the call (LR points at it)
            if get_operand_type(ea1, 0) == 7:
                table = get_operand_value(ea1, 0) + 4
            elif get_operand_type(ea1, 1) == 2:
                table = get_operand_value(ea1, 1) + 4
            else:
                print("Wrong operand type on %s - %d %d" % (hex(ea1), get_operand_type(ea1, 0), get_operand_type(ea1, 1)))
                table = None
            if table is None:
                print("Unable to find table")
            else:
                print("table = %s" % hex(table))
                offset = get_wide_dword(table + (index << 2))
                # Replace the whole construct with a direct branch to table + table[index]
                put_unconditional_branch(ea, table + offset)
        else:
            print("Unknown code %d %d %s" % (get_operand_type(ea1, 0), get_operand_value(ea1, 0), get_operand_type(ea1, 1) == 2))
    else:
        print("Unable to detect first instruction")

We put the cursor on the line at 0xB26A, run the script, and see a jump to 0xB4B0:

[screenshot]
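The branch encoding used by the patch script and the three jump constructs described in this section (sub_494C, sub_4964 and the LR-relative offset jump), reproduced outside IDA so the arithmetic can be checked against the numbers in the text. This is an added example and not the article's script or library code; the `Image` buffer is constructed here and contains only the table entries needed to reproduce the calculations (0xB144 + [0xB144 + 8*4] = 0xB264 and 0xB4BA + 0xEA = 0xB5A4), not the real bytes of libsgmainso-6.4.36.so.

```python
"""Thumb branch encoding and the jump-table constructs from the obfuscated
library, reproduced outside IDA. Added example, not code from the article."""
import struct


def encode_thumb_branch(source, destination):
    """Same encoding as put_unconditional_branch in the IDA script, returned as
    bytes instead of patched in: 16-bit B (T2) for +/-1024 halfwords, otherwise
    32-bit B.W (T4) with J1 = J2 = 1."""
    offset = (destination - source - 4) >> 1      # halfword offset; Thumb PC = source + 4
    if offset > 2097151 or offset < -2097152:
        raise ValueError("offset out of range for B.W")
    if offset > 1023 or offset < -1024:
        hw1 = 0xF000 | ((offset >> 11) & 0x7FF)   # bit 10 of hw1 is S (the sign)
        hw2 = 0xB800 | (offset & 0x7FF)           # J1 = J2 = 1, hence I1 = I2 = S
        return struct.pack("<HH", hw1, hw2)
    return struct.pack("<H", 0xE000 | (offset & 0x7FF))


def decode_thumb_branch(source, insn):
    """Inverse of encode_thumb_branch: recover the branch target from the bytes."""
    if len(insn) == 2:
        (hw,) = struct.unpack("<H", insn)
        if hw & 0xF800 != 0xE000:
            raise ValueError("not a 16-bit unconditional B")
        imm = hw & 0x7FF
        if imm & 0x400:
            imm -= 0x800
    else:
        hw1, hw2 = struct.unpack("<HH", insn)
        if hw1 & 0xF800 != 0xF000 or hw2 & 0xD000 != 0x9000:
            raise ValueError("not a 32-bit B.W")
        s, j1, j2 = (hw1 >> 10) & 1, (hw2 >> 13) & 1, (hw2 >> 11) & 1
        i1, i2 = 1 ^ (j1 ^ s), 1 ^ (j2 ^ s)       # I1 = NOT(J1 XOR S), I2 = NOT(J2 XOR S)
        imm = (s << 23) | (i1 << 22) | (i2 << 21) | ((hw1 & 0x3FF) << 11) | (hw2 & 0x7FF)
        if imm & (1 << 23):
            imm -= 1 << 24
    return source + 4 + (imm << 1)


class Image:
    """Minimal view of a loaded library: base address plus a byte buffer."""
    def __init__(self, base, data):
        self.base, self.data = base, bytearray(data)

    def dword(self, addr):
        return struct.unpack_from("<I", self.data, addr - self.base)[0]

    def put_dword(self, addr, value):
        struct.pack_into("<I", self.data, addr - self.base, value & 0xFFFFFFFF)


def resolve_sub_494c(img, lr, r0):
    """sub_494C: LR points at the table, R0 is the index; target = table + table[index]."""
    return (lr + img.dword(lr + r0 * 4)) & 0xFFFFFFFF


def resolve_sub_4964(img, lr):
    """sub_4964: the dword at LR is added to LR, and the dword at that address is the
    value that ends up in the POP'ed register. Returns (value, LR + 4)."""
    return img.dword((lr + img.dword(lr)) & 0xFFFFFFFF), lr + 4


def resolve_offset_jump(img, lr):
    """Third construct: the dword at LR is added to LR and execution continues there."""
    return (lr + img.dword(lr)) & 0xFFFFFFFF


if __name__ == "__main__":
    img = Image(0xB000, bytes(0x1000))               # constructed, all zeros
    img.put_dword(0xB144 + 8 * 4, 0x120)             # table[8] as in the text
    print(hex(resolve_sub_494c(img, 0xB144, 8)))     # 0xb264
    print(encode_thumb_branch(0xB26A, 0xB4B0).hex()) # 21e1, i.e. B 0xB4B0
```

The decoder is the part worth having: after running the IDA scripts, round-tripping the patched halfwords through decode_thumb_branch is a quick way to confirm every patched branch lands where the table said it should.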

IDA again did not recognise this area as code. We help it along and find another construct there:

[screenshot]

The instructions after the BLX do not seem to make much sense; it looks like some kind of jump. Let's look at sub_4964:

[screenshot]

And indeed: here the dword at the address in LR is taken and added to that address, then the value at the resulting address is taken and pushed onto the stack. In addition, 4 is added to LR so that, after returning from the function, that table offset is skipped. After that, the POP {R1} instruction takes the resulting value from the stack. If you look at what is at address 0xB4BA + 0xEA = 0xB5A4, you will see something like an address table:

[screenshot]

To patch this construct you need two parameters from the code: the offset and the number of the register the result should be placed in. For every possible register a piece of replacement code has to be prepared in advance.

    # Replacement code per destination register: NOP; LDR Rn, =addr; LDR Rn, [Rn]; B past the literal
    patches = {}
    patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
    patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
    patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
    patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
    patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
    patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
    # High registers need the 32-bit LDR.W forms
    patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
    patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
    patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
    patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

    ea = here()
    if (get_wide_word(ea) == 0xb082  # SUB SP, SP, #8
            and get_wide_word(ea + 2) == 0xb503):  # PUSH {R0,R1,LR}
        if get_operand_type(ea + 4, 0) == 7:  # the BLX to sub_4964
            pop = get_bytes(ea + 12, 4, 0)
            if pop[1:2] == b'\xbc':  # 16-bit POP {Rn}: the low byte is the register mask
                register = -1
                r = get_wide_byte(ea + 12)
                for i in range(8):
                    if r == (1 << i):
                        register = i
                        break
                if register == -1:
                    print("Unable to detect register")
                else:
                    # The offset dword follows the BLX; the target is LR-relative
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    if ea % 4 != 0:
                        ea += 2
                    patch_dword(ea, address)
            elif pop[:3] == b'\x5d\xf8\x04':  # 32-bit POP.W {Rn} (LDR.W Rn, [SP], #4); Rn is in the high nibble of byte 3
                register = bytearray(pop)[3] >> 4
                if register in patches:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    patch_dword(ea, address)
            else:
                print("POP instruction not found")
        else:
            print("Wrong operand type on +4: %d" % get_operand_type(ea + 4, 0))
    else:
        print("Unable to detect first instructions")

We put the cursor at the beginning of the construct we want to replace, 0xB4B2, and run the script:

[screenshot]

In addition to the constructs already mentioned, the code also contains the following:

[screenshot]

As in the previous case, there is an offset after the BLX instruction:

[screenshot]

We take the offset at the address in LR, add it to LR and jump there: 0x72044 + 0xC = 0x72050. The script for this construct is quite simple:

    def put_unconditional_branch(source, destination):
        # Same Thumb branch encoder as in the first script
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 6  # the offset dword right after the BLX (this is what LR points at)
        if get_wide_word(ea + 2) == 0xbf00:  # NOP
            ea1 += 2
        offset = get_wide_dword(ea1)
        put_unconditional_branch(ea, (ea1 + offset) & 0xffffffff)
    else:
        print("Unable to detect first instruction")

The result of running the script:

[screenshot]

Once everything in the function has been patched, you can point IDA at its real beginning. It will assemble the whole function code piece by piece, and it can then be decompiled with Hex-Rays.

String decryption

We have learned to deal with the machine code obfuscation in the libsgmainso-6.4.36.so library from UC Browser and obtained the code of the JNI_OnLoad function.

    int __fastcall real_JNI_OnLoad(JavaVM *vm)
    {
        int result; // r0
        jclass clazz; // r0 MAPDST
        int v4; // r0
        JNIEnv *env; // r4
        int v6; // [sp-40h] [bp-5Ch]
        int v7; // [sp+Ch] [bp-10h]
        v7 = *(_DWORD *)off_8AC00;
        if ( !vm )
            goto LABEL_39;
        sub_7C4F4();
        env = (JNIEnv *)sub_7C5B0(0);
        if ( !env )
            goto LABEL_39;
        v4 = sub_72CCC();
        sub_73634(v4);
        sub_73E24(&unk_83EA6, &v6, 49);
        clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
        if ( clazz
          && (sub_9EE4(),
              sub_71D68(env),
              sub_E7DC(env) >= 0
           && sub_69D68(env) >= 0
           && sub_197B4(env, clazz) >= 0
           && sub_E240(env, clazz) >= 0
           && sub_B8B0(env, clazz) >= 0
           && sub_5F0F4(env, clazz) >= 0
           && sub_70640(env, clazz) >= 0
           && sub_11F3C(env) >= 0
           && sub_21C3C(env, clazz) >= 0
           && sub_2148C(env, clazz) >= 0
           && sub_210E0(env, clazz) >= 0
           && sub_41B58(env, clazz) >= 0
           && sub_27920(env, clazz) >= 0
           && sub_293E8(env, clazz) >= 0
           && sub_208F4(env, clazz) >= 0) )
        {
            result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
        }
        else
        {
    LABEL_39:
            result = -1;
        }
        return result;
    }

Let's take a closer look at the following lines:

        sub_73E24(&unk_83EA6, &v6, 49);
        clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);

The sub_73E24 function obviously decrypts the class name. Its parameters are a pointer to something that looks like encrypted data, some buffer and a number. Clearly, after the call the buffer will contain the decrypted string, since it is passed to FindClass, which takes the class name as its second parameter. So the number is the size of the buffer or the length of the string. Let's try to decrypt the class name; it should tell us whether we are going in the right direction. Let's take a closer look at what happens in sub_73E24.

    int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
    {
        int v4; // r6
        int v7; // r11
        int v8; // r9
        int v9; // r4
        size_t v10; // r5
        int v11; // r0
        struc_1 v13; // [sp+0h] [bp-30h]
        int v14; // [sp+1Ch] [bp-14h]
        int v15; // [sp+20h] [bp-10h]
        v4 = 0;
        v15 = *(_DWORD *)off_8AC00;
        v14 = 0;
        v7 = sub_7AF78(17);
        v8 = sub_7AF78(size);
        if ( !v7 )
        {
            v9 = 0;
            goto LABEL_12;
        }
        (*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
        if ( !v8 )
        {
    LABEL_9:
            v4 = 0;
            goto LABEL_10;
        }
        v4 = 0;
        if ( !in )
        {
    LABEL_10:
            v9 = 0;
            goto LABEL_11;
        }
        v9 = 0;
        if ( out )
        {
            memset(out, 0, size);
            v10 = size - 1;
            (*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
            memset(&v13, 0, 0x14u);
            v13.field_4 = 3;
            v13.field_10 = v7;
            v13.field_14 = v8;
            v11 = sub_6115C(&v13, &v14);
            v9 = v11;
            if ( v11 )
            {
                if ( *(_DWORD *)(v11 + 4) == v10 )
                {
                    qmemcpy(out, *(const void **)v11, v10);
                    v4 = *(_DWORD *)(v9 + 4);
                }
                else
                {
                    v4 = 0;
                }
                goto LABEL_11;
            }
            goto LABEL_9;
        }
    LABEL_11:
        sub_7B148(v7);
    LABEL_12:
        if ( v8 )
            sub_7B148(v8);
        if ( v9 )
            sub_7B148(v9);
        return v4;
    }

The sub_7AF78 function creates an instance of a container for a byte array of the given size (we will not go into these containers in detail). Two such containers are created here: one holds the string "DcO/lcK+h?m3c*q@" (it is easy to guess that this is the key), the other holds the encrypted data. Next, both objects are placed in some structure, which is passed to the sub_6115C function. Let's also note the field with the value 3 in this structure. Let's see what happens to this structure next.

    int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
    {
        int v3; // lr
        unsigned int v4; // r1
        int v5; // r0
        int v6; // r1
        int result; // r0
        int v8; // r0
        *a2 = 820000;
        if ( a1 )
        {
            v3 = a1->field_14;
            if ( v3 )
            {
                v4 = a1->field_4;
                if ( v4 < 0x19 )
                {
                    switch ( v4 )
                    {
                        case 0u:
                            v8 = sub_6419C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 3u:
                            v8 = sub_6364C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 0x10u:
                        case 0x11u:
                        case 0x12u:
                            v8 = sub_612F4(
                                   a1->field_0,
                                   v4,
                                   *(_QWORD *)&a1->field_8,
                                   *(_QWORD *)&a1->field_8 >> 32,
                                   a1->field_10,
                                   v3,
                                   a2);
                            goto LABEL_17;
                        case 0x14u:
                            v8 = sub_63A28(a1->field_0, v3);
                            goto LABEL_17;
                        case 0x15u:
                            sub_61A60(a1->field_0, v3, a2);
                            return result;
                        case 0x16u:
                            v8 = sub_62440(a1->field_14);
                            goto LABEL_17;
                        case 0x17u:
                            v8 = sub_6226C(a1->field_10, v3);
                            goto LABEL_17;
                        case 0x18u:
                            v8 = sub_63530(a1->field_14);
    LABEL_17:
                            v6 = 0;
                            if ( v8 )
                            {
                                *a2 = 0;
                                v6 = v8;
                            }
                            return v6;
                        default:
                            LOWORD(v5) = 28032;
                            goto LABEL_5;
                    }
                }
            }
        }
        LOWORD(v5) = -27504;
    LABEL_5:
        HIWORD(v5) = 13;
        v6 = 0;
        *a2 = v5;
        return v6;
    }

The switch parameter is the structure field that was earlier assigned the value 3. Look at case 3: the parameters that were added to the structure in the previous function, that is the key and the encrypted data, are passed to sub_6364C. If you look closely at sub_6364C, you can recognise the RC4 algorithm in it.

We have the algorithm and the key. Let's try to decrypt the class name. Here is what we get: com/taobao/wireless/security/adapter/JNICLibrary. Excellent! We are on the right track.
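The decryption routine just described, as an added Python example that is not code from the article or from the library: RC4 with the key found in sub_73E24, wrapped in a function that mirrors the calling convention of sub_73E24 (zero an output buffer of `size` bytes, decrypt `size - 1` bytes into it, leave the NUL terminator). The page does not reproduce the ciphertext blobs (unk_83EA6 and the two blobs used later for the method name and signature), so the blobs below are constructed by encrypting the known plaintexts with the same key, which RC4's symmetry allows; the sizes 49, 0x10 and 0x29 are the ones passed in the decompiled calls.

```python
"""RC4 string decryption as performed by sub_73E24 in libsgmainso-6.4.36.so.

Added example, not code from the article or from the library. The key is the
one found in the function; the ciphertexts are constructed here.
"""

KEY = b"DcO/lcK+h?m3c*q@"   # the 16-byte key placed in the first container by sub_73E24


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                         # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(blob, size, key=KEY):
    """Mirror of sub_73E24(in, out, size): the output buffer of `size` bytes is
    zeroed, size - 1 bytes of ciphertext are decrypted into it, and the last
    byte stays 0 as the C string terminator. Returns the decoded string."""
    if size < 1 or len(blob) < size - 1:
        raise ValueError("blob shorter than size - 1")
    out = bytearray(size)
    out[: size - 1] = rc4(key, blob[: size - 1])
    return bytes(out).split(b"\x00", 1)[0].decode("ascii")


# Constructed ciphertexts standing in for the blobs in the library (not the real bytes).
ENC_CLASS_NAME = rc4(KEY, b"com/taobao/wireless/security/adapter/JNICLibrary")  # 48 bytes, size 49
ENC_METHOD_NAME = rc4(KEY, b"doCommandNative")                                     # 15 bytes, size 0x10
ENC_SIGNATURE = rc4(KEY, b"(I[Ljava/lang/Object;)Ljava/lang/Object;")            # 40 bytes, size 0x29


if __name__ == "__main__":
    print(decrypt_string(ENC_CLASS_NAME, 49))     # com/taobao/wireless/security/adapter/JNICLibrary
    print(decrypt_string(ENC_METHOD_NAME, 0x10))  # doCommandNative
    print(decrypt_string(ENC_SIGNATURE, 0x29))    # (I[Ljava/lang/Object;)Ljava/lang/Object;
```

To apply this to the real library, dump the bytes at the first argument of each sub_73E24 call (for example with IDA's get_bytes) and pass them with the third argument as `size`; the buffer sizes already tell you the expected string length, which is a quick sanity check on the dump.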

Command tree

Now we need to find the RegisterNatives call, which will point us to the doCommandNative function. We look at the functions called from JNI_OnLoad and find it in sub_B7B0:

    int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
    {
        char signature[41]; // [sp+7h] [bp-55h]
        char name[16]; // [sp+30h] [bp-2Ch]
        JNINativeMethod method; // [sp+40h] [bp-1Ch]
        int v8; // [sp+4Ch] [bp-10h]
        v8 = *(_DWORD *)off_8AC00;
        decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);// doCommandNative
        decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u);// (I[Ljava/lang/Object;)Ljava/lang/Object;
        method.name = name;
        method.signature = signature;
        method.fnPtr = sub_B69C;
        return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
    }

And indeed, a native method named doCommandNative is registered here. Now we know its address. Let's see what it does.

    int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
    {
        int v5; // r5
        struc_2 *a5; // r6
        int v9; // r1
        int v11; // [sp+Ch] [bp-14h]
        int v12; // [sp+10h] [bp-10h]
        v5 = 0;
        v12 = *(_DWORD *)off_8AC00;
        v11 = 0;
        a5 = (struc_2 *)malloc(0x14u);
        if ( a5 )
        {
            a5->field_0 = 0;
            a5->field_4 = 0;
            a5->field_8 = 0;
            a5->field_C = 0;
            v9 = command % 10000 / 100;
            a5->field_0 = command / 10000;
            a5->field_4 = v9;
            a5->field_8 = command % 100;
            a5->field_C = env;
            a5->field_10 = args;
            v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);
        }
        free(a5);
        if ( !v5 && v11 )
            sub_7CF34(env, v11, &byte_83ED7);
        return v5;
    }

From the name you can guess that this is the entry point for all the functions the developers decided to move into the native library. We are interested in the function with number 10601.

You can see from the code that the command number yields three numbers: command/10000, command % 10000/100 and command % 100, i.e. in our case 1, 6 and 1. These three numbers, together with the JNIEnv pointer and the arguments passed to the function, are placed in a structure and passed on. Using the three numbers obtained (let's call them N1, N2 and N3), a command tree is built.

Something like this:

[diagram: command tree]

The tree is populated in JNI_OnLoad.
The three numbers encode a path in the tree. Each leaf of the tree holds the XORed address of the corresponding function. The key is in the parent node. Finding the place in the code where the function we need is added to the tree is not hard if you understand all the structures involved (we do not describe them, so as not to bloat an already long article).
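As an added example (not code from the article), a small Python model of the dispatch scheme just described: the arithmetic on the command number is taken from doCommandNative, while the tree layout, the per-node XOR keys and the masking of leaves are assumptions made for illustration; the only address taken from the article is 0x5F1AC, the handler for command 10601.

```python
# Added example, not from the article. Models the command tree: N1 -> N2 -> N3 is a
# path, each leaf stores a function address XORed with the key kept in its parent.
# node_key() and the second registered command are constructed for illustration.
from typing import Any, Dict, Tuple


def split_command(command: int) -> Tuple[int, int, int]:
    """N1, N2, N3 exactly as doCommandNative computes them: 10601 -> (1, 6, 1)."""
    return command // 10000, command % 10000 // 100, command % 100


class Node:
    """Inner node of the tree; its key masks the leaves directly below it."""

    def __init__(self, key: int) -> None:
        self.key = key
        self.children: Dict[int, Any] = {}   # index -> Node (inner) or int (leaf)


def node_key(index: int) -> int:
    """Constructed per-node key; the library's real keys are not known here."""
    return 0x5A5A0000 ^ (index * 0x0101)


def register(root: Node, command: int, address: int) -> None:
    """Store a function address under N1 -> N2 -> N3, XORed with the parent's key."""
    n1, n2, n3 = split_command(command)
    node = root
    for index in (n1, n2):
        node = node.children.setdefault(index, Node(node_key(index)))
    node.children[n3] = address ^ node.key   # leaf: masked address


def resolve(root: Node, command: int) -> int:
    """Walk the path for a command and unmask the leaf; KeyError if unregistered."""
    n1, n2, n3 = split_command(command)
    parent = root.children[n1].children[n2]
    return parent.children[n3] ^ parent.key


def build_demo_tree() -> Node:
    """Tree with the traffic-decryption handler from the article (command 10601)."""
    root = Node(node_key(0))
    register(root, 10601, 0x5F1AC)    # address named in the article
    register(root, 10602, 0x123456)   # constructed second handler, same parent
    return root
```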

More obfuscation

We got the address of the function that should decrypt the traffic: 0x5F1AC. But it is too early to celebrate: the UC Browser developers have prepared another surprise for us.

After the parameters are pulled out of the array built in the Java code, we end up in the function at address 0x4D070. And here another kind of code obfuscation awaits us.

We load two indices into R7 and R4:

[screenshot]

We shift the first index into R11:

[screenshot]

An index is then used to fetch an address from a table:

[screenshot]

After the jump to the first address, the second index, held in R4, is used. There are 230 entries in the table.

What can be done about this? You can tell IDA that this is a switch: Edit -> Other -> Specify switch idiom.

[screenshot]

The resulting code is horrible. But wandering through its thickets, you can spot a call to a function we already know well, sub_6115C:

[screenshot]

This is the switch whose case 3 performed decryption with the RC4 algorithm. In this case, the structure passed to the function is filled from the parameters handed to doCommandNative. Recall what we had there: magicInt with the value 16. We look at the corresponding case, and after several jumps we find code from which the algorithm can be identified.

[screenshot]

This is AES!

We have the algorithm; all that remains is to obtain its parameters: the mode, the key and, possibly, the initialization vector (whether one is present depends on the AES mode of operation). The structure holding them must be created somewhere before the call to sub_6115C, but this part of the code is obfuscated particularly well, so the idea arose to patch the code so that all parameters of the decryption function are dumped to a file.

Patch

To avoid writing the whole patch by hand in assembly, you can open Android Studio, write a function there that takes the same input parameters as our decryption function and writes them to a file, and then copy-paste the code that the compiler generates.

Our friends on the UC Browser team have also taken care of the "convenience" of adding code. Recall that at the start of every function there is junk code that can easily be replaced with anything else. Very convenient 🙂 However, at the start of the target function there is not enough room for code that saves all the parameters to a file. I had to split it into parts and use the junk blocks of neighbouring functions. There are four parts in total.

The first part:

[screenshot]

On ARM, the first four function parameters are passed in registers R0-R3; the rest, if any, are passed on the stack. The LR register holds the return address. All of this must be preserved so that the function still works after we dump its parameters. We also need to save every register we are going to use along the way, so we do PUSH.W {R0-R10,LR}. In R7 we get the address of the list of parameters passed to the function on the stack.

Using fopen, we open the file /data/local/tmp/aes in "ab" mode, i.e. for appending. In R0 we load the address of the file name, in R1 the address of the string with the mode. Here the junk code runs out, so we move on to the next function. To keep that function working, at its start we put a jump to its real code, skipping the junk, and in place of the junk we put the continuation of the patch.

[screenshot]

Calling fopen.

The first three parameters of the AES function are of type int. Since we saved the registers on the stack at the start, we can simply pass fwrite their addresses on the stack.

[screenshot]

Next come three structures containing the data length and a pointer to the data, for the key, the initialization vector and the encrypted data.

[screenshot]

Finally, we close the file, restore the registers and hand control to the real AES function.

We build the application with the patched library, sign it, upload it to the device/emulator and launch it. We see that our dump is being created and a lot of data is being written to it. The browser uses encryption for more than just traffic, and all of it goes through the function in question. But for some reason the data we need is not there, and the request we want is not visible in the traffic. Rather than wait until UC Browser deigns to make that request, let's take the encrypted server response captured earlier and patch the application once more: insert the decryption into the onCreate of the main activity.

const/16 v1, 0x62
new-array v1, v1, [B
fill-array-data v1, :encrypted_data
const/16 v0, 0x1f
invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B
move-result-object v1
array-length v2, v1
invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
move-result-object v2
const-string v0, "ololo"
invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

Build, sign, install, launch. We get a NullPointerException because the method returned null.

On further analysis of the code, a function was found that builds some interesting strings: "META-INF/" and ".RSA". It looks as if the application checks its certificate. Or even derives keys from it. I really did not want to dig into what happens to the certificate, so we will simply slip it the correct one. Let's patch the encrypted string so that instead of "META-INF/" we get "BLABLINF/", create a folder with that name in the APK and put the squirrel browser's certificate there.

Build, sign, install, launch. Bingo! We have the key!

MitM

We obtained the key, and an initialization vector equal to the key. Let's try to decrypt the server response in CBC mode.

[screenshot]

We see the archive URL, something that looks like an MD5, "extract_unzipsize" and a number. We check: the MD5 of the archive matches, the size of the unpacked library matches. We try to patch this library and feed it to the browser. To show that our patched library has been loaded, we will launch an Intent that creates an SMS with the text "PWNED!". We will substitute two responses from the server: puds.ucweb.com/upgrade/index.xhtml and the archive download. In the first we replace the MD5 (the size does not change after unpacking); in the second we serve the archive with the patched library.

The browser tries to download the archive several times and then reports an error. Clearly something does not suit it. Analysis of this murky format showed that the server also transmits the size of the archive:

[screenshot]

It is encoded in LEB128. After the patch, the size of the archive with the library changed slightly, so the browser decided the archive had been downloaded incorrectly and, after several attempts, gave up with an error.
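As an added example (not the article's code), unsigned LEB128 encoding and decoding in Python, together with the size check that the text infers the browser performs; the sample archive bytes and the single-field layout are constructed for illustration, since the article does not show the surrounding format.

```python
# Added example, not from the article: unsigned LEB128 (the encoding of the archive
# size in the update response) and the declared-size vs. received-size check that
# rejected the patched archive. Sample data below is constructed.

def leb128_encode(value: int) -> bytes:
    """Encode a non-negative integer as unsigned LEB128 (7 data bits per byte)."""
    if value < 0:
        raise ValueError("unsigned LEB128 cannot encode negative values")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)   # high bit set: more bytes follow
        else:
            out.append(byte)
            return bytes(out)


def leb128_decode(data: bytes, offset: int = 0):
    """Return (value, offset_after_field); raise on a truncated field."""
    result = shift = 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated LEB128 field")
        byte = data[offset]
        offset += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, offset


def size_field_matches(size_field: bytes, archive: bytes) -> bool:
    """Declared size must decode cleanly and equal the number of bytes received."""
    declared, end = leb128_decode(size_field)
    return end == len(size_field) and declared == len(archive)


ORIGINAL = b"PK\x03\x04" + b"\x00" * 1000   # constructed stand-in for the archive
PATCHED = ORIGINAL + b"\x90" * 7             # constructed: patched library grew a little


def check_original_and_patched():
    """The size field from the real response accepts the original, rejects the patch."""
    field = leb128_encode(len(ORIGINAL))
    return size_field_matches(field, ORIGINAL), size_field_matches(field, PATCHED)
```

Re-encoding the size with leb128_encode(len(PATCHED)) is the fix the text describes; the check then passes for the patched archive as well.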

We fix the archive size... And, victory! 🙂 The result is in the video.

https://www.youtube.com/watch?v=Nfns7uH03J8

Conclusions and the vendor's reaction

In the same way, attackers could use this insecure feature of UC Browser to distribute and run malicious libraries. These libraries would run in the browser's context and so would receive all of its system permissions. The result is the ability to display phishing windows, as well as access to the working files of the orange Chinese squirrel, including the logins, passwords and cookies stored in its database.

We contacted the UC Browser developers and told them about the problem we had found, tried to point out the vulnerability and its danger, but they did not discuss anything with us. Meanwhile the browser continued to flaunt its dangerous feature in plain sight. But once we disclosed the details of the vulnerability, it was no longer possible to ignore it as before. On March 27, a new version of UC Browser, 12.10.9.1193, was released, which contacted the server over HTTPS: puds.ucweb.com/upgrade/index.xhtml.

In addition, after the "fix" and up to the time this article was written, trying to open a PDF in the browser produced an error message with the text "Oops, something went wrong!". No request to the server was made when trying to open a PDF, but a request was made when the browser started, which hints that the ability to download executable code, in violation of the Google Play rules, is still there.

Source: www.habr.com
