Introduction
At the end of March this year
Some time ago UC Browser was advertised and distributed very aggressively: it was installed on users' devices by malware, it was distributed from various sites under the guise of video files (that is, users thought they were downloading, say, a porn video, but instead got an APK with this browser), it used scary banners claiming the browser was outdated, vulnerable and so on. In the official UC Browser group on VK there is
At the same time, UC Browser has more than 500 installs on Google Play. That is impressive: only Google Chrome has more. Among the reviews you can see quite a few complaints about advertising and redirects to other apps on Google Play. That was the reason for this research: we decided to check whether UC Browser does anything bad. And it turned out that it does!
The application code was found to be able to download and run executable code, which the Google Play rules do not allow. Here is the version of UC Browser that was downloaded from Google Play at the time of the research:
package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
sha1 of the APK file: f5edb2243413c777172f6362876041eb0c3a928c
Attack vector
In the UC Browser manifest you can find a service with a self-explanatory name, com.uc.deployment.UpgradeDeployService.
<service android:exported="false" android:name="com.uc.deployment.UpgradeDeployService" android:process=":deploy" />
When this service starts, the browser sends a POST request to its upgrade URL.
Also, when the user tries to open a PDF file directly in the browser, the following requests can be seen in the traffic:
First there is a POST request,
then an archive with libraries for viewing PDF and Office formats is downloaded. It is logical to assume that the first request passes information about the system (at least the architecture, so that the right libraries are served), and in response the browser receives some information about the libraries that need to be downloaded: the address and perhaps something else. The problem is that this request is encrypted.
Request:
Response:
The libraries themselves arrive in a ZIP archive and are not encrypted.
Searching for the traffic decryption code
Let us try to decrypt the server responses. We look at the class com.uc.deployment.UpgradeDeployService: from the onStartCommand method we go to com.uc.deployment.bx, and from there to com.uc.browser.core.dcfe:
public final void e(l arg9) {
int v4_5;
String v3_1;
byte[] v3;
byte[] v1 = null;
if(arg9 == null) {
v3 = v1;
}
else {
v3_1 = arg9.iGX.ipR;
StringBuilder v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]product:");
v4.append(arg9.iGX.ipR);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]version:");
v4.append(arg9.iGX.iEn);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]upgrade_type:");
v4.append(arg9.iGX.mMode);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]force_flag:");
v4.append(arg9.iGX.iEo);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]silent_mode:");
v4.append(arg9.iGX.iDQ);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]silent_type:");
v4.append(arg9.iGX.iEr);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]silent_state:");
v4.append(arg9.iGX.iEp);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]silent_file:");
v4.append(arg9.iGX.iEq);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]apk_md5:");
v4.append(arg9.iGX.iEl);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]download_type:");
v4.append(arg9.mDownloadType);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]download_group:");
v4.append(arg9.mDownloadGroup);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]download_path:");
v4.append(arg9.iGH);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]apollo_child_version:");
v4.append(arg9.iGX.iEx);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]apollo_series:");
v4.append(arg9.iGX.iEw);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]apollo_cpu_arch:");
v4.append(arg9.iGX.iEt);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]apollo_cpu_vfp3:");
v4.append(arg9.iGX.iEv);
v4 = new StringBuilder("[");
v4.append(v3_1);
v4.append("]apollo_cpu_vfp:");
v4.append(arg9.iGX.iEu);
ArrayList v3_2 = arg9.iGX.iEz;
if(v3_2 != null && v3_2.size() != 0) {
Iterator v3_3 = v3_2.iterator();
while(v3_3.hasNext()) {
Object v4_1 = v3_3.next();
StringBuilder v5 = new StringBuilder("[");
v5.append(((au)v4_1).getName());
v5.append("]component_name:");
v5.append(((au)v4_1).getName());
v5 = new StringBuilder("[");
v5.append(((au)v4_1).getName());
v5.append("]component_ver_name:");
v5.append(((au)v4_1).aDA());
v5 = new StringBuilder("[");
v5.append(((au)v4_1).getName());
v5.append("]component_ver_code:");
v5.append(((au)v4_1).gBl);
v5 = new StringBuilder("[");
v5.append(((au)v4_1).getName());
v5.append("]component_req_type:");
v5.append(((au)v4_1).gBq);
}
}
j v3_4 = new j();
m.b(v3_4);
h v4_2 = new h();
m.b(v4_2);
ay v5_1 = new ay();
v3_4.hS("");
v3_4.setImsi("");
v3_4.hV("");
v5_1.bPQ = v3_4;
v5_1.bPP = v4_2;
v5_1.yr(arg9.iGX.ipR);
v5_1.gBF = arg9.iGX.mMode;
v5_1.gBI = arg9.iGX.iEz;
v3_2 = v5_1.gAr;
c.aBh();
v3_2.add(g.fs("os_ver", c.getRomInfo()));
v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
String v4_3 = com.uc.b.a.a.c.Pd();
v3_2.add(g.fs("cpu_vfp", v4_3));
v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
v3_2.add(g.fs("child_ver", r.aVw()));
v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));
v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature()));
v3_2.add(g.fs("upgrade_log", i.bjt()));
v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
v3_2.add(g.fs("neon", String.valueOf(v4_4)));
v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
c.aBh();
v3_2.add(g.fs("rom_1", c.getRomInfo()));
v4_5 = e.getScreenWidth();
int v6 = e.getScreenHeight();
StringBuilder v7 = new StringBuilder();
v7.append(v4_5);
v7.append("*");
v7.append(v6);
v3_2.add(g.fs("ss", v7.toString()));
v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));
Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
while(v4_6.hasNext()) {
Object v6_1 = v4_6.next();
v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
}
v3 = v5_1.toByteArray();
}
if(v3 == null) {
this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
return;
}
v4_5 = this.iGY.iGw ? 0x1F : 0;
if(v3 == null) {
}
else {
v3 = g.i(v4_5, v3);
if(v3 == null) {
}
else {
v1 = new byte[v3.length + 16];
byte[] v6_2 = new byte[16];
Arrays.fill(v6_2, 0);
v6_2[0] = 0x5F;
v6_2[1] = 0;
v6_2[2] = ((byte)v4_5);
v6_2[3] = -50;
System.arraycopy(v6_2, 0, v1, 0, 16);
System.arraycopy(v3, 0, v1, 16, v3.length);
}
}
if(v1 == null) {
this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
return;
}
if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
return;
}
StringBuilder v0 = new StringBuilder("[");
v0.append(arg9.iGX.ipR);
v0.append("]url:");
v0.append(this.iGY.mUpgradeUrl);
com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
v3_1 = this.iGY.mUpgradeUrl;
com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
n v3_5 = v0_2.uc(v3_1);
m.b(v3_5, false);
v3_5.setMethod("POST");
v3_5.setBodyProvider(v1);
v0_2.b(v3_5);
this.iGY.iGI.a(arg9, "up_null", "yes", "success");
this.iGY.iGI.b(arg9);
}
Here we see the POST request being built. Note the creation of a 16-byte array and how it is filled: 0x5F, 0, 0x1F, -50 (=0xCE). This matches what we saw in the request above.
In the same class there is a nested class with another interesting method:
public final void a(l arg10, byte[] arg11) {
f v0 = this.iGQ;
StringBuilder v1 = new StringBuilder("[");
v1.append(arg10.iGX.ipR);
v1.append("]:UpgradeSuccess");
byte[] v1_1 = null;
if(arg11 == null) {
}
else if(arg11.length < 16) {
}
else {
if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
goto label_57;
}
int v3 = 1;
int v5 = arg11[1] == 1 ? 1 : 0;
if(arg11[2] != 1 && arg11[2] != 11) {
if(arg11[2] == 0x1F) {
}
else {
v3 = 0;
}
}
byte[] v7 = new byte[arg11.length - 16];
System.arraycopy(arg11, 16, v7, 0, v7.length);
if(v3 != 0) {
v7 = g.j(arg11[2], v7);
}
if(v7 == null) {
goto label_57;
}
if(v5 != 0) {
v1_1 = g.P(v7);
goto label_57;
}
v1_1 = v7;
}
label_57:
if(v1_1 == null) {
v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
return;
}
q v11 = g.b(arg10, v1_1);
if(v11 == null) {
v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
return;
}
if(v0.iGY.iGt) {
v0.d(arg10);
}
if(v0.iGY.iGo != null) {
v0.iGY.iGo.a(0, ((o)v11));
}
if(v0.iGY.iGs) {
v0.iGY.a(((o)v11));
v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
v0.iGY.iGI.a(v11);
return;
}
v0.iGY.iGI.a(v11, "up_silent", "no", "success");
}
}
The method takes a byte array and checks that byte 0 is 0x60 or byte 3 is 0xD0, and that byte 2 is 1, 11 or 0x1F. Let us look at the server response: byte 0 is 0x60, byte 2 is 0x1F, byte 3 is 0x60. This looks like what we need. Judging by the strings ("up_decrypt", for example), the method that decrypts the server response should be called from here.
Let us move on to the method g.j. Note that the first argument is the byte at offset 2 (that is, 0x1F in our case), and the second is the server response without its first 16 bytes.
public static byte[] j(int arg1, byte[] arg2) {
    if(arg1 == 1) {
        arg2 = c.c(arg2, c.adu);
    }
    else if(arg1 == 11) {
        arg2 = m.aF(arg2);
    }
    else if(arg1 != 0x1F) {
    }
    else {
        arg2 = EncryptHelper.decrypt(arg2);
    }
    return arg2;
}
Evidently the decryption algorithm is selected here, and the byte that in our case equals 0x1F denotes one of three possible options.
We continue analysing the code. After a couple of jumps we find ourselves in a method with the telling name decryptBytesByKey.
Here two more bytes are split off from our response, and a string is derived from them. Evidently this is how the key for decrypting the message is chosen.
private static byte[] decryptBytesByKey(byte[] bytes) {
    byte[] v0 = null;
    if(bytes != null) {
        try {
            if(bytes.length < EncryptHelper.PREFIX_BYTES_SIZE) {
            }
            else if(bytes.length == EncryptHelper.PREFIX_BYTES_SIZE) {
                return v0;
            }
            else {
                byte[] prefix = new byte[EncryptHelper.PREFIX_BYTES_SIZE]; // 2 bytes
                System.arraycopy(bytes, 0, prefix, 0, prefix.length);
                String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort()); // key selection
                if(keyId == null) {
                    return v0;
                }
                else {
                    a v2 = EncryptHelper.ayL();
                    if(v2 == null) {
                        return v0;
                    }
                    else {
                        byte[] enrypted = new byte[bytes.length - EncryptHelper.PREFIX_BYTES_SIZE];
                        System.arraycopy(bytes, EncryptHelper.PREFIX_BYTES_SIZE, enrypted, 0, enrypted.length);
                        return v2.l(keyId, enrypted);
                    }
                }
            }
        }
        catch(SecException v7_1) {
            EncryptHelper.handleDecryptException(((Throwable)v7_1), v7_1.getErrorCode());
            return v0;
        }
        catch(Throwable v7) {
            EncryptHelper.handleDecryptException(v7, 2);
            return v0;
        }
    }
    return v0;
}
Looking ahead, note that at this stage it is not the key that is obtained, but its "identifier". Obtaining the key is a bit more complicated.
In the next method two more parameters are added to the existing ones, making four: the magic number 16, the key identifier, the encrypted data and an unclear string (empty in our case).
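The request header written in e(), the acceptance checks in a(l, byte[]) and the 2-byte key-id prefix that decryptBytesByKey strips, as an added Python example that is not part of the original write-up; build_request, parse_response and split_key_id are my names, and the sample frame used in the test is constructed.

```python
import struct

# Frame layout reconstructed from the decompiled request builder e() and the
# response handler a(l, byte[]); the constants are the page's, the names mine.
HEADER_LEN = 16
REQ_MAGIC0, REQ_MAGIC3 = 0x5F, 0xCE        # Java writes 0x5F and -50
RESP_MAGIC0, RESP_MAGIC3 = 0x60, 0xD0      # Java compares with 0x60 and 0xFFFFFFD0
MODE_A, MODE_B, MODE_KEYED = 1, 11, 0x1F   # the three modes g.j() knows
KEY_ID_PREFIX = 2                          # EncryptHelper.PREFIX_BYTES_SIZE


def build_request(body, keyed=True):
    """Prepend the 16-byte header the client builds right before the POST."""
    mode = MODE_KEYED if keyed else 0      # v4_5 = iGw ? 0x1F : 0
    header = bytearray(HEADER_LEN)         # Arrays.fill(v6_2, 0)
    header[0] = REQ_MAGIC0
    header[1] = 0
    header[2] = mode
    header[3] = REQ_MAGIC3
    return bytes(header) + body


def parse_response(frame):
    """Apply the same acceptance test as a(l, byte[]).

    Returns (mode, decrypt_needed, compressed, payload), or None where the
    client would log an "up_decrypt" failure.  Two details worth noticing:
    the magic test is an OR (byte 0 == 0x60 *or* byte 3 == 0xD0 passes), and
    an unknown mode byte is not rejected, it merely skips g.j() so the
    payload is handed on undecrypted.
    """
    if frame is None or len(frame) < HEADER_LEN:
        return None
    if frame[0] != RESP_MAGIC0 and frame[3] != RESP_MAGIC3:
        return None
    compressed = frame[1] == 1             # v5: g.P() is applied afterwards
    mode = frame[2]
    decrypt_needed = mode in (MODE_A, MODE_B, MODE_KEYED)
    return mode, decrypt_needed, compressed, bytes(frame[HEADER_LEN:])


def split_key_id(payload):
    """The 0x1F path (decryptBytesByKey): peel off the 2-byte key-id prefix.

    ByteBuffer.getShort() is big-endian and signed, so ">h" reproduces the
    exact value that is later looked up to choose the key.  Returns
    (key_id, ciphertext), or None when nothing follows the prefix (the
    decompiled code returns null for length <= PREFIX_BYTES_SIZE).
    """
    if payload is None or len(payload) <= KEY_ID_PREFIX:
        return None
    (key_id,) = struct.unpack(">h", payload[:KEY_ID_PREFIX])
    return key_id, bytes(payload[KEY_ID_PREFIX:])
```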
public final byte[] l(String keyId, byte[] encrypted) throws SecException {
    return this.ayJ().staticBinarySafeDecryptNoB64(16, keyId, encrypted, "");
}
After a series of transitions we arrive at the method staticBinarySafeDecryptNoB64 of the interface com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponent. There are no classes in the main application code that implement this interface. Such a class exists in the file lib/armeabi-v7a/libsgmain.so, which is actually not a .so but a .jar. The method we are interested in is implemented there as follows:
package com.alibaba.wireless.security.a.i;
// ...
public class a implements IStaticDataEncryptComponent {
    private ISecurityGuardPlugin a;
    // ...
    private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
        return this.a.getRouter().doCommand(10601, new Object[]{Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt), keyId, encrypted, magicString});
    }
    // ...
    private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
        return this.a(2, magicInt, 0, keyId, encrypted, magicString);
    }
    // ...
    public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
        if(keyId != null && keyId.length() > 0 && magicInt >= 0 && magicInt < 19 && encrypted != null && encrypted.length > 0) {
            return this.b(magicInt, keyId, encrypted, magicString);
        }
        throw new SecException("", 301);
    }
    //...
}
Here two more numbers are added to our parameter list: 2 and 0. By all appearances, 2 means decryption, as in the doFinal method of the system class javax.crypto.Cipher. And all of this is passed to some Router with the number 10601, which appears to be a command number.
After the next chain of transitions we find the class that implements the IRouterComponent interface and its doCommand method:
package com.alibaba.wireless.security.mainplugin;
import com.alibaba.wireless.security.framework.IRouterComponent;
import com.taobao.wireless.security.adapter.JNICLibrary;
public class a implements IRouterComponent {
    public a() {
        super();
    }
    public Object doCommand(int arg2, Object[] arg3) {
        return JNICLibrary.doCommandNative(arg2, arg3);
    }
}
And also the JNICLibrary class, in which the native method doCommandNative is declared:
package com.taobao.wireless.security.adapter;
public class JNICLibrary {
    public static native Object doCommandNative(int arg0, Object[] arg1);
}
So we need to find the doCommandNative method in the native code. This is where the fun begins.
Machine code obfuscation
The file libsgmain.so (which is actually a jar, and in which we found above the implementation of some encryption-related interfaces) contains one native library: libsgmainso-6.4.36.so. We open it in IDA and get a pile of error dialogs. The problem is that the section header table is invalid. This is done on purpose to hinder analysis.
But we do not need it: to load an ELF file correctly and analyse it, the program header table is enough. So we simply delete the section table by zeroing the corresponding fields in the header.
Open the file in IDA again.
There are two ways to tell the Java virtual machine where exactly in a native library the implementation of a method declared as native in Java code is located. The first is to give it a name of the form Java_package_name_ClassName_MethodName.
The second is to register it when the library is loaded (in the JNI_OnLoad function) by calling the RegisterNatives function.
In our case, with the first method, the name would have to be Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative.
There is no such function among the exported ones, which means we need to look for a call to RegisterNatives.
We go to the JNI_OnLoad function and see this picture:
What is happening here? At first glance, the beginning and the end of the function are typical for the ARM architecture. The first instruction pushes onto the stack the contents of the registers the function will use in its work (in this case R0, R1 and R2), as well as the contents of the LR register, which holds the return address of the function. The last instruction restores the saved registers, and the return address goes straight into the PC register, which is how the return from the function happens. But if you look closely, you can see that the penultimate instruction changes the return address saved on the stack. Let us calculate what it will be after the code executes. The address 0xB130 is loaded into R1, 5 is subtracted from it, then it is moved to R0 and 0x10 is added. The result is 0xB13B. Thus IDA thinks the last instruction performs a normal return from the function, whereas in fact control jumps to the computed address 0xB13B.
It is worth recalling here that ARM processors have two modes and two instruction sets: ARM and Thumb. The least significant bit of the address tells the processor which instruction set is used. That is, the address is actually 0xB13A, and the one in the least significant bit indicates Thumb mode.
A similar "adapter" is added at the beginning of every function in this library, plus some junk code. We will not dwell on them further; just remember that the real beginning of almost every function is a bit further on.
Since the code has no explicit jump to 0xB13A, IDA itself did not realise that there is code at that location. For the same reason it did not recognise most of the code in the library as code, which somewhat complicates analysis. We tell IDA that this is code, and here is what happens:
The table clearly starts at 0xB144. And what is in sub_494C?
When this function is called, the LR register holds the address of the table that immediately follows the call (0xB144). R0 holds the index into this table. That is, a value is taken from the table, added to LR, and the result is the address to jump to. Let us try to compute it: 0xB144 + [0xB144 + 8 * 4] = 0xB144 + 0x120 = 0xB264. We go to the resulting address and see literally a couple of instructions, and again a jump to 0xB140:
Now there will be a jump through the table with index 0x20.
Judging by the size of the table, there will be many such jumps in the code. The question arises whether this can be handled in a more automated way, without computing the addresses by hand. Scripts and the ability to patch code in IDA come to our aid:
def put_unconditional_branch(source, destination):
    offset = (destination - source - 4) >> 1
    if offset > 2097151 or offset < -2097152:
        raise RuntimeError("Invalid offset")
    if offset > 1023 or offset < -1024:
        instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
        instruction2 = 0xb800 | (offset & 0x7ff)
        patch_word(source, instruction1)
        patch_word(source + 2, instruction2)
    else:
        instruction = 0xe000 | (offset & 0x7ff)
        patch_word(source, instruction)

ea = here()
if get_wide_word(ea) == 0xb503: #PUSH {R0,R1,LR}
    ea1 = ea + 2
    if get_wide_word(ea1) == 0xbf00: #NOP
        ea1 += 2
    if get_operand_type(ea1, 0) == 1 and get_operand_value(ea1, 0) == 0 and get_operand_type(ea1, 1) == 2:
        index = get_wide_dword(get_operand_value(ea1, 1))
        print "index =", hex(index)
        ea1 += 2
        if get_operand_type(ea1, 0) == 7:
            table = get_operand_value(ea1, 0) + 4
        elif get_operand_type(ea1, 1) == 2:
            table = get_operand_value(ea1, 1) + 4
        else:
            print "Wrong operand type on", hex(ea1), "-", get_operand_type(ea1, 0), get_operand_type(ea1, 1)
            table = None
        if table is None:
            print "Unable to find table"
        else:
            print "table =", hex(table)
            offset = get_wide_dword(table + (index << 2))
            put_unconditional_branch(ea, table + offset)
    else:
        print "Unknown code", get_operand_type(ea1, 0), get_operand_value(ea1, 0), get_operand_type(ea1, 1) == 2
else:
    print "Unable to detect first instruction"
ืืงื ืืช ืืกืื ืืฉืืจื 0xB26A, ืืคืขื ืืช ืืกืงืจืืคื ืืจืื ืืช ืืืขืืจ ื-0xB4B0:
IDA ืฉืื ืื ืืืื ืืืืจ ืื ืืงืื. ืื ืื ื ืขืืืจืื ืื ืืจืืืื ืฉื ืขืืฆืื ื ืืกืฃ:
ื ืจืื ืฉืืืืจืืืช ืืืจื BLX ืื ืืืฉ ืืืืื ืืืช, ืื ืืืชืจ ืืื ืกืื ืฉื ืชืืืื. ืืืื ื ืกืชืื ืขื sub_4964:
ืืืื ื, ืืื ืืืงืืื ืืืืจื ืืืชืืืช ืืืื ืืช ื-LR, ืืชืืืกืคืช ืืืชืืืช ืื, ืืืืืจ ืืื ืืืงืืื ืืช ืืขืจื ืืืชืืืช ืืืชืงืืืช ืืืขืืื ืืืชื ืขื ืืขืจืืื. ืืื ืื, 4 ืืชืืืกืฃ ื-LR ืื ืฉืืืจื ืืืืจื ืืืคืื ืงืฆืื, ืืืชื ืืืกื ืืืื. ืืืืจ ืืื ืืคืงืืื POP {R1} ืืืงืืช ืืช ืืขืจื ืืืชืงืื ืืืืืกื ืืช. ืื ืชืกืชืื ืขื ืื ืฉื ืืฆื ืืืชืืืช 0xB4BA + 0xEA = 0xB5A4, ืชืจืื ืืฉืื ืืืื ืืืืืช ืืชืืืืช:
ืืื ืืชืงื ืืช ืืขืืฆืื ืืื, ืชืฆืืจื ืืงืื ืฉื ื ืคืจืืืจืื ืืืงืื: ืืืืกื ืืืกืคืจ ืืืืืจ ืฉืื ืืชื ืจืืฆื ืืฉืื ืืช ืืชืืฆืื. ืขืืืจ ืื ืจืืฉืื ืืคืฉืจื, ืชืฆืืจืื ืืืืื ืคืืกืช ืงืื ืืจืืฉ.
patches = {}
patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

ea = here()
if (get_wide_word(ea) == 0xb082 #SUB SP, SP, #8
    and get_wide_word(ea + 2) == 0xb503): #PUSH {R0,R1,LR}
    if get_operand_type(ea + 4, 0) == 7:
        pop = get_bytes(ea + 12, 4, 0)
        if pop[1] == '\xbc': #16-bit POP {Rn}: low byte is the register mask
            register = -1
            r = get_wide_byte(ea + 12)
            for i in range(8):
                if r == (1 << i):
                    register = i
                    break
            if register == -1:
                print "Unable to detect register"
            else:
                address = get_wide_dword(ea + 8) + ea + 8
                for b in patches[register]:
                    patch_byte(ea, b)
                    ea += 1
                if ea % 4 != 0:
                    ea += 2
                patch_dword(ea, address)
        elif pop[:3] == '\x5d\xf8\x04': #LDR.W Rt, [SP], #4: Rt is the high nibble of byte 3
            register = ord(pop[3]) >> 4
            if register in patches:
                address = get_wide_dword(ea + 8) + ea + 8
                for b in patches[register]:
                    patch_byte(ea, b)
                    ea += 1
                patch_dword(ea, address)
        else:
            print "POP instruction not found"
    else:
        print "Wrong operand type on +4:", get_operand_type(ea + 4, 0)
else:
    print "Unable to detect first instructions"
We put the cursor at the start of the construct we want to replace (0xB4B2) and run the script:
Apart from the constructs already mentioned, the code also contains this one:
As in the previous case, after the BLX instruction there is an offset:
We take the offset at the address in LR, add it to LR and jump there. 0x72044 + 0xC = 0x72050. The script for this construct is quite simple:
def put_unconditional_branch(source, destination):
    offset = (destination - source - 4) >> 1
    if offset > 2097151 or offset < -2097152:
        raise RuntimeError("Invalid offset")
    if offset > 1023 or offset < -1024:
        instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
        instruction2 = 0xb800 | (offset & 0x7ff)
        patch_word(source, instruction1)
        patch_word(source + 2, instruction2)
    else:
        instruction = 0xe000 | (offset & 0x7ff)
        patch_word(source, instruction)

ea = here()
if get_wide_word(ea) == 0xb503: #PUSH {R0,R1,LR}
    ea1 = ea + 6
    if get_wide_word(ea + 2) == 0xbf00: #NOP
        ea1 += 2
    offset = get_wide_dword(ea1)
    put_unconditional_branch(ea, (ea1 + offset) & 0xffffffff)
else:
    print "Unable to detect first instruction"
The result of running the script:
Once everything in the function has been patched, you can point IDA at its real beginning. It will assemble the whole function piece by piece, and the function can then be decompiled with HexRays.
Decrypting strings
We have learned to deal with the machine code obfuscation in the library libsgmainso-6.4.36.so from UC Browser and obtained the code of the JNI_OnLoad function.
int __fastcall real_JNI_OnLoad(JavaVM *vm)
{
  int result; // r0
  jclass clazz; // r0 MAPDST
  int v4; // r0
  JNIEnv *env; // r4
  int v6; // [sp-40h] [bp-5Ch]
  int v7; // [sp+Ch] [bp-10h]

  v7 = *(_DWORD *)off_8AC00;
  if ( !vm )
    goto LABEL_39;
  sub_7C4F4();
  env = (JNIEnv *)sub_7C5B0(0);
  if ( !env )
    goto LABEL_39;
  v4 = sub_72CCC();
  sub_73634(v4);
  sub_73E24(&unk_83EA6, &v6, 49);
  clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
  if ( clazz
    && (sub_9EE4(),
        sub_71D68(env),
        sub_E7DC(env) >= 0
     && sub_69D68(env) >= 0
     && sub_197B4(env, clazz) >= 0
     && sub_E240(env, clazz) >= 0
     && sub_B8B0(env, clazz) >= 0
     && sub_5F0F4(env, clazz) >= 0
     && sub_70640(env, clazz) >= 0
     && sub_11F3C(env) >= 0
     && sub_21C3C(env, clazz) >= 0
     && sub_2148C(env, clazz) >= 0
     && sub_210E0(env, clazz) >= 0
     && sub_41B58(env, clazz) >= 0
     && sub_27920(env, clazz) >= 0
     && sub_293E8(env, clazz) >= 0
     && sub_208F4(env, clazz) >= 0) )
  {
    result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
  }
  else
  {
LABEL_39:
    result = -1;
  }
  return result;
}
Let us look more closely at the following lines:
sub_73E24(&unk_83EA6, &v6, 49);
clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
The function sub_73E24 clearly decrypts the class name. Its parameters are a pointer to data that looks encrypted, some buffer, and a number. Evidently, after the call the buffer will contain the decrypted string, since it is passed to the FindClass function, which takes the class name as its second parameter. So the number is the buffer size or the string length. Let us try to decrypt the class name; it should tell us whether we are moving in the right direction. Let us look more closely at what happens in sub_73E24.
int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
{
int v4; // r6
int v7; // r11
int v8; // r9
int v9; // r4
size_t v10; // r5
int v11; // r0
struc_1 v13; // [sp+0h] [bp-30h]
int v14; // [sp+1Ch] [bp-14h]
int v15; // [sp+20h] [bp-10h]
v4 = 0;
v15 = *(_DWORD *)off_8AC00;
v14 = 0;
v7 = sub_7AF78(17);
v8 = sub_7AF78(size);
if ( !v7 )
{
v9 = 0;
goto LABEL_12;
}
(*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
if ( !v8 )
{
LABEL_9:
v4 = 0;
goto LABEL_10;
}
v4 = 0;
if ( !in )
{
LABEL_10:
v9 = 0;
goto LABEL_11;
}
v9 = 0;
if ( out )
{
memset(out, 0, size);
v10 = size - 1;
(*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
memset(&v13, 0, 0x14u);
v13.field_4 = 3;
v13.field_10 = v7;
v13.field_14 = v8;
v11 = sub_6115C(&v13, &v14);
v9 = v11;
if ( v11 )
{
if ( *(_DWORD *)(v11 + 4) == v10 )
{
qmemcpy(out, *(const void **)v11, v10);
v4 = *(_DWORD *)(v9 + 4);
}
else
{
v4 = 0;
}
goto LABEL_11;
}
goto LABEL_9;
}
LABEL_11:
sub_7B148(v7);
LABEL_12:
if ( v8 )
sub_7B148(v8);
if ( v9 )
sub_7B148(v9);
return v4;
}
The function sub_7AF78 creates an instance of a container for a byte array of the given size (we will not dwell on it in detail). Two such containers are created here: one holds the string "DcO/lcK+h?m3c*q@" (it is easy to guess that this is the key), the other holds the encrypted data. Then both objects are placed in some structure that is passed to the function sub_6115C. Also note the field of this structure with the value 3. Let us see what happens to this structure next.
int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
{
int v3; // lr
unsigned int v4; // r1
int v5; // r0
int v6; // r1
int result; // r0
int v8; // r0
*a2 = 820000;
if ( a1 )
{
v3 = a1->field_14;
if ( v3 )
{
v4 = a1->field_4;
if ( v4 < 0x19 )
{
switch ( v4 )
{
case 0u:
v8 = sub_6419C(a1->field_0, a1->field_10, v3);
goto LABEL_17;
case 3u:
v8 = sub_6364C(a1->field_0, a1->field_10, v3);
goto LABEL_17;
case 0x10u:
case 0x11u:
case 0x12u:
v8 = sub_612F4(
a1->field_0,
v4,
*(_QWORD *)&a1->field_8,
*(_QWORD *)&a1->field_8 >> 32,
a1->field_10,
v3,
a2);
goto LABEL_17;
case 0x14u:
v8 = sub_63A28(a1->field_0, v3);
goto LABEL_17;
case 0x15u:
sub_61A60(a1->field_0, v3, a2);
return result;
case 0x16u:
v8 = sub_62440(a1->field_14);
goto LABEL_17;
case 0x17u:
v8 = sub_6226C(a1->field_10, v3);
goto LABEL_17;
case 0x18u:
v8 = sub_63530(a1->field_14);
LABEL_17:
v6 = 0;
if ( v8 )
{
*a2 = 0;
v6 = v8;
}
return v6;
default:
LOWORD(v5) = 28032;
goto LABEL_5;
}
}
}
}
LOWORD(v5) = -27504;
LABEL_5:
HIWORD(v5) = 13;
v6 = 0;
*a2 = v5;
return v6;
}
The switch parameter is the structure field that was previously assigned the value 3. Look at case 3: the function sub_6364C receives parameters from the structure, the ones assigned in the previous function, that is, the key and the encrypted data. If you look closely at sub_6364C, you can recognise the RC4 algorithm in it.
We have the algorithm and the key. Let us try to decrypt the class name. Here is what came out: com/taobao/wireless/security/adapter/JNICLibrary. Excellent! We are on the right track.
Command tree
Now we need to find the RegisterNatives call, which will point us to the doCommandNative function. We look at the functions called from JNI_OnLoad and find it in sub_B7B0:
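RC4 under the key found in sub_73E56, as an added Python example that is not from the original article: decrypt_string mirrors the size-1 / NUL-terminated behaviour of sub_73E56, and since the encrypted blobs (unk_83EA6 and the others) are not reproduced on this page, encrypt_string constructs them from the plaintexts the article recovers; the string lengths line up with the sizes 49, 0x10 and 0x29 passed in the decompiled code.

```python
STRING_KEY = b"DcO/lcK+h?m3c*q@"   # the 16-byte key loaded in sub_73E56


def rc4(key, data):
    """Plain RC4 (KSA followed by PRGA); sub_6364C was identified as this."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string(blob, size):
    """Model of sub_73E56(in, out, size).

    The native code zeroes `size` bytes of output, decrypts size-1 bytes
    (v10 = size - 1) and only copies the result if its length equals v10,
    so the buffer is always NUL-terminated.  Returns the recovered C string
    without the NUL, or None where the native function would return 0.
    """
    if blob is None or size <= 0:
        return None
    n = size - 1
    plain = rc4(STRING_KEY, blob[:n])
    if len(plain) != n:                        # blob shorter than expected
        return None
    out = bytearray(size)                      # memset(out, 0, size)
    out[:n] = plain
    return bytes(out).split(b"\0", 1)[0].decode("ascii")


def encrypt_string(text):
    """Constructed helper: build a blob shaped like unk_83EA6 from a plaintext
    (RC4 is symmetric, so the same routine serves both directions)."""
    return rc4(STRING_KEY, text.encode("ascii"))
```

The test also checks the implementation against the public RC4 vector (key "Key", plaintext "Plaintext"), so a wrong KSA would show up there rather than in the round trip.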
int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
{
  char signature[41]; // [sp+7h] [bp-55h]
  char name[16]; // [sp+30h] [bp-2Ch]
  JNINativeMethod method; // [sp+40h] [bp-1Ch]
  int v8; // [sp+4Ch] [bp-10h]

  v8 = *(_DWORD *)off_8AC00;
  decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);// doCommandNative
  decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u);// (I[Ljava/lang/Object;)Ljava/lang/Object;
  method.name = name;
  method.signature = signature;
  method.fnPtr = sub_B69C;
  return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
}
Indeed, a native method named doCommandNative is registered here. Now we know its address. Let us see what it does.
int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
{
  int v5; // r5
  struc_2 *a5; // r6
  int v9; // r1
  int v11; // [sp+Ch] [bp-14h]
  int v12; // [sp+10h] [bp-10h]

  v5 = 0;
  v12 = *(_DWORD *)off_8AC00;
  v11 = 0;
  a5 = (struc_2 *)malloc(0x14u);
  if ( a5 )
  {
    a5->field_0 = 0;
    a5->field_4 = 0;
    a5->field_8 = 0;
    a5->field_C = 0;
    v9 = command % 10000 / 100;
    a5->field_0 = command / 10000;
    a5->field_4 = v9;
    a5->field_8 = command % 100;
    a5->field_C = env;
    a5->field_10 = args;
    v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);
  }
  free(a5);
  if ( !v5 && v11 )
    sub_7CF34(env, v11, &byte_83ED7);
  return v5;
}
From the name one can guess that this is the entry point of all the functions the developers moved into the native library. We are interested in function number 10601.
From the code you can see that the command number yields three numbers: command / 10000, command % 10000 / 100 and command % 100, that is, 1, 6 and 1 in our case. These three numbers, together with the JNIEnv pointer and the arguments passed to the function, are put into a structure and passed on. Using the three numbers obtained (let us call them N1, N2 and N3), a command tree is built.
Something like this:
The tree is filled dynamically in JNI_OnLoad.
The three numbers encode a path in the tree. Each leaf of the tree holds the "scrambled" address of the corresponding function. The key is in the parent node. Finding the place in the code where the function we need is added to the tree is not hard once you understand all the structures involved (we will not describe them, so as not to inflate an already large article).
More obfuscation
We get the address of the function that should decrypt the traffic: 0x5F1AC. But it is too early to celebrate: the UC Browser developers have prepared another surprise for us.
ืืืืจ ืงืืืช ืืคืจืืืจืื ืืืืขืจื ืฉื ืืฆืจ ืืงืื ื-Java, ืื ื ืืงืืืื
ืืคืื ืงืฆืื ืืืชืืืช 0x4D070. ืืื ื ืขืื ืกืื ืฉื ืขืจืคืื ืงืื ืืืื ืื ื.
ืฉืื ื ืฉื ื ืืืืื ื-R7 ื-R4:
ืื ื ืืขืืืจืื ืืช ืืืื ืืจืืฉืื ื-R11:
ืืื ืืงืื ืืชืืืช ืืืืื, ืืฉืชืืฉ ืืืื ืืงืก:
ืืืืจ ืืขืืจ ืืืชืืืช ืืจืืฉืื ื, ื ืขืฉื ืฉืืืืฉ ืืืื ืืงืก ืืฉื ื, ืฉืืื ื-R4. ืืฉ 230 ืืืื ืืื ืืืืื.
ืื ืืขืฉืืช ืื ืืืื? ืืชื ืืืื ืืืืื ื-IDA ืฉืืื ืืชื: ืขืจืื -> ืืืจ -> ืฆืืื ืืฉืื ืืชื.
ืืงืื ืฉื ืืฆืจ ืืคืืื. ืืื ืืฉืืชื ืขืืฉื ืืช ืืจืื ืื'ืื ืื ืฉืื, ืืชื ืืืื ืืืืืื ืืงืจืืื ืืคืื ืงืฆืื ืฉืืืจ ืืืืจืช ืื ื sub_6115C:
ืืื ืืชื ืฉืื ืืืงืจื 3 ืืื ืคืขื ืื ืืืืฆืขืืช ืืืืืจืืชื RC4. ืืืืงืจื ืื, ืืืื ื ืืืืขืืจ ืืคืื ืงืฆืื ืืชืืื ืืืคืจืืืจืื ืฉืืืขืืจื ืืืื doCommandNative. ืืืื ื ืืืืจ ืื ืืื ืื ื ืฉื magicInt ืขื ืืขืจื 16. ืื ื ืืกืชืืืื ืขื ืืืงืจื ืืืชืืื - ืืืืืจ ืืกืคืจ ืืขืืจืื ืื ื ืืืฆืืื ืืช ืืงืื ืฉืืืืฆืขืืชื ื ืืชื ืืืืืช ืืช ืืืืืืจืืชื.
ืื AES!
ืืืืืืจืืชื ืงืืื, ืื ืฉื ืืชืจ ืืื ืืืฉืื ืืช ืืคืจืืืจืื ืฉืื: ืืฆื, ืืคืชื ืืืืื ืื ืืงืืืจ ืืืชืืื (ื ืืืืืชื ืชืืืื ืืืฆื ืืคืขืืื ืฉื ืืืืืจืืชื AES). ืืืื ื ืืืชื ืืืื ืืืืืืฆืจ ืืืคืฉืื ืืคื ื ืงืจืืืช ืืคืื ืงืฆืื sub_6115C, ืืื ืืืืง ืืื ืฉื ืืงืื ืืขืืจืคื ืืืื, ืืืื ืขืืื ืืจืขืืื ืืชืงื ืืช ืืงืื ืื ืฉืื ืืคืจืืืจืื ืฉื ืคืื ืงืฆืืืช ืืคืขื ืื ืืืืจืงื ืืงืืืฅ.
ืชืืงืื
ืืื ืื ืืืชืื ืืช ืื ืงืื ืืชืืงืื ืืฉืคืช assembly ืืืืคื ืืื ื, ืืคืฉืจ ืืืคืขืื ืืช Android Studio, ืืืชืื ืฉื ืคืื ืงืฆืื ืฉืืงืืืช ืืช ืืืชื ืคืจืืืจื ืงืื ืืื ืคืื ืงืฆืืืช ืืคืขื ืื ืฉืื ื ืืืืชืืช ืืงืืืฅ, ืืื ืืืขืชืืง ืืืืืืืง ืืช ืืงืื ืฉืืงืืืคืืืืจ ืืขืฉื. ืึดืืฆืึนืจ.
Our friends from the UC Browser team made adding code convenient. Recall that at the start of each function there is code that can be replaced with a jump to any other code. Very convenient 😉 However, at the start of the target function there is not enough room for the code that saves all the parameters to a file. I had to split it into pieces and use the padding blocks of the neighbouring functions. There were four parts in all.
Part one:
In the ARM architecture, the first four parameters of a function are passed in registers R0-R3; the rest, if any, are passed on the stack. The LR register carries the return address. All of this must be preserved so that the function can keep working after we dump its parameters. We also need to save every register we will use along the way, so we do PUSH.W {R0-R10,LR}. In R7 we obtain the address of the list of parameters passed to the function on the stack.
Using the fopen function we open the file /data/local/tmp/aes in "ab" mode,
that is, for appending. In R0 we load the address of the file name, in R1 the address of the string specifying the mode. Here the padding code ends, so we move on to the next function. So that it keeps working, at its start we place a jump to the function's real code, bypassing the padding, and in place of the padding we add the continuation of the patch.
Call fopen.
The first three parameters of the AES function are of type int. Since we saved the registers to the stack at the beginning, we can simply pass the function their addresses on the stack.
Next come three blocks that write out the data length and a pointer to the data for the key, the initialization vector and the encrypted data.
Finally, we close the file, restore the registers and pass control to the real AES function.
We assemble an APK with the patched library, sign it, upload it to the device/emulator and launch it. We see that our dump is created, but there is no data in it. The browser uses encryption not only for traffic; it also decrypts strings through this function. But there is no data in the dump at all, and the requested traffic is not visible. Rather than wait for UC Browser to make the required request, we take the encrypted server response obtained earlier and patch the application again: we add the decryption to the onCreate of the main activity.
const/16 v1, 0x62                      # 0x62 = 98 bytes of encrypted data
new-array v1, v1, [B
fill-array-data v1, :encrypted_data    # bytes of the captured server response (table not shown)
const/16 v0, 0x1f                      # first (int) argument of the browser's decryption wrapper
invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B   # call the app's own decrypt routine
move-result-object v1
array-length v2, v1                    # length of the decrypted result
invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
move-result-object v2
const-string v0, "ololo"
invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I   # write the length to logcat
We assemble, sign, install, launch. We get a NullPointerException because the method returned null.
Further analysis of the code turned up a function that decrypts interesting strings: "META-INF/" and ".RSA". It seems the application verifies its own certificate. It even derives keys from it. I don't really want to dig into what happens to the certificate, so we'll simply slip it the correct certificate. We patch the encrypted string so that instead of "META-INF/" we get "BLABLINF/", create a folder with that name in the APK and add the squirrel browser's certificate to it.
We assemble, sign, install, launch. Bingo! We have the key!
MitM
We obtained the key and an initialization vector equal to the key. Let's try to decrypt the server's response in CBC mode.
We see the archive URL, something resembling an MD5, "extract_unzipsize" and a number. We check: the MD5 of the archive matches, and the size of the unpacked library matches. We try to patch the library and slip it to the browser. To show that our patched library has loaded, we launch an Intent to create an SMS with the text "PWNED!" We substitute two responses from the server:
The browser tries to download the archive several times, after which it reports an error. Apparently something is wrong. While parsing this murky format, it turned out that the server also passes the size of the archive:
It is encoded in LEB128. After the patch, the size of the archive containing the library changed slightly, so the browser decided the archive had been downloaded incorrectly and, after several attempts, raised an error.
We adjust the archive size... and we win! 🙂 The result is in the video.
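To make the failure above concrete, here is an added example (not code from the original article or from UC Browser) of an unsigned LEB128 encoder/decoder and the kind of length check the browser appears to apply: an archive whose size no longer matches the LEB128 field in the response is rejected, while a response with a corrected field is accepted. The response layout and sample sizes are constructed for illustration; the real format is only partially described in the article.

```python
# Added example, not the article's or the browser's own code.
# Unsigned LEB128: 7 payload bits per byte, least significant group first,
# high bit set on every byte except the last.

def leb128_encode(value: int) -> bytes:
    """Encode a non-negative integer as unsigned LEB128."""
    if value < 0:
        raise ValueError("unsigned LEB128 cannot encode negative values")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)   # continuation bit: more bytes follow
        else:
            out.append(byte)          # final byte: continuation bit clear
            return bytes(out)


def leb128_decode(data: bytes, offset: int = 0) -> tuple[int, int]:
    """Decode an unsigned LEB128 value at offset; return (value, next_offset)."""
    result, shift = 0, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated LEB128 value")
        byte = data[offset]
        offset += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, offset


def archive_size_matches(size_field: bytes, archive: bytes) -> bool:
    """Mimic the client-side check described in the article: the downloaded
    archive must be exactly as long as the LEB128-encoded length claims.
    Note this is an integrity check against the response, not a proof of
    authenticity: whoever controls the response also controls the field."""
    expected, _ = leb128_decode(size_field)
    return expected == len(archive)


# Constructed sample data: a 300,000-byte "archive" and a patched copy that
# grew by 17 bytes, as a patched library might.
ORIGINAL_ARCHIVE = b"\x00" * 300_000
PATCHED_ARCHIVE = ORIGINAL_ARCHIVE + b"\x01" * 17
SIZE_FIELD = leb128_encode(len(ORIGINAL_ARCHIVE))   # b'\xe0\xa7\x12'
```

Run `archive_size_matches(SIZE_FIELD, PATCHED_ARCHIVE)` to reproduce the rejection, and re-encode `len(PATCHED_ARCHIVE)` to see the check pass again once the field is updated.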
Consequences and the developers' response
In the same way, an attacker could use the insecure update feature of UC Browser to distribute and run malicious libraries. These libraries would run in the browser's context, so they would receive all of its system permissions. As a result, the attacker could display phishing windows and gain access to the orange squirrel's working files, including the logins, passwords and cookies stored in its database.
We contacted the UC Browser developers and informed them of the problem we had found, and tried to point out the vulnerability and its danger, but they did not discuss anything with us. Meanwhile, the browser continued to flaunt its dangerous feature in plain sight. But once we disclosed the details of the vulnerability, it was no longer possible to ignore it as before. On March 27 a new version, UC Browser 12.10.9.1193, was released, which contacts the server over HTTPS:
In addition, after the "fix" and up to the time of writing this article, attempting to open a PDF file in the browser led to an error message with the text "Oops, something went wrong!" No request to the server was made when trying to open a PDF, but a request was made when the browser started, which hints that the ability to download executable code bypassing Google Play remains.
Source: www.habr.com