ααα ααααΈααααΆα
αα
α
α»αααααΈααΆααΎα
αα½αααααα»α UC Browser ααααΌαααΆαααααααααααΆα αα·αα
ααα
αΆααααΆααααααΎαα ααΆααααΌαααΆαααα‘αΎααα
ααΎα§αααααααααα’αααααααΎααααΆαααααααααΎααααΆααααααα α
ααα
αΆαααΈααα ααααααααααααααααααΆαααααααααααα―αααΆαααΈααα’αΌ (α§ααΆα ααα α’αααααααΎααααΆαααα·αααΆαα½ααααααα»αααΆααα ααΆα§ααΆα ααα ααΈααα’αΌα’αΆαα’αΆααΆα ααα»αααα αααα½αα±ααααΆαααα½αααΆα APK ααΆαα½ααααααα·ααΈαα»αααααΆαα’ααΈαααΊαα·αααα) ααΆαααααΎαααΆαααα½αα±ααααααΆα
αααααΆαααΆαααααααααα·ααΈαα»αααααΆαα’ααΈαααΊαα·αα α½ααααα ααΆαααααααα αα·αα’αααΈαααΌα
αααα αα
αααα»ααααα»ααααααα·ααΈαα»ααα UC ααααΌαααΆααα
ααΎ VK ααΆα
αα
αααααααα UC Browser ααΆαααΆαααα‘αΎαααΆα 500 αα
ααΎ Google Play α ααααα½αα±ααα
αΆααα’αΆααααααααΆαα - ααΆααα Google Chrome ααα»ααααααααααΆαα
αααΎααααα αααα»αα
ααααααΆααα·αα·ααα α’αααα’αΆα
ααΎαααΎαααΆαααα’αΌαααα’ααααΆα
αααΎαα’αααΈααΆαααααΆαααΆαα·ααααααα αα·αααΆααααααΌααααααα
ααΆαααααααα·ααΈαα½αα
ααα½ααα
ααΎ Google Play α αααααΆα ααα»αααααααΆααααΆαααααΆαααααΆαααααααΎαα ααΎαααΆααααααα
α
α·αααααΎαααΆααΎ UC Browser αααα»αααααααΎα’αααΈαα·αααα’α α αΎαααΆααΆαααααααααΆαααΆααΆααααααΎ!
αα
αααα»αααΌααααααα·ααΈ αααααααΆααααα»αααΆαααΆααα αα·αααααΎαααΆαααΌααααα’αΆα
ααααα·ααααα·ααΆαααααΌαααΆαααααΎαα
α’αααΈααααααααΆααααααΆααααααααΆααααααααΊααΆααααααααααααΆαααααααααα UC Browser αααααΆααα ααΎ Google Play αα ααααα·ααααΆα
package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
sha1 of the APK file: f5edb2243413c777172f6362876041eb0c3a928c
ααα·α αααααΆααααα αΆα
αα αααα»α UC Browser manifest α’αααα’αΆα αααααααααααΆαααααααααΆααααααααααααααααααα½αα―αα com.uc.deployment.UpgradeDeployService.
<!-- UpgradeDeployService runs in its own ":deploy" process and is NOT exported, so it can only be
     started from inside the UC Browser app itself, not by other apps on the device. The attribute
     names here look mangled by extraction ("android_exported" etc.); in the real manifest they are
     android:exported / android:name / android:process. -->
<service android_exported="false" android_name="com.uc.deployment.UpgradeDeployService" android_process=":deploy" />
αα
ααααααααααΆαααααααα
αΆααααααΎα αααααα·ααΈαα»αααααΉαααααΎααΆαααααΎαα»α POST αα
ααΌα αααα αα ααααααα’αααααααΎααααΆααα ααααΎα PDF αααααααΆαααα αααα»ααααααα·ααΈαα»αααααΆαα’ααΈαααΊαα·α ααααΎααΆααααααα’αΆα ααΎαααΎααα αααα»αα ααΆα αααα
ααααΌαααΆαααααΎ POST αα
ααααααΆααααααΆααααααΆααααααααΆααααΎα PDF αα·αααααααααΆαα·ααΆαααααααΌαααΆαααΆαααα ααΆααα ααα»αααααα»αααΆαααααααααΆααααΎααααΌααααααΌαααααααΆαα’αααΈαααααααα (αααΆαα αα
ααΆααααααΆααααααααααΎααααΈααααααααααΆααααααααααΌαααΆα) α αΎαααΆααΆαααααΎααααα
ααΉαααΆ αααααα·ααΈαα»αααααα½αααΆαααααααΆααα½αα
ααα½αα’αααΈαααααΆααααααααααΌαααΆαααΆαααα α’αΆααααααΆα αα·α αααα ααααΆ , α’αααΈβααααααααα αααα αΆααΊααΆααααΎαααααααΌαααΆαα’αα·αααααΈαα
ααααΎαα»αααααα
αααααααα ααααΎα
αααααΆααααααα½αααΆααααΌαααΆαααα ααααΆ ZIP α αΎααα·αααααΌαααΆαα’αα·αααααΈαααα
αααααααααΌααα·ααααΈαα ααΆα ααα
αααααααΆααΆααα·ααααΈαααΆαααααΎααααααααααΆαααΈαααα ααΌααααα‘ααααΎααααααΌαααααΆαα com.uc.deployment.UpgradeDeployServiceα ααΈαα·ααΈααΆααααα onStartCommand αα com.uc.deployment.bxαα·αααΈααΆαα com.uc.browser.core.dcfe:
/**
 * Builds and sends the upgrade-check request for one upgrade job ({@code arg9}).
 * Decompiler output (obfuscated names kept as-is).
 *
 * Flow as visible here: (1) a series of "[product]key:value" StringBuilders is assembled
 * per request field -- none of them is read afterwards, so they are dead code in this
 * listing (presumably a log call the decompiler dropped); (2) a protocol object {@code ay}
 * is filled with the job parameters plus an extensive device fingerprint (ROM/OS, CPU arch
 * and features, RAM, screen size, API level, list of installed UC APKs, MD5 and signature
 * of the running APK, upgrade log); (3) the object is serialized, transformed by {@code g.i}
 * with selector 0x1F when {@code iGw} is set (0 otherwise), prefixed with a 16-byte header
 * and POSTed to {@code mUpgradeUrl} with {@code dataver=pb} appended.
 *
 * Security-relevant observations limited to this method: {@code setImsi("")} and two
 * neighbouring setters are blanked before sending; the URL comes from
 * {@code this.iGY.mUpgradeUrl} with no scheme check visible here, so whether the request
 * is protected in transit cannot be told from this code; the response is handled
 * asynchronously through {@code i$a}. Every failure path reports via
 * {@code iGI.a(..., "fail")} and returns silently.
 */
public final void e(l arg9) {
    int v4_5;
    String v3_1;
    byte[] v3;
    byte[] v1 = null;
    if(arg9 == null) {
        v3 = v1;
    }
    else {
        v3_1 = arg9.iGX.ipR;
        // Each block below formats one request field as "[product]name:value". The
        // builders are overwritten and never consumed, so they have no effect here.
        StringBuilder v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]product:");
        v4.append(arg9.iGX.ipR);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]version:");
        v4.append(arg9.iGX.iEn);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]upgrade_type:");
        v4.append(arg9.iGX.mMode);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]force_flag:");
        v4.append(arg9.iGX.iEo);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]silent_mode:");
        v4.append(arg9.iGX.iDQ);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]silent_type:");
        v4.append(arg9.iGX.iEr);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]silent_state:");
        v4.append(arg9.iGX.iEp);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]silent_file:");
        v4.append(arg9.iGX.iEq);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apk_md5:");
        v4.append(arg9.iGX.iEl);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]download_type:");
        v4.append(arg9.mDownloadType);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]download_group:");
        v4.append(arg9.mDownloadGroup);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]download_path:");
        v4.append(arg9.iGH);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apollo_child_version:");
        v4.append(arg9.iGX.iEx);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apollo_series:");
        v4.append(arg9.iGX.iEw);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apollo_cpu_arch:");
        v4.append(arg9.iGX.iEt);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apollo_cpu_vfp3:");
        v4.append(arg9.iGX.iEv);
        v4 = new StringBuilder("[");
        v4.append(v3_1);
        v4.append("]apollo_cpu_vfp:");
        v4.append(arg9.iGX.iEu);
        ArrayList v3_2 = arg9.iGX.iEz;
        if(v3_2 != null && v3_2.size() != 0) {
            // Same dead-builder pattern, once per requested component
            // (name, version name, version code, request type).
            Iterator v3_3 = v3_2.iterator();
            while(v3_3.hasNext()) {
                Object v4_1 = v3_3.next();
                StringBuilder v5 = new StringBuilder("[");
                v5.append(((au)v4_1).getName());
                v5.append("]component_name:");
                v5.append(((au)v4_1).getName());
                v5 = new StringBuilder("[");
                v5.append(((au)v4_1).getName());
                v5.append("]component_ver_name:");
                v5.append(((au)v4_1).aDA());
                v5 = new StringBuilder("[");
                v5.append(((au)v4_1).getName());
                v5.append("]component_ver_code:");
                v5.append(((au)v4_1).gBl);
                v5 = new StringBuilder("[");
                v5.append(((au)v4_1).getName());
                v5.append("]component_req_type:");
                v5.append(((au)v4_1).gBq);
            }
        }
        // Device / client info objects populated by m.b; the IMSI and two other
        // fields (hS, hV) are blanked before the object leaves the device.
        j v3_4 = new j();
        m.b(v3_4);
        h v4_2 = new h();
        m.b(v4_2);
        ay v5_1 = new ay();
        v3_4.hS("");
        v3_4.setImsi("");
        v3_4.hV("");
        v5_1.bPQ = v3_4;
        v5_1.bPP = v4_2;
        v5_1.yr(arg9.iGX.ipR);
        v5_1.gBF = arg9.iGX.mMode;
        v5_1.gBI = arg9.iGX.iEz;
        // Key/value list sent with the request: job parameters plus a device fingerprint.
        v3_2 = v5_1.gAr;
        c.aBh();
        v3_2.add(g.fs("os_ver", c.getRomInfo()));
        v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
        v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
        String v4_3 = com.uc.b.a.a.c.Pd();
        v3_2.add(g.fs("cpu_vfp", v4_3));
        v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
        v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
        v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
        v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
        v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
        v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
        v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
        v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
        v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
        v3_2.add(g.fs("child_ver", r.aVw()));
        v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));                      // MD5 of the running APK
        v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature())); // signature of the running APK
        v3_2.add(g.fs("upgrade_log", i.bjt()));
        v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
        v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
        v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
        v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
        v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
        v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
        boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
        v3_2.add(g.fs("neon", String.valueOf(v4_4)));
        v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
        v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
        v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
        c.aBh();
        v3_2.add(g.fs("rom_1", c.getRomInfo()));
        v4_5 = e.getScreenWidth();
        int v6 = e.getScreenHeight();
        StringBuilder v7 = new StringBuilder();
        v7.append(v4_5);
        v7.append("*");
        v7.append(v6);
        v3_2.add(g.fs("ss", v7.toString()));                                 // screen size "W*H"
        v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
        v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));       // other installed UC APKs
        // Any extra entries supplied with the job are appended verbatim.
        Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
        while(v4_6.hasNext()) {
            Object v6_1 = v4_6.next();
            v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
        }
        v3 = v5_1.toByteArray(); // serialized request ("dataver=pb" below suggests protobuf)
    }
    if(v3 == null) {
        this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
        return;
    }
    // Transformation selector: 0x1F when iGw is set, 0 otherwise. The same value is stored
    // in header byte 2 so the receiver can tell how the body was processed.
    v4_5 = this.iGY.iGw ? 0x1F : 0;
    if(v3 == null) {
        // unreachable: the null case already returned above (decompiler artifact)
    }
    else {
        v3 = g.i(v4_5, v3);
        if(v3 == null) {
            // g.i failed: v1 stays null and "up_encrypt" failure is reported below
        }
        else {
            // 16-byte header: 0x5F, 0x00, <selector>, 0xCE (-50), then 12 zero bytes,
            // followed by the (possibly encrypted) serialized body.
            v1 = new byte[v3.length + 16];
            byte[] v6_2 = new byte[16];
            Arrays.fill(v6_2, 0);
            v6_2[0] = 0x5F;
            v6_2[1] = 0;
            v6_2[2] = ((byte)v4_5);
            v6_2[3] = -50;
            System.arraycopy(v6_2, 0, v1, 0, 16);
            System.arraycopy(v3, 0, v1, 16, v3.length);
        }
    }
    if(v1 == null) {
        this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
        return;
    }
    if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
        this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
        return;
    }
    StringBuilder v0 = new StringBuilder("["); // dead log builder, as above
    v0.append(arg9.iGX.ipR);
    v0.append("]url:");
    v0.append(this.iGY.mUpgradeUrl);
    com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
    v3_1 = this.iGY.mUpgradeUrl;
    // i$a is the response callback (presumably the a(l, byte[]) handler shown further down).
    com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
    // Only the query string is touched; the URL scheme/host are used as configured.
    v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
    n v3_5 = v0_2.uc(v3_1);
    m.b(v3_5, false);
    v3_5.setMethod("POST");
    v3_5.setBodyProvider(v1);   // header + body built above
    v0_2.b(v3_5);               // dispatch; the response arrives asynchronously via i$a
    this.iGY.iGI.a(arg9, "up_null", "yes", "success");
    this.iGY.iGI.b(arg9);
}
ααΎαααΎαααΆααααααΎαααααΎ POST αα ααΈαααα ααΎαααα α·ααααα»αααΆααααΎααΆααααααΎαα’αΆαααα 16 αα αα·αααΆααααααααααααΆ: 0x5F, 0, 0x1F, -50 (= 0xCE) α ααααααααΆααΉαα’αααΈαααααΎαααΆαααΎααα αααα»αααααΎααΆαααΎα
αααα»αβααααΆααβααΌα ααααΆ α’αααβα’αΆα βααΎαβααΎαβααααΆααβαααβααααααβαααβαα·ααΈααΆαααααβαα½αβα±ααβα αΆααβα’αΆααααααβαα½αβαααα
/**
 * Handles the raw HTTP response ({@code arg11}) of the upgrade check for job {@code arg10}.
 * Decompiler pseudo-Java: the {@code goto label_57} statements are not valid Java and are
 * kept verbatim from the listing.
 *
 * Expected layout: a 16-byte header followed by the payload. Header byte 1 == 1 marks a
 * payload that is post-processed by {@code g.P} after decryption (the surrounding text
 * reads this as decompression -- not visible here); byte 2 selects the routine {@code g.j}
 * applies (1, 11 or 0x1F); any other value leaves the payload untouched. The result is
 * parsed by {@code g.b} and, depending on the {@code iGt}, {@code iGo} and {@code iGs}
 * flags, forwarded to the upgrade handlers.
 *
 * Review notes:
 *  - The magic check accepts the response when byte 0 == 0x60 OR byte 3 == 0xD0: the
 *    condition rejects only when both differ. If both bytes were meant to be mandatory
 *    the operator should be ||.
 *  - Nothing in this method verifies a signature or MAC over the payload; acceptance
 *    rests on the decryption step chosen by the response's own header byte, and a
 *    mode outside {1, 11, 0x1F} bypasses decryption entirely.
 *  - Every failure path reports "up_decrypt" / "up_decode" and returns silently.
 */
public final void a(l arg10, byte[] arg11) {
    f v0 = this.iGQ;
    StringBuilder v1 = new StringBuilder("["); // dead log builder (never read)
    v1.append(arg10.iGX.ipR);
    v1.append("]:UpgradeSuccess");
    byte[] v1_1 = null;
    if(arg11 == null) {
        // no body: falls through to the "up_decrypt" failure below
    }
    else if(arg11.length < 16) {
        // shorter than the header: same failure path
    }
    else {
        // 0xFFFFFFD0 is (int)(byte)0xD0 == -48, so comparing against the
        // sign-extended byte works as intended.
        if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
            goto label_57;
        }
        int v3 = 1;                     // 1 = payload goes through g.j
        int v5 = arg11[1] == 1 ? 1 : 0; // 1 = run g.P on the result
        if(arg11[2] != 1 && arg11[2] != 11) {
            if(arg11[2] == 0x1F) {
                // recognised mode: keep v3 = 1
            }
            else {
                v3 = 0;                 // unknown mode: payload is used as-is
            }
        }
        byte[] v7 = new byte[arg11.length - 16];
        System.arraycopy(arg11, 16, v7, 0, v7.length);
        if(v3 != 0) {
            v7 = g.j(arg11[2], v7);     // mode-dependent decryption
        }
        if(v7 == null) {
            goto label_57;
        }
        if(v5 != 0) {
            v1_1 = g.P(v7);
            goto label_57;
        }
        v1_1 = v7;
    }
label_57:
    if(v1_1 == null) {
        v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
        return;
    }
    q v11 = g.b(arg10, v1_1);           // parse the upgrade response object
    if(v11 == null) {
        v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
        return;
    }
    if(v0.iGY.iGt) {
        v0.d(arg10);
    }
    if(v0.iGY.iGo != null) {
        v0.iGY.iGo.a(0, ((o)v11));      // listener callback with the parsed response
    }
    if(v0.iGY.iGs) {
        // The "up_silent" key and the silent_* request fields suggest this is the
        // silent-install branch; the handler iGY.a itself is not shown here.
        v0.iGY.a(((o)v11));
        v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
        v0.iGY.iGI.a(v11);
        return;
    }
    v0.iGY.iGI.a(v11, "up_silent", "no", "success");
}
}
αα·ααΈααΆαααααααα’αΆααααααααΆααΆααααα
αΌα α αΎααα·αα·αααααΎαααΆααΌαααααααΊ 0x60 α¬ααααΈααΈααΊ 0xD0 α αΎαααααΈααΈαααΊ 1, 11 α¬ 0x1F α ααΎαααΎαααΆαααααΎαααααΈαααΆαααΈαααα ααΌαααααααΊ 0x60 ααΈααΈαααΊ 0x1F ααΈααΈααΊ 0x60 α ααααΆαααα
ααΌα
ααΆα’αααΈαααααΎαααααΌαααΆαα ααΆααα·αα·α
ααααααααααααΆαα (α§ααΆα ααα "up_decrypt") αα·ααΈααΆααααααα½αααααααΌαααΆαα α
αα
ααΈααααααααΉααα·ααααΈαααΆαααααΎααααααααααΆαααΈαααα
α
αΌααααααα
αα·ααΈααΆααααα gj. α
αααΆαααΆα’αΆαα»αααααααΈαα½αααΊααΆαααα
α’α»α αααα·α 2 (α§ααΆα ααα 0x1F αααα»αααααΈααααααΎα) α αΎαααΈααΈαααΊααΆααΆαααααΎααααααααααΆαααΈααααααααααΆα
16 ααααααΌαα
/**
 * Dispatches response decryption on the mode byte taken from the response header.
 * Mode 1 uses {@code c.c} with the static {@code c.adu} (presumably a key), mode 11
 * uses {@code m.aF}, and mode 0x1F routes through {@code EncryptHelper.decrypt}.
 * Any other mode returns the input unchanged, i.e. the caller gets the bytes as-is.
 *
 * @param arg1 mode byte (1, 11 or 0x1F are recognised)
 * @param arg2 ciphertext, or plaintext for unrecognised modes
 * @return decrypted bytes, or {@code arg2} untouched for unknown modes
 */
public static byte[] j(int arg1, byte[] arg2) {
    switch(arg1) {
        case 1:
            return c.c(arg2, c.adu);
        case 11:
            return m.aF(arg2);
        case 0x1F:
            return EncryptHelper.decrypt(arg2);
        default:
            return arg2;
    }
}
ααΆααααααα αα
ααΈαααααΎαααααΎαααΎααααα½ααααααααΆαααΆααα·ααααΈα αα·αααααΌα
ααααΆαααααΆααα
αααα»αααααααΎαα
ααααΈααααΎααΉα 0x1F ααααΆαα±αααααααΎααα½ααααα»αα
αααααααααΎαααΈα
ααΎααααααα·ααΆαααΌαα αααααΆααααΈααΆααααααΈαααΈαα ααΎαααααΎααααα½αααΎααα αααα»ααα·ααΈααΆααααααα½ααααααΆααααααααααααααααααα½αα―αα αα·ααααΈαBytesByKey.
αα ααΈαααααΈααααααααααΌαααΆααααααα ααααΈααΆαααααΎαααααααααΎα α αΎαααααα’αααααα½αααααΌαααΆαααα½αααΈαα½αααα ααΆα αααΆααααΆααααΆααΆαααααααααααααΉααααααΆααααΆααα·ααααΈαααΆαααααΌαααΆαααααΎαααΎαα
/**
 * Strips the {@code PREFIX_BYTES_SIZE}-byte key-id prefix from {@code bytes}, resolves
 * the key it names and decrypts the remainder through the security-guard component.
 *
 * Security note: the key id is read from the ciphertext itself, so whoever produced the
 * response chooses which of the embedded keys is used, and no authenticity check
 * happens here. Every failure (too short, no payload after the prefix, unknown key id,
 * missing component, any exception) collapses to {@code null}, which the caller must
 * treat as "decrypt failed".
 *
 * @param bytes prefix followed by ciphertext; may be null
 * @return plaintext bytes, or null on any failure
 */
private static byte[] decryptBytesByKey(byte[] bytes) {
    if(bytes == null) {
        return null;
    }
    try {
        int prefixLen = EncryptHelper.PREFIX_BYTES_SIZE;
        // Nothing to decrypt when there is no prefix or nothing after it.
        if(bytes.length <= prefixLen) {
            return null;
        }
        byte[] prefix = new byte[prefixLen];
        System.arraycopy(bytes, 0, prefix, 0, prefixLen);
        // The prefix is read as a big-endian 16-bit value and mapped to a key id.
        String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort());
        if(keyId == null) {
            return null;
        }
        a component = EncryptHelper.ayL();
        if(component == null) {
            return null;
        }
        byte[] ciphertext = new byte[bytes.length - prefixLen];
        System.arraycopy(bytes, prefixLen, ciphertext, 0, ciphertext.length);
        return component.l(keyId, ciphertext);
    }
    catch(SecException e) {
        // Component-reported failure: forward its own error code.
        EncryptHelper.handleDecryptException(((Throwable)e), e.getErrorCode());
        return null;
    }
    catch(Throwable t) {
        // Anything else (including BufferUnderflow on a short prefix) is reported as code 2.
        EncryptHelper.handleDecryptException(t, 2);
        return null;
    }
}
αααααΉααα αα»α ααΎααααααααΆααααΆ αα ααααΆααααΆαααα ααΎααα·αααΆααααα½αααΆαααααα ααα»ααααααΆααα "α§ααααααααααα’ααααααααΆα" ααα»αααααα ααΆαααα½αααΆαααΌαααααΊαααα»αααααΆαααααα·α α
αα αααα»ααα·ααΈααΆααααααααααΆαα αααΆαααΆααααααααΈααααααααααααααΌαααΆααααααααα αααααααααΆαααααΆαα αααααααΎα±αααα½αααα ααα½ααα½αα αααααααααα 16 ααααααααΆαααααααΉα αα·αααααααααααΆαα’αα·αααααΈα αα·αααααα’ααααααααα·αα’αΆα αααααΆα (αααα»αααααΈααααααΎαααΊααα)α
/**
 * Decrypts {@code encrypted} with the security-guard key named by {@code keyId}.
 * Thin wrapper over {@code staticBinarySafeDecryptNoB64} with the "magic" integer
 * fixed at 16 and an empty magic string; what those two values mean is decided in
 * the component (not visible here).
 *
 * @param keyId key identifier resolved from the ciphertext prefix
 * @param encrypted raw ciphertext (no base64 layer, per the method name -- assumption)
 * @return plaintext bytes
 * @throws SecException propagated from the component (e.g. code 301 on invalid arguments)
 */
public final byte[] l(String keyId, byte[] encrypted) throws SecException {
    final int magicInt = 16;
    final String magicString = "";
    return this.ayJ().staticBinarySafeDecryptNoB64(magicInt, keyId, encrypted, magicString);
}
αααααΆααααΈααΆαααααΆααααααΌαααΆαααααααααΆααααΎαααααααα·ααΈααΆααααα staticBinarySafeDecryptNoB64 α ααα»α αααααΆαα com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponentα αα·αααΆαααααΆαααα αααα»αααΌααααααα·ααΈααααΆαααααα’αα»ααααα ααα»α αααααΆαααααααα ααΆαααααΆαααααααααα αααα»αα―αααΆα lib/armeabi-v7a/libsgmain.soααααα·ααααααΆ .so ααα»ααααααΆ .jar α αα·ααΈααΆααααααααααΎαα αΆααα’αΆααααααααααΌαααΆαα’αα»ααααααΌα ααΆαααααα:
package com.alibaba.wireless.security.a.i;
// ...
/**
 * Java-side facade of the static-data encryption component. Every call is funnelled
 * into the native plugin through {@code IRouterComponent.doCommand} with command id
 * 10601; the Java layer only validates arguments and boxes them into an Object[].
 * Excerpt -- members elided in the original listing are marked with "// ...".
 */
public class a implements IStaticDataEncryptComponent {
    private ISecurityGuardPlugin a;
    // ...
    /** Boxes the arguments and forwards them to the native router as command 10601. */
    private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
        Object[] packed = new Object[]{
            Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt),
            keyId, encrypted, magicString
        };
        return this.a.getRouter().doCommand(10601, packed);
    }
    // ...
    /**
     * Fixes mode to 2 and xzInt to 0. The surrounding analysis reads mode 2 as
     * "decrypt"; the meaning is only decided in native code.
     */
    private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
        return this.a(2, magicInt, 0, keyId, encrypted, magicString);
    }
    // ...
    /**
     * Entry point used by EncryptHelper. Rejects a null/empty keyId, a magicInt outside
     * 0..18 and null/empty ciphertext with SecException code 301; everything else is
     * handed to native code unchanged.
     */
    public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
        boolean keyOk = keyId != null && keyId.length() > 0;
        boolean magicOk = magicInt >= 0 && magicInt < 19;
        boolean dataOk = encrypted != null && encrypted.length > 0;
        if(!(keyOk && magicOk && dataOk)) {
            throw new SecException("", 301);
        }
        return this.b(magicInt, keyId, encrypted, magicString);
    }
    //...
}
ααΆαααααααααααΆαααααΈαααΆαααΆααααααααααααΎαααααΌαααΆααααααααααα
ααα½ααααααΈααααααααααα 2 αα·α 0α αα·αα·α
ααααααα
α’αααΈααααααααΆα, 2 ααΆααααααΆααΆααα·ααααΈα, ααΌα
αα
αααα»ααα·ααΈααΆααααα doFinal ααααΆαααααααααα javax.crypto.Cipher. α αΎαααΆααα’αααααααααΌαααΆαααααααα
Router ααΆααααΆαααα½ααααααΆαααα 10601 - αααα
αααΆααααΆααααααααΆα
αααααΆααααΈαααααααααΆαααααααΆααααααΆαααααΆααααααΌαααΎαααααΎαααααΆαααααα’αα»ααααα ααα»α αααααΆαα αααΆαααΆαα» IRouter αα·ααα·ααΈααΆααααα αααααΆ:
package com.alibaba.wireless.security.mainplugin;
import com.alibaba.wireless.security.framework.IRouterComponent;
import com.taobao.wireless.security.adapter.JNICLibrary;
/**
 * Router that hands every command straight to native code. The Java side keeps no
 * state and performs no validation, so the whole command dispatch (including 10601
 * used for decryption) lives in the native library behind
 * {@code JNICLibrary.doCommandNative}.
 */
public class a implements IRouterComponent {
    public a() {
        super();
    }

    /**
     * @param arg2 numeric command id
     * @param arg3 boxed arguments as packed by the caller
     * @return whatever the native implementation returns
     */
    public Object doCommand(int arg2, Object[] arg3) {
        Object nativeResult = JNICLibrary.doCommandNative(arg2, arg3);
        return nativeResult;
    }
}
αα·αααααΆαααααααα αααααΆααα JNICLααααααα»αααααα·ααΈααΆαααααααΎαααααΌαααΆααααααΆα doCommandNative:
package com.taobao.wireless.security.adapter;
/**
 * Thin JNI bridge. doCommandNative is bound at runtime through RegisterNatives (see the
 * JNI_OnLoad analysis further down), not via the Java_..._doCommandNative symbol-name
 * convention, which is why the name does not show up among the native library's exports.
 */
public class JNICLibrary {
    /** Executes native command {@code arg0} with the boxed arguments {@code arg1}. */
    public static native Object doCommandNative(int arg0, Object[] arg1);
}
αααααΆααααααΆααΎαααααΌαααααααααα·ααΈααΆααααααααα»αααΌαααΎα doCommandNative. α αΎααααααΊααΆαααααααααααΆααααααΆαααΈαααΆαα αΆααααααΎαα
ααΆαα ααααΌαα ααααααααααααΌααααΆαααΈα
αα αααα»αα―αααΆα libsgmain.so (ααααα·αααΆ .jar α αΎααααααΎαααΆαααααΎαααΆαα’αα»ααααα ααα»α αααααΆαααααααΆααααααΉαααΆαα’αα·αααααΈααα½αα ααα½ααα ααΆαααΎ) ααΆααααααΆαααααΎααα½αα libsgmainso-6.4.36.so. ααΎαααΎαααΆαα αααα»α IDA α αΎαααα½αααΆααααα’ααααΆα αααΎααααααΆαααα α»αα αααα αΆααΊααΆααΆααΆαααααααΆαααααααααΊαα·αααααΉαααααΌαααα αααααααΌαααΆαααααΎαααα»ααααααααααΎααααΈααααΎα±αααααα»αααααΆααααααΆααα·ααΆαα
ααα»ααααααΆαα·αα
αΆαααΆα
αααα ααΎααααΈαααα»αα―αααΆα ELF αα·ααα·ααΆαααΆα±ααααΆαααααΉαααααΌα ααΆααΆαααααααΆαααααα·ααΈααΊαααααααααΆααα αΎαα ααΌα
αααα ααΎαααααΆαααααα»αααΆααΆαααααα ααααα»αααΆααααααααΌαααααΆαα
αααα»αααααααΆα
ααΎαα―αααΆααααα»α IDA αααααααα
ααΆααα·ααΈααΈααααΆαααΎααααΈααααΆαααααΆαααΈααα·αααα·α Java ααααα·αααααΆαααα αααα»ααααααΆαααααΎαααααΆαα’αα»αααααα·ααΈααΆααααααααααΆααααααΆααα αααα»αααΌα Java ααΆαααααααΎαααΆαααΈααΆαααα α ααΈαα½αααΊααααΌαααΆααααααααααααααααα Java_package_name_ClassName_MethodName.
ααΈααΈαααΊααααΌαα
α»ααααααααΆαα
ααααααα»ααααααΆααα (αα
αααα»ααα»αααΆα JNI_OnLoad)
αααααααΎαα»αααΆαα α
ααΆαα
α»ααααααααααΆαα·ααΎα.
αααα»αααααΈααααααΎα ααααα·αααΎααΎαααααΎαα·ααΈααΈαα½α ααααααα½αααααΌα αααα Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative.
αα·αααΆααα»αααΆααααααααααα»αα
αααααα»αααΆααααααΆαααΆαα
αααα αααααΆααααααΆα’αααααααΌαααααΎαααΆαα α
ααΌααααα ααΆαα
α»ααααααααααΆαα·ααΎα.
ααααα
αα»αααΆα JNI_OnLoad α αΎαααΎαααΎαααΌαααΆααααα
ααΎααΆαα’αααΈααΎαα‘αΎααα
ααΈααα? αα
glance ααααΌα ααΆαα
αΆααααααΎα αα·αα
α»ααααα
αααααα»αααΆαααΊααΆαα½αααΆααααααΆααααααΆαααααααα ARM α ααΆαααααΆαααααΌααα
ααΎααααααααΆαα»αααΆαα·ααΆααααΆαα
α»ααααααααααα»αααΆαααΉαααααΎαααα»αααααα·ααααα·ααΆαααααααΆ (αααα»αααααΈααα R0, R1 αα·α R2) ααααΌα
ααΆααΆαα·ααΆααααΆαα
α»αααααα LR αααααΆαα’αΆααααααΆααααα‘ααααΈαα»αααΆα . ααΆαααααΆαα
α»ααααααααααΆαααΆαα
α»αααααααααααΆααααααΆαα»αα αΎαα’αΆααααααΆααααα‘αααααα·αααααΌαααΆαααΆααααααΆαααα
αααα»αααΆαα
α»αααααααα»αααααΌααα - ααΌα
αααααααα‘ααααΈαα»αααΆαα ααα»ααααααααα·αααΎα’ααααααα‘ααααΎαα±αααα·α α’αααααΉααααααΆααααΎαααΆ ααΆαααααΆαα
α»ααααααααααΆααααααΌαα’αΆααααααΆααααα‘αααααα·αααααααααΆαα»ααα
ααΎαααα α
αΌαααΎαααααΆααΆααΎααΆααΉααα
ααΆαααΆαααΆαααααΆααααΈαααα
ααΆαα’αα»ααααααΌαα α’αΆααααααΆαααΆααααΆαα 1xB0 ααααΌαααΆααααα»ααα
αααα»α R130, 5 ααααΌαααΆαααα
ααααΈααΆ αααααΆααααααΆααααΌαααΆαααααααα
R0 α αΎα 0x10 ααααΌαααΆααααααααα
ααΆα ααΆααααα
αα 0xB13B α ααΌα
αααα IDA αα·αααΆααΆαααααΆαα
α»ααααααααΊααΆααΆααααα‘αααα»αααΆαααααααΆ ααα»ααααααΆααα·αααΆααΉααα
α’αΆααααααΆααααααΆαααααΆ 0xB13Bα
ααΆαα½αα’ααα αα αΆααα ααΈαααααΆ ARM processors ααΆαααααααΈα αα·αααΆαααααΆαααΈαααΊ ARM αα·α Thumb α α’αΆαααααααΆααααααααΆαααα·α αααα»αααααΆαα processor ααΆααΎαααα»αααΆαααααΆααα½αααΆαααα»αααααΌαααΆαααααΎααααΆααα αααααΊααΆα’αΆααααααΆααα·αααααΆααααΊ 0xB13A α αΎααα½ααααα»αα αααααααΈαααααααΆαααααα»ααααα αΆαααΈααααααααα
"α’αΆααΆααααα" ααααααααααΆαααααααΌαααΆααααααααα
ααΆαα
αΆααααααΎααααα»αααΆαααΈαα½αααα
αααα»ααααααΆαααααα αα·α
αααααΌαααααΆαα ααΎαααΉααα·αααααα
ααΎαα½ααααααα’α·αααααααααααα - ααΎαααααΆααααα
αα
αΆα
ααΆααΆαα
αΆααααααΎααα·αααααΆαααααα»αααΆαααααΎαααααΆααα’ααααΊαα
ααααΆαααααα·α
α
αααααΆααααααΌααα·αααααα 0xB13A α αααΆααααΆαα IDA αααα½αα―ααα·αααΆαααα½αααααΆααααΆαααααΌαααΆαααΈααΆαααα ααΈααΆαααααααα αααααΆααα ααα»ααααΌα ααααΆααα ααΆαα·αααα½αααααΆααααΌαααΆαα αααΎααα αααα»ααααααΆαααααΆααΆααΌααααααααΎα±ααααΆααα·ααΆααα·ααΆαααααα·α α ααΎαααααΆαα IDA ααΆαααααΆααΌα α αΎααααααΆα’αααΈαααααΎαα‘αΎαα
ααΆααΆααααΆαα
αααΆααα
αΆααααααΎααα
0xB144 α ααΎααΆαα’αααΈαα
αααα»α sub_494C?
αα
αααα α
αα»αααΆαααααα
αααα»αααΆαα
α»αααααα LR ααΎαααα½αααΆαα’αΆααααααΆαααααΆααΆααααααΆααααααΆααααΈαα»α (0xB144) α αα
αααα»α R0 - ααααααααααα
αααα»αααΆααΆααααα αααααΊαααααααααΌαααΆαααα
ααααΈααΆααΆααααααααα
LR α αΎαααααααααΊ
α’αΆααααααΆααααααααΌααα
α αααααααΆααΆαααααΆααΆα 0xB144 + [0xB144 + 8* 4] = 0xB144 + 0x120 = 0xB264 α ααΎααα
α’αΆααααααΆααααααα½αααΆα α αΎαααΎαααΆαααααΆαααααΆααααααααααα½αα
ααα½α α αΎαααααααααα
ααΆαα 0xB140α
α₯α‘αΌααααααΉαααΆαααΆαααααΆααααααΌααα
α’α»α αααα·αααΆαα½αααααααααα 0x20 ααΈααΆααΆαα
ααααα·αα·α αααααααααα αααααΆααΆαααΆααΉαααΆαααΆαααααΆααααααΌαααααααααΆα αααΎααα αααα»αααΌαα αααα½αααΎαα‘αΎαααΆααΎααΆα’αΆα αα αα½α αααααα»αααΆααααααααΆαααΆαα½ααααα αΆααααααααααααααααααα·ααααα·αα αΆαααΆα αααααΆα’αΆααααααΆααααααα α αΎαααααααΈα αα·ααααααααΆααααα»αααΆαααααααΌααα αααα»α IDA ααααΆαααα½αααααααΎαα
def put_unconditional_branch(source, destination):
    """Overwrite the instruction at `source` with a Thumb unconditional branch to `destination`.

    The offset is measured in halfwords from source+4 (Thumb PC semantics).  Offsets in
    -1024..1023 halfwords use the 16-bit `B` encoding (0xE000 | imm11); anything larger,
    up to the 22-bit signed range, uses the 32-bit `B.W` pair
    (0xF000 | S:imm10, 0xB800 | imm11, i.e. J1 = J2 = 1).

    Raises RuntimeError when the offset does not fit the 32-bit encoding.
    """
    halfword_offset = (destination - source - 4) >> 1
    if not (-2097152 <= halfword_offset <= 2097151):
        raise RuntimeError("Invalid offset")
    fits_short = -1024 <= halfword_offset <= 1023
    if fits_short:
        patch_word(source, 0xe000 | (halfword_offset & 0x7ff))
    else:
        high = 0xf000 | ((halfword_offset >> 11) & 0x7ff)
        low = 0xb800 | (halfword_offset & 0x7ff)
        patch_word(source, high)
        patch_word(source + 2, low)
# Resolve one obfuscated branch thunk at the cursor into a direct branch.  The thunk is
# "PUSH {R0,R1,LR} ; [NOP] ; LDR R0, =index ; <table operand> ...": it loads a table
# index, reads the 32-bit offset at table[index] and jumps to table + offset.  We compute
# that target statically and overwrite the PUSH with an unconditional branch to it.
# IDA operand-type codes used below: 1 = o_reg, 2 = o_mem, 7 = o_near.
ea = here()
if get_wide_word(ea) != 0xb503:  # PUSH {R0,R1,LR}
    print("Unable to detect first instruction")
else:
    cursor = ea + 2
    if get_wide_word(cursor) == 0xbf00:  # optional NOP padding
        cursor += 2
    loads_index = (get_operand_type(cursor, 0) == 1
                   and get_operand_value(cursor, 0) == 0
                   and get_operand_type(cursor, 1) == 2)
    if not loads_index:
        print("Unknown code %s %s %s" % (get_operand_type(cursor, 0),
                                        get_operand_value(cursor, 0),
                                        get_operand_type(cursor, 1) == 2))
    else:
        index = get_wide_dword(get_operand_value(cursor, 1))
        print("index = " + hex(index))
        cursor += 2
        table = None
        if get_operand_type(cursor, 0) == 7:
            table = get_operand_value(cursor, 0) + 4
        elif get_operand_type(cursor, 1) == 2:
            table = get_operand_value(cursor, 1) + 4
        else:
            print("Wrong operand type on %s - %s %s" % (hex(cursor),
                                                       get_operand_type(cursor, 0),
                                                       get_operand_type(cursor, 1)))
        if table is None:
            print("Unable to find table")
        else:
            print("table = " + hex(table))
            offset = get_wide_dword(table + (index << 2))
            # NOTE(review): offset is read as an unsigned dword; a negative (two's
            # complement) table entry would need "& 0xffffffff" on the sum, as the
            # later script does -- verify on real data.
            put_unconditional_branch(ea, table + offset)
ααΆααααααααααααα·α αα ααΎαααααΆαα 0xB26A ααααΎαααΆαααααααΈα α αΎαααΎαααΆαααααΆααααααΌααα 0xB4B0α
IDA ααααααααα·αααΆαααα½αααααΆααααααααααααΆαααααΌαααα ααΎααα½αααΆα α αΎαααΎαααΆααα
ααΆαα½αααααα
ααΈαααα
ααΆαααααΆααααααΆααααΈ BLX α αΆααααΌα
ααΆαα·αααΆαα’ααααααα
αααΎααα ααΆααΌα
ααΆααΆαααααΆααααΈαααα
αα½αα
ααα½αα αααααΎα sub_4964α
α αΎαααΆααΆααα·α αα
ααΈααα dword αα½αααααΌαααΆααααααα
α’αΆααααααΆαααααααα·ααα
αααα»α LR αααααααΌαααΆααααααααα
α’αΆααααααΆαααα αααααΆααααΈαααααααααα
α’αΆααααααΆαααααααααααΌαααΆαααα αΎαααΆααααΎαααα ααΌα
ααααΆαααααααα 4 ααααΌαααΆααααααααα
LR ααΌα
αααααααααΆααααΈαααα‘ααααΈαα»αααΆα α’α»α αααα·αααΌα
ααααΆαααααααΌαααΆαααααα αααααΆααααΈαααααΆααααααααΆ POP {R1} αααααααααααααααΈαααα ααααα·αααΎα’ααααααα‘ααααΎαα’αααΈαααααΆαααΈααΆαααα
α’αΆααααααΆα 0xB4BA + 0xEA = 0xB5A4 α’αααααΉαααΎαα’αααΈαα½ααααααααααααΉαααΆααΆαα’αΆααααααΆαα
ααΎααααΈαα½ααα»αααΆααα
ααΆααα α’αααααΉαααααΌαααα½αααΆααααΆαααΆααααααααΈαααΈααΌαα α’α»α αααα·α αα·ααααα
α»αααααααααα’αααα
ααααΆααααααααα αααααΆααααΆαα
α»ααααααααΈαα½αααααα’αΆα
ααααΎααΆα α’αααααΉαααααΌααααα
αααααααααααααΌαααΆαα»αα
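# IDAPython (Python 2) helper: rewrite an obfuscated "load a global through a thunk"
# sequence into a plain PC-relative load.  The sequence at the cursor looks like
#   SUB SP, SP, #8 ; PUSH {R0,R1,LR} ; <PC-relative operand> ; ... ; POP Rd
# and the loaded value finally lands in register Rd.  We overwrite it with
#   NOP ; LDR Rd, [PC, #4] ; LDR Rd, [Rd] ; B +4        (low regs, 8 bytes)   or
#   NOP ; LDR.W Rd, [PC, #6] ; LDR.W Rd, [Rd] ; B +2    (high regs, 12 bytes)
# followed by the 32-bit address the original code computed at ea+8.
#
# Thumb-1 encodings: LDR Rd,[PC,#4] = 0x4801 | Rd<<8 ; LDR Rd,[Rd] = 0x6800 | Rd<<3 | Rd.
patches = {}
patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
patches[6] = (0x00, 0xbf, 0x01, 0x4e, 0x36, 0x68, 0x02, 0xe0)  # added: R6, same encoding rule
patches[7] = (0x00, 0xbf, 0x01, 0x4f, 0x3f, 0x68, 0x02, 0xe0)  # added: R7, same encoding rule
patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

ea = here()
if (get_wide_word(ea) == 0xb082              # SUB SP, SP, #8
        and get_wide_word(ea + 2) == 0xb503):  # PUSH {R0,R1,LR}
    if get_operand_type(ea + 4, 0) == 7:       # o_near: PC-relative target operand
        pop = get_bytes(ea + 12, 4, 0)
        register = -1
        # Python 2 IDAPython: get_bytes() returns a str, so single bytes compare as
        # 1-char strings.  The published listing had lost the backslashes ('xbc',
        # 'x5dxf8x04'), which made both comparisons always false; restored here.
        # Under Python 3 get_bytes() returns bytes and these would be 0xbc / b'\x5d\xf8\x04'.
        if pop[1] == '\xbc':                   # 0xBCxx = Thumb POP {reglist}, PC not included
            r = get_wide_byte(ea + 12)         # reglist byte: exactly one bit set expected
            for i in range(8):
                if r == (1 << i):
                    register = i
                    break
            if register == -1:
                print("Unable to detect register")
        elif pop[:3] == '\x5d\xf8\x04':        # F85D xB04 = LDR.W Rt, [SP], #4 (POP.W of one register)
            register = ord(pop[3]) >> 4        # Rt is the high nibble of the last byte
        else:
            print("POP instruction not found")
        if register != -1:
            if register not in patches:
                print("No patch template for register R%d" % register)
            else:
                # Address the original sequence computed at ea+8; kept as the literal.
                address = get_wide_dword(ea + 8) + ea + 8
                patch = patches[register]
                for b in patch:
                    patch_byte(ea, b)
                    ea += 1
                # Thumb LDR (literal) reads from Align(PC,4)+imm with PC = insn+4.  For the
                # 8-byte form (LDR Rd,[PC,#4] at ea+2) that is ea+8 when the sequence is
                # 4-aligned and ea+10 otherwise, so pad to the next 4-byte boundary.
                # (The original applied this only in the POP {reglist} branch.)
                if len(patch) == 8 and ea % 4 != 0:
                    ea += 2
                # NOTE(review): the 12-byte form uses LDR.W Rd,[PC,#6], which lands on
                # ea+12 only when the sequence starts at ea % 4 == 2; the original script
                # made the same assumption -- verify on an aligned site before trusting it.
                patch_dword(ea, address)
    else:
        print("Wrong operand type on +4: %s" % get_operand_type(ea + 4, 0))
else:
    print("Unable to detect first instructions")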
ααΎαααΆααααααααααααα·α αα ααΎααα ααΆαααααααααααααΎαα αααααα½α - 0xB4B2 - α αΎαααααΎαααΆαααααααΈαα
ααααααααΈααΎαα
ααΆαααααααααααααΆααααααΆαααα½α
α αΎα ααΌαααααΆαααΌα
ααΆααααααα
ααΌα
αα
αααα»αααααΈαα»α αααααΆααααΈααΆαααααΆα BLX ααΆαα’α»α αααα·ααα½αα
ααΎαααα’α»α αααα·ααα
α’αΆααααααΆαααΈ LR ααααααααΆαα
LR α αΎααα
ααΈαααα 0x72044 + 0xC = 0x72050 α ααααααΈααααααΆααααΆααα
ααΆαααααΊααΆααααααΆααα
def put_unconditional_branch(source, destination):
    """Patch a Thumb unconditional branch at `source` that jumps to `destination`.

    Same helper as used earlier: the halfword offset is relative to source+4.
    Offsets in -1024..1023 halfwords get the 16-bit `B` (0xE000 | imm11); anything
    within the 22-bit signed range gets the 32-bit `B.W` pair
    (0xF000 | S:imm10, 0xB800 | imm11).  Raises RuntimeError beyond that range.
    """
    delta = (destination - source - 4) >> 1
    too_far = delta > 2097151 or delta < -2097152
    if too_far:
        raise RuntimeError("Invalid offset")
    needs_wide = delta > 1023 or delta < -1024
    if not needs_wide:
        patch_word(source, 0xe000 | (delta & 0x7ff))
        return
    patch_word(source, 0xf000 | ((delta >> 11) & 0x7ff))
    patch_word(source + 2, 0xb800 | (delta & 0x7ff))
# Third thunk flavour: "PUSH {R0,R1,LR} ; [NOP] ; <4-byte call> ; <dword>".  Per the
# surrounding analysis the call returns to the dword and the callee adds it to LR, so
# the real target is dword_addr + *dword_addr.  Replace the PUSH with a direct branch.
ea = here()
if get_wide_word(ea) != 0xb503:  # PUSH {R0,R1,LR}
    print("Unable to detect first instruction")
else:
    nop_len = 2 if get_wide_word(ea + 2) == 0xbf00 else 0
    literal = ea + 6 + nop_len   # skip PUSH (2) + optional NOP + the 4-byte call
    # mask to 32 bits so a negative (two's complement) dword wraps correctly
    target = (literal + get_wide_dword(literal)) & 0xffffffff
    put_unconditional_branch(ea, target)
ααααααααααΆαααααα·ααααα·ααααααΈαα
αα
ααααααα’αααΈαααααΌαααΆααα½ααα»ααα
αααα»ααα»αααΆα α’αααα’αΆα
α
ααα’α»α IDA αα
ααΆααααΆαα
αΆααααααΎααα·αααααΆααααααααΆα ααΆααΉααααα
αΌαααααΆααΌαααΌααα»αααΆαααΆααα’αα α αΎαααΆα’αΆα
ααααΌαααΆαααααααααααααΎ HexRaysα
ααΆααα·ααΌαααααα’αααα
ααΎαβααΆαβαααβααΎααααΈβαααααααΆαβααΆαα½αβααΉαβααΆαβα ααααΌαα αααααβααβααΌαβαααΆαααΈαβαα βαααα»αβαααααΆααα libsgmainso-6.4.36.so ααΈ UC Browser α αΎαααΆαααα½αααΌααα»αααΆα JNI_OnLoad.
/*
 * The real JNI_OnLoad body (reached once the anti-analysis trampolines are patched out).
 * Decrypts the name of the Java bridge class into the stack buffer v6 (sub_73E24 with a
 * 49-byte length), resolves it with FindClass and then runs a chain of per-feature setup
 * routines; sub_B7B0 at the end is the one that registers doCommandNative.
 * Returns -1 on any failure, otherwise 0x10004 (JNI_VERSION_1_4) OR'ed with the sign bit
 * of sub_B7B0's result, so a negative result from it makes the return value negative.
 *
 * Notes: v6 is typed as a 4-byte int by the decompiler but receives up to 49 bytes -- the
 * real stack object is larger (decompiler stack typing, not necessarily an overflow).
 * v7 / off_8AC00 looks like a stack-protector cookie load (assumption from the pattern).
 */
int __fastcall real_JNI_OnLoad(JavaVM *vm)
{
  int result; // r0
  jclass clazz; // r0 MAPDST
  int v4; // r0
  JNIEnv *env; // r4
  int v6; // [sp-40h] [bp-5Ch]
  int v7; // [sp+Ch] [bp-10h]
  v7 = *(_DWORD *)off_8AC00;
  if ( !vm )
    goto LABEL_39;
  sub_7C4F4();
  env = (JNIEnv *)sub_7C5B0(0);   /* obtains the JNIEnv for this thread (helper not shown) */
  if ( !env )
    goto LABEL_39;
  v4 = sub_72CCC();
  sub_73634(v4);
  /* decrypt the class name (com/taobao/wireless/security/adapter/JNICLibrary per the
     surrounding analysis) into v6, then look the class up */
  sub_73E24(&unk_83EA6, &v6, 49);
  clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
  if ( clazz
    && (sub_9EE4(),
        sub_71D68(env),
        /* every step must return >= 0; the chain short-circuits on the first failure */
        sub_E7DC(env) >= 0
     && sub_69D68(env) >= 0
     && sub_197B4(env, clazz) >= 0
     && sub_E240(env, clazz) >= 0
     && sub_B8B0(env, clazz) >= 0
     && sub_5F0F4(env, clazz) >= 0
     && sub_70640(env, clazz) >= 0
     && sub_11F3C(env) >= 0
     && sub_21C3C(env, clazz) >= 0
     && sub_2148C(env, clazz) >= 0
     && sub_210E0(env, clazz) >= 0
     && sub_41B58(env, clazz) >= 0
     && sub_27920(env, clazz) >= 0
     && sub_293E8(env, clazz) >= 0
     && sub_208F4(env, clazz) >= 0) )
  {
    /* sub_B7B0 registers doCommandNative; its sign bit is folded into JNI_VERSION_1_4 */
    result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
  }
  else
  {
LABEL_39:
    result = -1;
  }
  return result;
}
α αΌαααΎααα·αα·αααααΎαα±ααααΆααααα αααΆααααΌααααααΆααααΆααααααα
sub_73E24(&unk_83EA6, &v6, 49);
clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
αα αααα»ααα»αααΆα sub_73E24 αααααααααΆααααααΌαααΆααα·ααααΈααααΆαα αααΆααα ααΆαααΆαααΆαααααααααα»αααΆαααα ααααα·α αα αα·ααααααααααααααΉααα·αααααααααααΆαα’αα·αααααΈα ααα·ααααααα’αΆααααααΆααααΆαα αα·αααααα½αααααΌαααΆαααααααΆααα ααΆααααααα αααααΆααααΈα α αα»αααΆααα½α ααΆααΉαααΆααααααΆαααα·ααααΈααα αααα»αααα·ααααααα’αΆαααα αααααααΆααααΌαααΆααααααΌααα αα»αααΆα αααααααααααΆααααααααααααααααΆααααΆαααΆαααΆααααααααΈααΈαα ααΌα αααααααααΊααΆααα αααααα·ααααααα’αΆαααα α¬αααααααααααααΆααα α αΌαααΎαααααΆααΆα decipher αααααααααΆαα ααΆαα½αααααααΆααααΎαααΆααΎααΎααααα»αααΎααααα»ααα·ααα ααααΉαααααΌαα¬α’αα α αΌαααΎααα·αα·αααααΎαα±ααααΆααααα αααΆααααΌαα’αααΈαααααΎαα‘αΎααα αααα»α sub_73E24.
/*
 * String decryption helper used from JNI_OnLoad: decrypts `in` into `out`, `size` bytes
 * of output buffer. Two objects are obtained via sub_7AF78 (an allocator/constructor, not
 * shown): one of size 17 initialised with the fixed 16-byte key "DcO/lcK+h?m3c*q@", and
 * one of size `size` fed the ciphertext (size - 1 bytes). A struc_1 with field_4 = 3 is
 * then handed to sub_6115C, which selects the primitive by that field (the dispatcher
 * shown below as sub_611B4 maps 3 to sub_6364C, read as RC4 in the surrounding text).
 * The plaintext is copied to `out` only if its length equals size - 1; the return value
 * is that length, or 0 on any failure (allocation, NULL in/out, length mismatch).
 *
 * Security note: the key is a literal inside the library, so the "encrypted" strings
 * (class/method names) only hide from casual inspection, not from anyone holding the
 * binary. `out` is zeroed up to `size` before the copy of size - 1 bytes, so the result
 * is NUL-terminated when it fits.
 */
int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
{
  int v4; // r6
  int v7; // r11
  int v8; // r9
  int v9; // r4
  size_t v10; // r5
  int v11; // r0
  struc_1 v13; // [sp+0h] [bp-30h]
  int v14; // [sp+1Ch] [bp-14h]
  int v15; // [sp+20h] [bp-10h]
  v4 = 0;
  v15 = *(_DWORD *)off_8AC00;   /* looks like a stack-protector cookie -- assumption */
  v14 = 0;
  v7 = sub_7AF78(17);           /* key holder: 16 bytes + NUL */
  v8 = sub_7AF78(size);         /* data holder */
  if ( !v7 )
  {
    v9 = 0;
    goto LABEL_12;
  }
  /* call through slot +12 of the object (vtable-style) to load the hard-coded key */
  (*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
  if ( !v8 )
  {
LABEL_9:
    v4 = 0;
    goto LABEL_10;
  }
  v4 = 0;
  if ( !in )
  {
LABEL_10:
    v9 = 0;
    goto LABEL_11;
  }
  v9 = 0;
  if ( out )
  {
    memset(out, 0, size);
    v10 = size - 1;
    /* same slot +12 on the data object: load size-1 bytes of ciphertext */
    (*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
    memset(&v13, 0, 0x14u);
    v13.field_4 = 3;            /* algorithm selector consumed by the dispatcher */
    v13.field_10 = v7;          /* key object */
    v13.field_14 = v8;          /* data object */
    v11 = sub_6115C(&v13, &v14);
    v9 = v11;
    if ( v11 )
    {
      /* result object: [0] = data pointer, [4] = length; only accept an exact-length result */
      if ( *(_DWORD *)(v11 + 4) == v10 )
      {
        qmemcpy(out, *(const void **)v11, v10);
        v4 = *(_DWORD *)(v9 + 4);
      }
      else
      {
        v4 = 0;
      }
      goto LABEL_11;
    }
    goto LABEL_9;
  }
LABEL_11:
  sub_7B148(v7);                /* release key object (v7 is non-NULL on every path here) */
LABEL_12:
  if ( v8 )
    sub_7B148(v8);
  if ( v9 )
    sub_7B148(v9);
  return v4;
}
αα»αααΆα sub_7AF78 αααααΎαα§ααΆα ααααααα»αααΊααααααααΆααα’αΆααααααααα ααααααΆααααααΆαα (ααΎαααΉααα·αααααα ααΎαα»αααΆααααααααα’α·ααα)α αα ααΈααααα»αααΈαααααΌαααΆααααααΎαα‘αΎα: αα½αααΆααααααΆαα "DcO/lcK+h?m3c*q@" (ααΆααΆααααα½αααΆαααΆαααααΊααΆαα) αα½ααααααΆααα·αααααααααααΆαα’αα·αααααΈαα αααααΆαααα ααααα»ααΆααααΈαααααΌαααΆαααΆαααααα»ααα ααΆααααααααααΆααααΆαααα½α αααααααΌαααΆααααααΌααα αα»αααΆα sub_6115C. α αΌαααΎααααααΆααααΆααα½ααααααΆαααααα 3 αααα»ααα ααΆααααααααααααααααα αααααΎαααΆααΎααΆαα’αααΈααΎαα‘αΎαα αααααα ααΆααααααααααααααααΆαααααα
/*
 * Crypto dispatcher: picks a primitive by a1->field_4 and runs it on a1->field_0 with the
 * key object a1->field_10 and the data object a1->field_14 (v3). *a2 receives a status:
 * 820000 is preset before anything runs, 0 on success; bad input produces an assembled
 * code with HIWORD 13:
 *   LOWORD 28032  -> 13<<16 + 28032 = 880000  (selector >= 0x19 or not in the switch)
 *   LOWORD -27504 -> 13<<16 + 38032 = 890000  (a1 == NULL or a1->field_14 == NULL)
 * Returns the primitive's result (a pointer in the callers seen here), or 0 on failure.
 *
 * Caller of interest: sub_73E56 passes field_4 = 3, i.e. sub_6364C (identified as RC4 in
 * the surrounding analysis). Case 0x15 returns `result` without ever assigning it -- the
 * decompiler is showing an uninitialised return; the real code presumably returns
 * whatever sub_61A60 left in r0. Cases 0x10..0x12 additionally pass the 64-bit field_8
 * and the status pointer to sub_612F4.
 */
int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
{
  int v3; // lr
  unsigned int v4; // r1
  int v5; // r0
  int v6; // r1
  int result; // r0
  int v8; // r0
  *a2 = 820000;
  if ( a1 )
  {
    v3 = a1->field_14;
    if ( v3 )
    {
      v4 = a1->field_4;
      if ( v4 < 0x19 )
      {
        switch ( v4 )
        {
          case 0u:
            v8 = sub_6419C(a1->field_0, a1->field_10, v3);
            goto LABEL_17;
          case 3u:
            /* selector used by the string decryptor sub_73E56 */
            v8 = sub_6364C(a1->field_0, a1->field_10, v3);
            goto LABEL_17;
          case 0x10u:
          case 0x11u:
          case 0x12u:
            v8 = sub_612F4(
                   a1->field_0,
                   v4,
                   *(_QWORD *)&a1->field_8,
                   *(_QWORD *)&a1->field_8 >> 32,
                   a1->field_10,
                   v3,
                   a2);
            goto LABEL_17;
          case 0x14u:
            v8 = sub_63A28(a1->field_0, v3);
            goto LABEL_17;
          case 0x15u:
            sub_61A60(a1->field_0, v3, a2);
            return result;              /* uninitialised in this listing (see header) */
          case 0x16u:
            v8 = sub_62440(a1->field_14);
            goto LABEL_17;
          case 0x17u:
            v8 = sub_6226C(a1->field_10, v3);
            goto LABEL_17;
          case 0x18u:
            v8 = sub_63530(a1->field_14);
LABEL_17:
            /* common exit: non-zero result clears the status, zero keeps 820000 */
            v6 = 0;
            if ( v8 )
            {
              *a2 = 0;
              v6 = v8;
            }
            return v6;
          default:
            LOWORD(v5) = 28032;         /* -> status 880000 with HIWORD 13 below */
            goto LABEL_5;
        }
      }
    }
  }
  LOWORD(v5) = -27504;                  /* -> status 890000 with HIWORD 13 below */
LABEL_5:
  HIWORD(v5) = 13;
  v6 = 0;
  *a2 = v5;
  return v6;
}
αααΆαααΆααααααβααααΌαβααΊβααΆβααΆαβαα ααΆααααααααβαααβααααΌαβααΆαβαααααβαααααβααΈβαα»α 3. ααΎαβααααΈβααΈ 3α αα βαα»αααΆα sub_6364C αααΆαααΆααααααααααΌαααΆαααααααΆααααΈαα ααΆαααααααααααααααΌαααΆααααααααα ααΈααααααα»ααα»αααΆααα»α αααααΊ αα αα·ααα·αααααααααααΆαα’αα·αααααΈαα ααααα·αααΎα’ααααααα‘ααααΎααααΆααα·ααααα·ααα sub_6364Cα’αααα’αΆα ααααΆαα RC4 algorithm αα αααα»αααΆα
ααΎαααΆααααα½ααααααααΆα αα·ααααααΉααα½αα αααβααααΆααΆαβαα·ααααΈαβαααααβααααΆααα αααααΆα’αααΈαααααΆαααΎαα‘αΎαα com/taobao/wireless/security/adapter/JNICLibrary. α’ααα αΆααα! ααΎααααα·ααα ααΎααααΌαααααΌαα
ααΎαααΎαααααΆ
α₯α‘αΌααααααΎαααααΌαααααααααααα αΆααααααα½αα ααΆαα α»ααααααααααΆαα·ααΎααααααΉαα ααα’α»αααΎααα αα»αααΆα doCommandNative. αααααΎααα»αααΆααααα α ααΆααΈ JNI_OnLoad, α αΎαααΎαααααΎαααΆαα αααα»α sub_B7B0:
/*
 * Registers the single native method of JNICLibrary. Both the method name
 * ("doCommandNative", 0x10 bytes) and its signature
 * ("(I[Ljava/lang/Object;)Ljava/lang/Object;", 0x29 bytes) are stored encrypted and
 * decrypted into stack buffers right before RegisterNatives, which is why neither string
 * appears in the binary and why no Java_..._doCommandNative export exists.
 * fnPtr = sub_B69C is the native implementation (decompiled as doCommandNative below).
 * Returns 0 on success, -1 when RegisterNatives returned a negative value (>> 31 keeps
 * only the sign bit).
 *
 * Note: the buffer sizes equal the decrypt lengths exactly (name[16] / signature[41]);
 * whether a terminating NUL fits depends on decryptString zeroing the last byte the way
 * sub_73E56 does (memset + copy of size-1) -- assumed, not verified here.
 */
int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
{
  char signature[41]; // [sp+7h] [bp-55h]
  char name[16]; // [sp+30h] [bp-2Ch]
  JNINativeMethod method; // [sp+40h] [bp-1Ch]
  int v8; // [sp+4Ch] [bp-10h]
  v8 = *(_DWORD *)off_8AC00;   /* looks like a stack-protector cookie -- assumption */
  decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);// doCommandNative
  decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u);// (I[Ljava/lang/Object;)Ljava/lang/Object;
  method.name = name;
  method.signature = signature;
  method.fnPtr = sub_B69C;     /* the native doCommandNative body */
  return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
}
α αΎαααΆααΆααα·αααΆαα αα·ααΈααΆαααααααΎααααααΆααααααααααΌαααΆαα α»αααααααα ααΈααα doCommandNative. α₯α‘αΌααααααΎαααΉαααΈα’αΆααααααΆαααααααΆααα αααααΎαα’αααΈαααααΆααααααΎα
/*
 * Native entry behind JNICLibrary.doCommandNative. The command id is split into three
 * decimal fields -- command / 10000, (command % 10000) / 100 and command % 100 -- which
 * for 10601 are 1, 6 and 1. They are stored in a heap struct together with env and the
 * Java argument array and passed to the dispatcher sub_9D60 (not shown), so the actual
 * routing of "decrypt" (10601) happens there. If the dispatcher returns 0 but set v11,
 * sub_7CF34 is called with env and v11 (presumably raising a Java exception -- not
 * verified here). Returns v5, the dispatcher's status, which stays 0 when malloc failed.
 *
 * Note: a5 is freed unconditionally; free(NULL) is well-defined, so the malloc-failure
 * path is safe. The 0x14-byte block holds five 4-byte fields, field_10 being the last.
 */
int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
{
  int v5; // r5
  struc_2 *a5; // r6
  int v9; // r1
  int v11; // [sp+Ch] [bp-14h]
  int v12; // [sp+10h] [bp-10h]
  v5 = 0;
  v12 = *(_DWORD *)off_8AC00;   /* looks like a stack-protector cookie -- assumption */
  v11 = 0;
  a5 = (struc_2 *)malloc(0x14u);
  if ( a5 )
  {
    a5->field_0 = 0;
    a5->field_4 = 0;
    a5->field_8 = 0;
    a5->field_C = 0;
    /* decimal decomposition of the command id: 10601 -> N1 = 1, N2 = 6, N3 = 1 */
    v9 = command % 10000 / 100;
    a5->field_0 = command / 10000;
    a5->field_4 = v9;
    a5->field_8 = command % 100;
    a5->field_C = env;
    a5->field_10 = args;        /* the Object[] packed on the Java side */
    v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);
  }
  free(a5);
  if ( !v5 && v11 )
    sub_7CF34(env, v11, &byte_83ED7);   /* error path; byte_83ED7 is likely a message */
  return v5;
}
ααΆααααααα’αααα’αΆα ααΆαααΆαααΆαααααΊααΆα ααα»α α αΌααααα»αααΆαααΆααα’αααααα’αααα’αα·ααααααααΆααααααα α α·αααααααααα αααααΆαααααΎαα ααΎαα αΆααα’αΆααααααααΎαα»αααΆα 10601 α
α’αααα’αΆα ααΎαααΎαααΈααΌααααααααααααΆαααααΎααααααΈα ααΆααααααααΆ / 10000, ααΆααααααααΆ % 10000 / 100 ΠΈ ααΆααααααααΆ % 10α§. αααα»αααααΈααααααΎα 1, 6 αα·α 1α αααααΆααααΈααα ααααΌα ααΆααααα·α αα JNIEnv α αΎαα’αΆαα»ααααααααααΆααααααΌααα α’αα»ααααααααΌαααΆααααααααα αα ααΆαααααααααα½αα αΎααααααΌαααααα αααβααααΎβαααβααΈβαααβααα½αβααΆα (ααΌαβαααααΆααβαα½αααΆ N1, N2 αα·α N3) αααααΆαβααΆαααβαααααΆβααααΌαβααΆαβαααααΎαβα‘αΎαα
α’αααΈαα½αβααΌα ααα:
ααΎαααΎααααΌαααΆαααααααααααΆααααα JNI_OnLoad.
αααααΈααΆαα’αα·αααΌαααααΌααα
αααα»αααΎαααΎα ααααΉαααΈαα½αααααααααΆαααΆαα’αΆααααααΆα pocked αααα»αααΆααααααααΌαααααΆα αααααΉαααΊαα
αααα»αααααΆααααα ααΆαααααααααααααααα
αααα»αααΌαααααα»αααΆααααααΎαααααΌαααΆαααααΌαααΆααααααααα
αααααΆααα·ααα·ααΆααα ααααα·αααΎα’ααααααααΈαα
ααΆααααααααααΆααα’αααααααΆαααααΎ (ααΎααα·ααααααΆαα½αααΆααΎααααΈαα»αα±ααα’αααααααααΆαααα)α
ααΆαα ααααΌαα αααααααααααααα
ααΎαααΆαααα½αα’αΆααααααΆααααα»αααΆαααααα½ααα·ααααΈαα ααΆα αααα 0x5F1AC α ααα»ααααααΆααΏαααααααα»αααΆαααΈαααΆαα α’αααα’αα·αααααα UC Browser ααΆααααα αααΆαααααΆααααα’αΎααα½αααααααααΆαααα½αααΎαα
αααααΆααααΈααα½αααΆααααΆαααΆααααααααΈα’αΆαααααααααΌαααΆααααααΎαα‘αΎααα
αααα»αααΌα Java ααΎαααα½αααΆα
αα
αα»αααΆααα
α’αΆααααααΆα 0x4D070 α α αΎααα
ααΈααα ααααααααααΆαααΆααααΆααααΌααα½ααααααααααααα»ααααα
αΆαααΎαα
ααΎαααΆαααααααααααααΈααααα»α R7 αα·α R4α
ααΎαααααΌααααααααααααΈαα½ααα
R11α
ααΎααααΈααα½αααΆαα’αΆααααααΆαααΈααΆααΆα ααΌαααααΎαα·αα·ααααα
αααααΆααααΈα
αΌααα
ααΆααα’αΆααααααΆαααΈαα½α αα·αα·ααααααΈααΈαααααΌαααΆαααααΎ ααααααα·ααα
αααα»α R4α ααΆα 230 ααΆαα»αα
αααα»αααΆααΆαα
α’αααΈαααααααΌαααααΎα’αααΈααΆ? α’αααα’αΆα ααααΆαα IDA ααΆαααααΊααΆαα»αααΆααα ααααααα½α -> αααααααα -> αααααΆααααΆαααααΌα idiom α
αααααΌαααααααααΊαα½αα±ααααααΆα
α ααα»αααα ααΆαβααααΎβααααΌαβααΆααβααααβααααβααΆ α’αααβα’αΆα
βαααααΆααβααΎαβααΆαβα α
βαα
βαα»αααΆαβαααβααΎαβααααΆααβααααΆααβαα½α
βα αΎαα sub_6115C:
ααΆααα»αααΆααααααααα»αααααΈααΈ 3 ααΆαααΆααα·ααααΈααααααααΎαααα½ααααααααΆα RC4 α α αΎααααα»αααααΈααααα
ααΆαααααααααααααΆααααααΌααα
αα»αααΆαααααΌαααΆααααααααΈαααΆαααΆαααααααααααΆααααααΌααα
doCommandNative. α
αΌαααΎαα
αα
αΆαααΌαα’αααΈαααααΎαααΆααα
ααΈααα αααααααα’ααΈα ααΆαα½αααΉαααααα 16. ααΎααα·αα·αααααΎαααααΈαααααααΌαααααΆ α αΎααααααΆααααΈααΆαααααΆααααααΌαααΆα
αααΎα ααΎαααααΎαααΌαααααααα½ααααααααΆαα’αΆα
ααααΌαααΆααααααα’ααααααααΆαα
αααααΊααΆ AES!
αααα½ααααααααΆαααΆαα αΎα α’αααΈααααα ααααααααΊααΎααααΈααα½αααΆααααΆαααΆααααααααααααΆα αααα αααααΉα αα·α ααα·α αααααΆαα αΆααααααΎα (ααααααΆαααααααΆα’αΆαααααααΎααααααααα·ααααα·ααΆααααααα½ααααααααΆα AES) α αα ααΆααααααααααΆαα½ααα½αααααααΌαααααααΌαααΆααααααΎαα‘αΎααα ααααααααΆαα½ααα»ααααααΆαα α αα»αααΆα sub_6115Cααα»αααααααααααααΌααααααΆαααΆαα ααααΌαα ααααααααΆαααααΆαα ααΌα αααααααα·αααΎαα‘αΎαααΎααααΈαα½ααα»αααΌα ααΎααααΈα±αααααΆαααΆααααααααΆααα’αααααα»αααΆααα·ααααΈαααααΌαααΆααααα αααα αααα»αα―αααΆαα
αααα
ααΎααααΈαα»αα±αααααααααΌαααααααΆααα’ααααΆααΆααΆααα‘αΎαααααα α’αααα’αΆα ααΎαααααΎαααΆα Android Studio ααααααα»αααΆααα ααΈααααααααα½ααααΆαααΆαααααααααα αΌαααΌα ααααΆααΉααα»αααΆααα·ααααΈαααααααΎα α αΎαααααααα α―αααΆα αααααΆααααα αααα-αα·αααααΆααααΌααααα’αααα αααααααΉα αααααΎαα
αα·ααααααααα·ααααααΎαααααΈαααα»α UC Browser ααααΆαααα α·ααααα»αααΆααααΎααΆαααΆααααα½αααααΆαααααααααΌααααααα α αΌαααΎαα αΆαααΆαα ααΎααααα»αααΆαααΈαα½αα ααΎαααΆααααααΌαααααΆααααα’αΆα αααα½αααΆααααααΆααααα½αα ααΆααααα½αααΆαα π ααααααΆαααΆααααααα ααΎααα»αααΆαααααα αα·αααΆααααααααααααααααΆαααααααΆααααΌαααααααααΆαα»ααααΆαααΆααααααααΆααα’αααα αααα»αα―αααΆααα½αα αααα»αβααααΌαβαααααβααΆβααΆβααααα α αΎαβααααΎβαααα»αβααααΆαβααΈβαα»αααΆαβαα·αααΆαα ααα»αααΆααα½ααααααα
αααααααααΌαα
αα
αααα»αααααΆαααααααα ARM αααΆαααΆαααααααα»αααΆααα½αααααΌαααααΌαααΆαααααααΆααααΆαα
α»αααααα R0-R3 αα
αααααααα·αααΎααΆαααααΌαααΆαααααααΆαααααα ααΆαα
α»αααααα LR αααα»αα’αΆααααααΆααααα‘αααααα·αα ααΆααα’αααααα
αΆαααΆα
αααααΌααααααΆαα»αααΎααααΈα±αααα»αααΆαα’αΆα
ααααΎαααΆααααααΆααααΈααΎααααα
αααααΆαααΆααααααααααααΆα ααΎαααααααΌααααααΆαα»αααΆαα
α»ααααααααΆααα’αααααααΎαααΉαααααΎαααα»αααααΎαααΆα ααΌα
ααααααΎαααααΎ PUSH.W {R0-R10,LR}α αα
αααα»α R7 ααΎαααα½αααΆαα’αΆααααααΆααααααααΈαααΆαααΆαααααααααααΆααααααΌααα
αα»αααΆαααΆαααααααα
ααΆαααααΎααααΆαααα»αααΆα fopen αααααΎαα―αααΆα /data/local/tmp/aes αα
αααα»ααααα "ab"
i.e. αααααΆααααΆαααααααα αα
αααα»α R0 ααΎααααα»αα’αΆααααααΆααααααααα―αααΆααα
αααα»α R1 - α’αΆααααααΆααααααααΆααααααααα αΆαααΈααααα α αΎααα
ααΈααααααααΌαααααΆααααα
αα ααΌα
ααααααΎααααααα
αα»αααΆααααααΆααα ααΎααααΈα±ααααΆααααααααΎαααΆα ααΎαααΆαααΆαααα
ααΎαααααΌαααΌαααΆαααααΆααααααΌααα
ααΌααα·ααααα»αααΆα αααααααααΆααααααΆα α αΎααααα½αα±ααααααΆαααΎαααααααααΆαααααααααααα
ααΆαα α
ααΌααααα fopen.
αααΆαααΆααααααααΈααααΌααααα»αααΆα aes ααΆααααααα int. αααααΆαβααΎαβααΆαβαααααΆβαα»αβααΆαβα α»αβαααααβαααα»αβαααβαα βααΎαβααααΌα ααΎαβα’αΆα βα α»α βαα»αααΆαβααΆαβαααΆαβααΆαααα ααααα α’αΆααααααΆααααααα½ααααα ααΎαααα
αααααΆααβααβααΎαβααΆαβαα
ααΆααααααααβααΈβαααβααΆαβααα αβαα·αααααα αα·αβα
ααα’α»αβαα
βαα·ααααααβαααααΆααβααΌααα ααα·α
αααβα
αΆααααααΎα αα·αβαα·ααααααβαααβααΆαβα’αα·αααααΈαα
αα
α
α»ααααα
αααα·αα―αααΆα ααααΆαααΆαα
α»αααααα αα·ααααααααΆαααααααααααα
αα»αααΆααα·α aes.
ααΎααααααΌα APK ααΆαα½ααααααΆααααααααΆααα½ααα»α α α»αα αααααααΆααΎααΆ αααα ααααΆαα αααα»αα§ααααα/αααααα·ααΈααααΆααααΆα α αΎαααΎαααααΎαααΆαααΆα ααΎαααΎαααΆααΆαα αΆααααααΆαααααααΎααααα»αααααΌαααΆααααααΎα α αΎααα·ααααααααΆα αααΎααααα»αααααΌαααΆαααααααα ααΈαααα αααααα·ααΈαα»αααααααΎααΆαα’αα·αααααΈααα·αααααΉααααααααΆααα ααΆα ααααα α αΎαααΆαα’αα·αααααΈαααΆααα’ααααααααΆαααα»αααΆααααααααΌαα αααα½αα ααα»αααααααααΆααα ααα»αααα½αα ααα½ααα·ααααααα αΆαααΆα ααα·ααα ααΈααα α αΎαααααΎαααααααΌαααΆααα·αα’αΆα ααΎαααΎααα αααα»αα ααΆα αααααα ααΎααααΈαα»αα±αααααα αΆααα αΌαααα UC Browser αα ααΆααΎααααΈααααΎααααΎα αΆαααΆα α ααΌαααα½αααααΆαααααΎααααααααΆαα’αα·αααααΈαααΈαααΆαααΈααααααααΆαααα½ααα»αααα α αΎααα½ααα»ααααααα·ααΈαααααααα ααααααααΆααα·ααααΈααα onCreate αααααααααΆαα ααααα
# Test-harness fragment that, per the surrounding text, was injected into onCreate of a
# repackaged APK. Register numbering depends on that method's .registers/.locals, which
# are not shown here. It builds a 0x62-byte (98-byte) buffer from the :encrypted_data
# table (defined outside this excerpt), runs it through the app's own helper
# com.uc.browser.core.d.c.g.j(int, byte[]) -> byte[] with selector 0x1f, and logs only
# the LENGTH of the result under tag "ololo"; no decrypted bytes are written to logcat.
const/16 v1, 0x62                                  # v1 = 98: size of the ciphertext buffer
new-array v1, v1, [B                               # v1 = new byte[98]
fill-array-data v1, :encrypted_data                # copy ciphertext in from the :encrypted_data table
const/16 v0, 0x1f                                  # v0 = 0x1f, first argument to g.j (meaning not visible here)
invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B   # in-app decryption: j(int, byte[]) -> byte[]
move-result-object v1                              # v1 = decrypted byte[] (may be null)
array-length v2, v1                                # v2 = length; dereferences v1, so a null result throws NullPointerException here
invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;   # v2 -> String
move-result-object v2
const-string v0, "ololo"                           # log tag
invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I   # Log.d("ololo", length)
ααΎααααααΌααααα»α α α»αα αααααααΆ ααα‘αΎα ααΎαααααΎαααΆαα ααΎαααα½αααΆα NullPointerException ααΈααααααα·ααΈααΆααααααααα‘αα null α
αααα»αα’αα‘α»ααααααααΆααα·ααΆαααααααααααΌα αα»αααΆααα½αααααΌαααΆαααααααΎαααα deciphers αααααΆαααα½αα±ααα αΆααα’αΆαααααα: "META-INF/" αα·α ".RSA" α ααΆα αΆααααΌα ααΆαααααα·ααΈαααα»ααααααααααΆαααα·ααααΆααααααααααααΆα α¬ααΌααααΈαααααααΎαααααΈααΆα αααα»ααα·αααΆαα·αα αααααααααΆαααΆαα½αααΉαα’αααΈααααααα»αααΎαα‘αΎαααΆαα½ααα·ααααΆαααααααα ααΌα ααααααΎαααΉαααααΆαααααααααΆααααΆααΌααα·ααααΆααααααααααΉαααααΌαα ααααα½ααα»ααααααΆαααααααΆαα’αα·αααααΈα ααΌα αααααααα½αα±αα "META-INF/" ααΎαααα½αααΆα "BLABLINF/" αααααΎαααα―αααΆααααααΆααααααααααα αααα»α APK α αΎααααααααα·ααααΆαααααααααααα·ααΈαα»αααααΆαα’ααΈαααΊαα·ααα ααΈαααα
ααΎααααααΌααααα»α α α»αα αααααααΆ ααα‘αΎα ααΎαααααΎαααΆαα αααΈαα ααα! ααΎαααΆααααααΉα!
ααΈααΈα’αΉα
ααΎαααΆαααα½αααΌααααα½α αα·αααα·α αααα αΆααααααΎαααααΎααΉαααΌαααα αααααααΆααΆααα·ααααΈαααΆαααααΎααααααααααΆαααΈααααα αααα»ααααα CBC α
ααΎαααΎααααααααΆα URL αααααααααααΉα MD5 βextract_unzipsizeβ αα·αααααα½αα ααΎααα·αα·αααα MD5 ααααααααΆαααΊααΌα
ααααΆ ααα ααααααααΆαααααααα·αααΆαααα
ααα
ααααΊααΌα
ααααΆα ααΎααααα»αααααΆααΆααα½ααα»ααααααΆαααααα α αΎααααααα±ααααΆαα
αααααα·ααΈαα»αααα ααΎααααΈαααα αΆαααΆαααααΆααααααααΆαααααααααααΎαααΆααααα»α ααΎαααΉαααΎαααααΎαααΆα Intent ααΎααααΈαααααΎαααΆα SMS αααααΆαα’αααα βPWNED!β ααΎαααΉααααα½αααΆαααααΎαααααΈαααΈαααΆαααΈαααα
αααααα·ααΈαα»αααααΆαα’ααΈαααΊαα·αααααΆααΆαααΆαααααααααΆαααΆα
αααΎααα αααααΆααααΈαααααΆαααααααα α»αα ααΆαααααααα’αααΈαα½α
ααΆααβαα·αβα
αΌαα
α·αααα ααΆααααααααααΆααα·ααΆααααααααααααααα·α
ααααα·αααα ααΆααΆαααααααααΆαααΆαααΆαααΈααααααααααΌαααα ααααααααααΆααααααα
ααΆααααΌαααΆαα’αα·αααΌααα
αααα»α LEB128 α αααααΆααααΈαααα ααα ααααααααααΆαααΆαα½ααααααΆαααααΆαααααΆααααααΌαααααα·α
ααααα½α
ααΌα
αααααααααα·ααΈαα»αααααΆαα
αΆαααα»αααΆααααααΆαααααΌαααΆαααΆααααααα’α
ααααΆ α αΎααααααΆααααΈααΆαααααΆααΆαααΆα
αααΎααα ααΆααΆαααααααα α»αα
ααΎαααααααα½αααα αααααααααΆα... α αΎα - ααααααα! π ααααααααΊαα αααα»αααΈααα’αΌα
αααα·ααΆα αα·αααααα·ααααααααα’αααα’αα·αααααα
ααΌα ααααΆααα αα½α Hacker α’αΆα ααααΎααααΆαααα»αααΆααα·αααΆααα»ααααα·ααΆααααα UC Browser ααΎααααΈα ααα αΆα αα·αααααΎαααΆααααααΆααααααααΆααααα·αα’αΆαααααα αααααΆαααααΆαααααααΉαααααΎαααΆααα αααα»αααα·αααααααααα·ααΈαα»ααα ααΌα αααααα½αααααΉαααα½αααΆαααΆαα’αα»ααααΆαααααααααααΆααα’ααααααααΆα ααΆαααααα αααααααΆααααα»αααΆααααα αΆααααα’α½α ααααα ααααΌα ααΆααΆαα αΌααα ααΆααα―αααΆαααΆαααΆααααααααααααααα»αα α·ααααααΉαααααΌα αα½αααΆααααΆαα αΌα ααΆααααααααΆαα αα·αααΌααΈααααααααΆαα»ααααα»αααΌαααααΆααα·ααααααα
ααΎαααΆαααΆααααα’αααα’αα·αααααα UC Browser αα·αααΌαααααΉααα½αααα’αααΈαααα αΆαααααΎαααΆαααααΎα ααααΆααΆαα
ααα’α»ααααα αΆαααΈααΆαααΆαααααααα αα·ααααααααααΆααααααααΆ ααα»αααααα½ααααα·αααΆααα·ααΆααααΆα’αααΈααΆαα½αααΎαααα αααααΉαααΉαααα αααααα·ααΈαα»αααααΆαα’ααΈαααΊαα·αααΆααααααααα αΆαααΈαααααααα·ααααααααααααααΆααααααααΆαα
αααα»αααΆαααΎαααΎαααααααΆα ααα»αααααα
ααααααααΎααααα αΆαααααααΆααααα’α·αααααΆαααΆααααααααααα ααΆαα·αα’αΆα
αα·αα’αΎααΎααΆααΌα
ααΈαα»ααααααα ααααααΈ 27 ααααΈααΆ
ααααααααΈαα UC Browser 12.10.9.1193 ααααΌαααΆαα
ααααααΆα αααα
αΌαααααΎαααΆαααΈαααααΆαααα HTTPSα
ααΎαααΈαααααααααααΆααααΈ "αα½ααα»α" αα·ααα αΌαααααααααααΆααααααα’αααααααα ααΆαααααΆααΆαααΎα PDF αα
αααα»ααααααα·ααΈαα»αααααΆααααααΆαα±ααααΆαααΆαααα α»αααΆαα½αα’ααααα "α’αΌ! ααΆαα’αααΈαα»α!" ααααΎαα
ααΆαααααΆαααΈααααα·αααααΌαααΆαααααΎα‘αΎααα
αααααααΆααΆαααΎα PDF ααααα ααα»ααααααααΎαα½αααααΌαααΆαααααΎα‘αΎααα
αααααααααααα·ααΈαα»αααααααΌαααΆαααΎαααααΎαααΆα ααααααα αΆαααΈααααααΆααααααααα»αααΆαααΆαααααΌααααα’αΆα
ααααα·ααααα·ααΆααααααααΆαα
αααΆαα Google Play α
ααααα: www.habr.com