Looking for vulnerabilities in UC Browser

Introduction

At the end of March we reported that we had discovered a hidden ability to download and run unverified code in UC Browser. Today we will look in detail at how this download works and how attackers could use it for their own purposes.

For quite some time UC Browser has been advertised and distributed very aggressively: it was installed on users' devices by malware, it was distributed from various sites under the guise of video files (that is, users thought they were downloading, say, a porn video, but instead received an APK with this browser), and scary banners were used with messages that the browser was out of date, vulnerable, and so on. In the official UC Browser group on VK there is a thread where users can complain about misleading advertising, and there are many examples in it. In 2016 there was even a video advertisement in Russian (yes, an advertisement for an ad-blocking browser).

At the time of writing, UC Browser has more than 500 million installs on Google Play. This is impressive: only Google Chrome has more. Among the reviews you can see quite a few complaints about advertising and redirects to some applications on Google Play. This was the reason for our research: we decided to find out whether UC Browser is doing something bad. And it turned out that it is!

In the application code we found the ability to download and run executable code, which violates the rules for publishing applications on Google Play. Besides the fact that UC Browser downloads executable code, it does so insecurely, which can be used to carry out a MitM attack. Let's see whether we can carry out such an attack.

Everything written below applies to the version of UC Browser that was available on Google Play at the time of the study:

package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
sha1 of the APK file: f5edb2243413c777172f6362876041eb0c3a928c

Attack vector

In the UC Browser manifest you can find a service with the self-explanatory name com.uc.deployment.UpgradeDeployService.

    <service android:exported="false" android:name="com.uc.deployment.UpgradeDeployService" android:process=":deploy" />

When this service starts, the browser makes a POST request to puds.ucweb.com/upgrade/index.xhtml, which can be seen in the traffic some time after launch. In response it may receive a command to download some update or a new module. During the analysis the server did not issue such commands, but we noticed that when we tried to open a PDF in the browser, it made a second request to the address given above and then downloaded a native library. To carry out the attack we decided to use this feature of UC Browser: the ability to open a PDF with a native library that is not in the APK and is downloaded from the Internet when needed. It is worth noting that, in theory, UC Browser can be made to download something without any user interaction at all, if a correctly formed response is supplied to the request that is made after the browser starts. But for that we would need to study the protocol of interaction with the server in more detail, so we decided that it would be easier to modify the intercepted response and replace the library for working with PDF.

So, when a user wants to open a PDF directly in the browser, the following requests can be seen in the traffic:


First there is a POST request to puds.ucweb.com/upgrade/index.xhtml, then an archive with the library for viewing PDF and office formats is downloaded. It is logical to assume that the first request sends information about the system (at least the architecture, in order to deliver the right library), and in response the browser receives some information about the library that needs to be downloaded: its address and possibly something else. The problem is that this request is encrypted.

Request fragment

Response fragment

The library itself is packed in a ZIP and is not encrypted.

Searching for the traffic decryption code

Let's try to decrypt the server's response. We look at the code of the class com.uc.deployment.UpgradeDeployService: from the onStartCommand method we go to com.uc.deployment.bx, and from there to com.uc.browser.core.dcfe:

    public final void e(l arg9) {
        int v4_5;
        String v3_1;
        byte[] v3;
        byte[] v1 = null;
        if(arg9 == null) {
            v3 = v1;
        }
        else {
            // Log strings describing the upgrade request (built, not otherwise used here)
            v3_1 = arg9.iGX.ipR;
            StringBuilder v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]product:");
            v4.append(arg9.iGX.ipR);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]version:");
            v4.append(arg9.iGX.iEn);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]upgrade_type:");
            v4.append(arg9.iGX.mMode);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]force_flag:");
            v4.append(arg9.iGX.iEo);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_mode:");
            v4.append(arg9.iGX.iDQ);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_type:");
            v4.append(arg9.iGX.iEr);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_state:");
            v4.append(arg9.iGX.iEp);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_file:");
            v4.append(arg9.iGX.iEq);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apk_md5:");
            v4.append(arg9.iGX.iEl);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_type:");
            v4.append(arg9.mDownloadType);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_group:");
            v4.append(arg9.mDownloadGroup);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_path:");
            v4.append(arg9.iGH);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_child_version:");
            v4.append(arg9.iGX.iEx);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_series:");
            v4.append(arg9.iGX.iEw);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_arch:");
            v4.append(arg9.iGX.iEt);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp3:");
            v4.append(arg9.iGX.iEv);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp:");
            v4.append(arg9.iGX.iEu);
            ArrayList v3_2 = arg9.iGX.iEz;
            if(v3_2 != null && v3_2.size() != 0) {
                Iterator v3_3 = v3_2.iterator();
                while(v3_3.hasNext()) {
                    Object v4_1 = v3_3.next();
                    StringBuilder v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_name:");
                    v5.append(((au)v4_1).getName());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_name:");
                    v5.append(((au)v4_1).aDA());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_code:");
                    v5.append(((au)v4_1).gBl);
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_req_type:");
                    v5.append(((au)v4_1).gBq);
                }
            }
            // Build the request body: device and browser fingerprint as key/value pairs
            j v3_4 = new j();
            m.b(v3_4);
            h v4_2 = new h();
            m.b(v4_2);
            ay v5_1 = new ay();
            v3_4.hS("");
            v3_4.setImsi("");
            v3_4.hV("");
            v5_1.bPQ = v3_4;
            v5_1.bPP = v4_2;
            v5_1.yr(arg9.iGX.ipR);
            v5_1.gBF = arg9.iGX.mMode;
            v5_1.gBI = arg9.iGX.iEz;
            v3_2 = v5_1.gAr;
            c.aBh();
            v3_2.add(g.fs("os_ver", c.getRomInfo()));
            v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
            v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
            String v4_3 = com.uc.b.a.a.c.Pd();
            v3_2.add(g.fs("cpu_vfp", v4_3));
            v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
            v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
            v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
            v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
            v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
            v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
            v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
            v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
            v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
            v3_2.add(g.fs("child_ver", r.aVw()));
            v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));
            v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature()));
            v3_2.add(g.fs("upgrade_log", i.bjt()));
            v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
            v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
            v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
            v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
            v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
            v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
            boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
            v3_2.add(g.fs("neon", String.valueOf(v4_4)));
            v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
            v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
            v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
            c.aBh();
            v3_2.add(g.fs("rom_1", c.getRomInfo()));
            v4_5 = e.getScreenWidth();
            int v6 = e.getScreenHeight();
            StringBuilder v7 = new StringBuilder();
            v7.append(v4_5);
            v7.append("*");
            v7.append(v6);
            v3_2.add(g.fs("ss", v7.toString()));
            v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
            v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));
            Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
            while(v4_6.hasNext()) {
                Object v6_1 = v4_6.next();
                v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
            }
            v3 = v5_1.toByteArray();
        }
        if(v3 == null) {
            this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
            return;
        }
        // Encryption mode byte: 0x1F when encryption is enabled, 0 otherwise
        v4_5 = this.iGY.iGw ? 0x1F : 0;
        if(v3 == null) {
        }
        else {
            v3 = g.i(v4_5, v3);
            if(v3 == null) {
            }
            else {
                // 16-byte header: 0x5F, 0, mode, 0xCE (-50), zero padding; then the encrypted body
                v1 = new byte[v3.length + 16];
                byte[] v6_2 = new byte[16];
                Arrays.fill(v6_2, 0);
                v6_2[0] = 0x5F;
                v6_2[1] = 0;
                v6_2[2] = ((byte)v4_5);
                v6_2[3] = -50;
                System.arraycopy(v6_2, 0, v1, 0, 16);
                System.arraycopy(v3, 0, v1, 16, v3.length);
            }
        }
        if(v1 == null) {
            this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
            return;
        }
        if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
            this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
            return;
        }
        StringBuilder v0 = new StringBuilder("[");
        v0.append(arg9.iGX.ipR);
        v0.append("]url:");
        v0.append(this.iGY.mUpgradeUrl);
        // POST the framed body to the upgrade URL with dataver=pb appended
        com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
        v3_1 = this.iGY.mUpgradeUrl;
        com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
        v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
        n v3_5 = v0_2.uc(v3_1);
        m.b(v3_5, false);
        v3_5.setMethod("POST");
        v3_5.setBodyProvider(v1);
        v0_2.b(v3_5);
        this.iGY.iGI.a(arg9, "up_null", "yes", "success");
        this.iGY.iGI.b(arg9);
    }

Here we see how the POST request is formed. Note the creation of a 16-byte array and how it is filled: 0x5F, 0, 0x1F, -50 (= 0xCE). This matches what we saw in the request above.

In the same class you can find a nested class with another interesting method:

        public final void a(l arg10, byte[] arg11) {
            f v0 = this.iGQ;
            StringBuilder v1 = new StringBuilder("[");
            v1.append(arg10.iGX.ipR);
            v1.append("]:UpgradeSuccess");
            byte[] v1_1 = null;
            if(arg11 == null) {
            }
            else if(arg11.length < 16) {
            }
            else {
                // Header check: byte 0 == 0x60, byte 3 == 0xD0 (-48); mode in byte 2, flag in byte 1
                if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
                    goto label_57;
                }
                int v3 = 1;
                int v5 = arg11[1] == 1 ? 1 : 0;
                if(arg11[2] != 1 && arg11[2] != 11) {
                    if(arg11[2] == 0x1F) {
                    }
                    else {
                        v3 = 0;
                    }
                }
                // Strip the 16-byte header and decrypt according to the mode byte
                byte[] v7 = new byte[arg11.length - 16];
                System.arraycopy(arg11, 16, v7, 0, v7.length);
                if(v3 != 0) {
                    v7 = g.j(arg11[2], v7);
                }
                if(v7 == null) {
                    goto label_57;
                }
                if(v5 != 0) {
                    v1_1 = g.P(v7);
                    goto label_57;
                }
                v1_1 = v7;
            }
        label_57:
            if(v1_1 == null) {
                v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
                return;
            }
            q v11 = g.b(arg10, v1_1);
            if(v11 == null) {
                v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
                return;
            }
            if(v0.iGY.iGt) {
                v0.d(arg10);
            }
            if(v0.iGY.iGo != null) {
                v0.iGY.iGo.a(0, ((o)v11));
            }
            if(v0.iGY.iGs) {
                v0.iGY.a(((o)v11));
                v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
                v0.iGY.iGI.a(v11);
                return;
            }
            v0.iGY.iGI.a(v11, "up_silent", "no", "success");
        }
    }

The method takes a byte array as input and checks that the zero byte is 0x60, the third byte is 0xD0, and the second byte is 1, 11 or 0x1F. Let's look at the response from the server: the zero byte is 0x60, the second is 0x1F, the third is 0xD0. That is just what we need. Judging by the strings ("up_decrypt", for example), a method that decrypts the server's response must be called here.
Let's move on to the method g.j. Note that its first argument is the byte at offset 2 (that is, 0x1F in our case), and the second is the server's response without the first 16 bytes.

    public static byte[] j(int arg1, byte[] arg2) {
        if(arg1 == 1) {
            arg2 = c.c(arg2, c.adu);
        }
        else if(arg1 == 11) {
            arg2 = m.aF(arg2);
        }
        else if(arg1 != 0x1F) {
        }
        else {
            arg2 = EncryptHelper.decrypt(arg2);
        }
        return arg2;
    }

Clearly, a decryption algorithm is selected here, and the byte which in our case equals 0x1F designates one of three possible options.

We continue to analyze the code. After a couple of jumps we land in a method with the self-explanatory name decryptBytesByKey.

Here two more bytes are split off from our response and a string is obtained from them. It is clear that this selects the key for decrypting the message.

    private static byte[] decryptBytesByKey(byte[] bytes) {
        byte[] v0 = null;
        if(bytes != null) {
            try {
                if(bytes.length < EncryptHelper.PREFIX_BYTES_SIZE) {
                }
                else if(bytes.length == EncryptHelper.PREFIX_BYTES_SIZE) {
                    return v0;
                }
                else {
                    byte[] prefix = new byte[EncryptHelper.PREFIX_BYTES_SIZE];  // 2 bytes
                    System.arraycopy(bytes, 0, prefix, 0, prefix.length);
                    String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort()); // key selection
                    if(keyId == null) {
                        return v0;
                    }
                    else {
                        a v2 = EncryptHelper.ayL();
                        if(v2 == null) {
                            return v0;
                        }
                        else {
                            byte[] enrypted = new byte[bytes.length - EncryptHelper.PREFIX_BYTES_SIZE];
                            System.arraycopy(bytes, EncryptHelper.PREFIX_BYTES_SIZE, enrypted, 0, enrypted.length);
                            return v2.l(keyId, enrypted);
                        }
                    }
                }
            }
            catch(SecException v7_1) {
                EncryptHelper.handleDecryptException(((Throwable)v7_1), v7_1.getErrorCode());
                return v0;
            }
            catch(Throwable v7) {
                EncryptHelper.handleDecryptException(v7, 2);
                return v0;
            }
        }
        return v0;
    }

Looking ahead, we note that at this stage it is not yet the key that is obtained, but only its "identifier". Obtaining the key itself is a bit more involved.

In the next method two more parameters are added to the existing ones, making four in total: the magic number 16, the key identifier, the encrypted data, and an obscure string (in our case, empty).
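
The framing logic described in the last few paragraphs, as an added Python example that is not part of the article or of UC Browser's code: it mirrors the header checks of the decompiled handler a(l, byte[]) (magic bytes 0x60 and 0xD0, the flag in byte 1 that selects a g.P pass afterwards, the mode in byte 2) and the two-byte key-id prefix that decryptBytesByKey strips in mode 0x1F, and it also recognises request frames (0x5F ... 0xCE), which is the check a traffic monitor would run. The sample frames are constructed; the body stays encrypted because the key store lives in the native library examined later in the article.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constants reconstructed from the decompiled code quoted in the article.
REQ_MAGIC = (0x5F, 0xCE)      # request header: bytes 0 and 3 (byte 2 = encryption mode)
RESP_MAGIC = (0x60, 0xD0)     # response header: bytes 0 and 3
HEADER_LEN = 16
KNOWN_MODES = (1, 11, 0x1F)   # the three branches of g.j
PREFIX_BYTES_SIZE = 2         # key-id prefix stripped by decryptBytesByKey (mode 0x1F only)


@dataclass
class UpgradeFrame:
    mode: int               # byte 2 of the header
    post_process: bool      # byte 1 == 1: plaintext is run through g.P afterwards
    key_id: Optional[int]   # big-endian short from the first two body bytes (mode 0x1F)
    body: bytes             # still encrypted (or passed through untouched for an unknown mode, as g.j does)


def classify_frame(raw: bytes) -> Optional[str]:
    """Return 'request', 'response' or None for an arbitrary blob seen on the wire."""
    if len(raw) < HEADER_LEN:
        return None
    if raw[0] == REQ_MAGIC[0] and raw[3] == REQ_MAGIC[1]:
        return "request"
    if raw[0] == RESP_MAGIC[0] and raw[3] == RESP_MAGIC[1]:
        return "response"
    return None


def parse_upgrade_response(raw: Optional[bytes]) -> Optional[UpgradeFrame]:
    """Mirror the checks of the decompiled handler; None corresponds to 'up_decrypt fail'."""
    if raw is None or len(raw) < HEADER_LEN:
        return None
    # The decompiled condition is `arg11[0] != 0x60 && arg11[3] != 0xD0`, so a frame is
    # rejected only when BOTH magic bytes are wrong. That behaviour is kept on purpose.
    if raw[0] != RESP_MAGIC[0] and raw[3] != RESP_MAGIC[1]:
        return None
    post_process = raw[1] == 1
    mode = raw[2]
    body = raw[HEADER_LEN:]
    key_id = None
    if mode == 0x1F:
        # decryptBytesByKey yields null when PREFIX_BYTES_SIZE bytes or fewer remain.
        if len(body) <= PREFIX_BYTES_SIZE:
            return None
        key_id = struct.unpack(">h", body[:PREFIX_BYTES_SIZE])[0]  # ByteBuffer.getShort() is big-endian
        body = body[PREFIX_BYTES_SIZE:]
    return UpgradeFrame(mode, post_process, key_id, body)


# Constructed sample frames (not captured traffic): a mode-0x1F response carrying key id 7.
SAMPLE_RESPONSE = bytes([0x60, 0x01, 0x1F, 0xD0]) + bytes(12) + b"\x00\x07" + b"<encrypted payload>"
SAMPLE_REQUEST = bytes([0x5F, 0x00, 0x1F, 0xCE]) + bytes(12) + b"<encrypted payload>"

if __name__ == "__main__":
    print(classify_frame(SAMPLE_REQUEST), classify_frame(SAMPLE_RESPONSE))
    print(parse_upgrade_response(SAMPLE_RESPONSE))
```

The lenient magic check is reproduced deliberately rather than tightened: when writing a detection rule for this traffic it is the application's actual acceptance condition that matters, not the one the developer presumably intended.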

    public final byte[] l(String keyId, byte[] encrypted) throws SecException {
        return this.ayJ().staticBinarySafeDecryptNoB64(16, keyId, encrypted, "");
    }

After a series of transitions we arrive at the method staticBinarySafeDecryptNoB64 of the interface com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponent. There is no class in the main application code that implements this interface. Such a class exists in the file lib/armeabi-v7a/libsgmain.so, which is actually not a .so but a .jar. The method we need is implemented as follows:

    package com.alibaba.wireless.security.a.i;
    // ...
    public class a implements IStaticDataEncryptComponent {
        private ISecurityGuardPlugin a;
        // ...
        private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
            return this.a.getRouter().doCommand(10601, new Object[]{Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt), keyId, encrypted, magicString});
        }
        // ...
        private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
            return this.a(2, magicInt, 0, keyId, encrypted, magicString);
        }
        // ...
        public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
            if(keyId != null && keyId.length() > 0 && magicInt >= 0 && magicInt < 19 && encrypted != null && encrypted.length > 0) {
                return this.b(magicInt, keyId, encrypted, magicString);
            }
            throw new SecException("", 301);
        }
        //...
    }

Here two more integers are added to our parameter list: 2 and 0. By all appearances, 2 means decryption, as in the doFinal method of the system class javax.crypto.Cipher. And all of this is passed to some Router together with the number 10601; apparently this is the command number.

After the next chain of transitions we find a class that implements the IRouterComponent interface and its doCommand method:

    package com.alibaba.wireless.security.mainplugin;
    import com.alibaba.wireless.security.framework.IRouterComponent;
    import com.taobao.wireless.security.adapter.JNICLibrary;
    public class a implements IRouterComponent {
        public a() {
            super();
        }
        public Object doCommand(int arg2, Object[] arg3) {
            return JNICLibrary.doCommandNative(arg2, arg3);
        }
    }

And also the JNICLibrary class, in which the native method doCommandNative is declared:

    package com.taobao.wireless.security.adapter;
    public class JNICLibrary {
        public static native Object doCommandNative(int arg0, Object[] arg1);
    }

This means we need to find the doCommandNative method in the native code. And this is where the fun begins.

Deobfuscating the machine code

In the file libsgmain.so (which is actually a .jar, and in which we found above the implementation of several encryption-related interfaces) there is one native library: libsgmainso-6.4.36.so. We open it in IDA and get a pile of error dialogs. The problem is that the section header table is invalid. This is done deliberately to complicate analysis.

But it is not needed: to load an ELF file correctly and analyze it, the program header table is enough. So we simply delete the section table by zeroing out the corresponding fields in the header.

We open the file in IDA again.

There are two ways to tell the Java virtual machine where in a native library the implementation of a method declared as native in Java code is located. The first is to give the function a name of the form Java_package_name_ClassName_MethodName.

The second is to register it when the library is loaded (in the JNI_OnLoad function) by calling the RegisterNatives function.

In our case, if the first method were used, the name would have to be Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative.

There is no such function among the exports, which means we need to look for a call to RegisterNatives. We go to the JNI_OnLoad function and see this picture:


What do we have here? At first glance the beginning and end of the function are typical for the ARM architecture. The first instruction saves on the stack the contents of the registers the function will use in its work (in this case R0, R1 and R2), as well as the contents of the LR register, which holds the return address. The last instruction restores the saved registers, and the return address goes straight into the PC register, which is how the function returns. But if you look closely, you will notice that the penultimate instruction changes the return address saved on the stack. Let's compute what it becomes after this code runs: the address 0xB130 is loaded into R1, 5 is subtracted from it, then it is moved to R0 and 0x10 is added to it. The result is 0xB13B. So IDA thinks the last instruction is an ordinary return from the function, whereas in fact control goes to the computed address 0xB13B.

It is worth recalling here that ARM processors have two modes and two instruction sets: ARM and Thumb. The least significant bit of the address tells the processor which instruction set is in use. That is, the address is really 0xB13A, and the one in the least significant bit indicates Thumb mode.

A similar "adapter" has been added to the beginning of every function in this library, plus junk code. We will not dwell on them further; we just remember that the real beginning of almost every function lies a little further on.

Since the code never jumps to 0xB13A explicitly, IDA did not recognize on its own that there is code at this location. For the same reason it did not recognize most of the code in the library as code, which makes analysis somewhat harder. We tell IDA that this is code, and this is what we get:


The table obviously starts at 0xB144. And what is in sub_494C?


When this function is called, the LR register holds the address of the table mentioned earlier (0xB144), and R0 holds an index into this table. That is, a value is taken from the table, added to LR, and the result is the address to jump to. Let's try to compute it: 0xB144 + [0xB144 + 8 * 4] = 0xB144 + 0x120 = 0xB264. We go to the resulting address and see a few useful instructions and then another jump to 0xB140:

Now there will be a jump with index 0x20 into the table.

Judging by the size of the table, there will be many such jumps in the code. The question arises whether this can be handled more automatically, without computing addresses by hand. Scripts and the ability to patch code in IDA come to our aid:

    from idc import *  # IDA scripting API (pre-imported in the IDA console)

    def put_unconditional_branch(source, destination):
        # Thumb B: the offset is counted in halfwords relative to PC = source + 4
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            # 32-bit B.W encoding
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            # 16-bit B encoding
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 2
        if get_wide_word(ea1) == 0xbf00:  # NOP
            ea1 += 2
        # expect MOVS R0, #index followed by the call that carries the table address in LR
        if get_operand_type(ea1, 0) == 1 and get_operand_value(ea1, 0) == 0 and get_operand_type(ea1, 1) == 2:
            index = get_wide_dword(get_operand_value(ea1, 1))
            print("index =", hex(index))
            ea1 += 2
            if get_operand_type(ea1, 0) == 7:
                table = get_operand_value(ea1, 0) + 4
            elif get_operand_type(ea1, 1) == 2:
                table = get_operand_value(ea1, 1) + 4
            else:
                print("Wrong operand type on", hex(ea1), "-", get_operand_type(ea1, 0), get_operand_type(ea1, 1))
                table = None
            if table is None:
                print("Unable to find table")
            else:
                print("table =", hex(table))
                # target = table + dword[table + index * 4]; replace the whole dispatcher with a direct branch
                offset = get_wide_dword(table + (index << 2))
                put_unconditional_branch(ea, table + offset)
        else:
            print("Unknown code", get_operand_type(ea1, 0), get_operand_value(ea1, 0), get_operand_type(ea1, 1) == 2)
    else:
        print("Unable to detect first instruction")
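
The branch-encoding arithmetic that the script relies on, as an added stand-alone Python example (not from the article and independent of IDA, so it runs anywhere): encode_thumb_branch produces the same halfwords as put_unconditional_branch, decode_thumb_branch goes beyond the script by inverting the encoding so that a patch can be checked before it is written, and resolve_table_jump reproduces the table-jump computation from the text. The table contents are constructed for the worked example.

```python
import struct


def encode_thumb_branch(source: int, destination: int) -> bytes:
    """Bytes of an unconditional Thumb B placed at `source` and jumping to `destination`.

    Same arithmetic as put_unconditional_branch in the IDA script: the offset is
    counted in halfwords from PC = source + 4. The 16-bit T2 form covers
    -1024..1023 halfwords; beyond that the 32-bit T4 form (B.W) is used with
    J1 = J2 = 1, which makes I1 = I2 = S, i.e. a plain sign extension of the
    22-bit halfword offset, so the range is +-2M halfwords (+-4 MB).
    """
    offset = (destination - source - 4) >> 1
    if offset > 2097151 or offset < -2097152:
        raise ValueError("branch offset out of range for B.W")
    if offset > 1023 or offset < -1024:
        hw1 = 0xF000 | ((offset >> 11) & 0x7FF)
        hw2 = 0xB800 | (offset & 0x7FF)
        return struct.pack("<HH", hw1, hw2)      # Thumb code is a stream of little-endian halfwords
    return struct.pack("<H", 0xE000 | (offset & 0x7FF))


def decode_thumb_branch(code: bytes, address: int) -> int:
    """Inverse of encode_thumb_branch: target of the B / B.W whose bytes start `code`."""
    hw1 = struct.unpack_from("<H", code, 0)[0]
    if hw1 & 0xF800 == 0xE000:                          # T2: 11100 imm11
        imm = hw1 & 0x7FF
        if imm & 0x400:
            imm -= 0x800
        return address + 4 + (imm << 1)
    if hw1 & 0xF800 == 0xF000 and len(code) >= 4:
        hw2 = struct.unpack_from("<H", code, 2)[0]
        if hw2 & 0xD000 == 0x9000:                      # T4: 10 J1 1 J2 imm11
            s = (hw1 >> 10) & 1
            j1 = (hw2 >> 13) & 1
            j2 = (hw2 >> 11) & 1
            i1 = 1 ^ j1 ^ s                             # I1 = NOT(J1 XOR S)
            i2 = 1 ^ j2 ^ s
            imm = (s << 23) | (i1 << 22) | (i2 << 21) | ((hw1 & 0x3FF) << 11) | (hw2 & 0x7FF)
            if s:
                imm -= 1 << 24                          # sign-extend the 24-bit halfword offset
            return address + 4 + (imm << 1)
    raise ValueError("not an unconditional Thumb branch")


def resolve_table_jump(table: int, index: int, dwords: dict) -> int:
    """Target computed by the sub_494C dispatcher: table + dword[table + index * 4]."""
    return (table + dwords[table + index * 4]) & 0xFFFFFFFF


# Constructed memory for the worked example in the text: entry 8 of the table at 0xB144
# holds 0x120, so the dispatcher lands at 0xB264.
CONSTRUCTED_TABLE = {0xB144 + 8 * 4: 0x120}

if __name__ == "__main__":
    patch = encode_thumb_branch(0xB26A, 0xB4B0)
    print(patch.hex(), hex(decode_thumb_branch(patch, 0xB26A)))
    print(hex(resolve_table_jump(0xB144, 8, CONSTRUCTED_TABLE)))
```

Running the decoder over the bytes just written is the cheapest sanity check for this kind of patching: a wrong PC bias or a lost sign bit shows up immediately as a target that does not match the table lookup.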

We put the cursor on the line 0xB26A, run the script and see a jump to 0xB4B0:

Once again IDA did not recognize this place as code. We help it and see another construction there:

The instructions after the BLX do not look like they make much sense; it looks more like some kind of offset. Let's look at sub_4964:

Yes, here a dword is read at the address held in LR and added to that address, then the value at the resulting address is read and pushed onto the stack. In addition, 4 is added to LR so that this very offset is skipped on return from the function. After that, the POP {R1} instruction takes the resulting value from the stack. If you look at what lies at address 0xB4BA + 0xEA = 0xB5A4, you will see something resembling an address table:

To patch this construction you need to extract two parameters from the code: the offset and the number of the register into which the result is to be placed. For each possible register a piece of code has to be prepared in advance.

    from idc import *  # IDA scripting API (pre-imported in the IDA console)

    # Replacement code per destination register: NOP; LDR Rn, =address; LDR Rn, [Rn]; B over the literal
    patches = {}
    patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
    patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
    patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
    patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
    patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
    patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
    patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
    patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
    patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
    patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

    ea = here()
    if (get_wide_word(ea) == 0xb082  # SUB SP, SP, #8
            and get_wide_word(ea + 2) == 0xb503):  # PUSH {R0,R1,LR}
        if get_operand_type(ea + 4, 0) == 7:
            pop = get_bytes(ea + 12, 4, 0)
            if pop[1] == 0xbc:  # 16-bit POP {Rn}: 0xBC00 | register bitmask
                register = -1
                r = get_wide_byte(ea + 12)
                for i in range(8):
                    if r == (1 << i):
                        register = i
                        break
                if register == -1:
                    print("Unable to detect register")
                else:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    if ea % 4 != 0:
                        ea += 2
                    patch_dword(ea, address)
            elif pop[:3] == b'\x5d\xf8\x04':  # 32-bit POP.W {Rn} (LDR.W Rn, [SP], #4): register in the high nibble
                register = pop[3] >> 4
                if register in patches:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    patch_dword(ea, address)
            else:
                print("POP instruction not found")
        else:
            print("Wrong operand type on +4:", get_operand_type(ea + 4, 0))
    else:
        print("Unable to detect first instructions")

We place the cursor at the beginning of the construction we want to replace, 0xB4B2, and run the script:

Besides the constructions already mentioned, the code also contains the following:

As in the previous case, after the BLX instruction there is an offset:

We take the offset at the address held in LR, add it to LR and go there: 0x72044 + 0xC = 0x72050. The script for this construction is quite simple:

    from idc import *  # IDA scripting API (pre-imported in the IDA console)

    def put_unconditional_branch(source, destination):
        # Thumb B: the offset is counted in halfwords relative to PC = source + 4
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            # 32-bit B.W encoding
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            # 16-bit B encoding
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 6
        if get_wide_word(ea + 2) == 0xbf00:  # NOP
            ea1 += 2
        # the dword after the BLX is the offset relative to its own address (LR)
        offset = get_wide_dword(ea1)
        put_unconditional_branch(ea, (ea1 + offset) & 0xffffffff)
    else:
        print("Unable to detect first instruction")

The result of running the script:

Once everything in the function has been patched, you can point IDA at its real beginning. It will assemble the whole function code piece by piece, and the result can be decompiled with HexRays.

Decrypting strings

We have learned to deal with the machine-code obfuscation in the libsgmainso-6.4.36.so library from UC Browser and obtained the code of the JNI_OnLoad function.

    int __fastcall real_JNI_OnLoad(JavaVM *vm)
    {
        int result; // r0
        jclass clazz; // r0 MAPDST
        int v4; // r0
        JNIEnv *env; // r4
        int v6; // [sp-40h] [bp-5Ch]
        int v7; // [sp+Ch] [bp-10h]

        v7 = *(_DWORD *)off_8AC00;
        if ( !vm )
            goto LABEL_39;
        sub_7C4F4();
        env = (JNIEnv *)sub_7C5B0(0);
        if ( !env )
            goto LABEL_39;
        v4 = sub_72CCC();
        sub_73634(v4);
        sub_73E24(&unk_83EA6, &v6, 49);
        clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
        if ( clazz
          && (sub_9EE4(),
              sub_71D68(env),
              sub_E7DC(env) >= 0
              && sub_69D68(env) >= 0
              && sub_197B4(env, clazz) >= 0
              && sub_E240(env, clazz) >= 0
              && sub_B8B0(env, clazz) >= 0
              && sub_5F0F4(env, clazz) >= 0
              && sub_70640(env, clazz) >= 0
              && sub_11F3C(env) >= 0
              && sub_21C3C(env, clazz) >= 0
              && sub_2148C(env, clazz) >= 0
              && sub_210E0(env, clazz) >= 0
              && sub_41B58(env, clazz) >= 0
              && sub_27920(env, clazz) >= 0
              && sub_293E8(env, clazz) >= 0
              && sub_208F4(env, clazz) >= 0) )
        {
            result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
        }
        else
        {
    LABEL_39:
            result = -1;
        }
        return result;
    }

Let's take a closer look at the following lines:

    sub_73E24(&unk_83EA6, &v6, 49);
    clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);

The class name is obviously decrypted in the function sub_73E24. It is passed as parameters a pointer to data that looks like encrypted data, some buffer, and a number. Obviously, after the call the buffer contains the decrypted string, since it is passed to the FindClass function, which takes the class name as its second parameter. So the number is the size of the buffer or the length of the string. Let's try to decrypt the class name; that should tell us whether we are heading in the right direction. Let's look closely at what happens in sub_73E24.

    int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
    {
        int v4; // r6
        int v7; // r11
        int v8; // r9
        int v9; // r4
        size_t v10; // r5
        int v11; // r0
        struc_1 v13; // [sp+0h] [bp-30h]
        int v14; // [sp+1Ch] [bp-14h]
        int v15; // [sp+20h] [bp-10h]

        v4 = 0;
        v15 = *(_DWORD *)off_8AC00;
        v14 = 0;
        v7 = sub_7AF78(17);
        v8 = sub_7AF78(size);
        if ( !v7 )
        {
            v9 = 0;
            goto LABEL_12;
        }
        (*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
        if ( !v8 )
        {
    LABEL_9:
            v4 = 0;
            goto LABEL_10;
        }
        v4 = 0;
        if ( !in )
        {
    LABEL_10:
            v9 = 0;
            goto LABEL_11;
        }
        v9 = 0;
        if ( out )
        {
            memset(out, 0, size);
            v10 = size - 1;
            (*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
            memset(&v13, 0, 0x14u);
            v13.field_4 = 3;
            v13.field_10 = v7;
            v13.field_14 = v8;
            v11 = sub_6115C(&v13, &v14);
            v9 = v11;
            if ( v11 )
            {
                if ( *(_DWORD *)(v11 + 4) == v10 )
                {
                    qmemcpy(out, *(const void **)v11, v10);
                    v4 = *(_DWORD *)(v9 + 4);
                }
                else
                {
                    v4 = 0;
                }
                goto LABEL_11;
            }
            goto LABEL_9;
        }
    LABEL_11:
        sub_7B148(v7);
    LABEL_12:
        if ( v8 )
            sub_7B148(v8);
        if ( v9 )
            sub_7B148(v9);
        return v4;
    }

The function sub_7AF78 creates an instance of a container for byte arrays of the given size (we will not go into these containers in detail). Two such containers are created here: one holds the string "DcO/lcK+h?m3c*q@" (it is easy to guess that this is a key), the other holds the encrypted data. Then both objects are placed in a structure, which is passed to the function sub_6115C. Let's also note a field with the value 3 in this structure. Let's see what happens to this structure next.

    int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
    {
        int v3; // lr
        unsigned int v4; // r1
        int v5; // r0
        int v6; // r1
        int result; // r0
        int v8; // r0

        *a2 = 820000;
        if ( a1 )
        {
            v3 = a1->field_14;
            if ( v3 )
            {
                v4 = a1->field_4;
                if ( v4 < 0x19 )
                {
                    switch ( v4 )
                    {
                        case 0u:
                            v8 = sub_6419C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 3u:
                            v8 = sub_6364C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 0x10u:
                        case 0x11u:
                        case 0x12u:
                            v8 = sub_612F4(
                                   a1->field_0,
                                   v4,
                                   *(_QWORD *)&a1->field_8,
                                   *(_QWORD *)&a1->field_8 >> 32,
                                   a1->field_10,
                                   v3,
                                   a2);
                            goto LABEL_17;
                        case 0x14u:
                            v8 = sub_63A28(a1->field_0, v3);
                            goto LABEL_17;
                        case 0x15u:
                            sub_61A60(a1->field_0, v3, a2);
                            return result;
                        case 0x16u:
                            v8 = sub_62440(a1->field_14);
                            goto LABEL_17;
                        case 0x17u:
                            v8 = sub_6226C(a1->field_10, v3);
                            goto LABEL_17;
                        case 0x18u:
                            v8 = sub_63530(a1->field_14);
    LABEL_17:
                            v6 = 0;
                            if ( v8 )
                            {
                                *a2 = 0;
                                v6 = v8;
                            }
                            return v6;
                        default:
                            LOWORD(v5) = 28032;
                            goto LABEL_5;
                    }
                }
            }
        }
        LOWORD(v5) = -27504;
    LABEL_5:
        HIWORD(v5) = 13;
        v6 = 0;
        *a2 = v5;
        return v6;
    }

The switch parameter is the structure field that was set to 3 earlier. Look at case 3: function sub_6364C receives the parameters from the structure that were stored there in the previous function, i.e. the key and the encrypted data. If you look closely at sub_6364C, you can recognise the RC4 algorithm in it.

So we have an algorithm and a key. Let's try to decrypt the class name. Here is what we got: com/taobao/wireless/security/adapter/JNICLibrary. Excellent! We're on the right track.
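As an added illustration (not code from the article or from the library), here is a Python reimplementation of the RC4 step that case 3 of the switch performs, using the key string from the decompiled code and mirroring the size-1 handling of the decryptString wrapper. The article does not list the encrypted bytes, so the sample blob is constructed by encrypting the class name with the same key.

```python
# RC4 as recognised in sub_6364C, keyed with the string from the first
# container built in sub_7AF78. Added example; SAMPLE_BLOB is constructed.
KEY = b"DcO/lcK+h?m3c*q@"


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(blob: bytes, size: int) -> str:
    """Mirror of decryptString(in, out, size) from the decompiled code:
    the output buffer is `size` bytes, only size-1 bytes are decrypted
    into it, and the last byte stays 0 as the C string terminator."""
    if size < 1 or len(blob) < size - 1:
        raise ValueError("blob shorter than size-1")
    out = bytearray(size)                      # memset(out, 0, size)
    out[: size - 1] = rc4(KEY, blob[: size - 1])
    return out.rstrip(b"\0").decode("ascii")


def encrypt_string(text: str) -> bytes:
    """Build a blob in the same layout (used here only to construct input)."""
    return rc4(KEY, text.encode("ascii"))


CLASS_NAME = "com/taobao/wireless/security/adapter/JNICLibrary"
SAMPLE_BLOB = encrypt_string(CLASS_NAME)       # constructed, not from the APK

if __name__ == "__main__":
    print(decrypt_string(SAMPLE_BLOB, len(SAMPLE_BLOB) + 1))
```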

Command tree

Now we need to find the RegisterNatives call that will point us to the doCommandNative function. Let's look through the functions called from JNI_OnLoad, and we find it in sub_B7B0:

int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
{
char signature[41]; // [sp+7h] [bp-55h]
char name[16]; // [sp+30h] [bp-2Ch]
JNINativeMethod method; // [sp+40h] [bp-1Ch]
int v8; // [sp+4Ch] [bp-10h]
v8 = *(_DWORD *)off_8AC00;
decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);// doCommandNative
decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u);// (I[Ljava/lang/Object;)Ljava/lang/Object;
method.name = name;
method.signature = signature;
method.fnPtr = sub_B69C;
return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
}

Indeed, a native method doCommandNative is registered here. Now we know its address. Let's see what it does.

int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
{
int v5; // r5
struc_2 *a5; // r6
int v9; // r1
int v11; // [sp+Ch] [bp-14h]
int v12; // [sp+10h] [bp-10h]
v5 = 0;
v12 = *(_DWORD *)off_8AC00;
v11 = 0;
a5 = (struc_2 *)malloc(0x14u);
if ( a5 )
{
a5->field_0 = 0;
a5->field_4 = 0;
a5->field_8 = 0;
a5->field_C = 0;
v9 = command % 10000 / 100;
a5->field_0 = command / 10000;
a5->field_4 = v9;
a5->field_8 = command % 100;
a5->field_C = env;
a5->field_10 = args;
v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);
}
free(a5);
if ( !v5 && v11 )
sub_7CF34(env, v11, &byte_83ED7);
return v5;
}

From the name you can guess that this is the entry point for all the functions the developers decided to move into the native library. We're interested in function number 10601.

You can see from the code that the command number yields three numbers: command / 10000, command % 10000 / 100 and command % 100, i.e. in our case 1, 6 and 1. These three numbers, together with the JNIEnv pointer and the arguments passed to the function, are placed into a structure and passed on. Using the three numbers obtained (let's call them N1, N2 and N3), a command tree is built.

The original article illustrates the tree with a diagram. The tree is filled in JNI_OnLoad. The three numbers encode the path through the tree. Each leaf of the tree holds the pointer to the corresponding function; the key is stored in the parent node. Finding the place in the code where the function we need is added to the tree isn't hard once you understand all the structures involved (we won't describe them, so as not to inflate an already large article).

More obfuscation

We got the address of the function that decrypts traffic: 0x5F1AC. But it's too early to rejoice: the UC Browser developers have prepared another surprise for us.

After obtaining the parameters from the array created in the Java code, we end up in the function at address 0x4D070. And here another kind of code obfuscation awaits us.

Two indices are placed into R7 and R4:


The first index is moved into R11:


An index is used to fetch an address from the table:


After the jump to the first address, the second index, held in R4, is used. The table has 230 entries.

What can we do about it? We can tell IDA that this is a switch: Edit -> Other -> Specify switch idiom.


The resulting code looks frightening. But, wandering through its jungle, we notice a call to a function we already know, sub_6115C:


That function contains a switch in which case 3 is decryption with RC4. In this case, the structure passed to the function is filled from the parameters passed to doCommandNative. Let's recall what we had there: magicInt with value 16. We look at the corresponding case, and after several jumps we find the code by which the algorithm can be identified.


It's AES!

The algorithm is there; all that's left is to obtain its parameters: mode, key and, possibly, initialization vector (depending on the AES mode of operation). The structure holding them must be built somewhere before the call to sub_6115C, but this part of the code is heavily obfuscated, so the idea arose to patch the code so that all parameters of the decryption function are dumped to a file.

Patching

To avoid writing the whole patch in assembler, you can open Android Studio, write a function there that receives the same input parameters as our decryption function and writes them to a file, and then copy-paste the code the compiler produces.

Our friends from the UC Browser team also took care of making it convenient to add code. Recall that at the beginning of every function there is junk code that can easily be replaced with anything else. Very convenient :) However, at the beginning of the target function there isn't enough room for code that saves all the parameters to a file. It had to be split into parts, using the junk blocks of neighbouring functions. Four parts in total.

Part one:


In the ARM architecture the first four function parameters are passed in registers R0-R3; the rest, if any, go through the stack. The return address is in LR. All of this has to be preserved so the function can keep working after we dump its parameters. We also have to preserve every register we use in the process, so we do PUSH.W {R0-R10,LR}. In R7 we get the address of the list of parameters passed to the function through the stack.

Using the fopen function, we open the file /data/local/tmp/aes in "ab" mode, i.e. for appending. In R0 we load the address of the file name, in R1 the address of the string denoting the mode. Here the junk code ends, so we move on to the next function. To keep it working, at its start we put a jump to the function's real code, bypassing the junk, and in place of the junk we add the continuation of the patch.


Calling fopen.

The first three parameters of the AES function are of type int. Since we saved the registers to the stack at the start, we can simply pass the write function their addresses on the stack.


Next come three structures containing the data size and a pointer to the data, for the key, the initialization vector and the encrypted data.


Finally, we close the file, restore the registers and hand control to the real AES function.

We build an APK with the patched library, sign it, upload it to the device/emulator and launch it. We see that our dump is being created and a lot of data is written to it. The browser uses encryption not only for traffic, and all of it goes through the function in question. But for some reason the data we need isn't there, and the request we need isn't visible in the traffic. So as not to wait until UC Browser deigns to make the needed request, we take the encrypted server response captured earlier and patch the application again: we add decryption to the onCreate of the main activity.

const/16 v1, 0x62
new-array v1, v1, [B
fill-array-data v1, :encrypted_data
const/16 v0, 0x1f
invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B
move-result-object v1
array-length v2, v1
invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
move-result-object v2
const-string v0, "ololo"
invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

We build, sign, install, launch. We get a NullPointerException because the method returned null.

During the code analysis, a function was found that decrypts some interesting strings: "META-INF/" and ".RSA". The application apparently checks its certificate. Or even derives keys from it. I really don't want to dig into what is done with the certificate, so let's just slip it the correct one. We patch the encrypted string so that instead of "META-INF/" we get "BLABLINF/", create a folder with that name in the APK and put the squirrel browser's own certificate there.

We build, sign, install, launch. Bingo! We have the key!

MitM

We got the key and an initialization vector equal to the key. Let's try to decrypt the server response in CBC mode.


We see the archive URL, something that looks like an MD5, "extract_unzipsize" and a number. We check: the MD5 of the archive matches, and the size of the unpacked library matches. We try to patch this library and slip it to the browser. To show that our patched library has been loaded, we launch an Intent that creates an SMS with the text "PWNED!". We replace two responses from the server: puds.ucweb.com/upgrade/index.xhtml and the archive download. In the first we replace the MD5 (the size doesn't change after unpacking), in the second we serve the archive with the patched library.

The browser tries to download the archive several times and then reports an error. Apparently something doesn't suit it. Decrypting this murky format further revealed that the server also transmits the archive size:


It is encoded in LEB128. After patching, the size of the archive with the library changed slightly, so the browser decided the file had been downloaded incorrectly and, after several attempts, reported an error.
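As an added example (not the browser's or the article's code), here are the two integrity values the decrypted response carries, an MD5 of the archive and a LEB128-encoded archive size, together with the check the client effectively performs, which is why a patched archive of a different length was rejected. The sample archive bytes are constructed.

```python
# Added example: LEB128 size field and MD5 check of the update archive as
# the article describes them. SAMPLE_ARCHIVE is constructed, not a real update.
import hashlib
from typing import Tuple


def encode_uleb128(value: int) -> bytes:
    """Unsigned LEB128: 7 data bits per byte, high bit set while more follow."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_uleb128(data: bytes) -> Tuple[int, int]:
    """Returns (value, bytes consumed); raises on a truncated sequence."""
    value = shift = 0
    for pos, byte in enumerate(data):
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos + 1
        shift += 7
    raise ValueError("unterminated LEB128")


def check_archive(archive: bytes, md5_hex: str, size_leb128: bytes) -> bool:
    """What the client checks before unpacking: digest and size must both
    match. Neither value proves who produced the archive; over plain HTTP an
    on-path party can rewrite all of them consistently, which is why only a
    signature over the archive or an authenticated channel closes the hole."""
    expected_size, _ = decode_uleb128(size_leb128)
    if len(archive) != expected_size:
        return False
    return hashlib.md5(archive).hexdigest() == md5_hex.lower()


SAMPLE_ARCHIVE = b"constructed archive bytes, not a real update package"
SAMPLE_MD5 = hashlib.md5(SAMPLE_ARCHIVE).hexdigest()
SAMPLE_SIZE = encode_uleb128(len(SAMPLE_ARCHIVE))

if __name__ == "__main__":
    print(SAMPLE_SIZE.hex(), check_archive(SAMPLE_ARCHIVE, SAMPLE_MD5, SAMPLE_SIZE))
```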

We fix the archive size... and victory! :) The result is in the video.

https://www.youtube.com/watch?v=Nfns7uH03J8

Conclusions and the developers' response

In the same way, attackers could use this unsafe feature of UC Browser to distribute and execute malicious libraries. These libraries would run in the browser's context, and so would get all of its system permissions. The result is the ability to show phishing windows, as well as access to the working files of the orange Chinese squirrel, including the logins, passwords and cookies stored in the browser.

We contacted the UC Browser developers and informed them of the problem we had found, and tried to point out the vulnerability and its danger, but they didn't discuss anything with us. Meanwhile the browser kept showing off its dangerous feature in plain sight. But once we published the details of the vulnerability, it could no longer be ignored as before. On March 27, a new version of UC Browser, 12.10.9.1193, was released, which contacts the server over HTTPS: puds.ucweb.com/upgrade/index.xhtml.

Moreover, after the "fix" and up to the time of writing, attempting to open a PDF in the browser produces an error message with the text "Oops, something went wrong!". No request to the server is made when trying to open a PDF, but a request is made when the browser starts, hinting at a continuing ability to download executable code in violation of Google Play rules.

Source: will.com
