Looking for vulnerabilities in UC Browser


Introduction

At the end of March we reported that we had found a hidden capability to download and execute unverified code in UC Browser. Today we will look in detail at how this download works and how attackers could use it for their own purposes.

Some time ago, UC Browser was advertised and distributed very aggressively: it was installed on users' devices by malware, it was distributed from various sites under the guise of video files (that is, users thought they were downloading, say, an adult video, but instead received an APK with this browser), and it used scary banners claiming that the user's browser was outdated, vulnerable, and so on. The official UC Browser group on VK has a thread where users can complain about unfair advertising, and there are plenty of examples there. In 2016 there was even a video advertisement in Russian (yes, an advertisement for a browser that blocks ads).

At the time of writing, UC Browser has over 500 million installs on Google Play. This is impressive: only Google Chrome has more. Among the reviews you can find many complaints about advertising and redirects to other apps on Google Play. This was the reason for our research: we decided to check whether UC Browser is doing something bad. And it turned out that it is!

In the application code we found the ability to download and execute executable code, which contradicts the rules for publishing applications on Google Play. Besides the fact that downloading executable code is possible at all, UC Browser does it insecurely, which can be used to carry out a MitM attack. Let's see whether we can do that.

Everything written below applies to the UC Browser version that was available on Google Play at the time of the research:

package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
sha1 of the APK file: f5edb2243413c777172f6362876041eb0c3a928c

Attack vector

In the UC Browser manifest you can find a service with the self-explanatory name com.uc.deployment.UpgradeDeployService.

    <service android:exported="false" android:name="com.uc.deployment.UpgradeDeployService" android:process=":deploy" />

When this service starts, the browser makes a POST request to puds.ucweb.com/upgrade/index.xhtml, which can be seen in the traffic some time after launch. In response it may receive a command to download some update or a new module. During the analysis the server did not issue such commands, but we noticed that when we try to open a PDF in the browser, it makes a second request to the address mentioned above and then downloads a native library. To carry out the attack we decided to use this feature of UC Browser: the ability to open PDFs with a native library that is not present in the APK and is downloaded from the Internet when needed. It is worth noting that, in theory, UC Browser could be made to download something without any user interaction, if a well-formed response were given to the request it makes right after starting. But that would require studying the protocol of communication with the server in more detail, so we decided it would be easier to modify the intercepted response and substitute the library for working with PDFs.

So, when the user wants to open a PDF directly in the browser, the following requests can be seen in the traffic:


First there is a POST request to puds.ucweb.com/upgrade/index.xhtml, then an archive with the library for viewing PDFs and office documents is downloaded. It is logical to assume that the first request passes information about the system (at least the architecture, so that the right library can be served), and in response the browser receives some information about the library it has to download: the address and, perhaps, something else. The problem is that this request is encrypted.

Request fragment

Response fragment



The library itself is packed in a ZIP and is not encrypted.


Searching for the traffic decryption code

Let's try to decrypt the server response. Let's look at the code of the class com.uc.deployment.UpgradeDeployService: from the onStartCommand method we get to com.uc.deployment.bx, and from there to com.uc.browser.core.dcfe:

    public final void e(l arg9) {
        int v4_5;
        String v3_1;
        byte[] v3;
        byte[] v1 = null;
        if(arg9 == null) {
            v3 = v1;
        }
        else {
            v3_1 = arg9.iGX.ipR;
            StringBuilder v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]product:");
            v4.append(arg9.iGX.ipR);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]version:");
            v4.append(arg9.iGX.iEn);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]upgrade_type:");
            v4.append(arg9.iGX.mMode);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]force_flag:");
            v4.append(arg9.iGX.iEo);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_mode:");
            v4.append(arg9.iGX.iDQ);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_type:");
            v4.append(arg9.iGX.iEr);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_state:");
            v4.append(arg9.iGX.iEp);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_file:");
            v4.append(arg9.iGX.iEq);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apk_md5:");
            v4.append(arg9.iGX.iEl);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_type:");
            v4.append(arg9.mDownloadType);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_group:");
            v4.append(arg9.mDownloadGroup);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_path:");
            v4.append(arg9.iGH);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_child_version:");
            v4.append(arg9.iGX.iEx);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_series:");
            v4.append(arg9.iGX.iEw);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_arch:");
            v4.append(arg9.iGX.iEt);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp3:");
            v4.append(arg9.iGX.iEv);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp:");
            v4.append(arg9.iGX.iEu);
            ArrayList v3_2 = arg9.iGX.iEz;
            if(v3_2 != null && v3_2.size() != 0) {
                Iterator v3_3 = v3_2.iterator();
                while(v3_3.hasNext()) {
                    Object v4_1 = v3_3.next();
                    StringBuilder v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_name:");
                    v5.append(((au)v4_1).getName());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_name:");
                    v5.append(((au)v4_1).aDA());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_code:");
                    v5.append(((au)v4_1).gBl);
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_req_type:");
                    v5.append(((au)v4_1).gBq);
                }
            }
            j v3_4 = new j();
            m.b(v3_4);
            h v4_2 = new h();
            m.b(v4_2);
            ay v5_1 = new ay();
            v3_4.hS("");
            v3_4.setImsi("");
            v3_4.hV("");
            v5_1.bPQ = v3_4;
            v5_1.bPP = v4_2;
            v5_1.yr(arg9.iGX.ipR);
            v5_1.gBF = arg9.iGX.mMode;
            v5_1.gBI = arg9.iGX.iEz;
            v3_2 = v5_1.gAr;
            c.aBh();
            v3_2.add(g.fs("os_ver", c.getRomInfo()));
            v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
            v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
            String v4_3 = com.uc.b.a.a.c.Pd();
            v3_2.add(g.fs("cpu_vfp", v4_3));
            v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
            v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
            v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
            v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
            v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
            v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
            v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
            v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
            v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
            v3_2.add(g.fs("child_ver", r.aVw()));
            v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));
            v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature()));
            v3_2.add(g.fs("upgrade_log", i.bjt()));
            v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
            v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
            v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
            v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
            v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
            v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
            boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
            v3_2.add(g.fs("neon", String.valueOf(v4_4)));
            v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
            v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
            v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
            c.aBh();
            v3_2.add(g.fs("rom_1", c.getRomInfo()));
            v4_5 = e.getScreenWidth();
            int v6 = e.getScreenHeight();
            StringBuilder v7 = new StringBuilder();
            v7.append(v4_5);
            v7.append("*");
            v7.append(v6);
            v3_2.add(g.fs("ss", v7.toString()));
            v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
            v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));
            Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
            while(v4_6.hasNext()) {
                Object v6_1 = v4_6.next();
                v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
            }
            v3 = v5_1.toByteArray();
        }
        if(v3 == null) {
            this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
            return;
        }
        v4_5 = this.iGY.iGw ? 0x1F : 0;
        if(v3 == null) {
        }
        else {
            v3 = g.i(v4_5, v3);
            if(v3 == null) {
            }
            else {
                // 16-byte header in front of the encrypted body: 5F 00 <alg> CE, rest zero
                v1 = new byte[v3.length + 16];
                byte[] v6_2 = new byte[16];
                Arrays.fill(v6_2, 0);
                v6_2[0] = 0x5F;
                v6_2[1] = 0;
                v6_2[2] = ((byte)v4_5);
                v6_2[3] = -50;
                System.arraycopy(v6_2, 0, v1, 0, 16);
                System.arraycopy(v3, 0, v1, 16, v3.length);
            }
        }
        if(v1 == null) {
            this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
            return;
        }
        if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
            this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
            return;
        }
        StringBuilder v0 = new StringBuilder("[");
        v0.append(arg9.iGX.ipR);
        v0.append("]url:");
        v0.append(this.iGY.mUpgradeUrl);
        com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
        v3_1 = this.iGY.mUpgradeUrl;
        com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
        v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
        n v3_5 = v0_2.uc(v3_1);
        m.b(v3_5, false);
        v3_5.setMethod("POST");
        v3_5.setBodyProvider(v1);
        v0_2.b(v3_5);
        this.iGY.iGI.a(arg9, "up_null", "yes", "success");
        this.iGY.iGI.b(arg9);
    }

Here we see the POST request being built. Note the creation of a 16-byte array and how it is filled: 0x5F, 0, 0x1F, -50 (=0xCE). This matches what we saw in the request above.

In the same class you can see a nested class with another interesting method:

    public final void a(l arg10, byte[] arg11) {
        f v0 = this.iGQ;
        StringBuilder v1 = new StringBuilder("[");
        v1.append(arg10.iGX.ipR);
        v1.append("]:UpgradeSuccess");
        byte[] v1_1 = null;
        if(arg11 == null) {
        }
        else if(arg11.length < 16) {
        }
        else {
            if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
                goto label_57;
            }
            int v3 = 1;
            int v5 = arg11[1] == 1 ? 1 : 0;
            if(arg11[2] != 1 && arg11[2] != 11) {
                if(arg11[2] == 0x1F) {
                }
                else {
                    v3 = 0;
                }
            }
            byte[] v7 = new byte[arg11.length - 16];
            System.arraycopy(arg11, 16, v7, 0, v7.length);
            if(v3 != 0) {
                v7 = g.j(arg11[2], v7);
            }
            if(v7 == null) {
                goto label_57;
            }
            if(v5 != 0) {
                v1_1 = g.P(v7);
                goto label_57;
            }
            v1_1 = v7;
        }
    label_57:
        if(v1_1 == null) {
            v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
            return;
        }
        q v11 = g.b(arg10, v1_1);
        if(v11 == null) {
            v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
            return;
        }
        if(v0.iGY.iGt) {
            v0.d(arg10);
        }
        if(v0.iGY.iGo != null) {
            v0.iGY.iGo.a(0, ((o)v11));
        }
        if(v0.iGY.iGs) {
            v0.iGY.a(((o)v11));
            v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
            v0.iGY.iGI.a(v11);
            return;
        }
        v0.iGY.iGI.a(v11, "up_silent", "no", "success");
    }

This method takes an array of bytes as input and checks that the zero byte is 0x60 or the third byte is 0xD0, and that the second byte is 1, 11 or 0x1F. Let's look at the server response: the zero byte is 0x60, the second is 0x1F, the third is 0x60. Looks like what we need. Judging by the strings ("up_decrypt", for example), a method that decrypts the server response should be called here.
Let's move on to the method g.j. Note that its first argument is the byte at offset 2 (that is, 0x1F in our case), and the second is the server response without the first 16 bytes.

    public static byte[] j(int arg1, byte[] arg2) {
        if(arg1 == 1) {
            arg2 = c.c(arg2, c.adu);
        }
        else if(arg1 == 11) {
            arg2 = m.aF(arg2);
        }
        else if(arg1 != 0x1F) {
        }
        else {
            arg2 = EncryptHelper.decrypt(arg2);
        }
        return arg2;
    }

Obviously, the decryption algorithm is selected here, and the byte that equals 0x1F in our case denotes one of the three possible options.

We continue analyzing the code. After a couple of jumps we find ourselves in a method with the self-explanatory name decryptBytesByKey.

Here two more bytes are split off from our response, and a string is derived from them. It is clear that this is how the key for decrypting the message is selected.

    private static byte[] decryptBytesByKey(byte[] bytes) {
        byte[] v0 = null;
        if(bytes != null) {
            try {
                if(bytes.length < EncryptHelper.PREFIX_BYTES_SIZE) {
                }
                else if(bytes.length == EncryptHelper.PREFIX_BYTES_SIZE) {
                    return v0;
                }
                else {
                    byte[] prefix = new byte[EncryptHelper.PREFIX_BYTES_SIZE];  // 2 bytes
                    System.arraycopy(bytes, 0, prefix, 0, prefix.length);
                    String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort()); // key selection
                    if(keyId == null) {
                        return v0;
                    }
                    else {
                        a v2 = EncryptHelper.ayL();
                        if(v2 == null) {
                            return v0;
                        }
                        else {
                            byte[] enrypted = new byte[bytes.length - EncryptHelper.PREFIX_BYTES_SIZE];
                            System.arraycopy(bytes, EncryptHelper.PREFIX_BYTES_SIZE, enrypted, 0, enrypted.length);
                            return v2.l(keyId, enrypted);
                        }
                    }
                }
            }
            catch(SecException v7_1) {
                EncryptHelper.handleDecryptException(((Throwable)v7_1), v7_1.getErrorCode());
                return v0;
            }
            catch(Throwable v7) {
                EncryptHelper.handleDecryptException(v7, 2);
                return v0;
            }
        }
        return v0;
    }

Looking ahead, we note that at this stage we have not obtained the key yet, only its "identifier". Obtaining the key is a little more complicated.

In the next method two more parameters are added to the existing ones, making four of them: the magic number 16, the key identifier, the encrypted data, and an incomprehensible string (empty in our case).

    public final byte[] l(String keyId, byte[] encrypted) throws SecException {
        return this.ayJ().staticBinarySafeDecryptNoB64(16, keyId, encrypted, "");
    }
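The checks spread over e(), a(), g.j() and decryptBytesByKey above amount to a small envelope format. The following Python is an added example (not code from the article or from UC Browser) that builds the request header, applies the response checks exactly as the decompiled code does, and splits off the 2-byte key id; the sample response bytes are constructed here, and the strict signature check in classify_envelope is our own detection heuristic, not the client's logic.

```python
import struct

# Header layout recovered from e() and a(): a 16-byte prefix of which only
# bytes 0..3 are meaningful; bytes 4..15 are left zero.
HEADER_LEN = 16
REQ_BYTE0, REQ_BYTE3 = 0x5F, 0xCE    # request:  5F 00 <alg> CE
RESP_BYTE0, RESP_BYTE3 = 0x60, 0xD0  # response: 60 <gz> <alg> D0
# Byte 2 selects the branch taken in g.j()
ALG_BRANCH_1 = 0x01     # c.c(arg2, c.adu)
ALG_BRANCH_11 = 0x0B    # m.aF(arg2)
ALG_KEYED = 0x1F        # EncryptHelper.decrypt -> decryptBytesByKey
KNOWN_ALGS = {ALG_BRANCH_1, ALG_BRANCH_11, ALG_KEYED}
PREFIX_BYTES_SIZE = 2   # EncryptHelper.PREFIX_BYTES_SIZE (key-id prefix)


def build_request_envelope(alg, body):
    """Wrap an already-encrypted request body the way e() does."""
    header = bytearray(HEADER_LEN)
    header[0], header[1], header[2], header[3] = REQ_BYTE0, 0, alg, REQ_BYTE3
    return bytes(header) + bytes(body)


def parse_response_envelope(buf):
    """Apply the same header checks as a(l, byte[]) and return what it derives.

    Returns None where the client gives up (too short or bad magic).
    """
    if buf is None or len(buf) < HEADER_LEN:
        return None
    # The decompiled condition is joined with '&&': the response is rejected
    # only when BOTH magic bytes are wrong, so either one alone is accepted.
    if buf[0] != RESP_BYTE0 and buf[3] != RESP_BYTE3:
        return None
    alg = buf[2]
    return {
        "compressed": buf[1] == 1,       # v5: g.P() is applied afterwards
        "alg": alg,
        "encrypted": alg in KNOWN_ALGS,  # v3: otherwise the body is used as-is
        "payload": bytes(buf[HEADER_LEN:]),
    }


def split_keyed_payload(payload):
    """Mirror decryptBytesByKey: 2-byte key id, then the ciphertext.

    ByteBuffer.wrap(prefix).getShort() is big-endian and signed, hence ">h".
    Returns (key_id, ciphertext), or None where the Java code returns null.
    """
    if len(payload) <= PREFIX_BYTES_SIZE:
        return None
    (key_id,) = struct.unpack(">h", payload[:PREFIX_BYTES_SIZE])
    return key_id, payload[PREFIX_BYTES_SIZE:]


def classify_envelope(buf):
    """Detection helper: label a captured body 'request', 'response' or None.

    Unlike the client, this requires all signature bytes to match.
    """
    if len(buf) < HEADER_LEN:
        return None
    if buf[0] == REQ_BYTE0 and buf[1] == 0 and buf[3] == REQ_BYTE3:
        return "request"
    if buf[0] == RESP_BYTE0 and buf[3] == RESP_BYTE3:
        return "response"
    return None


# Constructed sample: a response selecting the keyed scheme with key id 7.
SAMPLE_RESPONSE = (bytes([RESP_BYTE0, 0x00, ALG_KEYED, RESP_BYTE3]) + bytes(12)
                   + struct.pack(">h", 7) + b"\x10\x20\x30\x40")

if __name__ == "__main__":
    info = parse_response_envelope(SAMPLE_RESPONSE)
    print(info, split_keyed_payload(info["payload"]))
```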

After a series of transitions we arrive at the method staticBinarySafeDecryptNoB64 of the interface com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponent. There are no classes in the main application code that implement this interface. There is such a class in the file lib/armeabi-v7a/libsgmain.so, which is actually not a .so but a .jar. The method we are interested in is implemented as follows:

    package com.alibaba.wireless.security.a.i;
    // ...
    public class a implements IStaticDataEncryptComponent {
        private ISecurityGuardPlugin a;
        // ...
        private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
            return this.a.getRouter().doCommand(10601, new Object[]{Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt), keyId, encrypted, magicString});
        }
        // ...
        private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
            return this.a(2, magicInt, 0, keyId, encrypted, magicString);
        }
        // ...
        public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
            if(keyId != null && keyId.length() > 0 && magicInt >= 0 && magicInt < 19 && encrypted != null && encrypted.length > 0) {
                return this.b(magicInt, keyId, encrypted, magicString);
            }
            throw new SecException("", 301);
        }
        //...
    }

Here our parameter list is extended with two more integers: 2 and 0. By all appearances, 2 means decryption, as in the doFinal method of the system class javax.crypto.Cipher. And all of this is passed to some router with the number 10601, which is obviously a command number.

After the next chain of transitions we find a class that implements the IRouterComponent interface and its doCommand method:

    package com.alibaba.wireless.security.mainplugin;
    import com.alibaba.wireless.security.framework.IRouterComponent;
    import com.taobao.wireless.security.adapter.JNICLibrary;
    public class a implements IRouterComponent {
        public a() {
            super();
        }
        public Object doCommand(int arg2, Object[] arg3) {
            return JNICLibrary.doCommandNative(arg2, arg3);
        }
    }

And also the JNICLibrary class, in which the native method doCommandNative is declared:

    package com.taobao.wireless.security.adapter;
    public class JNICLibrary {
        public static native Object doCommandNative(int arg0, Object[] arg1);
    }

This means we need to find the doCommandNative method in the native code. And this is where the fun begins.

Machine code deobfuscation

In the file libsgmain.so (which is actually a .jar, and in which we found the implementation of some encryption-related interfaces above) there is one native library: libsgmainso-6.4.36.so. We open it in IDA and get a pile of error dialogs. The problem is that the section header table is invalid. This is done deliberately to hinder analysis.


But it is not needed: to load an ELF file correctly and analyze it, the program header table is enough. So we simply drop the section table by zeroing the corresponding fields in the header.


Open the file in IDA again.

There are two ways to tell the Java virtual machine where exactly in a native library the implementation of a method declared as native in Java code is located. The first is to give it a name of the form Java_package_name_ClassName_MethodName.

The second is to register it when the library is loaded (in the JNI_OnLoad function) with a call to RegisterNatives.

In our case, if the first method were used, the name would have to be Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative.

There is no such function among the exported functions, which means we need to look for a call to RegisterNatives.
Let's go to the JNI_OnLoad function, where we see this picture:


What is going on here? At first glance the beginning and end of the function are typical for the ARM architecture. The first instruction saves on the stack the contents of the registers the function will use (in this case R0, R1 and R2), as well as the contents of the LR register, which holds the return address. The last instruction restores the saved registers, and the return address is placed directly into the PC register, which is how the function returns. But if you look closely, you will notice that the preceding instructions modify the return address saved on the stack. Let's calculate what it will be after this code runs. A certain address, 0xB130, is loaded into R1, 5 is subtracted from it, then it is moved to R0 and 0x10 is added. The result is 0xB13B. So IDA thinks the last instruction is an ordinary return from the function, but in fact it jumps to the computed address 0xB13B.

It is worth recalling here that ARM processors have two modes and two instruction sets: ARM and Thumb. The least significant bit of the address tells the processor which instruction set is in use. That is, the address is actually 0xB13A, and the set least significant bit indicates Thumb mode.

A similar "adapter" has been added to the beginning of every function in this library, along with junk code. We will not dwell on them in detail; we just keep in mind that the real beginning of almost every function is a little further on.

Since the code does not explicitly jump to 0xB13A, IDA itself did not realize that there is code at this location. For the same reason it does not recognize most of the code in the library as code, which makes analysis somewhat harder. We tell IDA that this is code, and this is what we get:


A table clearly starts at 0xB144. What is in sub_494C?


When this function is called, the LR register holds the address of the table mentioned above (0xB144), and R0 holds an index into this table. That is, a value is taken from the table, added to LR, and the result is the address to jump to. Let's try to calculate it: 0xB144 + [0xB144 + 8*4] = 0xB144 + 0x120 = 0xB264. We go to the resulting address and see a few useful instructions and then another jump to 0xB140:


Now there will be a jump via the table with index 0x20.

Judging by the size of the table, there will be many such jumps in the code. The question is whether this can be handled more automatically, without calculating the addresses by hand. Scripting and the ability to patch code in IDA come to our aid:

    # IDAPython script (Python 3 form of the script used in the analysis)
    def put_unconditional_branch(source, destination):
        # Encode a Thumb unconditional branch from source to destination;
        # the offset is in halfwords relative to PC (= source + 4).
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            # 32-bit B.W encoding: two halfwords
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            # 16-bit B encoding
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 2
        if get_wide_word(ea1) == 0xbf00:  # NOP
            ea1 += 2
        # expect the index being loaded into R0 (operand types: 1 = register, 2 = memory)
        if get_operand_type(ea1, 0) == 1 and get_operand_value(ea1, 0) == 0 and get_operand_type(ea1, 1) == 2:
            index = get_wide_dword(get_operand_value(ea1, 1))
            print("index =", hex(index))
            ea1 += 2
            if get_operand_type(ea1, 0) == 7:  # near address operand
                table = get_operand_value(ea1, 0) + 4
            elif get_operand_type(ea1, 1) == 2:  # memory operand
                table = get_operand_value(ea1, 1) + 4
            else:
                print("Wrong operand type on", hex(ea1), "-", get_operand_type(ea1, 0), get_operand_type(ea1, 1))
                table = None
            if table is None:
                print("Unable to find table")
            else:
                print("table =", hex(table))
                # table entries are offsets relative to the table itself
                offset = get_wide_dword(table + (index << 2))
                put_unconditional_branch(ea, table + offset)
        else:
            print("Unknown code", get_operand_type(ea1, 0), get_operand_value(ea1, 0), get_operand_type(ea1, 1) == 2)
    else:
        print("Unable to detect first instruction")

Put the cursor on the line 0xB26A, run the script, and we see a jump to 0xB4B0:


Again IDA did not recognize this area as code. We help it and see another construction there:


The instructions after BLX do not seem to make sense; it looks more like some offset. Let's look at sub_4964:


And indeed, here a dword is read at the address held in LR and added to that address, after which the value at the resulting address is read and placed on the stack. In addition, 4 is added to LR so that after returning from the function that same offset is skipped. After that, the POP {R1} instruction takes the resulting value off the stack. If you look at what lies at the address 0xB4BA + 0xEA = 0xB5A4, you will see something resembling an address table:


To patch this construction, two parameters have to be extracted from the code: the offset and the number of the register into which the result is to be placed. For every possible register a piece of code has to be prepared in advance.

    # IDAPython script (Python 3 form of the script used in the analysis)
    # Replacement sequences per destination register:
    # NOP; LDR Rn, =literal; LDR Rn, [Rn]; B over the literal
    patches = {}
    patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
    patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
    patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
    patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
    patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
    patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
    # high registers need the 32-bit LDR.W encoding
    patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
    patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
    patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
    patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

    ea = here()
    if (get_wide_word(ea) == 0xb082  # SUB SP, SP, #8
            and get_wide_word(ea + 2) == 0xb503):  # PUSH {R0,R1,LR}
        if get_operand_type(ea + 4, 0) == 7:  # BLX with a near address operand
            pop = get_bytes(ea + 12, 4, 0)  # bytes of the POP that follows the offset
            if pop[1] == 0xbc:  # 16-bit POP {Rn}: register bitmask in the low byte
                register = -1
                r = get_wide_byte(ea + 12)
                for i in range(8):
                    if r == (1 << i):
                        register = i
                        break
                if register == -1:
                    print("Unable to detect register")
                else:
                    # the dword after BLX is relative to its own address (LR)
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    if ea % 4 != 0:  # align the literal pool word
                        ea += 2
                    patch_dword(ea, address)
            elif pop[:3] == b'\x5d\xf8\x04':  # 32-bit POP.W {Rn}
                register = pop[3] >> 4
                if register in patches:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    patch_dword(ea, address)
            else:
                print("POP instruction not found")
        else:
            print("Wrong operand type on +4:", get_operand_type(ea + 4, 0))
    else:
        print("Unable to detect first instructions")

We put the cursor at the beginning of the construction we want to replace, 0xB4B2, and run the script:


Besides the constructions already mentioned, the code also contains this one:


As in the previous case, after the BLX instruction there is an offset:


We take the offset from the address held in LR, add it to LR and jump there: 0x72044 + 0xC = 0x72050. The script for this construction is quite simple:

    # IDAPython script (Python 3 form of the script used in the analysis)
    def put_unconditional_branch(source, destination):
        # Encode a Thumb unconditional branch from source to destination
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 6  # the offset dword sits after PUSH and BLX
        if get_wide_word(ea + 2) == 0xbf00:  # NOP
            ea1 += 2
        offset = get_wide_dword(ea1)
        # target = address of the dword (LR) + its value
        put_unconditional_branch(ea, (ea1 + offset) & 0xffffffff)
    else:
        print("Unable to detect first instruction")

Result of running the script:


Once everything in a function is patched, you can point IDA at its real beginning. It will assemble the whole function code piece by piece, and it can then be decompiled with Hex-Rays.
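The three scripts above all rely on the same Thumb branch encoding and on the two offset constructions (table entry relative to the table, dword relative to LR). The following Python is an added example, not code from the article, that reproduces the encoding outside IDA and adds a decoder, so the halfwords a patch writes can be checked against the addresses worked out in the text; the memory image it reads from is constructed here and holds only the two entries the article walks through.

```python
import struct

def thumb_branch_bytes(source, destination):
    """Encode an unconditional Thumb branch at `source` to `destination`.

    Same arithmetic as put_unconditional_branch in the IDA scripts, but it
    returns the little-endian halfwords instead of patching the database.
    """
    offset = (destination - source - 4) >> 1          # halfwords, PC = source + 4
    if offset > 2097151 or offset < -2097152:
        raise ValueError("offset out of range for B.W")
    if offset > 1023 or offset < -1024:
        hw1 = 0xF000 | ((offset >> 11) & 0x7FF)       # 11110 S imm10
        hw2 = 0xB800 | (offset & 0x7FF)               # 10 J1 1 J2 imm11, J1 = J2 = 1
        return struct.pack("<HH", hw1, hw2)
    return struct.pack("<H", 0xE000 | (offset & 0x7FF))  # 11100 imm11


def thumb_branch_target(source, code):
    """Decode a 16-bit B (T2) or 32-bit B.W (T4) at `source`; return its target."""
    (hw1,) = struct.unpack("<H", code[:2])
    if hw1 & 0xF800 == 0xE000:                        # B <imm11>
        imm32 = (hw1 & 0x7FF) << 1
        if imm32 & 0x800:
            imm32 -= 0x1000
    elif hw1 & 0xF800 == 0xF000 and len(code) >= 4:
        (hw2,) = struct.unpack("<H", code[2:4])
        if hw2 & 0xD000 != 0x9000:
            raise ValueError("second halfword is not a B.W")
        s, imm10 = (hw1 >> 10) & 1, hw1 & 0x3FF
        j1, j2, imm11 = (hw2 >> 13) & 1, (hw2 >> 11) & 1, hw2 & 0x7FF
        i1, i2 = 1 - (j1 ^ s), 1 - (j2 ^ s)            # ARM ARM: I1 = NOT(J1 EOR S)
        imm32 = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10 << 12) | (imm11 << 1)
        if s:
            imm32 -= 1 << 25
    else:
        raise ValueError("not an unconditional Thumb branch")
    return source + 4 + imm32


def resolve_table_jump(table, index, read_dword):
    """sub_494C construction: dword at table + index*4 is relative to the table (LR)."""
    return table + read_dword(table + (index << 2))


def resolve_lr_relative(lr, read_dword):
    """BLX-plus-offset construction: the dword at LR is added to LR."""
    return lr + read_dword(lr)


# Constructed memory image holding only the two entries the article computes:
# table entry 8 at 0xB144 (value 0x120) and the offset dword at 0x72044 (0xC).
SAMPLE_MEMORY = {0xB144 + 8 * 4: 0x120, 0x72044: 0xC}

def read_sample_dword(addr):
    return SAMPLE_MEMORY[addr]


if __name__ == "__main__":
    code = thumb_branch_bytes(0xB26A, 0xB4B0)
    print(code.hex(), hex(thumb_branch_target(0xB26A, code)))
    print(hex(resolve_table_jump(0xB144, 8, read_sample_dword)))
```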

Decrypting strings

We have learned to deal with the machine code obfuscation in the library libsgmainso-6.4.36.so from UC Browser and obtained the code of the JNI_OnLoad function.

    int __fastcall real_JNI_OnLoad(JavaVM *vm)
    {
        int result; // r0
        jclass clazz; // r0 MAPDST
        int v4; // r0
        JNIEnv *env; // r4
        int v6; // [sp-40h] [bp-5Ch]
        int v7; // [sp+Ch] [bp-10h]

        v7 = *(_DWORD *)off_8AC00;
        if ( !vm )
            goto LABEL_39;
        sub_7C4F4();
        env = (JNIEnv *)sub_7C5B0(0);
        if ( !env )
            goto LABEL_39;
        v4 = sub_72CCC();
        sub_73634(v4);
        sub_73E24(&unk_83EA6, &v6, 49);
        clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
        if ( clazz
          && (sub_9EE4(),
              sub_71D68(env),
              sub_E7DC(env) >= 0
              && sub_69D68(env) >= 0
              && sub_197B4(env, clazz) >= 0
              && sub_E240(env, clazz) >= 0
              && sub_B8B0(env, clazz) >= 0
              && sub_5F0F4(env, clazz) >= 0
              && sub_70640(env, clazz) >= 0
              && sub_11F3C(env) >= 0
              && sub_21C3C(env, clazz) >= 0
              && sub_2148C(env, clazz) >= 0
              && sub_210E0(env, clazz) >= 0
              && sub_41B58(env, clazz) >= 0
              && sub_27920(env, clazz) >= 0
              && sub_293E8(env, clazz) >= 0
              && sub_208F4(env, clazz) >= 0) )
        {
            result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
        }
        else
        {
    LABEL_39:
            result = -1;
        }
        return result;
    }

Let's take a closer look at these lines:

    sub_73E24(&unk_83EA6, &v6, 49);
    clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);

In the function sub_73E24 the class name is clearly being decrypted. The function receives as parameters a pointer to data that looks encrypted, some buffer, and a number. Obviously, after the call the buffer holds the decrypted string, since it is passed to FindClass, which takes the class name as its second parameter. So the number is the buffer size or the string length. Let's try to decrypt the class name; it should tell us whether we are on the right track. Let's look more closely at what happens in sub_73E24.

    int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
    {
        int v4; // r6
        int v7; // r11
        int v8; // r9
        int v9; // r4
        size_t v10; // r5
        int v11; // r0
        struc_1 v13; // [sp+0h] [bp-30h]
        int v14; // [sp+1Ch] [bp-14h]
        int v15; // [sp+20h] [bp-10h]

        v4 = 0;
        v15 = *(_DWORD *)off_8AC00;
        v14 = 0;
        v7 = sub_7AF78(17);
        v8 = sub_7AF78(size);
        if ( !v7 )
        {
            v9 = 0;
            goto LABEL_12;
        }
        (*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
        if ( !v8 )
        {
    LABEL_9:
            v4 = 0;
            goto LABEL_10;
        }
        v4 = 0;
        if ( !in )
        {
    LABEL_10:
            v9 = 0;
            goto LABEL_11;
        }
        v9 = 0;
        if ( out )
        {
            memset(out, 0, size);
            v10 = size - 1;
            (*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
            memset(&v13, 0, 0x14u);
            v13.field_4 = 3;
            v13.field_10 = v7;
            v13.field_14 = v8;
            v11 = sub_6115C(&v13, &v14);
            v9 = v11;
            if ( v11 )
            {
                if ( *(_DWORD *)(v11 + 4) == v10 )
                {
                    qmemcpy(out, *(const void **)v11, v10);
                    v4 = *(_DWORD *)(v9 + 4);
                }
                else
                {
                    v4 = 0;
                }
                goto LABEL_11;
            }
            goto LABEL_9;
        }
    LABEL_11:
        sub_7B148(v7);
    LABEL_12:
        if ( v8 )
            sub_7B148(v8);
        if ( v9 )
            sub_7B148(v9);
        return v4;
    }

The function sub_7AF78 creates an instance of a container for a byte array of the given size (we will not dwell on these containers in detail). Two such containers are created here: one holds the string "DcO/lcK+h?m3c*q@" (it is easy to guess that this is the key), the other holds the encrypted data. Then both objects are placed in some structure, which is passed to the function sub_6115C. Let's also note the field with the value 3 in this structure. Let's see what happens to this structure next.

    int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
    {
        int v3; // lr
        unsigned int v4; // r1
        int v5; // r0
        int v6; // r1
        int result; // r0
        int v8; // r0

        *a2 = 820000;
        if ( a1 )
        {
            v3 = a1->field_14;
            if ( v3 )
            {
                v4 = a1->field_4;
                if ( v4 < 0x19 )
                {
                    switch ( v4 )
                    {
                        case 0u:
                            v8 = sub_6419C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 3u:
                            v8 = sub_6364C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 0x10u:
                        case 0x11u:
                        case 0x12u:
                            v8 = sub_612F4(
                                   a1->field_0,
                                   v4,
                                   *(_QWORD *)&a1->field_8,
                                   *(_QWORD *)&a1->field_8 >> 32,
                                   a1->field_10,
                                   v3,
                                   a2);
                            goto LABEL_17;
                        case 0x14u:
                            v8 = sub_63A28(a1->field_0, v3);
                            goto LABEL_17;
                        case 0x15u:
                            sub_61A60(a1->field_0, v3, a2);
                            return result;
                        case 0x16u:
                            v8 = sub_62440(a1->field_14);
                            goto LABEL_17;
                        case 0x17u:
                            v8 = sub_6226C(a1->field_10, v3);
                            goto LABEL_17;
                        case 0x18u:
                            v8 = sub_63530(a1->field_14);
    LABEL_17:
                            v6 = 0;
                            if ( v8 )
                            {
                                *a2 = 0;
                                v6 = v8;
                            }
                            return v6;
                        default:
                            LOWORD(v5) = 28032;
                            goto LABEL_5;
                    }
                }
            }
        }
        LOWORD(v5) = -27504;
    LABEL_5:
        HIWORD(v5) = 13;
        v6 = 0;
        *a2 = v5;
        return v6;
    }

The switch parameter is the structure field that was assigned the value 3 earlier. Look at case 3: the parameters passed to the function sub_6364C are the ones added to the structure in the previous function, i.e. the key and the encrypted data. If you look closely at sub_6364C, you can recognize the RC4 algorithm in it.

We have the algorithm and the key. Let's try to decrypt the class name. Here is what we got: com/taobao/wireless/security/adapter/JNICLibrary. Great! We are on the right track.
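For the string decryption, here is an added example (not code from the article or from the library) of the same scheme in Python: plain RC4 under the key from sub_73E56, with the size convention of sub_73E24, where the size argument counts the terminating NUL and only size-1 bytes of ciphertext are processed. The obfuscated test blobs are constructed here by running the same RC4 in the other direction; the library's real ciphertext bytes at unk_83EA6 are not reproduced.

```python
RC4_KEY = b"DcO/lcK+h?m3c*q@"  # 16-byte key string passed to the container in sub_73E56


def rc4_keystream(key, length):
    """Standard RC4: key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key, data):
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def decrypt_string(blob, size, key=RC4_KEY):
    """Mirror sub_73E24(in, out, size): `size` is the output buffer size
    including the NUL terminator, so size-1 ciphertext bytes are decrypted."""
    if size < 1 or len(blob) < size - 1:
        raise ValueError("blob shorter than size-1")
    return rc4_crypt(key, blob[:size - 1]).decode("ascii")


def obfuscate_string(text, key=RC4_KEY):
    """Constructed inverse used to build test data: returns (blob, size)
    with the same size convention as the calls seen in the decompiled code."""
    data = text.encode("ascii")
    return rc4_crypt(key, data), len(data) + 1


# The three strings the article recovers, with the sizes passed in the decompiled
# calls: 49 for the class name, 0x10 for doCommandNative, 0x29 for the signature.
CLASS_NAME = "com/taobao/wireless/security/adapter/JNICLibrary"
METHOD_NAME = "doCommandNative"
METHOD_SIG = "(I[Ljava/lang/Object;)Ljava/lang/Object;"

if __name__ == "__main__":
    blob, size = obfuscate_string(CLASS_NAME)
    print(size, blob.hex())
    print(decrypt_string(blob, size))
```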

Command number

Now we need to find the call to RegisterNatives, which will point us to the doCommandNative function. Let's look at the functions called from JNI_OnLoad, and we find it in sub_B7B0:

int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
{
    char signature[41]; // [sp+7h] [bp-55h]
    char name[16]; // [sp+30h] [bp-2Ch]
    JNINativeMethod method; // [sp+40h] [bp-1Ch]
    int v8; // [sp+4Ch] [bp-10h]

    v8 = *(_DWORD *)off_8AC00;                      // stack cookie
    decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);      // doCommandNative
    decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u); // (I[Ljava/lang/Object;)Ljava/lang/Object;
    method.name = name;
    method.signature = signature;
    method.fnPtr = sub_B69C;                        // the native implementation (doCommandNative below)
    return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
}

And indeed, a native method named doCommandNative is registered here. Now we know its address. Let's see what it does.

int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
{
    int v5; // r5
    struc_2 *a5; // r6
    int v9; // r1
    int v11; // [sp+Ch] [bp-14h]
    int v12; // [sp+10h] [bp-10h]

    v5 = 0;
    v12 = *(_DWORD *)off_8AC00;                     // stack cookie
    v11 = 0;
    a5 = (struc_2 *)malloc(0x14u);
    if ( a5 )
    {
        a5->field_0 = 0;
        a5->field_4 = 0;
        a5->field_8 = 0;
        a5->field_C = 0;
        v9 = command % 10000 / 100;                 // N2
        a5->field_0 = command / 10000;              // N1
        a5->field_4 = v9;
        a5->field_8 = command % 100;                // N3
        a5->field_C = env;
        a5->field_10 = args;
        v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);   // dispatch through the command tree
    }
    free(a5);
    if ( !v5 && v11 )
        sub_7CF34(env, v11, &byte_83ED7);
    return v5;
}

From the name you can guess that this is the entry point for all the functions the developers decided to move into the native library. We are interested in the function with number 10601.

You can see from the code that three numbers are derived from the command number: command / 10000, command % 10000 / 100 and command % 100, i.e. in our case 1, 6 and 1. These three numbers, together with the JNIEnv pointer and the arguments passed to the function, are placed in a structure and passed on. From the three numbers obtained (let's call them N1, N2 and N3) a path through the command tree is built.

Something like this:

[figure: command tree]

The tree is filled dynamically inside JNI_OnLoad. The three numbers define a path in the tree. Each leaf of the tree holds the obfuscated address of the corresponding function. The key is in the parent node. Finding the place in the code where the function we need is added to the tree is not difficult once you understand all the structures involved (we will not describe them, so as not to bloat an already large article).
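To make the dispatch concrete, here is a model of it as an added example (illustration only; not UC Browser's code). split_command() is the arithmetic doCommandNative performs; the fixed fan-out, the two-level node layout and the masking of leaf addresses by XOR with the parent node's key are assumptions made for the example, since the article only states that each leaf holds an obfuscated address and that the key lives in the parent. The mapping 10601 -> 0x5F1AC is the one found in the article; the second command, its address and the key value are made up.

```c
#include <stdint.h>
#include <stdlib.h>

struct cmd_parts { int n1, n2, n3; };

/* The split performed at the top of doCommandNative. */
struct cmd_parts split_command(int command)
{
    struct cmd_parts p;
    p.n1 = command / 10000;         /* 10601 -> 1 */
    p.n2 = command % 10000 / 100;   /*       -> 6 */
    p.n3 = command % 100;           /*       -> 1 */
    return p;
}

enum { FAN = 100 };   /* n2 and n3 are 0..99 by construction; n1 is capped at 99 here (assumption) */

struct leaf  { uint32_t masked; int present; };
struct inner { uint32_t key; struct leaf leaves[FAN]; };   /* parent of the leaves: owns the key */
struct tree  { struct inner *nodes[FAN][FAN]; };           /* indexed [n1][n2]; NULL until used */

/* Insert a handler address; the parent's key is fixed when the parent is created. */
int tree_register(struct tree *t, int command, uint32_t addr, uint32_t key)
{
    if (command < 0) return -1;
    struct cmd_parts p = split_command(command);
    if (p.n1 >= FAN) return -1;
    struct inner *in = t->nodes[p.n1][p.n2];
    if (!in) {
        in = calloc(1, sizeof *in);
        if (!in) return -1;
        in->key = key;
        t->nodes[p.n1][p.n2] = in;
    }
    in->leaves[p.n3].masked = addr ^ in->key;   /* assumed obfuscation: XOR with parent key */
    in->leaves[p.n3].present = 1;
    return 0;
}

/* Walk n1 -> n2 -> n3 and unmask; 0 means "no such command". */
uint32_t tree_resolve(const struct tree *t, int command)
{
    if (command < 0) return 0;
    struct cmd_parts p = split_command(command);
    if (p.n1 >= FAN) return 0;
    const struct inner *in = t->nodes[p.n1][p.n2];
    if (!in || !in->leaves[p.n3].present) return 0;
    return in->leaves[p.n3].masked ^ in->key;
}

void tree_free(struct tree *t)
{
    for (int i = 0; i < FAN; i++)
        for (int j = 0; j < FAN; j++) {
            free(t->nodes[i][j]);
            t->nodes[i][j] = NULL;
        }
}

/* Build a two-leaf tree the way JNI_OnLoad would, resolve `command`, tear down. */
uint32_t demo_resolve(int command)
{
    static struct tree t;   /* static: 80 KB of pointers, zero-initialised */
    tree_register(&t, 10601, 0x5F1ACu, 0xA5A5A5A5u);   /* the function the article locates */
    tree_register(&t, 10602, 0x12345u, 0xA5A5A5A5u);   /* made-up sibling under the same parent */
    uint32_t addr = tree_resolve(&t, command);
    tree_free(&t);
    return addr;
}
```

The practical consequence for the reverser is visible in demo_resolve: the leaf value alone is meaningless, so to recover a handler address from a memory dump you need the parent node, not just the leaf.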

More obfuscation

We have obtained the address of the function that is supposed to handle the traffic encryption: 0x5F1AC. But it's too early to celebrate: the UC Browser developers have prepared another surprise for us.

After obtaining the parameters from the array formed in the Java code, we arrive at the function at address 0x4D070. And here another kind of code obfuscation awaits us.

We put two indices into R7 and R4:

[figure]

We move the first index into R11:

[figure]

To get the address from the table, we use the index:

[figure]

After jumping to the first address, the second index, which sits in R4, is used. There are 230 elements in the table.

What to do about it? You can tell IDA that this is a switch: Edit -> Other -> Specify switch idiom.

[figure]

The result is ugly. But wandering through this jungle, you can spot a call to a function we already know, sub_6115C:

[figure]

There was a switch in which, for case 3, encryption was done with RC4. And in this case the structure passed to the function is filled from the parameters passed to doCommandNative. Let's recall what we had there: a MagicInt with the value 16. We look at the corresponding case, and after several transitions we find code from which the algorithm can be identified.

[figure]

This is AES!

The algorithm is known; what remains is to obtain its parameters: the mode, the key and, possibly, an initialization vector (whether there is one depends on the AES mode of operation). The structure holding them must be formed somewhere before the call to sub_6115C, but that part of the code is very heavily obfuscated, so the idea arises to patch the code so that all the parameters of the decryption function are dumped to a file.

Patch

To avoid writing all the code in assembly by hand, you can start Android Studio, write a function there that receives the same parameters as the function we are working on and writes them to a file, then copy and paste the opcodes the compiler generates.

Our colleagues from the UC Browser team also took care of making code insertion convenient. Recall that at the start of every function there is junk code that can easily be replaced with anything else. Very handy :) However, at the start of the target function there is not enough room for the code that saves all the parameters to a file. I had to split it into parts and use the junk blocks of neighbouring functions. There were four parts in total.

First part:

[figure]

In the ARM architecture the first four parameters of a function are passed in registers R0-R3; the rest, if any, are passed on the stack. The LR register holds the return address. All of this must be preserved so that the function can do its job after we dump its parameters. We also need to save every register we will use along the way, so we do PUSH.W {R0-R10,LR}. In R7 we get the address of the list of parameters passed to the function via the stack.

Using fopen we open the file /data/local/tmp/aes in "ab" mode, i.e. for appending. In R0 we put the address of the file name, in R1 the address of the string with the mode. And here the junk code runs out, so we move on to the next function. For it to keep working, at its start we put a jump to the real code of the function, bypassing the junk, and in place of the junk we put the continuation of the patch.

[figure]

Calling fopen.

The first three parameters of the aes function are of type int. Since we saved the registers to the stack at the beginning, we can simply pass the function their addresses on the stack.

[figure]

Next we have three structures containing the data size and a pointer to the data, for the key, the initialization vector and the encrypted data.

[figure]

At the end we close the file, restore the registers and hand control over to the real aes function.
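The four patch parts above, written as the ordinary C one would compile in Android Studio to lift opcodes from. This is an added example for this page, not the article's assembly and not UC Browser code. It takes what the article says the aes function receives (three ints, then three size-plus-pointer structures for key, IV and encrypted data) and appends them to the dump file in "ab" mode, one self-describing record per call; a matching reader recovers the records offline. The field order of struct blob (size, then pointer), the record format and the dump path used in the self-check are assumptions; the key, IV and data in the self-check are constructed, not real captured material.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout of the three size+pointer parameters. */
struct blob {
    uint32_t size;
    const uint8_t *data;
};

/* Append one record: int32 a,b,c; then for each blob a uint32 length and its bytes.
 * Returns 0 on success, -1 on any I/O failure. */
int dump_aes_params(const char *path, int a, int b, int c,
                    const struct blob *key, const struct blob *iv,
                    const struct blob *data)
{
    FILE *f = fopen(path, "ab");            /* "ab": earlier records survive */
    if (!f)
        return -1;
    int32_t ints[3] = { a, b, c };
    int ok = fwrite(ints, sizeof ints, 1, f) == 1;
    const struct blob *blobs[3] = { key, iv, data };
    for (int i = 0; ok && i < 3; i++) {
        uint32_t n = blobs[i]->size;
        ok = fwrite(&n, sizeof n, 1, f) == 1;
        if (ok && n)
            ok = fwrite(blobs[i]->data, 1, n, f) == n;
    }
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Offline reader: one record into fixed buffers. */
struct aes_record {
    int32_t ints[3];
    uint8_t key[64];    uint32_t keylen;
    uint8_t iv[64];     uint32_t ivlen;
    uint8_t data[4096]; uint32_t datalen;
};

static int read_blob(FILE *f, uint8_t *buf, uint32_t cap, uint32_t *len)
{
    uint32_t n;
    if (fread(&n, sizeof n, 1, f) != 1) return -1;
    if (n > cap) return -1;                         /* refuse oversized records */
    if (n && fread(buf, 1, n, f) != n) return -1;   /* truncated file */
    *len = n;
    return 0;
}

/* Returns 0 on a record read, 1 at clean end of file, -1 on a damaged record. */
int read_aes_record(FILE *f, struct aes_record *r)
{
    if (fread(r->ints, sizeof r->ints, 1, f) != 1)
        return feof(f) ? 1 : -1;
    if (read_blob(f, r->key, sizeof r->key, &r->keylen)) return -1;
    if (read_blob(f, r->iv, sizeof r->iv, &r->ivlen)) return -1;
    if (read_blob(f, r->data, sizeof r->data, &r->datalen)) return -1;
    return 0;
}

/* Self-check with constructed input: write two records to `path`, read them
 * back, return how many match what was written (2 when everything works). */
int dump_roundtrip_count(const char *path)
{
    const char *k = "0123456789abcdef";                 /* constructed 16-byte key */
    const char *v = "fedcba9876543210";                 /* constructed 16-byte IV */
    const char *d = "thirty-two bytes of ciphertext!!"; /* constructed "ciphertext" */
    struct blob key  = { (uint32_t)strlen(k), (const uint8_t *)k };
    struct blob iv   = { (uint32_t)strlen(v), (const uint8_t *)v };
    struct blob data = { (uint32_t)strlen(d), (const uint8_t *)d };
    remove(path);
    if (dump_aes_params(path, 1, 6, 1, &key, &iv, &data)) return -1;
    if (dump_aes_params(path, 1, 6, 1, &key, &iv, &data)) return -1;

    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    int matched = 0;
    struct aes_record r;
    while (read_aes_record(f, &r) == 0) {
        if (r.ints[0] == 1 && r.ints[1] == 6 && r.ints[2] == 1 &&
            r.keylen == key.size && memcmp(r.key, k, key.size) == 0 &&
            r.ivlen == iv.size && memcmp(r.iv, v, iv.size) == 0 &&
            r.datalen == data.size && memcmp(r.data, d, data.size) == 0)
            matched++;
    }
    fclose(f);
    remove(path);
    return matched;
}
```

Two details matter when transplanting this into the library: the hook must not clobber the registers it inherited (which is why the patch starts with PUSH.W and ends by restoring them), and the dump must be length-prefixed, because the browser calls the routine for much more than the update traffic and the records would otherwise be impossible to split apart afterwards.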

We build the APK with the patched library, sign it, install it on the device/emulator and launch it. We see that our dump is being created and that a lot is being written to it. The browser uses encryption for more than just traffic, and all of it passes through the function in question. But for some reason the data we need is not there, and the request we need does not show up in the traffic. So as not to wait until UC Browser decides to make the request we need, let's take the encrypted server response captured earlier and feed it to the application again: add the decryption to the onCreate of the main activity.

    const/16 v1, 0x62                       # 0x62 = 98 bytes of the captured, still encrypted response
    new-array v1, v1, [B
    fill-array-data v1, :encrypted_data     # the :encrypted_data table itself is not reproduced here
    const/16 v0, 0x1f                       # first argument expected by the decryption helper
    invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B
    move-result-object v1
    array-length v2, v1                     # log the decrypted length as a first sanity check
    invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
    move-result-object v2
    const-string v0, "ololo"                # log tag
    invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

We build, sign, install, run. We get a NullPointerException, because the method returned null.

On further analysis of the code, a function was found that decrypts interesting strings: "META-INF/" and ".RSA". It seems the application verifies its certificate. Or even derives keys from it. I don't want to dig into what happens with the certificate, so let's simply slip it the correct one. Let's patch the encrypted string so that instead of "META-INF/" we get "BLABLINF/", create a folder with that name in the APK and put the squirrel browser's own certificate in it.

We build, sign, install, run. Bingo! We have the key!

MitM

We got the key and an initialization vector to go with it. Let's try to decrypt the server response in CBC mode.

[figure: decrypted server response]

We see the archive URL, something resembling an MD5, "extract_unzipsize" and a number. We check: the MD5 of the archive matches, the size of the unpacked library matches. Let's try to patch this library and feed it to the browser. To show that our patched library has loaded, we will fire an Intent that creates an SMS with the text "PWNED!". We replace two responses from the server: puds.ucweb.com/upgrade/index.xhtml and the archive download. In the first we replace the MD5 (the size does not change after unpacking), in the second we serve the archive with the patched library.

The browser tries to download the archive several times, then reports an error. Apparently something does not suit it. Analysis of this murky format showed that the server also transmits the archive size:

[figure: response with the archive size field]

It is stored as LEB128. After patching, the size of the archive with the library changed slightly, so the browser decided the archive had been downloaded incorrectly and, after several attempts, gave an error.

We fix the archive size... And: success! :) The result is in the video.

https://www.youtube.com/watch?v=Nfns7uH03J8
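What "fixing the archive size" amounts to in the interception proxy, as an added example (not the article's tooling): decode the unsigned LEB128 size field from the response, re-encode the length of the patched archive, and shift the rest of the message if the encoded width changes. The layout of the rest of the update response is not modelled; the mini-response in the self-check is constructed, and the 624485 vector is the standard LEB128 illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Unsigned LEB128: 7 data bits per byte, low bits first, 0x80 marks "more follows".
 * Returns the number of bytes written, 0 if `cap` is too small. */
size_t uleb128_encode(uint64_t v, uint8_t *out, size_t cap)
{
    size_t n = 0;
    do {
        if (n >= cap) return 0;
        uint8_t b = v & 0x7F;
        v >>= 7;
        if (v) b |= 0x80;               /* continuation bit */
        out[n++] = b;
    } while (v);
    return n;
}

/* Returns bytes consumed, 0 on a truncated or over-long field. */
size_t uleb128_decode(const uint8_t *in, size_t len, uint64_t *out)
{
    uint64_t v = 0;
    unsigned shift = 0;
    size_t n = 0;
    while (n < len) {
        uint8_t b = in[n++];
        if (shift >= 64) return 0;      /* more than 10 bytes: malformed */
        v |= (uint64_t)(b & 0x7F) << shift;
        if (!(b & 0x80)) { *out = v; return n; }
        shift += 7;
    }
    return 0;                           /* ran out of input mid-field */
}

/* Rewrite the LEB128 field at `off` in buf (current length *len, capacity cap)
 * with new_value, moving the tail when the encoded width changes.
 * Returns 1 on success, 0 if the field is malformed or the buffer is too small. */
int uleb128_patch_field(uint8_t *buf, size_t *len, size_t cap, size_t off, uint64_t new_value)
{
    if (off > *len) return 0;
    uint64_t old;
    size_t old_w = uleb128_decode(buf + off, *len - off, &old);
    if (!old_w) return 0;
    uint8_t enc[10];
    size_t new_w = uleb128_encode(new_value, enc, sizeof enc);
    if (!new_w || *len - old_w + new_w > cap) return 0;
    memmove(buf + off + new_w, buf + off + old_w, *len - off - old_w);
    memcpy(buf + off, enc, new_w);
    *len = *len - old_w + new_w;
    return 1;
}

/* Self-check on constructed data. Returns 1 if every step behaves as expected. */
int leb128_selfcheck(void)
{
    uint8_t enc[10];
    uint64_t v;
    if (uleb128_encode(624485, enc, sizeof enc) != 3) return 0;
    if (enc[0] != 0xE5 || enc[1] != 0x8E || enc[2] != 0x26) return 0;
    if (uleb128_decode(enc, 3, &v) != 3 || v != 624485) return 0;
    /* constructed mini-response: two marker bytes, the size field, two trailing bytes */
    uint8_t resp[16] = { 'A', 'B', 0xE5, 0x8E, 0x26, 'C', 'D' };
    size_t len = 7;
    if (!uleb128_patch_field(resp, &len, sizeof resp, 2, 300)) return 0;
    if (len != 6 || resp[2] != 0xAC || resp[3] != 0x02 || resp[4] != 'C' || resp[5] != 'D') return 0;
    if (uleb128_decode(resp + 2, len - 2, &v) != 2 || v != 300) return 0;
    /* a truncated field must be rejected rather than silently decoded */
    if (uleb128_decode(enc, 2, &v) != 0) return 0;
    return 1;
}
```

The width change is the part that is easy to get wrong by hand: a 2-byte size replaced by a 3-byte one without moving the tail corrupts whatever follows the field, which produces the same "download failed, retry" behaviour as a wrong size.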

Results and the developers' reaction

In the same way, attackers could use this unsafe feature of UC Browser to distribute and run malicious libraries. Such libraries would run in the browser's context, so they would get all of its permissions. The consequences: the ability to show phishing windows, and access to the working files of the orange Chinese squirrel, including logins, passwords and cookies stored in its database.

We contacted the UC Browser developers and informed them of the problem we had found; we tried to point out the vulnerability and its danger, but they did not discuss anything with us. Meanwhile the browser went on flaunting its dangerous feature in plain sight. But once we had disclosed the details of the vulnerability, it was no longer possible to ignore it as before. On March 27 a new version of UC Browser, 12.10.9.1193, was released, which contacted the server over HTTPS: puds.ucweb.com/upgrade/index.xhtml.

In addition, after the "fix" and up to the time of writing this article, attempting to open a PDF in the browser produced an error with the text "Oops, something went wrong!". No request to the server was made when trying to open a PDF, but a request was made when the browser started, which hints at the continued ability to download executable code in violation of Google Play rules.

Source: www.habr.com
