Looking for vulnerabilities in UC Browser


Introduction

At the end of March we reported that we had found a hidden capability in UC Browser to download and run unverified code. Today we will look in detail at how this download happens and how attackers could use it for their own purposes.

Some time ago, UC Browser was advertised and distributed very aggressively: it was installed on users' devices by malware, it was distributed from various sites under the guise of video files (that is, users thought they were downloading, say, a porn video, but instead received an APK with this browser), and it used scary banners with messages that the browser was outdated, vulnerable, and so on. In the official UC Browser group on VK there is a thread where users can complain about unfair advertising, and there are plenty of examples there. In 2016 there was even video advertising in Russian (yes, advertising for a browser that blocks ads).

At the time of writing, UC Browser has over 500 million installs on Google Play. This is impressive: only Google Chrome has more. Among the reviews you can see quite a few complaints about advertising and redirects to other applications on Google Play. This was the reason for our research: we decided to see whether UC Browser does something bad. And it turned out that it does!

In the application code we found the ability to download and run executable code, which violates the rules for publishing applications on Google Play. Besides the fact that UC Browser downloads executable code at all, it does so insecurely, which can be used to carry out a MitM attack. Let's see whether we can carry out such an attack.

Everything written below concerns the version of UC Browser that was on Google Play at the time of the study:

package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
sha1 of the APK file: f5edb2243413c777172f6362876041eb0c3a928c

Attack vector

In the UC Browser manifest you can find a service with the self-explanatory name com.uc.deployment.UpgradeDeployService.

    <service android:exported="false" android:name="com.uc.deployment.UpgradeDeployService" android:process=":deploy" />

When this service starts, the browser makes a POST request to puds.ucweb.com/upgrade/index.xhtml, which can be seen in the traffic some time after startup. In response it may receive a command to download some update or a new module. During the analysis the server did not issue such commands, but we noticed that when we try to open a PDF in the browser, it makes a second request to the address given above, and then downloads a native library. To carry out the attack we decided to use this feature of UC Browser: the ability to open a PDF with a native library that is not in the APK and that is downloaded from the Internet when needed. It is worth noting that, in theory, UC Browser can be forced to download something without any user interaction: you only need to give a correctly formed response to the request made after the browser starts. But for that we would have to study the protocol of interaction with the server in more detail, so we decided it would be easier to modify the intercepted response and substitute the library for working with PDF.

So, when a user wants to open a PDF directly in the browser, the following requests can be seen in the traffic:

[screenshot]

First there is a POST request to puds.ucweb.com/upgrade/index.xhtml, then an archive with the library for viewing PDF and office formats is downloaded. It is reasonable to assume that the first request sends information about the system (at least the architecture, so that the right library can be supplied), and that in response the browser receives some information about the library it has to download: the address and, possibly, something else. The problem is that this request is encrypted.

Request fragment:

[screenshot]

Response fragment:

[screenshot]

The library itself is packed in a ZIP archive and is not encrypted.

[screenshot]

Looking for the traffic decryption code

Let's try to decrypt the server's response. Let's look at the code of the class com.uc.deployment.UpgradeDeployService: from the onStartCommand method we get to com.uc.deployment.bx, and from there to com.uc.browser.core.dcfe:

    public final void e(l arg9) {
        int v4_5;
        String v3_1;
        byte[] v3;
        byte[] v1 = null;
        if(arg9 == null) {
            v3 = v1;
        }
        else {
            v3_1 = arg9.iGX.ipR;
            StringBuilder v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]product:");
            v4.append(arg9.iGX.ipR);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]version:");
            v4.append(arg9.iGX.iEn);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]upgrade_type:");
            v4.append(arg9.iGX.mMode);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]force_flag:");
            v4.append(arg9.iGX.iEo);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_mode:");
            v4.append(arg9.iGX.iDQ);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_type:");
            v4.append(arg9.iGX.iEr);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_state:");
            v4.append(arg9.iGX.iEp);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_file:");
            v4.append(arg9.iGX.iEq);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apk_md5:");
            v4.append(arg9.iGX.iEl);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_type:");
            v4.append(arg9.mDownloadType);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_group:");
            v4.append(arg9.mDownloadGroup);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_path:");
            v4.append(arg9.iGH);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_child_version:");
            v4.append(arg9.iGX.iEx);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_series:");
            v4.append(arg9.iGX.iEw);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_arch:");
            v4.append(arg9.iGX.iEt);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp3:");
            v4.append(arg9.iGX.iEv);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp:");
            v4.append(arg9.iGX.iEu);
            ArrayList v3_2 = arg9.iGX.iEz;
            if(v3_2 != null && v3_2.size() != 0) {
                Iterator v3_3 = v3_2.iterator();
                while(v3_3.hasNext()) {
                    Object v4_1 = v3_3.next();
                    StringBuilder v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_name:");
                    v5.append(((au)v4_1).getName());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_name:");
                    v5.append(((au)v4_1).aDA());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_code:");
                    v5.append(((au)v4_1).gBl);
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_req_type:");
                    v5.append(((au)v4_1).gBq);
                }
            }
            j v3_4 = new j();
            m.b(v3_4);
            h v4_2 = new h();
            m.b(v4_2);
            ay v5_1 = new ay();
            v3_4.hS("");
            v3_4.setImsi("");
            v3_4.hV("");
            v5_1.bPQ = v3_4;
            v5_1.bPP = v4_2;
            v5_1.yr(arg9.iGX.ipR);
            v5_1.gBF = arg9.iGX.mMode;
            v5_1.gBI = arg9.iGX.iEz;
            v3_2 = v5_1.gAr;
            c.aBh();
            v3_2.add(g.fs("os_ver", c.getRomInfo()));
            v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
            v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
            String v4_3 = com.uc.b.a.a.c.Pd();
            v3_2.add(g.fs("cpu_vfp", v4_3));
            v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
            v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
            v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
            v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
            v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
            v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
            v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
            v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
            v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
            v3_2.add(g.fs("child_ver", r.aVw()));
            v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));
            v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature()));
            v3_2.add(g.fs("upgrade_log", i.bjt()));
            v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
            v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
            v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
            v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
            v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
            v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
            boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
            v3_2.add(g.fs("neon", String.valueOf(v4_4)));
            v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
            v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
            v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
            c.aBh();
            v3_2.add(g.fs("rom_1", c.getRomInfo()));
            v4_5 = e.getScreenWidth();
            int v6 = e.getScreenHeight();
            StringBuilder v7 = new StringBuilder();
            v7.append(v4_5);
            v7.append("*");
            v7.append(v6);
            v3_2.add(g.fs("ss", v7.toString()));
            v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
            v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));
            Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
            while(v4_6.hasNext()) {
                Object v6_1 = v4_6.next();
                v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
            }
            v3 = v5_1.toByteArray();
        }
        if(v3 == null) {
            this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
            return;
        }
        v4_5 = this.iGY.iGw ? 0x1F : 0;
        if(v3 == null) {
        }
        else {
            v3 = g.i(v4_5, v3);
            if(v3 == null) {
            }
            else {
                v1 = new byte[v3.length + 16];
                byte[] v6_2 = new byte[16];
                Arrays.fill(v6_2, 0);
                v6_2[0] = 0x5F;
                v6_2[1] = 0;
                v6_2[2] = ((byte)v4_5);
                v6_2[3] = -50;
                System.arraycopy(v6_2, 0, v1, 0, 16);
                System.arraycopy(v3, 0, v1, 16, v3.length);
            }
        }
        if(v1 == null) {
            this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
            return;
        }
        if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
            this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
            return;
        }
        StringBuilder v0 = new StringBuilder("[");
        v0.append(arg9.iGX.ipR);
        v0.append("]url:");
        v0.append(this.iGY.mUpgradeUrl);
        com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
        v3_1 = this.iGY.mUpgradeUrl;
        com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
        v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
        n v3_5 = v0_2.uc(v3_1);
        m.b(v3_5, false);
        v3_5.setMethod("POST");
        v3_5.setBodyProvider(v1);
        v0_2.b(v3_5);
        this.iGY.iGI.a(arg9, "up_null", "yes", "success");
        this.iGY.iGI.b(arg9);
    }

Here we see the POST request being built. Note the creation of a 16-byte array and how it is filled: 0x5F, 0, 0x1F, -50 (= 0xCE). This matches what we saw in the request above.

In the same class you can see a nested class with another interesting method:

    public final void a(l arg10, byte[] arg11) {
        f v0 = this.iGQ;
        StringBuilder v1 = new StringBuilder("[");
        v1.append(arg10.iGX.ipR);
        v1.append("]:UpgradeSuccess");
        byte[] v1_1 = null;
        if(arg11 == null) {
        }
        else if(arg11.length < 16) {
        }
        else {
            if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
                goto label_57;
            }
            int v3 = 1;
            int v5 = arg11[1] == 1 ? 1 : 0;
            if(arg11[2] != 1 && arg11[2] != 11) {
                if(arg11[2] == 0x1F) {
                }
                else {
                    v3 = 0;
                }
            }
            byte[] v7 = new byte[arg11.length - 16];
            System.arraycopy(arg11, 16, v7, 0, v7.length);
            if(v3 != 0) {
                v7 = g.j(arg11[2], v7);
            }
            if(v7 == null) {
                goto label_57;
            }
            if(v5 != 0) {
                v1_1 = g.P(v7);
                goto label_57;
            }
            v1_1 = v7;
        }
    label_57:
        if(v1_1 == null) {
            v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
            return;
        }
        q v11 = g.b(arg10, v1_1);
        if(v11 == null) {
            v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
            return;
        }
        if(v0.iGY.iGt) {
            v0.d(arg10);
        }
        if(v0.iGY.iGo != null) {
            v0.iGY.iGo.a(0, ((o)v11));
        }
        if(v0.iGY.iGs) {
            v0.iGY.a(((o)v11));
            v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
            v0.iGY.iGI.a(v11);
            return;
        }
        v0.iGY.iGI.a(v11, "up_silent", "no", "success");
    }
    }

The method takes a byte array as input and checks that the zero byte is 0x60 or the third byte is 0xD0, and that the second byte is 1, 11 or 0x1F. We look at the server's response: the zero byte is 0x60, the second is 0x1F, the third is 0x60. Looks like what we need. Judging by the strings ("up_decrypt", for example), a method that decrypts the server's response should be called somewhere here.

Let's move on to the method g.j. Note that its first argument is the byte at offset 2 (that is, 0x1F in our case), and the second is the server's response without the first 16 bytes.

    public static byte[] j(int arg1, byte[] arg2) {
        if(arg1 == 1) {
            arg2 = c.c(arg2, c.adu);
        }
        else if(arg1 == 11) {
            arg2 = m.aF(arg2);
        }
        else if(arg1 != 0x1F) {
        }
        else {
            arg2 = EncryptHelper.decrypt(arg2);
        }
        return arg2;
    }

Obviously, this is where the decryption algorithm is selected, and the byte that in our case equals 0x1F indicates one of three possible options.

We continue analyzing the code. After a couple of jumps we find ourselves in a method with the self-explanatory name decryptBytesByKey.

Here two more bytes are split off from our response, and a string is obtained from them. It is clear that this is how the key for decrypting the message is selected.

    private static byte[] decryptBytesByKey(byte[] bytes) {
        byte[] v0 = null;
        if(bytes != null) {
            try {
                if(bytes.length < EncryptHelper.PREFIX_BYTES_SIZE) {
                }
                else if(bytes.length == EncryptHelper.PREFIX_BYTES_SIZE) {
                    return v0;
                }
                else {
                    byte[] prefix = new byte[EncryptHelper.PREFIX_BYTES_SIZE];  // 2 bytes
                    System.arraycopy(bytes, 0, prefix, 0, prefix.length);
                    String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort()); // key selection
                    if(keyId == null) {
                        return v0;
                    }
                    else {
                        a v2 = EncryptHelper.ayL();
                        if(v2 == null) {
                            return v0;
                        }
                        else {
                            byte[] enrypted = new byte[bytes.length - EncryptHelper.PREFIX_BYTES_SIZE];
                            System.arraycopy(bytes, EncryptHelper.PREFIX_BYTES_SIZE, enrypted, 0, enrypted.length);
                            return v2.l(keyId, enrypted);
                        }
                    }
                }
            }
            catch(SecException v7_1) {
                EncryptHelper.handleDecryptException(((Throwable)v7_1), v7_1.getErrorCode());
                return v0;
            }
            catch(Throwable v7) {
                EncryptHelper.handleDecryptException(v7, 2);
                return v0;
            }
        }
        return v0;
    }

Looking ahead, we note that at this point we have not yet obtained the key, only its "identifier". Obtaining the key is somewhat more complicated.

In the next method, two more parameters are added to the existing ones, making four in total: the magic number 16, the key identifier, the encrypted data, and an unclear string (in our case, empty).

    public final byte[] l(String keyId, byte[] encrypted) throws SecException {
        return this.ayJ().staticBinarySafeDecryptNoB64(16, keyId, encrypted, "");
    }
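To keep the framing straight before going further, here is a small Python reconstruction of what the three Java methods above agree on: the request carries a 16-byte header (0x5F, 0, mode, 0xCE), the response is accepted when byte 0 is 0x60 or byte 3 is 0xD0, byte 2 selects the routine in g.j, and for mode 0x1F decryptBytesByKey strips a 2-byte big-endian key identifier before the ciphertext. This is added example code, not UC Browser's own; the sample response bytes are constructed here, the key identifier 7 in it is made up, and what mode 1 and 11 do to the body (c.c and m.aF) is not reconstructed, so the parser only hands the body back for them.

```python
import struct
from dataclasses import dataclass
from typing import Optional

HEADER_LEN = 16            # fixed header on both the request and the response
PREFIX_BYTES_SIZE = 2      # EncryptHelper.PREFIX_BYTES_SIZE: the key identifier
ALGO_SELECTORS = (1, 11, 0x1F)   # values of byte 2 that g.j knows how to handle


def build_request_header(mode: int = 0x1F) -> bytes:
    """The 16 bytes method e() prepends to the encrypted request body."""
    hdr = bytearray(HEADER_LEN)          # Arrays.fill(v6_2, 0)
    hdr[0] = 0x5F
    hdr[1] = 0
    hdr[2] = mode                        # (byte) v4_5, 0x1F when iGw is set
    hdr[3] = 0xCE                        # -50 as a signed Java byte
    return bytes(hdr)


@dataclass
class UpgradeResponse:
    mode: int                  # byte 2: selects the decryption routine in g.j
    post_process: bool         # byte 1 == 1: g.P() is applied after decryption
    key_id: Optional[int]      # 2-byte prefix read by decryptBytesByKey (mode 0x1F only)
    ciphertext: bytes          # what is handed to the selected decryption routine


def parse_upgrade_response(data: bytes) -> UpgradeResponse:
    """Apply the checks of method a() and decryptBytesByKey() to a raw response."""
    if len(data) < HEADER_LEN:
        raise ValueError("response shorter than the 16-byte header")
    # Java: if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) goto label_57
    # i.e. the response is rejected only when BOTH magic bytes are wrong.
    if data[0] != 0x60 and data[3] != 0xD0:
        raise ValueError("neither byte 0 == 0x60 nor byte 3 == 0xD0")
    mode = data[2]
    if mode not in ALGO_SELECTORS:
        raise ValueError("unknown algorithm selector 0x%02x" % mode)
    body = data[HEADER_LEN:]
    key_id = None
    if mode == 0x1F:
        # decryptBytesByKey returns null for length <= PREFIX_BYTES_SIZE
        if len(body) <= PREFIX_BYTES_SIZE:
            raise ValueError("no ciphertext after the key identifier")
        # ByteBuffer.wrap(prefix).getShort() reads a big-endian signed short
        key_id = struct.unpack(">h", body[:PREFIX_BYTES_SIZE])[0]
        body = body[PREFIX_BYTES_SIZE:]
    return UpgradeResponse(mode, data[1] == 1, key_id, body)


def is_rejected(data: bytes) -> bool:
    """True when method a() would log up_decrypt/fail instead of decrypting."""
    try:
        parse_upgrade_response(data)
        return False
    except ValueError:
        return True


# Constructed sample (not captured traffic): valid header, key id 7, dummy ciphertext.
SAMPLE_RESPONSE = (bytes([0x60, 0x00, 0x1F, 0xD0]) + bytes(12)
                   + b"\x00\x07" + b"<ciphertext bytes>")

if __name__ == "__main__":
    print(build_request_header().hex())
    print(parse_upgrade_response(SAMPLE_RESPONSE))
```

The parser stops exactly where the Java code does: after it you still hold ciphertext plus a key identifier, not a key, which is the point the next section makes.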

After a sequence of transitions we reach the method staticBinarySafeDecryptNoB64 of the interface com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponent. There are no classes in the main application code that implement this interface. There is such a class in the file lib/armeabi-v7a/libsgmain.so, which is actually not a .so but a .jar. The method we are interested in is implemented as follows:

    package com.alibaba.wireless.security.a.i;
    // ...
    public class a implements IStaticDataEncryptComponent {
        private ISecurityGuardPlugin a;
        // ...
        private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
            return this.a.getRouter().doCommand(10601, new Object[]{Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt), keyId, encrypted, magicString});
        }
        // ...
        private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
            return this.a(2, magicInt, 0, keyId, encrypted, magicString);
        }
        // ...
        public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
            if(keyId != null && keyId.length() > 0 && magicInt >= 0 && magicInt < 19 && encrypted != null && encrypted.length > 0) {
                return this.b(magicInt, keyId, encrypted, magicString);
            }
            throw new SecException("", 301);
        }
        //...
    }

Here our list of parameters is extended with two more integers: 2 and 0. By all appearances, 2 means decryption, as in the doFinal method of the system class javax.crypto.Cipher. And all of this is passed to some Router together with the number 10601, which is apparently a command number.

After the next chain of transitions we find a class that implements the IRouterComponent interface and the doCommand method:

    package com.alibaba.wireless.security.mainplugin;
    import com.alibaba.wireless.security.framework.IRouterComponent;
    import com.taobao.wireless.security.adapter.JNICLibrary;
    public class a implements IRouterComponent {
        public a() {
            super();
        }
        public Object doCommand(int arg2, Object[] arg3) {
            return JNICLibrary.doCommandNative(arg2, arg3);
        }
    }

And also the JNICLibrary class, in which the native method doCommandNative is declared:

    package com.taobao.wireless.security.adapter;
    public class JNICLibrary {
        public static native Object doCommandNative(int arg0, Object[] arg1);
    }

This means we need to find the doCommandNative method in the native code. And this is where the fun begins.

Machine code obfuscation

The file libsgmain.so (which is actually a .jar, and in which we just found the implementation of a few encryption-related interfaces) contains one native library: libsgmainso-6.4.36.so. We open it in IDA and get a pile of dialog boxes with errors. The problem is that the section header table is invalid. This is done deliberately to complicate the analysis.

[screenshot]

But it is not needed: to load an ELF file correctly and analyze it, the program header table is enough. So we simply delete the section table by zeroing the corresponding fields in the header.

[screenshot]

Open the file in IDA again.
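The header edit described above (clearing the section-table fields so the loader relies on the program headers alone) can be scripted instead of done by hand in a hex editor. The following Python is an added example, not a tool from the article; it handles little-endian ELF32 and ELF64, and the sample header it operates on is constructed here with a deliberately bogus e_shoff/e_shnum to imitate the damaged table, not taken from libsgmainso-6.4.36.so.

```python
import struct

# ELF header layouts (little-endian): e_ident plus the numeric fields in order.
ELF32_HDR = "<16sHHIIIIIHHHHHH"   # 52 bytes
ELF64_HDR = "<16sHHIQQQIHHHHHH"   # 64 bytes
FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff",
          "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
          "e_shentsize", "e_shnum", "e_shstrndx")


def _layout(elf: bytes) -> str:
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[5] != 1:
        raise ValueError("only little-endian ELF is handled here")
    if elf[4] == 1:
        return ELF32_HDR
    if elf[4] == 2:
        return ELF64_HDR
    raise ValueError("bad EI_CLASS")


def read_elf_header(elf: bytes) -> dict:
    fmt = _layout(elf)
    return dict(zip(FIELDS, struct.unpack_from(fmt, elf, 0)))


def section_table_is_valid(elf: bytes) -> bool:
    """The sanity check a loader makes before trusting the section headers."""
    h = read_elf_header(elf)
    end = h["e_shoff"] + h["e_shnum"] * h["e_shentsize"]
    return end <= len(elf) and (h["e_shnum"] == 0 or h["e_shstrndx"] < h["e_shnum"])


def strip_section_headers(elf: bytes) -> bytes:
    """Return a copy with e_shoff/e_shentsize/e_shnum/e_shstrndx zeroed.
    Program headers are untouched, which is all IDA needs to load the file."""
    fmt = _layout(elf)
    h = read_elf_header(elf)
    for name in ("e_shoff", "e_shentsize", "e_shnum", "e_shstrndx"):
        h[name] = 0
    out = bytearray(elf)
    struct.pack_into(fmt, out, 0, *[h[f] for f in FIELDS])
    return bytes(out)


# Constructed sample: a minimal ARM ELF32 shared object header whose section
# table points far outside the file, followed by room for two program headers.
SAMPLE_ELF32 = struct.pack(
    ELF32_HDR,
    b"\x7fELF\x01\x01\x01" + bytes(9),   # ELFCLASS32, little-endian, EV_CURRENT
    3, 40, 1, 0,                         # ET_DYN, EM_ARM, EV_CURRENT, e_entry
    52, 0x7FFFFFF0,                      # e_phoff right after the header; bogus e_shoff
    0x5000200, 52, 32, 2,                # e_flags, e_ehsize, e_phentsize, e_phnum
    40, 0xFFFF, 0xFFFF,                  # e_shentsize, garbage e_shnum / e_shstrndx
) + bytes(64)

if __name__ == "__main__":
    print("before:", section_table_is_valid(SAMPLE_ELF32))
    fixed = strip_section_headers(SAMPLE_ELF32)
    print("after:", section_table_is_valid(fixed), read_elf_header(fixed)["e_shnum"])
```

Setting e_shoff and e_shnum to zero is the spec's way of saying "no section header table", so the result is a well-formed file rather than a merely tolerated one.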

There are two ways to tell the Java virtual machine where exactly in a native library the implementation of a method declared as native in Java code is located. The first is to give it a name of the form Java_package_name_ClassName_MethodName.

The second is to register it when the library is loaded (in the JNI_OnLoad function) with a call to the RegisterNatives function.

In our case, if the first way were used, the name would have to be Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative.

There is no such function among the exported ones, which means we have to look for the RegisterNatives call. We go to the JNI_OnLoad function and see this picture:

[screenshot]

What is happening here? At first glance the beginning and end of the function are typical for the ARM architecture. The first instruction pushes onto the stack the registers the function is going to use (in this case R0, R1 and R2) together with the LR register, which holds the return address. The last instruction restores the saved registers, and the return address goes straight into the PC register, which is how the function returns. But if you look closely, you'll notice that the penultimate instruction changes the return address saved on the stack. Let's calculate what it will be after this code runs. Some address 0xB130 is loaded into R1, 5 is subtracted from it, then it is moved to R0 and 0x10 is added to it. The result is 0xB13B. So IDA thinks the last instruction is an ordinary return from the function, but in fact it is a jump to the computed address 0xB13B.

It is worth recalling here that ARM processors have two modes and two instruction sets: ARM and Thumb. The least significant bit of the address tells the processor which instruction set is in use. That is, the address is actually 0xB13A, and the one in the least significant bit indicates Thumb mode.

A similar "adapter" is added to the beginning of every function in this library, along with junk code. We won't dwell on them any further; we just remember that the real beginning of almost every function is a little further on.

Since there is no explicit jump to 0xB13A in the code, IDA itself did not recognize that there is code at this location. For the same reason it does not recognize most of the code in the library as code, which makes the analysis somewhat harder. We tell IDA that this is code, and this is what happens:

[screenshot]

A table clearly starts at 0xB144. What is in sub_494C?

[screenshot]

When this function is called, the LR register contains the address of the table mentioned above (0xB144), and R0 contains an index into that table. That is, a value is taken from the table, added to LR, and the result is the address to jump to. Let's try to calculate it: 0xB144 + [0xB144 + 8*4] = 0xB144 + 0x120 = 0xB264. We go to the resulting address and see literally a few useful instructions and again a jump to 0xB140:

[screenshot]

Now there will be a jump to the offset with index 0x20 from the table.

Judging by the size of the table, there will be a lot of such jumps in the code. The question is whether this can be handled somehow more automatically, without calculating addresses by hand. Scripting and the ability to patch code in IDA come to our rescue:

    def put_unconditional_branch(source, destination):
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503: #PUSH {R0,R1,LR}
        ea1 = ea + 2
        if get_wide_word(ea1) == 0xbf00: #NOP
            ea1 += 2
        if get_operand_type(ea1, 0) == 1 and get_operand_value(ea1, 0) == 0 and get_operand_type(ea1, 1) == 2:
            index = get_wide_dword(get_operand_value(ea1, 1))
            print "index =", hex(index)
            ea1 += 2
            if get_operand_type(ea1, 0) == 7:
                table = get_operand_value(ea1, 0) + 4
            elif get_operand_type(ea1, 1) == 2:
                table = get_operand_value(ea1, 1) + 4
            else:
                print "Wrong operand type on", hex(ea1), "-", get_operand_type(ea1, 0), get_operand_type(ea1, 1)
                table = None
            if table is None:
                print "Unable to find table"
            else:
                print "table =", hex(table)
                offset = get_wide_dword(table + (index << 2))
                put_unconditional_branch(ea, table + offset)
        else:
            print "Unknown code", get_operand_type(ea1, 0), get_operand_value(ea1, 0), get_operand_type(ea1, 1) == 2
    else:
        print "Unable to detect first instruction"

We put the cursor on the line 0xB26A, run the script and see the jump to 0xB4B0:

[screenshot]

IDA again did not recognize this location as code. We help it and see another construct there:

[screenshot]

The instruction after BLX doesn't look meaningful; it looks more like some kind of offset. Let's look at sub_4964:

[screenshot]

And indeed, here a dword is read at the address in LR and added to that address, after which the value at the resulting address is read and pushed onto the stack. Also, 4 is added to LR so that after returning from the function this very offset is skipped. After that, the POP {R1} instruction takes the resulting value from the stack. If you look at what is at address 0xB4BA + 0xEA = 0xB5A4, you'll see something that looks like an address table:

[screenshot]

To patch this construct you need to extract two parameters from the code: the offset and the number of the register into which the result must be placed. For every possible register a piece of code has to be prepared in advance.

    patches = {}
    patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
    patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
    patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
    patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
    patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
    patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
    patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
    patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
    patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
    patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

    ea = here()
    if (get_wide_word(ea) == 0xb082 #SUB SP, SP, #8
        and get_wide_word(ea + 2) == 0xb503): #PUSH {R0,R1,LR}
        if get_operand_type(ea + 4, 0) == 7:
            pop = get_bytes(ea + 12, 4, 0)
            if pop[1] == '\xbc':  # 16-bit POP {Rn}: low byte is the register mask
                register = -1
                r = get_wide_byte(ea + 12)
                for i in range(8):
                    if r == (1 << i):
                        register = i
                        break
                if register == -1:
                    print "Unable to detect register"
                else:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    if ea % 4 != 0:
                        ea += 2
                    patch_dword(ea, address)
            elif pop[:3] == '\x5d\xf8\x04':  # 32-bit POP.W {Rn} (LDR.W Rn, [SP], #4)
                register = ord(pop[3]) >> 4
                if register in patches:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    patch_dword(ea, address)
            else:
                print "POP instruction not found"
        else:
            print "Wrong operand type on +4:", get_operand_type(ea + 4, 0)
    else:
        print "Unable to detect first instructions"

We put the cursor at the beginning of the construct we want to replace (0xB4B2) and run the script:

[screenshot]

Besides the constructs already described, the code also contains the following one:

[screenshot]

As in the previous case, there is an offset after the BLX instruction:

[screenshot]

We take the offset to the address from LR, add it to LR and go there. 0x72044 + 0xC = 0x72050. The script for this construct is quite simple:

    def put_unconditional_branch(source, destination):
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503: #PUSH {R0,R1,LR}
        ea1 = ea + 6
        if get_wide_word(ea + 2) == 0xbf00: #NOP
            ea1 += 2
        offset = get_wide_dword(ea1)
        put_unconditional_branch(ea, (ea1 + offset) & 0xffffffff)
    else:
        print "Unable to detect first instruction"

The result of running the script:

[screenshot]

Once everything in a function has been patched, you can point IDA at its real beginning. It will assemble the whole function from the pieces, and it can then be decompiled with Hex-Rays.

Decrypting strings

We have learned to deal with the machine code obfuscation in the library libsgmainso-6.4.36.so from UC Browser and obtained the code of the JNI_OnLoad function.
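Both the table-jump script and the LR-relative-offset script above end the same way: they compute a destination and overwrite the obfuscated prologue with a plain Thumb branch. The Python below, written for this page as an added example and not one of the article's IDA scripts, does that arithmetic outside IDA so it can be checked: it encodes the same 16-bit B / 32-bit B.W forms as put_unconditional_branch, decodes them back, resolves a sub_494C-style table jump, and patches a branch into an in-memory image. The image and its table contents are constructed here; only the addresses (0xB144, index 8, 0xB264, 0xB26A, 0xB4B0, 0xB140, 0x72050) are the ones the text works through.

```python
import struct


def encode_thumb_branch(source: int, destination: int) -> bytes:
    """Thumb unconditional branch placed at `source`, targeting `destination`.
    Same encoding choices as put_unconditional_branch in the IDA scripts."""
    offset = (destination - source - 4) >> 1          # halfwords, PC = source + 4
    if not -2097152 <= offset <= 2097151:
        raise ValueError("destination out of B.W range")
    if -1024 <= offset <= 1023:                       # 16-bit B <label>, encoding T2
        return struct.pack("<H", 0xE000 | (offset & 0x7FF))
    hw1 = 0xF000 | ((offset >> 11) & 0x7FF)          # 11110 S imm10
    hw2 = 0xB800 | (offset & 0x7FF)                  # 10 J1=1 1 J2=1 imm11 (B.W, T4)
    return struct.pack("<HH", hw1, hw2)


def decode_thumb_branch(source: int, code: bytes):
    """Inverse of the above: (destination, instruction length in bytes)."""
    hw1 = struct.unpack_from("<H", code, 0)[0]
    if hw1 & 0xF800 == 0xE000:                         # 16-bit B
        offset = hw1 & 0x7FF
        if offset & 0x400:                             # sign bit of imm11
            offset -= 0x800
        return source + 4 + 2 * offset, 2
    if hw1 & 0xF800 == 0xF000:                         # 32-bit B.W
        hw2 = struct.unpack_from("<H", code, 2)[0]
        if hw2 & 0xD000 != 0x9000:                     # second halfword must be 10x1x....
            raise ValueError("not a B.W second halfword")
        s = (hw1 >> 10) & 1
        i1 = 1 - (((hw2 >> 13) & 1) ^ s)               # I1 = NOT(J1 XOR S)
        i2 = 1 - (((hw2 >> 11) & 1) ^ s)               # I2 = NOT(J2 XOR S)
        offset = ((s << 23) | (i1 << 22) | (i2 << 21)
                  | ((hw1 & 0x3FF) << 11) | (hw2 & 0x7FF))
        if s:
            offset -= 1 << 24
        return source + 4 + 2 * offset, 4
    raise ValueError("not an unconditional Thumb branch")


def resolve_table_jump(image: bytes, image_base: int, table: int, index: int) -> int:
    """What sub_494C computes: table + dword[table + index * 4]."""
    delta = struct.unpack_from("<I", image, table - image_base + index * 4)[0]
    return (table + delta) & 0xFFFFFFFF


def patch_branch(image: bytearray, image_base: int, source: int, destination: int) -> int:
    """Overwrite the bytes at `source` with a branch; returns bytes written."""
    code = encode_thumb_branch(source, destination)
    off = source - image_base
    image[off:off + len(code)] = code
    return len(code)


def build_sample_image():
    """Constructed image: 0x600 zero bytes mapped at 0xB000 with one table entry,
    index 8 of the table at 0xB144 holding 0x120 (the value the text reads)."""
    image = bytearray(0x600)
    base = 0xB000
    struct.pack_into("<I", image, 0xB144 - base + 8 * 4, 0x120)
    return image, base


if __name__ == "__main__":
    image, base = build_sample_image()
    target = resolve_table_jump(image, base, 0xB144, 8)
    print(hex(target))                                          # 0xb264
    n = patch_branch(image, base, 0xB26A, 0xB4B0)
    print(n, decode_thumb_branch(0xB26A, bytes(image[0x26A:0x26A + n])))
```

The round-trip decoder is the useful part when writing such patch scripts: an off-by-one in the halfword arithmetic silently lands the branch two bytes away, and re-decoding what was written catches it before IDA's disassembly view has to.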

    int __fastcall real_JNI_OnLoad(JavaVM *vm)
    {
        int result; // r0
        jclass clazz; // r0 MAPDST
        int v4; // r0
        JNIEnv *env; // r4
        int v6; // [sp-40h] [bp-5Ch]
        int v7; // [sp+Ch] [bp-10h]

        v7 = *(_DWORD *)off_8AC00;
        if ( !vm )
            goto LABEL_39;
        sub_7C4F4();
        env = (JNIEnv *)sub_7C5B0(0);
        if ( !env )
            goto LABEL_39;
        v4 = sub_72CCC();
        sub_73634(v4);
        sub_73E24(&unk_83EA6, &v6, 49);
        clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
        if ( clazz
          && (sub_9EE4(),
              sub_71D68(env),
              sub_E7DC(env) >= 0
           && sub_69D68(env) >= 0
           && sub_197B4(env, clazz) >= 0
           && sub_E240(env, clazz) >= 0
           && sub_B8B0(env, clazz) >= 0
           && sub_5F0F4(env, clazz) >= 0
           && sub_70640(env, clazz) >= 0
           && sub_11F3C(env) >= 0
           && sub_21C3C(env, clazz) >= 0
           && sub_2148C(env, clazz) >= 0
           && sub_210E0(env, clazz) >= 0
           && sub_41B58(env, clazz) >= 0
           && sub_27920(env, clazz) >= 0
           && sub_293E8(env, clazz) >= 0
           && sub_208F4(env, clazz) >= 0) )
        {
            result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
        }
        else
        {
    LABEL_39:
            result = -1;
        }
        return result;
    }

Let's look at the following lines:

    sub_73E24(&unk_83EA6, &v6, 49);
    clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);

The function sub_73E24 clearly decrypts a class name. Its parameters are a pointer to data that looks encrypted, some buffer, and a number. Obviously, after the call the decrypted string will be in the buffer, since the buffer is then passed to FindClass, which takes the class name as its second parameter. So the number is the buffer size or the string length. Let's try to decrypt the class name; it should tell us whether we are going in the right direction. Let's see what happens inside sub_73E24.

    int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
    {
        int v4; // r6
        int v7; // r11
        int v8; // r9
        int v9; // r4
        size_t v10; // r5
        int v11; // r0
        struc_1 v13; // [sp+0h] [bp-30h]
        int v14; // [sp+1Ch] [bp-14h]
        int v15; // [sp+20h] [bp-10h]

        v4 = 0;
        v15 = *(_DWORD *)off_8AC00;
        v14 = 0;
        v7 = sub_7AF78(17);
        v8 = sub_7AF78(size);
        if ( !v7 )
        {
            v9 = 0;
            goto LABEL_12;
        }
        (*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
        if ( !v8 )
        {
    LABEL_9:
            v4 = 0;
            goto LABEL_10;
        }
        v4 = 0;
        if ( !in )
        {
    LABEL_10:
            v9 = 0;
            goto LABEL_11;
        }
        v9 = 0;
        if ( out )
        {
            memset(out, 0, size);
            v10 = size - 1;
            (*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
            memset(&v13, 0, 0x14u);
            v13.field_4 = 3;
            v13.field_10 = v7;
            v13.field_14 = v8;
            v11 = sub_6115C(&v13, &v14);
            v9 = v11;
            if ( v11 )
            {
                if ( *(_DWORD *)(v11 + 4) == v10 )
                {
                    qmemcpy(out, *(const void **)v11, v10);
                    v4 = *(_DWORD *)(v9 + 4);
                }
                else
                {
                    v4 = 0;
                }
                goto LABEL_11;
            }
            goto LABEL_9;
        }
    LABEL_11:
        sub_7B148(v7);
    LABEL_12:
        if ( v8 )
            sub_7B148(v8);
        if ( v9 )
            sub_7B148(v9);
        return v4;
    }

The function sub_7AF78 creates an instance of a container for byte arrays of the given size (we won't dwell on these containers in detail). Two such containers are created here: one holds the string "DcO/lcK+h?m3c*q@" (it's easy to guess that this is the key), the other holds the encrypted data. Then both objects are placed in some structure, which is passed to the function sub_6115C. Let's also note a field with the value 3 in this structure. Let's see what happens to this structure next.

    int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
    {
        int v3; // lr
        unsigned int v4; // r1
        int v5; // r0
        int v6; // r1
        int result; // r0
        int v8; // r0

        *a2 = 820000;
        if ( a1 )
        {
            v3 = a1->field_14;
            if ( v3 )
            {
                v4 = a1->field_4;
                if ( v4 < 0x19 )
                {
                    switch ( v4 )
                    {
                        case 0u:
                            v8 = sub_6419C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 3u:
                            v8 = sub_6364C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 0x10u:
                        case 0x11u:
                        case 0x12u:
                            v8 = sub_612F4(
                                   a1->field_0,
                                   v4,
                                   *(_QWORD *)&a1->field_8,
                                   *(_QWORD *)&a1->field_8 >> 32,
                                   a1->field_10,
                                   v3,
                                   a2);
                            goto LABEL_17;
                        case 0x14u:
                            v8 = sub_63A28(a1->field_0, v3);
                            goto LABEL_17;
                        case 0x15u:
                            sub_61A60(a1->field_0, v3, a2);
                            return result;
                        case 0x16u:
                            v8 = sub_62440(a1->field_14);
                            goto LABEL_17;
                        case 0x17u:
                            v8 = sub_6226C(a1->field_10, v3);
                            goto LABEL_17;
                        case 0x18u:
                            v8 = sub_63530(a1->field_14);
    LABEL_17:
                            v6 = 0;
                            if ( v8 )
                            {
                                *a2 = 0;
                                v6 = v8;
                            }
                            return v6;
                        default:
                            LOWORD(v5) = 28032;
                            goto LABEL_5;
                    }
                }
            }
        }
        LOWORD(v5) = -27504;
    LABEL_5:
        HIWORD(v5) = 13;
        v6 = 0;
        *a2 = v5;
        return v6;
    }

The switch parameter is the structure field that was assigned the value 3 earlier. Look at case 3: the function sub_6364C receives the parameters that were put into the structure in the previous function, i.e. the key and the encrypted data. If you look closely at sub_6364C, you can recognize the RC4 algorithm in it.

We have the algorithm and the key. Let's try to decrypt the class name. Here is what comes out: com/taobao/wireless/security/adapter/JNICLibrary. Great! We are on the right track.

Command tree

Now we need to find the RegisterNatives call, which will point us to the doCommandNative function. We look through the functions called from JNI_OnLoad and find it in sub_B7B0:
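For readers who want to reproduce the string decryption rather than take it on trust, here is RC4 with the key read out of sub_73E56, wrapped in the same in/out/size contract as sub_73E24. This is an added example, not code from the article or from the library: the page does not reproduce the bytes at unk_83EA6, so the ciphertext below is constructed here by encrypting the known class name with the same key (RC4 is symmetric), and the known RC4 test vector from the literature is included so the implementation itself can be checked independently of that.

```python
# Key string as found in sub_73E56 (the first container, length 16).
STRING_KEY = b"DcO/lcK+h?m3c*q@"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # keystream generation, XOR in
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(encrypted: bytes, size: int, key: bytes = STRING_KEY) -> str:
    """Mirror of the sub_73E24(in, out, size) contract: the output buffer holds
    `size` bytes, only size - 1 of them are decrypted (v10 = size - 1), and the
    last byte stays zero as the C string terminator."""
    n = size - 1
    if n <= 0 or len(encrypted) < n:
        raise ValueError("ciphertext shorter than size - 1")
    return rc4(key, encrypted[:n]).decode("ascii")


def buffer_size_for(plaintext: str) -> int:
    """The `size` a caller such as JNI_OnLoad passes for a given string."""
    return len(plaintext) + 1


# Constructed sample: what unk_83EA6 would hold if the page's result is right.
CLASS_NAME = "com/taobao/wireless/security/adapter/JNICLibrary"
ENCRYPTED_CLASS_NAME = rc4(STRING_KEY, CLASS_NAME.encode("ascii"))

if __name__ == "__main__":
    print(decrypt_string(ENCRYPTED_CLASS_NAME, 49))
```

A small consistency check that needs no ciphertext at all: the three size arguments visible on the page (49 for the class name, 0x10 for doCommandNative, 0x29 for the method signature) are each exactly one more than the length of the string later recovered, which is what the size - 1 in sub_73E56 predicts.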

    int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
    {
        char signature[41]; // [sp+7h] [bp-55h]
        char name[16]; // [sp+30h] [bp-2Ch]
        JNINativeMethod method; // [sp+40h] [bp-1Ch]
        int v8; // [sp+4Ch] [bp-10h]

        v8 = *(_DWORD *)off_8AC00;
        decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);// doCommandNative
        decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u);// (I[Ljava/lang/Object;)Ljava/lang/Object;
        method.name = name;
        method.signature = signature;
        method.fnPtr = sub_B69C;
        return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
    }

And indeed, a native method named doCommandNative is registered here. Now we know its address. Let's see what it does.

int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
{
    int v5; // r5
    struc_2 *a5; // r6
    int v9; // r1
    int v11; // [sp+Ch] [bp-14h]
    int v12; // [sp+10h] [bp-10h]

    v5 = 0;
    v12 = *(_DWORD *)off_8AC00;
    v11 = 0;
    a5 = (struc_2 *)malloc(0x14u);
    if ( a5 )
    {
        a5->field_0 = 0;
        a5->field_4 = 0;
        a5->field_8 = 0;
        a5->field_C = 0;
        v9 = command % 10000 / 100;
        a5->field_0 = command / 10000;
        a5->field_4 = v9;
        a5->field_8 = command % 100;
        a5->field_C = env;
        a5->field_10 = args;
        v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);
    }
    free(a5);
    if ( !v5 && v11 )
        sub_7CF34(env, v11, &byte_83ED7);
    return v5;
}

From the name you can guess that this is the entry point for all the functions the developers chose to move into the native library. We are interested in function number 10601.

You can see from the code that the command number yields three numbers: command/10000, command % 10000 / 100 and command % 10, that is, in our case, 1, 6 and 1. These three numbers, together with the JNIEnv pointer and the arguments passed to the function, are placed into a structure and passed on. Using the three numbers obtained (let's call them N1, N2 and N3), a command tree is built.

Schematically, the tree looks like this:

[figure: command tree]

The tree is populated dynamically inside JNI_OnLoad.
The three numbers encode a path in the tree. Each leaf of the tree holds the obfuscated address of the corresponding function. The key is in the parent node. Finding the place in the code where the function we need is added to the tree is not hard once you understand all the structures involved (we won't describe it, so as not to inflate an already large article).

More obfuscation

We have the address of the function that should decrypt the traffic: 0x5F1AC. But it is too early to celebrate: the UC Browser developers have prepared another surprise for us.

After the parameters are taken from the array built in the Java code, we arrive at the function at address 0x4D070. And here another kind of code obfuscation awaits us.

We load two indices into R7 and R4:


We move the first index into R11:


To fetch an address from the table, the index is used:


After the jump to the first address, the second index, held in R4, is used. There are 230 entries in the table.

What can be done about it? You can tell IDA that this is a switch: Edit -> Other -> Specify switch idiom.


The resulting code looks frightening. But, making your way through its jungle, you can spot a call to a function we already know, sub_6115C:


That was the switch whose case 3 performed decryption with the RC4 algorithm. In this case, the structure passed to the function is populated from the parameters passed to doCommandNative. Let's recall what we had there: magicInt with the value 16. We look at the corresponding case, and after several jumps we reach code in which the algorithm can be recognized.


It's AES!

The algorithm is identified; all that remains is to obtain its parameters: the mode, the key and, possibly, the initialization vector (whether one is present depends on the AES mode of operation). The structure holding them must be built somewhere before the call to sub_6115C, but that part of the code is heavily obfuscated, so the idea arises to patch the code so that all the parameters of the decryption function are dumped to a file.

Patch

So as not to write the whole patch in assembly by hand, you can open Android Studio, write a function there that takes the same input parameters as our decryption function and writes them to a file, and then copy-paste the code the compiler generates.

Our friends from the UC Browser team also took care of making it convenient to add code. Recall that at the beginning of each function there is junk code that can easily be replaced with anything else. Very convenient 🙂 However, at the beginning of the target function there is not enough room for the code that saves all the parameters to a file. I had to split it into pieces and use the junk blocks of neighboring functions. There were four pieces in total.

The first piece:


In the ARM architecture, the first four function parameters are passed in registers R0-R3; any remaining ones are passed on the stack. The LR register holds the return address. All of this has to be preserved so that the function still works after we dump its parameters. We also need to save every register we will use along the way, so we do PUSH.W {R0-R10,LR}. In R7 we obtain the address of the list of parameters passed to the function via the stack.

Using the fopen function, we open the file /data/local/tmp/aes in "ab" mode, i.e. for appending. In R0 we load the address of the file name, in R1 the address of the string denoting the mode. And here the junk code ends, so we move on to the next function. To keep it working, at its beginning we place a jump to the function's real code, skipping the junk, and in place of the junk we add the continuation of the patch.


Calling fopen.

The first three parameters of the aes function are of type int. Since we saved the registers onto the stack at the start, we can simply pass their stack addresses to the fwrite function.


Next come three structures, each holding a data size and a pointer to the data: the key, the initialization vector and the encrypted data.


Finally, we close the file, restore the registers and hand control over to the real aes function.
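As an added illustration of the dumper described above (not the authors' patch or UC Browser code), here is the kind of C function one would compile in Android Studio to obtain the assembly: it takes the three ints and the three size+pointer structures and appends them to the dump file. The structure layout, the record format and all names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Assumed shape of the three size+pointer structures the text describes. */
typedef struct {
    uint32_t size;
    const uint8_t *data;
} buf_t;

/* Serialise the six parameters of the decryption routine into `out`
 * (assumed record layout: three 32-bit ints, then size-prefixed key, IV
 * and ciphertext). Returns bytes written, or 0 if `out` is too small. */
size_t pack_aes_params(uint8_t *out, size_t cap,
                       int32_t p0, int32_t p1, int32_t p2,
                       const buf_t *key, const buf_t *iv, const buf_t *data)
{
    const buf_t *bufs[3] = { key, iv, data };
    size_t need = 3 * sizeof(int32_t);
    for (int i = 0; i < 3; i++)
        need += sizeof(uint32_t) + bufs[i]->size;
    if (need > cap)
        return 0;

    uint8_t *p = out;
    int32_t ints[3] = { p0, p1, p2 };
    memcpy(p, ints, sizeof ints);
    p += sizeof ints;
    for (int i = 0; i < 3; i++) {
        memcpy(p, &bufs[i]->size, sizeof(uint32_t));
        p += sizeof(uint32_t);
        memcpy(p, bufs[i]->data, bufs[i]->size);
        p += bufs[i]->size;
    }
    return (size_t)(p - out);
}

/* Append one record to the dump file, mirroring the fopen("ab")/fwrite
 * sequence of the patch. Returns bytes appended, 0 on any failure. */
size_t dump_aes_params(const char *path,
                       int32_t p0, int32_t p1, int32_t p2,
                       const buf_t *key, const buf_t *iv, const buf_t *data)
{
    uint8_t rec[4096];
    size_t n = pack_aes_params(rec, sizeof rec, p0, p1, p2, key, iv, data);
    if (n == 0) return 0;
    FILE *f = fopen(path, "ab");   /* "ab": append, binary */
    if (!f) return 0;
    size_t w = fwrite(rec, 1, n, f);
    fclose(f);
    return w == n ? n : 0;
}
```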

We build the APK with the patched library, sign it, push it to the device/emulator and launch it. We see that our dump is being created and a lot of data is written to it. The browser uses encryption for more than just traffic, and all of it goes through the function in question. But for some reason the data we need is not there, and the request we need does not show up in the traffic. So as not to wait until UC Browser deigns to make that request, let's take the encrypted server response captured earlier and patch the application once more: add decryption to the onCreate of the main Activity.

    const/16 v1, 0x62
    new-array v1, v1, [B
    fill-array-data v1, :encrypted_data
    const/16 v0, 0x1f
    invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B
    move-result-object v1
    array-length v2, v1
    invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
    move-result-object v2
    const-string v0, "ololo"
    invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

Build, sign, install, launch. We get a NullPointerException because the method returned null.

During further analysis of the code, a function turned up that parses some interesting strings: "META-INF/" and ".RSA". It looks like the application is verifying its own certificate. Or even deriving keys from it. I don't really want to dig into what happens with the certificate, so we will simply feed it the right one. Let's patch the encrypted string so that instead of "META-INF/" we get "BLABLINF/", create a directory with that name in the APK and put the squirrel browser's certificate there.

Build, sign, install, launch. Bingo! We have the key!

MitM

We obtained the key and an initialization vector equal to the key. Let's try to decrypt the server response in CBC mode.


We see the archive URL, something resembling an MD5, "extract_unzipsize" and a number. We check: the MD5 of the archive matches, and the size of the unpacked library matches. Let's try to patch this library and slip it to the browser. To show that our patched library has loaded, we will launch an Intent that creates an SMS with the text "PWNED!" We will substitute two server responses: puds.ucweb.com/upgrade/index.xhtml and the archive download. In the first we replace the MD5 (the size does not change after unpacking); in the second we serve the archive with the patched library.

The browser tries to download the archive several times and then reports an error. Evidently something is not to its liking. Analysis of this murky format revealed that the server also sends the size of the archive:


It is encoded in LEB128. After the patch, the size of the archive containing the library changed slightly, so the browser decided the archive had been downloaded incorrectly and, after several attempts, gave up with an error.
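An added example (not UC Browser's code) modelling the check just described: the expected archive length arrives as an unsigned LEB128 value alongside the MD5, and an archive whose length differs by even one byte is rejected. Note what this check does and does not give a defender: it catches corruption, but since the length and MD5 travel in the same unauthenticated response, it says nothing about whether that response itself is genuine. The decoder, encoder and field layout are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Decode an unsigned LEB128 integer from `in` (at most `len` bytes).
 * Returns the number of bytes consumed, or 0 on truncation/overflow. */
size_t uleb128_decode(const uint8_t *in, size_t len, uint64_t *value)
{
    uint64_t result = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t b = in[i];
        if (shift >= 64)                 /* more than 10 bytes: overflow */
            return 0;
        result |= (uint64_t)(b & 0x7f) << shift;
        shift += 7;
        if ((b & 0x80) == 0) {           /* high bit clear: last byte */
            *value = result;
            return i + 1;
        }
    }
    return 0;                            /* ran out of input mid-value */
}

/* Encode `value` as unsigned LEB128 into `out` (needs up to 10 bytes).
 * Returns the number of bytes written. */
size_t uleb128_encode(uint64_t value, uint8_t *out)
{
    size_t n = 0;
    do {
        uint8_t b = value & 0x7f;
        value >>= 7;
        if (value) b |= 0x80;            /* more bytes follow */
        out[n++] = b;
    } while (value);
    return n;
}

/* Model of the update check: the metadata carries the archive length as
 * LEB128, and the download is accepted only if its length matches exactly
 * and the MD5 matched. `md5_matches` stands in for the separate MD5 test. */
int archive_accepted(const uint8_t *size_field, size_t field_len,
                     size_t downloaded_len, int md5_matches)
{
    uint64_t expected;
    if (uleb128_decode(size_field, field_len, &expected) == 0)
        return 0;                        /* malformed size field */
    return md5_matches && expected == (uint64_t)downloaded_len;
}
```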

We correct the archive size... and, victory! 🙂 The result is in the video.

https://www.youtube.com/watch?v=Nfns7uH03J8

Conclusions and the developers' reaction

In the same way, attackers could use this insecure UC Browser feature to distribute and run malicious libraries. Such libraries would run in the browser's context and therefore receive all of its system permissions. The result: the ability to display phishing windows, as well as access to the working files of the orange Chinese squirrel, including logins, passwords and cookies stored in its database.

We contacted the UC Browser developers and told them about the problem we had found, tried to point out the vulnerability and its danger, but they did not discuss anything with us. Meanwhile, the browser kept flaunting its dangerous feature in plain sight. But once we disclosed the vulnerability publicly, it was no longer possible to ignore it as before. On March 27, a new version of UC Browser, 12.10.9.1193, was released, which contacts the server over HTTPS: puds.ucweb.com/upgrade/index.xhtml.

Moreover, after the "fix" and up to the time of writing this article, trying to open a PDF in the browser produced an error message reading "Oops, something went wrong!" No request to the server was made when attempting to open the PDF, but a request was made at browser startup, which hints that the ability to download executable code, in violation of Google Play rules, is still there.

Source: www.habr.com
