Looking for vulnerabilities in UC Browser


Introduction

At the end of March we reported that we had found a hidden capability in UC Browser to download and run unverified code. Today we will look in detail at how this download happens and how attackers could use it for their own purposes.

Some time ago, UC Browser was advertised and distributed very aggressively: it was installed on users' devices by malware, it was distributed from various sites under the guise of video files (that is, users thought they were downloading, for example, a porn video, but instead received an APK with this browser), and it used scary banners with messages saying that the browser was out of date, vulnerable, and so on. In the official UC Browser group on VK there is a thread where users can complain about unfair advertising, and there are plenty of examples there. In 2016 there was even video advertising in Russian (yes, advertising for a browser that blocks ads).

At the time of writing, UC Browser has more than 500 million installs on Google Play. This is impressive: only Google Chrome has more. Among the reviews you can see many complaints about advertising and about redirects to other applications on Google Play. This was the reason for our research: we decided to see whether UC Browser is doing something bad. And it turned out that it is!

In the application code we found the ability to download and run executable code, which violates the rules for publishing applications on Google Play. And not only does UC Browser download executable code, it does so in an insecure way that can be used to mount a MitM attack. Let's see whether we can carry out such an attack.

Everything written below applies to the UC Browser version that was on Google Play at the time of the study:

package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
sha1 of the APK file: f5edb2243413c777172f6362876041eb0c3a928c

Attack vector

In the UC Browser manifest you can find a service with the self-explanatory name com.uc.deployment.UpgradeDeployService.

    <service android:exported="false" android:name="com.uc.deployment.UpgradeDeployService" android:process=":deploy" />

When this service starts, the browser makes a POST request to puds.ucweb.com/upgrade/index.xhtml, which can be seen in the traffic some time after launch. In response it may receive a command to download some update or a new module. During the analysis the server did not issue such commands, but we noticed that when we try to open a PDF in the browser, it makes a second request to the address above, after which it downloads a native library. To carry out the attack we decided to use this feature of UC Browser: the ability to open a PDF using a native library that is not in the APK and that the browser downloads from the Internet when needed. It is worth noting that, in theory, UC Browser can be made to download something without any user interaction, if you supply a correctly formed response to the request made right after the browser starts. But for that we would need to study the protocol of interaction with the server in more detail, so we decided it would be easier to modify an intercepted response and substitute the library for working with PDF.

So, when a user wants to open a PDF directly in the browser, the following requests can be seen in the traffic:


First there is a POST request to puds.ucweb.com/upgrade/index.xhtml, then an archive with the library for viewing PDF and office formats is downloaded. It is logical to assume that the first request passes information about the system (at least the architecture, so that the right library can be supplied), and in response the browser receives information about the library that has to be downloaded: its address and, possibly, something else. The problem is that this request is encrypted.

Request fragment

Response fragment



The library itself is packed in a ZIP and is not signed.


Looking for the traffic decryption code

Let's try to decrypt the server's response. Let's look at the code of the class com.uc.deployment.UpgradeDeployService: from the onStartCommand method we get to com.uc.deployment.bx, and from there to com.uc.browser.core.dcfe:

    public final void e(l arg9) {
        int v4_5;
        String v3_1;
        byte[] v3;
        byte[] v1 = null;
        if(arg9 == null) {
            v3 = v1;
        }
        else {
            v3_1 = arg9.iGX.ipR;
            StringBuilder v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]product:");
            v4.append(arg9.iGX.ipR);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]version:");
            v4.append(arg9.iGX.iEn);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]upgrade_type:");
            v4.append(arg9.iGX.mMode);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]force_flag:");
            v4.append(arg9.iGX.iEo);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_mode:");
            v4.append(arg9.iGX.iDQ);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_type:");
            v4.append(arg9.iGX.iEr);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_state:");
            v4.append(arg9.iGX.iEp);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_file:");
            v4.append(arg9.iGX.iEq);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apk_md5:");
            v4.append(arg9.iGX.iEl);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_type:");
            v4.append(arg9.mDownloadType);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_group:");
            v4.append(arg9.mDownloadGroup);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_path:");
            v4.append(arg9.iGH);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_child_version:");
            v4.append(arg9.iGX.iEx);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_series:");
            v4.append(arg9.iGX.iEw);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_arch:");
            v4.append(arg9.iGX.iEt);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp3:");
            v4.append(arg9.iGX.iEv);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp:");
            v4.append(arg9.iGX.iEu);
            ArrayList v3_2 = arg9.iGX.iEz;
            if(v3_2 != null && v3_2.size() != 0) {
                Iterator v3_3 = v3_2.iterator();
                while(v3_3.hasNext()) {
                    Object v4_1 = v3_3.next();
                    StringBuilder v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_name:");
                    v5.append(((au)v4_1).getName());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_name:");
                    v5.append(((au)v4_1).aDA());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_code:");
                    v5.append(((au)v4_1).gBl);
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_req_type:");
                    v5.append(((au)v4_1).gBq);
                }
            }
            j v3_4 = new j();
            m.b(v3_4);
            h v4_2 = new h();
            m.b(v4_2);
            ay v5_1 = new ay();
            v3_4.hS("");
            v3_4.setImsi("");
            v3_4.hV("");
            v5_1.bPQ = v3_4;
            v5_1.bPP = v4_2;
            v5_1.yr(arg9.iGX.ipR);
            v5_1.gBF = arg9.iGX.mMode;
            v5_1.gBI = arg9.iGX.iEz;
            v3_2 = v5_1.gAr;
            c.aBh();
            v3_2.add(g.fs("os_ver", c.getRomInfo()));
            v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
            v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
            String v4_3 = com.uc.b.a.a.c.Pd();
            v3_2.add(g.fs("cpu_vfp", v4_3));
            v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
            v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
            v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
            v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
            v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
            v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
            v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
            v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
            v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
            v3_2.add(g.fs("child_ver", r.aVw()));
            v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));
            v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature()));
            v3_2.add(g.fs("upgrade_log", i.bjt()));
            v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
            v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
            v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
            v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
            v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
            v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
            boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
            v3_2.add(g.fs("neon", String.valueOf(v4_4)));
            v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
            v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
            v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
            c.aBh();
            v3_2.add(g.fs("rom_1", c.getRomInfo()));
            v4_5 = e.getScreenWidth();
            int v6 = e.getScreenHeight();
            StringBuilder v7 = new StringBuilder();
            v7.append(v4_5);
            v7.append("*");
            v7.append(v6);
            v3_2.add(g.fs("ss", v7.toString()));
            v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
            v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));
            Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
            while(v4_6.hasNext()) {
                Object v6_1 = v4_6.next();
                v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
            }
            v3 = v5_1.toByteArray();
        }
        if(v3 == null) {
            this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
            return;
        }
        v4_5 = this.iGY.iGw ? 0x1F : 0;
        if(v3 == null) {
        }
        else {
            v3 = g.i(v4_5, v3);
            if(v3 == null) {
            }
            else {
                v1 = new byte[v3.length + 16];
                byte[] v6_2 = new byte[16];
                Arrays.fill(v6_2, 0);
                v6_2[0] = 0x5F;
                v6_2[1] = 0;
                v6_2[2] = ((byte)v4_5);
                v6_2[3] = -50;
                System.arraycopy(v6_2, 0, v1, 0, 16);
                System.arraycopy(v3, 0, v1, 16, v3.length);
            }
        }
        if(v1 == null) {
            this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
            return;
        }
        if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
            this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
            return;
        }
        StringBuilder v0 = new StringBuilder("[");
        v0.append(arg9.iGX.ipR);
        v0.append("]url:");
        v0.append(this.iGY.mUpgradeUrl);
        com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
        v3_1 = this.iGY.mUpgradeUrl;
        com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
        v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
        n v3_5 = v0_2.uc(v3_1);
        m.b(v3_5, false);
        v3_5.setMethod("POST");
        v3_5.setBodyProvider(v1);
        v0_2.b(v3_5);
        this.iGY.iGI.a(arg9, "up_null", "yes", "success");
        this.iGY.iGI.b(arg9);
    }

Here we see the POST request being built. Note the creation of a 16-byte array and how it is filled: 0x5F, 0, 0x1F, -50 (= 0xCE). This matches what we saw in the request above.

In the same class there is a nested class with another interesting method:

        public final void a(l arg10, byte[] arg11) {
            f v0 = this.iGQ;
            StringBuilder v1 = new StringBuilder("[");
            v1.append(arg10.iGX.ipR);
            v1.append("]:UpgradeSuccess");
            byte[] v1_1 = null;
            if(arg11 == null) {
            }
            else if(arg11.length < 16) {
            }
            else {
                if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
                    goto label_57;
                }
                int v3 = 1;
                int v5 = arg11[1] == 1 ? 1 : 0;
                if(arg11[2] != 1 && arg11[2] != 11) {
                    if(arg11[2] == 0x1F) {
                    }
                    else {
                        v3 = 0;
                    }
                }
                byte[] v7 = new byte[arg11.length - 16];
                System.arraycopy(arg11, 16, v7, 0, v7.length);
                if(v3 != 0) {
                    v7 = g.j(arg11[2], v7);
                }
                if(v7 == null) {
                    goto label_57;
                }
                if(v5 != 0) {
                    v1_1 = g.P(v7);
                    goto label_57;
                }
                v1_1 = v7;
            }
        label_57:
            if(v1_1 == null) {
                v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
                return;
            }
            q v11 = g.b(arg10, v1_1);
            if(v11 == null) {
                v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
                return;
            }
            if(v0.iGY.iGt) {
                v0.d(arg10);
            }
            if(v0.iGY.iGo != null) {
                v0.iGY.iGo.a(0, ((o)v11));
            }
            if(v0.iGY.iGs) {
                v0.iGY.a(((o)v11));
                v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
                v0.iGY.iGI.a(v11);
                return;
            }
            v0.iGY.iGI.a(v11, "up_silent", "no", "success");
        }
    }

The method takes a byte array as input and checks that the zero byte is 0x60 or the third byte is 0xD0, and that the second byte is 1, 11 or 0x1F. Let's look at the server's response: the zero byte is 0x60, the second is 0x1F, the third is 0x60. Looks like what we need. Judging by the strings ("up_decrypt", for example), the method called here should decrypt the server's response.
Let's move on to the method g.j. Note that its first argument is the byte at offset 2 (0x1F in our case), and the second is the server's response without the first 16 bytes.

    public static byte[] j(int arg1, byte[] arg2) {
        if(arg1 == 1) {
            arg2 = c.c(arg2, c.adu);
        }
        else if(arg1 == 11) {
            arg2 = m.aF(arg2);
        }
        else if(arg1 != 0x1F) {
        }
        else {
            arg2 = EncryptHelper.decrypt(arg2);
        }
        return arg2;
    }

Obviously, the decryption algorithm is selected here, and the byte that equals 0x1F in our case picks one of three possible options.

We continue analysing the code. After a couple of jumps we end up in a method with the self-explanatory name decryptBytesByKey.

Here two more bytes are split off from our response, and a string is obtained from them. Clearly this is how the key for decrypting the message is selected.

    private static byte[] decryptBytesByKey(byte[] bytes) {
        byte[] v0 = null;
        if(bytes != null) {
            try {
                if(bytes.length < EncryptHelper.PREFIX_BYTES_SIZE) {
                }
                else if(bytes.length == EncryptHelper.PREFIX_BYTES_SIZE) {
                    return v0;
                }
                else {
                    byte[] prefix = new byte[EncryptHelper.PREFIX_BYTES_SIZE];  // 2 bytes
                    System.arraycopy(bytes, 0, prefix, 0, prefix.length);
                    String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort()); // key selection
                    if(keyId == null) {
                        return v0;
                    }
                    else {
                        a v2 = EncryptHelper.ayL();
                        if(v2 == null) {
                            return v0;
                        }
                        else {
                            byte[] enrypted = new byte[bytes.length - EncryptHelper.PREFIX_BYTES_SIZE];
                            System.arraycopy(bytes, EncryptHelper.PREFIX_BYTES_SIZE, enrypted, 0, enrypted.length);
                            return v2.l(keyId, enrypted);
                        }
                    }
                }
            }
            catch(SecException v7_1) {
                EncryptHelper.handleDecryptException(((Throwable)v7_1), v7_1.getErrorCode());
                return v0;
            }
            catch(Throwable v7) {
                EncryptHelper.handleDecryptException(v7, 2);
                return v0;
            }
        }
        return v0;
    }

Looking ahead, we note that at this stage we have not yet obtained the key, only its "identifier". Obtaining the key is somewhat more complicated.
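The framing that the request builder, the response handler and decryptBytesByKey above agree on, reconstructed as a small parser. This is an added example written for this page, not UC Browser code; the function and field names are ours, and it deliberately stops at the point the analysis has reached so far: it splits off the 16-byte header, reports which g.j branch the selector byte would pick, and extracts the 2-byte key identifier, but does no decryption, because the key is still unknown here. The sample response bytes are constructed, not captured traffic.

```python
"""Framing around UC Browser's upgrade traffic, rebuilt from the decompiled
Java above (added example, not UC Browser code)."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

HEADER_LEN = 16
PREFIX_BYTES_SIZE = 2                    # EncryptHelper.PREFIX_BYTES_SIZE ("2 bytes" in the listing)
REQ_MAGIC = (0x5F, 0xCE)                 # bytes 0 and 3 written by the request builder (-50 == 0xCE)
RESP_MAGIC = (0x60, 0xD0)                # bytes 0 and 3 tested by the handler (0xFFFFFFD0 is -48 sign-extended)
DECRYPTORS = {1: "c.c(.., c.adu)", 11: "m.aF", 0x1F: "EncryptHelper.decrypt"}  # the three g.j branches


@dataclass
class ResponseFrame:
    flag_byte_set: bool        # arg11[1] == 1 selects the extra g.P post-processing step
    algorithm: int             # arg11[2], handed to g.j as the selector
    decryptor: Optional[str]   # g.j branch for this selector, None when the body is passed through
    body: bytes                # everything after the 16-byte header


def build_request_frame(body: bytes, algorithm: int) -> bytes:
    """Request side: 16-byte header (0x5F, 0, algorithm, 0xCE, zero padding)
    followed by the already-encrypted body (g.i's output, which is not modelled)."""
    header = bytearray(HEADER_LEN)
    header[0], header[1], header[2], header[3] = REQ_MAGIC[0], 0, algorithm & 0xFF, REQ_MAGIC[1]
    return bytes(header) + body


def parse_response_frame(data: bytes) -> Optional[ResponseFrame]:
    """Response side, mirroring method a(): None exactly where the Java code
    reaches label_57 with v1_1 == null (the "up_decrypt ... fail" path)."""
    if len(data) < HEADER_LEN:
        return None
    # The original uses &&: the frame is rejected only when BOTH magic bytes
    # mismatch, so one matching byte is enough to get past this check.
    if data[0] != RESP_MAGIC[0] and data[3] != RESP_MAGIC[1]:
        return None
    algorithm = data[2]
    return ResponseFrame(
        flag_byte_set=(data[1] == 1),
        algorithm=algorithm,
        decryptor=DECRYPTORS.get(algorithm),   # unknown selector -> v3 = 0 -> body used as-is
        body=data[HEADER_LEN:],
    )


def split_key_id(body: bytes) -> Optional[Tuple[int, bytes]]:
    """decryptBytesByKey: a big-endian signed short (ByteBuffer.getShort) names
    the key; a body that is shorter than, or exactly, the prefix yields null."""
    if len(body) <= PREFIX_BYTES_SIZE:
        return None
    (key_id,) = struct.unpack(">h", body[:PREFIX_BYTES_SIZE])
    return key_id, body[PREFIX_BYTES_SIZE:]


def describe_response(data: bytes) -> Optional[dict]:
    """One-shot summary of a captured response body, e.g. for logging."""
    frame = parse_response_frame(data)
    if frame is None:
        return None
    summary = {"algorithm": frame.algorithm, "decryptor": frame.decryptor,
               "flag": frame.flag_byte_set, "key_id": None, "ciphertext_len": len(frame.body)}
    if frame.algorithm == 0x1F:            # only this branch carries the key-id prefix
        split = split_key_id(frame.body)
        if split is not None:
            summary["key_id"], cipher = split
            summary["ciphertext_len"] = len(cipher)
    return summary


# Constructed sample (not captured traffic): selector 0x1F, key id 7, dummy body.
SAMPLE_RESPONSE = (bytes([0x60, 0x00, 0x1F, 0xD0]) + bytes(12)
                   + struct.pack(">h", 7) + b"\x11\x22\x33\x44\x55")

if __name__ == "__main__":
    print(describe_response(SAMPLE_RESPONSE))
```

The weak header check is worth keeping in mind when writing a detection rule for this traffic: matching only on byte 0 being 0x60 would miss frames the client itself accepts on the strength of byte 3 alone.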

In the next method, two more parameters are added to the existing ones, making four in total: the magic number 16, the key identifier, the encrypted data, and an obscure string (empty in our case).

    public final byte[] l(String keyId, byte[] encrypted) throws SecException {
        return this.ayJ().staticBinarySafeDecryptNoB64(16, keyId, encrypted, "");
    }

After a series of transitions we arrive at the method staticBinarySafeDecryptNoB64 of the interface com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponent. There are no classes in the main application code that implement this interface. There is such a class in the file lib/armeabi-v7a/libsgmain.so, which is actually not a .so but a .jar. The method we are interested in is implemented as follows:

    package com.alibaba.wireless.security.a.i;
    // ...
    public class a implements IStaticDataEncryptComponent {
        private ISecurityGuardPlugin a;
        // ...
        private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
            return this.a.getRouter().doCommand(10601, new Object[]{Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt), keyId, encrypted, magicString});
        }
        // ...
        private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
            return this.a(2, magicInt, 0, keyId, encrypted, magicString);
        }
        // ...
        public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
            if(keyId != null && keyId.length() > 0 && magicInt >= 0 && magicInt < 19 && encrypted != null && encrypted.length > 0) {
                return this.b(magicInt, keyId, encrypted, magicString);
            }
            throw new SecException("", 301);
        }
        //...
    }

Here our list of parameters is extended with two more numbers: 2 and 0. By all appearances, 2 means decryption, as in the doFinal method of the system class javax.crypto.Cipher. And all of this is passed to some Router with the number 10601; obviously this is a command number.

After the next chain of transitions we find a class implementing the IRouterComponent interface and the doCommand method:

    package com.alibaba.wireless.security.mainplugin;
    import com.alibaba.wireless.security.framework.IRouterComponent;
    import com.taobao.wireless.security.adapter.JNICLibrary;
    public class a implements IRouterComponent {
        public a() {
            super();
        }
        public Object doCommand(int arg2, Object[] arg3) {
            return JNICLibrary.doCommandNative(arg2, arg3);
        }
    }

And also the class JNICLibrary, in which the native method doCommandNative is declared:

    package com.taobao.wireless.security.adapter;
    public class JNICLibrary {
        public static native Object doCommandNative(int arg0, Object[] arg1);
    }

This means we need to find the doCommandNative method in native code. And this is where the fun begins.

Machine code obfuscation

In the file libsgmain.so (which is actually a .jar, and in which we found the implementation of some encryption-related interfaces above) there is one native library: libsgmainso-6.4.36.so. We open it in IDA and get a bunch of dialog boxes with errors. The problem is that the section header table is invalid. This is done deliberately to make analysis harder.


But it is not needed: to load an ELF file correctly and analyse it, the program header table is enough. So we simply remove the section table, zeroing out the corresponding fields in the header.


Open the file in IDA again.

There are two ways to tell the Java virtual machine where exactly in a native library the implementation of a method declared as native in Java code is located. The first is to give it a name of the form Java_package_name_ClassName_MethodName.

The second is to register it when the library is loaded (in the JNI_OnLoad function) using a call to the RegisterNatives function.

In our case, if the first method were used, the name would have to be: Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative.

There is no such function among the exported functions, which means we need to look for a call to RegisterNatives.
Let's go to the JNI_OnLoad function and see this picture:


What is going on here? At first glance, the beginning and end of the function are typical for the ARM architecture. The first instruction saves on the stack the contents of the registers the function will use (in this case R0, R1 and R2), as well as the contents of the LR register, which holds the return address. The last instruction restores the saved registers, and the return address is placed directly into the PC register, which is how the function returns. But if you look closely, you will notice that the penultimate instruction changes the return address saved on the stack. Let's calculate what it will be after the code executes. The address 0xB130 is loaded into R1, 5 is subtracted from it, then it is moved to R0 and 0x10 is added to it. The result is 0xB13B. So IDA thinks the last instruction is an ordinary return from the function, but in fact it is a jump to the computed address 0xB13B.

It is important to remember here that ARM processors have two modes and two instruction sets: ARM and Thumb. The least significant bit of the address tells the processor which instruction set is in use. In other words, the address is actually 0xB13A, and the set least significant bit indicates Thumb mode.

A similar "adapter", plus junk code, has been added to the beginning of every function in this library. We will not dwell on them in detail; just remember that the real beginning of almost every function is a little further on.

Since the code does not jump explicitly to 0xB13A, IDA itself did not recognise that there is code at this location. For the same reason it does not recognise most of the code in the library as code, which makes analysis somewhat harder. We tell IDA that this is code, and this is what we get:


The table clearly starts at 0xB144. What is in sub_494C?


When this function is called, LR receives the address of the table mentioned earlier (0xB144). R0 holds the index into this table. That is, a value is taken from the table, added to LR, and the result is the address to jump to. Let's try to calculate it: 0xB144 + [0xB144 + 8 * 4] = 0xB144 + 0x120 = 0xB264. We go to the resulting address, see a few useful instructions, and then a jump to 0xB140 again:


Now there will be a jump through the table with index 0x20.

Judging by the size of the table, there will be many such jumps in the code. The question is whether this can be handled automatically, without calculating addresses by hand. Scripting and the ability to patch code in IDA come to the rescue:

    # IDAPython (IDA 7.x API). Run with the cursor on the PUSH {R0,R1,LR} that
    # opens the table-jump construction; it replaces the construction with a
    # direct Thumb branch to the resolved target.
    def put_unconditional_branch(source, destination):
        # Encode an unconditional Thumb branch from source to destination:
        # 16-bit B when the halfword offset fits, otherwise 32-bit B.W
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 2
        if get_wide_word(ea1) == 0xbf00:  # NOP
            ea1 += 2
        # expect MOVS R0, <index literal>: operand 0 is register R0, operand 1 a memory reference
        if get_operand_type(ea1, 0) == 1 and get_operand_value(ea1, 0) == 0 and get_operand_type(ea1, 1) == 2:
            index = get_wide_dword(get_operand_value(ea1, 1))
            print("index =", hex(index))
            ea1 += 2
            # the next instruction references the table (BL to sub_494C or a literal load)
            if get_operand_type(ea1, 0) == 7:
                table = get_operand_value(ea1, 0) + 4
            elif get_operand_type(ea1, 1) == 2:
                table = get_operand_value(ea1, 1) + 4
            else:
                print("Wrong operand type on", hex(ea1), "-", get_operand_type(ea1, 0), get_operand_type(ea1, 1))
                table = None
            if table is None:
                print("Unable to find table")
            else:
                print("table =", hex(table))
                # target = table + table[index], exactly as sub_494C computes it
                offset = get_wide_dword(table + (index << 2))
                put_unconditional_branch(ea, table + offset)
        else:
            print("Unknown code", get_operand_type(ea1, 0), get_operand_value(ea1, 0), get_operand_type(ea1, 1) == 2)
    else:
        print("Unable to detect first instruction")

Place the cursor on the line at 0xB26A, run the script, and we see the jump to 0xB4B0:


Again IDA did not recognise this place as code. We help it and see another construction there:


The instructions after BLX do not look particularly meaningful; they look more like some kind of relocation. Let's look at sub_4964:


And indeed, here a dword is read at the address in LR and added to that address, after which the value at the resulting address is read and placed on the stack. LR is also increased by 4, so that after returning from the function this offset is skipped. Then the POP {R1} instruction takes the resulting value from the stack. If you look at what is located at address 0xB4BA + 0xEA = 0xB5A4, you will see something that looks like an address table:


To patch this construction, two parameters have to be taken from the code: the offset and the number of the register the result is to be placed in. For each possible register a piece of code has to be prepared in advance.

    # IDAPython (IDA 7.x API). Run with the cursor on the SUB SP, SP, #8 that
    # opens the construction; replaces it with a literal load into the register
    # that the trailing POP targets.
    # Pre-assembled replacements, one per destination register:
    #   R0-R5:  NOP; LDR Rn, [PC, #4]; LDR Rn, [Rn]; B +4   (8 bytes, literal follows)
    #   R8-R11: NOP; LDR.W Rn, [PC, #6]; LDR.W Rn, [Rn]; B +2 (12 bytes, literal follows)
    patches = {}
    patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
    patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
    patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
    patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
    patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
    patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
    patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
    patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
    patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
    patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

    ea = here()
    if (get_wide_word(ea) == 0xb082  # SUB SP, SP, #8
            and get_wide_word(ea + 2) == 0xb503):  # PUSH {R0,R1,LR}
        if get_operand_type(ea + 4, 0) == 7:  # BLX sub_4964
            # the POP that receives the result sits 12 bytes in; slices keep the
            # comparisons valid for both str (Python 2) and bytes (Python 3)
            pop = get_bytes(ea + 12, 4, 0)
            if pop[1:2] == b'\xbc':  # 16-bit POP {Rn}, Rn in R0-R7 (register bitmask in byte 0)
                register = -1
                r = get_wide_byte(ea + 12)
                for i in range(8):
                    if r == (1 << i):
                        register = i
                        break
                if register == -1:
                    print("Unable to detect register")
                else:
                    # offset dword follows the BLX at ea + 8, relative to its own address
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    if ea % 4 != 0:  # the LDR literal must be 4-byte aligned
                        ea += 2
                    patch_dword(ea, address)
            elif pop[:3] == b'\x5d\xf8\x04':  # 32-bit POP.W {Rn}: LDR.W Rn, [SP], #4
                register = ord(pop[3:4]) >> 4
                if register in patches:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    patch_dword(ea, address)
            else:
                print("POP instruction not found")
        else:
            print("Wrong operand type on +4:", get_operand_type(ea + 4, 0))
    else:
        print("Unable to detect first instructions")

We place the cursor at the beginning of the construction we want to replace, 0xB4B2, and run the script:


Besides the constructions already mentioned, the code also contains the following:


As in the previous case, an offset follows the BLX instruction:


We take the offset at the address in LR, add it to LR, and jump there: 0x72044 + 0xC = 0x72050. The script for this construction is quite simple:

    # IDAPython (IDA 7.x API). Run with the cursor on the PUSH {R0,R1,LR};
    # the offset dword that follows the BLX is added to its own address and
    # the whole construction is replaced with a direct branch there.
    def put_unconditional_branch(source, destination):
        # Encode an unconditional Thumb branch from source to destination:
        # 16-bit B when the halfword offset fits, otherwise 32-bit B.W
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 6  # PUSH (2) + BLX (4): the offset dword lives here
        if get_wide_word(ea + 2) == 0xbf00:  # NOP shifts everything by 2
            ea1 += 2
        offset = get_wide_dword(ea1)
        put_unconditional_branch(ea, (ea1 + offset) & 0xffffffff)
    else:
        print("Unable to detect first instruction")

The result of running the script:


Once everything in a function has been patched, you can point IDA at its real beginning. It will assemble the whole function piece by piece, and the function can then be decompiled with HexRays.

Decrypting strings

We have learned to deal with the machine code obfuscation in the libsgmainso-6.4.36.so library from UC Browser and obtained the code of the JNI_OnLoad function.

    int __fastcall real_JNI_OnLoad(JavaVM *vm)
    {
        int result; // r0
        jclass clazz; // r0 MAPDST
        int v4; // r0
        JNIEnv *env; // r4
        int v6; // [sp-40h] [bp-5Ch]
        int v7; // [sp+Ch] [bp-10h]
        v7 = *(_DWORD *)off_8AC00;
        if ( !vm )
            goto LABEL_39;
        sub_7C4F4();
        env = (JNIEnv *)sub_7C5B0(0);
        if ( !env )
            goto LABEL_39;
        v4 = sub_72CCC();
        sub_73634(v4);
        sub_73E24(&unk_83EA6, &v6, 49);
        clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
        if ( clazz
          && (sub_9EE4(),
              sub_71D68(env),
              sub_E7DC(env) >= 0
              && sub_69D68(env) >= 0
              && sub_197B4(env, clazz) >= 0
              && sub_E240(env, clazz) >= 0
              && sub_B8B0(env, clazz) >= 0
              && sub_5F0F4(env, clazz) >= 0
              && sub_70640(env, clazz) >= 0
              && sub_11F3C(env) >= 0
              && sub_21C3C(env, clazz) >= 0
              && sub_2148C(env, clazz) >= 0
              && sub_210E0(env, clazz) >= 0
              && sub_41B58(env, clazz) >= 0
              && sub_27920(env, clazz) >= 0
              && sub_293E8(env, clazz) >= 0
              && sub_208F4(env, clazz) >= 0) )
        {
            result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
        }
        else
        {
    LABEL_39:
            result = -1;
        }
        return result;
    }

Let's take a closer look at the following lines:

    sub_73E24(&unk_83EA6, &v6, 49);
    clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);

The function sub_73E24 obviously decrypts the class name. Its parameters are a pointer to something that looks like encrypted data, some buffer, and a number. Clearly the decrypted string ends up in the buffer after the call, because the buffer is then passed to the FindClass function, which takes the class name as its second parameter. So the number is the size of the buffer or the length of the string. Let's try to decrypt the class name; it should tell us whether we are going in the right direction. Let's look more closely at what happens in sub_73E24.

    int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
    {
        int v4; // r6
        int v7; // r11
        int v8; // r9
        int v9; // r4
        size_t v10; // r5
        int v11; // r0
        struc_1 v13; // [sp+0h] [bp-30h]
        int v14; // [sp+1Ch] [bp-14h]
        int v15; // [sp+20h] [bp-10h]
        v4 = 0;
        v15 = *(_DWORD *)off_8AC00;
        v14 = 0;
        v7 = sub_7AF78(17);
        v8 = sub_7AF78(size);
        if ( !v7 )
        {
            v9 = 0;
            goto LABEL_12;
        }
        (*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
        if ( !v8 )
        {
    LABEL_9:
            v4 = 0;
            goto LABEL_10;
        }
        v4 = 0;
        if ( !in )
        {
    LABEL_10:
            v9 = 0;
            goto LABEL_11;
        }
        v9 = 0;
        if ( out )
        {
            memset(out, 0, size);
            v10 = size - 1;
            (*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
            memset(&v13, 0, 0x14u);
            v13.field_4 = 3;
            v13.field_10 = v7;
            v13.field_14 = v8;
            v11 = sub_6115C(&v13, &v14);
            v9 = v11;
            if ( v11 )
            {
                if ( *(_DWORD *)(v11 + 4) == v10 )
                {
                    qmemcpy(out, *(const void **)v11, v10);
                    v4 = *(_DWORD *)(v9 + 4);
                }
                else
                {
                    v4 = 0;
                }
                goto LABEL_11;
            }
            goto LABEL_9;
        }
    LABEL_11:
        sub_7B148(v7);
    LABEL_12:
        if ( v8 )
            sub_7B148(v8);
        if ( v9 )
            sub_7B148(v9);
        return v4;
    }

The function sub_7AF78 creates an instance of a container for byte arrays of the given size (we will not dwell on these containers in detail). Two such containers are created here: one holds the string "DcO/lcK+h?m3c*q@" (it is easy to guess that this is the key), the other holds the encrypted data. Then both objects are placed in a structure that is passed to the function sub_6115C. Note also the field with the value 3 in this structure.

    int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
    {
        int v3; // lr
        unsigned int v4; // r1
        int v5; // r0
        int v6; // r1
        int result; // r0
        int v8; // r0
        *a2 = 820000;
        if ( a1 )
        {
            v3 = a1->field_14;
            if ( v3 )
            {
                v4 = a1->field_4;
                if ( v4 < 0x19 )
                {
                    switch ( v4 )
                    {
                        case 0u:
                            v8 = sub_6419C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 3u:
                            v8 = sub_6364C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 0x10u:
                        case 0x11u:
                        case 0x12u:
                            v8 = sub_612F4(
                                   a1->field_0,
                                   v4,
                                   *(_QWORD *)&a1->field_8,
                                   *(_QWORD *)&a1->field_8 >> 32,
                                   a1->field_10,
                                   v3,
                                   a2);
                            goto LABEL_17;
                        case 0x14u:
                            v8 = sub_63A28(a1->field_0, v3);
                            goto LABEL_17;
                        case 0x15u:
                            sub_61A60(a1->field_0, v3, a2);
                            return result;
                        case 0x16u:
                            v8 = sub_62440(a1->field_14);
                            goto LABEL_17;
                        case 0x17u:
                            v8 = sub_6226C(a1->field_10, v3);
                            goto LABEL_17;
                        case 0x18u:
                            v8 = sub_63530(a1->field_14);
    LABEL_17:
                            v6 = 0;
                            if ( v8 )
                            {
                                *a2 = 0;
                                v6 = v8;
                            }
                            return v6;
                        default:
                            LOWORD(v5) = 28032;
                            goto LABEL_5;
                    }
                }
            }
        }
        LOWORD(v5) = -27504;
    LABEL_5:
        HIWORD(v5) = 13;
        v6 = 0;
        *a2 = v5;
        return v6;
    }

The switch variable is the structure field that was assigned the value 3 earlier. Look at case 3: the parameters passed to the function sub_6364C come from the structure filled in by the previous function, that is, the key and the encrypted data. If you look closely at sub_6364C, you can recognise the RC4 algorithm in it.

We have the algorithm and the key. Let's try to decrypt the class name. Here is what we got: com/taobao/wireless/security/adapter/JNICLibrary. Great! We are on the right track.
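The decryption step just described, as an added example written for this page (not the library's code): a plain RC4 implementation keyed with the string found in sub_73E24, wrapped in a helper that follows sub_73E24's calling convention, where the size argument (49 here) counts the terminating NUL, so size - 1 bytes are decrypted. The post does not print the raw bytes of unk_83EA6, so the ciphertext below is constructed by encrypting the class name with the same key; the RC4 routine itself is checked against the standard "Key"/"Plaintext" test vector.

```python
"""RC4 string decryption with the key from sub_73E24 (added example)."""

KEY = b"DcO/lcK+h?m3c*q@"          # 16-byte key string loaded into the first container
CLASS_NAME = b"com/taobao/wireless/security/adapter/JNICLibrary"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XORed with data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string(blob: bytes, out_size: int, key: bytes = KEY) -> str:
    """Mirror sub_73E24's contract: out_size is the buffer size including the
    NUL terminator, so out_size - 1 bytes of ciphertext are decrypted."""
    if out_size < 2 or len(blob) < out_size - 1:
        raise ValueError("buffer size does not match the ciphertext")
    return rc4(key, blob[:out_size - 1]).decode("ascii")


# Constructed ciphertext: the post's class name encrypted with the post's key.
ENCRYPTED_CLASS_NAME = rc4(KEY, CLASS_NAME)

if __name__ == "__main__":
    print(decrypt_string(ENCRYPTED_CLASS_NAME, 49))   # the FindClass argument
```

The 49 passed to sub_73E24 in JNI_OnLoad is consistent with this: the class name is 48 characters, plus one for the terminator.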

Command tree

Now we need to find the RegisterNatives call, which will point us to the doCommandNative function. Let's look at the functions called from JNI_OnLoad; we find it inside sub_B7B0:

int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
{
    char signature[41]; // [sp+7h] [bp-55h]
    char name[16]; // [sp+30h] [bp-2Ch]
    JNINativeMethod method; // [sp+40h] [bp-1Ch]
    int v8; // [sp+4Ch] [bp-10h]

    v8 = *(_DWORD *)off_8AC00;                                                         // probably the stack-protector cookie
    decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);      // doCommandNative
    decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u); // (I[Ljava/lang/Object;)Ljava/lang/Object;
    method.name = name;
    method.signature = signature;
    method.fnPtr = sub_B69C;                                                           // the native implementation
    return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
}

And indeed, a native method named doCommandNative is registered here. Now we know its address. Let's see what it does.

int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
{
    int v5; // r5
    struc_2 *a5; // r6
    int v9; // r1
    int v11; // [sp+Ch] [bp-14h]
    int v12; // [sp+10h] [bp-10h]

    v5 = 0;
    v12 = *(_DWORD *)off_8AC00;
    v11 = 0;
    a5 = (struc_2 *)malloc(0x14u);
    if ( a5 )
    {
        a5->field_0 = 0;
        a5->field_4 = 0;
        a5->field_8 = 0;
        a5->field_C = 0;
        v9 = command % 10000 / 100;          // N2
        a5->field_0 = command / 10000;       // N1
        a5->field_4 = v9;
        a5->field_8 = command % 100;         // N3
        a5->field_C = env;
        a5->field_10 = args;                 // the Object[] built on the Java side
        v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);   // dispatch via the command tree
    }
    free(a5);
    if ( !v5 && v11 )
        sub_7CF34(env, v11, &byte_83ED7);
    return v5;
}

From the name you can guess that this is the entry point for all the functions the developers decided to move into the native library. We are interested in function number 10601.

From the code you can see that the command number is split into three numbers: command / 10000, command % 10000 / 100 and command % 100, that is, in our case 1, 6 and 1. These three numbers, together with a pointer to JNIEnv and the arguments passed to the function, are stored in a structure and passed on. From the three numbers obtained (let's call them N1, N2 and N3), a command tree is built.

Something like this:

[Screenshot: diagram of the command tree]

The tree is filled in dynamically in JNI_OnLoad.
The three numbers encode a path through the tree. Each leaf of the tree holds the XOR-ed address of the corresponding function; the XOR key is stored in the parent node. Finding the place in the code where the function we need is added to the tree is not hard once you understand all the structures involved (we won't describe them, so as not to bloat an already long article).

More obfuscation

We have the address of the function that should decrypt the traffic: 0x5F1AC. But it is too early to celebrate: the UC Browser developers have another surprise in store for us.

After receiving the parameters from the array created in the Java code, we arrive at the function at address 0x4D070. And another kind of code obfuscation awaits us there.

Two indices are loaded into R7 and R4:

[Screenshot: loading the two indices]

The first index is shifted into R11:

[Screenshot: shifting the first index]

The index is then used to fetch an address from a table:

[Screenshot: table lookup by index]

After jumping to the first address, the second index, in R4, is used. There are 230 entries in the table.

What do you do with that? You can tell IDA that this is a switch: Edit -> Other -> Specify switch idiom.

[Screenshot: IDA switch idiom dialog]

The resulting code is frightening. But wading through its jungle, you notice a call to a function we are already familiar with, sub_6115C:

[Screenshot: call to sub_6115C]

It contained a switch in which, for case 3, decryption with the RC4 algorithm was performed. In this case the structure passed to the function is filled from the parameters handed to doCommandNative. Recall what we had there: magicInt with the value 16. We look at the corresponding case, and after a few jumps we find code from which the algorithm can be identified.

[Screenshot: the identified cipher code]

This is AES!

The algorithm is known; what remains is to get its parameters: the mode, the key and, possibly, the initialization vector (whether there is one depends on the AES mode of operation). The structure holding them must be created somewhere before the call to sub_6115C, but this part of the code is heavily obfuscated, so the idea arises to patch the code so that all parameters of the decryption function are dumped to a file.

Patch

So as not to write all of the patch code in assembly by hand, you can start Android Studio, write a function that takes the same parameters as our decryption function and writes them to a file, and then copy the code the compiler generates.

Our friends on the UC Browser team also took care to make adding code convenient. Recall that at the start of every function there is junk code that can easily be replaced with something else. Very handy 🙂 However, at the start of the target function there is not enough room for code that saves all the parameters to a file. I had to split it into parts and use the junk blocks of neighbouring functions. There were four parts in total.

Part one:

[Screenshot: part one of the patch]

In the ARM architecture the first four function parameters are passed in registers R0-R3; the rest, if any, are passed on the stack. The LR register holds the return address. All of this has to be saved so the function can still work after we dump its parameters. We also need to save all the registers we will use in the process, so we do PUSH.W {R0-R10,LR}. In R7 we get the address of the list of parameters passed to the function on the stack.

Using fopen we open the file /data/local/tmp/aes in "ab" mode, i.e. for appending. We put the address of the file name in R0 and the address of the string specifying the mode in R1. And here the junk code ends, so we move on to the next function. To keep it working, we place a jump to the function's real code, past the junk, at its start, and in place of the junk we put the continuation of the patch.

[Screenshot: part two of the patch]

Calling fopen.

The first three parameters of the aes function are of type int. Since we saved the registers on the stack at the start, we can simply pass fwrite their addresses on the stack.

[Screenshot: part three of the patch]

Next come three structures containing the data size and a pointer to the data for the key, the initialization vector and the encrypted data.

[Screenshot: part four of the patch]

Finally, close the file, restore the registers and transfer control to the real aes function.

We assemble an APK with the patched library, sign it, push it to the device/emulator and launch it. We see that our dump is being created and a lot of data is written to it. The browser uses encryption for more than just traffic, and all of that encryption goes through the function in question. But for some reason the data we need is not there, and the request we need is not visible in the traffic. So as not to wait until UC Browser decides to make that request, let's take the encrypted server response captured earlier and feed it to the application again: add decryption to onCreate of the main activity.

    const/16 v1, 0x62
    new-array v1, v1, [B
    fill-array-data v1, :encrypted_data          # 0x62 bytes: the captured server response
    const/16 v0, 0x1f
    invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B
    move-result-object v1
    array-length v2, v1
    invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
    move-result-object v2
    const-string v0, "ololo"
    invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I   # log the decrypted length

Assemble, sign, install, launch. We get a NullPointerException, because the method returned null.

During further analysis of the code, a function was found that references some interesting strings: "META-INF/" and ".RSA". Apparently the application verifies its own certificate. Or even derives keys from it. I don't want to dig into what happens with the certificate, so we'll simply slip it the correct one. Patch the encrypted string so that instead of "META-INF/" we get "BLABLINF/", create a folder with that name in the APK and put the squirrel browser's certificate there.

Assemble, sign, install, launch. Bingo! We have the key!

MitM

We obtained the key, and an initialization vector equal to the key. Let's try to decrypt the server response in CBC mode.

[Screenshot: decrypted server response]

We see the archive URL, something resembling an MD5, "extract_unzipsize" and a number. We check: the archive's MD5 matches, and the size of the unpacked library matches. We try to patch this library and feed it to the browser. To show that our patched library has loaded, we'll launch an Intent to create an SMS with the text "PWNED!". We'll substitute two server responses: puds.ucweb.com/upgrade/index.xhtml and the archive download. In the first we replace the MD5 (the size does not change after unpacking); in the second we serve the archive with the patched library.

The browser tries to download the archive several times and then reports an error. Apparently something is not to its liking. Analysis of this murky format showed that the server also transmits the archive size:

[Screenshot: the archive size field in the response]

It is encoded in LEB128. After the patch the size of the archive containing the library changed slightly, so the browser concluded that the archive had been downloaded incorrectly and, after several attempts, raised an error.
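For reference, here is what the size check looks like when reimplemented: an unsigned LEB128 encoder and decoder, and the acceptance rule the article observed (the downloaded archive must be exactly as long as the declared size). This is an added example, not UC Browser's code; the real response format is undocumented, so the sample archive and size field below are constructed.

```python
"""Unsigned LEB128 encode/decode and the archive-size check that rejected the
repacked update. Added example, not UC Browser's code; the sample archive and
size field are constructed stand-ins for the real (undocumented) format."""

from typing import Tuple


def leb128_encode(value: int) -> bytes:
    """Encode a non-negative integer as unsigned LEB128: 7 payload bits per
    byte, continuation bit (0x80) set on every byte except the last."""
    if value < 0:
        raise ValueError("unsigned LEB128 cannot encode negative values")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def leb128_decode(buf: bytes, offset: int = 0) -> Tuple[int, int]:
    """Decode one unsigned LEB128 value at `offset`; return (value, next_offset).
    Rejects truncated input and over-long encodings (more than 10 bytes)."""
    result = 0
    shift = 0
    pos = offset
    while True:
        if pos >= len(buf):
            raise ValueError("truncated LEB128 value")
        if pos - offset >= 10:
            raise ValueError("LEB128 value too long")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos


def archive_size_matches(size_field: bytes, archive: bytes) -> bool:
    """The acceptance rule as observed in the article: the downloaded archive
    must be exactly as long as the LEB128 size carried in the response."""
    declared, _ = leb128_decode(size_field)
    return declared == len(archive)


if __name__ == "__main__":
    original = b"PK\x03\x04" + b"\x00" * 996        # constructed 1000-byte stand-in archive
    size_field = leb128_encode(len(original))
    print(size_field.hex())                          # e807
    print(archive_size_matches(size_field, original))          # True
    print(archive_size_matches(size_field, original + b"!"))   # False: repacked, length differs
```

Note what this check does and does not buy the client: a length mismatch catches a truncated or accidentally altered download, but since both the size and the MD5 travel inside the same response, it adds nothing against a party who can rewrite that response, which is the point the rest of the section makes.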

We fix the archive size... and, victory! 🙂 The result is in the video.

https://www.youtube.com/watch?v=Nfns7uH03J8

Conclusions and the developer's reaction

In the same way, criminals could use this insecure feature of UC Browser to distribute and run malicious libraries. Those libraries would run in the browser's context and therefore receive all of its system permissions. The result would be the ability to display phishing windows, as well as access to the working files of the Chinese orange squirrel, including the logins, passwords and cookies stored in its database.

We contacted the UC Browser developers and informed them of the problem we had found, trying to point out the vulnerability and its danger, but they did not discuss anything with us. Meanwhile the browser continued to flaunt its dangerous feature in plain sight. But once we disclosed the details of the vulnerability, it could no longer be ignored as before. On March 27 a new version of UC Browser, 12.10.9.1193, was released, which contacts the server over HTTPS: puds.ucweb.com/upgrade/index.xhtml.

Furthermore, after the "fix" and up to the time of writing, attempting to open a PDF in the browser ended with an error message reading "Oops, something went wrong!". No request to the server was made when opening the PDF, but a request was made at browser start-up, which hints that the ability to download executable code, in violation of Google Play's rules, is still there.

Source: www.habr.com
