Searching for vulnerabilities in UC Browser

Introduction

At the end of March we reported that we had discovered a hidden ability to download and run unverified code in UC Browser. Today we will look in detail at how this download works and how attackers could use it for their own purposes.

Some time ago, UC Browser was advertised and distributed very aggressively: it was installed on users' devices using malware, distributed from various sites under the guise of video files (i.e., users thought they were downloading, for example, a porn video, but instead received an apk with this browser), and promoted with scary banners saying that the browser was outdated, vulnerable, and things like that. In the official UC Browser group on VK there is a topic in which users can complain about unfair advertising; there are many examples there. In 2016 there was even a video advertisement in Russian (yes, an advertisement for an ad-blocking browser).

At the time of writing, UC Browser has more than 500 million installs on Google Play. This is impressive: only Google Chrome has more. Among the reviews you can see many complaints about advertising and redirects to some applications on Google Play. This was the reason for our research: we decided to see whether UC Browser is doing something bad. And it turned out that it is!

In the application code we discovered the ability to download and run executable code, which is contrary to the rules for publishing applications on Google Play. Moreover, UC Browser downloads this executable code in an insecure way, which can be used to mount a MitM attack. Let's see if we can carry out such an attack.

Everything written below applies to the version of UC Browser that was available on Google Play at the time of the study:

package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
sha1 of the APK file: f5edb2243413c777172f6362876041eb0c3a928c

Attack vector

In the UC Browser manifest you can find a service with the self-explanatory name com.uc.deployment.UpgradeDeployerService.

    <service android:exported="false" android:name="com.uc.deployment.UpgradeDeployService" android:process=":deploy" />

When this service starts, the browser makes a POST request to puds.ucweb.com/upgrade/index.xhtml, which can be seen in the traffic some time after launch. In response, it may receive a command to download an update or a new module. During our analysis the server did not issue such commands, but we noticed that when we try to open a PDF in the browser, it makes a second request to the address above, after which it downloads a native library. To carry out the attack, we decided to use this feature of UC Browser: the ability to open a PDF using a native library that is not in the apk and that is downloaded from the Internet when needed. It is worth noting that, in theory, UC Browser can be forced to download something without user interaction, if a suitably crafted response is returned to the request it makes after launch. But to do this we would need to study the protocol of interaction with the server in more detail, so we decided it would be easier to edit the received response and replace the library for working with PDF.

So, when a user wants to open a PDF directly in the browser, the following requests can be seen in the traffic:


First there is a POST request to puds.ucweb.com/upgrade/index.xhtml, then an archive with a library for viewing PDF and office formats is downloaded. It is logical to assume that the first request carries information about the system (at least the architecture, so that the right library can be supplied), and in response the browser receives some information about the library it needs to download: the address and, possibly, something else. The problem is that this request is encrypted.

Request fragment

Response fragment



The library itself is packed in a ZIP and is not encrypted.


Searching for the traffic decryption code

Let's try to decrypt the server response. We look at the code of the class com.uc.deployment.UpgradeDeployerService: from the onStartCommand method we go to com.uc.deployment.bx, and from there to com.uc.browser.core.dcfe:

    public final void e(l arg9) {
        int v4_5;
        String v3_1;
        byte[] v3;
        byte[] v1 = null;
        if(arg9 == null) {
            v3 = v1;
        }
        else {
            v3_1 = arg9.iGX.ipR;
            StringBuilder v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]product:");
            v4.append(arg9.iGX.ipR);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]version:");
            v4.append(arg9.iGX.iEn);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]upgrade_type:");
            v4.append(arg9.iGX.mMode);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]force_flag:");
            v4.append(arg9.iGX.iEo);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_mode:");
            v4.append(arg9.iGX.iDQ);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_type:");
            v4.append(arg9.iGX.iEr);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_state:");
            v4.append(arg9.iGX.iEp);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_file:");
            v4.append(arg9.iGX.iEq);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apk_md5:");
            v4.append(arg9.iGX.iEl);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_type:");
            v4.append(arg9.mDownloadType);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_group:");
            v4.append(arg9.mDownloadGroup);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_path:");
            v4.append(arg9.iGH);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_child_version:");
            v4.append(arg9.iGX.iEx);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_series:");
            v4.append(arg9.iGX.iEw);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_arch:");
            v4.append(arg9.iGX.iEt);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp3:");
            v4.append(arg9.iGX.iEv);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp:");
            v4.append(arg9.iGX.iEu);
            ArrayList v3_2 = arg9.iGX.iEz;
            if(v3_2 != null && v3_2.size() != 0) {
                Iterator v3_3 = v3_2.iterator();
                while(v3_3.hasNext()) {
                    Object v4_1 = v3_3.next();
                    StringBuilder v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_name:");
                    v5.append(((au)v4_1).getName());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_name:");
                    v5.append(((au)v4_1).aDA());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_code:");
                    v5.append(((au)v4_1).gBl);
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_req_type:");
                    v5.append(((au)v4_1).gBq);
                }
            }
            j v3_4 = new j();
            m.b(v3_4);
            h v4_2 = new h();
            m.b(v4_2);
            ay v5_1 = new ay();
            v3_4.hS("");
            v3_4.setImsi("");
            v3_4.hV("");
            v5_1.bPQ = v3_4;
            v5_1.bPP = v4_2;
            v5_1.yr(arg9.iGX.ipR);
            v5_1.gBF = arg9.iGX.mMode;
            v5_1.gBI = arg9.iGX.iEz;
            v3_2 = v5_1.gAr;
            c.aBh();
            v3_2.add(g.fs("os_ver", c.getRomInfo()));
            v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
            v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
            String v4_3 = com.uc.b.a.a.c.Pd();
            v3_2.add(g.fs("cpu_vfp", v4_3));
            v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
            v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
            v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
            v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
            v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
            v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
            v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
            v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
            v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
            v3_2.add(g.fs("child_ver", r.aVw()));
            v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));
            v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature()));
            v3_2.add(g.fs("upgrade_log", i.bjt()));
            v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
            v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
            v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
            v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
            v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
            v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
            boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
            v3_2.add(g.fs("neon", String.valueOf(v4_4)));
            v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
            v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
            v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
            c.aBh();
            v3_2.add(g.fs("rom_1", c.getRomInfo()));
            v4_5 = e.getScreenWidth();
            int v6 = e.getScreenHeight();
            StringBuilder v7 = new StringBuilder();
            v7.append(v4_5);
            v7.append("*");
            v7.append(v6);
            v3_2.add(g.fs("ss", v7.toString()));
            v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
            v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));
            Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
            while(v4_6.hasNext()) {
                Object v6_1 = v4_6.next();
                v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
            }
            v3 = v5_1.toByteArray();
        }
        if(v3 == null) {
            this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
            return;
        }
        v4_5 = this.iGY.iGw ? 0x1F : 0;
        if(v3 == null) {
        }
        else {
            v3 = g.i(v4_5, v3);
            if(v3 == null) {
            }
            else {
                v1 = new byte[v3.length + 16];
                byte[] v6_2 = new byte[16];
                Arrays.fill(v6_2, 0);
                v6_2[0] = 0x5F;
                v6_2[1] = 0;
                v6_2[2] = ((byte)v4_5);
                v6_2[3] = -50;
                System.arraycopy(v6_2, 0, v1, 0, 16);
                System.arraycopy(v3, 0, v1, 16, v3.length);
            }
        }
        if(v1 == null) {
            this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
            return;
        }
        if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
            this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
            return;
        }
        StringBuilder v0 = new StringBuilder("[");
        v0.append(arg9.iGX.ipR);
        v0.append("]url:");
        v0.append(this.iGY.mUpgradeUrl);
        com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
        v3_1 = this.iGY.mUpgradeUrl;
        com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
        v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
        n v3_5 = v0_2.uc(v3_1);
        m.b(v3_5, false);
        v3_5.setMethod("POST");
        v3_5.setBodyProvider(v1);
        v0_2.b(v3_5);
        this.iGY.iGI.a(arg9, "up_null", "yes", "success");
        this.iGY.iGI.b(arg9);
    }

Here we see the POST request being built. Note the creation of a 16-byte array and its contents: 0x5F, 0, 0x1F, -50 (= 0xCE). This matches what we saw in the request above.

In the same class you can find a nested class with another interesting method:

        public final void a(l arg10, byte[] arg11) {
            f v0 = this.iGQ;
            StringBuilder v1 = new StringBuilder("[");
            v1.append(arg10.iGX.ipR);
            v1.append("]:UpgradeSuccess");
            byte[] v1_1 = null;
            if(arg11 == null) {
            }
            else if(arg11.length < 16) {
            }
            else {
                // decompiler artifact: 0xFFFFFFD0 is the sign-extended byte 0xD0 (-48)
                if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
                    goto label_57;
                }
                int v3 = 1;
                int v5 = arg11[1] == 1 ? 1 : 0;
                if(arg11[2] != 1 && arg11[2] != 11) {
                    if(arg11[2] == 0x1F) {
                    }
                    else {
                        v3 = 0;
                    }
                }
                byte[] v7 = new byte[arg11.length - 16];
                System.arraycopy(arg11, 16, v7, 0, v7.length);
                if(v3 != 0) {
                    v7 = g.j(arg11[2], v7);
                }
                if(v7 == null) {
                    goto label_57;
                }
                if(v5 != 0) {
                    v1_1 = g.P(v7);
                    goto label_57;
                }
                v1_1 = v7;
            }
        label_57:
            if(v1_1 == null) {
                v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
                return;
            }
            q v11 = g.b(arg10, v1_1);
            if(v11 == null) {
                v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
                return;
            }
            if(v0.iGY.iGt) {
                v0.d(arg10);
            }
            if(v0.iGY.iGo != null) {
                v0.iGY.iGo.a(0, ((o)v11));
            }
            if(v0.iGY.iGs) {
                v0.iGY.a(((o)v11));
                v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
                v0.iGY.iGI.a(v11);
                return;
            }
            v0.iGY.iGI.a(v11, "up_silent", "no", "success");
        }

The method takes a byte array as input and checks that the zero byte is 0x60 or the third byte is 0xD0, and that the second byte is 1, 11 or 0x1F. We look at the response from the server: the zero byte is 0x60, the second is 0x1F, the third is 0x60. Looks like what we need. Judging by the strings ("up_decrypt", for example), a method that decrypts the server response should be called here.
Let's move on to the method g.j. Note that its first argument is the byte at offset 2 (i.e. 0x1F in our case), and the second is the server response without the first 16 bytes.

    public static byte[] j(int arg1, byte[] arg2) {
        if(arg1 == 1) {
            arg2 = c.c(arg2, c.adu);
        }
        else if(arg1 == 11) {
            arg2 = m.aF(arg2);
        }
        else if(arg1 != 0x1F) {
        }
        else {
            arg2 = EncryptHelper.decrypt(arg2);
        }
        return arg2;
    }

Obviously, the decryption algorithm is selected here, and the byte that in our case equals 0x1F chooses one of three possible options.

We continue analyzing the code. After a couple of jumps we find ourselves in a method with the self-explanatory name decryptBytesByKey.

Here two more bytes are split off from our response, and a string is derived from them. Clearly this is how the key for decrypting the message is selected.

    private static byte[] decryptBytesByKey(byte[] bytes) {
        byte[] v0 = null;
        if(bytes != null) {
            try {
                if(bytes.length < EncryptHelper.PREFIX_BYTES_SIZE) {
                }
                else if(bytes.length == EncryptHelper.PREFIX_BYTES_SIZE) {
                    return v0;
                }
                else {
                    byte[] prefix = new byte[EncryptHelper.PREFIX_BYTES_SIZE];  // 2 bytes
                    System.arraycopy(bytes, 0, prefix, 0, prefix.length);
                    String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort()); // key selection
                    if(keyId == null) {
                        return v0;
                    }
                    else {
                        a v2 = EncryptHelper.ayL();
                        if(v2 == null) {
                            return v0;
                        }
                        else {
                            byte[] enrypted = new byte[bytes.length - EncryptHelper.PREFIX_BYTES_SIZE];
                            System.arraycopy(bytes, EncryptHelper.PREFIX_BYTES_SIZE, enrypted, 0, enrypted.length);
                            return v2.l(keyId, enrypted);
                        }
                    }
                }
            }
            catch(SecException v7_1) {
                EncryptHelper.handleDecryptException(((Throwable)v7_1), v7_1.getErrorCode());
                return v0;
            }
            catch(Throwable v7) {
                EncryptHelper.handleDecryptException(v7, 2);
                return v0;
            }
        }
        return v0;
    }

Looking ahead, we note that at this stage we have not yet obtained the key, only its "identifier". Obtaining the key is somewhat more complicated.
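To make the framing of the upgrade protocol concrete, here is an added example (not code from the article or from UC Browser) that builds the 16-byte request header from e(l) and applies the acceptance rules of the nested a(l, byte[]) method and decryptBytesByKey to a constructed response; the sample bytes and the key id 7 are made up.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Selector values dispatched by g.j() in the code above.
ALG_C_ADU = 1             # c.c(data, c.adu)
ALG_M_AF = 11             # m.aF(data)
ALG_SECURITYGUARD = 0x1F  # EncryptHelper.decrypt -> libsgmain, 2-byte key id prefix
PREFIX_BYTES_SIZE = 2     # EncryptHelper.PREFIX_BYTES_SIZE


@dataclass
class UpgradeFrame:
    compressed: bool       # header byte 1 == 1: g.P() runs after decryption
    alg: int               # header byte 2, or 0 when the body is passed on unencrypted
    key_id: Optional[int]  # only for alg 0x1F: big-endian short, as ByteBuffer.getShort()
    body: bytes            # what reaches the decryption routine


def build_request_header(mode: int) -> bytes:
    """16-byte header prepended to the POST body in e(l): 5F 00 <mode> CE + zeros."""
    header = bytearray(16)            # Arrays.fill(v6_2, 0)
    header[0] = 0x5F
    header[1] = 0
    header[2] = mode & 0xFF           # 0x1F when iGw is set, else 0
    header[3] = 0xCE                  # -50 as a Java byte
    return bytes(header)


def parse_response(buf: Optional[bytes]) -> Optional[UpgradeFrame]:
    """Apply the same acceptance rules as a(l, byte[]) and decryptBytesByKey()."""
    if buf is None or len(buf) < 16:
        return None
    # Java: if (b[0] != 0x60 && b[3] != (byte)0xD0) fail -> either marker is enough.
    if buf[0] != 0x60 and buf[3] != 0xD0:
        return None
    compressed = buf[1] == 1
    alg = buf[2]
    body = buf[16:]
    if alg not in (ALG_C_ADU, ALG_M_AF, ALG_SECURITYGUARD):
        # v3 == 0: the body is handed on without decryption
        return UpgradeFrame(compressed, 0, None, body)
    key_id = None
    if alg == ALG_SECURITYGUARD:
        # decryptBytesByKey: shorter than or exactly PREFIX_BYTES_SIZE -> null
        if len(body) <= PREFIX_BYTES_SIZE:
            return None
        key_id = struct.unpack(">h", body[:PREFIX_BYTES_SIZE])[0]
        body = body[PREFIX_BYTES_SIZE:]
    return UpgradeFrame(compressed, alg, key_id, body)


# Constructed sample: a well-formed 0x1F frame with key id 7 and an opaque body.
SAMPLE_RESPONSE = (bytes([0x60, 0x00, 0x1F, 0xD0]) + bytes(12)
                   + b"\x00\x07" + b"<ciphertext>")
```

Note that the header carries no integrity value at all: anyone who can answer the POST can choose the algorithm byte and the key id, which is what makes the MitM scenario above possible.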

In the next method, two more parameters are added to the existing ones, making four: the magic number 16, the key identifier, the encrypted data, and an unexplained string (empty in our case).

    public final byte[] l(String keyId, byte[] encrypted) throws SecException {
        return this.ayJ().staticBinarySafeDecryptNoB64(16, keyId, encrypted, "");
    }

After a series of jumps we arrive at the method staticBinarySafeDecryptNoB64 of the interface com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponent. No class in the main application code implements this interface. Such a class exists in the file lib/armeabi-v7a/libsgmain.so, which is actually not a .so but a .jar. The method we are interested in is implemented as follows:

    package com.alibaba.wireless.security.a.i;
    // ...
    public class a implements IStaticDataEncryptComponent {
        private ISecurityGuardPlugin a;
        // ...
        private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
            return this.a.getRouter().doCommand(10601, new Object[]{Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt), keyId, encrypted, magicString});
        }
        // ...
        private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
            return this.a(2, magicInt, 0, keyId, encrypted, magicString);
        }
        // ...
        public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
            if(keyId != null && keyId.length() > 0 && magicInt >= 0 && magicInt < 19 && encrypted != null && encrypted.length > 0) {
                return this.b(magicInt, keyId, encrypted, magicString);
            }
            throw new SecException("", 301);
        }
        //...
    }

Here the parameter list is extended with two more integers: 2 and 0. By all appearances, 2 means decryption, as in the doFinal method of the system class javax.crypto.Cipher. And all of this is passed to some router with the number 10601, which is obviously the command number.

After the next chain of jumps we find the class that implements the IRouterComponent interface and the doCommand method:

    package com.alibaba.wireless.security.mainplugin;
    import com.alibaba.wireless.security.framework.IRouterComponent;
    import com.taobao.wireless.security.adapter.JNICLibrary;
    public class a implements IRouterComponent {
        public a() {
            super();
        }
        public Object doCommand(int arg2, Object[] arg3) {
            return JNICLibrary.doCommandNative(arg2, arg3);
        }
    }

And also the JNICLibrary class, in which the native method doCommandNative is declared:

    package com.taobao.wireless.security.adapter;
    public class JNICLibrary {
        public static native Object doCommandNative(int arg0, Object[] arg1);
    }

This means we need to find the doCommandNative method in the native code. And this is where the fun begins.

Machine code obfuscation

The file libsgmain.so (which is actually a .jar, and in which we found the implementation of some of the encryption-related interfaces just above) contains one native library: libsgmainso-6.4.36.so. We open it in IDA and get a pile of error dialogs. The problem is that the section header table is invalid. This is done deliberately to complicate analysis.


But it is not needed: to load an ELF file correctly and analyze it, the program header table is enough. So we simply delete the section table by zeroing out the corresponding fields in the header.


Open the file in IDA again.

There are two ways to tell the Java virtual machine where exactly in a native library the implementation of a method declared as native in Java code is located. The first is to give it a specific name of the form Java_package_name_ClassName_MethodName.

The second is to register it when the library is loaded (in the JNI_OnLoad function) using a call to the RegisterNatives function.

In our case, if the first method were used, the name would have to be Java_com_taobao_wireless_security_adapter_JNIClibrary_doCommandNative.

There is no such function among the exported ones, which means we need to look for a RegisterNatives call.
Let's go to the JNI_OnLoad function, where we see this picture:


What is happening here? At first glance, the beginning and end of the function are typical for the ARM architecture. The first instruction pushes onto the stack the contents of the registers the function will use (in this case R0, R1 and R2), along with the contents of the LR register, which holds the return address. The last instruction restores the saved registers, and the return address goes straight into the PC register, thus returning from the function. But if you look closely, you will notice that the penultimate instruction changes the return address saved on the stack. Let's calculate what it will look like after the code executes. The address 0xB130 is loaded into R1, 5 is subtracted from it, then it is moved to R0 and 0x10 is added. The result is 0xB13B. So IDA thinks that the last instruction is a normal function return, but in fact it jumps to the computed address 0xB13B.

It is worth recalling here that ARM processors have two modes and two instruction sets: ARM and Thumb. The least significant bit of the address tells the processor which instruction set is in use. That is, the address is actually 0xB13A, and the one in the least significant bit indicates Thumb mode.

A similar "adapter" has been added to the beginning of every function in this library, along with junk code. We will not dwell on them further; just remember that the real start of almost every function is a little further on.

Since the code does not jump explicitly to 0xB13A, IDA itself does not know there is code at this location. For the same reason it does not recognize most of the code in the library as code, which makes analysis somewhat harder. We tell IDA that this is code, and this is what happens:


A table clearly begins at 0xB144. What is in sub_494C?


When this function is called, the LR register holds the address of the table mentioned above (0xB144), and R0 holds an index into that table. That is, a value is taken from the table, added to LR, and the result is the address to jump to. Let's try to calculate it: 0xB144 + [0xB144 + 8*4] = 0xB144 + 0x120 = 0xB264. We go to the resulting address and see literally a few useful instructions and again a jump to 0xB140:


Now the jump will use the table entry at index 0x20.

Judging by the size of the table, there will be many such jumps in the code. The question is whether this can be handled more automatically, without calculating addresses by hand. Scripting and the ability to patch code in IDA come to our aid:

    # IDAPython script (Python 2 syntax, as in the IDA builds of the time). idc is
    # preloaded in the IDA console; the import only makes the dependency explicit.
    from idc import *

    def put_unconditional_branch(source, destination):
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503: #PUSH {R0,R1,LR}
        ea1 = ea + 2
        if get_wide_word(ea1) == 0xbf00: #NOP
            ea1 += 2
        if get_operand_type(ea1, 0) == 1 and get_operand_value(ea1, 0) == 0 and get_operand_type(ea1, 1) == 2:
            index = get_wide_dword(get_operand_value(ea1, 1))
            print "index =", hex(index)
            ea1 += 2
            if get_operand_type(ea1, 0) == 7:
                table = get_operand_value(ea1, 0) + 4
            elif get_operand_type(ea1, 1) == 2:
                table = get_operand_value(ea1, 1) + 4
            else:
                print "Wrong operand type on", hex(ea1), "-", get_operand_type(ea1, 0), get_operand_type(ea1, 1)
                table = None
            if table is None:
                print "Unable to find table"
            else:
                print "table =", hex(table)
                offset = get_wide_dword(table + (index << 2))
                put_unconditional_branch(ea, table + offset)
        else:
            print "Unknown code", get_operand_type(ea1, 0), get_operand_value(ea1, 0), get_operand_type(ea1, 1) == 2
    else:
        print "Unable to detect first instruction"

Place the cursor on the line at 0xB26A, run the script and see the jump to 0xB4B0:


IDA again did not recognize this area as code. We help it and find another construct there:


The instructions after BLX do not seem to make much sense; it looks like some kind of offset. Let's look at sub_4964:


And indeed, here the dword at the address held in LR is read and added to that address, after which the value at the resulting address is read and pushed onto the stack. In addition, 4 is added to LR so that on return from the function this offset is skipped. After that the POP {R1} instruction takes the resulting value off the stack. If you look at what is at address 0xB4BA + 0xEA = 0xB5A4, you will see something resembling an address table:


To patch this construct, you need to extract two parameters from the code: the offset and the number of the register into which the result should be placed. For each possible register, a piece of code has to be prepared in advance.

    # IDAPython script (Python 2 syntax). The byte strings compared against the
    # POP encodings below are escaped bytes, which the page had lost.
    from idc import *

    patches = {}
    patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
    patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
    patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
    patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
    patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
    patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
    patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
    patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
    patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
    patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

    ea = here()
    if (get_wide_word(ea) == 0xb082 #SUB SP, SP, #8
        and get_wide_word(ea + 2) == 0xb503): #PUSH {R0,R1,LR}
        if get_operand_type(ea + 4, 0) == 7:
            pop = get_bytes(ea + 12, 4, 0)
            if pop[1] == '\xbc':
                register = -1
                r = get_wide_byte(ea + 12)
                for i in range(8):
                    if r == (1 << i):
                        register = i
                        break
                if register == -1:
                    print "Unable to detect register"
                else:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    if ea % 4 != 0:
                        ea += 2
                    patch_dword(ea, address)
            elif pop[:3] == '\x5d\xf8\x04':
                register = ord(pop[3]) >> 4
                if register in patches:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    patch_dword(ea, address)
            else:
                print "POP instruction not found"
        else:
            print "Wrong operand type on +4:", get_operand_type(ea + 4, 0)
    else:
        print "Unable to detect first instructions"

We place the cursor at the start of the construct we want to replace, 0xB4B2, and run the script:


Besides the constructs already mentioned, the code also contains the following:


As in the previous case, there is an offset after the BLX instruction:


We read the offset at the address in LR, add it to LR and jump there. 0x72044 + 0xC = 0x72050. The script for this construct is quite simple:

    # IDAPython script (Python 2 syntax).
    from idc import *

    def put_unconditional_branch(source, destination):
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503: #PUSH {R0,R1,LR}
        ea1 = ea + 6
        if get_wide_word(ea + 2) == 0xbf00: #NOP
            ea1 += 2
        offset = get_wide_dword(ea1)
        put_unconditional_branch(ea, (ea1 + offset) & 0xffffffff)
    else:
        print "Unable to detect first instruction"
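Both the table-jump script and the one just above rely on put_unconditional_branch() producing a correct Thumb B or B.W. The following added example (not from the article, and independent of IDA) implements the same encoding together with a decoder, so a patched target can be checked from the bytes alone; the addresses in the comments are those used on the page, everything else is constructed.

```python
import struct


def encode_branch(source: int, destination: int) -> bytes:
    """Same encoding as put_unconditional_branch(): 16-bit B (T2) or 32-bit B.W (T4)."""
    offset = (destination - source - 4) >> 1      # in Thumb the PC reads as source + 4
    if offset > 2097151 or offset < -2097152:
        raise ValueError("offset out of range for B.W")
    if -1024 <= offset <= 1023:
        return struct.pack("<H", 0xE000 | (offset & 0x7FF))
    hi = 0xF000 | ((offset >> 11) & 0x7FF)        # 11110 S imm10, S is bit 10
    lo = 0xB800 | (offset & 0x7FF)                # 10 J1 1 J2 imm11 with J1 = J2 = 1
    return struct.pack("<HH", hi, lo)


def decode_branch(source: int, code: bytes) -> int:
    """Return the target of the unconditional Thumb branch at `source`."""
    first, = struct.unpack_from("<H", code, 0)
    if first & 0xF800 == 0xE000:                  # T2: B <imm11>
        imm11 = first & 0x7FF
        if imm11 & 0x400:                         # sign bit of imm11
            imm11 -= 0x800
        return source + 4 + imm11 * 2
    if first & 0xF800 == 0xF000 and len(code) >= 4:
        second, = struct.unpack_from("<H", code, 2)
        if second & 0xD000 != 0x9000:             # bits 15,14,12 must read 1,0,1
            raise ValueError("second halfword is not a B.W")
        s = (first >> 10) & 1
        imm10 = first & 0x3FF
        j1 = (second >> 13) & 1
        j2 = (second >> 11) & 1
        imm11 = second & 0x7FF
        i1 = 1 - (j1 ^ s)                         # I1 = NOT(J1 XOR S)
        i2 = 1 - (j2 ^ s)                         # I2 = NOT(J2 XOR S)
        imm = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10 << 12) | (imm11 << 1)
        if s:
            imm -= 1 << 25                        # sign-extend the 25-bit value
        return source + 4 + imm
    raise ValueError("not an unconditional Thumb branch")


def patch_roundtrip(source: int, destination: int) -> int:
    """Encode a branch as the IDA scripts would and decode it again."""
    return decode_branch(source, encode_branch(source, destination))


# 0xB26A -> 0xB4B0 is the first jump resolved on the page; it fits a 16-bit B.
SHORT_FORWARD = encode_branch(0xB26A, 0xB4B0)
```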

Result of running the script:


Once everything in the function has been patched, you can point IDA at its real beginning. It will assemble the whole function from the pieces, and it can be decompiled with HexRays.

Decrypting strings

We have learned to deal with the machine code obfuscation in the libsgmainso-6.4.36.so library from UC Browser and obtained the code of the JNI_OnLoad function.

    int __fastcall real_JNI_OnLoad(JavaVM *vm)
    {
        int result; // r0
        jclass clazz; // r0 MAPDST
        int v4; // r0
        JNIEnv *env; // r4
        int v6; // [sp-40h] [bp-5Ch]
        int v7; // [sp+Ch] [bp-10h]

        v7 = *(_DWORD *)off_8AC00;
        if ( !vm )
            goto LABEL_39;
        sub_7C4F4();
        env = (JNIEnv *)sub_7C5B0(0);
        if ( !env )
            goto LABEL_39;
        v4 = sub_72CCC();
        sub_73634(v4);
        sub_73E24(&unk_83EA6, &v6, 49);
        clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
        if ( clazz
          && (sub_9EE4(),
              sub_71D68(env),
              sub_E7DC(env) >= 0
              && sub_69D68(env) >= 0
              && sub_197B4(env, clazz) >= 0
              && sub_E240(env, clazz) >= 0
              && sub_B8B0(env, clazz) >= 0
              && sub_5F0F4(env, clazz) >= 0
              && sub_70640(env, clazz) >= 0
              && sub_11F3C(env) >= 0
              && sub_21C3C(env, clazz) >= 0
              && sub_2148C(env, clazz) >= 0
              && sub_210E0(env, clazz) >= 0
              && sub_41B58(env, clazz) >= 0
              && sub_27920(env, clazz) >= 0
              && sub_293E8(env, clazz) >= 0
              && sub_208F4(env, clazz) >= 0) )
        {
            result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
        }
        else
        {
    LABEL_39:
            result = -1;
        }
        return result;
    }

Let's take a closer look at these lines:

    sub_73E24(&unk_83EA6, &v6, 49);
    clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);

In the sub_73E24 function the class name is evidently decrypted. The parameters passed to it are a pointer to something that looks like encrypted data, a buffer, and a number. Obviously, after the call the decrypted string will be in the buffer, since the buffer is passed to FindClass, which takes the class name as its second parameter. So the number is the buffer size or the string length. Let's try to decrypt the class name; it should tell us whether we are heading in the right direction. Let's take a closer look at what happens in sub_73E24.

    int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
    {
        int v4; // r6
        int v7; // r11
        int v8; // r9
        int v9; // r4
        size_t v10; // r5
        int v11; // r0
        struc_1 v13; // [sp+0h] [bp-30h]
        int v14; // [sp+1Ch] [bp-14h]
        int v15; // [sp+20h] [bp-10h]

        v4 = 0;
        v15 = *(_DWORD *)off_8AC00;
        v14 = 0;
        v7 = sub_7AF78(17);
        v8 = sub_7AF78(size);
        if ( !v7 )
        {
            v9 = 0;
            goto LABEL_12;
        }
        (*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
        if ( !v8 )
        {
    LABEL_9:
            v4 = 0;
            goto LABEL_10;
        }
        v4 = 0;
        if ( !in )
        {
    LABEL_10:
            v9 = 0;
            goto LABEL_11;
        }
        v9 = 0;
        if ( out )
        {
            memset(out, 0, size);
            v10 = size - 1;
            (*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
            memset(&v13, 0, 0x14u);
            v13.field_4 = 3;
            v13.field_10 = v7;
            v13.field_14 = v8;
            v11 = sub_6115C(&v13, &v14);
            v9 = v11;
            if ( v11 )
            {
                if ( *(_DWORD *)(v11 + 4) == v10 )
                {
                    qmemcpy(out, *(const void **)v11, v10);
                    v4 = *(_DWORD *)(v9 + 4);
                }
                else
                {
                    v4 = 0;
                }
                goto LABEL_11;
            }
            goto LABEL_9;
        }
    LABEL_11:
        sub_7B148(v7);
    LABEL_12:
        if ( v8 )
            sub_7B148(v8);
        if ( v9 )
            sub_7B148(v9);
        return v4;
    }

The sub_7AF78 function creates an instance of a container for byte arrays of the given size (we will not go into these containers in detail). Two such containers are created here: one holds the string "DcO/lcK+h?m3c*q@" (it is easy to guess that this is a key), the other holds the encrypted data. Next, both objects are placed in a structure that is passed to the sub_6115C function. Let's also note a field in this structure that is set to 3. Let's see what happens to this structure next.

    int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
    {
        int v3; // lr
        unsigned int v4; // r1
        int v5; // r0
        int v6; // r1
        int result; // r0
        int v8; // r0

        *a2 = 820000;
        if ( a1 )
        {
            v3 = a1->field_14;
            if ( v3 )
            {
                v4 = a1->field_4;
                if ( v4 < 0x19 )
                {
                    switch ( v4 )
                    {
                        case 0u:
                            v8 = sub_6419C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 3u:
                            v8 = sub_6364C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 0x10u:
                        case 0x11u:
                        case 0x12u:
                            v8 = sub_612F4(
                                   a1->field_0,
                                   v4,
                                   *(_QWORD *)&a1->field_8,
                                   *(_QWORD *)&a1->field_8 >> 32,
                                   a1->field_10,
                                   v3,
                                   a2);
                            goto LABEL_17;
                        case 0x14u:
                            v8 = sub_63A28(a1->field_0, v3);
                            goto LABEL_17;
                        case 0x15u:
                            sub_61A60(a1->field_0, v3, a2);
                            return result;
                        case 0x16u:
                            v8 = sub_62440(a1->field_14);
                            goto LABEL_17;
                        case 0x17u:
                            v8 = sub_6226C(a1->field_10, v3);
                            goto LABEL_17;
                        case 0x18u:
                            v8 = sub_63530(a1->field_14);
    LABEL_17:
                            v6 = 0;
                            if ( v8 )
                            {
                                *a2 = 0;
                                v6 = v8;
                            }
                            return v6;
                        default:
                            LOWORD(v5) = 28032;
                            goto LABEL_5;
                    }
                }
            }
        }
        LOWORD(v5) = -27504;
    LABEL_5:
        HIWORD(v5) = 13;
        v6 = 0;
        *a2 = v5;
        return v6;
    }

The switch operand is the structure field that was set to 3 earlier. Look at case 3: the parameters passed to sub_6364C are the ones placed in the structure by the previous function, i.e. the key and the encrypted data. If you look closely at sub_6364C, you can recognize the RC4 algorithm in it.

We have the algorithm and the key. Let's try to decrypt the class name. Here is what we get: com/taobao/wireless/security/adapter/JNIClibrary. Great! We are on the right track.
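As an added example (not code from the article or from the library), here is a plain RC4 standing in for sub_6364C, wrapped in the calling convention of sub_73E24, whose size argument counts the terminating NUL (v10 = size - 1). The encrypted bytes at unk_83EA6 are not reproduced on the page, so the sample ciphertext is constructed with the same key; the RC4 core is checked against public test vectors instead.

```python
RC4_STRING_KEY = b"DcO/lcK+h?m3c*q@"   # key string recovered on the page


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    s = list(range(256))
    j = 0
    for i in range(256):                         # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                            # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_string(encrypted: bytes, size: int, key: bytes = RC4_STRING_KEY) -> bytes:
    """Mimic sub_73E24(in, out, size): zero a size-byte buffer, decrypt size-1 bytes into it.

    The whole buffer is returned, so the result is NUL-terminated like the C string
    FindClass/RegisterNatives receive; b"" stands for the failure paths (bad size,
    too little input).
    """
    if size <= 0 or len(encrypted) < size - 1:
        return b""
    out = bytearray(size)                        # memset(out, 0, size)
    out[: size - 1] = rc4(key, encrypted[: size - 1])
    return bytes(out)


def c_string(buf: bytes) -> str:
    """Read the buffer the way native code does: up to the first NUL."""
    return buf.split(b"\x00", 1)[0].decode("ascii")


# Constructed ciphertext (the real unk_83EA6 is not on the page). The 49 passed to
# sub_73E24 equals len(CLASS_NAME) + 1, just as 0x10 and 0x29 in sub_B7F6 equal the
# lengths of "doCommandNative" and its JNI signature plus one.
CLASS_NAME = b"com/taobao/wireless/security/adapter/JNIClibrary"
SAMPLE_ENCRYPTED = rc4(RC4_STRING_KEY, CLASS_NAME)
```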

Command tree

Now we need to find the RegisterNatives call, which will point us to the doCommandNative function. We look through the functions called from JNI_OnLoad and find it in sub_B7B0:

    int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
    {
        char signature[41]; // [sp+7h] [bp-55h]
        char name[16]; // [sp+30h] [bp-2Ch]
        JNINativeMethod method; // [sp+40h] [bp-1Ch]
        int v8; // [sp+4Ch] [bp-10h]

        v8 = *(_DWORD *)off_8AC00;
        decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);// doCommandNative
        decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u);// (I[Ljava/lang/Object;)Ljava/lang/Object;
        method.name = name;
        method.signature = signature;
        method.fnPtr = sub_B69C;
        return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
    }

And indeed, a native method named doCommandNative is registered here. Now we know its address. Let's see what it does.

    int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
    {
        int v5; // r5
        struc_2 *a5; // r6
        int v9; // r1
        int v11; // [sp+Ch] [bp-14h]
        int v12; // [sp+10h] [bp-10h]

        v5 = 0;
        v12 = *(_DWORD *)off_8AC00;
        v11 = 0;
        a5 = (struc_2 *)malloc(0x14u);
        if ( a5 )
        {
            a5->field_0 = 0;
            a5->field_4 = 0;
            a5->field_8 = 0;
            a5->field_C = 0;
            v9 = command % 10000 / 100;
            a5->field_0 = command / 10000;
            a5->field_4 = v9;
            a5->field_8 = command % 100;
            a5->field_C = env;
            a5->field_10 = args;
            v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);
        }
        free(a5);
        if ( !v5 && v11 )
            sub_7CF34(env, v11, &byte_83ED7);
        return v5;
    }

From the name you can guess that this is the entry point for all the functions the developers decided to move into the native library. We are interested in function number 10601.

You can see from the code that the command number is split into three numbers: command / 10000, command % 10000 / 100 and command % 100, i.e. in our case 1, 6 and 1. These three numbers, together with the JNIEnv pointer and the arguments passed to the function, are placed in a structure and passed on. From the three numbers obtained (let's call them N1, N2 and N3) a command tree is built.

Something like this:

[screenshot: command tree diagram]

The tree is filled dynamically in JNI_OnLoad.
The three numbers encode a path in the tree. Each leaf of the tree holds the obfuscated address of the corresponding function. The keys are stored in the parent nodes. Finding the place in the code where the function we need is added to the tree is not hard once you understand all the structures involved (we don't describe them here so as not to bloat an already sizeable article).

More obfuscation

We get the address of the function that is supposed to decrypt traffic: 0x5F1AC. But it is too early to celebrate: the UC Browser developers have prepared another surprise for us.

After the parameters are fetched from the array created in the Java code, we arrive at the function at address 0x4D070. And here another kind of code obfuscation awaits us.

Two indices are placed in R7 and R4:

[screenshot: disassembly]

The first index is moved to R11:

[screenshot: disassembly]

An index is used to fetch an address from a table:

[screenshot: disassembly]

After jumping to the first address, the second index, held in R4, is used. The table has 230 entries.

What to do about it? You can tell IDA that this is a switch: Edit -> Other -> Specify switch idiom.

[screenshot: IDA switch idiom dialog]

The resulting code is frightening. But, working your way through its jungle, you can spot a call to a function we already know, sub_6115C:

[screenshot: decompiled code]

It contains a switch in which case 3 performs decryption with the RC4 algorithm. And in our case the structure passed to the function is filled from the parameters passed to doCommandNative. Recall what we had there: magicInt with the value 16. We look at the corresponding case, and after several jumps we find code from which the algorithm can be identified.

[screenshot: decompiled code]

This is AES!

We have the algorithm; all that remains is to obtain its parameters: the mode, the key and possibly an initialization vector (whether there is one depends on the AES mode of operation). The structure holding them must be assembled somewhere before the call to sub_6115C, but this part of the code is especially well obfuscated, so the idea arose to patch the code so that all the parameters of the decryption function are dumped to a file.

Patch

So as not to write the whole patch by hand in assembly, you can open Android Studio, write a function there that takes the same input parameters as our decryption function and writes them to a file, and then copy-paste the code the compiler produces.

Our friends on the UC Browser team also took care of making code insertion convenient. Recall that at the start of every function there is junk code that can easily be replaced with anything else. Very convenient 🙂 However, at the start of the target function there is not enough room for code that saves all the parameters to a file. I had to split it into parts and use the junk blocks of neighbouring functions. There are four parts in total.

The first part:

[screenshot: patch, part one]

In the ARM architecture the first four function parameters are passed in registers R0-R3; the rest, if any, go on the stack. The LR register holds the return address. All of this must be preserved so that the function can still work after we dump its parameters. We also need to save every register we will use along the way, so we do PUSH.W {R0-R10,LR}. In R7 we obtain the address of the list of parameters passed to the function on the stack.

Using the fopen function we open the file /data/local/tmp/aes in "ab" mode, i.e. for appending. In R0 we load the address of the file name, in R1 the address of the string specifying the mode. Here the junk code ends, so we move on to the next function. To keep it working, at its start we put a jump to the function's real code, bypassing the junk, and in place of the junk we put the continuation of the patch.

[screenshot: patch, part two]

Calling fopen.

The first three parameters of the AES function are of type int. Since we saved the registers on the stack at the start, we can simply pass fwrite their addresses on the stack.

[screenshot: patch, part three]

Next come three structures containing the data size and a pointer to the data, for the key, the initialization vector and the encrypted data respectively.

[screenshot: patch, part four]

At the end we close the file, restore the registers and hand control over to the real AES function.

We build an apk with the patched library, sign it, upload it to the device/emulator and launch it. We see that our dump has been created and that a lot of data is being written to it. The browser uses encryption not only for traffic, and all of it goes through the function in question. But for some reason the data we need is not there, and the request we are after does not show up in traffic either. So as not to wait until UC Browser deigns to make the required request, let's take the encrypted server response captured earlier and patch the application once more: add decryption to onCreate of the main activity.

const/16 v1, 0x62
new-array v1, v1, [B
fill-array-data v1, :encrypted_data
const/16 v0, 0x1f
invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B
move-result-object v1
array-length v2, v1
invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
move-result-object v2
const-string v0, "ololo"
invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

We build, sign, install, launch. We get a NullPointerException because the method returned null.

During further analysis of the code we found a function that produces the telling strings "META-INF/" and ".RSA". It looks as though the application verifies its own certificate. Or even derives keys from it. I really did not want to dig into what happens with the certificate, so we will simply slip it the correct one. Let's patch the encrypted string so that instead of "META-INF/" we get "BLABLINF/", create a folder with that name in the apk and put the squirrel browser's certificate there.

We build, sign, install, launch. Bingo! We have the key!

MitM

We obtained a key and an initialization vector equal to the key. Let's try to decrypt the server response in CBC mode.

[screenshot: decrypted server response]

We see the archive URL, something resembling an MD5, "extract_unzipsize" and a number. We check: the MD5 of the archive matches, and so does the size of the unpacked library. We try to patch this library and slip it to the browser. To show that our patched library has been loaded, we launch an Intent that creates an SMS with the text "PWNED!". We replace two server responses: the one from puds.ucweb.com/upgrade/index.xhtml and the archive download. In the first we replace the MD5 (the size does not change after unpacking), in the second we serve the archive containing the patched library.

The browser tries to download the archive several times and then reports an error. Apparently something did not suit it. Analysing the obscure format revealed that the server also transmits the archive size:

[screenshot: response bytes with the encoded size]

It is encoded in LEB128. After the patch the size of the archive with the library changed slightly, so the browser decided the file had been downloaded incorrectly and, after several attempts, threw an error.

We fix the archive size... And victory! 🙂 The result is in the video.
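To show what the browser actually checks, here is an added example (not the article's or the browser's code): a LEB128 decoder plus the three checks named above (archive size, MD5, unpacked size), run over a constructed zip. As the comment notes, these checks establish integrity of the transfer, not authenticity of the manifest.

```python
# Added example; all sample values below are constructed, not taken from UC Browser.
import hashlib
import io
import zipfile

def decode_uleb128(data: bytes, offset: int = 0) -> tuple[int, int]:
    """Return (value, next_offset) for an unsigned LEB128 integer at data[offset]."""
    result = shift = 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated LEB128 value")
        byte = data[offset]
        offset += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:          # high bit clear: last byte
            return result, offset
        shift += 7

def encode_uleb128(value: int) -> bytes:
    """Inverse of decode_uleb128, used here only to build the sample size field."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | (0x80 if value else 0))
        if not value:
            return bytes(out)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def check_archive(archive: bytes, expected_md5: str, expected_unzip_size: int, size_field: bytes) -> bool:
    """The checks the browser applies: LEB128 archive size, MD5, unpacked size.
    They prove the bytes arrived intact, not who sent them: a manifest fetched
    over plain HTTP can be rewritten together with the archive it describes."""
    expected_size, _ = decode_uleb128(size_field)
    if len(archive) != expected_size or md5_hex(archive) != expected_md5:
        return False
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        unzipped = sum(info.file_size for info in zf.infolist())
    return unzipped == expected_unzip_size

def build_sample_archive(payload: bytes) -> bytes:
    """Constructed stand-in for the library archive (a zip with one .so entry)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("libexample.so", payload)
    return buf.getvalue()
```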

https://www.youtube.com/watch?v=Nfns7uH03J8

Result and developer reaction

In the same way, attackers could use UC Browser's insecure feature to distribute and execute malicious libraries. Such libraries would run in the browser's context and therefore receive all of its system permissions. The result: the ability to show phishing windows, as well as access to the working files of the orange Chinese squirrel, including the logins, passwords and cookies stored in its database.

We contacted the UC Browser developers and told them about the problem we had found, trying to point out the vulnerability and its danger, but they did not discuss anything with us. Meanwhile the browser kept showing off its dangerous feature in plain sight. But once we published the details of the vulnerability, it could no longer be ignored as before. On March 27 a new version of UC Browser, 12.10.9.1193, was released, which contacts the server over HTTPS: puds.ucweb.com/upgrade/index.xhtml.

Moreover, after the "fix" and up to the time of writing this article, an attempt to open a PDF in the browser resulted in an error message reading "Oops, something went wrong!". No request to the server was made when trying to open the PDF, but a request was made when the browser started, which hints at a continued ability to download executable code in violation of the Google Play rules.

Source: www.habr.com