Examining the vulnerability in UC Browser

Introduction

At the end of March we reported that we had found a hidden capability in UC Browser to download and run unverified code. Today we look in detail at how that download happens and how attackers could use it for their own purposes.

Some time ago UC Browser was advertised and distributed very aggressively: it was installed on users' devices by malware, spread from various sites disguised as video files (the user thought they were downloading, say, a porn video, but received an APK of this browser instead), and promoted with scary banners claiming the browser was outdated, vulnerable, and so on. The official UC Browser group on VK has a thread where users can complain about misleading advertising, and there are plenty of examples there. In 2016 there was even a Russian-language video ad (yes, an ad for a browser that blocks ads).

At the time of writing, UC Browser has more than 500 million installs on Google Play. That is impressive: only Google Chrome has more. Among the reviews you can see many complaints about advertising and redirects to other apps on Google Play. This was the reason for our research: we decided to check whether UC Browser was doing something bad. And it turned out that it is!

In the application code we found the ability to download and execute executable code, which violates the rules for publishing applications on Google Play. Not only does UC Browser download executable code, it does so in an insecure way that can be used to mount a MitM attack. Let's see whether such an attack can actually be carried out.

Everything written below applies to the version of UC Browser that was available on Google Play at the time of the research:

package: com.UCMobile.intl
versionName: 12.10.8.1172
versionCode: 10598
sha1 of the APK file: f5edb2243413c777172f6362876041eb0c3a928c

Attack vector

In the UC Browser manifest you can find a service with the self-explanatory name com.uc.deployment.UpgradeDeployService.

    <service android:exported="false" android:name="com.uc.deployment.UpgradeDeployService" android:process=":deploy" />

When this service starts, the browser sends a POST request to puds.ucweb.com/upgrade/index.xhtml, which can be seen in traffic some time after launch. In response it may receive a command to download an update or a new module. During our analysis the server did not issue such commands, but we noticed that when we try to open a PDF in the browser, it makes a second request to the address above and then downloads a native library. For the attack we decided to use exactly this UC Browser feature: the ability to open a PDF with a native library that is not in the APK and is downloaded from the Internet on demand. It is worth noting that, in theory, UC Browser could be forced to download something without any user interaction, by returning a well-formed response to the request made right after browser launch. That would require studying the client-server protocol in more detail, so we decided it would be simpler to modify the intercepted response and substitute the library used for PDF handling.

So, when the user wants to open a PDF directly in the browser, the following requests can be seen in traffic:

[Screenshot]

First there is a POST request to puds.ucweb.com/upgrade/index.xhtml, after which an archive containing a library for viewing PDF and office formats is downloaded. It is reasonable to assume that the first request transmits information about the system (at least the CPU architecture, so that the right library can be served), and that in the response the browser receives information about the library to download: its address and possibly something else. The problem is that this request is encrypted.

Request fragment:

[Screenshot]

Response fragment:

[Screenshot]

The library itself is packed in a ZIP archive and is not encrypted.

[Screenshot]

Searching for the traffic decryption code

Let's try to decrypt the server response. Look at the code of the class com.uc.deployment.UpgradeDeployService: from the onStartCommand method we go to com.uc.deployment.bx, and from there to com.uc.browser.core.dcfe:

    public final void e(l arg9) {
        int v4_5;
        String v3_1;
        byte[] v3;
        byte[] v1 = null;
        if(arg9 == null) {
            v3 = v1;
        }
        else {
            // logging of the upgrade request parameters
            v3_1 = arg9.iGX.ipR;
            StringBuilder v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]product:");
            v4.append(arg9.iGX.ipR);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]version:");
            v4.append(arg9.iGX.iEn);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]upgrade_type:");
            v4.append(arg9.iGX.mMode);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]force_flag:");
            v4.append(arg9.iGX.iEo);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_mode:");
            v4.append(arg9.iGX.iDQ);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_type:");
            v4.append(arg9.iGX.iEr);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_state:");
            v4.append(arg9.iGX.iEp);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]silent_file:");
            v4.append(arg9.iGX.iEq);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apk_md5:");
            v4.append(arg9.iGX.iEl);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_type:");
            v4.append(arg9.mDownloadType);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_group:");
            v4.append(arg9.mDownloadGroup);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]download_path:");
            v4.append(arg9.iGH);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_child_version:");
            v4.append(arg9.iGX.iEx);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_series:");
            v4.append(arg9.iGX.iEw);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_arch:");
            v4.append(arg9.iGX.iEt);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp3:");
            v4.append(arg9.iGX.iEv);
            v4 = new StringBuilder("[");
            v4.append(v3_1);
            v4.append("]apollo_cpu_vfp:");
            v4.append(arg9.iGX.iEu);
            ArrayList v3_2 = arg9.iGX.iEz;
            if(v3_2 != null && v3_2.size() != 0) {
                Iterator v3_3 = v3_2.iterator();
                while(v3_3.hasNext()) {
                    Object v4_1 = v3_3.next();
                    StringBuilder v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_name:");
                    v5.append(((au)v4_1).getName());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_name:");
                    v5.append(((au)v4_1).aDA());
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_ver_code:");
                    v5.append(((au)v4_1).gBl);
                    v5 = new StringBuilder("[");
                    v5.append(((au)v4_1).getName());
                    v5.append("]component_req_type:");
                    v5.append(((au)v4_1).gBq);
                }
            }
            // building the request body (protobuf message, see "dataver=pb" below)
            j v3_4 = new j();
            m.b(v3_4);
            h v4_2 = new h();
            m.b(v4_2);
            ay v5_1 = new ay();
            v3_4.hS("");
            v3_4.setImsi("");
            v3_4.hV("");
            v5_1.bPQ = v3_4;
            v5_1.bPP = v4_2;
            v5_1.yr(arg9.iGX.ipR);
            v5_1.gBF = arg9.iGX.mMode;
            v5_1.gBI = arg9.iGX.iEz;
            v3_2 = v5_1.gAr;
            c.aBh();
            v3_2.add(g.fs("os_ver", c.getRomInfo()));
            v3_2.add(g.fs("processor_arch", com.uc.b.a.a.c.getCpuArch()));
            v3_2.add(g.fs("cpu_arch", com.uc.b.a.a.c.Pb()));
            String v4_3 = com.uc.b.a.a.c.Pd();
            v3_2.add(g.fs("cpu_vfp", v4_3));
            v3_2.add(g.fs("net_type", String.valueOf(com.uc.base.system.a.Jo())));
            v3_2.add(g.fs("fromhost", arg9.iGX.iEm));
            v3_2.add(g.fs("plugin_ver", arg9.iGX.iEn));
            v3_2.add(g.fs("target_lang", arg9.iGX.iEs));
            v3_2.add(g.fs("vitamio_cpu_arch", arg9.iGX.iEt));
            v3_2.add(g.fs("vitamio_vfp", arg9.iGX.iEu));
            v3_2.add(g.fs("vitamio_vfp3", arg9.iGX.iEv));
            v3_2.add(g.fs("plugin_child_ver", arg9.iGX.iEx));
            v3_2.add(g.fs("ver_series", arg9.iGX.iEw));
            v3_2.add(g.fs("child_ver", r.aVw()));
            v3_2.add(g.fs("cur_ver_md5", arg9.iGX.iEl));
            v3_2.add(g.fs("cur_ver_signature", SystemHelper.getUCMSignature()));
            v3_2.add(g.fs("upgrade_log", i.bjt()));
            v3_2.add(g.fs("silent_install", String.valueOf(arg9.iGX.iDQ)));
            v3_2.add(g.fs("silent_state", String.valueOf(arg9.iGX.iEp)));
            v3_2.add(g.fs("silent_file", arg9.iGX.iEq));
            v3_2.add(g.fs("silent_type", String.valueOf(arg9.iGX.iEr)));
            v3_2.add(g.fs("cpu_archit", com.uc.b.a.a.c.Pc()));
            v3_2.add(g.fs("cpu_set", SystemHelper.getCpuInstruction()));
            boolean v4_4 = v4_3 == null || !v4_3.contains("neon") ? false : true;
            v3_2.add(g.fs("neon", String.valueOf(v4_4)));
            v3_2.add(g.fs("cpu_cores", String.valueOf(com.uc.b.a.a.c.Jl())));
            v3_2.add(g.fs("ram_1", String.valueOf(com.uc.b.a.a.h.Po())));
            v3_2.add(g.fs("totalram", String.valueOf(com.uc.b.a.a.h.OL())));
            c.aBh();
            v3_2.add(g.fs("rom_1", c.getRomInfo()));
            v4_5 = e.getScreenWidth();
            int v6 = e.getScreenHeight();
            StringBuilder v7 = new StringBuilder();
            v7.append(v4_5);
            v7.append("*");
            v7.append(v6);
            v3_2.add(g.fs("ss", v7.toString()));
            v3_2.add(g.fs("api_level", String.valueOf(Build$VERSION.SDK_INT)));
            v3_2.add(g.fs("uc_apk_list", SystemHelper.getUCMobileApks()));
            Iterator v4_6 = arg9.iGX.iEA.entrySet().iterator();
            while(v4_6.hasNext()) {
                Object v6_1 = v4_6.next();
                v3_2.add(g.fs(((Map$Entry)v6_1).getKey(), ((Map$Entry)v6_1).getValue()));
            }
            v3 = v5_1.toByteArray();
        }
        if(v3 == null) {
            this.iGY.iGI.a(arg9, "up_encode", "yes", "fail");
            return;
        }
        // encryption mode: 0x1F when iGw is set, otherwise 0 (no encryption)
        v4_5 = this.iGY.iGw ? 0x1F : 0;
        if(v3 == null) {
        }
        else {
            v3 = g.i(v4_5, v3);
            if(v3 == null) {
            }
            else {
                // 16-byte header in front of the encrypted body: 0x5F, 0, <mode>, 0xCE, zeros
                v1 = new byte[v3.length + 16];
                byte[] v6_2 = new byte[16];
                Arrays.fill(v6_2, 0);
                v6_2[0] = 0x5F;
                v6_2[1] = 0;
                v6_2[2] = ((byte)v4_5);
                v6_2[3] = -50;
                System.arraycopy(v6_2, 0, v1, 0, 16);
                System.arraycopy(v3, 0, v1, 16, v3.length);
            }
        }
        if(v1 == null) {
            this.iGY.iGI.a(arg9, "up_encrypt", "yes", "fail");
            return;
        }
        if(TextUtils.isEmpty(this.iGY.mUpgradeUrl)) {
            this.iGY.iGI.a(arg9, "up_url", "yes", "fail");
            return;
        }
        StringBuilder v0 = new StringBuilder("[");
        v0.append(arg9.iGX.ipR);
        v0.append("]url:");
        v0.append(this.iGY.mUpgradeUrl);
        com.uc.browser.core.d.c.i v0_1 = this.iGY.iGI;
        v3_1 = this.iGY.mUpgradeUrl;
        com.uc.base.net.e v0_2 = new com.uc.base.net.e(new com.uc.browser.core.d.c.i$a(v0_1, arg9));
        v3_1 = v3_1.contains("?") ? v3_1 + "&dataver=pb" : v3_1 + "?dataver=pb";
        n v3_5 = v0_2.uc(v3_1);
        m.b(v3_5, false);
        v3_5.setMethod("POST");
        v3_5.setBodyProvider(v1);
        v0_2.b(v3_5);
        this.iGY.iGI.a(arg9, "up_null", "yes", "success");
        this.iGY.iGI.b(arg9);
    }

Here we see how the POST request is formed. Note the creation of a 16-byte array and how it is filled: 0x5F, 0, 0x1F, -50 (= 0xCE). This matches what we saw in the request above.

In the same class there is a nested class with another interesting method:

    public final void a(l arg10, byte[] arg11) {
        f v0 = this.iGQ;
        StringBuilder v1 = new StringBuilder("[");
        v1.append(arg10.iGX.ipR);
        v1.append("]:UpgradeSuccess");
        byte[] v1_1 = null;
        if(arg11 == null) {
        }
        else if(arg11.length < 16) {
        }
        else {
            // response header check: byte 0 == 0x60 or byte 3 == 0xD0 (-48 as a signed byte)
            if(arg11[0] != 0x60 && arg11[3] != 0xFFFFFFD0) {
                goto label_57;
            }
            int v3 = 1;
            int v5 = arg11[1] == 1 ? 1 : 0;
            // byte 2 selects the decryption algorithm: 1, 11 or 0x1F; anything else means plaintext
            if(arg11[2] != 1 && arg11[2] != 11) {
                if(arg11[2] == 0x1F) {
                }
                else {
                    v3 = 0;
                }
            }
            byte[] v7 = new byte[arg11.length - 16];
            System.arraycopy(arg11, 16, v7, 0, v7.length);
            if(v3 != 0) {
                v7 = g.j(arg11[2], v7);
            }
            if(v7 == null) {
                goto label_57;
            }
            if(v5 != 0) {
                v1_1 = g.P(v7);
                goto label_57;
            }
            v1_1 = v7;
        }
    label_57:
        if(v1_1 == null) {
            v0.iGY.iGI.a(arg10, "up_decrypt", "yes", "fail");
            return;
        }
        q v11 = g.b(arg10, v1_1);
        if(v11 == null) {
            v0.iGY.iGI.a(arg10, "up_decode", "yes", "fail");
            return;
        }
        if(v0.iGY.iGt) {
            v0.d(arg10);
        }
        if(v0.iGY.iGo != null) {
            v0.iGY.iGo.a(0, ((o)v11));
        }
        if(v0.iGY.iGs) {
            v0.iGY.a(((o)v11));
            v0.iGY.iGI.a(v11, "up_silent", "yes", "success");
            v0.iGY.iGI.a(v11);
            return;
        }
        v0.iGY.iGI.a(v11, "up_silent", "no", "success");
    }
    } // end of the nested class

The method takes a byte array as input and checks that byte 0 is 0x60 or byte 3 is 0xD0, and that byte 2 is 1, 11 or 0x1F. Let's look at the server response: byte 0 is 0x60, byte 2 is 0x1F, byte 3 is 0x60. Looks like what we need. Judging by the strings ("up_decrypt", for example), the method that decrypts the server response should be called from here.

Let's move on to the method g.j. Note that its first argument is the byte at offset 2 (0x1F in our case), and the second is the server response without the first 16 bytes.

    public static byte[] j(int arg1, byte[] arg2) {
        if(arg1 == 1) {
            arg2 = c.c(arg2, c.adu);
        }
        else if(arg1 == 11) {
            arg2 = m.aF(arg2);
        }
        else if(arg1 != 0x1F) {
        }
        else {
            arg2 = EncryptHelper.decrypt(arg2);
        }
        return arg2;
    }

Obviously the decryption algorithm is chosen here, and the byte that equals 0x1F in our case selects one of the three possible options.

We continue following the code. After a few jumps we end up in a method with the self-explanatory name decryptBytesByKey.

Here two more bytes are split off from our response and a string is derived from them. Clearly this is how the key for decrypting the message is selected.

    private static byte[] decryptBytesByKey(byte[] bytes) {
        byte[] v0 = null;
        if(bytes != null) {
            try {
                if(bytes.length < EncryptHelper.PREFIX_BYTES_SIZE) {
                }
                else if(bytes.length == EncryptHelper.PREFIX_BYTES_SIZE) {
                    return v0;
                }
                else {
                    byte[] prefix = new byte[EncryptHelper.PREFIX_BYTES_SIZE];  // 2 bytes
                    System.arraycopy(bytes, 0, prefix, 0, prefix.length);
                    String keyId = c.ayR().d(ByteBuffer.wrap(prefix).getShort()); // key selection
                    if(keyId == null) {
                        return v0;
                    }
                    else {
                        a v2 = EncryptHelper.ayL();
                        if(v2 == null) {
                            return v0;
                        }
                        else {
                            byte[] encrypted = new byte[bytes.length - EncryptHelper.PREFIX_BYTES_SIZE];
                            System.arraycopy(bytes, EncryptHelper.PREFIX_BYTES_SIZE, encrypted, 0, encrypted.length);
                            return v2.l(keyId, encrypted);
                        }
                    }
                }
            }
            catch(SecException v7_1) {
                EncryptHelper.handleDecryptException(((Throwable)v7_1), v7_1.getErrorCode());
                return v0;
            }
            catch(Throwable v7) {
                EncryptHelper.handleDecryptException(v7, 2);
                return v0;
            }
        }
        return v0;
    }

Looking ahead, note that at this stage we do not get the key itself, only its "identifier". Obtaining the key is a bit more involved.
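The request and response framing recovered so far, as an added example that is not part of the original article or of UC Browser's code: it rebuilds the 16-byte request header from e(l), applies the header checks from a(l, byte[]) to a response, and splits off the 2-byte key id that decryptBytesByKey reads with ByteBuffer.getShort(). The sample response is constructed here, not captured, and the decryption itself is left to the native library discussed below; the field names in the returned dict are this example's own.

```python
import struct

HEADER_LEN = 16          # envelope in front of both the request and the response body
KEY_ID_LEN = 2           # EncryptHelper.PREFIX_BYTES_SIZE: big-endian short key identifier
CRYPT_MODES = {          # byte 2 of the header, as dispatched by g.j
    0x01: "c.c(..., c.adu)",
    0x0B: "m.aF",
    0x1F: "EncryptHelper.decrypt (key chosen by the 2-byte key id prefix)",
}


def build_request_header(mode):
    """Rebuild the 16-byte request header from e(l): 0x5F, 0x00, <mode>, 0xCE, 12 zero bytes.
    mode is 0x1F when the client encrypts the body (iGw set) and 0 otherwise."""
    if mode not in (0x00, 0x1F):
        raise ValueError("request mode must be 0 or 0x1F")
    header = bytearray(HEADER_LEN)
    header[0], header[1], header[2], header[3] = 0x5F, 0x00, mode, 0xCE
    return bytes(header)


def parse_upgrade_response(blob):
    """Apply the checks of a(l, byte[]) and decryptBytesByKey to a raw response.
    Returns how the client would treat the body; raises ValueError where the client
    would report "up_decrypt ... fail"."""
    if len(blob) < HEADER_LEN:
        raise ValueError("response shorter than the 16-byte header")
    # accepted if byte 0 == 0x60 OR byte 3 == 0xD0 (-48 as a signed Java byte)
    if blob[0] != 0x60 and blob[3] != 0xD0:
        raise ValueError("bad response magic")
    mode = blob[2]
    info = {
        "mode": mode,
        "post_process": blob[1] == 1,           # byte 1 == 1 routes the plaintext through g.P
        "decrypt_with": CRYPT_MODES.get(mode),  # None: body is passed on as-is (v3 == 0)
        "key_id": None,
        "payload": blob[HEADER_LEN:],
    }
    if mode == 0x1F:
        body = info["payload"]
        if len(body) <= KEY_ID_LEN:
            raise ValueError("no ciphertext after the key id prefix")
        # ByteBuffer.wrap(prefix).getShort() is big-endian and signed
        info["key_id"] = struct.unpack(">h", body[:KEY_ID_LEN])[0]
        info["payload"] = body[KEY_ID_LEN:]
    return info


# Constructed sample, not a capture: a mode-0x1F response carrying key id 7 and an opaque body.
SAMPLE_RESPONSE = (bytes([0x60, 0x00, 0x1F, 0xD0]) + bytes(12)
                   + struct.pack(">h", 7) + b"\xde\xad\xbe\xef" * 4)

if __name__ == "__main__":
    print(build_request_header(0x1F).hex())
    print(parse_upgrade_response(SAMPLE_RESPONSE))
```

Because the magic test is an OR of two bytes and the mode byte is taken from the response itself, a man-in-the-middle who cannot produce ciphertext for the 0x1F path can still try to hand the client a response whose byte 2 is outside {1, 11, 0x1F}, which the client treats as plaintext; whether the subsequent g.b decoding accepts it is a separate question that the decompiled code above does not answer.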

In the next method two more parameters are added to the existing ones, making four in total: the magic number 16, the key identifier, the encrypted data, and an opaque string (empty in our case).

    public final byte[] l(String keyId, byte[] encrypted) throws SecException {
        return this.ayJ().staticBinarySafeDecryptNoB64(16, keyId, encrypted, "");
    }

After a chain of transitions we arrive at the method staticBinarySafeDecryptNoB64 of the interface com.alibaba.wireless.security.open.staticdataencrypt.IStaticDataEncryptComponent. No class in the main application code implements this interface. Such a class exists in the file lib/armeabi-v7a/libsgmain.so, which is in fact not a .so but a .jar. The method we are interested in is implemented as follows:

    package com.alibaba.wireless.security.a.i;
    // ...
    public class a implements IStaticDataEncryptComponent {
        private ISecurityGuardPlugin a;
        // ...
        private byte[] a(int mode, int magicInt, int xzInt, String keyId, byte[] encrypted, String magicString) {
            return this.a.getRouter().doCommand(10601, new Object[]{Integer.valueOf(mode), Integer.valueOf(magicInt), Integer.valueOf(xzInt), keyId, encrypted, magicString});
        }
        // ...
        private byte[] b(int magicInt, String keyId, byte[] encrypted, String magicString) {
            return this.a(2, magicInt, 0, keyId, encrypted, magicString);
        }
        // ...
        public byte[] staticBinarySafeDecryptNoB64(int magicInt, String keyId, byte[] encrypted, String magicString) throws SecException {
            if(keyId != null && keyId.length() > 0 && magicInt >= 0 && magicInt < 19 && encrypted != null && encrypted.length > 0) {
                return this.b(magicInt, keyId, encrypted, magicString);
            }
            throw new SecException("", 301);
        }
        //...
    }

Here our parameter list is extended by two more integers: 2 and 0. By all appearances, 2 means decryption, just like Cipher.DECRYPT_MODE (which equals 2) in the system class javax.crypto.Cipher. All of this is passed to some router together with the number 10601, which is obviously a command number.

After the next chain of transitions we find a class implementing the IRouterComponent interface and its doCommand method:

    package com.alibaba.wireless.security.mainplugin;

    import com.alibaba.wireless.security.framework.IRouterComponent;
    import com.taobao.wireless.security.adapter.JNICLibrary;

    public class a implements IRouterComponent {
        public a() {
            super();
        }

        public Object doCommand(int arg2, Object[] arg3) {
            return JNICLibrary.doCommandNative(arg2, arg3);
        }
    }

And the JNICLibrary class, where the native method doCommandNative is declared:

    package com.taobao.wireless.security.adapter;

    public class JNICLibrary {
        public static native Object doCommandNative(int arg0, Object[] arg1);
    }

This means we have to find the doCommandNative method in native code. And this is where the fun begins.

Machine code obfuscation

The file libsgmain.so (which is actually a .jar, and where we just found the implementation of several encryption-related interfaces) contains a single native library: libsgmainso-6.4.36.so. We open it in IDA and get a pile of error dialogs. The problem is that the section header table is invalid. This is done deliberately to make analysis harder.

[Screenshot]

But the section table is not needed: to load an ELF file correctly and analyze it, the program header table is enough. So we simply drop the section table by zeroing the corresponding fields in the ELF header.

[Screenshot]

We open the file in IDA again.

There are two ways to tell the Java virtual machine where exactly in a native library the implementation of a method declared as native in Java code lives. The first is to give the function a name of the form Java_package_name_ClassName_MethodName.

The second is to register it when the library is loaded (in the JNI_OnLoad function) with a call to the RegisterNatives function.

In our case, if the first method were used, the name would have to be Java_com_taobao_wireless_security_adapter_JNICLibrary_doCommandNative.

There is no such function among the exports, which means we have to look for a RegisterNatives call. We go to the JNI_OnLoad function and see this picture:

[Screenshot]

What is going on here? At first glance the beginning and end of the function are typical for the ARM architecture. The first instruction saves on the stack the registers the function will use (here R0, R1 and R2) together with LR, which holds the return address. The last instruction restores the saved registers, and the return address is popped straight into PC, which is how the function returns. But if you look closely, you will notice that the penultimate instruction modifies the return address stored on the stack. Let's calculate what it becomes after this code runs. The address 0xB130 is loaded into R1, 5 is subtracted from it, then the value is moved to R0 and 0x10 is added to it. The result is 0xB13B. So IDA thinks the last instruction is an ordinary function return, but in reality control goes to the computed address 0xB13B.

It is worth recalling that ARM processors have two modes and two instruction sets: ARM and Thumb. The least significant bit of a branch target address tells the processor which instruction set to use. So the address is actually 0xB13A, and the set low bit indicates Thumb mode.

A similar "adapter", plus some junk code, has been prepended to every function in this library. We will not dwell on them in detail; just remember that the real start of almost every function is a little further on.

Since nothing jumps to 0xB13A explicitly, IDA did not recognize on its own that there is code at this location. For the same reason it does not recognize most of the library's code as code, which complicates the analysis. We tell IDA that this is code, and here is what we get:

[Screenshot]

A table clearly begins at 0xB144. What is in sub_494C?

[Screenshot]

When this function is called, LR holds the address of the table mentioned above (0xB144) and R0 holds an index into that table. A value is taken from the table, added to LR, and the result is the address to jump to. Let's compute it: 0xB144 + [0xB144 + 8*4] = 0xB144 + 0x120 = 0xB264. We go to that address, see literally a handful of useful instructions, and then another jump to 0xB140:

[Screenshot]

This time the jump will use index 0x20 into the table.

Judging by the size of the table, there will be a lot of such jumps in the code. So the question is whether this can be handled somewhat automatically, without computing addresses by hand. Scripting and IDA's ability to patch code come to the rescue:

    # IDAPython (Python 3). Run with the cursor on the PUSH {R0,R1,LR} that starts a
    # "BL sub_494C" dispatch stub; replaces the stub with a direct Thumb branch to the
    # target computed from the table.
    def put_unconditional_branch(source, destination):
        # Thumb PC reads as source + 4; the offset is measured in halfwords
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            # 32-bit B.W (encoding T4): S:imm10 in the first halfword, imm11 in the second
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            # 16-bit B (encoding T2): imm11
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 2
        if get_wide_word(ea1) == 0xbf00:  # NOP
            ea1 += 2
        # LDR R0, =index  (operand 0 is the register R0, operand 1 a memory reference)
        if get_operand_type(ea1, 0) == 1 and get_operand_value(ea1, 0) == 0 and get_operand_type(ea1, 1) == 2:
            index = get_wide_dword(get_operand_value(ea1, 1))
            print("index =", hex(index))
            ea1 += 2
            # BL sub_494C: the table starts right after the call, i.e. at LR
            if get_operand_type(ea1, 0) == 7:
                table = get_operand_value(ea1, 0) + 4
            elif get_operand_type(ea1, 1) == 2:
                table = get_operand_value(ea1, 1) + 4
            else:
                print("Wrong operand type on", hex(ea1), "-", get_operand_type(ea1, 0), get_operand_type(ea1, 1))
                table = None
            if table is None:
                print("Unable to find table")
            else:
                print("table =", hex(table))
                offset = get_wide_dword(table + (index << 2))
                put_unconditional_branch(ea, table + offset)
        else:
            print("Unknown code", get_operand_type(ea1, 0), get_operand_value(ea1, 0), get_operand_type(ea1, 1) == 2)
    else:
        print("Unable to detect first instruction")

We put the cursor on the line at 0xB26A, run the script, and see the jump to 0xB4B0:

[Screenshot]

IDA again did not recognize this location as code. We help it once more and find another construction there:

[Screenshot]

The instructions after the BLX do not look meaningful; they look like some kind of offset instead. Let's look at sub_4964:

[Screenshot]

And indeed: a dword is read at the address held in LR and added to that address, then the value at the resulting address is read and pushed onto the stack. LR is also incremented by 4 so that, after the return, execution skips over that embedded offset. The POP {R1} that follows takes the resulting value off the stack. If you look at what lies at 0xB4BA + 0xEA = 0xB5A4, you will see something that looks like an address table:

[Screenshot]

To patch this construction we need two parameters from the code: the offset, and the number of the register the result should land in. A replacement code fragment has to be prepared in advance for each possible register.

    # IDAPython (Python 3). Each patch is: NOP; LDR Rn, [PC, #imm] (loads a literal
    # placed right after the fragment); LDR Rn, [Rn]; B over the literal.
    # Low registers (R0-R5) use 16-bit encodings, R8-R11 need 32-bit LDR.W encodings.
    patches = {}
    patches[0] = (0x00, 0xbf, 0x01, 0x48, 0x00, 0x68, 0x02, 0xe0)
    patches[1] = (0x00, 0xbf, 0x01, 0x49, 0x09, 0x68, 0x02, 0xe0)
    patches[2] = (0x00, 0xbf, 0x01, 0x4a, 0x12, 0x68, 0x02, 0xe0)
    patches[3] = (0x00, 0xbf, 0x01, 0x4b, 0x1b, 0x68, 0x02, 0xe0)
    patches[4] = (0x00, 0xbf, 0x01, 0x4c, 0x24, 0x68, 0x02, 0xe0)
    patches[5] = (0x00, 0xbf, 0x01, 0x4d, 0x2d, 0x68, 0x02, 0xe0)
    patches[8] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x80, 0xd8, 0xf8, 0x00, 0x80, 0x01, 0xe0)
    patches[9] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0x90, 0xd9, 0xf8, 0x00, 0x90, 0x01, 0xe0)
    patches[10] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xa0, 0xda, 0xf8, 0x00, 0xa0, 0x01, 0xe0)
    patches[11] = (0x00, 0xbf, 0xdf, 0xf8, 0x06, 0xb0, 0xdb, 0xf8, 0x00, 0xb0, 0x01, 0xe0)

    ea = here()
    if (get_wide_word(ea) == 0xb082        # SUB SP, SP, #8
            and get_wide_word(ea + 2) == 0xb503):  # PUSH {R0,R1,LR}
        if get_operand_type(ea + 4, 0) == 7:  # BLX sub_4964
            pop = get_bytes(ea + 12, 4, 0)    # the POP {Rn} that follows the embedded offset
            if pop[1] == 0xbc:                # 16-bit POP: 0xBC | register mask in the low byte
                register = -1
                r = get_wide_byte(ea + 12)
                for i in range(8):
                    if r == (1 << i):
                        register = i
                        break
                if register == -1:
                    print("Unable to detect register")
                else:
                    # the dword after the BLX is relative to LR, i.e. to ea + 8
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    if ea % 4 != 0:           # the literal must be 4-byte aligned for LDR Rn, [PC]
                        ea += 2
                    patch_dword(ea, address)
            elif pop[:3] == b'\x5d\xf8\x04':  # 32-bit POP.W {Rn} (LDR.W Rn, [SP], #4): F85D xB04
                register = pop[3] >> 4
                if register in patches:
                    address = get_wide_dword(ea + 8) + ea + 8
                    for b in patches[register]:
                        patch_byte(ea, b)
                        ea += 1
                    patch_dword(ea, address)
            else:
                print("POP instruction not found")
        else:
            print("Wrong operand type on +4:", get_operand_type(ea + 4, 0))
    else:
        print("Unable to detect first instructions")

We put the cursor at the start of the construction we want to replace, 0xB4B2, and run the script:

[Screenshot]

Besides the constructions already described, the code contains the following:

[Screenshot]

As in the previous case, an offset follows the BLX instruction:

[Screenshot]

We take the offset stored at the address in LR, add it to LR and jump there: 0x72044 + 0xC = 0x72050. The script for this construction is quite simple:

    # IDAPython (Python 3). Run with the cursor on the PUSH {R0,R1,LR} of a
    # "BLX + embedded offset" stub; replaces it with a direct branch to LR + offset.
    def put_unconditional_branch(source, destination):
        offset = (destination - source - 4) >> 1
        if offset > 2097151 or offset < -2097152:
            raise RuntimeError("Invalid offset")
        if offset > 1023 or offset < -1024:
            instruction1 = 0xf000 | ((offset >> 11) & 0x7ff)
            instruction2 = 0xb800 | (offset & 0x7ff)
            patch_word(source, instruction1)
            patch_word(source + 2, instruction2)
        else:
            instruction = 0xe000 | (offset & 0x7ff)
            patch_word(source, instruction)

    ea = here()
    if get_wide_word(ea) == 0xb503:  # PUSH {R0,R1,LR}
        ea1 = ea + 6                 # PUSH (2) + BLX (4): LR points here, at the offset dword
        if get_wide_word(ea + 2) == 0xbf00:  # NOP
            ea1 += 2
        offset = get_wide_dword(ea1)
        put_unconditional_branch(ea, (ea1 + offset) & 0xffffffff)
    else:
        print("Unable to detect first instruction")

The result of running the script:

[Screenshot]

Once everything in a function has been patched, we can point IDA at its real beginning. It will then assemble the whole function from the pieces, and the result can be decompiled with Hex-Rays.

Decrypting strings

We have learned how to deal with the machine code obfuscation in the libsgmainso-6.4.36.so library from UC Browser and have recovered the code of the JNI_OnLoad function.

    int __fastcall real_JNI_OnLoad(JavaVM *vm)
    {
        int result; // r0
        jclass clazz; // r0 MAPDST
        int v4; // r0
        JNIEnv *env; // r4
        int v6; // [sp-40h] [bp-5Ch]
        int v7; // [sp+Ch] [bp-10h]

        v7 = *(_DWORD *)off_8AC00;
        if ( !vm )
            goto LABEL_39;
        sub_7C4F4();
        env = (JNIEnv *)sub_7C5B0(0);
        if ( !env )
            goto LABEL_39;
        v4 = sub_72CCC();
        sub_73634(v4);
        sub_73E24(&unk_83EA6, &v6, 49);
        clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);
        if ( clazz
          && (sub_9EE4(),
              sub_71D68(env),
              sub_E7DC(env) >= 0
              && sub_69D68(env) >= 0
              && sub_197B4(env, clazz) >= 0
              && sub_E240(env, clazz) >= 0
              && sub_B8B0(env, clazz) >= 0
              && sub_5F0F4(env, clazz) >= 0
              && sub_70640(env, clazz) >= 0
              && sub_11F3C(env) >= 0
              && sub_21C3C(env, clazz) >= 0
              && sub_2148C(env, clazz) >= 0
              && sub_210E0(env, clazz) >= 0
              && sub_41B58(env, clazz) >= 0
              && sub_27920(env, clazz) >= 0
              && sub_293E8(env, clazz) >= 0
              && sub_208F4(env, clazz) >= 0) )
        {
            result = (sub_B7B0(env, clazz) >> 31) | 0x10004;
        }
        else
        {
    LABEL_39:
            result = -1;
        }
        return result;
    }

Let's take a closer look at these two lines:

    sub_73E24(&unk_83EA6, &v6, 49);
    clazz = (jclass)((int (__fastcall *)(JNIEnv *, int *))(*env)->FindClass)(env, &v6);

The class name is evidently decrypted in sub_73E24. Its parameters are a pointer to something that looks like encrypted data, a buffer, and a number. After the call the buffer must hold the decrypted string, because it is passed to FindClass, which takes the class name as its second parameter. So the number is either the buffer size or the string length. Let's try to decrypt the class name; it should tell us whether we are on the right track. Here is what happens inside sub_73E24.

    int __fastcall sub_73E56(unsigned __int8 *in, unsigned __int8 *out, size_t size)
    {
        int v4; // r6
        int v7; // r11
        int v8; // r9
        int v9; // r4
        size_t v10; // r5
        int v11; // r0
        struc_1 v13; // [sp+0h] [bp-30h]
        int v14; // [sp+1Ch] [bp-14h]
        int v15; // [sp+20h] [bp-10h]

        v4 = 0;
        v15 = *(_DWORD *)off_8AC00;
        v14 = 0;
        v7 = sub_7AF78(17);
        v8 = sub_7AF78(size);
        if ( !v7 )
        {
            v9 = 0;
            goto LABEL_12;
        }
        (*(void (__fastcall **)(int, const char *, int))(v7 + 12))(v7, "DcO/lcK+h?m3c*q@", 16);
        if ( !v8 )
        {
    LABEL_9:
            v4 = 0;
            goto LABEL_10;
        }
        v4 = 0;
        if ( !in )
        {
    LABEL_10:
            v9 = 0;
            goto LABEL_11;
        }
        v9 = 0;
        if ( out )
        {
            memset(out, 0, size);
            v10 = size - 1;
            (*(void (__fastcall **)(int, unsigned __int8 *, size_t))(v8 + 12))(v8, in, v10);
            memset(&v13, 0, 0x14u);
            v13.field_4 = 3;
            v13.field_10 = v7;
            v13.field_14 = v8;
            v11 = sub_6115C(&v13, &v14);
            v9 = v11;
            if ( v11 )
            {
                if ( *(_DWORD *)(v11 + 4) == v10 )
                {
                    qmemcpy(out, *(const void **)v11, v10);
                    v4 = *(_DWORD *)(v9 + 4);
                }
                else
                {
                    v4 = 0;
                }
                goto LABEL_11;
            }
            goto LABEL_9;
        }
    LABEL_11:
        sub_7B148(v7);
    LABEL_12:
        if ( v8 )
            sub_7B148(v8);
        if ( v9 )
            sub_7B148(v9);
        return v4;
    }

The function sub_7AF78 creates a byte-array container of the given size (we will not go into these containers in detail). Two such containers are created here: one holds the string "DcO/lcK+h?m3c*q@" (it is easy to guess that this is the key), the other holds the encrypted data. Both objects are then placed into a structure that is passed to sub_6115C. Note also the field of that structure that is set to 3. Let's see what happens to the structure next.

    int __fastcall sub_611B4(struc_1 *a1, _DWORD *a2)
    {
        int v3; // lr
        unsigned int v4; // r1
        int v5; // r0
        int v6; // r1
        int result; // r0
        int v8; // r0

        *a2 = 820000;
        if ( a1 )
        {
            v3 = a1->field_14;
            if ( v3 )
            {
                v4 = a1->field_4;
                if ( v4 < 0x19 )
                {
                    switch ( v4 )
                    {
                        case 0u:
                            v8 = sub_6419C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 3u:
                            v8 = sub_6364C(a1->field_0, a1->field_10, v3);
                            goto LABEL_17;
                        case 0x10u:
                        case 0x11u:
                        case 0x12u:
                            v8 = sub_612F4(
                                   a1->field_0,
                                   v4,
                                   *(_QWORD *)&a1->field_8,
                                   *(_QWORD *)&a1->field_8 >> 32,
                                   a1->field_10,
                                   v3,
                                   a2);
                            goto LABEL_17;
                        case 0x14u:
                            v8 = sub_63A28(a1->field_0, v3);
                            goto LABEL_17;
                        case 0x15u:
                            sub_61A60(a1->field_0, v3, a2);
                            return result;
                        case 0x16u:
                            v8 = sub_62440(a1->field_14);
                            goto LABEL_17;
                        case 0x17u:
                            v8 = sub_6226C(a1->field_10, v3);
                            goto LABEL_17;
                        case 0x18u:
                            v8 = sub_63530(a1->field_14);
    LABEL_17:
                            v6 = 0;
                            if ( v8 )
                            {
                                *a2 = 0;
                                v6 = v8;
                            }
                            return v6;
                        default:
                            LOWORD(v5) = 28032;
                            goto LABEL_5;
                    }
                }
            }
        }
        LOWORD(v5) = -27504;
    LABEL_5:
        HIWORD(v5) = 13;
        v6 = 0;
        *a2 = v5;
        return v6;
    }

The switch parameter is the structure field that was set to 3 earlier. Look at case 3: sub_6364C receives the parameters that were placed into the structure by the previous function, i.e. the key and the encrypted data. If you examine sub_6364C closely, you can recognize the RC4 algorithm in it.

We now have the algorithm and the key. Let's try to decrypt the class name. Here is what we get: com/taobao/wireless/security/adapter/JNICLibrary. Excellent! We are on the right track.
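The string decryption described above, as an added example that is not part of the original article or of the library: plain RC4 under the key "DcO/lcK+h?m3c*q@", wrapped the way sub_73E24 uses it (a zeroed buffer of `size` bytes, of which size-1 are decrypted, leaving the C terminator). That convention explains the sizes seen in the decompiled calls: 49 for the 48-character class name, and, in sub_B7F6 below, 0x10 for "doCommandNative" and 0x29 for its JNI signature. The encrypted bytes at unk_83EA6 are not reproduced on this page, so the sample ciphertext is constructed here by encrypting the known plaintext under the same key.

```python
STRING_KEY = b"DcO/lcK+h?m3c*q@"   # the key loaded into the first container in sub_73E24


def rc4(key, data):
    """Plain RC4 (KSA followed by PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string(encrypted, size):
    """Mirror sub_73E24(in, out, size): the output buffer is `size` bytes, only size-1 of
    them are decrypted and the final byte stays zero as the string terminator."""
    n = size - 1
    if len(encrypted) < n:
        raise ValueError("not enough ciphertext for the requested buffer size")
    return rc4(STRING_KEY, encrypted[:n]) + b"\x00"


def buffer_size_for(plaintext):
    """The `size` argument the library passes for a given string: strlen + terminating NUL."""
    return len(plaintext) + 1


CLASS_NAME = b"com/taobao/wireless/security/adapter/JNICLibrary"
# Constructed sample (not the real unk_83EA6 bytes): known plaintext encrypted under the same key.
SAMPLE_ENCRYPTED_CLASS_NAME = rc4(STRING_KEY, CLASS_NAME)

if __name__ == "__main__":
    print(decrypt_string(SAMPLE_ENCRYPTED_CLASS_NAME, 49).rstrip(b"\x00").decode())
```

To use this on the real library, read size-1 bytes at the address passed as the first argument of each sub_73E24 call and feed them to decrypt_string with the third argument; every string the library hides this way comes out under the same hard-coded key.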

Command tree

Now we need to find the RegisterNatives call that will point us to the doCommandNative function. Let's look at the functions called from JNI_OnLoad; we find it in sub_B7B0:

int __fastcall sub_B7F6(JNIEnv *env, jclass clazz)
{
  char signature[41]; // [sp+7h] [bp-55h]
  char name[16]; // [sp+30h] [bp-2Ch]
  JNINativeMethod method; // [sp+40h] [bp-1Ch]
  int v8; // [sp+4Ch] [bp-10h]

  v8 = *(_DWORD *)off_8AC00;
  decryptString((unsigned __int8 *)&unk_83ED9, (unsigned __int8 *)name, 0x10u);// doCommandNative
  decryptString((unsigned __int8 *)&unk_83EEA, (unsigned __int8 *)signature, 0x29u);// (I[Ljava/lang/Object;)Ljava/lang/Object;
  method.name = name;
  method.signature = signature;
  method.fnPtr = sub_B69C;
  return ((int (__fastcall *)(JNIEnv *, jclass, JNINativeMethod *, int))(*env)->RegisterNatives)(env, clazz, &method, 1) >> 31;
}

And indeed, a native method named doCommandNative is registered here. Now we know its address. Let's see what it does.

int __fastcall doCommandNative(JNIEnv *env, jobject obj, int command, jarray args)
{
  int v5; // r5
  struc_2 *a5; // r6
  int v9; // r1
  int v11; // [sp+Ch] [bp-14h]
  int v12; // [sp+10h] [bp-10h]

  v5 = 0;
  v12 = *(_DWORD *)off_8AC00;
  v11 = 0;
  a5 = (struc_2 *)malloc(0x14u);
  if ( a5 )
  {
    a5->field_0 = 0;
    a5->field_4 = 0;
    a5->field_8 = 0;
    a5->field_C = 0;
    v9 = command % 10000 / 100;
    a5->field_0 = command / 10000;
    a5->field_4 = v9;
    a5->field_8 = command % 100;
    a5->field_C = env;
    a5->field_10 = args;
    v5 = sub_9D60(command / 10000, v9, command % 100, 1, (int)a5, &v11);
  }
  free(a5);
  if ( !v5 && v11 )
    sub_7CF34(env, v11, &byte_83ED7);
  return v5;
}

From the name you can guess that this is the entry point for all the functionality the developers decided to move into the native library. We are interested in function number 10601.

You can see from the code that the command number is split into three numbers: command / 10000, command % 10000 / 100 and command % 100, i.e. in our case 1, 6 and 1. These three numbers, together with the JNIEnv pointer and the arguments passed to the function, are placed into a structure and passed on. From the three numbers obtained (let's call them N1, N2 and N3), a command tree is built.

Something like this:

[Figure: diagram of the command tree]

The tree is populated dynamically in JNI_OnLoad.
The three numbers encode a path through the tree. Each leaf of the tree holds the obfuscated address of the corresponding function. The key is stored in the parent node. Finding the place in the code where the function we need is added to the tree is not hard once you understand all the structures involved (we don't describe them, so as not to bloat an article that is already too long).

More obfuscation

We found the address of the function that should decrypt the traffic: 0x5F1AC. But it is too early to celebrate: the UC Browser developers have prepared another surprise for us.

After the parameters are extracted from the array built in the Java code, we end up in the function at address 0x4D070. And here another kind of code obfuscation awaits us.

Two indices are loaded into R7 and R4:

[Screenshot: disassembly, the two indices loaded into R7 and R4]

The first index is shifted and moved into R11:

[Screenshot: disassembly, the first index moved into R11]

The index is then used to fetch an address from a table:

[Screenshot: disassembly, the table lookup by index]

After the jump to the first address, the second index, the one in R4, is used. The table has 230 entries.

What can be done about this? You can tell IDA that this is a switch: Edit -> Other -> Specify switch idiom.

[Screenshot: IDA "Specify switch idiom" dialog]

The resulting code is frightening. But, wading through its jungle, you can spot a call to the function we already know, sub_6115C:

[Screenshot: disassembly, the call to sub_6115C inside the switch code]

Earlier there was a switch in which case 3 decrypted the code with the RC4 algorithm. This time, the structure passed to the function is filled from the parameters that were passed to doCommandNative. Recall that we had magicInt with the value 16. We look at the corresponding case, and after several jumps we find code in which the algorithm can be recognized.

[Screenshot: decompiled code with the recognizable AES algorithm]

This is AES!

We have the algorithm; what remains is to obtain its parameters: the mode, the key and, possibly, the initialization vector (whether there is one depends on the AES mode of operation). The structure holding them must be built somewhere before the call to sub_6115C, but that part of the code is particularly well obfuscated, so the idea arises to patch the code so that all the parameters of the decryption function are dumped to a file.

Patch

To avoid writing all the patch code in assembly by hand, you can open Android Studio, write a function that receives the same input parameters as our decryption function and writes them to a file, and then copy-paste the code that the compiler generates.

Our friends from the UC Browser team also made it convenient to add code. Recall that at the start of every function there is garbage code that can easily be replaced with anything else. Very convenient :) However, at the start of the target function there is not enough room for the code that saves all the parameters to a file. It had to be split into parts, using the garbage blocks of neighboring functions. There were four parts in total.

The first part:

[Screenshot: disassembly of the first part of the patch]

On the ARM architecture, the first four function parameters are passed in registers R0-R3; the rest, if any, are passed on the stack. The LR register holds the return address. All of this has to be preserved so that the function can still run after its parameters have been dumped. We also need to save every register we are going to use along the way, so we do PUSH.W {R0-R10,LR}. In R7 we obtain the address of the list of parameters passed to the function on the stack.

Using the fopen function we open the file /data/local/tmp/aes in "ab" mode, i.e. for appending. We load the address of the file name into R0 and the address of the string with the mode into R1. And here the garbage code ends, so we move on to the next function. To keep it working, we put a jump to the function's real code at its beginning, bypassing the garbage, and in place of the garbage we add the continuation of the patch.

[Screenshot: disassembly of the fopen call]

The first three parameters of the aes function are of type int. Since we saved the registers on the stack at the beginning, we can simply pass the write function their addresses on the stack.

[Screenshot: disassembly, writing the three int parameters]

Next come three structures, each holding a data size and a pointer to the data, for the key, the initialization vector and the encrypted data.

[Screenshot: disassembly, writing the three size/pointer structures]

Finally, we close the file, restore the registers and hand control over to the real aes function.
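As an added example (not the article's patch or UC Browser's code), here is in C what the four assembly parts do: append the three int parameters and then the three (length, pointer) blobs, length first, to the dump file, plus a reader for the same record so a dump can be parsed back. The blob_t layout and all names are assumptions; the real structure layout is not given in the article.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of the three (size, pointer) structures the patch reads
 * for the key, the IV and the ciphertext; field names are hypothetical. */
typedef struct {
    uint32_t len;
    const uint8_t *ptr;
} blob_t;

/* Append one record to the dump (the patch opens /data/local/tmp/aes in
 * "ab" mode): the three int parameters, then for each blob its length
 * followed by its bytes. Returns the number of bytes written, 0 on error. */
size_t dump_aes_params(FILE *out, int p0, int p1, int p2,
                       const blob_t *key, const blob_t *iv, const blob_t *data)
{
    const blob_t *blobs[3] = { key, iv, data };
    int ints[3] = { p0, p1, p2 };
    size_t written = 0;

    if (!out || fwrite(ints, sizeof ints, 1, out) != 1)
        return 0;
    written += sizeof ints;
    for (int i = 0; i < 3; i++) {
        uint32_t n = blobs[i]->len;
        if (fwrite(&n, sizeof n, 1, out) != 1)
            return 0;
        if (n && fwrite(blobs[i]->ptr, 1, n, out) != n)
            return 0;
        written += sizeof n + n;
    }
    fflush(out); /* the real function runs on after the dump; lose nothing */
    return written;
}

/* Read one record back into caller-supplied buffers of caps[i] bytes each.
 * Returns 1 on success, 0 on a short read or a blob larger than its buffer. */
int read_aes_record(FILE *in, int ints[3], uint8_t *bufs[3],
                    const uint32_t caps[3], uint32_t lens[3])
{
    if (fread(ints, sizeof(int) * 3, 1, in) != 1)
        return 0;
    for (int i = 0; i < 3; i++) {
        if (fread(&lens[i], sizeof lens[i], 1, in) != 1 || lens[i] > caps[i])
            return 0;
        if (lens[i] && fread(bufs[i], 1, lens[i], in) != lens[i])
            return 0;
    }
    return 1;
}
```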

We build the APK with the patched library, sign it, push it to the device/emulator and launch it. We see that our dump is created and a lot of data is written to it. The browser uses encryption not only for traffic, and all of it goes through the function in question. But for some reason the data we need is not there, and the request we need does not show up in the traffic. So as not to wait until UC Browser decides to make that request, let's take the encrypted server response captured earlier and patch the application again: add decryption to the onCreate of the main activity.

const/16 v1, 0x62
new-array v1, v1, [B
fill-array-data v1, :encrypted_data
const/16 v0, 0x1f
invoke-static {v0, v1}, Lcom/uc/browser/core/d/c/g;->j(I[B)[B
move-result-object v1
array-length v2, v1
invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
move-result-object v2
const-string v0, "ololo"
invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I

We build, sign, install, launch. We get a NullPointerException because the method returned null.

During further analysis of the code, a function was found that contains interesting strings: "META-INF/" and ".RSA". It looks like the application verifies its own certificate. Or even derives keys from it. I don't really want to dig into what happens with the certificate, so we'll just slip it the correct one. Let's patch the encrypted string so that instead of "META-INF/" we get "BLABLINF/", create a folder with that name in the APK and put the squirrel browser's certificate there.

We build, sign, install, launch. Bingo! We have the key!

MitM

We obtained the key and an initialization vector equal to the key. Let's try to decrypt the server response in CBC mode.

[Screenshot: the decrypted server response]

We see the archive URL, something that looks like an MD5, "extract_unzipsize" and a number. We check: the MD5 of the archive matches, the size of the unpacked library matches. We try to patch this library and feed it to the browser. To show that our patched library has been loaded, we will launch an Intent that creates an SMS with the text "PWNED!". We replace two responses from the server: puds.ucweb.com/upgrade/index.xhtml and the archive download. In the first we replace the MD5 (the size does not change after unpacking), in the second we serve the archive with the patched library.

The browser tries to download the archive several times and then reports an error. Apparently it doesn't like something. Analysis of this murky format showed that the server also transmits the archive size:

[Screenshot: the server response with the archive size field]

It is encoded in LEB128. After the patch, the size of the archive with the library changed slightly, so the browser concluded that the archive had been downloaded incorrectly and, after several attempts, reported an error.
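An added example, not the browser's or the article's code, of the LEB128 size field and the length check that tripped the first attempt: the declared size is decoded and compared with the number of bytes actually received, so an archive that grew by a few bytes is treated as a corrupt download. The function and enum names are mine.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode an unsigned LEB128 value: 7 payload bits per byte, low group first,
 * high bit set on every byte except the last. Returns the number of bytes
 * consumed, or 0 if the input ends before a terminating byte or overflows. */
size_t leb128_decode_u64(const uint8_t *buf, size_t len, uint64_t *out)
{
    uint64_t value = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < len; i++) {
        if (shift >= 64)
            return 0;
        value |= (uint64_t)(buf[i] & 0x7f) << shift;
        shift += 7;
        if (!(buf[i] & 0x80)) {
            *out = value;
            return i + 1;
        }
    }
    return 0;
}

/* Encode v as unsigned LEB128. Returns bytes written, 0 if cap is too small. */
size_t leb128_encode_u64(uint64_t v, uint8_t *buf, size_t cap)
{
    size_t n = 0;
    do {
        if (n >= cap)
            return 0;
        uint8_t b = v & 0x7f;
        v >>= 7;
        buf[n++] = v ? (b | 0x80) : b;
    } while (v);
    return n;
}

/* The length check described above: the LEB128 size from the server
 * response must equal the number of archive bytes actually received. */
enum archive_check { ARCHIVE_OK = 0, ARCHIVE_BAD_SIZE_FIELD, ARCHIVE_SIZE_MISMATCH };

enum archive_check check_archive_size(const uint8_t *size_field, size_t field_len,
                                      size_t received_len)
{
    uint64_t declared;
    if (leb128_decode_u64(size_field, field_len, &declared) == 0)
        return ARCHIVE_BAD_SIZE_FIELD;
    return declared == received_len ? ARCHIVE_OK : ARCHIVE_SIZE_MISMATCH;
}
```

Note that a size and an MD5 carried in the same response only detect transmission errors; they authenticate nothing, since whoever rewrites the response can rewrite both, which is why the check in the browser could be satisfied by re-encoding the size.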

We fix the archive size... And - victory! :) The result is on video.

https://www.youtube.com/watch?v=Nfns7uH03J8

Results and the developers' reaction

In the same way, cybercriminals could use this insecure feature of UC Browser to distribute and run malicious libraries. Such libraries would run in the browser's context and therefore get all of its system permissions. The consequences: the ability to display phishing windows to steal sensitive information, as well as access to the working files of the orange Chinese squirrel, including the logins, passwords and cookies stored in its database.

We contacted the UC Browser developers and informed them of the problem we had found, tried to point out the vulnerability and its danger, but they did not discuss anything with us. Meanwhile, the browser kept flaunting its dangerous feature in plain view. But once we had published the details of the vulnerability, it could no longer be ignored as before. On March 27 a new version of UC Browser, 12.10.9.1193, was released, which accesses the server over HTTPS: puds.ucweb.com/upgrade/index.xhtml.

Moreover, after the "fix" and up to the time of writing this article, an attempt to open a PDF in the browser produced an error message with the text "Oops, something went wrong!". No request to the server was made when trying to open the PDF, but a request was made at browser startup, which hints that the ability to download executable code in violation of the Google Play rules is still there.

Source: www.habr.com
