fulao2定位加解密---违法应用分析

胡凯莉 · 发表于 2023-3-8 07:57

fulao2定位加解密反调试

这块暂时不太熟悉，用大佬的脚本过了
- 据说检测点是 maps、status
- 通过hook libc.so的open函数将参数进行替换
- 替换后检测内存中的maps和status变成检测sdcard中的maps和status
- 把正常的maps和正常的status重定向到sdcard中
  - 打开app
  - 查看包名
    - adb shell dumpsys window |grep mCurrentFocus
  - 进入adb shell 查看进程
    - ps -e |grep com.X2uXsmr2f.k1MULKVZd
  - 看这个下面的守护进程4746
- 将这个maps、status重定向到sd卡中并给运行权限
  - bullhead:/ # cat /proc/4746/maps > /sdcard/maps
    bullhead:/ # cat /proc/4746/status  > /sdcard/status
    bullhead:/ # chmod 777 /sdcard/maps
    bullhead:/ # chmod 777 /sdcard/status
- 再次运行
  - 正常运行这样就过掉了检测

Objection与frIDA同时注入

这里要注意因为frida已经注入了一个进程在同时开启objection的时候要直接用 -g指定应用的pid

objection -g 6452 explore

Objection 定位加解密代码

加解密的代码定位思路：
- 1、先在内存中搜索安卓开发中加解密常用的类
- 2、hook所有疑似加密的类
- 3、手机触发加解密函数查看调用频率确定疑似的类
- 4、将疑似的类的方法进行hook 打调用栈
- 5、脱壳静态分析算法还原
具体如下：

1 先在内存中搜索安卓开发中加解密常用的类

cipher是安卓开发加解密常用的
android hooking search classes cipher

2 、hook这些疑似的类

保存到cipher.txt--->加上android hooking watch class
- nano cipher.txt
- sed -i -e 's/^/android hooking watch class /' cipher.txt
- 注意class后面的一个空格
启动objection 若是崩了先把这个类单独拿出来最后测试
- objection -g 6452 explore -c cipher.txt

3、触发加解密查看疑似的类

点我的即可触发
可以发现以这个类为主的加解密javax.crypto.Cipher

4、将疑似的类的方法进行hook 打调用栈

随便找个方法进行hookjavax.crypto.Cipher.createCipher
- objection -g 6452 explore
- `android hooking watch class_method javax.crypto.Cipher.createCipher --dump-args --dump-backtrace --dump-return
再次点击触发
javax.crypto.Cipher.createCipher(Native Method)roid Commands specific to Android
      javax.crypto.Cipher.getInstance(Cipher.java:414)    Change the current working directory
      com.ilulutv.fulao2.other.k.b.j(EncodeUtility.kt:3)
      com.ilulutv.fulao2.other.k.b.o(EncodeUtility.kt:6)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.i(Unknown Source:15)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.u(Unknown Source:15)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.s2(ContractManagementActivity.kt:14)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.u2(ContractManagementActivity.kt:2)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.onCreate(Unknown Source:18)
      android.app.Activity.performCreate(Activity.java:6999)
      android.app.Activity.performCreate(Activity.java:6990)
      android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1214)
      android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2731)
      android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2856)
      android.app.ActivityThread.-wrap11(Unknown Source:0)
      android.app.ActivityThread$H.handleMessage(ActivityThread.java:1589)
      android.os.Handler.dispatchMessage(Handler.java:106)
      android.os.Looper.loop(Looper.java:164)
      android.app.ActivityThread.main(ActivityThread.java:6494)
      java.lang.reflect.Method.invoke(Native Method)
      com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
      com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)

(agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
(agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@d41049c
(agent) [bu0icef4v4g] Called javax.crypto.Cipher.createCipher(java.lang.String, java.security.Provider)
(agent) [bu0icef4v4g] Backtrace:
      javax.crypto.Cipher.createCipher(Native Method)
      javax.crypto.Cipher.getInstance(Cipher.java:414)
      com.ilulutv.fulao2.other.k.b.g(EncodeUtility.kt:1)
      com.ilulutv.fulao2.other.k.b.f(EncodeUtility.kt:2)
      com.AppGuard.andjni.JniLib.cL(Native Method)
      com.ilulutv.fulao2.other.h.b.a.a(Unknown Source:18)
      h.g0.g.g.j(RealInterceptorChain.java:9)
      h.g0.g.g.d(RealInterceptorChain.java:1)
      h.z.f(RealCall.java:13)
      h.z.c(RealCall.java:9)
      l.l.c(OkHttpCall.java:18)
      l.x.a.c.C(CallExecuteObservable.java:5)
      f.a.m.e(Observable.java:4)
      f.a.a0.e.d.o$b.run(ObservableSubscribeOn.java:1)
      f.a.q$a.run(Scheduler.java:2)
      f.a.a0.g.l.run(ScheduledRunnable.java:2)
      f.a.a0.g.l.call(ScheduledRunnable.java:1)
      java.util.concurrent.FutureTask.run(FutureTask.java:266)
      java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
      java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
      java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
      java.lang.Thread.run(Thread.java:764)

(agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
(agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@39c6bfb
(agent) [bu0icef4v4g] Called javax.crypto.Cipher.createCipher(java.lang.String, java.security.Provider)
(agent) [bu0icef4v4g] Backtrace:
      javax.crypto.Cipher.createCipher(Native Method)
      javax.crypto.Cipher.getInstance(Cipher.java:414)
      com.ilulutv.fulao2.other.k.b.j(EncodeUtility.kt:3)
      com.ilulutv.fulao2.other.k.b.o(EncodeUtility.kt:6)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.i(Unknown Source:15)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.u(Unknown Source:15)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.q2(ContractManagementActivity.kt:13)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.t2(ContractManagementActivity.kt:4)
      com.ilulutv.fulao2.membership.contract.ContractManagementActivity.o2(Unknown Source:0)
      com.ilulutv.fulao2.membership.contract.d.a(Unknown Source:2)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h$d$a.b(Unknown Source:18)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.c.a(Unknown Source:31)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.c.b(Unknown Source:21)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.h(Unknown Source:18)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h.n(Unknown Source:35)
      com.ilulutv.fulao2.other.h.b.h.c(RetrofitConnectionHelper.kt:1)
      com.AppGuard.andjni.JniLib.cV(Native Method)
      com.ilulutv.fulao2.other.h.b.h$a.e(Unknown Source:18)
      com.ilulutv.fulao2.other.h.b.h$a.d(RetrofitConnectionHelper.kt:1)
      f.a.a0.e.d.j$a.h(ObservableObserveOn.java:8)
      f.a.a0.e.d.j$a.run(ObservableObserveOn.java:3)
      f.a.w.b.b$b.run(HandlerScheduler.java:1)
      android.os.Handler.handleCallback(Handler.java:790)
      android.os.Handler.dispatchMessage(Handler.java:99)
      android.os.Looper.loop(Looper.java:164)
      android.app.ActivityThread.main(ActivityThread.java:6494)
      java.lang.reflect.Method.invoke(Native Method)
      com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:438)
      com.android.internal.os.ZygoteInit.main(ZygoteInit.java:807)

(agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
(agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@aaa70ad
(agent) [bu0icef4v4g] Called javax.crypto.Cipher.createCipher(java.lang.String, java.security.Provider)
(agent) [bu0icef4v4g] Backtrace:
      javax.crypto.Cipher.createCipher(Native Method)
      javax.crypto.Cipher.getInstance(Cipher.java:414)
      com.ilulutv.fulao2.other.k.b.g(EncodeUtility.kt:1)
      com.ilulutv.fulao2.other.k.b.f(EncodeUtility.kt:2)
      com.AppGuard.andjni.JniLib.cL(Native Method)
      com.ilulutv.fulao2.other.h.b.a.a(Unknown Source:18)
      h.g0.g.g.j(RealInterceptorChain.java:9)
      h.g0.g.g.d(RealInterceptorChain.java:1)
      h.z.f(RealCall.java:13)
      h.z.c(RealCall.java:9)
      l.l.c(OkHttpCall.java:18)
      l.x.a.c.C(CallExecuteObservable.java:5)
      f.a.m.e(Observable.java:4)
      f.a.a0.e.d.o$b.run(ObservableSubscribeOn.java:1)
      f.a.q$a.run(Scheduler.java:2)
      f.a.a0.g.l.run(ScheduledRunnable.java:2)
      f.a.a0.g.l.call(ScheduledRunnable.java:1)
      java.util.concurrent.FutureTask.run(FutureTask.java:266)
      java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
      java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
      java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
      java.lang.Thread.run(Thread.java:764)

(agent) [bu0icef4v4g] Arguments javax.crypto.Cipher.createCipher(AES/CBC/PKCS5Padding, (none))
(agent) [bu0icef4v4g] Return Value: javax.crypto.Cipher@515c49f
直接定位到这个类com.ilulutv.fulao2.other.k.b.j

5、脱壳静态分析算法还原

直接用大佬的frida-dexdump
注意：上面已经开了frida了直接用attach模式
基础中的基础，frida有两种模式：
attach模式，直接附加到已知已存在的进程：
- frida -U com.example.android
spawn模式，找到指定包名的app并在启动前注入脚本进去，加“--no-pause”表示直接启动，不暂停在app启动时：
- frida -U -f com.example.android --no-pause -l _agent.js
frida-dexdump -UF -d -F 直接attach前台进程 -d深度搜索
- 过程有点久
查看MainActivity在哪个dex中
- adb shell dumpsys window |grep mCurrentFocus
- grep -ril "com.ilulutv.fulao2.main.MainActivity"
- 用jadx打开测试是在02这个dex文件中
- jadx-gui classes02.dex
新版的jadx可能打不开百度搜checksum jadx
定位到刚刚的类com.ilulutv.fulao2.other.k.b.j
- 大概就在这
算法还原直接问chatgpt !!!
自己改改补补差不多就ok了

感受老司机的爱 · 发表于 2023-3-8 14:26

成功了嘛？成功了的话，发给我帮你测试一下，我最近想学习软件测试。

我为52pojie狂 · 发表于 2023-3-8 11:21

这是取精软件，营养不够的尽量少看。一旦开车，刹车就会失灵。

laustar · 发表于 2023-3-8 11:27

谢谢@Thanks！

sdieedu · 发表于 2023-3-8 12:23

干啥呢？不知道啥APP？虽然很牛

deffedyy · 发表于 2023-3-8 14:14

注意节制！！！

adjclubyb · 发表于 2023-3-8 15:49

fulao2。。。我还以为是什么新的逆向工具，原来是扶弟弟，笑死

tiantangyiyun · 发表于 2023-3-8 18:40

大佬里面的视频如何把它取出来啊

xixicoco · 发表于 2023-3-8 20:13

不错，很好的分析文章的

salut小路 · 发表于 2023-3-8 22:55

虽然没看懂，先点赞再说。。。。。

帐号		自动登录	找回密码
密码			注册[Register]

[Android 原创] fulao2定位加解密---违法应用分析

免费评分

个人中心