菱菱邦signature及sd参数分析
image-20211230140326245
headers有signature,请求参数和返回结果里有sd
apk有壳,然后脱壳的时候出了个小问题,使用blackdex脱出来只有一个dex文件,打开查看也没有看到主要代码。转而使用fdex脱壳,这次就没问题了。
脱出来有很多个dex文件,一个个查找虽然也可以,但是略显麻烦,而且有时候需要跳转代码而两个方法又不在同一个dex里的话,就很头痛。
一种方法是把dex转成java代码,放到同一个文件夹,然后用ide打开,可以使用jdax的命令
jadx -j 1 -r -d dst a.dex
另一种就是用脱壳出来的dex替换原来的dex,生成新的apk文件,然后用jadx打开,需要注意的是,这里并没有处理签名问题,在手机上安装的话应该是会出问题的,但是只是用于jdax分析的话还是没问题的。
这里选择第二种方式
import pathlib
import zipfile
def get_files(dex_dir):
fdir = pathlib.Path(dex_dir)
infos = {}
for item in fdir.glob('*.dex'):
size = item.stat().st_size
infos[size] = item
fdict = {}
for idx, key in enumerate(sorted(infos, reverse=True)):
name = 'classes{}.dex'.format(str(idx) if idx else '')
fdict[name] = infos[key]
return fdict
def pack(apk_path, dex_dir):
dst = apk_path + '.pack.apk'
with zipfile.ZipFile(apk_path) as zf, zipfile.ZipFile(dst, 'w') as zout:
for item in zf.infolist():
if item.filename.startswith('classes') and item.filename.endswith('.dex'):
print('Ignore:', item.filename)
elif item.filename.startswith('res/'):
pass
else:
buffer = zf.read(item.filename)
zout.writestr(item, buffer)
for filename, fpath in get_files(dex_dir).items():
print('Add:', fpath)
zinfo = zipfile.ZipInfo(filename)
with open(fpath, 'rb') as fin:
zout.writestr(zinfo, fin.read())
if __name__ == '__main__':
pack(r"linglingbang\linglingbang8011.apk", r"linglingbang\linglingbangfdex")
image-20211230144210341
image-20211230144304813
可以看到jdax能够正常解析。
查找"signature"
image-20211230144509760
com.cloudy.linglingbang.model.request.retrofit2.RequestUtils -> addTokenAndSignature
image-20211230144624687
可以看到有nonce,有oauthConsumerKey,应该就是这里了,hook验证一下。
请求参数和返回结果分析
搜索"sd"
image-20211230144820278
image-20211230144925133
然乎查找用例
com.cloudy.linglingbang.model.request.retrofit2.CheckCodeUtils -> decodeContent
image-20211230145016901
com.cloudy.linglingbang.model.request.retrofit2.CheckCodeUtils -> decrypt
image-20211230145110253
com.bangcle.comapiprotect.CheckCodeUtil -> decheckcode
image-20211230145205477
image-20211230145326901
checkcode和decheckcode应该就是加密和解密的地方。
image-20211230145426172
可以看到最后调用的是libencrypt.so里面的函数
unidbg实现
decheckcode部分
打开so大致看了下,直接逆向还是有点难度的,所以还是先用unidbg实现,然后unidbg结合ida来逆向,比较节省精力。
package com.linglingbang;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
public class LingLingBang extends AbstractJni {
private final AndroidEmulator emulator;
private final VM vm;
private final Module module;
public static String pkgName = "com.cloudy.linglingbang";
public static String apkPath = "unidbg-android/src/test/java/com/linglingbang/linglingbang8011.apk";
public static String soPath = "unidbg-android/src/test/java/com/linglingbang/libencrypt.so";
public LingLingBang() {
emulator = AndroidEmulatorBuilder.for32Bit().setProcessName(pkgName).build();
Memory memory = emulator.getMemory();
memory.setLibraryResolver(new AndroidResolver(23));
vm = emulator.createDalvikVM(new File(apkPath));
vm.setJni(this);
vm.setVerbose(true);
DalvikModule dm = vm.loadLibrary(new File(soPath), true);
module = dm.getModule();
}
public void call_decheckcode() {
List<Object> list = new ArrayList<>(10);
list.add(vm.getJNIEnv());
list.add(0);
list.add(vm.addLocalObject(new StringObject(vm, "MLj4JOPMKPdGeytkeBPy/TvgGCgIOWegKndYgDVbmrctTnrov1z7Uei09BKfKhlW/xnLMOg1HaIN7llJqgPFjmayzV1OI2Rqd7heXxQw1VAmVCe6yXyiiyQ5OHaZ7hhRm5BRpmlFqgY1ebjsv8WPnnw+OZXydnPcySv4Lt5bwmHrOQfygHI7KhDFN40NU8/Csuumues12zRmtaQH9ycfD8fnu27yxX0UQeZBL/VPS+UVNrAwPtjFWrahQztLD3btpjWPXVttVzQZWcLl05iS1hg==")));
Number ret = module.callFunction(emulator, 0x165e0+1, list.toArray());
System.out.println(vm.getObject(ret.intValue()).getValue());
}
public static void main(String[] args) {
LingLingBang test = new LingLingBang();
test.call_decheckcode();
}
}
之后就是循环的报错和补环境
image
@Override
public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
switch (signature) {
case "android/app/ActivityThread->currentPackageName()Ljava/lang/String;": {
return new StringObject(vm, "com.cloudy.linglingbang");
}
}
return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
}
image-20220106171834454
case "android/app/ActivityThread->currentActivityThread()Landroid/app/ActivityThread;": {
return vm.resolveClass("android/app/ActivityThread").newObject(null);
}
image-20220106172004674
@Override
public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
switch (signature) {
case "android/app/ActivityThread->getSystemContext()Landroid/app/ContextImpl;": {
return vm.resolveClass("android/app/ContextImpl").newObject(null);
}
}
return super.callObjectMethod(vm, dvmObject, signature, varArg);
}
image-20220106172051867
case "android/app/ContextImpl->getPackageManager()Landroid/content/pm/PackageManager;": {
return vm.resolveClass("android/content/pm/PackageManager").newObject(null);
}
再次运行后,发现有结果了,但是结果不太对
image-20220106172221305
这时候就需要用ida看看问题了,跳转到0x166cd。然后再往前面看看
image
看看sub_138AC
image-20220106172602610
也许是签名校验?我们尝试patch这部分代码,修改if(!v6)这个判断语句,查看对应的汇编代码
image-20220106173626117
原指令是CBNZ,我们修改为CBZ,对应的指令可以用Patcher测试
image-20220106173848010
unidbg对应代码
public void patchVerify(){
emulator.getMemory().pointer(module.base + 0x16605).setInt(0, 0x000020B1);
}
public static void main(String[] args) {
LingLingBang test = new LingLingBang();
test.patchVerify();
test.call_decheckcode();
}
重新运行
image-20220106174746995
结果出来了,H4sI是一个比较熟悉东西,它是gzip的头\x1f\x8b\x08经过base64后的结果,我们在cyberchef上验证一下
image-20220106175018133
猜测没错,所以解密的流程就是b64decode -> aes_decrypt -> b64decode -> gunzip。
checkcode部分
添加代码
public void call_checkCode() {
DvmClass clz = vm.resolveClass("com/bangcle/comapiprotect/CheckCodeUtil");
DvmObject ret = clz.callStaticJniMethodObject(emulator, "checkcode(Ljava/lang/String;ILjava/lang/String;)Ljava/lang/String;",
"hello", 2, "everhu");
System.out.println(ret.getValue());
}
同样的报错和补环境
image-20220106175741601
@Override
public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
switch (signature) {
case "android/os/Build->MODEL:Ljava/lang/String;": {
return new StringObject(vm, "Pixel");
}
}
return super.getStaticObjectField(vm, dvmClass, signature);
}
image-20220106175854011
case "android/os/Build->MANUFACTURER:Ljava/lang/String;": {
return new StringObject(vm, "Google");
}
image-20220106175948642
case "android/os/SystemProperties->get(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;": {
String key = (String) varArg.getObjectArg(0).getValue();
String val2 = (String) varArg.getObjectArg(1).getValue();
System.out.println("get:" + key + " val:" + val2);
return new StringObject(vm, "unknown");
}
image-20220106180035226
case "android/app/ContextImpl->getSystemService(Ljava/lang/String;)Ljava/lang/Object;": {
return vm.resolveClass("java/lang/Object").newObject(null);
}
image-20220106180124532
case "java/lang/Object->getConnectionInfo()Landroid/net/wifi/WifiInfo;": {
return vm.resolveClass("android/net/wifi/WifiInfo").newObject(null);
}
image-20220106180221867
case "android/net/wifi/WifiInfo->getMacAddress()Ljava/lang/String;": {
return new StringObject(vm, "02:00:00:00:00:00");
}
image-20220106180257388
case "android/os/Build$VERSION->SDK:Ljava/lang/String;": {
return new StringObject(vm, "23");
}
再次运行
image-20220106193752406
这个结果的输入到底是什么呢,我们把它作为decheckcode的输入看看
image-20220106193726821
可以看到除了checkcode之外,其他参数都比较容易构造,猜测应该是做了个MD5签名之后再做AES加密。
完整代码
package com.linglingbang;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.Module;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
public class LingLingBang extends AbstractJni {
private final AndroidEmulator emulator;
private final VM vm;
private final Module module;
public static String pkgName = "com.cloudy.linglingbang";
public static String apkPath = "unidbg-android/src/test/java/com/linglingbang/linglingbang8011.apk";
public static String soPath = "unidbg-android/src/test/java/com/linglingbang/libencrypt.so";
public LingLingBang() {
emulator = AndroidEmulatorBuilder.for32Bit().setProcessName(pkgName).build();
Memory memory = emulator.getMemory();
memory.setLibraryResolver(new AndroidResolver(23));
vm = emulator.createDalvikVM(new File(apkPath));
vm.setJni(this);
vm.setVerbose(true);
DalvikModule dm = vm.loadLibrary(new File(soPath), true);
module = dm.getModule();
}
@Override
public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
switch (signature) {
case "android/app/ActivityThread->getSystemContext()Landroid/app/ContextImpl;": {
return vm.resolveClass("android/app/ContextImpl").newObject(null);
}
case "android/app/ContextImpl->getPackageManager()Landroid/content/pm/PackageManager;": {
return vm.resolveClass("android/content/pm/PackageManager").newObject(null);
}
case "android/app/ContextImpl->getSystemService(Ljava/lang/String;)Ljava/lang/Object;": {
return vm.resolveClass("java/lang/Object").newObject(null);
}
case "java/lang/Object->getConnectionInfo()Landroid/net/wifi/WifiInfo;": {
return vm.resolveClass("android/net/wifi/WifiInfo").newObject(null);
}
case "android/net/wifi/WifiInfo->getMacAddress()Ljava/lang/String;": {
return new StringObject(vm, "02:00:00:00:00:00");
}
}
return super.callObjectMethod(vm, dvmObject, signature, varArg);
}
@Override
public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
switch (signature) {
case "android/app/ActivityThread->currentPackageName()Ljava/lang/String;": {
return new StringObject(vm, "com.cloudy.linglingbang");
}
case "android/app/ActivityThread->currentActivityThread()Landroid/app/ActivityThread;": {
return vm.resolveClass("android/app/ActivityThread").newObject(null);
}
case "android/os/SystemProperties->get(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;": {
String key = (String) varArg.getObjectArg(0).getValue();
String val2 = (String) varArg.getObjectArg(1).getValue();
System.out.println("get:" + key + " val:" + val2);
// switch (key){
// case "ro.serialno": return new StringObject(vm, "FA6AT0306923");
// }
return new StringObject(vm, "unknown");
}
}
return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
}
@Override
public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
switch (signature) {
case "android/os/Build->MODEL:Ljava/lang/String;": {
return new StringObject(vm, "Pixel");
}
case "android/os/Build->MANUFACTURER:Ljava/lang/String;": {
return new StringObject(vm, "Google");
}
case "android/os/Build$VERSION->SDK:Ljava/lang/String;": {
return new StringObject(vm, "23");
}
}
return super.getStaticObjectField(vm, dvmClass, signature);
}
public void patchVerify(){
emulator.getMemory().pointer(module.base + 0x16605).setInt(0, 0x000020B1);
//emulator.getMemory().pointer(module.base + 0x13fc6).setInt(0, 0x00000128);
}
public void call_checkCode() {
DvmClass clz = vm.resolveClass("com/bangcle/comapiprotect/CheckCodeUtil");
DvmObject ret = clz.callStaticJniMethodObject(emulator, "checkcode(Ljava/lang/String;ILjava/lang/String;)Ljava/lang/String;",
"hello", 2, "everhu");
System.out.println(ret.getValue());
}
public void call_decheckcode() {
List<Object> list = new ArrayList<>(10);
list.add(vm.getJNIEnv());
list.add(0);
// list.add(vm.addLocalObject(new StringObject(vm, "MLj4JOPMKPdGeytkeBPy/TvgGCgIOWegKndYgDVbmrctTnrov1z7Uei09BKfKhlW/xnLMOg1HaIN7llJqgPFjmayzV1OI2Rqd7heXxQw1VAmVCe6yXyiiyQ5OHaZ7hhRm5BRpmlFqgY1ebjsv8WPnnw+OZXydnPcySv4Lt5bwmHrOQfygHI7KhDFN40NU8/Csuumues12zRmtaQH9ycfD8fnu27yxX0UQeZBL/VPS+UVNrAwPtjFWrahQztLD3btpjWPXVttVzQZWcLl05iS1hg==")));
list.add(vm.addLocalObject(new StringObject(vm, "MwUaGPev8Eg0vAo+U6kQ5Rttn7JWhJrZ85kPHQbs7GNNYdHWOMLSUvdCTzcAFoO1302KS4qdH/j1e8A8ghHpjD7NWW3gOeoj4nQDXWAqHmx+vyiMG9yxL2PRdIOpFnT5AH62scsuuSYlj3KYmn7ZX9x78pINtVXJFkUcM8ITyW0xFhXadqqY2djgjTjflJU6A")));
Number ret = module.callFunction(emulator, 0x165e0+1, list.toArray());
System.out.println(vm.getObject(ret.intValue()).getValue());
}
public static void main(String[] args) {
LingLingBang test = new LingLingBang();
test.patchVerify();
// test.call_checkCode();
test.call_decheckcode();
}
}
