某软件反虚拟机、反调试、反hook、反root分析

[TOC]

要分析这个dex难度无异于跟一个成熟的商业公司的开发团队做对抗, 而且还是专门做返逆向分析的团队. 不仅对类, 文本字符串, 方法名做了混淆, 还混淆了算术逻辑运算和控制流. 对敏感的API还添加了反射调用.

0x01 key

初始化了一个byte数组(猜测是混淆字符串的key):

private static void c() {
    EmulatorDetector.j = new byte[]{15, 80, -22, 125, 6, 2, 2, 2, -1, 1, 6, 2, 5, -4, 6, 2, 2, 2, -1, 1, 6, 2, 5, -6, 55, 3, 19, -69, 68, -10, 10, 10, -20, 19, -5, 9, -9, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, -10, 15, 9, -13, -3, 4, 19, 3, -1, -11, 15, 6, 2, 2, 2, -1, 1, 6, 2, 5, -2, -1, -63, 60, -5, 19, -12, 21, -20, 19, -11, 75, 7, -76, 72, 5, 5, -5, -41, -24, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 53, 1, 20, -12, -1, 1, 15, -8, -3, 10, 0, 11, 13, -19, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, -5, 70, -13, 9, -10, 27, -62, 0, -5, 58, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, 70, 8, -4, 3, -13, 10, -60, 63, -1, -5, -49, 63, -1, -5, 3, -2, 16, -10, 13, 2, 5, -10, -2, 7, 3, -1, 21, -12, -6, 20, -10, 10, 10, -69, 71, -2, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -69, 59, 7, -5, 16, 73, 36, -1, 3, -9, 15, 4, 7, -87, 17, -10, -54, -10, 10, 10, -69, 71, -11, -54, 58, -3, 12, -4, -4, 6, 0, 14, -6, 15, -15, 0, 1, 4, 6, -4, 2, 2, 2, 2, 2, 2, 2, 2, 2, 42, -1, -6, 4, 5, 12, -9, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 58, 0, 11, 13, -19, 17, -7, 2, -11, 27, -62, 0, -1, -63, 54, 15, 2, 7, -6, 5, -12, 5, 3, 15, 0, 11, -7, 15, -7, -4, -50, 73, -18, 15, 11, -62, 0, 60, -63, 73, -18, 15, 11, -62, 0, 60, -1, -63, 54, 21, -10, 5, -6, -52, 56, 7, 12, -1, -2, -9, 26, -73, 61, -3, 6, 2, 2, 2, -1, 1, 6, 2, 2, 1, 49, 2, -78, 52, 37, -5, 8, -9, 6, -6, -67, 72, 11, 5, -80, 37, 39, 12, -1, 0, -6, -18, 15, 11, -62, 0, 70, 8, -4, -66, 68, -10, 10, 10, -20, 23, 0, -15, 4, 4, 63, 43, 8, -5, -8, -66, 79, -10, 21, -15, 7, 3, 7, -5, -69, 70, -1, 21, -17, -36, -25, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, -1, -63, 54, 21, -10, 5, -6, -52, 68, 4, -1, -9, 19, -16, 19, 70, 8, -4, -66, 55, 3, 19, -11, -4, 4, 16, -66, 73, -11, 11, 4, 3, -18, 13, -59, 64, -2, 12, -14, -50, 52, 15, -8, 16, -1, -4, -3, -3, 4, 5, 0, 47, -8, 16, -1, -4, -3, -1, -63, 63, -4, 15, -2, -7, 9, -60, 53, 15, -8, 16, -1, -4, -3, -52, 69, -10, 10, 10, -15, 10, 10, -7, -9, 21, -3, 5, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 68, -10, 10, 10, -15, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -6, 9, 1, -7, 6, 2, 2, 2, -1, 1, 6, 2, 2, 5, 3, 3, 3, 3, 3, 3, 3, 3, 3, -6, 3, 3, 3, 3, 85, -9, 9, 8, -7, -6, -66, 74, -5, 23, -15, -67, 68, 5, 2, 11, -76, 71, 10, 5, 6, 7, -73, 6, 2, 2, 2, -1, 1, 6, 2, 2, 3, -13, 9, 0, 17, -36, 25, 17, 5, -6, 5, -5, -32, 39, 8, -13, 15, -10, -3, 4, 4, 16, -1, -63, 71, -12, 0, 20, -1, -11, 0, 11, -7, 15, -7, -4, -50, 58, 10, 2, -6, 7, -5, -4, 22, -13, 9, -58, 58, 0, 11, -7, 15, -7, -4, 15, -8, 16, -1, -4, -3, -52, 55, 14, 1, 8, -13, 11, 8, -68, 23, 46, 1, 8, -13, 21, -2, 6, 2, 2, 2, -1, 1, 6, 2, 3, -4, 0, 17, -31, 40, -4, 3, -13, 10, -24, 20, 15, 6, -11, -4, 4, 67, 4, -1, -10, -50, 54, 15, 7, -10, 7, -6, 11, -25, 6, 2, 2, 2, -1, 1, 6, 2, 3, 0, 6, 2, 2, 2, -1, 1, 6, 2, 3, -2, -13, 16, 3, -69, 7, -3, 13, -68, 71, 5, -17, -51, 69, -10, 10, 10, -70, 69, 4, -1, 3, 5, 70, 8, -4, 3, -13, 10, -60, 53, 9, 7, -61, 68, -10, 10, 10, -70, 69, 4, -1, 3, 5, 0, 17, -38, 31, 7, -7, -50, 31, 41, -6, -9, 5, 15, -5, -1, 5, 3, 10, -7, -18, 15, 11, -62, 0, 60, 10, -1, -6, 4, 5, 12, -9, 0, 17, -49, 49, 2, -2, -1, -4, 0, 21, -9, 8, 1, -41, 46, 1, 8, -13, 21, -2, 63, 43, 8, -5, -8, -66, 86, -3, -2, -4, 11, -50, -24, 60, 7, -3, 13, -68, 59, 10, -1, -6, 4, 5, 12, -9, -56, 70, -13, 13, -15, 13, 2, 5, -10, -51, 59, 10, -1, -6, 4, 5, 12, -9, -56, 71, -2, 0, 17, -36, 25, 17, 5, -6, 5, -5, -26, 35, -9, 15, -15, 21, -3, 5, -34, 21, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 54, 18, -15, 15, -8, 6, 2, 2, 2, -1, 1, 6, 2, 3, 4, 67, 4, -1, -10, -50, 60, 8, 3, 1, 5, 4, 1, 67, 4, -1, -10, -50, 70, -12, 9, -4, -53, 64, -10, 17, 5, 6, 2, 2, 2, -1, 1, 6, 2, 3, 2, 56, 2, -68, 28, 6, 2, 2, 2, -1, 1, 6, 2, 4, -3, 7, 12, -1, 0, -2, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, 4, -9, 3, 9, 6, 2, 2, 2, -1, 1, 6, 2, 4, -5, 0, 17, -31, 24, 6, -24, 20, 15, -7, -6,[...], 9, 1, -7, 28, -10, 3, -17, 21, -13, 3, -7, 3, 5, -1, 1, 5, 1, 1, 2, 2, 2, 9, -1, -2, 1, 9, -3, 0};
    EmulatorDetector.h = 128;
}

0x02 Decode函数

然后再用e方法解析, 需要传入三个参:

private static String e(short arg7, short arg8, byte arg9) {
    int v9 = 118 - arg9;
    byte[] v0 = EmulatorDetector.j;
    int v7 = arg7 + 1;
    byte[] v1 = new byte[v7];
    EmulatorDetector.g = (EmulatorDetector.i + 119) % 128;
    int v3 = 1251 - arg8;
    int v8;
    for(v8 = 0; true; v8 = v4) {
        int v4 = v8 + 1;
        v1[v8] = ((byte)v9);
        if(v4 == v7) {
            break;
        }

        ++v3;
        v8 = v0[v3];
        int v5 = EmulatorDetector.g + 25;
        EmulatorDetector.i = v5 % 128;
        int v6 = 57;
        v5 = v5 % 2 == 0 ? 57 : 64;
        v9 = v5 != v6 ? v9 >> v8 << 101 : v9 + v8 - 2;
    }

    return new String(v1, 0).intern();
}

但是调了很久都没有调出来正常运行,EmulatorDetector.i这个全局变量的初始化去找了一下,发现在isRunningInEmulater那里没有初始化它就直接调用了,然而在static{}那里也没有初始化它就直接调用e函数,这就很奇怪了,没有初始化就赋值肯定会出问题。

0x03 decode字符串

这肯定就是初始化字符串的静态方法:

static {
    EmulatorDetector.c();
    String[] v1 = new String[9];
    v1[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 298)), ((byte)EmulatorDetector.j[177]));
    v1[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 1100 | EmulatorDetector.h ^ 1100)), ((byte)EmulatorDetector.j[177]));
    v1[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[589]), ((short)(EmulatorDetector.h & 1036 | EmulatorDetector.h ^ 1036)), ((byte)EmulatorDetector.j[177]));
    v1[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 876)), ((byte)EmulatorDetector.j[177]));
    byte v2 = ((byte)EmulatorDetector.j[159]);
    v1[4] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 742 | v2 & 742)), ((byte)EmulatorDetector.j[177]));
    v1[5] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h | 1100)), ((byte)EmulatorDetector.j[177]));
    v1[6] = EmulatorDetector.e(((byte)EmulatorDetector.j[223]), 893, ((byte)EmulatorDetector.j[177]));
    v1[7] = EmulatorDetector.e(((byte)EmulatorDetector.j[75]), ((short)(EmulatorDetector.h << 2)), ((byte)EmulatorDetector.j[177]));
    v1[8] = EmulatorDetector.e(((byte)EmulatorDetector.j[198]), 1109, ((byte)EmulatorDetector.j[177]));
    EmulatorDetector.a = v1;
    v1 = new String[2];
    v2 = ((byte)EmulatorDetector.j[870]);
    v1[0] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 212 | v2 & 212)), ((byte)EmulatorDetector.j[177]));
    v2 = ((byte)EmulatorDetector.j[198]);
    v1[1] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 793 | v2 & 793)), ((byte)EmulatorDetector.j[177]));
    EmulatorDetector.d = v1;
    g[] v1_1 = new g[17];
    byte v11 = ((byte)EmulatorDetector.j[627]);
    String v11_1 = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 1193 | v11 & 1193)), ((byte)EmulatorDetector.j[40]));
    String[] v12 = new String[3];
    v12[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[35]), ((short)(-EmulatorDetector.j[729])), ((byte)EmulatorDetector.j[459]));
    byte v5 = ((byte)EmulatorDetector.j[4]);
    v12[1] = EmulatorDetector.e(((short)v5), ((short)(v5 ^ 472 | v5 & 472)), ((byte)EmulatorDetector.j[9]));
    v12[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[80]), 296, ((byte)EmulatorDetector.j[26]));
    v1_1[0] = new g(v11_1, v12);
    v1_1[1] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h + 2)), ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[4]), ((short)(EmulatorDetector.h & 344 | EmulatorDetector.h ^ 344)), ((byte)EmulatorDetector.j[109])), EmulatorDetector.e(((byte)EmulatorDetector.j[4]), 114, ((byte)EmulatorDetector.j[0]))});
    String v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[0]), 289, ((byte)EmulatorDetector.j[40]));
    String[] v11_2 = new String[3];
    v11_2[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[5]), ((short)(EmulatorDetector.h | 540)), ((byte)EmulatorDetector.j[25]));
    v11_2[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[80]), ((short)(EmulatorDetector.h & 637 | EmulatorDetector.h ^ 637)), ((byte)EmulatorDetector.j[97]));
    byte v12_1 = ((byte)EmulatorDetector.j[75]);
    v11_2[2] = EmulatorDetector.e(((short)v12_1), ((short)(v12_1 ^ 898 | v12_1 & 898)), ((byte)EmulatorDetector.j[99]));
    v1_1[2] = new g(v5_1, v11_2);
    v5 = ((byte)EmulatorDetector.j[30]);
    v1_1[3] = new g(EmulatorDetector.e(((short)v5), ((short)(v5 | 1173)), ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[80]), ((short)(EmulatorDetector.h | 338)), ((byte)EmulatorDetector.j[0])), EmulatorDetector.e(((byte)EmulatorDetector.j[12]), ((short)(EmulatorDetector.h ^ 770 | EmulatorDetector.h & 770)), ((byte)EmulatorDetector.j[109]))});
    v1_1[4] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[0]), 371, ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[4]), 114, ((byte)EmulatorDetector.j[0])), EmulatorDetector.e(((byte)EmulatorDetector.j[80]), 296, ((byte)EmulatorDetector.j[26]))});
    v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 614 | EmulatorDetector.h ^ 614)), ((byte)EmulatorDetector.j[40]));
    String[] v10 = new String[1];
    v11 = ((byte)EmulatorDetector.j[109]);
    v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 758 | v11 & 758)), ((byte)EmulatorDetector.j[188]));
    v1_1[5] = new g(v5_1, v10);
    v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[144]), ((short)(EmulatorDetector.h & 519 | EmulatorDetector.h ^ 519)), ((byte)EmulatorDetector.j[40]));
    v10 = new String[1];
    v11 = ((byte)EmulatorDetector.j[109]);
    v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 | 787)), ((byte)EmulatorDetector.j[92]));
    v1_1[6] = new g(v5_1, v10);
    v1_1[7] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[0]), 844, ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[5]), ((short)(EmulatorDetector.h & 540 | EmulatorDetector.h ^ 540)), ((byte)EmulatorDetector.j[25])), EmulatorDetector.e(((byte)EmulatorDetector.j[4]), ((short)(EmulatorDetector.h & 344 | EmulatorDetector.h ^ 344)), ((byte)EmulatorDetector.j[109])), EmulatorDetector.e(((byte)EmulatorDetector.j[80]), ((short)(EmulatorDetector.h | 860)), ((byte)EmulatorDetector.j[159]))});
    v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[26]), 98, ((byte)EmulatorDetector.j[40]));
    v10 = new String[4];
    v10[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[892]), ((short)EmulatorDetector.j[379]), ((byte)EmulatorDetector.j[0]));
    v10[1] = EmulatorDetector.e(((byte)(EmulatorDetector.j[764] - 1)), 1139, ((byte)EmulatorDetector.j[0]));
    v11 = ((byte)EmulatorDetector.j[589]);
    v10[2] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 614 | v11 & 614)), ((byte)EmulatorDetector.j[0]));
    v10[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[627]), ((short)(EmulatorDetector.h & 841 | EmulatorDetector.h ^ 841)), ((byte)EmulatorDetector.j[0]));
    v1_1[8] = new g(v5_1, v10);
    v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[218]), ((short)(EmulatorDetector.h & 853 | EmulatorDetector.h ^ 853)), ((byte)EmulatorDetector.j[40]));
    v10 = new String[1];
    v11 = ((byte)EmulatorDetector.j[4]);
    v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 472 | v11 & 472)), ((byte)EmulatorDetector.j[9]));
    v1_1[9] = new g(v5_1, v10);
    v5 = ((byte)EmulatorDetector.j[892]);
    v5_1 = EmulatorDetector.e(((short)v5), ((short)(v5 ^ 929 | v5 & 929)), ((byte)EmulatorDetector.j[40]));
    v10 = new String[1];
    v11 = ((byte)EmulatorDetector.j[40]);
    v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 530 | v11 & 530)), ((byte)EmulatorDetector.j[5]));
    v1_1[10] = new g(v5_1, v10);
    v5 = ((byte)EmulatorDetector.j[892]);
    v1_1[11] = new g(EmulatorDetector.e(((short)v5), ((short)(v5 | 512)), ((byte)EmulatorDetector.j[111])), new String[0]);
    v1_1[12] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[0]), ((short)(EmulatorDetector.h | 17)), ((byte)EmulatorDetector.j[12])), new String[0]);
    v5 = ((byte)EmulatorDetector.j[892]);
    v1_1[13] = new g(EmulatorDetector.e(((short)v5), ((short)(v5 ^ 1025 | v5 & 1025)), ((byte)EmulatorDetector.j[12])), new String[0]);
    v1_1[14] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[892]), ((short)(EmulatorDetector.h & 35 | EmulatorDetector.h ^ 35)), ((byte)EmulatorDetector.j[12])), new String[0]);
    v1_1[15] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[627]), 787, ((byte)EmulatorDetector.j[40])), new String[0]);
    v1_1[16] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[892]), 1073, ((byte)EmulatorDetector.j[40])), new String[0]);
    EmulatorDetector.c = v1_1;
    v1_1 = new g[5];
    v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 363 | EmulatorDetector.h ^ 363)), ((byte)EmulatorDetector.j[0]));
    v10 = new String[16];
    v10[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 801 | EmulatorDetector.h ^ 801)), ((byte)EmulatorDetector.j[188]));
    v10[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 550 | EmulatorDetector.h ^ 550)), ((byte)EmulatorDetector.j[188]));
    v10[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 597 | EmulatorDetector.h ^ 597)), ((byte)EmulatorDetector.j[188]));
    v10[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 592, ((byte)EmulatorDetector.j[188]));
    v10[4] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 544, ((byte)EmulatorDetector.j[188]));
    v11 = ((byte)EmulatorDetector.j[30]);
    v10[5] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 544 | v11 & 544)), ((byte)EmulatorDetector.j[188]));
    v10[6] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 320, ((byte)EmulatorDetector.j[188]));
    v10[7] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 356, ((byte)EmulatorDetector.j[188]));
    v10[8] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 274, ((byte)EmulatorDetector.j[188]));
    v10[9] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 306, ((byte)EmulatorDetector.j[188]));
    v10[10] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 60 | EmulatorDetector.h ^ 60)), ((byte)EmulatorDetector.j[188]));
    v10[11] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 84 | EmulatorDetector.h ^ 84)), ((byte)EmulatorDetector.j[188]));
    v10[12] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)EmulatorDetector.j[321]), ((byte)EmulatorDetector.j[188]));
    v10[13] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 1110 | EmulatorDetector.h ^ 1110)), ((byte)EmulatorDetector.j[188]));
    v10[14] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 1120 | EmulatorDetector.h ^ 1120)), ((byte)EmulatorDetector.j[188]));
    v10[15] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 1065 | EmulatorDetector.h ^ 1065)), ((byte)EmulatorDetector.j[188]));
    v1_1[0] = new g(v5_1, v10);
    v1_1[1] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[75]), ((short)(EmulatorDetector.h & 264 | EmulatorDetector.h ^ 264)), ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[4]), 793, ((byte)EmulatorDetector.j[99]))});
    v1_1[2] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[97]), 264, ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[26]), ((short)EmulatorDetector.j[109]), ((byte)(-EmulatorDetector.j[121])))});
    v1_1[3] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[223]), ((short)(EmulatorDetector.h & 74 | EmulatorDetector.h ^ 74)), ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[223]), 1025, ((byte)EmulatorDetector.j[685]))});
    v1_1[4] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 108, ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[223]), 858, ((byte)EmulatorDetector.j[92])), EmulatorDetector.e(((byte)EmulatorDetector.j[0]), ((short)(EmulatorDetector.h & 50 | EmulatorDetector.h ^ 50)), ((byte)EmulatorDetector.j[97])), EmulatorDetector.e(((byte)EmulatorDetector.j[223]), ((short)(EmulatorDetector.h | 587)), ((byte)EmulatorDetector.j[92]))});
    EmulatorDetector.e = v1_1;
    g[] v0 = new g[2];
    String v2_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[218]), 346, ((byte)EmulatorDetector.j[177]));
    String[] v5_2 = new String[1];
    byte v7 = ((byte)EmulatorDetector.j[40]);
    v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 ^ 306 | v7 & 306)), ((byte)EmulatorDetector.j[92]));
    v0[0] = new g(v2_1, v5_2);
    v2 = ((byte)EmulatorDetector.j[223]);
    v2_1 = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 320 | v2 & 320)), ((byte)EmulatorDetector.j[177]));
    v5_2 = new String[1];
    v7 = ((byte)EmulatorDetector.j[892]);
    v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 | 392)), ((byte)EmulatorDetector.j[0]));
    v0[1] = new g(v2_1, v5_2);
    EmulatorDetector.b = v0;
    EmulatorDetector.f = new AntiHooking$HookInfo();
    EmulatorDetector.g = (EmulatorDetector.i + 53) % 128;
}

0x04 外部调用

外部主要是调用isRunningInEmulator方法:

public static int isRunningInEmulator(android.content.Context context,
                                      int ok,
                                      int flags)
  • This method will use a series of techniques in order to determine if the application is running in an emulator or on a real device.
  • Parameters:
    • context - Application context.
    • ok - Return code indicating no emulator was found.
      flags - Flags enabling some configuration of the employed checks.
  • Returns:
    Returns 'ok' if not on an emulator, a variation of 'ok' containing an error code when an emulator was detected.

isRunningInEmulator同时利用了重载,下面我们主要分析一下这个方法做了什么:

package anti_emulator;

import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.HashMap;

public class EmulatorDetector {
    public static void main(String args[]) {
        
    }
    
  public static final int FAIL_ON_MITIGATED_TAMPER_ATTEMPT = 2;
  public static final int IGNORE_TAMPER_ATTEMPTS = 4;
  private static final String[] a = null;
//  private static final g[] b = null;
//  private static final g[] c = null;
  private static final String[] d = null;
//  private static final g[] e = null;
//  private static AntiHooking$HookInfo f = null;
  private static int g = 1;
  private static int h;
  private static int i = 0;
  private static byte[] j;
  
  static {
    EmulatorDetector.c();
    String[] v1 = new String[9];
    v1[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 298)), ((byte)EmulatorDetector.j[177]));
    v1[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 1100 | EmulatorDetector.h ^ 1100)), ((byte)EmulatorDetector.j[177]));
    v1[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[589]), ((short)(EmulatorDetector.h & 1036 | EmulatorDetector.h ^ 1036)), ((byte)EmulatorDetector.j[177]));
    v1[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 876)), ((byte)EmulatorDetector.j[177]));
    byte v2 = ((byte)EmulatorDetector.j[159]);
    v1[4] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 742 | v2 & 742)), ((byte)EmulatorDetector.j[177]));
    v1[5] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h | 1100)), ((byte)EmulatorDetector.j[177]));
    v1[6] = EmulatorDetector.e(((byte)EmulatorDetector.j[223]), (short) 893, ((byte)EmulatorDetector.j[177]));
    v1[7] = EmulatorDetector.e(((byte)EmulatorDetector.j[75]), ((short)(EmulatorDetector.h << 2)), ((byte)EmulatorDetector.j[177]));
    v1[8] = EmulatorDetector.e(((byte)EmulatorDetector.j[198]), (short) 1109, ((byte)EmulatorDetector.j[177]));
    String[] v1 = new String[2];
    byte v2 = ((byte)EmulatorDetector.j[870]);
    v1[0] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 212 | v2 & 212)), ((byte)EmulatorDetector.j[177]));
    v2 = ((byte)EmulatorDetector.j[198]);
    v1[1] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 793 | v2 & 793)), ((byte)EmulatorDetector.j[177]));
    
    for(int i = 0; i <= 8; i++) {
      System.out.println(v1[i]);
    }
  }
  
  private static String e(short arg7, short arg8, byte arg9) {
    int v9 = 118 - arg9;
    byte[] v0 = EmulatorDetector.j;
    int v7 = arg7 + 1;
    byte[] v1 = new byte[v7];
    EmulatorDetector.g = (EmulatorDetector.i + 119) % 128;
    int v3 = 1251 - arg8;
    int v8;
    for(int ii = 0; true; ii++) {
        int v4 = ii + 1;
        v1[ii] = ((byte)v9);
        if(v4 == v7) {
            break;
        }

        ++v3;
        v8 = v0[v3];
        int v5 = EmulatorDetector.g + 25;
        EmulatorDetector.i = v5 % 128;
        int v6 = 57;
        v5 = v5 % 2 == 0 ? 57 : 64;
        v9 = v5 != v6 ? v9 >> v8 << 101 : v9 + v8 - 2;
    }

    return new String(v1, 0).intern();
  }
  
  private static void c() {
    j = new byte[] { 15, 80, -22, 125, 6, 2, 2, 2, -1, 1, 6, 2, 5, -4, 6, 2, 2, 2, -1, 1, 6, 2, 5, -6, 55, 3, 19, -69, 68, -10, 10, 10, -20, 19, -5, 9, -9, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, -10, 15, 9, -13, -3, 4, 19, 3, -1, -11, 15, 6, 2, 2, 2, -1, 1, 6, 2, 5, -2, -1, -63, 60, -5, 19, -12, 21, -20, 19, -11, 75, 7, -76, 72, 5, 5, -5, -41, -24, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 53, 1, 20, -12, -1, 1, 15, -8, -3, 10, 0, 11, 13, -19, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, -5, 70, -13, 9, -10, 27, -62, 0, -5, 58, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, 70, 8, -4, 3, -13, 10, -60, 63, -1, -5, -49, 63, -1, -5, 3, -2, 16, -10, 13, 2, 5, -10, -2, 7, 3, -1, 21, -12, -6, 20, -10, 10, 10, -69, 71, -2, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -69, 59, 7, -5, 16, 73, 36, -1, 3, -9, 15, 4, 7, -87, 17, -10, -54, -10, 10, 10, -69, 71, -11, -54, 58, -3, 12, -4, -4, 6, 0, 14, -6, 15, -15, 0, 1, 4, 6, -4, 2, 2, 2, 2, 2, 2, 2, 2, 2, 42, -1, -6, 4, 5, 12, -9, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 58, 0, 11, 13, -19, 17, -7, 2, -11, 27, -62, 0, -1, -63, 54, 15, 2, 7, -6, 5, -12, 5, 3, 15, 0, 11, -7, 15, -7, -4, -50, 73, -18, 15, 11, -62, 0, 60, -63, 73, -18, 15, 11, -62, 0, 60, -1, -63, 54, 21, -10, 5, -6, -52, 56, 7, 12, -1, -2, -9, 26, -73, 61, -3, 6, 2, 2, 2, -1, 1, 6, 2, 2, 1, 49, 2, -78, 52, 37, -5, 8, -9, 6, -6, -67, 72, 11, 5, -80, 37, 39, 12, -1, 0, -6, -18, 15, 11, -62, 0, 70, 8, -4, -66, 68, -10, 10, 10, -20, 23, 0, -15, 4, 4, 63, 43, 8, -5, -8, -66, 79, -10, 21, -15, 7, 3, 7, -5, -69, 70, -1, 21, -17, -36, -25, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, -1, -63, 54, 21, -10, 5, -6, -52, 68, 4, -1, -9, 19, -16, 19, 70, 8, -4, -66, 55, 3, 19, -11, -4, 4, 16, -66, 73, -11, 11, 4, 3, -18, 13, -59, 64, -2, 12, -14, -50, 52, 15, -8, 16, -1, -4, -3, -3, 4, 5, 0, 47, -8, 16, -1, -4, -3, -1, -63, 63, -4, 15, -2, -7, 9, -60, 53, 15, -8, 16, -1, -4, -3, -52, 69, -10, 10, 10, -15, 10, 10, -7, -9, 21, -3, 5, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 68, -10, 10, 10, -15, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -6, 9, 1, -7, 6, 2, 2, 2, -1, 1, 6, 2, 2, 5, 3, 3, 3, 3, 3, 3, 3, 3, 3, -6, 3, 3, 3, 3, 85, -9, 9, 8, -7, -6, -66, 74, -5, 23, -15, -67, 68, 5, 2, 11, -76, 71, 10, 5, 6, 7, -73, 6, 2, 2, 2, -1, 1, 6, 2, 2, 3, -13, 9, 0, 17, -36, 25, 17, 5, -6, 5, -5, -32, 39, 8, -13, 15, -10, -3, 4, 4, 16, -1, -63, 71, -12, 0, 20, -1, -11, 0, 11, -7, 15, -7, -4, -50, 58, 10, 2, -6, 7, -5, -4, 22, -13, 9, -58, 58, 0, 11, -7, 15, -7, -4, 15, -8, 16, -1, -4, -3, -52, 55, 14, 1, 8, -13, 11, 8, -68, 23, 46, 1, 8, -13, 21, -2, 6, 2, 2, 2, -1, 1, 6, 2, 3, -4, 0, 17, -31, 40, -4, 3, -13, 10, -24, 20, 15, 6, -11, -4, 4, 67, 4, -1, -10, -50, 54, 15, 7, -10, 7, -6, 11, -25, 6, 2, 2, 2, -1, 1, 6, 2, 3, 0, 6, 2, 2, 2, -1, 1, 6, 2, 3, -2, -13, 16, 3, -69, 7, -3, 13, -68, 71, 5, -17, -51, 69, -10, 10, 10, -70, 69, 4, -1, 3, 5, 70, 8, -4, 3, -13, 10, -60, 53, 9, 7, -61, 68, -10, 10, 10, -70, 69, 4, -1, 3, 5, 0, 17, -38, 31, 7, -7, -50, 31, 41, -6, -9, 5, 15, -5, -1, 5, 3, 10, -7, -18, 15, 11, -62, 0, 60, 10, -1, -6, 4, 5, 12, -9, 0, 17, -49, 49, 2, -2, -1, -4, 0, 21, -9, 8, 1, -41, 46, 1, 8, -13, 21, -2, 63, 43, 8, -5, -8, -66, 86, -3, -2, -4, 11, -50, -24, 60, 7, -3, 13, -68, 59, 10, -1, -6, 4, 5, 12, -9, -56, 70, -13, 13, -15, 13, 2, 5, -10, -51, 59, 10, -1, -6, 4, 5, 12, -9, -56, 71, -2, 0, 17, -36, 25, 17, 5, -6, 5, -5, -26, 35, -9, 15, -15, 21, -3, 5, -34, 21, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 54, 18, -15, 15, -8, 6, 2, 2, 2, -1, 1, 6, 2, 3, 4, 67, 4, -1, -10, -50, 60, 8, 3, 1, 5, 4, 1, 67, 4, -1, -10, -50, 70, -12, 9, -4, -53, 64, -10, 17, 5, 6, 2, 2, 2, -1, 1, 6, 2, 3, 2, 56, 2, -68, 28, 6, 2, 2, 2, -1, 1, 6, 2, 4, -3, 7, 12, -1, 0, -2, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, 4, -9, 3, 9, 6, 2, 2, 2, -1, 1, 6, 2, 4, -5, 0, 17, -31, 24, 6, -24, 20, 15, -7, -6, 13, -28, 41, -6, -9, 5, 15, 70, 8, -4, -66, 55, 3, 19, -11, -4, 4, 16, -66, 70, 8, -4, 3, -13, 10, -60, 54, 15, 7, -68, 54, 15, 7, -67, 1, 54, 15, 7, -13, 14, -11, 14, 6, 2, 2, 2, -1, 1, 6, 2, 4, 1, 0, 17, -31, 36, -17, 19, -14, 17, -7, -5, 5, 15, -39, 29, 6, 2, 2, 2, -1, 1, 6, 2, 4, -1, -49, 1, 9, -3, 2, 1, 3, 4, 47, -42, 49, 2, 3, -51, 1, -10, 10, 10, -69, 71, -11, -54, 64, -7, 3, -3, 7, 3, 11, 7, -8, 13, 7, -10, 10, 10, -69, 60, 17, -71, 65, -10, 10, 7, -1, -4, 22, -4, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 56, 3, 19, -11, -4, 4, 0, 11, -7, 15, -7, -4, 0, 17, -46, 35, 19, -11, -4, 4, -26, 29, -1, -63, 54, 21, -10, 5, -6, -52, 58, 5, 7, -5, 0, 15, 0, 4, -7, 7, 8, 0, 11, -7, 15, -7, -4, -50, 70, -13, 9, -58, 58, 0, 11, -7, 15, -7, -4, 6, 2, 2, 2, -1, 1, 6, 2, 4, 3, 32, 11, 13, -10, 4, 7, -9, 8, 1, 72, 8, -9, 8, 2, 0, 1, -52, 15, -8, 16, -1, -4, -3, -52, 68, -9, 15, -3, -2, 12, 2, -8, 8, 1, -62, 38, -11, -2, 5, 29, -13, -6, 9, 1, -7, 28, -10, 3, -17, 21, -13, 3, -7, 3, 5, -1, 1, 5, 1, 1, 2, 2, 2, 9, -1, -2, 1, 9, -3, 0 };
    EmulatorDetector.h = 128;
  }
}
  • EmulatorDetector中的a字符串数组内容如下:
    虚拟机特征目录

可知这些都是模拟器的特征目录和文件, 应该是要查找是否有这些特征目录的.

我们选择这个深入分析一下:

isRunningInEmulator方法里调用了这个字符串数组:

v2_1 = AntiHooking.e(EmulatorDetector.a, EmulatorDetector.f);
v3 = v2_1 < 0 ? 1 : 0;
// EmulatorDetector.f是AntiHooking$HookInfo的实例化.

而v2_1是isRunningInEmulator方法的返回值, 即如果返回值大于0则表示是虚拟机.

跟进AntiHookinge方法:

public static int e(String[] arg5, AntiHooking$HookInfo arg6) {
    AntiHooking.m = (AntiHooking.l + 85) % 128;
    AntiHooking.l = ((AntiHooking.m & 37) + (AntiHooking.m | 37)) % 128;
    int v1;
    for(v1 = 0; true; v1 = ((v2 | 96) << 1) - (v2 ^ 96)) {
        int v2 = v1 >= arg5.length ? 0 : 1;
        if(v2 != 1) {
            AntiHooking.m = (((AntiHooking.l | 89) << 1) - (AntiHooking.l ^ 89)) % 128;
            return -1;
        }

        AntiHooking.l = ((AntiHooking.m & 39) + (AntiHooking.m | 39)) % 128;
        if(AntiHooking.c(AntiHooking.a(arg5[v1], arg6), arg6)) {
            byte v0 = ((byte)AntiHooking.i[206]);
            byte v2_1 = ((byte)AntiHooking.i[36]);
            new StringBuilder(AntiHooking.a(v0, ((short)v2_1), ((short)(v2_1 ^ 172 | v2_1 & 172)))).append(arg5[v1]);
            AntiHooking.m = ((AntiHooking.l & 3) + (AntiHooking.l | 3)) % 128;
            return v1;
        }

        v2 = ((v1 | -95) << 1) - (v1 ^ -95);
    }
}

我们能看到有一个重要的判断:

if(AntiHooking.c(AntiHooking.a(arg5[v1], arg6), arg6))

所以我们先分析a方法:

public static File a(String arg5, AntiHooking$HookInfo arg6) {
    int v5;
    Object v6;
    AntiHooking.l = (((AntiHooking.m | 123) << 1) - (AntiHooking.m ^ 123)) % 128;
    try {
        v6 = AntiHooking.c(File.class.getConstructor(String.class), File.class, new Object[]{arg5}, arg6);
        v5 = AntiHooking.l;
    }
    catch(Exception ) {
        return new File(((String)v5));
    }

    AntiHooking.m = ((v5 & 59) + (v5 | 59)) % 128;
    return ((File)v6);
}

最终我们能跟到c方法中的invoke方法, 也就是我们熟知的反射了:

return v9_1.invoke(v4_1, v0_2);
  • d字符串数组如下:

    /sys/devices/system/cpu/cpu0/cpufreq
    /sys/devices/virtual/misc/android_adb
    

    能看出是要查看CPU信息以及设备版本信息.

  • c字符串数组如下:

    g[] v1_1 = new g[17];
    byte v11 = ((byte)j[627]);
    String v11_1 = e(((short)v11), ((short)(v11 ^ 1193 | v11 & 1193)), ((byte)j[40]));
    //    System.out.println(v11_1);
    String[] v12 = new String[3];
    v12[0] = e(((byte)j[35]), ((short)(-j[729])), ((byte)j[459]));
    byte v5 = ((byte)j[4]);
    v12[1] = e(((short)v5), ((short)(v5 ^ 472 | v5 & 472)), ((byte)j[9]));
    v12[2] = e(((byte)j[80]), (short) 296, ((byte)j[26]));
    v1_1[0] = new g(v11_1, v12);
    v1_1[1] = new g(e(((byte)j[159]), ((short)(h + 2)), ((byte)j[40])), new String[]{e(((byte)j[4]), ((short)(h & 344 | h ^ 344)), ((byte)j[109])), e(((byte)j[4]), (short) 114, ((byte)j[0]))});
    String v5_1 = e(((byte)j[0]), (short) 289, ((byte)j[40]));
    String[] v11_2 = new String[3];
    v11_2[0] = e(((byte)j[5]), ((short)(h | 540)), ((byte)j[25]));
    v11_2[1] = e(((byte)j[80]), ((short)(h & 637 | h ^ 637)), ((byte)j[97]));
    byte v12_1 = ((byte)j[75]);
    v11_2[2] = e(((short)v12_1), ((short)(v12_1 ^ 898 | v12_1 & 898)), ((byte)j[99]));
    v1_1[2] = new g(v5_1, v11_2);
    v5 = ((byte)j[30]);
    v1_1[3] = new g(e(((short)v5), ((short)(v5 | 1173)), ((byte)j[40])), new String[]{e(((byte)j[80]), ((short)(h | 338)), ((byte)j[0])), e(((byte)j[12]), ((short)(h ^ 770 | h & 770)), ((byte)j[109]))});
    v1_1[4] = new g(e(((byte)j[0]), (short) 371, ((byte)j[40])), new String[]{e(((byte)j[4]), (short) 114, ((byte)j[0])), e(((byte)j[80]), (short) 296, ((byte)j[26]))});
    v5_1 = e(((byte)j[111]), ((short)(h & 614 | h ^ 614)), ((byte)j[40]));
    String[] v10 = new String[1];
    v11 = ((byte)j[109]);
    v10[0] = e(((short)v11), ((short)(v11 ^ 758 | v11 & 758)), ((byte)j[188]));
    v1_1[5] = new g(v5_1, v10);
    v5_1 = e(((byte)j[144]), ((short)(h & 519 | h ^ 519)), ((byte)j[40]));
    v10 = new String[1];
    v11 = ((byte)j[109]);
    v10[0] = e(((short)v11), ((short)(v11 | 787)), ((byte)j[92]));
    v1_1[6] = new g(v5_1, v10);
    v1_1[7] = new g(e(((byte)j[0]), (short) 844, ((byte)j[40])), new String[]{e(((byte)j[5]), ((short)(h & 540 | h ^ 540)), ((byte)j[25])), e(((byte)j[4]), ((short)(h & 344 | h ^ 344)), ((byte)j[109])), e(((byte)j[80]), ((short)(h | 860)), ((byte)j[159]))});
    v5_1 = e(((byte)j[26]), (short) 98, ((byte)j[40]));
    v10 = new String[4];
    v10[0] = e(((byte)j[892]), ((short)j[379]), ((byte)j[0]));
    v10[1] = e(((byte)(j[764] - 1)), (short) 1139, ((byte)j[0]));
    v11 = ((byte)j[589]);
    v10[2] = e(((short)v11), ((short)(v11 ^ 614 | v11 & 614)), ((byte)j[0]));
    v10[3] = e(((byte)j[627]), ((short)(h & 841 | h ^ 841)), ((byte)j[0]));
    v1_1[8] = new g(v5_1, v10);
    v5_1 = e(((byte)j[218]), ((short)(h & 853 | h ^ 853)), ((byte)j[40]));
    v10 = new String[1];
    v11 = ((byte)j[4]);
    v10[0] = e(((short)v11), ((short)(v11 ^ 472 | v11 & 472)), ((byte)j[9]));
    v1_1[9] = new g(v5_1, v10);
    v5 = ((byte)j[892]);
    v5_1 = e(((short)v5), ((short)(v5 ^ 929 | v5 & 929)), ((byte)j[40]));
    v10 = new String[1];
    v11 = ((byte)j[40]);
    v10[0] = e(((short)v11), ((short)(v11 ^ 530 | v11 & 530)), ((byte)j[5]));
    v1_1[10] = new g(v5_1, v10);
    v5 = ((byte)j[892]);
    v1_1[11] = new g(e(((short)v5), ((short)(v5 | 512)), ((byte)j[111])), new String[0]);
    v1_1[12] = new g(e(((byte)j[0]), ((short)(h | 17)), ((byte)j[12])), new String[0]);
    v5 = ((byte)j[892]);
    v1_1[13] = new g(e(((short)v5), ((short)(v5 ^ 1025 | v5 & 1025)), ((byte)j[12])), new String[0]);
    v1_1[14] = new g(e(((byte)j[892]), ((short)(h & 35 | h ^ 35)), ((byte)j[12])), new String[0]);
    v1_1[15] = new g(e(((byte)j[627]), (short) 787, ((byte)j[40])), new String[0]);
    v1_1[16] = new g(e(((byte)j[892]), (short) 1073, ((byte)j[40])), new String[0]);
    for(int i = 0; i <= 16; i++) {
        System.out.println(Arrays.toString(v1_1[i].a));
        System.out.println(v1_1[i].b);
    }
    

    输出如下:

    [Genymotion, unknown, chromium]
    ro.product.manufacturer
    [vbox86p, generic]
    ro.product.device
    [sdk, emulator, App Runtime for Chrome]
    ro.product.model
    [goldfish, vbox86]
    ro.hardware
    [generic, chromium]
    ro.product.brand
    [1]
    ro.kernel.qemu
    [0]
    ro.secure
    [sdk, vbox86p, full_x86]
    ro.build.product
    [generic/sdk/generic, generic_x86/sdk_x86/generic_x86, generic/google_sdk/generic, generic/vbox86p/vbox86p]
    ro.build.fingerprint
    [unknown]
    ro.bootloader
    [test-]
    ro.build.display.id
    []
    init.svc.qemu-props
    []
    qemu.hw.mainkeys
    []
    qemu.sf.fake_camera
    []
    qemu.sf.lcd_density
    []
    ro.kernel.android.qemud
    []
    ro.kernel.qemu.gles
    

    可以看到上面是一些关于模拟器相关的包、目录、文件、标志位等。

  • e字符串数组如下:

    g[] v1_1 = new g[5];
    String v5_1 = e(((byte)j[111]), ((short)(h & 363 | h ^ 363)), ((byte)j[0]));
    String[] v10 = new String[16];
    v10[0] = e(((byte)j[30]), ((short)(h & 801 | h ^ 801)), ((byte)j[188]));
    v10[1] = e(((byte)j[30]), ((short)(h & 550 | h ^ 550)), ((byte)j[188]));
    v10[2] = e(((byte)j[30]), ((short)(h & 597 | h ^ 597)), ((byte)j[188]));
    v10[3] = e(((byte)j[30]), (short) 592, ((byte)j[188]));
    v10[4] = e(((byte)j[30]), (short) 544, ((byte)j[188]));
    byte v11 = ((byte)j[30]);
    v10[5] = e(((short)v11), ((short)(v11 ^ 544 | v11 & 544)), ((byte)j[188]));
    v10[6] = e(((byte)j[30]), (short) 320, ((byte)j[188]));
    v10[7] = e(((byte)j[30]), (short) 356, ((byte)j[188]));
    v10[8] = e(((byte)j[30]), (short) 274, ((byte)j[188]));
    v10[9] = e(((byte)j[30]), (short) 306, ((byte)j[188]));
    v10[10] = e(((byte)j[30]), ((short)(h & 60 | h ^ 60)), ((byte)j[188]));
    v10[11] = e(((byte)j[30]), ((short)(h & 84 | h ^ 84)), ((byte)j[188]));
    v10[12] = e(((byte)j[30]), ((short)j[321]), ((byte)j[188]));
    v10[13] = e(((byte)j[30]), ((short)(h & 1110 | h ^ 1110)), ((byte)j[188]));
    v10[14] = e(((byte)j[30]), ((short)(h & 1120 | h ^ 1120)), ((byte)j[188]));
    v10[15] = e(((byte)j[30]), ((short)(h & 1065 | h ^ 1065)), ((byte)j[188]));
    v1_1[0] = new g(v5_1, v10);
    v1_1[1] = new g(e(((byte)j[75]), ((short)(h & 264 | h ^ 264)), ((byte)j[0])), new String[]{e(((byte)j[4]), (short) 793, ((byte)j[99]))});
    v1_1[2] = new g(e(((byte)j[97]), (short) 264, ((byte)j[0])), new String[]{e(((byte)j[26]), ((short)j[109]), ((byte)(-j[121])))});
    v1_1[3] = new g(e(((byte)j[223]), ((short)(h & 74 | h ^ 74)), ((byte)j[0])), new String[]{e(((byte)j[223]), (short) 1025, ((byte)j[685]))});
    v1_1[4] = new g(e(((byte)j[30]), (short) 108, ((byte)j[0])), new String[]{e(((byte)j[223]), (short) 858, ((byte)j[92])), e(((byte)j[0]), ((short)(h & 50 | h ^ 50)), ((byte)j[97])), e(((byte)j[223]), ((short)(h | 587)), ((byte)j[92]))});
    //    e = v1_1;
    for(int i = 0; i <= 4; i++) {
        System.out.println(Arrays.toString(v1_1[i].a));
        System.out.println(v1_1[i].b);
    }
    

    字符串如下:

    [15555215554, 15555215556, 15555215558, 15555215560, 15555215562, 15555215564, 15555215566, 15555215568, 15555215570, 15555215572, 15555215574, 15555215576, 15555215578, 15555215580, 15555215582, 15555215584]
    getLine1Number
    [Android]
    getNetworkOperatorName
    [89014103211118510720]
    getSimSerialNumber
    [310260000000000]
    getSubscriberId
    [000000000000000, e21833235b6eef10, 012345678912345]
    getDeviceId
    

    可以看到, 是一些设备信息.

  • 字符串数组b:

    g[] v0 = new g[2];
    String v2_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[218]), (short) 346, ((byte)EmulatorDetector.j[177]));
    String[] v5_2 = new String[1];
    byte v7 = ((byte)EmulatorDetector.j[40]);
    v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 ^ 306 | v7 & 306)), ((byte)EmulatorDetector.j[92]));
    v0[0] = new g(v2_1, v5_2);
    byte v2 = ((byte)EmulatorDetector.j[223]);
    v2_1 = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 320 | v2 & 320)), ((byte)EmulatorDetector.j[177]));
    v5_2 = new String[1];
    v7 = ((byte)EmulatorDetector.j[892]);
    v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 | 392)), ((byte)EmulatorDetector.j[0]));
    v0[1] = new g(v2_1, v5_2);
    
    for(int i = 0; i <= 1; i++) {
        System.out.println(Arrays.toString(v0[i].a));
        System.out.println(v0[i].b);
    }
    

    字符串解析出来如下:

    [0ff :]
    /proc/ioports
    [gralloc.goldfish.so]
    /proc/self/maps
    

0x05 RootDector

检查方法就是通过检查root工具的包名实现的:

public static final int IGNORE_BINARY_EXISTENCE = 64;
  public static final int NO_CIRCUMSTANTIAL = 8;
  public static final int NO_FAIL_ON_HOOKING = 32;
  public static final int NO_TRICK_APPS = 4;
  public static final int SILENT = 1;
//  private static final String[] a;
//  private static final String[] b;
//  private static final String[] c;
//  private static final String[] d;
//  private static final String[] e;
//  private static j f;
//  private static AntiHooking.HookInfo g;
//  private static j h;
//  private static j i;
  private static String[] j;
  private static int k = 0;
  private static int l = 0;
  private static int m = 1;
  private static byte[] n;
  
  static {
    b();
    String[] v1 = new String[8];
    int v5 = 0;
    v1[0] = d((short) 618, 90, ((byte)n[47]));
    System.out.println(v1[0]);
    v1[1] = d((short) 280, 90, ((byte)n[7]));
    v1[2] = d((short) 198, ((byte)((n[228] & -1) + (n[228] | -1))), ((byte)n[28]));
    v1[3] = d((short) 786, 90, ((byte)n[21]));
    v1[4] = d(((short)(-n[517])), 90, ((byte)n[0]));
    v1[5] = d((short) 260, 90, ((byte)n[34]));
    short v2 = ((short)(((n[228] | -1) << 1) - (n[228] ^ -1)));
    v1[6] = d(v2, ((byte)(v2 - 1 - 1)), ((byte)n[121]));
    v1[7] = d(((short)((n[146] & -1) + (n[146] | -1))), 90, ((byte)n[7]));
//    d = v1;
    for(int i=0;i<=7;i++) {
      System.out.println(v1[i]);
    }
  }
  
  private static String d(short arg5, int arg6, byte arg7) {
    byte[] v1_1;
    int v7;
    byte[] v0_1;
    int v5;
    int v0 = m + 43;
    l = v0 % 128;
    int v1 = 65;
    v0 = v0 % 2 == 0 ? 65 : 71;
    int v2 = -1;
    if(v0 != v1) {
        arg6 += 20;
        v5 = arg5 + 125;
        v0_1 = n;
        v7 = arg7 | 117;
        v1_1 = new byte[v7];
        v7 += 101;
    }
    else {
        arg6 += 9;
        v5 = arg5 + 4;
        v0_1 = n;
        v7 = 32 - arg7;
        v1_1 = new byte[v7];
        v7 += v2;
    }

    m = (l + 49) % 128;
    while(true) {
        ++v2;
        v1_1[v2] = ((byte)arg6);
        ++v5;
        if(v2 == v7) {
            break;
        }

        arg6 = arg6 - v0_1[v5] + 9;
    }

    return new String(v1_1, 0).intern();
  }
  
  private static void b()
  {
    n = new byte[] { 15, 80, -22, 125, -59, 3, 15, 8, 24, 1, 71, -64, 31, 2, 4, 72, 4, 14, -2, 79, -60, 6, 28, 62, -60, 7, 31, 4, 12, 5, 1, 7, 10, -3, 11, 72, -59, 26, -3, 18, -5, 12, 15, 14, 63, -42, -6, 9, 8, 5, 29, -8, 26, -4, 3, 20, 4, 18, -3, 11, 72, -52, 11, 4, 16, 1, 3, 11, 23, -4, 77, -44, -3, 11, -3, 11, 72, -48, 11, 0, -2, 21, 7, 4, 20, 3, 10, 73, -60, 7, 14, 20, -4, 6, 11, 23, -4, -3, 11, 72, -66, 29, 2, 9, 6, 1, 27, -5, 78, -60, 7, -45, -6, 26, -7, 80, -44, 4, 16, 1, 4, 17, 6, 0, 22, 64, -54, 7, 22, 2, 6, 16, -1, 20, 4, 4, -44, 12, -10, 28, 59, -52, 6, 21, 11, -2, 70, -42, 2, 4, 72, 8, -8, 23, 0, 3, -59, 26, 2, 4, 72, -59, 3, 15, 8, 24, 1, 71, -64, 31, 2, 4, 8, 64, -59, 12, 22, -11, 81, -42, -4, 19, -5, 12, 15, 14, 63, -65, 17, 10, 5, 23, 10, 63, -50, 4, 4, 8, 28, -2, 9, 16, -4, -7, 80, -44, 4, 16, 1, 4, 17, 6, 0, 22, 64, -60, 7, 14, 20, -4, 8, 7, 12, 86, -67, 12, -1, 8, 93, -71, 24, 7, 1, 19, 3, 11, -5, 20, -4, 8, 19, -1, 8, 79, -60, 3, 15, 78, -59, 12, 9, 4, 30, 7, 7, 9, 7, -5, 9, -61, 0, 3, 16, 19, 63, -3, 11, 72, -52, 11, 4, 16, -2, 12, 9, 4, 79, -52, 11, 4, 16, -5, 11, 23, -4, -3, 11, 72, -61, 21, 8, 0, 23, -3, 24, -8, 7, 4, 84, -60, 7, 14, 20, -4, 6, 11, 23, -4, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 72, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 7, 3, 16, 3, -59, 26, 2, 4, 11, -6, 52, -28, 3, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 72, -46, 14, 1, 6, 2, 27, 4, 10, 63, -3, 11, 72, -45, 8, -8, 30, 6, -9, 30, -4, 20, 7, 64, -59, 12, 9, 4, 26, 0, 6, 23, -1, -59, 3, 15, 8, 24, 1, 71, -59, 24, 62, -64, 31, 2, 4, 72, -3, 11, 72, -67, 34, 7, 4, -2, 12, 10, 10, 16, 66, -61, 24, 1, 6, 7, 12, 9, 4, 11, 22, 1, 7, 2, 26, 4, 17, 7, 94, -4, -45, 76, -64, 14, -94, 7, 12, 21, 7, -5, 9, 14, 22, -3, 17, 78, -58, -3, 10, 3, 28, 1, 4, 18, 10, 51, 35, -3, 11, 72, -47, 0, 6, 14, -3, 26, 4, 72, -49, 8, 14, 8, -4, 12, 9, 4, 6, 16, 9, 14, 4, 16, -3, 11, 72, -60, 27, -11, 12, 18, 7, 70, -60, 7, 28, -8, 8, 11, 26, -10, 24, -3, 11, 72, -45, 4, 5, 7, 10, 1, 22, 14, 8, -1, 74, -53, 0, 27, 1, -5, 18, 24, -10, 26, 4, 12, -4, 12, 9, 4, 11, -6, -29, 0, 3, 16, 19, -3, 11, 72, -42, -3, 6, 17, 2, 6, 26, -9, 78, -49, 8, 14, 8, 1, -3, 16, 12, 9, 4, 12, 5, 1, 7, 10, 4, 7, -62, 26, 0, 19, -2, 6, 76, -42, 2, 4, 7, -73, 4, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 72, 10, -46, -10, 13, 78, -3, 11, 72, -52, 5, 3, 11, 20, 8, 7, 16, -8, 10, 9, 28, 60, -59, 12, 11, 9, 21, -4, 22, 3, 11, -4, -3, 11, 72, -55, 8, 5, 20, -4, 24, 0, 3, 80, -42, -4, 19, -5, 12, 15, 14, 63, -60, 7, -44, 12, -10, 28, 59, -52, 6, 21, 11, -2, 70, -44, 12, -10, 28, 59, -52, 6, 21, 11, -2, 70, -64, 31, 2, 4, 72, 24, 7, 1, 19, 3, 11, 52, -32, -3, 11, 72, -42, -4, 19, -5, 12, 15, 14, 63, -4, 19, -5, 12, 15, 14, 63, -56, 5, 78, -28, -29, 15, 8, 24, 1, 38, -25, 12, 8, 20, -4, 7, 20, 13, -5, 24, 7, 1, 19, 3, 11, 52, -32, -3, 11, 72, -48, 1, 9, 17, 4, 16, 64, -3, 11, 72, -44, 4, 12, 2, 5, 4, 11, 78, -53, 20, 7, 1, -5, 18, 24, -10, 26, 4, -59, 3, 15, 8, 24, 1, 71, -61, 11, 10, 76, -63, 27, 65, -56, 18, 9, 10, 64, -60, 12, 9, 4, 78, -59, 3, 15, 8, 24, 1, 71, -59, 26, 2, 4, -3, 11, 72, -52, 5, 3, 11, 20, 8, 7, 16, -8, 10, 9, 28, 60, -60, 7, 14, 20, -4, 6, 11, 23, -4, -59, 3, 15, 8, 24, 1 };
    k = 173;
  }

解析出来之后:

root工具的包名

很明显上面这些包名就是特征的root工具的包名

0x06 AntiHooking

private static Class a = null;
private static ArrayList b = null;
private static Class c = null;
//  private static b d = null;
private static Class e = null;
private static Method f = null;
private static HashMap g = null;
private static Field h = null;
private static byte[] i = null;
private static int j = 0;
private static int l = 1;
private static int m;

static {
d();
System.out.println(a(((byte)i[193]), (short)97, (short)378));
System.out.println(a(((byte)(-i[136])), (short) 106, ((short)(212 & j | j ^ 18))));
System.out.println(a(((byte)i[212]), ((byte)(-i[446])), ((short)(j + 3 - 1))));
System.out.println(a((byte)i[31], ((byte)(((i[225] | 1) << 1) - (i[225] ^ 1))), ((short)(j & 334 | j ^ 334))));
byte v1_2 = ((byte)(-i[8]));
System.out.println(a(v1_2, ((byte)(v1_2 ^ 106 | v1_2 & 106)), ((short)(j | 13))));
System.out.println(a(((byte)(-i[32])), ((byte)(-i[446])), ((short)(-i[68]))));
System.out.println(a(((byte)i[212]), (short) 108, ((short)(-i[136]))));
System.out.println(a(((byte)(-i[33])), ((byte)(-i[312])), (short) 275));
byte v5 = ((byte)i[208]);
byte v6 = ((byte)(-i[312]));
System.out.println(a(v5, ((short)v6), ((short)(v6 ^ 167 | v6 & 167))));
System.out.println(a(((byte)i[88]), ((byte)i[0]), (short) 344));


byte v61 = ((byte)i[36]);
byte v8 = ((byte)(-i[24]));
System.out.println(a(v61, ((short)v8), ((short)(v8 ^ 160 | v8 & 160))));

byte v11_1 = ((byte)i[48]);
byte v51 = ((byte)i[0]);
System.out.println(a(v11_1, ((short)v51), ((short)((v51 ^ 3) + ((v51 & 3) << 1)))));

System.out.println(a(((byte)i[69]), ((byte)i[0]), ((short)i[151])));

System.out.println(a(((byte)i[34]), ((byte)(-i[387])), ((short)(j | 57))));
}

private static String a(byte arg8, short arg9, short arg10) {
int v10 = arg10 + 4;
byte[] v0 = i;
int v9 = arg9 + 9;
int v8 = arg8 + 1;
byte[] v2 = new byte[v8];
int v3 = -1;
v8 += v3;
l = (m + 37) % 128;
while(true) {
++v3;
++v10;
v2[v3] = ((byte)v9);
int v4 = 0;
if(v3 == v8) {
break;
}

int v5 = v0[v10];
int v6 = l + 77;
m = v6 % 128;
if(v6 % 2 == 0) {
v4 = 1;
}

if(v4 != 0) {
v9 = v9 - v5 - 11;
continue;
}

v9 = v9 % v5 >>> 94;
}

return new String(v2, 0).intern();
}

private static void d() {
i = new byte[]{94, 22, 100, -15, -24, -1, -25, -8, -5, -6, 43, -64, -23, -10, -17, 4, -20, -17, 59, -32, -55, -10, -17, 4, -30, -7, -4, -5, -18, -11, -7, 19, -35, -26, 1, -18, 0, -9, -26, -7, -13, -8, -12, 69, -12, 44, -79, -8, 2, -31, 61, -62, -24, -1, -25, -8, -5, -6, 43, -85, -3, -10, -15, 3, -10, 43, -53, 10, -39, 7, -35, -26, 1, -18, 0, 17, -50, -11, -7, -5, -17, -5, -14, -13, -11, -13, -25, -11, 34, -49, 0, -17, -23, -28, -13, 28, -35, -26, 1, -18, 0, 0, -9, -26, -2, -32, 10, 40, -73, 0, -24, -4, 46, -79, 2, -12, -17, -4, -9, -28, 59, -30, -44, -28, -12, -9, 6, -13, -28, 28, -35, -26, 1, -18, 0, -16, -21, 7, -12, -21, -4, 18, -50, -11, -7, -19, -3, -10, -15, 3, -10, 32, -50, -11, -7, -5, -10, 12, -35, -26, 1, -18, 0, 22, -41, -22, -11, -1, -10, -13, -19, -19, -21, 34, -46, -14, -4, -72, -46, -14, -4, 58, -80, -30, 4, -21, -12, -10, 46, 15, 16, -10, 3, 14, -22, -16, -8, -9, -19, 29, -41, -22, -11, -8, -16, -4, 13, -46, 20, -29, -18, -5, 11, -32, -24, -6, -7, -21, -11, -1, -17, -10, -30, 4, -22, 95, -12, 44, -79, -8, 2, -31, 61, -62, -24, -1, -25, -8, -5, -6, 43, -85, -3, -10, -15, 3, -10, 43, -53, -35, -10, -15, 3, -10, 23, -59, -2, -6, -14, -9, -24, -1, -25, -8, -5, -6, 43, -76, -15, 58, -77, -13, -8, -12, 0, -24, -13, 0, -7, -25, -24, -1, -25, -8, -5, -6, 43, -76, -15, 58, -48, -49, -5, -12, 4, -19, 18, -45, -8, -12, 0, -24, -13, 0, -7, -25, -35, -19, 0, -14, -24, 71, -88, -19, -9, -12, 73, -77, -14, 58, -88, -3, -26, 1, -18, 0, 57, -90, -14, 71, -78, -23, -10, -16, -12, -9, -14, 7, -28, -6, -14, 71, -90, 2, -19, -6, -9, -28, 59, -9, -26, 25, -45, -8, -12, 0, -24, -13, -16, 51, 16, -81, -6, -19, -14, -4, -10, 57, -95, -6, 68, -81, -14, -16, -1, 57, -78, -20, 0, -29, -11, 72, -18, -2, -32, 10, 40, -83, -2, 52, -83, 6, -24, -12, -1, -17, -10, -30, 4, -21, -12, -10, -2, -32, 10, 40, -73, 0, -24, -4, 46, -79, 2, -12, -17, -4, -9, -28, 59, -30, -60, -13, 28, -35, -26, 1, -18, 0, -38, -19, -14, -4, -10, 57, -95, -6, 68, -78, -26, 2, -7, -30, 4, 58, -76, 54, -91, -13, -8, 1, -13, -25, -11, 58, -30, 8, -9, -21, 36, -48, -20, 2, -9, -28, -6, -14, -18, -16, -19, -4, -7, -5, 11, -46, -2, -9, -13, -16, 2, -22, 20, -35, -26, 1, -18, 0};
j = 128;
}

解析的部分字符串:


hook的一些特征模块

猜测一下, 应该是在检测xposed模块了. 举例:

AntiHooking.e = Class.forName(AntiHooking.a(((byte)(-AntiHooking.i[32])), ((byte)(-AntiHooking.i[v3])), ((short)(-AntiHooking.i[68]))), true, ClassLoader.getSystemClassLoader());
// 其中传入的字符串就是"de.robv.android.xposed.XC_MethodHook"

0x07 DebugDetector

    public static void main(String args[]) {
      Object[] v4 = new Object[1];
      byte v5 = ((byte)b[89]);
    short v7 = ((short)(v5 ^ 95 | v5 & 95));
    v4[0] = b(v5, v7, ((byte)(v7 & 48)));
    System.out.println(v4[0].toString());
        System.out.println(b(((byte)b[26]), (short) 304, ((byte)b[82])));
        System.out.println(b(((byte)b[32]), ((short)(c | 392)), ((byte)b[89])));
        System.out.println(b(((byte)(-b[135])), (short) 329, ((byte)b[63])));
//      System.out.println(b(((byte)(-b[583])), (short) 6623, ((byte)b[114])));
        System.out.println(b(((byte)(-b[133])), (short) 273, ((byte)b[29])));
        System.out.println(b(((byte)(b[129] - 1)), ((short)b[129]), ((byte)b[272])));
        byte v2 = ((byte)(-b[370]));
        System.out.println(b(v2, ((short)(v2 | 256)), ((byte)b[85])));
        System.out.println(b(((byte)(-b[133])), (short) 273, ((byte)b[29])));
        System.out.println(b(((byte)(b[129] - 1)), (short) 258, ((byte)b[78])));
        String[] str = new String[19];
        
        v7 = 360;
        str[0] = b(((byte)(-b[v7])), ((short)(c & 106 | c ^ 106)), ((byte)b[250]));
        byte v3 = ((byte)b[130]);
        str[1] = b(v3, ((short)(v3 | 321)), (short) 30);
        int v8 = 129;
    int v11 = 272;
    int v16 = 7;
        str[2] = b(((byte)(b[v8] - 1)), ((short)b[v8]), ((byte)b[v11]));
        int v10 = 370;
    byte v9 = ((byte)(-b[v10]));
    short v12 = ((short)(v9 ^ 325 | v9 & 325));
        str[3] = b(v9, v12, ((byte)(v12 & 16)));
        str[4] = b(((byte)(((b[v8] | -1) << 1) - (b[v8] ^ -1))), ((short)b[v8]), ((byte)b[v11]));
        str[5] = b(((byte)(-b[v10])), ((short)(c & 392 | c ^ 392)), ((byte)b[v16]));
        str[6] = b(((byte)(b[v8] - 1)), (short) 184, ((byte)b[0]));
        str[7] = b(((byte)(-b[v10])), (short) 291, ((byte)b[v16]));
        str[8] = b(((byte)(b[v8] - 1)), (short) 220, ((byte)(c & 24 | c ^ 24)));
        str[9] = b(((byte)b[104]), (short) 249, ((byte)b[5]));
        str[10] = b(((byte)(b[1] - 1)), (short) 216, ((byte)b[270]));
        str[11] = b(((byte)(-b[v7])), (short) 148, ((byte)b[355]));
        str[12] = b(((byte)(-b[v10])), (short) 410, ((byte)b[44]));
        str[13] = b(((byte)(b[v8] - 1)), (short) 420, ((byte)b[182]));
        str[14] = b(((byte)b[26]), (short) 371, ((byte)b[44]));
        str[15] = b(((byte)(-b[v7])), (short) 148, ((byte)b[355]));
        str[16] = b(((byte)(-b[370])), ((short)b[89]), ((byte)b[29]));
        str[17] = b(((byte)(-b[v7])), ((short)b[29]), ((byte)b[273]));
        str[18] = b(((byte)(-b[370])), ((short)(b[134] - 1)), ((byte)b[272]));
        for(int i=0; i<str.length; i++) {
          System.out.println(str[i]);
        }
        
    }
    
    private static byte[] b = null;
  private static int c = 0;
  private static int d = 0;
  private static int e = 1;
  
  static {
    c();
  }
  

  private static void c() {
    b = new byte[]{32, 42, 34, 123, -2, 9, -9, 13, -17, 19, -15, -34, 34, 13, 2, -11, -3, 3, -6, -2, 19, -15, -9, 21, -21, -51, 69, -14, -2, 18, -3, -9, 11, 5, -75, 53, 2, 13, 2, -70, 42, -35, -5, 9, 10, 34, 13, 2, -11, -3, 3, -6, -2, 19, -15, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 21, 44, -1, 6, -15, 19, -4, -2, 15, -33, 34, -19, 8, -5, -2, 17, -28, -35, -5, 0, 32, 34, -9, 5, -11, 6, 7, -15, 11, 65, 2, -3, -12, -52, 68, -14, 7, -6, -55, 68, 1, -19, 19, 1, -2, -9, 21, -21, 23, -74, 69, -14, -2, 18, -3, -9, 11, 5, -75, 51, 20, -1, -12, -58, 74, -67, -5, 0, -2, 42, -35, -5, 0, 32, 34, -9, 5, -11, 6, 7, -15, 11, -9, 21, -21, -51, 69, -14, -2, 18, -3, -9, 11, 5, -75, 53, 2, 13, 2, -70, 21, 34, 13, 2, -11, -3, 3, -6, -2, 19, -15, -31, 27, 2, 17, -5, 3, 7, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 66, -3, -63, 34, 17, 2, 8, -10, 6, -2, -24, 20, 13, -13, 6, -2, 13, -42, 7, -5, 9, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 66, -3, -63, 34, 17, 2, 8, -10, 6, -2, -28, 37, -8, 9, -10, -2, 7, -13, 19, 1, -3, -13, 14, 13, -10, 14, -3, -6, -5, -54, 65, 4, -69, 22, 33, -3, 19, -14, 10, -47, 33, -3, 19, -14, 0, -2, 13, -47, 44, -1, 0, -9, -2, 17, -15, -1, -2, 15, -36, 17, 2, 8, -10, 6, -2, -28, 37, -8, 9, -2, -17, 2, 2, 13, -2, -7, -5, -2, 15, -51, 47, 0, -4, -3, -6, -2, 19, -11, 6, -1, -37, 37, -8, 9, -3, -65, 54, 1, -3, 19, -14, 0, -6, 1, 10, -7, 11, -17, 4, 45, -10, 14, -3, -6, -5, -68, 36, 33, -3, 19, -14, -59, 35, -18, 4, 45, -10, 14, -3, -6, -5, -56, 23, -6, 24, -2, -5, -45, 55, -5, -15, -36, 49, 0, -17, 24, -2, 15, -36, 17, 2, 8, -10, 6, -2, -24, 20, 13, -13, 6, -2, 13, -2, 15, -36, 17, 2, 8, -10, 6, -2, -23, 19, 12, -8, -2, 15, -43, 37, 5, 1, -19, 13, -11, 2, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 66, -3, -63, 37, 22, -2, 7, -13, 19, 1, -3, -13};
    c = 5;
  }
  
  private static String b(int arg7, short arg8, short arg9) {
    e = (d + 41) % 128;
    int v9 = arg9 + 1;
    byte[] v0 = b;
    byte[] v1 = new byte[v9];
    int v3 = arg8 + 4;
    int v8 = arg7 + 47;
    for(int ii = 0; true; ii++) {
        int v4 = ii + 1;
        v1[ii] = ((byte)v8);
        if(v4 == v9) {
            break;
        }

//        arg7 = v0[v3];
        d = (e + 53) % 128;
        v8 += v0[v3];
        ++v3;
    }

    String v7 = new String(v1, 0).intern();
    e = (d + 25) % 128;
    return v7;
  }

解析出来的字符串如下:

/proc/self/status
tracerpid
:
ro.debuggable
isDebuggerConnected
android.content.Context
getApplicationInfo
isDebuggerConnected
android.os.Debug
javax.security.auth.x500.X500Principal
CN=Android Debug,O=Android,C=US
android.content.Context
getPackageManager
android.content.Context
getPackageName
android.content.pm.PackageManager
getPackageInfo
android.content.pm.PackageInfo
signatures
X.509
java.security.cert.CertificateFactory
getInstance
android.content.pm.Signature
toByteArray
java.security.cert.CertificateFactory
generateCertificate
java.security.cert.X509Certificate
getSubjectX500Principal

从上面可以看到, 不仅查看了程序的status(状态), 还查询ptrace的pid, 标志位(ro.debuggable), x509证书等多种方式来判断是否处于调试状态.

0x08 后记

dex是一位大佬通过重编译安卓源码提取出来的, 实际就是脱了壳, 原本有native层的加固(某灰产软件). 可以考虑一下写一个jeb插件去解析这些字符串, 可以省好多时间. 这个保护其实是某国外安全公司开发的, 详见

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 215,634评论 6 497
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 91,951评论 3 391
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 161,427评论 0 351
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 57,770评论 1 290
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 66,835评论 6 388
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 50,799评论 1 294
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 39,768评论 3 416
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 38,544评论 0 271
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 44,979评论 1 308
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 37,271评论 2 331
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 39,427评论 1 345
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 35,121评论 5 340
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 40,756评论 3 324
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 31,375评论 0 21
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 32,579评论 1 268
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 47,410评论 2 368
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 44,315评论 2 352