4.1 绿洲

抓包

抓包发现有加密参数,因此来分析一下这个 sign (32 位,很有可能是 md5

image-20230308135651334

逆向分析

jadx 打开 app 查看源码发现了加壳的标志

image-20230308133524488

尝试使用 frida-dexdump 进行脱壳,脱壳的命令如下:

frida-dexdump -U -f com.sina.oasis
image-20230308133405574

可以看到已经脱出来很多个 dex 文件了!

image-20230308133811347

按照大小排序,一般最大的就是主 dex, 所以直接尝试看看 classes02.dex, 用 jadx 反编译看看,发现报错了

image-20230308134720522

通过百度就知道了,其实需要加一下启动参数:-Pdex-input.verify-checksum=no , 加上之后发现果然就 ok

image-20230308134820023

尝试 hook 一下,直接搜索 sign (要把所有的 dex 都弄到 jadx 才可以)

image-20230308171302553

找到可能的点,然后慢慢 hook 就可以了,最终发现位置

image-20230308171523393
image-20230308171532674
image-20230308171557359

慢慢跟进代码,最后发现是一个 Native 方法,可以知道他的 so 文件应该是 oasiscore 之类的,那就解压了去那看看!

image-20230308171635395

没有找到,那就 hook 一下 RegisterNative 把!所以 so 文件就是 liboasiscore.so

image-20230308172056629

这里补充一下 hook 代码:


        let b = Java.use("g.a.c.b");
        b["c"].implementation = function (bArr, z) {
            console.log(`b.c is called: bArr=${bArr}, z=${z}`);
            let result = this["c"](bArr, z);
            console.log(`b.c result=${result}`);
            return result;
        };

附上 native 函数 hook 方法, 这边将 bArr 转回了 string 来看看参数!

        let str = Java.use("java.lang.String")
        let NativeApi = Java.use("com.weibo.xvideo.NativeApi");
        NativeApi["s"].implementation = function (bArr, z) {

            console.log('s is called' + ', ' + 'arg1: ' + str.$new(bArr) + ', ' + 'z: ' + z);
            let ret = this.s(bArr, z);
            console.log('s ret value is ' + ret);
            return ret;
        };

编写一下主动调用的代码:


function getSign() {
    Java.perform(function () {
        function stringToBytes(str) {
            var javaString = Java.use('java.lang.String');
            return javaString.$new(str).getBytes();
        }

        let NativeApi = Java.use("com.weibo.xvideo.NativeApi");
        let arg1 = "aid=01AwqqBnklOIBhGlE_TKDKyLBX3Cx7Rboh-igytQig6B0DtIQ.&cfrom=28B5295010&cuid=1766247692&noncestr=MS3e1q5d2tYNEq9nleFPQK0690J79n&platform=ANDROID&sdk_version=1.6.4&timestamp=1678267776709&ua=OnePlus-ONEPLUSA6000__oasis__3.5.8__Android__Android10&version=3.5.8&vid=2009961396444&wm=20004_90024";

        // sign is 607c746c0c38d368f16ce26670305809
        let arg2 = false;
        let ret = NativeApi.$new().s(stringToBytes(arg1), arg2);
        console.log("ret:" + ret);
    })
}
image-20230308173206646

验证一下发现也没有什么问题!

Unidbg

先套用一下模板,做一下初始化

package com.sina.oasis;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmClass;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.memory.Memory;

import java.io.File;

public class sign extends AbstractJni {
    private final AndroidEmulator emulator;
    private final DvmClass NativeApi;
    private final VM vm;

    public sign() {
        emulator = AndroidEmulatorBuilder
                .for64Bit()
                .addBackendFactory(new Unicorn2Factory(true))
                .setProcessName("com.sina.oasis")
                .build();
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File("unidbg-android/src/test/resources/lvzhou.apk"));
        vm.setJni(this);
        vm.setVerbose(true);
        // 这里看 jadx 里面是是这么加载的
        DalvikModule dm = vm.loadLibrary("oasiscore", true);
        NativeApi = vm.resolveClass("com/weibo/xvideo/NativeApi");
        dm.callJNI_OnLoad(emulator);
    }

    public static void main(String[] args) {
        sign xv = new sign();
    }

}

翻译 frida js 代码为 java 代码

    public void getSign() {
        //   let NativeApi = Java.use("com.weibo.xvideo.NativeApi");
        DvmClass NativeApi = vm.resolveClass("com/weibo/xvideo/NativeApi");
        // let arg1 = "aid=01AwqqBnklOIBhGlE_TKDKyLBX3Cx7Rboh-igytQig6B0DtIQ.&cfrom=28B5295010&cuid=1766247692&noncestr=MS3e1q5d2tYNEq9nleFPQK0690J79n&platform=ANDROID&sdk_version=1.6.4&timestamp=1678267776709&ua=OnePlus-ONEPLUSA6000__oasis__3.5.8__Android__Android10&version=3.5.8&vid=2009961396444&wm=20004_90024";
        String arg1 = "aid=01AwqqBnklOIBhGlE_TKDKyLBX3Cx7Rboh-igytQig6B0DtIQ.&cfrom=28B5295010&cuid=1766247692&noncestr=MS3e1q5d2tYNEq9nleFPQK0690J79n&platform=ANDROID&sdk_version=1.6.4&timestamp=1678267776709&ua=OnePlus-ONEPLUSA6000__oasis__3.5.8__Android__Android10&version=3.5.8&vid=2009961396444&wm=20004_90024";
        // let arg2 = false;
        Boolean arg2 = false;

        // let ret = NativeApi.$new().s(stringToBytes(arg1), arg2);
        // sign is 607c746c0c38d368f16ce26670305809
        DvmObject<?> nativeApi = NativeApi.newObject(null);
        DvmObject<?> ret = nativeApi.callJniMethodObject(emulator, "s([BZ)Ljava/lang/String;", arg1.getBytes(), arg2);
        System.out.println(ret.getValue());

    }
image-20230308180731601

验证完毕,最终的代码为:

package com.sina.oasis;

import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;

import java.io.File;

public class sign extends AbstractJni {
    private final AndroidEmulator emulator;
    private final DvmClass NativeApi;
    private final VM vm;

    public sign() {
        emulator = AndroidEmulatorBuilder
                .for64Bit()
                .addBackendFactory(new Unicorn2Factory(true))
                .setProcessName("com.sina.oasis")
                .build();
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File("unidbg-android/src/test/resources/lvzhou.apk"));
        vm.setJni(this);
        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary("oasiscore", true);
        NativeApi = vm.resolveClass("com/weibo/xvideo/NativeApi");
        dm.callJNI_OnLoad(emulator);
    }

    public static void main(String[] args) {
        sign xv = new sign();
        xv.getSign();
    }

    public void getSign() {
        //   let NativeApi = Java.use("com.weibo.xvideo.NativeApi");
        DvmClass NativeApi = vm.resolveClass("com/weibo/xvideo/NativeApi");
        // let arg1 = "aid=01AwqqBnklOIBhGlE_TKDKyLBX3Cx7Rboh-igytQig6B0DtIQ.&cfrom=28B5295010&cuid=1766247692&noncestr=MS3e1q5d2tYNEq9nleFPQK0690J79n&platform=ANDROID&sdk_version=1.6.4&timestamp=1678267776709&ua=OnePlus-ONEPLUSA6000__oasis__3.5.8__Android__Android10&version=3.5.8&vid=2009961396444&wm=20004_90024";
        String arg1 = "aid=01AwqqBnklOIBhGlE_TKDKyLBX3Cx7Rboh-igytQig6B0DtIQ.&cfrom=28B5295010&cuid=1766247692&noncestr=MS3e1q5d2tYNEq9nleFPQK0690J79n&platform=ANDROID&sdk_version=1.6.4&timestamp=1678267776709&ua=OnePlus-ONEPLUSA6000__oasis__3.5.8__Android__Android10&version=3.5.8&vid=2009961396444&wm=20004_90024";
        // let arg2 = false;
        Boolean arg2 = false;

        // let ret = NativeApi.$new().s(stringToBytes(arg1), arg2);
        // sign is 607c746c0c38d368f16ce26670305809
        DvmObject<?> nativeApi = NativeApi.newObject(null);
        DvmObject<?> ret = nativeApi.callJniMethodObject(emulator, "s([BZ)Ljava/lang/String;", arg1.getBytes(), arg2);
        System.out.println(ret.getValue());

    }


}

最后更新于

这有帮助吗?