4.1 绿洲
抓包
抓包发现有加密参数,因此来分析一下这个 sign (32 位,很有可能是 md5 )
逆向分析
用 jadx 打开 app 查看源码发现了加壳的标志
尝试使用 frida-dexdump 进行脱壳,脱壳的命令如下:
frida-dexdump -U -f com.sina.oasis
可以看到已经脱出来很多个 dex 文件了!
按照大小排序,一般最大的就是主 dex, 所以直接尝试看看 classes02.dex, 用 jadx 反编译看看,发现报错了
通过百度就知道了,其实需要加一下启动参数:-Pdex-input.verify-checksum=no , 加上之后发现果然就 ok 了
尝试 hook 一下,直接搜索 sign (要把所有的 dex 都弄到 jadx 才可以)
找到可能的点,然后慢慢 hook 就可以了,最终发现位置
慢慢跟进代码,最后发现是一个 Native 方法,可以知道他的 so 文件应该是 oasiscore 之类的,那就解压了去那看看!
没有找到,那就 hook 一下 RegisterNative 把!所以 so 文件就是 liboasiscore.so
这里补充一下 hook 代码:
let b = Java.use("g.a.c.b");
b["c"].implementation = function (bArr, z) {
console.log(`b.c is called: bArr=${bArr}, z=${z}`);
let result = this["c"](bArr, z);
console.log(`b.c result=${result}`);
return result;
};附上 native 函数 hook 方法, 这边将 bArr 转回了 string 来看看参数!
let str = Java.use("java.lang.String")
let NativeApi = Java.use("com.weibo.xvideo.NativeApi");
NativeApi["s"].implementation = function (bArr, z) {
console.log('s is called' + ', ' + 'arg1: ' + str.$new(bArr) + ', ' + 'z: ' + z);
let ret = this.s(bArr, z);
console.log('s ret value is ' + ret);
return ret;
};编写一下主动调用的代码:
function getSign() {
Java.perform(function () {
function stringToBytes(str) {
var javaString = Java.use('java.lang.String');
return javaString.$new(str).getBytes();
}
let NativeApi = Java.use("com.weibo.xvideo.NativeApi");
let arg1 = "aid=01AwqqBnklOIBhGlE_TKDKyLBX3Cx7Rboh-igytQig6B0DtIQ.&cfrom=28B5295010&cuid=1766247692&noncestr=MS3e1q5d2tYNEq9nleFPQK0690J79n&platform=ANDROID&sdk_version=1.6.4×tamp=1678267776709&ua=OnePlus-ONEPLUSA6000__oasis__3.5.8__Android__Android10&version=3.5.8&vid=2009961396444&wm=20004_90024";
// sign is 607c746c0c38d368f16ce26670305809
let arg2 = false;
let ret = NativeApi.$new().s(stringToBytes(arg1), arg2);
console.log("ret:" + ret);
})
}
验证一下发现也没有什么问题!
Unidbg
先套用一下模板,做一下初始化
package com.sina.oasis;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.AbstractJni;
import com.github.unidbg.linux.android.dvm.DalvikModule;
import com.github.unidbg.linux.android.dvm.DvmClass;
import com.github.unidbg.linux.android.dvm.VM;
import com.github.unidbg.memory.Memory;
import java.io.File;
public class sign extends AbstractJni {
private final AndroidEmulator emulator;
private final DvmClass NativeApi;
private final VM vm;
public sign() {
emulator = AndroidEmulatorBuilder
.for64Bit()
.addBackendFactory(new Unicorn2Factory(true))
.setProcessName("com.sina.oasis")
.build();
Memory memory = emulator.getMemory();
memory.setLibraryResolver(new AndroidResolver(23));
vm = emulator.createDalvikVM(new File("unidbg-android/src/test/resources/lvzhou.apk"));
vm.setJni(this);
vm.setVerbose(true);
// 这里看 jadx 里面是是这么加载的
DalvikModule dm = vm.loadLibrary("oasiscore", true);
NativeApi = vm.resolveClass("com/weibo/xvideo/NativeApi");
dm.callJNI_OnLoad(emulator);
}
public static void main(String[] args) {
sign xv = new sign();
}
}
翻译 frida js 代码为 java 代码
public void getSign() {
// let NativeApi = Java.use("com.weibo.xvideo.NativeApi");
DvmClass NativeApi = vm.resolveClass("com/weibo/xvideo/NativeApi");
// let arg1 = "aid=01AwqqBnklOIBhGlE_TKDKyLBX3Cx7Rboh-igytQig6B0DtIQ.&cfrom=28B5295010&cuid=1766247692&noncestr=MS3e1q5d2tYNEq9nleFPQK0690J79n&platform=ANDROID&sdk_version=1.6.4×tamp=1678267776709&ua=OnePlus-ONEPLUSA6000__oasis__3.5.8__Android__Android10&version=3.5.8&vid=2009961396444&wm=20004_90024";
String arg1 = "aid=01AwqqBnklOIBhGlE_TKDKyLBX3Cx7Rboh-igytQig6B0DtIQ.&cfrom=28B5295010&cuid=1766247692&noncestr=MS3e1q5d2tYNEq9nleFPQK0690J79n&platform=ANDROID&sdk_version=1.6.4×tamp=1678267776709&ua=OnePlus-ONEPLUSA6000__oasis__3.5.8__Android__Android10&version=3.5.8&vid=2009961396444&wm=20004_90024";
// let arg2 = false;
Boolean arg2 = false;
// let ret = NativeApi.$new().s(stringToBytes(arg1), arg2);
// sign is 607c746c0c38d368f16ce26670305809
DvmObject<?> nativeApi = NativeApi.newObject(null);
DvmObject<?> ret = nativeApi.callJniMethodObject(emulator, "s([BZ)Ljava/lang/String;", arg1.getBytes(), arg2);
System.out.println(ret.getValue());
}
验证完毕,最终的代码为:
package com.sina.oasis;
import com.github.unidbg.AndroidEmulator;
import com.github.unidbg.arm.backend.Unicorn2Factory;
import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
import com.github.unidbg.linux.android.AndroidResolver;
import com.github.unidbg.linux.android.dvm.*;
import com.github.unidbg.memory.Memory;
import java.io.File;
public class sign extends AbstractJni {
private final AndroidEmulator emulator;
private final DvmClass NativeApi;
private final VM vm;
public sign() {
emulator = AndroidEmulatorBuilder
.for64Bit()
.addBackendFactory(new Unicorn2Factory(true))
.setProcessName("com.sina.oasis")
.build();
Memory memory = emulator.getMemory();
memory.setLibraryResolver(new AndroidResolver(23));
vm = emulator.createDalvikVM(new File("unidbg-android/src/test/resources/lvzhou.apk"));
vm.setJni(this);
vm.setVerbose(true);
DalvikModule dm = vm.loadLibrary("oasiscore", true);
NativeApi = vm.resolveClass("com/weibo/xvideo/NativeApi");
dm.callJNI_OnLoad(emulator);
}
public static void main(String[] args) {
sign xv = new sign();
xv.getSign();
}
public void getSign() {
// let NativeApi = Java.use("com.weibo.xvideo.NativeApi");
DvmClass NativeApi = vm.resolveClass("com/weibo/xvideo/NativeApi");
// let arg1 = "aid=01AwqqBnklOIBhGlE_TKDKyLBX3Cx7Rboh-igytQig6B0DtIQ.&cfrom=28B5295010&cuid=1766247692&noncestr=MS3e1q5d2tYNEq9nleFPQK0690J79n&platform=ANDROID&sdk_version=1.6.4×tamp=1678267776709&ua=OnePlus-ONEPLUSA6000__oasis__3.5.8__Android__Android10&version=3.5.8&vid=2009961396444&wm=20004_90024";
String arg1 = "aid=01AwqqBnklOIBhGlE_TKDKyLBX3Cx7Rboh-igytQig6B0DtIQ.&cfrom=28B5295010&cuid=1766247692&noncestr=MS3e1q5d2tYNEq9nleFPQK0690J79n&platform=ANDROID&sdk_version=1.6.4×tamp=1678267776709&ua=OnePlus-ONEPLUSA6000__oasis__3.5.8__Android__Android10&version=3.5.8&vid=2009961396444&wm=20004_90024";
// let arg2 = false;
Boolean arg2 = false;
// let ret = NativeApi.$new().s(stringToBytes(arg1), arg2);
// sign is 607c746c0c38d368f16ce26670305809
DvmObject<?> nativeApi = NativeApi.newObject(null);
DvmObject<?> ret = nativeApi.callJniMethodObject(emulator, "s([BZ)Ljava/lang/String;", arg1.getBytes(), arg2);
System.out.println(ret.getValue());
}
}
最后更新于
这有帮助吗?