其他
Youpk: 又一款基于ART的主动调用的脱壳机
本文为看雪论坛优秀文章
看雪论坛作者ID:Youlor
原理
基本流程如下:
1. 从内存中 dump DEX
2. 构造完整调用链,主动调用所有方法并 dump CodeItem
3. 合并 DEX,CodeItem
从内存中 dump DEX
//unpacker.ccstd::list<const DexFile*> Unpacker::getDexFiles() { std::list<const DexFile*> dex_files; Thread* const self = Thread::Current(); ClassLinker* class_linker = Runtime::Current()->GetClassLinker(); ReaderMutexLock mu(self, *class_linker->DexLock()); const std::list<ClassLinker::DexCacheData>& dex_caches = class_linker->GetDexCachesData(); for (auto it = dex_caches.begin(); it != dex_caches.end(); ++it) { ClassLinker::DexCacheData data = *it; const DexFile* dex_file = data.dex_file; dex_files.push_back(dex_file); } return dex_files;}//dex2oat.cccompiler_options_->SetCompilerFilter(CompilerFilter::kVerifyAtRuntime);构造完整调用链, 主动调用所有方法
//unpacker.javapublic static void unpack() { if (Unpacker.unpackerThread != null) { return; } //开启线程调用 Unpacker.unpackerThread = new Thread() { @Override public void run() { while (true) { try { Thread.sleep(UNPACK_INTERVAL); } catch (InterruptedException e) { e.printStackTrace(); } if (shouldUnpack()) { Unpacker.unpackNative(); } } } }; Unpacker.unpackerThread.start();}//unpacker.ccfor (; class_idx < dex_file->NumClassDefs(); class_idx++) {//unpacker.ccmirror::Class* klass = class_linker->ResolveType(*dex_file, dex_file->GetClassDef(class_idx).class_idx_, h_dex_cache, h_class_loader);StackHandleScope<1> hs2(self);Handle<mirror::Class> h_class(hs2.NewHandle(klass));bool suc = class_linker->EnsureInitialized(self, h_class, true, true);//unpacker.ccuint32_t args_size = (uint32_t)ArtMethod::NumArgRegisters(method->GetShorty());if (!method->IsStatic()) { args_size += 1;} JValue result;std::vector<uint32_t> args(args_size, 0);if (!method->IsStatic()) { mirror::Object* thiz = klass->AllocObject(self); args[0] = StackReference<mirror::Object>::FromMirrorPtr(thiz).AsVRegValue(); }method->Invoke(self, args.data(), args_size, &result, method->GetShorty()); //art_method.ccif (UNLIKELY(!runtime->IsStarted() || Dbg::IsForcedInterpreterNeededForCalling(self, this)|| (Unpacker::isFakeInvoke(self, this) && !this->IsNative()))) {if (IsStatic()) {art::interpreter::EnterInterpreterFromInvoke(self, this, nullptr, args, result, /*stay_in_interpreter*/ true);} else {mirror::Object* receiver =reinterpret_cast<StackReference<mirror::Object>*>(&args[0])->AsMirrorPtr();art::interpreter::EnterInterpreterFromInvoke(self, this, receiver, args + 1, result, /*stay_in_interpreter*/ true);}} //interpreter.ccstatic constexpr InterpreterImplKind kInterpreterImplKind = kSwitchImplKind;//interpreter_switch_impl.cc// Code to run before each dex instruction. #define PREAMBLE() \ do { \ inst_count++; \ bool dumped = Unpacker::beforeInstructionExecute(self, shadow_frame.GetMethod(), \ dex_pc, inst_count); \ if (dumped) { \ return JValue(); \ } \ if (UNLIKELY(instrumentation->HasDexPcListeners())) { \ instrumentation->DexPcMovedEvent(self, shadow_frame.GetThisObject(code_item->ins_size_), shadow_frame.GetMethod(), dex_pc); \ } \ } while (false)//unpacker.ccbool Unpacker::beforeInstructionExecute(Thread *self, ArtMethod *method, uint32_t dex_pc, int inst_count) { if (Unpacker::isFakeInvoke(self, method)) { Unpacker::dumpMethod(method); return true; } return false;}合并 DEX, CodeItem
参考链接
刷机
使用方法
adb shell "echo cn.youlor.mydemo >> /data/local/tmp/unpacker.config"adb pull /data/data/cn.youlor.mydemo/unpackerjava -jar dexfixer.jar /path/to/unpacker /path/to/output适用场景
2. 抽取:
nop 占坑型(类似某加密)
naitve化,在<clinit>中解密(类似早期阿里)
goto解密型(类似新版某加密?najia):https://bbs.pediy.com/thread-259448.htm
常见问题
看雪ID:Youlor
https://bbs.pediy.com/user-887601.htm
推荐文章++++