Reverse analysis of a certain app's 48-digit sig3 algorithm
This article is a featured post from the Pediy (Kanxue) forum.
Pediy forum author ID: hczhong
1. Calling the sig3 algorithm with unidbg
2. Removing the junk code from libkwsgmain.so
3. Calling the de-obfuscated libkwsgmain.so with unidbg
// Original: load libkwsgmain.so from the APK by library name
DalvikModule dm = vm.loadLibrary("kwsgmain", true);
// Replacement: load the de-obfuscated .so from a file on disk instead
DalvikModule dm = vm.loadLibrary(new File("unidbg-android/src/test/resources/ks910/libkwsgmain.so"), true);
[23:44:46 552] INFO [com.github.unidbg.linux.AndroidElfLoader] (AndroidElfLoader:459) - libkwsgmain.so load dependency libc++_shared.so failed
stack ts
[23:44:46 633] INFO [com.github.unidbg.linux.ARM32SyscallHandler] (ARM32SyscallHandler:828) - pthread_clone child_stack=RW@0x403be930, thread_id=1, fn=RX@0x401837f5[libc.so]0x3f7f5, arg=RW@0x403be930, flags=[CLONE_VM, CLONE_FS, CLONE_FILES, CLONE_SIGHAND, CLONE_THREAD, CLONE_SYSVSEM, CLONE_SETTLS, CLONE_PARENT_SETTID, CLONE_CHILD_CLEARTID]
stack ts
stack ts
JNIEnv->GetStringUtfChars("/data/app/com.smile.gifmaker-oyRnT1esU1Pf5iDY6JKtjA==/base.apk") was called from RX@0x400451a5[libkwsgmain.so]0x451a5
JNIEnv->ReleaseStringUTFChars("/data/app/com.smile.gifmaker-oyRnT1esU1Pf5iDY6JKtjA==/base.apk") was called from RX@0x4000e305[libkwsgmain.so]0xe305
stack ts
stack ts
stack ts
stack ts
JNIEnv->GetStringUtfChars("d7b7d042-d4f2-4012-be60-d97ff2429c17") was called from RX@0x40051e53[libkwsgmain.so]0x51e53
stack ts
JNIEnv->GetStringUtfChars("com.smile.gifmaker") was called from RX@0x4000de87[libkwsgmain.so]0xde87
JNIEnv->ReleaseStringUTFChars("com.smile.gifmaker") was called from RX@0x4000e305[libkwsgmain.so]0xe305
[23:44:47 663] WARN [com.github.unidbg.arm.AbstractARMEmulator] (AbstractARMEmulator$1:58) - memory failed: address=0x7084, size=1, value=0x0, PC=unidbg@0x7084, LR=RX@0x4004d68d[libkwsgmain.so]0x4d68d
[23:44:47 663] WARN [com.github.unidbg.AbstractEmulator] (AbstractEmulator:389) - emulate RX@0x40053129[libkwsgmain.so]0x53129 exception sp=unidbg@0xbfffec88, msg=unicorn.UnicornException: Invalid memory fetch (UC_ERR_FETCH_UNMAPPED), offset=1003ms
Exception in thread "main" java.lang.NullPointerException
at com.ks910.kwsgmain910.callInit(kwsgmain910.java:97)
at com.ks910.kwsgmain910.main(kwsgmain910.java:73)
3.1 Replacing it with the external .so throws an error? Looking for the cause
3.2 A different approach to loading the external .so
JNIEnv->ReleaseStringUTFChars("d7b7d042-d4f2-4012-be60-d97ff2429c17") was called from RX@0x4000e305[libkwsgmain.so]0xe305
result:d3c2b2915f3804b59b9b9899f95a9abe878c3ae0868a8492
4. Recovering the algorithm from the trace
4.1 Trace configuration
4.2 Finding the input in the trace file
/rest/n/comment/list/firstPagefcac84fe7071434ad19cc4771890acef
2f726573742f6e2f636f6d6d656e742f6c6973742f6669727374506167656663616338346665373037313433346164313963633437373138393061636566
4.3 Peeling back the layers to find the next step
4.4 Backtracking from the result
emulator.traceWrite(0xbffff6b8L, 0xbffff6b8L + 0x16); // log every write to the 0x16-byte result buffer
one
### Memory WRITE at 0xbffff6bc, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6c0, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6c4, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6c8, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6cc, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6b8, data size = 4, data value = 0x5141
### Memory WRITE at 0xbffff6ba, data size = 2, data value = 0x22
### Memory WRITE at 0xbffff6bc, data size = 4, data value = 0x2acf568f
### Memory WRITE at 0xbffff6c4, data size = 4, data value = 0x2306c567 // same
### Memory WRITE at 0xbffff6c8, data size = 4, data value = 0x61ba1ea6
### Memory WRITE at 0xbffff6c0, data size = 4, data value = 0x1
### Memory WRITE at 0xbffff6cc, data size = 4, data value = 0xd00
### Memory WRITE at 0xbffff6cc, data size = 4, data value = 0x2c000d00
two
### Memory WRITE at 0xbffff6bc, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6c0, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6c4, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6c8, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6cc, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6b8, data size = 4, data value = 0x5141
### Memory WRITE at 0xbffff6ba, data size = 2, data value = 0x22
### Memory WRITE at 0xbffff6bc, data size = 4, data value = 0x6c4d7d4f
### Memory WRITE at 0xbffff6c4, data size = 4, data value = 0x2306c567 // same
### Memory WRITE at 0xbffff6c8, data size = 4, data value = 0x61ba1ec1
### Memory WRITE at 0xbffff6c0, data size = 4, data value = 0x1
### Memory WRITE at 0xbffff6cc, data size = 4, data value = 0xd00
### Memory WRITE at 0xbffff6cc, data size = 4, data value = 0x6a000d00
0xfffffba3 & 0xFF = 0xa3
0x100000000 - 0x45d = 0xfffffba3
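The two traceWrite dumps above are easier to compare once the logged writes are replayed into the 0x16-byte buffer. This is an added example, not code from the original article: it parses unidbg's `### Memory WRITE` lines, rebuilds the buffer little-endian as it would sit in ARM32 memory, and lists the addresses whose final byte differs between run one and run two (the sample lines are constructed from the dumps above).

```python
import re

# Window the article traces: emulator.traceWrite(0xbffff6b8, 0xbffff6b8 + 0x16)
BASE, SIZE = 0xBFFFF6B8, 0x16
WRITE_RE = re.compile(r"### Memory WRITE at 0x([0-9a-f]+), data size = (\d+), data value = 0x([0-9a-f]+)")

# Sample input constructed from the "one" dump above.
RUN_ONE = """\
### Memory WRITE at 0xbffff6bc, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6c0, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6c4, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6c8, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6cc, data size = 4, data value = 0x0
### Memory WRITE at 0xbffff6b8, data size = 4, data value = 0x5141
### Memory WRITE at 0xbffff6ba, data size = 2, data value = 0x22
### Memory WRITE at 0xbffff6bc, data size = 4, data value = 0x2acf568f
### Memory WRITE at 0xbffff6c4, data size = 4, data value = 0x2306c567
### Memory WRITE at 0xbffff6c8, data size = 4, data value = 0x61ba1ea6
### Memory WRITE at 0xbffff6c0, data size = 4, data value = 0x1
### Memory WRITE at 0xbffff6cc, data size = 4, data value = 0xd00
### Memory WRITE at 0xbffff6cc, data size = 4, data value = 0x2c000d00
"""
# The "two" dump repeats the same write sequence; only these three values differ.
RUN_TWO = (RUN_ONE.replace("0x2acf568f", "0x6c4d7d4f")
           .replace("0x61ba1ea6", "0x61ba1ec1")
           .replace("0x2c000d00", "0x6a000d00"))

def replay_writes(trace: str, base: int = BASE, size: int = SIZE) -> bytes:
    """Apply each logged write in order; bytes falling outside the window are dropped."""
    buf = bytearray(size)
    for m in WRITE_RE.finditer(trace):
        addr, width, value = int(m[1], 16), int(m[2]), int(m[3], 16)
        for i in range(width):  # little-endian: byte i of the value lands at addr + i
            off = addr + i - base
            if 0 <= off < size:
                buf[off] = (value >> (8 * i)) & 0xFF
    return bytes(buf)

def changed_addresses(a: bytes, b: bytes, base: int = BASE) -> list:
    """Addresses whose final byte differs between two runs, i.e. the input-dependent fields."""
    return [base + i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    one, two = replay_writes(RUN_ONE), replay_writes(RUN_TWO)
    print("run one:", one.hex())
    print("run two:", two.hex())
    print("changed:", [hex(a) for a in changed_addresses(one, two)])
```

The bytes that stay identical (the 0x5141/0x22 header, the 0x1 word and the 0x2306c567 word) are structure the algorithm fixes, so the search for the input-dependent computation can concentrate on 0xbffff6bc..0xbffff6bf and the low byte at 0xbffff6c8.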
5. Verifying that the algorithm is correct
5.1 Capturing traffic with a hook plus Postern
5.2 Capturing traffic by replaying the request
https://bbs.pediy.com/user-home-847002.htm