[第二阶段第3题]攻防竞赛第二阶段第3题(攻击篇)答题
发表于: 2014-11-2 10:51 5020
分析文章
反调试:
首先对dvmLoadNativeCode函数与pthread_create函数下断，可以看到程序创建了4个以上线程，其中负责反调试的线程如下。从反汇编可见它把字符串与"./android_server"、"xposed"作比较，并按"/proc/%d/task/%s/stat"逐个读取本进程各线程的stat文件，以此检测调试器与Hook框架。
ibcrackme.so:8053261C MOV R1, R3
libcrackme.so:80532620 BL strcmp
libcrackme.so:80532624 MOV R3, R0
libcrackme.so:80532628 CMP R3, #0
libcrackme.so:8053262C BEQ loc_80532680
libcrackme.so:80532630 SUB R3, R11, #0x21C
libcrackme.so:80532634 ADD R3, R3, #4
libcrackme.so:80532638 MOV R0, R3
libcrackme.so:8053263C LDR R3, =(a_Android_serve - 0x80532648)
libcrackme.so:80532640 ADD R3, PC, R3 ; "./android_server"
libcrackme.so:80532644 MOV R1, R3
libcrackme.so:80532648 BL strcmp
libcrackme.so:8053264C MOV R3, R0
libcrackme.so:80532650 CMP R3, #0
libcrackme.so:80532654 BEQ loc_80532680
libcrackme.so:80532658 SUB R3, R11, #0x21C
libcrackme.so:8053265C ADD R3, R3, #4
libcrackme.so:80532660 MOV R0, R3
libcrackme.so:80532664 LDR R3, =(aXposed - 0x80532670)
libcrackme.so:80532668 ADD R3, PC, R3 ; "xposed"
libcrackme.so:8053266C MOV R1, R3
libcrackme.so:80532670 BL strstr
libcrackme.so:80532674 MOV R3, R0
ibcrackme.so:80533D94 SUB R3, R3, #4
libcrackme.so:80533D98 MOV R0, R3
libcrackme.so:80533D9C LDR R3, =(aProcDTaskSStat - 0x80533DA8)
libcrackme.so:80533DA0 ADD R3, PC, R3 ; "/proc/%d/task/%s/stat"
libcrackme.so:80533DA4 MOV R1, R3
libcrackme.so:80533DA8 MOV R3, R12
libcrackme.so:80533DAC BL sprintf
libcrackme.so:80533DB0 SUB R3, R11, #0x610
libcrackme.so:80533DB4 SUB R3, R3, #4
libcrackme.so:80533DB8 SUB R3, R3, #4
libcrackme.so:80533DBC MOV R0, R3
libcrackme.so:80533DC0 MOV R1, #0
libcrackme.so:80533DC4 BL open
libcrackme.so:80533DC8 MOV R3, R0
libcrackme.so:80533DCC STR R3, [R11,#-0x18]
libcrackme.so:80533CD4 MOV R1, #0
libcrackme.so:80533CD8 BL memset_0
libcrackme.so:80533CDC MOV R3, #0
libcrackme.so:80533CE0 STR R3, [R11,#-0x10]
libcrackme.so:80533CE4 MOV R3, #0
libcrackme.so:80533CE8 STR R3, [R11,#-0x14]
libcrackme.so:80533CEC BL getpid_0
libcrackme.so:80533CF0 MOV R3, R0
libcrackme.so:80533CF4 MOV R2, R3
libcrackme.so:80533CF8 SUB R3, R11, #0x640
libcrackme.so:80533CFC SUB R3, R3, #4
libcrackme.so:80533D00 SUB R3, R3, #8
libcrackme.so:80533D04 MOV R0, R3
libcrackme.so:80533D08 LDR R3, =(unk_8053D580 - 0x80533D14)
libcrackme.so:80533D0C ADD R3, PC, R3 ; unk_8053D580
libcrackme.so:80533D10 MOV R1, R3
libcrackme.so:80533D14 BL sprintf
libcrackme.so:80533D18 SUB R3, R11, #0x640
libcrackme.so:80533D1C SUB R3, R3, #4
libcrackme.so:80533D20 SUB R3, R3, #8
libcrackme.so:80533D24 MOV R0, R3
libcrackme.so:80533D28 BL opendir
libcrackme.so:80533D2C MOV R3, R0
libcrackme.so:80533D30 STR R3, [R11,#-0x10]
libcrackme.so:80533D34 LDR R3, [R11,#-0x10]
libcrackme.so:80533D38 CMP R3, #0
libcrackme.so:80533D3C BNE loc_80533ED4
libcrackme.so:80533D40 MOV R3, #0xFFFFFFFF
libcrackme.so:80533D44 B loc_80533F10
libcrackme.so:80533D48 ; ---------------------------------------------------------------------------
libcrackme.so:80533D48
libcrackme.so:80533D48 loc_80533D48 ; CODE XREF: libcrackme.so:80533F00j
libcrackme.so:80533D48 LDR R3, [R11,#-0x14]
libcrackme.so:80533D4C ADD R3, R3, #0x13
libcrackme.so:80533D50 LDR R0, [R11,#-0x650]
libcrackme.so:80533D54 MOV R1, R3
libcrackme.so:80533D58 BL loc_805337B4
libcrackme.so:80533D5C MOV R3, R0
libcrackme.so:80533D60 CMP R3, #0
libcrackme.so:80533D64 MOVEQ R3, #0
libcrackme.so:80533D68 MOVNE R3, #1
libcrackme.so:80533D6C AND R3, R3, #0xFF
libcrackme.so:80533D70 CMP R3, #0
libcrackme.so:80533D74 BEQ loc_80533ED8
libcrackme.so:80533D78 BL getpid_0
libcrackme.so:80533D7C MOV R3, R0
libcrackme.so:80533D80 MOV R2, R3
libcrackme.so:80533D84 LDR R3, [R11,#-0x14]
libcrackme.so:80533D88 ADD R12, R3, #0x13
libcrackme.so:80533D8C SUB R3, R11, #0x610
libcrackme.so:80533D90 SUB R3, R3, #4
libcrackme.so:80533D94 SUB R3, R3, #4
libcrackme.so:80533D98 MOV R0, R3
libcrackme.so:80533D9C LDR R3, =(aProcDTaskSStat - 0x80533DA8)
libcrackme.so:80533DA0 ADD R3, PC, R3 ; "/proc/%d/task/%s/stat"
libcrackme.so:80533DA4 MOV R1, R3
libcrackme.so:80533DA8 MOV R3, R12
libcrackme.so:80533DAC BL sprintf
libcrackme.so:80533DB0 SUB R3, R11, #0x610
libcrackme.so:80533DB4 SUB R3, R3, #4
libcrackme.so:80533DB8 SUB R3, R3, #4
libcrackme.so:80533DBC MOV R0, R3
libcrackme.so:80533DC0 MOV R1, #0
libcrackme.so:80533DC4 BL open
libcrackme.so:80533DC8 MOV R3, R0
libcrackme.so:80533DCC STR R3, [R11,#-0x18]
libcrackme.so:80533DD0 LDR R3, [R11,#-0x18]
libcrackme.so:80533DD4 CMN R3, #1
libcrackme.so:80533DD8 BNE loc_80533DE4
libcrackme.so:80533DDC MOV R3, #0xFFFFFFFF
libcrackme.so:80533DE0 B loc_80533F10
libcrackme.so:80533DE4 ; ---------------------------------------------------------------------------
libcrackme.so:80533DE4
libcrackme.so:80533DE4 loc_80533DE4 ; CODE XREF: libcrackme.so:80533DD8j
libcrackme.so:80533DE4 SUB R3, R11, #0x410
libcrackme.so:80533DE8 SUB R3, R3, #4
libcrackme.so:80533DEC SUB R3, R3, #4
libcrackme.so:80533DF0 LDR R0, [R11,#-0x18]
libcrackme.so:80533DF4 MOV R1, R3
libcrackme.so:80533DF8 MOV R2, #0x400
libcrackme.so:80533DFC BL read_0
libcrackme.so:80533E00 MOV R3, R0
//定位关键算法（方法与第2题相同）：通过查看安卓源码中Dalvik虚拟机JNI方法的注册过程可知，在dvmUseJNIBridge函数下断后很快就能到达关键算法函数。
//----------注册函数
libcrackme.so:80505E74 ; ---------------------------------------------------------------------------
; ---- Thumb-2 function at 80505E74 (the listing shows no IDA label for it) ----
; Reached after breaking on dvmUseJNIBridge, per the write-up above.
; Register roles (AAPCS): R0 = object whose first word is a function table,
;   R2 / R3 = two further arguments; R1 is never read before being overwritten.
; Flow: table slot 0x2A4 is called twice (once per argument, third parameter 0),
;   the two results go to sub_80505E18, then table slot 0x29C is called with
;   unk_80516340+4 and its return value is left in R0 for the caller.
; NOTE(review): if [R0] is the JNIEnv function table, 0x2A4/4 = 169 and
;   0x29C/4 = 167, which are GetStringUTFChars and NewStringUTF in the standard
;   table layout -- confirm against jni.h before relying on that reading.
; Clobbers: R0-R3 (R3 is restored by the POP); R5 = 0x2A4 stays live across both calls.
libcrackme.so:80505E74 PUSH {R3-R7,LR}                 ; save callee-saved R4-R7 and LR; R3 likely pushed only as an alignment pad
libcrackme.so:80505E76 MOVS R7, R3                     ; R7 = 4th argument (must survive the calls)
libcrackme.so:80505E78 LDR R3, [R0]                    ; R3 = function table pointer (first word of *R0)
libcrackme.so:80505E7A MOVS R5, #0x2A4                 ; slot offset, reused for the second call
libcrackme.so:80505E7E LDR R3, [R3,R5]                 ; R3 = table[0x2A4]
libcrackme.so:80505E80 MOVS R1, R2                     ; 3rd argument -> second parameter
libcrackme.so:80505E82 MOVS R2, #0                     ; third parameter = 0
libcrackme.so:80505E84 MOVS R4, R0                     ; R4 = object pointer (must survive the calls)
libcrackme.so:80505E86 BLX R3                          ; r1 = table[0x2A4](obj, arg3, 0)
libcrackme.so:80505E88 LDR R3, [R4]                    ; reload the table pointer (R3 is volatile across the call)
libcrackme.so:80505E8A MOVS R6, R0                     ; R6 = first result
libcrackme.so:80505E8C MOVS R1, R7                     ; 4th argument -> second parameter
libcrackme.so:80505E8E LDR R3, [R3,R5]                 ; same slot 0x2A4
libcrackme.so:80505E90 MOVS R2, #0                     ; third parameter = 0 again
libcrackme.so:80505E92 MOVS R0, R4                     ; object pointer back into R0
libcrackme.so:80505E94 BLX R3                          ; r2 = table[0x2A4](obj, arg4, 0)
libcrackme.so:80505E96 MOVS R1, R0                     ; second result -> R1
libcrackme.so:80505E98 MOVS R0, R6                     ; first result -> R0
libcrackme.so:80505E9A BL sub_80505E18                 ; sub_80505E18(r1, r2); the write-up's algorithm analysis continues from here
libcrackme.so:80505E9E LDR R1, =(unk_80516340 - 0x80505EA8) ; PC-relative displacement to unk_80516340
libcrackme.so:80505EA0 LDR R2, [R4]                    ; table pointer again
libcrackme.so:80505EA2 MOVS R3, #0xA7                  ; slot offset built from a small immediate (see LSLS below)
libcrackme.so:80505EA4 ADD R1, PC ; unk_80516340       ; R1 = unk_80516340
libcrackme.so:80505EA6 LSLS R3, R3, #2                 ; R3 = 0xA7 << 2 = 0x29C
libcrackme.so:80505EA8 ADDS R1, #4                     ; R1 = unk_80516340 + 4
libcrackme.so:80505EAA LDR R3, [R2,R3]                 ; R3 = table[0x29C]
libcrackme.so:80505EAC MOVS R0, R4                     ; object pointer into R0
libcrackme.so:80505EAE BLX R3                          ; R0 = table[0x29C](obj, unk_80516340 + 4)
libcrackme.so:80505EB0 POP {R3-R7,PC}                  ; return that R0; restore R4-R7 and drop the R3 pad
//--------往下分析就是算法了。
// 申请空间存放密码与帐户
libcrackme.so:8050565A MOVS R0, R5
libcrackme.so:8050565C BLX strlen_0
libcrackme.so:80505660 STR R0, [SP,#8]
libcrackme.so:80505662 MOVS R7, R0
libcrackme.so:80505664 MOVS R0, R6
libcrackme.so:80505666 BLX strlen_0
libcrackme.so:8050566A ADDS R7, #1
libcrackme.so:8050566C MOVS R3, R0
libcrackme.so:8050566E ADDS R3, #1
libcrackme.so:80505670 STR R0, [SP,#0xC]
libcrackme.so:80505672 MOVS R0, R7
libcrackme.so:80505674 STR R3, [SP,#4]
libcrackme.so:80505676 BLX new ; 申请空间存放密码与帐户
libcrackme.so:8050567A STR R0, [R4,#0x34]
libcrackme.so:8050567C LDR R0, [SP,#4]
libcrackme.so:8050567E BLX new
libcrackme.so:80505682 LDR R3, [R4,#0x34]
libcrackme.so:80505684 STR R0, [R4,#0x38]
libcrackme.so:80505686 CMP R3, #0
libcrackme.so:80505688 BEQ loc_805056B6
ibcrackme.so:80505692 MOVS R2, R7
libcrackme.so:80505694 BLX memset_0
libcrackme.so:80505698 MOVS R1, #0
libcrackme.so:8050569A LDR R2, [SP,#4]
libcrackme.so:8050569C LDR R0, [R4,#0x38]
libcrackme.so:8050569E BLX memset_0
libcrackme.so:805056A2 MOVS R1, R5
libcrackme.so:805056A4 LDR R2, [SP,#8]
libcrackme.so:805056A6 LDR R0, [R4,#0x34]
libcrackme.so:805056A8 BLX memcpy_0 ; 拷贝帐户与密码
libcrackme.so:805056AC LDR R0, [R4,#0x38]
libcrackme.so:805056AE MOVS R1, R6
libcrackme.so:805056B0 LDR R2, [SP,#0xC]
libcrackme.so:805056B2 BLX memcpy_0
//判断帐户与密码长度是否合法
ibcrackme.so:805056CC BEQ loc_805056E8
libcrackme.so:805056CE MOVS R0, R3
libcrackme.so:805056D0 BLX strlen_0
libcrackme.so:805056D4 MOVS R6, R0
libcrackme.so:805056D6 SUBS R6, #6
libcrackme.so:805056D8 MOVS R0, R5
libcrackme.so:805056DA BLX strlen_0
libcrackme.so:805056DE CMP R6, #0xE ; 判断帐户与密码长度是否合法
libcrackme.so:805056E0 BHI loc_805056E8
libcrackme.so:805056E2 SUBS R0, #0xC
libcrackme.so:805056E4 CMP R0, #0x12
libcrackme.so:805056E6 BLS loc_805056FC
//判断密码中是否包含字符'-'
libcrackme.so:80505D5E LDR R3, [R2,#0x38]
libcrackme.so:80505D60 LDRB R2, [R3,#3]
libcrackme.so:80505D62 CMP R2, #0x2D ; 判断密码中是否包含字符'-'
libcrackme.so:80505D64 BNE loc_80505D72
libcrackme.so:80505D66 LDRB R2, [R3,#7]
libcrackme.so:80505D68 CMP R2, #0x2D
libcrackme.so:80505D6A BNE loc_80505D72
//去掉字符'-'
ibcrackme.so:8050574A BNE loc_80505768
libcrackme.so:8050574C LDR R3, [SP,#4]
libcrackme.so:8050574E LDR R1, [SP,#8]
libcrackme.so:80505750 LDR R2, [SP,#4]
libcrackme.so:80505752 STR R3, [SP,#0x10]
libcrackme.so:80505754 LDR R3, [R1,#0x38]
libcrackme.so:80505756 LDRB R3, [R3,R2]
libcrackme.so:80505758 CMP R3, #0x2D ; 去掉字符'-'
libcrackme.so:8050575A BEQ loc_80505780
libcrackme.so:8050575C LDR R0, =(unk_80516240 - 0x80505762)
libcrackme.so:8050575E ADD R0, PC ; unk_80516240
libcrackme.so:80505760 BLX setjmp_0
libcrackme.so:80505764 CMP R0, #0
libcrackme.so:80505766 BEQ loc_8050576E
libcrackme.so:80505D6C LDRB R3, [R3,#0xB]
libcrackme.so:80505D6E CMP R3, #0x2D
libcrackme.so:80505D70 BEQ loc_80505D88
//判断表是否已创建，未创建则创建
libcrackme.so:80505524 loc_80505524 ; CODE XREF: libcrackme.so:8050551Cj
libcrackme.so:80505524 LDR R4, =(byte_80516340 - 0x8050552A)
libcrackme.so:80505526 ADD R4, PC ; byte_80516340
libcrackme.so:80505528 LDRB R3, [R4]
libcrackme.so:8050552A CMP R3, #0 ; 判断是否创建表
libcrackme.so:8050552C BNE loc_80505536
libcrackme.so:8050552E BL loc_80505494 ; 创建
libcrackme.so:80505532 MOVS R3, #1
libcrackme.so:80505534 STRB R3, [R4]
//开始查表
libcrackme.so:8050556A loc_8050556A ; CODE XREF: libcrackme.so:80505582j
libcrackme.so:8050556A LDR R6, [SP,#8] ; 查表开始
libcrackme.so:8050556C ADDS R5, R6, R3
libcrackme.so:8050556E LDRB R5, [R5,R1]
libcrackme.so:80505570 LDRB R6, [R4,R5]
libcrackme.so:80505572 ADD R5, SP, #0x1C
libcrackme.so:80505574 STRB R6, [R1,R5]
libcrackme.so:80505576 LSLS R6, R6, #0x18
libcrackme.so:80505578 BPL loc_8050557E
libcrackme.so:8050557A MOV R6, R12
libcrackme.so:8050557C STRB R6, [R1,R5]
libcrackme.so:80505DA2 LDR R2, [SP,#0xC]
libcrackme.so:80505DA4 ADDS R0, #0x3C
libcrackme.so:80505DA6 BLX memcpy_0 ; 拷贝查表计算后的值
libcrackme.so:80505DAA CMP R4, #0
libcrackme.so:80505DAC BEQ loc_80505DB4
libcrackme.so:80505DB6 BL loc_805057D4 ; 比较计算后的值与帐号值是否相同
ibcrackme.so:80505842 loc_80505842 ; CODE XREF: libcrackme.so:80505872j
libcrackme.so:80505842 LDR R3, [SP,#0xC]
libcrackme.so:80505844 LDR R0, [SP,#4]
libcrackme.so:80505846 LDR R2, [R3,#0x34]
libcrackme.so:80505848 ADDS R3, R3, R0
libcrackme.so:8050584A ADDS R3, #0x3C
libcrackme.so:8050584C LDRB R2, [R2,R0]
libcrackme.so:8050584E LDRB R3, [R3]
libcrackme.so:80505850 CMP R2, R3 ; 比较计算后的值与帐户值是否相同
libcrackme.so:80505852 BEQ loc_80505862
libcrackme.so:80505854