-
-
[原创] APK加固之类抽取分析与修复
-
发表于: 2015-8-25 14:22
-
测试环境与工具
手机系统: 华为U9508 android 4.2.2
IDA Pro 6.8
AndroidKiller 1.2
高手不要见笑,仅供小菜玩乐,有不对或不足的地方还请多多指教,不胜感激! 
0x00 简单介绍
目前我己知的APK加固主要有以下两种方式(或有其它的方式有待发现)
隐藏dex文件:通过对目标DEX文件进行整体加密或压缩方式把整个dex转换为另外一个文件存放在assets文件夹中或者其它地方,然后利用类加载器技术进行内存解密并加载运行。
修改dex结构:抽取DexCode中的字节码指令后用零去填充,或者修改方法属性等操作,运行时在内存中做修正、修复等处理工作。
0x01 APK加固前后对比
整体来看一下原始APK包和加固后的APK包结构相关变化
图1
图1所示加固后的APK包变化如下:
新增2个文件夹:
assets文件夹中增加3个文件
data
dx
pk
lib文件夹中增加了2个so文件
libedog.so
libfdog.so
被修改的文件:
AndroidManifest.xml
classes.dex
0x02 壳流程分析
我们用AndroidKiller反编译加固后的APK, 反编译出错,错误日志如下:
图2
从图2可以看出反编译时出现了很多错误,我们用IDA对DEX进行反编译查看代码,发现方法指令都被零填充了,反编译后代码显示为nop样式,如图3所示。
图3
我们再来看看APK中的AndroidManifest.xml文件被修改了什么地方?
图4
从图4看到AndroidManifest.xml中的application新增了如下项做为壳的入口android:name="com.edog.AppWrapper"该类为壳的入口,继续分析AppWrapper都做了些什么?
图5
图6
图7
从图5-7可以看出最终会调用到libedog.so中的dl函数,下面就开始动态调试分析该so的功能流程(如何动态调试就不说了,网上己经有很多的教程了)。
通过动态分析libedog.so中的dl函数主要功能是: 获得系统版本号->验证加固前后的签名是否一致->反调试->将抽走的指令映射到内存中还原指令时用到->HOOK函数dvmResolveClass->结束。
代码流程如下:
libedog.so:5D692C18 Java_com_edog_ELibrary_d1
libedog.so:5D692C18
libedog.so:5D692C18 var_F0= -0xF0
libedog.so:5D692C18 var_EC= -0xEC
libedog.so:5D692C18 var_E4= -0xE4
libedog.so:5D692C18 var_1C= -0x1C
libedog.so:5D692C18 arg_0= 0
libedog.so:5D692C18
libedog.so:5D692C18 F0 B5 PUSH {R4-R7,LR}
libedog.so:5D692C1A 28 4F LDR R7, =(dword_5D6A5E60 - 0x5D692C24)
libedog.so:5D692C1C B7 B0 SUB SP, SP, #0xDC
libedog.so:5D692C1E 00 93 STR R3, [SP,#0xF0+var_F0]
libedog.so:5D692C20 7F 44 ADD R7, PC ; dword_5D6A5E60
libedog.so:5D692C22 3F 68 LDR R7, [R7]
libedog.so:5D692C24 3C 99 LDR R1, [SP,#0xF0+arg_0]
libedog.so:5D692C26 04 1C MOVS R4, R0
libedog.so:5D692C28 3B 68 LDR R3, [R7]
libedog.so:5D692C2A 01 91 STR R1, [SP,#0xF0+var_EC]
libedog.so:5D692C2C A9 21 MOVS R1, #0xA9
libedog.so:5D692C2E 35 93 STR R3, [SP,#0xF0+var_1C]
libedog.so:5D692C30 03 68 LDR R3, [R0]
libedog.so:5D692C32 89 00 LSLS R1, R1, #2
libedog.so:5D692C34 22 4D LDR R5, =(aFjFj0fjFjFj4fj - 0x5D692C42)
libedog.so:5D692C36 5B 58 LDR R3, [R3,R1]
libedog.so:5D692C38 11 1C MOVS R1, R2
libedog.so:5D692C3A 00 22 MOVS R2, #0
libedog.so:5D692C3C 98 47 BLX R3
libedog.so:5D692C3E 7D 44 ADD R5, PC ; "$fj] fj]0fj](fj],fj]4fj]i]"
libedog.so:5D692C40 2D 68 LDR R5, [R5] ; "$fj] fj]0fj](fj],fj]4fj]i]"
libedog.so:5D692C42 20 4E LDR R6, =(aFjFj0fjFjFj4fj+4 - 0x5D692C50)
libedog.so:5D692C44 28 60 STR R0, [R5]
libedog.so:5D692C46 20 1C MOVS R0, R4
libedog.so:5D692C48 00 F0 5C F8 BL _Z17ANDROID_API_LEVELP7_JNIEnv
libedog.so:5D692C4C 7E 44 ADD R6, PC ; " fj]0fj](fj],fj]4fj]i]"
libedog.so:5D692C4E 36 68 LDR R6, [R6] ; " fj]0fj](fj],fj]4fj]i]"
libedog.so:5D692C50 30 60 STR R0, [R6]
libedog.so:5D692C52 20 1C MOVS R0, R4
libedog.so:5D692C54 00 F0 82 F8 BL _Z24ANDROID_PLATFORM_VERSIONP7_JNIEnv
libedog.so:5D692C58 20 1C MOVS R0, R4
libedog.so:5D692C5A 00 F0 A9 F8 BL _Z22ANDROID_PLATFORM_MODELP7_JNIEnv
libedog.so:5D692C5E 20 1C MOVS R0, R4
libedog.so:5D692C60 00 F0 D0 F8 BL _Z22ANDROID_PLATFORM_BRANDP7_JNIEnv
libedog.so:5D692C64 20 1C MOVS R0, R4
libedog.so:5D692C66 01 99 LDR R1, [SP,#0xF0+var_EC]
libedog.so:5D692C68 00 F0 8A FC BL _Z6verifyP7_JNIEnvP8_jobject ; 比较加固前后的签名是否一致
libedog.so:5D692C6C 16 49 LDR R1, =(aDataDataSLibLi - 0x5D692C76)
libedog.so:5D692C6E 2A 68 LDR R2, [R5]
libedog.so:5D692C70 03 A8 ADD R0, SP, #0xF0+var_E4
libedog.so:5D692C72 79 44 ADD R1, PC ; "/data/data/%s/lib/libfdog.so"
libedog.so:5D692C74 FF F7 B0 EE BLX sprintf
libedog.so:5D692C78 03 A8 ADD R0, SP, #0xF0+var_E4
libedog.so:5D692C7A 01 1C MOVS R1, R0
libedog.so:5D692C7C 00 F0 02 FD BL _Z4antiPKcS0_ ; 反调试
libedog.so:5D692C80 00 F0 3E F9 BL _Z10openMemoryv ; 将抽走的指令映射到内存中来
libedog.so:5D692C80 ; assets中的data文件
libedog.so:5D692C84 23 68 LDR R3, [R4]
libedog.so:5D692C86 A9 22 92 00 MOVS R2, #0x2A4
libedog.so:5D692C8A 9B 58 LDR R3, [R3,R2]
libedog.so:5D692C8C 00 99 LDR R1, [SP,#0xF0+var_F0]
libedog.so:5D692C8E 20 1C MOVS R0, R4
libedog.so:5D692C90 00 22 MOVS R2, #0
libedog.so:5D692C92 98 47 BLX R3
libedog.so:5D692C94 0D 49 LDR R1, =(unk_5D6A2A0D - 0x5D692C9A)
libedog.so:5D692C96 79 44 ADD R1, PC
libedog.so:5D692C98 FF F7 A4 EE BLX strstr
libedog.so:5D692C9C 00 28 CMP R0, #0
libedog.so:5D692C9E 02 D1 BNE loc_5D692CA6
libedog.so:5D692CA0 33 68 LDR R3, [R6]
libedog.so:5D692CA2 14 2B CMP R3, #0x14 ; 判断版本
libedog.so:5D692CA4 00 DD BLE loc_5D692CA8 ; 根据操作系统的版本
libedog.so:5D692CA4 ; hook对应的dvmResolveClass函数
libedog.so:5D692CA6
libedog.so:5D692CA6 loc_5D692CA6 ; CODE XREF: Java_com_edog_ELibrary_d1+86j
libedog.so:5D692CA6 01 20 MOVS R0, #1
libedog.so:5D692CA8
libedog.so:5D692CA8 loc_5D692CA8 ; CODE XREF: Java_com_edog_ELibrary_d1+8Cj
libedog.so:5D692CA8 00 F0 E8 FB BL _Z7restorei ; 根据操作系统的版本
libedog.so:5D692CA8 ; hook对应的dvmResolveClass函数
libedog.so:5D692CAC 35 9A LDR R2, [SP,#0xF0+var_1C]
libedog.so:5D692CAE 3B 68 LDR R3, [R7]
libedog.so:5D692CB0 9A 42 CMP R2, R3
libedog.so:5D692CB2 01 D0 BEQ loc_5D692CB8
libedog.so:5D692CB4 FF F7 9C EE BLX sub_5D6929F0
libedog.so:5D692CB8 ; ---------------------------------------------------------------------------
libedog.so:5D692CB8
libedog.so:5D692CB8 loc_5D692CB8 ; CODE XREF: Java_com_edog_ELibrary_d1+9Aj
libedog.so:5D692CB8 37 B0 ADD SP, SP, #0xDC
libedog.so:5D692CBA F0 BD POP {R4-R7,PC}
libedog.so:5D692CBA ; End of function Java_com_edog_ELibrary_d1
libedog.so:5D692CBA
libedog.so:5D692CBA ; -------------------------------------
struct DexCode {
u2 registersSize;
u2 insSize;
u2 outsSize;
[COLOR="Red"] u2 triesSize;
u4 debugInfoOff; /* file offset to debug info stream */
u4 insnsSize; /* size of the insns array, in u2 units */[/COLOR]
u2 insns[1];
};
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
不至于,我的心还没那么脆弱。网上的免费版本,类抽取本身的控制程序edog就没有加我们自己的so壳。 以便和收费版本做区分。 三哥v5。。。
类抽取,so壳。 唯一一家 免费放出的, 只有我们,所以你们想要免费体验的。 到www.nagain.com上自己用就好了。 因为是免费,各位同学想研究,自己耍就好了。 但是千万别加木马病毒。 高抬贵手了。 
|
|
|
|
|
|
|
|
|
嗯。
|
|
|
 。。。。
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
不是早就发个了么?
|
