1. jeb分析apk

没什么好看的, 验证逻辑在so里

if(utils.check(v1.toString().trim()))
public static native boolean check(utils this, String arg1) {

2. 分析so

IDA调试

adb shell am start -D -n com.miss.rfchen/com.miss.rfchen.MainActivity

jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=xxxx

这里垃圾指令模式比较单一, 看到像垃圾指令的直接拉滚动条就行了

.text:00003C68 ; jint __stdcall JNI_OnLoad(JavaVM *vm, void *reserved)

反调试ptrace(PTRACE_TRACEME, 0, 0, 0), 直接nop掉即可

.text:00003C74                 MOVS            R1, #0
.text:00003C76                 MOVS            R2, #0
.text:00003C7A                 MOVS            R3, #0
.text:00003C86                 MOVS            R0, #0
.text:00003CEE                 BLX             ptrace

注册check对应的native函数

.text:00003CF2                 LDR             R0, [R4]
.text:00003D08                 ADD             R1, PC  ; "com/miss/rfchen/utils"
.text:00003D0A                 LDR             R2, [R2,#JNINativeInterface_.FindClass]
.text:00003D0C                 BLX             R2
.text:00003D0E                 MOV             R1, R0
.text:00003D80                 LDR.W           R4, [R2,#JNINativeInterface_.RegisterNatives]
.text:00003D84                 LDR             R2, =(off_20004 - 0x3D8A)
.text:00003D86                 ADD             R2, PC ; off_20004
.text:00003D88                 BLX             R4
.data:00020004 off_20004       DCD aCheck              ; DATA XREF: sub_3D58+2Eo
.data:00020008                 DCD aLjavaLangStrin     ; "(Ljava/lang/String;)Z"
.data:0002000C                 DCD _Z5checkP7_JNIEnvP7_jclassP8_jstring+1 ; check(_JNIEnv *,_jclass *,_jstring *)

3. 分析check函数

.text:00002814 ; check(_JNIEnv *, _jclass *, _jstring *)

失败6次就死循环了

.text:0000284C                 LDR.W           R0, [R12]
.text:00002850                 CMP             R0, #6
.text:00002852                 BLT             loc_2874
.text:00002854                 B               loop_endless

初始化字符串: JPyjup3eCyJjlkV6DmSmGHQ=

.text:000028F2                 MOVS            R0, #'J'
.text:000028F4                 MOVS            R1, #'y'
.text:0000295C                 STRH.W          R0, [SP,#0x22]
.text:000029C6                 STRH.W          R1, [SP,#0x24]
...

获取sn

.text:000036BE                 LDR.W           R3, [R0,#JNINativeInterface_.GetStringUTFChars]
.text:000036C2                 MOV             R0, R9
.text:000036C4                 BLX             R3

buf=malloc(len(sn)+1)

.text:00019F80                 MOV             R0, R4  ; size
.text:00019F82                 BLX             malloc
...
.text:00019FF0                 BLX             __aeabi_memclr

rc4_init(&ctx, "199310124853", 8)

.text:0001A0C8                 BL              rc4_init

rc4_crypt(&ctx, sn, len(sn))

.text:0001A13A                 BL              rc4_crypt

base64

.text:0001A222                 ADD             R1, R0
.text:0001A224                 MOV             R0, R5
.text:0001A226                 BL              base64

将b64结果与字符串JPyjup3eCyJjlkV6DmSmGHQ=比较

.text:00003798                 LDR.W           R0, =(unk_20020 - loc_38D2)
.text:000038CE                 ADD             R0, PC
.text:000038D0                 LDRB            R2, [R1,R4]
.text:000038D2                 LDRB            R3, [R0,R4]
.text:000038D4                 CMP             R3, R2
.text:000038D6                 BNE.W           sub_39B0
.text:000038DA                 ADDS            R4, #1
...
.text:00003942                 CMP             R4, #0x18
.text:00003944                 BNE             loc_38D0

>>> madebyericky94528

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法