首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 看雪社区
  2. 求助问答
    3. 发新帖
[求助]初学逆向,遇到个so文件直接头皮扣烂!
2023-12-21 10:54 2223

[求助]初学逆向,遇到个so文件直接头皮扣烂!

雪花一号 活跃值
2023-12-21 10:54
2223

论坛泡久了对逆向有点上瘾,奈何技术储备太浅,面对so文件时感觉很无力,特来求助一下,寻找一下思路,希望大佬们能指明一条学习路线

1.首先打开的是JNI_OnLoad文件,点击进入了off_5F9E8

2.根据java中入口方法_de_intercept,传入的是一个Lokhttp3/Interceptor$Chain对象,选择了sub_5BE6C

3点开qword_64828,qword_64830,sub_2A3D8,感觉如同看天书,没有任何头绪
qword_64828,qword_64830的代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
  __int64 v5; // x21
  __int64 v6; // x0
  __int64 v7; // x20
  __int64 v8; // x21
  __int64 v9; // x23
  __int64 v10; // x24
  __int64 v11; // x0
  __int64 v12; // x0
  _BYTE v13[12]; // [xsp+0h] [xbp-1A70h] BYREF
  char v14[28]; // [xsp+Ch] [xbp-1A64h] BYREF
  char dest[6720]; // [xsp+28h] [xbp-1A48h] BYREF
  __int64 v16; // [xsp+1A68h] [xbp-8h]
 
  v16 = *(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  if ( !qword_64828 )
  {
    v1 = result;
    v2 = sub_5D63C();
    memcpy(dest, &unk_1A924, sizeof(dest));
    v3 = sub_2C368(v1, v2, dest, 6720LL, "/d1x4.dex");
    v4 = qword_64810;
    v5 = v3;
    v6 = (*(*v1 + 1336LL))(v1, "cn.fxlcy.mh.mp");
    v7 = sub_2A3D8(v1, v5, v4, v6);
    v8 = (*(*v1 + 264LL))(v1, v7, "<init>", "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V");
    __strlcpy_chk(
      v14,
      "ys6n2GvmgEyB3rELDX1gaTBf2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUjfk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB",
      25LL,
      25LL);
    v14[24] = 0;
    __strlcpy_chk(
      v13,
      "2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUjfk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB",
      9LL,
      9LL);
    v13[8] = 0;
    v9 = (*(*v1 + 1336LL))(v1, v14);
    v10 = (*(*v1 + 1336LL))(v1, v13);
    v11 = (*(*v1 + 1336LL))(
            v1,
            "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAys6n2GvmgEyB3rELDX1gaTBf2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0"
            "Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6"
            "Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUj"
            "fk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB");
    v12 = sub_2C100(v1, v7, v8, v9, v10, v11);
    qword_64828 = (*(*v1 + 168LL))(v1, v12);
    qword_64830 = (*(*v1 + 264LL))(v1, v7, "i", "(Lokhttp3/Interceptor$Chain;)Lokhttp3/Response;");
    qword_64838 = (*(*v1 + 264LL))(v1, v7, "pps", "(Ljava/lang/String;Z)[Ljava/lang/String;");
    qword_64840 = (*(*v1 + 264LL))(v1, v7, "deb", "([B)[B");
    result = (*(*v1 + 1720LL))(v1, v7, off_5FB38, 2LL);
    if ( result )
      result = sub_5B59C();
    byte_64848 = 1;
  }
  return result;
}

sub_2A3D8代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
__int64 sub_2A3D8(_JNIEnv *a1, void *a2, struct _jmethodID *a3, ...)
{
  jobject (__fastcall *CallObjectMethodV)(JNIEnv *, jobject, jmethodID, va_list); // x8
  gcc_va_list va1; // [xsp+B0h] [xbp-50h] BYREF
  gcc_va_list va; // [xsp+D8h] [xbp-28h] BYREF
  __int64 v7; // [xsp+F8h] [xbp-8h]
 
  va_start(va, a3);
  v7 = *(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  CallObjectMethodV = a1->functions->CallObjectMethodV;
  va_copy(va1, va);
  return CallObjectMethodV(&a1->functions, a2, a3, va1);
}

java入口文件代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
package cn.fxlcy.anative;
 
import android.content.Context;
import androidx.annotation.Keep;
import java.io.IOException;
import okhttp3.Interceptor;
import okhttp3.Response;
 
/* loaded from: classes.dex */
public class Native {
    @Keep
    public static final Object ALOCK;
 
    /* renamed from: a  reason: collision with root package name */
    public static boolean f1145a;
 
    static {
        System.loadLibrary("fcore");
        f1145a = true;
        ALOCK = new Object();
    }
 
    public static native String _channel();
 
    public static native Response _de_intercept(Interceptor.Chain chain) throws IOException;
 
    public static Response a(Interceptor.Chain chain) throws IOException {
        try {
            if (f1145a) {
                synchronized (ALOCK) {
                    u_auth();
                }
                f1145a = false;
            }
            Response _de_intercept = _de_intercept(chain);
            return _de_intercept == null ? chain.proceed(chain.request()) : _de_intercept;
        } catch (Throwable th) {
            if (th instanceof IOException) {
                throw th;
            }
            throw new IOException(th);
        }
    }
 
    public static native byte[] de(byte[] bArr);
 
    public static native String[] dra(String str, boolean z);
 
    public static native String gpk();
 
    public static native String gqm();
 
    public static native void init(Context context);
 
    public static native long system_currentTimeSeconds();
 
    public static native void u_auth();
 
    public static native String url_auth(String str);
}

后续更新:

而且在java中显示调用的so,似乎只在启动的时候加载了,然后就被更名存储在内存中,最主要的是so中方法,好像一直在从java中调用类和方法,传进去的值也没看到在那被处理
这是一种混淆吗?还是我单纯的太菜了

这是java中被调用native方法的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
__int64 __fastcall sub_5BE6C(__int64 a1, __int64 a2, __int64 a3)
{
  if ( (byte_64848 & 1) == 0 )
  {
    do
      usleep(0xBB8u);
    while ( byte_64848 != 1 );
  }
  if ( qword_64828 )
    return sub_2A3D8(a1, qword_64828, qword_64830, a3);
  else
    return 0LL;
}

这是根据代码中的qword_64828, qword_64830所查找到的另一个方法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
__int64 __fastcall sub_5BB70(__int64 result)
{
  _JNIEnv *v1; // x19
  __int64 v2; // x20
  __int64 v3; // x0
  __int64 v4; // x20
  __int64 v5; // x21
  __int64 v6; // x0
  __int64 v7; // x20
  __int64 v8; // x21
  __int64 v9; // x23
  __int64 v10; // x24
  __int64 v11; // x0
  __int64 v12; // x0
  _BYTE v13[12]; // [xsp+0h] [xbp-1A70h] BYREF
  char v14[28]; // [xsp+Ch] [xbp-1A64h] BYREF
  char dest[6720]; // [xsp+28h] [xbp-1A48h] BYREF
  __int64 v16; // [xsp+1A68h] [xbp-8h]
 
  v16 = *(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  if ( !qword_64828 )
  {
    v1 = result;
    // v2是一个jobject
    v2 = sub_5D63C();                           //
    memcpy(dest, &unk_1A924, sizeof(dest));
    v3 = sub_2C368(v1, v2, dest, 6720LL, "/d1x4.dex");// v3是一个jobject
    v4 = qword_64810;                           // v4是一个MethodID
    v5 = v3;
    v6 = v1->functions->NewStringUTF(&v1->functions, "cn.fxlcy.mh.mp");
    v7 = sub_2A3D8(v1, v5, v4, v6);             // v7是一个jobject
    v8 = v1->functions->GetMethodID(
           &v1->functions,
           v7,
           "<init>",
           "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)V");
    __strlcpy_chk(
      v14,
      "ys6n2GvmgEyB3rELDX1gaTBf2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUjfk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB",
      25LL,
      25LL);
    v14[24] = 0;
    __strlcpy_chk(
      v13,
      "2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUjfk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB",
      9LL,
      9LL);
    v13[8] = 0;
    v9 = v1->functions->NewStringUTF(&v1->functions, v14);
    v10 = v1->functions->NewStringUTF(&v1->functions, v13);
    v11 = v1->functions->NewStringUTF(
            &v1->functions,
            "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAys6n2GvmgEyB3rELDX1gaTBf2pnB3NI2BhMN63Lte/nviZdVsu0uef4n4+XNuMk0"
            "Xgo63WLSTk0qcWhIZGxuyeZGfDRw8QzRrZ8feIe4aYqt3ihhZJP20bqYrGX/+s8qcpvdzYsg0Tu26HqkKNQXH+fYWLuf1iY9GmJ/mgyZUOt6"
            "Lr6+AReTHSQmwOdZHabAigZiO8SfbFZiad7XVhoYffoJg8DvVuVC9PIaoo6jXNQsElc5XXOnXICzoK6llWoOW2wMB53UJrcaC5n/RiLx4xUj"
            "fk5HwZ4K2iI4w7O3M9cMwH6JG4Sd8aiHoQXP02d+bALgI9O4jCOS1gugvXIfvwIDAQAB");
    v12 = sub_2C100(v1, v7, v8, v9, v10, v11);
    qword_64828 = v1->functions->NewGlobalRef(&v1->functions, v12);
    qword_64830 = v1->functions->GetMethodID(&v1->functions, v7, "i", "(Lokhttp3/Interceptor$Chain;)Lokhttp3/Response;");
    qword_64838 = v1->functions->GetMethodID(&v1->functions, v7, "pps", "(Ljava/lang/String;Z)[Ljava/lang/String;");
    qword_64840 = v1->functions->GetMethodID(&v1->functions, v7, "deb", "([B)[B");
    result = (v1->functions->RegisterNatives)(v1, v7, off_5FB38, 2LL);
    if ( result )
      result = sub_5B59C();
    byte_64848 = 1;
  }
  return result;
}

[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界

上传的附件:
收藏
点赞0
打赏
分享
最新回复 (2)
New对象处
雪    币: 22
活跃值: (3629)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
New对象处 2023-12-21 11:28
2
0
你先导入jni.h,然后改结构体为jnienv,就一目了然
mb_ldbucrik
雪    币: 6
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
私信
mb_ldbucrik 2023-12-21 17:52
3
0
高版本的ida直接改就行
游客
登录 | 注册 方可回帖
 回帖  表情 雪币赚取及消费
高级回复
返回