入门学习逆向的个人笔记,预览(欢迎探讨)

[原创] 肉丝的r0env2022(kali linux)配置xrdp远程桌面,以及Genymotion安卓11的ssh登陆问题和11系统amr64转译问题.
[分享] (Android) 逆向入门记录 一篇杂文, 记录.
[分享] Adndroid逆向的基础环境准备 的一些记录 , 抄袭royuse的课 第3课
[分享] 安卓逆向课题之4, Activity,service,content provider,broadcast receiver和实例演示,完毕
[分享] 安卓逆向课题之5, mobile spider get started. 两天高度集中学习, 承上启下的流程,a明白,b上手练.(5th完结)
[分享] 安卓逆向课题之6, mobile spider get started. Object的自动化动态分析和快速定位(笔记完毕)
[分享] 安卓逆向课题之7, mobile spider get started. 看电视直播App(未加固)去广告升级 (笔记待完善)
[分享] 安卓逆向课题之8, 真实App实操带壳App重打包去强制升级(部分抄袭别人笔记)(一次不完美的实践)
[讨论] Android Reverse Project No.9, "Types of App Security Protection, Identification and Handling Methods"
[原创] Android Reverse Project No.9, "Types of App Protection“ ---- Video Course

Thanks

Thank you to all the people for the shared spirit, thank you to r0yuse, thank you to the wechat group of royuse fans, thanks for KanXUE.

What is native, the closer to the CPU definition.
dex file, in fact, is explained in java. Native program, natively interpreted by Android.

libart.so written by CPP , and run at CPU.

This is android system architecture.

Too easy

When Android first started, around 2010, not to mention the security of APPs, even the security of the Android system itself was not taken seriously.

After all, the protagonists of the world are still PC and WEB.

However, the world is relatively fair. Although there are no security measures, there is no need for cracking. It would be good if a new platform could perform the functions that a mobile operating system should have. As for other third-party applications, there were very few paid applications. The mobile network environment at that time was completely different from today.

In the beginning

The people who are most concerned about Android security should be hackers and blackmailers.

After all, the meal still needs to be ate, and the virus still needs to be written. .

In 2009, smali/baksmali turned out. This should be the first public DEX assembler/disassembler. Most people’s Android cracking road, Android reverse road, Android virus analysis road, and Android ** road , also starts from here.

So in 2010, Kaspersky intercepted the first Android virus...

In the same year, various technical papers on Android virus analysis and Android security began to appear, such as smali-based static analysis, sandbox-based dynamic analysis, etc.

In the same year, excellent Android reverse analysis tools such as dex2jar and apktool began to be developed and open sourced. In the following years, the black industry based on these two tools became increasingly prosperous...

Taishi

2010 can be said to be the beginning of the rapid development of Android security.

If you want to crack a software without protection, you only need to use apktool, dex2jar and other tools to clearly and completely see the original code logic of a product. Coupled with perseverance and a certain amount of reverse thinking, you can It can be done.

Although there was no one-click APP reinforcement service like today, code protection technology was not new, and the routines could be copied and used.

One of the most commonly used protection methods is: code obfuscation

For example, Google comes with the obfuscator ProGuard. The only function of ProGuard is to modify class names, method names, and field names. There are two main benefits. One is symbol obfuscation. Changing the original XXXActivity to a makes it difficult for you to guess the purpose of this class. Another benefit is the compressed file size. After all, there are tens of thousands of types, and the byte ratio of symbol strings in the dex file is not small.

Another representative one is DexGuard, another product from the same developer as ProGuard. The difference is that it has richer functions and is a commercial software sold for money, while ProGuard is a free software for all developers to use for free. Dexguard's obfuscation function is more powerful and supports functions such as string encryption, flower instructions, and resource encryption. With development now, DexGuard has richer functions and even some runtime protections. It is no longer a simple obfuscator.

Commonly used protection methods include: dynamic loading

Compile the code that needs to be protected separately, encrypt it and decrypt it while the program is running, and use ClassLoader to load it dynamically. This is a common way to protect code on PC, and it was also the basis for the first generation of shells.

Please Check the artcile blow.
https://github.com/xiaokanghub/Android

Dynamic Loading Method 1: Android Reinforcement Application Hook Method-Frida

I apologize for the obfuscation. Here's the explanation of the provided code using a copyable Markdown source format:

Explanation:

1. The code uses Java.perform to execute the provided code in the context of the running Android application.

2. It obtains a reference to the android.app.Application class.

3. It hooks the attach method of the android.app.Application class, specifically targeting the overload that takes a parameter of type android.content.Context.

4. The original attach method is called with the provided context, and its result is stored.

5. The class loader from the provided context is obtained.

6. The obtained class loader is set as the loader for the Java class factory in Frida.

7. The com.zcm.MainWindow class is loaded using the Java class factory.

8. Information about the loaded class is output to the console.

9. The Button_UserLogin$ByClick method of the com.zcm.MainWindow class is hooked, allowing the interception and modification of its behavior when called.

10. The value of the ReturnValueAAAA property of the this object (which represents the instance of the hooked method) is output to the console.

Dynamic Loading Method 2 : List loaded classes

Explanation:

• Java.enumerateLoadedClasses: This function is provided by Frida and is used to enumerate all currently loaded Java classes in the application.

• "onMatch": function(className) { console.log(className) }: This is a callback function that will be invoked for each matched class name during the enumeration. It simply logs each class name to the console.

• "onComplete": function() { }: This is another callback function that will be invoked when the enumeration is complete. In this case, it is an empty function, meaning it does not perform any specific action.

Overall, this code is designed to log the names of all loaded Java classes in the application, providing insights into the class structure and loaded components during runtime.

Certainly! Here's the explanation of the provided code using Markdown source format:

Dynamic Loading Method 3 : Hook dynamically loaded classes ----》 Get the parameters of the constructor

Explanation:

1. The code uses Java.perform to execute the provided code in the context of the running Android application.

2. It creates a wrapper for the DexClassLoader class.

3. It hooks the constructor $init of the DexClassLoader class and prints its four parameters: dexPath, optimizedDirectory, librarySearchPath, and parent.

4. The original logic of the constructor is not disrupted; it calls the original constructor.

5. It logs a message indicating that the hooking process is completed.

if you wanted the known where is the function from, You can search the keywords "dalvik.system.DexClassLoader" , you may get the new page to understood , how it is implemented?

Positive development ideas Android dynamically loading dex,

Please refer to the following web links.
https://blog.csdn.net/lx768863620/article/details/79414010

so the most important problem is to realize and write on by yourself.

The most hard-core protection: Native development

Use NDK to write applications and directly generate native code

They are using NDK developmented. by C++ or C .

Because he writes the key logic in the so file, which makes it difficult for you to analyze.

Java-level protectino is almost abandoned now.

Well, this is the basis of today's java2cpp technology. . .

The most modern protection: core data and functions are cloud-based.

Put all important functions and data into cloud computing, and the client can be used only for display. Well, this is barely the basis of current risk control. . .

Therefore, most of the current code protection methods on the mobile terminal are constantly upgraded and adapted based on the predecessors.

Taisu

If protection is standing on the shoulders of giants, then cracking is standing on the shoulders of God.

Since static analysis is not possible, the attacker can also perform dynamic analysis from a God's perspective.

Regarding dynamic analysis, I wrote a special article "Summary of Android Dynamic Analysis Attack and Defense" and talked about some routines. You can check the historical information on the official account.

In the face of dynamic analysis, dynamic loading, which was originally the most direct, effective and low-cost method, has become the most fragile protection method.

Usually you only need to attach a process to do a memory roaming search for dex.035 or even look directly at the Segment name to find the dynamically loaded dex file in the memory and dump it. As of 2020, this method is still effective for most hardened generation protections. .

Of course, there's a lot of manual work, such as dvmDexFileOpenPartial and other function break points about loading code, and you can easily find the decrypted dex file by doing Hook.

This is the unpacking method of Android hardened No. 1 machine.

Because simple dynamic loading alone cannot stop people at all, there are probably several other development routes for application protection at this time:

Fight against debuggers

This part has been discussed a lot in the article "Android Dynamic Analysis Offense and Defense Summary" published by the public account (Hu Ke Laoshiji), you can refer to it.

Of course, there are not many methods at the beginning, but they are obtained through continuous exploration, competitive product analysis, and community sharing by all parties.

Fight against decompilers

By looking for vulnerabilities and BUGs in various decompilers and disassemblers, the payload is inserted into the DEX or resource files that need to be protected, causing the tool to crash and prevent it from running normally.

However, this road is obviously a dead end. With the continuous maintenance of various tools, compatibility becomes stronger and stronger. It is not easy to find such bugs that can be bypassed directly. Even if there are any, they will be quickly fixed.

Typical examples are Black Hat USA 2012 - Dex Education: Practicing Safe Dex, and 360 hardening which also had some such protection before.

Against people: disgusting flow

The code protects millions of roads, but only disgusting people are the king.

So the responsibility of this road is to carry forward the essence of obfuscation: "disgusting".

for example:

1. Symbol obfuscation upgraded version:

Previously, the class name, method name, and field name were replaced by abcd. Later, I started to use a obfuscation dictionary, which includes various small language symbols and invisible symbols. Just use the symbols in these dictionaries to generate new class names, method names, and field names. The final effect is that it looks garbled or blank.

Of course, there are many countermeasures. For example, the anti-obfuscation function of the open source decompiler Jadx supports automatic renaming of symbols into meaningless names like abcd;

Another example is another anti-obfuscation function, which reads the sourcefile attribute from the DEX file to restore the real class name. However, this is just debugging information, so many obfuscators will directly remove this field.

More advanced, such as blank obfuscation.

The effect shown by the code

So the most effective tool to combat this kind of obfuscation is: people

2. String encryption enhanced version:

Many of the initial string encryptions were relatively monotonous. Generally, there was a decryption method that accepted an encrypted string or byte[] and then returned a string. This is of course easy to target. As long as you first use dex2jar and then dynamically load the Jar package and call the decryption method through reflection, you can get the plaintext string.

So many mutation methods appeared later, probably the following:

1. Guerrilla play method, group strings and use multiple algorithms to encrypt them. Instead of relying on only one method to decrypt, each decryption method corresponds to a different algorithm, so you can't catch them all at once.
2. The Self-Defense Force’s approach is to check the running environment when initializing the decryption algorithm, or rely on the context environment to increase the difficulty of calling.
3. Use native decryption and SO protection.*

3. Native protection

For Native's disgusting flow protection, the most popular and most effective one is OLLVM. OLLVM is something that only appeared since 2013, and may have a lot of content. I will talk about this later.

As for other Native protection, there are basically only two methods at the beginning:

1. Destroy the ELF file structure and even customize the linker to load customized SO.
2. Encrypt the code segment and decrypt it at runtime, which is similar to Dex dynamic loading. Or directly apply a traditional ELF shell such as UPX.

While dynamic DUMPing of memory can result in real code, not being able to repair the complete file structure leaves a lot missing that can aid in analysis.

4. Other obfuscations:

I have seen before that there is no normal file in the APK package except the necessary manifest. The assert, lib, dex, and res are all protected (including some of the methods mentioned above), let alone compatibility. Or how about the performance, anyway, it’s really disgusting...

Tai Chi

2010 was the year of creation of Android application security. By about 2013, various code protection technologies for Android applications had basically taken shape, and most of the above technologies had been stably implemented.

It can be said that the period from 2009 to 2012 was a period when Android application security went from Wuji to Tai Chi and ushered in a new era.

During this time, Android has captured most of the mobile phone market.

In 2013, the global market share of Android mobile phones was as high as 80%, and a large number of users and developers poured in.

Google’s Android empire is unstoppable.

At the same time, the spring of the Android application security market is also coming.

To predict what will happen in the future, please press and hold the QR code below to follow Hu Ke Lao Shi Ji and listen to the next chapter's breakdown...
​

Here function was not encrypted. read directly.

Here, you can look directly at his logic without any obfuscation.

earch for the main dex file of 学而思

// check the dumped file size

There are too many files, and it is confusing to look directly.

The goal is to use frida -- interceptors of this goal

The specific location of the error, the core requirements, and the okhttp3hook .js of the restore system (the course and the steps to detail how to build a js file)

why the script report error.

There are two ways for Frida to load scripts

objection -g com.xes.jazhanghui.activity explore -P /root/.objection/plugin

a, solve the problem of envirment configuration .

// Here is Spanwan Mode ---->

// Here is Attach Mode ---->

// system envirmoment configuration only for Jul 28, 2020

// installing step
// The installation order here should not be messed up, and the frida must be in front of the frida-tools first

// debug the App called com.xes.jazhanghui.activity

dumped path is

Author dumped path of Course is

I didn't have a problem with my operation，But I have these files included in my script.

The following 3 package names should exist in the system and have been installed.

Problems mentioned in the script

As you can see from the lesson, my phone doesn't have these two files, so the error is reported.
The solution is to comment out all the useless code blocks and manually load them into Frida

As you can see from the screenshot above, there is no obfuscation.
We can go directly to the target class name okhttp3 by way of script.

Follow the final Video Requirements toggle

Modified js script （maybe it was correct ）

b, Troubleshoot issues and execute them successfully

execute following Script.

There are several practical examples of obfuscation

examples of no obfuscation XueErSi APP

This is an obvious certificate binding class

Only one we care about that is the operation of the OkHttp3 sub class interceptor

<!-- -->

<!-- -->

<!-- -->

This is offcial API handbook of Interceptors. Its structure can be roughly guessed

This is we wanted find the target of interceptor function of okhttp3.client class

examples of obfuscation Mooc

Generally, it is cracked with a confusing mode.

you can using Frida Hook to print the Area's result.

we can use this idea to replace the idea of the interceptor as a whole.

we were dynamic position this class.

ok , this is correct .

How to judge ? it is based on his class name.

examples of obfuscation Free cinema APP

this App className alll was disappeard.

how to judge the class is correct or not.
watch them structure is correct.

this is for the obfs later charector.

Almost exactly the same as the normal function structure.

ok， finally, i will write the javascript to the loaded manually.

All reference links

nexus 5x brush machine pointing North
https://www.jianshu.com/p/f0dc69b75476

Flash magisk for nexus with ADB Sideload !
https://bbs.kanxue.com/thread-279435-1.htm#1759925

frida js script using methods
https://papayawd.github.io/2020/10/18/frida-js%E8%84%9A%E6%9C%AC%E4%BD%BF%E7%94%A8%E6%96%B9%E6%B3%95/

https://cmsblogs.cn/3706.html
Android Frida Reverse & Packet Grabbing Combat PDF Download

Android: Create a Screenshot with ADB
https://supportcommunity.zebra.com/s/article/000021675?language=en_US

OkHttpClient (OkHttp 3.7.0 API).
https://javadoc.io/static/com.squareup.okhttp3/okhttp/3.7.0/okhttp3/OkHttpClient.html#connectionSpecs--

Location analysis based on memory roaming
https://onejane.github.io/2021/02/12/%E5%9F%BA%E4%BA%8E%E5%86%85%E5%AD%98%E6%BC%AB%E6%B8%B8%E5%AE%9A%E4%BD%8D%E5%88%86%E6%9E%90/#%E6%A1%88%E4%BE%8B%E4%B8%80

Socket&Websocket&ProtobufSelf-spitting and killing Everything can be reversed
https://onejane.github.io/2021/03/14/Socket&Websocket&Protobuf%E8%87%AA%E5%90%90%E9%80%9A%E6%9D%80/#%E5%85%B3%E9%94%AE%E7%B1%BB%E5%AE%9A%E4%BD%8D

siyujie_OkHttpLogger-Frida Frida implements a script that intercepts okhttp
https://github.com/siyujie/OkHttpLogger-Frida

r0gson.dex
https://github.com/r0ysue/AndroidSecurityStudy/blob/master/FRIDA/r0gson.dex.zip

xiaokanghub_Android Android 加固应用Hook方式-Frida
https://github.com/xiaokanghub/Android

Basic Syntax Markdown Guide
https://www.markdownguide.org/basic-syntax/

Android App Protection (1)
https://mp.weixin.qq.com/s/tI89U6eht0F_KrMJXooo1A

siyujie_okhttp_find Search for okhttp3 based on features and use java reflection.
https://github.com/siyujie/okhttp_find/

adb - How to mount _system rewritable or read-only (RW_RO) - Android Enthusiasts Stack Exchange
https://android.stackexchange.com/questions/110927/how-to-mount-system-rewritable-or-read-only-rw-ro

How to connect Burp Suite to an Android Emulator by artx MII Cyber Security Consulting Services Medium
https://medium.com/mii-cybersec/how-to-connect-burp-suite-to-an-android-emulator-9da19b0ad2c3

[Original] null obfuscation - android security - see snow - security community _ security recruitment _ kanxue.com
https://bbs.kanxue.com/thread-247680.htm

Boutique Serial丨Android App Reverse Course No. 3 frida injected Okhttp Capture Packet Part I
https://mp.weixin.qq.com/s?__biz=Mzg3MjU3NzU1OA==&mid=2247496420&idx=1&sn=9a1460a6755524f3e22bf53878a4802c&source=41#wechat_redirect

GitHub - w296488320_NullProguard_ Blank Obfuscation source code
https://github.com/w296488320/NullProguard

https://blog.cxplay.org/works/vscode-to-markdown-editor/
将 VS Code 打造成一个体验舒适的 Markdown 编辑器 _ CXPLAY World

http://www.dtasecurity.cn:20080/androidjunior/readme.html
0822 class Course 9th : real app practice

Android App Protection (2)
https://mp.weixin.qq.com/s/DkpQ_71Gt-jkwOuRU1Mv0A?

DexClassLoader Android Developers
https://developer.android.com/reference/dalvik/system/DexClassLoader

Concerns about the cybersecurity industry in Japan

「onMatch function(instance){」の検索結果 - Yahoo!検索
https://
search.yahoo.co.jp/search?p=onMatch%3Afunction(instance)%7B&ei=UTF-8&ts=498&aq=-1&x=nl&rkf=1&fl=2

How many security industry researchers are there in Japan?
株式会社アクティブディフェンス研究所
http://blog.activedefense.co.jp/2021/12/fridaandroid-malwaremoqhao-xloader.html

事業概要 - 株式会社アクティブディフェンス研究所
https://www.activedefense.co.jp/consultingetc/

改竄とリバースエンジニアリング (Android)
https://github.com/coky-t/owasp-mastg-ja/blob/master/Document/0x05c-Reverse-Engineering-and-Tampering.md

Frida Tutorial 1 - HackTricks
https://book.hacktricks.xyz/v/jp/mobile-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1

Useful Words

[培训]《安卓高级研修班(网课)》月薪三万计划，掌握调试、分析还原ollvm、vmp的方法，定制art虚拟机自动化脱壳的方法