首页
社区
课程
招聘
[原创] Android Reverse Project No.9, "Types of App Protection“ ---- Video Course
发表于: 2024-1-4 17:22 2918

[原创] Android Reverse Project No.9, "Types of App Protection“ ---- Video Course

2024-1-4 17:22
2918

入门学习逆向的个人笔记,预览(欢迎探讨)

[原创] 肉丝的r0env2022(kali linux)配置xrdp远程桌面,以及Genymotion安卓11的ssh登陆问题和11系统amr64转译问题.
[分享] (Android) 逆向入门记录 一篇杂文, 记录.
[分享] Adndroid逆向的基础环境准备 的一些记录 , 抄袭royuse的课 第3课
[分享] 安卓逆向课题之4, Activity,service,content provider,broadcast receiver和实例演示,完毕
[分享] 安卓逆向课题之5, mobile spider get started. 两天高度集中学习, 承上启下的流程,a明白,b上手练.(5th完结)
[分享] 安卓逆向课题之6, mobile spider get started. Object的自动化动态分析和快速定位(笔记完毕)
[分享] 安卓逆向课题之7, mobile spider get started. 看电视直播App(未加固)去广告升级 (笔记待完善)
[分享] 安卓逆向课题之8, 真实App实操带壳App重打包去强制升级(部分抄袭别人笔记)(一次不完美的实践)
[讨论] Android Reverse Project No.9, "Types of App Security Protection, Identification and Handling Methods"
[原创] Android Reverse Project No.9, "Types of App Protection“ ---- Video Course


IMG_20240104_171728

课程来源, r0yuse. 入门第九课,重点讲解了, app 加固的几种方式, 以及混淆后,如何找到, 在混淆的类中找到对应的位置。
三个实践案例,针对性非常强。 技术本质不会改变!

这个视频仅作个人学习备忘录。欢迎参考,
具体的请下载观看。
本人首次做视屏,逻辑性,严密性,欠缺,忘海涵。
1月 4 号 11 点—16点制作。
估计时长 3 小时 30 分钟。
视屏可能有点花,录制一气呵成,没有剪辑过。
用的上古软件, S-demo 2.0! 需要播放器 配合播放。
观感不好,我的目标是后面如果可以提取那个鼠标指针(因为他的那个指针过于经典,所以用他。后续开发能力上来了,估计就提取资源,自己写一个录屏软件。哎。)

https://www.123pan.com/s/XA9Cjv-dt2Av.html提取码:call

本人从立项到开工,40h+
因为菜鸡一直而已。所以慢。
因为兴趣吧。

第一部分
IMG_20240104_171313

第二部分

IMG_20240104_171410

第三部分

IMG_20240104_171503

第四部分

IMG_20240104_171534
IMG_20240104_171600

视屏笔记

here are 3 App

two app is education app, one app, is free cinema.app

0, we will check the envirment.
using this version of frida server
frida-server-12.11.17-android-arm64-Sep22-2020 // this server is make at sep22, 2020.
and the frida version , yes, 12.11.17. ok the same.

1, android architecture.is
dex, is java file
so, is cpp file, c plus plus file. . ok ,this is art virtual mintine of java.
android app was Java loyalt. layout.

architecture hava many part. for history.

arm32, -- called abi
arm64, v7a, v8a
x86, intel architecture. 32bit , runing at pc /macos , microsoft. windows.
x86-64, intel architecture , 64bit. runing at pc /macos , microsoft. windows. or linux. example. virtualbox. vmware. yes. not real cellphone.

2, what is abi,v7a,x86,

3, the app protection method. history.
android start at 2008, by google.

hacker need write the virus. .
hacker need write the virus. for food.

the app class Name was obfs.
]form class ClassName to 0o000OO, let cracker eyes was bland.

the free cinema app was not permit cracker crack it . the Author was obfuscation the class name normal to named from: ثيغه.ﻝبـق.ﻝبـق.ﻝبـق
// maybe you can not realized. ? yes, the Arabic alphabet. i can not understood.

the proguard . these was no rules. for protect. you can custom it to protect your applicaton not permitt to creak.
Java.perform(function () { // this is javascript language for Frida.

enumerate Loaded Classes,
enumerate means, like gun , you can catch it by your tools.

Dex Class Loader.
Means the , file is needed at the fioe adjdege by frida. using dex file.

DexClassLoader(String dexPath, String optimizedDirectory, String librarySearchPath, ClassLoader parent)

dexPath // where is the dex path.
if you get the path , you can load it.

the Read marked , is offical using method.

you watched the code , is standard method to adjust the class in Dex file alone.

Java.openclassfile.

Android dynamically loading dex,// this is application author using to protect him application.

this code was using by Javascript for Frida.
Frida offerd this function to call the function in Alone Dex file at Cellphone.
just like this . okhttplogging.dex.

public class MainActivity extends AppCompatActivity {
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
start();
}
public void start(){
File dexOutputDir = getDir("dex", 0);
//Dex 文件存放位置
String dexPath ="/storage/emulated/0/output.jar";// Environment.getExternalStorageDirectory().toString() + File.separator + "output.jar";
DexClassLoader loader = new DexClassLoader(dexPath,
dexOutputDir.getAbsolutePath(),
null, ClassLoader.getSystemClassLoader().getParent());
try {
Class clz = loader.loadClass("com.youbo.switchsky.LogUtils");
Object instance= clz.newInstance();
Method method = clz.getMethod("show", Context.class);
method.invoke(instance,this);
} catch (Exception e) {
Log.d("TEST111", "error happened", e);
}
}

}

sorry ,this code is android java code. to call the dex function code.

if you want to get the high tips.
so the most important problem is to realize and write protection code by yourself.

Native development ('protection)

remember this sentence.
Java-level protectino is almost abandoned now.
caussing , the java code decomilped later, looks like source code.

read this pragrah, is an craker written it down , hluwa. he is famuous in China. and over 10years. of the securty.

Giant , and God.
Android Dynamic Analysis Offense and Defense Summary
if you want to read more information you can follwing his public socity account of wechat.

disgusting. people.

Symbol obfuscation upgraded version:

class name was renamed abdc. aaAA0b8. not mean words..

So the most effective tool to combat this kind of obfuscation is: people

Now the hard core is ---->Native protection

customize the linker to load customized SO, this way needed powerful ability to achievement. look like big company.

it’s really disgusting...

ok here is done. for anlyasi. for protection method.

then i will prepard the part Three. please follow me.

----this is Part Three.

/root/Downloads/anzhuo-yingyong-rumen2/20240104/com.xes.jazhanghui.activity
using , plugin. hluwa , writeing the plugin of objection.

636K 0xbdbb201c.dex
6.8M 0xbe56501c.dex
21M 0xc278f000.dex
3.9M 0xc513d000.dex
6.4M 0xc550f000.dex
1.7M 0xc5b73000.dex
2.5M 0xc5d18000.dex
4.4M 0xc6377000.dex
2.0M 0xc67d4000.dex
5.4M 0xc69c8000.dex
5.8M 0xc6f18000.dex
1.7M 0xc75d3000.dex
2.1M 0xc7869000.dex
3.1M 0xc7e7a000.dex
6.8M 0xc84f7000.dex
1.3M 0xc8bb3000.dex
4.1M 0xc8cfc000.dex
1.8M 0xc9535000.dex
1.4M 0xc9c1c000.dex
21M 0xcc15c01c.dex
216K 0xcd84d01c.dex
4.0K 0xd20f61d8.dex
72K 0xe7c7500

those all dex had Okhttp3 class.

Found 159 classes // Found many class. There NO obfucation.

and we are using the objection.
Now i will using javascript file to find targe function and printing it to the bash shell
Now we will using xueersi.js to find the target information of Okhttp3 conceptors.

we were load the js file manually.

  1. found instance: okhttp3.OkHttpClient@6046fbb
  2. instance.interceptors(): java.util.Collections$UnmodifiableRandomAccessList
  3. instance._interceptors: java.util.Collections$UnmodifiableRandomAccessList
  4. interceptors: [com.networkbench.agent.impl.h.b@13a6831, com.tal.xes.app.net.interceptor.LocalCacheInterceptor@8837b16, com.tal.xes.app.net.interceptor.HttpLoggingInterceptor@8804c97, com.xes.cloudlearning.bcmpt.net.CommonHeaderIntercept@9c0ce84, com.tal.xes.app.netbusiness.interceptor.ServerStatusInterceptor@41c566d, com.tal.xes.app.netbusiness.interceptor.AppHeadersInterceptor@7b432a2, com.tal.xes.app.netbusiness.interceptor.AppParamsInterceptor@a731b33, com.tal.xes.app.netbusiness.interceptor.SaveServerTimeInterceptor@1be4ef0, com.tal.xes.app.net.interceptor.ParamsInterceptor@7b4ec69, com.tal.xes.app.netbusiness.interceptor.SignInterceptor@a46d6ee, com.tal.xes.app.netbusiness.interceptor.NetResponseErrorInterceptor@fba378f, com.tal.xes.app.net.retrofit_url.RetrofitUrlManager$1@326e625]
  5. interceptors: [com.networkbench.agent.impl.h.b@13a6831, com.tal.xes.app.net.interceptor.LocalCacheInterceptor@8837b16, com.tal.xes.app.net.interceptor.HttpLoggingInterceptor@8804c97, com.xes.cloudlearning.bcmpt.net.CommonHeaderIntercept@9c0ce84, com.tal.xes.app.netbusiness.interceptor.ServerStatusInterceptor@41c566d, com.tal.xes.app.netbusiness.interceptor.AppHeadersInterceptor@7b432a2, com.tal.xes.app.netbusiness.interceptor.AppParamsInterceptor@a731b33, com.tal.xes.app.netbusiness.interceptor.SaveServerTimeInterceptor@1be4ef0, com.tal.xes.app.net.interceptor.ParamsInterceptor@7b4ec69, com.tal.xes.app.netbusiness.interceptor.SignInterceptor@a46d6ee, com.tal.xes.app.netbusiness.interceptor.NetResponseErrorInterceptor@fba378f, com.tal.xes.app.net.retrofit_url.RetrofitUrlManager$1@326e625]
  6. interceptors: java.util.ArrayList

ok we found the target interceptors of OkHttp3 sub class .

why the script report error.
, this error. was solved by myself. and my bisic knowlege was not good.

examples of no obfuscation XueErSi APP

okhttp3.CertificatePinner _certificatePinner // this certification binding. class.

java.util.List _interceptors; => [0x2976]:// here is interceptors of class OkHttpClient function.
yes , go on.

let us go to the detail of function interceptors of class OkHttpClient function.

class Collections$UnmodifiableRandomAccessList // here is standard format of function interceptors of class OkHttpClient function.

we can watch out the next function , network interceptors.

ava.util.List _networkInterceptors; => [0x29c2]: [com.tal.xes.app.net.interceptor.NetCacheInterceptor@a5e6369] // here is standard format of function networkInterceptors of class OkHttpClient function.

class Collections$UnmodifiableRandomAccessList // there are the same structure. networkInterceptors and interceptors

The double function . networkInterceptors() and Interceptors() They are the same structure.

ok go on .

examples of obfuscation Mooc

let find the class name directly.

plugin wallbreaker objectdump --fullname 0x3f02
plugin wallbreaker objectsearch okhttp3.OkHttpClient
plugin load /root/.objection/plugins/Wallbreaker
plugin load /root/.objection/plugins/dexdump/frida_dexdump

ok , at the obfucation App , you can not find the normal class Name.
and you can to jadx , look out the information.

/* renamed from: okhttp3.O0000ooO reason: case insensitive filesystem */
maybe this is correct. let us guess.

we found the class okhttp3.OkHttpClient this class.

and go on , find the Interceptors(), and networkInterceptors().

package okhttp3 class O0000ooO // ok ,this is normal format of okhttp3 client.

class Collections$UnmodifiableRandomAccessList // ok, found the Interceptors() function. his name is java.util.List _O0000OOo, the memory address is 0x26a6

we can find next funciton networkInterceptors().

java.util.List _O0000Oo; => [0x2676]: [com.imooc.net.network.engineimpl.interceptor.O000000o@18e16ba] // i think maybe this is ture.

test it.
class Collections$UnmodifiableRandomAccessList { // yes , we find it.

ok , we will using javascript file by frida . automantic to call it.
go on.

ok , the javascript was modify done. test it !
the function called searchClient(), go adjust it.

[Nexus 5X::慕课网]-> searchClient()

  1. found instance: okhttp3.O0000ooO@f7bcc9
  2. instance.interceptors(): sun.net.spi.DefaultProxySelector

console.log("2. instance.interceptors():",instance.O0000ooO().$className)
//error disappeard. modify it ,

console.log("3. instance._interceptors:",instance._O0000OOo.value.$className) // it was correct.
5, 6,7 ,8, to end , reported error , i was comment. it . !!!

  1. instance._interceptors: java.util.Collections$UnmodifiableRandomAccessList

// --->Collections$UnmodifiableRandomAccessList // okay ,they are same. !!!

TypeError: undefined not callable (property 'toArray' of [object Object])
at [anon] (../../../frida-gum/bindings/gumjs/duktape.c:67616)
at /imooc.js:9
at frida/node_modules/frida-java-bridge/lib/class-factory.js:310
at frida/node_modules/frida-java-bridge/lib/class-factory.js:264
at tt (frida/node_modules/frida-java-bridge/lib/android.js:462)
[Nexus 5X::慕课网]->

  1. found instance: okhttp3.O0000ooO@f7bcc9
  2. instance.interceptors(): okhttp3.O0000o0
  3. instance._interceptors: java.util.Collections$UnmodifiableRandomAccessList

3, later , code, i will commment. !!!
test it !

[Nexus 5X::慕课网]-> searchClient()

  1. found instance: okhttp3.O0000ooO@f7bcc9
  2. instance.interceptors(): okhttp3.O0000o0
  3. instance._interceptors: java.util.Collections$UnmodifiableRandomAccessList
  4. found instance: okhttp3.O0000ooO@176cfce
  5. instance.interceptors(): okhttp3.O0000o0
  6. instance._interceptors: java.util.Collections$UnmodifiableRandomAccessList
  7. found instance: okhttp3.O0000ooO@a3b6eef
  8. instance.interceptors(): okhttp3.O0000o0
  9. instance._interceptors: java.util.Collections$UnmodifiableRandomAccessList
  10. found instance: okhttp3.O0000ooO@2f53dfc
  11. instance.interceptors(): okhttp3.O0000o0
  12. instance._interceptors: java.util.Collections$UnmodifiableRandomAccessList
  13. found instance: okhttp3.O0000ooO@8365c85
  14. instance.interceptors(): okhttp3.O0000o0
  15. instance._interceptors: java.util.Collections$UnmodifiableRandomAccessList
    Search complete!

good. very good.

here , im searching by plugin wallbreaker, find the five condition result.
it is

we using the script to success found it!!
ok !!

Go ON !!!

The okhttp3.OkHttpClient function offical function is here .

Class OkHttpClient , offical explain. and the page.

Method Summary
All MethodsInstance MethodsConcrete Methods Modifier and Type Method and Description
Authenticator authenticator()
Cache cache()
int callTimeoutMillis()
Default call timeout (in milliseconds).
CertificatePinner certificatePinner()
ConnectionPool connectionPool()
List<ConnectionSpec> connectionSpecs()
int connectTimeoutMillis()
Default connect timeout (in milliseconds).
CookieJar cookieJar()

and this picture. is standard structure.

so , reverse engineer, is more care development. so, if you can developemnt complex application , you can find the more info.

ok , Go ON , ok this is part Four, welcome to come back !!!!

examples of obfuscation Free cinema APP

com.singleman.freevideo (the packageName)

first , look at the jadx. no more info you can get! !
every class name was obfucatin.
NO, no
our target is , OkHttpClient --> so , search it.

the jadx tells me. the name is . (way 1)
/* renamed from: فمضﺝ.ﻙﺫتك reason: contains not printable characters /
/
loaded from: classes.dex */

we using the apktools . test it *(way 2)

└─# grep -ril "OkHttpClient" *
cinema/classes.dex
Free-cinema-v2.1.0_210/smali/فمضﺝ/ﻙﺫتك$ﻝبـق.smali
Free-cinema-v2.1.0_210/smali/فمضﺝ/ﻙﺫتك$ﺯﺵتﻝ.smali
Free-cinema-v2.1.0_210/smali/فمضﺝ/ﻙﺫتك.smali

we were using Free-cinema-v2.1.0_210/smali/فمضﺝ/ﻙﺫتك.smali this file.
head -10 Free-cinema-v2.1.0_210/smali/فمضﺝ/ﻙﺫتك.smali

[Nexus 5X::免费电影院]-> searchClient()

  1. found instance: فمضﺝ.ﻙﺫتك@36f4194
    TypeError: [object Object] not callable (property 'فمضﺝ' of [object Object])
    at [anon] (../../../frida-gum/bindings/gumjs/duktape.c:67616)
    at /free-cinema.js:6
    at frida/node_modules/frida-java-bridge/lib/class-factory.js:310
    at frida/node_modules/frida-java-bridge/lib/class-factory.js:264
    at tt (frida/node_modules/frida-java-bridge/lib/android.js:462)

└─# head -10 Free-cinema-v2.1.0_210/smali/فمضﺝ/ﻙﺫتك.smali
.class public Lفمضﺝ/ﻙﺫتك;
.super Ljava/lang/Object;
.source "OkHttpClient.java"

interfaces

.implements Ljava/lang/Cloneable;
.implements Lفمضﺝ/ثيغه$ﻝبـق;
.implements Lفمضﺝ/ﺝﺏﺩﺡ$ﻝبـق;

this calss name is فمضﺝ.ﻙﺫتك
there is No result. we need click the app, login it.
ok ,there is result.

com.singleman.freevideo on (google: 8.1.0) [usb] # plugin wallbreaker objectsearch ف
مضﺝ.ﻙﺫتك
[0x25f6]: فمضﺝ.ﻙﺫتك@48361e7
[0x1dc2]: فمضﺝ.ﻙﺫتك@36f4194
[0x2616]: فمضﺝ.ﻙﺫتك@8d2343d
[0x2626]: فمضﺝ.ﻙﺫتك@1990432

com.singleman.freevideo on (google: 8.1.0) [usb] # plugin wallbreaker objectdump --
fullname 0x25f6

package فمضﺝ

class ﻙﺫتك {

1
2
3
4
5
6
7
8
9
/* static fields */                                                        
static java.util.List ـشﺥع; => [0x23f6]: [ConnectionSpec(cipherSuites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_3, TLS_1_2, TLS_1_1, TLS_1_0], supportsTlsExtensions=true), ConnectionSpec()]                      
static java.util.List وكﺝﺭ; => [0x22ba]: [h2, http/1.1]
 
/* instance fields */
int shadow$_monitor_; => -2071764505
java.lang.Class shadow$_klass_; => [0x2636]: class فمضﺝ.ﻙﺫتك
فمضﺝ.ﺯﺵتﻝ ﻍغجﺡ; => [0x265a]: فمضﺝ.ﺯﺵتﻝ$ﻝبـق@89e6f81
javax.net.ssl.HostnameVerifier غطدس; => [0x267a]: okhttp3.internal.tls.OkHostnameVerifier@1c0a6df     

ok , we get the information.

then find the target.

From the development experencee .

فمضﺝ.ﺯﺵتﻝ يﺭسل; => [0x26f6]: فمضﺝ.ﺯﺵتﻝ$ﻝبـق@89e6f81
java.util.List ﻭﻍﺫﻉ; => [0x2706]: [ﻝبـق.ﻍبﺯﺫ.ﻝبـق.ﻝبـق.بﺙذن.بﺙذن.ﻝبـق@760adf5]
فمضﺝ.ﻝفﻱه ثيغه; => [0x272a]: فمضﺝ.ﻝفﻱه@9a8e78a
فمضﺝ.بﺙذن ﺯكعض; => null
boolean طكزﺹ; => true
فمضﺝ.ﺹﻅﻍز ﺩذحﺽ; => [0x274a]: فمضﺝ.ﺹﻅﻍز@232d1fb
java.util.List فمضﺝ; => [0x2756]: [ConnectionSpec(cipherSuites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_3, TLS_1_2, TLS_1_1, TLS_1_0], supportsTlsExtensions=true), ConnectionSpec()]

java.util.List فمضﺝ; => [0x2756]: [ConnectionSpec // this is interceptors()

java.util.List ﻭﻍﺫﻉ; => [0x2706]: [ﻝبـق.ﻍبﺯﺫ.ﻝبـق.ﻝبـق.بﺙذن.بﺙذن. // this is networkInterceptors()

test it .

ok !

com.singleman.freevideo on (google: 8.1.0) [usb] # plugin wallbreaker objectdump --f
ullname 0x2756

package java.util

class Collections$UnmodifiableRandomAccessList {

ok !

com.singleman.freevideo on (google: 8.1.0) [usb] # plugin wallbreaker objectdump --f
ullname 0x2706

package java.util

class Collections$UnmodifiableRandomAccessList {

All it was success !!

next , we will write the javascript to archieve it!

[Nexus 5X::免费电影院]-> searchClient()

  1. found instance: فمضﺝ.ﻙﺫتك@36f4194
  2. instance._interceptors: java.util.Collections$UnmodifiableRandomAccessList
  3. interceptors: [ﻝبـق.ﻍبﺯﺫ.ﻝبـق.ﻝبـق.بﺙذن.بﺙذن.ﻝبـق@f9da6ad]
  4. found instance: فمضﺝ.ﻙﺫتك@8d2343d
  5. instance._interceptors: java.util.Collections$UnmodifiableRandomAccessList
  6. interceptors: [ﻝبـق.ﻍبﺯﺫ.ﻝبـق.ﻝبـق.بﺙذن.بﺙذن.ﻝبـق@5b6dde2]

ok !!!

its done!


[招生]系统0day安全班,企业级设备固件漏洞挖掘,Linux平台漏洞挖掘!

最后于 2024-1-19 23:02 被calleng编辑 ,原因:
上传的附件:
收藏
免费 2
支持
分享
最新回复 (1)
雪    币: 10
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
点赞
2024-1-4 18:11
0
游客
登录 | 注册 方可回帖
返回
//