-
-
[原创]【安卓逆向】libmsaoaidsec.so反调试及算法逆向案例(爱库存)
-
发表于: 2024-12-14 22:09
-
charles + 系统代理就可以抓包
我们本次主要分析这个sign
附加frida,发现秒退,这个时候我们已经是魔改的fridaGitHub - taisuii/rusda: 对frida 16.2.1的patch并且更换端口了
hook 一下dlopen
在 libmsaoaidsec.so 处退出,app没有结束,frida被杀掉了
这个检测其实就是在加载so的时候,创建了检测线程,具体的话可以分析libmsaoaidsec.so的 .init_proc函数
那么其实已经有很多网友分析过这个了,hook__system_property_get函数寻找hook时机,找到创建线程的地方然后把它替换掉固然是个好方法
不过这里直接粗暴一点,hook pthread_create,只要是在libmsaoaidsec.so里面创建的线程,我们统统替换掉
成功过掉检测,一共两处线程创建的地方:0x175f8和0x16d30,
这个检测在很多app中都是存在的,这个方式在其他app中不一定适用
无套路定位到
无套路,可读性非常高,都是字符串拼接
这个digest函数是调用的java层进行加密的
获取加密参数以及sha256 的参数,结果一致
(base) r@R aikucun % frida -H 127.0.0.1:12345 -f com.aikucun.akapp ____
/ _ | Frida 16.2.1 - A world-class dynamic instrumentation toolkit| (_| |> _ | Commands:/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .. . . . More info at https://frida.re/docs/home/
. . . .. . . . Connected to 127.0.0.1:12345 (id=socket@127.0.0.1:12345)
Spawned `com.aikucun.akapp`. Resuming main thread! [Remote::com.aikucun.akapp ]-> Process terminated[Remote::com.aikucun.akapp ]->Thank you for using Frida!
(base) r@R aikucun % (base) r@R aikucun % frida -H 127.0.0.1:12345 -f com.aikucun.akapp ____
/ _ | Frida 16.2.1 - A world-class dynamic instrumentation toolkit| (_| |> _ | Commands:/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .. . . . More info at https://frida.re/docs/home/
. . . .. . . . Connected to 127.0.0.1:12345 (id=socket@127.0.0.1:12345)
Spawned `com.aikucun.akapp`. Resuming main thread! [Remote::com.aikucun.akapp ]-> Process terminated[Remote::com.aikucun.akapp ]->Thank you for using Frida!
(base) r@R aikucun % function hookdlopen() {
var dlopen = Module.findExportByName(null, "dlopen");
var android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");
Interceptor.attach(dlopen, {
onEnter: function (args) {
var path_ptr = args[0];
var path = ptr(path_ptr).readCString();
console.log("[dlopen:]", path);
},
onLeave: function (retval) {
}
});
Interceptor.attach(android_dlopen_ext, {
onEnter: function (args) {
var path_ptr = args[0];
var path = ptr(path_ptr).readCString();
console.log("[dlopen_ext:]", path);
},
onLeave: function (retval) {
}
});
}function hookdlopen() {
var dlopen = Module.findExportByName(null, "dlopen");
var android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");
Interceptor.attach(dlopen, {
onEnter: function (args) {
var path_ptr = args[0];
var path = ptr(path_ptr).readCString();
console.log("[dlopen:]", path);
},
onLeave: function (retval) {
}
});
Interceptor.attach(android_dlopen_ext, {
onEnter: function (args) {
var path_ptr = args[0];
var path = ptr(path_ptr).readCString();
console.log("[dlopen_ext:]", path);
},
onLeave: function (retval) {
}
});
}(base) r@R aikucun % frida -H 127.0.0.1:12345 -f com.aikucun.akapp -l hook.js ____
/ _ | Frida 16.2.1 - A world-class dynamic instrumentation toolkit| (_| |> _ | Commands:/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .. . . . More info at https://frida.re/docs/home/
. . . .. . . . Connected to 127.0.0.1:12345 (id=socket@127.0.0.1:12345)
Spawned `com.aikucun.akapp`. Resuming main thread! [Remote::com.aikucun.akapp ]-> [dlopen_ext:] /system/framework/oat/arm64/org.apache.http.legacy.boot.odex
[dlopen_ext:] /data/app/com.aikucun.akapp-Gqd0OXL0bAt7H-zUkRSKuA==/oat/arm64/base.odex
[dlopen_ext:] /data/app/com.aikucun.akapp-Gqd0OXL0bAt7H-zUkRSKuA==/lib/arm64/libc++_shared.so
[dlopen_ext:] /data/app/com.aikucun.akapp-Gqd0OXL0bAt7H-zUkRSKuA==/lib/arm64/libmarsxlog.so
[dlopen_ext:] /data/app/com.aikucun.akapp-Gqd0OXL0bAt7H-zUkRSKuA==/lib/arm64/libmmkv.so
[dlopen_ext:] /data/app/com.aikucun.akapp-Gqd0OXL0bAt7H-zUkRSKuA==/lib/arm64/libmsaoaidsec.so
Process terminated[Remote::com.aikucun.akapp ]->Thank you for using Frida!
(base) r@R aikucun % (base) r@R aikucun % frida -H 127.0.0.1:12345 -f com.aikucun.akapp -l hook.js ____
/ _ | Frida 16.2.1 - A world-class dynamic instrumentation toolkit| (_| |> _ | Commands:/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .. . . . More info at https://frida.re/docs/home/
. . . .. . . . Connected to 127.0.0.1:12345 (id=socket@127.0.0.1:12345)
Spawned `com.aikucun.akapp`. Resuming main thread! [Remote::com.aikucun.akapp ]-> [dlopen_ext:] /system/framework/oat/arm64/org.apache.http.legacy.boot.odex
[dlopen_ext:] /data/app/com.aikucun.akapp-Gqd0OXL0bAt7H-zUkRSKuA==/oat/arm64/base.odex
[dlopen_ext:] /data/app/com.aikucun.akapp-Gqd0OXL0bAt7H-zUkRSKuA==/lib/arm64/libc++_shared.so
[dlopen_ext:] /data/app/com.aikucun.akapp-Gqd0OXL0bAt7H-zUkRSKuA==/lib/arm64/libmarsxlog.so
[dlopen_ext:] /data/app/com.aikucun.akapp-Gqd0OXL0bAt7H-zUkRSKuA==/lib/arm64/libmmkv.so
[dlopen_ext:] /data/app/com.aikucun.akapp-Gqd0OXL0bAt7H-zUkRSKuA==/lib/arm64/libmsaoaidsec.so
Process terminated[Remote::com.aikucun.akapp ]->Thank you for using Frida!
(base) r@R aikucun % function replace(addr) {
Interceptor.replace(addr, new NativeCallback(function () {
console.log(`replace ${addr}`)
}, 'void', []));
}function hook_pthread_create(soname) {
let replaces = []; // 用来记录已经替换的函数偏移
// int pthread_create(pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine)(void*), void *arg);
let pthread_create = Module.findExportByName("libc.so", "pthread_create");
if (!pthread_create) {
console.log("pthread_create not found in libc.so");
return;
}
Interceptor.attach(pthread_create, {
onEnter: function (args) {
let start_routine = args[2];
let libmsaoaidsec = Process.findModuleByAddress(start_routine);
if (libmsaoaidsec && libmsaoaidsec.name === soname) {
if (!replaces.includes(start_routine.toString())) {
let libmsaoaidsec_addr = libmsaoaidsec.base;
let func_offset = start_routine.sub(libmsaoaidsec_addr);
console.log("The thread function offset address in libmsaoaidsec.so(" + libmsaoaidsec_addr + ") is " + func_offset);
console.log("replace: " + func_offset);
replaces.push(start_routine.toString());
replace(start_routine)
}
}
}
});
}function replace(addr) {
Interceptor.replace(addr, new NativeCallback(function () {
console.log(`replace ${addr}`)
}, 'void', []));
}function hook_pthread_create(soname) {
let replaces = []; // 用来记录已经替换的函数偏移
// int pthread_create(pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine)(void*), void *arg);
let pthread_create = Module.findExportByName("libc.so", "pthread_create");
if (!pthread_create) {
console.log("pthread_create not found in libc.so");
return;
}
Interceptor.attach(pthread_create, {
onEnter: function (args) {
let start_routine = args[2];
let libmsaoaidsec = Process.findModuleByAddress(start_routine);
if (libmsaoaidsec && libmsaoaidsec.name === soname) {
if (!replaces.includes(start_routine.toString())) {
let libmsaoaidsec_addr = libmsaoaidsec.base;
let func_offset = start_routine.sub(libmsaoaidsec_addr);
console.log("The thread function offset address in libmsaoaidsec.so(" + libmsaoaidsec_addr + ") is " + func_offset);
console.log("replace: " + func_offset);
replaces.push(start_routine.toString());
replace(start_routine)
}
}
}
});
}(base) r@R aikucun % frida -H 127.0.0.1:12345 -l hook.js -f com.aikucun.akapp ____
/ _ | Frida 16.2.1 - A world-class dynamic instrumentation toolkit| (_| |> _ | Commands:/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .. . . . More info at https://frida.re/docs/home/
. . . .. . . . Connected to 127.0.0.1:12345 (id=socket@127.0.0.1:12345)
Spawned `com.aikucun.akapp`. Resuming main thread! [Remote::com.aikucun.akapp ]-> replace 0x7b6b55a5f8replace 0x7b6b559d30[Remote::com.aikucun.akapp ]->赞赏记录
参与人
雪币
留言
时间
CIH_D39
谢谢你的细致分析,受益匪浅!
2025-3-10 16:16
吃芒果不吐皮
你的分享对大家帮助很大,非常感谢!
2025-2-10 13:18
by_Lin
感谢你分享这么好的资源!
2024-12-20 04:16
菜小基
感谢你的贡献,论坛因你而更加精彩!
2024-12-18 15:46
mb_lwbibjys
非常支持你的观点!
2024-12-17 17:50
mb_shzsxtje
感谢你的贡献,论坛因你而更加精彩!
2024-12-17 14:14
bbpk
感谢你的贡献,论坛因你而更加精彩!
2024-12-16 12:26
你瞒我瞒
你的分享对大家帮助很大,非常感谢!
2024-12-16 09:13
mr2222
期待更多优质内容的分享,论坛有你更精彩!
2024-12-15 16:23
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
msa ,移动安全联盟 |
|
|
__system_property_get 是获取系统的一些信息的,参数是key和value,一般情况下这个so在创建检测线程之前会调用这个函数获取一些系统的信息,当这个函数在so中被调用的时候再hook线程创建,然后patch掉或者替换掉就可以过检测了 |
|
|
|
|
|
|
|
|
我在某一个app里面做过这种操作,完全没问题 |
|
|
好的,谢谢 |
|
|
我猜是某物 
|
