Analysis of an e-commerce app, part of a series: doCommandNative
2022-06-23 21:34:00 【fenfei331】
1. Goal
Boss Li: Fly hard, you have written several articles on x-sign, but they all stayed inside the APK. When are we going to analyse the .so?
Fly hard: One step at a time. Last time we located the .so; today we analyse it.
App version: v4.15.1
2. Steps
The native-layer entry point
First, recall this stack:
```
[NewStringUTF] bytes:x-sign Rc Full call stack:
dalvik.system.VMStack.getThreadStackTrace(Native Method)
tt: java.lang.Thread.getStackTrace(Thread.java:1538)
tt: com.txxxao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method)
tt: com.axxbxxx.wireless.security.mainplugin.а.doCommand(Unknown Source:0)
tt: com.axxbxxx.wireless.security.middletierplugin.c.d.a.a(Unknown Source:280)
tt: com.axxbxxx.wireless.security.middletierplugin.c.d.a$a.invoke(Unknown Source:56)
tt: java.lang.reflect.Proxy.invoke(Proxy.java:913)
tt: $Proxy12.getSecurityFactors(Unknown Source)
tt: mtopsdk.security.d.a(lt:620)
tt: mtopsdk.mtop.a.a.a.a.a(lt:218)
tt: mtopsdk.framework.a.b.d.b(lt:45)
tt: mtopsdk.framework.b.a.a.a(lt:60)
0xcb434e10 libsgmiddletierso-6.5.50.so!0x33e10
0xcb404e28 libsgmiddletierso-6.5.50.so!0x3e28
0xc9dd5536 libsgmainso-6.5.49.so!0x10536
0xc9dd71c8 libsgmainso-6.5.49.so!0x121c8
0xf365607a libart.so!art_quick_generic_jni_trampoline+0x29
0xf364068a libart.so!MterpAddHotnessBatch+0x29
0xf3651b76 libart.so!art_quick_invoke_stub_internal+0x45
```
The stack speaks for itself. It tells us:
1. The JNI function being called is com.txxxao.wireless.security.adapter.JNICLibrary.doCommandNative.
2. doCommandNative is implemented in libsgmainso-6.5.49.so, probably somewhere near offset 0x121c8.
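As an added example (not code from the original post), here is a small Node.js parser for the stack line above: it splits the mixed Java and native frames into objects, picks out the JNI entry point, and groups the native frames' module-relative offsets by module, so the two facts just read off by eye can be extracted programmatically. The sample trace is a shortened copy of the one printed above; the list of "trace collector" classes to skip and all function names are this example's own assumptions.

```javascript
// Constructed sample: the trace printed above, shortened to a few frames.
const SAMPLE_TRACE =
  "[NewStringUTF] bytes:x-sign Rc Full call stack:" +
  "dalvik.system.VMStack.getThreadStackTrace(Native Method) " +
  "tt: java.lang.Thread.getStackTrace(Thread.java:1538) " +
  "tt: com.txxxao.wireless.security.adapter.JNICLibrary.doCommandNative(Native Method) " +
  "tt: com.axxbxxx.wireless.security.mainplugin.а.doCommand(Unknown Source:0) " +
  "tt: mtopsdk.security.d.a(lt:620) " +
  "0xcb434e10 libsgmiddletierso-6.5.50.so!0x33e10 " +
  "0xc9dd5536 libsgmainso-6.5.49.so!0x10536 " +
  "0xc9dd71c8 libsgmainso-6.5.49.so!0x121c8 " +
  "0xf365607a libart.so!art_quick_generic_jni_trampoline+0x29";

// Frames the runtime adds while collecting the trace itself (assumption of this
// example); they are declared "Native Method" but are never the JNI entry we want.
const TRACE_COLLECTORS = new Set(["dalvik.system.VMStack", "java.lang.Thread"]);

// Two alternatives: Java frames "tt: pkg.Class.method(Location)" (the first frame
// follows "call stack:" instead of "tt:"), and native frames "0xADDR module!symbol"
// where symbol is either "0xOFF" or "name+0xOFF".
const FRAME_RE =
  /(?:tt:|call stack:)\s*([^\s(]+)\(([^)]*)\)|(0x[0-9a-fA-F]+)\s+([^\s!]+)!(\S+)/g;

function parseStack(line) {
  const frames = [];
  for (const m of line.matchAll(FRAME_RE)) {
    if (m[1] !== undefined) {
      // Java frame: split "pkg.Class.method" at the last dot
      const dot = m[1].lastIndexOf(".");
      frames.push({
        kind: "java",
        cls: m[1].slice(0, dot),
        method: m[1].slice(dot + 1),
        location: m[2],
        isNative: m[2] === "Native Method",
      });
    } else {
      // Native frame: absolute address, module, and a symbol or raw offset
      const sym = m[5];
      const plus = sym.lastIndexOf("+");
      const rawOffset = sym.startsWith("0x");
      frames.push({
        kind: "native",
        address: m[3],
        module: m[4],
        symbol: rawOffset ? null : sym.slice(0, plus),
        offset: parseInt(rawOffset ? sym : sym.slice(plus + 1), 16),
      });
    }
  }
  return frames;
}

// The JNI entry is the first Java frame declared "Native Method" that is not
// one of the stack-collection helpers.
function findJniEntry(frames) {
  return (
    frames.find((f) => f.kind === "java" && f.isNative && !TRACE_COLLECTORS.has(f.cls)) || null
  );
}

// Module-relative offsets of the native frames, grouped by module name.
function nativeOffsetsByModule(frames) {
  const byModule = {};
  for (const f of frames) {
    if (f.kind !== "native") continue;
    if (!byModule[f.module]) byModule[f.module] = [];
    byModule[f.module].push(f.offset);
  }
  return byModule;
}

const frames = parseStack(SAMPLE_TRACE);
const entry = findJniEntry(frames);
console.log("JNI entry: " + entry.cls + "." + entry.method);
console.log("native offsets by module:", nativeOffsetsByModule(frames));
```

Running it under Node prints the JNICLibrary.doCommandNative entry and, for libsgmainso-6.5.49.so, the offsets 0x10536 and 0x121c8 that the text reads off the stack by hand.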
Hook the JNI function first
The JNI function tells us the types of its inputs and its return value, so we cannot skip it.
The declaration of this JNI function sits inside libsgmain.so, a fake .so.
It takes two arguments: the first is an int, the second an Object array.
Let's use frida first to check that it is really our target.
```javascript
Java.perform(function () {
    // JNICLibrary is loaded by the plugin's own class loader, not the default
    // one, so locate that loader first
    Java.enumerateClassLoaders({
        "onMatch": function (loader) {
            if (loader.toString().indexOf("libsgmain.so") >= 0) {
                Java.classFactory.loader = loader; // point the current class factory at the loader we need
                console.log("loader = ", loader.toString());
            }
        },
        "onComplete": function () {
            console.log("success");
        }
    });
    // Classes from that loader must be looked up with Java.classFactory.use
    var signCls = Java.classFactory.use('com.txxxao.wireless.security.adapter.JNICLibrary');
    signCls.doCommandNative.implementation = function (a, b) {
        var retval = this.doCommandNative(a, b);
        console.log(" #### >>> a = " + a);
        if (a == 70102) {
            console.log(" #### >>> Obj = " + b);
        }
        console.log(" #### >>> rc= " + retval); // .entrySet().toArray());
        // var stack = threadinstance.currentThread().getStackTrace();
        // console.log("#### >>> Rc Full call stack:" + Where(stack));
        return retval;
    };
});
```
First, a word on where 70102 comes from. doCommandNative clearly serves many functions, and printing all of them is far too noisy.
From the earlier stack, the class com.axxbxxx.wireless.security.middletierplugin.c.d.a tells us that the command parameter used for x-sign signing is 70102 (the corresponding code lives in libsgmiddletier.so, another fake .so).
Run it.
Confirmed by eye: that's the one.
TIP: when running this script in Frida spawn mode, loader is not printed. Make any whitespace change to the script and save it; Frida reloads it automatically and the output appears.
Open libsgmainso-6.5.49.so in IDA
This .so is quite interesting.
First, doCommandNative does not appear among its exported functions, which means it is registered dynamically.
Second, every function of any importance in this .so uses dynamic (register-indirect) jumps, which effectively defeats IDA's F5 decompilation.
Let's deal with these one by one.
Dynamic registration is nothing to fear: hooking RegisterNatives handles it.
[RegisterNatives] java_class: com.txxxao.wireless.security.adapter.JNICLibrary name: doCommandNative sig: (I[Ljava/lang/Object;)Ljava/lang/Object; fnPtr: 0x7637c25ba4 module_name: libsgmainso-6.5.49.so module_base: 0x7637c07000 offset: 0x1eba4
The result is in: our target is at 0x1eba4.
The awkward part is that in IDA, 0x1eba4 does not look like a function at all.
What now?
Given the various behaviours of this .so, could it be doing self-modification or similar tricks at runtime?
Either way, let's dump this .so from the running process.
TIP: for dumping a .so, refer to http://91fans.com.cn/post/carcommunitytwo/
My test phone is 64-bit, so the dumped .so is 64-bit.
This time it looks much better, but the annoying BR X11 dynamic jump still stops F5 from working.
Fix it
If we know the value of x11 at this BR X11 instruction and change the instruction into a static jump, can F5 be repaired?
Let's do exactly that.
```javascript
var mbase = Module.getBaseAddress('libsgmainso-6.5.49.so');
// 0x1EC18 is the module-relative offset of the BR X11 instruction
Interceptor.attach(mbase.add(0x1EC18), {
    onEnter: function (args) {
        // dump every register at the moment the BR executes; x11 holds the jump target
        console.log('Context : ' + JSON.stringify(this.context));
    }
});
```
This prints:
```
Context : {"pc":"0x7637921c18","sp":"0x7639089340","x0":"0x20","x1":"0x76390893e4","x2":"0x2776","x3":"0x28","x4":"0x1","x5":"0x0","x6":"0x4","x7":"0x0","x8":"0x16","x9":"0x7639089350","x10":"0x7637a6cd60","x11":"0x7637921c2c","x12":"0x76390893e8","x13":"0x76390893d8","x14":"0x1","x15":"0x0","x16":"0x76dadbf000","x17":"0x76da67d440","x18":"0x0","x19":"0x76506125e0","x20":"0x0","x21":"0x2776","x22":"0x76390896bc","x23":"0x7650261ddf","x24":"0x8","x25":"0x196","x26":"0x763908d588","x27":"0x2","x28":"0x76390893e8","fp":"0x76390893b0","lr":"0x76dadbf60c"}
```
The current pc is 0x7637921c18, and 0x7637921c18 - 0x1EC18 = 0x7637903000, so the base of the .so is 0x7637903000. x11 is 0x7637921c2c, and 0x7637921c2c - 0x7637903000 = 0x1EC2C, so the jump should go to 0x1EC2C.
So change this instruction to b 0x1EC2C.
Press F5 again: it is much nicer than before.
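Added example, not part of the original post: the arithmetic behind the fix as plain Node.js functions, so the numbers can be checked outside Frida. The context is a constructed copy of the JSON printed above reduced to pc and x11; the hook offset 0x1EC18 and the replacement b 0x1EC2C are the ones from the text. The encoding follows the AArch64 B instruction layout (opcode 000101 in bits 31..26, 26-bit signed word offset in bits 25..0); the helper names are this example's own.

```javascript
// Constructed copy of the context dump above, reduced to the two fields used here
const SAMPLE_CONTEXT = JSON.stringify({ pc: "0x7637921c18", x11: "0x7637921c2c" });

// Recover the module base from the pc observed at a known module-relative offset
// (addresses are 64-bit, so BigInt is used throughout).
function moduleBaseFromHook(contextJson, hookOffset) {
  const ctx = JSON.parse(contextJson);
  return BigInt(ctx.pc) - BigInt(hookOffset);
}

// Translate the runtime value of a register back into a module-relative offset.
function registerToOffset(contextJson, reg, base) {
  return BigInt(JSON.parse(contextJson)[reg]) - base;
}

// Encode an AArch64 unconditional "B <target>" to replace the BR X11 at fromOff.
// imm26 is the signed distance (target - pc) in 4-byte words; opcode 0b000101 sits in bits 31..26.
function encodeBranch(fromOff, targetOff) {
  const delta = Number(BigInt(targetOff) - BigInt(fromOff));
  if (delta % 4 !== 0) throw new Error("branch target must be 4-byte aligned");
  const words = delta / 4;
  if (words < -(1 << 25) || words >= (1 << 25)) throw new Error("target out of B range (+/-128 MiB)");
  const imm26 = words & 0x03ffffff;
  return ((0x05 << 26) | imm26) >>> 0;
}

// Little-endian byte order, as the instruction is stored in the file.
function toLeBytes(word) {
  return [0, 8, 16, 24].map((shift) => (word >>> shift) & 0xff);
}

const base = moduleBaseFromHook(SAMPLE_CONTEXT, 0x1EC18);
const target = registerToOffset(SAMPLE_CONTEXT, "x11", base);
const insn = encodeBranch(0x1EC18, target);
console.log("module base : 0x" + base.toString(16));
console.log("x11 offset  : 0x" + target.toString(16));
console.log("b encoding  : 0x" + insn.toString(16), toLeBytes(insn));
```

With the values from the text this yields base 0x7637903000, target 0x1EC2C and the word 0x14000005 (bytes 05 00 00 14), which is what a hex editor should show at file offset 0x1EC18 after the patch.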
Hook doCommandNative in the native layer
This part mainly shows how to hook a native function and print an argument of type Object[].
```javascript
var mbase = Module.getBaseAddress('libsgmainso-6.5.49.so');
// 1ed4c
// 0x1EBA4 is the doCommandNative address reported by the RegisterNatives hook
Interceptor.attach(mbase.add(0x1EBA4), {
    onEnter: function (args) {
        // JNI signature (I[Ljava/lang/Object;)Ljava/lang/Object; means:
        // args[0] = JNIEnv*, args[1] = jclass, args[2] = the int command, args[3] = the Object[]
        console.log('doCommandNative = ' + args[2].toString(10));
        if (args[2].toString(10) == 70102) {
            // Java.* calls need a Java context
            Java.perform(function () {
                var Object_javaArray = Java.use('[Ljava.lang.Object;');
                var ArrayArgs_3 = Java.cast(args[3], Object_javaArray);
                var ArrayClz = Java.use("java.lang.reflect.Array");
                var len = ArrayClz.getLength(ArrayArgs_3);
                for (let i = 0; i != len; i++) {
                    var objUse = ArrayClz.get(ArrayArgs_3, i);
                    if (objUse != null) {
                        console.log("args[3] String value:", objUse.toString());
                    }
                }
            });
        }
    }
});
```
First change the type with Java.cast, then traverse it with java.lang.reflect.Array.
The result is quite nice.
3. Summary
The native layer has more protective measures; everyone is really going all out.
A good command of Java reflection is a prerequisite for using frida well.
IDA's F5 is also guarded against by everyone, so the repair approach should be understood too.
I wanted to play with the world; in the end, the world played with me.
TIP: the sole purpose of this article is to learn more reverse-engineering skills and ideas. If someone uses these techniques for illegal business, the legal liability arising from the profits is borne by the operator alone and has nothing to do with this article or its author. The code projects involved in this article are available in Feifei friends' knowledge planet; you are welcome to join it to learn and explore the technology. If you have questions, add me on WeChat (wx: fenfei331) to discuss.
Follow the WeChat public account: It's safe to fly, for real-time pushes of the latest technical content.