Sogou WeChat app reversing (part 2): the .so layer
2022-07-01 21:47:00 【Codeooo】
Continuing from the previous part: https://blog.csdn.net/weixin_38927522/article/details/124726015
This time we analyse the encryption-related logic in the Sogou app's .so (native) layer.
First, search the export table:
Click into Java_com_sogou_scoretools_ScEncryptWall_encrypt and have a look:

GetStringUTFChars: converts the Java string to a C string (modified UTF-8).
malloc: allocates the working buffer.
j_Sc_EncryptWallEncode: judging by the code flow, this is the core routine.
Step into it:
Look at this function's parameters: per the JNI convention the first two are fixed (JNIEnv * and the jclass), the rest are the arguments passed in from Java.
For static analysis, manually fix up the JNI prototype so that IDA decompiles it faster and cleaner:
int __fastcall Java_com_sogou_scoretools_ScEncryptWall_encrypt(JNIEnv *env, jclass clazz, int a3, int a4, int a5)


Here the strings to be encrypted show up as arguments:
v10 = operator new(0x30u);
EncryptWall::WallKey::WallKey(v10);
operator new allocates a 0x30-byte (48-byte) object, stores its address in v10 and passes v10 to the WallKey constructor.
The constructor looks like a loop that fills the freshly allocated object.
v12 = RSA_Encrypt(v10 + 16, 0x20u, &v60, &v59);
Working backwards: v10 is the 48-byte object, so v10 + 16 with length 0x20 covers its last 32 bytes; &v60 and &v59 are pointers to v60 and v59, presumably the output buffer and the output length.

So what is this `this`? It is the URL.
a2 and a3 are the postdata analysed earlier.
RSA encryption:
Two parts: key setup, then the actual encryption.
n_crypto::SetSignPubKey: sets the key.
n_crypto::PublicEnc looks like the final RSA encryption step; let's take a look.
Its arguments, n_crypto::PublicEnc(v8, v9, v6, &v11, v4), are:
v8: a1, the first incoming argument
v9: a2, the second incoming argument
v6: an 80-byte buffer, presumably used to receive the output
&v11: address of v11
v4: the key
While hooking I found that the n_crypto::SetSignPubKey() path is never taken.
# 2022-04-02
# Frida hook on libSCoreTools.so by raw offset; the target is Thumb code, hence the +1.
SetSignPubKey1 = """
Java.perform(function () {
    var str_name_so = "libSCoreTools.so";   // the .so to hook
    var n_addr_func_offset = 0x0111E4;      // function offset inside the .so (from IDA)
    // Once loaded: function address = so base address + function offset
    var n_addr_so = Module.findBaseAddress(str_name_so);
    if (n_addr_so === null) {
        throw new Error(str_name_so + " is not loaded yet");
    }
    console.log("so base addr is ---" + n_addr_so);
    // +1 sets the Thumb bit so Frida patches the function in Thumb mode
    var n_addr_func = n_addr_so.add(n_addr_func_offset + 1);
    Interceptor.attach(n_addr_func, {
        onEnter: function (args) {
            console.log("hook on enter no exp");
            console.log("-----------0----------");
            console.log(hexdump(args[0]));
            console.log("-----------1----------");
            console.log(hexdump(args[1]));
            console.log("------------2---------");
            console.log(args[2]);
        },
        onLeave: function (retval) {
            console.log("hook on Leave no exp");
            // retval is often a plain status (0x0 in the dumps below); hexdump() of a
            // non-pointer throws an access violation and kills the hook, so guard it
            if (!retval.isNull()) {
                console.log(hexdump(retval));
            }
            console.log("return:" + retval);
        }
    });
});
"""


This is the .plt stub: it does nothing but jump through the GOT to the real function. The stub is two ARM instructions, too little code for a hook placed here to fire reliably, so follow the jump instead:
.plt:00008A18 ADRL R12, 0x39A20
.plt:00008A20 LDR PC, [R12,#(_ZN8n_crypto12SetEncKeySymEP10aes_key_stPKvi_ptr - 0x39A20)]! ; n_crypt
.got:00039C9C _ZN8n_crypto12SetEncKeySymEP10aes_key_stPKvi_ptr DCD _ZN8n_crypto12SetEncKeySymEP10aes_key_stPKvi+1
The GOT slot resolves to _ZN8n_crypto12SetEncKeySymEP10aes_key_stPKvi+1, i.e. the Thumb body of n_crypto::SetEncKeySym(aes_key_st *, const void *, int); the +1 is the Thumb bit, which belongs on that address and not on the ARM-mode stub. Hook that address (base + offset of the real body, +1), or resolve the exported symbol by name, rather than the stub.
Notice the large number of XOR operations: a hallmark of cipher code.
In the .so, the condition if ( !s_pKey ) is false, i.e. s_pKey is already populated, which is why the key-setting path is never hit.
So we need to dump the key from memory.
Dump script:
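The post's own dump script did not survive in this copy of the page, so what follows is an added example (my code, not the author's and not Sogou's) of that step: a frida loader that hooks n_crypto::SetEncKeySym through the exported symbol the GOT entry above points to, instead of the PLT stub, and captures the raw AES key from args[1], args[2]/8 bytes long. It assumes frida-tools on the host with a matching frida-server on the device, that the mangled symbol is exported (the .got listing suggests it is resolved by name), and the process name "搜狗搜索" shown in the REPL prompt on this page.

```python
import sys

SO_NAME = "libSCoreTools.so"
# Mangled name from the GOT entry: n_crypto::SetEncKeySym(aes_key_st *, const void *, int)
KEY_SYMBOL = "_ZN8n_crypto12SetEncKeySymEP10aes_key_stPKvi"
PROCESS = "搜狗搜索"   # process name as shown in the frida REPL prompt on the page (assumption)

# Frida agent (JavaScript). The two %r placeholders are filled in by render_hook_js().
HOOK_JS = r"""
(function () {
    // Throws if the library is not loaded yet; spawn the app and load this script early in that case.
    var mod = Process.getModuleByName(%r);
    // Resolving the export yields the real function body (Frida keeps the Thumb bit for us),
    // not the two-instruction .plt stub shown on the page, where a hook may never fire.
    var target = mod.findExportByName(%r);
    if (target === null) {
        throw new Error("symbol not exported; hook base + offset of the GOT target instead");
    }
    Interceptor.attach(target, {
        onEnter: function (args) {
            var bits = args[2].toInt32();                    // 8 * a5 == 256 in the decompiled call
            // args[1] is the raw key; ship it as binary so no byte is lost to console formatting
            send({ func: "SetEncKeySym", bits: bits }, args[1].readByteArray(bits / 8));
        }
    });
})();
"""


def render_hook_js():
    """Fill the module name and the mangled symbol into the agent script."""
    return HOOK_JS % (SO_NAME, KEY_SYMBOL)


def record_key(store, message, data):
    """Script message handler: keep a key only if the buffer is exactly bits/8 bytes long.

    Returns the key bytes, or None for non-'send' messages (script errors are printed instead).
    """
    if message.get("type") != "send":
        print("frida:", message, file=sys.stderr)
        return None
    bits = int(message["payload"]["bits"])
    got = None if data is None else len(data)
    if got != bits // 8:
        raise ValueError("key buffer is %s bytes, expected %d for a %d-bit key" % (got, bits // 8, bits))
    key = bytes(data)
    store.append(key)
    return key


def main():
    import frida   # pip install frida-tools; a matching frida-server must run on the device
    keys = []

    def on_message(message, data):
        key = record_key(keys, message, data)
        if key is not None:
            print("AES key (%d bytes): %s" % (len(key), key.hex()))

    session = frida.get_usb_device().attach(PROCESS)
    script = session.create_script(render_hook_js())
    script.on("message", on_message)
    script.load()
    print("hooked %s in %s; trigger a request in the app, Ctrl-C to stop" % (KEY_SYMBOL, PROCESS))
    sys.stdin.read()


if __name__ == "__main__":
    main()
```

The length check in record_key is the sanity test to keep: if the captured buffer is not 32 bytes for a 256-bit key, the argument order guessed from the decompiler is wrong and the dump is garbage. Once a key is captured, the same pattern on n_crypto::EncSym gives the IV and the plaintext that goes with it.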

Moving on: GenXor_S(v10 + 16, (*(a7 + 6) + 16), 32, 32);

This is some custom logic; lift it out as-is when reimplementing.
Next comes n_crypto::Base64Encode, the base64 step.
First check the basics: has the alphabet been swapped, has the algorithm been modified?

Stepping in: the alphabet at least is unchanged (so you should never again be stumped by the interview question of what the base64 table is).

Then step into this function:
v11 = zip_compress(v7, v6, v9, v8, &v17);
Compression routine; hook its parameters later.
v12 = AES_Encrypt(v10, v11, &v16, v5, 0x20u, v4, 0x10u);
The 0x20 and 0x10 here read as the key length (32 bytes) and the IV length (16 bytes).
Next we see AES encryption:
n_crypto::SetEncKeySym sets the key.
The standard OpenSSL form:
AES_set_encrypt_key(aes_key, sizeof(aes_key) * 8, &enc_key);
n_crypto::SetEncKeySym(&v20, v10, 8 * a5);
Argument analysis: &v20 is the key schedule (aes_key_st), v10 = a4 is the raw key passed in, 8 * a5 = 8 * 32 = 256 is the key size in bits.

n_crypto::GetPaddingLen: the padding scheme.
v12 = n_crypto::GetPaddingLen(v7, 0x10u, v11);
Straight to the final encryption step:
n_crypto::EncSym
AES in CBC mode: AES-256-CBC.
n_crypto::EncSym(&v21, v9, v18, v14, &v20);
AES_set_encrypt_key(aes_key, sizeof(aes_key) * 8, &enc_key);
That is the original OpenSSL prototype: the library behind it is OpenSSL.
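The following is an added example, not code from the post or from the Sogou app: a dependency-free Python reconstruction of the symmetric half of the pipeline read out above, covering both the Base64 check (standard alphabet) and the AES section: postdata → zip_compress → AES-256-CBC with the 32-byte key and 16-byte IV implied by AES_Encrypt(v10, v11, &v16, v5, 0x20u, v4, 0x10u) → Base64, plus the 32-byte XOR of GenXor_S. Assumptions not confirmed on the page: zip_compress is zlib, GetPaddingLen(buf, 0x10, len) is PKCS#7, GenXor_S is a byte-wise XOR, and the random key/IV in the demo stand in for whatever WallKey derives. AES itself is hand-rolled here only so the script runs offline; the app calls OpenSSL. The RSA wrapping of the key (RSA_Encrypt / n_crypto::PublicEnc) is left out because the public key was never recovered.

```python
import base64
import os
import zlib

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
        b >>= 1
    return r

def _make_sbox():
    """Derive the AES S-box (GF(2^8) inverse, then the affine map) instead of hard-coding it."""
    sbox = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()

def expand_key(key):
    """AES key schedule: one 16-byte round key per round (15 for a 32-byte key)."""
    nk, rounds = len(key) // 4, len(key) // 4 + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (rounds + 1)):
        t = list(w[i - 1])
        if i % nk == 0:                       # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:          # extra SubWord, AES-256 only
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(rounds + 1)]

def encrypt_block(round_keys, block):
    """Encrypt one 16-byte block; the state is kept column-major, i.e. in input byte order."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    last = len(round_keys) - 1
    for rnd in range(1, last + 1):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]   # ShiftRows
        if rnd != last:                                                      # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                      a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                      a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                      gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
            s = m
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                      # AddRoundKey
    return bytes(s)

def padding_len(length, block=16):
    """GetPaddingLen(buf, 0x10, len) under the PKCS#7 assumption: always 1..16 bytes, so aligned input still grows."""
    return block - (length % block)

def aes_cbc_encrypt(key, iv, data):
    """AES-256-CBC with PKCS#7 padding: what SetEncKeySym + GetPaddingLen + EncSym do via OpenSSL."""
    if len(key) != 32 or len(iv) != 16:
        raise ValueError("AES-256-CBC needs a 32-byte key and a 16-byte IV")
    round_keys = expand_key(key)
    pad = padding_len(len(data))
    data = bytes(data) + bytes([pad]) * pad
    out, prev = [], bytes(iv)
    for i in range(0, len(data), 16):
        prev = encrypt_block(round_keys, bytes(x ^ y for x, y in zip(data[i:i + 16], prev)))
        out.append(prev)
    return b"".join(out)

def gen_xor(a, b):
    """Assumed meaning of GenXor_S(dst, src, 32, 32): byte-wise XOR of two equal-length buffers."""
    if len(a) != len(b): raise ValueError("GenXor_S operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_postdata(postdata, aes_key, iv):
    """zip_compress -> AES_Encrypt(..., key, 0x20, iv, 0x10) -> Base64Encode with the standard table.
    zip_compress is assumed to be zlib; the RSA wrapping of the key is not reproduced."""
    compressed = zlib.compress(bytes(postdata))
    return base64.b64encode(aes_cbc_encrypt(aes_key, iv, compressed)).decode("ascii")

if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(16)   # the app builds these in WallKey; random stand-ins here
    print(encrypt_postdata(b"query=test&from=app", key, iv))
```

Check the AES core against the FIPS-197 and SP 800-38A vectors before trusting any output, then feed a key, IV and plaintext captured from hooks on SetEncKeySym and EncSym through encrypt_postdata and compare with the token the app actually sends; a mismatch points at the zlib or the padding assumption first, since the cipher itself is verified.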
Y3wQ+xj1oWTxGhO3bdsLdPQJCeSCKPfZuK1gQsMAxg8=
Argument values:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cb2d5b60 c3 11 a3 f5 cc fa 9f 42 eb ef b2 1f 47 57 92 66 .......B....GW.f
cb2d5b70 11 08 ba 88 6b e4 6e 01 f4 a0 4b ed f2 a0 8a b5 ....k.n...K.....
cb2d5b80 54 65 63 68 6e 6f 6c 6f 67 79 20 61 6e 64 20 45 Technology and E
cb2d5b90 6e 67 69 6e 65 65 72 69 6e 67 20 44 65 70 61 72 ngineering Depar
cb2d5ba0 74 6d 65 6e 74 00 00 00 00 00 00 00 00 00 00 00 tment...........
cb2d5bb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cb2d5bc0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cb2d5bd0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cb2d5be0 77 61 70 2e 73 6f 67 6f 75 2e 63 6f 6d 3a 34 34 wap.sogou.com:44
cb2d5bf0 33 2f 68 74 74 70 5f 6e 65 74 77 6f 72 6b 5f 73 3/http_network_s
cb2d5c00 65 73 73 69 6f 6e 2f 30 2f 31 30 00 ff ff ff ff ession/0/10.....
cb2d5c10 54 65 63 68 6e 6f 6c 6f 67 79 20 61 6e 64 20 45 Technology and E
cb2d5c20 6e 67 69 6e 65 65 72 69 6e 67 20 44 65 70 61 72 ngineering Depar
cb2d5c30 74 6d 65 6e 74 00 6f 2e 2c 20 4c 74 64 2e 00 00 tment.o., Ltd...
cb2d5c40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cb2d5c50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Return value: 0x0
(the identical argument dump and 0x0 return value are repeated for three further calls)
Argument values:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cb2d3130 44 72 b6 41 a7 94 3f 45 68 38 f4 d1 c7 93 fb 01 Dr.A..?Eh8......
cb2d3140 79 f4 2e b8 99 69 20 19 2c 82 ae 0e 4f 2d 3d 05 y....i .,...O-=.
cb2d3150 fc 25 4f ee 24 00 00 00 04 4e 41 ee 00 00 6f 00 .%O.$....NA...o.
cb2d3160 00 00 00 00 61 00 63 00 00 00 00 00 00 00 00 00 ....a.c.........
cb2d3170 00 00 00 00 00 00 73 00 00 00 00 00 00 00 00 00 ......s.........
cb2d3180 4c 6f 63 61 6c 41 73 79 6e 63 20 54 68 72 65 61 LocalAsync Threa
cb2d3190 64 20 23 33 30 00 20 6d 61 6e 61 67 65 64 20 70 d #30. managed p
cb2d31a0 65 65 72 3e 00 00 00 00 00 00 00 00 00 00 00 00 eer>............
cb2d31b0 46 72 65 73 63 6f 44 65 63 6f 64 65 45 78 65 63 FrescoDecodeExec
cb2d31c0 75 74 6f 72 2d 33 00 6d 61 6e 61 67 65 64 20 70 utor-3.managed p
cb2d31d0 65 65 72 3e 00 79 00 2f 2e 2e 2e 00 70 73 3b 00 eer>.y./....ps;.
cb2d31e0 fc 25 4f ee 24 00 00 00 04 4e 41 ee 00 72 69 74 .%O.$....NA..rit
cb2d31f0 00 00 00 00 74 77 6f 72 00 00 00 00 00 00 00 00 ....twor........
cb2d3200 01 00 00 00 00 63 79 3b 00 00 00 00 00 00 00 00 .....cy;........
cb2d3210 00 00 00 00 d0 9e 5a a8 31 00 00 00 24 00 00 00 ......Z.1...$...
cb2d3220 b0 2e 31 cd 31 00 00 00 24 00 00 00 70 32 2d cb ..1.1...$...p2-.
Return value: 0x0
(the identical argument dump and 0x0 return value are repeated for three further calls)
This is the key point of the function's encryption.
It is executed on every call.
Further down there are many XorBase64_S calls that fill in other parameters; stepping into them:
Their logic is the same as above.