Sogou WeChat app reverse engineering (2): the so layer
2022-07-01 21:47:00 【Codeooo】
Continuing from the previous post: https://blog.csdn.net/weixin_38927522/article/details/124726015
This post analyses the encryption logic in the so (native) layer of the Sogou app.
First, look through the exported functions:
Open Java_com_sogou_scoretools_ScEncryptWall_encrypt and take a look.
GetStringUTF converts the Java string into a C string (UTF-8 encoded).
malloc allocates a buffer.
j_Sc_EncryptWallEncode: judging by the code flow, this is the core routine.
Step in:
Inside this function, look at the parameters: by the JNI convention the first two are fixed (JNIEnv* and jclass); the remaining ones are the arguments passed in from Java.
For the static analysis, manually fix up the JNI signature so the decompiler identifies the types faster and better.
int __fastcall Java_com_sogou_scoretools_ScEncryptWall_encrypt(JNIEnv *env, jclass clazz, int a3, int a4, int a5)
Here the string that gets encrypted shows up as follows:
v10 = operator new(0x30u);
EncryptWall::WallKey::WallKey(v10);
A 0x30-byte buffer is allocated, its address is assigned to v10, and v10 is passed in.
What follows looks like a loop that fills that buffer completely.
v12 = RSA_Encrypt(v10 + 16, 0x20u, &v60, &v59);
Working backwards: v10 is the 0x30-byte buffer, offset by 16 bytes; &v60 is a pointer to v60; &v59 is a pointer to v59.
So what is `this`? It is in fact the URL.
a2 and a3 are the postdata analysed earlier.
RSA encryption:
There are two routines: one generates the key, the other performs the encryption afterwards.
n_crypto::SetSignPubKey: the key
n_crypto::PublicEnc looks like the final RSA encryption routine; let's look at it.
Look at its parameters: n_crypto::PublicEnc(v8, v9, v6, &v11, v4);
v8: a1, the first argument passed in
v9: a2, the second argument passed in
v6: an 80-byte buffer, presumably the output buffer
&v11: the address of v11
v4: the key
While hooking, I found that the n_crypto::SetSignPubKey logic is never executed.
"""20220402"""
SetSignPubKey1 = """
Java.perform(function(){
var str_name_so = "libSCoreTools.so"; //要hook的so名
var n_addr_func_offset = 0x0111E4;
//加载到内存后 函数地址 = so地址 + 函数偏移
var n_addr_so = Module.findBaseAddress(str_name_so);
console.log("func addr is ---" + n_addr_so);
var n_addr_func = n_addr_so.add(n_addr_func_offset+1);
Interceptor.attach(n_addr_func,
{
onEnter: function(args)
{
console.log("hook on enter no exp");
console.log("-----------0----------")
console.log(hexdump(args[0]))
console.log("-----------1----------")
console.log(hexdump(args[1]))
console.log("------------2---------")
console.log(args[2])
},
onLeave:function(retval)
{
console.log("hook on Leave no exp");
console.log(hexdump(retval))
console.log("return:"+retval);
}
});
});
"""
This is the PLT entry; it exists only to jump through the GOT. The stub is two short instructions, so the hook may not take effect there. Keep following.
.plt:00008A18 ADRL R12, 0x39A20
.plt:00008A20 LDR PC, [R12,#(_ZN8n_crypto12SetEncKeySymEP10aes_key_stPKvi_ptr - 0x39A20)]! ; n_crypt
.got:00039C9C _ZN8n_crypto12SetEncKeySymEP10aes_key_stPKvi_ptr DCD _ZN8n_crypto12SetEncKeySymEP10aes_key_stPKvi+1
Note the large number of XOR operations: that is the signature of an encryption routine.
So the condition if ( !s_pKey ) does not hold, i.e. s_pKey is already set.
We need to dump the key from memory.
Dump script:
Moving on: GenXor_S(v10 + 16, (*(a7 + 6) + 16), 32, 32);
This is custom logic; just lift it out of the binary.
Next comes n_crypto::Base64Encode, the base64 step.
First check the basics: has the alphabet been replaced, has the algorithm been modified?
Looking inside, at least the alphabet is unchanged. (After this you surely won't forget what the base64 alphabet is in an interview.)
Then step into this function:
v11 = zip_compress(v7, v6, v9, v8, &v17);
The compression routine; hook its parameters later.
v12 = AES_Encrypt(v10, v11, &v16, v5, 0x20u, v4, 0x10u);
Next we see AES encryption:
n_crypto::SetEncKeySym sets the key.
The standard form is:
AES_set_encrypt_key(aes_key, sizeof(aes_key) * 8, &enc_key);
n_crypto::SetEncKeySym(&v20, v10, 8 * a5);
Parameter analysis: &v20 is the address of v20; v10 = a4 is the argument; 8 * a5 = 8 * 32 = 256 (the key size in bits).
n_crypto::GetPaddingLen: the padding scheme
v12 = n_crypto::GetPaddingLen(v7, 0x10u, v11);
Now look straight at the last step of the encryption flow:
n_crypto::EncSym
AES in CBC mode: AES-256-CBC
n_crypto::EncSym(&v21, v9, v18, v14, &v20);
AES_set_encrypt_key(aes_key, sizeof(aes_key) * 8, &enc_key);
This is the original function prototype; the OpenSSL library is used.
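The stages the post identifies around the AES call (zip_compress, the padding length for a 0x10-byte block, base64 with an unmodified alphabet) can be modelled in a few lines. The Python below is an added example, not code from the post or from the app. Its assumptions are labelled in the comments: zlib stands in for the app's zip_compress, PKCS#7 is assumed for the padding scheme (the post only shows the block size), and the AES-256-CBC call itself is not reproduced because the standard library has no AES. inspect_ciphertext() only checks that a captured output decodes to a whole number of 16-byte blocks, which is what CBC with padding produces, and uses_standard_alphabet() is the "was the table replaced?" check applied to captured output.

```python
import base64
import zlib

# Block size AES works on; the decompiled call GetPaddingLen(v7, 0x10u, v11)
# passes this same value.
BLOCK = 16

# RFC 4648 base64 alphabet, the reference for the "was the table replaced?" check.
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def padding_len(data_len, block=BLOCK):
    """Number of bytes to append so the total is a whole number of blocks.
    Assumption: the app's GetPaddingLen follows PKCS#7 (always 1..block
    bytes); the post only shows the block size, not the scheme."""
    return block - (data_len % block)


def pkcs7_pad(data, block=BLOCK):
    """PKCS#7: append n bytes, each holding the value n."""
    n = padding_len(len(data), block)
    return data + bytes([n]) * n


def is_standard_alphabet(table):
    """True when a 64-character table pulled from the binary is the RFC table
    in the standard order (a reordered table is the usual 'custom base64')."""
    return table == STD_B64


def uses_standard_alphabet(encoded):
    """True when a captured output string is plausibly standard base64:
    only standard symbols, '=' padding only at the end, length a multiple of 4."""
    body = encoded.rstrip("=")
    return len(encoded) % 4 == 0 and all(c in STD_B64 for c in body)


def inspect_ciphertext(encoded, block=BLOCK):
    """Decode a captured output and report whether it is a whole number of
    cipher blocks, which AES-CBC with padding always yields."""
    raw = base64.b64decode(encoded, validate=True)
    return {"bytes": len(raw), "blocks": len(raw) // block,
            "block_aligned": len(raw) % block == 0}


def stage_before_aes(postdata):
    """The two steps the post shows ahead of AES_Encrypt: compress, then pad.
    zlib stands in for the app's zip_compress (assumption); the AES-256-CBC
    call itself is not reproduced here (no AES in the standard library)."""
    return pkcs7_pad(zlib.compress(postdata))


if __name__ == "__main__":
    # The base64 value below is the output captured in the post.
    captured = "Y3wQ+xj1oWTxGhO3bdsLdPQJCeSCKPfZuK1gQsMAxg8="
    print(uses_standard_alphabet(captured), inspect_ciphertext(captured))
    # Constructed postdata; the padded length is a multiple of 16.
    print(len(stage_before_aes(b"query=test&from=wap")))
```

Run on the captured string, the decoder reports 32 bytes, i.e. exactly two AES blocks, which is consistent with the AES-256-CBC plus padding chain the post reconstructs; an output whose decoded length is not block aligned would be the first sign that something other than a padded block cipher produced it.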
Y3wQ+xj1oWTxGhO3bdsLdPQJCeSCKPfZuK1gQsMAxg8=
Argument value :
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cb2d5b60 c3 11 a3 f5 cc fa 9f 42 eb ef b2 1f 47 57 92 66 .......B....GW.f
cb2d5b70 11 08 ba 88 6b e4 6e 01 f4 a0 4b ed f2 a0 8a b5 ....k.n...K.....
cb2d5b80 54 65 63 68 6e 6f 6c 6f 67 79 20 61 6e 64 20 45 Technology and E
cb2d5b90 6e 67 69 6e 65 65 72 69 6e 67 20 44 65 70 61 72 ngineering Depar
cb2d5ba0 74 6d 65 6e 74 00 00 00 00 00 00 00 00 00 00 00 tment...........
cb2d5bb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cb2d5bc0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cb2d5bd0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cb2d5be0 77 61 70 2e 73 6f 67 6f 75 2e 63 6f 6d 3a 34 34 wap.sogou.com:44
cb2d5bf0 33 2f 68 74 74 70 5f 6e 65 74 77 6f 72 6b 5f 73 3/http_network_s
cb2d5c00 65 73 73 69 6f 6e 2f 30 2f 31 30 00 ff ff ff ff ession/0/10.....
cb2d5c10 54 65 63 68 6e 6f 6c 6f 67 79 20 61 6e 64 20 45 Technology and E
cb2d5c20 6e 67 69 6e 65 65 72 69 6e 67 20 44 65 70 61 72 ngineering Depar
cb2d5c30 74 6d 65 6e 74 00 6f 2e 2c 20 4c 74 64 2e 00 00 tment.o., Ltd...
cb2d5c40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cb2d5c50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Return value : 0x0
Argument value :
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
cb2d3130 44 72 b6 41 a7 94 3f 45 68 38 f4 d1 c7 93 fb 01 Dr.A..?Eh8......
cb2d3140 79 f4 2e b8 99 69 20 19 2c 82 ae 0e 4f 2d 3d 05 y....i .,...O-=.
cb2d3150 fc 25 4f ee 24 00 00 00 04 4e 41 ee 00 00 6f 00 .%O.$....NA...o.
cb2d3160 00 00 00 00 61 00 63 00 00 00 00 00 00 00 00 00 ....a.c.........
cb2d3170 00 00 00 00 00 00 73 00 00 00 00 00 00 00 00 00 ......s.........
cb2d3180 4c 6f 63 61 6c 41 73 79 6e 63 20 54 68 72 65 61 LocalAsync Threa
cb2d3190 64 20 23 33 30 00 20 6d 61 6e 61 67 65 64 20 70 d #30. managed p
cb2d31a0 65 65 72 3e 00 00 00 00 00 00 00 00 00 00 00 00 eer>............
cb2d31b0 46 72 65 73 63 6f 44 65 63 6f 64 65 45 78 65 63 FrescoDecodeExec
cb2d31c0 75 74 6f 72 2d 33 00 6d 61 6e 61 67 65 64 20 70 utor-3.managed p
cb2d31d0 65 65 72 3e 00 79 00 2f 2e 2e 2e 00 70 73 3b 00 eer>.y./....ps;.
cb2d31e0 fc 25 4f ee 24 00 00 00 04 4e 41 ee 00 72 69 74 .%O.$....NA..rit
cb2d31f0 00 00 00 00 74 77 6f 72 00 00 00 00 00 00 00 00 ....twor........
cb2d3200 01 00 00 00 00 63 79 3b 00 00 00 00 00 00 00 00 .....cy;........
cb2d3210 00 00 00 00 d0 9e 5a a8 31 00 00 00 24 00 00 00 ......Z.1...$...
cb2d3220 b0 2e 31 cd 31 00 00 00 24 00 00 00 70 32 2d cb ..1.1...$...p2-.
Return value : 0x0
This is the key point of the function's encryption.
It is executed on every call.
Further down there are many XorBase64_S calls that assign the other parameters; step into them:
Their logic is no different from the above.
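The dumps above are Frida hexdump() output; with buffers this size it is easier to rebuild the bytes than to read them by eye. The Python parser below is an added example (not from the post): it re-assembles the hex columns into a byte string keyed by the base address, zero-fills gaps between lines so offsets stay meaningful, and lists the printable strings with their offsets. The sample text is the first eleven lines of the first argument dump above, embedded as a constant; the ASCII column is ignored because hexdump replaces non-printable bytes with '.'.

```python
import re
from typing import List, Tuple

# Sample input: the first eleven lines of the argument dump captured above
# (Frida hexdump() format: address, up to 16 hex bytes, ASCII column).
SAMPLE_DUMP = """\
cb2d5b60 c3 11 a3 f5 cc fa 9f 42 eb ef b2 1f 47 57 92 66 .......B....GW.f
cb2d5b70 11 08 ba 88 6b e4 6e 01 f4 a0 4b ed f2 a0 8a b5 ....k.n...K.....
cb2d5b80 54 65 63 68 6e 6f 6c 6f 67 79 20 61 6e 64 20 45 Technology and E
cb2d5b90 6e 67 69 6e 65 65 72 69 6e 67 20 44 65 70 61 72 ngineering Depar
cb2d5ba0 74 6d 65 6e 74 00 00 00 00 00 00 00 00 00 00 00 tment...........
cb2d5bb0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cb2d5bc0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cb2d5bd0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
cb2d5be0 77 61 70 2e 73 6f 67 6f 75 2e 63 6f 6d 3a 34 34 wap.sogou.com:44
cb2d5bf0 33 2f 68 74 74 70 5f 6e 65 74 77 6f 72 6b 5f 73 3/http_network_s
cb2d5c00 65 73 73 69 6f 6e 2f 30 2f 31 30 00 ff ff ff ff ession/0/10.....
"""

# One dump line: an 8-16 hex digit address, then 1-16 two-digit hex bytes.
# The {1,16} cap stops the match before the ASCII column on full lines; on
# a short last line an ASCII column that happens to start with two hex
# characters could be taken as a byte, so trim such lines before parsing.
LINE_RE = re.compile(
    r"^\s*([0-9a-fA-F]{8,16})\s+((?:[0-9a-fA-F]{2}(?:\s+|$)){1,16})"
)


def parse_hexdump(text: str) -> Tuple[int, bytes]:
    """Rebuild raw bytes from hexdump text; returns (base_address, data).
    Lines that do not look like dump rows (the column header, prose) are
    skipped; gaps between rows are zero-filled."""
    base = None
    buf = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex("".join(m.group(2).split()))
        if base is None:
            base = addr
        expected = base + len(buf)
        if addr > expected:
            buf.extend(b"\x00" * (addr - expected))
        buf.extend(chunk)
    if base is None:
        raise ValueError("no hexdump rows found")
    return base, bytes(buf)


def find_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Printable ASCII runs of at least min_len bytes, with their offsets
    from the dump's base address."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


if __name__ == "__main__":
    base, data = parse_hexdump(SAMPLE_DUMP)
    print("base=%#x size=%d" % (base, len(data)))
    for off, s in find_strings(data):
        print("%#x (+%#x): %s" % (base + off, off, s))
```

On the sample this recovers two strings, the organisation name at offset 0x20 and the request target wap.sogou.com:443/http_network_session/0/10 at offset 0x80, which matches the post's observation that `this` carries the URL. Keeping the output keyed by offset is what makes it possible to line a dump up against the decompiled pointer arithmetic (v10 + 16, a7 + 6) later.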