
Exploration of qunar risk control safety products

2022-06-12 00:13:00 Liziti

Li Jianwei joined Qunar.com as an intern through the spring campus recruitment in July 2017. Since graduating he has worked on crawling and anti-crawling, and has been responsible for building services such as intelligent CAPTCHA, device fingerprinting and environment detection. He is currently responsible for building the basic security products of anti-crawling risk control, and is interested in all kinds of cheating principles.

0x01- Preface

This article introduces the thinking behind the evolution of the basic security products related to anti-crawling risk control.

It is told as a sequence of points, divided into three parts: (1) product evolution; (2) environment detection; (3) detection and analysis.

I hope some of these thoughts can inspire you.

My knowledge is limited and I have done little; criticism and corrections are welcome.

0x02- Basic security products

Product evolution

I. The problem

Before 2019, anti-crawling, anti-cheating and similar scenarios at Qunar were handled by each business line on its own. As one of the earliest participants in air-ticket anti-crawling, I was in charge of anti-crawling for the air-ticket App, and one problem kept bothering me: my work consisted of writing recognition strategies over and over, the workload depended entirely on the number of crawlers, and defence was completely passive. Was there any way to fundamentally solve this kind of repetitive labour?


II. An example

For instance, in the figure below, blue (CRITICAL) represents users identified as suspicious, and yellow (ATTACK) represents users identified as abnormal.

Every alternation between blue and yellow represents one round of offence and defence, which means we had to adjust a strategy. Examples of strategies:

(1) a misspelled parameter was found;

(2) a piece of device information was found to be missing;

(3) an account was found with too many corresponding IPs.

Each such strategy adjustment required 0.5-1 person-days of effort to code, release and verify.

III. Reflection

Repetitive work inevitably leaves the team passive, busy and accumulating nothing. How can this situation be resolved?

Fortunately, in my first year after graduation, while in charge of the intelligent CAPTCHA platform, I studied the third-generation CAPTCHAs of several major security vendors. I acquired some reverse-engineering skills in the process, which gave me new ideas about how to solve this problem.

1. Look through the phenomenon to the essence

Take the examples above:

Our problem was that a parameter was found to be misspelled. The phenomenon is the spelling mistake, but what we should really pay attention to is why the parameter was tampered with and by what means.

Solutions:

(1) Method 1: solve the phenomenon. Write a judgement strategy that identifies abnormal requests containing the misspelling. This only solves a single problem; the next time the same type of problem occurs, a similar strategy has to be written again.

(2) Method 2: solve the essential problem. Find out why it was tampered with and how. Targeted detection then solves a whole class of similar problems at once.

2. Raise the threshold for cheating

Like the social pyramid, the pyramid of cheaters is the same: the people who create the principles and tools are few. If we can identify cheaters at the level of cheating tools and cheating principles, we raise the threshold for cheating and fundamentally solve the problem of repetitive, passive defence.

IV. Solution

Starting from the two points above: getting at "the essence" actually means sorting out the characteristics of the problem, and raising "the cheating threshold" means finding the principle behind the problem.

Take the anti-crawling scenario as an example.

I roughly divide crawler characteristics into four categories.

1. Problem characteristics, category I

(1) Only data of a certain scale is valuable;

(2) For cost reasons, the number of crawling devices has to be kept under control.

Combining these characteristics, the problem we need to solve is: how to tag real devices.

2. Problem characteristics, category II

(1) The protection code will be analysed;

(2) Security data can be tampered with.

Combining these characteristics, the problem we need to solve is: how to ensure the authenticity of data.

3. Problem characteristics, category III

(1) Machines crawl automatically;

(2) Data is intercepted and requests are simulated.

Combining these characteristics, the problem we need to solve is: how to identify abnormal device environments more efficiently and accurately.

4. Problem characteristics, category IV

(1) Requests are simulated outside the container.

Combining these characteristics, the problem we need to solve is: how to identify requests that have left the container.

Finally, solving these problems incubates security products. Each security product identifies one type of cheater, so that even when a new "phenomenon" appears, we can still identify them by the underlying "essence".

Environment detection

Since many points are involved and space is limited, I will discuss environment detection in detail as one of the more interesting security products.

I. What is it?

Based on the application's current running environment, check whether the device carries a risk of cheating.

II. Why?

There are two reasons:

(1) Cheating machines are certain to tamper with the application's running environment;

(2) Detecting the principle of cheating solves the cheating problem fundamentally and turns passive defence into active defence.

III. How is it done?

I sum it up in three points:

(1) analysis of the cheating principle;

(2) extraction of cheating features;

(3) a feature detection service.

IV. Analysis of the cheating principle

I divide the cheating analysis into two parts: analysis of cheating devices and analysis of cheating methods.


1. Analysis of cheating devices

Cheating devices are analysed for risks in the environment outside the application.

I roughly divide cheating devices into three types: real devices, emulators and cloud phones.


Real device: multiple instances of an application

By changing the application name or running inside a multi-instance container, several identical copies of an application run at the same time on one device. (Common multi-instance tools are VirtualApp, Xiaomi's dual apps, etc.)

Emulator

Software simulates the hardware of a mobile device, so that the App can run directly on a PC. (Common emulators include the Tencent emulator, the Nox (Yeshen) emulator, etc.)

Cloud phone

ARM servers and virtualisation technology provide native mobile-phone instances in the cloud. (Common ones are Baidu cloud phones, Redfinger cloud phones, etc.)

2. Analysis of cheating methods

Cheating methods are analysed for the risk of tampering inside the application. I roughly divide cheating into two kinds: tampering and non-tampering.


Repackaging

Repackaging means decompiling an application, modifying or adding code, packaging it again and installing it on the device; the modified code is loaded when the application runs.

HOOK

While a program is executing a piece of code, control is diverted so that it executes malicious code. This kind of tampering is called a HOOK.

Automation tools

Based on the automated testing frameworks released by Google and Apple, a series of operations such as tapping, swiping and keyboard input is performed.

Detection and analysis

For reasons of space I will not go into every detail. I choose dynamic tampering, one of the more interesting cheating methods, and analyse it in detail.

I. Introduction

Whether on Android or iOS, different layers of code have different HOOK frameworks, each with its own principle.


II. Analysis

There are many frameworks and principles. I take Xposed as the example framework and Inline HOOK as the example principle.


1. Framework detection: Xposed

(1) To understand the Xposed framework, you first need to know what Zygote is.

init is the first user-space process started by the kernel, and zygote is created by the init process. The executable corresponding to zygote is app_process, whose source file is app_main.cpp. Every app process is forked from the zygote process.

(2) Let's look at Xposed's initialisation process.

(3) Analysis of the Xposed code

Question 1: what does Xposed modify?

Answer 1:

a. So that Xposed modules are loaded first at system start-up and system resources can be hooked, the original ZygoteInit class is replaced by the XposedBridge class.

b. The order in which functions execute changes, and this shows up in the call stack.

Question 2: what exactly does Xposed load?

Answer 2:

a. It loads the core code, libxposed_art.so.

b. The corresponding features of this core code will inevitably appear in the process's running memory.
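The two signals just described (Xposed's frames in the call stack, and its core library in memory) can be checked from inside the app. As an added example that is not code from the article, here is a Python checker run over constructed sample data: a few /proc/self/maps lines and a stack trace as they would look with Xposed active. The file paths and frames are constructed samples; the package name de.robv.android.xposed and the file names XposedBridge.jar and libxposed_art.so are Xposed's real artefact names.

```python
import re

# Constructed sample of /proc/self/maps lines inside an app process with
# Xposed's native core loaded (addresses and paths are illustrative).
SAMPLE_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7a1b2c3000-7a1b2c5000 r-xp 00000000 fd:00 1234   /system/lib/libxposed_art.so
7a1c000000-7a1c200000 r--p 00000000 fd:00 5678   /system/framework/XposedBridge.jar
7a1d000000-7a1d100000 r-xp 00000000 fd:00 4321   /system/lib/libandroid_runtime.so
"""

# Constructed sample stack trace: with Xposed active, XposedBridge.main sits
# between ZygoteInit.main and the app code, which never happens otherwise.
SAMPLE_STACK = [
    "com.example.app.MainActivity.onCreate",
    "android.app.Activity.performCreate",
    "de.robv.android.xposed.XposedBridge.main",
    "com.android.internal.os.ZygoteInit.main",
]

XPOSED_FILES = ("libxposed_art.so", "XposedBridge.jar")
XPOSED_PKG = "de.robv.android.xposed."

# start-end perms offset dev inode [path]; the path may contain spaces.
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})"
    r"\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$")

def parse_maps(text):
    """Parse /proc/<pid>/maps text into (start, end, perms, path) tuples."""
    rows = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            rows.append((int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"]))
    return rows

def xposed_mappings(maps_text):
    """Paths of mapped files whose basename is an Xposed artefact."""
    return [path for _, _, _, path in parse_maps(maps_text)
            if path.rsplit("/", 1)[-1] in XPOSED_FILES]

def xposed_frames(frames):
    """Stack frames that belong to the Xposed package."""
    return [f for f in frames if f.startswith(XPOSED_PKG)]

def detect_xposed(maps_text, frames):
    """Combine the memory feature and the stack-order feature into one verdict."""
    libs, hits = xposed_mappings(maps_text), xposed_frames(frames)
    return {"mapped_files": libs, "stack_frames": hits, "suspicious": bool(libs or hits)}
```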

2. Principle detection: INLINE HOOK

(1) Android Inline Hook framework source code

(2) Analysis of the Inline Hook principle

Meaning of the core code

1) LDR PC, [PC, 4]: read the 4 consecutive bytes at address PC + 4 into the PC register;

2) [PC, 4]: with the PC register as the anchor, add an offset to identify an absolute address (PC-relative addressing);

3) LDR PC, hook function address: read the hook function's address into the PC register, which realises the jump to the hook function;

4) Reason the instruction offset changes: because of the three-stage pipeline, the value in PC is 2 instructions ahead of the instruction being executed, so the offset has to be adjusted.

Assembly instructions

On the ARM architecture the CPU uses a three-stage pipeline: CPU operation is divided into fetch, decode and execute, which can be understood as three parallel steps. Fetch runs 2 instructions ahead of execute. For example, when executing at 0x00006004, the pc register holds 0x00006012.

(3) Inline Hook process

Once the principle is understood, burying detection points on this unavoidable path is what makes principle-level detection of the cheating method possible.
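One such detection point follows directly from points 1) to 4): the patched prologue is a PC-relative LDR into PC whose slot is resolved with the pipeline rule. As an added example that is not code from the article, this Python checker decodes the first word of a 32-bit ARM function, recognises LDR PC, [PC, #imm] for any positive or negative offset (a generalisation of the article's single case), and returns the address the hook jumps to. The prologue bytes and the hook address 0x7F00A000 are constructed samples.

```python
import struct

# Constructed sample: first three words of a 32-bit ARM function whose prologue
# has been overwritten by an inline hook. Word 0 is the encoding of
# "LDR PC, [PC, #-4]" (0xE51FF004); word 1 holds the hook function's address
# (0x7F00A000 is a placeholder); word 2 is what remains of the original code.
HOOKED_PROLOGUE = struct.pack("<III", 0xE51FF004, 0x7F00A000, 0xE92D4800)
# Constructed sample: an untouched prologue, "PUSH {R11, LR}" first.
CLEAN_PROLOGUE = struct.pack("<III", 0xE92D4800, 0xE28DB004, 0xE24DD008)

PC = 15
PIPELINE_OFFSET = 8  # three-stage pipeline: PC reads as current instruction + 8

def decode_ldr_pc_relative(word):
    """Decode an ARM 'LDR Rd, [PC, #imm]' word (pre-indexed, word-sized, AL).
    Returns (rd, signed_offset), or None if the word is not that instruction."""
    if word >> 28 != 0xE:                # condition field must be AL
        return None
    if (word >> 25) & 0x7 != 0b010:      # single data transfer, immediate offset
        return None
    p, u, b, l = (word >> 24) & 1, (word >> 23) & 1, (word >> 22) & 1, (word >> 20) & 1
    rn, rd, imm12 = (word >> 16) & 0xF, (word >> 12) & 0xF, word & 0xFFF
    if p != 1 or b != 0 or l != 1 or rn != PC:
        return None
    return rd, imm12 if u else -imm12

def inline_hook_target(code, base_addr):
    """If the function at base_addr starts with 'LDR PC, [PC, #off]', return the
    address it jumps to (read from the slot the LDR points at); else None."""
    if len(code) < 8:
        return None
    (word,) = struct.unpack_from("<I", code, 0)
    dec = decode_ldr_pc_relative(word)
    if dec is None or dec[0] != PC:
        return None
    # Effective address = value of PC while executing word 0 + signed offset.
    slot = (base_addr + PIPELINE_OFFSET + dec[1]) - base_addr
    if slot < 0 or slot + 4 > len(code):
        return None
    (target,) = struct.unpack_from("<I", code, slot)
    return target

def is_inline_hooked(code, base_addr=0x6004):
    """True when the prologue at base_addr carries the inline-hook jump."""
    return inline_hook_target(code, base_addr) is not None
```

With base_addr 0x6004 the LDR's effective address is 0x6004 + 8 - 4 = 0x6008, i.e. the word right after the instruction, which is why the hook stores the target address there.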

3. As a service

Analyse the problem from the scenario, propose a solution to it, and incubate the target security product from that solution. The incubated basic security products are then provided to upstream business risk control. The expertise packaged into basic security products lowers the threshold for participants in business security, so upstream systems can focus on business protection itself.


0x03- Reflections

(1) Use offence to promote defence. Start from the business-security scenario, think from the cheater's point of view, and discover and solve problems from data and from principles. Continuous offensive-and-defensive confrontation is what makes R&D staff and systems grow.

(2) Real people. Cheating has evolved from protocol cracking to emulators, then to real devices, and is now moving towards crowdsourcing real people. How to define and identify real users versus cheaters is a new problem.

0x04- Ending

There is no silver bullet in software engineering; reverse engineering always wins in the end.

My knowledge is limited and I have done little; criticism and corrections are welcome.

Original source: https://yzsam.com/2022/03/202203011529361455.html

Copyright notice: this article was written by Liziti; please include the original link when reposting.