目录:一、产品基本介绍二、产品整体框架三、JAVA与JNI初始化四、VM虚拟机基本逻辑五、环境检测与设备信息采集六、加密流程分析七、加密漏洞还原与中人间攻击过程八、总结
5.8、采集设备信息
初始化获取设备信息的类名与对应的方法名
000000709EDF9090 00 00 00 00 00 00 00 00 05 00 00 00 61 6E 64 72 ............andr000000709EDF90A0 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te000000709EDF90B0 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager..000000709EDF90C0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 44 ............getD000000709EDF90D0 65 76 69 63 65 49 64 00 00 00 00 00 00 00 00 00 eviceId.........000000709EDF90E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF90F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9120 00 00 00 00 00 00 00 00 06 00 00 00 61 6E 64 72 ............andr000000709EDF9130 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te000000709EDF9140 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager..000000709EDF9150 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 56 ............getV000000709EDF9160 6F 69 63 65 4D 61 69 6C 4E 75 6D 62 65 72 00 00 oiceMailNumber..000000709EDF9170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF91A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF91B0 00 00 00 00 00 00 00 00 07 00 00 00 61 6E 64 72 ............andr000000709EDF91C0 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te000000709EDF91D0 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager..000000709EDF91E0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 53 ............getS000000709EDF91F0 69 6D 53 65 72 69 61 6C 4E 75 6D 62 65 72 00 00 imSerialNumber..000000709EDF9200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9240 00 00 00 00 00 00 00 00 08 00 00 00 61 6E 64 72 ............andr000000709EDF9250 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te000000709EDF9260 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager..000000709EDF9270 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 4E ............getN000000709EDF9280 65 74 77 6F 72 6B 43 6F 75 6E 74 72 79 49 73 6F etworkCountryIso000000709EDF9290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF92A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF92B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF92C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF92D0 00 00 00 00 00 00 00 00 09 00 00 00 61 6E 64 72 ............andr000000709EDF92E0 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te000000709EDF92F0 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager..000000709EDF9300 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 4E ............getN000000709EDF9310 65 74 77 6F 72 6B 4F 70 65 72 61 74 6F 72 4E 61 etworkOperatorNa000000709EDF9320 6D 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 me..............000000709EDF9330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9360 00 00 00 00 00 00 00 00 0A 00 00 00 61 6E 64 72 ............andr000000709EDF9370 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te000000709EDF9380 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager..000000709EDF9390 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 53 ............getS000000709EDF93A0 69 6D 4F 70 65 72 61 74 6F 72 4E 61 6D 65 00 00 imOperatorName..000000709EDF93B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF93C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF93D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF93E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF93F0 00 00 00 00 00 00 00 00 0B 00 00 00 61 6E 64 72 ............andr000000709EDF9400 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te000000709EDF9410 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager..000000709EDF9420 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 50 ............getP000000709EDF9430 68 6F 6E 65 54 79 70 65 00 00 00 00 00 00 00 00 honeType........000000709EDF9440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9480 00 00 00 00 00 00 00 00 0C 00 00 00 61 6E 64 72 ............andr000000709EDF9490 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te000000709EDF94A0 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager..000000709EDF94B0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 4E ............getN000000709EDF94C0 65 74 77 6F 72 6B 54 79 70 65 00 00 00 00 00 00 etworkType......000000709EDF94D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF94E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF94F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9510 00 00 00 00 00 00 00 00 0D 00 00 00 61 6E 64 72 ............andr000000709EDF9520 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te000000709EDF9530 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager..000000709EDF9540 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 43 ............getC000000709EDF9550 65 6C 6C 4C 6F 63 61 74 69 6F 6E 00 00 00 00 00 ellLocation.....000000709EDF9560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF95A0 00 00 00 00 00 00 00 00 0E 00 00 00 61 6E 64 72 ............andr000000709EDF95B0 6F 69 64 2E 74 65 6C 65 70 68 6F 6E 79 2E 54 65 oid.telephony.Te000000709EDF95C0 6C 65 70 68 6F 6E 79 4D 61 6E 61 67 65 72 00 00 lephonyManager..000000709EDF95D0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 44 ............getD000000709EDF95E0 65 76 69 63 65 53 6F 66 74 77 61 72 65 56 65 72 eviceSoftwareVer000000709EDF95F0 73 69 6F 6E 00 00 00 00 00 00 00 00 00 00 00 00 sion............000000709EDF9600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9630 00 00 00 00 00 00 00 00 0F 00 00 00 61 6E 64 72 ............andr000000709EDF9640 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif000000709EDF9650 69 49 6E 66 6F 00 00 00 00 00 00 00 00 00 00 00 iInfo...........000000709EDF9660 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 4D ............getM000000709EDF9670 61 63 41 64 64 72 65 73 73 00 00 00 00 00 00 00 acAddress.......000000709EDF9680 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF96A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF96B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF96C0 00 00 00 00 00 00 00 00 10 00 00 00 61 6E 64 72 ............andr000000709EDF96D0 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif000000709EDF96E0 69 49 6E 66 6F 00 00 00 00 00 00 00 00 00 00 00 iInfo...........000000709EDF96F0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 49 ............getI000000709EDF9700 70 41 64 64 72 65 73 73 00 00 00 00 00 00 00 00 pAddress........000000709EDF9710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9750 00 00 00 00 00 00 00 00 11 00 00 00 61 6E 64 72 ............andr000000709EDF9760 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif000000709EDF9770 69 49 6E 66 6F 00 00 00 00 00 00 00 00 00 00 00 iInfo...........000000709EDF9780 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 53 ............getS000000709EDF9790 53 49 44 00 00 00 00 00 00 00 00 00 00 00 00 00 SID.............000000709EDF97A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF97B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF97C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF97D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF97E0 00 00 00 00 00 00 00 00 12 00 00 00 61 6E 64 72 ............andr000000709EDF97F0 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif000000709EDF9800 69 49 6E 66 6F 00 00 00 00 00 00 00 00 00 00 00 iInfo...........000000709EDF9810 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 42 ............getB000000709EDF9820 53 53 49 44 00 00 00 00 00 00 00 00 00 00 00 00 SSID............000000709EDF9830 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9840 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9850 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9860 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9870 00 00 00 00 00 00 00 00 13 00 00 00 61 6E 64 72 ............andr000000709EDF9880 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif000000709EDF9890 69 4D 61 6E 61 67 65 72 00 00 00 00 00 00 00 00 iManager........000000709EDF98A0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 43 ............getC000000709EDF98B0 6F 6E 6E 65 63 74 69 6F 6E 49 6E 66 6F 00 00 00 onnectionInfo...000000709EDF98C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF98D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF98E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF98F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9900 00 00 00 00 00 00 00 00 14 00 00 00 61 6E 64 72 ............andr000000709EDF9910 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif000000709EDF9920 69 4D 61 6E 61 67 65 72 00 00 00 00 00 00 00 00 iManager........000000709EDF9930 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 44 ............getD000000709EDF9940 68 63 70 49 6E 66 6F 00 00 00 00 00 00 00 00 00 hcpInfo.........000000709EDF9950 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9960 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9970 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9980 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9990 00 00 00 00 00 00 00 00 15 00 00 00 61 6E 64 72 ............andr000000709EDF99A0 6F 69 64 2E 6E 65 74 2E 77 69 66 69 2E 57 69 66 oid.net.wifi.Wif000000709EDF99B0 69 4D 61 6E 61 67 65 72 00 00 00 00 00 00 00 00 iManager........000000709EDF99C0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 53 ............getS000000709EDF99D0 63 61 6E 52 65 73 75 6C 74 73 00 00 00 00 00 00 canResults......000000709EDF99E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF99F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9A00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9A10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9A20 00 00 00 00 00 00 00 00 16 00 00 00 6A 61 76 61 ............java000000709EDF9A30 2E 6E 65 74 2E 4E 65 74 77 6F 72 6B 49 6E 74 65 .net.NetworkInte000000709EDF9A40 72 66 61 63 65 00 00 00 00 00 00 00 00 00 00 00 rface...........000000709EDF9A50 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 4E ............getN000000709EDF9A60 65 74 77 6F 72 6B 49 6E 74 65 72 66 61 63 65 73 etworkInterfaces000000709EDF9A70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9A80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9A90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9AA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9AB0 00 00 00 00 00 00 00 00 17 00 00 00 61 6E 64 72 ............andr000000709EDF9AC0 6F 69 64 2E 6E 65 74 2E 50 72 6F 78 79 00 00 00 oid.net.Proxy...000000709EDF9AD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9AE0 00 00 00 00 00 00 00 00 00 00 00 00 67 65 74 48 ............getH000000709EDF9AF0 6F 73 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ost.............000000709EDF9B00 00 00 00 00 00 00 00 00 00 00 00 00 61 6E 64 72 ............andr000000709EDF9B10 6F 69 64 2E 63 6F 6E 74 65 6E 74 2E 43 6F 6E 74 oid.content.Cont000000709EDF9B20 65 78 74 00 00 00 00 00 00 00 00 00 00 00 00 00 ext.............000000709EDF9B30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................000000709EDF9B40 00 00 00 00 00 00 00 00 18 00 00 00 61 6E 64 72 ............andr000000709EDF9B50 6F 69 64 2E 6E 65 74 2E 50 72 6F 78 79 00 00 00 oid.net.Proxy...
多层反射获取设备信息
双重反射获取设备信息forName getDeclaredMethod getModifiers.text:000000709EB03C70 62 9E 43 F9 LDR X2, [X19,#0x738].text:000000709EB03C74 64 3A 43 F9 LDR X4, [X19,#0x670].text:000000709EB03C78 60 6A 41 F9 LDR X0, [X19,#0x2D0].text:000000709EB03C7C 61 66 41 F9 LDR X1, [X19,#0x2C8].text:000000709EB03C80 63 EA 41 F9 LDR X3, [X19,#0x3D0].text:000000709EB03C84 68 62 01 F9 STR X8, [X19,#0x2C0].text:000000709EB03C88 69 5E 01 F9 STR X9, [X19,#0x2B8].text:000000709EB03C8C 6A 5A 01 F9 STR X10, [X19,#0x2B0].text:000000709EB03C90 6B AE 02 B9 STR W11, [X19,#0x2AC].text:000000709EB03C94 6C AA 02 B9 STR W12, [X19,#0x2A8].text:000000709EB03C98 6D A6 02 B9 STR W13, [X19,#0x2A4].text:000000709EB03C9C D2 0D 00 94 BL GetStaticMethodID_sub_786D1853E4 ; forName.text:000000709EB0682C 0C 00 80 52 MOV W12, #0.text:000000709EB06830 60 86 43 F9 LDR X0, [X19,#0x708].text:000000709EB06834 6D E6 46 B9 LDR W13, [X19,#0x6E4].text:000000709EB06838 EE 03 0D 2A MOV W14, W13.text:000000709EB0683C CE 7D 40 93 SXTW X14, W14.text:000000709EB06840 29 7D 0E 9B MUL X9, X9, X14.text:000000709EB06844 6E B2 41 F9 LDR X14, [X19,#0x360].text:000000709EB06848 C9 01 09 8B ADD X9, X14, X9.text:000000709EB0684C 28 01 08 8B ADD X8, X9, X8.text:000000709EB06850 E1 03 08 AA MOV X1, X8.text:000000709EB06854 6C 72 00 B9 STR W12, [X19,#0x70].text:000000709EB06858 6A 6E 00 B9 STR W10, [X19,#0x6C].text:000000709EB0685C 6B 6A 00 B9 STR W11, [X19,#0x68].text:000000709EB06860 A1 89 01 94 BL NewStringUTF_sub_786D1E6EE4 ; 方法名.text:000000709EB06860.text:000000709EB06864 60 3A 02 F9 STR X0, [X19,#0x470].text:000000709EB06868 68 86 43 F9 LDR X8, [X19,#0x708].text:000000709EB0686C 08 01 40 F9 LDR X8, [X8].text:000000709EB06870 00 85 40 F9 LDR X0, [X8,#0x108].text:000000709EB06874 61 86 43 F9 LDR X1, [X19,#0x708].text:000000709EB06878 62 7E 43 F9 LDR X2, [X19,#0x6F8].text:000000709EB0687C 63 AE 41 F9 LDR X3, [X19,#0x358].text:000000709EB06880 64 AA 41 F9 LDR X4, [X19,#0x350].text:000000709EB06884 00 04 00 94 BL GetMethodID_sub_709EB06884 ; getDeclaredMethod.text:000000709EB06884.text:000000709EB06888 60 36 02 F9 STR X0, [X19,#0x468].text:000000709EB0688C 68 86 43 F9 LDR X8, [X19,#0x708].text:000000709EB06890 08 01 40 F9 LDR X8, [X8].text:000000709EB06894 00 91 43 F9 LDR X0, [X8,#0x720].text:000000709EB06898 61 86 43 F9 LDR X1, [X19,#0x708].text:000000709EB0689C 0E 04 00 94 BL ExceptionCheck_sub_709EB068D4.text:000000709EB06954 0A 00 80 52 MOV W10, #0.text:000000709EB06958 6B 86 43 F9 LDR X11, [X19,#0x708].text:000000709EB0695C 6B 01 40 F9 LDR X11, [X11].text:000000709EB06960 60 89 40 F9 LDR X0, [X11,#0x110].text:000000709EB06964 61 86 43 F9 LDR X1, [X19,#0x708].text:000000709EB06968 62 36 43 F9 LDR X2, [X19,#0x668].text:000000709EB0696C 63 36 42 F9 LDR X3, [X19,#0x468].text:000000709EB06970 64 3A 42 F9 LDR X4, [X19,#0x470].text:000000709EB06974 65 22 43 F9 LDR X5, [X19,#0x640].text:000000709EB06978 68 62 00 B9 STR W8, [X19,#0x60].text:000000709EB0697C 69 5E 00 B9 STR W9, [X19,#0x5C].text:000000709EB06980 6A 5A 00 B9 STR W10, [X19,#0x58].text:000000709EB06984 E6 03 00 94 BL CallObjectMethod_sub_709EB0691C ; 获取设备信息
其它设备信息:
在跳出VM的Hadnle处下断点即可分析出获取其它的设备信息。
5.9、VM加密设备信息
每获取一次设备信息加密一次,在VM中执行对应Handle加密。
.text000000709EA93920 A8 02 40 B9 LDR W8, [X21].text:000000709EA93924 98 02 40 F9 LDR X24, [X20].text:000000709EA93928 09 91 03 51 SUB W9, W8, #0xE4.text:000000709EA9392C 0A F1 01 51 SUB W10, W8, #0x7C ; '|'.text:000000709EA93930 3F 81 00 71 CMP W9, #0x20 ; ' '.text:000000709EA93934 48 31 88 1A CSEL W8, W10, W8, CC.text:000000709EA93938 09 1D 03 51 SUB W9, W8, #0xC7.text:000000709EA9393C 3F 71 00 71 CMP W9, #0x1C.text:000000709EA93940 A8 00 00 54 B.HI loc_709EA93954.text:000000709EA93940.text:000000709EA93944 C8 4E 29 8B ADD X8, X22, W9,UXTW#3.text:000000709EA93948 08 21 40 F9 LDR X8, [X8,#0x40] ; 值的基址,取值.text:000000709EA9394C 08 03 00 F9 STR X8, [X24] ; 存值.text:000000709EA93950 37 00 00 14 B loc_709EA93A2C.text:000000709EA941E4 ; __unwind {.text:000000709EA941E4 68 00 02 8B ADD X8, X3, X2.text:000000709EA941E8 28 00 00 F9 STR X8, [X1].text:000000709EA941EC C0 03 5F D6 RET.text:000000709EA941EC ; } // starts at 709EA941E4.text:000000709EA941EC.text:000000709EA941EC.text:000000709EA941F0.text:000000709EA941F0.text:000000709EA941F0.text:000000709EA941F0 sub_709EA941F0.text:000000709EA941F0 ; __unwind {.text:000000709EA941F0 48 00 03 CB SUB X8, X2, X3.text:000000709EA941F4 28 00 00 F9 STR X8, [X1].text:000000709EA941F8 C0 03 5F D6 RET.text:000000709EA941F8 ; } // starts at 709EA941F0.text:000000709EA941F8.text:000000709EA941F8 ; End of function sub_709EA941F0.text:000000709EA941F8.text:000000709EA941FC.text:000000709EA941FC.text:000000709EA941FC.text:000000709EA941FC SUB_sub_709EA941FC.text:000000709EA941FC ; __unwind {.text:000000709EA941FC 48 00 03 CB SUB X8, X2, X3.text:000000709EA94200 28 00 00 F9 STR X8, [X1].text:000000709EA94204 C0 03 5F D6 RET.text:000000709EA94204 ; } // starts at 709EA941FC.text:000000709EA94204.text:000000709EA94204 ; End of function SUB_sub_709EA941FC.text:000000709EA94204.text:000000709EA94208 ; __unwind {.text:000000709EA94208 E8 03 01 2A MOV W8, W1.text:000000709EA9420C 3F 34 00 71 CMP W1, #0xD ; switch 14 cases.text:000000709EA94210 E8 04 00 54 B.HI def_709EA94224 ;.text:000000709EA94210.text:000000709EA94214 29 00 00 F0 29 C1 38 91 ADRL X9, jpt_709EA94224.text:000000709EA9421C 28 79 A8 B8 LDRSW X8, [X9,X8,LSL#2].text:000000709EA94220 08 01 09 8B ADD X8, X8, X9.text:000000709EA94224 00 01 1F D6 BR X8 ; switch jump
六、加密流程分析
6.1、压缩设备数据
计算设备信息CRC与设备数据组合
.text:000000709EB765F8 EncData_sub_70576365F8.text:000000709EB765F8 ; __unwind { // 1000.text:000000709EB765F8 28 7A AB 52 A8 32+MOV W8, #0x5BD1E995.text:000000709EB765F8 9D 72.text:000000709EB76600 49 00 01 4A EOR W9, W2, W1.text:000000709EB76604 2A 10 00 71 SUBS W10, W1, #4.text:000000709EB76608 E3 01 00 54 B.CC loc_709EB76644.text:000000709EB76608.text:000000709EB7660C 4B 75 1E 12 AND W11, W10, #0xFFFFFFFC.text:000000709EB76610 6C 11 00 91 ADD X12, X11, #4.text:000000709EB76614 ED 03 00 AA MOV X13, X0.text:000000709EB76614.text:000000709EB76618.text:000000709EB76618 loc_709EB76618.text:000000709EB76618 AE 45 40 B8 LDR W14, [X13],#4.text:000000709EB7661C 29 7D 08 1B MUL W9, W9, W8.text:000000709EB76620 21 10 00 51 SUB W1, W1, #4.text:000000709EB76624 CE 7D 08 1B MUL W14, W14, W8.text:000000709EB76628 CE 61 4E 4A EOR W14, W14, W14,LSR#24.text:000000709EB7662C CE 7D 08 1B MUL W14, W14, W8.text:000000709EB76630 C9 01 09 4A EOR W9, W14, W9.text:000000709EB76634 3F 0C 00 71 CMP W1, #3.text:000000709EB76638 08 FF FF 54 B.HI loc_709EB76618.text:000000709EB76638.text:000000709EB7663C 41 01 0B 4B SUB W1, W10, W11.text:000000709EB76640 00 00 0C 8B ADD X0, X0, X12.text:000000709EB76640.text:000000709EB76644.text:000000709EB76644 loc_709EB76644.text:000000709EB76644 3F 04 00 71 CMP W1, #1.text:000000709EB76648 20 01 00 54 B.EQ loc_709EB7666C.text:000000709EB76648.text:000000709EB7664C 3F 08 00 71 CMP W1, #2.text:000000709EB76650 A0 00 00 54 B.EQ loc_709EB76664.text:000000709EB76650.text:000000709EB76654 3F 0C 00 71 CMP W1, #3.text:000000709EB76658 01 01 00 54 B.NE loc_709EB76678.text:000000709EB76658.text:000000709EB7665C 0A 08 40 39 LDRB W10, [X0,#2].text:000000709EB76660 29 41 0A 4A EOR W9, W9, W10,LSL#16.text:000000709EB76660.text:000000709EB76664.text:000000709EB76664 loc_709EB76664.text:000000709EB76664 0A 04 40 39 LDRB W10, [X0,#1].text:000000709EB76668 29 21 0A 4A EOR W9, W9, W10,LSL#8.text:000000709EB76668.text:000000709EB7666C.text:000000709EB7666C loc_709EB7666C.text:000000709EB7666C 0A 00 40 39 LDRB W10, [X0].text:000000709EB76670 49 01 09 4A EOR W9, W10, W9.text:000000709EB76674 29 7D 08 1B MUL W9, W9, W8.text:000000709EB76674.text:000000709EB76678.text:000000709EB76678 loc_709EB76678.text:000000709EB76678 29 35 49 4A EOR W9, W9, W9,LSR#13.text:000000709EB7667C 28 7D 08 1B MUL W8, W9, W8.text:000000709EB76680 00 3D 48 4A EOR W0, W8, W8,LSR#15.text:000000709EB76684 C0 03 5F D6 RET
压缩组合后设备数据
__int64 __fastcall sub_705762D9DC(__int64 a1, _QWORD *a2, __int64 a3, __int64 a4, unsigned int a5){int v5; // w8int v6; // w0int v7; // w0int v8; // w11unsigned int v10; // [xsp+54h] [xbp-CCh]int i; // [xsp+58h] [xbp-C8h]unsigned int v12; // [xsp+5Ch] [xbp-C4h]__int64 v13; // [xsp+60h] [xbp-C0h] BYREFint v14; // [xsp+68h] [xbp-B8h]__int64 v15; // [xsp+78h] [xbp-A8h]unsigned int v16; // [xsp+80h] [xbp-A0h]__int64 v17; // [xsp+88h] [xbp-98h]__int64 v18; // [xsp+A0h] [xbp-80h]__int64 v19; // [xsp+A8h] [xbp-78h]__int64 v20; // [xsp+B0h] [xbp-70h]unsigned int v21; // [xsp+D4h] [xbp-4Ch]__int64 v22; // [xsp+D8h] [xbp-48h]__int64 v23; // [xsp+E0h] [xbp-40h]_QWORD *v24; // [xsp+E8h] [xbp-38h]__int64 v25; // [xsp+F0h] [xbp-30h]unsigned int v26; // [xsp+FCh] [xbp-24h]__int64 v27; // [xsp+100h] [xbp-20h]__int64 v28; // [xsp+108h] [xbp-18h]v25 = a1;v24 = a2;v23 = a3;v22 = a4;v21 = a5;v13 = a3;v14 = a4;v15 = a1;v16 = *a2;v27 = v16;v28 = *a2;for ( i = 1425515106; ; i = 2121135395 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( 1 ){while ( i == 1425515106 ){if ( v27 == v28 )v5 = 1946294605;elsev5 = 711699392;i = v5;}if ( i != 711699392 )break;v26 = -5;i = 2121135395;}if ( i != 1946294605 )break;v18 = 0LL;v19 = 0LL;v20 = 0LL;v12 = sub_709EB6DFD8(&v13, v21, "2.3.3", 112LL);if ( v12 )v6 = 1708398168;elsev6 = -1398807773;i = v6;}if ( i != 1708398168 )break;v26 = v12;i = 2121135395;}if ( i != -1398807773 )break;v12 = sub_709EB6ECDC(&v13, 4LL);if ( v12 == 1 )v7 = 1641238281;elsev7 = -1560729400;i = v7;}if ( i != -1560729400 )break;sub_709EB6E244(&v13);if ( v12 )v8 = -1477061934;elsev8 = -1711647064;i = v8;}if ( i != -1711647064 )break;i = 584363032;v10 = -5;}if ( i != -1477061934 )break;i = 584363032;v10 = v12;}if ( i != 584363032 )break;v26 = v10;i = 2121135395;}if ( i != 1641238281 )break;*v24 = v17;v12 = sub_709EB6E244(&v13);v26 = v12;}return v26;}
6.2、生成AES KEY IV
随机数组合生成AES KEY IV
gettimeofdaysrand.text:000000709EB328A0 sprintf_sub_70575F28A0.text:000000709EB328A0.text:000000709EB328A0 var_24= -0x24.text:000000709EB328A0 format= -0x20.text:000000709EB328A0 s= -0x18.text:000000709EB328A0 var_10= -0x10.text:000000709EB328A0.text:000000709EB328A0 ; __unwind { // 1000.text:000000709EB328A0 FF C3 00 D1 SUB SP, SP, #0x30.text:000000709EB328A4 FE 13 00 F9 STR X30, [SP,#0x30+var_10].text:000000709EB328A8 E0 0F 00 F9 STR X0, [SP,#0x30+s].text:000000709EB328AC E1 0B 00 F9 STR X1, [SP,#0x30+format].text:000000709EB328B0 E2 0F 00 B9 STR W2, [SP,#0x30+var_24].text:000000709EB328B4 E0 0F 40 F9 LDR X0, [SP,#0x30+s] ; s.text:000000709EB328B8 E1 0B 40 F9 LDR X1, [SP,#0x30+format] ; format.text:000000709EB328BC E2 0F 40 B9 LDR W2, [SP,#0x30+var_24].text:000000709EB328C0 98 B6 FE 97 BL .sprintf.text:000000709EB328C0.text:000000709EB328C4 FE 13 40 F9 LDR X30, [SP,#0x30+var_10].text:000000709EB328C8 FF C3 00 91 ADD SP, SP, #0x30 ; '0'.text:000000709EB328CC C0 03 5F D6 RET//生成随机数AES KEY IVfda958f6-07e5-47 KEYe4ae2f7b-96b5-4a IV
6.3、RSA加密AES KEY IV
将随机数AES KEY IV组合成一个字符串fda958f6-07e5-47e4ae2f7b-96b5-4a,RSA私钥加密该字符串。
RSA私钥(隐去部分):
MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALE2OfQ8BYg9Lq4nKGTamXyia6raCc1adzCOsFrnk/VN0s2W8yQJfYdq+QUNRHv0zANW0Uafh7nHCWeBn/GOC26xTsUku3/ElECGthT5ED0MOO8EQ6dhci4So/Y/fNuAczqDFk5RKRbmo1gz7xuCdUTQYmD+h1cjl95HGrY6TMinAgMBAAECgYBCHYwjvh0GRmVbHkrozdID+QkYdj6/+eeMG0BauhmupLlocNAH+u51joiXxOpvINbYzBRKOAzIWCT/FBKbabaDl5IhuUwV+CJ90SBLAbs/Wd+QjnUhXbyKb+Tm3+Uz2y26xWc7XdhGNe3Wjyz2+fN8CbfdC2SlUnibADOEQXJFIQJBAOUgSH/+uyIJKo6DOHJSfrhDlYX875H4Yq8ifuS1R7hQcK5T8sYV/OIzTRSvFaYL+FG8nA9vr8rulojcDPYzqrcCQQDF/yuUtb1wliR+zH7iE/5pv0dGfuwhSec777TYuLEP6VnX68zI/Kyq2JdIYYO7MidjH4bFd50NnRacHi3AtKGRAkEAiU+Gg0Y6CVSq70sOSdzMWksOUYTaYYUURtaKay+Ecp2qWZ6vkCxfJ4QM/odKlv73aqx4bfvFwvymtBADqIwgEwJBAIHtZq3ZbQz6mcxTaVf2Atdl2+HY3B8kHgdoz2YAHMDyQjC83c9ub+hU5UFsLEOlL8+OGqRuT7NlSDb+Xsu8POECQQDPcNOysMNbrLh1mGe6ydUsojSbheAIOZPQ/lhUbhzPXAXTYaPkTq7uty6SYZOMtWLxIFZ1eA9HHm3tJOCgC888反射调用JAVA加密:
.text:000000709EB328D0 decode_sub_70575F28D0.text:000000709EB328D0.text:000000709EB328D0 var_3C= -0x3C.text:000000709EB328D0 var_38= -0x38.text:000000709EB328D0 var_30= -0x30.text:000000709EB328D0 var_28= -0x28.text:000000709EB328D0 var_20= -0x20.text:000000709EB328D0 var_18= -0x18.text:000000709EB328D0 var_10= -0x10.text:000000709EB328D0.text:000000709EB328D0 ; __unwind { // 1000.text:000000709EB328D0 FF 03 01 D1 SUB SP, SP, #0x40.text:000000709EB328D4 FE 1B 00 F9 STR X30, [SP,#0x40+var_10].text:000000709EB328D8 E0 17 00 F9 STR X0, [SP,#0x40+var_18].text:000000709EB328DC E1 13 00 F9 STR X1, [SP,#0x40+var_20].text:000000709EB328E0 E2 0F 00 F9 STR X2, [SP,#0x40+var_28].text:000000709EB328E4 E3 0B 00 F9 STR X3, [SP,#0x40+var_30].text:000000709EB328E8 E4 07 00 F9 STR X4, [SP,#0x40+var_38].text:000000709EB328EC E5 07 00 B9 STR W5, [SP,#0x40+var_3C].text:000000709EB328F0 E0 17 40 F9 LDR X0, [SP,#0x40+var_18].text:000000709EB328F4 E1 13 40 F9 LDR X1, [SP,#0x40+var_20].text:000000709EB328F8 E2 0F 40 F9 LDR X2, [SP,#0x40+var_28].text:000000709EB328FC E3 0B 40 F9 LDR X3, [SP,#0x40+var_30].text:000000709EB32900 E4 07 40 F9 LDR X4, [SP,#0x40+var_38].text:000000709EB32904 E5 07 40 B9 LDR W5, [SP,#0x40+var_3C].text:000000709EB32908 2B 83 00 94 BL CallObjectMethod_sub_786D1D15B4.text:000000709EB32908.text:000000709EB3290C FE 1B 40 F9 LDR X30, [SP,#0x40+var_10].text:000000709EB32910 FF 03 01 91 ADD SP, SP, #0x40 ; '@'.text:000000709EB32914 C0 03 5F D6 RET.text:000000709EB32958 getInstance_sub_70575F2958.text:000000709EB32958.text:000000709EB32958 var_38= -0x38.text:000000709EB32958 var_30= -0x30.text:000000709EB32958 var_28= -0x28.text:000000709EB32958 var_20= -0x20.text:000000709EB32958 var_18= -0x18.text:000000709EB32958 var_10= -0x10.text:000000709EB32958.text:000000709EB32958 ; __unwind { // 1000.text:000000709EB32958 FF 03 01 D1 SUB SP, SP, #0x40.text:000000709EB3295C FE 1B 00 F9 STR X30, [SP,#0x40+var_10].text:000000709EB32960 E0 17 00 F9 STR X0, [SP,#0x40+var_18].text:000000709EB32964 E1 13 00 F9 STR X1, [SP,#0x40+var_20].text:000000709EB32968 E2 0F 00 F9 STR X2, [SP,#0x40+var_28].text:000000709EB3296C E3 0B 00 F9 STR X3, [SP,#0x40+var_30].text:000000709EB32970 E4 07 00 F9 STR X4, [SP,#0x40+var_38].text:000000709EB32974 E0 17 40 F9 LDR X0, [SP,#0x40+var_18].text:000000709EB32978 E1 13 40 F9 LDR X1, [SP,#0x40+var_20].text:000000709EB3297C E2 0F 40 F9 LDR X2, [SP,#0x40+var_28].text:000000709EB32980 E3 0B 40 F9 LDR X3, [SP,#0x40+var_30].text:000000709EB32984 E4 07 40 F9 LDR X4, [SP,#0x40+var_38].text:000000709EB32988 0B 83 00 94 BL CallObjectMethod_sub_786D1D15B4.text:000000709EB32988.text:000000709EB3298C FE 1B 40 F9 LDR X30, [SP,#0x40+var_10].text:000000709EB32990 FF 03 01 91 ADD SP, SP, #0x40 ; '@'.text:000000709EB32994 C0 03 5F D6 RET.text:000000709EB32998 generatePrivate_sub_70575F2998.text:000000709EB32998.text:000000709EB32998 var_38= -0x38.text:000000709EB32998 var_30= -0x30.text:000000709EB32998 var_28= -0x28.text:000000709EB32998 var_20= -0x20.text:000000709EB32998 var_18= -0x18.text:000000709EB32998 var_10= -0x10.text:000000709EB32998.text:000000709EB32998 ; __unwind { // 1000.text:000000709EB32998 FF 03 01 D1 SUB SP, SP, #0x40.text:000000709EB3299C FE 1B 00 F9 STR X30, [SP,#0x40+var_10].text:000000709EB329A0 E0 17 00 F9 STR X0, [SP,#0x40+var_18].text:000000709EB329A4 E1 13 00 F9 STR X1, [SP,#0x40+var_20].text:000000709EB329A8 E2 0F 00 F9 STR X2, [SP,#0x40+var_28].text:000000709EB329AC E3 0B 00 F9 STR X3, [SP,#0x40+var_30].text:000000709EB329B0 E4 07 00 F9 STR X4, [SP,#0x40+var_38].text:000000709EB329B4 E0 17 40 F9 LDR X0, [SP,#0x40+var_18].text:000000709EB329B8 E1 13 40 F9 LDR X1, [SP,#0x40+var_20].text:000000709EB329BC E2 0F 40 F9 LDR X2, [SP,#0x40+var_28].text:000000709EB329C0 E3 0B 40 F9 LDR X3, [SP,#0x40+var_30].text:000000709EB329C4 E4 07 40 F9 LDR X4, [SP,#0x40+var_38].text:000000709EB329C8 B5 7C 00 94 BL calljavamethond_sub_786D1CFC9C.text:000000709EB329C8.text:000000709EB329CC FE 1B 40 F9 LDR X30, [SP,#0x40+var_10].text:000000709EB329D0 FF 03 01 91 ADD SP, SP, #0x40 ; '@'.text:000000709EB329D4 C0 03 5F D6 RET.text:000000709EB32A60 doFinal_sub_70575F2A60.text:000000709EB32A60.text:000000709EB32A60 var_38= -0x38.text:000000709EB32A60 var_30= -0x30.text:000000709EB32A60 var_28= -0x28.text:000000709EB32A60 var_20= -0x20.text:000000709EB32A60 var_18= -0x18.text:000000709EB32A60 var_10= -0x10.text:000000709EB32A60.text:000000709EB32A60 ; __unwind { // 1000.text:000000709EB32A60 FF 03 01 D1 SUB SP, SP, #0x40.text:000000709EB32A64 FE 1B 00 F9 STR X30, [SP,#0x40+var_10].text:000000709EB32A68 E0 17 00 F9 STR X0, [SP,#0x40+var_18].text:000000709EB32A6C E1 13 00 F9 STR X1, [SP,#0x40+var_20].text:000000709EB32A70 E2 0F 00 F9 STR X2, [SP,#0x40+var_28].text:000000709EB32A74 E3 0B 00 F9 STR X3, [SP,#0x40+var_30].text:000000709EB32A78 E4 07 00 F9 STR X4, [SP,#0x40+var_38].text:000000709EB32A7C E0 17 40 F9 LDR X0, [SP,#0x40+var_18].text:000000709EB32A80 E1 13 40 F9 LDR X1, [SP,#0x40+var_20].text:000000709EB32A84 E2 0F 40 F9 LDR X2, [SP,#0x40+var_28].text:000000709EB32A88 E3 0B 40 F9 LDR X3, [SP,#0x40+var_30].text:000000709EB32A8C E4 07 40 F9 LDR X4, [SP,#0x40+var_38].text:000000709EB32A90 83 7C 00 94 BL calljavamethond_sub_786D1CFC9C.text:000000709EB32A90.text:000000709EB32A94 FE 1B 40 F9 LDR X30, [SP,#0x40+var_10].text:000000709EB32A98 FF 03 01 91 ADD SP, SP, #0x40 ; '@'.text:000000709EB32A9C C0 03 5F D6 RET
RSA私钥加密后的AES KEY IV:
00000000 98 93 1B 85 66 82 76 26 88 2B 09 13 AA 22 4E 7600000020 9B 3F 47 93 8B A7 CD D7 A6 48 3D C9 70 55 29 6A00000040 57 B7 65 AE F4 3E 2C CB 5C E1 CD 6B 57 B5 86 2F00000060 1D 81 FC A3 56 27 64 13 27 42 A0 84 C3 23 CD 0D00000080 05 D1 0D B0 22 36 FE 36 B5 17 61 6F 19 14 1D B100000100 67 A0 1F F4 F2 09 83 CA C1 9A C4 64 14 F4 54 7D00000120 DA
6.4、AES加密压缩后设备数据
用随机数生成的KEY加密压缩后的设备数据:
// X0:key,x1:长度,X2:返回值__int64 __fastcall AES_initkey_sub_70576377C8(unsigned int *a1, int a2, unsigned int *a3){unsigned int v3; // w8unsigned int v29; // w17v3 = -1;if ( a1 && a3 ){if ( a2 != 128 && a2 != 256 && a2 != 192 )return 4294967294LL;if ( a2 == 128 ){v4 = 10;}else if ( a2 == 192 ){v4 = 12;}else{v4 = 14;}a3[60] = v4;v6 = _byteswap_ulong(*a1);*a3 = v6;a3[1] = _byteswap_ulong(a1[1]);a3[2] = _byteswap_ulong(a1[2]);a3[3] = _byteswap_ulong(a1[3]);if ( a2 == 128 ){v7 = 0LL;v8 = a3 + 4;do{v9 = *(v8 - 1);v6 ^= dword_709EBD4F74[BYTE2(v9)] & 0xFF000000 ^ dword_709EBD5374[BYTE1(v9)] & 0xFF0000 ^ dword_709EBD5774[(unsigned __int8)v9] & 0xFF00 ^ byte_709EBD5B74[4 * HIBYTE(v9)] ^ *(_DWORD *)((char *)&unk_709EBD5F74 + v7);v10 = *(v8 - 2);v7 += 4LL;v11 = *(v8 - 3) ^ v6;*v8 = v6;v8[1] = v11;v12 = v10 ^ v11;v8[2] = v12;v8[3] = v9 ^ v12;v8 += 4;}while ( v7 != 40 );}else{a3[4] = _byteswap_ulong(a1[4]);a3[5] = _byteswap_ulong(a1[5]);if ( a2 == 192 ){v13 = 0LL;for ( i = a3 + 6; ; i += 6 ){v16 = *(i - 1);v6 ^= dword_709EBD4F74[BYTE2(v16)] & 0xFF000000 ^ dword_709EBD5374[BYTE1(v16)] & 0xFF0000 ^ dword_709EBD5774[(unsigned __int8)v16] & 0xFF00 ^ byte_709EBD5B74[4 * HIBYTE(v16)] ^ *(_DWORD *)((char *)&unk_709EBD5F74 + v13);v17 = *(i - 3);v18 = *(i - 5) ^ v6;v19 = *(i - 4) ^ v18;*i = v6;i[1] = v18;i[2] = v19;i[3] = v17 ^ v19;if ( v13 == 28 )break;v13 += 4LL;v15 = *(i - 2) ^ v17 ^ v19;i[4] = v15;i[5] = v16 ^ v15;}}else{a3[6] = _byteswap_ulong(a1[6]);a3[7] = _byteswap_ulong(a1[7]);v20 = 0LL;for ( j = a3 + 8; ; j += 8 ){v25 = *(j - 1);v6 ^= dword_709EBD4F74[BYTE2(v25)] & 0xFF000000 ^ dword_709EBD5374[BYTE1(v25)] & 0xFF0000 ^ dword_709EBD5774[(unsigned __int8)v25] & 0xFF00 ^ byte_709EBD5B74[4 * HIBYTE(v25)] ^ *(_DWORD *)((char *)&unk_709EBD5F74 + v20);v26 = *(j - 5);v27 = *(j - 7) ^ v6;v28 = *(j - 6) ^ v27;*j = v6;j[1] = v27;j[2] = v28;j[3] = v26 ^ v28;if ( v20 == 24 )break;v29 = v26 ^ v28;v22 = dword_709EBD4F74[HIBYTE(v29)] & 0xFF000000 ^ *(j - 4) ^ dword_709EBD5374[BYTE2(v29)] & 0xFF0000 ^ dword_709EBD5774[BYTE1(v29)] & 0xFF00 ^ byte_709EBD5B74[4 * (unsigned __int8)v29];v23 = *(j - 2);v24 = *(j - 3) ^ v22;j[4] = v22;j[5] = v24;v20 += 4LL;j[6] = v23 ^ v24;j[7] = v25 ^ v23 ^ v24;}}}return 0;}return v3;}// X0:原数据,X1:返回,x2:大小,x3:初始化后key,x4:IVlong double __fastcall AES_enc_data_sub_705760C380(_QWORD *a1,long double *a2,unsigned __int64 a3,__int64 a4,long double *a5,void (__fastcall *a6)(long double *, long double *, __int64)){unsigned __int64 v6; // x24unsigned __int64 v10; // x8unsigned __int64 v11; // x22unsigned __int64 v12; // x27long double *v13; // x26unsigned __int64 v14; // x19long double *v15; // x8_QWORD *v16; // x28long double *v17; // x25long double *v18; // x8__int64 v19; // x24unsigned __int64 v20; // x25_QWORD *v21; // x22long double *v22; // x10unsigned __int64 v23; // x27unsigned __int64 v24; // x10unsigned __int64 v25; // x13__int128 v26; // q0__int128 v27; // q1_OWORD *v28; // x14unsigned __int64 v29; // x9__int64 v30; // x14long double *v31; // x23__int64 v32; // x13__int64 v33; // x15unsigned __int64 v34; // x10__int64 v35; // x11long double *v36; // x17unsigned __int64 v37; // x14unsigned __int64 v38; // x13int8x16_t v39; // q0int8x16_t v40; // q1int8x16_t v41; // q2int8x16_t v42; // q3int8x16_t *v43; // x15unsigned __int64 v44; // x11unsigned __int64 v45; // x12long double result; // q0_QWORD *v48; // [xsp+8h] [xbp-58h]_QWORD *v49; // [xsp+8h] [xbp-58h]v6 = a3;v10 = a3 - 16;if ( a3 < 0x10 ){v18 = a5;v13 = a2;v14 = a3;}else{v11 = v10 & 0xFFFFFFFFFFFFFFF0LL;v12 = (v10 & 0xFFFFFFFFFFFFFFF0LL) + 16;v13 = (long double *)((char *)a2 + v12);v14 = v10 - (v10 & 0xFFFFFFFFFFFFFFF0LL);v15 = a5;v16 = a1;v17 = a2;v48 = a1;do{*(_QWORD *)v17 = *(_QWORD *)v15 ^ *v16;*((_QWORD *)v17 + 1) = *((_QWORD *)v15 + 1) ^ v16[1];a6(v17, v17, a4);v6 -= 16LL;v15 = v17++;v16 += 2;}while ( v6 > 0xF );v18 = (long double *)((char *)a2 + v11);a1 = (_QWORD *)((char *)v48 + v12);}if ( v14 ){v19 = 0LL;v20 = -(__int64)v14;v21 = a1;v22 = v13;v23 = v14;v49 = a1;while ( 1 ){v30 = 2 * v19;v29 = 0LL;v31 = v22;if ( v20 <= 0xFFFFFFFFFFFFFFF0LL )v32 = -16LL;elsev32 = v20;if ( 16 * v19 - v14 <= 0xFFFFFFFFFFFFFFF0LL )v33 = -16LL;elsev33 = 16 * v19 - v14;v34 = (unsigned __int64)&v13[(unsigned __int64)v30 / 2];v35 = -v33;if ( (unsigned __int64)-v33 <= 0x1F )goto LABEL_26;v29 = 0LL;if ( (v35 & 0xFFFFFFFFFFFFFFE0LL) == 0 )goto LABEL_26;v36 = (long double *)((char *)&v13[(unsigned __int64)v30 / 2 - 1] - v33 + 15);if ( v34 <= (unsigned __int64)&v49[v30 - 1] - v33 + 7 && &v49[v30] <= (_QWORD *)v36 )goto LABEL_26;if ( v34 <= (unsigned __int64)v18 - v33 - 1 && v18 <= v36 )goto LABEL_26;v37 = 0LL;v38 = -v32 & 0xFFFFFFFFFFFFFFE0LL;v29 = v35 & 0xFFFFFFFFFFFFFFE0LL;do{v39 = *(int8x16_t *)&v21[v37 / 8];v40 = *(int8x16_t *)&v21[v37 / 8 + 2];v41 = *(int8x16_t *)&v18[v37 / 0x10];v42 = *(int8x16_t *)&v18[v37 / 0x10 + 1];v43 = (int8x16_t *)&v31[v37 / 0x10];v37 += 32LL;*v43 = veorq_s8(v41, v39);v43[1] = veorq_s8(v42, v40);}while ( v38 != v37 );if ( (v35 & 0xFFFFFFFFFFFFFFE0LL) != v35 ){LABEL_26:do{*((_BYTE *)v31 + v29) = *((_BYTE *)v18 + v29) ^ *((_BYTE *)v21 + v29);++v29;}while ( v29 <= 0xF && v29 < v23 );}if ( v29 > 0xF )goto LABEL_34;v44 = 16 - v29;if ( 16 - v29 > 0x1F&& (v45 = v44 & 0xFFFFFFFFFFFFFFE0LL, (v44 & 0xFFFFFFFFFFFFFFE0LL) != 0)&& (v34 + v29 > (unsigned __int64)v18 + 15 || (char *)v18 + v29 > (char *)v13 + ((16 * v19) | 0xF)) ){v24 = v29 + v45;v25 = v44 & 0xFFFFFFFFFFFFFFE0LL;do{v26 = *(_OWORD *)((char *)v18 + v29);v27 = *(_OWORD *)((char *)v18 + v29 + 16);v28 = (_OWORD *)((char *)v31 + v29);v29 += 32LL;v25 -= 32LL;*v28 = v26;v28[1] = v27;}while ( v25 );if ( v44 == v45 )goto LABEL_34;}else{v24 = v29;}do{*((_BYTE *)v31 + v24) = *((_BYTE *)v18 + v24);++v24;}while ( v24 != 16 );LABEL_34:a6(v31, v31, a4);if ( v23 >= 0x11 ){v23 -= 16LL;v21 += 2;v22 = v31 + 1;++v19;v20 += 16LL;v18 = v31;if ( v23 )continue;}goto LABEL_38;}}v31 = v18;LABEL_38:result = *v31;*a5 = *v31;return result;}
6.5、组合数据发送服务器
RSA加密后的AES KEY IV与AES加密的设备数据组合发送给服务器,组合格式图6-5所示:
图6-5
urlhttps://fp.fraudmetrix.cn/android3_5/profile.json?partner=missfreshaq&version=3.6.7&clientSeqId=1654331726915998700反射调用如下类发送网络cn/tongdun/android/shell/common/HttpHelperprivate static String connect(URL arg9, byte[] body, String url, int arg12) throws Exception {int v4;int v1;HttpsURLConnection v9;if(arg9.getProtocol().toLowerCase().equals("https")) {v9 = (HttpsURLConnection)arg9.openConnection(Proxy.NO_PROXY);if(arg12 == 1) {HttpHelper.trustSSL(v9);}else if(arg12 == 2) {v9.setHostnameVerifier(HttpHelper.NAME_VERIFY);}}else {v9 = (HttpURLConnection)arg9.openConnection(Proxy.NO_PROXY);}HttpHelper.setHttpParams(v9);v9.setRequestMethod("POST");OutputStream v11 = v9.getOutputStream();v11.write(body);v11.flush();int v10 = v9.getResponseCode();if(v10 != 200) {String v9_1 = "Connect failed, response code " + v10;xxo000000xxxoo00_Log.xxo0o0ox0oxxoo(v9_1);return v9_1;}try {Map v10_2 = v9.getHeaderFields();if(v10_2 != null) {List v10_3 = (List)v10_2.get("Set-Cookie");if(v10_3 != null && v10_3.size() > 0) {int v12 = v10_3.size();v1 = 0;while(true) {label_60:if(v1 >= v12) {break;}String v2 = (String)v10_3.get(v1);if(v2.contains("XXID=")) {String[] v2_1 = v2.split(";");v4 = 0;while(true) {label_76:if(v4 >= v2_1.length) {break;}String v5 = v2_1[v4];if(!v5.startsWith("XXID")) {++v4;goto label_76;}String v5_1 = v5.substring(5, v5.length());if(TextUtils.isEmpty(v5_1)) {++v4;goto label_76;}FMAgent.xxid = v5_1;break;}}++v1;}}}}catch(Exception v10_1) {v10_1.printStackTrace();}goto label_99;++v4;goto label_76;++v1;goto label_60;label_99:InputStream v9_2 = v9.getInputStream();BufferedReader v10_4 = new BufferedReader(new InputStreamReader(v9_2, "utf-8"));StringBuilder v12_1 = new StringBuilder();while(true) {String v0 = v10_4.readLine();if(v0 == null) {break;}v12_1.append(v0);}v9_2.close();v11.close();return v12_1.toString();}
成功后服务器返回blackbox:
{"code":"000","desc":"k9OCtUBncUi1/r3N84z30FFW3AwxnmZnJfuKa2bhCcS/s9mKZAuBFnJ6BYRDDpUkz+fxJhWvD+bbun3eUbCyiw=="}这个值是根据硬件ID,OAID、文件ID生成。
七、加密漏洞还原与中人间攻击过程
7.1、通过私钥解析出公钥
理论上我们很难从私钥(只有d,n)中推导公钥的,也无法通过公钥推导出私钥,但是该SDK使用了私钥为PKCS编码格式,该私钥数据可以按如下结构进行解析:
RSAPrivateKey ::= SEQUENCE {versionVersion,modulusINTEGER, -- npublicExponentINTEGER, -- eprivateExponentINTEGER, -- dprime1INTEGER, -- pprime2INTEGER, -- qexponent1INTEGER, -- d mod (p-1)exponent2INTEGER, -- d mod (q-1)coefficientINTEGER, -- (inverse of q) mod potherPrimeInfosOtherPrimeInfos OPTIONAL}
从结构中可以看出私钥其实是含有生成密钥对的p和q以及公私钥对(e,n)。通过私钥格式分析可以分析出公钥数据,用代码实现如下:
加载私钥:
/*** 从字符串中获取私钥* @param privateKeyStr* @return* @throws Exception*/public static RSAPrivateKey loadPrivateKeyByStr(String privateKeyStr) throws Exception {try {byte[] buffer = java.util.Base64.getDecoder().decode(privateKeyStr);PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(buffer);KeyFactory keyFactory = KeyFactory.getInstance("RSA");return (RSAPrivateKey) keyFactory.generatePrivate(keySpec);} catch (NoSuchAlgorithmException e) {throw new Exception("无此算法");} catch (InvalidKeySpecException e) {throw new Exception("私钥非法");} catch (NullPointerException e) {throw new Exception("私钥数据为空");}}public static String gethexPublicKey(String modulus, String exponent) {try {BigInteger b1 = new BigInteger(modulus,16); //此处为进制数BigInteger b2 = new BigInteger(exponent,16);KeyFactory keyFactory = KeyFactory.getInstance("RSA");RSAPublicKeySpec keySpec = new RSAPublicKeySpec(b1, b2);RSAPublicKey publicKey = (RSAPublicKey) keyFactory.generatePublic(keySpec);String publicKeyString = Base64.encode(publicKey.getEncoded());return publicKeyString;} catch (Exception e) {e.printStackTrace();return null;}}
解析出公钥:
//从SDK中的私钥解析出公钥(隐去部分)String strprivatekey = "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALE2OfQ8BYg9Lq4nKGTamXyia6raCc1adzCOsFrnk/VN0s2W8yQJfYdq+QUNRHv0zANW0Uafh7nHCWeBn/GOC26xTsUku3/ElECGthT5ED0MOO8EQ6dhci4So/Y/fNuAczqDFk5RKRbmo1gz7xuCdUTQYmD+h1cjl95HGrY6TMinAgMBAAECgYBCHYwjvh0GRmVbHkrozdID+QkYdj6/+eeMG0BauhmupLlocNAH+u51joiXxOpvINbYzBRKOAzIWCT/FBKbabaDl5IhuUwV+CJ90SBLAbs/Wd+QjnUhXbyKb+Tm3+Uz2y26xWc7XdhGNe3Wjyz2+fN8CbfdC2SlUnibADOEQXJFIQJBAOUgSH/+uyIJKo6DOHJSfrhDlYX875H4Yq8ifuS1R7hQcK5T8sYV/OIzTRSvFaYL+FG8nA9vr8rulojcDPYzqrcCQQDF/yuUtb1wliR+zH7iE/5pv0dGfuwhSec777TYuLEP6VnX68zI/Kyq2JdIYYO7MidjH4bFd50NnRacHi3AtKGRAkEAiU+Gg0Y6CVSq70sOSdzMWksOUYTaYYUURtaKay+Ecp2qWZ6vkCxfJ4QM/odKlv73aqx4bfvFwvymtBADqIwgEwJBAIHtZq3ZbQz6mcxTaVf2Atdl2+HY3B8kHgdoz2YAHMDyQjC83c9ub+hU5UFsLEOlL8+OGqRuT7NlSDb+Xsu8POECQQDPcNOysMNbrLh1mGe6ydUsojSbheAIOZPQ/lhUbhzPXAXTYaPkTq7uty6SYZOMtWLxIFZ1eA9HHm3tJOCgC888";RSAPrivateKey privateKey = RSAUtils.loadPrivateKeyByStr(strprivatekey);// 得到公钥BigInteger modulus = privateKey.getModulus();byte[] bmodulus = modulus.toByteArray();String modulusString = StringToHex.bytesToHex(bmodulus);System.out.println("modulusString:"+modulusString);String publicKeyString = RSAEncrypt.gethexPublicKey(modulusString, "010001");System.out.println("publicKeyString:"+publicKeyString);
7.2、公钥解密出AES KEY IV
得到公钥后做解密测试,只要能把上报到服务器端的请求体中加密的AES KEY IV解密出来就能解出AES加密的设备数据。
//私钥加密的AES KEY IVbyte[] keydata = {(byte)0x98, (byte)0x93, 0x1B, (byte)0x85, 0x66, (byte)0x82, 0x76, 0x26, (byte)0x88, 0x2B, 0x09, 0x13, (byte)0xAA, 0x22, 0x4E, 0x76,(byte)0x9B, 0x3F, 0x47, (byte)0x93, (byte)0x8B, (byte)0xA7, (byte)0xCD, (byte)0xD7, (byte)0xA6, 0x48, 0x3D, (byte)0xC9, 0x70, 0x55, 0x29, 0x6A,0x57, (byte)0xB7, 0x65, (byte)0xAE, (byte)0xF4, 0x3E, 0x2C, (byte)0xCB, 0x5C, (byte)0xE1, (byte)0xCD, 0x6B, 0x57, (byte)0xB5, (byte)0x86, 0x2F,0x1D, (byte)0x81, (byte)0xFC, (byte)0xA3, 0x56, 0x27, 0x64, 0x13, 0x27, 0x42, (byte)0xA0, (byte)0x84, (byte)0xC3, 0x23, (byte)0xCD, 0x0D,0x05, (byte)0xD1, 0x0D, (byte)0xB0, 0x22, 0x36, (byte)0xFE, 0x36, (byte)0xB5, 0x17, 0x61, 0x6F, 0x19, 0x14, 0x1D, (byte)0xB1,0x67, (byte)0xA0, 0x1F, (byte)0xF4, (byte)0xF2, 0x09, (byte)0x83, (byte)0xCA, (byte)0xC1, (byte)0x9A, (byte)0xC4, 0x64, 0x14, (byte)0xF4, 0x54, 0x7D,(byte)0xDA, 0x3A, 0x40, 0x75, 0x28, 0x6B, (byte)0x9C, 0x2D, 0x34, 0x02, 0x3A, 0x7C, 0x74, 0x58, (byte)0xD0, 0x68,0x4C, 0x1D, (byte)0xD3, (byte)0x80, (byte)0xD0, (byte)0xF8, 0x49, 0x17, (byte)0x99, (byte)0xE3, (byte)0xB9, 0x25, (byte)0x8C, 0x44, (byte)0xFA, (byte)0xC4};String publicKey = publicKeyString;//公钥解出出AEK KEY IVString aeskey = new String(RSAUtils.publicKeyDecrypt(publicKey, keydata)); //前16字节是AES key, 后16字节是IVSystem.out.println("aeskey:"+aeskey);//解密后的值fda958f6-07e5-47e4ae2f7b-96b5-4a
7.3、AES解密出压缩后设备数据
/**** @param FilePath 待解密的 deump 压缩后的设备数据* @return 解密后的压缩数据*/public static byte[] aesDecrypt(String FilePath, String key, String iv) {try {if (FilePath.isEmpty() || key.isEmpty()){return null;}// 将字符串转为byte,返回解码后的byte[]byte[] encryptBytes = {};encryptBytes = FileUtils.getContent(FilePath);// 创建密码器KeyGenerator kgen = KeyGenerator.getInstance(EncryptAesUtil.AES);kgen.init(128);// 初始化为解密模式的密码器Cipher cipher = Cipher.getInstance(ALGORITHMS);cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key.getBytes(), EncryptAesUtil.AES), new IvParameterSpec(iv.getBytes(StandardCharsets.UTF_8)));byte[] decryptBytes = cipher.doFinal(encryptBytes);String decstr = bytesToHex(decryptBytes);System.out.println("decryptBytes:"+decstr);return decryptBytes;} catch (Exception e) {System.out.println(e.getMessage() + e);}return null;}//前16字节是AES key, 后16字节是IVString key = "fda958f6-07e5-47";String iv = "e4ae2f7b-96b5-4a";//AES 解密压缩后设备数据EncryptAesUtil.aesDecrypt("dump_deviceinfo_AES.data",key, iv);
还有一层解密是VM中的,要还原大部分Handle,VM代码没有强混淆,分析起来还是比较容易的,这里就留一个坑吧,给有意愿深入搞搞的同学入坑。
八、总结
业务:
该产品也是多年的老品牌,最近几年从营销与渠道反作弊转向金融安全领域,可能在营销与渠道反作弊发力点偏弱,产品从体验、移定、易用、安全方面都有很多的不足点。
代码:
产品包休过大,架构不够精简,模块过多,代码冗余,对抗逆向方面将部分算法进行VM还是比较有效的。很多空数据加密时未做判断,导致空数据时也要执行VM引擎影响性能。
安全:
安全能力还是可以的,代码中字符串加密,代码逻辑通过AB两个模块拆分逻辑,A模块中大多数方法逻辑通过B模块中的VM引擎来实现,增加逆向度,不足点就是使用了不安全的密钥加密方式。
样本获取方式,关注公众号,公众号输入框回复“td” 获取下载链接。
作者简介:
我是小三,目前从事软件安全相关工作,虽己工作多年,但内心依然有着执着的追求,信奉终身成长,不定义自己,热爱技术但不拘泥于技术,爱好分享,喜欢读书和乐于结交朋友,欢迎加我微信与我交朋友(公众号输入框回复“wx”即可)
文章来源: https://mp.weixin.qq.com/s?__biz=MzU3MDc0MTY1MA==&mid=2247484080&idx=1&sn=c475cb405478abbec270a67d87d66187&chksm=fceb844dcb9c0d5b1aee9265c05fd99b7ea7da0ed6ea225da7a951e0436dfbe6a2fa52a8846e&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh