The APK Unpacking Crusade: Stripping the "360 Jiagu" Shell

Author:  Published: 2016-06-28 21:23:13
    1. Preface

    The mainstream packing platforms today are Bangbang Jiagu, Aijiami, 360 Jiagu and Tencent Jiagu. An earlier article covered how to strip the "Aijiami" shell; here we strip the shell of another platform, 360 Jiagu. Since we already have unpacking experience from that article, much of the basic knowledge and preparation will not be described in detail again. To strip their shell, we take a sample app, have it packed by the 360 platform, and then unpack it. Let's begin:

     

    2. Analysing how 360 Jiagu works

    First take the packed apk. To look at its internals conveniently, we no longer use dex2jar + jd-gui; instead we use a tool whose source we analysed earlier, Jadx, and inspect it directly:

    The routine used by today's packers is much the same everywhere, and what we see here is almost identical to the Aijiami packer analysed before. The shell Application is StubApplication, which does some initialisation in attachBaseContext: typically it copies the so file from the assets directory into the program's sandbox directory, /data/data/xxx/files/.., and then loads it with System.load. From this we can tell that the original apk has been encrypted and is stored inside that so. As the earlier article analysed, after encryption the original program is usually stored in one of a few places: the tail of the dex file, the libs directory, or the assets directory.

     

    Next, look at its AndroidManifest.xml file:

    We found its entry Activity, but there is no android:debuggable="true" here, so the program cannot be debugged. We need to add this attribute and then recompile before we can debug it, which is where the apktool tool comes in:

    Here we see that, to defeat apktool's decompilation, 360 Jiagu has added a qihoo attribute. apktool does not recognise this attribute and reports an error. But our earlier article, "Fixing apktool errors", already covered this: since we have the apktool source, we can fix it directly and then decompile:

    Decompilation succeeded. Look at the contents of its AndroidManifest.xml:

    Indeed, there is a qihoo attribute. When the Android system parses an apk it simply skips attributes it does not recognise, but apktool does not; 360 Jiagu exploits this gap to make decompilation harder. Our earlier article explained how to fix this, so the fix is easy now. With the apktool source in hand, everything is manageable.

    Then we add the android:debuggable attribute:

    Then recompile:

     

    Now we see that recompilation also fails, saying it cannot find this attribute. For convenience we simply delete android:qihoo, since it serves no purpose other than to interfere with decompilation. Remove it and recompile again:

    Recompilation succeeds; then sign and package the apk. That is not covered again here.

     

    From the above we can see that, to hinder decompilation, 360 Jiagu relies on the fact that the Android system skips unknown attributes when parsing an apk while apktool does not, and adds an obfuscating attribute, qihoo, to AndroidManifest.xml. Fortunately we have the source and can fix this problem before decompiling; hopefully the apktool project will patch this gap soon. To make recompilation succeed we can simply delete the attribute, otherwise recompilation fails as well. The attribute exists only to confuse decompilation, so deleting it has no effect on the program's logic.

     

    3. Turning on the system-wide debug switch

    Now we come to the first key point of this article: how to debug an app without decompiling it and adding the android:debuggable attribute.

    Many tools can already do this; let's first explain the underlying principle:

    Android stores some commonly used configuration information in a file, for example the device's system, version number and CPU model. The file is located at:

    /system/build.prop

    Looking at the file's contents, we can see a great deal of device information; the properties whose names start with ro are read-only and cannot be modified.

    Android also provides two commands to work with this information: getprop and setprop:

    Read the system's sdk version number

    Set the system's sdk version number to 22. The change does not take effect, because properties starting with ro may not be modified afterwards. They can be changed, but that requires rebuilding the system image boot.img, which is not the focus of this article.

     

    Since some of Android's system property values are stored in a file and are read-only, they can of course be read not only with the getprop command but also through an API: System.getProperty("ro.build.version.sdk"). This method is implemented in the native layer; we will not analyse it in detail.

    So this file stores the property values; but who parses it and loads it into memory so that every app can access it?

     

    This is done by the init process via init.rc. As we should know, the first step at system boot is parsing the init.rc file, which lives in the system's root directory and performs a great deal of initialisation. We won't analyse it in detail here; it will be covered when we analyse the Android boot process. Among other things, it parses the property files. Thus the Android property system provides management of system configuration and state through a system service. To let all running processes share the various settings the system needs at runtime, the system allocates a property storage area and provides an API for accessing that memory region. All processes can read property values, but only the init process can modify them; any other process that wants to change a property must send a request to init, and init ultimately makes the change.

     

    The file discussed above is system/build.prop, which mainly holds system configuration. There is another important file in the root directory: default.prop:

    It contains an important property, ro.debuggable, which is the key to whether each application on the system can be debugged. In Android, whether an application can be debugged is decided like this:

    When the Dalvik VM is started from the Android application framework, it checks the system property ro.debuggable; if that value is set to 1, every program on the system can be debugged. If ro.debuggable is 0, it checks whether the android:debuggable element of the application tag in the program's AndroidManifest.xml is true, and enables debugging support if so.

     

    At this point we can summarise:

    Android has a switch that makes every application on the device debuggable: the ro.debuggable property in the default.prop file in the root directory. If it is set to 1, all applications on the device can be debugged, even without android:debuggable=true in AndroidManifest.xml. The property files system/build.prop and default.prop are both parsed by the init process: at boot the system parses init.rc, which contains the configuration for parsing system properties; the property information is then loaded into memory and made available to all apps, as shared memory. But properties starting with ro can only be modified by the init process. Let's analyse three ways of changing this property value:

     

    Method 1: modify the value in default.prop directly, then reboot the device

    Given the goal above, making the apk debuggable without decompiling it and adding android:debuggable, we could simply edit default.prop and set ro.debuggable to 1. According to the analysis above, the device must be rebooted afterwards, because init has to re-parse the property file and load the properties into memory before the change takes effect. It did not go that smoothly: in practice, after modifying this property the device froze. On reflection that is not surprising: if properties could be changed through these files the system would run into all sorts of problems, so it seems the system does not allow the contents of these files to be modified.

     

    Method 2: rewrite the system files, rebuild the system image, then flash it to the device

    Modifying default.prop froze the device and the change did not stick, so what else can we do? It was mentioned above that these property files are in fact extracted from the system image boot.img into their directories at boot. So if we can modify this property directly in boot.img, the operation is possible, but it is anything but easy; at least I have never succeeded: modify the system files, rebuild the image, then flash it to the device. I tried this process and it failed, although in theory it works. And if this method succeeds, the device can debug any application forever.

     

    Method 3: inject into the init process and modify the property value in memory

    Rebuilding boot.img and flashing it to the device failed, so is there another way? Certainly. As analysed above, the init process parses the property file and loads the property values into memory for all apps to use, so those values exist in init's memory. That makes things easier: there is a technique for this, process injection. We can use ptrace to inject into the init process and modify those property values in memory; as long as init does not restart, the values stay in effect. This method is worth trying, but it has a drawback: if init dies and restarts, the setting has no effect any more and must be redone, so it does not last very long. Under normal conditions, though, init lives as long as the device is not rebooted, and if init ever dies the device will certainly reboot. We simply redo the operation then.

     

    We have analysed three ways of setting the system-wide debug switch, and the last one is the most reliable.

    The idea is simple, but we will not write this code ourselves, because someone has already done it; the download address for the tool is given later:

    The tool is easy to use: first copy the mprop executable to a directory on the device, then run:

    ./mprop ro.debuggable 1

    This tool can modify any property value in memory, including the device model information.

    After the change, checking the value again with getprop shows it succeeded. Note that we changed the value in memory, not in the file, so the contents of default.prop are unchanged.

    Now we can use Eclipse's DDMS to view the list of debuggable applications:

    We can also use the adb jdwp command to list the debuggable process ids:

    Unfortunately, it still does not show all the applications on the device. There is a subtle detail here: although we modified the value in memory, one process needs to be restarted. Which one? The adbd process, adb's daemon, the background process that carries the device connection. To see the debuggable process information, this process must be restarted so that the connection information refreshes.

    Restarting it is easy: just use the stop;start commands

    These are actually two commands separated by a semicolon: first kill the process, then restart it.

    After running the commands, look at the DDMS window again:

    Now every application process is debuggable. Next we use the dumpsys package command to view the package information of an application:

    We can see that this application's flags do not contain the debuggable flag, yet the application is debuggable. So ro.debuggable is the master switch: as long as it is 1, the app can be debugged even without android:debuggable.

     

    Let's summarise:

    1. Our goal is to debug an apk without decompiling it and adding the android:debuggable attribute.

    2. By analysing the system property files, the boot process and the way property files are parsed, we learned that the device has a master switch property for debugging, ro.debuggable, which defaults to 0 (off). We then considered several ways of changing it.

    3. Three ways of modifying this property value were analysed:

    Method 1: modify this field in default.prop directly. Unfortunately it failed: the device froze during the modification, and after a reboot the value was still 0.

    Method 2: modify the build scripts of the system source to change the property value directly, rebuild the boot.img image and flash it to the device. This did not succeed in practice, so it was abandoned, although it has the advantage that once changed, the field stays in effect as long as the system is not reflashed.

    Method 3: inject into the init process and modify these system property values in memory. This is the easiest to implement, but once the device reboots and init re-parses default.prop, ro.debuggable is reset and the injection must be repeated.

    4. In the end the third method was adopted. Someone has already written such a tool, and its usage is simple: ./mprop ro.debuggable 1. After the change, remember to restart the adbd process, otherwise the debuggable application information cannot be obtained.

    5. After modifying it with the tool, the DDMS window in Eclipse shows that all applications on the device are in a debuggable state, which means our operation succeeded.

    The success of this process is significant: if in future we simply want an apk to be debuggable, this is far more efficient than decompiling it and adding the attribute, and it lets any apk be put into a debuggable state.

     

    4. Unpacking

    Having covered the first key point, we now move on to the other key point of this article: unpacking.

    Step 1: start android_server

     

    Step 2: port forwarding

     

    Step 3: start the application

    adb shell am start -D -n com.CMapp/com.e4a.runtime.android.mainActivity

     

    Step 4: open IDA and attach to the process

     

    Step 5: set the Debugger Options

     

    Step 6: run jdb and wait

    jdb -connect com.sun.jdi.SocketAttach:hostname=127.0.0.1,port=10265

    Note: because we changed the system's ro.debuggable property, every application on the device is debuggable and the base port 8700 is already taken, so we must use the port specific to the program being debugged, which can be found in the DDMS window.

     

    Step 7: set breakpoints on key functions

    First find the memory address of the mmap function; in IDA we can press G and jump by function name:

    Note: this differs from the method used for the Aijiami shell. Recall that for Aijiami we set breakpoints on fopen and fgets, because any anti-debugging will read the TracerPid field from /proc/pid/status, and we then set TracerPid to 0. That does not work for 360 Jiagu, because its anti-debugging reads /proc/pid/status through mmap, so we need a breakpoint on mmap instead. We will also see later that a breakpoint on dvmDexFileOpenPartial no longer helps, because 360 Jiagu implements its own low-level dex parsing function in place of dvmDexFileOpenPartial. But however it parses and loads the dex, the dex file ultimately has to be loaded into memory, and that still goes through mmap. So when unpacking 360 Jiagu, mmap is the focus.

     

    With the breakpoint on mmap set, press F9 to run the program:

    We hit the mmap breakpoint. Because the mmap function's code is rather long, to save time we can set another breakpoint at the end of mmap and press F9 to run straight to the function's end. Many so files need to be loaded into memory, so mmap is executed many times, but what we really care about is the loading of our own so, libjiagu.so, since that contains the program's native code. So wait until the following appears:

    This indicates the so has been loaded into memory, meaning the program's native code is starting to run. From here on do not press F9; single-step with F8 instead:

    Single-stepping with F8 we hit a problem: after many F8 presses we were still stuck in the same place. Analysing the ARM instructions showed that this is a loop: the initial value 0 is stored in R11 and incremented by 1 each iteration, then compared with the threshold stored in R3. Looking at the registers, R3 contains A7, so we modify R11 here, otherwise we would have to single-step A7 times. Set R11 to A6 directly:

    Modifying a register is easy: right-click the register:

    Click Modify value:

    Click OK, then look at the value of R11 again:

    The change succeeded. Single-step with F8 twice more and the loop finishes. This shows the loop is also an anti-debugging measure, a way of raising the cost of debugging. Continue:

    At this point, after the BL executes, the debugger exits; this happened the same way every time, so we suspect the anti-debugging is here and press F7 to step into it:

    We reach a BLX; every time it finished, the debugger exited as well, so press F7 again to step into it:

    Here we see an important ARM instruction: CMP, comparing with 0. Very likely this compares whether TracerPid is 0 and exits if not. Look at the contents of R0:

    Then check the TracerPid of the debugged process:

    Sure enough, R0 holds the TracerPid value. To verify this, continue:

    Indeed, we reach the self-kill code; keep single-stepping:

    The program exits.

     

    Now that we know where the anti-debugging is, the fix is easy: set R0 to 0:

    Then continue single-stepping with F8. Later there is another CMP against 0; we do the same, single-step with F8 again, and when we reach this point:

    When we see the memcpy function, we can press F9, which runs back into mmap; pressing F9 again lands in the loop above, and so on. In this process I went through the loop 7 times and changed R0 9 times, so it is normal for this to execute many times. After much debugging, I worked out a good approach, since the route taken each time is roughly the same:

    mmap function => loop => (MOV R0,R8) BL => (MOV LR,R4) BLX => CMP R0,#0 => mmap....

    To simplify this process we can:

    1) set breakpoints at the start and end of mmap; these two prepare for the dex being loaded into memory later

    2) set a breakpoint at the loop, to modify the loop counter and save time

    3) set a breakpoint at the BL, to enter the BLX

    4) set a breakpoint at the BLX, to enter the TracerPid comparison

    5) set a breakpoint at the CMP, to modify the TracerPid value

    During this process use F9 to jump straight to the next breakpoint, which is efficient; only at the CMP do we single-step with F8, and that spot needs care, since one wrong key means starting from scratch. I suffered that many times and restarted many times. When memcpy appears, press F9 again to the next breakpoint. Even more important: every time we reach the mmap breakpoint, look at the current stack view window for the string classes.dex, because the decrypted dex is ultimately loaded into memory with mmap. This is the core of this debugging session.

    Of course this is just my personal debugging approach; everyone has their own, and any that works is fine.

     

    After a few rounds of this, we finally see daylight:

    When we reach mmap again we finally see classes.dex, which means the dex is being decrypted and loaded into memory. Now do not press F9; single-step with F8 and look at the value of R0:

    R0 gets its value each time after the __mmap2 function returns. Whenever R0 has a value, go to the Hex View window, press G to jump to that address and check whether it is dex content:

    If not, keep single-stepping with F8 until mmap finishes, then press F9 to the start of mmap again, always watching the Hex View, the stack window and R0:

    After many attempts it finally succeeds: here we see the familiar dex file header. For the dex header format, see the article "Dex file format analysis".

    The 4 bytes starting at the 33rd byte of the header are the dex length, so now we have the start address of the dex in memory and its size. Press Shift+F2 to open the script window and dump the dex data from memory:

    // IDC script: dump the decrypted dex from process memory to a file
    static main(void)
    {
        auto fp, begin, end, dexbyte;
        // backslash must be escaped inside an IDC string literal
        fp = fopen("E:\\dump.dex", "wb");
        // start address: where the dex magic was found in Hex View
        begin = 0x755A9000;
        // the 4 bytes at offset 0x20 hold the dex file size
        end = 0x755A9000 + 0x0004BC38;
        for ( dexbyte = begin; dexbyte < end; dexbyte ++ )
            fputc(Byte(dexbyte), fp);
        fclose(fp);
    }
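    As an added example (not part of the original article or any 360 tool), the following Python generalises the IDC dump script above: rather than hard-coding the start address and length, it scans a raw memory dump for the dex magic, validates the header fields the article relies on (the 4-byte file_size at offset 0x20, plus header_size and endian_tag as sanity checks against false hits), and carves each dex image out. The memory buffer built by make_fake_dex is constructed test input.

```python
import struct

DEX_MAGIC_PREFIX = b"dex\n"      # followed by a version such as b"035\0"
ENDIAN_CONSTANT = 0x12345678     # endian_tag value of a little-endian dex
HEADER_SIZE = 0x70               # fixed size of the dex header


def parse_dex_header(buf, offset=0):
    """Return (version, file_size) if a plausible dex header sits at offset, else None.

    Fields checked (dex header layout): magic at +0x00, file_size at +0x20
    (the "33rd byte" of the article), header_size at +0x24, endian_tag at +0x28.
    """
    hdr = buf[offset:offset + HEADER_SIZE]
    if len(hdr) < HEADER_SIZE or not hdr.startswith(DEX_MAGIC_PREFIX) or hdr[7] != 0:
        return None
    version = hdr[4:7].decode("ascii", errors="replace")
    file_size, header_size, endian_tag = struct.unpack_from("<III", hdr, 0x20)
    if header_size != HEADER_SIZE or endian_tag != ENDIAN_CONSTANT:
        return None
    # file_size must cover at least the header and must fit inside the dump
    if file_size < HEADER_SIZE or offset + file_size > len(buf):
        return None
    return version, file_size


def carve_dex(buf):
    """Yield (offset, image_bytes) for every validated dex image found in buf."""
    pos = 0
    while True:
        pos = buf.find(DEX_MAGIC_PREFIX, pos)
        if pos < 0:
            return
        parsed = parse_dex_header(buf, pos)
        if parsed is None:
            pos += 1            # stray "dex\n" bytes: keep scanning
            continue
        _, size = parsed
        yield pos, buf[pos:pos + size]
        pos += size             # skip past the carved image


def make_fake_dex(payload_len):
    """Constructed test input: a minimal dex header followed by dummy payload."""
    size = HEADER_SIZE + payload_len
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n035\0"
    struct.pack_into("<III", hdr, 0x20, size, HEADER_SIZE, ENDIAN_CONSTANT)
    return bytes(hdr) + bytes([0xAA]) * payload_len


if __name__ == "__main__":
    # constructed dump: padding, one dex, a decoy magic, a second dex
    dump = b"\x00" * 16 + make_fake_dex(10) + b"dex\njunk" + make_fake_dex(3)
    for off, image in carve_dex(dump):
        print(f"dex at offset {off:#x}, {len(image)} bytes")
```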

    Save it to E:\dump.dex, then view it with the Jadx tool:

    Here we can see the source code, and the class, method and variable names are all in Chinese. It feels unfamiliar, but Java supports this because it uses Unicode encoding.

     

    Sample download: http://download.csdn.net/detail/jiangwei0910410003/9561416

     

    5. Unpacking summary

    We have now successfully stripped the 360 Jiagu shell. Let's summarise its characteristics and the points to note when debugging:

    1. 360 Jiagu still wraps the app in an outer Application shell, StubApplication. The original program is encrypted and stored in libjiagu.so under the assets directory; when the Application starts it is released into the application's sandbox files directory and loaded with System.load, the same as Aijiami.

    2. 360 Jiagu's anti-debugging still reads the TracerPid field from /proc/[pid]/status and checks whether it is 0, but unlike Aijiami it reads the file with the mmap system function rather than fopen, so to defeat the anti-debugging we set a breakpoint on that function.

    3. 360 Jiagu does not use the system function dvmDexFileOpenPartial to parse the dex and load it into memory; it implements its own function, so setting a breakpoint there and dumping the dex from its parameters does not work. But whatever function it uses to parse and load the dex, it ultimately has to use the mmap system function, so the breakpoint still goes on mmap. While debugging, watch carefully: each time the breakpoint reaches mmap, check whether the Stack View window contains the string classes.dex. If it does, the dex is being decrypted and is about to be loaded into memory; then watch the value of R0, jump to that address in the Hex View and check whether it is dex data.

    4. When checking whether it is dex data, remember that the dex file has its own format and the header is the evidence: a leading dex.35 tells us this is dex data. The dex header also records the dex file size, so we can use a script to dump the dex data from memory.

    5. During debugging many breakpoints are hit repeatedly, especially one loop; we need to modify a register value to end the loop quickly, and breakpoints at the key spots also speed up debugging.

     

    6. Technical overview

    1. The article began by showing how to inject into the system init process and modify the system property ro.debuggable in memory so that every application on the device can be debugged. This will be very useful for later reverse-engineering work and saves the decompilation step, so it is something of a milestone.

    2. When unpacking Aijiami we learned to set breakpoints on the system functions fopen and fgets to defeat anti-debugging; here we have one more place to break, mmap. When a breakpoint on fopen does not work, try one on mmap.

    3. When unpacking Aijiami we set a breakpoint on dvmDexFileOpenPartial to obtain the dex's start address and size in memory and dump it. 360 Jiagu never goes through that function: the breakpoint was never hit, so it must use some other function internally to parse the dex and load it into memory. But if it is loaded into memory, mmap must be used, so a breakpoint on mmap is enough.

     

    7. Conclusion

    This article described how to strip the shell from an apk packed by the 360 platform. Combined with the earlier article on stripping the Aijiami shell, unpacking today really comes down to two points: finding the key spot to defeat anti-debugging, usually by breaking on system functions such as fopen, fgets, mmap and open; and finding the start address and size of the dex in memory, usually by breaking on dvmDexFileOpenPartial or on mmap.

     
