Analysis of a Long-Established Anti-Cheat Product (an Encryption Flaw Allows Man-in-the-Middle Attacks), Part 2
2022-6-17 11:35:38 Author: mp.weixin.qq.com

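Contents: 1. Product overview; 2. Overall product framework; 3. Java and JNI initialization; 4. Basic logic of the VM; 5. Environment detection and device information collection; 6. Encryption flow analysis; 7. Reproducing the encryption flaw and the man-in-the-middle attack process; 8. Summary

5.8 Collecting device information

The class names and the corresponding method names used to obtain device information are initialized first.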

Device information is obtained through multiple layers of reflection.

Double reflection is used to obtain the device information: forName, getDeclaredMethod, getModifiers.

.text:000000709EB03C70  62 9E 43 F9  LDR X2, [X19,#0x738]
.text:000000709EB03C74  64 3A 43 F9  LDR X4, [X19,#0x670]
.text:000000709EB03C78  60 6A 41 F9  LDR X0, [X19,#0x2D0]
.text:000000709EB03C7C  61 66 41 F9  LDR X1, [X19,#0x2C8]
.text:000000709EB03C80  63 EA 41 F9  LDR X3, [X19,#0x3D0]
.text:000000709EB03C84  68 62 01 F9  STR X8, [X19,#0x2C0]
.text:000000709EB03C88  69 5E 01 F9  STR X9, [X19,#0x2B8]
.text:000000709EB03C8C  6A 5A 01 F9  STR X10, [X19,#0x2B0]
.text:000000709EB03C90  6B AE 02 B9  STR W11, [X19,#0x2AC]
.text:000000709EB03C94  6C AA 02 B9  STR W12, [X19,#0x2A8]
.text:000000709EB03C98  6D A6 02 B9  STR W13, [X19,#0x2A4]
.text:000000709EB03C9C  D2 0D 00 94  BL GetStaticMethodID_sub_786D1853E4 ; forName

.text:000000709EB0682C  0C 00 80 52  MOV W12, #0
.text:000000709EB06830  60 86 43 F9  LDR X0, [X19,#0x708]
.text:000000709EB06834  6D E6 46 B9  LDR W13, [X19,#0x6E4]
.text:000000709EB06838  EE 03 0D 2A  MOV W14, W13
.text:000000709EB0683C  CE 7D 40 93  SXTW X14, W14
.text:000000709EB06840  29 7D 0E 9B  MUL X9, X9, X14
.text:000000709EB06844  6E B2 41 F9  LDR X14, [X19,#0x360]
.text:000000709EB06848  C9 01 09 8B  ADD X9, X14, X9
.text:000000709EB0684C  28 01 08 8B  ADD X8, X9, X8
.text:000000709EB06850  E1 03 08 AA  MOV X1, X8
.text:000000709EB06854  6C 72 00 B9  STR W12, [X19,#0x70]
.text:000000709EB06858  6A 6E 00 B9  STR W10, [X19,#0x6C]
.text:000000709EB0685C  6B 6A 00 B9  STR W11, [X19,#0x68]
.text:000000709EB06860  A1 89 01 94  BL NewStringUTF_sub_786D1E6EE4 ; method name

.text:000000709EB06864  60 3A 02 F9  STR X0, [X19,#0x470]
.text:000000709EB06868  68 86 43 F9  LDR X8, [X19,#0x708]
.text:000000709EB0686C  08 01 40 F9  LDR X8, [X8]
.text:000000709EB06870  00 85 40 F9  LDR X0, [X8,#0x108]
.text:000000709EB06874  61 86 43 F9  LDR X1, [X19,#0x708]
.text:000000709EB06878  62 7E 43 F9  LDR X2, [X19,#0x6F8]
.text:000000709EB0687C  63 AE 41 F9  LDR X3, [X19,#0x358]
.text:000000709EB06880  64 AA 41 F9  LDR X4, [X19,#0x350]
.text:000000709EB06884  00 04 00 94  BL GetMethodID_sub_709EB06884 ; getDeclaredMethod

.text:000000709EB06888  60 36 02 F9  STR X0, [X19,#0x468]
.text:000000709EB0688C  68 86 43 F9  LDR X8, [X19,#0x708]
.text:000000709EB06890  08 01 40 F9  LDR X8, [X8]
.text:000000709EB06894  00 91 43 F9  LDR X0, [X8,#0x720]
.text:000000709EB06898  61 86 43 F9  LDR X1, [X19,#0x708]
.text:000000709EB0689C  0E 04 00 94  BL ExceptionCheck_sub_709EB068D4

.text:000000709EB06954  0A 00 80 52  MOV W10, #0
.text:000000709EB06958  6B 86 43 F9  LDR X11, [X19,#0x708]
.text:000000709EB0695C  6B 01 40 F9  LDR X11, [X11]
.text:000000709EB06960  60 89 40 F9  LDR X0, [X11,#0x110]
.text:000000709EB06964  61 86 43 F9  LDR X1, [X19,#0x708]
.text:000000709EB06968  62 36 43 F9  LDR X2, [X19,#0x668]
.text:000000709EB0696C  63 36 42 F9  LDR X3, [X19,#0x468]
.text:000000709EB06970  64 3A 42 F9  LDR X4, [X19,#0x470]
.text:000000709EB06974  65 22 43 F9  LDR X5, [X19,#0x640]
.text:000000709EB06978  68 62 00 B9  STR W8, [X19,#0x60]
.text:000000709EB0697C  69 5E 00 B9  STR W9, [X19,#0x5C]
.text:000000709EB06980  6A 5A 00 B9  STR W10, [X19,#0x58]
.text:000000709EB06984  E6 03 00 94  BL CallObjectMethod_sub_709EB0691C ; get device information
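Other device information:

Setting a breakpoint at the point where the VM handler exits is enough to analyze how the remaining device information is obtained.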

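5.9 Encrypting device information in the VM

Each time a piece of device information is obtained it is encrypted once, by executing the corresponding handler inside the VM.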

.text:000000709EA93920  A8 02 40 B9  LDR W8, [X21]
.text:000000709EA93924  98 02 40 F9  LDR X24, [X20]
.text:000000709EA93928  09 91 03 51  SUB W9, W8, #0xE4
.text:000000709EA9392C  0A F1 01 51  SUB W10, W8, #0x7C ; '|'
.text:000000709EA93930  3F 81 00 71  CMP W9, #0x20 ; ' '
.text:000000709EA93934  48 31 88 1A  CSEL W8, W10, W8, CC
.text:000000709EA93938  09 1D 03 51  SUB W9, W8, #0xC7
.text:000000709EA9393C  3F 71 00 71  CMP W9, #0x1C
.text:000000709EA93940  A8 00 00 54  B.HI loc_709EA93954

.text:000000709EA93944  C8 4E 29 8B  ADD X8, X22, W9,UXTW#3
.text:000000709EA93948  08 21 40 F9  LDR X8, [X8,#0x40] ; base address of the value, load the value
.text:000000709EA9394C  08 03 00 F9  STR X8, [X24]      ; store the value
.text:000000709EA93950  37 00 00 14  B loc_709EA93A2C

.text:000000709EA941E4  ; __unwind {
.text:000000709EA941E4  68 00 02 8B  ADD X8, X3, X2
.text:000000709EA941E8  28 00 00 F9  STR X8, [X1]
.text:000000709EA941EC  C0 03 5F D6  RET
.text:000000709EA941EC  ; } // starts at 709EA941E4

.text:000000709EA941F0  sub_709EA941F0
.text:000000709EA941F0  ; __unwind {
.text:000000709EA941F0  48 00 03 CB  SUB X8, X2, X3
.text:000000709EA941F4  28 00 00 F9  STR X8, [X1]
.text:000000709EA941F8  C0 03 5F D6  RET
.text:000000709EA941F8  ; } // starts at 709EA941F0
.text:000000709EA941F8  ; End of function sub_709EA941F0

.text:000000709EA941FC  SUB_sub_709EA941FC
.text:000000709EA941FC  ; __unwind {
.text:000000709EA941FC  48 00 03 CB  SUB X8, X2, X3
.text:000000709EA94200  28 00 00 F9  STR X8, [X1]
.text:000000709EA94204  C0 03 5F D6  RET
.text:000000709EA94204  ; } // starts at 709EA941FC
.text:000000709EA94204  ; End of function SUB_sub_709EA941FC

.text:000000709EA94208  ; __unwind {
.text:000000709EA94208  E8 03 01 2A  MOV W8, W1
.text:000000709EA9420C  3F 34 00 71  CMP W1, #0xD ; switch 14 cases
.text:000000709EA94210  E8 04 00 54  B.HI def_709EA94224 ;

.text:000000709EA94214  29 00 00 F0 29 C1 38 91  ADRL X9, jpt_709EA94224
.text:000000709EA9421C  28 79 A8 B8  LDRSW X8, [X9,X8,LSL#2]
.text:000000709EA94220  08 01 09 8B  ADD X8, X8, X9
.text:000000709EA94224  00 01 1F D6  BR X8 ; switch jump

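6. Encryption flow analysis

6.1 Compressing the device data

A CRC of the device information is computed and combined with the device data.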
.text:000000709EB765F8  EncData_sub_70576365F8
.text:000000709EB765F8  ; __unwind { // 1000
.text:000000709EB765F8  28 7A AB 52 A8 32+  MOV W8, #0x5BD1E995
.text:000000709EB765F8  9D 72
.text:000000709EB76600  49 00 01 4A  EOR W9, W2, W1
.text:000000709EB76604  2A 10 00 71  SUBS W10, W1, #4
.text:000000709EB76608  E3 01 00 54  B.CC loc_709EB76644

.text:000000709EB7660C  4B 75 1E 12  AND W11, W10, #0xFFFFFFFC
.text:000000709EB76610  6C 11 00 91  ADD X12, X11, #4
.text:000000709EB76614  ED 03 00 AA  MOV X13, X0

.text:000000709EB76618  loc_709EB76618
.text:000000709EB76618  AE 45 40 B8  LDR W14, [X13],#4
.text:000000709EB7661C  29 7D 08 1B  MUL W9, W9, W8
.text:000000709EB76620  21 10 00 51  SUB W1, W1, #4
.text:000000709EB76624  CE 7D 08 1B  MUL W14, W14, W8
.text:000000709EB76628  CE 61 4E 4A  EOR W14, W14, W14,LSR#24
.text:000000709EB7662C  CE 7D 08 1B  MUL W14, W14, W8
.text:000000709EB76630  C9 01 09 4A  EOR W9, W14, W9
.text:000000709EB76634  3F 0C 00 71  CMP W1, #3
.text:000000709EB76638  08 FF FF 54  B.HI loc_709EB76618

.text:000000709EB7663C  41 01 0B 4B  SUB W1, W10, W11
.text:000000709EB76640  00 00 0C 8B  ADD X0, X0, X12

.text:000000709EB76644  loc_709EB76644
.text:000000709EB76644  3F 04 00 71  CMP W1, #1
.text:000000709EB76648  20 01 00 54  B.EQ loc_709EB7666C

.text:000000709EB7664C  3F 08 00 71  CMP W1, #2
.text:000000709EB76650  A0 00 00 54  B.EQ loc_709EB76664

.text:000000709EB76654  3F 0C 00 71  CMP W1, #3
.text:000000709EB76658  01 01 00 54  B.NE loc_709EB76678

.text:000000709EB7665C  0A 08 40 39  LDRB W10, [X0,#2]
.text:000000709EB76660  29 41 0A 4A  EOR W9, W9, W10,LSL#16

.text:000000709EB76664  loc_709EB76664
.text:000000709EB76664  0A 04 40 39  LDRB W10, [X0,#1]
.text:000000709EB76668  29 21 0A 4A  EOR W9, W9, W10,LSL#8

.text:000000709EB7666C  loc_709EB7666C
.text:000000709EB7666C  0A 00 40 39  LDRB W10, [X0]
.text:000000709EB76670  49 01 09 4A  EOR W9, W10, W9
.text:000000709EB76674  29 7D 08 1B  MUL W9, W9, W8

.text:000000709EB76678  loc_709EB76678
.text:000000709EB76678  29 35 49 4A  EOR W9, W9, W9,LSR#13
.text:000000709EB7667C  28 7D 08 1B  MUL W8, W9, W8
.text:000000709EB76680  00 3D 48 4A  EOR W0, W8, W8,LSR#15
.text:000000709EB76684  C0 03 5F D6  RET
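
The constant 0x5BD1E995 and the shift amounts 24, 13 and 15 in the listing above are those of the public MurmurHash2 (32-bit) function rather than a CRC polynomial. The C below is an added reconstruction from that listing, not the vendor's code or the author's; the function name is hypothetical, the seed passed in W2 is not shown on the page, and the sample input in main is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register mapping taken from the listing: X0 = data, W1 = len, W2 = seed. */
uint32_t device_info_hash(const uint8_t *data, uint32_t len, uint32_t seed)
{
    const uint32_t m = 0x5BD1E995u;   /* MOV W8, #0x5BD1E995 */
    uint32_t h = seed ^ len;          /* EOR W9, W2, W1 */

    /* Main loop: one little-endian 32-bit word per round (LDR W14, [X13],#4). */
    while (len >= 4) {
        uint32_t k = (uint32_t)data[0] | (uint32_t)data[1] << 8 |
                     (uint32_t)data[2] << 16 | (uint32_t)data[3] << 24;
        k *= m;                       /* MUL W14, W14, W8 */
        k ^= k >> 24;                 /* EOR W14, W14, W14,LSR#24 */
        k *= m;
        h *= m;                       /* MUL W9, W9, W8 */
        h ^= k;                       /* EOR W9, W14, W9 */
        data += 4;
        len -= 4;
    }

    /* Tail: loc_709EB76664 and loc_709EB7666C fall through like this switch. */
    switch (len) {
    case 3: h ^= (uint32_t)data[2] << 16; /* fall through */
    case 2: h ^= (uint32_t)data[1] << 8;  /* fall through */
    case 1: h ^= data[0];
            h *= m;
    }

    /* Final mixing at loc_709EB76678. */
    h ^= h >> 13;
    h *= m;
    h ^= h >> 15;
    return h;
}

int main(void)
{
    /* Constructed sample input; the seed 0 is an assumption. */
    static const uint8_t sample[] = "constructed-device-field";
    printf("%08X\n", device_info_hash(sample, sizeof sample - 1, 0));
    return 0;
}
```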

The combined device data is then compressed.

__int64 __fastcall sub_705762D9DC(__int64 a1, _QWORD *a2, __int64 a3, __int64 a4, unsigned int a5)
{
  int v5; // w8
  int v6; // w0
  int v7; // w0
  int v8; // w11
  unsigned int v10; // [xsp+54h] [xbp-CCh]
  int i; // [xsp+58h] [xbp-C8h]
  unsigned int v12; // [xsp+5Ch] [xbp-C4h]
  __int64 v13; // [xsp+60h] [xbp-C0h] BYREF
  int v14; // [xsp+68h] [xbp-B8h]
  __int64 v15; // [xsp+78h] [xbp-A8h]
  unsigned int v16; // [xsp+80h] [xbp-A0h]
  __int64 v17; // [xsp+88h] [xbp-98h]
  __int64 v18; // [xsp+A0h] [xbp-80h]
  __int64 v19; // [xsp+A8h] [xbp-78h]
  __int64 v20; // [xsp+B0h] [xbp-70h]
  unsigned int v21; // [xsp+D4h] [xbp-4Ch]
  __int64 v22; // [xsp+D8h] [xbp-48h]
  __int64 v23; // [xsp+E0h] [xbp-40h]
  _QWORD *v24; // [xsp+E8h] [xbp-38h]
  __int64 v25; // [xsp+F0h] [xbp-30h]
  unsigned int v26; // [xsp+FCh] [xbp-24h]
  __int64 v27; // [xsp+100h] [xbp-20h]
  __int64 v28; // [xsp+108h] [xbp-18h]

  v25 = a1;
  v24 = a2;
  v23 = a3;
  v22 = a4;
  v21 = a5;
  v13 = a3;
  v14 = a4;
  v15 = a1;
  v16 = *a2;
  v27 = v16;
  v28 = *a2;
  for ( i = 1425515106; ; i = 2121135395 )
  {
    while ( 1 )
    {
      while ( 1 )
      {
        while ( 1 )
        {
          while ( 1 )
          {
            while ( 1 )
            {
              while ( 1 )
              {
                while ( 1 )
                {
                  while ( 1 )
                  {
                    while ( i == 1425515106 )
                    {
                      if ( v27 == v28 )
                        v5 = 1946294605;
                      else
                        v5 = 711699392;
                      i = v5;
                    }
                    if ( i != 711699392 )
                      break;
                    v26 = -5;
                    i = 2121135395;
                  }
                  if ( i != 1946294605 )
                    break;
                  v18 = 0LL;
                  v19 = 0LL;
                  v20 = 0LL;
                  v12 = sub_709EB6DFD8(&v13, v21, "2.3.3", 112LL);
                  if ( v12 )
                    v6 = 1708398168;
                  else
                    v6 = -1398807773;
                  i = v6;
                }
                if ( i != 1708398168 )
                  break;
                v26 = v12;
                i = 2121135395;
              }
              if ( i != -1398807773 )
                break;
              v12 = sub_709EB6ECDC(&v13, 4LL);
              if ( v12 == 1 )
                v7 = 1641238281;
              else
                v7 = -1560729400;
              i = v7;
            }
            if ( i != -1560729400 )
              break;
            sub_709EB6E244(&v13);
            if ( v12 )
              v8 = -1477061934;
            else
              v8 = -1711647064;
            i = v8;
          }
          if ( i != -1711647064 )
            break;
          i = 584363032;
          v10 = -5;
        }
        if ( i != -1477061934 )
          break;
        i = 584363032;
        v10 = v12;
      }
      if ( i != 584363032 )
        break;
      v26 = v10;
      i = 2121135395;
    }
    if ( i != 1641238281 )
      break;
    *v24 = v17;
    v12 = sub_709EB6E244(&v13);
    v26 = v12;
  }
  return v26;
}
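
The decompiled function above is control-flow flattened: the variable i is a state number and each nested while is one dispatcher case. As an added example (not the vendor's or the author's code), the C below re-expresses the dispatcher with the page's state constants, writes the straight-line logic it reduces to, and checks that both agree on every path. The function names are hypothetical, and init_rc, run_rc and end_rc are constructed stand-ins for the return values of sub_709EB6DFD8, sub_709EB6ECDC and sub_709EB6E244; the recovered shape and the 112-byte structure size resemble zlib's compress2, which is an inference and not something the page states.

```c
#include <stddef.h>
#include <stdint.h>

/* cap plays the role of *a2 and produced the role of v17 in the decompilation. */

/* Dispatcher form, keeping the state constants from the listing. */
int pack_flattened(int init_rc, int run_rc, int end_rc,
                   uint64_t cap, uint64_t produced, uint64_t *out_len)
{
    int32_t state = 1425515106;
    int ret = 0, pending = 0, v12 = 0;

    for (;;) {
        switch (state) {
        case 1425515106:            /* v27 == v28: does *a2 fit in 32 bits? */
            state = ((uint64_t)(uint32_t)cap == cap) ? 1946294605 : 711699392;
            break;
        case 711699392:
            ret = -5; state = 2121135395; break;
        case 1946294605:            /* sub_709EB6DFD8(&v13, a5, "2.3.3", 112) */
            v12 = init_rc;
            state = v12 ? 1708398168 : -1398807773;
            break;
        case 1708398168:
            ret = v12; state = 2121135395; break;
        case -1398807773:           /* sub_709EB6ECDC(&v13, 4) */
            v12 = run_rc;
            state = (v12 == 1) ? 1641238281 : -1560729400;
            break;
        case -1560729400:           /* sub_709EB6E244 called, result discarded */
            state = v12 ? -1477061934 : -1711647064;
            break;
        case -1711647064:
            pending = -5; state = 584363032; break;
        case -1477061934:
            pending = v12; state = 584363032; break;
        case 584363032:
            ret = pending; state = 2121135395; break;
        case 1641238281:            /* success: publish length, then clean up */
            if (out_len) *out_len = produced;
            ret = end_rc;
            state = 2121135395;
            break;
        default:                    /* 2121135395 is the exit state */
            return ret;
        }
    }
}

/* The same logic with the dispatcher removed. */
int pack_straight(int init_rc, int run_rc, int end_rc,
                  uint64_t cap, uint64_t produced, uint64_t *out_len)
{
    if ((uint64_t)(uint32_t)cap != cap)
        return -5;
    if (init_rc != 0)
        return init_rc;
    if (run_rc != 1)                /* cleanup runs, its result is dropped */
        return run_rc ? run_rc : -5;
    if (out_len) *out_len = produced;
    return end_rc;
}

/* Runs both forms over every combination of callee results; 0 means they agree. */
int count_mismatches(void)
{
    static const int init_v[] = {0, -2, -6};
    static const int run_v[]  = {1, 0, -2, -5};
    static const int end_v[]  = {0, -2};
    static const uint64_t cap_v[] = {64, 0x100000040ULL};
    int bad = 0;

    for (size_t a = 0; a < 3; a++)
        for (size_t b = 0; b < 4; b++)
            for (size_t c = 0; c < 2; c++)
                for (size_t d = 0; d < 2; d++) {
                    uint64_t n1 = 0, n2 = 0;
                    int r1 = pack_flattened(init_v[a], run_v[b], end_v[c],
                                            cap_v[d], 40, &n1);
                    int r2 = pack_straight(init_v[a], run_v[b], end_v[c],
                                           cap_v[d], 40, &n2);
                    bad += (r1 != r2) || (n1 != n2);
                }
    return bad;
}

int main(void)
{
    return count_mismatches();
}
```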
6.2 Generating the AES KEY and IV

The AES KEY and IV are assembled from random numbers.

gettimeofday, srand
.text:000000709EB328A0  sprintf_sub_70575F28A0
.text:000000709EB328A0
.text:000000709EB328A0  var_24= -0x24
.text:000000709EB328A0  format= -0x20
.text:000000709EB328A0  s= -0x18
.text:000000709EB328A0  var_10= -0x10
.text:000000709EB328A0
.text:000000709EB328A0  ; __unwind { // 1000
.text:000000709EB328A0  FF C3 00 D1  SUB SP, SP, #0x30
.text:000000709EB328A4  FE 13 00 F9  STR X30, [SP,#0x30+var_10]
.text:000000709EB328A8  E0 0F 00 F9  STR X0, [SP,#0x30+s]
.text:000000709EB328AC  E1 0B 00 F9  STR X1, [SP,#0x30+format]
.text:000000709EB328B0  E2 0F 00 B9  STR W2, [SP,#0x30+var_24]
.text:000000709EB328B4  E0 0F 40 F9  LDR X0, [SP,#0x30+s] ; s
.text:000000709EB328B8  E1 0B 40 F9  LDR X1, [SP,#0x30+format] ; format
.text:000000709EB328BC  E2 0F 40 B9  LDR W2, [SP,#0x30+var_24]
.text:000000709EB328C0  98 B6 FE 97  BL .sprintf

.text:000000709EB328C4  FE 13 40 F9  LDR X30, [SP,#0x30+var_10]
.text:000000709EB328C8  FF C3 00 91  ADD SP, SP, #0x30 ; '0'
.text:000000709EB328CC  C0 03 5F D6  RET
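// Generated random AES KEY and IV
fda958f6-07e5-47 KEY
e4ae2f7b-96b5-4a IV

6.3 RSA-encrypting the AES KEY and IV

The random AES KEY and IV are concatenated into a single string, fda958f6-07e5-47e4ae2f7b-96b5-4a, and that string is encrypted with the RSA private key.

RSA private key (partially redacted):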


The encryption itself is performed by calling into Java through reflection:

.text:000000709EB328D0                   decode_sub_70575F28D0.text:000000709EB328D0.text:000000709EB328D0                   var_3C= -0x3C.text:000000709EB328D0                   var_38= -0x38.text:000000709EB328D0                   var_30= -0x30.text:000000709EB328D0                   var_28= -0x28.text:000000709EB328D0                   var_20= -0x20.text:000000709EB328D0                   var_18= -0x18.text:000000709EB328D0                   var_10= -0x10.text:000000709EB328D0.text:000000709EB328D0                   ; __unwind { // 1000.text:000000709EB328D0 FF 03 01 D1       SUB             SP, SP, #0x40.text:000000709EB328D4 FE 1B 00 F9       STR             X30, [SP,#0x40+var_10].text:000000709EB328D8 E0 17 00 F9       STR             X0, [SP,#0x40+var_18].text:000000709EB328DC E1 13 00 F9       STR             X1, [SP,#0x40+var_20].text:000000709EB328E0 E2 0F 00 F9       STR             X2, [SP,#0x40+var_28].text:000000709EB328E4 E3 0B 00 F9       STR             X3, [SP,#0x40+var_30].text:000000709EB328E8 E4 07 00 F9       STR             X4, [SP,#0x40+var_38].text:000000709EB328EC E5 07 00 B9       STR             W5, [SP,#0x40+var_3C].text:000000709EB328F0 E0 17 40 F9       LDR             X0, [SP,#0x40+var_18].text:000000709EB328F4 E1 13 40 F9       LDR             X1, [SP,#0x40+var_20].text:000000709EB328F8 E2 0F 40 F9       LDR             X2, [SP,#0x40+var_28].text:000000709EB328FC E3 0B 40 F9       LDR             X3, [SP,#0x40+var_30].text:000000709EB32900 E4 07 40 F9       LDR             X4, [SP,#0x40+var_38].text:000000709EB32904 E5 07 40 B9       LDR             W5, [SP,#0x40+var_3C].text:000000709EB32908 2B 83 00 94       BL              CallObjectMethod_sub_786D1D15B4.text:000000709EB32908.text:000000709EB3290C FE 1B 40 F9       LDR             X30, [SP,#0x40+var_10].text:000000709EB32910 FF 03 01 91       ADD             SP, SP, #0x40 ; '@'.text:000000709EB32914 C0 03 5F D6       RET
.text:000000709EB32958 getInstance_sub_70575F2958.text:000000709EB32958.text:000000709EB32958 var_38= -0x38.text:000000709EB32958 var_30= -0x30.text:000000709EB32958 var_28= -0x28.text:000000709EB32958 var_20= -0x20.text:000000709EB32958 var_18= -0x18.text:000000709EB32958 var_10= -0x10.text:000000709EB32958.text:000000709EB32958 ; __unwind { // 1000.text:000000709EB32958 FF 03 01 D1 SUB SP, SP, #0x40.text:000000709EB3295C FE 1B 00 F9 STR X30, [SP,#0x40+var_10].text:000000709EB32960 E0 17 00 F9 STR X0, [SP,#0x40+var_18].text:000000709EB32964 E1 13 00 F9 STR X1, [SP,#0x40+var_20].text:000000709EB32968 E2 0F 00 F9 STR X2, [SP,#0x40+var_28].text:000000709EB3296C E3 0B 00 F9 STR X3, [SP,#0x40+var_30].text:000000709EB32970 E4 07 00 F9 STR X4, [SP,#0x40+var_38].text:000000709EB32974 E0 17 40 F9 LDR X0, [SP,#0x40+var_18].text:000000709EB32978 E1 13 40 F9 LDR X1, [SP,#0x40+var_20].text:000000709EB3297C E2 0F 40 F9 LDR X2, [SP,#0x40+var_28].text:000000709EB32980 E3 0B 40 F9 LDR X3, [SP,#0x40+var_30].text:000000709EB32984 E4 07 40 F9 LDR X4, [SP,#0x40+var_38].text:000000709EB32988 0B 83 00 94 BL CallObjectMethod_sub_786D1D15B4.text:000000709EB32988.text:000000709EB3298C FE 1B 40 F9 LDR X30, [SP,#0x40+var_10].text:000000709EB32990 FF 03 01 91 ADD SP, SP, #0x40 ; '@'.text:000000709EB32994 C0 03 5F D6 RET
.text:000000709EB32998 generatePrivate_sub_70575F2998.text:000000709EB32998.text:000000709EB32998 var_38= -0x38.text:000000709EB32998 var_30= -0x30.text:000000709EB32998 var_28= -0x28.text:000000709EB32998 var_20= -0x20.text:000000709EB32998 var_18= -0x18.text:000000709EB32998 var_10= -0x10.text:000000709EB32998.text:000000709EB32998 ; __unwind { // 1000.text:000000709EB32998 FF 03 01 D1 SUB SP, SP, #0x40.text:000000709EB3299C FE 1B 00 F9 STR X30, [SP,#0x40+var_10].text:000000709EB329A0 E0 17 00 F9 STR X0, [SP,#0x40+var_18].text:000000709EB329A4 E1 13 00 F9 STR X1, [SP,#0x40+var_20].text:000000709EB329A8 E2 0F 00 F9 STR X2, [SP,#0x40+var_28].text:000000709EB329AC E3 0B 00 F9 STR X3, [SP,#0x40+var_30].text:000000709EB329B0 E4 07 00 F9 STR X4, [SP,#0x40+var_38].text:000000709EB329B4 E0 17 40 F9 LDR X0, [SP,#0x40+var_18].text:000000709EB329B8 E1 13 40 F9 LDR X1, [SP,#0x40+var_20].text:000000709EB329BC E2 0F 40 F9 LDR X2, [SP,#0x40+var_28].text:000000709EB329C0 E3 0B 40 F9 LDR X3, [SP,#0x40+var_30].text:000000709EB329C4 E4 07 40 F9 LDR X4, [SP,#0x40+var_38].text:000000709EB329C8 B5 7C 00 94 BL calljavamethond_sub_786D1CFC9C.text:000000709EB329C8.text:000000709EB329CC FE 1B 40 F9 LDR X30, [SP,#0x40+var_10].text:000000709EB329D0 FF 03 01 91 ADD SP, SP, #0x40 ; '@'.text:000000709EB329D4 C0 03 5F D6 RET

.text:000000709EB32A60 doFinal_sub_70575F2A60
.text:000000709EB32A60
.text:000000709EB32A60 var_38= -0x38
.text:000000709EB32A60 var_30= -0x30
.text:000000709EB32A60 var_28= -0x28
.text:000000709EB32A60 var_20= -0x20
.text:000000709EB32A60 var_18= -0x18
.text:000000709EB32A60 var_10= -0x10
.text:000000709EB32A60
.text:000000709EB32A60 ; __unwind { // 1000
.text:000000709EB32A60 FF 03 01 D1 SUB SP, SP, #0x40
.text:000000709EB32A64 FE 1B 00 F9 STR X30, [SP,#0x40+var_10]
.text:000000709EB32A68 E0 17 00 F9 STR X0, [SP,#0x40+var_18]
.text:000000709EB32A6C E1 13 00 F9 STR X1, [SP,#0x40+var_20]
.text:000000709EB32A70 E2 0F 00 F9 STR X2, [SP,#0x40+var_28]
.text:000000709EB32A74 E3 0B 00 F9 STR X3, [SP,#0x40+var_30]
.text:000000709EB32A78 E4 07 00 F9 STR X4, [SP,#0x40+var_38]
.text:000000709EB32A7C E0 17 40 F9 LDR X0, [SP,#0x40+var_18]
.text:000000709EB32A80 E1 13 40 F9 LDR X1, [SP,#0x40+var_20]
.text:000000709EB32A84 E2 0F 40 F9 LDR X2, [SP,#0x40+var_28]
.text:000000709EB32A88 E3 0B 40 F9 LDR X3, [SP,#0x40+var_30]
.text:000000709EB32A8C E4 07 40 F9 LDR X4, [SP,#0x40+var_38]
.text:000000709EB32A90 83 7C 00 94 BL calljavamethond_sub_786D1CFC9C
.text:000000709EB32A90
.text:000000709EB32A94 FE 1B 40 F9 LDR X30, [SP,#0x40+var_10]
.text:000000709EB32A98 FF 03 01 91 ADD SP, SP, #0x40 ; '@'
.text:000000709EB32A9C C0 03 5F D6 RET

The AES key and IV after encryption with the RSA private key:

00000000   98 93 1B 85 66 82 76 26  88 2B 09 13 AA 22 4E 76
00000020   9B 3F 47 93 8B A7 CD D7  A6 48 3D C9 70 55 29 6A
00000040   57 B7 65 AE F4 3E 2C CB  5C E1 CD 6B 57 B5 86 2F
00000060   1D 81 FC A3 56 27 64 13  27 42 A0 84 C3 23 CD 0D
00000080   05 D1 0D B0 22 36 FE 36  B5 17 61 6F 19 14 1D B1
00000100   67 A0 1F F4 F2 09 83 CA  C1 9A C4 64 14 F4 54 7D
00000120   DA

6.4 AES encryption of the compressed device data

The compressed device data is encrypted with the key generated from random numbers:

// X0: key, X1: length, X2: return value
__int64 __fastcall AES_initkey_sub_70576377C8(unsigned int *a1, int a2, unsigned int *a3)
{
  unsigned int v3; // w8
  unsigned int v29; // w17

  v3 = -1;
  if ( a1 && a3 ) {
    if ( a2 != 128 && a2 != 256 && a2 != 192 )
      return 4294967294LL;
    if ( a2 == 128 ) {
      v4 = 10;
    } else if ( a2 == 192 ) {
      v4 = 12;
    } else {
      v4 = 14;
    }
    a3[60] = v4;
    v6 = _byteswap_ulong(*a1);
    *a3 = v6;
    a3[1] = _byteswap_ulong(a1[1]);
    a3[2] = _byteswap_ulong(a1[2]);
    a3[3] = _byteswap_ulong(a1[3]);
    if ( a2 == 128 ) {
      v7 = 0LL;
      v8 = a3 + 4;
      do {
        v9 = *(v8 - 1);
        v6 ^= dword_709EBD4F74[BYTE2(v9)] & 0xFF000000
            ^ dword_709EBD5374[BYTE1(v9)] & 0xFF0000
            ^ dword_709EBD5774[(unsigned __int8)v9] & 0xFF00
            ^ byte_709EBD5B74[4 * HIBYTE(v9)]
            ^ *(_DWORD *)((char *)&unk_709EBD5F74 + v7);
        v10 = *(v8 - 2);
        v7 += 4LL;
        v11 = *(v8 - 3) ^ v6;
        *v8 = v6;
        v8[1] = v11;
        v12 = v10 ^ v11;
        v8[2] = v12;
        v8[3] = v9 ^ v12;
        v8 += 4;
      } while ( v7 != 40 );
    } else {
      a3[4] = _byteswap_ulong(a1[4]);
      a3[5] = _byteswap_ulong(a1[5]);
      if ( a2 == 192 ) {
        v13 = 0LL;
        for ( i = a3 + 6; ; i += 6 ) {
          v16 = *(i - 1);
          v6 ^= dword_709EBD4F74[BYTE2(v16)] & 0xFF000000
              ^ dword_709EBD5374[BYTE1(v16)] & 0xFF0000
              ^ dword_709EBD5774[(unsigned __int8)v16] & 0xFF00
              ^ byte_709EBD5B74[4 * HIBYTE(v16)]
              ^ *(_DWORD *)((char *)&unk_709EBD5F74 + v13);
          v17 = *(i - 3);
          v18 = *(i - 5) ^ v6;
          v19 = *(i - 4) ^ v18;
          *i = v6;
          i[1] = v18;
          i[2] = v19;
          i[3] = v17 ^ v19;
          if ( v13 == 28 )
            break;
          v13 += 4LL;
          v15 = *(i - 2) ^ v17 ^ v19;
          i[4] = v15;
          i[5] = v16 ^ v15;
        }
      } else {
        a3[6] = _byteswap_ulong(a1[6]);
        a3[7] = _byteswap_ulong(a1[7]);
        v20 = 0LL;
        for ( j = a3 + 8; ; j += 8 ) {
          v25 = *(j - 1);
          v6 ^= dword_709EBD4F74[BYTE2(v25)] & 0xFF000000
              ^ dword_709EBD5374[BYTE1(v25)] & 0xFF0000
              ^ dword_709EBD5774[(unsigned __int8)v25] & 0xFF00
              ^ byte_709EBD5B74[4 * HIBYTE(v25)]
              ^ *(_DWORD *)((char *)&unk_709EBD5F74 + v20);
          v26 = *(j - 5);
          v27 = *(j - 7) ^ v6;
          v28 = *(j - 6) ^ v27;
          *j = v6;
          j[1] = v27;
          j[2] = v28;
          j[3] = v26 ^ v28;
          if ( v20 == 24 )
            break;
          v29 = v26 ^ v28;
          v22 = dword_709EBD4F74[HIBYTE(v29)] & 0xFF000000
              ^ *(j - 4)
              ^ dword_709EBD5374[BYTE2(v29)] & 0xFF0000
              ^ dword_709EBD5774[BYTE1(v29)] & 0xFF00
              ^ byte_709EBD5B74[4 * (unsigned __int8)v29];
          v23 = *(j - 2);
          v24 = *(j - 3) ^ v22;
          j[4] = v22;
          j[5] = v24;
          v20 += 4LL;
          j[6] = v23 ^ v24;
          j[7] = v25 ^ v23 ^ v24;
        }
      }
    }
    return 0;
  }
  return v3;
}

// X0: source data, X1: output, X2: size, X3: initialized key, X4: IV
long double __fastcall AES_enc_data_sub_705760C380(
        _QWORD *a1,
        long double *a2,
        unsigned __int64 a3,
        __int64 a4,
        long double *a5,
        void (__fastcall *a6)(long double *, long double *, __int64))
{
  unsigned __int64 v6; // x24
  unsigned __int64 v10; // x8
  unsigned __int64 v11; // x22
  unsigned __int64 v12; // x27
  long double *v13; // x26
  unsigned __int64 v14; // x19
  long double *v15; // x8
  _QWORD *v16; // x28
  long double *v17; // x25
  long double *v18; // x8
  __int64 v19; // x24
  unsigned __int64 v20; // x25
  _QWORD *v21; // x22
  long double *v22; // x10
  unsigned __int64 v23; // x27
  unsigned __int64 v24; // x10
  unsigned __int64 v25; // x13
  __int128 v26; // q0
  __int128 v27; // q1
  _OWORD *v28; // x14
  unsigned __int64 v29; // x9
  __int64 v30; // x14
  long double *v31; // x23
  __int64 v32; // x13
  __int64 v33; // x15
  unsigned __int64 v34; // x10
  __int64 v35; // x11
  long double *v36; // x17
  unsigned __int64 v37; // x14
  unsigned __int64 v38; // x13
  int8x16_t v39; // q0
  int8x16_t v40; // q1
  int8x16_t v41; // q2
  int8x16_t v42; // q3
  int8x16_t *v43; // x15
  unsigned __int64 v44; // x11
  unsigned __int64 v45; // x12
  long double result; // q0
  _QWORD *v48; // [xsp+8h] [xbp-58h]
  _QWORD *v49; // [xsp+8h] [xbp-58h]

  v6 = a3;
  v10 = a3 - 16;
  if ( a3 < 0x10 ) {
    v18 = a5;
    v13 = a2;
    v14 = a3;
  } else {
    v11 = v10 & 0xFFFFFFFFFFFFFFF0LL;
    v12 = (v10 & 0xFFFFFFFFFFFFFFF0LL) + 16;
    v13 = (long double *)((char *)a2 + v12);
    v14 = v10 - (v10 & 0xFFFFFFFFFFFFFFF0LL);
    v15 = a5;
    v16 = a1;
    v17 = a2;
    v48 = a1;
    do {
      *(_QWORD *)v17 = *(_QWORD *)v15 ^ *v16;
      *((_QWORD *)v17 + 1) = *((_QWORD *)v15 + 1) ^ v16[1];
      a6(v17, v17, a4);
      v6 -= 16LL;
      v15 = v17++;
      v16 += 2;
    } while ( v6 > 0xF );
    v18 = (long double *)((char *)a2 + v11);
    a1 = (_QWORD *)((char *)v48 + v12);
  }
  if ( v14 ) {
    v19 = 0LL;
    v20 = -(__int64)v14;
    v21 = a1;
    v22 = v13;
    v23 = v14;
    v49 = a1;
    while ( 1 ) {
      v30 = 2 * v19;
      v29 = 0LL;
      v31 = v22;
      if ( v20 <= 0xFFFFFFFFFFFFFFF0LL )
        v32 = -16LL;
      else
        v32 = v20;
      if ( 16 * v19 - v14 <= 0xFFFFFFFFFFFFFFF0LL )
        v33 = -16LL;
      else
        v33 = 16 * v19 - v14;
      v34 = (unsigned __int64)&v13[(unsigned __int64)v30 / 2];
      v35 = -v33;
      if ( (unsigned __int64)-v33 <= 0x1F )
        goto LABEL_26;
      v29 = 0LL;
      if ( (v35 & 0xFFFFFFFFFFFFFFE0LL) == 0 )
        goto LABEL_26;
      v36 = (long double *)((char *)&v13[(unsigned __int64)v30 / 2 - 1] - v33 + 15);
      if ( v34 <= (unsigned __int64)&v49[v30 - 1] - v33 + 7 && &v49[v30] <= (_QWORD *)v36 )
        goto LABEL_26;
      if ( v34 <= (unsigned __int64)v18 - v33 - 1 && v18 <= v36 )
        goto LABEL_26;
      v37 = 0LL;
      v38 = -v32 & 0xFFFFFFFFFFFFFFE0LL;
      v29 = v35 & 0xFFFFFFFFFFFFFFE0LL;
      do {
        v39 = *(int8x16_t *)&v21[v37 / 8];
        v40 = *(int8x16_t *)&v21[v37 / 8 + 2];
        v41 = *(int8x16_t *)&v18[v37 / 0x10];
        v42 = *(int8x16_t *)&v18[v37 / 0x10 + 1];
        v43 = (int8x16_t *)&v31[v37 / 0x10];
        v37 += 32LL;
        *v43 = veorq_s8(v41, v39);
        v43[1] = veorq_s8(v42, v40);
      } while ( v38 != v37 );
      if ( (v35 & 0xFFFFFFFFFFFFFFE0LL) != v35 ) {
LABEL_26:
        do {
          *((_BYTE *)v31 + v29) = *((_BYTE *)v18 + v29) ^ *((_BYTE *)v21 + v29);
          ++v29;
        } while ( v29 <= 0xF && v29 < v23 );
      }
      if ( v29 > 0xF )
        goto LABEL_34;
      v44 = 16 - v29;
      if ( 16 - v29 > 0x1F
        && (v45 = v44 & 0xFFFFFFFFFFFFFFE0LL, (v44 & 0xFFFFFFFFFFFFFFE0LL) != 0)
        && (v34 + v29 > (unsigned __int64)v18 + 15
         || (char *)v18 + v29 > (char *)v13 + ((16 * v19) | 0xF)) ) {
        v24 = v29 + v45;
        v25 = v44 & 0xFFFFFFFFFFFFFFE0LL;
        do {
          v26 = *(_OWORD *)((char *)v18 + v29);
          v27 = *(_OWORD *)((char *)v18 + v29 + 16);
          v28 = (_OWORD *)((char *)v31 + v29);
          v29 += 32LL;
          v25 -= 32LL;
          *v28 = v26;
          v28[1] = v27;
        } while ( v25 );
        if ( v44 == v45 )
          goto LABEL_34;
      } else {
        v24 = v29;
      }
      do {
        *((_BYTE *)v31 + v24) = *((_BYTE *)v18 + v24);
        ++v24;
      } while ( v24 != 16 );
LABEL_34:
      a6(v31, v31, a4);
      if ( v23 >= 0x11 ) {
        v23 -= 16LL;
        v21 += 2;
        v22 = v31 + 1;
        ++v19;
        v20 += 16LL;
        v18 = v31;
        if ( v23 )
          continue;
      }
      goto LABEL_38;
    }
  }
  v31 = v18;
LABEL_38:
  result = *v31;
  *a5 = *v31;
  return result;
}

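6.5 Combining the data and sending it to the server

The RSA-encrypted AES key and IV are combined with the AES-encrypted device data and sent to the server. The combined format is shown in Figure 6-5:

Figure 6-5

URL:
https://fp.fraudmetrix.cn/android3_5/profile.json?partner=missfreshaq&version=3.6.7&clientSeqId=1654331726915998700

The following class is invoked via reflection to send the network request:
cn/tongdun/android/shell/common/HttpHelper
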
private static String connect(URL arg9, byte[] body, String url, int arg12) throws Exception {
    int v4;
    int v1;
    HttpsURLConnection v9;
    if(arg9.getProtocol().toLowerCase().equals("https")) {
        v9 = (HttpsURLConnection)arg9.openConnection(Proxy.NO_PROXY);
        if(arg12 == 1) {
            HttpHelper.trustSSL(v9);
        }
        else if(arg12 == 2) {
            v9.setHostnameVerifier(HttpHelper.NAME_VERIFY);
        }
    }
    else {
        v9 = (HttpURLConnection)arg9.openConnection(Proxy.NO_PROXY);
    }

    HttpHelper.setHttpParams(v9);
    v9.setRequestMethod("POST");
    OutputStream v11 = v9.getOutputStream();
    v11.write(body);
    v11.flush();
    int v10 = v9.getResponseCode();
    if(v10 != 200) {
        String v9_1 = "Connect failed, response code " + v10;
        xxo000000xxxoo00_Log.xxo0o0ox0oxxoo(v9_1);
        return v9_1;
    }

    try {
        Map v10_2 = v9.getHeaderFields();
        if(v10_2 != null) {
            List v10_3 = (List)v10_2.get("Set-Cookie");
            if(v10_3 != null && v10_3.size() > 0) {
                int v12 = v10_3.size();
                v1 = 0;
                while(true) {
                label_60:
                    if(v1 >= v12) {
                        break;
                    }

                    String v2 = (String)v10_3.get(v1);
                    if(v2.contains("XXID=")) {
                        String[] v2_1 = v2.split(";");
                        v4 = 0;
                        while(true) {
                        label_76:
                            if(v4 >= v2_1.length) {
                                break;
                            }

                            String v5 = v2_1[v4];
                            if(!v5.startsWith("XXID")) {
                                ++v4;
                                goto label_76;
                            }

                            String v5_1 = v5.substring(5, v5.length());
                            if(TextUtils.isEmpty(v5_1)) {
                                ++v4;
                                goto label_76;
                            }

                            FMAgent.xxid = v5_1;
                            break;
                        }
                    }

                    ++v1;
                }
            }
        }
    }
    catch(Exception v10_1) {
        v10_1.printStackTrace();
    }

    goto label_99;
    ++v4;
    goto label_76;
    ++v1;
    goto label_60;
label_99:
    InputStream v9_2 = v9.getInputStream();
    BufferedReader v10_4 = new BufferedReader(new InputStreamReader(v9_2, "utf-8"));
    StringBuilder v12_1 = new StringBuilder();
    while(true) {
        String v0 = v10_4.readLine();
        if(v0 == null) {
            break;
        }

        v12_1.append(v0);
    }

    v9_2.close();
    v11.close();
    return v12_1.toString();
}

On success the server returns the blackbox:

{"code":"000","desc":"k9OCtUBncUi1/r3N84z30FFW3AwxnmZnJfuKa2bhCcS/s9mKZAuBFnJ6BYRDDpUkz+fxJhWvD+bbun3eUbCyiw=="}

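This value is generated from the hardware ID, the OAID and the file ID.

7. Reproducing the encryption flaw and the man-in-the-middle attack

7.1 Recovering the public key from the private key

In theory it is hard to derive the public key from a private key (one that holds only d and n), and the private key cannot be derived from the public key. This SDK, however, stores its private key in PKCS encoding, so the private key data can be parsed according to the following structure: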

RSAPrivateKey ::= SEQUENCE {
    version           Version,
    modulus           INTEGER,  -- n
    publicExponent    INTEGER,  -- e
    privateExponent   INTEGER,  -- d
    prime1            INTEGER,  -- p
    prime2            INTEGER,  -- q
    exponent1         INTEGER,  -- d mod (p-1)
    exponent2         INTEGER,  -- d mod (q-1)
    coefficient       INTEGER,  -- (inverse of q) mod p
    otherPrimeInfos   OtherPrimeInfos OPTIONAL
}

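The structure shows that the private key actually contains the p and q used to generate the key pair, as well as the public key values (e, n). The public key data can therefore be obtained by parsing the private key format. In code:

Load the private key: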

    /**
     * Load the private key from a string
     * @param privateKeyStr
     * @return
     * @throws Exception
     */
    public static RSAPrivateKey loadPrivateKeyByStr(String privateKeyStr) throws Exception {
        try {
            byte[] buffer = java.util.Base64.getDecoder().decode(privateKeyStr);
            PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(buffer);
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            return (RSAPrivateKey) keyFactory.generatePrivate(keySpec);
        } catch (NoSuchAlgorithmException e) {
            throw new Exception("无此算法");        // "no such algorithm"
        } catch (InvalidKeySpecException e) {
            throw new Exception("私钥非法");        // "invalid private key"
        } catch (NullPointerException e) {
            throw new Exception("私钥数据为空");    // "private key data is empty"
        }
    }

    public static String gethexPublicKey(String modulus, String exponent) {
        try {
            BigInteger b1 = new BigInteger(modulus,16); // the second argument is the radix (hex)
            BigInteger b2 = new BigInteger(exponent,16);
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            RSAPublicKeySpec keySpec = new RSAPublicKeySpec(b1, b2);
            RSAPublicKey publicKey = (RSAPublicKey) keyFactory.generatePublic(keySpec);
            // JDK encoder, matching the java.util.Base64 decoder used in loadPrivateKeyByStr
            String publicKeyString = java.util.Base64.getEncoder().encodeToString(publicKey.getEncoded());
            return publicKeyString;
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

Extract the public key:

        // Extract the public key from the private key in the SDK (part of it is redacted)
        String strprivatekey  = "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALE2OfQ8BYg9Lq4nKGTamXyia6raCc1adzCOsFrnk/VN0s2W8yQJfYdq+QUNRHv0zANW0Uafh7nHCWeBn/GOC26xTsUku3/ElECGthT5ED0MOO8EQ6dhci4So/Y/fNuAczqDFk5RKRbmo1gz7xuCdUTQYmD+h1cjl95HGrY6TMinAgMBAAECgYBCHYwjvh0GRmVbHkrozdID+QkYdj6/+eeMG0BauhmupLlocNAH+u51joiXxOpvINbYzBRKOAzIWCT/FBKbabaDl5IhuUwV+CJ90SBLAbs/Wd+QjnUhXbyKb+Tm3+Uz2y26xWc7XdhGNe3Wjyz2+fN8CbfdC2SlUnibADOEQXJFIQJBAOUgSH/+uyIJKo6DOHJSfrhDlYX875H4Yq8ifuS1R7hQcK5T8sYV/OIzTRSvFaYL+FG8nA9vr8rulojcDPYzqrcCQQDF/yuUtb1wliR+zH7iE/5pv0dGfuwhSec777TYuLEP6VnX68zI/Kyq2JdIYYO7MidjH4bFd50NnRacHi3AtKGRAkEAiU+Gg0Y6CVSq70sOSdzMWksOUYTaYYUURtaKay+Ecp2qWZ6vkCxfJ4QM/odKlv73aqx4bfvFwvymtBADqIwgEwJBAIHtZq3ZbQz6mcxTaVf2Atdl2+HY3B8kHgdoz2YAHMDyQjC83c9ub+hU5UFsLEOlL8+OGqRuT7NlSDb+Xsu8POECQQDPcNOysMNbrLh1mGe6ydUsojSbheAIOZPQ/lhUbhzPXAXTYaPkTq7uty6SYZOMtWLxIFZ1eA9HHm3tJOCgC888";
        RSAPrivateKey privateKey = RSAUtils.loadPrivateKeyByStr(strprivatekey);
        // Obtain the public key
        BigInteger modulus = privateKey.getModulus();
        byte[] bmodulus = modulus.toByteArray();
        String modulusString = StringToHex.bytesToHex(bmodulus);
        System.out.println("modulusString:"+modulusString);
        String publicKeyString = RSAEncrypt.gethexPublicKey(modulusString, "010001");
        System.out.println("publicKeyString:"+publicKeyString);

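7.2 Decrypting the AES key and IV with the public key

With the public key in hand, run a decryption test: once the encrypted AES key and IV in the request body reported to the server can be decrypted, the AES-encrypted device data can be decrypted as well.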

        // AES key and IV encrypted with the private key
        byte[] keydata  = {
                (byte)0x98, (byte)0x93, 0x1B, (byte)0x85, 0x66, (byte)0x82, 0x76, 0x26, (byte)0x88, 0x2B, 0x09, 0x13, (byte)0xAA, 0x22, 0x4E, 0x76,
                (byte)0x9B, 0x3F, 0x47, (byte)0x93, (byte)0x8B, (byte)0xA7, (byte)0xCD, (byte)0xD7, (byte)0xA6, 0x48, 0x3D, (byte)0xC9, 0x70, 0x55, 0x29, 0x6A,
                0x57, (byte)0xB7, 0x65, (byte)0xAE, (byte)0xF4, 0x3E, 0x2C, (byte)0xCB, 0x5C, (byte)0xE1, (byte)0xCD, 0x6B, 0x57, (byte)0xB5, (byte)0x86, 0x2F,
                0x1D, (byte)0x81, (byte)0xFC, (byte)0xA3, 0x56, 0x27, 0x64, 0x13, 0x27, 0x42, (byte)0xA0, (byte)0x84, (byte)0xC3, 0x23, (byte)0xCD, 0x0D,
                0x05, (byte)0xD1, 0x0D, (byte)0xB0, 0x22, 0x36, (byte)0xFE, 0x36, (byte)0xB5, 0x17, 0x61, 0x6F, 0x19, 0x14, 0x1D, (byte)0xB1,
                0x67, (byte)0xA0, 0x1F, (byte)0xF4, (byte)0xF2, 0x09, (byte)0x83, (byte)0xCA, (byte)0xC1, (byte)0x9A, (byte)0xC4, 0x64, 0x14, (byte)0xF4, 0x54, 0x7D,
                (byte)0xDA, 0x3A, 0x40, 0x75, 0x28, 0x6B, (byte)0x9C, 0x2D, 0x34, 0x02, 0x3A, 0x7C, 0x74, 0x58, (byte)0xD0, 0x68,
                0x4C, 0x1D, (byte)0xD3, (byte)0x80, (byte)0xD0, (byte)0xF8, 0x49, 0x17, (byte)0x99, (byte)0xE3, (byte)0xB9, 0x25, (byte)0x8C, 0x44, (byte)0xFA, (byte)0xC4
        };
        String publicKey = publicKeyString;
        // Decrypt the AES key and IV with the public key
        String aeskey  = new String(RSAUtils.publicKeyDecrypt(publicKey, keydata)); // first 16 bytes are the AES key, last 16 bytes are the IV
        System.out.println("aeskey:"+aeskey);
        // Decrypted value: fda958f6-07e5-47e4ae2f7b-96b5-4a

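The recovery in 7.1 and 7.2 next to a corrected key-wrapping layout, as an added example that is not code from the original article or from the SDK. The class name, the throwaway key pair and the two transformation strings are assumptions; the article does not state which padding the SDK uses.

```java
import java.security.*;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;

public class KeyWrapComparison {                       // hypothetical class name
    // Assumed transformations; the article does not state the SDK's padding.
    static final String WEAK = "RSA/ECB/PKCS1Padding";
    static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    static byte[] rsa(String alg, int mode, Key key, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(alg);
        c.init(mode, key);
        return c.doFinal(in);
    }

    // A PKCS#8 RSA key in CRT form carries n and e, so its holder can rebuild the public key.
    static PublicKey publicFromPkcs8(byte[] pkcs8) throws GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance("RSA");
        RSAPrivateCrtKey crt = (RSAPrivateCrtKey) kf.generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
        return kf.generatePublic(new RSAPublicKeySpec(crt.getModulus(), crt.getPublicExponent()));
    }

    public static void main(String[] args) throws Exception {
        // Constructed test material: throwaway key pair, random 16-byte key + 16-byte IV.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair server = kpg.generateKeyPair();
        byte[] keyAndIv = new byte[32];
        new SecureRandom().nextBytes(keyAndIv);

        // Weak layout: the private key ships inside the client and "encrypts" the AES key/IV.
        byte[] embedded = server.getPrivate().getEncoded();   // PKCS#8 bytes stored in the app
        PrivateKey clientKey = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(embedded));
        byte[] weakBlob = rsa(WEAK, Cipher.ENCRYPT_MODE, clientKey, keyAndIv);
        byte[] seen = rsa(WEAK, Cipher.DECRYPT_MODE, publicFromPkcs8(embedded), weakBlob);
        System.out.println("weak: key/IV readable with app contents only = "
                + Arrays.equals(seen, keyAndIv));

        // Corrected layout: the client holds only the server's public key and wraps with OAEP.
        byte[] blob = rsa(OAEP, Cipher.ENCRYPT_MODE, server.getPublic(), keyAndIv);
        try {
            rsa(OAEP, Cipher.DECRYPT_MODE, server.getPublic(), blob);
            System.out.println("fixed: public key unwrapped the blob (unexpected)");
        } catch (GeneralSecurityException e) {
            System.out.println("fixed: public key cannot unwrap: " + e.getClass().getSimpleName());
        }
        byte[] atServer = rsa(OAEP, Cipher.DECRYPT_MODE, server.getPrivate(), blob);
        System.out.println("fixed: server private key unwraps = "
                + Arrays.equals(atServer, keyAndIv));
    }
}
```

In the corrected layout nothing stored in the client can unwrap the session key, so extracting the app's key material no longer exposes the AES key and IV of captured requests.
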
7.3 AES-decrypting the compressed device data

    /**
     *
     * @param FilePath the dumped, compressed device data to decrypt
     * @return the decrypted compressed data
     */
    public static byte[] aesDecrypt(String FilePath, String key, String iv) {
        try {
            if (FilePath.isEmpty() || key.isEmpty()){
                return null;
            }
            // Load the data to decrypt from the file as a byte[]
            byte[] encryptBytes = {};
            encryptBytes = FileUtils.getContent(FilePath);

            // Create a key generator (not used by the decryption below)
            KeyGenerator kgen = KeyGenerator.getInstance(EncryptAesUtil.AES);
            kgen.init(128);
            // Initialize the cipher in decrypt mode
            Cipher cipher = Cipher.getInstance(ALGORITHMS);
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key.getBytes(), EncryptAesUtil.AES), new IvParameterSpec(iv.getBytes(StandardCharsets.UTF_8)));
            byte[] decryptBytes = cipher.doFinal(encryptBytes);
            String decstr = bytesToHex(decryptBytes);
            System.out.println("decryptBytes:"+decstr);

            return decryptBytes;
        } catch (Exception e) {
            System.out.println(e.getMessage() + e);
        }
        return null;
    }

    // The first 16 bytes are the AES key, the last 16 bytes are the IV
    String key = "fda958f6-07e5-47";
    String iv = "e4ae2f7b-96b5-4a";
    // AES-decrypt the compressed device data
    EncryptAesUtil.aesDecrypt("dump_deviceinfo_AES.data",key, iv);

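There is one more layer of decryption inside the VM, which requires restoring most of the handlers. The VM code is not heavily obfuscated, so it is fairly easy to analyze. I will leave that as an open exercise for readers who want to dig deeper.

8. Summary

Business:

The product is a long-established brand. In recent years it has shifted from marketing and channel anti-fraud toward financial security, so its effort on marketing and channel anti-fraud may be weaker. The product has many shortcomings in user experience, stability, ease of use and security.

Code:

The package is too large, the architecture is not lean enough, there are too many modules and the code is redundant. On the anti-reversing side, moving some of the algorithms into a VM is fairly effective. Many encryption paths do not check for empty data, so the VM engine is executed even when the data is empty, which hurts performance.

Security:

The security capability is decent. Strings in the code are encrypted, and the logic is split across two modules, A and B: most method logic in module A is implemented through the VM engine in module B, which raises the difficulty of reversing. The shortcoming is the use of an insecure key-encryption scheme.

To obtain the sample, follow the public account and reply "td" in its input box to get the download link.

About the author:
I am 小三, currently working in software security. Although I have been working for many years, I still pursue my goals persistently, believe in lifelong growth and do not define myself. I love technology without being confined to it, enjoy sharing, like reading and am happy to make friends. You are welcome to add me on WeChat (reply "wx" in the public account's input box).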


Article source: https://mp.weixin.qq.com/s?__biz=MzU3MDc0MTY1MA==&mid=2247484080&idx=1&sn=c475cb405478abbec270a67d87d66187&chksm=fceb844dcb9c0d5b1aee9265c05fd99b7ea7da0ed6ea225da7a951e0436dfbe6a2fa52a8846e&scene=58&subscene=0#rd