i茅台 app reverse analysis: Frida anti-debugging
This article is for study of the approach only; do not use it for illegal attacks.
Environment:
i茅台 1.3.7
frida 14.2.17
Android 9
Frida injection
First, run plain Frida without injecting any script:
frida -U -f com.moutai.mall --no-pause
     ____
    / _  |   Frida 14.2.17 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/

Spawned `com.moutai.mall`. Resuming main thread!
[MI 8::com.moutai.mall]-> Process terminated
[MI 8::com.moutai.mall]->
The process being killed as soon as it is resumed, with no script loaded at all, means the app detects Frida itself. That detection can live in the Java layer or in a native .so. The countermeasures commonly suggested online are: use the modified "葫芦娃" (hluda) build of Frida, rename the frida-server binary, and change the frida-server port. The frida-server used throughout this article already meets all three conditions and the app still dies, so the check is more thorough than the usual name/port matching.
Locating the anti-debugging:
The app is packed, so the protection is almost certainly in the native layer (Java-layer anti-debugging is dated and easy to patch out). The plan: hook `android_dlopen_ext` in the system's libdl.so to see which .so is loaded immediately before the process dies, then locate the anti-debugging thread inside that .so, and finally replace that thread function with an empty function so the Frida check never runs. The hook for `android_dlopen_ext`:
function hook_dlopen(soName = '') {
    // android_dlopen_ext is what the Android runtime uses to load every native library;
    // logging its first argument shows each library path in load order.
    Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
        onEnter: function (args) {
            var pathptr = args[0];
            if (pathptr !== undefined && pathptr != null) {
                var path = ptr(pathptr).readCString();
                console.log(path);
            }
        }
    });
}
setImmediate(hook_dlopen, "");
The hook above only tells us which .so is being loaded at the moment the process dies:
└─# frida -U -f com.moutai.mall -l imoutai.js --no-pause
(Frida banner as above)
Spawned `com.moutai.mall`. Resuming main thread!
[MI 8::com.moutai.mall]-> /system/framework/oat/arm64/org.apache.http.legacy.boot.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/oat/arm64/base.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libnesec.so
Process terminated
[MI 8::com.moutai.mall]->
Thank you for using Frida!
With the script injected, the output makes libnesec.so the prime suspect: across repeated runs the process always dies right after that library is loaded, so a function inside it is doing the detection. Such checks usually run in a dedicated thread, so the next step is to modify the script: once libnesec.so has been loaded, hook `pthread_create` in libc and print the offset of every new thread's start routine relative to the libnesec.so base. The new script:
var soaddr = null;

function hook_dlopen(soName = '') {
    Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
        onEnter: function (args) {
            var pathptr = args[0];
            if (pathptr !== undefined && pathptr != null) {
                var path = ptr(pathptr).readCString();
                if (path.indexOf(soName) != -1) {
                    this.hook = true;   // this dlopen call is loading the target .so
                }
                console.log(path);
            }
        },
        onLeave: function (ret) {
            // The original had `if (this.hook = true)`, an assignment that is always true,
            // so pthread_create got hooked on every dlopen call (three times before the
            // first thread was created, hence every offset printed three times).
            if (this.hook === true) {
                soaddr = Module.findBaseAddress(soName);
                hook_pthread_create();
            }
        }
    });
}

// Handy for printing a native backtrace from inside a hook; not used in the run below.
function printNativeStack(context, name) {
    var trace = Thread.backtrace(context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n");
    console.log(trace);
}

function hook_pthread_create() {
    Interceptor.attach(Module.findExportByName("libc.so", "pthread_create"), {
        onEnter(args) {
            var func_addr = args[2];             // start_routine of the new thread
            var offes = func_addr.sub(soaddr);   // offset relative to the libnesec.so base
            console.log("The thread function address is " + offes);
        }
    });
}
setImmediate(hook_dlopen, "libnesec.so");
Injecting this script produces:
──(root💀r0env)-[~/Desktop/frida_js]
└─# frida -U -f com.moutai.mall -l imoutai.js --no-pause
(Frida banner as above)
Spawned `com.moutai.mall`. Resuming main thread!
[MI 8::com.moutai.mall]-> /system/framework/oat/arm64/org.apache.http.legacy.boot.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/oat/arm64/base.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libnesec.so
The thread function address is 0x8abb4
The thread function address is 0x8abb4
The thread function address is 0x8abb4
The thread function address is 0x7598c
The thread function address is 0x7598c
The thread function address is 0x7598c
The thread function address is 0x6e348
The thread function address is 0x6e348
The thread function address is 0x6e348
The thread function address is 0x9baef4fc
The thread function address is 0x9baef4fc
The thread function address is 0x9baef4fc
The thread function address is 0x8ac9c
The thread function address is 0x8ac9c
The thread function address is 0x8ac9c
The thread function address is 0x88e04
The thread function address is 0x88e04
The thread function address is 0x88e04
Process terminated
[MI 8::com.moutai.mall]->
Two things to read out of this output. Each offset is printed three times only because the script's `if (this.hook = true)` assigned instead of compared and attached the `pthread_create` hook on every dlopen call; that is cosmetic. The value 0x9baef4fc is far too large to be an offset inside libnesec.so: that thread belongs to some other library and can be ignored. Combining the remaining offsets with analysis of libnesec.so, 0x88e04 is the thread that performs the Frida check, and the process dies right after it is created. Modify the script once more so that this thread function is replaced with an empty function:
var soaddr = null;
var replaced = false;   // Interceptor.replace throws if the same address is replaced twice

function hook_dlopen(soName = '') {
    Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
        onEnter: function (args) {
            var pathptr = args[0];
            if (pathptr !== undefined && pathptr != null) {
                var path = ptr(pathptr).readCString();
                if (path.indexOf(soName) != -1) {
                    this.hook = true;
                }
                console.log(path);
            }
        },
        onLeave: function (ret) {
            if (this.hook === true) {   // `===`, not the original's `=`
                soaddr = Module.findBaseAddress(soName);
                hook_pthread_create();
            }
        }
    });
}

function printNativeStack(context, name) {
    var trace = Thread.backtrace(context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n");
    console.log(trace);
}

function hook_pthread_create() {
    Interceptor.attach(Module.findExportByName("libc.so", "pthread_create"), {
        onEnter(args) {
            let func_addr = args[2];
            var offes = func_addr.sub(soaddr);
            // Compare NativePointers with equals(); `offes == 0x88e04` only worked by
            // accident via string coercion.
            if (!replaced && offes.equals(ptr(0x88e04))) {
                replaced = true;
                // A pthread start routine is void *(*)(void *); return NULL and do nothing.
                Interceptor.replace(func_addr, new NativeCallback(function (arg) {
                    console.log("0x88e04 replaced");
                    return ptr(0);
                }, 'pointer', ['pointer']));
            }
        }
    });
}
setImmediate(hook_dlopen, "libnesec.so");
└─# frida -U -f com.moutai.mall -l imoutai.js --no-pause
(Frida banner as above)
Spawned `com.moutai.mall`. Resuming main thread!
[MI 8::com.moutai.mall]-> /system/framework/oat/arm64/org.apache.http.legacy.boot.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/oat/arm64/base.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libnesec.so
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libsecsdk.so
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libc++_shared.so
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libmmkv.so
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libproperty_get.so
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libBugly.so
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libCryptoSeed.so
/system/framework/oat/arm64/gson.odex
/data/dalvik-cache/arm64/system@app@MiuiContentCatcher@MiuiContentCatcher.apk@classes.dex
/data/dalvik-cache/arm64/system@app@CatcherPatch@CatcherPatch.apk@classes.dex
/vendor/lib64/hw/gralloc.sdm845.so
/vendor/lib64/hw/android.hardware.graphics.mapper@2.0-impl-qti-display.so
[MI 8::com.moutai.mall]-> Frida
{
    "version": "14.2.17"
}
[MI 8::com.moutai.mall]->
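The three scripts above are one procedure: find the library, find the thread, neutralize the thread. The agent below is an added example, not the article's code, that folds the procedure into one script and fixes two weaknesses a practitioner hits with the article's version: it attributes every thread start routine to the module that actually contains it (so a foreign thread such as the 0x9baef4fc entry is labelled instead of being reported as a bogus libnesec.so offset), and it neutralizes the detection thread by swapping `pthread_create`'s start routine argument for a no-op callback rather than patching libnesec.so's code with `Interceptor.replace`. It also hooks `pthread_create` from script start, so a thread spawned inside the library's own constructors during dlopen is still caught. `libnesec.so` and offset 0x88e04 come from the article; the module table and thread addresses in `SAMPLE_MODULES`/`SAMPLE_THREADS` are constructed so the decision logic can be exercised offline with plain Node, and the assumption that the detection thread is created through libc's `pthread_create` is what the article's own run shows.

```javascript
// Added example (not the article's script). Frida agent: log dlopen, attribute each
// pthread_create start routine to its module, and replace the known anti-debug thread
// routine with a no-op before the thread exists. Pure helpers below run under Node too.

const TARGET_SO = "libnesec.so";
// module name -> offsets (from that module's base) of thread routines to neutralize.
// 0x88e04 is the offset the article identified; add others here if you find more.
const KILL_OFFSETS = { "libnesec.so": new Set([0x88e04]) };

// Pure helper: which {name, base, size} entry (plain numbers) contains addr?
function resolveThreadStart(addr, modules) {
  for (const m of modules) {
    if (addr >= m.base && addr < m.base + m.size) {
      return { module: m.name, offset: addr - m.base };
    }
  }
  return null;                          // thread belongs to an unlisted module
}

// Pure helper: should this start routine be swapped for the no-op?
function shouldNeutralize(resolved, killTable) {
  if (resolved === null) return false;
  const offsets = killTable[resolved.module];
  return offsets !== undefined && offsets.has(resolved.offset);
}

function describe(resolved, addr) {
  return resolved === null
    ? "0x" + addr.toString(16) + " (outside every listed module)"
    : resolved.module + "+0x" + resolved.offset.toString(16);
}

// Constructed sample data: two fake module ranges and the six start routines the
// article's run printed, placed inside libnesec.so except the odd one out.
const SAMPLE_MODULES = [
  { name: "libc.so",     base: 0x7f80000000, size: 0x100000 },
  { name: "libnesec.so", base: 0x7f90000000, size: 0x200000 },
];
const SAMPLE_THREADS = [0x8abb4, 0x7598c, 0x6e348, 0x8ac9c, 0x88e04]
  .map(off => 0x7f90000000 + off)
  .concat([0x9baef4fc]);

// Runs the classification on the sample data; returns one record per thread.
function demoOffline() {
  return SAMPLE_THREADS.map(addr => {
    const r = resolveThreadStart(addr, SAMPLE_MODULES);
    return { label: describe(r, addr), kill: shouldNeutralize(r, KILL_OFFSETS) };
  });
}

// Frida wiring; guarded so the same file loads under plain Node for the offline demo.
if (typeof Interceptor !== "undefined") {
  let modules = [];
  const refreshModules = () => {
    modules = Process.enumerateModules().map(m => ({
      name: m.name, base: parseInt(m.base.toString(), 16), size: m.size,
    }));
  };
  // pthread expects void *(*start)(void *); this one returns NULL and does nothing.
  const nopThread = new NativeCallback(_arg => ptr(0), "pointer", ["pointer"]);

  Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"), {
    onEnter(args) {
      console.log("dlopen: " + (args[0].isNull() ? "?" : args[0].readCString()));
    },
  });

  Interceptor.attach(Module.findExportByName("libc.so", "pthread_create"), {
    onEnter(args) {
      const start = parseInt(args[2].toString(), 16);
      let r = resolveThreadStart(start, modules);
      if (r === null) { refreshModules(); r = resolveThreadStart(start, modules); }
      console.log("pthread_create -> " + describe(r, start));
      if (shouldNeutralize(r, KILL_OFFSETS)) {
        args[2] = nopThread;            // thread is still created, but runs nothing
        console.log("  neutralized " + describe(r, start));
      }
    },
  });
} else {
  for (const rec of demoOffline()) console.log(rec.kill ? "KILL " : "     ", rec.label);
}
```

Load it exactly like the article's scripts (`frida -U -f com.moutai.mall -l agent.js --no-pause`). Swapping `args[2]` leaves libnesec.so's code untouched, which matters against protections that checksum their own .text, and it cannot fail on a second `pthread_create` with the same routine the way a repeated `Interceptor.replace` does. The module table is refreshed lazily only when a start routine does not resolve, which keeps the hook cheap while still handling libraries loaded after script start.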
Wrap-up:
The process no longer terminates: the remaining libraries load and the Frida REPL stays responsive. That is the end of this article; go easy on me. Discussion group: 613707164
Source: https://blog.csdn.net/zxc979647835/article/details/130682638