-
UID:17777
-
- 注册时间2007-05-02
- 最后登录2024-02-16
- 在线时间18416小时
-
- 发帖770867
- 搜Ta的帖子
- 精华0
- 飞翔币207694
- 威望215657
- 飞扬币2511641
- 信誉值8
-
访问TA的空间加好友用道具
- 发帖
- 770867
- 飞翔币
- 207694
- 威望
- 215657
- 飞扬币
- 2511641
- 信誉值
- 8
|
[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]样本:0A2CA97D070A04AECB6EC9B1DA5CD987.apk[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]应用名:相册[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]先用JEB[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]打开软件,发现“相册”软件使用了腾讯乐固进行了加固: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]所以,不得不先学习一下脱壳[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]~[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]目测帖子比较长,先来个大概的目录:[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]一、脱壳,得到dex文件[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]二、对dex进行静态分析[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]三、展望一哈未来,手动脱壳~[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]**************************************** 华丽地分割线 即将开始进入正题啦 ********************************************************[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]一、脱壳,得到dex文件[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]参考贴:https://www.52pojie.cn/thread-777287-1-1.html[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun],这个帖子写得非常仔细,很适合我这种小白来学习,感谢一下贴主~[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]使用的工具:VirtualXposed、FDex2(两个工具的下载地址在帖子https://www.52pojie.cn/thread-758726-1-1.html[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]里有)[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]设备:真机[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]1、安装并运行工具[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](1)VirtualXposed下载链接:https://vxposed.com/download.html。我下载的是0.14.5版本。工具是一个apk[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](2)FDex2下载链接:https://bbs.pediy.com/thread-224105.htm。工具是一个apk。[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]这样,脱壳的工具(VirtualXposed、FDex2)跟原材料(相册apk)就准备好了。 [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](3)利用adb命令,将上方3个apk全都安装到手机上: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](4)运行VirtualXposed并激活,将FDex2与恶意软件克隆安装到VirtualXposed: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]返回刚才的设置界面: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]再次返回设置里的“模块管理”,此时已出现FDex2: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]再再次返回设置,找到最下方的“重启”: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](5)返回VirtualXposed主界面,在VirtualXposed里运行FDex2: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]此时尚未对“相册”进行脱壳,故dex输出目录为空(用adb要cd到该目录,得su): [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]2、脱壳并获取dex文件[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](1)运行一下“相册”吧: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](“相册”在我这台手机上与mumu模拟器上都无法运行,但这没关系,毕竟当前是学习分析加固恶意软件)[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](2)获取脱壳后的dex文件到电脑上:[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]此时查看dex输出目录,发现了3个dex文件: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]由于该目录访问需要su,不便于直接将dex文件拷贝到电脑上,故可先将这3个dex文件拷贝到/sdcard/目录下,再从/sdcard/目录拷贝到电脑上: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]3、确定主dex文件:[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]将3个dex文件均用jeb打开:[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]首先可以排除mix.dex [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]com.mycompdgscany.myapp828584.dex是腾讯乐固相关的dex,也可排除: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]在com.mycompdgscany.myapp558248.dex里找到Androidmanifest.xml里的入口类v.v.v.MainActivity,故com.mycompdgscany.myapp558248.dex就是“相册”软件的主要dex文件,接下来仅对这个dex文件进行分析即可。 [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]到此,脱壳完成啦~[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]**************************************** 华丽地分割线 脱壳结束,要开始静态分析dex文件啦 ********************************************************[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]二、对dex进行静态分析[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]在进入分析之前,先剧透一下我后面的分析流程图,避免因繁琐让大家看晕啦。 [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]1、从v.v.v.MainActivity的oncreate()方法入手,发现该应用的四个行为,即获取IMEI,隐藏应用图标,申请激活设备管理器,启动xservicr服务: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]2、那么看下love.qin.co.service.xservicr都做了什么吧:[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](1)在love.qin.co.service.xservicr注册了短信监视器 [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]查看所涉及的com.b.a.b.g类与com.b.a.b.f类,首先先看里面的com.b.a.b.f类:[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](1.1)com.b.a.b.f类是一个Handler,查看handleMessage(),需要着重关注com.b.a.b.d类、com.b.a.b.h类、com.b.a.b.i类: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](1.1.1)先查看:com.b.a.b.d类。com.b.a.b.d类为AsyncTask,故先查看doInBackground()方法: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]从截图可看出,关键的就是方框中的b类了,查看b类: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]为方便理解,我对上面两个图设计的方法进行下重命名: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]即,在上面两个截图中,“相册”软件给13172043886@163.com发送了一封邮件,邮件内容目前还未知,等下面会分析到。为方便后续分析,暂时先将com.b.a.b.d类重命名为”com.b.a.b.d_发送邮件”[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](1.1.2)返回com.b.a.b.f,接着看com.b.a.b.h [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]从上图可先大概猜到,“相册”软件要拦截信息并且发送给恶意主人了。主要的操作如下: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]为了方便理解,依旧先重命名一波: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]这几张图说明,“相册”软件获取了手机的通讯录信息并发给恶意主人。故将com.b.a.b.h类重命名为“com.b.a.b.h_获取通讯录信息”[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](1.1.3)返回com.b.a.b.f,接着看:com.b.a.b.i[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]分析这个类,跟上述两个类的操作流程一样,所以我就直接放结果啦: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]这几张图说明,“相册”软件设置了来电转移、给通讯录里的人群发短信、将所有短信信息通过邮件发送给恶意主人。故将com.b.a.b.i类重命名为“com.b.a.b.i_来电转移与群发与读取短信” [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](1.1.4)因此,我们可以总结,com.b.a.b.f这个类主要用于读取短信、通讯录、群发短信、来电转移、将用户信息发给恶意主人。故将com.b.a.b.f这个类重命名为”com.b.a.b.f_短信通信录来电邮件”[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](1.2)查看love.qin.co.service.xservicr调用的g类,这个类比上面的f类简单很多,做了“删除短信”的操作: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun](2)回到love.qin.co.service.xservicr,继续往下分析发现“相册”软件做的事跟上面分析的差不多,就不赘述了。 [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]3、回到v.v.v.MainActivity的oncreate()方法,该方法内调用了v.v.v.MainActivity的a()方法,查看一下里面调用的PAReceiver类: [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun] [font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun][font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]从上面几张图可以看出,PAReceiver类在阻止用户取消设备管理器,并进行通风报信。[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]好啦,这个样本分析完啦~技术性要求不高,但是挺需要耐心的,能看到这里的你也是很有耐心的~[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]**************************************** 华丽地分割线 正事都做完啦 ********************************************************[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]三、展望一哈未来,手动脱壳~[font='Segoe UI', Tahoma, 'Hiragino Sans GB', 'Microsoft Yahei', Simsun]去学习学习加固、脱壳的原理,尝试纯手动脱壳,立个flag在这里~希望不要打脸呀。
|
