TGSTC_2020_final

2020 Tencent Game Security Technical Competition, Final: Android Writeup

APK structure

t2/assets
├── Il10I01L        ELF
├── Il10I01L.idb
├── output.json
├── sec_2020.dat
└── secret          RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
t2/lib
└── armeabi
    └── libcrackme.so

There is one ELF and one audio file. The audio file secret plays back normally.

First look at the Java layer

The Java-layer logic is simple; there are four main classes.

  • Class MainActivity. The function of interest is onCreate, which copies Il10I01L and secret (the ELF and the audio file) out of the assets and tests Il10I01L. Before the check it first launches Il10I01L as root.

  • Class Native. Loads libcrackme.so and wraps the two native functions.
  • Class RootUtils. Obtains su privileges.
  • Class MyApplication. No cross-references from the Java layer; presumably a test/log module.

First look at Il10I01L

An ELF written in Go. I tried to recover the symbol information with GoUtils (go1.7); recovery succeeded.

The logic of Main_main is simple: it checks whether the file /data/local/tmp/324972397429374 exists, creates it, and writes a 116-character string into it:

39475934759034275930478590743598734095873490573495873490759347593475934759374957349573947593475973495734957349579437

libcrackme.so

Attempting to recover the symbol table

The strings in the .so show it was built with ndk-r14. I downloaded ndk-r14b myself, built a .so with debug information and created function signatures with rizzo, hoping to recover the symbol table that way, without success. It is probably an issue with the NDK toolchains; I did not dig further and had to take on the unsymbolized .so.

Dynamically registered functions

JNI_OnLoad registers two functions dynamically with RegisterNatives; the name strings are assigned in a function in .init_array. The cmd and verify functions were identified.

Dynamic debugging

After starting android_server, the app exited on its own during verify, so:

/data/local/tmp # mkdir tmp
/data/local/tmp # cp ./android_server tmp/1
/data/local/tmp # ./1 -p12345

verify then worked normally, so there is at least an anti-debugging check on port 23946.

After attaching IDA, the app exited again on the next run; I suspect a time-based anti-debugging check.

Suspend those 20 threads and patch out tp_syscall_imp, and debugging becomes possible, though this may cause some problems.

String decryption

The string decryption function is at 0xCEEF6928; it returns the corresponding string for the index argument passed in.

encrypted_string = [
0x1E, 0x1F, 0x27, 0x62, 0xD8, 0x08, 0x0A, 0x4A, 0x5B, 0x62,
0xEE, 0xC5, 0xC6, 0x2B, 0x24, 0x2E, 0x62, 0xDE, 0xB1, 0x96,
0x70, 0x10, 0x16, 0x5A, 0x50, 0x44, 0x52, 0x1B, 0x59, 0x57,
0x59, 0x5F, 0x16, 0x12, 0x36, 0x31, 0x2D, 0x2B, 0x21, 0x7C,
0x61, 0x05, 0x20, 0x2A, 0x3A, 0x2C, 0x61, 0x23, 0x31, 0x3F,
0x35, 0x7C, 0x07, 0x21, 0x24, 0x3E, 0x36, 0x3E, 0x61, 0x62,
0xF6, 0x80, 0x8A, 0x22, 0x22, 0x3D, 0x3B, 0x3B, 0x13, 0x39,
0x37, 0x30, 0x3F, 0x62, 0xD0, 0x22, 0x37, 0x71, 0x16, 0x5A,
0x50, 0x44, 0x52, 0x1B, 0x59, 0x57, 0x59, 0x5F, 0x16, 0x12,
0x36, 0x31, 0x2D, 0x2B, 0x21, 0x7C, 0x61, 0x13, 0x62, 0xBD,
0x44, 0x42, 0x21, 0x3D, 0x2B, 0x33, 0x56, 0x48, 0x62, 0xE5,
0x96, 0xBE, 0x1E, 0x7B, 0x52, 0x58, 0x37, 0x23, 0x6C, 0x28,
0x24, 0x28, 0x20, 0x67, 0x1A, 0x3E, 0x39, 0x25, 0x23, 0x29,
0x74, 0x1C, 0x3B, 0x33, 0x25, 0x35, 0x7A, 0x3A, 0x36, 0x36,
0x3E, 0x75, 0x63, 0x45, 0x40, 0x5A, 0x5A, 0x52, 0x0D, 0x7E,
0x11, 0x63, 0x62, 0xF7, 0x85, 0x8C, 0x31, 0x21, 0x39, 0x0C,
0x3A, 0x34, 0x3B, 0x32, 0x62, 0x62, 0xBF, 0xCD, 0xC4, 0x31,
0x21, 0x39, 0x0C, 0x24, 0x34, 0x22, 0x3F, 0x62, 0x62, 0xB5,
0x7F, 0x75, 0x2C, 0x22, 0x20, 0x28, 0x3D, 0x10, 0x34, 0x38,
0x20, 0x69, 0x62, 0x91, 0x32, 0x3B, 0x6A, 0x20, 0x2B, 0x29,
0x2E, 0x64, 0x21, 0x3C, 0x2A, 0x62, 0xCA, 0xED, 0xCF, 0x2F,
0x22, 0x23, 0x60, 0x24, 0x34, 0x3C, 0x30, 0x31, 0x3B, 0x22,
0x78, 0x2B, 0x3C, 0x39, 0x02, 0x01, 0x03, 0x0A, 0x1F, 0x52,
0x40, 0x52, 0x57, 0x5E, 0x5B, 0x52, 0x17, 0x77, 0x20, 0x36,
0x2A, 0x32, 0x20, 0x62, 0xC8, 0xFC, 0xF3, 0x1F, 0x41, 0x40,
0x5C, 0x53, 0x1E, 0x41, 0x56, 0x58, 0x53, 0x19, 0x5A, 0x59,
0x49, 0x32, 0x62, 0x8D, 0x67, 0x78, 0x73, 0x2D, 0x20, 0x74,
0x7F, 0x4A, 0x49, 0x12, 0x16, 0x57, 0x10, 0x55, 0x12, 0x5B,
0x1C, 0x22, 0x62, 0x66, 0x3C, 0x65, 0x63, 0x3F, 0x72, 0x6C,
0x32, 0x6B, 0x69, 0x38, 0x6E, 0x6A, 0x23, 0x62, 0xD8, 0x32,
0x34, 0x21, 0x23, 0x2B, 0x2D, 0x3D, 0x2F, 0x62, 0xE9, 0x36,
0x3B, 0x66, 0x3A, 0x39, 0x23, 0x2E, 0x61, 0x6A, 0x25, 0x7E,
0x26, 0x32, 0x27, 0x3E, 0x62, 0xCA, 0x61, 0x62, 0x3D, 0x34,
0x3F, 0x62, 0xC9, 0x88, 0x8F, 0x23, 0x35, 0x32, 0x33, 0x3A,
0x39, 0x29, 0x62, 0xC2, 0x09, 0x06, 0x16, 0x31, 0x30, 0x2C,
0x27, 0x6A, 0x63, 0x32, 0x67, 0x3A, 0x3E, 0x2A, 0x38, 0x38,
0x3D, 0x62, 0xAC, 0xBF, 0xB6, 0x16, 0x31, 0x25, 0x26, 0x23,
0x35, 0x18, 0x20, 0x2E, 0x62, 0xDB, 0xEF, 0xEA, 0x61, 0x3F,
0x22, 0x3E, 0x31, 0x62, 0x8C, 0xB8, 0xB0, 0x1B, 0x45, 0x44,
0x58, 0x5B, 0x16, 0x64, 0x37, 0x62, 0xA3, 0xDB, 0xCB, 0x1C,
0x44, 0x47, 0x59, 0x54, 0x17, 0x1C, 0x34, 0x6D, 0x20, 0x29,
0x21, 0x2A, 0x2E, 0x26, 0x2C, 0x62, 0x99, 0x28, 0x25, 0x1B,
0x45, 0x44, 0x58, 0x5B, 0x16, 0x32, 0x27, 0x2F, 0x22, 0x6A,
0x20, 0x23, 0x62, 0x81, 0x36, 0x26, 0x66, 0x3A, 0x39, 0x23,
0x2E, 0x61, 0x3C, 0x35, 0x3D, 0x34, 0x7C, 0x32, 0x31, 0x79,
0x72, 0x2B, 0x62, 0xA9, 0xDA, 0xCA, 0x1D, 0x43, 0x46, 0x5A,
0x55, 0x18, 0x1D, 0x4C, 0x6E, 0x36, 0x22, 0x37, 0x2E, 0x69,
0x62, 0x3D, 0x62, 0xF4, 0x43, 0x4B, 0x79, 0x24, 0x21, 0x2A,
0x2E, 0x55, 0x5C, 0x1D, 0x62, 0x93, 0x84, 0x8C, 0x60, 0x26,
0x34, 0x3C, 0x37, 0x3B, 0x27, 0x79, 0x62, 0xE3, 0x31, 0x34,
0x6B, 0x21, 0x23, 0x31, 0x67, 0x62, 0xC0, 0xD3, 0xDD, 0x35,
0x38, 0x35, 0x77, 0x2E, 0x55, 0x5F, 0x51, 0x56, 0x5A, 0x41,
0x18, 0x5A, 0x55, 0x62, 0x9F, 0xB9, 0xAD, 0x56, 0x59, 0x5A,
0x16, 0x4D, 0x24, 0x2C, 0x20, 0x21, 0x2B, 0x32, 0x69, 0x25,
0x26, 0x28, 0x22, 0x20, 0x28, 0x3F, 0x3E, 0x62, 0x88, 0xCE,
0xC4, 0x32, 0x3D, 0x3E, 0x7A, 0x32, 0x39, 0x38, 0x3F, 0x35,
0x3F, 0x62, 0xB2, 0xE2, 0xF7, 0x22, 0x2D, 0x2E, 0x6A, 0x31,
0x23, 0x29, 0x2B, 0x2C, 0x24, 0x3F, 0x62, 0x2A, 0x2F, 0x22,
0x35, 0x22, 0x26, 0x3A, 0x37, 0x3E, 0x62, 0xD4, 0x45, 0x41,
0x76, 0x38, 0x2A, 0x5B, 0x62, 0xC0, 0x1E, 0x1B, 0x7B, 0x37,
0x27, 0x33, 0x19, 0x62, 0xBE, 0xE1, 0xEC, 0x16, 0x25, 0x23,
0x37, 0x25, 0x6A, 0x22, 0x26, 0x3C, 0x28, 0x65, 0x6E, 0x3F,
0x62, 0xB3, 0x8D, 0xAF, 0x77, 0x3D, 0x3B, 0x44, 0x50, 0x1D,
0x57, 0x55, 0x41, 0x57, 0x18, 0x1D, 0x4A, 0x6E, 0x24, 0x2A,
0x28, 0x20, 0x35, 0x68, 0x3E, 0x20, 0x38, 0x2A, 0x3C, 0x7F,
0x60, 0x3B, 0x23, 0x22, 0x7C, 0x37, 0x35, 0x21, 0x62, 0xA3,
0x0F, 0x02, 0x2A, 0x2E, 0x2A, 0x2A, 0x38, 0x2A, 0x2F, 0x26,
0x23, 0x2A, 0x7E, 0x22, 0x3D, 0x62, 0x88, 0x93, 0x9A, 0x1C,
0x44, 0x47, 0x59, 0x53, 0x4D, 0x5A, 0x35, 0x6D, 0x62, 0xA5,
0x7B, 0x77, 0x35, 0x22, 0x2B, 0x16, 0x78, 0x7B, 0x7E, 0x7D,
0x60, 0x2B, 0x31, 0x25, 0x62, 0x8A, 0x89, 0x99, 0x7B, 0x25,
0x24, 0x38, 0x3B, 0x76, 0x7F, 0x45, 0x1E, 0x51, 0x5E, 0x50,
0x59, 0x5F, 0x59, 0x5D, 0x62, 0x89, 0x78, 0x75, 0x6C, 0x34,
0x37, 0x29, 0x24, 0x67, 0x27, 0x2F, 0x3F, 0x63, 0x39, 0x2D,
0x3F, 0x62, 0x85, 0x34, 0x3A, 0x68, 0x38, 0x3B, 0x25, 0x28,
0x63, 0x23, 0x2B, 0x3B, 0x7F, 0x25, 0x31, 0x23, 0x62, 0x62,
0xE3, 0x37, 0x6D, 0x6F, 0x7F, 0x28, 0x77, 0x6E, 0x6A, 0x60,
0x69, 0x0A, 0x69, 0x71, 0x65, 0x62, 0x0F, 0x78, 0x7C, 0x6A,
0x08, 0x69, 0x08, 0x16, 0x04, 0x01, 0x6E, 0x17, 0x1D, 0x09,
0x73, 0x1A, 0x63, 0x61, 0x75, 0x7E, 0x1F, 0x72, 0x6C, 0x7A,
0x73, 0x14, 0x6D, 0x6B, 0x7F, 0x62, 0x09, 0x68, 0x76, 0x64,
0x6D, 0x3A, 0x0F, 0x78, 0x7C, 0x6A, 0x08, 0x69, 0x12, 0x16,
0x01, 0x40, 0x16, 0x12, 0x00, 0x5D, 0x61, 0x67, 0x2F, 0x31,
0x65, 0x63, 0x23, 0x68, 0x6C, 0x3A, 0x6B, 0x69, 0x21, 0x3B,
0x6F, 0x75, 0x3D, 0x27, 0x73, 0x71, 0x20, 0x76, 0x72, 0x2D,
0x79, 0x7F, 0x54, 0x62, 0xC3, 0x83, 0xF1, 0x6B, 0x7B, 0x34,
0x6B, 0x72, 0x76, 0x64, 0x6D, 0x0E, 0x72, 0x68, 0x61, 0x02,
0x15, 0x01, 0x0A, 0x6B, 0x11, 0x05, 0x0E, 0x6F, 0x02, 0x1C,
0x71, 0x76, 0x1B, 0x64, 0x60, 0x76, 0x7F, 0x10, 0x6C, 0x7A,
0x73, 0x14, 0x68, 0x7E, 0x77, 0x08, 0x74, 0x62, 0x6B, 0x0C,
0x6F, 0x73, 0x67, 0x6C, 0x01, 0x7A, 0x15, 0x01, 0x00, 0x6B,
0x14, 0x10, 0x06, 0x0F, 0x60, 0x03, 0x64, 0x72, 0x7B, 0x1C,
0x65, 0x63, 0x77, 0x7A, 0x11, 0x70, 0x6E, 0x7C, 0x75, 0x22,
0x17, 0x70, 0x74, 0x62, 0x6B, 0x0C, 0x75, 0x73, 0x62, 0x2D,
0x79, 0x7F, 0x08, 0x55, 0x12, 0x16, 0x58, 0x40, 0x16, 0x12,
0x5C, 0x19, 0x64, 0x32, 0x63, 0x61, 0x29, 0x33, 0x67, 0x6D,
0x25, 0x3F, 0x6B, 0x69, 0x38, 0x6E, 0x6A, 0x25, 0x71, 0x77,
0x37, 0x62, 0xB2, 0x0B, 0x05, 0x05, 0x22, 0x29, 0x20, 0x16,
0x35, 0x27, 0x3D, 0x2F, 0x28, 0x38, 0x22, 0x3C, 0x7C, 0x62,
0xB5, 0x3B, 0x32, 0x2A, 0x2A, 0x32, 0x24, 0x35, 0x34, 0x31,
0x27, 0x32, 0x62, 0xCC, 0xA0, 0xA9, 0x76, 0x7A, 0x7E, 0x64,
0x7B, 0x62, 0x7D, 0x60, 0x7E, 0x62, 0x93, 0x54, 0x52, 0x2A,
0x20, 0x24, 0x7C, 0x62, 0x2C, 0x62, 0xE3, 0x3E, 0x29, 0x7E,
0x22, 0x21, 0x3B, 0x36, 0x79, 0x72, 0x3C, 0x76, 0x2E, 0x51,
0x42, 0x59, 0x1C, 0x11, 0x51, 0x19, 0x44, 0x4C, 0x58, 0x35,
0x37, 0x30, 0x62, 0x8D, 0x2D, 0x20, 0x16, 0x31, 0x30, 0x2C,
0x27, 0x6A, 0x63, 0x23, 0x67, 0x3A, 0x3E, 0x2A, 0x38, 0x62,
0xB8, 0x54, 0x41, 0x6C, 0x34, 0x37, 0x29, 0x24, 0x67, 0x6C,
0x2E, 0x64, 0x38, 0x2C, 0x3D, 0x24, 0x7F, 0x74, 0x36, 0x7C,
0x27, 0x21, 0x37, 0x23, 0x62, 0x82, 0x09, 0x07, 0x16, 0x31,
0x30, 0x2C, 0x27, 0x6A, 0x63, 0x23, 0x67, 0x3E, 0x29, 0x23,
0x2D, 0x23, 0x62, 0x94, 0xE0, 0xF6, 0x17, 0x49, 0x33, 0x2D,
0x20, 0x6B, 0x60, 0x22, 0x68, 0x3C, 0x28, 0x39, 0x20, 0x63,
0x68, 0x2A, 0x60, 0x27, 0x32, 0x3A, 0x32, 0x3A, 0x62, 0xB5,
0xC6, 0xCD, 0x39, 0x3E, 0x39, 0x2D, 0x2E, 0x2B, 0x10, 0x23,
0x25, 0x3D, 0x23, 0x62, 0xE1, 0xE7, 0xE2, 0x74, 0x74, 0x71,
0x7D, 0x7C, 0x62, 0x8F, 0x1C, 0x11, 0x7C, 0x24, 0x27, 0x39,
0x34, 0x77, 0x7C, 0x3E, 0x1F, 0x52, 0x5D, 0x5E, 0x59, 0x62,
0xAF, 0x65, 0x70, 0x7B, 0x25, 0x24, 0x38, 0x3B, 0x76, 0x7F,
0x54, 0x1E, 0x46, 0x52, 0x47, 0x5E, 0x19, 0x12, 0x5C, 0x16,
0x22, 0x2D, 0x2E, 0x29, 0x62, 0x81, 0x1C, 0x12, 0x19, 0x10,
0x02, 0x06, 0x77, 0x0C, 0x2B, 0x3B, 0x5E, 0x42, 0x42, 0x5C,
0x46, 0x41, 0x62, 0x9C, 0xE5, 0xEA, 0x0E, 0x01, 0x11, 0x17,
0x68, 0x0C, 0x3C, 0x2E, 0x22, 0x39, 0x6E, 0x07, 0x35, 0x3D,
0x22, 0x62, 0xD8, 0xD7, 0xD8, 0x10, 0x74, 0x66, 0x62, 0x13,
0x77, 0x5A, 0x5B, 0x5A, 0x59, 0x57, 0x25, 0x62, 0x11, 0x21,
0x62, 0xD9, 0x9E, 0x94, 0x29, 0x2F, 0x25, 0x22, 0x2D, 0x3D,
0x3B, 0x62, 0x3E, 0x21, 0x62, 0xA8, 0x2D, 0x26, 0x16, 0x25,
0x27, 0x35, 0x6B, 0x37, 0x27, 0x29, 0x2C, 0x26, 0x27, 0x62,
0xA1, 0xDF, 0xD7, 0x51, 0x4A, 0x50, 0x25, 0x23, 0x79, 0x61,
0x21, 0x62, 0x8B, 0x25, 0x2D, 0x63, 0x77, 0x79, 0x71, 0x76,
0x62, 0x72, 0x7C, 0x62, 0xF9, 0xC3, 0xD3, 0x20, 0x35, 0x21,
0x2D, 0x2B, 0x14, 0x2D, 0x2A, 0x2B, 0x21, 0x24, 0x0E, 0x3F,
0x32, 0x3D, 0x3B, 0x62, 0xF5, 0x17, 0x11, 0x61, 0x2E, 0x20,
0x34, 0x2A, 0x7C, 0x62, 0xF2, 0x2F, 0x2A, 0x24, 0x31, 0x2D,
0x21, 0x27, 0x62, 0xC1, 0xE8, 0xED, 0x75, 0x7F, 0x79, 0x7E,
0x79, 0x62, 0x8B, 0x75, 0x70, 0x0B, 0x76, 0x72, 0x77, 0x77,
0x62, 0xF0, 0x7D, 0x79, 0x09, 0x1C, 0x1E, 0x03, 0x62, 0xF7,
0xBB, 0xA9, 0x5B, 0x51, 0x5B, 0x27, 0x30, 0x2A, 0x20, 0x24,
0x6B, 0x20, 0x29, 0x2D, 0x2D, 0x2E, 0x38, 0x63, 0x3D, 0x20,
0x62, 0x9D, 0x99, 0x88, 0x5F, 0x33, 0x2B, 0x27, 0x25, 0x68,
0x27, 0x20, 0x2D, 0x27, 0x3E, 0x66, 0x7F, 0x7F, 0x60, 0x3C,
0x3F, 0x62, 0xE4, 0x43, 0x52, 0x30, 0x25, 0x31, 0x3D, 0x3B,
0x1D, 0x50, 0x55, 0x56, 0x5A, 0x41, 0x1B, 0x01, 0x0C, 0x17,
0x32, 0x2D, 0x62, 0x96, 0x95, 0xB2, 0x1A, 0x52, 0x56, 0x4C,
0x58, 0x6E, 0x2E, 0x2C, 0x27, 0x24, 0x2A, 0x68, 0x3C, 0x24,
0x3A, 0x64, 0x7D, 0x7F, 0x3C, 0x2A, 0x7E, 0x62, 0x66, 0x35,
0x26, 0x3C, 0x32, 0x36, 0x76, 0x6C, 0x6C, 0x43, 0x54, 0x40,
0x45, 0x51, 0x47, 0x01, 0x0F, 0x62, 0xA7, 0x1E, 0x01, 0x7A,
0x32, 0x36, 0x2C, 0x38, 0x75, 0x5C, 0x5E, 0x51, 0x52, 0x58,
0x1A, 0x42, 0x5A, 0x48, 0x16, 0x33, 0x27, 0x6D, 0x22, 0x37,
0x2F, 0x23, 0x29, 0x67, 0x39, 0x2E, 0x3E, 0x3B, 0x2B, 0x3D,
0x62, 0xCF, 0xBC, 0xB2, 0x7F, 0x58, 0x2C, 0x27, 0x13, 0x36,
0x2A, 0x32, 0x22, 0x2B, 0x3D, 0x25, 0x39, 0x7A, 0x62, 0xBC,
0xCE, 0xDF, 0x25, 0x21, 0x20, 0x0B, 0x3D, 0x34, 0x3C, 0x07,
0x3A, 0x3B, 0x53, 0x59, 0x57, 0x1D, 0x50, 0x54, 0x42, 0x62,
0xE5, 0x5F, 0x4F, 0x03, 0x1C, 0x1C, 0x3E, 0x33, 0x37, 0x11,
0x2D, 0x22, 0x32, 0x36, 0x2A, 0x33, 0x5F, 0x5F, 0x41, 0x62,
0x84, 0x51, 0x5D, 0x74, 0x12, 0x04, 0x2A, 0x2A, 0x21, 0x15,
0x3E, 0x25, 0x2B, 0x25, 0x27, 0x62, 0x9B, 0xA9, 0xB9, 0x1D,
0x02, 0x15, 0x36, 0x20, 0x1C, 0x3B, 0x36, 0x3F, 0x3C, 0x18,
0x49, 0x7F, 0x53, 0x5E, 0x51, 0x62, 0x83, 0xCE, 0xC1, 0x1C,
0x01, 0x10, 0x38, 0x3A, 0x25, 0x32, 0x1E, 0x2C, 0x34, 0x53,
0x45, 0x5B, 0x5C, 0x5A, 0x62, 0xAA, 0x11, 0x1F, 0x05, 0x1A,
0x02, 0x24, 0x23, 0x26, 0x08, 0x3A, 0x3E, 0x32, 0x26, 0x3A,
0x3B, 0x3B, 0x62, 0xE1, 0x57, 0x4E, 0x0B, 0x14, 0x0C, 0x2C,
0x29, 0x24, 0x28, 0x28, 0x07, 0x21, 0x34, 0x38, 0x20, 0x36,
0x37, 0x21, 0x04, 0x32, 0x3E, 0x3C, 0x28, 0x55, 0x5F, 0x51,
0x56, 0x62, 0xF6, 0x6D, 0x7E, 0x7C, 0x61, 0x79, 0x55, 0x43,
0x57, 0x7F, 0x57, 0x56, 0x2A, 0x01, 0x2F, 0x25, 0x36, 0x35,
0x0B, 0x27, 0x28, 0x2E, 0x62, 0xAC, 0x30, 0x20, 0x0E, 0x17,
0x0F, 0x27, 0x31, 0x29, 0x01, 0x25, 0x24, 0x27, 0x0F, 0x3C,
0x26, 0x34, 0x36, 0x37, 0x62, 0xD1, 0x8B, 0x9B, 0x1B, 0x04,
0x12, 0x38, 0x2C, 0x51, 0x79, 0x5D, 0x5C, 0x5F, 0x78, 0x53,
0x43, 0x50, 0x56, 0x25, 0x62, 0xDB, 0xEF, 0xFA, 0x03, 0x1C,
0x1A, 0x30, 0x24, 0x32, 0x17, 0x27, 0x33, 0x36, 0x2C, 0x3C,
0x15, 0x52, 0x5B, 0x57, 0x50, 0x44, 0x7A, 0x57, 0x4A, 0x62,
0xC1, 0x8E, 0x98, 0x14, 0x09, 0x7A, 0x50, 0x44, 0x52, 0x66,
0x50, 0x5A, 0x52, 0x59, 0x4A, 0x24, 0x0D, 0x21, 0x2E, 0x20,
0x25, 0x33, 0x03, 0x2C, 0x33, 0x62, 0xFF, 0xA9, 0xBB, 0x1D,
0x02, 0x18, 0x32, 0x22, 0x34, 0x11, 0x32, 0x2C, 0x16, 0x38,
0x5A, 0x54, 0x51, 0x47, 0x7F, 0x50, 0x4F, 0x62, 0x85, 0xFF,
0xED, 0x7E, 0x63, 0x7B, 0x53, 0x45, 0x55, 0x66, 0x53, 0x43,
0x77, 0x5B, 0x2B, 0x27, 0x20, 0x30, 0x0E, 0x23, 0x3E, 0x62,
0x8F, 0x46, 0x50, 0x14, 0x09, 0x7A, 0x50, 0x44, 0x52, 0x76,
0x59, 0x53, 0x44, 0x4B, 0x7A, 0x2D, 0x23, 0x30, 0x37, 0x09,
0x29, 0x26, 0x2C, 0x2C, 0x38, 0x62, 0xE0, 0x80, 0x8F, 0x27,
0x25, 0x2F, 0x3D, 0x3A, 0x32, 0x22, 0x26, 0x21, 0x35, 0x21,
0x33, 0x79, 0x2B, 0x36, 0x62, 0x81, 0x70, 0x63, 0x58, 0x5C,
0x54, 0x44, 0x4D, 0x5B, 0x32, 0x36, 0x31, 0x25, 0x31, 0x23,
0x6A, 0x2C, 0x3F, 0x27, 0x65, 0x3F, 0x22, 0x62, 0xD9, 0x9B,
0x8E, 0x2E, 0x2A, 0x26, 0x04, 0x28, 0x23, 0x3A, 0x26, 0x23,
0x2F, 0x0F, 0x34, 0x2A, 0x26, 0x31, 0x7F, 0x31, 0x2A, 0x7A,
0x26, 0x39, 0x62, 0xC5, 0x4C, 0x45, 0x47, 0x40, 0x54, 0x44,
0x4C, 0x4B, 0x20, 0x36, 0x26, 0x62, 0xDF, 0x80, 0x9A, 0x2A,
0x22, 0x29, 0x3C, 0x20, 0x39, 0x35, 0x7D, 0x32, 0x24, 0x25,
0x79, 0x16, 0x3B, 0x2D, 0x33, 0x46, 0x58, 0x46, 0x4A, 0x60,
0x5D, 0x44, 0x52, 0x59, 0x5D, 0x62, 0xF7, 0x43, 0x56, 0x35,
0x22, 0x2A, 0x2B, 0x3F, 0x5E, 0x45, 0x73, 0x50, 0x40, 0x5C,
0x40, 0x5E, 0x4C, 0x40, 0x15, 0x2A, 0x31, 0x21, 0x24, 0x22,
0x62, 0xC9, 0xB5, 0xAB, 0x19, 0x1B, 0x7F, 0x55, 0x5B, 0x52,
0x45, 0x57, 0x50, 0x25, 0x6D, 0x22, 0x34, 0x35, 0x69, 0x06,
0x2B, 0x3D, 0x23, 0x3D, 0x25, 0x39, 0x37, 0x1B, 0x38, 0x23,
0x37, 0x32, 0x30, 0x6E, 0x62, 0xE0, 0xC3, 0xCD, 0x21, 0x22,
0x3C, 0x08, 0x3A, 0x3B, 0x20, 0x24, 0x2D, 0x2E, 0x24, 0x38,
0x3D, 0x3D, 0x62, 0xD2, 0xA8, 0xB3, 0x67, 0x79, 0x1D, 0x33,
0x3D, 0x30, 0x27, 0x39, 0x3E, 0x3C, 0x76, 0x3B, 0x40, 0x41,
0x1D, 0x72, 0x44, 0x45, 0x5A, 0x5E, 0x5B, 0x58, 0x35, 0x2B,
0x2C, 0x2A, 0x7E, 0x62, 0x9D, 0x44, 0x53, 0x36, 0x36, 0x3D,
0x28, 0x5F, 0x58, 0x56, 0x1C, 0x57, 0x5A, 0x58, 0x43, 0x5D,
0x57, 0x35, 0x6D, 0x00, 0x2B, 0x2B, 0x32, 0x22, 0x30, 0x3D,
0x62, 0xFE, 0x5E, 0x4C, 0x2A, 0x2B, 0x3B, 0x13, 0x3E, 0x3C,
0x27, 0x31, 0x3B, 0x22, 0x05, 0x3D, 0x2A, 0x35, 0x5C, 0x47,
0x57, 0x41, 0x62, 0xF1, 0x90, 0xB3, 0x18, 0x18, 0x7E, 0x52,
0x5A, 0x51, 0x44, 0x58, 0x51, 0x5D, 0x6E, 0x21, 0x2C, 0x2A,
0x31, 0x23, 0x29, 0x3C, 0x66, 0x09, 0x24, 0x22, 0x39, 0x2B,
0x21, 0x24, 0x03, 0x37, 0x20, 0x3B, 0x39, 0x20, 0x32, 0x2A,
0x62, 0x62, 0xB4, 0x25, 0x05, 0x50, 0x5C, 0x57, 0x46, 0x5A,
0x5F, 0x53, 0x17, 0x49, 0x33, 0x2D, 0x35, 0x2D, 0x21, 0x23,
0x35, 0x67, 0x1A, 0x2F, 0x3F, 0x38, 0x24, 0x20, 0x28, 0x23,
0x75, 0x01, 0x36, 0x37, 0x20, 0x24, 0x32, 0x62, 0xC2, 0x82,
0x89, 0x0C, 0x0A, 0x0D, 0x0F, 0x14, 0x1C, 0x12, 0x16, 0x19,
0x13, 0x13, 0x62, 0xEE, 0x0C, 0x1E, 0x0F, 0x2E, 0x24, 0x30,
0x26, 0x67, 0x25, 0x2B, 0x25, 0x2B, 0x62, 0x1D, 0x3B, 0x22,
0x38, 0x3C, 0x34, 0x6F, 0x62, 0xB2, 0xED, 0xEB, 0x2B, 0x28,
0x3A, 0x06, 0x3E, 0x25, 0x62, 0xDB, 0x17, 0x20, 0x66, 0x03,
0x31, 0x3F, 0x36, 0x21, 0x3B, 0x3C, 0x32, 0x78, 0x3B, 0x36,
0x34, 0x44, 0x54, 0x5C, 0x47, 0x1B, 0x76, 0x59, 0x59, 0x4C,
0x5C, 0x2F, 0x36, 0x11, 0x21, 0x36, 0x29, 0x2B, 0x3E, 0x2C,
0x38, 0x70, 0x00, 0x27, 0x2F, 0x39, 0x31, 0x7E, 0x3E, 0x32,
0x3A, 0x32, 0x79, 0x04, 0x2C, 0x2B, 0x33, 0x5E, 0x56, 0x09,
0x7A, 0x1D, 0x7C, 0x62, 0xEF, 0x84, 0x98, 0x2E, 0x3E, 0x35,
0x20, 0x3C, 0x3D, 0x31, 0x79, 0x34, 0x37, 0x37, 0x2E, 0x55,
0x5F, 0x46, 0x1C, 0x7D, 0x5B, 0x42, 0x52, 0x56, 0x4D, 0x07,
0x2B, 0x2F, 0x30, 0x20, 0x34, 0x62, 0xF3, 0x70, 0x79, 0x55,
0x51, 0x52, 0x76, 0x5B, 0x4D, 0x28, 0x2D, 0x2D, 0x62, 0xE1,
0x02, 0x17, 0x1A, 0x7F, 0x5E, 0x54, 0x40, 0x56, 0x17, 0x55,
0x20, 0x2C, 0x24, 0x6B, 0x16, 0x32, 0x35, 0x21, 0x27, 0x2D,
0x70, 0x65, 0x1B, 0x62, 0xB3, 0x59, 0x7C, 0x29, 0x27, 0x2E,
0x39, 0x23, 0x24, 0x2A, 0x61, 0x38, 0x30, 0x20, 0x37, 0x23,
0x34, 0x24, 0x32, 0x76, 0x2C, 0x29, 0x52, 0x1F, 0x53, 0x50,
0x40, 0x5C, 0x59, 0x59, 0x16, 0x6C, 0x12, 0x00, 0x1C, 0x17,
0x11, 0x07, 0x13, 0x0D, 0x62, 0xFE, 0xDA, 0xCA, 0x40, 0x56,
0x53, 0x5C, 0x45, 0x43, 0x5D, 0x4B, 0x13, 0x27, 0x20, 0x21,
0x2C, 0x30, 0x22, 0x3A, 0x62, 0xC7, 0x9D, 0xC6, 0x6C, 0x09,
0x27, 0x29, 0x2C, 0x3B, 0x25, 0x22, 0x28, 0x62, 0x2D, 0x20,
0x3E, 0x25, 0x37, 0x3D, 0x20, 0x7A, 0x14, 0x25, 0x37, 0x38,
0x3E, 0x53, 0x50, 0x41, 0x47, 0x66, 0x50, 0x55, 0x52, 0x51,
0x4F, 0x24, 0x30, 0x78, 0x08, 0x24, 0x28, 0x23, 0x3A, 0x26,
0x23, 0x2F, 0x63, 0x2E, 0x21, 0x21, 0x24, 0x34, 0x3C, 0x27,
0x7B, 0x1C, 0x38, 0x23, 0x3D, 0x37, 0x2E, 0x76, 0x58, 0x5E,
0x47, 0x51, 0x47, 0x0D, 0x1E, 0x74, 0x58, 0x2F, 0x26, 0x31,
0x2B, 0x2C, 0x22, 0x68, 0x2B, 0x26, 0x24, 0x3F, 0x29, 0x23,
0x3A, 0x60, 0x19, 0x3F, 0x26, 0x36, 0x3A, 0x21, 0x6D, 0x62,
0x8A, 0x5B, 0x4D, 0x2B, 0x25, 0x28, 0x3F, 0x21, 0x26, 0x34,
0x7E, 0x31, 0x3C, 0x3A, 0x21, 0x33, 0x39, 0x2C, 0x76, 0x13,
0x5E, 0x45, 0x57, 0x5D, 0x40, 0x62, 0xAF, 0x2E, 0x27, 0x26,
0x27, 0x37, 0x01, 0x3D, 0x32, 0x35, 0x29, 0x3A, 0x62, 0xE1,
0x5A, 0x4F, 0x61, 0x63, 0x07, 0x2D, 0x23, 0x2A, 0x3D, 0x3F,
0x38, 0x36, 0x7C, 0x3B, 0x26, 0x79, 0x15, 0x2D, 0x37, 0x3E,
0x5C, 0x54, 0x09, 0x62, 0xFA, 0x7F, 0x6E, 0x2B, 0x25, 0x28,
0x3F, 0x21, 0x26, 0x34, 0x7E, 0x3D, 0x20, 0x7B, 0x17, 0x23,
0x39, 0x3C, 0x35, 0x3F, 0x62, 0xF6, 0x44, 0x4E, 0x30, 0x3D,
0x2D, 0x18, 0x5F, 0x5E, 0x5E, 0x56, 0x55, 0x5B, 0x62, 0xC0,
0xBF, 0xA9, 0x6A, 0x0F, 0x2E, 0x24, 0x30, 0x26, 0x67, 0x25,
0x2B, 0x25, 0x2B, 0x62, 0x1D, 0x3B, 0x22, 0x38, 0x3C, 0x34,
0x6F, 0x0F, 0x7F, 0x0D, 0x62, 0xA5, 0x06, 0x0F, 0x55, 0x58,
0x56, 0x57, 0x24, 0x21, 0x37, 0x21, 0x21, 0x62, 0xC1, 0x93,
0x95, 0x0F, 0x5D, 0x5B, 0x5F, 0x43, 0x06, 0x62, 0xEC, 0x1E,
0x1D, 0x7D, 0x7F, 0x01, 0x62, 0xFC, 0x39, 0x3A, 0x62, 0x3E,
0x21, 0x62, 0x82, 0x87, 0x8F, 0x7D, 0x31, 0x3D, 0x3A, 0x38,
0x3E, 0x3B, 0x76, 0x62, 0xFF, 0x4F, 0x47, 0x18, 0x4B, 0x40,
0x32, 0x36, 0x26, 0x29, 0x6A, 0x62, 0x8D, 0x1F, 0x05, 0x35,
0x38, 0x35, 0x76, 0x2E, 0x55, 0x42, 0x46, 0x1C, 0x40, 0x52,
0x45, 0x43, 0x5B, 0x66, 0x73, 0x72, 0x71, 0x74, 0x6A, 0x08,
0x26, 0x3C, 0x20, 0x3C, 0x2E, 0x62, 0xB5, 0x96, 0xB1, 0x1E,
0x7B, 0x52, 0x58, 0x37, 0x23, 0x6C, 0x28, 0x24, 0x28, 0x20,
0x67, 0x1A, 0x3E, 0x39, 0x25, 0x23, 0x29, 0x74, 0x1C, 0x3B,
0x33, 0x25, 0x35, 0x7A, 0x3A, 0x36, 0x36, 0x3E, 0x75, 0x63,
0x45, 0x40, 0x5A, 0x5A, 0x52, 0x0D, 0x1E, 0x71, 0x62, 0x94,
0x0B, 0x04, 0x6D, 0x30, 0x20, 0x26, 0x27, 0x35, 0x2C, 0x66,
0x79, 0x7D, 0x7C, 0x62, 0x7F, 0x7D, 0x63, 0x62, 0x87, 0xDE,
0xC1, 0x19, 0x53, 0x59, 0x4D, 0x20, 0x6D, 0x2F, 0x2B, 0x26,
0x27, 0x2B, 0x67, 0x3D, 0x27, 0x3B, 0x63, 0x7E, 0x7C, 0x7B,
0x69, 0x66, 0x60, 0x60, 0x6D, 0x62, 0x62, 0x65, 0x61, 0x6A,
0x6D, 0x04, 0x62, 0xFB, 0x39, 0x33, 0x3F, 0x38, 0x6E, 0x62,
0x33, 0x71, 0x75, 0x76, 0x27, 0x72, 0x62, 0xE0, 0x76, 0x62,
0x32, 0x37, 0x63, 0x69, 0x26, 0x66, 0x60, 0x2B, 0x21, 0x27,
0x24, 0x28, 0x6D, 0x79, 0x78, 0x67, 0x71, 0x77, 0x20, 0x73,
0x62, 0xAF, 0xE3, 0xEA, 0x67, 0x30, 0x6B, 0x36, 0x23, 0x24,
0x3A, 0x2C, 0x3E, 0x62, 0xDA, 0x00, 0x00, 0x00
]

import string

decrypt_string_list = [0] * 2905

# keystream alphabet: '0'..'9' followed by 'A'..'Z' (36 symbols)
charset = string.digits + string.ascii_uppercase

print("idx\t(len): string")

def decrypt(idx):
    # Each entry starts with two header bytes: their XOR is the string length,
    # and the first byte mod 36 selects the starting offset into charset.
    v4 = encrypted_string[idx] ^ encrypted_string[idx+1]
    v23 = encrypted_string[idx] % 36

    decrypt_string_list[idx] = 1
    decrypt_string_list[idx+1] = v4
    idx += 2
    # Byte i of the string is XORed with charset[(offset + i) % 36].
    for i in range(v4):
        decrypt_string_list[idx+i] = encrypted_string[idx+i] ^ ord(charset[(v23+i) % 36])
        # print("[%d] = %d ^ %d" % (idx+i, encrypted_string[idx+i], ord(charset[(v23+i) % 36])))
    print("%d\t(%d): %s" % (idx-2, v4, "".join(chr(i) for i in decrypt_string_list[idx:idx+v4])))
    # Entries are packed back to back with two trailing bytes; return the next index.
    return idx+v4+2

_ = 0
while _ <= 2904:
    _ = decrypt(_)

All the decrypted strings:

idx    (len): string
0 (1): r
5 (2): rb
11 (3): cmd
18 (39): (ILjava/lang/String;)Ljava/lang/String;
61 (10): inputCheck
75 (21): (Ljava/lang/String;)Z
100 (6): verify
110 (40): (Ljava/lang/String;Ljava/lang/String;I)Z
154 (9): apk_name:
167 (9): apk_path:
180 (10): files_dir:
194 (9): /flag.jpg
207 (34): com/tencent/sec2019+gveog\x1a\x10T3epmzi
245 (15): /prog+wa`jX\x18\x1a\rw
264 (31): %zx-%zx %c%c%c%c %x %x:%x %u %s
299 (6): delete
309 (13): /proc/%u/task
326 (3): mem
333 (7): pagemap
344 (15): /proc/%u/status
363 (9): TracerPid
376 (5): /proc
385 (8): /proc/%u
397 (16): /proc/%u/cmdline
417 (13): /proc/self/fd
434 (16): /proc/self/fd/%s
454 (16): /proc/%u/task/%u
474 (8): /system/
486 (8): /vendor/
498 (5): /dev/
507 (14): com.tencent.mm
525 (20): com.tencent.mobileqq
549 (10): com.google
563 (21): com.tencent.gamestick
588 (4): .apk
596 (5): .apk@
605 (13): /data/data/%s
622 (34): /data/data/%s/files/virap2.tss.dat
660 (13): libcrackme.so
677 (9): /product/
690 (12): sec_2020.dat
706 (16): /proc/%u/cmdline
726 (13): /proc/net/tcp
743 (14): /proc/net/tcp6
761 (90): %4d: %08X:%04X %08X:%04X %02X %08X:%08X %02X:%08lX %08X %5u %8d %lu %d %p %lu %lu %u %u %d
855 (114): %4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X %02X %08X:%08X %02X:%08lX %08X %5u %8d %lu %d %p %lu %lu %u %u %d
973 (14): GameProtector3
991 (9): debuggerd
1004 (9): 127.0.0.1
1017 (6): ida:%d
1027 (23): /proc/%d/task/%d/status
1054 (13): /proc/%d/stat
1071 (21): /proc/%d/task/%d/stat
1096 (14): /proc/%d/wchan
1114 (22): /proc/%d/task/%d/wchan
1140 (11): ptrace_stop
1155 (5): 23946
1164 (13): /proc/%d/comm
1181 (21): /proc/%d/task/%d/comm
1206 (14): JDWP Transport
1224 (15): JDWP Event Help
1243 (15): JDWP Command Re
1262 (10): libjdwp.so
1276 (11): /dev/random
1291 (8): frida:%d
1303 (8): REJECTED
1315 (16): frida_agent_main
1335 (6): /apex/
1345 (5): frida
1354 (5): 27042
1363 (5): 27043
1372 (4): AUTH
1380 (18): libfrida-gadget.so
1402 (17): frida-agent-32.so
1423 (17): frida-agent-64.so
1444 (39): /data/local/tmp/12re.34frida.56server78
1487 (31): /data/local/tmp/re.frida.server
1522 (14): GameProtector6
1540 (17): tss_hbk_cache.dat
1561 (16): MSLoadExtensions
1581 (12): MSFindSymbol
1597 (16): MSGetImageByName
1617 (15): MSCloseFunction
1636 (14): MSHookFunction
1654 (25): MSDecodeIndirectReference
1683 (19): MSJavaHookClassLoad
1706 (16): MSJavaHookBridge
1726 (16): MSJavaHookMethod
1746 (21): MSJavaCreateObjecpOa}
1771 (22): MSJavaReleaseObjectKey
1797 (18): MSJavaGetObjectKey
1819 (18): MWNerm_4nagxGiu
1841 (22): MSJavaBlessClassLoader
1867 (15): libsubstrate.so
1886 (19): libsubstrate-dvm.so
1909 (21): libAndroidCydia.cy.so
1934 (9): substrate
1947 (26): android/app/ActivityThread
1977 (21): currentActivityThread
2002 (30): ()Landroid/app/ActivityThread;
2036 (14): getApplication
2054 (27): ()Landroid/app/Application;
2085 (23): android/content/Context
2112 (18): getContentResolver
2134 (35): ()Landroid/content/ContentResolver;
2173 (32): android/provider/Settings$Secure
2209 (11): ADB_ENABLED
2224 (18): Ljava/lang/String;
2246 (6): getInt
2256 (55): (Landroid/content/ContentResolver;Ljava/lang/String;I)I
2315 (28): android/content/IntentFilter
2347 (9): addAction
2360 (21): (Ljava/lang/String;)V
2385 (37): android.hardware.usb.action.USB_STATE
2426 (16): registerReceiver
2446 (91): (Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;
2541 (22): android/content/Intent
2567 (9): getExtras
2580 (21): ()Landroid/os/Bundle;
2605 (17): android/os/Bundle
2626 (10): getBoolean
2640 (22): (Ljava/lang/String;Z)Z
2666 (9): connected
2679 (6): <init>
2689 (3): ()V
2696 (3): .so
2703 (8): /bionic/
2715 (8): /system/
2727 (26): com/test/tgstc_2020/Native
2757 (39): (Ljava/lang/String;Ljava/lang/String;)I
2800 (15): /sdcard/360/123
2819 (31): /data/local/tmp/324972397429374
2854 (10): su -c '%s'
2868 (20): su -c 'chmod 777 %s'
2892 (9): %s/secret
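The decrypted table shows what the protector inspects: the two /proc/net/tcp(6) row format strings, the ports 23946 (IDA's default android_server port), 27042 and 27043 (frida-server), and TracerPid from /proc/%u/status. The following is an added example, not code from the writeup or from libcrackme.so, that parses those two proc formats the way such a check would, run over constructed sample lines; the watched-port set and the LISTEN-state filter are my assumptions about how the check interprets the rows.

```python
import re

# Ports named in the decrypted string table: "23946" is IDA's default
# android_server port, "27042"/"27043" are the frida-server ports.
WATCHED_PORTS = {23946: "ida", 27042: "frida", 27043: "frida"}
TCP_LISTEN = 0x0A  # value of the st column for a listening socket


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp or /proc/net/tcp6 text into (local_port, state) pairs.

    Data rows start with the socket slot ("   0:"); the header row ("sl ...")
    is skipped. local_address is "<hex ip>:<hex port>" and st is a hex state.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].endswith(":"):
            continue  # header or blank line
        local_port = int(parts[1].rsplit(":", 1)[1], 16)
        state = int(parts[3], 16)
        rows.append((local_port, state))
    return rows


def find_watched_listeners(text):
    """Return the watched ports that currently have a LISTEN socket, sorted."""
    hits = {port for port, state in parse_proc_net_tcp(text)
            if state == TCP_LISTEN and port in WATCHED_PORTS}
    return sorted(hits)


def tracer_pid(status_text):
    """Return the TracerPid value from /proc/<pid>/status text (0 = not traced)."""
    match = re.search(r"^TracerPid:\s*(\d+)", status_text, re.MULTILINE)
    return int(match.group(1)) if match else 0


# Constructed sample input (not captured from the challenge device): a local
# listener on 0x5D8A = 23946, an unrelated listener on 0x1F90 = 8080, and an
# established (state 01) connection on 0x69A2 = 27042 that is not a listener.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:5D8A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:69A2 0100007F:B2C4 01 00000000:00000000 00:00000000 00000000     0        0 20003 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/<pid>/status excerpt for a process traced by pid 4242.
SAMPLE_STATUS = "Name:\tt2\nState:\tt (tracing stop)\nTgid:\t4321\nPid:\t4321\nPPid:\t1\nTracerPid:\t4242\n"

if __name__ == "__main__":
    print("watched listeners:", find_watched_listeners(SAMPLE_TCP))  # [23946]
    print("TracerPid:", tracer_pid(SAMPLE_STATUS))                   # 4242
```

The port in each row is the hex field after the last colon of local_address, which is why the parser uses rsplit: IPv6 rows carry a 32-digit address in that field but the same port encoding. Only LISTEN rows count here, matching the "is a debug server listening" question; an anti-tamper check that also wanted to catch an already attached client would look at the established rows as well.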

Annotate the call sites in IDA with IDAPython:

import idautils
import idc
import idaapi
func_decrypt_string = 0xCEEF6928

# index into the encrypted table -> decrypted string (output of the script above)
d = {0: 'r', 1027: '/proc/%d/task/%d/status', 1540: 'tss_hbk_cache.dat', 5: 'rb', 2054: '()Landroid/app/Application;', 2567: 'getExtras', 11: 'cmd', 525: 'com.tencent.mobileqq', 18: '(ILjava/lang/String;)Ljava/lang/String;', 2819: '/data/local/tmp/324972397429374', 2580: '()Landroid/os/Bundle;', 1561: 'MSLoadExtensions', 1054: '/proc/%d/stat', 549: 'com.google', 1581: 'MSFindSymbol', 1071: '/proc/%d/task/%d/stat', 563: 'com.tencent.gamestick', 61: 'inputCheck', 2112: 'getContentResolver', 2626: 'getBoolean', 2315: 'android/content/IntentFilter', 1096: '/proc/%d/wchan', 75: '(Ljava/lang/String;)Z', 588: '.apk', 2640: '(Ljava/lang/String;Z)Z', 1617: 'MSCloseFunction', 596: '.apk@', 2134: '()Landroid/content/ContentResolver;', 1636: 'MSHookFunction', 1114: '/proc/%d/task/%d/wchan', 605: '/data/data/%s', 100: 'verify', 2666: 'connected', 622: '/data/data/%s/files/virap2.tss.dat', 1140: 'ptrace_stop', 1654: 'MSDecodeIndirectReference', 2679: '<init>', 2173: 'android/provider/Settings$Secure', 2689: '()V', 1155: '23946', 2696: '.so', 1164: '/proc/%d/comm', 194: '/flag.jpg', 2703: '/bionic/', 1683: 'MSJavaHookClassLoad', 660: 'libcrackme.so', 110: '(Ljava/lang/String;Ljava/lang/String;I)Z', 154: 'apk_name:', 2715: '/system/', 1181: '/proc/%d/task/%d/comm', 2209: 'ADB_ENABLED', 677: '/product/', 167: 'apk_path:', 1706: 'MSJavaHookBridge', 2224: 'Ljava/lang/String;', 690: 'sec_2020.dat', 180: 'files_dir:', 1206: 'JDWP Transport', 1726: 'MSJavaHookMethod', 706: '/proc/%u/cmdline', 2757: '(Ljava/lang/String;Ljava/lang/String;)I', 2246: 'getInt', 1224: 'JDWP Event Help', 207: 'com/tencent/sec2019+gveog\x1a\x10T3epmzi', 2256: '(Landroid/content/ContentResolver;Ljava/lang/String;I)I', 1746: 'MSJavaCreateObjecpOa}', 726: '/proc/net/tcp', 1243: 'JDWP Command Re', 2426: 'registerReceiver', 2085: 'android/content/Context', 743: '/proc/net/tcp6', 1771: 'MSJavaReleaseObjectKey', 1262: 'libjdwp.so', 2800: '/sdcard/360/123', 245: '/prog+wa`jX\x18\x1a\rw', 761: '%4d: %08X:%04X %08X:%04X %02X %08X:%08X %02X:%08lX %08X %5u %8d %lu %d %p %lu %lu %u %u %d', 1276: '/dev/random', 2347: 'addAction', 1797: 'MSJavaGetObjectKey', 264: '%zx-%zx %c%c%c%c %x %x:%x %u %s', 1291: 'frida:%d', 2605: 'android/os/Bundle', 1303: 'REJECTED', 1819: 'MWNerm_\x12\x014\x1fnagxGiu', 1315: 'frida_agent_main', 2854: "su -c '%s'", 299: 'delete', 1841: 'MSJavaBlessClassLoader', 2868: "su -c 'chmod 777 %s'", 309: '/proc/%u/task', 1335: '/apex/', 2360: '(Ljava/lang/String;)V', 1345: 'frida', 326: 'mem', 1354: '27042', 1867: 'libsubstrate.so', 2892: '%s/secret', 333: 'pagemap', 2385: 'android.hardware.usb.action.USB_STATE', 1363: '27043', 2446: '(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;', 855: '%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X %02X %08X:%08X %02X:%08lX %08X %5u %8d %lu %d %p %lu %lu %u %u %d', 344: '/proc/%u/status', 1372: 'AUTH', 1886: 'libsubstrate-dvm.so', 1380: 'libfrida-gadget.so', 363: 'TracerPid', 1597: 'MSGetImageByName', 1909: 'libAndroidCydia.cy.so', 376: '/proc', 1402: 'frida-agent-32.so', 385: '/proc/%u', 397: '/proc/%u/cmdline', 1934: 'substrate', 1423: 'frida-agent-64.so', 1947: 'android/app/ActivityThread', 417: '/proc/self/fd', 1444: '/data/local/tmp/12re.34frida.56server78', 498: '/dev/', 434: '/proc/self/fd/%s', 1977: 'currentActivityThread', 454: '/proc/%u/task/%u', 973: 'GameProtector3', 1487: '/data/local/tmp/re.frida.server', 2002: '()Landroid/app/ActivityThread;', 474: '/system/', 991: 'debuggerd', 486: '/vendor/', 2727: 'com/test/tgstc_2020/Native', 1004: '127.0.0.1', 2541: 'android/content/Intent', 1522: 'GameProtector6', 2036: 'getApplication', 1017: 'ida:%d', 507: 'com.tencent.mm'}

def set_hexrays_comment(address, text):
    '''
    set comment in decompiled code
    '''
    cfunc = idaapi.decompile(address)
    tl = idaapi.treeloc_t()
    tl.ea = address
    tl.itp = idaapi.ITP_SEMI
    cfunc.set_user_cmt(tl, text)
    cfunc.save_user_cmts()

# For every call to the decrypt function, the preceding instruction loads the
# table index into the argument register; resolve it and comment the call site.
for inst in idautils.CodeRefsTo(func_decrypt_string, 0):
    print("%x" % idc.PrevHead(inst))
    print("%s" % idc.GetDisasm(idc.PrevHead(inst)))
    print("%s" % idc.GetDisasm(inst))

    print("%d" % idc.GetOpType(idc.PrevHead(inst), 1))
    print("%s" % idc.GetOpnd(idc.PrevHead(inst), 1))
    print("")
    # operand type 2 = memory reference, 5 = immediate
    if idc.GetOpType(idc.PrevHead(inst), 1) == 2 or idc.GetOpType(idc.PrevHead(inst), 1) == 5:
        try:
            # operand text is "#0x..." ; strip the leading '#' and parse as hex
            op_value = int(idc.GetOpnd(idc.PrevHead(inst), 1)[1:], 16)
            idc.MakeComm(inst, d[op_value])
        except (ValueError, KeyError):
            # unparsable operand or index not in the table: skip this call site
            continue
print("finish")

.init_proc function

Anti-debugging, plus mprotect to make the code segment writable.

JNI_OnLoad function

It interacts with the Java layer to some extent, including USB-related calls; the purpose is not yet clear.

It starts ten pairs (20 in total) of TrashThread. Notably, TrashThread is a subclass of TPThread.

The thread function uses time for anti-debugging.

cmd function

While handling "files_dir:" it starts a thread of the selfcheck class, whose internals are very complex. struct_2_init also contains anti-debugging.

selfcheck inherits from TPThread.

verify function

Once the Go binary is running, it self-modifies a block of code, encodes the license, enters loc_CEF538DC for the check, and restores the code afterwards.

XOR that region with 0xDB using IDAPython:

from idaapi import *

begin_addr = 0xcef538dc

# undo the self-modification: the 0xF8-byte block is XORed with 0xDB in place
for i in range(0xF8):
    t = get_bytes(begin_addr+i, 1)
    patch_byte(begin_addr+i, ord(t) ^ 0xDB)

sub_CEF598DC function

Username: 16 bytes

Registration code: 24 bytes

Entering the check function:

Typical control-flow flattening.

Bypass the anti-debugging check in that function, suspend those 20 threads, and it can be debugged.

The key is compared byte by byte; the array it is compared against is generated from the name.

Debugging yields a usable id/key pair:

id: 1234567890123456
key: Lr6DzZgyEj2j78530LmQpfzEyafQmFon

Encryption scheme

After some dynamic debugging I confirmed what a few of the big-number routines do and suspected ECDSA.

192-bit elliptic curve secp192r1: it produces a 384-bit signature, and the low 192 bits are used for verification.

Tracing with IDAPython

Code:

from idaapi import *
from idc import *
import idc

class FuncCoverage(DBG_Hooks):
    def __init__(self):
        DBG_Hooks.__init__(self)
    def dbg_bpt(self, tid, ea):
        # print every breakpoint hit: address and disassembly
        print("%x: %s" % (ea, GetDisasm(ea)))

debugger = FuncCoverage()
# debugger.hook()

# set tracing breakpoints on every direct call (BL to a function, not a loc_)
# inside the signing routine
begin_addr = 0xD1825440
end_addr = begin_addr+0x141C
inst = begin_addr
while inst < end_addr:
    disasm = GetDisasm(inst)
    if "BL" in disasm and "loc" not in disasm:
        print(disasm)
        AddBpt(inst)
        SetBptAttr(inst, BPTATTR_FLAGS, BPT_ENABLED|BPT_TRACE)
    inst = idc.NextHead(inst)

It turned out to use the big-number arithmetic source from https://github.com/esxgx/easy-ecc/blob/master/ecc.c; the functions were labelled accordingly.

Part of the code was inlined into ECDSA_sign; rewritten as follows:

EccPoint_mult (only reaches vli_modMult_fast(z, z, p_point->x);   /* xP * Yb * (X1 - X0) */, trace line 383)

vli_modInv (starting at line 383)
......

So it is just a point multiplication, the EccPoint_mult function (https://github.com/esxgx/easy-ecc/blob/master/ecc.c#L956).

keygen

Sage code:

import hashlib
import binascii
import base64

# username = "1234567890123456"
username = raw_input("please input your username (16 bytes):\n")
assert len(username) == 16
md51 = hashlib.md5(username).digest()

data_2 = "\x34\x37" + md51[2:] + "\xd0\x0b\xb5\xea\xab\x71\x3a\x40\x37\x23\x1d\xfd\x0f\x37\x38\x40\x1c\x35\xa7\x66\xaf\x4c\x38\x40\x08\xb1\x8e\x09\x84\x6f\x37\x40\x91\x28\xa0\x49\x2e\xe7\x36\x40\x7b\x18\x8d\x65\x45\xcc\x38\x40\x33\xbe\xf4\x02\xae\x06\x39\x40\xc1\x46\x68\xb6\x22\x2c\x3b\x40\xa9\x17\xa8\x90\x3e\x08\x39\x40\xae\x18\x12\x8b\x88\x32\x39\x40\x2c\x09\xbe\x5e\x36\xb2\x39\x40\xae\x43\x66\x34\xd6\x25\x3a\x40\x28\xd2\x0a\x9e\x0c\xa3\x38\x40\xae\xd9\xba\xb5\x10\x95\x3b\x40"

username_hash = int(binascii.hexlify(hashlib.md5(data_2).digest()[::-1]), 16)

#username_hash = 337936598822869388762888929081428330529

n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF
a = n - 3
b = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
g = (602046282375688656758213480587526111916698976636884684818, 174050332293622031404857552280219410364023488927386650641)

F = IntegerModRing(n)
E = EllipticCurve(F, [a, b])

g = E(g)

sig = (username_hash * g).xy()

s = list(map(lambda x: binascii.unhexlify(x.lift().hex()), sig))

key = base64.b64encode(s[0][::-1])

print("username:")
print(username)
print("\nkey:")
print(key)

Python:

```python
#!/usr/bin/env python3
# coding=utf-8

import base64
import collections
import hashlib

EllipticCurve = collections.namedtuple('EllipticCurve', 'name p a b g n h')

# secp192r1, the curve easy-ecc is built with inside libcrackme.so
curve = EllipticCurve(
    name='secp192r1',
    # Field characteristic.
    p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF,
    # Curve coefficients.
    a=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF - 3,
    b=0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1,
    # Base point.
    g=(602046282375688656758213480587526111916698976636884684818,
       174050332293622031404857552280219410364023488927386650641),
    # Subgroup order.
    n=0xffffffffffffffffffffffff99def836146bc9b1b4d22831,
    # Subgroup cofactor.
    h=1,
)


# Modular arithmetic ##########################################################

def inverse_mod(k, p):
    """Returns the inverse of k modulo p.
    This function returns the only integer x such that (x * k) % p == 1.
    k must be non-zero and p must be a prime.
    """
    if k == 0:
        raise ZeroDivisionError('division by zero')

    if k < 0:
        # k ** -1 = p - (-k) ** -1 (mod p)
        return p - inverse_mod(-k, p)

    # Extended Euclidean algorithm.
    s, old_s = 0, 1
    t, old_t = 1, 0
    r, old_r = p, k

    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
        old_t, t = t, old_t - quotient * t

    gcd, x, y = old_r, old_s, old_t

    assert gcd == 1
    assert (k * x) % p == 1

    return x % p


# Functions that work on curve points #########################################

def is_on_curve(point):
    """Returns True if the given point lies on the elliptic curve."""
    if point is None:
        # None represents the point at infinity.
        return True

    x, y = point

    return (y * y - x * x * x - curve.a * x - curve.b) % curve.p == 0


def point_neg(point):
    """Returns -point."""
    assert is_on_curve(point)

    if point is None:
        # -0 = 0
        return None

    x, y = point
    result = (x, -y % curve.p)

    assert is_on_curve(result)

    return result


def point_add(point1, point2):
    """Returns the result of point1 + point2 according to the group law."""
    assert is_on_curve(point1)
    assert is_on_curve(point2)

    if point1 is None:
        # 0 + point2 = point2
        return point2
    if point2 is None:
        # point1 + 0 = point1
        return point1

    x1, y1 = point1
    x2, y2 = point2

    if x1 == x2 and y1 != y2:
        # point1 + (-point1) = 0
        return None

    if x1 == x2:
        # This is the case point1 == point2.
        m = (3 * x1 * x1 + curve.a) * inverse_mod(2 * y1, curve.p)
    else:
        # This is the case point1 != point2.
        m = (y1 - y2) * inverse_mod(x1 - x2, curve.p)

    x3 = m * m - x1 - x2
    y3 = y1 + m * (x3 - x1)
    result = (x3 % curve.p,
              -y3 % curve.p)

    assert is_on_curve(result)

    return result


def scalar_mult(k, point):
    """Returns k * point computed using the double and point_add algorithm."""
    assert is_on_curve(point)

    if k % curve.n == 0 or point is None:
        return None

    if k < 0:
        # k * point = -k * (-point)
        return scalar_mult(-k, point_neg(point))

    result = None
    addend = point

    while k:
        if k & 1:
            # Add.
            result = point_add(result, addend)

        # Double.
        addend = point_add(addend, addend)

        k >>= 1

    assert is_on_curve(result)

    return result


# username = b"1234567890123456"
username = input("please input your username (16 bytes):\n").encode()
assert len(username) == 16
md51 = hashlib.md5(username).digest()

# Buffer hashed by the native code: 2 fixed bytes, the last 14 bytes of
# MD5(username), and a 112-byte constant
data_2 = b"\x34\x37" + md51[2:] + b"\xd0\x0b\xb5\xea\xab\x71\x3a\x40\x37\x23\x1d\xfd\x0f\x37\x38\x40\x1c\x35\xa7\x66\xaf\x4c\x38\x40\x08\xb1\x8e\x09\x84\x6f\x37\x40\x91\x28\xa0\x49\x2e\xe7\x36\x40\x7b\x18\x8d\x65\x45\xcc\x38\x40\x33\xbe\xf4\x02\xae\x06\x39\x40\xc1\x46\x68\xb6\x22\x2c\x3b\x40\xa9\x17\xa8\x90\x3e\x08\x39\x40\xae\x18\x12\x8b\x88\x32\x39\x40\x2c\x09\xbe\x5e\x36\xb2\x39\x40\xae\x43\x66\x34\xd6\x25\x3a\x40\x28\xd2\x0a\x9e\x0c\xa3\x38\x40\xae\xd9\xba\xb5\x10\x95\x3b\x40"

# The MD5 digest is read as a little-endian integer and used as the scalar
username_hash = int.from_bytes(hashlib.md5(data_2).digest(), 'little')

t = scalar_mult(username_hash, curve.g)

# The key is the 24-byte x coordinate in little-endian order (easy-ecc's
# in-memory layout), base64-encoded. to_bytes keeps leading zero bytes that
# a hex()-based conversion would drop.
key = base64.b64encode(t[0].to_bytes(24, 'big')[::-1])

print("username:")
print(username.decode())
print("\nkey:")
print(key.decode())
```

Two more name/key pairs:

```
# 0987654321123456
# f3Or+qfcTmUwnwHgtmsyRBlPo9XVQGs+

# hahahahahahahaha
# vkI1jRxzVN1nx+d9D7Q7gCrHPY3Dm5rO
```
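As an added example (not the writeup's code), here is the verifier side of the scheme described above, the check that libcrackme.so performs against the name, applied to the three name/key pairs listed on this page with a constant-time comparison. It assumes Python 3.8+ for `pow(k, -1, p)`; the secp192r1 constants and the 112-byte tail are copied from the keygen above.

```python
# Added example, not the writeup's own code: the verifier side of the scheme.
# key == base64(little-endian 24-byte x of h*G on secp192r1), h = MD5 of a
# buffer derived from the 16-byte name. Needs Python 3.8+ for pow(k, -1, p).
import base64
import hashlib
import hmac

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF  # secp192r1 field prime
A = P - 3
B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
G = (602046282375688656758213480587526111916698976636884684818,
     174050332293622031404857552280219410364023488927386650641)
# 112-byte constant appended to the hashed buffer, copied from the page's keygen
TAIL = b"\xd0\x0b\xb5\xea\xab\x71\x3a\x40\x37\x23\x1d\xfd\x0f\x37\x38\x40\x1c\x35\xa7\x66\xaf\x4c\x38\x40\x08\xb1\x8e\x09\x84\x6f\x37\x40\x91\x28\xa0\x49\x2e\xe7\x36\x40\x7b\x18\x8d\x65\x45\xcc\x38\x40\x33\xbe\xf4\x02\xae\x06\x39\x40\xc1\x46\x68\xb6\x22\x2c\x3b\x40\xa9\x17\xa8\x90\x3e\x08\x39\x40\xae\x18\x12\x8b\x88\x32\x39\x40\x2c\x09\xbe\x5e\x36\xb2\x39\x40\xae\x43\x66\x34\xd6\x25\x3a\x40\x28\xd2\x0a\x9e\x0c\xa3\x38\x40\xae\xd9\xba\xb5\x10\x95\x3b\x40"


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + A*x + B (mod P); None is infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P == 0


def point_add(p1, p2):
    """Affine group law; inverses are computed with pow(v, -1, P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                     # p1 == -p2
    if p1 == p2:
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Plain double-and-add, as EccPoint_mult does for the 128-bit scalar."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def expected_key(name):
    """Key the native verify routine derives from a 16-byte name."""
    md51 = hashlib.md5(name).digest()
    buf = b"\x34\x37" + md51[2:] + TAIL           # 2 + 14 + 112 = 128 bytes
    h = int.from_bytes(hashlib.md5(buf).digest(), "little")
    x, _ = scalar_mult(h, G)
    return base64.b64encode(x.to_bytes(24, "big")[::-1])


def verify(name, key):
    """The app's check: 16-byte name, key compared byte-wise (constant time here)."""
    raw = name.encode()
    if len(raw) != 16:
        return False
    return hmac.compare_digest(expected_key(raw), key.encode())
```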

Miscellaneous

Debugging approach:

Suspend those 20 threads, set a breakpoint before the function that checks TracerPid, and change PC by hand (there is actually only one such spot, shown in the image below).

image-20200412214234009