

i茅台app逆向分析frida反调试

文章仅供思路参考,请勿用作非法攻击

环境:

i茅台 1.3.7

frida 14.2.17

安卓 9 系统


frida注入

常规frida不注入任何脚本

frida -U -f com.moutai.mall --no-pause
    / _  |   Frida 14.2.17 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `com.moutai.mall`. Resuming main thread!                        
[MI 8::com.moutai.mall]-> Process terminated
[MI 8::com.moutai.mall]->

这种情况就是有frida反调试。frida的反调试可以写在java层或者so层,搜罗网上的方法,比较普遍的就是:使用葫芦娃版本的frida、修改frida_server的名称、修改frida_server的端口。文章中的frida_server均已满足以上条件,情况比较严峻。

反调试定位:

这个app是有壳的,防护大概率会是在so层,毕竟java层的反调试已经过时了。我们可以通过hook安卓系统libdl.so中的android_dlopen_ext来定位问题出现在哪个so;定位到具体so之后,再定位so里面的反调试线程,找出来之后把反调试线程替换成空函数,以达到绕过frida检测的目的。以下是hook安卓系统libdl.so中android_dlopen_ext函数的代码:

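/**
 * Log the path of every library the process loads through
 * android_dlopen_ext, so that the library whose load immediately precedes
 * the process being killed can be identified from the console transcript.
 *
 * @param {string} [soName=''] - accepted for interface compatibility; this
 *   first version logs every path and does not use it.
 * @throws {Error} if android_dlopen_ext cannot be resolved, instead of
 *   letting Interceptor.attach fail on a null address.
 */
function hook_dlopen(soName = '') {
    const target = Module.findExportByName(null, "android_dlopen_ext");
    if (target === null) {
        throw new Error("android_dlopen_ext not found");
    }
    Interceptor.attach(target, {
        onEnter(args) {
            // args[0] is always a NativePointer object, so the original
            // `pathptr != null` test could never fail and a NULL filename still
            // reached readCString(). Test the pointer value itself instead.
            const pathptr = args[0];
            if (pathptr.isNull()) {
                return;
            }
            console.log(pathptr.readCString());
        },
    });
}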

// Defer installing the hook until the script's synchronous part has finished;
// the empty filter matches every loaded path.
setImmediate(() => hook_dlopen(""));

以上hook代码用于定位反调试出现在哪个so文件。

└─# frida -U -f com.moutai.mall -l imoutai.js --no-pause
     ____
    / _  |   Frida 14.2.17 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `com.moutai.mall`. Resuming main thread!                        
[MI 8::com.moutai.mall]-> /system/framework/oat/arm64/org.apache.http.legacy.boot.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/oat/arm64/base.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libnesec.so
Process terminated
[MI 8::com.moutai.mall]->

Thank you for using Frida!

通过将js代码注入到目标app,根据以上输出可以发现 libnesec.so 的可能性非常大:注入多次后仍然停留在这个so,说明这个so内部有函数做了反调试处理。我们修改js代码,以便能定位反调试线程,新的js代码如下:

// Base address of the watched library; stays null until hook_dlopen's
// onLeave callback resolves it.
let soaddr = null;
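/**
 * Watch android_dlopen_ext, log every loaded path, and once a path
 * containing `soName` has been loaded, record that library's base address in
 * the file-level `soaddr` and start hook_pthread_create().
 *
 * The original tested `this.hook = true` (an assignment, always truthy) in
 * onLeave, so hook_pthread_create() was re-attached on every dlopen call;
 * the console transcript in the write-up shows each thread offset printed
 * three times as a result. This version compares properly and attaches only
 * once.
 *
 * Note for detection engineers: Interceptor hooks patch the prologue of the
 * target function in-process, so integrity checks on exports such as
 * android_dlopen_ext and pthread_create are a conventional way for an app to
 * notice this kind of instrumentation.
 *
 * @param {string} [soName=''] - substring of the library path to wait for.
 * @throws {Error} if android_dlopen_ext cannot be resolved.
 */
function hook_dlopen(soName = '') {
    let attached = false;
    const target = Module.findExportByName(null, "android_dlopen_ext");
    if (target === null) {
        throw new Error("android_dlopen_ext not found");
    }
    Interceptor.attach(target, {
        onEnter(args) {
            // args[0] is always a NativePointer, so `!= null` never failed;
            // check the pointer value before reading through it.
            const pathptr = args[0];
            if (pathptr.isNull()) {
                return;
            }
            const path = pathptr.readCString();
            console.log(path);
            // readCString() can yield null; only a real string is matched.
            if (path !== null && path.includes(soName)) {
                this.hook = true;
            }
        },
        onLeave(ret) {
            if (this.hook !== true || attached) {
                return;
            }
            // Resolve the base of the library that was just loaded so that
            // thread entry points can be expressed as offsets into it.
            soaddr = Module.findBaseAddress(soName);
            if (soaddr === null) {
                console.log("base address of " + soName + " not found");
                return;
            }
            attached = true;
            hook_pthread_create();
        },
    });
}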
/**
 * Print a symbolized native backtrace for the given CPU context, one frame
 * per line.
 *
 * @param {CpuContext} context - context captured by an Interceptor callback.
 * @param {string} name - unused; kept for interface compatibility.
 */
function printNativeStack(context, name) {
    const frames = Thread.backtrace(context, Backtracer.ACCURATE);
    const symbolized = frames.map((addr) => DebugSymbol.fromAddress(addr));
    console.log(symbolized.join("\n"));
}
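/**
 * Watch pthread_create and print each new thread's start routine as an
 * offset from the base address recorded in the file-level `soaddr`.
 *
 * Offsets larger than the library itself (for example 0x9baef4fc in the
 * transcript) most likely belong to threads started from other modules and
 * can be ignored when matching against the library's disassembly.
 *
 * @throws {Error} if pthread_create cannot be resolved in libc.so.
 */
function hook_pthread_create() {
    const target = Module.findExportByName("libc.so", "pthread_create");
    if (target === null) {
        throw new Error("pthread_create not found");
    }
    Interceptor.attach(target, {
        onEnter(args) {
            // args[2] is the start_routine argument of pthread_create.
            const funcAddr = args[2];
            if (soaddr === null) {
                // The original called .sub(null) here and threw; report the
                // absolute address instead so the event is not lost.
                console.log("The thread function address is " + funcAddr + " (absolute, base unknown)");
                return;
            }
            const offset = funcAddr.sub(soaddr);
            console.log("The thread function address is " + offset);
        },
    });
}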
// Install the dlopen watcher once the script body has run; only loads of
// libnesec.so trigger the pthread_create hook.
setImmediate(() => hook_dlopen("libnesec.so"));

注入以上代码后输出如下:

──(root💀r0env)-[~/Desktop/frida_js]
└─# frida -U -f com.moutai.mall -l imoutai.js --no-pause
     ____
    / _  |   Frida 14.2.17 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `com.moutai.mall`. Resuming main thread!                        
[MI 8::com.moutai.mall]-> /system/framework/oat/arm64/org.apache.http.legacy.boot.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/oat/arm64/base.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libnesec.so
The thread function address is 0x8abb4
The thread function address is 0x8abb4
The thread function address is 0x8abb4
The thread function address is 0x7598c
The thread function address is 0x7598c
The thread function address is 0x7598c
The thread function address is 0x6e348
The thread function address is 0x6e348
The thread function address is 0x6e348
The thread function address is 0x9baef4fc
The thread function address is 0x9baef4fc
The thread function address is 0x9baef4fc
The thread function address is 0x8ac9c
The thread function address is 0x8ac9c
The thread function address is 0x8ac9c
The thread function address is 0x88e04
The thread function address is 0x88e04
The thread function address is 0x88e04
Process terminated
[MI 8::com.moutai.mall]->

根据以上结果配合分析得知:0x88e04 这个偏移地址(相对 libnesec.so 基址)对应的就是frida反调试线程的入口函数。我们再次修改js代码为如下,把反调试的函数替换成空的函数,达到绕过的目的。

// Base address of the watched library; null until hook_dlopen's onLeave
// callback fills it in.
let soaddr = null;
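/**
 * Watch android_dlopen_ext, log every loaded path, and once a path
 * containing `soName` has been loaded, record that library's base address in
 * the file-level `soaddr` and start hook_pthread_create().
 *
 * The original tested `this.hook = true` (an assignment, always truthy) in
 * onLeave, so hook_pthread_create() was re-attached on every dlopen call.
 * This version compares properly and attaches only once, which also avoids
 * a second Interceptor.replace() on the same thread routine.
 *
 * Note for detection engineers: Interceptor hooks patch the prologue of the
 * target function in-process, so integrity checks on exports such as
 * android_dlopen_ext and pthread_create are a conventional way for an app to
 * notice this kind of instrumentation.
 *
 * @param {string} [soName=''] - substring of the library path to wait for.
 * @throws {Error} if android_dlopen_ext cannot be resolved.
 */
function hook_dlopen(soName = '') {
    let attached = false;
    const target = Module.findExportByName(null, "android_dlopen_ext");
    if (target === null) {
        throw new Error("android_dlopen_ext not found");
    }
    Interceptor.attach(target, {
        onEnter(args) {
            // args[0] is always a NativePointer, so `!= null` never failed;
            // check the pointer value before reading through it.
            const pathptr = args[0];
            if (pathptr.isNull()) {
                return;
            }
            const path = pathptr.readCString();
            console.log(path);
            // readCString() can yield null; only a real string is matched.
            if (path !== null && path.includes(soName)) {
                this.hook = true;
            }
        },
        onLeave(ret) {
            if (this.hook !== true || attached) {
                return;
            }
            // Resolve the base of the library that was just loaded so that
            // thread entry points can be expressed as offsets into it.
            soaddr = Module.findBaseAddress(soName);
            if (soaddr === null) {
                console.log("base address of " + soName + " not found");
                return;
            }
            attached = true;
            hook_pthread_create();
        },
    });
}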
/**
 * Print a symbolized native backtrace for the given CPU context, one frame
 * per line.
 *
 * @param {CpuContext} context - context captured by an Interceptor callback.
 * @param {string} name - unused; kept for interface compatibility.
 */
function printNativeStack(context, name) {
    const symbolizedFrames = Thread
        .backtrace(context, Backtracer.ACCURATE)
        .map((addr) => DebugSymbol.fromAddress(addr));
    console.log(symbolizedFrames.join("\n"));
}
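/**
 * Watch pthread_create and, when a thread is started at `targetOffset`
 * from the base recorded in the file-level `soaddr`, replace that start
 * routine with an empty NativeCallback.
 *
 * The offset is specific to the build analysed in the write-up (i茅台 1.3.7,
 * arm64, libnesec.so) and has to be re-derived for any other build, which is
 * why it is now a parameter with the original value as default.
 *
 * Fixes relative to the original: the `offes == 0x88e04` comparison relied
 * on NativePointer-to-number coercion and is now an explicit pointer
 * comparison; the log message printed a stale offset (0x891b8) and now prints
 * the one that was actually matched; a guard prevents calling
 * Interceptor.replace() twice on the same function, which throws.
 *
 * @param {number} [targetOffset=0x88e04] - offset of the thread routine to
 *   neutralise, relative to `soaddr`.
 * @throws {Error} if pthread_create cannot be resolved in libc.so.
 */
function hook_pthread_create(targetOffset = 0x88e04) {
    let replaced = false;
    const target = Module.findExportByName("libc.so", "pthread_create");
    if (target === null) {
        throw new Error("pthread_create not found");
    }
    const label = "0x" + targetOffset.toString(16);
    Interceptor.attach(target, {
        onEnter(args) {
            // args[2] is the start_routine argument of pthread_create.
            const funcAddr = args[2];
            if (soaddr === null || replaced) {
                return;
            }
            const offset = funcAddr.sub(soaddr);
            if (!offset.equals(ptr(targetOffset))) {
                return;
            }
            replaced = true;
            // Same signature as the original replacement: no arguments, no
            // return value.
            Interceptor.replace(funcAddr, new NativeCallback(function () {
                console.log(label + " replaced");
            }, 'void', []));
        },
    });
}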
// Install the dlopen watcher once the script body has run; only loads of
// libnesec.so trigger the pthread_create hook.
setImmediate(() => hook_dlopen("libnesec.so"));
─# frida -U -f com.moutai.mall -l imoutai.js --no-pause
     ____
    / _  |   Frida 14.2.17 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
Spawned `com.moutai.mall`. Resuming main thread!                        
[MI 8::com.moutai.mall]-> /system/framework/oat/arm64/org.apache.http.legacy.boot.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/oat/arm64/base.odex
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libsecsdk.so
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libc++_shared.so
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libmmkv.so
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libproperty_get.so
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libBugly.so
/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libCryptoSeed.so
/system/framework/oat/arm64/gson.odex
/data/dalvik-cache/arm64/system@app@[email protected]@classes.dex
/data/dalvik-cache/arm64/system@app@[email protected]@classes.dex
/vendor/lib64/hw/gralloc.sdm845.so
/vendor/lib64/hw/[email protected]
[MI 8::com.moutai.mall]-> Frida
{
    "version": "14.2.17"
}
[MI 8::com.moutai.mall]->

完结:

至此本文就结束了,大佬轻喷.。。。交流群:613707164


本文转载自: https://blog.csdn.net/zxc979647835/article/details/130682638
版权归原作者 皮特庞 所有, 如有侵权,请联系我们删除。
