i茅台app逆向分析frida反调试

java android 开发语言安全 2023-09-01 06:09:00 295人浏览独家记忆

摘要

文章仅供思路参考，请勿用作非法攻击环境： i茅台 1.3.7 frida 14.2.17 安卓 9 系统 frida注入常规frida不注入任何脚本 frida -U -f com.moutai.mall --no-pause

文章仅供思路参考，请勿用作非法攻击

环境：

i茅台 1.3.7

frida 14.2.17

安卓 9 系统

frida注入

常规frida不注入任何脚本

frida -U -f com.moutai.mall --no-pause

    / _  |   Frida 14.2.17 - A world-class dynamic instrumentation toolkit   | (_| |    > _  |   Commands:   /_/ |_|       help      -> Displays the help system   . . . .       object?   -> Display information about 'object'   . . . .       exit/quit -> Exit   . . . .   . . . .   More info at https://frida.re/docs/home/Spawned `com.moutai.mall`. Resuming main thread!                        [MI 8::com.moutai.mall]-> Process terminated[MI 8::com.moutai.mall]->

这种情况就是有frida反调试，frida的反调试可以写在java层或者so层，搜罗网上的方法，比较

普遍的就是：使用葫芦娃版本的frida、改frida_server的名称，修改frida_server的端口，文章中的frida_server均已满足以上条件，情况比较严峻。

反调试定位：

这个app是有壳的，防护大概率会是在so层，毕竟java层的反调试已经过时了，我们可以通过hook安卓系统的libdl.so中的Android_dlopen_ext来定位问题出现在哪个so，定位到具体so再定位so里面的反调试线程，找出来反调试线程最终把反调试线程替换成空函数以达到绕过frida检测的目的，以下是hook 安卓系统libdl.so中的android_dlopen_ext函数代码

function hook_dlopen(soName = '') {    Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"),        {            onEnter: function (args) {                var pathptr = args[0];    if (pathptr !== undefined && pathptr != null) {                    var path = ptr(pathptr).readCString();                    console.log(path);        }            }        }    );}setImmediate(hook_dlopen,"");

以上hook代码的作用用于定位反调试出现在哪个so文件

└─# frida -U -f com.moutai.mall -l imoutai.js --no-pause     ____    / _  |   Frida 14.2.17 - A world-class dynamic instrumentation toolkit   | (_| |    > _  |   Commands:   /_/ |_|       help      -> Displays the help system   . . . .       object?   -> Display information about 'object'   . . . .       exit/quit -> Exit   . . . .   . . . .   More info at https://frida.re/docs/home/Spawned `com.moutai.mall`. Resuming main thread!                        [MI 8::com.moutai.mall]-> /system/framework/oat/arm64/org.apache.http.legacy.boot.odex/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/oat/arm64/base.odex/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libnesec.soProcess terminated[MI 8::com.moutai.mall]->Thank you for using Frida!

通过将js代码注入到目标app，根据以上显示可以发现 libnesec.so 的可能性非常大，注入多次后仍然是停留在这个so，说明这个so内部有函数做了反调试处理。我们修改修改js代码，以便能定位反调试线程，新的js代码如下：

var soaddr = null;function hook_dlopen(soName = '') {    Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"),        {            onEnter: function (args) {                var pathptr = args[0];    if (pathptr !== undefined && pathptr != null) {                    var path = ptr(pathptr).readCString();                    if (path.indexOf(soName) != -1) {                    this.hook = true;                }                    console.log(path);        }            },            onLeave:function(ret){                if (this.hook = true) {          soaddr = Module.findBaseAddress("libnesec.so");                    hook_pthread_create();                }            }        }    );}function printNativeStack(context, name) {    var trace = Thread.backtrace(context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n");   console.log(trace)  }function hook_pthread_create() {        Interceptor.attach(Module.findExportByName("libc.so", "pthread_create"), {        onEnter(args) {            var func_addr = args[2]                        var offes = func_addr.sub(soaddr);            console.log("The thread function address is " + offes);               }    })}setImmediate(hook_dlopen,"libnesec.so");

注入以上代码返回以下

──(root💀r0env)-[~/Desktop/frida_js]└─# frida -U -f com.moutai.mall -l imoutai.js --no-pause     ____    / _  |   Frida 14.2.17 - A world-class dynamic instrumentation toolkit   | (_| |    > _  |   Commands:   /_/ |_|       help      -> Displays the help system   . . . .       object?   -> Display information about 'object'   . . . .       exit/quit -> Exit   . . . .   . . . .   More info at https://frida.re/docs/home/Spawned `com.moutai.mall`. Resuming main thread!                        [MI 8::com.moutai.mall]-> /system/framework/oat/arm64/org.apache.http.legacy.boot.odex/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/oat/arm64/base.odex/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libnesec.soThe thread function address is 0x8abb4The thread function address is 0x8abb4The thread function address is 0x8abb4The thread function address is 0x7598cThe thread function address is 0x7598cThe thread function address is 0x7598cThe thread function address is 0x6e348The thread function address is 0x6e348The thread function address is 0x6e348The thread function address is 0x9baef4fcThe thread function address is 0x9baef4fcThe thread function address is 0x9baef4fcThe thread function address is 0x8ac9cThe thread function address is 0x8ac9cThe thread function address is 0x8ac9cThe thread function address is 0x88e04The thread function address is 0x88e04The thread function address is 0x88e04Process terminated[MI 8::com.moutai.mall]->

根据以上结果配合分析得知：0x88e04 这个偏移地址就是frida反调试线程，我们再次修改js代码为如下，把反调试的函数替换成空的函数，达到绕过的目的。

var soaddr = null;function hook_dlopen(soName = '') {    Interceptor.attach(Module.findExportByName(null, "android_dlopen_ext"),        {            onEnter: function (args) {                var pathptr = args[0];    if (pathptr !== undefined && pathptr != null) {                    var path = ptr(pathptr).readCString();                    if (path.indexOf(soName) != -1) {                    this.hook = true;                }                    console.log(path);        }            },            onLeave:function(ret){                if (this.hook = true) {          soaddr = Module.findBaseAddress("libnesec.so");                    hook_pthread_create();                }            }        }    );}function printNativeStack(context, name) {    var trace = Thread.backtrace(context, Backtracer.ACCURATE).map(DebugSymbol.fromAddress).join("\n");   console.log(trace)  }function hook_pthread_create() {        Interceptor.attach(Module.findExportByName("libc.so", "pthread_create"), {        onEnter(args) {            let func_addr = args[2]                        var offes = func_addr.sub(soaddr);              if (offes == 0x88e04) {                Interceptor.replace(func_addr,new NativeCallback(function(){                    console.log("0x891b8 replaces");                },'void',[]));}    }    })}setImmediate(hook_dlopen,"libnesec.so");

─# frida -U -f com.moutai.mall -l imoutai.js --no-pause     ____    / _  |   Frida 14.2.17 - A world-class dynamic instrumentation toolkit   | (_| |    > _  |   Commands:   /_/ |_|       help      -> Displays the help system   . . . .       object?   -> Display information about 'object'   . . . .       exit/quit -> Exit   . . . .   . . . .   More info at https://frida.re/docs/home/Spawned `com.moutai.mall`. Resuming main thread!                        [MI 8::com.moutai.mall]-> /system/framework/oat/arm64/org.apache.http.legacy.boot.odex/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/oat/arm64/base.odex/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libsecsdk.so/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libc++_shared.so/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libmmkv.so/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libproperty_get.so/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libBugly.so/data/app/com.moutai.mall-ZqwkhQsJ0Sxyv7X-FRkGlw==/lib/arm64/libCryptoSeed.so/system/framework/oat/arm64/gson.odex/data/dalvik-cache/arm64/system@app@MiuiContentCatcher@MiuiContentCatcher.apk@classes.dex/data/dalvik-cache/arm64/system@app@CatcherPatch@CatcherPatch.apk@classes.dex/vendor/lib64/hw/gralloc.sdm845.so/vendor/lib64/hw/android.hardware.graphics.mapper@2.0-impl-qti-display.so[MI 8::com.moutai.mall]-> Frida{    "version": "14.2.17"}[MI 8::com.moutai.mall]->