ollvm9

Android逆向解题-ollvm9

资源

[原创]浅尝ollvm轻度混淆后的加密算法分析-Android安全-看雪-安全社区|安全招聘|kanxue.com

简介

包名：”com.kanxue.ollvm_ndk_9”

行为

一个Check按钮，点击后，中间的Text框输出随机的字符串。

Java层静态分析

public void onClick(View view) {
    String randomAlphanumeric = RandomStringUtils.randomAlphanumeric(36);
    String UUIDCheckSum = MainActivity.UUIDCheckSum(randomAlphanumeric);
    textView.setText(UUIDCheckSum);
    Log.e("kanxue", "input: " + randomAlphanumeric + " output: " + UUIDCheckSum);
}

生成一个包含36个字符的随机字符串，其中字符由字母和数字组成。

然后进入一个叫做UUIDCheckSum的自定义Native函数，得到UUIDCheckSum字符串，最后用setText打印到Text框上。

所以核心点就在于这个Native函数UUIDCheckSum。

public static native String UUIDCheckSum(String str);

Native层静态分析

arm64架构的libnative-lib.so。

直接看Export，看到里导出函数：

jstring __fastcall Java_com_kanxue_ollvm_1ndk_MainActivity_UUIDCheckSum(JNIEnv *env, jclass clazz, jstring str)

稍微肉眼看了一下，恢复了部分逻辑，但是下面有平坦化的地方还是很混乱。：

jstring __fastcall Java_com_kanxue_ollvm_1ndk_MainActivity_UUIDCheckSum(JNIEnv *env, jclass clazz, jstring str)
{
  int len; // w23
  const char *cstr; // x0
  const char *cstr_; // x22
  int v8; // w26
  char *dup_cstr; // x20
  const char *v10; // x1
  int v11; // w15
  int i; // w16
  jstring v14; // x19
  int v15; // w8
  char v16; // [xsp+8h] [xbp-88h]
  _BYTE v17[7]; // [xsp+9h] [xbp-87h] BYREF
  void *ptr; // [xsp+18h] [xbp-78h]
  __int64 iarr[3]; // [xsp+20h] [xbp-70h] BYREF
  __int64 v20; // [xsp+38h] [xbp-58h]

  v20 = *(_QWORD *)(_ReadStatusReg(ARM64_SYSREG(3, 3, 13, 0, 2)) + 40);
  len = (*env)->GetStringLength(env, str);
  cstr = (*env)->GetStringUTFChars(env, str, 0LL);
  if ( len < 36 )
    return (*env)->NewStringUTF(env, aUuidchecksum);
  cstr_ = cstr;
  if ( !cstr )
    return (*env)->NewStringUTF(env, aUuidchecksum);
  v8 = 0x2E5E37DA;
  dup_cstr = strdup(cstr);
  do_sth1(dup_cstr, len);                       // 干了些啥坏事
  memset(iarr, 0, sizeof(iarr));
  do_sth2(iarr, dup_cstr, len);                 // dup_cstr --> iarr
  do_sth3((__int128 *)iarr);                    // iarr --> iarr
  (*env)->ReleaseStringUTFChars(env, str, cstr_);
  if ( (v16 & 1) != 0 )
    v11 = 1545132552;
  else
    v11 = -772533585;
  for ( i = -2045775675; ; i = 1802661055 )
  {
    while ( i <= 1545132551 )
    {
      if ( i == -2045775675 )
      {
        i = v11;
      }
      else
      {
        i = 1802661055;
        v10 = v17;
      }
    }
    if ( i != 1545132552 )
      break;
    v10 = (const char *)ptr;
  }
  v14 = (*env)->NewStringUTF(env, v10);
  free(dup_cstr);
  v15 = 777926618;
  while ( v15 != -1148884330 )
  {
    if ( v15 == -237918423 )
    {
      operator delete(ptr);
      v15 = -1148884330;
    }
    else if ( (v16 & 1) != 0 )
    {
      v15 = -237918423;
    }
    else
    {
      v15 = -1148884330;
    }
  }
  while ( v8 != -1148884330 )
  {
    if ( v8 == -237918423 )
    {
      operator delete((void *)iarr[2]);
      v8 = -1148884330;
    }
    else if ( (iarr[0] & 1) != 0 )
    {
      v8 = -237918423;
    }
    else
    {
      v8 = -1148884330;
    }
  }
  return v14;
}

其中的符号aUuidchecksum指向了一块字符串，但是会在.init_array时首先被解密。因此后面先用动态Frida Hook的方法把解密后的数据给拿到。

看Log

因为Java层里面有：

Log.e("kanxue", "input: " + randomAlphanumeric + " output: " + UUIDCheckSum);

所以直接用Logcat看：

2023-06-04 15:06:48.347 8563-8563/? E/kanxue: input: Lc8m3svDL7v5IvOmgO8pbWTqEyNKP5wnPbcT output: hk8Tp39MrOiHbBqOg2OOp6nc_l5xjzj4_lvdgz4OrAXfmN8T
2023-06-04 15:06:51.025 8563-8563/? E/kanxue: input: 8WIWJZX0eXLEhYgchAxVSeS8izV6nSTb08n1 output: cjn8jyHpkh4HkiP4ogOOmAz0_jrgn59C_lHlbQXgjkaLchqQ
2023-06-04 15:06:51.259 8563-8563/? E/kanxue: input: gd8Q1iaYyDf4k1by8RofMWbjGHAnWP8vFQ9W output: nAiTi31Cm5uHfkqPowOOs3zh_krajAb6_iz0pPnfclr7i65w
2023-06-04 15:06:51.474 8563-8563/? E/kanxue: input: jd6N0WJfxlEiSak08RTzV6HsRQuVUTFopTxz output: oQiRhN5kgQqHpifCiwOOahzh_lHlbOzh_j1OjPfjfQTLjkiP
2023-06-04 15:06:51.667 8563-8563/? E/kanxue: input: qAeU7PqvJ7asBD8GeJGaXGlT3UwwRv5Ep1gE output: q41yj3nfq7qHbA1MeMOOfAf__k1nfAOM_jfQrzbRb4fLa38L
2023-06-04 15:06:51.875 8563-8563/? E/kanxue: input: 4BIj8n4DFQEnXGbddyKDxwpV1OmSXxyGTYTG output: bib8oNzJbiiHi4fJkgOOnkjS_ijTrB4K_iTGizzTs4njk3fA
2023-06-04 15:06:52.125 8563-8563/? E/kanxue: input: xvdxRMPaXgMh5ilxY32JJ9XQ8720QpLCD46a output: slrzsjbaik0HnyLDb2OOsjuM_iH_c5yT_hmNaj1Lhi95bkeO
2023-06-04 15:06:52.375 8563-8563/? E/kanxue: input: 1yGEPuy5eF5wWO9mpq9N5ZdHz3jEUrwP5ECe output: a7v6f55Os3eHfNfQjwOOp75K_iWOkQjV_h9Ff5fNrz4Of3iK
2023-06-04 15:06:52.609 8563-8563/? E/kanxue: input: HOugDY19qudSyXOKRK6UcTU8rNLGN0qRUIh7 output: giTOnyjma3uHr6jgs2OOgzb-_jfwjjfN_iXbfyWLq5big64R
2023-06-04 15:06:52.826 8563-8563/? E/kanxue: input: AiNpBAwquWEZDvpH1OH8xs2GIL9eNp0fPjKq output: e6vdqib0rB0HjyfpfgOOgh1c_hzTqxb8_iOSn4XLakrfoQ9x
2023-06-04 15:06:53.018 8563-8563/? E/kanxue: input: qcynzhQ7eETzSK4CThFbVMT5e4PE1rMKXGwk output: q69SpRHDi3mHf5jViwOOezjD_kblh5jy_hjff31Nh4DnfA9v
2023-06-04 15:06:53.210 8563-8563/? E/kanxue: input: 8v4Qv8hCbdcRLlA0KnCbpjDsAMUJTFnuZQWf output: clqPi7qToi8Hnk9hhgOOaiDJ_kbLoOj0_iLigPj7pRfpi6mK
2023-06-04 15:06:54.970 8563-8563/? E/kanxue: input: f34IzGz0nnc34zKo8hR5EUUjzTnkx8k8ON9O output: nN8Pg7H6sN4HpQ8MbgOOpxzD_hf4j5fV_jjJoByToxzchNbx
2023-06-04 15:06:55.128 8563-8563/? E/kanxue: input: 75giBCao52GCErwUjyAOH6lg9eFBFRUrfUlT output: bxfAo4b2m6SHaOn2f2OOj6HS_iT9bQOS_kf7eOrhj7bBj3bx
2023-06-04 15:06:55.320 8563-8563/? E/kanxue: input: rZk4qvdfgvn3dJEylz0EQSaiFcOCMH4faEk2 output: qPHEbl1RnkqHrQWMngOOs6PV_ifeiA17_k9ceyL9bkruf30L
2023-06-04 15:06:55.487 8563-8563/? E/kanxue: input: RKOkpB3JHC28DctVvqDww2Fj6PFRvcqFdnwM output: iODcoB53ayGHexaTfgOOjRrK_lnQaOqR_j57iRrwq4rzpQ5w
2023-06-04 15:06:55.662 8563-8563/? E/kanxue: input: ozS2Ew2mld5802OSI3YmSjaiCY4skwCSfW17 output: pBHgaOfQaQKHnheTagOOiyuM_kLgoQ12_juPqADQez9BjAaN
2023-06-04 15:06:55.862 8563-8563/? E/kanxue: input: Te7R7Z75EFox1I2dK81Ntpes9YApnuapA1As output: jkeQiNnpbxeHfQTTa2OOniCT_iXPqkeS_jv0qkXOm750a3eR
2023-06-04 15:06:56.054 8563-8563/? E/kanxue: input: t0byMHvTRtmTAex77SdYHIB7Xmuxw45JCQWb output: rh5xs4L9rPiHrkLje2OObxng_jv9g4bn_kLOslmPb4H2i34O
2023-06-04 15:06:56.229 8563-8563/? E/kanxue: input: tO2FlE8q6nRZ1vEHcKO2MvWRd76RpiGQDXOS output: riSNfQP4cl0HpPbpa2OOgk9-_hbarPnz_hmRiR5Cfz15kh9y
2023-06-04 15:06:56.388 8563-8563/? E/kanxue: input: 76BJMFrIC3mYzqdBvfYAT2KcqHwQ7yre2j7C output: bxr3gOL7qOuHaALmsMOOeRrB_i1jaODK_izQi3nSqQeNoQjw
2023-06-04 15:06:56.572 8563-8563/? E/kanxue: input: XzcuSQpy4l72ZEnDGh5EV2CFHXfcZZ80yyqs output: klHwr59eqluHphmNkMOOfinD_iflaO99_jzBmzHpch5Ss30R

Frida分析

dump datadiv数据

.init段内有自动解密数据的函数。这里我用Frida把它执行后的结果直接dump出来了。

hook_ollvm9.js

//8.0以下所有的so加载都通过dlopen
function hook_dlopen() {
    var dlopen = Module.findExportByName(null, "dlopen");
    if(dlopen==null) {
        console.log("cannot find dlopen, exiting...");
        return;
    }
    Interceptor.attach(dlopen, {
        onEnter: function (args) {
            this.call_hook = false;
            var so_name = ptr(args[0]).readCString();
            // console.log("dlopen:", so_name);
            if (so_name.indexOf("libnative-lib.so") >= 0) {
                console.log("dlopen:", ptr(args[0]).readCString());
                this.call_hook = true;//dlopen函数找到了
            }
 
        }, onLeave: function (retval) {
            if (this.call_hook) {//dlopen函数找到了就hook so
                console.log("calling inline_hook.")
                inline_hook();
            }
        }
    });
    // 高版本Android系统使用android_dlopen_ext
    var android_dlopen_ext = Module.findExportByName(null, "android_dlopen_ext");
    if(android_dlopen_ext==null) {
        console.log("cannot find android_dlopen_ext , exiting...");
        return;
    }
    Interceptor.attach(android_dlopen_ext, {
        onEnter: function (args) {
            this.call_hook = false;
            var so_name = ptr(args[0]).readCString();
            // console.log("dlopen:", so_name);
            if (so_name.indexOf("libnative-lib.so") >= 0) {
                console.log("android_dlopen_ext:", ptr(args[0]).readCString());
                this.call_hook = true;
            }
 
        }, onLeave: function (retval) {
            if (this.call_hook) {
                console.log("calling inline_hook.");
                inline_hook();
            }
        }
    });
}

function inline_hook() {
    Java.perform(function() {
        // var mods:Module[] = Process.enumerateModules();
        // for(var mod of mods) {
            // if(mod.name.indexOf("libnative-lib.so") > -1) {
                var mod = Process.getModuleByName("libnative-lib.so")
                console.log("lib base:", mod.base);
                // var mod = Module.load("libnative-lib.so")
                var base = mod.base;
                // var decode_func_base = base.add(0x10D70);
                // var decode_func = new NativeFunction(decode_func_base, 'pointer', []);
                var data_base = base.add(0x37010);

                console.log(hexdump(data_base, 
                                {
                                    offset: 0,
                                    length: 0x370F3-0x37010+1,
                                    header: true,
                                    ansi: true
                                }));

                // Interceptor.attach(decode_func, {
                //     onEnter(args) {
                //         console.log("Entering decode_func.")
                //     },
                //     onLeave(retval) {
                //         console.log(hexdump(data_base, 
                //             {
                //                 offset: 0,
                //                 length: 0x370F3-0x37010+1,
                //                 header: true,
                //                 ansi: true
                //             }))
                //     },
                // })
            // } 
        }
    // }
    )
}

setImmediate(hook_dlopen, 0)

执行后得到结果：

             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
7c5cc78010  30 31 32 33 34 35 36 37 38 39 2d 5f 61 62 63 64  0123456789-_abcd
7c5cc78020  65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74  efghijklmnopqrst
7c5cc78030  75 76 77 78 79 7a 41 42 43 44 45 46 47 48 49 4a  uvwxyzABCDEFGHIJ
7c5cc78040  4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a  KLMNOPQRSTUVWXYZ
7c5cc78050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
7c5cc78060  30 31 32 33 34 35 36 37 38 39 61 62 63 64 65 66  0123456789abcdef
7c5cc78070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
7c5cc78080  55 55 49 44 43 68 65 63 6b 53 75 6d 20 65 72 72  UUIDCheckSum err
7c5cc78090  6f 72 21 00 00 00 00 00 62 61 73 69 63 5f 73 74  or!.....basic_st
7c5cc780a0  72 69 6e 67 00 00 00 00 00 00 00 00 00 00 00 00  ring............
7c5cc780b0  61 6c 6c 6f 63 61 74 6f 72 3c 54 3e 3a 3a 61 6c  allocator<T>::al
7c5cc780c0  6c 6f 63 61 74 65 28 73 69 7a 65 5f 74 20 6e 29  locate(size_t n)
7c5cc780d0  20 27 6e 27 20 65 78 63 65 65 64 73 20 6d 61 78   'n' exceeds max
7c5cc780e0  69 6d 75 6d 20 73 75 70 70 6f 72 74 65 64 20 73  imum supported s
7c5cc780f0  69 7a 65 00                                      ize.

找到三个有代表性的结构，偏移+10的，+60的，+80的。

Hook sub_FCB4，sub_F9B8

代码写的比较丑，不过问题不大。sub_F9B8（即do_sth3）似乎没Hook到具体干了啥，进入函数和离开函数时，打印的值都是一致的。

var tmp;

var func_do_sth1_addr = base.add(0xfcb4);
var func_do_sth2_addr = base.add(0x1029C);
var func_do_sth3_addr = base.add(0xf9b8);

var func_do_sth1 = new NativeFunction(func_do_sth1_addr, 
    'pointer', ['pointer', 'int'])

var func_do_sth2 = new NativeFunction(func_do_sth2_addr, 
    'pointer', ['pointer', 'pointer', 'uint64'])

// var func_do_sth3 = new NativeFunction(func_do_sth3_addr, 
//     'pointer', ['pointer'])
Interceptor.attach(
    func_do_sth1,
    {
        onEnter(args) {
            console.log("enter do_sth1:");
            console.log("\targs[0]:" + args[0].readCString());
            console.log("\targs[1]:" + args[1]);
            tmp = ptr(args[0]);
        },
        onLeave(retval) {
            console.log("leaving do_sth1:")
            // console.log("\t")
            console.log("\targs[0]:")
            console.log(hexdump(tmp,{
                offset: 0,
                length: 40,
                header: true,
                ansi: true
            }))
            console.log("\tret:")
            console.log(hexdump(retval,{
                offset: 0,
                length: 40,
                header: true,
                ansi: true
            }))
        }
    }
)
// Interceptor.attach(
//     func_do_sth2,
//     {
//         onEnter(args) {
//             console.log("enter do_sth2:");
//             console.log(hexdump(ptr(args[0]), {
//                 offset: 0,
//                 length: 30,
//                 header: true,
//                 ansi: true
//             }))
//             tmp = ptr(args[0])
//         },
//         onLeave(retval) {
//             console.log("leaving do_sth2:");
//             console.log(hexdump(ptr(tmp), {
//                 offset: 0,
//                 length: 30,
//                 header: true,
//                 ansi: true
//             }))
//         }
//     }
// )
Interceptor.attach(
    func_do_sth3_addr,
    {
        onEnter(args) {
            console.log("enter do_sth3:");
            console.log(hexdump(ptr(args[0]), {
                offset: 0,
                length: 40,
                header: true,
                ansi: true
            }))
            console.log(hexdump(ptr(args[1]), {
                offset: 0,
                length: 40,
                header: true,
                ansi: true
            }))
            console.log(args[2]);

            tmp = ptr(args[0])
            this.tmp0 = ptr(args[0])
            this.tmp1 = ptr(args[1])
            // this.tmp2 = ptr(args[2])
        },
        onLeave(retval) {
            console.log("leaving do_sth3:");
            console.log(hexdump(this.tmp0, {
                offset: 0,
                length: 40,
                header: true,
                ansi: true
            }))
            console.log(hexdump(this.tmp1, {
                offset: 0,
                length: 40,
                header: true,
                ansi: true
            }))
            console.log(retval);
            console.log(hexdump(ptr(retval), {
                offset: 0,
                length: 40,
                header: true,
                ansi: true
            }))
        }
    }
)

打印结果：

enter do_sth1:
        args[0]:RVa3Y1e9WPxr9UNRq1s3z3H0QKkLhIpPMlrW
        args[1]:0x24
leaving do_sth1:
        args[0]:
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF    
7c9dcfe9d0  53 57 60 32 58 30 64 38 2d 51 79 73 38 2d 34 53  SW`2X0d8-Qys8-4S    
7c9dcfe9e0  70 30 2d 32 7b 32 49 50 2d 4a 6a 4d 69 48 71 51  p0-2{2IP-JjMiHqQ    
7c9dcfe9f0  4c 6d 30 33 00 00 00 00                          Lm03....
        ret:
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF    
7c9dcfe9d0  53 57 60 32 58 30 64 38 2d 51 79 73 38 2d 34 53  SW`2X0d8-Qys8-4S
7c9dcfe9e0  70 30 2d 32 7b 32 49 50 2d 4a 6a 4d 69 48 71 51  p0-2{2IP-JjMiHqQ    
7c9dcfe9f0  4c 6d 30 33 00 00 00 00                          Lm03....
enter do_sth3:
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF    
7fdd4ae8c0  31 00 00 00 00 00 00 00 24 00 00 00 00 00 00 00  1.......$.......    
7fdd4ae8d0  50 1e d0 9d 7c 00 00 00 cf 2b 09 71 15 07 77 8c  P...|....+.q..w.    
7fdd4ae8e0  01 00 00 00 00 00 00 00                          ........
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF    
7c9dcfe9d0  53 57 60 32 58 30 64 38 2d 51 79 73 38 2d 34 53  SW`2X0d8-Qys8-4S    
7c9dcfe9e0  70 30 2d 32 7b 32 49 50 2d 4a 6a 4d 69 48 71 51  p0-2{2IP-JjMiHqQ
7c9dcfe9f0  4c 6d 30 33 00 00 00 00                          Lm03....
0x24
leaving do_sth3:
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF    
7fdd4ae8c0  31 00 00 00 00 00 00 00 24 00 00 00 00 00 00 00  1.......$.......    
7fdd4ae8d0  50 1e d0 9d 7c 00 00 00 cf 2b 09 71 15 07 77 8c  P...|....+.q..w.
7fdd4ae8e0  01 00 00 00 00 00 00 00                          ........
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF    
7c9dcfe9d0  53 57 60 32 58 30 64 38 2d 51 79 73 38 2d 34 53  SW`2X0d8-Qys8-4S    
7c9dcfe9e0  70 30 2d 32 7b 32 49 50 2d 4a 6a 4d 69 48 71 51  p0-2{2IP-JjMiHqQ    
7c9dcfe9f0  4c 6d 30 33 00 00 00 00                          Lm03....
0x7f0168d6c4
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF    
7f0168d6c4  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................    
7f0168d6d4  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................    
7f0168d6e4  00 00 00 00 00 00 00 00                          ........
iPruazuKn3uHilzNc2OOiR0K_h9Vayze_iDEhkz8qj5aph0N

Hook NewStringUTF

v15 = (*env)->NewStringUTF(env, v11);

这里生成的v15就是整个Native函数的返回值了。而这个传入的v11显然就是C语言字符串，而且根据传参调用约定，应该是寄存器X1。

因此直接Hook地址，打印X1即可。

var final = base.add(0x100DC)
Interceptor.attach(final, {
    onEnter(args) {
        console.log(this.context.x1.readCString())
    },
    onLeave(retval) {

    }
})

得到结果：

iPruazuKn3uHilzNc2OOiR0K_h9Vayze_iDEhkz8qj5aph0N

部分总结

sub_FCB4的值是36字节输入，36字节输出，进行了一些自定义修改。

而虽然sub_F9B8的直接输出暂时没看到，但是36字节的输入，到最后整个Native函数的返回值，就类似于一个base64魔改。

0123456789-_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

解sub_F9B8（Base64魔改）

import base64
import string

str1 = r"SW`2X0d8-Qys8-4Sp0-2{2IP-JjMiHqQLm03"

string1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
string2 = "0123456789-_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

# print (base64.b64decode(str1.translate(str.maketrans(string1,string2))))
print(base64.b64encode(str1.encode()).decode().translate(str.maketrans(string1,string2)))

分析sub_FCB4算法（!TODO）

这一次的核心任务不是嗯看算法，所以暂时这里pass。不过提供一个别人逆向过的代码：

public class Test {

    public static void main(String args[])
    {
        decrypt_ollvm("SWMoSELqaUYnTdaf8lvkQyfcLwW5e7uC2qIt");
    }

    private static void decrypt_ollvm(String oriData)
    {
        //String oriData = "FzcUrBejLhmn4IDC8avfHCYCoL8wC7YJ8qcn";
        byte[] referBytes = "0123456789abcdef".getBytes();
        byte[] oriBytes = oriData.getBytes();
        int oriDataLen = oriBytes.length;
        byte[] resultBytes = new byte[oriDataLen];
        byte initByte = (byte)0xFF;
        long addSum = 0;
        oriBytes[23] = oriBytes[24];
        boolean skip = false;
        for(int i = 0; i < oriDataLen - 2; i++)
        {
            byte targetByte = 0;
            skip = false;
            switch (i)
            {
                case 14:
                    targetByte = 52;
                    skip = true;
                    break;
                case 8:
                case 13:
                case 18:
                case 24:
                    targetByte = 45;
                    skip = true;
                    break;
                default:
                    targetByte = (byte)(oriBytes[i] ^ 1);
                    break;
            }
            resultBytes[i] = targetByte;
            if(!skip)
            {
                initByte ^= oriBytes[i];
                addSum += (long) oriBytes[i];
                //System.out.println(Integer.toHexString(Byte.valueOf(initByte) & 0xFF));
                //System.out.print(addSum);
            }
        }
        resultBytes[oriDataLen - 1] = referBytes[(initByte & 0xF)];
        resultBytes[oriDataLen - 2] = referBytes[(int)(addSum & 0xF)];
        String resultData = CostumBase64.encode((resultBytes));
        // String resultData = new String(resultBytes);
        System.out.println(resultData);
    }
}


class CostumBase64 {
    private static final char[] legalChars = "0123456789-_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
            .toCharArray();

    public static String encode(byte[] data) {
        int start = 0;
        int len = data.length;
        StringBuilder buf = new StringBuilder(data.length * 3 / 2);

        int end = len - 3;
        int i = start;
        int n = 0;

        while (i <= end) {
            int d = ((((int) data[i]) & 0x0ff) << 16)
                    | ((((int) data[i + 1]) & 0x0ff) << 8)
                    | (((int) data[i + 2]) & 0x0ff);

            buf.append(legalChars[(d >> 18) & 63]);
            buf.append(legalChars[(d >> 12) & 63]);
            buf.append(legalChars[(d >> 6) & 63]);
            buf.append(legalChars[d & 63]);

            i += 3;

            if (n++ >= 14) {
                n = 0;
                buf.append(" ");
            }
        }

        if (i == start + len - 2) {
            int d = ((((int) data[i]) & 0x0ff) << 16)
                    | ((((int) data[i + 1]) & 255) << 8);

            buf.append(legalChars[(d >> 18) & 63]);
            buf.append(legalChars[(d >> 12) & 63]);
            buf.append(legalChars[(d >> 6) & 63]);
            buf.append("=");
        } else if (i == start + len - 1) {
            int d = (((int) data[i]) & 0x0ff) << 16;

            buf.append(legalChars[(d >> 18) & 63]);
            buf.append(legalChars[(d >> 12) & 63]);
            buf.append("==");
        }

        return buf.toString();
    }

}

Unicorn（没分析）

unicornDemo/main.py at main · dqzg12300/unicornDemo (github.com)

main.py

# This is a sample Python script.

# Press ⌃R to execute it or replace it with your code.
# Press Double ⇧ to search everywhere for classes, files, tool windows, actions, and settings.

import unicorn
import random
import string
import capstone
import re
import globalData
import binascii

def ranstr(num):
    salt = ''.join(random.sample(string.ascii_letters + string.digits, num))
    return salt

cs = capstone.Cs(capstone.CS_ARCH_ARM64, capstone.CS_MODE_ARM)
cs.detail = True
all_regs = None
reg_names = {
    "X0": unicorn.arm64_const.UC_ARM64_REG_X0,
    "X1": unicorn.arm64_const.UC_ARM64_REG_X1,
    "X2": unicorn.arm64_const.UC_ARM64_REG_X2,
    "X3": unicorn.arm64_const.UC_ARM64_REG_X3,
    "X4": unicorn.arm64_const.UC_ARM64_REG_X4,
    "X5": unicorn.arm64_const.UC_ARM64_REG_X5,
    "X6": unicorn.arm64_const.UC_ARM64_REG_X6,
    "X7": unicorn.arm64_const.UC_ARM64_REG_X7,
    "X8": unicorn.arm64_const.UC_ARM64_REG_X8,
    "X9": unicorn.arm64_const.UC_ARM64_REG_X9,
    "X10": unicorn.arm64_const.UC_ARM64_REG_X10,
    "X11": unicorn.arm64_const.UC_ARM64_REG_X11,
    "X12": unicorn.arm64_const.UC_ARM64_REG_X12,
    "X13": unicorn.arm64_const.UC_ARM64_REG_X13,
    "X14": unicorn.arm64_const.UC_ARM64_REG_X14,
    "X15": unicorn.arm64_const.UC_ARM64_REG_X15,
    "X16": unicorn.arm64_const.UC_ARM64_REG_X16,
    "X17": unicorn.arm64_const.UC_ARM64_REG_X17,
    "X18": unicorn.arm64_const.UC_ARM64_REG_X18,
    "X19": unicorn.arm64_const.UC_ARM64_REG_X19,
    "X20": unicorn.arm64_const.UC_ARM64_REG_X20,
    "X21": unicorn.arm64_const.UC_ARM64_REG_X21,
    "X22": unicorn.arm64_const.UC_ARM64_REG_X22,
    "X23": unicorn.arm64_const.UC_ARM64_REG_X23,
    "X24": unicorn.arm64_const.UC_ARM64_REG_X24,
    "X25": unicorn.arm64_const.UC_ARM64_REG_X25,
    "X26": unicorn.arm64_const.UC_ARM64_REG_X26,
    "X27": unicorn.arm64_const.UC_ARM64_REG_X27,
    "X28": unicorn.arm64_const.UC_ARM64_REG_X28,
    "W0": unicorn.arm64_const.UC_ARM64_REG_W0,
    "W1": unicorn.arm64_const.UC_ARM64_REG_W1,
    "W2": unicorn.arm64_const.UC_ARM64_REG_W2,
    "W3": unicorn.arm64_const.UC_ARM64_REG_W3,
    "W4": unicorn.arm64_const.UC_ARM64_REG_W4,
    "W5": unicorn.arm64_const.UC_ARM64_REG_W5,
    "W6": unicorn.arm64_const.UC_ARM64_REG_W6,
    "W7": unicorn.arm64_const.UC_ARM64_REG_W7,
    "W8": unicorn.arm64_const.UC_ARM64_REG_W8,
    "W9": unicorn.arm64_const.UC_ARM64_REG_W9,
    "W10": unicorn.arm64_const.UC_ARM64_REG_W10,
    "W11": unicorn.arm64_const.UC_ARM64_REG_W11,
    "W12": unicorn.arm64_const.UC_ARM64_REG_W12,
    "W13": unicorn.arm64_const.UC_ARM64_REG_W13,
    "W14": unicorn.arm64_const.UC_ARM64_REG_W14,
    "W15": unicorn.arm64_const.UC_ARM64_REG_W15,
    "W16": unicorn.arm64_const.UC_ARM64_REG_W16,
    "W17": unicorn.arm64_const.UC_ARM64_REG_W17,
    "W18": unicorn.arm64_const.UC_ARM64_REG_W18,
    "W19": unicorn.arm64_const.UC_ARM64_REG_W19,
    "W20": unicorn.arm64_const.UC_ARM64_REG_W20,
    "W21": unicorn.arm64_const.UC_ARM64_REG_W21,
    "W22": unicorn.arm64_const.UC_ARM64_REG_W22,
    "W23": unicorn.arm64_const.UC_ARM64_REG_W23,
    "W24": unicorn.arm64_const.UC_ARM64_REG_W24,
    "W25": unicorn.arm64_const.UC_ARM64_REG_W25,
    "W26": unicorn.arm64_const.UC_ARM64_REG_W26,
    "W27": unicorn.arm64_const.UC_ARM64_REG_W27,
    "W28": unicorn.arm64_const.UC_ARM64_REG_W28,
    "SP": unicorn.arm64_const.UC_ARM64_REG_SP,
}

#初始化全局数据
def initGlobalData():
    globalData.has_pre=False
    globalData.pre_codestr=""
    globalData.pre_regname=""
    #添加监视列表,trace时打印该内存的变动
    globalData.watch_addrs= {0x7eae07e060:""}


def hook_code(uc: unicorn.Uc, address, size, user_data):
    inst_code=uc.mem_read(address,size)
    for inst in cs.disasm(inst_code,size):
        #判断是否保存有上次的指令，有的话，则先打印上次的指令，并且查询上次的第一个寄存器的新数值
        if globalData.has_pre and globalData.pre_regname:
            regindex = reg_names[globalData.pre_regname.upper()]
            regvalue = uc.reg_read(regindex)
            globalData.pre_codestr+="\t//%s=0x%x" % (globalData.pre_regname,regvalue)
            print(globalData.pre_codestr)
            globalData.pre_codestr=""
            globalData.has_pre=False

        #监控我关心的内存空间，如果发生变动会再打印
        if len(globalData.watch_addrs)>0:
            for i,v in globalData.watch_addrs.items():
                idata= uc.mem_read(i,0x10)
                buf= binascii.b2a_hex(idata)
                hexstr=buf.decode(encoding="utf-8")
                if globalData.watch_addrs[i]==hexstr:
                    continue
                globalData.watch_addrs[i]=hexstr
                print("0x%x\t%s" % (i, hexstr))

        #拼接当前行的汇编指令
        opstr="0x%x:\t%s\t%s" % (address, inst.mnemonic, inst.op_str)
        #从当前行指令中匹配出所有的寄存器
        res = re.findall(r'[^0]([wx][0-9]+)', " " + inst.op_str, re.I | re.M)
        #如果有多个寄存器，取第一个为数值被改变的寄存器
        if len(res)>0:
            globalData.pre_regname = res[0]
        res=list(set(res))
        #如果有sp寄存器，则单独插入
        if "sp" in inst.op_str:
            res.append("sp")
        #如果没有寄存器，则不需要记录为上次的，直接打印即可
        if len(res)<=0:
            has_pre=False
            print(opstr)
            continue
        #记录数据为上次的指令
        fenge = "\t\t------"
        curreg=""
        for regname in res:
            regindex=reg_names[regname.upper()]
            regvalue=uc.reg_read(regindex)
            curreg+="%s=0x%x\t" % (regname,regvalue)
        globalData.pre_codestr=opstr +fenge+ curreg
        globalData.has_pre=True


# Press the green button in the gutter to run the script.
if __name__ == '__main__':
    initGlobalData()
    #创建uc对象
    uc=unicorn.Uc(unicorn.UC_ARCH_ARM64,unicorn.UC_MODE_ARM)
    #从内存中dump下来so的基址
    code_addr=0x7eae047000
    #用来存放so代码的大小，尽量大一点。内存不值钱
    code_size=8*0x1000*0x1000
    #创建一块内存
    uc.mem_map(code_addr,code_size)
    #在上面那块内存后面继续划一片内存来当做栈空间
    stack_addr=code_addr+code_size
    stack_size=0x1000
    #栈顶的位置，这里是64位的，所以偏移8个字节
    stack_top=stack_addr+stack_size-0x8
    #申请一块栈空间
    uc.mem_map(stack_addr,stack_size)
    #栈空间往后继续划一块空间用来存放参数
    args_addr=stack_addr+stack_size
    args_size=0x1000
    uc.mem_map(args_addr, args_size)
    #设置每句汇编执行都会调用hook_code
    uc.hook_add(unicorn.UC_HOOK_CODE,hook_code)
    #读取so
    with open("./libnative-lib.so_0x7eae047000_0x38000.so","rb") as f:
        sodata=f.read()
        #给前面创建的空间写入so的数据
        uc.mem_write(code_addr,sodata)
        #要执行的代码开始位置
        start_addr=code_addr+0xFCB4
        #要执行的代码结束位置
        end_addr=code_addr+0xFF2C
        #随机生成一个入参
        input_str = ranstr(36)
        print("input:%s input_addr:0x%x" % (input_str,args_addr))
        input_byte=str.encode(input_str)
        #将生成的入参写入前面创建的内存空间
        uc.mem_write(args_addr,input_byte)
        #ida中看到的函数有参数1、2，然后分别对应X0和X1，写入对应数据，栈寄存器给一个栈顶的地址
        uc.reg_write(unicorn.arm64_const.UC_ARM64_REG_X0,args_addr)
        uc.reg_write(unicorn.arm64_const.UC_ARM64_REG_X1,len(input_str))
        uc.reg_write(unicorn.arm64_const.UC_ARM64_REG_SP,stack_top)
        #开始执行代码段
        uc.emu_start(start_addr,end_addr)
        #ida中看到返回值是直接写在入参中，所以结果我们直接从入参的内存中读取
        result=uc.mem_read(args_addr,args_size)
        print("result:",result.decode(encoding="utf-8"))
    #最后释放创建的内存
    uc.mem_unmap(args_addr, args_size)
    uc.mem_unmap(stack_addr,stack_size)
    uc.mem_unmap(code_addr,code_size)


# See PyCharm help at https://www.jetbrains.com/help/pycharm/

globalData.py

#上一次汇编指令
global pre_codestr
#上一次汇编的第一个寄存器名称
global pre_regname
#是否有记录上一次的数据
global has_pre
#监控的地址
global watch_addrs

参考

[原创]浅尝ollvm轻度混淆后的加密算法分析-Android安全-看雪-安全社区|安全招聘|kanxue.com

• 本文作者： Taardis
• 本文链接： https://taardisaa.github.io/2023/09/28/Android逆向解题-ollvm9/
• 版权声明： 本博客所有文章除特别声明外，均采用 Apache License 2.0 许可协议。转载请注明出处！