Android逆向解题-r2-pay

字数统计: 1k字   |   阅读时长≈ 5分

Android逆向解题-r2-pay

Android逆向解题-r2-pay

启动APP

Magisk下没Hide,无法启动APP。

Magisk+Shamiko黑名单模式,成功打开。

使用Frida

使用hluda-frida-server,里面的部分Anti-Frida失效。

但是基于遍历.plt来检查libc函数有没有被替换的方法还是有效。

Java层

主逻辑

获取输入:

1
2
3
4
5
6
7
8
9
10
11
12
13
/* renamed from: Φ */
public final boolean hasInput() {
    TextView tv_pincode = (TextView) findViewById(R.id.pincode);
    TextView tv_amount = (TextView) findViewById(R.id.amount);
    this.pincode = tv_pincode.getText().toString();
    this.amount = tv_amount.getText().toString();
    if (this.pincode.equals("") || this.amount.equals("")) {
        Toast.makeText(getApplicationContext(), "Enter PIN code/amount...", 0).show();
        return false;
    }
    return true;
}

看OnClick:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
    @Override // android.view.View.OnClickListener
    public void onClick(View v) {
        if (this.f510 != null) {
            TextView r2coin_token = (TextView) MainActivity.this.findViewById(R.id.r2coin_token);
            if (MainActivity.this.hasInput()) { // 有输入
                try {
                    if (MainActivity.this.pincode.length() == 4) { // pincode长度4
                        MainActivity.this.pincode = String.format("%08d", Integer.valueOf(Integer.parseInt(MainActivity.this.pincode)));
                        if (MainActivity.this.amount.length() <= 8) { // amount长度<=8
                            MainActivity.this.amount = String.format("%08d", Integer.valueOf(Integer.parseInt(MainActivity.this.amount)));
                            byte[] inBuff = (MainActivity.this.pincode + MainActivity.this.amount).getBytes(); // pincode与amount拼接;
                            C0282 rb = new C0282(MainActivity.this.getApplicationContext()); // 处理一些与input无关的东西
                            // 反root逻辑,发现root&frida就触发NullPointerException
                            if (rb.m1161() || (rb.m1154() && rb.m1149())) {
                                MainActivity mainActivity = MainActivity.this;
                                mainActivity.f508 = (byte) (mainActivity.f508 | 15);
                                NullPointerException np = new NullPointerException();
                                np.notify();
                            }
                            Toast.makeText(MainActivity.this.getApplicationContext(), "Tokenizing your r2coin...", 0).show();
                            MainActivity mainActivity2 = MainActivity.this;
                            byte[] out = mainActivity2.gXftm3iswpkVgBNDUp(inBuff, mainActivity2.f508); // 传入此Native方法,第二个参数即刚刚自动生成的
                            byte ret = out[0];
                            if (ret == 81) {
                                r2coin_token.setTextColor(-65536);
                            } else {
                                r2coin_token.setTextColor(Color.parseColor("#10b010"));
                            }
                            r2coin_token.setText("r2c-" + MainActivity.m313(out, 1));
                            return;
                        }
                        Toast.makeText(MainActivity.this.getApplicationContext(), "Enormous amount to tokenize r2coins.\nRadare2 is a non-profit organization :)", 0).show();
                        return;
                    }
                    Toast.makeText(MainActivity.this.getApplicationContext(), "PIN code must be 4 digits long...", 0).show();
                    return;
                } catch (Exception e) {
                    Toast.makeText(MainActivity.this.getApplicationContext(), "Enter PIN code/amount as numeric...", 0).show();
                    return;
                }
            }
            String empty = String.format("%032d", 0);
            r2coin_token.setTextColor(-65536);
            r2coin_token.setText("r2c-" + empty);
        }
    }
}

后面要分析Native层的这个函数:

1
byte[] out = mainActivity2.gXftm3iswpkVgBNDUp(inBuff, mainActivity2.f508);

反Root

下文会提到有利用rootbeer库进行Root检查。

Java层里找到与Native的接口:

1
com.scottyab.rootbeer.RootBeerNative

还有Java层的检测:

1
2
3
4
5
6
this.f508 = (byte) -16;
C0282 rb = new C0282(getApplicationContext());
if (rb.m1161() || (rb.m1154() && rb.m1149())) {
    int i = 1337 / 0;
    this.f508 = (byte) (this.f508 | 15);
}

检测到了之后直接触发除零异常。或者直接抛出零指针解引用异常。

1
2
3
4
5
6
if (rb.m1161() || (rb.m1154() && rb.m1149())) {
    MainActivity mainActivity = MainActivity.this;
    mainActivity.f508 = (byte) (mainActivity.f508 | 15);
    NullPointerException np = new NullPointerException();
    np.notify();
}

Native层

  • libnative-lib.so
  • libtool-checker.so

libtool-checker.so

据说是用于检查root的一个开源库。好久没更新了,应该已经能轻松被Shamiko什么的给隐藏了。

scottyab/rootbeer: Simple to use root checking Android library and sample app (github.com)

libnative-lib.so

.init_array

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
                AREA .init_array, DATA, ALIGN=3
                ; ORG 0x126510
off_126510      DCQ .datadiv_decode9958896245423089702
                                        ; DATA XREF: LOAD:0000000000000088↑o
                DCQ .datadiv_decode10476194973746341988
                DCQ .datadiv_decode16323044921667855934
                DCQ sub_9080
                DCQ sub_77D14
                DCQ .datadiv_decode667225052219618748
                DCQ .datadiv_decode8132880250332170398
                DCQ .datadiv_decode3655886617018729963
                DCQ .datadiv_decode16406252260792032531
                DCQ .datadiv_decode13403071575248320347
                DCQ .datadiv_decode10166339199708120759
                DCQ .datadiv_decode6947288239491606631
                DCQ .datadiv_decode5215956313839507400
                DCQ .datadiv_decode16453495577454072260
                DCQ .datadiv_decode2232395381979711881
                DCQ .datadiv_decode3616803099375592120
                DCQ .datadiv_decode7508704412880078
                DCQ .datadiv_decode12359889718277909110
                DCQ .datadiv_decode8308565232543059785
                DCQ .datadiv_decode975260073957391963
                DCQ .datadiv_decode6567607892789040118
                DCQ .datadiv_decode10503050159241603720
                DCQ .datadiv_decode13491924139369115351
                DCQ .datadiv_decode11181792546141608178
                DCQ .datadiv_decode12651890366787266446
                DCQ .datadiv_decode5272649409258256134
                DCQ .datadiv_decode752053037193189135
                DCQ .datadiv_decode13297804725009435460
                DCQ .datadiv_decode239540915534245188
                DCQ .datadiv_decode8547110498980466166
                DCQ .datadiv_decode6151823196074019122
                DCQ .datadiv_decode4504531045452394929
                DCQ .datadiv_decode1621324636918243993
                DCQ .datadiv_decode15592516946881525584
                DCQ .datadiv_decode14382234000100822947
                DCQ .datadiv_decode7455341735817662764
                DCQ .datadiv_decode15168536422250146368
                DCQ .datadiv_decode6536530729295341072
                DCQ .datadiv_decode639561915042256485
                DCQ .datadiv_decode5045724035189792921
                DCQ .datadiv_decode17696820355701169342
                DCQ .datadiv_decode9620666396990962329
                DCQ .datadiv_decode11748224875505877444
                DCQ .datadiv_decode9693683545841244528
                DCQ .datadiv_decode16543778404651046017
                DCQ .datadiv_decode6698795565486521597
                DCQ .datadiv_decode14387739441052794454
                DCQ .datadiv_decode11213906298653740213
                DCQ .datadiv_decode12260448681197876034
                DCQ .datadiv_decode7440279547223086508
                DCQ .datadiv_decode9484790509479134607
                DCQ .datadiv_decode6609269631691492050
                DCQ .datadiv_decode4393328444386904567
                DCQ .datadiv_decode9351257044845043754
                DCQ .datadiv_decode464262840231298202
                DCQ .datadiv_decode2648118127835277698
                DCQ .datadiv_decode8681122996902782405
                DCQ .datadiv_decode14435790530654225112
                DCQ .datadiv_decode720241107632547484
                DCQ .datadiv_decode16109906379254710117
                DCQ .datadiv_decode7170001898290407736
                DCQ .datadiv_decode12149441590494770451
                DCQ .datadiv_decode15199242840495013025
                DCQ .datadiv_decode15520866186809346521
                DCQ .datadiv_decode8268546904625234180
                DCQ .datadiv_decode9826852974723186241
                DCQ .datadiv_decode9551772232006384798
                DCQ .datadiv_decode9801937241736988485
                DCQ .datadiv_decode16241042334229008910
                DCQ .datadiv_decode173992666791762078
                DCQ .datadiv_decode5050384507563777111
                DCQ .datadiv_decode3049749356643735766
                DCQ .datadiv_decode13003153710004289592
                DCQ .datadiv_decode2917893963619239473
                DCQ .datadiv_decode5786363776426873742
                DCQ .datadiv_decode8662711382183408173
                DCQ .datadiv_decode3857881763333220492
                DCQ .datadiv_decode7825638197316578915
                DCQ .datadiv_decode8132339579652590454
                DCQ .datadiv_decode16045044825694845875
                DCQ .datadiv_decode10968474994545331874
                DCQ .datadiv_decode14089056693050574539
                DCQ .datadiv_decode17394135513596229048
                DCQ .datadiv_decode1737442580097016736
                DCQ .datadiv_decode4402359319743429837
                DCQ .datadiv_decode15592381772365124884
                DCQ .datadiv_decode4248615617351086760
                DCQ .datadiv_decode1500579605738673105
                DCQ .datadiv_decode13434060400201654084
                DCQ .datadiv_decode12289074223533035339
                DCQ .datadiv_decode13959962333764813579
; .init_array   ends

发现.datadiv的基本就是空函数,或者无非是用于解密常量数据的。

重点关注两个函数

1
2
DCQ sub_9080
DCQ sub_77D14

sub_9080(没分析)

严重混淆,平坦化+虚假控制流;无法反编译。

sub_77D14(没分析)

Frida脚本

由于Native层里面有反Frida逻辑,因此需要进行完整分析&Patch后才能运行。

Java层-反反Root(optional)

因为开了Shamiko,所以其实不用。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
// frida -U -l ./bypass-root.js --no-pause -f re.pwnme
Java.perform(function () {
  var RootCheck = Java.use('\u266b.\u1d64');

  RootCheck['₤'].implementation = function () {
    console.log("Skip root");
    return false;
  }

  RootCheck['θ'].overload().implementation = function () {
    console.log("Skip root");
    return false;
  }
})

Native层-

参考

r2-pay: anti-debug, anti-root & anti-frida (part 1) | Romain Thomas

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia-plus根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

A junior undergraduate
studying in the college of cyber science and engineering
in Sichuan University
in Sichuan , China.
Pronouns:He/him.
A core member of 0x401 CTF team
majorly focus on Reverse Engineering chanllenges.