Objective
I have been studying Dex unpacking recently and, along the way, refamiliarized myself with the standard Dex file format and the form a Dex takes once it has been parsed into memory. A while ago a net friend's app, after being shelled, would not run. So, to help a few friends, the final sample is a complete APK with every component type: Activity, Application, BroadcastReceiver, ContentProvider and Service.
0x1 Comparison before and after shelling
File list changes after hardening:
Added (one .so file and one jar package):
libbaiduprotect.so
baiduprotect.jar
Modified:
META-INF folder
AndroidManifest.xml
classes.dex
0x2 Trying IDA
Attaching with IDA's remote debugger, the program simply runs off. There seems to be anti-debugging.
In the Java layer at the shell's entry point, I found the following static block:
    static {
        if (!Debug.isDebuggerConnected()) {
            String v0 = Build.CPU_ABI;
            if ((v0 != null) && (v0.startsWith("x86"))) {
                StubApplication.loadX86Library();
                return;
            }
            System.loadLibrary("baiduprotect");
        }
    }
After deleting the first if, the program loaded libbaiduprotect.so successfully and entered the shell's native code, but I do not know whether the .so performs an integrity check or checks isDebuggerConnected again: every run entered an infinite loop and then the program ran off, and after many attempts I still could not escape the trap. This was quite frustrating. Since there is anti-debugging, and I remembered that 360's shell can also be removed very cleanly with dd, I tried a different approach.
0x3 The dd method
    dd if=/proc/PID/mem of=XX skip=0 ibs=1 count=LENGTH
(skip and count for the region of interest come from cat /proc/PID/maps)
1. First of all, thanks to Dr. Wbyang; the dd method was also learned from the last challenge. Run the program and dump its memory, which comes to more than 100 MB. Search for a few strings, then scroll up to find the head of the Dex file, and find that it has been erased.
The 8 bytes in the front red box are the ODEX magic; the 0x70 bytes that follow are the Dex header. Apart from some size fields and the encoding flag, which were not erased, the rest is unrecognizable. Repaired as follows:
This gets the Dex file out.
2. Decompile the Dex into Smali files
The following error occurred:
After repeated checks, I found that the errors come from the following offsets in the code_items:
The Dex file size is 0xA30DC, and these offsets point beyond it, so of course they cannot be parsed. Here I have a question: the third offset, 0x0220e8e8, points in front of the memory; how did that happen? Personally I think Baidu deliberately changed it to this value after loading. If I am wrong, I hope the seniors will correct me.
Setting the three offsets to 0 makes decompilation succeed, of course at the cost of the three missing data items. Find the erased DataItem addresses:
The region above the three zeroed entries is where the DEX code from before hardening is stored.
So, suppose we can reverse the data at these three points from the Dex structure and fill in the data that should be there; then we can get the shell off statically.
3. How to fix
For the 360 shell the data to be repaired is the class_data offset in the class_def. Baidu's is more troublesome: not only does the offset need repairing, the DataItem itself also has to be repaired, which is even harder.
The general repair principle is to export the method table and then fix the erased data in the Dex in order, as follows:
Reverse-compute the method's uleb128 index delta, the access_flags of the ordinary methods, and the offset that points to the method's code.
Fix as follows:
The repair process is cumbersome, and sometimes you need to try several times before you know what size a field should be, so call it a manual ("human flesh") repair.
After the fix, decompilation succeeds:
I found that the onCreate method had no code; on checking, a new discovery!
It turns out the insns[] of onCreate were wiped as well. This is the most basic unit, and my skill is too weak to reconstruct it.
In summary, Baidu's shell requires repairing the magic in the Dex header, the signature, the checksum, and various offsets. It also requires repairing the class_data offsets, as well as the class data itself and the opcodes. The first two can be fixed statically; the last can only be found by dynamic debugging. Baidu's shell adds an onCreate001 function that calls the shell's D method and E method; my guess is that D fills insns[] with decrypted data, and E is the cleaner that erases the correct data or replaces it with illegal data. At this point, tears. (I thought to myself: Baidu is really nasty...)
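The static part of that repair (header magic, sizes, endian tag, SHA-1 signature, Adler-32 checksum, offsets that point past the end of the file) and the uleb128-encoded method entries described under "How to fix" can be checked and rewritten with a script rather than by hand. The following Python is an added example and not code from this post; the layout it uses is the public Dex 035 format (version assumed), the sample buffer is constructed, and the value 0x0220e8e8 mentioned above is reused only as an example of an out-of-range offset.

```python
"""Dex header consistency check/repair and encoded_method (uleb128) helpers.
Added example for the post above; layout per the public Dex 035 format."""
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"   # Dex version 035 is assumed for the sample
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

# (name, byte offset) of the uint32 header fields that follow the signature
UINT_FIELDS = [
    ("file_size", 32), ("header_size", 36), ("endian_tag", 40),
    ("link_size", 44), ("link_off", 48), ("map_off", 52),
    ("string_ids_size", 56), ("string_ids_off", 60),
    ("type_ids_size", 64), ("type_ids_off", 68),
    ("proto_ids_size", 72), ("proto_ids_off", 76),
    ("field_ids_size", 80), ("field_ids_off", 84),
    ("method_ids_size", 88), ("method_ids_off", 92),
    ("class_defs_size", 96), ("class_defs_off", 100),
    ("data_size", 104), ("data_off", 108),
]


def parse_header(dex: bytes) -> dict:
    """Read the 0x70-byte header into a dict (little-endian)."""
    if len(dex) < HEADER_SIZE:
        raise ValueError("buffer shorter than a Dex header")
    hdr = {"magic": bytes(dex[0:8]),
           "checksum": struct.unpack_from("<I", dex, 8)[0],
           "signature": bytes(dex[12:32])}
    for name, off in UINT_FIELDS:
        hdr[name] = struct.unpack_from("<I", dex, off)[0]
    return hdr


def check_header(dex: bytes) -> list:
    """List the header fields that are inconsistent; an empty list means OK."""
    hdr = parse_header(dex)
    problems = []
    if hdr["magic"] != DEX_MAGIC:
        problems.append("magic")
    if hdr["checksum"] != (zlib.adler32(dex[12:]) & 0xFFFFFFFF):  # covers signature onward
        problems.append("checksum")
    if hdr["signature"] != hashlib.sha1(dex[32:]).digest():       # covers file_size onward
        problems.append("signature")
    if hdr["file_size"] != len(dex):
        problems.append("file_size")
    if hdr["header_size"] != HEADER_SIZE:
        problems.append("header_size")
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("endian_tag")
    # an *_off beyond the file size is exactly the symptom seen in the post
    for name, _ in UINT_FIELDS:
        if name.endswith("_off") and hdr[name] > len(dex):
            problems.append(name)
    return problems


def fix_header(dex: bytes) -> bytes:
    """Rewrite what can be fixed statically: magic, file_size, header_size,
    endian_tag, then the signature and finally the checksum (which covers it)."""
    buf = bytearray(dex)
    buf[0:8] = DEX_MAGIC
    struct.pack_into("<I", buf, 32, len(buf))
    struct.pack_into("<I", buf, 36, HEADER_SIZE)
    struct.pack_into("<I", buf, 40, ENDIAN_CONSTANT)
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


def encode_uleb128(value: int) -> bytes:
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)   # continuation bit set
        else:
            out.append(byte)
            return bytes(out)


def decode_uleb128(buf: bytes, off: int):
    """Return (value, offset just past the encoded number)."""
    result = shift = 0
    while True:
        byte = buf[off]
        off += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, off


def encode_methods(methods) -> bytes:
    """methods: [(method_idx, access_flags, code_off)] sorted by method_idx.
    Each entry is stored as uleb128 idx-delta, access_flags, code_off."""
    out, prev = bytearray(), 0
    for idx, flags, code_off in methods:
        out += encode_uleb128(idx - prev) + encode_uleb128(flags) + encode_uleb128(code_off)
        prev = idx
    return bytes(out)


def decode_methods(buf: bytes, off: int, count: int):
    """Inverse of encode_methods; returns (methods, offset after the last entry)."""
    methods, idx = [], 0
    for _ in range(count):
        diff, off = decode_uleb128(buf, off)
        flags, off = decode_uleb128(buf, off)
        code_off, off = decode_uleb128(buf, off)
        idx += diff
        methods.append((idx, flags, code_off))
    return methods, off


def build_erased_sample() -> bytes:
    """Constructed stand-in for a dumped Dex whose whole header was zeroed."""
    return bytes(HEADER_SIZE) + b"constructed-data-region"


def with_bad_offset(dex: bytes, name: str = "string_ids_off", value: int = 0x0220E8E8) -> bytes:
    """Constructed variant: plant an out-of-range offset, then re-sign so only it is wrong."""
    buf = bytearray(dex)
    struct.pack_into("<I", buf, dict(UINT_FIELDS)[name], value)
    return fix_header(bytes(buf))


if __name__ == "__main__":
    erased = build_erased_sample()
    print("erased header problems:", check_header(erased))
    print("after fix_header:", check_header(fix_header(erased)))
    print("planted bad offset:", check_header(with_bad_offset(fix_header(erased))))
```

Note the order inside fix_header: the SHA-1 signature is computed over everything after the signature field, and the Adler-32 checksum over everything after the checksum field, so the signature must be written before the checksum. The offset check only catches values past the end of the file; an erased offset that was overwritten with 0 still has to be recovered from the data region, as the post describes.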
Over the past few days I wrote this article over again and redid everything to dig out all the pieces; writing it took nearly three hours. Tired, sleep, no love... T T
My level is limited, so mistakes are inevitable; I hope everyone passing by will correct me.
2015.3.24 by Ericky
Copyright notice: this article is the blogger's original work; do not reproduce it without the blogger's permission.
A small attempt at unpacking Baidu's shell: manual ("human flesh") repair