0、前言#

创建一个简单的app，里面就是一个数据验证和一句话，然后360免费加固

学习参考来自SWDD大佬和oacia大佬

PKID看确实是360加固

app里的代码：

1
package com.example.learn;
2

3
import androidx.appcompat.app.AlertDialog;
4
import androidx.appcompat.app.AppCompatActivity;
5
import android.os.Bundle;
6
import android.view.View;
7
import android.widget.Button;
8
import android.widget.EditText;
9

10
public class MainActivity extends AppCompatActivity {
11

12
    @Override
13
    protected void onCreate(Bundle savedInstanceState) {
14
        super.onCreate(savedInstanceState);
15
        setContentView(R.layout.activity_main);
16

17
        EditText inputField = findViewById(R.id.inputField);
18
        Button checkButton = findViewById(R.id.checkButton);
19

20
        checkButton.setOnClickListener(new View.OnClickListener() {
21
            @Override
22
            public void onClick(View v) {
23
                String input = inputField.getText().toString().trim();
24

25
                if (input.equals("66")) {
26
                    showSuccessDialog();
27
                }
28
                // 其他输入不做任何反应
29
            }
30
        });
31
    }
32

33
    private void showSuccessDialog() {
34
        new AlertDialog.Builder(this)
35
                .setTitle("结果")
36
                .setMessage("success")
37
                .setPositiveButton("确定", null)
38
                .show();
39
    }
40
}

1
<?xml version="1.0" encoding="utf-8"?>
2
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
3
    xmlns:tools="http://schemas.android.com/tools"
4
    android:layout_width="match_parent"
5
    android:layout_height="match_parent"
6
    android:orientation="vertical"
7
    android:gravity="center"
8
    android:padding="16dp"
9
    tools:context=".MainActivity">
10

11
    <TextView
12
        android:layout_width="wrap_content"
13
        android:layout_height="wrap_content"
14
        android:text="study by sh4d0w"
15
        android:textSize="18sp"
16
        android:layout_marginBottom="20dp"/>
17

18
    <EditText
19
        android:id="@+id/inputField"
20
        android:layout_width="match_parent"
21
        android:layout_height="wrap_content"
22
        android:hint="请输入数字"
23
        android:inputType="number"/>
24

25
    <Button
26
        android:id="@+id/checkButton"
27
        android:layout_width="wrap_content"
28
        android:layout_height="wrap_content"
29
        android:text="验证"
30
        android:layout_marginTop="20dp"/>
31

32
</LinearLayout>

mt查看如下：

内容如上，输入66才有反应

1、初探#

放入jadx，把learn.so放入ida

java层是可以发现一些蛛丝马迹的，比如这里的libjiagu字符，这是360加固的标志性字符

native层倒是不能直接确定加壳方式

java层初步分析#

我们在资源目录下找到AndroidManifest.xml，从里面可以得知360加固的入口是com.stub.StubApp

因为com.stub.StubApp是第一个实例化的application，且StubApp的attachBaseContext方法是加固逻辑的第一个执行入口

我们在这个类中，不仅能看见attachBaseContext还能找到onCreate

Application 的 onCreate 和 attachBaseContext 是 Application 的两个回调方法，通常我们会在其中做一些初始化操作， attachBaseContext 在 onCreate 之前执行

分析attachBaseContext，中间的内容明显是被加密了的，我们查看a方法

可以发现其实就是异或16的操作，写脚本解密过后注释上去

在 Android 9.0 (API 28) 中，Google 限制了非 SDK 接口的访问。这段代码通过反射绕过该限制，确保加固框架能够正常调用系统隐藏 API
mHiddenApiWarningShown字段控制隐藏 API 警告的显示，设置为true可避免触发警告

下面这些内容就是它会判断手机的架构，针对不同的架构加载不同的Native文件

再往下可以找到DtcLoader初始化的操作，jadx貌似反编译不出来，我们使用jeb

可以发现它调用了native层的jgdtc.so，当DtcLoader被加载到jvm时，会调用这个so文件，但是我们跟着路径去寻找是找不到这个文件的（看其他文章都略过了，应该不重要。。。）

我们要分析的是libjiagu.so，这个 so 在 assets 目录下

壳elf导入导出表修复#

选取libjiagu_a64.so分析，可以发现它导入表导出表都没有内容的，我们需要去修复

先去看看dlopen调用了哪些so文件

1
function hookTest1() {
2
    Interceptor.attach(Module.findExportByName("libdl.so", "android_dlopen_ext"), {
3
        onEnter: function (args) {
4
            console.log("Load -> ", args[0].readCString());
5
        }, onLeave: function () {
6

7
        }
8
    })
9
}
10

11
function main() {
12
    Java.perform(function () {
13
        hookTest1();
14
    });
15
}
16
setImmediate(main);

这也是我们要分析的so，需要把libjiagu_64.sodump下来

1
function hookTest1() {
2
    var libSo = Process.getModuleByName("libjiagu_64.so");
3
    console.log("[+]base: ", libSo.base);
4
    console.log("[+]size: ", ptr(libSo.size));
5
    var save_path = "/data/data/com.example.learn/" + libSo.name + "_Dump";
6
    var handle = new File(save_path, "wb");
7
    Memory.protect(ptr(libSo.base), libSo.size, 'rwx');
8
    var Buffer = libSo.base.readByteArray(libSo.size);
9
    handle.write(Buffer);
10
    handle.flush();
11
    handle.close();
12
    console.log("[+]path: ", save_path);
13
}
14

15
function main() {
16
    Java.perform(function () {
17
        hookTest1();
18
    });
19
}
20
setImmediate(main);
21

22
// [+]base:  0x7250470000
23
// [+]size:  0x27a000
24
// [+]path:  /data/data/com.example.learn/libjiagu_64.so_Dump

然后使用Sofixer工具去修复elf

命令如下./SoFixer-macOS-64 -s /Users/lanzhiqiang/Desktop/360test/protect/assets/libjiagu_64.so_Dump -o /Users/lanzhiqiang/Desktop/360test/protect/assets/libjiagu_fix.so -m 0x7250470000 -d

壳elf分析#

虽然有了导入表和导出表，但是我们还是需要想办法跟踪逻辑找关键函数，那我们就可以hook open函数来看看打开了哪些

1
function hookOpen() {
2
    var openPtr = Module.getExportByName(null, 'open');
3
    console.log("[*]hook open");
4
    Interceptor.attach(openPtr,{
5
        onEnter: function (args) {
6
            this.filename = args[0];
7
            console.log("[+]open: ", this.filename.readCString());
8
        }, onLeave: function (retval) {
9

10
        }
11
    })
12
}
13
function hook_dlopne() {
14
    Interceptor.attach(Module.findExportByName("libdl.so", "android_dlopen_ext"), {
15
        onEnter: function (args) {
16
            var loadFileName = args[0].readCString();
17
            if (loadFileName.indexOf('libjiagu') != -1) {
18
                this.is_can_hook = true;
19
            }
20
        }, onLeave: function () {
21
            if (this.is_can_hook) {
22
                hookOpen();
23
            }
24
        }
25
    })
26
}
27

28
function main() {
29
    Java.perform(function () {
30
        hook_dlopne();
31
    });
32
}
33
setImmediate(main);

这里可以注意到反复调用了/proc/self/maps，这就是典型的内存映射检测反frida，因为frida使用时会在内存中注入frida-agent.so文件

绕过方式呢也不难，即然它检测的这个maps，那我们就手动调用open函数，在其调用maps时重定向至其他自定义maps即可

比如我在data/data/com.example.learn/下新建了一个maps空文件

然后用如下脚本去看看是否成功 and 调用了哪些dex

1
function hookOpen() {
2
    var FakeMaps = "/data/data/com.example.learn/maps";
3
    var openPtr = Module.getExportByName(null, 'open');
4
    console.log("[*] Replacing open function");
5

6
    // 获取原始open函数
7
    var originalOpen = new NativeFunction(openPtr,'int',['pointer', 'int']);
8

9
    // 替换open函数
10
    Interceptor.replace(openPtr, new NativeCallback(function(fileNamePtr, flags) {
11
        var fileName = fileNamePtr.readCString();
12
        if (fileName.indexOf("maps") >= 0) {
13
            console.warn("[-] Intercepted read of maps file");
14
            var fakeFilename = Memory.allocUtf8String(FakeMaps);
15
            return originalOpen(fakeFilename, flags);
16
        }
17
        if (fileName.indexOf('dex') != -1) {
18
            console.log("[+] Opening dex:", fileName);
19
        }
20
        // 其他情况调用原始函数
21
        return originalOpen(fileNamePtr, flags);
22
    }, 'int', ['pointer', 'int']));
23
}
24

25
function hook_dlopne() {
26
    Interceptor.attach(Module.findExportByName("libdl.so", "android_dlopen_ext"), {
27
        onEnter: function(args) {
28
            var loadFileName = args[0].readCString();
29
            if (loadFileName.indexOf('libjiagu') != -1) {
30
                this.is_can_hook = true;
31
            }
32
        },
33
        onLeave: function() {
34
            if (this.is_can_hook) {
35
                hookOpen();
36
            }
37
        }
38
    });
39
}
40

41
function main() {
42
    Java.perform(function() {
43
        hook_dlopne();
44
    });
45
}
46

47
setImmediate(main);

通过返回结果，即可以确定是调用maps去隐藏内存映射，也发现打开了三个dex文件

那么我们就要去追踪这些dex文件的调用情况，即追踪调用栈

我们在上一份代码中加一些内容即可

1
function hookOpen() {
2
    var FakeMaps = "/data/data/com.example.learn/maps";
3
    var openPtr = Module.getExportByName(null, 'open');
4
    console.log("[*] Replacing open function");
5

6
    // 获取原始open函数
7
    var originalOpen = new NativeFunction(openPtr, 'int', ['pointer', 'int']);
8

9
    // 替换open函数
10
    Interceptor.replace(openPtr, new NativeCallback(function (fileNamePtr, flags) {
11
        var fileName = fileNamePtr.readCString();
12
        if (fileName.indexOf("maps") >= 0) {
13
            console.warn("[-] Intercepted read of maps file");
14
            var fakeFilename = Memory.allocUtf8String(FakeMaps);
15
            return originalOpen(fakeFilename, flags);
16
        }
17
        if (fileName.indexOf('dex') != -1) {
18
            console.log("[+] Opening dex:", fileName);
19
            Thread.backtrace(this.context, Backtracer.FUZZY).map(addr_in_so);
20
        }
21
        // 其他情况调用原始函数
22
        return originalOpen(fileNamePtr, flags);
23
    }, 'int', ['pointer', 'int']));
24
}
25

26
function hook_dlopne() {
27
    Interceptor.attach(Module.findExportByName("libdl.so", "android_dlopen_ext"), {
28
        onEnter: function (args) {
29
            var loadFileName = args[0].readCString();
30
            if (loadFileName.indexOf('libjiagu') != -1) {
31
                this.is_can_hook = true;
32
            }
33
        },
34
        onLeave: function () {
35
            if (this.is_can_hook) {
36
                hookOpen();
37
            }
38
        }
39
    });
40
}
41

42
function addr_in_so(addr){
43
    var process_Obj_Module_Arr = Process.enumerateModules();
44
    for(var i = 0; i < process_Obj_Module_Arr.length; i++) {
45
        if(addr>process_Obj_Module_Arr[i].base && addr<process_Obj_Module_Arr[i].base.add(process_Obj_Module_Arr[i].size)){
46
            console.log(addr.toString(16),"is in",process_Obj_Module_Arr[i].name,"offset: 0x"+(addr-process_Obj_Module_Arr[i].base).toString(16));
47
        }
48
    }
49
}
50

51
function main() {
52
    Java.perform(function () {
53
        hook_dlopne();
54
    });
55
}
56

57
setImmediate(main);
58

59
// Backtracer.FUZZY找模糊调用栈，Backtracer.ACCURATE找精确调用栈

这里不管是精确还是模糊，都能看出三个dex文件的调用栈基本一致

根据偏移，我们去ida里寻找

填充的一堆数据，目前也不知道有啥用，往下继续翻到

发现被调用了，查看是sub_8510函数

这里的内容像是so的加载器，这时候是得猜测是自定义linker实现加固so

此时可以hookdlopen验证猜想

1
function hookTest1() {
2
    Interceptor.attach(Module.findExportByName("libdl.so", "android_dlopen_ext"), {
3
        onEnter: function (args) {
4
            console.log("[-]android_dlopen_ext -> ", args[0].readCString());
5
        }, onLeave: function () {
6

7
        }
8
    })
9
}
10

11
function hookTest2(){
12
    Interceptor.attach(Module.findExportByName("libdl.so", "dlopen"), {
13
        onEnter: function (args) {
14
            console.log("[+]dlopen -> ", args[0].readCString());
15
        }, onLeave: function () {
16

17
        }
18
    })
19
}
20

21
function main() {
22
    Java.perform(function () {
23
        hookTest1();
24
        hookTest2();
25
    });
26
}
27
setImmediate(main);

1
[Pixel 3::com.example.learn ]-> [-]android_dlopen_ext ->  /data/data/com.example.learn/.jiagu/libjiagu_64.so
2
[+]dlopen ->  liblog.so
3
[+]dlopen ->  libz.so
4
[+]dlopen ->  libc.so
5
[+]dlopen ->  libm.so
6
[+]dlopen ->  libstdc++.so
7
[+]dlopen ->  libdl.so
8
[+]dlopen ->  libjiagu_64.so
9
[+]dlopen ->  libjiagu_64.so
10
[+]dlopen ->  libart.so
11
[+]dlopen ->  libjiagu_64.so
12
[+]dlopen ->  libjiagu_64.so
13
[+]dlopen ->  libjiagu_64.so
14
[+]dlopen ->  libjiagu_64.so
15
[+]dlopen ->  libjiagu_64.so
16
[+]dlopen ->  libjiagu_64.so
17
[-]android_dlopen_ext ->  libjgdtc.so
18
[-]android_dlopen_ext ->  /data/app/~~ngtLehdiUPtT0kijbL8dtg==/com.example.learn-82fYzt_aqOJ6-F_XHYtjlg==/lib/arm64/libjgdtc.so
19
[+]dlopen ->  libandroid.so
20
[-]android_dlopen_ext ->  /vendor/lib64/hw/gralloc.sdm845.so
21
[+]dlopen ->  libEGL_adreno.so
22
[-]android_dlopen_ext ->  /vendor/lib64/hw/android.hardware.graphics.mapper@2.0-impl-qti-display.so
23
[+]dlopen ->  libandroid.so

明显重复多次调用libjiagu_64.so，标准调用一般是不会重复调用的
- 每次加载时解密不同部分的代码，防止一次性获取完整逻辑
加固后的库被存储在应用私有目录的隐藏文件夹（.jiagu）中

这些信息可以确定它是自定义linker

我们在010中对libjiagu_64.so(壳elf)分析可以找到一个新的elf文件，这里大概率就是上面在ida中找到的自定义linker实现加固so后的so文件

我们需要想办法把它dump下来

1
with open('/Users/lanzhiqiang/Desktop/360test/protect/assets/libjiagu_fix.so','rb') as f:
2
    s=f.read()
3
with open('/Users/lanzhiqiang/Desktop/360test/protect/assets/main.so','wb') as f:
4
    f.write(s[0xe7000::])

然后我们这里dump出来的main.so就是主elf了

主elf分析#

其实是可以看出elf的program header table是被加密了的，ida也无法分析

那我们就需要想办法解密主elf了

壳 elf 在代码中自己实现了解析 ELF 文件的函数，并将解析结果赋值到 soinfo 结构体中，随后调用 dlopen 进行手动加载

soinfo 是 Android 系统中用于表示和管理动态链接库 (Shared Object, SO) 的核心结构体，全称为 “Shared Object Information”。它位于 Bionic C 库 (bionic/libc/include/bits/soinfo.h) 中，是动态链接器 (Linker) 的核心数据结构之一

在ida中对dlopen进行交叉引用，查看调用

这个函数的内容和AOSP里的linker.cpp源码很像，如下 d12d28ae89f336a9c0701a5ea76cc050_720

7a24659789ac95d907a3e77fcc63e7e8_720

这里基本就是自定义linker实现的预链接函数了，我们需要导入soinfo结构体

在 ida 中依次点击 View->Open subviews->Local Types , 然后按下键盘上的 Insert 将下面的结构体添加到对话框中

1
//IMPORTANT
2
//ELF64 启用该宏
3
#define __LP64__  1
4
//ELF32 启用该宏
5
//#define __work_around_b_24465209__  1
6

7
/*
8
//https://android.googlesource.com/platform/bionic/+/master/linker/Android.bp
9
架构为 32 位 定义__work_around_b_24465209__宏
10
arch: {
11
        arm: {cflags: ["-D__work_around_b_24465209__"],},
12
        x86: {cflags: ["-D__work_around_b_24465209__"],},
13
    }
14
*/
15

16
//android-platform\bionic\libc\include\link.h
17
#if defined(__LP64__)
18
#define ElfW(type) Elf64_ ## type
19
#else
20
#define ElfW(type) Elf32_ ## type
21
#endif
22

23
//android-platform\bionic\linker\linker_common_types.h
24
// Android uses RELA for LP64.
25
#if defined(__LP64__)
26
#define USE_RELA 1
27
#endif
28

29
//android-platform\bionic\libc\kernel\uapi\asm-generic\int-ll64.h
30
//__signed__-->signed
31
typedef signed char __s8;
32
typedef unsigned char __u8;
33
typedef signed short __s16;
34
typedef unsigned short __u16;
35
typedef signed int __s32;
36
typedef unsigned int __u32;
37
typedef signed long long __s64;
38
typedef unsigned long long __u64;
39

40
//A12-src\msm-google\include\uapi\linux\elf.h
41
/* 32-bit ELF base types. */
42
typedef __u32  Elf32_Addr;
43
typedef __u16  Elf32_Half;
44
typedef __u32  Elf32_Off;
45
typedef __s32  Elf32_Sword;
46
typedef __u32  Elf32_Word;
47

48
/* 64-bit ELF base types. */
49
typedef __u64  Elf64_Addr;
50
typedef __u16  Elf64_Half;
51
typedef __s16  Elf64_SHalf;
52
typedef __u64  Elf64_Off;
53
typedef __s32  Elf64_Sword;
54
typedef __u32  Elf64_Word;
55
typedef __u64  Elf64_Xword;
56
typedef __s64  Elf64_Sxword;
57

58
typedef struct dynamic{
59
  Elf32_Sword d_tag;
60
  union{
61
    Elf32_Sword  d_val;
62
    Elf32_Addr  d_ptr;
63
  } d_un;
64
} Elf32_Dyn;
65

66
typedef struct {
67
  Elf64_Sxword d_tag;    /* entry tag value */
68
  union {
69
    Elf64_Xword d_val;
70
    Elf64_Addr d_ptr;
71
  } d_un;
72
} Elf64_Dyn;
73

74
typedef struct elf32_rel {
75
  Elf32_Addr  r_offset;
76
  Elf32_Word  r_info;
77
} Elf32_Rel;
78

79
typedef struct elf64_rel {
80
  Elf64_Addr r_offset;  /* Location at which to apply the action */
81
  Elf64_Xword r_info;  /* index and type of relocation */
82
} Elf64_Rel;
83

84
typedef struct elf32_rela{
85
  Elf32_Addr  r_offset;
86
  Elf32_Word  r_info;
87
  Elf32_Sword  r_addend;
88
} Elf32_Rela;
89

90
typedef struct elf64_rela {
91
  Elf64_Addr r_offset;  /* Location at which to apply the action */
92
  Elf64_Xword r_info;  /* index and type of relocation */
93
  Elf64_Sxword r_addend;  /* Constant addend used to compute value */
94
} Elf64_Rela;
95

96
typedef struct elf32_sym{
97
  Elf32_Word  st_name;
98
  Elf32_Addr  st_value;
99
  Elf32_Word  st_size;
100
  unsigned char  st_info;
101
  unsigned char  st_other;
102
  Elf32_Half  st_shndx;
103
} Elf32_Sym;
104

105
typedef struct elf64_sym {
106
  Elf64_Word st_name;    /* Symbol name, index in string tbl */
107
  unsigned char  st_info;  /* Type and binding attributes */
108
  unsigned char  st_other;  /* No defined meaning, 0 */
109
  Elf64_Half st_shndx;    /* Associated section index */
110
  Elf64_Addr st_value;    /* Value of the symbol */
111
  Elf64_Xword st_size;    /* Associated symbol size */
112
} Elf64_Sym;
113

114

115
#define EI_NIDENT  16
116

117
typedef struct elf32_hdr{
118
  unsigned char  e_ident[EI_NIDENT];
119
  Elf32_Half  e_type;
120
  Elf32_Half  e_machine;
121
  Elf32_Word  e_version;
122
  Elf32_Addr  e_entry;  /* Entry point */
123
  Elf32_Off  e_phoff;
124
  Elf32_Off  e_shoff;
125
  Elf32_Word  e_flags;
126
  Elf32_Half  e_ehsize;
127
  Elf32_Half  e_phentsize;
128
  Elf32_Half  e_phnum;
129
  Elf32_Half  e_shentsize;
130
  Elf32_Half  e_shnum;
131
  Elf32_Half  e_shstrndx;
132
} Elf32_Ehdr;
133

134
typedef struct elf64_hdr {
135
  unsigned char  e_ident[EI_NIDENT];  /* ELF "magic number" */
136
  Elf64_Half e_type;
137
  Elf64_Half e_machine;
138
  Elf64_Word e_version;
139
  Elf64_Addr e_entry;    /* Entry point virtual address */
140
  Elf64_Off e_phoff;    /* Program header table file offset */
141
  Elf64_Off e_shoff;    /* Section header table file offset */
142
  Elf64_Word e_flags;
143
  Elf64_Half e_ehsize;
144
  Elf64_Half e_phentsize;
145
  Elf64_Half e_phnum;
146
  Elf64_Half e_shentsize;
147
  Elf64_Half e_shnum;
148
  Elf64_Half e_shstrndx;
149
} Elf64_Ehdr;
150

151
/* These constants define the permissions on sections in the program
152
   header, p_flags. */
153
#define PF_R    0x4
154
#define PF_W    0x2
155
#define PF_X    0x1
156

157
typedef struct elf32_phdr{
158
  Elf32_Word  p_type;
159
  Elf32_Off  p_offset;
160
  Elf32_Addr  p_vaddr;
161
  Elf32_Addr  p_paddr;
162
  Elf32_Word  p_filesz;
163
  Elf32_Word  p_memsz;
164
  Elf32_Word  p_flags;
165
  Elf32_Word  p_align;
166
} Elf32_Phdr;
167

168
typedef struct elf64_phdr {
169
  Elf64_Word p_type;
170
  Elf64_Word p_flags;
171
  Elf64_Off p_offset;    /* Segment file offset */
172
  Elf64_Addr p_vaddr;    /* Segment virtual address */
173
  Elf64_Addr p_paddr;    /* Segment physical address */
174
  Elf64_Xword p_filesz;    /* Segment size in file */
175
  Elf64_Xword p_memsz;    /* Segment size in memory */
176
  Elf64_Xword p_align;    /* Segment alignment, file & memory */
177
} Elf64_Phdr;
178

179
typedef struct elf32_shdr {
180
  Elf32_Word  sh_name;
181
  Elf32_Word  sh_type;
182
  Elf32_Word  sh_flags;
183
  Elf32_Addr  sh_addr;
184
  Elf32_Off  sh_offset;
185
  Elf32_Word  sh_size;
186
  Elf32_Word  sh_link;
187
  Elf32_Word  sh_info;
188
  Elf32_Word  sh_addralign;
189
  Elf32_Word  sh_entsize;
190
} Elf32_Shdr;
191

192
typedef struct elf64_shdr {
193
  Elf64_Word sh_name;    /* Section name, index in string tbl */
194
  Elf64_Word sh_type;    /* Type of section */
195
  Elf64_Xword sh_flags;    /* Miscellaneous section attributes */
196
  Elf64_Addr sh_addr;    /* Section virtual addr at execution */
197
  Elf64_Off sh_offset;    /* Section file offset */
198
  Elf64_Xword sh_size;    /* Size of section in bytes */
199
  Elf64_Word sh_link;    /* Index of another section */
200
  Elf64_Word sh_info;    /* Additional section information */
201
  Elf64_Xword sh_addralign;  /* Section alignment */
202
  Elf64_Xword sh_entsize;  /* Entry size if section holds table */
203
} Elf64_Shdr;
204

205

206
//android-platform\bionic\linker\linker_soinfo.h
207
typedef void (*linker_dtor_function_t)();
208
typedef void (*linker_ctor_function_t)(int, char**, char**);
209

210
#if defined(__work_around_b_24465209__)
211
#define SOINFO_NAME_LEN 128
212
#endif
213

214
struct soinfo {
215
#if defined(__work_around_b_24465209__)
216
  char old_name_[SOINFO_NAME_LEN];
217
#endif
218
  const ElfW(Phdr)* phdr;
219
  size_t phnum;
220
#if defined(__work_around_b_24465209__)
221
  ElfW(Addr) unused0; // DO NOT USE, maintained for compatibility.
222
#endif
223
  ElfW(Addr) base;
224
  size_t size;
225

226
#if defined(__work_around_b_24465209__)
227
  uint32_t unused1;  // DO NOT USE, maintained for compatibility.
228
#endif
229

230
  ElfW(Dyn)* dynamic;
231

232
#if defined(__work_around_b_24465209__)
233
  uint32_t unused2; // DO NOT USE, maintained for compatibility
234
  uint32_t unused3; // DO NOT USE, maintained for compatibility
235
#endif
236

237
  soinfo* next;
238
  uint32_t flags_;
239

240
  const char* strtab_;
241
  ElfW(Sym)* symtab_;
242

243
  size_t nbucket_;
244
  size_t nchain_;
245
  uint32_t* bucket_;
246
  uint32_t* chain_;
247

248
#if !defined(__LP64__)
249
  ElfW(Addr)** unused4; // DO NOT USE, maintained for compatibility
250
#endif
251

252
#if defined(USE_RELA)
253
  ElfW(Rela)* plt_rela_;
254
  size_t plt_rela_count_;
255

256
  ElfW(Rela)* rela_;
257
  size_t rela_count_;
258
#else
259
  ElfW(Rel)* plt_rel_;
260
  size_t plt_rel_count_;
261

262
  ElfW(Rel)* rel_;
263
  size_t rel_count_;
264
#endif
265

266
  linker_ctor_function_t* preinit_array_;
267
  size_t preinit_array_count_;
268

269
  linker_ctor_function_t* init_array_;
270
  size_t init_array_count_;
271
  linker_dtor_function_t* fini_array_;
272
  size_t fini_array_count_;
273

274
  linker_ctor_function_t init_func_;
275
  linker_dtor_function_t fini_func_;
276

277
/*
278
#if defined (__arm__)
279
  // ARM EABI section used for stack unwinding.
280
  uint32_t* ARM_exidx;
281
  size_t ARM_exidx_count;
282
#endif
283
  size_t ref_count_;
284
// 怎么找不 link_map 这个类型的声明...
285
  link_map link_map_head;
286

287
  bool constructors_called;
288

289
  // When you read a virtual address from the ELF file, add this
290
  //value to get the corresponding address in the process' address space.
291
  ElfW (Addr) load_bias;
292

293
#if !defined (__LP64__)
294
  bool has_text_relocations;
295
#endif
296
  bool has_DT_SYMBOLIC;
297
*/
298
};

导入后，在ida中sub_8510函数的a1进行类型声明soinfo* a1

但是我们观察一下可以发现，其实360加固里的soinfo是被魔改了的，比如上图中框起来的部分，没有完全修复

向上找调用关系，去看怎么魔改的

在源码中也可以找到类似的地方 74b53eda8b7930aa01e4fc9ed3f04c44

所以可以直接说sub_4C7C是register_soinfo_tls函数，往里面找到

这里的0x38，我们在010里看对应关系 108f62d9877e6831bfe114e888618c91_720

恰好程序头大小也是0x38，那么这个方法肯定就是在加载程序头了

其他的比较乱，我们去找程序执行流，再通过上面发现的内容去推

推荐oacia大佬的工具https://github.com/oacia/stalker_trace_so

1
[Pixel 3::com.example.learn ]-> start Stalker!
2
Stalker end!
3
call1:JNI_OnLoad
4
call2:j_interpreter_wrap_int64_t
5
call3:interpreter_wrap_int64_t
6
call4:_Znwm
7
call5:sub_13F10
8
call6:_Znam
9
call7:sub_11838
10
call8:memset
11
call9:sub_A534
12
call10:sub_E9F8
13
call11:calloc
14
call12:malloc
15
call13:free
16
call14:sub_EC60
17
call15:_ZdaPv
18
call16:sub_CF64
19
call17:sub_D41C
20
call18:sub_A0E4
21
call19:sub_A0C0
22
call20:sub_D58C
23
call21:sub_D150
24
call22:sub_A220
25
call23:sub_16200
26
call24:sub_16978
27
call25:sub_16A44
28
call26:sub_16578
29
call27:sub_17238
30
call28:sub_165F8
31
call29:sub_162D4
32
call30:sub_16240
33
call31:sub_A05C
34
call32:sub_D474
35
call33:sub_D670
36
call34:sub_D3BC
37
call35:sub_99F8
38
call36:dladdr
39
call37:strstr
40
call38:setenv
41
call39:_Z9__arm_a_1P7_JavaVMP7_JNIEnvPvRi
42
call40:sub_A5B4
43
call41:sub_A0F8
44
call42:sub_10F7C
45
call43:j__ZdlPv_1
46
call44:_ZdlPv
47
call45:sub_9E3C
48
call46:sub_8510
49
call47:__strncpy_chk2
50
call48:sub_62DC
51
call49:sub_6740
52
call50:sub_4EB0
53
call51:sub_6324
54
call52:_ZN9__arm_c_19__arm_c_0Ev
55
call53:sub_AB0C
56
call54:sub_A128
57
call55:sub_A0A0
58
call56:sub_D808
59
call57:sub_6680
60
call58:sub_678C
61
call59:memcpy
62
call60:sub_6894
63
call61:sub_6184
64
call62:j__ZdlPv_3
65
call63:j__ZdlPv_2
66
call64:j__ZdlPv_0
67
call65:sub_AAC0
68
call66:sub_A1EC
69
call67:sub_61DC
70
call68:sub_6234 <- rc4_enc
71
call69:sub_A73C
72
call70:sub_312C
73
call71:sub_399C
74
call72:sub_380C <- uncompress
75
call73:inflateInit_
76
call74:inflate
77
call75:inflateEnd
78
call76:sub_D4D8
79
call77:sub_4D48
80
call78:sub_5544
81
call79:sub_55BC
82
call80:sub_5C4C
83
call81:sub_5794
84
call82:sub_5950
85
call83:mprotect
86
call84:__strlen_chk
87
call85:strncpy
88
call86:sub_3FAC <- preLinker_image
89
call87:dlopen
90
call88:sub_4C7C
91
call89:sub_4364
92
call90:sub_4518
93
call91:sub_3188
94
call92:dlsym
95
call93:strcmp
96
call94:sub_5FB0
97
call95:sub_5588
98
call96:sub_6538
99
call97:sub_8648
100
call98:sub_4FCC
101
call99:sub_8774
102
call100:sub_9068
103
call101:sub_93F8
104
call102:sub_8948
105
call103:interpreter_wrap_int64_t_bridge
106
call104:sub_A4BC
107
call105:sub_164F0
108
call106:puts
109
call107:_Z9__arm_a_2PcmS_Rii
110
[Pixel 3::com.example.learn ]-> Process crashed: Bad access due to invalid address

prelink_image <- sub_4D48 <- sub_4EB0

这是我们在ida里交叉引用的结果，再接下来sub_4EB0 可能被 sub_8510 或 sub_918C 调用，我们看上面的程序流程，可以确定是sub_8510

这个函数并不陌生，我们在分析壳elf时就曾找到过这个函数(世界线收束)

跟着函数调用链一处一处的在 IDA 中跳转到相应的地址进行查看，只用关注这两个函数之间的内容

1
call46:sub_8510
2
call47:__strncpy_chk2
3
call48:sub_62DC
4
call49:sub_6740
5
call50:sub_4EB0
6
call51:sub_6324
7
call52:_ZN9__arm_c_19__arm_c_0Ev
8
call53:sub_AB0C
9
call54:sub_A128
10
call55:sub_A0A0
11
call56:sub_D808
12
call57:sub_6680
13
call58:sub_678C
14
call59:memcpy
15
call60:sub_6894
16
call61:sub_6184
17
call62:j__ZdlPv_3
18
call63:j__ZdlPv_2
19
call64:j__ZdlPv_0
20
call65:sub_AAC0
21
call66:sub_A1EC
22
call67:sub_61DC
23
call68:sub_6234
24
call69:sub_A73C
25
call70:sub_312C
26
call71:sub_399C
27
call72:sub_380C
28
call73:inflateInit_
29
call74:inflate
30
call75:inflateEnd
31
call76:sub_D4D8
32
call77:sub_4D48
33
call78:sub_5544
34
call79:sub_55BC
35
call80:sub_5C4C
36
call81:sub_5794
37
call82:sub_5950
38
call83:mprotect
39
call84:__strlen_chk
40
call85:strncpy
41
call86:sub_3FAC

然后我们找到了rc4的函数sub_6234 # rc4_enc

找到了rc4的加密部分，还要找初始化部分，对其交叉引用

这里没有被识别，按P创建函数

果然是rc4的init函数，基于对rc4加密的理解，可以确定result就是key，也就是args[0]，把它hook出来

1
function hookRc4() {
2
    var module = Process.findModuleByName("libjiagu_64.so");
3
    Interceptor.attach(module.base.add(0x6064), {
4
        onEnter(args) {
5
            console.log("[+]hooked\n",hexdump(args[0], {length: 0x10, header: true,  ansi: true}));
6
        },
7
        onLeave(reval) {
8
        }
9
    });
10
}
11

12
function hook_dlopen() {
13
    Interceptor.attach(Module.findExportByName("libdl.so", "android_dlopen_ext"), {
14
        onEnter: function (args) {
15
            var loadFileName = args[0].readCString();
16
            if (loadFileName.indexOf('libjiagu') != -1) {
17
                this.is_can_hook = true;
18
            }
19
        }, onLeave: function () {
20
            if (this.is_can_hook) {
21
                hookRc4();
22
            }
23
        }
24
    })
25
}
26

27
function main() {
28
    Java.perform(function () {
29
        hook_dlopen();
30
    });
31
}
32
setImmediate(main);

1
[Pixel 3::com.example.learn ]-> [+]hooked
2
              0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
3
74aa7f0630  76 56 57 34 23 91 23 53 56 74 00 00 00 00 00 00  vVW4#.#SVt......
4

5
那么rc4的key就是 key = "vVW4#.#SVt" 了

刚刚对rc4_enc还原中也可以发现rc4是魔改了的，也hook rc4_enc的传入传出参数看看

1
function hookRc4Enc() {
2
    var module = Process.findModuleByName("libjiagu_64.so");
3
    Interceptor.attach(module.base.add(0x6234), {
4
        onEnter: function (args) {
5
            console.log("[+]hook args[0]");
6
            console.log(hexdump(args[0], { offset: 0, length: 0x30, header: true, ansi: true }));
7
            console.log("[+]hook args[1]");
8
            console.log(args[1]);
9

10
            // 将输入缓冲区保存到this对象，使其在onLeave中可用
11
            this.inputBuffer = args[0];
12
        },
13
        onLeave: function (ret) {
14
            // 从this对象获取保存的输入缓冲区
15
            var inputBuffer = this.inputBuffer;
16
            console.log("[+]hooked return value");
17
            console.log(hexdump(inputBuffer, { offset: 0, length: 0x30, header: true, ansi: true }));
18
        }
19
    });
20
}

我们发现传入的第一个参数是sub_8510的v3[0]，也就是qword_3E260数组，第二个参数是sub_8510的v3[1]

而这这个数组的数据就是壳elf填充的，我们解密这一段即可

刚刚分析过程中，知道rc4_enc是魔改过的，且sbox本来是256长度，但他用了257和258，所以我们需要吧sbox hook出来看看(顺便规整这个rc4调用的脚本)

1
function hookRc4Init() {
2
    var module = Process.findModuleByName("libjiagu_64.so");
3
    Interceptor.attach(module.base.add(0x6064), {
4
        onEnter(args) {
5
            console.log("[+]hook rc4_init args[0]");
6
            console.log(hexdump(args[0], { length: 0x10, header: true, ansi: true }));
7
        },
8
        onLeave(reval) {
9
        }
10
    });
11
}
12

13
function hookRc4Enc() {
14
    var module = Process.findModuleByName("libjiagu_64.so");
15
    Interceptor.attach(module.base.add(0x6234), {
16
        onEnter: function (args) {
17
            console.log("[+]hook rc4_enc args[0]");
18
            console.log(hexdump(args[0], { offset: 0, length: 0x30, header: true, ansi: true }));
19
            console.log("[+]hook rc4_enc args[1]");
20
            console.log(args[1]);
21
            console.log("[+]hook rc4_enc args[2]/sbox");
22
            console.log(hexdump(args[2], { offset: 0, length: 258, header: true, ansi: true }));
23

24
            // 将输入缓冲区保存到this对象，使其在onLeave中可用
25
            this.inputBuffer = args[0];
26
        },
27
        onLeave: function (ret) {
28
            // 从this对象获取保存的输入缓冲区
29
            var inputBuffer = this.inputBuffer;
30
            console.log("[+]hooked rc4_enc return value");
31
            console.log(hexdump(inputBuffer, { offset: 0, length: 0x30, header: true, ansi: true }));
32
        }
33
    });
34
}
35

36
function hook_dlopen() {
37
    Interceptor.attach(Module.findExportByName("libdl.so", "android_dlopen_ext"), {
38
        onEnter: function (args) {
39
            var loadFileName = args[0].readCString();
40
            if (loadFileName.indexOf('libjiagu') != -1) {
41
                this.is_can_hook = true;
42
            }
43
        }, onLeave: function () {
44
            if (this.is_can_hook) {
45
                hookRc4Init();
46
                hookRc4Enc();
47
            }
48
        }
49
    })
50
}
51

52
function main() {
53
    Java.perform(function () {
54
        hook_dlopen();
55
    });
56
}
57
setImmediate(main);

1
[Pixel 3::com.example.learn ]-> [+]hook rc4_init args[0]
2
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
3
74aa7f06d0  76 56 57 34 23 91 23 53 56 74 00 00 00 00 00 00  vVW4#.#SVt......
4
[+]hook rc4_enc args[0]
5
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
6
7480496f70  43 83 7f bf a5 a0 33 14 7a 96 6e ef 17 70 a9 59  C.....3.z.n..p.Y
7
7480496f80  d0 0c 80 56 c5 23 ba 36 87 21 96 26 25 e1 0e c1  ...V.#.6.!.&%...
8
7480496f90  d1 9b 9e 27 63 bf dd 70 6f 2c e4 f0 55 c3 57 2d  ...'c..po,..U.W-
9
[+]hook rc4_enc args[1]
10
0xb8090
11
[+]hook rc4_enc args[2]/sbox
12
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
13
754a7f0c70  76 ac 57 5d 84 1a 43 9d fb 5f f8 59 35 9c 05 36  v.W]..C.._.Y5..6
14
754a7f0c80  cd d1 01 cc 39 49 b6 10 0e 5e 2e 2a 29 7f 72 88  ....9I...^.*).r.
15
754a7f0c90  9f 13 2c 6f 44 9b 67 4a e0 ee 77 34 97 0b 68 0c  ..,oD.gJ..w4..h.
16
754a7f0ca0  4f cf 8f 95 83 52 ef 78 6a de 09 1d b5 48 a8 a1  O....R.xj....H..
17
754a7f0cb0  46 85 02 e7 cb 41 b3 3e 71 b9 3b e4 53 c9 73 42  F....A.>q.;.S.sB
18
754a7f0cc0  e5 30 25 75 f9 df 14 38 ae d2 0d 82 6c 93 6e be  .0%u...8....l.n.
19
754a7f0cd0  5b 20 f3 47 d8 f1 8b 64 b1 ab ad f6 b8 7a 80 4d  [ .G...d.....z.M
20
754a7f0ce0  b7 56 ec b0 66 18 c4 92 33 c8 60 4e 31 d9 5a 03  .V..f...3.`N1.Z.
21
754a7f0cf0  e6 15 d3 a3 21 a7 1c c1 26 3c 1e 70 bf a2 c5 c3  ....!...&<.p....
22
754a7f0d00  a0 c2 c0 98 28 89 50 4b 90 6b e1 55 79 7c fd ff  ....(.PK.k.Uy|..
23
754a7f0d10  e3 aa 2b a4 bd 62 2f 16 b4 7e c6 fe 63 da 51 d6  ..+..b/..~..c.Q.
24
754a7f0d20  32 3a 11 c7 3f 8e d5 ea a5 ba ca ed 08 22 74 5c  2:..?........"t\
25
754a7f0d30  24 4c 7b bb a9 8d 96 91 1b f2 17 94 45 19 ce 06  $L{.........E...
26
754a7f0d40  8a 65 37 86 f5 12 9a 69 8c 87 d4 e8 6d eb 58 23  .e7....i....m.X#
27
754a7f0d50  00 40 1f af 99 dd 04 9e 7d 0a a6 81 f0 f7 3d e9  .@......}.....=.
28
754a7f0d60  db 0f bc 27 fa e2 fc f4 b2 d0 dc d7 54 07 2d 61  ...'........T.-a
29
754a7f0d70  03 05                                            ..
30
[+]hooked rc4_enc return value
31
             0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
32
7480496f70  f9 52 1a 00 78 9c 7c dd 01 d8 a3 ff 3d e7 7b 43  .R..x.|.....=.{C
33
7480496f80  83 41 30 08 9d 25 18 a4 3c 88 ee ec 8a 76 54 d8  .A0..%..<....vT.
34
7480496f90  d9 3d b1 66 57 96 41 f0 9c 3d 39 6b 1c 39 bb b3  .=.fW.A..=9k.9..

我们就得到了完整的sbox[258]，直接解密的结果很混乱，继续看调用链

我们能找到sub_380C，且它调用了下面inflateInit_、inflate、inflateEnd三个zlib标准库里面的函数，说明这个函数是解压缩函数，即uncompress

然后我们来尝试解密

1
import zlib
2

3
sbox = [
4
    0x76, 0xAC, 0x57, 0x5D, 0x84, 0x1A, 0x43, 0x9D, 0xFB, 0x5F, 0xF8, 0x59, 0x35, 0x9C, 0x05, 0x36,
5
    0xCD, 0xD1, 0x01, 0xCC, 0x39, 0x49, 0xB6, 0x10, 0x0E, 0x5E, 0x2E, 0x2A, 0x29, 0x7F, 0x72, 0x88,
6
    0x9F, 0x13, 0x2C, 0x6F, 0x44, 0x9B, 0x67, 0x4A, 0xE0, 0xEE, 0x77, 0x34, 0x97, 0x0B, 0x68, 0x0C,
7
    0x4F, 0xCF, 0x8F, 0x95, 0x83, 0x52, 0xEF, 0x78, 0x6A, 0xDE, 0x09, 0x1D, 0xB5, 0x48, 0xA8, 0xA1,
8
    0x46, 0x85, 0x02, 0xE7, 0xCB, 0x41, 0xB3, 0x3E, 0x71, 0xB9, 0x3B, 0xE4, 0x53, 0xC9, 0x73, 0x42,
9
    0xE5, 0x30, 0x25, 0x75, 0xF9, 0xDF, 0x14, 0x38, 0xAE, 0xD2, 0x0D, 0x82, 0x6C, 0x93, 0x6E, 0xBE,
10
    0x5B, 0x20, 0xF3, 0x47, 0xD8, 0xF1, 0x8B, 0x64, 0xB1, 0xAB, 0xAD, 0xF6, 0xB8, 0x7A, 0x80, 0x4D,
11
    0xB7, 0x56, 0xEC, 0xB0, 0x66, 0x18, 0xC4, 0x92, 0x33, 0xC8, 0x60, 0x4E, 0x31, 0xD9, 0x5A, 0x03,
12
    0xE6, 0x15, 0xD3, 0xA3, 0x21, 0xA7, 0x1C, 0xC1, 0x26, 0x3C, 0x1E, 0x70, 0xBF, 0xA2, 0xC5, 0xC3,
13
    0xA0, 0xC2, 0xC0, 0x98, 0x28, 0x89, 0x50, 0x4B, 0x90, 0x6B, 0xE1, 0x55, 0x79, 0x7C, 0xFD, 0xFF,
14
    0xE3, 0xAA, 0x2B, 0xA4, 0xBD, 0x62, 0x2F, 0x16, 0xB4, 0x7E, 0xC6, 0xFE, 0x63, 0xDA, 0x51, 0xD6,
15
    0x32, 0x3A, 0x11, 0xC7, 0x3F, 0x8E, 0xD5, 0xEA, 0xA5, 0xBA, 0xCA, 0xED, 0x08, 0x22, 0x74, 0x5C,
16
    0x24, 0x4C, 0x7B, 0xBB, 0xA9, 0x8D, 0x96, 0x91, 0x1B, 0xF2, 0x17, 0x94, 0x45, 0x19, 0xCE, 0x06,
17
    0x8A, 0x65, 0x37, 0x86, 0xF5, 0x12, 0x9A, 0x69, 0x8C, 0x87, 0xD4, 0xE8, 0x6D, 0xEB, 0x58, 0x23,
18
    0x00, 0x40, 0x1F, 0xAF, 0x99, 0xDD, 0x04, 0x9E, 0x7D, 0x0A, 0xA6, 0x81, 0xF0, 0xF7, 0x3D, 0xE9,
19
    0xDB, 0x0F, 0xBC, 0x27, 0xFA, 0xE2, 0xFC, 0xF4, 0xB2, 0xD0, 0xDC, 0xD7, 0x54, 0x07, 0x2D, 0x61,
20
    0x03, 0x05
21
]
22
def rc4_decrypt(data):
23
    i = sbox[256] # 0x3
24
    j = sbox[257] # 0x5
25
    out = []
26
    for ch in data:
27
        i = (i + 2) % 256
28
        j = (j + sbox[i] + 1) % 256
29
        sbox[i], sbox[j] = sbox[j], sbox[i]
30
        out.append(ch ^ sbox[(sbox[i] + sbox[j]) % 256])
31
    return out
32

33
cipherStart = 0x2E260
34
cipherSize = 0xB8090
35
with open('/Users/lanzhiqiang/Desktop/360test/protect/assets/libjiagu_fix.so','rb') as f:
36
    wrap_elf = f.read()
37

38
# 对密文进行解密
39
dec_compress_elf = rc4_decrypt(wrap_elf[cipherStart:cipherStart+cipherSize])
40
dec_elf = zlib.decompress(bytes(dec_compress_elf[4::]))
41
with open('/Users/lanzhiqiang/Desktop/360test/wrap_elf','wb') as f:
42
    f.write(dec_elf)

但是解密内容肯定是不对的，不过往下翻还是能找到一个elf还需要找其他关键东西

继续看调用链

能看见在sub_55BC里也出现了像样的内容，也有0x38，且这个函数是被sub_4D48所调用的(这个函数同时也调用了preLinker_image，之前分析过)。所以大概率得从这个函数入手分析，从调用链和函数逻辑都合理

1
call79:sub_55BC
2
call80:sub_5C4C
3
call81:sub_5794
4
call82:sub_5950
5
call83:mprotect
6
call84:__strlen_chk
7
call85:strncpy
8
call86:sub_3FAC <- preLinker_image

最后的逻辑范围被缩小到了sub_5C4C、sub_5794、sub_5950之中，我们挨个找，能发现在sub_5C4C中有很奇怪的逻辑

这里是ARM64 NEON 的两个指令，用于向量操作，参考：

https://developer.arm.com/architectures/instruction-sets/intrinsics/#q=vdupq_n_s8

vdupq_n_s8 用于将单个 8 位有符号整数复制到 64 位向量的所有元素
veorq_s8 用于对两个 64 位向量的 8 位有符号整数元素进行按位异或运算

相当于上图，0xBD是要异或的值，后面是长度0x150，依次分组。知道了逻辑就可以继续往下推，在上面解密脚本中添加如下：

1
class part:
2
    def __init__(self):
3
        self.name = ""
4
        self.value = b''
5
        self.offset = 0
6
        self.size = 0
7

8
index = 1
9
extra_part = [part() for _ in range(7)]
10
seg = ["a", "b", "c", "d"]
11
v_xor = dec_elf[0]
12
for i in range(4):
13
    size = int.from_bytes(dec_elf[index:index + 4], 'little')
14
    index += 4
15
    extra_part[i + 1].name = seg[i]
16
    extra_part[i + 1].value = bytes(map(lambda x: x ^ v_xor, dec_elf[index:index + size]))
17
    extra_part[i + 1].size = size
18
    index += size
19
for p in extra_part:
20
    if p.value != b'':
21
        filename = f"libjiagu.so_{hex(p.size)}_{p.name}"
22
        print(f"[{p.name}] get {filename}, size: {hex(p.size)}")
23
        with open(filename, 'wb') as f:
24
            f.write(p.value)
25

26
# [a] get libjiagu.so_0x150_a, size: 0x150
27
# [b] get libjiagu.so_0x1818_b, size: 0x1818
28
# [c] get libjiagu.so_0x23be0_c, size: 0x23be0
29
# [d] get libjiagu.so_0x1b0_d, size: 0x1b0

得到四段，前面我们找过program_header_table有6段，每一段0x38，刚好是0x150，这个a正好满足程序头的大小

然后wrap_elf是由两大部分组成的，wrap_elf中分离出来的4大段数据只是第一部分，长度0x25709，但是我们在wrap_elf找到这个位置

这后面还有一个elf，也就是wrap_elf的第二部分内容，我们把两段分开

1
with open('/Users/lanzhiqiang/Desktop/360test/protect/dumped_main/wrap_elf', 'rb') as f:
2
    wrap_elf = f.read()
3
ELF_magic = bytes([0x7F, 0x45, 0x4C, 0x46])
4
for i in range(len(wrap_elf) - len(ELF_magic) + 1):
5
    if wrap_elf[i:i + len(ELF_magic)] == ELF_magic:
6
        print(hex(i))
7
        with open('/Users/lanzhiqiang/Desktop/360test/protect/dumped_main/wrap_elf_part1', 'wb') as f:
8
            f.write(wrap_elf[0:i])
9
        with open('/Users/lanzhiqiang/Desktop/360test/protect/dumped_main/wrap_elf_part2', 'wb') as f:
10
            f.write(wrap_elf[i::])
11
        break

然后我们继续观察，.rela.plt，.rela.dyn储存的内容是要远远大于dynamic的，所以我们可以锁定dynamic是d

再加上上面我们分析的

1
a -> program_header_table
2
d -> dynamic

一块一块来搞，我们修复的是wrap_elf_part2(主elf)

修复 `program header table`#

复制 libjiagu.so_0x150_a 的所有字节，然后来到 wrap_elf_part2 中选中 struct program_header_table 粘贴

Mac: command+shift+c/v全复制/粘贴

修复 `.dynamic`#

program header table 的 (RW_) Dynamic Segment 的 p_offset 指向 .dynamic 段的位置

然后跳转到该位置去修复，同修复program_header_table

这里来解析一下.dynamic结构

1
.dynamic 节由多个 Elf64_Dyn 组成，每个结构的大小为 16 字节（64 位）
2

3
typedef struct {
4
    Elf64_Sxword d_tag;  // 动态表项类型（标记）
5
    union {
6
        Elf64_Xword d_val;  // 数值（如标志位、版本号等）
7
        Elf64_Addr d_ptr;   // 内存地址（指向其他节或表）
8
    } d_un;
9
} Elf64_Dyn;

修复重定位表#

我们需要通过 .dynamic 段的 d_tag 字段来直到重定位表的位置

对于我们修复主 ELF 比较重要的 tag 有

d_tag	值	含义
DT_JMPREL	0x17	`.rela.plt` 在文件中的偏移
DT_PLTRELSZ	0x2	`.rela.plt` 的大小
DT_RELA	0x7	`.rela.dyn` 在文件中的偏移
DT_RELASZ	0x8	`.rela.dyn` 的大小

我们可以在 .dynamic 中发现这些 tag 以及对应的值

每一个Elf64_Dyn结构大小刚好是16字节，010里面看是一整行，前四个字节代表表项(tag)，依次找0x2、0x17、0x7、0x8

就可以知道.rela.plt 在文件中的偏移为0x2C070，大小为0x1818；.rela.dyn 在文件中的偏移0x8490，大小为0x23BE0。这里的值和我们之前分离出的b和c的大小一样，也证明b是.rela.plt，c是.rela.dyn

修复`.rela.plt`和`.rela.dyn`#

同之前的修复方式，根据找到的偏移和大小去复制粘贴

再把文件基地址设置为0xe7000

至此，主elf就修复完了

dex释放分析#

思路跳回到我们hook open函数的结果，同时ida分析刚刚修复好的主elf

1
[Pixel 3::com.example.learn ]-> [*] Replacing open function
2
[-] Intercepted read of maps file
3
[-] Intercepted read of maps file
4
[-] Intercepted read of maps file
5
[-] Intercepted read of maps file
6
[-] Intercepted read of maps file
7
[-] Intercepted read of maps file
8
[-] Intercepted read of maps file
9
[+] Opening dex: /data/data/com.example.learn/.jiagu/classes.dex
10
6d76864558 is in libjiagu_64.so offset: 0x19f558
11
6d767fac94 is in libjiagu_64.so offset: 0x135c94
12
6dfdf9df48 is in libart.so offset: 0x59df48
13
6dfdca7f2c is in libart.so offset: 0x2a7f2c
14
6dfdd9497c is in libart.so offset: 0x39497c
15
70913c4488 is in libc.so offset: 0x42488
16
6d767f99b4 is in libjiagu_64.so offset: 0x1349b4
17
6d767f99b4 is in libjiagu_64.so offset: 0x1349b4
18
6d766dc29c is in libjiagu_64.so offset: 0x1729c
19
6d766dc29c is in libjiagu_64.so offset: 0x1729c
20
6d767f99b4 is in libjiagu_64.so offset: 0x1349b4
21
6d766dbafc is in libjiagu_64.so offset: 0x16afc
22
6d766d29f8 is in libjiagu_64.so offset: 0xd9f8
23
6d766da4d8 is in libjiagu_64.so offset: 0x154d8
24
6d766dae40 is in libjiagu_64.so offset: 0x15e40
25
[+] Opening dex: /data/data/com.example.learn/.jiagu/classes2.dex
26
6d76864558 is in libjiagu_64.so offset: 0x19f558
27
6d767fad7c is in libjiagu_64.so offset: 0x135d7c
28
6dfdf9df48 is in libart.so offset: 0x59df48
29
6dfdca7f2c is in libart.so offset: 0x2a7f2c
30
6dfdd9497c is in libart.so offset: 0x39497c
31
70913c4488 is in libc.so offset: 0x42488
32
6d767f99b4 is in libjiagu_64.so offset: 0x1349b4
33
6d767f99b4 is in libjiagu_64.so offset: 0x1349b4
34
6d766dc29c is in libjiagu_64.so offset: 0x1729c
35
6d766dc29c is in libjiagu_64.so offset: 0x1729c
36
6d767f99b4 is in libjiagu_64.so offset: 0x1349b4
37
6d766dbafc is in libjiagu_64.so offset: 0x16afc
38
6d766d29f8 is in libjiagu_64.so offset: 0xd9f8
39
6d766da4d8 is in libjiagu_64.so offset: 0x154d8
40
6d766dae40 is in libjiagu_64.so offset: 0x15e40
41
[+] Opening dex: /data/data/com.example.learn/.jiagu/classes3.dex
42
6d76864558 is in libjiagu_64.so offset: 0x19f558
43
6d767fad7c is in libjiagu_64.so offset: 0x135d7c
44
6dfdf9df48 is in libart.so offset: 0x59df48
45
6dfdca7f2c is in libart.so offset: 0x2a7f2c
46
6dfdd9497c is in libart.so offset: 0x39497c
47
70913c4488 is in libc.so offset: 0x42488
48
6d767f99b4 is in libjiagu_64.so offset: 0x1349b4
49
6d767f99b4 is in libjiagu_64.so offset: 0x1349b4
50
6d766dc29c is in libjiagu_64.so offset: 0x1729c
51
6d766dc29c is in libjiagu_64.so offset: 0x1729c
52
6d767f99b4 is in libjiagu_64.so offset: 0x1349b4
53
6d766dbafc is in libjiagu_64.so offset: 0x16afc
54
6d766d29f8 is in libjiagu_64.so offset: 0xd9f8
55
6d766da4d8 is in libjiagu_64.so offset: 0x154d8
56
6d766dae40 is in libjiagu_64.so offset: 0x15e40
57
Process crashed: Bad access due to invalid address

跳转到0x19F558，很明显的open逻辑，那么这里就是open dex的，继续看下一个0x135d7c

再往下就是调用libart.so里的内容，所以解密一定在0x135d7c附近

原因：当应用需要访问某个类（如通过反射或直接调用）时，ART 会通过FindClass在已加载的类定义中查找。若类定义未被正确解密，ART 将无法解析其结构，导致加载失败。

在这个地址所在函数上下去尝试hook，之前我们hook的是Android_dlopen_ext，但是由于这个是主elf不是使用上面的加载的了，所以我们得改用对dlopen做hook，最后找到sub_193D78

这个函数的第二个参数居然就是我们的dex文件，那么我们想办法dump下来就行

1
function hookDex() {
2
    var base = Process.findModuleByName("libjiagu_64.so").base.add(0x193D78);
3
    var fileIndex = 0
4
    Interceptor.attach(base, {
5
        onEnter: function (args) {
6
            // console.log(hexdump(args[1], {offset: 0, length: 0x30, header: true, ansi: true}));
7
            // console.log(args[2]);
8
            try {
9
                var length = args[2].toInt32();
10
                var data = Memory.readByteArray(args[1], length);
11
                var filePath = "/data/data/com.example.learn/files/" + fileIndex + ".dex";
12
                var file_handle = new File(filePath, "wb");
13
                if (file_handle && file_handle != null) {
14
                    file_handle.write(data);
15
                    file_handle.flush();
16
                    file_handle.close();
17
                    console.log("Data written to " + filePath);
18
                    fileIndex++;
19
                } else {
20
                    console.log("Failed to create file: " + filePath);
21
                }
22
            } catch (e) {
23
                console.log("Error: " + e.message);
24
            }
25
        }, onLeave: function (args) { }
26
    })
27
}
28
function hook_dlopne() {
29
    var once = true;
30
    Interceptor.attach(Module.findExportByName(null, "dlopen"), {
31
        onEnter: function (args) {
32
            var loadFileName = args[0].readCString();
33
            if (loadFileName.indexOf('libjiagu') != -1) {
34
                this.is_can_hook = true;
35
            }
36
        }, onLeave: function () {
37
            if (this.is_can_hook && once) {
38
                hookDex();
39
                once = false;
40
            }
41
        }
42
    })
43
}
44

45
function main() {
46
    Java.perform(function () {
47
        hook_dlopne();
48
    });
49
}
50
setImmediate(main);

然后我们把这三个dex pull到电脑上

1
# 1. 将文件复制到公共可访问的/sdcard目录
2
adb shell su -c "cp /data/data/com.example.learn/files/2.dex /sdcard/2.dex"
3

4
# 2. 从/sdcard拉取文件
5
adb pull /sdcard/2.dex /Users/lanzhiqiang/Desktop/360test/protect/dumped_dex/
6

7
# 3. 清理临时文件（可选）
8
adb shell su -c "rm /sdcard/2.dex"

0.dex即可看到我们最开始自己写的逻辑

至此分析完毕

Welcome!