爱加密和梆梆加固的破解方法

总结的比较重要命令

cat /proc/pid/cmdline      查看命令行
cat /proc/pid/status       查看TracerPid.
ls /proc/pid/task         查看有多少线程
cat /proc/pid/task/tid/status  查看线程TracerPid.

dmsg  | grep -i ptrace 利用kernel-model打印ptrace的记录

拿到的事实上是一个odex文件, 里面会包含odex的指令.  通过一个修改过的baksmali处理后可以恢复原始的dex.

更新: 修复odex的方法, 

1. 将系统的/system/framework目录复制到本地的framework目录

2. 运行baksmali -x -d framework  abc.odex   //将输出smali文件到out目录, 请尽量使用linux

3. 运行smali out -o classes.dex  //重新制作dex

目前梆梆加固根据此文附加线程的方式，已经gcore不出正常的数据，数据如下：

00000000h: 7F 45 4C 46 01 01 01 61 00 00 00 00 00 00 00 00 ; ELF...a........
00000010h: 04 00 28 00 01 00 00 00 00 00 00 00 34 00 00 00 ; ..(.........4...
00000020h: 28 02 00 00 00 00 00 00 34 00 20 00 01 00 28 00 ; (.......4. ...(.
00000030h: 03 00 02 00 04 00 00 00 54 00 00 00 00 00 00 00 ; ........T.......
00000040h: 00 00 00 00 C0 01 00 00 00 00 00 00 04 00 00 00 ; ....?..........
00000050h: 01 00 00 00 05 00 00 00 7C 00 00 00 03 00 00 00 ; ........|.......
00000060h: 43 4F 52 45 00 00 00 00 00 00 00 00 00 00 00 00 ; CORE............
00000070h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000080h: 00 00 00 00 61 70 70 5F 70 72 6F 63 65 73 73 00 ; ....app_process.
00000090h: 00 00 00 00 2F 73 79 73 74 65 6D 2F 62 69 6E 2F ; ..../system/bin/
000000a0h: 61 70 70 5F 70 72 6F 63 65 73 73 20 00 00 00 00 ; app_process ....
000000b0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000c0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000d0h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
000000e0h: 00 00 00 00 05 00 00 00 94 00 00 00 01 00 00 00 ; ........?......
000000f0h: 43 4F 52 45 00 00 00 00 00 00 00 00 00 00 00 00 ; CORE............
00000100h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000110h: 86 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ?..............
00000120h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000130h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000140h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000150h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000160h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000170h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000180h: 00 00 00 00 65 73 73 20 00 00 00 00 05 00 00 00 ; ....ess ........
00000190h: 74 00 00 00 02 00 00 00 43 4F 52 45 00 00 00 00 ; t.......CORE....
000001a0h: F4 81 25 00 30 25 99 BE 68 25 99 BE 18 25 99 BE ; 魜%.0%櫨h%櫨.%櫨
000001b0h: CC 25 99 BE 00 00 00 00 54 09 3D 00 30 25 99 BE ; ?櫨....T.=.0%櫨
000001c0h: 88 EA 1C 00 38 36 32 00 F4 25 99 BE 40 09 3D 00 ; 堦..862.?櫨@.=.
000001d0h: 10 E7 3C 00 40 09 3D 00 08 00 00 00 90 00 00 00 ; .?.@.=.....?..
000001e0h: D0 09 3D 00 04 25 99 BE EC EB 1C 00 03 00 00 00 ; ?=..%櫨祀......
000001f0h: 74 24 99 BE 7C 00 00 00 00 00 00 00 01 00 00 00 ; t$櫨|...........
00000200h: 00 00 00 00 68 25 99 BE F4 25 99 BE 00 00 00 00 ; ....h%櫨?櫨....
00000210h: 10 E7 3C 00 00 2E 73 68 73 74 72 74 61 62 00 6E ; .?...shstrtab.n
00000220h: 6F 74 65 30 00 00 00 00 00 00 00 00 00 00 00 00 ; ote0............
00000230h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000240h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00000250h: 0B 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 ; ................
00000260h: 54 00 00 00 C0 01 00 00 00 00 00 00 00 00 00 00 ; T...?..........
00000270h: 01 00 00 00 00 00 00 00 01 00 00 00 03 00 00 00 ; ................
00000280h: 00 00 00 00 00 00 00 00 14 02 00 00 11 00 00 00 ; ................
00000290h: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ; ................

转:http://www.52pojie.cn/forum.php?mod=viewthread&tid=252099  与

By Bob Pan

梆梆与爱加密都使用了将原有的dex隐藏, 在运行时解压, 并且通过修改app的类加载器的方式实现加固. 参考:AndorIDAPK反逆向解决方案：梆梆加固原理探寻

然而, 不管如何隐藏dex, 最终在运行时都必须释放到内存, 所以本文的思路是从内存中找到解密后的dex文件, 进而得到加固前的apk.

注意: 这个方法截止2014-07-29有效, 后续版本未测试. 由于dalvik的执行机制要求dex在内存中是连续的, 所以想办法拿到内存的coredump总是不错的选择.

更新: 某公司会对名字为gdb的程序进行检测, 请将gdb重命名, 比如hello.  

注意: 如果gdb连不上对应的pid, 请尝试连接/proc/[pid]/task/目录下的

爱加密

爱加密的app并没有做反调试的保护. 打开app之后直接使用gdb连接, 然后用gcore, 产生core dump.

使用ps查看pid

使用gdb连接pid

使用gcore产生core dump

将产生的core.1033复制回电脑, 并使用编辑器打开, 通过类名找到dex中string-data段, 然后通过查找’dex.035’可以找到多离string-data最近的个dex头. dex文件头偏移32的整形值就是dex的文件长度. 使用dd命令可以从内存中抠出dex.

                                       通过类名找string-data段

                       找到最近的dex文件头(0x4f87a08)和dex文件大小0x07c0

                                  使用dd抠出dex

这个文件是个完整的dex文件, 并且可以被dexdump直接打印

更新: 拿到的事实上是一个odex文件, 里面会包含odex的指令.  通过一个修改过的baksmali处理后可以恢复原始的dex.

更新: 修复odex的方法, 

1. 将系统的/system/framework目录复制到本地的framework目录

2. 运行baksmali -x -d framework  abc.odex   //将输出smali文件到out目录, 请尽量使用linux

3. 运行smali out -o classes.dex  //重新制作dex

梆梆

梆梆加固的程序做了anti-ptrace, 表现为使用gdb --pid 连接不上对应的进程, 利用kernel-model打印ptrace的记录, 可以看出梆梆

l  使用了3个进程互相ptrace.

l  发送错误指令来检查ptrace是否被劫持(反回值是-3行, 尝试让1568进程继续执行, 但是1568并未被ptrace, 必须出错),

l  利用ptrace修改另一个进程的数据(action是5的行).

ptrace系统调用的记录, 右边是ptrace的参数

虽然连不上1552, 但是dalvik是一个多线程的程序, 里面包含主进程, gc线程, binder线程等, 虽然我们用gdb连不上主线程, 但是我们可以连上其他线程, 这些线程的tid在/proc/[pid]/task/目录下.

Gdb连接任意一个tid

拿到coredump后与爱加密一样做相同的处理, 可以拿到dex.

总结

爱加密和梆梆通过隐藏dex确实可以让大部分静态分析工具找不到执行代码, 但是在动态运行的时候无可避免的需要将dex在内存中还原. 虽然梆梆做了反调试, 但是通过其他方式也同样可以获取其内存. 通过本文的方法分析其内存然后恢复dex, 更进一步可以完全恢复原始apk. 从这个角度说, 爱加密和梆梆的加固形同虚设.