发现加载的是这个so文件
使用ida分析一下
- 静态注册:在导出函数里搜了一下,没有发现 Java_XX_deserializeData 这个函数
- 动态注册,hook jni函数动态注册,找到了这个函数
发现这个函数就叫deserializeData
// Hex-Rays pseudocode (32-bit ARM, so JNIEnv function-table slots are 4 bytes apart) of the
// dynamically registered native behind JniApi.deserializeData(byte[]).
//   a1 = JNIEnv*   (every indirect call below goes through its function table)
//   a2 = jobject   (the Java `this`; not used in this body)
//   a3 = jbyteArray input
// Function-table slots used, by offset / 4 (standard JNI table order):
//   684 -> 171 GetArrayLength, 736 -> 184 GetByteArrayElements, 704 -> 176 NewByteArray,
//   768 -> 192 ReleaseByteArrayElements, 832 -> 208 SetByteArrayRegion.
// Returns a freshly allocated jbyteArray holding the decompressed output.
// v15..v18 and v19..v21 are two libc++ std::string objects (SSO layout: low bit of the
// first byte set => long mode, size and heap pointer in the following words; clear =>
// short mode, size = first byte >> 1 and the bytes stored inline right after it).
int __fastcall deserializeData(int a1, int a2, int a3)
{
int v5; // r8
unsigned int v6; // r0
int v7; // r6
int v8; // r1
char v9; // r0
int v10; // r1
int v11; // r5
_BYTE *v12; // r0
int v13; // r3
// Output std::string from decompress_string: v15 = size/flag byte, v16 = inline bytes,
// v17 = long-mode size, v18 = long-mode heap pointer.
unsigned __int8 v15; // [sp+14h] [bp-3Ch] BYREF
_BYTE v16[3]; // [sp+15h] [bp-3Bh] BYREF
int v17; // [sp+18h] [bp-38h]
void *v18; // [sp+1Ch] [bp-34h]
// Input std::string built from the Java byte[]: v19 = size/flag byte + inline bytes,
// v20 = long-mode size, v21 = long-mode heap pointer.
int v19; // [sp+20h] [bp-30h] BYREF
int v20; // [sp+24h] [bp-2Ch]
void *v21; // [sp+28h] [bp-28h]
char v22; // [sp+2Fh] [bp-21h] BYREF
v22 = 0;
// v5 = env->GetByteArrayElements(a3, &v22): raw pointer to the input bytes (isCopy in v22).
// NOTE(review): no NULL check on v5 is visible here; GetByteArrayElements may return NULL
// (e.g. on OOM), in which case the copy below would dereference it.
v5 = (*(int (__fastcall **)(int, int, char *))(*(_DWORD *)a1 + 736))(a1, a3, &v22);
// v6 = env->GetArrayLength(a3)
v6 = (*(int (__fastcall **)(int, int))(*(_DWORD *)a1 + 684))(a1, a3);
v7 = v6;
// Zero-initialise the input std::string, then copy the input bytes into it.
v19 = 0;
v20 = 0;
v21 = 0;
// Up to 10 bytes fit inline (short mode): bytes go to &v19 + 1 (11-byte destination,
// hence the 11 passed to _memmove_chk), NUL at index v6 + 1, size byte = 2 * v6.
// The `<< 31` test reads the long-mode flag, which is 0 after the zeroing above, so the
// `v20 = v7` branch looks like an unreachable artefact of the inlined string assignment.
if ( v6 <= 0xA )
{
if ( v6 )
_memmove_chk((char *)&v19 + 1, v5, v6, 11);
*((_BYTE *)&v19 + v7 + 1) = 0;
if ( (unsigned __int8)v19 << 31 )
v20 = v7;
else
LOBYTE(v19) = 2 * v7;
}
else
{
// Longer input: libc++ internal grows the string past capacity 10 and copies v6 bytes from v5.
std::string::__grow_by_and_replace(&v19, 10, v6 - 10, 0, 0, 0, v6, v5);
}
// One-time guarded initialisation (__cxa_guard_acquire/release around a function-local
// static) of an ay::obfuscated_data<7u, (char)46> stored at dword_58233C / word_582340 /
// byte_582342. The 7 bytes are written XOR-encoded and decoded in place with the
// single-byte key 0x2E (= 46, the template argument) on first use; a non-zero last byte
// means "still encoded", and after decoding it becomes the NUL terminator. __dmb plus the
// `<< 31` test on the guard byte is the inlined fast path of the guard check. This matches
// the AY_OBFUSCATE (obfuscate.h) pattern; since it is a constant-key XOR, the plaintext is
// recoverable directly from the initialiser constants below -- it only keeps the string out
// of a plain `strings` dump, it is not a secret-protection mechanism.
v8 = (unsigned __int8)byte_5822A4;
__dmb(0xBu);
if ( v8 << 31 || !_cxa_guard_acquire((__guard *)&byte_5822A4) )
{
v9 = byte_582342;
if ( !byte_582342 )
goto LABEL_11;
goto LABEL_10;
}
dword_58233C = 438115359;
byte_582342 = 46;
word_582340 = 6171;
// Destructor registered for process exit (re-encrypts / cleans up the static).
_cxa_atexit(
(void (__fastcall *)(void *))ay::obfuscated_data<7u,(char)46>::~obfuscated_data,
&dword_58233C,
&off_54F480);
_cxa_guard_release((__guard *)&byte_5822A4);
v9 = byte_582342;
if ( byte_582342 )
{
LABEL_10:
// In-place XOR decode of all 7 bytes with the key 0x2E.
byte_582342 = v9 ^ 0x2E;
LOBYTE(dword_58233C) = dword_58233C ^ 0x2E;
BYTE1(dword_58233C) ^= 0x2Eu;
BYTE2(dword_58233C) ^= 0x2Eu;
HIBYTE(dword_58233C) ^= 0x2Eu;
LOBYTE(word_582340) = word_582340 ^ 0x2E;
HIBYTE(word_582340) ^= 0x2Eu;
}
LABEL_11:
// out string (v15..) = decompress_string(input string (v19..), decoded 7-byte static).
// What the third argument means to decompress_string is not visible here.
EuDataBase::StrOpt::decompress_string(&v15, &v19, &dword_58233C);
// env->ReleaseByteArrayElements(a3, v5, JNI_ABORT /* 2: free without copying back */)
(*(void (__fastcall **)(int, int, int, int))(*(_DWORD *)a1 + 768))(a1, a3, v5, 2);
// Output length: v17 in long mode, v15 >> 1 in short mode.
v10 = v17;
if ( !(v15 << 31) )
v10 = v15 >> 1;
// v11 = env->NewByteArray(v10)
v11 = (*(int (__fastcall **)(int, int))(*(_DWORD *)a1 + 704))(a1, v10);
// Pick data pointer / size for the output string by mode (heap v18/v17 vs inline v16/v15>>1).
v13 = v17;
v12 = v18;
if ( (v15 & 1) == 0 )
v12 = v16;
if ( (v15 & 1) == 0 )
v13 = v15 >> 1;
// env->SetByteArrayRegion(v11, 0, v13, v12)
(*(void (__fastcall **)(int, int, _DWORD, int, _BYTE *))(*(_DWORD *)a1 + 832))(a1, v11, 0, v13, v12);
// Inlined std::string destructors: free heap buffers only in long mode.
if ( v15 << 31 )
operator delete(v18);
if ( (unsigned __int8)v19 << 31 )
operator delete(v21);
return v11;
}
尝试用chatGPT改写成python代码失败。
RPC调用
虽然不能还原算法,不过可以用 frida rpc 调用一下
rpc.exports = {
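deserialize: function (param_b) {
    // RPC entry point. `param_b` is the base64 text of a serialized blob; the decoded
    // bytes are handed to the native JniApi.deserializeData(byte[]) and the returned
    // bytes are parsed with Jackson. Returns the JSON as a string (JsonNode.toString()),
    // or '' when the Java callback produced nothing.
    var result = '';

    // ---- helpers -----------------------------------------------------------
    // ASCII code -> 6-bit value, -1 for characters outside the base64 alphabet
    // (128 entries, indices 0..127).
    var base64DecodeChars = [
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
        52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1,
        -1,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14,
        15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1,
        -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
        41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1
    ];

    // Table lookup that is safe for the whole 0..255 code range. The table only has
    // 128 entries, so a code >= 128 (non-ASCII input) previously read `undefined`,
    // which compares unequal to -1 and ended up pushed into the output as a garbage
    // byte. Treat such codes as "not in the alphabet" so they are skipped instead.
    function decodeChar(code) {
        var v = base64DecodeChars[code];
        return v === undefined ? -1 : v;
    }

    // Decode base64 text into a plain JS array of byte values (0..255). Characters
    // outside the alphabet are skipped; '=' (code 61) ends the decode early.
    function base64ToBytes(e) {
        var r, a, c, h, o, t, d;
        for (t = e.length, o = 0, d = []; o < t;) {
            do
                r = decodeChar(255 & e.charCodeAt(o++));
            while (o < t && r == -1);
            if (r == -1)
                break;
            do
                a = decodeChar(255 & e.charCodeAt(o++));
            while (o < t && a == -1);
            if (a == -1)
                break;
            d.push(r << 2 | (48 & a) >> 4);
            do {
                if (c = 255 & e.charCodeAt(o++), 61 == c)
                    return d;
                c = decodeChar(c);
            } while (o < t && c == -1);
            if (c == -1)
                break;
            d.push((15 & a) << 4 | (60 & c) >> 2);
            do {
                if (h = 255 & e.charCodeAt(o++), 61 == h)
                    return d;
                h = decodeChar(h);
            } while (o < t && h == -1);
            if (h == -1)
                break;
            d.push((3 & c) << 6 | h);
        }
        return d;
    }

    // ---- Java side -----------------------------------------------------------
    Java.perform(function () {
        var cls = Java.use('com.eusoft.dict.util.JniApi');
        var obj = cls.$new();
        var ObjectMapper = Java.use('com.fasterxml.jackson.databind.ObjectMapper');
        var my_objectMapper = ObjectMapper.$new();
        // The native method is declared as deserializeData(byte[]): a plain JS array does
        // not match the '[B' overload, so the bytes must be wrapped in a Java byte[] first.
        var javaBytes = Java.array('byte', base64ToBytes(param_b));
        result = obj['deserializeData'](javaBytes);
        result = my_objectMapper.readTree(result);
        var JsonNode = Java.use('com.fasterxml.jackson.databind.JsonNode');
        result = Java.cast(result, JsonNode);
    });
    return result.toString();
}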
核心代码就是:
Java.perform(function () {
    // Runs with the thread attached to the JVM. `result`, `param_b` and `base64ToBytes`
    // belong to the enclosing RPC handler.
    var JniApi = Java.use('com.eusoft.dict.util.JniApi');
    var api = JniApi.$new();
    var ObjectMapper = Java.use('com.fasterxml.jackson.databind.ObjectMapper');
    var mapper = ObjectMapper.$new();
    // deserializeData takes byte[]; a plain JS array would not match the '[B' overload,
    // so the decoded bytes are wrapped in a Java byte array first.
    var javaBytes = Java.array('byte', base64ToBytes(param_b));
    var raw = api.deserializeData(javaBytes);
    var tree = mapper.readTree(raw);
    var JsonNode = Java.use('com.fasterxml.jackson.databind.JsonNode');
    result = Java.cast(tree, JsonNode);
});
有一个巨坑的点:因为参数是 byte 数组,所以需要用 var javaBytes = Java.array('byte', base64ToBytes(param_b)) 转一下,否则就会报错 argument types do not match any of:\n\t.overload('[B')
成功留念