Reverse-engineering the sign algorithm


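This article is a featured post from the Kanxue forum

Kanxue forum author ID: 飛翔的貓咪

Task: work out the algorithm of the KanxueSign function (the task comes from the November 2021 homework of the Kanxue advanced research class)

The restored code is in the attachment. Compile with: g++ main.cpp base64.c

1. Analysis:

This is a reversing exercise on a pure C algorithm with a lot of OLLVM obfuscation, so finishing it leaves you more familiar with handling OLLVM-protected programs.

2. Answer:

Initial analysis shows that the algorithm's inputs are the four member variables firstInstallTime, packageCodePath, randomLong and startTime of the MainActivity class, and that it is unrelated to MainActivity.randomLong.


Pinning the inputs to make analysis easier:

The usual approach: use frida to pin the inputs of these four variables so the analysis is easy to record. The values I used for the four variables are: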

cls.startTime.value = 0x17d472e9806;
cls.firstInstallTime.value = 0x17d41d64983;
cls.randomLong.value = 0x49536c10125ac000;
cls.packageCodePath.value = "/data/app/com.kanxue.ollvm_ndk_11-7sJSh-MLUIRVBOWzGqFjjw==/base.apk";

The algorithm's output is 36b0d7a02b934a38fffd51f0be37c661fdf6896e81d82c4dde65fb194268e9cd00c301110281011c028100c302810071007100c300bd0190023e014a01a30281022a00a8020400be014a01900156015602e2023e010b022a011101a3010b02c702c7012c012d01c10208019c0147012c0294023a01d100a900a70249008601ca007202b60135009e02d601e001e002a2028b028b00c3012b028101c100be014a0281007101a3ahryb3qMnhySa3mLbQeOakeQb3ySaK==

Three-segment result:

The result is made of three segments, each produced by a different algorithm and assembled with sprintf. The logic is in sub_12AE4.

1. The first segment is: 36b0d7a02b934a38fffd51f0be37c661fdf6896e81d82c4dde65fb194268e9cd, 64 bytes.

2. The second segment is 00c301110281011c028100c302810071007100c300bd0190023e014a01a30281022a00a8020400be014a01900156015602e2023e010b022a011101a3010b02c702c7012c012d01c10208019c0147012c0294023a01d100a900a70249008601ca007202b60135009e02d601e001e002a2028b028b00c3012b028101c100be014a0281007101a3

3. The third segment is ahryb3qMnhySa3mLbQeOakeQb3ySaK==, which looks like a Base64 result.

First-segment algorithm:

During analysis I found the SHA-256 constants 0x6a09e667 and 0xbb67ae85. The implementing function is sub_1B1E8, but this implementation is a SHA-256 variant: the input is sometimes a 64-byte string that has not been padded. After nop-ing out the OLLVM control blocks, repairing the relationships between the real blocks, and reversing the OLLVM instruction substitution, the resulting code fragment of sub_1B1E8 is:

v231 = *v594;
v232 = *v588;
v233 = *v590;
v234 = (unsigned int)*v591;
v235 = *v592;
v587 = a2_arg + 1;
v654 = a2_arg + 1;
v236 = a2_arg[1] << 24;
v237 = (*v654 ^ 0xFF00FFFF) & *v654;
v238 = ((*v654 << 8) ^ 0xFF00FF00) & (*v654 << 8);
v657 = HIBYTE(a2_arg[1]);
v658 = v237;
v659 = v657 | (v658 >> 8);
v660 = v238;
v239 = v659 | v236;
v656 = v239 | v660;
v655 = v656;
v581 = v656;
sub_26300(v231, v661, v232, v589, v233, v234, v235, v593, v656 + 1899447441); //2

v240 = *v593;
v241 = *v594;
v242 = *v589;
v243 = *v590;
v244 = (unsigned int)*v591;
v654 = a2_arg + 2;
v245 = a2_arg[2] << 24;
v246 = a2_arg[2] & 0xFF0000;
v247 = (a2_arg[2] << 8) & 0xFF0000;
v657 = HIBYTE(a2_arg[2]);
v658 = v246;
v659 = v657 | (v658 >> 8);
v660 = v247;
v656 = v659 | v245 | v660;
v655 = v656;
v582 = v656;
sub_26300(v240, v241, v661, v588, v242, v243, v244, v592, v656 - 1245643825); //3

v248 = *v592;
v249 = *v593;
v250 = *v594;
v251 = *v588;
v252 = *v589;
v253 = *v590;
v587 = a2_arg + 3;
v654 = a2_arg + 3;
v254 = a2_arg[3] << 24;
v255 = a2_arg[3] & 0xFF0000;
v256 = (a2_arg[3] << 8) & 0xFF0000;
v657 = HIBYTE(a2_arg[3]);
v658 = v255;
v659 = v657 | (v658 >> 8);
v660 = v256;
v257 = v659 | v254;
v656 = v257 | v660;
v655 = v656;
v578 = v656;
sub_26300(v248, v249, v250, &v661, v251, v252, v253, v591, v656 - 373957723); //4

There are 64 places with code like this, which matches how SHA-256 processes a block.

I restored sub_26300 from a trace. A fragment of the code:

...
w15 = 0x324F4353;
w16 = 0xA7EA7AC2;
w13 = w4 >> 0xB;
w14 = w4 << 0x15;
w19 = w15 & (~w13);
w21 = w13 & (~w15);
w22 = w15 & (~w14);
w14 = w14 & (~w15);
w19 = w19 | w21;
w15 = w16 & (~w6);
w21 = w22 | w14;
w22 = w16 & (~w5);
w5 = w5 & (~w16);
w14 = w6 & (~w16);
w23 = w15 | w14;
w5 = w22 | w5;
w17 = w4 >> 0x19 | w4 << (32 - 0x19);
w19 = w19 ^ w21;
w5 = w23 ^ (~w5);
w20 = *w7_ptr;
w21 = w19 & (~w17);
w19 = w17 & (~w19);
...

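The instructions in there are actually instruction substitution: a large pile of operations may in the end amount to a single XOR, I just did not notice it at the time.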
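The simplification described above, as an added example (not code from the original post or its attachment): it keeps the opening lines of the sub_26300 trace and the first word load of sub_1B1E8 in their obfuscated form and compares them with what they reduce to, and it compares the addends of the three sub_26300 calls with the standard SHA-256 round constants K[1..3]. The function names and the sample word are hypothetical, and a2_arg is assumed to point to 32-bit unsigned words.

```c
#include <stdint.h>
#include <stdio.h>

static uint32_t rotr32(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }

/* Opening lines of the sub_26300 trace, kept in obfuscated form.
 * (c & ~x) | (x & ~c) is the substituted form of c ^ x. */
uint32_t trace_fragment(uint32_t w4) {
    uint32_t w15 = 0x324F4353;              /* opaque mask from the trace */
    uint32_t w13 = w4 >> 0xB;
    uint32_t w14 = w4 << 0x15;
    uint32_t w19 = w15 & ~w13;
    uint32_t w21 = w13 & ~w15;
    uint32_t w22 = w15 & ~w14;
    w14 = w14 & ~w15;
    w19 = w19 | w21;                        /* w15 ^ (w4 >> 11) */
    w21 = w22 | w14;                        /* w15 ^ (w4 << 21) */
    return w19 ^ w21;                       /* mask cancels: rotr(w4, 11) */
}

/* Message-word load from the first sub_1B1E8 fragment ("//2"), obfuscated.
 * Assumption: 32-bit unsigned words, so HIBYTE(x) == x >> 24. */
uint32_t load_obfuscated(uint32_t x) {
    uint32_t v236 = x << 24;
    uint32_t v237 = (x ^ 0xFF00FFFF) & x;                 /* x & 0x00FF0000 */
    uint32_t v238 = ((x << 8) ^ 0xFF00FF00) & (x << 8);   /* (x << 8) & 0x00FF0000 */
    return ((x >> 24) | (v237 >> 8)) | v236 | v238;
}

/* What the load reduces to: a 32-bit byte swap (big-endian word read). */
uint32_t bswap32(uint32_t x) {
    return (x >> 24) | ((x >> 8) & 0xFF00) | ((x << 8) & 0xFF0000) | (x << 24);
}

/* Signed addends of the three calls, compared with SHA-256 K[1..3]. */
int addends_are_sha256_k(void) {
    return (uint32_t)1899447441 == 0x71374491u &&
           (uint32_t)(-1245643825) == 0xb5c0fbcfu &&
           (uint32_t)(-373957723) == 0xe9b5dba5u;
}

int main(void) {
    uint32_t x = 0x61626364;   /* constructed sample word */
    printf("%d %d %d\n", trace_fragment(x) == rotr32(x, 11),
           load_obfuscated(x) == bswap32(x), addends_are_sha256_k());
    return 0;
}
```

The rotation amounts 11 and 25 that appear in the trace are two of the three used by the SHA-256 Σ1 function (6, 11, 25).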

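The first-segment algorithm runs as follows:

1. startTime and firstInstallTime are combined into the string "17d472e980617d41d64983", which is then padded by computation into a 64-byte value:

2. This value is fed into sub_1B1E8 and the result is saved. Each element of the 64-byte padded array is then XORed with 0x6a and fed into sub_1B1E8 again.

3. Next, packageCodePath is processed with SHA-256 padding. The difference from standard SHA-256 padding is that the final length has an extra 0x200 added. The padding algorithm as found on Wikipedia:

The restored padding algorithm: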
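void padding()
{
    size_t str_len = APK_PATH.length();
    // Message + 0x80 marker + 8-byte length field, rounded up to a 64-byte block.
    size = this->RoundUp64(str_len + 1 + 8);
    // Value-initialised so the bytes between 0x80 and the length field are zero.
    data = new unsigned char[size]();
    memcpy(data, APK_PATH.c_str(), str_len);
    order_of_0x80 = str_len + 1;
    data[str_len] = 0x80;
    // Bit length plus the extra 0x200 that differs from standard SHA-256 padding.
    size_t padding_len = str_len * 8 + 0x200;
    // Stored big-endian in the last 8 bytes of the buffer.
    data[size - 1] = padding_len;
    data[size - 2] = padding_len >> 8;
    data[size - 3] = padding_len >> 16;
    data[size - 4] = padding_len >> 24;
    data[size - 5] = padding_len >> 32;
    data[size - 6] = padding_len >> 40;
    data[size - 7] = padding_len >> 48;
    data[size - 8] = padding_len >> 56;
}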

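4. The padded string is then fed into sub_1B1E8.

5. The result of the previous step is padded again to the 64 bytes of SHA-256 and fed into sub_1B1E8 to obtain the final result.

The second-segment algorithm runs as follows:

The restored code for the second segment is: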

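void second_part()
{
    for (int i = 0; i < APK_PATH.length(); i++)
    {
        // Table index = character code of the path byte + random_long % 5.
        unsigned int index = (unsigned int)(random_long % 5) + (APK_PATH.c_str()[i]);
        unsigned int v = dword_5C008[index];
        // Each path character becomes four hex digits.
        printf("%.4x", v);
    }
}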

Here dword_5C008 is an array of 642 ints with the following elements:

unsigned int dword_5C008[] = {
0x16a, 0x151, 0xd7, 0x134, 0x196, 0x229, 0x67, 0xfa,
0x269, 0x272, 0x226, 0x122, 0xec, 0x2b5, 0x216, 0x214,
0x179, 0x9f, 0x277, 0x194, 0xf4, 0x2ad, 0xa0, 0x210,
0x26d, 0x1b9, 0x257, 0x2c9, 0xe9, 0xa1, 0x16c, 0x15f,
0x99, 0x2e1, 0xbf, 0x1c6, 0xb4, 0x21d, 0xde, 0x16d,
0xc4, 0x8b, 0x25d, 0x108, 0x11b, 0x12c, 0x14a, 0xc3,
0x195, 0x2c7, 0xca, 0x207, 0x206, 0x1b8, 0x1a0, 0x12d,
0xce, 0x93, 0x2df, 0x205, 0xaa, 0x28b, 0x9b, 0x1df,
0x288, 0x200, 0x86, 0x169, 0x211, 0x297, 0x2d6, 0x135,
0x223, 0xa9, 0x208, 0x1a2, 0x23a, 0x294, 0x1ad, 0x1ca,
0x1e2, 0x102, 0xa7, 0x19c, 0x2b1, 0x1d1, 0x249, 0x72,
0xd4, 0x1dd, 0x173, 0xb5, 0x17a, 0xe1, 0xa5, 0x10b,
0x2d9, 0x281, 0x12b, 0xbd, 0x111, 0xbe, 0x1a9, 0x105,
0x147, 0x82, 0x1e0, 0x1a3, 0x156, 0x23e, 0x22a, 0x190,
0x71, 0x9e, 0x16b, 0x1c1, 0x11c, 0x204, 0x2e2, 0x2a2,
0xa8, 0x14b, 0x2b6, 0xc9, 0x239, 0x116, 0x2a7, 0xd1,
0x273, 0x6c, 0x21c, 0xe2, 0xeb, 0x2d0, 0x1db, 0x6b,
0x232, 0xef, 0x85, 0x13f, 0xf5, 0x9d, 0xf8, 0x267,
0x1f2, 0x75, 0x246, 0x1d8, 0x13b, 0x2d7, 0x2ac, 0xd5,
0x187, 0x29c, 0x176, 0x131, 0x28d, 0x91, 0xb6, 0x114,
0x2d8, 0x275, 0x11a, 0x26c, 0x110, 0x2aa, 0x1c3, 0x19f,
0x1a8, 0x279, 0x2de, 0x15d, 0x2db, 0x6a, 0x230, 0x68,
0x178, 0x2bd, 0x217, 0x146, 0x186, 0x1e6, 0x1b1, 0x143,
0x2e3, 0x2af, 0x8e, 0x1d0, 0xac, 0x1de, 0x260, 0x81,
0x193, 0x266, 0x231, 0x1d2, 0xba, 0x240, 0x18e, 0x7e,
0xc1, 0x1f1, 0x1fe, 0x2a3, 0x250, 0x13a, 0x24a, 0x64,
0x29a, 0x24b, 0x2ca, 0x188, 0xfd, 0x103, 0x100, 0x1d9,
0x9a, 0x1f3, 0x182, 0x7d, 0xda, 0xdf, 0x11f, 0x27e,
0x1b4, 0x215, 0x8f, 0x263, 0x192, 0x150, 0x17d, 0x2a4,
0x154, 0x23b, 0x14f, 0x12f, 0x29f, 0x2ba, 0x237, 0x2bc,
0x126, 0x1fd, 0x168, 0x2c5, 0x254, 0x2e0, 0x1c9, 0x201,
0x172, 0x140, 0x138, 0xe0, 0xb1, 0xbb, 0x2dd, 0x19e,
0x1e7, 0x160, 0x13e, 0x7a, 0x1cb, 0x28c, 0x7f, 0xf9,
0x14e, 0x2b8, 0x101, 0x1ea, 0x1d7, 0x1f7, 0x276, 0x1c2,
0x8a, 0x2cf, 0x238, 0xdc, 0x2ae, 0x94, 0x157, 0x175,
0x21f, 0x2c2, 0xab, 0x130, 0x104, 0xfb, 0x24d, 0x222,
0x221, 0x18c, 0x1fa, 0x1fc, 0x1b5, 0x87, 0x2be, 0x1af,
0x1b7, 0xc2, 0x22b, 0x10a, 0x19b, 0x121, 0x198, 0x148,
0x1f6, 0x280, 0x132, 0x17b, 0x1bb, 0xcd, 0x20e, 0x2bb,
0xb7, 0x1cc, 0x244, 0x2a6, 0x264, 0x1ef, 0x251, 0x76,
0x171, 0x2dc, 0x236, 0x25f, 0x159, 0x1a4, 0x1f4, 0x118,
0x17e, 0x106, 0x115, 0x262, 0x1a6, 0x185, 0x1f5, 0x29b,
0x29e, 0x13d, 0x9c, 0x224, 0xc5, 0x219, 0x25c, 0x149,
0x88, 0x137, 0x2a9, 0xb2, 0x139, 0x24e, 0x183, 0x235,
0x1fb, 0x15b, 0xc7, 0x1c5, 0xd9, 0x26b, 0x7b, 0x1e4,
0xf7, 0x2c6, 0x22f, 0x16f, 0x2d2, 0xfc, 0x177, 0x1cd,
0x241, 0x2ce, 0x1be, 0x1bc, 0x7c, 0x1e3, 0x258, 0x2b0,
0xae, 0x125, 0xa6, 0x2d1, 0x1b6, 0xcf, 0x278, 0x18d,
0x155, 0x1ab, 0x1f8, 0x270, 0x1d5, 0x2c1, 0x1b0, 0x27f,
0x74, 0x1ae, 0xe7, 0x2a5, 0xd0, 0x98, 0x141, 0x289,
0x1f0, 0x1aa, 0x1bf, 0x2cd, 0x1c8, 0x2b7, 0x296, 0x299,
0x6f, 0x17c, 0xd8, 0x77, 0x124, 0xe8, 0x18f, 0x26e,
0x2bf, 0x1dc, 0x21a, 0x209, 0x20a, 0x18a, 0x274, 0x1ac,
0x28a, 0x109, 0x1ee, 0x73, 0x2b3, 0x136, 0x234, 0x1da,
0x10d, 0x27a, 0x2d4, 0x22e, 0x2c4, 0x83, 0x261, 0x18b,
0x20f, 0x167, 0x1e5, 0x1f9, 0x252, 0x1e8, 0x89, 0x25e,
0x23c, 0x129, 0xb3, 0xbc, 0x284, 0x112, 0x11d, 0x22d,
0x2d3, 0x15c, 0x10f, 0xd2, 0xf2, 0x15e, 0x298, 0x28e,
0x2cc, 0xea, 0x120, 0x145, 0xf3, 0x202, 0x197, 0x181,
0x2c3, 0x170, 0x1a7, 0x78, 0xe6, 0xc0, 0xf1, 0x1ff,
0x295, 0x213, 0xc8, 0x164, 0x22c, 0x10c, 0x1d4, 0xcb,
0x165, 0x1ec, 0xcc, 0x282, 0x1bd, 0xb0, 0x24f, 0x80,
0xa2, 0x29d, 0x2d5, 0x14d, 0xe4, 0x16e, 0x158, 0x152,
0xc6, 0x6d, 0xd3, 0x212, 0x184, 0x153, 0x180, 0x66,
0x228, 0x220, 0x259, 0x2ab, 0x70, 0x27d, 0x2b9, 0x291,
0xed, 0xaf, 0x127, 0x255, 0x123, 0x90, 0x293, 0xf0,
0x271, 0x247, 0x162, 0x27c, 0x203, 0x119, 0x218, 0xfe,
0x1c0, 0x1c4, 0x163, 0x243, 0x14c, 0x1d6, 0x1e1, 0x65,
0x12a, 0x2da, 0x292, 0xf6, 0x11e, 0x20d, 0x25b, 0x144,
0xe5, 0xa3, 0x8c, 0x283, 0x1cf, 0x96, 0x191, 0x2a0,
0x225, 0x199, 0x242, 0x92, 0x107, 0x21e, 0x166, 0x8d,
0x290, 0x24c, 0x285, 0x287, 0x113, 0x133, 0x13c, 0x10e,
0x17f, 0x1eb, 0xe3, 0x233, 0x26f, 0x265, 0x26a, 0xd6,
0x19d, 0x15a, 0xad, 0x256, 0x1a1, 0x23f, 0x6e, 0x1a5,
0x245, 0x2c8, 0x1ed, 0x20c, 0xdd, 0x2b4, 0x21b, 0x1c7,
0xa4, 0x97, 0x1b3, 0x2cb, 0x174, 0x1b2, 0x27b, 0x189,
0x20b, 0x23d, 0x142, 0x28f, 0xdb, 0x69, 0x79, 0x2b2,
0x1ce, 0x12e, 0x2a8, 0x268, 0x95, 0x25a, 0x227, 0xb8,
0x253, 0xee, 0xb9, 0x19a, 0x1ba, 0x161, 0x1d3, 0x2c0,
0x128, 0x2a1, 0xff, 0x117, 0x1e9, 0x84, 0x286, 0x248,
0x0, 0x0};

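When I saw such a large array I suspected it was the constant table of some algorithm. I could not identify it, but it is definitely a constant array.

Third-segment algorithm:

It is Base64 with a modified alphabet. The alphabet is:

That is, "0123456789-_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ="

The restored code: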

void third_part()
{
    BYTE buf[1024] = {0};
    base64_encode((const BYTE *)startTime_firstInstallTime.c_str(), buf, startTime_firstInstallTime.length(), 1);
    printf("%s", buf);
}
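The third segment can be checked and reversed with the alphabet quoted above. The following is an added example, not the base64.c from the attachment: a self-contained encoder and decoder for that alphabet, where the kx_b64_* names are hypothetical. Decoding the third segment of the sample output gives back the startTime/firstInstallTime string, so this part of the sign is an encoding of the two timestamps rather than a digest.

```c
#include <stdio.h>
#include <string.h>

/* Alphabet quoted in the article; the trailing '=' (index 64) is the pad. */
static const char ALPHABET[] =
    "0123456789-_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ=";

/* Encode n bytes into out (NUL-terminated); returns the output length. */
size_t kx_b64_encode(const unsigned char *in, size_t n, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        size_t left = n - i;
        unsigned v = (unsigned)in[i] << 16;
        if (left > 1) v |= (unsigned)in[i + 1] << 8;
        if (left > 2) v |= in[i + 2];
        out[o++] = ALPHABET[v >> 18];
        out[o++] = ALPHABET[(v >> 12) & 63];
        out[o++] = ALPHABET[left > 1 ? (v >> 6) & 63 : 64];
        out[o++] = ALPHABET[left > 2 ? v & 63 : 64];
    }
    out[o] = '\0';
    return o;
}

/* Decode; returns bytes written, or -1 on malformed input. */
long kx_b64_decode(const char *in, unsigned char *out) {
    size_t n = strlen(in), o = 0;
    if (n % 4) return -1;
    for (size_t i = 0; i < n; i += 4) {
        unsigned v = 0, pad = 0;
        for (int j = 0; j < 4; j++) {
            const char *p = memchr(ALPHABET, in[i + j], 64);
            if (in[i + j] == '=' && i + 4 == n && j >= 2) { pad++; v <<= 6; }
            else if (p && !pad) v = (v << 6) | (unsigned)(p - ALPHABET);
            else return -1;
        }
        out[o++] = (unsigned char)(v >> 16);
        if (pad < 2) out[o++] = (v >> 8) & 0xFF;
        if (pad < 1) out[o++] = v & 0xFF;
    }
    return (long)o;
}

int main(void) {   /* third segment of the sample output from the article */
    unsigned char buf[64];
    long n = kx_b64_decode("ahryb3qMnhySa3mLbQeOakeQb3ySaK==", buf);
    printf("%.*s\n", (int)n, buf);
    return 0;
}
```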

Kanxue ID: 飛翔的貓咪

https://bbs.pediy.com/user-home-607812.htm

*This article is an original work by 飛翔的貓咪 on the Kanxue forum. When reposting, please credit the Kanxue community.
