美文网首页
某软件反虚拟机、反调试、反hook、反root分析

某软件反虚拟机、反调试、反hook、反root分析

作者: Killshadow | 来源:发表于2019-01-21 18:52 被阅读0次

    [TOC]

    要分析这个dex难度无异于跟一个成熟的商业公司的开发团队做对抗, 而且还是专门做返逆向分析的团队. 不仅对类, 文本字符串, 方法名做了混淆, 还混淆了算术逻辑运算和控制流. 对敏感的API还添加了反射调用.

    0x01 key

    初始化了一个byte数组(猜测是混淆字符串的key):

    private static void c() {
        EmulatorDetector.j = new byte[]{15, 80, -22, 125, 6, 2, 2, 2, -1, 1, 6, 2, 5, -4, 6, 2, 2, 2, -1, 1, 6, 2, 5, -6, 55, 3, 19, -69, 68, -10, 10, 10, -20, 19, -5, 9, -9, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, -10, 15, 9, -13, -3, 4, 19, 3, -1, -11, 15, 6, 2, 2, 2, -1, 1, 6, 2, 5, -2, -1, -63, 60, -5, 19, -12, 21, -20, 19, -11, 75, 7, -76, 72, 5, 5, -5, -41, -24, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 53, 1, 20, -12, -1, 1, 15, -8, -3, 10, 0, 11, 13, -19, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, -5, 70, -13, 9, -10, 27, -62, 0, -5, 58, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, 70, 8, -4, 3, -13, 10, -60, 63, -1, -5, -49, 63, -1, -5, 3, -2, 16, -10, 13, 2, 5, -10, -2, 7, 3, -1, 21, -12, -6, 20, -10, 10, 10, -69, 71, -2, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -69, 59, 7, -5, 16, 73, 36, -1, 3, -9, 15, 4, 7, -87, 17, -10, -54, -10, 10, 10, -69, 71, -11, -54, 58, -3, 12, -4, -4, 6, 0, 14, -6, 15, -15, 0, 1, 4, 6, -4, 2, 2, 2, 2, 2, 2, 2, 2, 2, 42, -1, -6, 4, 5, 12, -9, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 58, 0, 11, 13, -19, 17, -7, 2, -11, 27, -62, 0, -1, -63, 54, 15, 2, 7, -6, 5, -12, 5, 3, 15, 0, 11, -7, 15, -7, -4, -50, 73, -18, 15, 11, -62, 0, 60, -63, 73, -18, 15, 11, -62, 0, 60, -1, -63, 54, 21, -10, 5, -6, -52, 56, 7, 12, -1, -2, -9, 26, -73, 61, -3, 6, 2, 2, 2, -1, 1, 6, 2, 2, 1, 49, 2, -78, 52, 37, -5, 8, -9, 6, -6, -67, 72, 11, 5, -80, 37, 39, 12, -1, 0, -6, -18, 15, 11, -62, 0, 70, 8, -4, -66, 68, -10, 10, 10, -20, 23, 0, -15, 4, 4, 63, 43, 8, -5, -8, -66, 79, -10, 21, -15, 7, 3, 7, -5, -69, 70, -1, 21, -17, -36, -25, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, -1, -63, 54, 21, -10, 5, -6, -52, 68, 4, -1, -9, 19, -16, 19, 70, 8, -4, -66, 55, 3, 19, -11, -4, 4, 16, -66, 73, -11, 11, 4, 3, -18, 13, -59, 64, -2, 12, -14, -50, 52, 15, -8, 16, -1, -4, -3, -3, 4, 5, 0, 47, -8, 16, -1, -4, -3, -1, -63, 63, -4, 15, -2, -7, 9, -60, 53, 15, -8, 16, -1, -4, -3, -52, 69, -10, 10, 10, -15, 10, 10, -7, -9, 21, -3, 5, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 68, -10, 10, 10, -15, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -6, 9, 1, -7, 6, 2, 2, 2, -1, 1, 6, 2, 2, 5, 3, 3, 3, 3, 3, 3, 3, 3, 3, -6, 3, 3, 3, 3, 85, -9, 9, 8, -7, -6, -66, 74, -5, 23, -15, -67, 68, 5, 2, 11, -76, 71, 10, 5, 6, 7, -73, 6, 2, 2, 2, -1, 1, 6, 2, 2, 3, -13, 9, 0, 17, -36, 25, 17, 5, -6, 5, -5, -32, 39, 8, -13, 15, -10, -3, 4, 4, 16, -1, -63, 71, -12, 0, 20, -1, -11, 0, 11, -7, 15, -7, -4, -50, 58, 10, 2, -6, 7, -5, -4, 22, -13, 9, -58, 58, 0, 11, -7, 15, -7, -4, 15, -8, 16, -1, -4, -3, -52, 55, 14, 1, 8, -13, 11, 8, -68, 23, 46, 1, 8, -13, 21, -2, 6, 2, 2, 2, -1, 1, 6, 2, 3, -4, 0, 17, -31, 40, -4, 3, -13, 10, -24, 20, 15, 6, -11, -4, 4, 67, 4, -1, -10, -50, 54, 15, 7, -10, 7, -6, 11, -25, 6, 2, 2, 2, -1, 1, 6, 2, 3, 0, 6, 2, 2, 2, -1, 1, 6, 2, 3, -2, -13, 16, 3, -69, 7, -3, 13, -68, 71, 5, -17, -51, 69, -10, 10, 10, -70, 69, 4, -1, 3, 5, 70, 8, -4, 3, -13, 10, -60, 53, 9, 7, -61, 68, -10, 10, 10, -70, 69, 4, -1, 3, 5, 0, 17, -38, 31, 7, -7, -50, 31, 41, -6, -9, 5, 15, -5, -1, 5, 3, 10, -7, -18, 15, 11, -62, 0, 60, 10, -1, -6, 4, 5, 12, -9, 0, 17, -49, 49, 2, -2, -1, -4, 0, 21, -9, 8, 1, -41, 46, 1, 8, -13, 21, -2, 63, 43, 8, -5, -8, -66, 86, -3, -2, -4, 11, -50, -24, 60, 7, -3, 13, -68, 59, 10, -1, -6, 4, 5, 12, -9, -56, 70, -13, 13, -15, 13, 2, 5, -10, -51, 59, 10, -1, -6, 4, 5, 12, -9, -56, 71, -2, 0, 17, -36, 25, 17, 5, -6, 5, -5, -26, 35, -9, 15, -15, 21, -3, 5, -34, 21, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 54, 18, -15, 15, -8, 6, 2, 2, 2, -1, 1, 6, 2, 3, 4, 67, 4, -1, -10, -50, 60, 8, 3, 1, 5, 4, 1, 67, 4, -1, -10, -50, 70, -12, 9, -4, -53, 64, -10, 17, 5, 6, 2, 2, 2, -1, 1, 6, 2, 3, 2, 56, 2, -68, 28, 6, 2, 2, 2, -1, 1, 6, 2, 4, -3, 7, 12, -1, 0, -2, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, 4, -9, 3, 9, 6, 2, 2, 2, -1, 1, 6, 2, 4, -5, 0, 17, -31, 24, 6, -24, 20, 15, -7, -6,[...], 9, 1, -7, 28, -10, 3, -17, 21, -13, 3, -7, 3, 5, -1, 1, 5, 1, 1, 2, 2, 2, 9, -1, -2, 1, 9, -3, 0};
        EmulatorDetector.h = 128;
    }
    

    0x02 Decode函数

    然后再用e方法解析, 需要传入三个参:

    private static String e(short arg7, short arg8, byte arg9) {
        int v9 = 118 - arg9;
        byte[] v0 = EmulatorDetector.j;
        int v7 = arg7 + 1;
        byte[] v1 = new byte[v7];
        EmulatorDetector.g = (EmulatorDetector.i + 119) % 128;
        int v3 = 1251 - arg8;
        int v8;
        for(v8 = 0; true; v8 = v4) {
            int v4 = v8 + 1;
            v1[v8] = ((byte)v9);
            if(v4 == v7) {
                break;
            }
    
            ++v3;
            v8 = v0[v3];
            int v5 = EmulatorDetector.g + 25;
            EmulatorDetector.i = v5 % 128;
            int v6 = 57;
            v5 = v5 % 2 == 0 ? 57 : 64;
            v9 = v5 != v6 ? v9 >> v8 << 101 : v9 + v8 - 2;
        }
    
        return new String(v1, 0).intern();
    }
    

    但是调了很久都没有调出来正常运行,EmulatorDetector.i这个全局变量的初始化去找了一下,发现在isRunningInEmulater那里没有初始化它就直接调用了,然而在static{}那里也没有初始化它就直接调用e函数,这就很奇怪了,没有初始化就赋值肯定会出问题。

    0x03 decode字符串

    这肯定就是初始化字符串的静态方法:

    static {
        EmulatorDetector.c();
        String[] v1 = new String[9];
        v1[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 298)), ((byte)EmulatorDetector.j[177]));
        v1[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 1100 | EmulatorDetector.h ^ 1100)), ((byte)EmulatorDetector.j[177]));
        v1[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[589]), ((short)(EmulatorDetector.h & 1036 | EmulatorDetector.h ^ 1036)), ((byte)EmulatorDetector.j[177]));
        v1[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 876)), ((byte)EmulatorDetector.j[177]));
        byte v2 = ((byte)EmulatorDetector.j[159]);
        v1[4] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 742 | v2 & 742)), ((byte)EmulatorDetector.j[177]));
        v1[5] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h | 1100)), ((byte)EmulatorDetector.j[177]));
        v1[6] = EmulatorDetector.e(((byte)EmulatorDetector.j[223]), 893, ((byte)EmulatorDetector.j[177]));
        v1[7] = EmulatorDetector.e(((byte)EmulatorDetector.j[75]), ((short)(EmulatorDetector.h << 2)), ((byte)EmulatorDetector.j[177]));
        v1[8] = EmulatorDetector.e(((byte)EmulatorDetector.j[198]), 1109, ((byte)EmulatorDetector.j[177]));
        EmulatorDetector.a = v1;
        v1 = new String[2];
        v2 = ((byte)EmulatorDetector.j[870]);
        v1[0] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 212 | v2 & 212)), ((byte)EmulatorDetector.j[177]));
        v2 = ((byte)EmulatorDetector.j[198]);
        v1[1] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 793 | v2 & 793)), ((byte)EmulatorDetector.j[177]));
        EmulatorDetector.d = v1;
        g[] v1_1 = new g[17];
        byte v11 = ((byte)EmulatorDetector.j[627]);
        String v11_1 = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 1193 | v11 & 1193)), ((byte)EmulatorDetector.j[40]));
        String[] v12 = new String[3];
        v12[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[35]), ((short)(-EmulatorDetector.j[729])), ((byte)EmulatorDetector.j[459]));
        byte v5 = ((byte)EmulatorDetector.j[4]);
        v12[1] = EmulatorDetector.e(((short)v5), ((short)(v5 ^ 472 | v5 & 472)), ((byte)EmulatorDetector.j[9]));
        v12[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[80]), 296, ((byte)EmulatorDetector.j[26]));
        v1_1[0] = new g(v11_1, v12);
        v1_1[1] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h + 2)), ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[4]), ((short)(EmulatorDetector.h & 344 | EmulatorDetector.h ^ 344)), ((byte)EmulatorDetector.j[109])), EmulatorDetector.e(((byte)EmulatorDetector.j[4]), 114, ((byte)EmulatorDetector.j[0]))});
        String v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[0]), 289, ((byte)EmulatorDetector.j[40]));
        String[] v11_2 = new String[3];
        v11_2[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[5]), ((short)(EmulatorDetector.h | 540)), ((byte)EmulatorDetector.j[25]));
        v11_2[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[80]), ((short)(EmulatorDetector.h & 637 | EmulatorDetector.h ^ 637)), ((byte)EmulatorDetector.j[97]));
        byte v12_1 = ((byte)EmulatorDetector.j[75]);
        v11_2[2] = EmulatorDetector.e(((short)v12_1), ((short)(v12_1 ^ 898 | v12_1 & 898)), ((byte)EmulatorDetector.j[99]));
        v1_1[2] = new g(v5_1, v11_2);
        v5 = ((byte)EmulatorDetector.j[30]);
        v1_1[3] = new g(EmulatorDetector.e(((short)v5), ((short)(v5 | 1173)), ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[80]), ((short)(EmulatorDetector.h | 338)), ((byte)EmulatorDetector.j[0])), EmulatorDetector.e(((byte)EmulatorDetector.j[12]), ((short)(EmulatorDetector.h ^ 770 | EmulatorDetector.h & 770)), ((byte)EmulatorDetector.j[109]))});
        v1_1[4] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[0]), 371, ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[4]), 114, ((byte)EmulatorDetector.j[0])), EmulatorDetector.e(((byte)EmulatorDetector.j[80]), 296, ((byte)EmulatorDetector.j[26]))});
        v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 614 | EmulatorDetector.h ^ 614)), ((byte)EmulatorDetector.j[40]));
        String[] v10 = new String[1];
        v11 = ((byte)EmulatorDetector.j[109]);
        v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 758 | v11 & 758)), ((byte)EmulatorDetector.j[188]));
        v1_1[5] = new g(v5_1, v10);
        v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[144]), ((short)(EmulatorDetector.h & 519 | EmulatorDetector.h ^ 519)), ((byte)EmulatorDetector.j[40]));
        v10 = new String[1];
        v11 = ((byte)EmulatorDetector.j[109]);
        v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 | 787)), ((byte)EmulatorDetector.j[92]));
        v1_1[6] = new g(v5_1, v10);
        v1_1[7] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[0]), 844, ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[5]), ((short)(EmulatorDetector.h & 540 | EmulatorDetector.h ^ 540)), ((byte)EmulatorDetector.j[25])), EmulatorDetector.e(((byte)EmulatorDetector.j[4]), ((short)(EmulatorDetector.h & 344 | EmulatorDetector.h ^ 344)), ((byte)EmulatorDetector.j[109])), EmulatorDetector.e(((byte)EmulatorDetector.j[80]), ((short)(EmulatorDetector.h | 860)), ((byte)EmulatorDetector.j[159]))});
        v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[26]), 98, ((byte)EmulatorDetector.j[40]));
        v10 = new String[4];
        v10[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[892]), ((short)EmulatorDetector.j[379]), ((byte)EmulatorDetector.j[0]));
        v10[1] = EmulatorDetector.e(((byte)(EmulatorDetector.j[764] - 1)), 1139, ((byte)EmulatorDetector.j[0]));
        v11 = ((byte)EmulatorDetector.j[589]);
        v10[2] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 614 | v11 & 614)), ((byte)EmulatorDetector.j[0]));
        v10[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[627]), ((short)(EmulatorDetector.h & 841 | EmulatorDetector.h ^ 841)), ((byte)EmulatorDetector.j[0]));
        v1_1[8] = new g(v5_1, v10);
        v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[218]), ((short)(EmulatorDetector.h & 853 | EmulatorDetector.h ^ 853)), ((byte)EmulatorDetector.j[40]));
        v10 = new String[1];
        v11 = ((byte)EmulatorDetector.j[4]);
        v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 472 | v11 & 472)), ((byte)EmulatorDetector.j[9]));
        v1_1[9] = new g(v5_1, v10);
        v5 = ((byte)EmulatorDetector.j[892]);
        v5_1 = EmulatorDetector.e(((short)v5), ((short)(v5 ^ 929 | v5 & 929)), ((byte)EmulatorDetector.j[40]));
        v10 = new String[1];
        v11 = ((byte)EmulatorDetector.j[40]);
        v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 530 | v11 & 530)), ((byte)EmulatorDetector.j[5]));
        v1_1[10] = new g(v5_1, v10);
        v5 = ((byte)EmulatorDetector.j[892]);
        v1_1[11] = new g(EmulatorDetector.e(((short)v5), ((short)(v5 | 512)), ((byte)EmulatorDetector.j[111])), new String[0]);
        v1_1[12] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[0]), ((short)(EmulatorDetector.h | 17)), ((byte)EmulatorDetector.j[12])), new String[0]);
        v5 = ((byte)EmulatorDetector.j[892]);
        v1_1[13] = new g(EmulatorDetector.e(((short)v5), ((short)(v5 ^ 1025 | v5 & 1025)), ((byte)EmulatorDetector.j[12])), new String[0]);
        v1_1[14] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[892]), ((short)(EmulatorDetector.h & 35 | EmulatorDetector.h ^ 35)), ((byte)EmulatorDetector.j[12])), new String[0]);
        v1_1[15] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[627]), 787, ((byte)EmulatorDetector.j[40])), new String[0]);
        v1_1[16] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[892]), 1073, ((byte)EmulatorDetector.j[40])), new String[0]);
        EmulatorDetector.c = v1_1;
        v1_1 = new g[5];
        v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 363 | EmulatorDetector.h ^ 363)), ((byte)EmulatorDetector.j[0]));
        v10 = new String[16];
        v10[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 801 | EmulatorDetector.h ^ 801)), ((byte)EmulatorDetector.j[188]));
        v10[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 550 | EmulatorDetector.h ^ 550)), ((byte)EmulatorDetector.j[188]));
        v10[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 597 | EmulatorDetector.h ^ 597)), ((byte)EmulatorDetector.j[188]));
        v10[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 592, ((byte)EmulatorDetector.j[188]));
        v10[4] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 544, ((byte)EmulatorDetector.j[188]));
        v11 = ((byte)EmulatorDetector.j[30]);
        v10[5] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 544 | v11 & 544)), ((byte)EmulatorDetector.j[188]));
        v10[6] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 320, ((byte)EmulatorDetector.j[188]));
        v10[7] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 356, ((byte)EmulatorDetector.j[188]));
        v10[8] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 274, ((byte)EmulatorDetector.j[188]));
        v10[9] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 306, ((byte)EmulatorDetector.j[188]));
        v10[10] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 60 | EmulatorDetector.h ^ 60)), ((byte)EmulatorDetector.j[188]));
        v10[11] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 84 | EmulatorDetector.h ^ 84)), ((byte)EmulatorDetector.j[188]));
        v10[12] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)EmulatorDetector.j[321]), ((byte)EmulatorDetector.j[188]));
        v10[13] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 1110 | EmulatorDetector.h ^ 1110)), ((byte)EmulatorDetector.j[188]));
        v10[14] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 1120 | EmulatorDetector.h ^ 1120)), ((byte)EmulatorDetector.j[188]));
        v10[15] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 1065 | EmulatorDetector.h ^ 1065)), ((byte)EmulatorDetector.j[188]));
        v1_1[0] = new g(v5_1, v10);
        v1_1[1] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[75]), ((short)(EmulatorDetector.h & 264 | EmulatorDetector.h ^ 264)), ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[4]), 793, ((byte)EmulatorDetector.j[99]))});
        v1_1[2] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[97]), 264, ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[26]), ((short)EmulatorDetector.j[109]), ((byte)(-EmulatorDetector.j[121])))});
        v1_1[3] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[223]), ((short)(EmulatorDetector.h & 74 | EmulatorDetector.h ^ 74)), ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[223]), 1025, ((byte)EmulatorDetector.j[685]))});
        v1_1[4] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 108, ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[223]), 858, ((byte)EmulatorDetector.j[92])), EmulatorDetector.e(((byte)EmulatorDetector.j[0]), ((short)(EmulatorDetector.h & 50 | EmulatorDetector.h ^ 50)), ((byte)EmulatorDetector.j[97])), EmulatorDetector.e(((byte)EmulatorDetector.j[223]), ((short)(EmulatorDetector.h | 587)), ((byte)EmulatorDetector.j[92]))});
        EmulatorDetector.e = v1_1;
        g[] v0 = new g[2];
        String v2_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[218]), 346, ((byte)EmulatorDetector.j[177]));
        String[] v5_2 = new String[1];
        byte v7 = ((byte)EmulatorDetector.j[40]);
        v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 ^ 306 | v7 & 306)), ((byte)EmulatorDetector.j[92]));
        v0[0] = new g(v2_1, v5_2);
        v2 = ((byte)EmulatorDetector.j[223]);
        v2_1 = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 320 | v2 & 320)), ((byte)EmulatorDetector.j[177]));
        v5_2 = new String[1];
        v7 = ((byte)EmulatorDetector.j[892]);
        v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 | 392)), ((byte)EmulatorDetector.j[0]));
        v0[1] = new g(v2_1, v5_2);
        EmulatorDetector.b = v0;
        EmulatorDetector.f = new AntiHooking$HookInfo();
        EmulatorDetector.g = (EmulatorDetector.i + 53) % 128;
    }
    

    0x04 外部调用

    外部主要是调用isRunningInEmulator方法:

    public static int isRunningInEmulator(android.content.Context context,
                                          int ok,
                                          int flags)
    
    • This method will use a series of techniques in order to determine if the application is running in an emulator or on a real device.
    • Parameters:
      • context - Application context.
      • ok - Return code indicating no emulator was found.
        flags - Flags enabling some configuration of the employed checks.
    • Returns:
      Returns 'ok' if not on an emulator, a variation of 'ok' containing an error code when an emulator was detected.

    isRunningInEmulator同时利用了重载,下面我们主要分析一下这个方法做了什么:

    package anti_emulator;
    
    import java.lang.reflect.Field;
    import java.lang.reflect.Method;
    import java.util.ArrayList;
    import java.util.HashMap;
    
    public class EmulatorDetector {
        public static void main(String args[]) {
            
        }
        
      public static final int FAIL_ON_MITIGATED_TAMPER_ATTEMPT = 2;
      public static final int IGNORE_TAMPER_ATTEMPTS = 4;
      private static final String[] a = null;
    //  private static final g[] b = null;
    //  private static final g[] c = null;
      private static final String[] d = null;
    //  private static final g[] e = null;
    //  private static AntiHooking$HookInfo f = null;
      private static int g = 1;
      private static int h;
      private static int i = 0;
      private static byte[] j;
      
      static {
        EmulatorDetector.c();
        String[] v1 = new String[9];
        v1[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 298)), ((byte)EmulatorDetector.j[177]));
        v1[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 1100 | EmulatorDetector.h ^ 1100)), ((byte)EmulatorDetector.j[177]));
        v1[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[589]), ((short)(EmulatorDetector.h & 1036 | EmulatorDetector.h ^ 1036)), ((byte)EmulatorDetector.j[177]));
        v1[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 876)), ((byte)EmulatorDetector.j[177]));
        byte v2 = ((byte)EmulatorDetector.j[159]);
        v1[4] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 742 | v2 & 742)), ((byte)EmulatorDetector.j[177]));
        v1[5] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h | 1100)), ((byte)EmulatorDetector.j[177]));
        v1[6] = EmulatorDetector.e(((byte)EmulatorDetector.j[223]), (short) 893, ((byte)EmulatorDetector.j[177]));
        v1[7] = EmulatorDetector.e(((byte)EmulatorDetector.j[75]), ((short)(EmulatorDetector.h << 2)), ((byte)EmulatorDetector.j[177]));
        v1[8] = EmulatorDetector.e(((byte)EmulatorDetector.j[198]), (short) 1109, ((byte)EmulatorDetector.j[177]));
        String[] v1 = new String[2];
        byte v2 = ((byte)EmulatorDetector.j[870]);
        v1[0] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 212 | v2 & 212)), ((byte)EmulatorDetector.j[177]));
        v2 = ((byte)EmulatorDetector.j[198]);
        v1[1] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 793 | v2 & 793)), ((byte)EmulatorDetector.j[177]));
        
        for(int i = 0; i <= 8; i++) {
          System.out.println(v1[i]);
        }
      }
      
      private static String e(short arg7, short arg8, byte arg9) {
        int v9 = 118 - arg9;
        byte[] v0 = EmulatorDetector.j;
        int v7 = arg7 + 1;
        byte[] v1 = new byte[v7];
        EmulatorDetector.g = (EmulatorDetector.i + 119) % 128;
        int v3 = 1251 - arg8;
        int v8;
        for(int ii = 0; true; ii++) {
            int v4 = ii + 1;
            v1[ii] = ((byte)v9);
            if(v4 == v7) {
                break;
            }
    
            ++v3;
            v8 = v0[v3];
            int v5 = EmulatorDetector.g + 25;
            EmulatorDetector.i = v5 % 128;
            int v6 = 57;
            v5 = v5 % 2 == 0 ? 57 : 64;
            v9 = v5 != v6 ? v9 >> v8 << 101 : v9 + v8 - 2;
        }
    
        return new String(v1, 0).intern();
      }
      
      private static void c() {
        j = new byte[] { 15, 80, -22, 125, 6, 2, 2, 2, -1, 1, 6, 2, 5, -4, 6, 2, 2, 2, -1, 1, 6, 2, 5, -6, 55, 3, 19, -69, 68, -10, 10, 10, -20, 19, -5, 9, -9, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, -10, 15, 9, -13, -3, 4, 19, 3, -1, -11, 15, 6, 2, 2, 2, -1, 1, 6, 2, 5, -2, -1, -63, 60, -5, 19, -12, 21, -20, 19, -11, 75, 7, -76, 72, 5, 5, -5, -41, -24, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 53, 1, 20, -12, -1, 1, 15, -8, -3, 10, 0, 11, 13, -19, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, -5, 70, -13, 9, -10, 27, -62, 0, -5, 58, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, 70, 8, -4, 3, -13, 10, -60, 63, -1, -5, -49, 63, -1, -5, 3, -2, 16, -10, 13, 2, 5, -10, -2, 7, 3, -1, 21, -12, -6, 20, -10, 10, 10, -69, 71, -2, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -69, 59, 7, -5, 16, 73, 36, -1, 3, -9, 15, 4, 7, -87, 17, -10, -54, -10, 10, 10, -69, 71, -11, -54, 58, -3, 12, -4, -4, 6, 0, 14, -6, 15, -15, 0, 1, 4, 6, -4, 2, 2, 2, 2, 2, 2, 2, 2, 2, 42, -1, -6, 4, 5, 12, -9, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 58, 0, 11, 13, -19, 17, -7, 2, -11, 27, -62, 0, -1, -63, 54, 15, 2, 7, -6, 5, -12, 5, 3, 15, 0, 11, -7, 15, -7, -4, -50, 73, -18, 15, 11, -62, 0, 60, -63, 73, -18, 15, 11, -62, 0, 60, -1, -63, 54, 21, -10, 5, -6, -52, 56, 7, 12, -1, -2, -9, 26, -73, 61, -3, 6, 2, 2, 2, -1, 1, 6, 2, 2, 1, 49, 2, -78, 52, 37, -5, 8, -9, 6, -6, -67, 72, 11, 5, -80, 37, 39, 12, -1, 0, -6, -18, 15, 11, -62, 0, 70, 8, -4, -66, 68, -10, 10, 10, -20, 23, 0, -15, 4, 4, 63, 43, 8, -5, -8, -66, 79, -10, 21, -15, 7, 3, 7, -5, -69, 70, -1, 21, -17, -36, -25, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, -1, -63, 54, 21, -10, 5, -6, -52, 68, 4, -1, -9, 19, -16, 19, 70, 8, -4, -66, 55, 3, 19, -11, -4, 4, 16, -66, 73, -11, 11, 4, 3, -18, 13, -59, 64, -2, 12, -14, -50, 52, 15, -8, 16, -1, -4, -3, -3, 4, 5, 0, 47, -8, 16, -1, -4, -3, -1, -63, 63, -4, 15, -2, -7, 9, -60, 53, 15, -8, 16, -1, -4, -3, -52, 69, -10, 10, 10, -15, 10, 10, -7, -9, 21, -3, 5, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 68, -10, 10, 10, -15, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -6, 9, 1, -7, 6, 2, 2, 2, -1, 1, 6, 2, 2, 5, 3, 3, 3, 3, 3, 3, 3, 3, 3, -6, 3, 3, 3, 3, 85, -9, 9, 8, -7, -6, -66, 74, -5, 23, -15, -67, 68, 5, 2, 11, -76, 71, 10, 5, 6, 7, -73, 6, 2, 2, 2, -1, 1, 6, 2, 2, 3, -13, 9, 0, 17, -36, 25, 17, 5, -6, 5, -5, -32, 39, 8, -13, 15, -10, -3, 4, 4, 16, -1, -63, 71, -12, 0, 20, -1, -11, 0, 11, -7, 15, -7, -4, -50, 58, 10, 2, -6, 7, -5, -4, 22, -13, 9, -58, 58, 0, 11, -7, 15, -7, -4, 15, -8, 16, -1, -4, -3, -52, 55, 14, 1, 8, -13, 11, 8, -68, 23, 46, 1, 8, -13, 21, -2, 6, 2, 2, 2, -1, 1, 6, 2, 3, -4, 0, 17, -31, 40, -4, 3, -13, 10, -24, 20, 15, 6, -11, -4, 4, 67, 4, -1, -10, -50, 54, 15, 7, -10, 7, -6, 11, -25, 6, 2, 2, 2, -1, 1, 6, 2, 3, 0, 6, 2, 2, 2, -1, 1, 6, 2, 3, -2, -13, 16, 3, -69, 7, -3, 13, -68, 71, 5, -17, -51, 69, -10, 10, 10, -70, 69, 4, -1, 3, 5, 70, 8, -4, 3, -13, 10, -60, 53, 9, 7, -61, 68, -10, 10, 10, -70, 69, 4, -1, 3, 5, 0, 17, -38, 31, 7, -7, -50, 31, 41, -6, -9, 5, 15, -5, -1, 5, 3, 10, -7, -18, 15, 11, -62, 0, 60, 10, -1, -6, 4, 5, 12, -9, 0, 17, -49, 49, 2, -2, -1, -4, 0, 21, -9, 8, 1, -41, 46, 1, 8, -13, 21, -2, 63, 43, 8, -5, -8, -66, 86, -3, -2, -4, 11, -50, -24, 60, 7, -3, 13, -68, 59, 10, -1, -6, 4, 5, 12, -9, -56, 70, -13, 13, -15, 13, 2, 5, -10, -51, 59, 10, -1, -6, 4, 5, 12, -9, -56, 71, -2, 0, 17, -36, 25, 17, 5, -6, 5, -5, -26, 35, -9, 15, -15, 21, -3, 5, -34, 21, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 54, 18, -15, 15, -8, 6, 2, 2, 2, -1, 1, 6, 2, 3, 4, 67, 4, -1, -10, -50, 60, 8, 3, 1, 5, 4, 1, 67, 4, -1, -10, -50, 70, -12, 9, -4, -53, 64, -10, 17, 5, 6, 2, 2, 2, -1, 1, 6, 2, 3, 2, 56, 2, -68, 28, 6, 2, 2, 2, -1, 1, 6, 2, 4, -3, 7, 12, -1, 0, -2, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, 4, -9, 3, 9, 6, 2, 2, 2, -1, 1, 6, 2, 4, -5, 0, 17, -31, 24, 6, -24, 20, 15, -7, -6, 13, -28, 41, -6, -9, 5, 15, 70, 8, -4, -66, 55, 3, 19, -11, -4, 4, 16, -66, 70, 8, -4, 3, -13, 10, -60, 54, 15, 7, -68, 54, 15, 7, -67, 1, 54, 15, 7, -13, 14, -11, 14, 6, 2, 2, 2, -1, 1, 6, 2, 4, 1, 0, 17, -31, 36, -17, 19, -14, 17, -7, -5, 5, 15, -39, 29, 6, 2, 2, 2, -1, 1, 6, 2, 4, -1, -49, 1, 9, -3, 2, 1, 3, 4, 47, -42, 49, 2, 3, -51, 1, -10, 10, 10, -69, 71, -11, -54, 64, -7, 3, -3, 7, 3, 11, 7, -8, 13, 7, -10, 10, 10, -69, 60, 17, -71, 65, -10, 10, 7, -1, -4, 22, -4, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 56, 3, 19, -11, -4, 4, 0, 11, -7, 15, -7, -4, 0, 17, -46, 35, 19, -11, -4, 4, -26, 29, -1, -63, 54, 21, -10, 5, -6, -52, 58, 5, 7, -5, 0, 15, 0, 4, -7, 7, 8, 0, 11, -7, 15, -7, -4, -50, 70, -13, 9, -58, 58, 0, 11, -7, 15, -7, -4, 6, 2, 2, 2, -1, 1, 6, 2, 4, 3, 32, 11, 13, -10, 4, 7, -9, 8, 1, 72, 8, -9, 8, 2, 0, 1, -52, 15, -8, 16, -1, -4, -3, -52, 68, -9, 15, -3, -2, 12, 2, -8, 8, 1, -62, 38, -11, -2, 5, 29, -13, -6, 9, 1, -7, 28, -10, 3, -17, 21, -13, 3, -7, 3, 5, -1, 1, 5, 1, 1, 2, 2, 2, 9, -1, -2, 1, 9, -3, 0 };
        EmulatorDetector.h = 128;
      }
    }
    
    • EmulatorDetector中的a字符串数组内容如下:
      虚拟机特征目录

    可知这些都是模拟器的特征目录和文件, 应该是要查找是否有这些特征目录的.

    我们选择这个深入分析一下:

    isRunningInEmulator方法里调用了这个字符串数组:

    v2_1 = AntiHooking.e(EmulatorDetector.a, EmulatorDetector.f);
    v3 = v2_1 < 0 ? 1 : 0;
    // EmulatorDetector.f是AntiHooking$HookInfo的实例化.
    

    而v2_1是isRunningInEmulator方法的返回值, 即如果返回值大于0则表示是虚拟机.

    跟进AntiHookinge方法:

    public static int e(String[] arg5, AntiHooking$HookInfo arg6) {
        AntiHooking.m = (AntiHooking.l + 85) % 128;
        AntiHooking.l = ((AntiHooking.m & 37) + (AntiHooking.m | 37)) % 128;
        int v1;
        for(v1 = 0; true; v1 = ((v2 | 96) << 1) - (v2 ^ 96)) {
            int v2 = v1 >= arg5.length ? 0 : 1;
            if(v2 != 1) {
                AntiHooking.m = (((AntiHooking.l | 89) << 1) - (AntiHooking.l ^ 89)) % 128;
                return -1;
            }
    
            AntiHooking.l = ((AntiHooking.m & 39) + (AntiHooking.m | 39)) % 128;
            if(AntiHooking.c(AntiHooking.a(arg5[v1], arg6), arg6)) {
                byte v0 = ((byte)AntiHooking.i[206]);
                byte v2_1 = ((byte)AntiHooking.i[36]);
                new StringBuilder(AntiHooking.a(v0, ((short)v2_1), ((short)(v2_1 ^ 172 | v2_1 & 172)))).append(arg5[v1]);
                AntiHooking.m = ((AntiHooking.l & 3) + (AntiHooking.l | 3)) % 128;
                return v1;
            }
    
            v2 = ((v1 | -95) << 1) - (v1 ^ -95);
        }
    }
    

    我们能看到有一个重要的判断:

    if(AntiHooking.c(AntiHooking.a(arg5[v1], arg6), arg6))
    

    所以我们先分析a方法:

    public static File a(String arg5, AntiHooking$HookInfo arg6) {
        int v5;
        Object v6;
        AntiHooking.l = (((AntiHooking.m | 123) << 1) - (AntiHooking.m ^ 123)) % 128;
        try {
            v6 = AntiHooking.c(File.class.getConstructor(String.class), File.class, new Object[]{arg5}, arg6);
            v5 = AntiHooking.l;
        }
        catch(Exception ) {
            return new File(((String)v5));
        }
    
        AntiHooking.m = ((v5 & 59) + (v5 | 59)) % 128;
        return ((File)v6);
    }
    

    最终我们能跟到c方法中的invoke方法, 也就是我们熟知的反射了:

    return v9_1.invoke(v4_1, v0_2);
    
    • d字符串数组如下:

      /sys/devices/system/cpu/cpu0/cpufreq
      /sys/devices/virtual/misc/android_adb
      

      能看出是要查看CPU信息以及设备版本信息.

    • c字符串数组如下:

      g[] v1_1 = new g[17];
      byte v11 = ((byte)j[627]);
      String v11_1 = e(((short)v11), ((short)(v11 ^ 1193 | v11 & 1193)), ((byte)j[40]));
      //    System.out.println(v11_1);
      String[] v12 = new String[3];
      v12[0] = e(((byte)j[35]), ((short)(-j[729])), ((byte)j[459]));
      byte v5 = ((byte)j[4]);
      v12[1] = e(((short)v5), ((short)(v5 ^ 472 | v5 & 472)), ((byte)j[9]));
      v12[2] = e(((byte)j[80]), (short) 296, ((byte)j[26]));
      v1_1[0] = new g(v11_1, v12);
      v1_1[1] = new g(e(((byte)j[159]), ((short)(h + 2)), ((byte)j[40])), new String[]{e(((byte)j[4]), ((short)(h & 344 | h ^ 344)), ((byte)j[109])), e(((byte)j[4]), (short) 114, ((byte)j[0]))});
      String v5_1 = e(((byte)j[0]), (short) 289, ((byte)j[40]));
      String[] v11_2 = new String[3];
      v11_2[0] = e(((byte)j[5]), ((short)(h | 540)), ((byte)j[25]));
      v11_2[1] = e(((byte)j[80]), ((short)(h & 637 | h ^ 637)), ((byte)j[97]));
      byte v12_1 = ((byte)j[75]);
      v11_2[2] = e(((short)v12_1), ((short)(v12_1 ^ 898 | v12_1 & 898)), ((byte)j[99]));
      v1_1[2] = new g(v5_1, v11_2);
      v5 = ((byte)j[30]);
      v1_1[3] = new g(e(((short)v5), ((short)(v5 | 1173)), ((byte)j[40])), new String[]{e(((byte)j[80]), ((short)(h | 338)), ((byte)j[0])), e(((byte)j[12]), ((short)(h ^ 770 | h & 770)), ((byte)j[109]))});
      v1_1[4] = new g(e(((byte)j[0]), (short) 371, ((byte)j[40])), new String[]{e(((byte)j[4]), (short) 114, ((byte)j[0])), e(((byte)j[80]), (short) 296, ((byte)j[26]))});
      v5_1 = e(((byte)j[111]), ((short)(h & 614 | h ^ 614)), ((byte)j[40]));
      String[] v10 = new String[1];
      v11 = ((byte)j[109]);
      v10[0] = e(((short)v11), ((short)(v11 ^ 758 | v11 & 758)), ((byte)j[188]));
      v1_1[5] = new g(v5_1, v10);
      v5_1 = e(((byte)j[144]), ((short)(h & 519 | h ^ 519)), ((byte)j[40]));
      v10 = new String[1];
      v11 = ((byte)j[109]);
      v10[0] = e(((short)v11), ((short)(v11 | 787)), ((byte)j[92]));
      v1_1[6] = new g(v5_1, v10);
      v1_1[7] = new g(e(((byte)j[0]), (short) 844, ((byte)j[40])), new String[]{e(((byte)j[5]), ((short)(h & 540 | h ^ 540)), ((byte)j[25])), e(((byte)j[4]), ((short)(h & 344 | h ^ 344)), ((byte)j[109])), e(((byte)j[80]), ((short)(h | 860)), ((byte)j[159]))});
      v5_1 = e(((byte)j[26]), (short) 98, ((byte)j[40]));
      v10 = new String[4];
      v10[0] = e(((byte)j[892]), ((short)j[379]), ((byte)j[0]));
      v10[1] = e(((byte)(j[764] - 1)), (short) 1139, ((byte)j[0]));
      v11 = ((byte)j[589]);
      v10[2] = e(((short)v11), ((short)(v11 ^ 614 | v11 & 614)), ((byte)j[0]));
      v10[3] = e(((byte)j[627]), ((short)(h & 841 | h ^ 841)), ((byte)j[0]));
      v1_1[8] = new g(v5_1, v10);
      v5_1 = e(((byte)j[218]), ((short)(h & 853 | h ^ 853)), ((byte)j[40]));
      v10 = new String[1];
      v11 = ((byte)j[4]);
      v10[0] = e(((short)v11), ((short)(v11 ^ 472 | v11 & 472)), ((byte)j[9]));
      v1_1[9] = new g(v5_1, v10);
      v5 = ((byte)j[892]);
      v5_1 = e(((short)v5), ((short)(v5 ^ 929 | v5 & 929)), ((byte)j[40]));
      v10 = new String[1];
      v11 = ((byte)j[40]);
      v10[0] = e(((short)v11), ((short)(v11 ^ 530 | v11 & 530)), ((byte)j[5]));
      v1_1[10] = new g(v5_1, v10);
      v5 = ((byte)j[892]);
      v1_1[11] = new g(e(((short)v5), ((short)(v5 | 512)), ((byte)j[111])), new String[0]);
      v1_1[12] = new g(e(((byte)j[0]), ((short)(h | 17)), ((byte)j[12])), new String[0]);
      v5 = ((byte)j[892]);
      v1_1[13] = new g(e(((short)v5), ((short)(v5 ^ 1025 | v5 & 1025)), ((byte)j[12])), new String[0]);
      v1_1[14] = new g(e(((byte)j[892]), ((short)(h & 35 | h ^ 35)), ((byte)j[12])), new String[0]);
      v1_1[15] = new g(e(((byte)j[627]), (short) 787, ((byte)j[40])), new String[0]);
      v1_1[16] = new g(e(((byte)j[892]), (short) 1073, ((byte)j[40])), new String[0]);
      for(int i = 0; i <= 16; i++) {
          System.out.println(Arrays.toString(v1_1[i].a));
          System.out.println(v1_1[i].b);
      }
      

      输出如下:

      [Genymotion, unknown, chromium]
      ro.product.manufacturer
      [vbox86p, generic]
      ro.product.device
      [sdk, emulator, App Runtime for Chrome]
      ro.product.model
      [goldfish, vbox86]
      ro.hardware
      [generic, chromium]
      ro.product.brand
      [1]
      ro.kernel.qemu
      [0]
      ro.secure
      [sdk, vbox86p, full_x86]
      ro.build.product
      [generic/sdk/generic, generic_x86/sdk_x86/generic_x86, generic/google_sdk/generic, generic/vbox86p/vbox86p]
      ro.build.fingerprint
      [unknown]
      ro.bootloader
      [test-]
      ro.build.display.id
      []
      init.svc.qemu-props
      []
      qemu.hw.mainkeys
      []
      qemu.sf.fake_camera
      []
      qemu.sf.lcd_density
      []
      ro.kernel.android.qemud
      []
      ro.kernel.qemu.gles
      

      可以看到上面是一些关于模拟器相关的包、目录、文件、标志位等。

    • e字符串数组如下:

      g[] v1_1 = new g[5];
      String v5_1 = e(((byte)j[111]), ((short)(h & 363 | h ^ 363)), ((byte)j[0]));
      String[] v10 = new String[16];
      v10[0] = e(((byte)j[30]), ((short)(h & 801 | h ^ 801)), ((byte)j[188]));
      v10[1] = e(((byte)j[30]), ((short)(h & 550 | h ^ 550)), ((byte)j[188]));
      v10[2] = e(((byte)j[30]), ((short)(h & 597 | h ^ 597)), ((byte)j[188]));
      v10[3] = e(((byte)j[30]), (short) 592, ((byte)j[188]));
      v10[4] = e(((byte)j[30]), (short) 544, ((byte)j[188]));
      byte v11 = ((byte)j[30]);
      v10[5] = e(((short)v11), ((short)(v11 ^ 544 | v11 & 544)), ((byte)j[188]));
      v10[6] = e(((byte)j[30]), (short) 320, ((byte)j[188]));
      v10[7] = e(((byte)j[30]), (short) 356, ((byte)j[188]));
      v10[8] = e(((byte)j[30]), (short) 274, ((byte)j[188]));
      v10[9] = e(((byte)j[30]), (short) 306, ((byte)j[188]));
      v10[10] = e(((byte)j[30]), ((short)(h & 60 | h ^ 60)), ((byte)j[188]));
      v10[11] = e(((byte)j[30]), ((short)(h & 84 | h ^ 84)), ((byte)j[188]));
      v10[12] = e(((byte)j[30]), ((short)j[321]), ((byte)j[188]));
      v10[13] = e(((byte)j[30]), ((short)(h & 1110 | h ^ 1110)), ((byte)j[188]));
      v10[14] = e(((byte)j[30]), ((short)(h & 1120 | h ^ 1120)), ((byte)j[188]));
      v10[15] = e(((byte)j[30]), ((short)(h & 1065 | h ^ 1065)), ((byte)j[188]));
      v1_1[0] = new g(v5_1, v10);
      v1_1[1] = new g(e(((byte)j[75]), ((short)(h & 264 | h ^ 264)), ((byte)j[0])), new String[]{e(((byte)j[4]), (short) 793, ((byte)j[99]))});
      v1_1[2] = new g(e(((byte)j[97]), (short) 264, ((byte)j[0])), new String[]{e(((byte)j[26]), ((short)j[109]), ((byte)(-j[121])))});
      v1_1[3] = new g(e(((byte)j[223]), ((short)(h & 74 | h ^ 74)), ((byte)j[0])), new String[]{e(((byte)j[223]), (short) 1025, ((byte)j[685]))});
      v1_1[4] = new g(e(((byte)j[30]), (short) 108, ((byte)j[0])), new String[]{e(((byte)j[223]), (short) 858, ((byte)j[92])), e(((byte)j[0]), ((short)(h & 50 | h ^ 50)), ((byte)j[97])), e(((byte)j[223]), ((short)(h | 587)), ((byte)j[92]))});
      //    e = v1_1;
      for(int i = 0; i <= 4; i++) {
          System.out.println(Arrays.toString(v1_1[i].a));
          System.out.println(v1_1[i].b);
      }
      

      字符串如下:

      [15555215554, 15555215556, 15555215558, 15555215560, 15555215562, 15555215564, 15555215566, 15555215568, 15555215570, 15555215572, 15555215574, 15555215576, 15555215578, 15555215580, 15555215582, 15555215584]
      getLine1Number
      [Android]
      getNetworkOperatorName
      [89014103211118510720]
      getSimSerialNumber
      [310260000000000]
      getSubscriberId
      [000000000000000, e21833235b6eef10, 012345678912345]
      getDeviceId
      

      可以看到, 是一些设备信息.

    • 字符串数组b:

      g[] v0 = new g[2];
      String v2_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[218]), (short) 346, ((byte)EmulatorDetector.j[177]));
      String[] v5_2 = new String[1];
      byte v7 = ((byte)EmulatorDetector.j[40]);
      v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 ^ 306 | v7 & 306)), ((byte)EmulatorDetector.j[92]));
      v0[0] = new g(v2_1, v5_2);
      byte v2 = ((byte)EmulatorDetector.j[223]);
      v2_1 = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 320 | v2 & 320)), ((byte)EmulatorDetector.j[177]));
      v5_2 = new String[1];
      v7 = ((byte)EmulatorDetector.j[892]);
      v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 | 392)), ((byte)EmulatorDetector.j[0]));
      v0[1] = new g(v2_1, v5_2);
      
      for(int i = 0; i <= 1; i++) {
          System.out.println(Arrays.toString(v0[i].a));
          System.out.println(v0[i].b);
      }
      

      字符串解析出来如下:

      [0ff :]
      /proc/ioports
      [gralloc.goldfish.so]
      /proc/self/maps
      

    0x05 RootDector

    检查方法就是通过检查root工具的包名实现的:

    public static final int IGNORE_BINARY_EXISTENCE = 64;
      public static final int NO_CIRCUMSTANTIAL = 8;
      public static final int NO_FAIL_ON_HOOKING = 32;
      public static final int NO_TRICK_APPS = 4;
      public static final int SILENT = 1;
    //  private static final String[] a;
    //  private static final String[] b;
    //  private static final String[] c;
    //  private static final String[] d;
    //  private static final String[] e;
    //  private static j f;
    //  private static AntiHooking.HookInfo g;
    //  private static j h;
    //  private static j i;
      private static String[] j;
      private static int k = 0;
      private static int l = 0;
      private static int m = 1;
      private static byte[] n;
      
      static {
        b();
        String[] v1 = new String[8];
        int v5 = 0;
        v1[0] = d((short) 618, 90, ((byte)n[47]));
        System.out.println(v1[0]);
        v1[1] = d((short) 280, 90, ((byte)n[7]));
        v1[2] = d((short) 198, ((byte)((n[228] & -1) + (n[228] | -1))), ((byte)n[28]));
        v1[3] = d((short) 786, 90, ((byte)n[21]));
        v1[4] = d(((short)(-n[517])), 90, ((byte)n[0]));
        v1[5] = d((short) 260, 90, ((byte)n[34]));
        short v2 = ((short)(((n[228] | -1) << 1) - (n[228] ^ -1)));
        v1[6] = d(v2, ((byte)(v2 - 1 - 1)), ((byte)n[121]));
        v1[7] = d(((short)((n[146] & -1) + (n[146] | -1))), 90, ((byte)n[7]));
    //    d = v1;
        for(int i=0;i<=7;i++) {
          System.out.println(v1[i]);
        }
      }
      
      private static String d(short arg5, int arg6, byte arg7) {
        byte[] v1_1;
        int v7;
        byte[] v0_1;
        int v5;
        int v0 = m + 43;
        l = v0 % 128;
        int v1 = 65;
        v0 = v0 % 2 == 0 ? 65 : 71;
        int v2 = -1;
        if(v0 != v1) {
            arg6 += 20;
            v5 = arg5 + 125;
            v0_1 = n;
            v7 = arg7 | 117;
            v1_1 = new byte[v7];
            v7 += 101;
        }
        else {
            arg6 += 9;
            v5 = arg5 + 4;
            v0_1 = n;
            v7 = 32 - arg7;
            v1_1 = new byte[v7];
            v7 += v2;
        }
    
        m = (l + 49) % 128;
        while(true) {
            ++v2;
            v1_1[v2] = ((byte)arg6);
            ++v5;
            if(v2 == v7) {
                break;
            }
    
            arg6 = arg6 - v0_1[v5] + 9;
        }
    
        return new String(v1_1, 0).intern();
      }
      
      private static void b()
      {
        n = new byte[] { 15, 80, -22, 125, -59, 3, 15, 8, 24, 1, 71, -64, 31, 2, 4, 72, 4, 14, -2, 79, -60, 6, 28, 62, -60, 7, 31, 4, 12, 5, 1, 7, 10, -3, 11, 72, -59, 26, -3, 18, -5, 12, 15, 14, 63, -42, -6, 9, 8, 5, 29, -8, 26, -4, 3, 20, 4, 18, -3, 11, 72, -52, 11, 4, 16, 1, 3, 11, 23, -4, 77, -44, -3, 11, -3, 11, 72, -48, 11, 0, -2, 21, 7, 4, 20, 3, 10, 73, -60, 7, 14, 20, -4, 6, 11, 23, -4, -3, 11, 72, -66, 29, 2, 9, 6, 1, 27, -5, 78, -60, 7, -45, -6, 26, -7, 80, -44, 4, 16, 1, 4, 17, 6, 0, 22, 64, -54, 7, 22, 2, 6, 16, -1, 20, 4, 4, -44, 12, -10, 28, 59, -52, 6, 21, 11, -2, 70, -42, 2, 4, 72, 8, -8, 23, 0, 3, -59, 26, 2, 4, 72, -59, 3, 15, 8, 24, 1, 71, -64, 31, 2, 4, 8, 64, -59, 12, 22, -11, 81, -42, -4, 19, -5, 12, 15, 14, 63, -65, 17, 10, 5, 23, 10, 63, -50, 4, 4, 8, 28, -2, 9, 16, -4, -7, 80, -44, 4, 16, 1, 4, 17, 6, 0, 22, 64, -60, 7, 14, 20, -4, 8, 7, 12, 86, -67, 12, -1, 8, 93, -71, 24, 7, 1, 19, 3, 11, -5, 20, -4, 8, 19, -1, 8, 79, -60, 3, 15, 78, -59, 12, 9, 4, 30, 7, 7, 9, 7, -5, 9, -61, 0, 3, 16, 19, 63, -3, 11, 72, -52, 11, 4, 16, -2, 12, 9, 4, 79, -52, 11, 4, 16, -5, 11, 23, -4, -3, 11, 72, -61, 21, 8, 0, 23, -3, 24, -8, 7, 4, 84, -60, 7, 14, 20, -4, 6, 11, 23, -4, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 72, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 7, 3, 16, 3, -59, 26, 2, 4, 11, -6, 52, -28, 3, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 72, -46, 14, 1, 6, 2, 27, 4, 10, 63, -3, 11, 72, -45, 8, -8, 30, 6, -9, 30, -4, 20, 7, 64, -59, 12, 9, 4, 26, 0, 6, 23, -1, -59, 3, 15, 8, 24, 1, 71, -59, 24, 62, -64, 31, 2, 4, 72, -3, 11, 72, -67, 34, 7, 4, -2, 12, 10, 10, 16, 66, -61, 24, 1, 6, 7, 12, 9, 4, 11, 22, 1, 7, 2, 26, 4, 17, 7, 94, -4, -45, 76, -64, 14, -94, 7, 12, 21, 7, -5, 9, 14, 22, -3, 17, 78, -58, -3, 10, 3, 28, 1, 4, 18, 10, 51, 35, -3, 11, 72, -47, 0, 6, 14, -3, 26, 4, 72, -49, 8, 14, 8, -4, 12, 9, 4, 6, 16, 9, 14, 4, 16, -3, 11, 72, -60, 27, -11, 12, 18, 7, 70, -60, 7, 28, -8, 8, 11, 26, -10, 24, -3, 11, 72, -45, 4, 5, 7, 10, 1, 22, 14, 8, -1, 74, -53, 0, 27, 1, -5, 18, 24, -10, 26, 4, 12, -4, 12, 9, 4, 11, -6, -29, 0, 3, 16, 19, -3, 11, 72, -42, -3, 6, 17, 2, 6, 26, -9, 78, -49, 8, 14, 8, 1, -3, 16, 12, 9, 4, 12, 5, 1, 7, 10, 4, 7, -62, 26, 0, 19, -2, 6, 76, -42, 2, 4, 7, -73, 4, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 72, 10, -46, -10, 13, 78, -3, 11, 72, -52, 5, 3, 11, 20, 8, 7, 16, -8, 10, 9, 28, 60, -59, 12, 11, 9, 21, -4, 22, 3, 11, -4, -3, 11, 72, -55, 8, 5, 20, -4, 24, 0, 3, 80, -42, -4, 19, -5, 12, 15, 14, 63, -60, 7, -44, 12, -10, 28, 59, -52, 6, 21, 11, -2, 70, -44, 12, -10, 28, 59, -52, 6, 21, 11, -2, 70, -64, 31, 2, 4, 72, 24, 7, 1, 19, 3, 11, 52, -32, -3, 11, 72, -42, -4, 19, -5, 12, 15, 14, 63, -4, 19, -5, 12, 15, 14, 63, -56, 5, 78, -28, -29, 15, 8, 24, 1, 38, -25, 12, 8, 20, -4, 7, 20, 13, -5, 24, 7, 1, 19, 3, 11, 52, -32, -3, 11, 72, -48, 1, 9, 17, 4, 16, 64, -3, 11, 72, -44, 4, 12, 2, 5, 4, 11, 78, -53, 20, 7, 1, -5, 18, 24, -10, 26, 4, -59, 3, 15, 8, 24, 1, 71, -61, 11, 10, 76, -63, 27, 65, -56, 18, 9, 10, 64, -60, 12, 9, 4, 78, -59, 3, 15, 8, 24, 1, 71, -59, 26, 2, 4, -3, 11, 72, -52, 5, 3, 11, 20, 8, 7, 16, -8, 10, 9, 28, 60, -60, 7, 14, 20, -4, 6, 11, 23, -4, -59, 3, 15, 8, 24, 1 };
        k = 173;
      }
    

    解析出来之后:

    root工具的包名

    很明显上面这些包名就是特征的root工具的包名

    0x06 AntiHooking

    private static Class a = null;
    private static ArrayList b = null;
    private static Class c = null;
    //  private static b d = null;
    private static Class e = null;
    private static Method f = null;
    private static HashMap g = null;
    private static Field h = null;
    private static byte[] i = null;
    private static int j = 0;
    private static int l = 1;
    private static int m;
    
    static {
    d();
    System.out.println(a(((byte)i[193]), (short)97, (short)378));
    System.out.println(a(((byte)(-i[136])), (short) 106, ((short)(212 & j | j ^ 18))));
    System.out.println(a(((byte)i[212]), ((byte)(-i[446])), ((short)(j + 3 - 1))));
    System.out.println(a((byte)i[31], ((byte)(((i[225] | 1) << 1) - (i[225] ^ 1))), ((short)(j & 334 | j ^ 334))));
    byte v1_2 = ((byte)(-i[8]));
    System.out.println(a(v1_2, ((byte)(v1_2 ^ 106 | v1_2 & 106)), ((short)(j | 13))));
    System.out.println(a(((byte)(-i[32])), ((byte)(-i[446])), ((short)(-i[68]))));
    System.out.println(a(((byte)i[212]), (short) 108, ((short)(-i[136]))));
    System.out.println(a(((byte)(-i[33])), ((byte)(-i[312])), (short) 275));
    byte v5 = ((byte)i[208]);
    byte v6 = ((byte)(-i[312]));
    System.out.println(a(v5, ((short)v6), ((short)(v6 ^ 167 | v6 & 167))));
    System.out.println(a(((byte)i[88]), ((byte)i[0]), (short) 344));
    
    
    byte v61 = ((byte)i[36]);
    byte v8 = ((byte)(-i[24]));
    System.out.println(a(v61, ((short)v8), ((short)(v8 ^ 160 | v8 & 160))));
    
    byte v11_1 = ((byte)i[48]);
    byte v51 = ((byte)i[0]);
    System.out.println(a(v11_1, ((short)v51), ((short)((v51 ^ 3) + ((v51 & 3) << 1)))));
    
    System.out.println(a(((byte)i[69]), ((byte)i[0]), ((short)i[151])));
    
    System.out.println(a(((byte)i[34]), ((byte)(-i[387])), ((short)(j | 57))));
    }
    
    private static String a(byte arg8, short arg9, short arg10) {
    int v10 = arg10 + 4;
    byte[] v0 = i;
    int v9 = arg9 + 9;
    int v8 = arg8 + 1;
    byte[] v2 = new byte[v8];
    int v3 = -1;
    v8 += v3;
    l = (m + 37) % 128;
    while(true) {
    ++v3;
    ++v10;
    v2[v3] = ((byte)v9);
    int v4 = 0;
    if(v3 == v8) {
    break;
    }
    
    int v5 = v0[v10];
    int v6 = l + 77;
    m = v6 % 128;
    if(v6 % 2 == 0) {
    v4 = 1;
    }
    
    if(v4 != 0) {
    v9 = v9 - v5 - 11;
    continue;
    }
    
    v9 = v9 % v5 >>> 94;
    }
    
    return new String(v2, 0).intern();
    }
    
    private static void d() {
    i = new byte[]{94, 22, 100, -15, -24, -1, -25, -8, -5, -6, 43, -64, -23, -10, -17, 4, -20, -17, 59, -32, -55, -10, -17, 4, -30, -7, -4, -5, -18, -11, -7, 19, -35, -26, 1, -18, 0, -9, -26, -7, -13, -8, -12, 69, -12, 44, -79, -8, 2, -31, 61, -62, -24, -1, -25, -8, -5, -6, 43, -85, -3, -10, -15, 3, -10, 43, -53, 10, -39, 7, -35, -26, 1, -18, 0, 17, -50, -11, -7, -5, -17, -5, -14, -13, -11, -13, -25, -11, 34, -49, 0, -17, -23, -28, -13, 28, -35, -26, 1, -18, 0, 0, -9, -26, -2, -32, 10, 40, -73, 0, -24, -4, 46, -79, 2, -12, -17, -4, -9, -28, 59, -30, -44, -28, -12, -9, 6, -13, -28, 28, -35, -26, 1, -18, 0, -16, -21, 7, -12, -21, -4, 18, -50, -11, -7, -19, -3, -10, -15, 3, -10, 32, -50, -11, -7, -5, -10, 12, -35, -26, 1, -18, 0, 22, -41, -22, -11, -1, -10, -13, -19, -19, -21, 34, -46, -14, -4, -72, -46, -14, -4, 58, -80, -30, 4, -21, -12, -10, 46, 15, 16, -10, 3, 14, -22, -16, -8, -9, -19, 29, -41, -22, -11, -8, -16, -4, 13, -46, 20, -29, -18, -5, 11, -32, -24, -6, -7, -21, -11, -1, -17, -10, -30, 4, -22, 95, -12, 44, -79, -8, 2, -31, 61, -62, -24, -1, -25, -8, -5, -6, 43, -85, -3, -10, -15, 3, -10, 43, -53, -35, -10, -15, 3, -10, 23, -59, -2, -6, -14, -9, -24, -1, -25, -8, -5, -6, 43, -76, -15, 58, -77, -13, -8, -12, 0, -24, -13, 0, -7, -25, -24, -1, -25, -8, -5, -6, 43, -76, -15, 58, -48, -49, -5, -12, 4, -19, 18, -45, -8, -12, 0, -24, -13, 0, -7, -25, -35, -19, 0, -14, -24, 71, -88, -19, -9, -12, 73, -77, -14, 58, -88, -3, -26, 1, -18, 0, 57, -90, -14, 71, -78, -23, -10, -16, -12, -9, -14, 7, -28, -6, -14, 71, -90, 2, -19, -6, -9, -28, 59, -9, -26, 25, -45, -8, -12, 0, -24, -13, -16, 51, 16, -81, -6, -19, -14, -4, -10, 57, -95, -6, 68, -81, -14, -16, -1, 57, -78, -20, 0, -29, -11, 72, -18, -2, -32, 10, 40, -83, -2, 52, -83, 6, -24, -12, -1, -17, -10, -30, 4, -21, -12, -10, -2, -32, 10, 40, -73, 0, -24, -4, 46, -79, 2, -12, -17, -4, -9, -28, 59, -30, -60, -13, 28, -35, -26, 1, -18, 0, -38, -19, -14, -4, -10, 57, -95, -6, 68, -78, -26, 2, -7, -30, 4, 58, -76, 54, -91, -13, -8, 1, -13, -25, -11, 58, -30, 8, -9, -21, 36, -48, -20, 2, -9, -28, -6, -14, -18, -16, -19, -4, -7, -5, 11, -46, -2, -9, -13, -16, 2, -22, 20, -35, -26, 1, -18, 0};
    j = 128;
    }
    

    解析的部分字符串:


    hook的一些特征模块

    猜测一下, 应该是在检测xposed模块了. 举例:

    AntiHooking.e = Class.forName(AntiHooking.a(((byte)(-AntiHooking.i[32])), ((byte)(-AntiHooking.i[v3])), ((short)(-AntiHooking.i[68]))), true, ClassLoader.getSystemClassLoader());
    // 其中传入的字符串就是"de.robv.android.xposed.XC_MethodHook"
    

    0x07 DebugDetector

        public static void main(String args[]) {
          Object[] v4 = new Object[1];
          byte v5 = ((byte)b[89]);
        short v7 = ((short)(v5 ^ 95 | v5 & 95));
        v4[0] = b(v5, v7, ((byte)(v7 & 48)));
        System.out.println(v4[0].toString());
            System.out.println(b(((byte)b[26]), (short) 304, ((byte)b[82])));
            System.out.println(b(((byte)b[32]), ((short)(c | 392)), ((byte)b[89])));
            System.out.println(b(((byte)(-b[135])), (short) 329, ((byte)b[63])));
    //      System.out.println(b(((byte)(-b[583])), (short) 6623, ((byte)b[114])));
            System.out.println(b(((byte)(-b[133])), (short) 273, ((byte)b[29])));
            System.out.println(b(((byte)(b[129] - 1)), ((short)b[129]), ((byte)b[272])));
            byte v2 = ((byte)(-b[370]));
            System.out.println(b(v2, ((short)(v2 | 256)), ((byte)b[85])));
            System.out.println(b(((byte)(-b[133])), (short) 273, ((byte)b[29])));
            System.out.println(b(((byte)(b[129] - 1)), (short) 258, ((byte)b[78])));
            String[] str = new String[19];
            
            v7 = 360;
            str[0] = b(((byte)(-b[v7])), ((short)(c & 106 | c ^ 106)), ((byte)b[250]));
            byte v3 = ((byte)b[130]);
            str[1] = b(v3, ((short)(v3 | 321)), (short) 30);
            int v8 = 129;
        int v11 = 272;
        int v16 = 7;
            str[2] = b(((byte)(b[v8] - 1)), ((short)b[v8]), ((byte)b[v11]));
            int v10 = 370;
        byte v9 = ((byte)(-b[v10]));
        short v12 = ((short)(v9 ^ 325 | v9 & 325));
            str[3] = b(v9, v12, ((byte)(v12 & 16)));
            str[4] = b(((byte)(((b[v8] | -1) << 1) - (b[v8] ^ -1))), ((short)b[v8]), ((byte)b[v11]));
            str[5] = b(((byte)(-b[v10])), ((short)(c & 392 | c ^ 392)), ((byte)b[v16]));
            str[6] = b(((byte)(b[v8] - 1)), (short) 184, ((byte)b[0]));
            str[7] = b(((byte)(-b[v10])), (short) 291, ((byte)b[v16]));
            str[8] = b(((byte)(b[v8] - 1)), (short) 220, ((byte)(c & 24 | c ^ 24)));
            str[9] = b(((byte)b[104]), (short) 249, ((byte)b[5]));
            str[10] = b(((byte)(b[1] - 1)), (short) 216, ((byte)b[270]));
            str[11] = b(((byte)(-b[v7])), (short) 148, ((byte)b[355]));
            str[12] = b(((byte)(-b[v10])), (short) 410, ((byte)b[44]));
            str[13] = b(((byte)(b[v8] - 1)), (short) 420, ((byte)b[182]));
            str[14] = b(((byte)b[26]), (short) 371, ((byte)b[44]));
            str[15] = b(((byte)(-b[v7])), (short) 148, ((byte)b[355]));
            str[16] = b(((byte)(-b[370])), ((short)b[89]), ((byte)b[29]));
            str[17] = b(((byte)(-b[v7])), ((short)b[29]), ((byte)b[273]));
            str[18] = b(((byte)(-b[370])), ((short)(b[134] - 1)), ((byte)b[272]));
            for(int i=0; i<str.length; i++) {
              System.out.println(str[i]);
            }
            
        }
        
        private static byte[] b = null;
      private static int c = 0;
      private static int d = 0;
      private static int e = 1;
      
      static {
        c();
      }
      
    
      private static void c() {
        b = new byte[]{32, 42, 34, 123, -2, 9, -9, 13, -17, 19, -15, -34, 34, 13, 2, -11, -3, 3, -6, -2, 19, -15, -9, 21, -21, -51, 69, -14, -2, 18, -3, -9, 11, 5, -75, 53, 2, 13, 2, -70, 42, -35, -5, 9, 10, 34, 13, 2, -11, -3, 3, -6, -2, 19, -15, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 21, 44, -1, 6, -15, 19, -4, -2, 15, -33, 34, -19, 8, -5, -2, 17, -28, -35, -5, 0, 32, 34, -9, 5, -11, 6, 7, -15, 11, 65, 2, -3, -12, -52, 68, -14, 7, -6, -55, 68, 1, -19, 19, 1, -2, -9, 21, -21, 23, -74, 69, -14, -2, 18, -3, -9, 11, 5, -75, 51, 20, -1, -12, -58, 74, -67, -5, 0, -2, 42, -35, -5, 0, 32, 34, -9, 5, -11, 6, 7, -15, 11, -9, 21, -21, -51, 69, -14, -2, 18, -3, -9, 11, 5, -75, 53, 2, 13, 2, -70, 21, 34, 13, 2, -11, -3, 3, -6, -2, 19, -15, -31, 27, 2, 17, -5, 3, 7, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 66, -3, -63, 34, 17, 2, 8, -10, 6, -2, -24, 20, 13, -13, 6, -2, 13, -42, 7, -5, 9, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 66, -3, -63, 34, 17, 2, 8, -10, 6, -2, -28, 37, -8, 9, -10, -2, 7, -13, 19, 1, -3, -13, 14, 13, -10, 14, -3, -6, -5, -54, 65, 4, -69, 22, 33, -3, 19, -14, 10, -47, 33, -3, 19, -14, 0, -2, 13, -47, 44, -1, 0, -9, -2, 17, -15, -1, -2, 15, -36, 17, 2, 8, -10, 6, -2, -28, 37, -8, 9, -2, -17, 2, 2, 13, -2, -7, -5, -2, 15, -51, 47, 0, -4, -3, -6, -2, 19, -11, 6, -1, -37, 37, -8, 9, -3, -65, 54, 1, -3, 19, -14, 0, -6, 1, 10, -7, 11, -17, 4, 45, -10, 14, -3, -6, -5, -68, 36, 33, -3, 19, -14, -59, 35, -18, 4, 45, -10, 14, -3, -6, -5, -56, 23, -6, 24, -2, -5, -45, 55, -5, -15, -36, 49, 0, -17, 24, -2, 15, -36, 17, 2, 8, -10, 6, -2, -24, 20, 13, -13, 6, -2, 13, -2, 15, -36, 17, 2, 8, -10, 6, -2, -23, 19, 12, -8, -2, 15, -43, 37, 5, 1, -19, 13, -11, 2, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 66, -3, -63, 37, 22, -2, 7, -13, 19, 1, -3, -13};
        c = 5;
      }
      
      private static String b(int arg7, short arg8, short arg9) {
        e = (d + 41) % 128;
        int v9 = arg9 + 1;
        byte[] v0 = b;
        byte[] v1 = new byte[v9];
        int v3 = arg8 + 4;
        int v8 = arg7 + 47;
        for(int ii = 0; true; ii++) {
            int v4 = ii + 1;
            v1[ii] = ((byte)v8);
            if(v4 == v9) {
                break;
            }
    
    //        arg7 = v0[v3];
            d = (e + 53) % 128;
            v8 += v0[v3];
            ++v3;
        }
    
        String v7 = new String(v1, 0).intern();
        e = (d + 25) % 128;
        return v7;
      }
    

    解析出来的字符串如下:

    /proc/self/status
    tracerpid
    :
    ro.debuggable
    isDebuggerConnected
    android.content.Context
    getApplicationInfo
    isDebuggerConnected
    android.os.Debug
    javax.security.auth.x500.X500Principal
    CN=Android Debug,O=Android,C=US
    android.content.Context
    getPackageManager
    android.content.Context
    getPackageName
    android.content.pm.PackageManager
    getPackageInfo
    android.content.pm.PackageInfo
    signatures
    X.509
    java.security.cert.CertificateFactory
    getInstance
    android.content.pm.Signature
    toByteArray
    java.security.cert.CertificateFactory
    generateCertificate
    java.security.cert.X509Certificate
    getSubjectX500Principal
    

    从上面可以看到, 不仅查看了程序的status(状态), 还查询ptrace的pid, 标志位(ro.debuggable), x509证书等多种方式来判断是否处于调试状态.

    0x08 后记

    dex是一位大佬通过重编译安卓源码提取出来的, 实际就是脱了壳, 原本有native层的加固(某灰产软件). 可以考虑一下写一个jeb插件去解析这些字符串, 可以省好多时间. 这个保护其实是某国外安全公司开发的, 详见

    相关文章

      网友评论

          本文标题:某软件反虚拟机、反调试、反hook、反root分析

          本文链接:https://www.haomeiwen.com/subject/nvkhjqtx.html