[TOC]
要分析这个dex难度无异于跟一个成熟的商业公司的开发团队做对抗, 而且还是专门做返逆向分析的团队. 不仅对类, 文本字符串, 方法名做了混淆, 还混淆了算术逻辑运算和控制流. 对敏感的API还添加了反射调用.
0x01 key
初始化了一个byte数组(猜测是混淆字符串的key):
private static void c() {
EmulatorDetector.j = new byte[]{15, 80, -22, 125, 6, 2, 2, 2, -1, 1, 6, 2, 5, -4, 6, 2, 2, 2, -1, 1, 6, 2, 5, -6, 55, 3, 19, -69, 68, -10, 10, 10, -20, 19, -5, 9, -9, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, -10, 15, 9, -13, -3, 4, 19, 3, -1, -11, 15, 6, 2, 2, 2, -1, 1, 6, 2, 5, -2, -1, -63, 60, -5, 19, -12, 21, -20, 19, -11, 75, 7, -76, 72, 5, 5, -5, -41, -24, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 53, 1, 20, -12, -1, 1, 15, -8, -3, 10, 0, 11, 13, -19, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, -5, 70, -13, 9, -10, 27, -62, 0, -5, 58, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, 70, 8, -4, 3, -13, 10, -60, 63, -1, -5, -49, 63, -1, -5, 3, -2, 16, -10, 13, 2, 5, -10, -2, 7, 3, -1, 21, -12, -6, 20, -10, 10, 10, -69, 71, -2, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -69, 59, 7, -5, 16, 73, 36, -1, 3, -9, 15, 4, 7, -87, 17, -10, -54, -10, 10, 10, -69, 71, -11, -54, 58, -3, 12, -4, -4, 6, 0, 14, -6, 15, -15, 0, 1, 4, 6, -4, 2, 2, 2, 2, 2, 2, 2, 2, 2, 42, -1, -6, 4, 5, 12, -9, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 58, 0, 11, 13, -19, 17, -7, 2, -11, 27, -62, 0, -1, -63, 54, 15, 2, 7, -6, 5, -12, 5, 3, 15, 0, 11, -7, 15, -7, -4, -50, 73, -18, 15, 11, -62, 0, 60, -63, 73, -18, 15, 11, -62, 0, 60, -1, -63, 54, 21, -10, 5, -6, -52, 56, 7, 12, -1, -2, -9, 26, -73, 61, -3, 6, 2, 2, 2, -1, 1, 6, 2, 2, 1, 49, 2, -78, 52, 37, -5, 8, -9, 6, -6, -67, 72, 11, 5, -80, 37, 39, 12, -1, 0, -6, -18, 15, 11, -62, 0, 70, 8, -4, -66, 68, -10, 10, 10, -20, 23, 0, -15, 4, 4, 63, 43, 8, -5, -8, -66, 79, -10, 21, -15, 7, 3, 7, -5, -69, 70, -1, 21, -17, -36, -25, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, -1, -63, 54, 21, -10, 5, -6, -52, 68, 4, -1, -9, 19, -16, 19, 70, 8, -4, -66, 55, 3, 19, -11, -4, 4, 16, -66, 73, -11, 11, 4, 3, -18, 13, -59, 64, -2, 12, -14, -50, 52, 15, -8, 16, -1, -4, -3, -3, 4, 5, 0, 47, -8, 16, -1, -4, -3, -1, -63, 63, -4, 15, -2, -7, 9, -60, 53, 15, -8, 16, -1, -4, -3, -52, 69, -10, 10, 10, -15, 10, 10, -7, -9, 21, -3, 5, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 68, -10, 10, 10, -15, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -6, 9, 1, -7, 6, 2, 2, 2, -1, 1, 6, 2, 2, 5, 3, 3, 3, 3, 3, 3, 3, 3, 3, -6, 3, 3, 3, 3, 85, -9, 9, 8, -7, -6, -66, 74, -5, 23, -15, -67, 68, 5, 2, 11, -76, 71, 10, 5, 6, 7, -73, 6, 2, 2, 2, -1, 1, 6, 2, 2, 3, -13, 9, 0, 17, -36, 25, 17, 5, -6, 5, -5, -32, 39, 8, -13, 15, -10, -3, 4, 4, 16, -1, -63, 71, -12, 0, 20, -1, -11, 0, 11, -7, 15, -7, -4, -50, 58, 10, 2, -6, 7, -5, -4, 22, -13, 9, -58, 58, 0, 11, -7, 15, -7, -4, 15, -8, 16, -1, -4, -3, -52, 55, 14, 1, 8, -13, 11, 8, -68, 23, 46, 1, 8, -13, 21, -2, 6, 2, 2, 2, -1, 1, 6, 2, 3, -4, 0, 17, -31, 40, -4, 3, -13, 10, -24, 20, 15, 6, -11, -4, 4, 67, 4, -1, -10, -50, 54, 15, 7, -10, 7, -6, 11, -25, 6, 2, 2, 2, -1, 1, 6, 2, 3, 0, 6, 2, 2, 2, -1, 1, 6, 2, 3, -2, -13, 16, 3, -69, 7, -3, 13, -68, 71, 5, -17, -51, 69, -10, 10, 10, -70, 69, 4, -1, 3, 5, 70, 8, -4, 3, -13, 10, -60, 53, 9, 7, -61, 68, -10, 10, 10, -70, 69, 4, -1, 3, 5, 0, 17, -38, 31, 7, -7, -50, 31, 41, -6, -9, 5, 15, -5, -1, 5, 3, 10, -7, -18, 15, 11, -62, 0, 60, 10, -1, -6, 4, 5, 12, -9, 0, 17, -49, 49, 2, -2, -1, -4, 0, 21, -9, 8, 1, -41, 46, 1, 8, -13, 21, -2, 63, 43, 8, -5, -8, -66, 86, -3, -2, -4, 11, -50, -24, 60, 7, -3, 13, -68, 59, 10, -1, -6, 4, 5, 12, -9, -56, 70, -13, 13, -15, 13, 2, 5, -10, -51, 59, 10, -1, -6, 4, 5, 12, -9, -56, 71, -2, 0, 17, -36, 25, 17, 5, -6, 5, -5, -26, 35, -9, 15, -15, 21, -3, 5, -34, 21, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 54, 18, -15, 15, -8, 6, 2, 2, 2, -1, 1, 6, 2, 3, 4, 67, 4, -1, -10, -50, 60, 8, 3, 1, 5, 4, 1, 67, 4, -1, -10, -50, 70, -12, 9, -4, -53, 64, -10, 17, 5, 6, 2, 2, 2, -1, 1, 6, 2, 3, 2, 56, 2, -68, 28, 6, 2, 2, 2, -1, 1, 6, 2, 4, -3, 7, 12, -1, 0, -2, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, 4, -9, 3, 9, 6, 2, 2, 2, -1, 1, 6, 2, 4, -5, 0, 17, -31, 24, 6, -24, 20, 15, -7, -6,[...], 9, 1, -7, 28, -10, 3, -17, 21, -13, 3, -7, 3, 5, -1, 1, 5, 1, 1, 2, 2, 2, 9, -1, -2, 1, 9, -3, 0};
EmulatorDetector.h = 128;
}
0x02 Decode函数
然后再用e方法解析, 需要传入三个参:
private static String e(short arg7, short arg8, byte arg9) {
int v9 = 118 - arg9;
byte[] v0 = EmulatorDetector.j;
int v7 = arg7 + 1;
byte[] v1 = new byte[v7];
EmulatorDetector.g = (EmulatorDetector.i + 119) % 128;
int v3 = 1251 - arg8;
int v8;
for(v8 = 0; true; v8 = v4) {
int v4 = v8 + 1;
v1[v8] = ((byte)v9);
if(v4 == v7) {
break;
}
++v3;
v8 = v0[v3];
int v5 = EmulatorDetector.g + 25;
EmulatorDetector.i = v5 % 128;
int v6 = 57;
v5 = v5 % 2 == 0 ? 57 : 64;
v9 = v5 != v6 ? v9 >> v8 << 101 : v9 + v8 - 2;
}
return new String(v1, 0).intern();
}
但是调了很久都没有调出来正常运行,EmulatorDetector.i
这个全局变量的初始化去找了一下,发现在isRunningInEmulater
那里没有初始化它就直接调用了,然而在static{}
那里也没有初始化它就直接调用e
函数,这就很奇怪了,没有初始化就赋值肯定会出问题。
0x03 decode字符串
这肯定就是初始化字符串的静态方法:
static {
EmulatorDetector.c();
String[] v1 = new String[9];
v1[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 298)), ((byte)EmulatorDetector.j[177]));
v1[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 1100 | EmulatorDetector.h ^ 1100)), ((byte)EmulatorDetector.j[177]));
v1[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[589]), ((short)(EmulatorDetector.h & 1036 | EmulatorDetector.h ^ 1036)), ((byte)EmulatorDetector.j[177]));
v1[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 876)), ((byte)EmulatorDetector.j[177]));
byte v2 = ((byte)EmulatorDetector.j[159]);
v1[4] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 742 | v2 & 742)), ((byte)EmulatorDetector.j[177]));
v1[5] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h | 1100)), ((byte)EmulatorDetector.j[177]));
v1[6] = EmulatorDetector.e(((byte)EmulatorDetector.j[223]), 893, ((byte)EmulatorDetector.j[177]));
v1[7] = EmulatorDetector.e(((byte)EmulatorDetector.j[75]), ((short)(EmulatorDetector.h << 2)), ((byte)EmulatorDetector.j[177]));
v1[8] = EmulatorDetector.e(((byte)EmulatorDetector.j[198]), 1109, ((byte)EmulatorDetector.j[177]));
EmulatorDetector.a = v1;
v1 = new String[2];
v2 = ((byte)EmulatorDetector.j[870]);
v1[0] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 212 | v2 & 212)), ((byte)EmulatorDetector.j[177]));
v2 = ((byte)EmulatorDetector.j[198]);
v1[1] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 793 | v2 & 793)), ((byte)EmulatorDetector.j[177]));
EmulatorDetector.d = v1;
g[] v1_1 = new g[17];
byte v11 = ((byte)EmulatorDetector.j[627]);
String v11_1 = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 1193 | v11 & 1193)), ((byte)EmulatorDetector.j[40]));
String[] v12 = new String[3];
v12[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[35]), ((short)(-EmulatorDetector.j[729])), ((byte)EmulatorDetector.j[459]));
byte v5 = ((byte)EmulatorDetector.j[4]);
v12[1] = EmulatorDetector.e(((short)v5), ((short)(v5 ^ 472 | v5 & 472)), ((byte)EmulatorDetector.j[9]));
v12[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[80]), 296, ((byte)EmulatorDetector.j[26]));
v1_1[0] = new g(v11_1, v12);
v1_1[1] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h + 2)), ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[4]), ((short)(EmulatorDetector.h & 344 | EmulatorDetector.h ^ 344)), ((byte)EmulatorDetector.j[109])), EmulatorDetector.e(((byte)EmulatorDetector.j[4]), 114, ((byte)EmulatorDetector.j[0]))});
String v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[0]), 289, ((byte)EmulatorDetector.j[40]));
String[] v11_2 = new String[3];
v11_2[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[5]), ((short)(EmulatorDetector.h | 540)), ((byte)EmulatorDetector.j[25]));
v11_2[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[80]), ((short)(EmulatorDetector.h & 637 | EmulatorDetector.h ^ 637)), ((byte)EmulatorDetector.j[97]));
byte v12_1 = ((byte)EmulatorDetector.j[75]);
v11_2[2] = EmulatorDetector.e(((short)v12_1), ((short)(v12_1 ^ 898 | v12_1 & 898)), ((byte)EmulatorDetector.j[99]));
v1_1[2] = new g(v5_1, v11_2);
v5 = ((byte)EmulatorDetector.j[30]);
v1_1[3] = new g(EmulatorDetector.e(((short)v5), ((short)(v5 | 1173)), ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[80]), ((short)(EmulatorDetector.h | 338)), ((byte)EmulatorDetector.j[0])), EmulatorDetector.e(((byte)EmulatorDetector.j[12]), ((short)(EmulatorDetector.h ^ 770 | EmulatorDetector.h & 770)), ((byte)EmulatorDetector.j[109]))});
v1_1[4] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[0]), 371, ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[4]), 114, ((byte)EmulatorDetector.j[0])), EmulatorDetector.e(((byte)EmulatorDetector.j[80]), 296, ((byte)EmulatorDetector.j[26]))});
v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 614 | EmulatorDetector.h ^ 614)), ((byte)EmulatorDetector.j[40]));
String[] v10 = new String[1];
v11 = ((byte)EmulatorDetector.j[109]);
v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 758 | v11 & 758)), ((byte)EmulatorDetector.j[188]));
v1_1[5] = new g(v5_1, v10);
v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[144]), ((short)(EmulatorDetector.h & 519 | EmulatorDetector.h ^ 519)), ((byte)EmulatorDetector.j[40]));
v10 = new String[1];
v11 = ((byte)EmulatorDetector.j[109]);
v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 | 787)), ((byte)EmulatorDetector.j[92]));
v1_1[6] = new g(v5_1, v10);
v1_1[7] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[0]), 844, ((byte)EmulatorDetector.j[40])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[5]), ((short)(EmulatorDetector.h & 540 | EmulatorDetector.h ^ 540)), ((byte)EmulatorDetector.j[25])), EmulatorDetector.e(((byte)EmulatorDetector.j[4]), ((short)(EmulatorDetector.h & 344 | EmulatorDetector.h ^ 344)), ((byte)EmulatorDetector.j[109])), EmulatorDetector.e(((byte)EmulatorDetector.j[80]), ((short)(EmulatorDetector.h | 860)), ((byte)EmulatorDetector.j[159]))});
v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[26]), 98, ((byte)EmulatorDetector.j[40]));
v10 = new String[4];
v10[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[892]), ((short)EmulatorDetector.j[379]), ((byte)EmulatorDetector.j[0]));
v10[1] = EmulatorDetector.e(((byte)(EmulatorDetector.j[764] - 1)), 1139, ((byte)EmulatorDetector.j[0]));
v11 = ((byte)EmulatorDetector.j[589]);
v10[2] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 614 | v11 & 614)), ((byte)EmulatorDetector.j[0]));
v10[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[627]), ((short)(EmulatorDetector.h & 841 | EmulatorDetector.h ^ 841)), ((byte)EmulatorDetector.j[0]));
v1_1[8] = new g(v5_1, v10);
v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[218]), ((short)(EmulatorDetector.h & 853 | EmulatorDetector.h ^ 853)), ((byte)EmulatorDetector.j[40]));
v10 = new String[1];
v11 = ((byte)EmulatorDetector.j[4]);
v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 472 | v11 & 472)), ((byte)EmulatorDetector.j[9]));
v1_1[9] = new g(v5_1, v10);
v5 = ((byte)EmulatorDetector.j[892]);
v5_1 = EmulatorDetector.e(((short)v5), ((short)(v5 ^ 929 | v5 & 929)), ((byte)EmulatorDetector.j[40]));
v10 = new String[1];
v11 = ((byte)EmulatorDetector.j[40]);
v10[0] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 530 | v11 & 530)), ((byte)EmulatorDetector.j[5]));
v1_1[10] = new g(v5_1, v10);
v5 = ((byte)EmulatorDetector.j[892]);
v1_1[11] = new g(EmulatorDetector.e(((short)v5), ((short)(v5 | 512)), ((byte)EmulatorDetector.j[111])), new String[0]);
v1_1[12] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[0]), ((short)(EmulatorDetector.h | 17)), ((byte)EmulatorDetector.j[12])), new String[0]);
v5 = ((byte)EmulatorDetector.j[892]);
v1_1[13] = new g(EmulatorDetector.e(((short)v5), ((short)(v5 ^ 1025 | v5 & 1025)), ((byte)EmulatorDetector.j[12])), new String[0]);
v1_1[14] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[892]), ((short)(EmulatorDetector.h & 35 | EmulatorDetector.h ^ 35)), ((byte)EmulatorDetector.j[12])), new String[0]);
v1_1[15] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[627]), 787, ((byte)EmulatorDetector.j[40])), new String[0]);
v1_1[16] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[892]), 1073, ((byte)EmulatorDetector.j[40])), new String[0]);
EmulatorDetector.c = v1_1;
v1_1 = new g[5];
v5_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 363 | EmulatorDetector.h ^ 363)), ((byte)EmulatorDetector.j[0]));
v10 = new String[16];
v10[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 801 | EmulatorDetector.h ^ 801)), ((byte)EmulatorDetector.j[188]));
v10[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 550 | EmulatorDetector.h ^ 550)), ((byte)EmulatorDetector.j[188]));
v10[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 597 | EmulatorDetector.h ^ 597)), ((byte)EmulatorDetector.j[188]));
v10[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 592, ((byte)EmulatorDetector.j[188]));
v10[4] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 544, ((byte)EmulatorDetector.j[188]));
v11 = ((byte)EmulatorDetector.j[30]);
v10[5] = EmulatorDetector.e(((short)v11), ((short)(v11 ^ 544 | v11 & 544)), ((byte)EmulatorDetector.j[188]));
v10[6] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 320, ((byte)EmulatorDetector.j[188]));
v10[7] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 356, ((byte)EmulatorDetector.j[188]));
v10[8] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 274, ((byte)EmulatorDetector.j[188]));
v10[9] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 306, ((byte)EmulatorDetector.j[188]));
v10[10] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 60 | EmulatorDetector.h ^ 60)), ((byte)EmulatorDetector.j[188]));
v10[11] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 84 | EmulatorDetector.h ^ 84)), ((byte)EmulatorDetector.j[188]));
v10[12] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)EmulatorDetector.j[321]), ((byte)EmulatorDetector.j[188]));
v10[13] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 1110 | EmulatorDetector.h ^ 1110)), ((byte)EmulatorDetector.j[188]));
v10[14] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 1120 | EmulatorDetector.h ^ 1120)), ((byte)EmulatorDetector.j[188]));
v10[15] = EmulatorDetector.e(((byte)EmulatorDetector.j[30]), ((short)(EmulatorDetector.h & 1065 | EmulatorDetector.h ^ 1065)), ((byte)EmulatorDetector.j[188]));
v1_1[0] = new g(v5_1, v10);
v1_1[1] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[75]), ((short)(EmulatorDetector.h & 264 | EmulatorDetector.h ^ 264)), ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[4]), 793, ((byte)EmulatorDetector.j[99]))});
v1_1[2] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[97]), 264, ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[26]), ((short)EmulatorDetector.j[109]), ((byte)(-EmulatorDetector.j[121])))});
v1_1[3] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[223]), ((short)(EmulatorDetector.h & 74 | EmulatorDetector.h ^ 74)), ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[223]), 1025, ((byte)EmulatorDetector.j[685]))});
v1_1[4] = new g(EmulatorDetector.e(((byte)EmulatorDetector.j[30]), 108, ((byte)EmulatorDetector.j[0])), new String[]{EmulatorDetector.e(((byte)EmulatorDetector.j[223]), 858, ((byte)EmulatorDetector.j[92])), EmulatorDetector.e(((byte)EmulatorDetector.j[0]), ((short)(EmulatorDetector.h & 50 | EmulatorDetector.h ^ 50)), ((byte)EmulatorDetector.j[97])), EmulatorDetector.e(((byte)EmulatorDetector.j[223]), ((short)(EmulatorDetector.h | 587)), ((byte)EmulatorDetector.j[92]))});
EmulatorDetector.e = v1_1;
g[] v0 = new g[2];
String v2_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[218]), 346, ((byte)EmulatorDetector.j[177]));
String[] v5_2 = new String[1];
byte v7 = ((byte)EmulatorDetector.j[40]);
v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 ^ 306 | v7 & 306)), ((byte)EmulatorDetector.j[92]));
v0[0] = new g(v2_1, v5_2);
v2 = ((byte)EmulatorDetector.j[223]);
v2_1 = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 320 | v2 & 320)), ((byte)EmulatorDetector.j[177]));
v5_2 = new String[1];
v7 = ((byte)EmulatorDetector.j[892]);
v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 | 392)), ((byte)EmulatorDetector.j[0]));
v0[1] = new g(v2_1, v5_2);
EmulatorDetector.b = v0;
EmulatorDetector.f = new AntiHooking$HookInfo();
EmulatorDetector.g = (EmulatorDetector.i + 53) % 128;
}
0x04 外部调用
外部主要是调用isRunningInEmulator
方法:
public static int isRunningInEmulator(android.content.Context context,
int ok,
int flags)
- This method will use a series of techniques in order to determine if the application is running in an emulator or on a real device.
- Parameters:
- context - Application context.
- ok - Return code indicating no emulator was found.
flags - Flags enabling some configuration of the employed checks.- Returns:
Returns 'ok' if not on an emulator, a variation of 'ok' containing an error code when an emulator was detected.
isRunningInEmulator
同时利用了重载,下面我们主要分析一下这个方法做了什么:
package anti_emulator;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.HashMap;
public class EmulatorDetector {
public static void main(String args[]) {
}
public static final int FAIL_ON_MITIGATED_TAMPER_ATTEMPT = 2;
public static final int IGNORE_TAMPER_ATTEMPTS = 4;
private static final String[] a = null;
// private static final g[] b = null;
// private static final g[] c = null;
private static final String[] d = null;
// private static final g[] e = null;
// private static AntiHooking$HookInfo f = null;
private static int g = 1;
private static int h;
private static int i = 0;
private static byte[] j;
static {
EmulatorDetector.c();
String[] v1 = new String[9];
v1[0] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 298)), ((byte)EmulatorDetector.j[177]));
v1[1] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h & 1100 | EmulatorDetector.h ^ 1100)), ((byte)EmulatorDetector.j[177]));
v1[2] = EmulatorDetector.e(((byte)EmulatorDetector.j[589]), ((short)(EmulatorDetector.h & 1036 | EmulatorDetector.h ^ 1036)), ((byte)EmulatorDetector.j[177]));
v1[3] = EmulatorDetector.e(((byte)EmulatorDetector.j[159]), ((short)(EmulatorDetector.h | 876)), ((byte)EmulatorDetector.j[177]));
byte v2 = ((byte)EmulatorDetector.j[159]);
v1[4] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 742 | v2 & 742)), ((byte)EmulatorDetector.j[177]));
v1[5] = EmulatorDetector.e(((byte)EmulatorDetector.j[111]), ((short)(EmulatorDetector.h | 1100)), ((byte)EmulatorDetector.j[177]));
v1[6] = EmulatorDetector.e(((byte)EmulatorDetector.j[223]), (short) 893, ((byte)EmulatorDetector.j[177]));
v1[7] = EmulatorDetector.e(((byte)EmulatorDetector.j[75]), ((short)(EmulatorDetector.h << 2)), ((byte)EmulatorDetector.j[177]));
v1[8] = EmulatorDetector.e(((byte)EmulatorDetector.j[198]), (short) 1109, ((byte)EmulatorDetector.j[177]));
String[] v1 = new String[2];
byte v2 = ((byte)EmulatorDetector.j[870]);
v1[0] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 212 | v2 & 212)), ((byte)EmulatorDetector.j[177]));
v2 = ((byte)EmulatorDetector.j[198]);
v1[1] = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 793 | v2 & 793)), ((byte)EmulatorDetector.j[177]));
for(int i = 0; i <= 8; i++) {
System.out.println(v1[i]);
}
}
private static String e(short arg7, short arg8, byte arg9) {
int v9 = 118 - arg9;
byte[] v0 = EmulatorDetector.j;
int v7 = arg7 + 1;
byte[] v1 = new byte[v7];
EmulatorDetector.g = (EmulatorDetector.i + 119) % 128;
int v3 = 1251 - arg8;
int v8;
for(int ii = 0; true; ii++) {
int v4 = ii + 1;
v1[ii] = ((byte)v9);
if(v4 == v7) {
break;
}
++v3;
v8 = v0[v3];
int v5 = EmulatorDetector.g + 25;
EmulatorDetector.i = v5 % 128;
int v6 = 57;
v5 = v5 % 2 == 0 ? 57 : 64;
v9 = v5 != v6 ? v9 >> v8 << 101 : v9 + v8 - 2;
}
return new String(v1, 0).intern();
}
private static void c() {
j = new byte[] { 15, 80, -22, 125, 6, 2, 2, 2, -1, 1, 6, 2, 5, -4, 6, 2, 2, 2, -1, 1, 6, 2, 5, -6, 55, 3, 19, -69, 68, -10, 10, 10, -20, 19, -5, 9, -9, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, -10, 15, 9, -13, -3, 4, 19, 3, -1, -11, 15, 6, 2, 2, 2, -1, 1, 6, 2, 5, -2, -1, -63, 60, -5, 19, -12, 21, -20, 19, -11, 75, 7, -76, 72, 5, 5, -5, -41, -24, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 53, 1, 20, -12, -1, 1, 15, -8, -3, 10, 0, 11, 13, -19, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, -5, 70, -13, 9, -10, 27, -62, 0, -5, 58, 0, 11, -7, 15, -7, -4, -2, 27, -62, 0, 70, 8, -4, 3, -13, 10, -60, 63, -1, -5, -49, 63, -1, -5, 3, -2, 16, -10, 13, 2, 5, -10, -2, 7, 3, -1, 21, -12, -6, 20, -10, 10, 10, -69, 71, -2, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -69, 59, 7, -5, 16, 73, 36, -1, 3, -9, 15, 4, 7, -87, 17, -10, -54, -10, 10, 10, -69, 71, -11, -54, 58, -3, 12, -4, -4, 6, 0, 14, -6, 15, -15, 0, 1, 4, 6, -4, 2, 2, 2, 2, 2, 2, 2, 2, 2, 42, -1, -6, 4, 5, 12, -9, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 58, 0, 11, 13, -19, 17, -7, 2, -11, 27, -62, 0, -1, -63, 54, 15, 2, 7, -6, 5, -12, 5, 3, 15, 0, 11, -7, 15, -7, -4, -50, 73, -18, 15, 11, -62, 0, 60, -63, 73, -18, 15, 11, -62, 0, 60, -1, -63, 54, 21, -10, 5, -6, -52, 56, 7, 12, -1, -2, -9, 26, -73, 61, -3, 6, 2, 2, 2, -1, 1, 6, 2, 2, 1, 49, 2, -78, 52, 37, -5, 8, -9, 6, -6, -67, 72, 11, 5, -80, 37, 39, 12, -1, 0, -6, -18, 15, 11, -62, 0, 70, 8, -4, -66, 68, -10, 10, 10, -20, 23, 0, -15, 4, 4, 63, 43, 8, -5, -8, -66, 79, -10, 21, -15, 7, 3, 7, -5, -69, 70, -1, 21, -17, -36, -25, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, -1, -63, 54, 21, -10, 5, -6, -52, 68, 4, -1, -9, 19, -16, 19, 70, 8, -4, -66, 55, 3, 19, -11, -4, 4, 16, -66, 73, -11, 11, 4, 3, -18, 13, -59, 64, -2, 12, -14, -50, 52, 15, -8, 16, -1, -4, -3, -3, 4, 5, 0, 47, -8, 16, -1, -4, -3, -1, -63, 63, -4, 15, -2, -7, 9, -60, 53, 15, -8, 16, -1, -4, -3, -52, 69, -10, 10, 10, -15, 10, 10, -7, -9, 21, -3, 5, 55, 3, 19, -69, 70, -2, -10, 10, -4, 17, -67, 68, -10, 10, 10, -15, -1, -63, 63, -4, 15, -2, -7, 9, -60, 69, -10, 10, 10, -6, 9, 1, -7, 6, 2, 2, 2, -1, 1, 6, 2, 2, 5, 3, 3, 3, 3, 3, 3, 3, 3, 3, -6, 3, 3, 3, 3, 85, -9, 9, 8, -7, -6, -66, 74, -5, 23, -15, -67, 68, 5, 2, 11, -76, 71, 10, 5, 6, 7, -73, 6, 2, 2, 2, -1, 1, 6, 2, 2, 3, -13, 9, 0, 17, -36, 25, 17, 5, -6, 5, -5, -32, 39, 8, -13, 15, -10, -3, 4, 4, 16, -1, -63, 71, -12, 0, 20, -1, -11, 0, 11, -7, 15, -7, -4, -50, 58, 10, 2, -6, 7, -5, -4, 22, -13, 9, -58, 58, 0, 11, -7, 15, -7, -4, 15, -8, 16, -1, -4, -3, -52, 55, 14, 1, 8, -13, 11, 8, -68, 23, 46, 1, 8, -13, 21, -2, 6, 2, 2, 2, -1, 1, 6, 2, 3, -4, 0, 17, -31, 40, -4, 3, -13, 10, -24, 20, 15, 6, -11, -4, 4, 67, 4, -1, -10, -50, 54, 15, 7, -10, 7, -6, 11, -25, 6, 2, 2, 2, -1, 1, 6, 2, 3, 0, 6, 2, 2, 2, -1, 1, 6, 2, 3, -2, -13, 16, 3, -69, 7, -3, 13, -68, 71, 5, -17, -51, 69, -10, 10, 10, -70, 69, 4, -1, 3, 5, 70, 8, -4, 3, -13, 10, -60, 53, 9, 7, -61, 68, -10, 10, 10, -70, 69, 4, -1, 3, 5, 0, 17, -38, 31, 7, -7, -50, 31, 41, -6, -9, 5, 15, -5, -1, 5, 3, 10, -7, -18, 15, 11, -62, 0, 60, 10, -1, -6, 4, 5, 12, -9, 0, 17, -49, 49, 2, -2, -1, -4, 0, 21, -9, 8, 1, -41, 46, 1, 8, -13, 21, -2, 63, 43, 8, -5, -8, -66, 86, -3, -2, -4, 11, -50, -24, 60, 7, -3, 13, -68, 59, 10, -1, -6, 4, 5, 12, -9, -56, 70, -13, 13, -15, 13, 2, 5, -10, -51, 59, 10, -1, -6, 4, 5, 12, -9, -56, 71, -2, 0, 17, -36, 25, 17, 5, -6, 5, -5, -26, 35, -9, 15, -15, 21, -3, 5, -34, 21, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 54, 18, -15, 15, -8, 6, 2, 2, 2, -1, 1, 6, 2, 3, 4, 67, 4, -1, -10, -50, 60, 8, 3, 1, 5, 4, 1, 67, 4, -1, -10, -50, 70, -12, 9, -4, -53, 64, -10, 17, 5, 6, 2, 2, 2, -1, 1, 6, 2, 3, 2, 56, 2, -68, 28, 6, 2, 2, 2, -1, 1, 6, 2, 4, -3, 7, 12, -1, 0, -2, 14, -6, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 65, 4, -9, 3, 9, 6, 2, 2, 2, -1, 1, 6, 2, 4, -5, 0, 17, -31, 24, 6, -24, 20, 15, -7, -6, 13, -28, 41, -6, -9, 5, 15, 70, 8, -4, -66, 55, 3, 19, -11, -4, 4, 16, -66, 70, 8, -4, 3, -13, 10, -60, 54, 15, 7, -68, 54, 15, 7, -67, 1, 54, 15, 7, -13, 14, -11, 14, 6, 2, 2, 2, -1, 1, 6, 2, 4, 1, 0, 17, -31, 36, -17, 19, -14, 17, -7, -5, 5, 15, -39, 29, 6, 2, 2, 2, -1, 1, 6, 2, 4, -1, -49, 1, 9, -3, 2, 1, 3, 4, 47, -42, 49, 2, 3, -51, 1, -10, 10, 10, -69, 71, -11, -54, 64, -7, 3, -3, 7, 3, 11, 7, -8, 13, 7, -10, 10, 10, -69, 60, 17, -71, 65, -10, 10, 7, -1, -4, 22, -4, -1, -63, 68, 4, -1, -9, 19, -16, 19, -68, 56, 3, 19, -11, -4, 4, 0, 11, -7, 15, -7, -4, 0, 17, -46, 35, 19, -11, -4, 4, -26, 29, -1, -63, 54, 21, -10, 5, -6, -52, 58, 5, 7, -5, 0, 15, 0, 4, -7, 7, 8, 0, 11, -7, 15, -7, -4, -50, 70, -13, 9, -58, 58, 0, 11, -7, 15, -7, -4, 6, 2, 2, 2, -1, 1, 6, 2, 4, 3, 32, 11, 13, -10, 4, 7, -9, 8, 1, 72, 8, -9, 8, 2, 0, 1, -52, 15, -8, 16, -1, -4, -3, -52, 68, -9, 15, -3, -2, 12, 2, -8, 8, 1, -62, 38, -11, -2, 5, 29, -13, -6, 9, 1, -7, 28, -10, 3, -17, 21, -13, 3, -7, 3, 5, -1, 1, 5, 1, 1, 2, 2, 2, 9, -1, -2, 1, 9, -3, 0 };
EmulatorDetector.h = 128;
}
}
-
EmulatorDetector
中的a
字符串数组内容如下:
虚拟机特征目录
可知这些都是模拟器的特征目录和文件, 应该是要查找是否有这些特征目录的.
我们选择这个深入分析一下:
在
isRunningInEmulator
方法里调用了这个字符串数组:v2_1 = AntiHooking.e(EmulatorDetector.a, EmulatorDetector.f); v3 = v2_1 < 0 ? 1 : 0; // EmulatorDetector.f是AntiHooking$HookInfo的实例化.
而v2_1是
isRunningInEmulator
方法的返回值, 即如果返回值大于0则表示是虚拟机.跟进
AntiHooking
的e
方法:public static int e(String[] arg5, AntiHooking$HookInfo arg6) { AntiHooking.m = (AntiHooking.l + 85) % 128; AntiHooking.l = ((AntiHooking.m & 37) + (AntiHooking.m | 37)) % 128; int v1; for(v1 = 0; true; v1 = ((v2 | 96) << 1) - (v2 ^ 96)) { int v2 = v1 >= arg5.length ? 0 : 1; if(v2 != 1) { AntiHooking.m = (((AntiHooking.l | 89) << 1) - (AntiHooking.l ^ 89)) % 128; return -1; } AntiHooking.l = ((AntiHooking.m & 39) + (AntiHooking.m | 39)) % 128; if(AntiHooking.c(AntiHooking.a(arg5[v1], arg6), arg6)) { byte v0 = ((byte)AntiHooking.i[206]); byte v2_1 = ((byte)AntiHooking.i[36]); new StringBuilder(AntiHooking.a(v0, ((short)v2_1), ((short)(v2_1 ^ 172 | v2_1 & 172)))).append(arg5[v1]); AntiHooking.m = ((AntiHooking.l & 3) + (AntiHooking.l | 3)) % 128; return v1; } v2 = ((v1 | -95) << 1) - (v1 ^ -95); } }
我们能看到有一个重要的判断:
if(AntiHooking.c(AntiHooking.a(arg5[v1], arg6), arg6))
所以我们先分析
a
方法:public static File a(String arg5, AntiHooking$HookInfo arg6) { int v5; Object v6; AntiHooking.l = (((AntiHooking.m | 123) << 1) - (AntiHooking.m ^ 123)) % 128; try { v6 = AntiHooking.c(File.class.getConstructor(String.class), File.class, new Object[]{arg5}, arg6); v5 = AntiHooking.l; } catch(Exception ) { return new File(((String)v5)); } AntiHooking.m = ((v5 & 59) + (v5 | 59)) % 128; return ((File)v6); }
最终我们能跟到
c
方法中的invoke
方法, 也就是我们熟知的反射了:return v9_1.invoke(v4_1, v0_2);
-
d
字符串数组如下:/sys/devices/system/cpu/cpu0/cpufreq /sys/devices/virtual/misc/android_adb
能看出是要查看CPU信息以及设备版本信息.
-
c
字符串数组如下:g[] v1_1 = new g[17]; byte v11 = ((byte)j[627]); String v11_1 = e(((short)v11), ((short)(v11 ^ 1193 | v11 & 1193)), ((byte)j[40])); // System.out.println(v11_1); String[] v12 = new String[3]; v12[0] = e(((byte)j[35]), ((short)(-j[729])), ((byte)j[459])); byte v5 = ((byte)j[4]); v12[1] = e(((short)v5), ((short)(v5 ^ 472 | v5 & 472)), ((byte)j[9])); v12[2] = e(((byte)j[80]), (short) 296, ((byte)j[26])); v1_1[0] = new g(v11_1, v12); v1_1[1] = new g(e(((byte)j[159]), ((short)(h + 2)), ((byte)j[40])), new String[]{e(((byte)j[4]), ((short)(h & 344 | h ^ 344)), ((byte)j[109])), e(((byte)j[4]), (short) 114, ((byte)j[0]))}); String v5_1 = e(((byte)j[0]), (short) 289, ((byte)j[40])); String[] v11_2 = new String[3]; v11_2[0] = e(((byte)j[5]), ((short)(h | 540)), ((byte)j[25])); v11_2[1] = e(((byte)j[80]), ((short)(h & 637 | h ^ 637)), ((byte)j[97])); byte v12_1 = ((byte)j[75]); v11_2[2] = e(((short)v12_1), ((short)(v12_1 ^ 898 | v12_1 & 898)), ((byte)j[99])); v1_1[2] = new g(v5_1, v11_2); v5 = ((byte)j[30]); v1_1[3] = new g(e(((short)v5), ((short)(v5 | 1173)), ((byte)j[40])), new String[]{e(((byte)j[80]), ((short)(h | 338)), ((byte)j[0])), e(((byte)j[12]), ((short)(h ^ 770 | h & 770)), ((byte)j[109]))}); v1_1[4] = new g(e(((byte)j[0]), (short) 371, ((byte)j[40])), new String[]{e(((byte)j[4]), (short) 114, ((byte)j[0])), e(((byte)j[80]), (short) 296, ((byte)j[26]))}); v5_1 = e(((byte)j[111]), ((short)(h & 614 | h ^ 614)), ((byte)j[40])); String[] v10 = new String[1]; v11 = ((byte)j[109]); v10[0] = e(((short)v11), ((short)(v11 ^ 758 | v11 & 758)), ((byte)j[188])); v1_1[5] = new g(v5_1, v10); v5_1 = e(((byte)j[144]), ((short)(h & 519 | h ^ 519)), ((byte)j[40])); v10 = new String[1]; v11 = ((byte)j[109]); v10[0] = e(((short)v11), ((short)(v11 | 787)), ((byte)j[92])); v1_1[6] = new g(v5_1, v10); v1_1[7] = new g(e(((byte)j[0]), (short) 844, ((byte)j[40])), new String[]{e(((byte)j[5]), ((short)(h & 540 | h ^ 540)), ((byte)j[25])), e(((byte)j[4]), ((short)(h & 344 | h ^ 344)), ((byte)j[109])), e(((byte)j[80]), ((short)(h | 860)), ((byte)j[159]))}); v5_1 = e(((byte)j[26]), (short) 98, ((byte)j[40])); v10 = new String[4]; v10[0] = e(((byte)j[892]), ((short)j[379]), ((byte)j[0])); v10[1] = e(((byte)(j[764] - 1)), (short) 1139, ((byte)j[0])); v11 = ((byte)j[589]); v10[2] = e(((short)v11), ((short)(v11 ^ 614 | v11 & 614)), ((byte)j[0])); v10[3] = e(((byte)j[627]), ((short)(h & 841 | h ^ 841)), ((byte)j[0])); v1_1[8] = new g(v5_1, v10); v5_1 = e(((byte)j[218]), ((short)(h & 853 | h ^ 853)), ((byte)j[40])); v10 = new String[1]; v11 = ((byte)j[4]); v10[0] = e(((short)v11), ((short)(v11 ^ 472 | v11 & 472)), ((byte)j[9])); v1_1[9] = new g(v5_1, v10); v5 = ((byte)j[892]); v5_1 = e(((short)v5), ((short)(v5 ^ 929 | v5 & 929)), ((byte)j[40])); v10 = new String[1]; v11 = ((byte)j[40]); v10[0] = e(((short)v11), ((short)(v11 ^ 530 | v11 & 530)), ((byte)j[5])); v1_1[10] = new g(v5_1, v10); v5 = ((byte)j[892]); v1_1[11] = new g(e(((short)v5), ((short)(v5 | 512)), ((byte)j[111])), new String[0]); v1_1[12] = new g(e(((byte)j[0]), ((short)(h | 17)), ((byte)j[12])), new String[0]); v5 = ((byte)j[892]); v1_1[13] = new g(e(((short)v5), ((short)(v5 ^ 1025 | v5 & 1025)), ((byte)j[12])), new String[0]); v1_1[14] = new g(e(((byte)j[892]), ((short)(h & 35 | h ^ 35)), ((byte)j[12])), new String[0]); v1_1[15] = new g(e(((byte)j[627]), (short) 787, ((byte)j[40])), new String[0]); v1_1[16] = new g(e(((byte)j[892]), (short) 1073, ((byte)j[40])), new String[0]); for(int i = 0; i <= 16; i++) { System.out.println(Arrays.toString(v1_1[i].a)); System.out.println(v1_1[i].b); }
输出如下:
[Genymotion, unknown, chromium] ro.product.manufacturer [vbox86p, generic] ro.product.device [sdk, emulator, App Runtime for Chrome] ro.product.model [goldfish, vbox86] ro.hardware [generic, chromium] ro.product.brand [1] ro.kernel.qemu [0] ro.secure [sdk, vbox86p, full_x86] ro.build.product [generic/sdk/generic, generic_x86/sdk_x86/generic_x86, generic/google_sdk/generic, generic/vbox86p/vbox86p] ro.build.fingerprint [unknown] ro.bootloader [test-] ro.build.display.id [] init.svc.qemu-props [] qemu.hw.mainkeys [] qemu.sf.fake_camera [] qemu.sf.lcd_density [] ro.kernel.android.qemud [] ro.kernel.qemu.gles
可以看到上面是一些关于模拟器相关的包、目录、文件、标志位等。
-
e
字符串数组如下:g[] v1_1 = new g[5]; String v5_1 = e(((byte)j[111]), ((short)(h & 363 | h ^ 363)), ((byte)j[0])); String[] v10 = new String[16]; v10[0] = e(((byte)j[30]), ((short)(h & 801 | h ^ 801)), ((byte)j[188])); v10[1] = e(((byte)j[30]), ((short)(h & 550 | h ^ 550)), ((byte)j[188])); v10[2] = e(((byte)j[30]), ((short)(h & 597 | h ^ 597)), ((byte)j[188])); v10[3] = e(((byte)j[30]), (short) 592, ((byte)j[188])); v10[4] = e(((byte)j[30]), (short) 544, ((byte)j[188])); byte v11 = ((byte)j[30]); v10[5] = e(((short)v11), ((short)(v11 ^ 544 | v11 & 544)), ((byte)j[188])); v10[6] = e(((byte)j[30]), (short) 320, ((byte)j[188])); v10[7] = e(((byte)j[30]), (short) 356, ((byte)j[188])); v10[8] = e(((byte)j[30]), (short) 274, ((byte)j[188])); v10[9] = e(((byte)j[30]), (short) 306, ((byte)j[188])); v10[10] = e(((byte)j[30]), ((short)(h & 60 | h ^ 60)), ((byte)j[188])); v10[11] = e(((byte)j[30]), ((short)(h & 84 | h ^ 84)), ((byte)j[188])); v10[12] = e(((byte)j[30]), ((short)j[321]), ((byte)j[188])); v10[13] = e(((byte)j[30]), ((short)(h & 1110 | h ^ 1110)), ((byte)j[188])); v10[14] = e(((byte)j[30]), ((short)(h & 1120 | h ^ 1120)), ((byte)j[188])); v10[15] = e(((byte)j[30]), ((short)(h & 1065 | h ^ 1065)), ((byte)j[188])); v1_1[0] = new g(v5_1, v10); v1_1[1] = new g(e(((byte)j[75]), ((short)(h & 264 | h ^ 264)), ((byte)j[0])), new String[]{e(((byte)j[4]), (short) 793, ((byte)j[99]))}); v1_1[2] = new g(e(((byte)j[97]), (short) 264, ((byte)j[0])), new String[]{e(((byte)j[26]), ((short)j[109]), ((byte)(-j[121])))}); v1_1[3] = new g(e(((byte)j[223]), ((short)(h & 74 | h ^ 74)), ((byte)j[0])), new String[]{e(((byte)j[223]), (short) 1025, ((byte)j[685]))}); v1_1[4] = new g(e(((byte)j[30]), (short) 108, ((byte)j[0])), new String[]{e(((byte)j[223]), (short) 858, ((byte)j[92])), e(((byte)j[0]), ((short)(h & 50 | h ^ 50)), ((byte)j[97])), e(((byte)j[223]), ((short)(h | 587)), ((byte)j[92]))}); // e = v1_1; for(int i = 0; i <= 4; i++) { System.out.println(Arrays.toString(v1_1[i].a)); System.out.println(v1_1[i].b); }
字符串如下:
[15555215554, 15555215556, 15555215558, 15555215560, 15555215562, 15555215564, 15555215566, 15555215568, 15555215570, 15555215572, 15555215574, 15555215576, 15555215578, 15555215580, 15555215582, 15555215584] getLine1Number [Android] getNetworkOperatorName [89014103211118510720] getSimSerialNumber [310260000000000] getSubscriberId [000000000000000, e21833235b6eef10, 012345678912345] getDeviceId
可以看到, 是一些设备信息.
-
字符串数组
b
:g[] v0 = new g[2]; String v2_1 = EmulatorDetector.e(((byte)EmulatorDetector.j[218]), (short) 346, ((byte)EmulatorDetector.j[177])); String[] v5_2 = new String[1]; byte v7 = ((byte)EmulatorDetector.j[40]); v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 ^ 306 | v7 & 306)), ((byte)EmulatorDetector.j[92])); v0[0] = new g(v2_1, v5_2); byte v2 = ((byte)EmulatorDetector.j[223]); v2_1 = EmulatorDetector.e(((short)v2), ((short)(v2 ^ 320 | v2 & 320)), ((byte)EmulatorDetector.j[177])); v5_2 = new String[1]; v7 = ((byte)EmulatorDetector.j[892]); v5_2[0] = EmulatorDetector.e(((short)v7), ((short)(v7 | 392)), ((byte)EmulatorDetector.j[0])); v0[1] = new g(v2_1, v5_2); for(int i = 0; i <= 1; i++) { System.out.println(Arrays.toString(v0[i].a)); System.out.println(v0[i].b); }
字符串解析出来如下:
[0ff :] /proc/ioports [gralloc.goldfish.so] /proc/self/maps
0x05 RootDector
检查方法就是通过检查root工具的包名实现的:
public static final int IGNORE_BINARY_EXISTENCE = 64;
public static final int NO_CIRCUMSTANTIAL = 8;
public static final int NO_FAIL_ON_HOOKING = 32;
public static final int NO_TRICK_APPS = 4;
public static final int SILENT = 1;
// private static final String[] a;
// private static final String[] b;
// private static final String[] c;
// private static final String[] d;
// private static final String[] e;
// private static j f;
// private static AntiHooking.HookInfo g;
// private static j h;
// private static j i;
private static String[] j;
private static int k = 0;
private static int l = 0;
private static int m = 1;
private static byte[] n;
static {
b();
String[] v1 = new String[8];
int v5 = 0;
v1[0] = d((short) 618, 90, ((byte)n[47]));
System.out.println(v1[0]);
v1[1] = d((short) 280, 90, ((byte)n[7]));
v1[2] = d((short) 198, ((byte)((n[228] & -1) + (n[228] | -1))), ((byte)n[28]));
v1[3] = d((short) 786, 90, ((byte)n[21]));
v1[4] = d(((short)(-n[517])), 90, ((byte)n[0]));
v1[5] = d((short) 260, 90, ((byte)n[34]));
short v2 = ((short)(((n[228] | -1) << 1) - (n[228] ^ -1)));
v1[6] = d(v2, ((byte)(v2 - 1 - 1)), ((byte)n[121]));
v1[7] = d(((short)((n[146] & -1) + (n[146] | -1))), 90, ((byte)n[7]));
// d = v1;
for(int i=0;i<=7;i++) {
System.out.println(v1[i]);
}
}
private static String d(short arg5, int arg6, byte arg7) {
byte[] v1_1;
int v7;
byte[] v0_1;
int v5;
int v0 = m + 43;
l = v0 % 128;
int v1 = 65;
v0 = v0 % 2 == 0 ? 65 : 71;
int v2 = -1;
if(v0 != v1) {
arg6 += 20;
v5 = arg5 + 125;
v0_1 = n;
v7 = arg7 | 117;
v1_1 = new byte[v7];
v7 += 101;
}
else {
arg6 += 9;
v5 = arg5 + 4;
v0_1 = n;
v7 = 32 - arg7;
v1_1 = new byte[v7];
v7 += v2;
}
m = (l + 49) % 128;
while(true) {
++v2;
v1_1[v2] = ((byte)arg6);
++v5;
if(v2 == v7) {
break;
}
arg6 = arg6 - v0_1[v5] + 9;
}
return new String(v1_1, 0).intern();
}
private static void b()
{
n = new byte[] { 15, 80, -22, 125, -59, 3, 15, 8, 24, 1, 71, -64, 31, 2, 4, 72, 4, 14, -2, 79, -60, 6, 28, 62, -60, 7, 31, 4, 12, 5, 1, 7, 10, -3, 11, 72, -59, 26, -3, 18, -5, 12, 15, 14, 63, -42, -6, 9, 8, 5, 29, -8, 26, -4, 3, 20, 4, 18, -3, 11, 72, -52, 11, 4, 16, 1, 3, 11, 23, -4, 77, -44, -3, 11, -3, 11, 72, -48, 11, 0, -2, 21, 7, 4, 20, 3, 10, 73, -60, 7, 14, 20, -4, 6, 11, 23, -4, -3, 11, 72, -66, 29, 2, 9, 6, 1, 27, -5, 78, -60, 7, -45, -6, 26, -7, 80, -44, 4, 16, 1, 4, 17, 6, 0, 22, 64, -54, 7, 22, 2, 6, 16, -1, 20, 4, 4, -44, 12, -10, 28, 59, -52, 6, 21, 11, -2, 70, -42, 2, 4, 72, 8, -8, 23, 0, 3, -59, 26, 2, 4, 72, -59, 3, 15, 8, 24, 1, 71, -64, 31, 2, 4, 8, 64, -59, 12, 22, -11, 81, -42, -4, 19, -5, 12, 15, 14, 63, -65, 17, 10, 5, 23, 10, 63, -50, 4, 4, 8, 28, -2, 9, 16, -4, -7, 80, -44, 4, 16, 1, 4, 17, 6, 0, 22, 64, -60, 7, 14, 20, -4, 8, 7, 12, 86, -67, 12, -1, 8, 93, -71, 24, 7, 1, 19, 3, 11, -5, 20, -4, 8, 19, -1, 8, 79, -60, 3, 15, 78, -59, 12, 9, 4, 30, 7, 7, 9, 7, -5, 9, -61, 0, 3, 16, 19, 63, -3, 11, 72, -52, 11, 4, 16, -2, 12, 9, 4, 79, -52, 11, 4, 16, -5, 11, 23, -4, -3, 11, 72, -61, 21, 8, 0, 23, -3, 24, -8, 7, 4, 84, -60, 7, 14, 20, -4, 6, 11, 23, -4, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 72, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 7, 3, 16, 3, -59, 26, 2, 4, 11, -6, 52, -28, 3, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 72, -46, 14, 1, 6, 2, 27, 4, 10, 63, -3, 11, 72, -45, 8, -8, 30, 6, -9, 30, -4, 20, 7, 64, -59, 12, 9, 4, 26, 0, 6, 23, -1, -59, 3, 15, 8, 24, 1, 71, -59, 24, 62, -64, 31, 2, 4, 72, -3, 11, 72, -67, 34, 7, 4, -2, 12, 10, 10, 16, 66, -61, 24, 1, 6, 7, 12, 9, 4, 11, 22, 1, 7, 2, 26, 4, 17, 7, 94, -4, -45, 76, -64, 14, -94, 7, 12, 21, 7, -5, 9, 14, 22, -3, 17, 78, -58, -3, 10, 3, 28, 1, 4, 18, 10, 51, 35, -3, 11, 72, -47, 0, 6, 14, -3, 26, 4, 72, -49, 8, 14, 8, -4, 12, 9, 4, 6, 16, 9, 14, 4, 16, -3, 11, 72, -60, 27, -11, 12, 18, 7, 70, -60, 7, 28, -8, 8, 11, 26, -10, 24, -3, 11, 72, -45, 4, 5, 7, 10, 1, 22, 14, 8, -1, 74, -53, 0, 27, 1, -5, 18, 24, -10, 26, 4, 12, -4, 12, 9, 4, 11, -6, -29, 0, 3, 16, 19, -3, 11, 72, -42, -3, 6, 17, 2, 6, 26, -9, 78, -49, 8, 14, 8, 1, -3, 16, 12, 9, 4, 12, 5, 1, 7, 10, 4, 7, -62, 26, 0, 19, -2, 6, 76, -42, 2, 4, 7, -73, 4, -59, 3, 15, 8, 24, 1, 71, -42, 2, 4, 72, 10, -46, -10, 13, 78, -3, 11, 72, -52, 5, 3, 11, 20, 8, 7, 16, -8, 10, 9, 28, 60, -59, 12, 11, 9, 21, -4, 22, 3, 11, -4, -3, 11, 72, -55, 8, 5, 20, -4, 24, 0, 3, 80, -42, -4, 19, -5, 12, 15, 14, 63, -60, 7, -44, 12, -10, 28, 59, -52, 6, 21, 11, -2, 70, -44, 12, -10, 28, 59, -52, 6, 21, 11, -2, 70, -64, 31, 2, 4, 72, 24, 7, 1, 19, 3, 11, 52, -32, -3, 11, 72, -42, -4, 19, -5, 12, 15, 14, 63, -4, 19, -5, 12, 15, 14, 63, -56, 5, 78, -28, -29, 15, 8, 24, 1, 38, -25, 12, 8, 20, -4, 7, 20, 13, -5, 24, 7, 1, 19, 3, 11, 52, -32, -3, 11, 72, -48, 1, 9, 17, 4, 16, 64, -3, 11, 72, -44, 4, 12, 2, 5, 4, 11, 78, -53, 20, 7, 1, -5, 18, 24, -10, 26, 4, -59, 3, 15, 8, 24, 1, 71, -61, 11, 10, 76, -63, 27, 65, -56, 18, 9, 10, 64, -60, 12, 9, 4, 78, -59, 3, 15, 8, 24, 1, 71, -59, 26, 2, 4, -3, 11, 72, -52, 5, 3, 11, 20, 8, 7, 16, -8, 10, 9, 28, 60, -60, 7, 14, 20, -4, 6, 11, 23, -4, -59, 3, 15, 8, 24, 1 };
k = 173;
}
解析出来之后:
root工具的包名很明显上面这些包名就是特征的root工具的包名
0x06 AntiHooking
private static Class a = null;
private static ArrayList b = null;
private static Class c = null;
// private static b d = null;
private static Class e = null;
private static Method f = null;
private static HashMap g = null;
private static Field h = null;
private static byte[] i = null;
private static int j = 0;
private static int l = 1;
private static int m;
static {
d();
System.out.println(a(((byte)i[193]), (short)97, (short)378));
System.out.println(a(((byte)(-i[136])), (short) 106, ((short)(212 & j | j ^ 18))));
System.out.println(a(((byte)i[212]), ((byte)(-i[446])), ((short)(j + 3 - 1))));
System.out.println(a((byte)i[31], ((byte)(((i[225] | 1) << 1) - (i[225] ^ 1))), ((short)(j & 334 | j ^ 334))));
byte v1_2 = ((byte)(-i[8]));
System.out.println(a(v1_2, ((byte)(v1_2 ^ 106 | v1_2 & 106)), ((short)(j | 13))));
System.out.println(a(((byte)(-i[32])), ((byte)(-i[446])), ((short)(-i[68]))));
System.out.println(a(((byte)i[212]), (short) 108, ((short)(-i[136]))));
System.out.println(a(((byte)(-i[33])), ((byte)(-i[312])), (short) 275));
byte v5 = ((byte)i[208]);
byte v6 = ((byte)(-i[312]));
System.out.println(a(v5, ((short)v6), ((short)(v6 ^ 167 | v6 & 167))));
System.out.println(a(((byte)i[88]), ((byte)i[0]), (short) 344));
byte v61 = ((byte)i[36]);
byte v8 = ((byte)(-i[24]));
System.out.println(a(v61, ((short)v8), ((short)(v8 ^ 160 | v8 & 160))));
byte v11_1 = ((byte)i[48]);
byte v51 = ((byte)i[0]);
System.out.println(a(v11_1, ((short)v51), ((short)((v51 ^ 3) + ((v51 & 3) << 1)))));
System.out.println(a(((byte)i[69]), ((byte)i[0]), ((short)i[151])));
System.out.println(a(((byte)i[34]), ((byte)(-i[387])), ((short)(j | 57))));
}
private static String a(byte arg8, short arg9, short arg10) {
int v10 = arg10 + 4;
byte[] v0 = i;
int v9 = arg9 + 9;
int v8 = arg8 + 1;
byte[] v2 = new byte[v8];
int v3 = -1;
v8 += v3;
l = (m + 37) % 128;
while(true) {
++v3;
++v10;
v2[v3] = ((byte)v9);
int v4 = 0;
if(v3 == v8) {
break;
}
int v5 = v0[v10];
int v6 = l + 77;
m = v6 % 128;
if(v6 % 2 == 0) {
v4 = 1;
}
if(v4 != 0) {
v9 = v9 - v5 - 11;
continue;
}
v9 = v9 % v5 >>> 94;
}
return new String(v2, 0).intern();
}
private static void d() {
i = new byte[]{94, 22, 100, -15, -24, -1, -25, -8, -5, -6, 43, -64, -23, -10, -17, 4, -20, -17, 59, -32, -55, -10, -17, 4, -30, -7, -4, -5, -18, -11, -7, 19, -35, -26, 1, -18, 0, -9, -26, -7, -13, -8, -12, 69, -12, 44, -79, -8, 2, -31, 61, -62, -24, -1, -25, -8, -5, -6, 43, -85, -3, -10, -15, 3, -10, 43, -53, 10, -39, 7, -35, -26, 1, -18, 0, 17, -50, -11, -7, -5, -17, -5, -14, -13, -11, -13, -25, -11, 34, -49, 0, -17, -23, -28, -13, 28, -35, -26, 1, -18, 0, 0, -9, -26, -2, -32, 10, 40, -73, 0, -24, -4, 46, -79, 2, -12, -17, -4, -9, -28, 59, -30, -44, -28, -12, -9, 6, -13, -28, 28, -35, -26, 1, -18, 0, -16, -21, 7, -12, -21, -4, 18, -50, -11, -7, -19, -3, -10, -15, 3, -10, 32, -50, -11, -7, -5, -10, 12, -35, -26, 1, -18, 0, 22, -41, -22, -11, -1, -10, -13, -19, -19, -21, 34, -46, -14, -4, -72, -46, -14, -4, 58, -80, -30, 4, -21, -12, -10, 46, 15, 16, -10, 3, 14, -22, -16, -8, -9, -19, 29, -41, -22, -11, -8, -16, -4, 13, -46, 20, -29, -18, -5, 11, -32, -24, -6, -7, -21, -11, -1, -17, -10, -30, 4, -22, 95, -12, 44, -79, -8, 2, -31, 61, -62, -24, -1, -25, -8, -5, -6, 43, -85, -3, -10, -15, 3, -10, 43, -53, -35, -10, -15, 3, -10, 23, -59, -2, -6, -14, -9, -24, -1, -25, -8, -5, -6, 43, -76, -15, 58, -77, -13, -8, -12, 0, -24, -13, 0, -7, -25, -24, -1, -25, -8, -5, -6, 43, -76, -15, 58, -48, -49, -5, -12, 4, -19, 18, -45, -8, -12, 0, -24, -13, 0, -7, -25, -35, -19, 0, -14, -24, 71, -88, -19, -9, -12, 73, -77, -14, 58, -88, -3, -26, 1, -18, 0, 57, -90, -14, 71, -78, -23, -10, -16, -12, -9, -14, 7, -28, -6, -14, 71, -90, 2, -19, -6, -9, -28, 59, -9, -26, 25, -45, -8, -12, 0, -24, -13, -16, 51, 16, -81, -6, -19, -14, -4, -10, 57, -95, -6, 68, -81, -14, -16, -1, 57, -78, -20, 0, -29, -11, 72, -18, -2, -32, 10, 40, -83, -2, 52, -83, 6, -24, -12, -1, -17, -10, -30, 4, -21, -12, -10, -2, -32, 10, 40, -73, 0, -24, -4, 46, -79, 2, -12, -17, -4, -9, -28, 59, -30, -60, -13, 28, -35, -26, 1, -18, 0, -38, -19, -14, -4, -10, 57, -95, -6, 68, -78, -26, 2, -7, -30, 4, 58, -76, 54, -91, -13, -8, 1, -13, -25, -11, 58, -30, 8, -9, -21, 36, -48, -20, 2, -9, -28, -6, -14, -18, -16, -19, -4, -7, -5, 11, -46, -2, -9, -13, -16, 2, -22, 20, -35, -26, 1, -18, 0};
j = 128;
}
解析的部分字符串:
hook的一些特征模块
猜测一下, 应该是在检测xposed模块了. 举例:
AntiHooking.e = Class.forName(AntiHooking.a(((byte)(-AntiHooking.i[32])), ((byte)(-AntiHooking.i[v3])), ((short)(-AntiHooking.i[68]))), true, ClassLoader.getSystemClassLoader());
// 其中传入的字符串就是"de.robv.android.xposed.XC_MethodHook"
0x07 DebugDetector
public static void main(String args[]) {
Object[] v4 = new Object[1];
byte v5 = ((byte)b[89]);
short v7 = ((short)(v5 ^ 95 | v5 & 95));
v4[0] = b(v5, v7, ((byte)(v7 & 48)));
System.out.println(v4[0].toString());
System.out.println(b(((byte)b[26]), (short) 304, ((byte)b[82])));
System.out.println(b(((byte)b[32]), ((short)(c | 392)), ((byte)b[89])));
System.out.println(b(((byte)(-b[135])), (short) 329, ((byte)b[63])));
// System.out.println(b(((byte)(-b[583])), (short) 6623, ((byte)b[114])));
System.out.println(b(((byte)(-b[133])), (short) 273, ((byte)b[29])));
System.out.println(b(((byte)(b[129] - 1)), ((short)b[129]), ((byte)b[272])));
byte v2 = ((byte)(-b[370]));
System.out.println(b(v2, ((short)(v2 | 256)), ((byte)b[85])));
System.out.println(b(((byte)(-b[133])), (short) 273, ((byte)b[29])));
System.out.println(b(((byte)(b[129] - 1)), (short) 258, ((byte)b[78])));
String[] str = new String[19];
v7 = 360;
str[0] = b(((byte)(-b[v7])), ((short)(c & 106 | c ^ 106)), ((byte)b[250]));
byte v3 = ((byte)b[130]);
str[1] = b(v3, ((short)(v3 | 321)), (short) 30);
int v8 = 129;
int v11 = 272;
int v16 = 7;
str[2] = b(((byte)(b[v8] - 1)), ((short)b[v8]), ((byte)b[v11]));
int v10 = 370;
byte v9 = ((byte)(-b[v10]));
short v12 = ((short)(v9 ^ 325 | v9 & 325));
str[3] = b(v9, v12, ((byte)(v12 & 16)));
str[4] = b(((byte)(((b[v8] | -1) << 1) - (b[v8] ^ -1))), ((short)b[v8]), ((byte)b[v11]));
str[5] = b(((byte)(-b[v10])), ((short)(c & 392 | c ^ 392)), ((byte)b[v16]));
str[6] = b(((byte)(b[v8] - 1)), (short) 184, ((byte)b[0]));
str[7] = b(((byte)(-b[v10])), (short) 291, ((byte)b[v16]));
str[8] = b(((byte)(b[v8] - 1)), (short) 220, ((byte)(c & 24 | c ^ 24)));
str[9] = b(((byte)b[104]), (short) 249, ((byte)b[5]));
str[10] = b(((byte)(b[1] - 1)), (short) 216, ((byte)b[270]));
str[11] = b(((byte)(-b[v7])), (short) 148, ((byte)b[355]));
str[12] = b(((byte)(-b[v10])), (short) 410, ((byte)b[44]));
str[13] = b(((byte)(b[v8] - 1)), (short) 420, ((byte)b[182]));
str[14] = b(((byte)b[26]), (short) 371, ((byte)b[44]));
str[15] = b(((byte)(-b[v7])), (short) 148, ((byte)b[355]));
str[16] = b(((byte)(-b[370])), ((short)b[89]), ((byte)b[29]));
str[17] = b(((byte)(-b[v7])), ((short)b[29]), ((byte)b[273]));
str[18] = b(((byte)(-b[370])), ((short)(b[134] - 1)), ((byte)b[272]));
for(int i=0; i<str.length; i++) {
System.out.println(str[i]);
}
}
private static byte[] b = null;
private static int c = 0;
private static int d = 0;
private static int e = 1;
static {
c();
}
private static void c() {
b = new byte[]{32, 42, 34, 123, -2, 9, -9, 13, -17, 19, -15, -34, 34, 13, 2, -11, -3, 3, -6, -2, 19, -15, -9, 21, -21, -51, 69, -14, -2, 18, -3, -9, 11, 5, -75, 53, 2, 13, 2, -70, 42, -35, -5, 9, 10, 34, 13, 2, -11, -3, 3, -6, -2, 19, -15, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 21, 44, -1, 6, -15, 19, -4, -2, 15, -33, 34, -19, 8, -5, -2, 17, -28, -35, -5, 0, 32, 34, -9, 5, -11, 6, 7, -15, 11, 65, 2, -3, -12, -52, 68, -14, 7, -6, -55, 68, 1, -19, 19, 1, -2, -9, 21, -21, 23, -74, 69, -14, -2, 18, -3, -9, 11, 5, -75, 51, 20, -1, -12, -58, 74, -67, -5, 0, -2, 42, -35, -5, 0, 32, 34, -9, 5, -11, 6, 7, -15, 11, -9, 21, -21, -51, 69, -14, -2, 18, -3, -9, 11, 5, -75, 53, 2, 13, 2, -70, 21, 34, 13, 2, -11, -3, 3, -6, -2, 19, -15, -31, 27, 2, 17, -5, 3, 7, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 66, -3, -63, 34, 17, 2, 8, -10, 6, -2, -24, 20, 13, -13, 6, -2, 13, -42, 7, -5, 9, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 66, -3, -63, 34, 17, 2, 8, -10, 6, -2, -28, 37, -8, 9, -10, -2, 7, -13, 19, 1, -3, -13, 14, 13, -10, 14, -3, -6, -5, -54, 65, 4, -69, 22, 33, -3, 19, -14, 10, -47, 33, -3, 19, -14, 0, -2, 13, -47, 44, -1, 0, -9, -2, 17, -15, -1, -2, 15, -36, 17, 2, 8, -10, 6, -2, -28, 37, -8, 9, -2, -17, 2, 2, 13, -2, -7, -5, -2, 15, -51, 47, 0, -4, -3, -6, -2, 19, -11, 6, -1, -37, 37, -8, 9, -3, -65, 54, 1, -3, 19, -14, 0, -6, 1, 10, -7, 11, -17, 4, 45, -10, 14, -3, -6, -5, -68, 36, 33, -3, 19, -14, -59, 35, -18, 4, 45, -10, 14, -3, -6, -5, -56, 23, -6, 24, -2, -5, -45, 55, -5, -15, -36, 49, 0, -17, 24, -2, 15, -36, 17, 2, 8, -10, 6, -2, -24, 20, 13, -13, 6, -2, 13, -2, 15, -36, 17, 2, 8, -10, 6, -2, -23, 19, 12, -8, -2, 15, -43, 37, 5, 1, -19, 13, -11, 2, 13, -10, 14, -3, -6, -5, -54, 53, 12, -1, 6, -15, 9, 6, -70, 66, -3, -63, 37, 22, -2, 7, -13, 19, 1, -3, -13};
c = 5;
}
private static String b(int arg7, short arg8, short arg9) {
e = (d + 41) % 128;
int v9 = arg9 + 1;
byte[] v0 = b;
byte[] v1 = new byte[v9];
int v3 = arg8 + 4;
int v8 = arg7 + 47;
for(int ii = 0; true; ii++) {
int v4 = ii + 1;
v1[ii] = ((byte)v8);
if(v4 == v9) {
break;
}
// arg7 = v0[v3];
d = (e + 53) % 128;
v8 += v0[v3];
++v3;
}
String v7 = new String(v1, 0).intern();
e = (d + 25) % 128;
return v7;
}
解析出来的字符串如下:
/proc/self/status
tracerpid
:
ro.debuggable
isDebuggerConnected
android.content.Context
getApplicationInfo
isDebuggerConnected
android.os.Debug
javax.security.auth.x500.X500Principal
CN=Android Debug,O=Android,C=US
android.content.Context
getPackageManager
android.content.Context
getPackageName
android.content.pm.PackageManager
getPackageInfo
android.content.pm.PackageInfo
signatures
X.509
java.security.cert.CertificateFactory
getInstance
android.content.pm.Signature
toByteArray
java.security.cert.CertificateFactory
generateCertificate
java.security.cert.X509Certificate
getSubjectX500Principal
从上面可以看到, 不仅查看了程序的status(状态), 还查询ptrace的pid, 标志位(ro.debuggable), x509证书等多种方式来判断是否处于调试状态.
0x08 后记
dex是一位大佬通过重编译安卓源码提取出来的, 实际就是脱了壳, 原本有native层的加固(某灰产软件). 可以考虑一下写一个jeb插件去解析这些字符串, 可以省好多时间. 这个保护其实是某国外安全公司开发的, 详见
网友评论