hardend

Android reverse engineering is a bit of a weak spot for me.

Let's give it a try.

Open it with JEB.

The bytecode folder is named secshell.

A quick search shows this is the Bangbang (梆梆) packer.

Library names used by the various packers:

Source: "Detecting various APK packers" (apk各种壳的检测), caiqiiqi's blog on CSDN.

"libchaosvmp.so":"娜迦",
"libddog.so":"娜迦",
"libfdog.so":"娜迦",
"libedog.so":"娜迦企业版",
"libexec.so":"爱加密",
"libexecmain.so":"爱加密",
"ijiami.dat":"爱加密",
"ijiami.ajm":"爱加密企业版",
"libsecexe.so":"梆梆免费版",
"libsecmain.so":"梆梆免费版",
"libSecShell.so":"梆梆免费版",
"libDexHelper.so":"梆梆企业版",
"libDexHelper-x86.so":"梆梆企业版",
"libprotectClass.so":"360",
"libjiagu.so":"360",
"libjiagu_art.so":"360",
"libjiagu_x86.so":"360",
"libegis.so":"通付盾",
"libNSaferOnly.so":"通付盾",
"libnqshield.so":"网秦",
"libbaiduprotect.so":"百度",
"aliprotect.dat":"阿里聚安全",
"libsgmain.so":"阿里聚安全",
"libsgsecuritybody.so":"阿里聚安全",
"libmobisec.so":"阿里聚安全",
"libtup.so":"腾讯",
"libexec.so":"腾讯",
"libshell.so":"腾讯",
"mix.dex":"腾讯",
"lib/armeabi/mix.dex":"腾讯",
"lib/armeabi/mixz.dex":"腾讯",
"libtosprotection.armeabi.so":"腾讯御安全",
"libtosprotection.armeabi-v7a.so":"腾讯御安全",
"libtosprotection.x86.so":"腾讯御安全",
"libnesec.so":"网易易盾",
"libAPKProtect.so":"APKProtect",
"libkwscmm.so":"几维安全",
"libkwscr.so":"几维安全",
"libkwslinker.so":"几维安全",
"libx3g.so":"顶像科技",
"libapssec.so":"盛大",
"librsprotect.so":"瑞星"
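The table above is only useful once it is applied to an APK's file list. The following is an added example (not from the write-up or the CSDN post) that indexes the table and scans the zip entries of an APK for those artefact names; it also handles a pitfall in the table as given, namely that "libexec.so" appears under two vendors, which a plain dict would silently collapse. The sample APK is a constructed, empty-file zip built in memory, not a real app.

```python
import io
import zipfile
from collections import defaultdict

# Packer artefact names and the vendor each belongs to, copied from the
# table above. "libexec.so" appears there under two vendors (爱加密 and 腾讯),
# so a plain dict would silently drop one of them; the index below keeps both.
PACKER_SIGNATURES = [
    ("libchaosvmp.so", "娜迦"),
    ("libddog.so", "娜迦"),
    ("libfdog.so", "娜迦"),
    ("libedog.so", "娜迦企业版"),
    ("libexec.so", "爱加密"),
    ("libexecmain.so", "爱加密"),
    ("ijiami.dat", "爱加密"),
    ("ijiami.ajm", "爱加密企业版"),
    ("libsecexe.so", "梆梆免费版"),
    ("libsecmain.so", "梆梆免费版"),
    ("libSecShell.so", "梆梆免费版"),
    ("libDexHelper.so", "梆梆企业版"),
    ("libDexHelper-x86.so", "梆梆企业版"),
    ("libprotectClass.so", "360"),
    ("libjiagu.so", "360"),
    ("libjiagu_art.so", "360"),
    ("libjiagu_x86.so", "360"),
    ("libegis.so", "通付盾"),
    ("libNSaferOnly.so", "通付盾"),
    ("libnqshield.so", "网秦"),
    ("libbaiduprotect.so", "百度"),
    ("aliprotect.dat", "阿里聚安全"),
    ("libsgmain.so", "阿里聚安全"),
    ("libsgsecuritybody.so", "阿里聚安全"),
    ("libmobisec.so", "阿里聚安全"),
    ("libtup.so", "腾讯"),
    ("libexec.so", "腾讯"),
    ("libshell.so", "腾讯"),
    ("mix.dex", "腾讯"),
    ("lib/armeabi/mix.dex", "腾讯"),
    ("lib/armeabi/mixz.dex", "腾讯"),
    ("libtosprotection.armeabi.so", "腾讯御安全"),
    ("libtosprotection.armeabi-v7a.so", "腾讯御安全"),
    ("libtosprotection.x86.so", "腾讯御安全"),
    ("libnesec.so", "网易易盾"),
    ("libAPKProtect.so", "APKProtect"),
    ("libkwscmm.so", "几维安全"),
    ("libkwscr.so", "几维安全"),
    ("libkwslinker.so", "几维安全"),
    ("libx3g.so", "顶像科技"),
    ("libapssec.so", "盛大"),
    ("librsprotect.so", "瑞星"),
]


def build_index(pairs):
    """Map each artefact name to the list of vendors that use it."""
    index = defaultdict(list)
    for name, vendor in pairs:
        if vendor not in index[name]:
            index[name].append(vendor)
    return dict(index)


SIGNATURE_INDEX = build_index(PACKER_SIGNATURES)


def detect_packers(apk_bytes):
    """Return {vendor: [matching zip entries]} for an APK supplied as bytes.

    Each entry is checked both as its full path (the table has entries such
    as lib/armeabi/mix.dex) and as its bare file name.
    """
    hits = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for entry in zf.namelist():
            basename = entry.rsplit("/", 1)[-1]
            for key in (entry, basename):
                for vendor in SIGNATURE_INDEX.get(key, []):
                    if entry not in hits[vendor]:
                        hits[vendor].append(entry)
    return dict(hits)


def make_sample_apk(entries):
    """Build a constructed, empty-file zip in memory that stands in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_apk(["classes.dex", "lib/armeabi-v7a/libSecShell.so"])
    print(detect_packers(sample))  # {'梆梆免费版': ['lib/armeabi-v7a/libSecShell.so']}
```

Matching on file names alone is a heuristic: a packer can rename its libraries, and a library name shared by two vendors (as "libexec.so" is here) needs the other artefacts in the same APK to disambiguate, which is why the result keeps every matching entry per vendor rather than a single label.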

Unpack the file with:

https://github.com/CodingGay/BlackDex

Xiaomi's cross-screen collaboration (米家跨屏协作) is quite handy here; it saves some tedious file transfers.

The key information is found in the dumped dex file 540752.

It has to match:

“mXYxnHYp61u/5qksdDel6TgiKqcvUbBkX3xErlR4lO0aEAdU0acJY8PRSVXJxxsRR8Dq9MTJhkWLSbBvCG5gtm==”

This looks like base64, but most likely with a modified alphabet, so the next step is to find the custom table.

Just above this, an enc library is loaded.

So go back to the unpacked hardend files and find libenc.so.

Open it in IDA64.

Locate the corresponding function:

int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, ENGINE *impl, unsigned char *key, unsigned char *iv);

ooo is the key and oo0 is the IV.

Base64 characteristics are visible.

Look for the custom alphabet.

Cross-referencing locates the custom alphabet.

Write a script.

Get the result.
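The write-up does not show the script, so here is an added example of the decoding step it describes (not the author's code): base64 text written with a custom alphabet is mapped character-for-character back to the standard alphabet and handed to the standard decoder. The alphabet below is a constructed stand-in; the real one is whatever table the cross-reference in libenc.so points to and has to be copied from the binary. The length check at the end is the sanity test a practitioner wants before trying AES: ciphertext in a block mode must be a whole number of 16-byte blocks, and a wrong table usually fails there or in the decoder first.

```python
import base64
import string

STANDARD_ALPHABET = (
    string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
)

# Constructed stand-in alphabet for demonstration only; the real table must be
# recovered from libenc.so (the cross-referenced data the write-up mentions).
CUSTOM_ALPHABET = (
    "ZYXWVUTSRQPONMLKJIHGFEDCBA"
    "zyxwvutsrqponmlkjihgfedcba"
    "9876543210+/"
)


def validate_alphabet(alphabet):
    """A usable alphabet is 64 distinct characters, none of them the '=' pad."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("base64 alphabet must contain 64 distinct characters")
    if "=" in alphabet:
        raise ValueError("'=' is reserved for padding")


def custom_b64decode(text, alphabet=CUSTOM_ALPHABET):
    """Decode base64 text written with a custom alphabet.

    The text is translated back to the standard alphabet and passed to the
    stdlib decoder. validate=True makes any character outside the alphabet
    raise instead of being silently skipped, so a wrong table shows up
    immediately rather than producing garbage.
    """
    validate_alphabet(alphabet)
    to_standard = str.maketrans(alphabet, STANDARD_ALPHABET)
    return base64.b64decode(text.translate(to_standard), validate=True)


def custom_b64encode(raw, alphabet=CUSTOM_ALPHABET):
    """Inverse of custom_b64decode; handy for producing known test vectors."""
    validate_alphabet(alphabet)
    to_custom = str.maketrans(STANDARD_ALPHABET, alphabet)
    return base64.b64encode(raw).decode("ascii").translate(to_custom)


def decode_for_aes(text, alphabet=CUSTOM_ALPHABET, block_size=16):
    """Decode and confirm the result is a whole number of AES blocks."""
    data = custom_b64decode(text, alphabet)
    if len(data) % block_size:
        raise ValueError(
            f"{len(data)} bytes is not a multiple of {block_size}: "
            "wrong alphabet, or not block-cipher ciphertext"
        )
    return data


if __name__ == "__main__":
    vector = custom_b64encode(bytes(range(32)))
    print(vector)
    print(decode_for_aes(vector).hex())
```

Once the decoded bytes pass the block-length check, the remaining step is the AES decryption with the key (ooo) and IV (oo0) read out of libenc.so; the standard library has no AES, so that part is done with a package such as pycryptodome and is not shown here.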

With the AES key and IV in hand, decrypt to get the answer.