shihuo sh-sign字段unidbg逆向

环境

app：6891

Java层

GDA搜索sh-sign，

image-20220223102406736

com.shizhi.shihuoapp.module.framework.b.a.h

image-20220223102432621

cn.shihuo.modulelib.utils.bd.a

image-20220223102504101

com.shihuo.shsecsdk.Enviroment.generateSign

image-20220223102812788

image-20220223102836555

可以看到是在libsh_security.so

入口分析

ida搜索java，

image-20220223103125804

没有我们要的generateSign函数。搜索jni，没有结果，说明没有动态注册。那就用frida_hook_libart对libsh_security.so的NewStringUTF进行hook。

image-20220223112629012

发现是在nativeParam函数中生成的，说明最终是调用了nativeParam函数。

固定参数

frida看看输入输出

function hook() {
    var Env = Java.use("com.shihuo.shsecsdk.Enviroment");

    Env.nativeParam.implementation = function(str) {
        console.log(str);
        var ret = this.nativeParam(str);
        console.log(ret);
        return ret;
    }
}

function call_sign() {
    var Env = Java.use("com.shihuo.shsecsdk.Enviroment");
    var inst = Env.$new();
    var str = "{name=everhu}";
    inst.nativeParam(str);
}

image-20220223110747462

image-20220223111548060

unidbg实现

public class Shihuo extends AbstractJni {
    private final AndroidEmulator emulator;
    private final VM vm;
    private final Module module;

    public static String pkgName = "com.hupu.shihuo";
    public static String apkPath = "unidbg-android/src/test/java/com/shihuo/shihuo6891.apk";
    public static String soName = "sh_security";

    public Shihuo() {
        emulator = AndroidEmulatorBuilder.for32Bit().setProcessName(pkgName).build();
        Memory memory = emulator.getMemory();
        memory.setLibraryResolver(new AndroidResolver(23));
        vm = emulator.createDalvikVM(new File(apkPath));
        vm.setJni(this);
        vm.setVerbose(true);
        DalvikModule dm = vm.loadLibrary(soName, true);
        module = dm.getModule();
    }

    public void call_sign() {
        DvmClass clz = vm.resolveClass("com/shihuo/shsecsdk/Enviroment");
        String methodSign = "nativeParam(Ljava/lang/String;)Ljava/lang/String;";
        clz.callStaticJniMethodObject(emulator, methodSign, new StringObject(vm, "{name=everhu}"));
    }

    public static void main(String[] args) {
        Shihuo test = new Shihuo();
        test.call_sign();
    }
}

image-20220223111704829

直接出结果了。

逆向

看看nativeParam

image-20220223104032824

看看汇编

image-20220223104128841

emm，一时间不知道怎么修复。

从nativeParam的汇编从上往下看，调用了哪些函数

sub_60D7C

image-20220223104727824

image-20220223104758016

看不出什么，继续往下翻

image-20220223104840087

image-20220223104900944

a1应该是JNIEnv，改改

image-20220223104949201

继续看看

image-20220223105043463

image-20220223105113616

看起来是个关键的函数，搜索一下上面的magic number，

image-20220223105243642

看来应该是国密3算法了。下个断点看看输入

emulator.attach().addBreakPoint(module.base + 0x4F7C9);

image-20220223111759550

image-20220223111815669

没有拼接其他东西，找个在线SM3测一下

image-20220223112037174

可以看到前32位就是sh-sign