Reverse-engineering analysis of 一份礼物.apk ("A Gift")


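Source: Qilu Normal University Network Security Club (齐鲁师院网络安全社团)

It all started with the "1013 incident" that shocked university students across the country!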


I happened to see the club's group chat discussing this, so I put my professional skills to use and analyzed it.


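With the APK in hand, the first step is of course to run it in a virtual machine and see what it does.

Hmm, this familiar-looking screen, this familiar volume. The only change is that the music is now the catchy, brainwashing O泡果奶 advertisement.

Got it. Isn't this just "送给最好的ta.apk"?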


Analyze it with Android Killer or apk改之理 (ApkIDE); Android Killer is used here:


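Comparing it with 送给最好的ta.apk shows the following:

There is one additional file, layout.lua, but judging by its name it is just a layout file and has little impact. The mp3 file has been renamed from 0.mp3 to mc.mp3. Nothing else has changed, not even the app icon. This mc.mp3 is the advertisement audio that gets played.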


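The rest is simple. The Lua files are encrypted, but analysis of the Java code shows that the encryption scheme has not changed either: it still uses /lib/armeabi-v7a/libluajava.so. So reverse-engineer that file with IDA 7.0 (x32):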


The file decryption routine turns out to be inside luaL_loadbufferx.

Here I simply use the decryption script written by pcat:

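from ctypes import c_int, c_uint, c_ulonglong
import sys


def decrypt(filename):
    # Read the encrypted Lua file extracted from the APK
    with open(filename, 'rb') as f:
        s = f.read()
    outfile = 'out.lua'
    # Encrypted files start with 0x1b but lack the 'L' (0x4c) of the
    # standard "\x1bLua" bytecode header
    if len(s) > 1 and s[0] == 0x1b and s[1] != 0x4c:
        rst = bytearray([0x1b])
        size = len(s)
        v10 = 0
        for i in range(1, size):
            # Per-byte XOR key derived from a running total of the file size
            v10 += size
            v = (c_ulonglong(-2139062143 * v10).value >> 32) + v10
            v1 = c_uint(v).value >> 7
            v2 = c_int(v).value < 0
            rst.append(s[i] ^ (v10 + v1 + v2) & 0xff)
        with open(outfile, 'wb') as f:
            f.write(rst)


def foo():
    print(len(sys.argv))
    # Default to main.lua when no file name is given on the command line
    if len(sys.argv) == 2:
        filename = sys.argv[1]
    else:
        filename = 'main.lua'
    decrypt(filename)


if __name__ == '__main__':
    foo()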
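
For triaging a whole sample at once, the following added example (not part of the original article or of pcat's script) applies the same header check and XOR keystream in memory to every .lua entry of an APK. The function names, the assets/ entry paths and the sample APK are constructed for illustration.

```python
import io
import zipfile
from ctypes import c_int, c_uint, c_ulonglong

def keystream_byte(v10):
    # Same arithmetic as the decryption script above, for running total v10
    v = (c_ulonglong(-2139062143 * v10).value >> 32) + v10
    v1 = c_uint(v).value >> 7
    v2 = c_int(v).value < 0
    return (v10 + v1 + v2) & 0xff

def xor_body(data):
    # XOR bytes 1..n-1 with the keystream; byte 0 (0x1b) is left untouched.
    # XOR is its own inverse, so the same routine undoes the encryption.
    size = len(data)
    out = bytearray(data[:1])
    for i in range(1, size):
        out.append(data[i] ^ keystream_byte(i * size))
    return bytes(out)

def classify(data):
    if data[:1] != b"\x1b":
        return "plain"       # plain-text Lua source (or not Lua at all)
    if data[1:2] == b"L":
        return "bytecode"    # standard "\x1bLua" header, ready for unluac
    return "encrypted"       # 0x1b marker without 'L': body is XOR-ed

def triage_apk(apk_bytes):
    # Returns {entry name: (kind, bytes ready for a decompiler or reader)}
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in (n for n in apk.namelist() if n.endswith(".lua")):
            data = apk.read(name)
            kind = classify(data)
            report[name] = (kind, xor_body(data) if kind == "encrypted" else data)
    return report

def build_sample_apk():
    # Constructed sample: a fake bytecode blob, XOR-ed, plus a plain-text file
    bytecode = b"\x1bLuaS\x00" + bytes(range(18))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/main.lua", xor_body(bytecode))
        z.writestr("assets/init.lua", b'appver = "9.0"\n')
    return buf.getvalue(), bytecode

if __name__ == "__main__":
    print({n: k for n, (k, _) in triage_apk(build_sample_apk()[0]).items()})
```

Entries reported as "encrypted" come back already decrypted and can be written to disk for unluac.jar.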

Restore the resulting file with unluac.jar. This finally yields three Lua files:

init.lua:

local L0, L1
appname = "\230\143\146\228\187\1829.0"
appver = "9.0"
packagename = "com.ta.cnm"
appcode = "9"
appsdk = "15"
theme = "Theme_DeviceDefault_Light_NoActionBar"
L0 = {}
L1 = "WRITE_EXTERNAL_STORAGE"
L0[1] = L1
user_permission = L0

main.lua:

local L0, L1, L2, L3
L0 = require
L1 = "import"
L0(L1)
L0 = import
L1 = "android.app.*"
L0(L1)
L0 = import
L1 = "android.os.*"
L0(L1)
L0 = import
L1 = "android.widget.*"
L0(L1)
L0 = import
L1 = "android.view.*"
L0(L1)
L0 = import
L1 = "android.view.View"
L0(L1)
L0 = import
L1 = "android.content.Context"
L0(L1)
L0 = import
L1 = "android.media.MediaPlayer"
L0(L1)
L0 = import
L1 = "android.media.AudioManager"
L0(L1)
L0 = import
L1 = "com.androlua.Ticker"
L0(L1)
L0 = activity
L0 = L0.getSystemService
L1 = Context
L1 = L1.AUDIO_SERVICE
L0 = L0(L1)
L0 = L0.setStreamVolume
L1 = AudioManager
L1 = L1.STREAM_MUSIC
L2 = 15
L3 = AudioManager
L3 = L3.FLAG_SHOW_UI
L0(L1, L2, L3)
L0 = activity
L0 = L0.getDecorView
L0 = L0()
L0 = L0.setSystemUiVisibility
L1 = View
L1 = L1.SYSTEM_UI_FLAG_HIDE_NAVIGATION
L2 = View
L2 = L2.SYSTEM_UI_FLAG_IMMERSIVE
L1 = L1 | L2
L0(L1)
L0 = MediaPlayer
L0 = L0()
m = L0
L0 = m
L0 = L0.reset
L0()
L0 = m
L0 = L0.setDataSource
L1 = activity
L1 = L1.getLuaDir
L1 = L1()
L2 = "/mc.mp3"
L1 = L1 .. L2
L0(L1)
L0 = m
L0 = L0.prepare
L0()
L0 = m
L0 = L0.start
L0()
L0 = m
L0 = L0.setLooping
L1 = true
L0(L1)
L0 = Ticker
L0 = L0()
ti = L0
L0 = ti
L0.Period = 10
L0 = ti
function L1()
  local L0, L1, L2, L3
  L0 = activity
  L0 = L0.getSystemService
  L1 = Context
  L1 = L1.AUDIO_SERVICE
  L0 = L0(L1)
  L0 = L0.setStreamVolume
  L1 = AudioManager
  L1 = L1.STREAM_MUSIC
  L2 = 15
  L3 = AudioManager
  L3 = L3.FLAG_SHOW_UI
  L0(L1, L2, L3)
  L0 = activity
  L0 = L0.getDecorView
  L0 = L0()
  L0 = L0.setSystemUiVisibility
  L1 = View
  L1 = L1.SYSTEM_UI_FLAG_HIDE_NAVIGATION
  L2 = View
  L2 = L2.SYSTEM_UI_FLAG_IMMERSIVE
  L1 = L1 | L2
  L0(L1)
end
L0.onTick = L1
L0 = ti
L0 = L0.start
L0()
function L0(A0, A1)
  local L2, L3, L4, L5
  L2 = string
  L2 = L2.find
  L3 = tostring
  L4 = A1
  L3 = L3(L4)
  L4 = "KEYCODE_BACK"
  L2 = L2(L3, L4)
  if L2 ~= nil then
    L2 = activity
    L2 = L2.getSystemService
    L3 = Context
    L3 = L3.AUDIO_SERVICE
    L2 = L2(L3)
    L2 = L2.setStreamVolume
    L3 = AudioManager
    L3 = L3.STREAM_MUSIC
    L4 = 15
    L5 = AudioManager
    L5 = L5.FLAG_SHOW_UI
    L2(L3, L4, L5)
  end
  L2 = true
  return L2
end
onKeyDown = L0

layout.lua:

local L0, L1, L2, L3
L0 = {}
L1 = LinearLayout
L0.layout_width = "fill"
L0.layout_height = "fill"
L2 = {}
L3 = Button
L2.textColor = "#D50000"
L2.text = "\230\131\138\228\184\141\230\131\138\229\150\156 \230\132\143\228\184\141\230\132\143\229\164\150"
L2.layout_height = "match_parent"
L2.layout_width = "match_parent"
L2.background = "#88888888"
L2[1] = L3
L0[1] = L1
L0[2] = L2
return L0

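Analysis of the three files:

init.lua: defines the app's name, version (already at 9.0?), package name (this guy has quite a temper), SDK version, theme, required permissions and other data.

main.lua: all of the actual logic is here. Roughly, it loads mc.mp3, plays it, keeps setting the volume to 15 (the maximum), and intercepts and disables the Back button.

layout.lua: sets the page layout.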


A prank is fun for a moment, but there has to be a limit.

What if next time it is a file carrying a virus?

Oh, and the fix: kill the process or power off the device.

This is an original article. Author: 张 (Zhang). Copyright belongs to 华盟网. If you reprint it, please cite the source: https://www.77169.net/html/270170.html
