2bebb2b85345bac93a790d1a6986b3d5
经验
1 貌似特征码,需要在从伪代码切换到汇编模式 ,再点击看具体值
2 找出特征码,然后google 再带 算法,再带c source 如 md5 0x242070DB c source
3 md5 和sha1 在transfrom 4个特征相同,sha1 多两个
重命名经验
根据上下文关系,需要点进去发现特征量,验证后重命名,然后再查交叉引用,对比算法源码,看是啥函数,继续重命名外面函数
hmac md5 逆向思路 // 结果特征是32位长度
md5 源码 https://opensource.apple.com/source/cvs/cvs-19/cvs/lib/md5.c
本质就是2次md5,有一次是和key 进行的
md5再次经过md5,hmac 都需要一个key,这个key经过一个xor 得到一个bufer 就是key
md5(md5(str1+str2)+key )
其中key 是input 一个buffer ,然后 xor 得到md5 要用的 key
hmacmd5 源码如下
https://opensource.apple.com/source/bind9/bind9-42.1/bind9/lib/isc/hmacmd5.c.auto.html
参看源码,hmac 两次md5 updae
逆向思路
1 首选判断是 md5 (通过长度和里面特征)
2 部分常量有hamc 特征表是在
3 对比源码和反编译源码,重命名 (源码相互引用也看)
4 hook 函数 ,对比外面函数和和md5updae
注意标准 hmac md5 的key计算过程,xor 的值可能修改,具体hook hexddump 打印出来的值就是xor 的值
看不懂看 hmac256 分析过程
hmac sha256 // 字符特征是64位长度,(sha256 是64长度)
https://github.com/aperezdc/hmac-sha256/blob/master/hmac-sha256.c
sha256_init (&ss);
sha256_update (&ss, kx, B);
sha256_update (&ss, data, data_len);
sha256_final (&ss, out);
2次update ,hmac 是要配合key的
逆向思路
1 找到 sha256的特征 --。特征表是在 sha256_transform 使用,-sha256_transform 在sha256_update 中使用,可以hook sha256_update
2 从内部特征对比源码得到函数名称,知道函数入参,外部调用的函数入参根据内部已知道函数参数来获得(如果多个已知道函数的参数,那么一个跟丢找另外一个
3 hexdump 出来的数据如果大部分都是...可以忽略
逆向一个 hmac sha256 ,hook updae 函数 ,其中第一个可能是key
js hook 代码
function main()
{
var module=Module.getBaseAddress("libnative-lib.so")
console.log(module.add(0x2F030).readCString());
if(module)
{
// var sub_15030=module.add(0x15030+1);
// Interceptor.attach(sub_15030,{
// onEnter:function(args)
// { this.arg0=args[0];
// this.arg1=args[1];
// console.log("sub_15030:","\r\n", hexdump(args[0]) ,"\r\n",hexdump(args[1]));
// },
// onLeave:function(retval)
// {
// console.log("sub_15030 leverl:",hexdump(this.arg0),"\r\n",hexdump(this.arg1));
// }
// })
var sub_15218=module.add(0x15218+1);
Interceptor.attach(sub_15218,{
onEnter:function(args)
{
console.log("sha246 update enter:","\r\n",hexdump(args[1],{length:parseInt(args[2])}),"\r\n",args[2]);
},
onLeave:function(retval)
{
}
})
var sub_15030=module.add(0x15030+1);
Interceptor.attach(sub_15030,{
onEnter:function(args)
{
this.arg1=args[1];
// console.log("sub_15030 enter:",hexdump(args[1]));
},
onLeave:function(retval)
{
console.log("sub_15030 leave:",hexdump(this.arg1));
}
})
}
}
setImmediate(main);
ha246 update enter:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
ffa7df40 37 3d 32 24 29 39 03 35 31 25 3d 32 3b 03 69 6e 7=2$)9.51%=2;.in
ffa7df50 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c \\\\\\\\\\\\\\\\
ffa7df60 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c \\\\\\\\\\\\\\\\
ffa7df70 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c \\\\\\\\\\\\\\\\
0x40
sha246 update enter:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
ffa7df40 5d 57 58 4e 43 53 69 5f 5b 4f 57 58 51 69 03 04 ]WXNCSi_[OWXQi..
ffa7df50 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
ffa7df60 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
ffa7df70 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
0x40
sha246 update enter:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
e01d0a40 56 78 66 64 79 6d 4c 50 6f 47 4d 6f 72 54 68 62 VxfdymLPoGMorThb
e01d0a50 76 76 47 50 51 69 4a 52 46 59 vvGPQiJRFY
0x1a
sha246 update enter:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
d10347dd 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
d10347ed 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..............
0x1e
sha246 update enter:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
ffa7df18 00 00 00 00 00 00 02 d0 ........
0x8
sha246 update enter:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
ffa7df60 ab 7b 82 01 9c 08 76 e0 5e 80 29 83 48 3b 99 fe .{....v.^.).H;..
ffa7df70 1f 81 9f 19 30 09 0b bc 66 10 1e 49 db c0 87 7a ....0...f..I...z
0x20
sha246 update enter:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
d10347dd 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
d10347ed 00 00 00 00 00 00 00 00 ........
0x18
sha246 update enter:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
ffa7df18 00 00 00 00 00 00 03 00 ........
0x8
sub_15030 leave: 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
ffa7e0c8 18 65 0c 6b 41 87 34 6b 0f 24 88 fb b4 32 c1 61 .e.kA.4k.$...2.a
ffa7e0d8 1d e3 bf b4 58 57 49 34 99 be 6d 3a 64 c2 f0 69 ....XWI4..m:d..i
ffa7e0e8 f2 da d8 76 4e 00 00 00 00 a0 1d ec 00 00 00 00 ...vN...........
ffa7e0f8 9c e1 a7 ff e4 40 05 ed 01 00 00 00 00 00 00 00 .....@..........
ffa7e108 f8 e3 a7 ff 63 cf 25 d1 e4 40 05 ed 84 ee a7 ff ....c.%..@......
ffa7e118 02 00 00 00 e0 aa 80 13 d0 51 e5 12 07 00 00 00 .........Q......
ffa7e128 90 e0 a7 ff 22 3b 4a d1 10 3b 4a d1 00 00 00 00 ....";J..;J.....
ffa7e138 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ffa7e148 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ffa7e158 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
ffa7e168 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
ffa7e178 00 00 00 00 f8 e3 a7 ff 4e 00 00 00 00 00 00 00 ........N.......
ffa7e188 9c e1 a7 ff 23 e5 09 ec 00 00 00 00 d0 51 e5 12 ....#........Q..
ffa7e198 f2 da d8 76 97 82 5e d1 01 00 00 00 00 00 00 00 ...v..^.........
ffa7e1a8 f8 e3 a7 ff 4e 00 00 00 10 e2 a7 ff 00 00 00 00 ....N...........
ffa7e1b8 00 00 00 00 9d 2b 0a ec f8 e3 a7 ff 00 00 00 00 .....+..........
看上面 数据
ffa7df40 5d 57 58 4e 43 53 69 5f 5b 4f 57 58 51 69 03 04 ]WXNCSi_[OWXQi..
ffa7df50 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
ffa7df60 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
ffa7df70 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 36 6666666666666666
e01d0a40 56 78 66 64 79 6d 4c 50 6f 47 4d 6f 72 54 68 62 VxfdymLPoGMorThb
e01d0a50 76 76 47 50 51 69 4a 52 46 59 vvGPQiJRFY
sha246 update enter:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
e01d0a40 56 78 66 64 79 6d 4c 50 6f 47 4d 6f 72 54 68 62 VxfdymLPoGMorThb
e01d0a50 76 76 47 50 51 69 4a 52 46 59 vvGPQiJRFY
经过from hexdump sha2 ,选择256
得到 ab7b82019c0876e05e802983483b99fe1f819f1930090bbc66101e49dbc0877a
如前面hexdump
sha246 update enter:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
ffa7df60 ab 7b 82 01 9c 08 76 e0 5e 80 29 83 48 3b 99 fe .{....v.^.).H;..
ffa7df70 1f 81 9f 19 30 09 0b bc 66 10 1e 49 db c0 87 7a ....0...f..I...z
0x20
这个结果再次和
ha246 update enter:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
ffa7df40 37 3d 32 24 29 39 03 35 31 25 3d 32 3b 03 69 6e 7=2$)9.51%=2;.in
ffa7df50 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c \\\\\\\\\\\\\\\\
ffa7df60 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c \\\\\\\\\\\\\\\\
ffa7df70 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c \\\\\\\\\\\\\\\\
from hexdump 经过 sha2 ,选择256
得到最终结果,逆向结束
hamc key的一个特点 ,类似
ffa7df40 37 3d 32 24 29 39 03 35 31 25 3d 32 3b 03 69 6e 7=2$)9.51%=2;.in
ffa7df50 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c \\\\\\\\\\\\\\\\
ffa7df60 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c \\\\\\\\\\\\\\\\
ffa7df70 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c \\\\\\\\\\\\\\\\
通过fromhexdump 再xor 0x5c 得到字符本身 (这个例子中有5c和36)
标签:00,魔改,36,update,sha256,hmac,5c,md5 From: https://www.cnblogs.com/chaobao/p/17442940.html