References
https://www.2cto.com/kf/201605/506072.html
https://blog.csdn.net/QQ1084283172/article/details/53579909
How 360 Jiagu hardening works
https://www.52pojie.cn/thread-785807-1-1.html
Principles and overall analysis
https://www.freebuf.com/articles/terminal/145102.html
360 packer source code analysis
1. libjgdtc.so: https://blog.csdn.net/feibabeibei_beibei/article/details/88405435
2. The last class under com.qihoo.util: appears to be code that blocks anti-debugging
Structure of a 360 Jiagu project
https://blog.csdn.net/freakishfox/article/details/79752847
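Anti-debugging
Changing the android_server port: https://blog.csdn.net/tabactivity/article/details/78506637 (Beginners are advised not to modify the android_server file directly; it is easy to break.)
With the IDA Pro debugging environment set up earlier, I hardened an arbitrary app with 360 Jiagu for testing. As soon as I clicked the debug button (the green arrow), the program crashed. Within a certain period of time, any click would crash it; after a while it was fine again. I painfully went through the process above over and over, trying all sorts of things, and only later learned online that this is the first barrier 360 sets for us: anti-debugging.
I can really relate to this article: https://www.52pojie.cn/thread-709669-1-1.html
Level 1: no breakpoints at all
Debugging with the debugger options configured above, the program crashes immediately when F9 is pressed, and the console prints: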
12C00000: deleted segment dalvik_main_space, end: 12E01000
12E01000: deleted segment dalvik_main_space, end: 32C00000
32C00000: deleted segment dalvik_main_space, end: 32C01000
32C01000: deleted segment dalvik_main_space, end: 52C00000
6F49B000: deleted segment system@framework@boot.art, end: 6FEAF000
6FEAF000: deleted segment system@framework@boot.oat, end: 71C79000
71C79000: deleted segment system@framework@boot.oat, end: 73560000
73560000: deleted segment system@framework@boot.oat, end: 73561000
73561000: deleted segment dalvik_zygote_space, end: 73C01000
73C01000: deleted segment dalvik_non_moving_space, end: 73C02000
73C02000: deleted segment dalvik_non_moving_space, end: 73C04000
73C04000: deleted segment dalvik_non_moving_space, end: 76562000
76562000: deleted segment dalvik_non_moving_space, end: 77561000
AAFEC000: deleted segment app_process32_xposed, end: AAFF7000
AAFF7000: deleted segment app_process32_xposed, end: AAFF9000
AAFF9000: deleted segment app_process32_xposed, end: AAFFA000
AB7E5000: deleted segment [heap], end: AB99B000
AB99B000: deleted segment [heap], end: AB99F000
E42A2000: deleted segment data@app@com.chinalwb.are.demo_1@base.apk@classes.dex, end: E446F000
E446F000: deleted segment data@app@com.chinalwb.are.demo_1@base.apk@classes.dex, end: E4491000
E4491000: deleted segment data@app@com.chinalwb.are.demo_1@base.apk@classes.dex, end: E4492000
E4492000: deleted segment dalvik_allocspace_main_rosalloc_space_mark_bitmap_3, end: E4C92000
E4C92000: deleted segment dalvik_allocspace_main_rosalloc_space_live_bitmap_3, end: E5492000
E5492000: deleted segment debug001, end: EB892000
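Level 2: ptrace anti-debugging
Following http://m.wfuyu.com/technology/26638.html, I set a breakpoint on the mmap function in libc.so. The error "558CE0A000: got SIGSEGV signal (Segmentation violation) (exc.code b, tid 25389)" was reported, but the program did not crash, which already counts as progress.
Do not click Yes on the prompt above, or the program crashes immediately. After clicking No, the prompt shown is
According to posts online, this is an anti-debugging technique: https://blog.csdn.net/think_ycx/article/details/89974528
For now my progress is stuck here; I can't beat 360. I hope an expert passing by can lend a hand.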