In mobile apps, some functions in .so files are protected with mprotect: the encrypted data is decrypted and then executed in memory, after which the memory contents are re-encrypted and written back to their original location. The decrypted data usually carries anti-debugging functionality as well.
Countermeasure for cracking: after tracing under the IDA debugger to restore the decrypted memory data and extract the encryption algorithm, take the key's memory data and the address of the modified memory data as inputs to an IDC script, print the generated encrypted data or instructions, and then use UE to patch the .so, so the modification becomes permanent; afterwards the .so can be traced and debugged directly.
Save the script below as xx.idc, then import and run it in IDA with Shift+F2.
# IDAPython script (it is Python, even though it is saved as xx.idc): run it under the
# IDA debugger while the target is suspended, so idaapi.dbg_read_memory() reads live memory.
import struct
import idaapi
from idc import askaddr, asklong, askstr, askyn   # input dialogs (pre-7.0 IDAPython names)

KEY_LEN = 0x6c   # the XOR key repeats every 0x6c bytes


def read_mem(addr, size):
    # dbg_read_memory() returns None when the range is not readable in the debuggee.
    buf = idaapi.dbg_read_memory(addr, size)
    if buf is None:
        raise RuntimeError('cannot read 0x%x bytes at 0x%x' % (size, addr))
    return bytearray(buf)


def word_hex(buf):
    # First 4 bytes of buf as a little-endian 32-bit word (one ARM instruction).
    return '0x%08x' % struct.unpack('<I', bytes(buf[:4]))[0]


def dump24c8(start, length, key, target):
    # Region based at 0x70d1a4c8: the key stream is the first 0x6c bytes at 'key'.
    rawincbyte = read_mem(start, length)
    # distance from the region base decides which key byte the first data byte pairs with
    offset = (start - 0x70d1a4c8) % KEY_LEN
    print('rawinchex is ' + word_hex(rawincbyte))
    rawkeybyte = read_mem(key, KEY_LEN)
    count = 0
    while count < length:
        print('the count is: ' + str(count))
        rawincbyte[count] ^= rawkeybyte[(offset + count) % KEY_LEN]
        count += 1
    with open(target, 'wb') as fd:
        fd.write(rawincbyte)   # the transformed bytes, written once after the loop
    print('rawinchex is ' + word_hex(rawincbyte))


def dump14a4(start, length, key, target):
    # Region based at 0x70d194a4: the key stream is the second 0x6c-byte block at 'key'.
    rawincbyte = read_mem(start, length)
    offset = start - 0x70d194a4
    print('offset is ' + str(offset))
    # optional manual override of the first instruction word before decoding:
    # rawincbyte[0] = 0x39
    # rawincbyte[1] = 0x00
    # rawincbyte[2] = 0x00
    # rawincbyte[3] = 0x1a
    print('rawinchex is ' + word_hex(rawincbyte))
    rawkeybyte = read_mem(key + KEY_LEN, KEY_LEN)
    offset %= KEY_LEN
    print('offset is ' + str(offset))
    count = 0
    while count < length:
        print('the count is: ' + str(count))
        rawincbyte[count] ^= rawkeybyte[(offset + count) % KEY_LEN]
        count += 1
    with open(target, 'wb') as fd:
        fd.write(rawincbyte)   # the transformed bytes, written once after the loop
    print('rawinchex is ' + word_hex(rawincbyte))


def getdexlen(start):
    # DEX header: file_size is the 32-bit little-endian field at offset 0x20.
    mem = read_mem(start + 0x20, 4)
    length = struct.unpack('<I', bytes(mem))[0]
    print('len is 0x%x' % length)
    return int(length)


# input: start is 0x78960, len is 0x200, target is c:\xx.raw
start = askaddr(0, 'input instruction start addr in hex: ')
length = asklong(0, 'input instruction len in hex: ')
key = askaddr(0, 'input key addr in hex: ')
target = askstr('c:\\ins.txt', 'input the dump file path')
# the dialogs return None when cancelled, so check that before comparing
if start is not None and length is not None and key is not None and target:
    print('start is 0x%x len is %d key is 0x%x target is %s' % (start, length, key, target))
    if (length > 0 and start >= 0 and key >= 0
            and askyn(1, 'start is 0x%0x, len is %d, enc dump to %s' % (start, length, target)) == 1):
        dump14a4(start, length, key, target)
        print('dump finish')
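The XOR stage of the script above, modelled offline so the key alignment can be checked without a debugger. This is an added example, not the page's script: the base address is reused from the script, while the sample key, the sample region contents and the function names are constructed for the demonstration. It also checks the case the script relies on, a dump that starts part-way into the region, and shows that a wrong base address desynchronises the key stream.

```python
# Added example (not the page's script): offline model of the repeating-key XOR that the
# IDA script applies to memory it reads. Sample key and data below are constructed.
import struct

KEY_LEN = 0x6c   # the key repeats every 0x6c bytes, as in the script


def xor_region(data, key, start, base):
    """XOR 'data' (read from address 'start') with the repeating 'key'.

    The key byte paired with the first data byte is chosen by how far 'start'
    lies from the region base: (start - base) % KEY_LEN. A dump that begins
    mid-region therefore still lines up with the key stream.
    """
    if len(key) != KEY_LEN:
        raise ValueError('key must be exactly 0x%x bytes' % KEY_LEN)
    offset = (start - base) % KEY_LEN
    out = bytearray(data)
    for i in range(len(out)):
        out[i] ^= key[(offset + i) % KEY_LEN]
    return bytes(out)


def first_word(buf):
    """First 4 bytes as a little-endian 32-bit word, as the script prints it."""
    return struct.unpack('<I', buf[:4])[0]


# Constructed sample: a 0x6c-byte key and a region of 0x200 plaintext bytes.
SAMPLE_KEY = bytes((i * 7 + 3) & 0xff for i in range(KEY_LEN))
BASE = 0x70d194a4                      # region base used by dump14a4 in the script
PLAIN = bytes(range(256)) * 2          # 0x200 bytes of stand-in "decrypted" content

# Encrypt the whole region as the protector would, then decode a 0x40-byte slice
# that starts 0x10 bytes into it: the offset math must pick up the key mid-stream.
ENC = xor_region(PLAIN, SAMPLE_KEY, BASE, BASE)
SLICE_START = BASE + 0x10
DEC_SLICE = xor_region(ENC[0x10:0x50], SAMPLE_KEY, SLICE_START, BASE)


def slice_matches():
    # True if decoding the partial dump reproduces the matching plaintext bytes.
    return DEC_SLICE == PLAIN[0x10:0x50]


def round_trips():
    # XOR is self-inverse: the same routine both encrypts and decrypts.
    return xor_region(ENC, SAMPLE_KEY, BASE, BASE) == PLAIN


def misaligned_fails():
    # A base that is off by one shifts every key index, so the output is wrong.
    wrong = xor_region(ENC[0x10:0x50], SAMPLE_KEY, SLICE_START, BASE + 1)
    return wrong != PLAIN[0x10:0x50]


if __name__ == '__main__':
    print('slice ok: %s, round trip: %s, misaligned differs: %s' %
          (slice_matches(), round_trips(), misaligned_fails()))
    print('first word of decoded slice: 0x%08x' % first_word(DEC_SLICE))
```

The point of the offset computation is that the script's `start` argument is the address of the dump, not of the region start, so the key index must be rebased before the loop; the misaligned case shows what a wrong base address looks like in practice (every byte decodes incorrectly, not just the first few).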