某SDK Wtoken分析总结

对自己平时分析的过程做一个简单记录原文地址

网上看到一些前辈对某SDK做过一些分析,一时手痒也来实践操作一下

一.获取样本

我的这个样本来源某网上自行查找,分析一通才发现和大佬说的完全不一样,大厂的更新速度真是太快了.

我这边上传的 wtoken:

0002_84288D08C9374C3BD0201E3A8581A637A4F10635D6C1AD364FF9AD35A3073D4AAD68B431ACBEB332ABC3AC3CA8CB7A3B8815EA47C900QufkJeD6QRw50f/FZmE56tVVB3+Xf7tsOWNwpGmRtV9c+9XVaEGi91mRse0WDGYDqSKE/Fi4XTybRySzpSqrj1b5OkdVEbBlAX1Y0laawyer+eMW3IR7qcVnEbup+zYaNy0rR4i8OSKMf/DrpghjUfkyybAhFBTgzjK5+dvGugTLWxfHU2gnYdnn79x3D/jz/EJEpBrN3O/FdanEn8S5wb0VbqzQ/iRbmMZxwq6hUJzCy7CvSH5gjDPX+8BpJUwaxVAy2VR5EhvhDFqPvm/YAuY6ZcfATB2Zh5x5kVkDUFWZGWtNp3OfWodBY6oT34iNKl7/DJl0v97g4JYEcUlXkVAUNTIb1+hAhRZb6stIR3DJoIO9LVAVTYBN5QzURu017Ob6/NjHUOwAd38REY5M6VLITharAN30Z61J0cYAp/xio4RBhojNqWl2FwPRnKbr

0002应该是该风控的版本号

我们这次来的目的就是为了把 wtoken 给完全解开

二.开始分析

根据官网的说明文档

if(![[AliTigerTally sharedInstance]initialize:@"****OpKLvM6zliu6KopyHIhmneb_****u4ekci2W8i6F9vrgpEezqAzEzj2ANrVUhvAXMwYzgY_****vc51aEQlRovkRoUhRlVsf4IzO9dZp6nN_****Wz8pk2TDLuMo4pVIQvGaxH3vrsnSQiK****"])

{

        NSLog(@"初始化失败");

        return;

}

NSString *signBody =@"hello";

NSString *wToken= [[AliTigerTally sharedInstance] vmpSign:[signBody dataUsingEncoding:NSUTF8StringEncoding]];

NSLog(@"wToken== %@",wToken);

1.固定随机数

首先是hook initialize 方法,拿到其中的appkey

然后hook vmpSign,固定入参,想办法把输出结果固定下来

然后发现生成的结果还是在变,分析其中的导入函数,hook其中可以产生随机值的地方

在hook arc4random 和 gettimeofday 终于将生成的结果固定唯一

2.分析结构组成

wtoken基本由四部分组成

版本号

0002_

时间戳

84288D08C9

整体的签名

374C3BD0201E3A8581A637A4F10635D6C1AD364FF9AD35A3073D4AAD68B431ACBEB332ABC3AC3CA8CB7A3B8815EA47C900

设备信息

QufkJeD6QRw50f/FZmE56tVVB3+Xf7tsOWNwpGmRtV9c+9XVaEGi91mRse0WDGYDqSKE/Fi4XTybRySzpSqrj1b5OkdVEbBlAX1Y0laawyer+eMW3IR7qcVnEbup+zYaNy0rR4i8OSKMf/DrpghjUfkyybAhFBTgzjK5+dvGugTLWxfHU2gnYdnn79x3D/jz/EJEpBrN3O/FdanEn8S5wb0VbqzQ/iRbmMZxwq6hUJzCy7CvSH5gjDPX+8BpJUwaxVAy2VR5EhvhDFqPvm/YAuY6ZcfATB2Zh5x5kVkDUFWZGWtNp3OfWodBY6oT34iNKl7/DJl0v97g4JYEcUlXkVAUNTIb1+hAhRZb6stIR3DJoIO9LVAVTYBN5QzURu017Ob6/NjHUOwAd38REY5M6VLITharAN30Z61J0cYAp/xio4RBhojNqWl2FwPRnKbr

3.加密过程分析

整个SDK混淆的比较严重,插入了大量花指令来阻止IDA的分析

从小三大神的文章中得到启示,找到的VMP调用外部函数的调用点

通过x8寄存器跳转到不同的函数里,通过打印x8的流转,然后用Frida来辅助分析.基本可以得到整个加密过程的基本逻辑

其中的加解密就是一些移位异或加减之类的,最后再进行一次AES加密生成的

比如通过字节码的补位来判断采取的加密方式

比如当 w9 为0时,采取的偏移跳转第一个加密块 loc_100038188

从图上可以清楚的看出来,这个一个比特位互换的操作例如 0xAB => 0xBA

还原成C的话就是 new_byte = ((orig_byte << 4) | (orig_byte >> 4)) & 0xff

剩下的15种加密方式就不一一列举了.

最后解密出来的数据基本如下

num:[zxsq-anti-bbcode-0x00] data:[b'com.xxxxxx.cn']

num:[zxsq-anti-bbcode-0x01] data:[b'xxxxxx']

num:[zxsq-anti-bbcode-0x02] data:[b'5.1.0']

num:[zxsq-anti-bbcode-0x03] data:[b'2.1.5']

num:[zxsq-anti-bbcode-0x05] data:[b'apple']

num:[zxsq-anti-bbcode-0x06] data:[b'iPhone13,1']

num:[zxsq-anti-bbcode-0x0a] data:[b'375x812']

num:[zxsq-anti-bbcode-0x0c] data:[b'19A346']

num:[zxsq-anti-bbcode-0x0d] data:[b'15.0']

num:[zxsq-anti-bbcode-0x12] data:[b'\xe4\xb8\xad\xe5\x9b\xbd\xe7\xa7\xbb\xe5\x8a\xa8']

num:[zxsq-anti-bbcode-0x14] data:[b',46002']

num:[zxsq-anti-bbcode-0x24] data:[b'0852D226-E454-44DD-A3C2-5797E8DA7979']

num:[zxsq-anti-bbcode-0x25] data:[b'none']

num:[zxsq-anti-bbcode-0x26] data:[b'57156ED654C6E9FE41DC0D5DBEE2EB18']

num:[zxsq-anti-bbcode-0x64] data:[b'|']

num:[zxsq-anti-bbcode-0x0b] data:[b'Darwin Kernel Version 21.0.0: Sun Aug 15 20:55:58 PDT 2021; root:xnu-8019.12.5~1/RELEASE_ARM64_T8101']

num:[zxsq-anti-bbcode-0x1d] data:[b',fd8d:d307:fcd9:d273:1821:4efe:5d02:b134']

num:[zxsq-anti-bbcode-0x1e] data:[b'192.168.2.1']

num:[zxsq-anti-bbcode-0x27] data:[b'AC0A2433-92DB-4296-82661-F7D2E047C3a']

num:[zxsq-anti-bbcode-0x2e] data:[b'10.42.23.8,fe80::ec8e:52ff:feb4:6ac7']

num:[zxsq-anti-bbcode-0x31] data:[b'/private/var/containers/Bundle/Application/C2D127FB-54E5-436E-BD56-468DDEBE8CD6/SNKRS.app/SNKRS']

num:[zxsq-anti-bbcode-0x33] data:[b'403373.19.420688398']

num:[zxsq-anti-bbcode-0x34] data:[b'31ffddade56c6ab0277263c2eb55dda3']

num:[zxsq-anti-bbcode-0x35] data:[b'1ffabaa42b305297f1c5421a3d89b8c6']

num:[zxsq-anti-bbcode-0x39] data:[b'1198000']

num:[zxsq-anti-bbcode-0x3b] data:[b'zh-Hans-CN|en-CN']

num:[zxsq-anti-bbcode-0x3c] data:[b'ARM64']

num:[zxsq-anti-bbcode-0x6d] data:[b'0']

num:[zxsq-anti-bbcode-0x6e] data:[b'0']

num:[zxsq-anti-bbcode-0x70] data:[b'0']

num:[zxsq-anti-bbcode-0x71] data:[b'0']

num:[zxsq-anti-bbcode-0x72] data:[b'TMPDIR=/private/var/mobile/Containers/Data/Application/B62336DD-18D6-4A17-9FE1-A38B36525045/tmp/|']

num:[zxsq-anti-bbcode-0xc9] data:[b'42|42']

数据有一部分进行了加密或者脱密处理,使我们不能直接看到原始信息

但是在分析过程中,SDK获取的信息基本为:

环境检测

动态库检测

调试检测

hook检测

越狱文件检测

/Applications/Cydia.app

/Library/MobileSubstrate/MobileSubstrate.dylib

/bin/bash

/usr/sbin/sshd

/etc/apt

/usr/bin/cycript

/usr/bin/gdbhd

dladdr检测列表

x0 = 0x00000001a42cefa0  libsystem_c.dylib`sysctl



x0 = 0x00000001a42dd990  libsystem_c.dylib`fopen



x0 = 0x00000001a42f7c08  libsystem_c.dylib`getenv



x0 = 0x00000001a44ad760  libsystem_kernel.dylib`stat



x0 = 0x00000001a44b9608  libdyld.dylib`_dyld_get_image_name



x0 = 0x00000001a44b9710  libdyld.dylib`dladdr



x0 = 0x00000001a4597598  CoreFoundation`-[NSArray containsObject:]



x0 = 0x00000001a459ceb8  CoreFoundation`+[NSLocale preferredLanguages]



x0 = 0x00000001a45b1a74  CoreFoundation`+[NSLocale currentLocale]



x0 = 0x00000001a45b9600  CoreFoundation`+[NSTimeZone localTimeZone]



x0 = 0x00000001a495b73c  SystemConfiguration`CNCopyCurrentNetworkInfo



x0 = 0x00000001a4979a84  Foundation`+[NSBundle mainBundle]



x0 = 0x00000001a497d624  Foundation`+[NSProcessInfo processInfo]



x0 = 0x00000001a497e030  Foundation`-[NSBundle bundleIdentifier]



x0 = 0x00000001a4980f90  Foundation`-[NSString rangeOfString:]



x0 = 0x00000001a498690c  Foundation`-[NSFileManager fileExistsAtPath:]



x0 = 0x00000001a4996978  Foundation`-[NSString initWithUTF8String:]



x0 = 0x00000001a49a1db0  Foundation`+[NSDictionary(NSDictionary) dictionaryWithContentsOfFile:]



x0 = 0x00000001a49b69e4  Foundation`-[NSFileManager attributesOfFileSystemForPath:error:]



x0 = 0x00000001a49b6c6c  Foundation`-[NSFileManager contentsOfDirectoryAtPath:error:]



x0 = 0x00000001a49b7124  Foundation`-[NSFileManager attributesOfItemAtPath:error:]



x0 = 0x00000001a49ff65c  Foundation`-[NSBundle executablePath]



x0 = 0x00000001a79082cc  CFNetwork`CFNetworkCopySystemProxySettings



x0 = 0x00000001a83d8194  UIKitCore`-[UIDevice name]



x0 = 0x00000001a83d81f0  UIKitCore`-[UIDevice model]



x0 = 0x00000001a83d83b0  UIKitCore`-[UIDevice systemVersion]



x0 = 0x00000001a83d8468  UIKitCore`-[UIDevice identifierForVendor]



x0 = 0x00000001a83d8cac  UIKitCore`-[UIDevice batteryState]



x0 = 0x00000001a83d8cb8  UIKitCore`-[UIDevice batteryLevel]



x0 = 0x00000001a83e4198  UIKitCore`-[UIScreen brightness]



x0 = 0x00000001a8eaab3c  CoreTelephony`-[CTCarrier carrierName]



x0 = 0x00000001a8eaab4c  CoreTelephony`-[CTCarrier mobileCountryCode]



x0 = 0x00000001a8eaab5c  CoreTelephony`-[CTCarrier mobileNetworkCode]



x0 = 0x00000001a8eaab6c  CoreTelephony`-[CTCarrier isoCountryCode]



x0 = 0x00000001a8eade3c  CoreTelephony`-[CTTelephonyNetworkInfo currentRadioAccessTechnology]



x0 = 0x00000001a8eae2c4  CoreTelephony`-[CTTelephonyNetworkInfo subscriberCellularProvider]



x0 = 0x00000001bd6b5cc4  AdSupport`-[ASIdentifierManager isAdvertisingTrackingEnabled]



x0 = 0x00000001bd6b5d28  AdSupport`-[ASIdentifierManager advertisingIdentifier]

三.总结

时间过去的有点久,很多入口函数忘记在哪里了,从技术角度来讲确实逆向的难度比较大,主要是掺杂了大量的自定义算法,比如在拼接设备信息之后,按照字节的补位数一共有16种加密算法,还有魔改的sha256,hash算法,大部分时间都花在还原这一部分算法上面了.整体难度很大