Analysis and Research on xiaohongshu reverse shield algorithm

Posted by scoman on Sat, 19 Feb 2022 03:25:14 +0100

Encryption function location

The new Xiaohongshu build no longer ships a dedicated shield .so, so first use a Frida native hook to see where the shield logic now lives.

Yang's open-source project: https://github.com/lasting-ya...
The log points to libxyass.so. Note that this .so is encrypted and needs to be repaired before it can be read.

dump libxyass.so
The article referenced above uses IDA plus dynamic debugging to repair it. However, I can only use the dump script written by the boss to repair it.

Yang's open-source dump script: https://github.com/lasting-ya...
Run python3 dump_so.py libxyass.so; after the repair most of the logic is visible.

unidbg
Longge's unidbg script can be copied and adapted to the .so from the current APK.

Pick any API endpoint to verify against; the results match.

Algorithm restore
Refer to Longge's article: https://blog.csdn.net/qq_3885...
The shield algorithm is AES + HMAC-MD5 + RC4. AES and MD5 carry custom ("magic") modifications, while HMAC and RC4 are standard. Let's compare it with the previous version of the algorithm step by step to see what changed.

String traceFile = "";
PrintStream traceStream = null;
try {
    // open the trace output file; every executed instruction is written here
    traceStream = new PrintStream(new FileOutputStream(traceFile), true);
} catch (FileNotFoundException e) {
    e.printStackTrace();
}
// trace the whole libxyass.so image and redirect the output to the file
emulator.traceCode(module.base, module.base + module.size).setRedirect(traceStream);
First, use unidbg's traceCode to save every executed instruction to a file.

aes algorithm
The HMAC key is produced by AES-decrypting hm_id; the result is used as the HMAC-MD5 key. The HMAC algorithm first XORs the key with 0x36 (inner pad) and 0x5C (outer pad).

Search the trace log globally for the keyword 0x36 and find the eor (XOR) instruction.

Jump to that address in IDA. The logic here looks similar to the old version 6.87.

Check the assembly instructions: r2 here is the key. Either hooking or tracing at this point works.

// start == end: trace only the single instruction at offset 0x2D4A0
emulator.traceCode(module.base + 0x2D4A0, module.base + 0x2D4A0).setRedirect(traceStream);
Here the blogger uses trace mode on a single instruction instead of a hook.

Check the trace log; all of the AES decryption results are shown there.

Compared with the Python reimplementation the result is identical, so the AES algorithm has not changed in the new version.

hmac-md5 algorithm

Similarly, first search the trace log for the MD5 algorithm constants.

Jump to it in IDA and locate the MD5 transform function directly.

public void inlineHookMd5Result() {

    // Each hook fires on one instruction just after one of the four MD5 state
    // words (a, b, c, d) has been computed and prints the register holding it.
    // Offsets are relative to the libxyass.so base.

    // state word a: left in LR at 0x2E082
    emulator.getBackend().hook_add_new(new CodeHook() {
        @Override
        public void onAttach(UnHook unHook) {
        }

        @Override
        public void detach() {
        }

        @Override
        public void hook(Backend backend, long address, int size, Object user) {
            if (address == (module.base + 0x2E082)) {
                Arm32RegisterContext ctx = emulator.getContext();
                long lr = ctx.getLR();

                System.out.println("md5 update a result: 0x" + Long.toHexString(lr));
            }
        }
    }, module.base + 0x2E082, module.base + 0x2E082, null);

    // state word b: in r2 at 0x2E09C
    emulator.getBackend().hook_add_new(new CodeHook() {
        @Override
        public void onAttach(UnHook unHook) {
        }

        @Override
        public void detach() {
        }

        @Override
        public void hook(Backend backend, long address, int size, Object user) {
            if (address == (module.base + 0x2E09C)) {
                Arm32RegisterContext ctx = emulator.getContext();
                long r2 = ctx.getR2Long();

                System.out.println("md5 update b result: 0x" + Long.toHexString(r2));
            }
        }
    }, module.base + 0x2E09C, module.base + 0x2E09C, null);

    // state word c: in r3 at 0x2E0A4
    emulator.getBackend().hook_add_new(new CodeHook() {
        @Override
        public void onAttach(UnHook unHook) {
        }

        @Override
        public void detach() {
        }

        @Override
        public void hook(Backend backend, long address, int size, Object user) {
            if (address == (module.base + 0x2E0A4)) {
                Arm32RegisterContext ctx = emulator.getContext();
                long r3 = ctx.getR3Long();

                System.out.println("md5 update c result: 0x" + Long.toHexString(r3));
            }
        }
    }, module.base + 0x2E0A4, module.base + 0x2E0A4, null);

    // state word d: in r7 at 0x2E0AA
    emulator.getBackend().hook_add_new(new CodeHook() {
        @Override
        public void onAttach(UnHook unHook) {
        }

        @Override
        public void detach() {
        }

        @Override
        public void hook(Backend backend, long address, int size, Object user) {
            if (address == (module.base + 0x2E0AA)) {
                Arm32RegisterContext ctx = emulator.getContext();
                long r7 = ctx.getR7Long();

                System.out.println("md5 update d result: 0x" + Long.toHexString(r7));
            }
        }
    }, module.base + 0x2E0AA, module.base + 0x2E0AA, null);

}
Hook these four points first, then compare the state words a, b, c and d in turn.

The Python result differs from the unidbg result, so the new MD5 algorithm appears to have been modified.

The exact changes have to be traced step by step; that process is not described here. In the end, it is the constant table T (the table derived from the sine function) that has been modified.
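As an added example (not code from this post or from the projects it links), here is a Python MD5 whose T table is passed in as a parameter, with RFC 2104 HMAC-MD5 built on top of it, so that a restored table can be dropped in and the resulting a/b/c/d state words compared with what the unidbg hooks print. MOD_T is a constructed placeholder standing in for the app's modified table, which this post does not list.

```python
import hashlib, hmac, math, struct

MASK = 0xFFFFFFFF
# Standard MD5 sine table: T[i] = floor(2^32 * |sin(i + 1)|), per RFC 1321.
STD_T = [int(abs(math.sin(i + 1)) * (1 << 32)) & MASK for i in range(64)]
# Constructed placeholder for a "magic modified" table (NOT the app's real table).
MOD_T = STD_T[1:] + STD_T[:1]
SHIFTS = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md5_transform(state, block, T):
    """One 64-byte compression step; the returned (a, b, c, d) are the words the hooks dump."""
    a, b, c, d = state
    M = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | (~d & MASK)), (7 * i) % 16
        f = (f + a + T[i] + M[g]) & MASK
        a, d, c, b = d, c, b, (b + _rotl(f, SHIFTS[i])) & MASK
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d)))

def md5(data, T=STD_T):
    """MD5 over bytes; pass a restored T to reproduce a modified variant."""
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(padded), 64):
        state = md5_transform(state, padded[off:off + 64], T)
    return struct.pack("<4I", *state)

def hmac_md5(key, msg, T=STD_T):
    """HMAC: key XOR 0x36 (ipad) and 0x5C (opad), the constants searched for in the trace."""
    if len(key) > 64:
        key = md5(key, T)
    key = key.ljust(64, b"\x00")
    inner = md5(bytes(k ^ 0x36 for k in key) + msg, T)
    return md5(bytes(k ^ 0x5C for k in key) + inner, T)

def self_check(data=b"abc", key=b"key"):
    """Cross-check the standard-table variant against Python's own hashlib/hmac."""
    return (md5(data) == hashlib.md5(data).digest()
            and hmac_md5(key, data) == hmac.new(key, data, hashlib.md5).digest())
```

With STD_T the output matches hashlib; swapping in MOD_T changes every digest, which is exactly the kind of mismatch the a/b/c/d hooks expose against the Python reimplementation.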
