March 8 is a lovely holiday for women, and the company's generous benefits (Anluo Technology) let our female colleagues start enjoying it early. One low-key expert at the company, however, "suffered a lot": he received an SMS sent from a fake base station.
Low-key experts are not to be trifled with. He decided to trace the message back to its source. What follows is his analysis.
After a good deal of testing, the site turned out to be a fake 10086 points website. That is an old routine, so it is not repeated here. What was new is that a freshly modified Android SMS-intercepting Trojan was captured. Earlier interception Trojans generally did not encrypt the account and password in their source code, so the receiving mailbox, password and so on were easy to find, as in the picture below:
Clearly the Trojan author favoured 163 mobile mail as the receiving mailbox in the old version. It seems that web login for such accounts is not available, and only the client can send and receive.
Now let's look at the newly modified Trojan.
As the figure above shows, this APK was probably put on the website on March 7. The date may not be exact, but judging from the state of the website it should not be far off.
Structurally, the captured APK does not differ much from the earlier interception Trojans, which suggests the same gang or the same upstream supplier. Perhaps the earlier Trojans were being caught too often: there are many cases on the wooyun website, and they basically belong to the same type of APK. In this one, however, the mailbox information and mobile phone number are obviously encrypted.
From the look of the encrypted strings, the encryption is probably DES. This kind of encryption is symmetric, and the mode should also be present in the code, so once the encryption class and the key are found, the encrypted strings can be recovered.
But the obfuscated code was enough to leave one speechless, and I do not know Java. At first I went through the functions one by one and found a "123456" in the DES encryption/decryption class. I quietly rejoiced, thinking I had found the key. After some attempts, that key could not restore the encrypted strings at all, so I had to keep looking for another way.
I then went back to the key class that holds the mailbox account password to look for another way in. In one method of this class, key-value pairs are written to a configuration file through Android's SharedPreferences. It seems the Trojan writes the receiving phone number, mailbox account, account password and other information into that configuration file.
After installing the APK, the plaintext phone number, mailbox account, password and other data were indeed found under /data/data/tanglang.yushing.cloud (the APK package name)/shared_prefs/configurations_data.
Friendly tip: do not casually install unknown APKs on a rooted phone, and if you do install one, grant permissions carefully. After all, there is no guarantee that an unknown program can be uninstalled completely.
That route takes too long, and installing the APK is not safe. I am also somewhat obsessive: I cannot sleep without understanding those strings, so I still wanted a way to recover the plaintext directly.
Enter JEB, the tool of choice, which supports tracing and analysis. This was also my first time using it, and it took me quite a while to work out the following approach.
Look at the smali code and use cross-references to find which classes call this DES class. Only one class calls it, which strongly suggests that the key-related information is in that class, most likely in the surrounding context.
Then jump to that class. If there is no object, just new one (O(∩∩)o). We can be sure this is the place, because this is the only spot where a string is passed as a parameter. With it, the plaintext can be computed from the ciphertext.
I do not know Java, so I simply wrote a decryption class. The result is shown below:
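As an added illustration of the decryption step above (and of why the "123456" literal found in the DES class could not restore the strings), here is a small Java utility, not the author's class or the Trojan's code. It assumes DES/ECB with PKCS5 padding and Base64-encoded ciphertext; the key, the decoy key and the sample string are all constructed placeholders.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class DesConfigDecryptor {
    // Assumed transformation; in a real case read mode and padding from the APK's DES class.
    private static final String TRANSFORM = "DES/ECB/PKCS5Padding";

    static SecretKey toKey(String key) throws Exception {
        // DESKeySpec needs at least 8 bytes and uses the first 8 as the DES key
        byte[] raw = key.getBytes(StandardCharsets.UTF_8);
        return SecretKeyFactory.getInstance("DES").generateSecret(new DESKeySpec(raw));
    }

    // Used only to build the constructed sample ciphertext below
    static String encrypt(String plain, String key) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, toKey(key));
        return Base64.getEncoder().encodeToString(c.doFinal(plain.getBytes(StandardCharsets.UTF_8)));
    }

    // Returns the plaintext, or null when decryption fails (a wrong key almost always breaks PKCS5 padding)
    static String tryDecrypt(String b64Cipher, String key) {
        try {
            Cipher c = Cipher.getInstance(TRANSFORM);
            c.init(Cipher.DECRYPT_MODE, toKey(key));
            return new String(c.doFinal(Base64.getDecoder().decode(b64Cipher)), StandardCharsets.UTF_8);
        } catch (Exception e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for the encrypted mailbox string pulled from the APK
        String realKey = "demo_key";   // placeholder for the key found in the single calling class
        String cipherText = encrypt("mail=collector@example.com", realKey);

        // First the "123456"-style decoy seen in the DES class itself, then the real key
        for (String candidate : new String[] {"12345678", realKey}) {
            String plain = tryDecrypt(cipherText, candidate);
            System.out.println(candidate + " -> " + (plain == null ? "wrong key" : plain));
        }
    }
}
```

Run it with the real ciphertext and the string found through JEB's cross-references in place of the placeholders; a null result means the key or the assumed mode/padding is wrong.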
Next, the mailbox server information is needed. I am not sure whether 163 mail requires real-name registration; in any case, this APK turned out to use Tencent enterprise mail. The mailbox server information is as follows:
Finally comes verification: only if the information above logs in to the mailbox successfully can the analysis be called a result. The two messages shown in the figure below were forged by me.
For convenience in the future, I also compiled a dedicated jar: feed it an encrypted string and it decrypts it directly.
Last but not least: try not to download software from unknown sources. If you do download it, do not install it casually, and if you do install it, do not hand out permissions freely.
This analysis is fairly rough. If anything is wrong, or if there is a better approach, I would be grateful for corrections from the experts in the community. Thank you!
(Original by Shenzhen Anluo Technology; please indicate the source when reprinting.)