
Unpacking with Frida and IDA

2022-05-15 07:50:27  Irteam - Industrial Safety

Hands-on unpacking of a 360-reinforced (360加固) APK


1、 Recently I have been hunting for vulnerabilities in industrial control equipment. While testing one application, the request parameters turned out to be encrypted or signed, and any modification of the request data produced an exception, so vulnerability mining could not proceed effectively. This post records the unpacking method used recently, so that the application can be reverse-engineered and decompiled.

2、 Checking the packer, together with the analysis above, shows that the APK is protected with 360 reinforcement. Because it is packed, the source code cannot be recovered by decompiling it with conventional tools.

3、 Configure the environment and start the frida service (frida-server running as root on the device).

4、 Port forwarding (only needed when connecting to frida-server over TCP with -R or -H rather than over USB with -U).

5、 Relevant command-line options (as printed by the Frida tools' --help):

    --version                                    show program's version number and exit
    -h, --help                                   show this help message and exit
    -D ID, --device=ID                           connect to device with the given ID
    -U, --usb                                    connect to USB device
    -R, --remote                                 connect to remote frida-server
    -H HOST, --host=HOST                         connect to remote frida-server on HOST
    -f FILE, --file=FILE                         spawn FILE
    -n NAME, --attach-name=NAME                  attach to NAME
    -p PID, --attach-pid=PID                     attach to PID
    --debug                                      enable the Node.js compatible script debugger
    --disable-jit                                disable JIT
    -I MODULE, --include-module=MODULE           include MODULE
    -X MODULE, --exclude-module=MODULE           exclude MODULE
    -i FUNCTION, --include=FUNCTION              include FUNCTION
    -x FUNCTION, --exclude=FUNCTION              exclude FUNCTION
    -a MODULE!OFFSET, --add=MODULE!OFFSET        add MODULE!OFFSET
    -T, --include-imports                        include program's imports
    -t MODULE, --include-module-imports=MODULE   include MODULE imports
    -m OBJC_METHOD, --include-objc-method=OBJC_METHOD   include OBJC_METHOD

6、 Pull libart.so off the device and reverse it in IDA to find the mangled export name of art::DexFile::OpenMemory. The name used below is the one found for this device's libart.so; it changes between Android versions and ABIs (the "j", unsigned int, standing in for size_t marks a 32-bit build), so look it up in IDA rather than copying it. The hook script:

    // Hook art::DexFile::OpenMemory in libart.so. The mangled name is the one found in IDA
    // for this device's libart.so; it differs between Android versions and ABIs.
    var openMemory = Module.findExportByName("libart.so",
        "_ZN3art7DexFile10OpenMemoryEPKhjRKNSt3__112basic_stringIcNS3_11char_traitsIcEENS3_9allocatorIcEEEEjPNS_6MemMapEPKNS_10OatDexFileEPS9_");
    if (openMemory === null) {
        // Interceptor.attach(null) would throw a less helpful error.
        throw new Error("OpenMemory export not found in libart.so; check the mangled name in IDA");
    }

    Interceptor.attach(openMemory, {
        onEnter: function (args) {
            // OpenMemory returns a std::unique_ptr, so on 32-bit ARM args[0] is the hidden
            // return-value slot and the dex base pointer is the second argument.
            var begin = args[1];

            // The first 8 bytes of a dex file are the magic, e.g. "dex\n035\0".
            console.log("magic : " + begin.readUtf8String());

            // The dex header stores file_size as a 32-bit little-endian value at offset 0x20.
            var dex_size = begin.add(0x20).readU32();
            console.log("dex_size :" + dex_size);

            // Write the in-memory dex into the app's private data directory, named by its size.
            var packageName = "com.********";
            var file = new File("/data/data/" + packageName + "/" + dex_size + ".dex", "wb");
            file.write(begin.readByteArray(dex_size));
            file.flush();
            file.close();
        },
        onLeave: function (retval) {
            // retval is the hidden return slot; nothing further is needed for the dump.
        }
    });

7、 With the script in place, the unpacking run proceeds as follows (shown in the original's screenshots).

8、 The dumped dex file can be seen below (shown in the original's screenshot).
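The same dump done end to end from the host, as an added example that is not the post's own script: a Python harness using the Frida Python bindings, with a minimal JavaScript agent that sends each dex that OpenMemory opens back to the host, where the header and Adler-32 checksum are validated before the file is written. It assumes a rooted device with frida-server already running and reachable over USB, the package name given on the command line, and the mangled OpenMemory export name looked up in IDA as in step 6. The agent reads the base from args[1] and the size from args[2] because, on 32-bit ARM, the std::unique_ptr return slot occupies args[0]. parse_dex_header and build_test_dex are helpers written for this example; the header-only dex that build_test_dex constructs is test data, not anything from the page.

```python
"""
Host-side dex dump harness for Frida (added example, not the original post's script).

Assumptions not stated on the page:
  - frida-server is running as root on a device reachable over USB;
  - the target package and the mangled OpenMemory export name are given on the command line.
The agent sends dex bytes to the host instead of writing into /data/data, and the host
validates the header and checksum before saving, so truncated or patched dumps are visible.
"""
import struct
import sys
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

# Frida agent run inside the app. __SYMBOL__ is replaced with the export name found in IDA.
# On 32-bit ARM the unique_ptr return slot is args[0], so base is args[1] and size is args[2].
AGENT_JS = r"""
var sym = "__SYMBOL__";
var target = Module.findExportByName("libart.so", sym);
if (target === null) {
    throw new Error("export not found in libart.so: " + sym);
}
Interceptor.attach(target, {
    onEnter: function (args) {
        var base = args[1];
        var size = args[2].toUInt32();
        send({ type: "dex", size: size }, base.readByteArray(size));
    }
});
"""


def parse_dex_header(buf):
    """Parse and sanity-check a dex header; returns a dict, raises ValueError if malformed."""
    if len(buf) < DEX_HEADER_SIZE:
        raise ValueError("buffer shorter than a dex header (%d bytes)" % len(buf))
    magic = buf[0:8]
    if magic[0:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad dex magic: %r" % magic)
    version = magic[4:7].decode("ascii")
    checksum, = struct.unpack_from("<I", buf, 8)
    # file_size, header_size and endian_tag sit at 0x20, 0x24 and 0x28 in the header.
    file_size, header_size, endian_tag = struct.unpack_from("<III", buf, 0x20)
    if header_size != DEX_HEADER_SIZE:
        raise ValueError("unexpected header_size 0x%x" % header_size)
    if endian_tag != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian_tag 0x%x" % endian_tag)
    # The dex checksum is Adler-32 over everything after the checksum field (offset 12).
    # A mismatch usually means a truncated dump or a header the packer left patched.
    complete = len(buf) >= file_size
    checksum_ok = complete and (zlib.adler32(buf[12:file_size]) & 0xFFFFFFFF) == checksum
    return {
        "version": version,
        "file_size": file_size,
        "checksum": checksum,
        "complete": complete,
        "checksum_ok": checksum_ok,
    }


def build_test_dex():
    """Constructed sample: a header-only dex with a valid checksum, for offline testing."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", hdr, 0x20, DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    return bytes(hdr)


def on_message(message, data):
    """Validate each dumped dex and save it, named by size like the post's script."""
    if message.get("type") != "send" or message["payload"].get("type") != "dex":
        print(message)
        return
    try:
        info = parse_dex_header(data)
    except ValueError as exc:
        print("dropping dump: %s" % exc)
        return
    name = "%d.dex" % info["file_size"]
    with open(name, "wb") as fh:
        fh.write(data[:info["file_size"]])
    print("wrote %s (version %s, checksum %s)" % (
        name, info["version"], "ok" if info["checksum_ok"] else "MISMATCH"))


def main(package, symbol):
    import frida  # imported here so the header helpers above work without frida installed
    device = frida.get_usb_device()
    pid = device.spawn([package])      # spawn rather than attach so early dex loads are caught
    session = device.attach(pid)
    script = session.create_script(AGENT_JS.replace("__SYMBOL__", symbol))
    script.on("message", on_message)
    script.load()
    device.resume(pid)
    sys.stdin.read()                   # keep the session alive until Ctrl-D / Ctrl-C


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: dump_dex.py <package> <mangled OpenMemory symbol>")
    main(sys.argv[1], sys.argv[2])
```

Run it as python dump_dex.py <package> <symbol>. A checksum mismatch on a dump is the first sign that the dump was truncated or that the packer patched the header, which is why the size read from the header is cross-checked against the bytes actually received before the file is written.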

Copyright notice
Author: Irteam - Industrial Safety. Please include the original link when reprinting, thank you.
https://en.chowdera.com/2022/131/202205102047501316.html
