抖音参数加签算法

layout: post
title: 抖音参数加签算法 date: 2019-02-28 categories: tech —

IOS debugserver with IDA

http://wiki.hawkguide.com/wiki/IOS_debugserver_with_IDA

Setup Scripts To Auto do ASLR

#!/usr/bin/python
#coding:utf-8

import lldb
import commands
import optparse
import shlex
import re


# 获取ASLR偏移地址
def get_ASLR():
    # 获取'image list -o'命令的返回结果
    interpreter = lldb.debugger.GetCommandInterpreter()
    returnObject = lldb.SBCommandReturnObject()
    interpreter.HandleCommand('image list -o', returnObject)
    output = returnObject.GetOutput();
    # 正则匹配出第一个0x开头的16进制地址
    match = re.match(r'.+(0x[0-9a-fA-F]+)', output)
    if match:
        return match.group(1)
    else:
        return None

# Super breakpoint
def sbr(debugger, command, result, internal_dict):

    #用户是否输入了地址参数
    if not command:
        print >>result, 'Please input the address!'
        return

    ASLR = get_ASLR()
    if ASLR:
        #如果找到了ASLR偏移,就设置断点
        debugger.HandleCommand('br set -a "%s+%s"' % (ASLR, command))
    else:
        print >>result, 'ASLR not found!'

def readReg(debugger, register, result, internal_dict):
    interpreter = lldb.debugger.GetCommandInterpreter()
    returnObject = lldb.SBCommandReturnObject()
    debugger.HandleCommand('register read ' + register, returnObject)
    output = returnObject.GetOutput()
    match = re.match(' = 0x(.*)', output)
    if match:
        print match.group(1)
    else:
        print "error: " + output

def readMem(debugger, address, result, internal_dict):
    debugger.HandleCommand('memory read --size 4 --format x --count 32 ' + address)
    
def connLocal(debugger, address, result, internal_dict):
    debugger.HandleCommand('platform select remote-ios')
    debugger.HandleCommand('process connect connect://localhost:2008')

# And the initialization code to add your commands 
def __lldb_init_module(debugger, internal_dict):
    # 'command script add sbr' : 给lldb增加一个'sbr'命令
    # '-f sbr.sbr' : 该命令调用了sbr文件的sbr函数
    debugger.HandleCommand('command script add sbr -f sbr.sbr')
    debugger.HandleCommand('command script add readReg -f sbr.readReg')
    debugger.HandleCommand('command script add connLocal -f sbr.connLocal')
    debugger.HandleCommand('command script add readMem -f sbr.readMem')
    print 'The "sbr" python command has been installed and is ready for use.'

Objective-C Fast Enumeration 的实现原理

http://blog.leichunfeng.com/blog/2016/06/20/objective-c-fast-enumeration-implementation-principle/

IDA调试技巧

https://www.jianshu.com/p/c0afd9186610

Find_equal 出从何处

https://opensource.apple.com/source/libcpp/libcpp-19/include/__tree.auto.html

 { 
        unsigned long sub_func = (_dyld_get_image_vmaddr_slide(0) + 0x101DA0CB4) ;
         NSLog(@"hook sub: founded: %p",sub_func);
         MSHookFunction((void)sub_func , (void)&sub_101DA0CB4_1,(void**)&sub_101DA0CB4_0);
  }

ARM Neon 指令 解释

https://zhuanlan.zhihu.com/p/27334213

http://shell-storm.org/armv8-a/ISA_v84A_A64_xml_00bet7/xhtml/ushll_advsimd.html

Deobfuscation: recovering an OLLVM-protected program

Sign extension and Zero extension in vmivl

https://en.wikipedia.org/wiki/Sign_extension

https://blog.csdn.net/lohiaufung/article/details/49205981

大端字节序:高位字节在前,低位字节在后,这是人类读写数值的方法

而一般ARM CPU也是Little-Endian

##

网络传输一般采用大端序,也被称之为

网络字节序

,或

网络序

IP

协议中定义大端序为网络字节序。

vmovl_high_s16

参数的意思为 high 将目标分为两半,只取目标为高位部分

S16 s: 符号扩展sign extension 16: 16bit to 32 bit

U8 u: zero extension , 8 :一个元素的位数. ,这里意思是把8位扩展到16位

IDA小技巧

左边窗口开一个IDA View 右边开一个Pseudocode点右键同步。

鼠标在伪代码里点到哪一行,左边就可以同步跳到哪一行了.

as 参数的逆向已经完成,接下来as生成mas的函数

抖音在mas函数使用了ollvm的Control Flow Flattening控制流平展模式和Bogus Control Flow控制流伪造模式进行混淆。

Obfuscator-LLVM在iOS中的实践

Deobfuscation: recovering an OLLVM-protected program

MIASM工程

Reverse engineering framework in Python

RE Tools

LLDB 调试,怎么在触发条件断点后添加事件并自动继续运行程序

比如断点触发后,需要打印x0的值

breakpoint modify –condition The breakpoint stops only if this condition expression evaluates to true.

breakpoint modify –auto-continue 1 设置自动继续

https://stackoverflow.com/questions/16345261/how-do-you-add-breakpoint-actions-via-the-lldb-command-line

(lldb) br com add 1
Enter your debugger command(s).  Type 'DONE' to end.
> p i
> bt
> DONE

Lldb 在aslr下断点保存到文件,怎样重新加载

使用sbr.py的sbr命令在lldb下断点, 0000000101F1A620为文件地址,就是从ida或hopper直接看到的地址, 把0000000101F1A620记为fAdr_a

(lldb) sbr 0000000101F1A620 
Breakpoint 2: where = Aweme`std::__1::shared_ptr<Assimp::FBX::PropertyTable const> std::__1::shared_ptr<Assimp::FBX::PropertyTable const>::make_shared<Assimp::FBX::Element const&, std::__1::shared_ptr<Assimp::FBX::PropertyTable const>&>(Assimp::FBX::Element const&&&, std::__1::shared_ptr<Assimp::FBX::PropertyTable const>&&&) + 6405816, address = 0x0000000101fb2620

breakpoint write -f br.json

把断点保存到文件中.

[{"Breakpoint" : {"BKPTOptions" : {"AutoContinue" : false,"ConditionText" : "","EnabledState" : true,"IgnoreCount" : 0,"OneShotState" : false},"BKPTResolver" : {"Options" : {"AddressOffset" : 32581600,"ModuleName" : "","Offset" : 0},"Type" : "Address"},"Hardware" : false,"SearchFilter" : {"Options" : {},"Type" : "Unconstrained"}}}]

值32581600记为brJson_a

要自动加载只需要改动br.json 文件中的二个地方

  1. AddressOffset 一项 把原值加上常数C, C与ASLR无关, C只与文件相关,同一个程序的C值相同

C = fAdr_a - brJson_a

这个C值就是section offset

  1. ModuleName一项改为”Aweme”

lldb read breakpoint 的bug ,如果breakpoint下面没有”ConditionText” : ““会报错。需要手动加上.