作为一项练习,我正在研究在android移动应用程序二进制文件中隐藏秘密的所有方法...是的,我知道,通过或多或少的努力,它们总是可以通过静态分析,运行时来提取。内省或遭受MITM攻击。
在隐藏秘密的研究中,我发现Android的最佳方法是使用JNI / NDK,直到现在我还找不到反向工程的方法。
注意:我了解逆向工程师的高级概念,但是我没有任何经验。
我的尝试
$ strings -aw lib/x86/libnative-lib.so | grep -C 1 -irn 'the-secret-api-key-goes-here' -
932-[^_]
933:the-secret-api-key-goes-here
934-cannot allocate __cxa_eh_globals
所以我在二进制文件中找到了API密钥,因为我知道它,但是我希望能够找到它通过搜索变量可以将其与以下内容关联:
$ strings -aw lib/x86/libnative-lib.so | grep -C 1 -irn 'JNI_API_KEY' -
$
或
$ strings -aw lib/x86/libnative-lib.so | grep -C 1 -irn 'SECRETS_API_KEY' -
$
都没有返回任何结果...我也尝试使用
hexdump
和objdump
,但没有成功!!! 我也尝试了q431207 9q和
radare2
,但是我的知识不足可能无法帮助我找到要访问的API密钥。作为最后一次尝试,我用MobSF反编译了二进制文件,并搜索了smali代码来查找
retdec
, JNI_API_KEY
和SECRETS_API_KEY
没有成功。此时,我不想求助于Frida或xPosed来获得运行时逆向工程技术或MITM攻击方法...
因此,现在我只想知道是否可以使用其他二进制或反编译技术来查找API密钥?
注意:寻找开源工具,而不是商业用途
代码
我用来在Android应用程序中使用JNI和NDK隐藏API密钥的代码如下...
文件:native-lib.cpp
#include <jni.h>
#include <string>
#include "api_key.h"
extern "C" JNIEXPORT jstring JNICALL
Java_com_example_secrets_MainActivity_stringFromJNI(
JNIEnv *env,
jobject /* this */) {
// To add the API_KEY to the mobile app when is compiled you need to:
// * copy `api_key.h.example` to `api_key.h`
// * edit the file and replace this text `place-the-api-key-here` with your desired API_KEY
std::string JNI_API_KEY = SECRETS_API_KEY;
return env->NewStringUTF(JNI_API_KEY.c_str());
}
文件:api_key.h
#ifndef SECRETS_API_KEY
#define SECRETS_API_KEY "the-secret-api-key-goes-here"
#endif / SECRETS_API_KEY
文件:CMakeLists.txt
# For more information about using CMake with Android Studio, read the
# documentation: https://d.android.com/studio/projects/add-native-code.html
# Sets the minimum version of CMake required to build the native library.
cmake_minimum_required(VERSION 3.4.1)
# Creates and names a library, sets it as either STATIC
# orJNI_API_KEY SHARED, and provides the relative paths to its source code.
# You can define multiple libraries, and CMake builds them for you.
# Gradle automatically packages shared libraries with your APK.
add_library( # Sets the name of the library.
native-lib
# Sets the library as a shared library.
SHARED
# Provides a relative path to your source file(s).
native-lib.cpp)
# Searches for a specified prebuilt library and stores the path as a
# variable. Because CMake includes system libraries in the search path by
# default, you only need to specify the name of the public NDK library
# you want to add. CMake verifies that the library exists before
# completing its build.
find_library( # Sets the name of the path variable.
log-lib
# Specifies the name of the NDK library that
# you want CMake to locate.
log)
# Specifies libraries CMake should link to your target library. You
# can link multiple libraries, such as libraries you define in this
# build script, prebuilt third-party libraries, or system libraries.
target_link_libraries( # Specifies the target library.
native-lib
# Links the target library to the log library
# included in the NDK.
${log-lib})
#1 楼
如果API密钥是字符串,则仅运行strings
就可以像在示例中一样不显示grep
。可能还有其他一些字符串,但较长的字符串似乎很突出,因此应该清楚地看到这是有意义的。有了该API密钥,我可能会去使用常规的反汇编程序工具来查看在何处以及如何使用它。 您无法按变量名搜索,因为变量名未保存在二进制(.so)中,而APK可能有些不同。
评论
问题是在.so中搜索有意义的字符串...在我的情况下很容易找到,因为我知道我要查找的字符串...不知道.so二进制文件没有保留变量名,很高兴知道;)
– Exadra37
19-2-10在11:06