擊潰360手機衛(wèi)士三大防護

圖/360作為國內(nèi)專業(yè)的安全公司，在安全界的水平是有目共睹的，我們拋開它在經(jīng)營與病毒防治上的一些極端士這款產(chǎn)品其本身的安全性，并將自己研究時的一點小成果拿出來與大家分享。Android手持設(shè)備的私密性注定以，只是對包名的顯示不太友好，自己寫插件的話也行，不過不在討論范圍ApkTool_GUIdex2jar功能，也可以做輔助分析（synthetic類型的方法不生成代碼。編寫與調(diào)試代士，開始360保護功能的艱苦分析之旅吧！Nservicereceiver，短信的攔截就用到了下面這個receiver：<receiver<receiver<intent-filter<intent-filter<intent-filter214748364732位有符號數(shù)的最大值。也就是試圖設(shè)置最高響應(yīng)優(yōu)先級。Android系統(tǒng)會首先同就響應(yīng)最早安裝的程序，而優(yōu)先級是“adbinstall”高于“adbpush后安裝”方式。運行360手機衛(wèi)士，可以看到它啟動了一個進程與五個服務(wù)，服務(wù)名分別為“NetTraficServicesafeGuardMmsServicePowerCtlServiceSafeManageServiceSafeGuardCallService“safeGuardMmsService”的onCreate()方法中又創(chuàng)建了級別最高的動態(tài)廣播接收者。具體分析代碼我下面會講到1．360短信攔截借助了自己優(yōu)先響應(yīng)廣播的優(yōu)勢獲取信息后就中斷了廣播，我們要做的是在它之前先響應(yīng)2APKFramework的簽名文件進行簽名等等。這樣可能會上面第一種思路是分析所得的結(jié)果，思路如下，首先，要知道360是何時注冊的廣播接收者，打開.method.methodpublic.localsif-eqzv0,:cond_0if-eqzv0,:cond_1 #MobileSafeService->ccp->fconst-classv0,#?獲取SafeGuardMmsService類-->>v0=SafeGuardMmsService.class? #?p2為第二個參數(shù)，-->>p2.setClass(參數(shù)1,SafeGuardMmsService.class);?move-resultv0const-stringv1,new-instancev2,const-stringv3,"onReceive::SDKVer="move-result-objectv2move-result-objectv2invoke-virtual{v2},Ljava/lang/StringBuilder;-move-result-object#調(diào)用als->b()，猜測為打logconst/4v1,if-lev0,v1, const-classv1,const-stringv2,"isOrderedBroadcast" const/4v0,0x0check-castv0, move-result-objectv1const/4v0,check-castv0,[Ljava/lang/Object;#0 move-result-objectv0check-castv0,invoke-virtual{v0Ljava/lang/Boolean .catchLjava/lang/Exception;{:try_start_0..:try_end_0}:catch_0move-resultv0if-eqzv0, #?調(diào)用a()方法?goto:goto_0 #catchmove-exceptionconst-stringv1,new-instancev2,const-stringv3,"invokeerror invoke-virtual{v2,v3},Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;move-result-objectv2move-result-objectv0move-result-objectv0move-result-objectv0invoke-static{v1,v0},Lals;-movev0,v4gotomovev0,v4goto #?啟用了SafeGuardMmsService服務(wù)（開啟舒膚佳短信服務(wù)*^_^*）?goto.end自己打開Small看看，另一個是SafeGuardMmsService了，它的onCreate()代碼如下：.methodpublic.localsconst-stringv0,"SafeGuardMmsService"const-stringv1,invoke-static{v0,v1},Lals;->b(Ljava/lang/String;Ljava/lang/String;)V new-instancev0,Lhl;invoke-direct{v0,p0},Lhl;- #getContentResolver（）獲取ContentResolvermove-result-objectconst/4v2,0x1 #獲取短信的CONTENT_URI，后面對它進行監(jiān)視 const/4v0,0x0sput-booleanv0,Lac;-new-instancev0,invoke-direct{v0,v1},Landroid/content/IntentFilter;-><init>(Ljava/lang/String;)Vconstv1,invoke-virtual{v0,v1},Landroid/content/IntentFilter;->setPriority(I)V new-instancev1,Lcom/qihoo360/mobilesafe/receiver/MessageReceiver;invoke-direct{v1},Lcom/qihoo360/mobilesafe/receiver/MessageReceiver;- #?動態(tài)注冊短信廣播接收者?.endMessageReceiver何時收到？服務(wù)何時啟動呢？我沒有再深入了，不過它不是在開機啟動廣播中啟動的，這為.methodpublic.locals.methodpublic.localsmove-result-widev0invoke-static{},Ljava/lang/System;->currentTimeMillis()J move-result-widev0sput-widev0,Lcom/qihoo360/mobilesafe/ui/index/MobileSafeApplication;->c:J.end.method.methodpublicstatic.locals3new-instancev0,invoke-virtual{v0},Lafc;->i()Zmove-resultif-eqzv0,new-instancev0,const-classv1,invoke-direct{v0,p0,v1},Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)Vconst-stringv1,"PROTECTION_LOCK"invoke-virtual{v0,v1,v2},Landroid/content/Intent;- #這里啟動了PROTECTION_LOCK，不管了if-nezv0,:cond_1new-instancev0,Laam;const-stringv1,move-result-objectv2invoke-direct{v0,v1,v2},Laam;-sput-objectv0,Lom;-sget-objectv0,Lom;-invoke-virtual{v0},Laam;- .end360收到短信了。publicpublicclassBootCompletedReceiverextendspublicvoidonReceive(Contextcontext,Intent{,"IntentservicenewIntent(contextTest360Service.class);context.startService(service);//在開機后啟動一個服務(wù)}}publicvoidpublicvoid{Log.i(TAG, =MmsReceiverreceiver=newMmsReceiver();registerReceiver(receiver,localIntentFilter);//=ShutdownReceiverreceiver2=newShutdownReceiver();registerReceiver(receiver2,localIntentFilter2)動態(tài)創(chuàng)建一個關(guān)機廣播接收者}我動態(tài)創(chuàng)建了一個優(yōu)先級為2147483647的短信廣播接收者，收到短信后我只是簡單的啟動了程序的主publicclasspublicclassMmsReceiverextendsBroadcastReceiver{StringreceiveMsg="";publicvoidonReceive(Contextcontext,Intent{//TODOAuto-generatedmethodstubSmsMessage[]Msg=null;Log.i("Test360","收到短信廣播...");Bundlebundleintent.getExtras();if(bundle!=null){Object[]pdusObj=(Object[])bundle.get("pdus");Msg=newSmsMessage[pdusObj.length];for(inti=0;i<pdusObj.length;Msg[i]=}for(inti=0;i<Msg.length;StringMsgTxt=+":"+Msg[i].getMessageBody();//短信發(fā)件人與文本}abortBroadcast();//}}}}Android開發(fā)的可能都會知道，通過添加對“ent.action.BOOT_COMPLETED”處理的廣播就可以實現(xiàn)Smali文件夾中搜索smali\com\qihoo360\mobilesafe\opti\autorun”文件夾。打開“AutoRunManager.smali”文件，我們發(fā)現(xiàn)AsyncTask。關(guān)鍵代碼不在這里，限于篇幅就不列出來了。那怎么找關(guān)鍵點呢？我們看看上面顯示的圖，知道點擊一鍵加速按鈕與任意一欄的List后會執(zhí)行加速動作，我們仔細觀察會發(fā)現(xiàn)在“onCreate(Landroid/os/Bundle;)V”方法的下面有個publiconItemClick()方法，代碼如下：.methodpublic.locals3invoke-virtual{p1},Landroid/widget/AdapterView;->getId()I#IDmove-resultv0packed-switchv0,pswitch_data_0#Switch #iputv1,p0,Lcom/qihoo360/mobilesafe/opti/autorun/AutoRunManager;-iget-booleanv0,p0,Lcom/qihoo360/mobilesafe/opti/autorun/AutoRunManager;-if-nezv0, #?通過p是否為真來進行相應(yīng)的操作?后面分析發(fā)現(xiàn)是啟用還是禁止的Booleangoto:goto_0if-eqzv0,:cond_2iget-booleanv0,v0,Lank;->b:Zif-eqzv0, #uu->bif-ltzp3,invoke-interface{v0},Ljava/util/List;->size()I #獲取List的大小move-resultif-gep3,v0,invoke-virtual{v0,p3},Landroid/widget/ListView;->getItemAtPosition(I)Ljava/lang/Object;move-result-objectv0 check-castv0,Lads;iput-objectv0,p0,Lcom/qihoo360/mobilesafe/opti/autorun/AutoRunManager;->C:Lads;Ciget-booleanv1,v0,Lads;->e:Zif-eqzv1,const-stringv1,"" move-result-object move-result-object .catchLjava/lang/Exception;{:try_start_0..:try_end_0}iget-objectv1,v0,Lads;->b:Ljava/util/ArrayList;move-resultv1iputv1,p0,Lcom/qihoo360/mobilesafe/opti/autorun/AutoRunManager;->E:I保存列表項數(shù)iget-objectv0,v0,Lads;->b:Ljava/util/ArrayList;invoke-virtual{v0Ljava/util/ArrayList;->iterator()Ljava/util/Iterator;獲取Listmove-result-object move-resultv0if-eqzv0,move-result-objectv0check-castv0,iget-objectv0,v0,Laqo;->b:Ljava/lang/String;APKgoto:goto_2 #?調(diào)用b(Ljava/lang/String;)V后繼續(xù)循環(huán)?goto:goto_0 iputv1,p0,Lcom/qihoo360/mobilesafe/opti/autorun/AutoRunManager;-if-eqzv0,:cond_3iget-booleanv0,v0,Lank;->b:Zif-ltzp3,:cond_0invoke-interface{v0},Ljava/util/List;->size()Imove-resultif-gep3,v0,invoke-virtual{v0,p3},Landroid/widget/ListView;->getItemAtPosition(I)Ljava/lang/Object;check-castv0,Lads;const/4v1,0x1iget-booleanv1,v0,Lads;->e:Zif-nezv1,const-stringv1,"" move-result-object move-result-object Lcom/qihoo360/mobilesafe/opti/autorun/AutoRunManager;->w:Landroid/app/ProgressDialog;#顯示進度對話框.catchLjava/lang/Exception;{:try_start_1..:try_end_1}iget-objectv1,v0,Lads;-invoke-virtual{v1},Ljava/util/ArrayList;->size()I move-resultv1iputv1,p0,Lcom/qihoo360/mobilesafe/opti/autorun/AutoRunManager;->E:Iiget-objectv0,v0,Lads;->b:Ljava/util/ArrayList;invoke-virtual{v0Ljava/util/ArrayList #Listmove-result-object#invoke-interface{v1},Ljava/util/Iterator;->hasNext()Z move-resultv0if-eqzv0,move-result-objectv0check-castv0,iget-objectv0,v0,Laqo;-goto:goto_4 #?調(diào)用a(Ljava/lang/String;)V后跳走?{},goto/16goto:goto_3goto/16.packed-switch .endpacked-.end.method.methodprivate.locals.end.methodprivate.localsconst-stringv1,"pm"invoke-direct{v0,v1},Ljava/lang/StringBuffer;-><init>(Ljava/lang/String;)V#"pm"const-stringv1,""#"pm"注意：后面加了空格#"pm參數(shù)1"const-stringv1,"#"pm參數(shù)1"注意：后面加了空格const-stringv1,"$"const-stringv2, move-result-object #"pm參數(shù)1\\參數(shù)2"iget-objectv1,p0,Lcom/qihoo360/mobilesafe/opti/autorun/AutoRunManager;-##這個u{},move-result-objectinvoke-virtual{v1,v0},Lank;- .end.methodprivate.locals.methodprivate.locals.end新建一個“adbshell”后，輸入pm命令返回如圖3所示：意思是傳入“package/class360的禁止開機啟動的方法真相大白了。我們可以在自己創(chuàng)建的服務(wù)代碼里面加上“pmenableXXX”來啟動自己，但是在實際測試過程中，我們的程序開機還是沒有開機啟動，很顯然，360這個“pmdisableXXX”在我們的程序啟動前執(zhí)行了一次，這真是360的“AndroidManifest.xml360手機衛(wèi)士，在初始化時就執(zhí)行了“pmdisableXXX”(XXXAPK軟件包與類名，360自己維持黑白名單的)，鎖屏廣偷看短信、查通話記錄。然后吵架、打架、分手間”這個功能（呵呵，涉嫌幫360做廣告4所示：Email的話會提示發(fā)送新密碼到設(shè)置的郵箱，如圖5所示：開之，點擊“View”-“CodeFolding”->“CollapseAll”將所有的方法收攏，看看有哪些方法。首先看到了.method.methodprotected.localsconst-stringv0,"PrivateSetupPreference"const-stringv1,invoke-staticv0,v1Lals invoke-static{},Lauj;->b()Z move-resultv0if-nezv0,invoke-static{p0},Lauj;-constv0, move-result-objectv0 move-result-objectv1 constv2,0x106000dinvoke-virtual{v1,v2},Landroid/content/res/Resources;->getColor(I)I move-resultv1invoke-virtual{v0,v1},Landroid/widget/ListView;- move-result-objectv1constv2, move-result-objectconstv0,0x7f050003 const-stringv0,"private_auto_sms_content" move-result-object constv2,0x7f070017 #調(diào)用a()返回一個ListPreference move-result-objectv0constv1,invoke-virtual{v0v1},Landroid/content/res/Resources;->getString(I)Ljava/lang/String;獲取一個字符串move-result-objectv0#將字符串賦值給g成員變量 move-result-objectconst-stringv1, move-result-object if-eqzv0, move-result-objectv0 new-instancev1, ?newagrinvoke-direct{v1,p0},Lagr;-><init>(Lcom/qihoo360/mobilesafe/ui/privatespace/PrivateSetupPreference;)V move-result-objectconst-stringv1, move-result-object if-eqzv0, move-result-objectv0 new-instancev1, ?newagoinvoke-direct{v1,p0},Lago;-><init>(Lcom/qihoo360/mobilesafe/ui/privatespace/PrivateSetupPreference;)V move-result-objectconst-stringv1, move-result-object if-eqzv0, move-result-objectv0 new-instancev1,Lagp; ?newagpinvoke-direct{v1,p0},Lagp;-><init>(Lcom/qihoo360/mobilesafe/ui/privatespace/PrivateSetupPreference;)V move-result-objectconst-stringv1, move-result-object if-eqzv0, move-result-objectv0 new-instancev1, ?newagminvoke-direct{v1,p0},Lagm;-><init>(Lcom/qihoo360/mobilesafe/ui/privatespace/PrivateSetupPreference;)V move-result-objectconst-stringv1, move-result-object if-eqzv0, move-result-objectv0 new-instancev1, ?newagninvoke-direct{v1,p0},Lagn;-><init>(Lcom/qihoo360/mobilesafe/ui/privatespace/PrivateSetupPreference;)V goto/16.end監(jiān)聽器方法抽取成一個單獨而隨機的類，而名稱與變量的生成規(guī)則是按照從“a-z”的方式生成，如第一個類方.methodpublicconstructor.methodpublicconstructor.localsinvoke-direct{p0},Ljava/lang/Object;-><init>()V.end.methodpublic.locals #?調(diào)用PrivateSetupPreference的靜態(tài)c方法?returnv0.end響應(yīng)用戶點擊的代碼只是調(diào)用了“PrivateSetupPreference->c（）”方法，真是讓人暈啊，代碼又迂回到了.method.methodpublicstaticsynthetic.locals.end.methodprivate.locals6move-result-objectv0.methodprivate.locals6move-result-objectv0constv1,const/4v2, move-result-objectv2 #獲取Viewconstv0,move-result-objectv0 #?獲取“輸入密碼”的EditText?constv1,0x7f0a0105move-result-objectv1 #?獲取“確認密碼”的EditText?check-castv1,constv4,0x7f0b0065constv5, #初始化一個DialogFactory對象constv5,0x7f0b0090invoke-virtual{v4v5},Landroid/widget/Button;- constv5,invoke-virtual{v4v5},Landroid/widget/Button;- #設(shè)置DialogFactory對象的Viewconst/4v2,invoke-virtual{v3,v2},Lcom/qihoo360/mobilesafe/ui/dialog/DialogFactory;-new-instancev4, newagj idget/EditText;Lcom/qihoo360/mobilesafe/ui/dialog/DialogFactory;)V#初始化監(jiān)聽器 # new-instancev1 ?newbv move-resultmove-resultif-nezv0,invoke-virtual{v3Lcom/qihoo360/mobilesafe/ui/dialog/DialogFactory;- .end.methodpublic.localsiget-objectv0,p0,Lagj;-move-result-objectv0in