The subject of this article is an Android device-spoofing ("改机", device-identity rewriting) tool, 微gou改机. We first saw this tool last year; in the year or so since, it has grown to a sizeable user base.
From initially advertising in QQ groups, it has grown to three brands (VS*师, 悟*宝, 新微gou), six sales reps, a forum with 1300+ posts and social groups with 3000+ users. Clearly 微gou has had a comfortable year or so... we suggest every company keep an eye on it sooner rather than later...
Packet capture analysis
This tool differs from traditional device-spoofing tools: the device must first be flashed with a specified ROM, and the tool then modifies the specified parameters through it. By capturing and decrypting its traffic we obtained the data related to its device modification: more than 80 fields, mostly the device data to be rewritten.
Decrypted captured fields:
{
"accountPassword":"",
"androidId":"",
"androidVer":"",
"api":"",
"appInstallTime":"",
"appPackages":"",
"arpMac":"",
"backupFileName":"",
"board":"",
"bootId":"",
"brand":"",
"bssId":"",
"carrier":"=",
"carrierCode":"",
"constructDate":"",
"coreNumber":,
"countryCode":"",
"cpuInfo":"",
"cupFile":"",
"dayNumber":,
"density":,
"description":"",
"device":"",
"deviceFile":"",
"deviceFileVersion":"",
"deviceVersion":"",
"display":"",
"dpi":,
"dummy0MAC":"",
"fingerprint":"",
"fromDayNumber":,
"getIp":,
"gjIso":"",
"glRenderer":"",
"glVendor":"",
"hardware":"",
"height":,
"id":,
"imei":"",
"imei1":"",
"imsi":"",
"ipv6":"",
"lat":,
"log":,
"lymac":"",
"manufacture":"",
"meid":"",
"model":"",
"networkInfoType":,
"networkTor":"",
"networkType":,
"newAdd":,
"p2p0MAC":"",
"pathMessage":"",
"phoneNumber":"",
"phoneType":,
"product":"",
"recoveryId0":"",
"recoveryId1":"",
"remainDevice":"",
"scaledDensity":,
"sdCardCid0":"",
"sdCardCid1":"",
"serial":"",
"simSerial":"",
"simState":,
"simopeName":"",
"survivalVersion":"",
"taskId":"",
"taskSubId":"",
"time":,
"type":,
"updateTime":"",
"used":,
"versionId":"",
"whereDay":,
"width":,
"wifiMac":"",
"wifiName":"",
"xdpi":,
"ydpi":
}
Of these, the deviceFile field is a URL; downloading it yields a fairly complete set of device-spoofing data for that model. Overall, the outer fields and the downloaded device data are combined to form one complete device profile.
Through the http://*/api/DeviceInfoFile/getDeviceListByVersion endpoint one can obtain every supported model: currently 300+, covering the mainstream Android models. Every device of the same model shares the same deviceFile URL, which means that some fields in the propset are fixed per model. The devices are all rather old, Android 9 at most, with almost no recent models, though later updates cannot be ruled out.
Reverse engineering
Tapping "one-tap new device" enters com.mingning179.data.ClientUtil.apply; after clearing the previous modification data it enters com.mingning179.commonutils.ConversionUtil.conversion:
This function first makes some changes to the device information. It then calls the various Util classes, which write all device information into system properties via a custom system class that reflectively invokes SystemProperties.set; the framework-layer and service-layer spoofing code reads the device information back from these properties. The properties are of course permission-controlled: ordinary apps cannot read them, system privilege is required.
Root authorization
After authorization in the app's UI, the authorized app's uid is ultimately written to wg.cust.grant_su in /dev/wgzs/fsconf:
wg.cust.destUids=10079
wg.cust.emulated=4096,4096,6522359,5031618,5031618,6317056,5036738,5036738,66327,1038,255
wg.cust.system=4096,4096,617098,67446,63350,159360,150930,150930,18446744071771954271,4097,255
wg.cust.data=4096,4096,6522359,5031618,5031618,6317056,5036738,5036738,66327,1038,255
wg.cust.SIMUNET_TYPE=bond0,wlan0,p2p0,dummy0
wg.cust.SIMUNET_wlan0_MAC=90:94:97:4b:68:67
wg.cust.SIMUNET_dummy0_MAC=36:52:fc:24:0c:8e
wg.cust.SIMUNET_p2p0_MAC=92:94:97:4b:68:67
wg.cust.SIMUNET_bond0_MAC=52:a8:f1:b0:b4:d7
wg.cust.SIMUNET_wlan0_IP6=fe80000000000000929497fffe4b6867
wg.cust.SIMUNET_dummy0_IP6=fe800000000000003452fcfffe240c8e
/sys/class/power_supply/battery/temp=/dev/wgzs/files/battery/temp
/sys/class/power_supply/battery/voltage_now=/dev/wgzs/files/battery/voltage_now
/sys/class/power_supply/battery/technology=/dev/wgzs/files/battery/technology
/sys/class/power_supply/battery/status=/dev/wgzs/files/battery/status
/sys/class/power_supply/battery/health=/dev/wgzs/files/battery/health
/sys/class/power_supply/battery/capacity=/dev/wgzs/files/battery/capacity
/sys/class/power_supply/battery/present=/dev/wgzs/files/battery/present
/sys/devices/qpnp-charger-f04f1000/power_supply/battery/capacity=/dev/wgzs/files/devices/qpnp-charger-f04f1000/power_supply/battery/capacity
/proc/meminfo=/dev/wgzs/meminfo
/proc/cpuinfo=/dev/wgzs/files/cpuinfo
/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_max_freq
/sys/devices/system/cpu/cpufreq/policy0/scaling_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_max_freq
/sys/devices/system/cpu/cpufreq/policy4/cpuinfo_max_freq=/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq
/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_max_freq
/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_max_freq
/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_max_freq
/sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/cpuinfo_max_freq
/sys/devices/system/cpu/cpu1/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/scaling_max_freq
/sys/devices/system/cpu/cpu2/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/cpuinfo_max_freq
/sys/devices/system/cpu/cpu2/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/scaling_max_freq
/sys/devices/system/cpu/cpu3/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/cpuinfo_max_freq
/sys/devices/system/cpu/cpu3/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/scaling_max_freq
/sys/devices/system/cpu/cpu4/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/cpuinfo_max_freq
/sys/devices/system/cpu/cpu4/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/scaling_max_freq
/sys/devices/system/cpu/cpu5/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/cpuinfo_max_freq
/sys/devices/system/cpu/cpu5/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/scaling_max_freq
/sys/devices/system/cpu/cpu6/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/cpuinfo_max_freq
/sys/devices/system/cpu/cpu6/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/scaling_max_freq
/sys/devices/system/cpu/cpu7/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/cpuinfo_max_freq
/sys/devices/system/cpu/cpu7/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/scaling_max_freq
/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_min_freq
/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_min_freq
/sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_cur_freq
/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_min_freq
/sys/devices/system/cpu/cpufreq/policy0/scaling_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_min_freq
/sys/devices/system/cpu/cpufreq/policy0/scaling_cur_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_cur_freq
/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_min_freq
/sys/devices/system/cpu/cpufreq/policy0/scaling_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_min_freq
/sys/devices/system/cpu/cpufreq/policy0/scaling_cur_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_cur_freq
/sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/cpuinfo_min_freq
/sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/scaling_min_freq
/sys/devices/system/cpu/cpu1/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/scaling_cur_freq
/sys/devices/system/cpu/cpu2/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/cpuinfo_min_freq
/sys/devices/system/cpu/cpu2/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/scaling_min_freq
/sys/devices/system/cpu/cpu2/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/scaling_cur_freq
/sys/devices/system/cpu/cpu3/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/cpuinfo_min_freq
/sys/devices/system/cpu/cpu3/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/scaling_min_freq
/sys/devices/system/cpu/cpu3/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/scaling_cur_freq
/sys/devices/system/cpu/cpu4/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/cpuinfo_min_freq
/sys/devices/system/cpu/cpu4/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/scaling_min_freq
/sys/devices/system/cpu/cpu4/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/scaling_cur_freq
/sys/devices/system/cpu/cpu5/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/cpuinfo_min_freq
/sys/devices/system/cpu/cpu5/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/scaling_min_freq
/sys/devices/system/cpu/cpu5/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/scaling_cur_freq
/sys/devices/system/cpu/cpu6/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/cpuinfo_min_freq
/sys/devices/system/cpu/cpu6/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/scaling_min_freq
/sys/devices/system/cpu/cpu6/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/scaling_cur_freq
/sys/devices/system/cpu/cpu7/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/cpuinfo_min_freq
/sys/devices/system/cpu/cpu7/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/scaling_min_freq
/sys/devices/system/cpu/cpu7/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/scaling_cur_freq
/sys/devices/system/cpu/cpu0=/dev/wgzs/files/cpu/cpu0
/sys/devices/system/cpu/cpu1=/dev/wgzs/files/cpu/cpu1
/sys/devices/system/cpu/cpu2=/dev/wgzs/files/cpu/cpu2
/sys/devices/system/cpu/cpu3=/dev/wgzs/files/cpu/cpu3
/sys/devices/system/cpu/cpu4=/dev/wgzs/files/cpu/cpu4
/sys/devices/system/cpu/cpu5=/dev/wgzs/files/cpu/cpu5
/sys/devices/system/cpu/cpu6=/dev/wgzs/files/cpu/cpu6
/sys/devices/system/cpu/cpu7=/dev/wgzs/files/cpu/cpu7
/sys/devices/system/cpu=/dev/wgzs/files/cpu
/sys/devices/system/cpu/online=/dev/wgzs/files/cpu/online
/sys/devices/system/cpu/possible=/dev/wgzs/files/cpu/possible
/sys/devices/system/cpu/present=/dev/wgzs/files/cpu/present
/sys/devices/system/cpu/offline=/dev/wgzs/files/cpu/offline
/proc/net/if_inet6=/dev/wgzs/files/fileFilter/net/if_inet6
/proc/net/arp=/dev/wgzs/files/fileFilter/net/arp
/proc/net/dev=/dev/wgzs/files/fileFilter/net/dev
/proc/net/igmp=/dev/wgzs/files/fileFilter/net/igmp
/proc/net/igmp6=/dev/wgzs/files/fileFilter/net/igmp6
/proc/net/route=/dev/wgzs/files/fileFilter/net/route
/system/etc/selinux/plat_property_contexts=/dev/wgzs/files/plat_property_contexts
/proc/net/ipv6_route=/dev/wgzs/files/fileFilter/net/ipv6_route
/proc/net/xt_qtaguid/iface_stat_all=/dev/wgzs/files/fileFilter/net/xt_qtaguid/iface_stat_all
/proc/net/xt_qtaguid/iface_stat_fmt=/dev/wgzs/files/fileFilter/net/xt_qtaguid/iface_stat_fmt
/proc/net/xt_qtaguid/stats=/dev/wgzs/files/fileFilter/net/xt_qtaguid/stats
/sys/bus/virtio=/system/lost+found
wg.cust.uts_name=Linux,localhost,3.18.66-g7730a1a,#1 SMP PREEMPT Tue Mar 20 11:53:15 CST 2018,aarch64,localdomain
wg.cust.stat.filter=lineage,Lineage,cyanogenmod,wgzs,ppp0,eth0,tun0,TWRP,/dev/socket/mtpd,twrp
wg.cust.file.filter=/net/xt_qtaguid/stats,/net/if_inet6,/net/ipv6_route,/net/xt_qtaguid/iface_stat_all,/net/xt_qtaguid/iface_stat_fmt,/net/arp,/net/igmp,/net/igmp6,/net/route,/net/dev_mcast,/net/maps,/sys/devices/soc0,/net/dev
wg.cust.file.filter.prefix=/dev/wgzs/files/fileFilter
/storage/emulated/0/.temp.txt=/dev/wgzs/properties
/dev/wgzs/properties=/dev/null
/property_contexts=/dev/wgzs/files/property_contexts
wg.cust.cpuinfo=1401000,960000,1401000,960000,0
/proc/sys/kernel/random/boot_id=/dev/wgzs/files/boot_id
/storage/emulated/0/MobileAnJian=/storage/emulated/0/nullFile
/storage/emulated/0/backUpFiles=/dev/z0
wg.cust.grant_su=10079,10103,1000
wg.cust.BSSID=ac:74:09:3b:82:01
wg.cust.wgserverPath=2690736423 3532824459
As can be seen, apart from a small amount of hardware configuration, most entries are file redirections, plus some file filtering applied to I/O.
The actual implementation is in the kernel. Extracting and analysing the kernel shows a dofilefilter function that is called from every file-related operation to perform the filtering. On each call the function re-reads /dev/wgzs/fsconf and updates its configuration (the kernel function is also control-flow obfuscated, clever little
Partial excerpt:
Backup and restore
The main backup/restore logic is in com.mingning179.commonutils.BackupUtils.
Backup:
Backup covers three locations: the app's sandbox directory, data/user/0/packageName (i.e. data/data/packageName); the related sdcard directories; and the keystore.
Below is the file-filtering logic for backing up the sdcard. It still misses some data, so after a restore part of the data will be lost.
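To work with a dump like the one above, an analyst wants the two kinds of entries separated and summarized: which /proc and /sys paths are redirected into the tool's staging area, which names its stat filter hides, which MACs it fabricates and which uids it grants root. The parser below is an added example, not code from the original post or from the tool; it assumes only the line format visible in the dump (either `wg.cust.<key>=<value>` or `<original path>=<replacement path>`), and the embedded sample is a constructed excerpt of that dump.

```python
"""Parse a wg.cust-style fsconf dump and summarize what it hides or rewrites.

Added example, not code from the original post or from the tool. Assumes the
line format seen in the post: `wg.cust.<key>=<value>` for settings and
`<original path>=<replacement path>` for redirections.
"""
from dataclasses import dataclass, field

# Constructed excerpt of the fsconf dump reproduced in the post.
SAMPLE_FSCONF = """\
wg.cust.destUids=10079
wg.cust.SIMUNET_TYPE=bond0,wlan0,p2p0,dummy0
wg.cust.SIMUNET_wlan0_MAC=90:94:97:4b:68:67
/sys/class/power_supply/battery/capacity=/dev/wgzs/files/battery/capacity
/proc/cpuinfo=/dev/wgzs/files/cpuinfo
/proc/net/arp=/dev/wgzs/files/fileFilter/net/arp
/system/etc/selinux/plat_property_contexts=/dev/wgzs/files/plat_property_contexts
/storage/emulated/0/backUpFiles=/dev/z0
wg.cust.stat.filter=lineage,Lineage,cyanogenmod,wgzs,ppp0,eth0,tun0,TWRP,/dev/socket/mtpd,twrp
wg.cust.grant_su=10079,10103,1000
"""

SETTING_PREFIX = "wg.cust."
STAGING_DIR = "/dev/wgzs/"


@dataclass
class FsConf:
    settings: dict = field(default_factory=dict)   # key without the wg.cust. prefix -> raw value
    redirects: dict = field(default_factory=dict)  # original path -> replacement path


def parse_fsconf(text):
    """Split the dump into settings and path redirections; blank or malformed lines are skipped."""
    conf = FsConf()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)  # the value may itself contain '=' or spaces
        if key.startswith(SETTING_PREFIX):
            conf.settings[key[len(SETTING_PREFIX):]] = value
        else:
            conf.redirects[key] = value
    return conf


def list_setting(conf, name):
    """Return a comma-separated setting as a list (empty if the key is absent)."""
    return [item for item in conf.settings.get(name, "").split(",") if item]


def redirected_under(conf, prefix):
    """Original paths under `prefix` that the kernel filter redirects elsewhere."""
    return sorted(path for path in conf.redirects if path.startswith(prefix))


def summarize(conf):
    """Defender-oriented summary: what the configuration hides, fakes and grants."""
    fake_macs = {
        key.split("_")[1]: value                       # SIMUNET_wlan0_MAC -> wlan0
        for key, value in conf.settings.items()
        if key.startswith("SIMUNET_") and key.endswith("_MAC")
    }
    return {
        "granted_su_uids": list_setting(conf, "grant_su"),
        "hidden_names": list_setting(conf, "stat.filter"),
        "proc_redirects": redirected_under(conf, "/proc/"),
        "sys_redirects": redirected_under(conf, "/sys/"),
        "fake_macs": fake_macs,
        "redirects_into_staging": sorted(
            path for path, target in conf.redirects.items() if target.startswith(STAGING_DIR)
        ),
    }


if __name__ == "__main__":
    for name, value in summarize(parse_fsconf(SAMPLE_FSCONF)).items():
        print(f"{name}: {value}")
```

The split on the first `=` matters: replacement paths and the uts_name value contain spaces and commas, so the parser must not tokenize further than the key. Redirections whose target is not under /dev/wgzs/ (the sdcard backup directory mapped to /dev/z0, for example) are kept separately, since they hide the tool's own artefacts rather than substitute device data.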
import android.content.Context;
import java.io.File;
import java.io.FileFilter;
import java.util.Arrays;
import java.util.Set;

public static Set<String> getSdFile(Context context) {
    String[] destUids = ClearAppUtil.getDestUidsStr(context, ",").split(",");
    Set<String> records = ClearAppUtil.getFileRecords(new FileFilter() {
        @Override
        public boolean accept(File file) {
            String path = file.getAbsolutePath();
            // Exclude pseudo-filesystems, system partitions, app data and any hidden ("/.") entries;
            // everything else under the scanned roots is kept for backup.
            return !(path.startsWith("/proc/") || path.startsWith("/dev/")
                    || path.startsWith("/system/") || path.startsWith("/vendor/")
                    || path.startsWith("/data/") || path.startsWith("/sys/")
                    || path.contains("/."));
        }
    }, destUids);
    // Sorts a temporary array copy only; the set itself is returned unchanged.
    Arrays.sort(records.toArray(new String[0]));
    return records;
}
Restore:
Restore simply unpacks the backup and overwrites the data back in place, plus a little extra work to repair permissions.
Build/prop spoofing
Build
Fields of Build.class are modified in handleBindApplication during app startup, which calls WgzsUtil.modifyBuildClass to make the changes:
As can be seen, it only modifies the public fields that exist in the AOSP code.
Prop
For properties, besides the libc function __system_property_get, there are the Java-layer SystemProperties class and getprop in /system/bin. The libc function __system_property_get has been modified accordingly.
Other modifications
微gou adds a WgzsUtil class to the system to assist with spoofing; the functions that decide whether to spoof include:
shouldGJ covers:
shouldGJInService covers:
shouldGjInSystemServer mainly covers the network connectivity services:
The implementation is simply a check inside the relevant function body: if spoofing is required, the spoofed data is returned.
Summary
微gou's modifications to AOSP span the framework, native libraries and kernel. The advantage is that they leave few traces; the cost is that maintenance is very expensive. On the API side, although few points are involved and coverage looks fairly complete, the Android system API surface is vast, not to mention multi-dimensional data such as the user's device environment, sensor data and biometrics. From a detection standpoint, since the tool itself leaves few traces, one can either focus on features and user-environment information the tool does not cover, such as the sdcard directory, or collect the same piece of device information from as many different places as possible and then ban based on policy.
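The second detection approach in the summary, collecting the same attribute through several independent paths and treating disagreement as a signal, is easy to express as server-side policy once the client reports each attribute together with the path it was collected through. The code below is an added example, not from the original post or from the tool. The report layout (attribute -> {collection path -> value}) and all sample values are constructed; the collection-path labels name the sources the post discusses (the Build class, SystemProperties via reflection, getprop, the kernel's /proc and /sys views), and which of them a given spoofing tool misses is an assumption made only to produce one mismatch in the sample.

```python
"""Cross-source consistency check for a device report, following the post's
summary: the same attribute collected through independent paths should agree.

Added example, not code from the original post or from the tool. The report
layout and every value below are constructed for illustration.
"""
import re

# Constructed clean device: every collection path agrees.
CLEAN_REPORT = {
    "model": {
        "Build.MODEL": "MI 8",
        "SystemProperties:ro.product.model": "MI 8",
        "getprop:ro.product.model": "MI 8",
    },
    "wifi_mac": {
        "NetworkInterface:wlan0": "A4:50:46:12:34:56",
        "/sys/class/net/wlan0/address": "a4:50:46:12:34:56",
    },
}

# Constructed spoofed device: the assumed scenario is that the property
# sources were rewritten but one kernel-side path was not, so they disagree.
SPOOFED_REPORT = {
    "model": {
        "Build.MODEL": "MI 8",
        "SystemProperties:ro.product.model": "MI 8",
        "getprop:ro.product.model": "MI 8",
    },
    "wifi_mac": {
        "NetworkInterface:wlan0": "90:94:97:4b:68:67",
        "/sys/class/net/wlan0/address": "a4:50:46:12:34:56",
    },
    "kernel_release": {
        "System.getProperty:os.version": "3.18.66-g7730a1a",
        "/proc/sys/kernel/osrelease": "3.18.66-g7730a1a",
    },
}


def normalize(attr, value):
    """Canonicalize a value so that formatting differences are not mistaken for spoofing."""
    text = str(value).strip().lower()
    if attr.endswith("_mac"):
        # 90:94:97:4B:68:67, 90-94-97-4b-68-67 and 9094974b6867 all compare equal.
        text = re.sub(r"[^0-9a-f]", "", text)
    return text


def check_consistency(report):
    """Return one finding per attribute whose independently collected values disagree."""
    findings = []
    for attr, sources in report.items():
        seen = {src: normalize(attr, val) for src, val in sources.items()}
        if len(set(seen.values())) > 1:
            findings.append({"attribute": attr, "values": seen})
    return findings


def decide(findings, max_mismatches=0):
    """Policy hook: mismatches beyond the tolerance send the device to review."""
    return "allow" if len(findings) <= max_mismatches else "review"


if __name__ == "__main__":
    for label, report in (("clean", CLEAN_REPORT), ("spoofed", SPOOFED_REPORT)):
        found = check_consistency(report)
        print(label, decide(found), [f["attribute"] for f in found])
```

Two design points carry over to a real deployment: normalization must be per attribute, or legitimate formatting differences between sources become false positives, and the decision is kept separate from the comparison so that the tolerance can be tuned per attribute or combined with the other signals the summary mentions (sdcard contents, sensors, environment data) rather than banning on a single mismatch.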