Momo 4.12 can be cracked straightforwardly with IDA Pro. Momo 5.0 introduces a packer from SecNeo, a mobile app protection vendor, to keep the app from being modified.

This is a new approach, and the following points are worth noting.

  1. classes.dex grows smaller
    In 4.12 classes.dex is about 4 MB; in 5.0 it is only 24 KB.
    So where does the momo code go?
  2. After unpacking with apktool, classes present in 4.12 are missing in 5.0
    Activities declared in AndroidManifest.xml cannot be found in the smali directory.
    These are all the smali files for 5.0:
    $ find 5.0ec1momo/smali/
    5.0ec1momo/smali/
    5.0ec1momo/smali/com
    5.0ec1momo/smali/com/baidu
    5.0ec1momo/smali/com/baidu/location
    5.0ec1momo/smali/com/baidu/location/f.smali
    5.0ec1momo/smali/com/immomo
    5.0ec1momo/smali/com/immomo/momo
    5.0ec1momo/smali/com/immomo/momo/.MomoApplication.smali.swp
    5.0ec1momo/smali/com/immomo/momo/android
    5.0ec1momo/smali/com/immomo/momo/android/broadcast
    5.0ec1momo/smali/com/immomo/momo/android/broadcast/BootCompletedReceiver.smali
    5.0ec1momo/smali/com/immomo/momo/android/broadcast/HeadsetStatusReceiver.smali
    5.0ec1momo/smali/com/immomo/momo/android/broadcast/NewVersionReceiver.smali
    5.0ec1momo/smali/com/immomo/momo/android/broadcast/SystemDownloadComplete.smali
    5.0ec1momo/smali/com/immomo/momo/MomoApplication.smali
    5.0ec1momo/smali/com/secneo
    5.0ec1momo/smali/com/secneo/guard
    5.0ec1momo/smali/com/secneo/guard/ACall.smali
    5.0ec1momo/smali/com/secneo/guard/MyClassLoader.smali
    5.0ec1momo/smali/com/secneo/guard/Util.smali
    5.0ec1momo/smali/safiap
    5.0ec1momo/smali/safiap/framework
    5.0ec1momo/smali/safiap/framework/CheckUpdateReceiver.smali
    5.0ec1momo/smali/safiap/framework/logreport
    5.0ec1momo/smali/safiap/framework/logreport/monitor
    5.0ec1momo/smali/safiap/framework/logreport/monitor/handler
    5.0ec1momo/smali/safiap/framework/logreport/monitor/handler/LogreportHandler.smali
    5.0ec1momo/smali/safiap/framework/SafFrameworkManager.smali

    SecNeo has clearly hidden them.

  3. How does SecNeo shrink classes.dex from 4 MB to 24 KB?

    Looking at MomoApplication.onCreate, we find:

    com/secneo/guard/Util;->getCustomClassLoader()
    Ldalvik/system/DexClassLoader;->loadClass("com.immomo.momo.MomoApplication")

    The calls above wrap the loading of the missing dex. Since no such dex sits in the apk, it must be produced at runtime, either downloaded from the internet or decrypted from an embedded payload.
    After the dex is loaded, the following calls are made:

       newInstance()  --> realApplication(Landroid/app/Application)
       Lcom/secneo/guard/ACall;->getACall()                -->v3
       Lcom/immomo/momo/MomoApplication;->realApplication  -->v4
       Lcom/immomo/momo/MomoApplication;->getBaseContext() -->v5
       v3;->at1(v4,v5)(Application, Context)
    
       Lcom/immomo/momo/MomoApplication;->cl               -->v5
       Lcom/immomo/momo/MomoApplication;->getBaseContext() -->v6
       v3;->set2(p0, v4, v5, v6)(Application, Application, ClassLoader, Context)
           v3;->set3(v4)   if release<=2.1
    
       Lcom/secneo/guard/Util;->doProvider()V
       v3;->set8()V

    So the next step is to analyze

    com/secneo/guard/ACall, its methods at1, set2, set8

    com/secneo/guard/Util, its methods getCustomClassLoader, doProvider

So what is the symptom when a pirated (repackaged) copy of the SecNeo-shielded app is run? The app closes itself right after it starts.

No dialog! No message! No hint at all!

Besides, 3 momo processes are created, 2 of which cannot be ptraced.

[localhost /]# ps |grep momo
app_61    14404 99    316752 67432 ffffffff 401015b0 S com.immomo.momo
app_61    14421 14404 9616   3596  ffffffff 40012474 S com.immomo.momo
app_61    14423 14421 9200   1916  ffffffff 40011648 S com.immomo.momo

14423 and 14404 cannot be ptraced because they are already being ptraced by 14421 (a task can have only one tracer at a time, so a second PTRACE_ATTACH fails with EPERM).


14421 can be ptraced, but it is the process tracing 14423, so ptracing 14421 gets us nothing.

It seems we cannot do dynamic analysis of momo 5.0.

Is there a way to debug it before the program ptraces itself?

$ grep ptrace 5.0ec1momo -r
Binary file 5.0ec1momo/assets/libsecmain.x86.so matches
Binary file 5.0ec1momo/lib/armeabi/libCoreCpt.so matches
Binary file 5.0ec1momo/lib/armeabi/libsecmain.so matches

What if we remove the calls to ptrace from libsecmain.so? (On an x86 device or emulator the copy in assets/libsecmain.x86.so would need the same treatment.)
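To make the process listing above concrete, here is an added example of the guard pattern it shows: a forked child attaches to its parent and keeps it running, so any later debugger attach on the parent is refused, and /proc/self/status reports the guard as TracerPid. This is my own two-process model written for this page, not SecNeo's or momo's code, and it does not claim to reproduce the exact three-process layout of libsecmain.so. The function names (parse_tracer_pid, tracer_pid_self, start_ptrace_guard) are mine, the SAMPLE_STATUS text is constructed (pids borrowed from the ps output), and it assumes a Linux host with ptrace available.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample of /proc/<pid>/status, not captured from a device.  The pids
 * are taken from the `ps` listing above to show what 14404 would report. */
static const char SAMPLE_STATUS[] =
    "Name:\tcom.immomo.momo\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t14404\n"
    "Pid:\t14404\n"
    "PPid:\t1\n"
    "TracerPid:\t14421\n"
    "Uid:\t10061\t10061\t10061\t10061\n";

/* Parse the TracerPid field out of a /proc/<pid>/status text.
 * Returns the tracer's pid (0 = nobody is tracing), or -1 if the field is absent. */
int parse_tracer_pid(const char *status)
{
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return (int)strtol(line + 10, NULL, 10);
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Live TracerPid of the calling process: the check a debugger-detection routine makes. */
int tracer_pid_self(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Fork a guard that attaches to its parent and then keeps the parent running by
 * forwarding every stop.  A task can have only one tracer, so while the guard is
 * attached a debugger's PTRACE_ATTACH on the parent fails with EPERM.
 * Returns the guard's pid, or -1 if the attach did not happen. */
pid_t start_ptrace_guard(void)
{
    int ready[2];
    if (pipe(ready) == -1)
        return -1;
#ifdef PR_SET_PTRACER
    /* Yama ptrace_scope=1 only lets ancestors attach; explicitly allow our child to attach to us. */
    prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0);
#endif
    pid_t parent = getpid();
    pid_t guard = fork();
    if (guard == -1) {
        close(ready[0]);
        close(ready[1]);
        return -1;
    }
    if (guard == 0) {
        close(ready[0]);
        int status;
        if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) == -1 ||
            waitpid(parent, &status, 0) == -1)
            _exit(1);                                  /* pipe closes, parent sees EOF */
        ptrace(PTRACE_CONT, parent, NULL, NULL);       /* resume after the attach SIGSTOP */
        if (write(ready[1], "k", 1) != 1)
            _exit(1);
        close(ready[1]);
        for (;;) {                                     /* forward every later stop unchanged */
            if (waitpid(parent, &status, 0) == -1 || !WIFSTOPPED(status))
                _exit(0);
            ptrace(PTRACE_CONT, parent, NULL, (void *)(long)WSTOPSIG(status));
        }
    }
    close(ready[1]);
    char c;
    ssize_t r = read(ready[0], &c, 1);
    close(ready[0]);
    if (r != 1) {
        waitpid(guard, NULL, 0);
        return -1;
    }
    return guard;
}

int main(void)
{
    printf("before guard: TracerPid=%d\n", tracer_pid_self());
    pid_t guard = start_ptrace_guard();
    if (guard == -1) {
        printf("guard could not attach (ptrace restricted here?)\n");
        return 1;
    }
    printf("after guard:  TracerPid=%d (guard pid %d)\n", tracer_pid_self(), (int)guard);
    /* A second tracer is refused; the process cannot even PTRACE_TRACEME itself now. */
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        printf("second tracer refused: %s\n", strerror(errno));
    kill(guard, SIGKILL);                              /* killing the tracer detaches the parent */
    waitpid(guard, NULL, 0);
    return 0;
}
```

Build with `gcc -o guard guard.c`, run it, and try `gdb -p <pid>` against the parent while it is alive: the attach fails with "Operation not permitted", exactly the situation with 14404 and 14423 above, while `cat /proc/<pid>/status | grep TracerPid` names the guard. Patching the PTRACE_ATTACH call out of the guard removes that refusal, which is the idea behind removing the ptrace calls from libsecmain.so.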

 

note:

  1. http://reverseengineering.stackexchange.com/questions/1930/detecting-tracing-in-linux
  2. http://etutorials.org/Programming/secure+programming/Chapter+12.+Anti-Tampering/12.13+Detecting+Unix+Debuggers/