Category: Daily work


trap of bash

trap is a command that most Linux shell developers rarely use. But sometimes it is very useful, especially when you have background jobs running and want to clean them up if the script exits abnormally.

http://mywiki.wooledge.org/SignalTrap

This page has an excellent explanation of the trap command.

It also explains the difference between what “kill -SIGINT pid” does and CTRL+C:

  • the first applies to a single process, pid
  • the second applies to the foreground job; every process belonging to that job receives SIGINT

Another tip is to use “& wait” to make the bash script asynchronous, so that the trap command list can be executed immediately instead of only after the script’s foreground process completes.

 

ref

[figure: model 2]

[figure: model 1 (Binomial_Distribution.svg)]

remove 2345.com

This is an ugly piece of spyware that gets installed when you install something from an untrusted source.

One key symptom is that when you open the default browser, a default URL is opened: http://www.hao601.com/?tn5_9_30=27711

Even if you set the default home URL to about:blank, that URL is still opened.

In fact, it is implemented by appending that URL to your browser’s shortcut target. So right-click your browser icon, open Properties, and remove “http://www.hao601.com/?tn5_9_30=27711” from the Target field.

When talking about speed, we must talk about time.

What is speed? (speed = a kind of derivative)

  • speed = delta(something)/delta(time)
  • delta(something) = something1 - something0
  • delta(time) = time1 - time0

This is absolute speed.

There is another kind of speed, relative speed.

  • speed=delta(something)/(delta(time)*initial(something))

Take a look at this, http://betterexplained.com/articles/an-intuitive-guide-to-exponential-functions-e/

It gives an excellent explanation of e.

From here on, we only talk about relative speed, so “speed” means relative speed.

e assumes the relative speed to be 1.

e = (1+1/n)^n

Assumptions:

  1. Start growing at 1
  2. A unit time period T, T=1
  3. The unit time period can be split into smaller periods, say N of them
  4. For each of its N periods, the relative speed = 1

There are N smaller periods.

  • If the growth step is T, then growth only happens once
    We get 2
  • If the growth step is T/2, then it grows 2 times
    (1+1/2)
    (1+1/2)(1+1/2)
    We get 2.25
  • If the growth step is T/3, then it grows 3 times
    (1+1/3)
    (1+1/3)(1+1/3)
    (1+1/3)(1+1/3)(1+1/3)
    We get (4/3)^3 = 2.370370…
  • ……
  • If the growth step is T/n, then it grows n times
    … …
    (1+1/n)(1+1/n)…(1+1/n) = (1+1/n)^n

See something here? 3 points:

  • the counting period can be split into smaller periods
    N * T/N
  • newly grown parts can also grow
  • the relative growth speed stays 1
    delta(something) = (1+1/n)^n - (1+1/n)^(n-1) = (1+1/n)^(n-1) * 1/n
    delta(time) = 1/n
    initial(something) = (1+1/n)^(n-1)
    delta(something)/(delta(time) * initial(something)) = 1

This makes sense: to get maximum growth we can do something in a smaller period to generate a smaller product, but this smaller product can also join the process of growth.

 

 

Let us take a look at another kind of growth. In this kind of growth the newly added product does not join the process of growth. Only the initial one grows.

  • If the growth step is T, growth only happens 1 time, we get 2
  • If the growth step is T/2, then it grows 2 times
    (1+1/2)
    (1+1/2+1/2)
    We get 2
  • If the growth step is T/3, then it grows 3 times
    (1+1/3)
    (1+1/3+1/3)
    (1+1/3+1/3+1/3)
    We get 2
  • ……
  • If the growth step is T/n, then it grows n times
    … …
    (1+1/n+1/n+…+1/n)   1/n appears n times
    We get 2

In this kind of growth the relative speed is not constant over its N periods when the newly added parts are counted. However, when the newly added parts are not counted, its relative speed is 1.
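The two kinds of growth above, written as recurrences (an added worked equation, not part of the original post). Let h = 1/n be the length of one small period, x_k the amount after k small periods, and x_0 = 1.

Compound growth, where newly grown parts also grow:

$$x_k = x_{k-1} + h\,x_{k-1} = (1+h)\,x_{k-1}, \qquad x_n = (1+h)^n = \Bigl(1+\frac{1}{n}\Bigr)^n \;(\to e \text{ as } n \to \infty),$$

$$\frac{x_k - x_{k-1}}{h\,x_{k-1}} = 1 \quad \text{for every } k.$$

Simple growth, where only the initial amount grows:

$$x_k = x_{k-1} + h\,x_0, \qquad x_n = 1 + n h = 2,$$

$$\frac{x_k - x_{k-1}}{h\,x_{k-1}} = \frac{x_0}{x_{k-1}} = \frac{1}{1+(k-1)h}, \qquad \frac{x_k - x_{k-1}}{h\,x_0} = 1.$$

So in the second model the relative speed measured against the current amount falls from 1 at k=1 toward 1/2 near k=n, while measured against the initial amount it stays 1, which is the distinction the paragraph above draws.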

Obviously, the first step is to establish a functional relationship.

Which factors do you care about, and how do you quantify them? The factors you care about go on the right side. Suppose there is only one factor, Y.

Then look for the other factors that influence Y; suppose there is only one, X.

Is the relationship between Y and X obvious? What is easy to see is linear; what is hard to see is nonlinear.

In one sentence: Y=f(X).

How to describe f is a problem.

Sometimes there is more than one Y, and sometimes more than one X; that is also a problem.

When you meet a real problem, whether you can think of building a functional relationship to solve it is also a problem.

Even if you think of this route, whether you can build a functional relationship that fits reality is also a problem.

Even if you can find a suitable functional relationship, whether you have enough resources to implement it is sometimes also a problem.

Whether you need to find some instances x of X and instances y of Y in order to discover the functional relationship is also a problem.

There is another case: the relationship f itself changes; it is a function of time.

note(2015/06/22):

  1. http://www.oecd.org/pisa/keyfindings/pisa-2012-results-overview.pdf
  2. http://data.163.com/15/0608/07/ARIOOEGN00014MTN.html

 

This extension appears to be from Google.

But turning it on will make your Chrome connect to a website, http://cdncache1-a.akamaihd.net, from time to time.

That is ridiculous. Why does an extension for searching the local page need to connect to a specific site?

So remove it without doubt.

 

Ref

  1. http://answers.microsoft.com/en-us/windows/forum/windows_7-security/cdncache1-aakamaihdnet/df4a73d0-11cd-4a30-93d1-b360ac75e1af
  2. Take a look at its author: it is highlight-to-search-extension, but in the Chrome store it also appears to come from Google (“由 Google 提供”, “offered by Google”)

secneo(2)

To remove the ptrace code in secneo's libsecmain.so, we need to open it with IDA Pro and locate that code.

[image]

“SHT table size or offset is invalid”? Continue and you will see

[image]

Searching for “ptrace” gives no result.

Similar problems happen with libsecexe.so.

What happened?

$ readelf.exe -h 5.0ec1momo/lib/armeabi/libsecmain.so
ELF 头:
  Magic:  7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              DYN (共享目标文件)
  Machine:                           ARM
  Version:                           0x1
  入口点地址:              0x7acc
  程序头起点:              52 (bytes into file)
  Start of section headers:          45224 (bytes into file)
  标志:             0x5000002, has entry point, Version5 EABI
  本头的大小:       52 (字节)
  程序头大小:       32 (字节)
  Number of program headers:         6
  节头大小:         0 (字节)
  节头数量:         0
  字符串表索引节头: 0

readelf:警告:possibly corrupt ELF file header - it has a non-zero section header offset, but no section headers

It tells us that the section header table starts at 45224, but the section header size is 0 and the number of sections is also zero. So IDA Pro failed to load the sections for us.

No disassembled codes are given!

No way to remove the codes of calling ptrace!

45224=0xB0A8

The bytes at 0xB0A8 do not give any hints. This data may also have been randomized by secneo.
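The readelf warning above comes from a simple consistency rule in the ELF header: e_shoff is non-zero but e_shnum is zero. Here is an added example (my own script, not from the post or from binutils) that reads those fields straight from the file with od, so the same check can be run on any 32-bit little-endian .so without a full toolchain. The helper names are mine; the constructed 52-byte sample header reuses the values from the readelf output above (entry 0x7acc, e_shoff 45224, e_shnum 0) and contains no code.

```sh
#!/bin/sh
# Added example: flag an ELF32 header whose section header offset is set
# while the section header count is zero, the situation that made IDA Pro
# give up on libsecmain.so.

# le_u FILE OFFSET WIDTH: little-endian unsigned integer at OFFSET.
le_u() {
  i=0 val=0
  for byte in $(od -An -tu1 -v -j "$2" -N "$3" "$1"); do
    val=$(( val | (byte << (8 * i)) ))
    i=$((i + 1))
  done
  echo "$val"
}

# le_bytes VALUE WIDTH: write VALUE as WIDTH little-endian bytes to stdout.
le_bytes() {
  i=0
  while [ "$i" -lt "$2" ]; do
    printf "\\$(printf '%03o' $(( ($1 >> (8 * i)) & 255 )))"
    i=$((i + 1))
  done
}

# check_section_headers FILE: returns 0 when the section header fields are
# consistent, 1 when e_shoff is set but e_shnum is zero (table stripped or
# bogus), 2 when FILE is not a little-endian ELF32 object.
check_section_headers() {
  magic=$(od -An -tx1 -N 4 "$1" | tr -d ' \n')
  [ "$magic" = 7f454c46 ] || { echo "not an ELF file"; return 2; }
  [ "$(le_u "$1" 4 1)" -eq 1 ] || { echo "not ELF32"; return 2; }
  [ "$(le_u "$1" 5 1)" -eq 1 ] || { echo "not little-endian"; return 2; }
  shoff=$(le_u "$1" 32 4)      # e_shoff
  shentsize=$(le_u "$1" 46 2)  # e_shentsize
  shnum=$(le_u "$1" 48 2)      # e_shnum
  if [ "$shoff" -ne 0 ] && [ "$shnum" -eq 0 ]; then
    echo "suspicious: e_shoff=$shoff but e_shnum=0 (section headers stripped?)"
    return 1
  fi
  echo "ok: e_shoff=$shoff e_shentsize=$shentsize e_shnum=$shnum"
}

# make_header OUT SHOFF SHNUM: write a constructed 52-byte ELF32 ARM header
# (header only, no program headers or code; it exists to exercise the checker).
make_header() {
  {
    printf '\177ELF\001\001\001'   # magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    le_bytes 0 8; le_bytes 0 1     # OS/ABI, ABI version, padding
    le_bytes 3 2                   # e_type    = ET_DYN
    le_bytes 40 2                  # e_machine = EM_ARM
    le_bytes 1 4                   # e_version
    le_bytes 31436 4               # e_entry   = 0x7acc
    le_bytes 52 4                  # e_phoff
    le_bytes "$2" 4                # e_shoff
    le_bytes 83886082 4            # e_flags   = 0x5000002
    le_bytes 52 2                  # e_ehsize
    le_bytes 32 2                  # e_phentsize
    le_bytes 6 2                   # e_phnum
    le_bytes 0 2                   # e_shentsize
    le_bytes "$3" 2                # e_shnum
    le_bytes 0 2                   # e_shstrndx
  } > "$1"
}

# Stand-alone use: "sh this.sh path/to/lib.so".
if [ "${1-}" ]; then check_section_headers "$1"; fi
```

The check deliberately stops at the header: a stripped or forged section table does not affect the dynamic loader, which only reads program headers, so this inconsistency is a sign of deliberate obfuscation rather than a broken library.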

 

Questions:

  1. Can we debug the process com.immomo.momo before it forks the sub-process that ptraces the other 2?
  2. Who spawns the process com.immomo.momo? Can we debug that process and then control some part of com.immomo.momo?
    root      99    1     273576 43684 ffffffff 401009a4 S zygote
    
    [localhost /]# ps |grep momo
    ps |grep momo
    app_61    14404 99    432476 103812 ffffffff 401015b0 S com.immomo.momo
    app_61    14421 14404 9616   3596  ffffffff 40012474 S com.immomo.momo
    app_61    14423 14421 22572  15288 ffffffff 40011648 S com.immomo.momo

    zygote spawns the first momo process. Can we debug it?

    Yes, we can debug zygote.

    Zygote will fork itself into a subprocess subP0. subP0 will later be named com.immomo.momo; in the above case it should be 14404. If we debug 99, 14404 will also be debugged by us. If we set a breakpoint in code unique to 14494 (code that was not executed by 99), it will also break.

    In this way, we successfully switched to debugging 14404 and can step into the logic of momo 5.0.

Note:

  1. https://sourceware.org/gdb/onlinedocs/gdb/Forks.html
  2. http://stackoverflow.com/questions/5768046/debugging-child-processes-gdb-ddd

secneo(1)

Obviously momo 4.12 can be cracked using IDA Pro. momo 5.0 introduces secneo, a mobile security provider, to prevent it from being modified.

This is a new approach, and a few things below are interesting.

  1. classes.dex grows smaller
    [image]
    The 4.12 classes.dex is 4M in size.
    So where does the momo code go?
  2. After unpacking it with apktool, classes found in 4.12 are missing in 5.0
    Activities declared in AndroidManifest.xml cannot be found in the smali directory.
    These are all the smali files for 5.0.
    $ find 5.0ec1momo/smali/
    5.0ec1momo/smali/
    5.0ec1momo/smali/com
    5.0ec1momo/smali/com/baidu
    5.0ec1momo/smali/com/baidu/location
    5.0ec1momo/smali/com/baidu/location/f.smali
    5.0ec1momo/smali/com/immomo
    5.0ec1momo/smali/com/immomo/momo
    5.0ec1momo/smali/com/immomo/momo/.MomoApplication.smali.swp
    5.0ec1momo/smali/com/immomo/momo/android
    5.0ec1momo/smali/com/immomo/momo/android/broadcast
    5.0ec1momo/smali/com/immomo/momo/android/broadcast/BootCompletedReceiver.smali
    5.0ec1momo/smali/com/immomo/momo/android/broadcast/HeadsetStatusReceiver.smali
    5.0ec1momo/smali/com/immomo/momo/android/broadcast/NewVersionReceiver.smali
    5.0ec1momo/smali/com/immomo/momo/android/broadcast/SystemDownloadComplete.smali
    5.0ec1momo/smali/com/immomo/momo/MomoApplication.smali
    5.0ec1momo/smali/com/secneo
    5.0ec1momo/smali/com/secneo/guard
    5.0ec1momo/smali/com/secneo/guard/ACall.smali
    5.0ec1momo/smali/com/secneo/guard/MyClassLoader.smali
    5.0ec1momo/smali/com/secneo/guard/Util.smali
    5.0ec1momo/smali/safiap
    5.0ec1momo/smali/safiap/framework
    5.0ec1momo/smali/safiap/framework/CheckUpdateReceiver.smali
    5.0ec1momo/smali/safiap/framework/logreport
    5.0ec1momo/smali/safiap/framework/logreport/monitor
    5.0ec1momo/smali/safiap/framework/logreport/monitor/handler
    5.0ec1momo/smali/safiap/framework/logreport/monitor/handler/LogreportHandler.smali
    5.0ec1momo/smali/safiap/framework/SafFrameworkManager.smali

    Obviously secneo hides them.

  3. How does secneo reduce classes.dex from 4M to 24k?

    Looking at MomoApplication.onCreate, we found:

    com/secneo/guard/Util;->getCustomClassLoader()
    Ldalvik/system/DexClassLoader;->loadClass("com.immomo.momo.MomoApplication")

    The above code encapsulates the process of loading the missing dex. Since the dex does not lie in the apk, it might come from the internet.
    Besides, the code below is called after loading the dex.

       newInstance()  --> realApplication(Landroid/app/Application)
       Lcom/secneo/guard/ACall;->getACall()                -->v3
       Lcom/immomo/momo/MomoApplication;->realApplication  -->v4
       Lcom/immomo/momo/MomoApplication;->getBaseContext() -->v5
       v3;->at1(v4,v5)(Application, Context)
    
       Lcom/immomo/momo/MomoApplication;->cl               -->v5
       Lcom/immomo/momo/MomoApplication;->getBaseContext() -->v6
       v3;->set2(p0, v4, v5, v6)(Application, Application, ClassLoader, Context)
           v3;->set3(v4)   if release<=2.1
    
       Lcom/secneo/guard/Util;->doProvider()V
       v3;->set8()V

    So what is done next is to analyze

    com/secneo/guard/ACall, its methods at1, set2, set8

    com/secneo/guard/Util, its methods getCustomClassLoader, doProvider

So what is the symptom when a pirated app shielded by secneo runs? The app closes automatically after being started.

No dialog! No message! No hints at all!

Besides, 3 momo processes are created, and 2 of them cannot be ptraced.

[localhost /]# ps |grep momo
ps |grep momo
app_61    14404 99    316752 67432 ffffffff 401015b0 S com.immomo.momo
app_61    14421 14404 9616   3596  ffffffff 40012474 S com.immomo.momo
app_61    14423 14421 9200   1916  ffffffff 40011648 S com.immomo.momo

14423 and 14404 cannot be ptraced because they are being ptraced by 14421.

[image]

[image]

14421 can be ptraced. But it is ptracing 14423. It is of no use to ptrace 14421.

It sounds like we cannot do dynamic analysis for momo 5.0.

Is there a method to debug it before the program does self ptrace?

$ grep ptrace 5.0ec1momo -r
匹配到二进制文件 5.0ec1momo/assets/libsecmain.x86.so
匹配到二进制文件 5.0ec1momo/lib/armeabi/libCoreCpt.so
匹配到二进制文件 5.0ec1momo/lib/armeabi/libsecmain.so

What if we remove the code that calls ptrace from libsecmain.so?

 

note:

  1. http://reverseengineering.stackexchange.com/questions/1930/detecting-tracing-in-linux
  2. http://etutorials.org/Programming/secure+programming/Chapter+12.+Anti-Tampering/12.13+Detecting+Unix+Debuggers/