【移动安全】ida idc脚本实现加密指令修改


移动应用的 so 文件中,有些函数用 mprotect 保护自身:运行时先(临时把代码页改为可写)把加密的指令解密到内存中执行,执行完再重新加密写回原位置;解密后的代码通常还带有反调试逻辑。
应对方法:用 IDA 动态调试跟踪,待内存中的加密数据解密还原、加密算法提取完毕后,把密钥所在内存地址和已修改指令所在内存地址作为脚本输入,由脚本打印并导出重新加密后的数据/指令,再用 UE(UltraEdit)把它们写回 so 文件,从而实现永久修改,之后直接调试跟踪修改后的 so 即可。注意:脚本里写死的 0x70d1a4c8 / 0x70d194a4 是作者那次调试会话中两段受保护区域的加载基址,密钥流偏移 = 指令地址 - 基址,换一个进程/加载地址必须改成实际值,否则算出的密文是错的。

下面的脚本是 IDAPython(不是 IDC),保存为 xx.py 后,在 IDA 的调试会话中通过 File > Script file(Alt+F7)或 Shift+F2(Execute script,语言选 Python)执行即可。

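import binascii
import struct

# This is an IDAPython script (not IDC, despite the article title): it needs
# IDA's debugger API.  The import is guarded only so that the pure helpers
# (xor_with_key, first_u32) can be imported and unit-tested outside IDA.
try:
    import idaapi
except ImportError:  # not running inside IDA
    idaapi = None

# Size of the XOR key block read from the debuggee; the key stream repeats
# with this period.
KEY_LEN = 0x6C

# Load addresses of the two protected code regions as they were mapped in the
# author's debugging session.  They depend on where the .so was loaded, so they
# are only defaults: pass base= explicitly when the library sits elsewhere.
BASE_24C8 = 0x70d1a4c8
BASE_14A4 = 0x70d194a4


def xor_with_key(data, key, offset, key_len=KEY_LEN):
    """Return ``data`` XORed byte-wise with a repeating ``key``.

    Byte ``i`` of the output is ``data[i] ^ key[(offset + i) % key_len]``, so
    ``offset`` selects where in the key stream the first data byte sits.
    XOR is an involution: the same call encrypts and decrypts.

    Args:
        data: bytes-like buffer to transform (not modified).
        key: bytes-like buffer holding at least ``key_len`` key bytes.
        offset: position of ``data[0]`` relative to the key-stream start; may
            be negative or larger than ``key_len`` (reduced modulo ``key_len``).
        key_len: period of the key stream.

    Returns:
        bytearray with the transformed bytes (empty for empty ``data``).

    Raises:
        ValueError: if ``key_len`` is not positive or ``key`` is shorter
            than ``key_len``.
    """
    if key_len <= 0:
        raise ValueError("key_len must be positive")
    key_buf = bytearray(key)
    if len(key_buf) < key_len:
        raise ValueError("key must hold at least %d bytes, got %d"
                         % (key_len, len(key_buf)))
    out = bytearray(data)
    start = offset % key_len  # Python's % is non-negative for positive key_len
    for i, b in enumerate(out):
        out[i] = b ^ key_buf[(start + i) % key_len]
    return out


def first_u32(buf):
    """Little-endian uint32 at ``buf[0:4]``, or None if ``buf`` has < 4 bytes.

    Replaces the original ``struct.unpack('<I', raw)``, which raised
    struct.error for any dump length other than exactly 4.
    """
    if len(buf) < 4:
        return None
    return struct.unpack_from('<I', bytes(buf))[0]


def _read_debuggee(addr, size):
    """Read ``size`` bytes at ``addr`` from the process under IDA's debugger.

    Returns:
        bytearray of exactly ``size`` bytes.

    Raises:
        RuntimeError: outside IDA, or when the read fails / comes back short
            (NOTE(review): dbg_read_memory is assumed to return None or an
            empty/short buffer on failure -- confirm for the IDA version in use).
    """
    if idaapi is None:
        raise RuntimeError("idaapi not available: run this script inside IDA "
                           "with an active debugger session")
    raw = idaapi.dbg_read_memory(addr, size)
    if not raw or len(raw) != size:
        raise RuntimeError("dbg_read_memory(0x%x, 0x%x) failed" % (addr, size))
    return bytearray(raw)


def _dump_region(start, length, key_addr, target, base, key_offset=0):
    """Shared body of dump24c8 / dump14a4.

    Reads ``length`` bytes at ``start`` and a KEY_LEN-byte key block at
    ``key_addr + key_offset``, XORs the data with the key stream positioned
    at ``start - base``, prints the first dword before and after, and writes
    the transformed bytes to ``target``.

    Returns:
        bytearray with the transformed bytes.

    Raises:
        RuntimeError: see _read_debuggee.  IOError/OSError: if ``target``
            cannot be written.
    """
    data = _read_debuggee(start, length)
    key = _read_debuggee(key_addr + key_offset, KEY_LEN)
    offset = start - base
    print("rawInc is " + binascii.hexlify(bytes(data)).decode('ascii'))
    print("offset is " + str(offset))
    word = first_u32(data)
    if word is not None:
        print("rawIncHex is " + hex(word))
    out = xor_with_key(data, key, offset)
    # Write the transformed bytes exactly once.  The original called
    # fd.write(rawInc) inside the per-byte loop, i.e. it wrote the
    # *untransformed* input ``length`` times and the result was never saved.
    with open(target, 'wb') as fd:
        fd.write(bytes(out))
    word = first_u32(out)
    if word is not None:
        print("rawIncHex is " + hex(word))
    return out


def dump24c8(start, len, key, target, base=BASE_24C8):
    """Re-encrypt ``len`` bytes at ``start`` (region based at 0x...a4c8) into ``target``.

    The key block is the first KEY_LEN bytes at ``key``; the key-stream offset
    is ``start - base``.  ``len`` is kept as the parameter name only for
    compatibility with existing callers -- it is forwarded, never used as the
    builtin inside this function.

    Returns:
        bytearray with the transformed bytes.
    """
    return _dump_region(start, len, key, target, base, key_offset=0)


def dump14a4(start, len, key, target, base=BASE_14A4):
    """Re-encrypt ``len`` bytes at ``start`` (region based at 0x...94a4) into ``target``.

    Unlike dump24c8, the key block is read from ``key + KEY_LEN`` (the second
    key block).  ``len`` is kept as the parameter name for caller compatibility.

    Returns:
        bytearray with the transformed bytes.
    """
    return _dump_region(start, len, key, target, base, key_offset=KEY_LEN)


def getdexlen(start):
    """Return the little-endian u32 at ``start + 0x20`` in the debuggee.

    Offset 0x20 is the file_size field of a DEX header, which is what the
    name suggests this reads.

    Raises:
        RuntimeError: see _read_debuggee.
    """
    size = first_u32(_read_debuggee(start + 0x20, 4))
    print('len is ' + hex(size))
    return int(size)


def main():
    """Prompt for instruction range, key address and output path, then run dump14a4.

    Uses IDA's legacy prompt wrappers (AskAddr/AskLong/AskStr/AskYN), which
    are in the global namespace when IDA executes the file as a script; on
    recent IDA releases they may have to be replaced by
    ida_kernwin.ask_addr/ask_long/ask_str/ask_yn -- confirm against the
    installed version.
    """
    # Example from the original session: start 0x78960, len 0x200, target c:\xx.raw
    start = AskAddr(0, 'Input instructor start addr in hex: ')
    # Named ins_len, not len: the original bound the module-level name ``len``
    # here, which shadowed the builtin for every function called afterwards.
    ins_len = AskLong(0, 'Input instructor len in hex: ')
    key = AskAddr(0, 'Input key addr in hex: ')
    target = AskStr('c:\\ins.txt', 'Input the dump file path')
    # The prompts presumably return None when cancelled; reject that before
    # comparing, since None < 0 is a TypeError on Python 3.
    if start is None or ins_len is None or key is None or not target:
        print('Dump cancelled: missing input')
        return
    print('start is ' + hex(start) + ' len is ' + str(ins_len)
          + ' key is ' + hex(key) + ' target is ' + target)
    if ins_len <= 0 or start < 0 or key < 0:
        print('Dump cancelled: invalid input')
        return
    if AskYN(1, 'start is 0x%0x, len is %d, enc dump to %s' % (start, ins_len, target)) != 1:
        print('Dump cancelled')
        return
    dump14a4(start, ins_len, key, target)
    print('Dump Finish')


# __name__ is "__main__" when IDA runs the file as a script (File > Script
# file / Execute script); importing the module (e.g. for tests) skips the prompts.
if __name__ == "__main__":
    main()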