Changing android_server's default debug port to defeat anti-debugging



July 25, 2017 12:06 PM

Load android_server into IDA for analysis.

android_server's default debug port is ==23946==, which is ==0x5D8A== in hex.

==Shift+F12== opens the Strings window; the two strings of interest are:

```
.rodata:00074224 0000004A C IDA Android 32-bit remote debug server(ST) v1.%d. Hex-Rays (c) 2004-2015\n
.rodata:00074160 0000000D C init_sockets
```

Follow the data cross-reference on either string to reach the code that uses it.

First location:

```
.text:0000B620 loc_B620 ; CODE XREF: sub_B5DC+22j
.text:0000B620 A9 4B LDR R3, =(off_7FBD0 - 0xB62A)
.text:0000B622 AA 48 LDR R0, =(aIdaAndroid32Bi - 0xB62E)
.text:0000B624 13 21 MOVS R1, #0x13
.text:0000B626 7B 44 ADD R3, PC ; off_7FBD0
.text:0000B628 1B 68 LDR R3, [R3] ; unk_80BB0
.text:0000B62A 78 44 ADD R0, PC ; "IDA Android 32-bit remote debug server("...
.text:0000B62C 1D 78 LDRB R5, [R3]
.text:0000B62E 04 F0 AB FC BL sub_FF88
.text:0000B632 01 2E CMP R6, #1
.text:0000B634 1C DD BLE loc_B670
.text:0000B636 62 68 LDR R2, [R4,#4]
.text:0000B638 13 78 LDRB R3, [R2]
.text:0000B63A 02 22 MOVS R2, #2
.text:0000B63C 93 43 BICS R3, R2
.text:0000B63E 2D 2B CMP R3, #0x2D
.text:0000B640 16 D1 BNE loc_B670
.text:0000B642 00 2D CMP R5, #0
.text:0000B644 00 D1 BNE loc_B648
.text:0000B646 9F E1 B loc_B988
.text:0000B648 ; ---------------------------------------------------------------------------
.text:0000B648
.text:0000B648 loc_B648 ; CODE XREF: sub_B5DC+68j
.text:0000B648 A1 4B LDR R3, =(dword_8074C - 0xB652)
.text:0000B64A A2 4A LDR R2, =(dword_8074C - 0xB654)
.text:0000B64C A2 4D LDR R5, =0x5D8A
.text:0000B64E 7B 44 ADD R3, PC ; dword_8074C
.text:0000B650 7A 44 ADD R2, PC ; dword_8074C
.text:0000B652 99 46 MOV R9, R3
.text:0000B654 01 27 MOVS R7, #1
.text:0000B656 90 46 MOV R8, R2
.text:0000B658
.text:0000B658 loc_B658 ; CODE XREF: sub_B5DC+2BAj
.text:0000B658 63 68 LDR R3, [R4,#4]
.text:0000B65A 58 78 LDRB R0, [R3,#1]
.text:0000B65C 50 38 SUBS R0, #0x50 ; switch 39 cases
.text:0000B65E 26 28 CMP R0, #0x26
.text:0000B660 00 D8 BHI def_B826 ; jumptable 0000B826 default case
.text:0000B662 E0 E0 B loc_B826
```
Second location:

```
.text:0000B97E loc_B97E ; CODE XREF: sub_B5DC+C2j
.text:0000B97E 30 49 LDR R1, =(aInit_sockets - 0xB986)
.text:0000B980 00 20 MOVS R0, #0
.text:0000B982 79 44 ADD R1, PC ; "init_sockets"
.text:0000B984 00 F0 EC FC BL sub_C360
.text:0000B988 ; ---------------------------------------------------------------------------
.text:0000B988
.text:0000B988 loc_B988 ; CODE XREF: sub_B5DC+6Aj
.text:0000B988 2E 4B LDR R3, =(dword_8074C - 0xB992)
.text:0000B98A 2F 4D LDR R5, =0x5D8A
.text:0000B98C 2C 22 MOVS R2, #0x2C
.text:0000B98E 7B 44 ADD R3, PC ; dword_8074C
.text:0000B990 99 46 MOV R9, R3
.text:0000B992 90 46 MOV R8, R2
.text:0000B994 01 27 MOVS R7, #1
.text:0000B996
.text:0000B996 loc_B996 ; CODE XREF: sub_B5DC:loc_B9CCj
.text:0000B996 60 68 LDR R0, [R4,#4]
.text:0000B998 43 78 LDRB R3, [R0,#1]
.text:0000B99A 1A 06 LSLS R2, R3, #0x18
.text:0000B99C 13 0E LSRS R3, R2, #0x18
.text:0000B99E 6B 2B CMP R3, #0x6B
.text:0000B9A0 37 D0 BEQ loc_BA12
.text:0000B9A2 2D D8 BHI loc_BA00
.text:0000B9A4 50 2B CMP R3, #0x50
.text:0000B9A6 3D D0 BEQ loc_BA24
.text:0000B9A8 69 2B CMP R3, #0x69
```

Press ==Ctrl+J== in IDA to list where the cross-references come from. Both `LDR R5, =0x5D8A` instructions load the port from a literal pool (PC-relative load of a constant), so the bytes that have to be patched are the `DCD 0x5D8A` words below, not the LDR encodings themselves:

First location:

```
.text:0000B8D8 8A 5D 00 00 dword_B8D8 DCD 0x5D8A ; DATA XREF: sub_B5DC+70r
.text:0000B8D8 ; sub_B5DC:loc_B670r
```

Second location:

```
.text:0000BA44 ; DATA XREF: sub_B5DC:loc_B988r
.text:0000BA48 8A 5D 00 00 dword_BA48 DCD 0x5D8A ; DATA XREF: sub_B5DC+3AEr
```

Open the file in a hex editor such as 010 Editor,

press ==Ctrl+G== to jump to the file offset, and patch the bytes there.

For IDA v6.8: change the value ==0x5D8A== at both ==0000B8D8== and ==0000BA48== to ==0x41F8==.
Mind the byte order: the word is stored little-endian, so type ==F841== (the bytes `8A 5D` become `F8 41`; the trailing `00 00` stay as they are).

October 15, 2017 1:00 PM
For IDA v7.0: change the value ==0x5D8A== at ==0000FBA0== to ==0xFFFF==.
Byte order still applies, but ==FFFF== reads the same either way.

  • [x] For the non-PIE build, subtract ==Imagebase:8000== from the IDA address to get the file offset (0000B8D8 becomes 000038D8); the PIE build is loaded at 0, so its IDA addresses already are file offsets.

Some port numbers and their hex values (a TCP port must fit in 16 bits, so 0xFFFF = 65535 is the largest usable value):

0x5D8A=23946

0x41F8=16888

0x3039=12345

0x2222=8738

0xEEEE=61166

0xFFFF=65535
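To make the hex-editor steps above repeatable, here is an added example in Python; it is not code from the original post or from Hex-Rays. It maps an IDA virtual address of a literal-pool word to its file offset through the ELF program headers, so the "subtract Imagebase 0x8000 for the non-PIE build" rule is derived instead of hard-coded, it finds every word-aligned `DCD 0x5D8A` in the loadable segments (one in the v7.0 build, two in v6.8), and it refuses to write unless the old port is really at that offset. The ELF it runs on in the demo is constructed by `build_sample_elf` (a non-PIE layout with base 0x8000 and literals at 0xB8D8/0xBA48 to mirror the listing above); the function names and the assumption that the port literal is a 4-byte little-endian word inside a PT_LOAD segment are mine.

```python
# Added example (not from the original post or Hex-Rays): patch the default
# port literal(s) in an ARM32 android_server ELF. Assumes the port is stored as a
# word-aligned 4-byte little-endian DCD entry in a PT_LOAD segment.
import struct

ELF32_EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # Elf32_Ehdr, little-endian
ELF32_PHDR = struct.Struct("<IIIIIIII")           # Elf32_Phdr
PT_LOAD = 1
DEFAULT_PORT = 23946                              # 0x5D8A


def load_segments(data):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD segment."""
    (ident, _type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = ELF32_EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("expected a little-endian 32-bit ELF")
    segs = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _paddr, p_filesz, *_ = \
            ELF32_PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_offset, p_vaddr, p_filesz))
    return segs


def va_to_offset(segs, va):
    """IDA address -> file offset (va - 0x8000 for the non-PIE build, va for PIE)."""
    for p_offset, p_vaddr, p_filesz in segs:
        if p_vaddr <= va < p_vaddr + p_filesz:
            return va - p_vaddr + p_offset
    raise ValueError(f"{va:#x} is not backed by file data")


def find_port_literals(data, segs, port=DEFAULT_PORT):
    """VAs of word-aligned DCD entries equal to `port` (what LDR Rx, =0x5D8A reads)."""
    needle = struct.pack("<I", port)
    hits = []
    for p_offset, p_vaddr, p_filesz in segs:
        seg = data[p_offset:p_offset + p_filesz]
        pos = seg.find(needle)
        while pos != -1:
            if (p_vaddr + pos) % 4 == 0:        # literal pools are word aligned
                hits.append(p_vaddr + pos)
            pos = seg.find(needle, pos + 1)
    return hits


def patch_port(data, vas, old_port, new_port):
    """Rewrite each literal at `vas` from old_port to new_port, verifying first."""
    if not 1 <= new_port <= 0xFFFF:
        raise ValueError("a TCP port must fit in 16 bits")
    segs = load_segments(data)
    buf = bytearray(data)
    for va in vas:
        off = va_to_offset(segs, va)
        cur = struct.unpack_from("<I", buf, off)[0]
        if cur != old_port:
            raise ValueError(f"{va:#x}: found {cur:#x}, expected {old_port:#x}")
        struct.pack_into("<I", buf, off, new_port)   # little-endian: 16888 -> F8 41 00 00
    return bytes(buf)


def build_sample_elf(base=0x8000, literal_vas=(0xB8D8, 0xBA48), port=DEFAULT_PORT):
    """CONSTRUCTED stand-in for a non-PIE android_server: one PT_LOAD that maps file
    offset 0 at `base`, with DCD words holding `port` at `literal_vas`. Not a real binary."""
    size = max(literal_vas) - base + 4
    buf = bytearray(size)
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ELF32_EHDR.pack_into(buf, 0, ident, 2, 40, 1, base + 0x1000, ELF32_EHDR.size,
                         0, 0, ELF32_EHDR.size, ELF32_PHDR.size, 1, 0, 0, 0)
    ELF32_PHDR.pack_into(buf, ELF32_EHDR.size, PT_LOAD, 0, base, base, size, size, 5, 0x1000)
    buf[0x1001:0x1005] = struct.pack("<I", port)       # unaligned decoy: must be ignored
    for va in literal_vas:
        struct.pack_into("<I", buf, va - base, port)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    # usage: python patch_port.py android_server bs70_nonpie 16888
    src, dst, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    data = open(src, "rb").read()
    vas = find_port_literals(data, load_segments(data))
    print("literal pool entries holding 0x5D8A:", [hex(v) for v in vas])
    open(dst, "wb").write(patch_port(data, vas, DEFAULT_PORT, port))
```

Run it against the real file as `python patch_port.py android_server bs70_nonpie 16888` and then continue with the `adb push` steps below unchanged. The old-value check is what stops an accidental double patch or a wrong offset from silently corrupting an instruction; the alignment filter is what keeps a stray `8A 5D 00 00` byte sequence elsewhere in the file from being mistaken for a literal.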

Push the patched file to the phone and make it executable. The post uses ==chmod 777==; ==755== is enough and avoids leaving the debug server writable by every app on the device:

adb push android_server /data/local/tmp/android_server

adb shell chmod 777 /data/local/tmp/android_server

Then run it and check the banner:

```
C:\Users\Administrator\Desktop>adb shell /data/local/tmp/android_server
IDA Android 32-bit remote debug server(ST) v1.19. Hex-Rays (c) 2004-2015
Listening on port #16888...
```

You can also use ==ln -s== to create a symlink under /system/xbin/ or /system/bin/ so it runs as a command on the PATH.
This needs root, adbd running as root, and /system remounted read-write (`adb remount`).

```
adb shell ln -s /data/local/tmp/bs70_nonpie /system/xbin/bs70_nonpie
```

In other words, patch every place where the Hex-Rays pseudocode shows `v22 = 23946;`. Reference:

IDA PRO v7.0 android_server_nonpie_v1.20 analysis and patch reference (right-click to download)

```
C:\Users\Administrator\Desktop>adb shell bs70_nonpie
IDA Android 32-bit remote debug server(ST) v1.22. Hex-Rays (c) 2004-2017
Listening on 0.0.0.0:65535...
^C
C:\Users\Administrator\Desktop>adb shell bs70_nonpie -p12345
IDA Android 32-bit remote debug server(ST) v1.22. Hex-Rays (c) 2004-2017
Listening on 0.0.0.0:12345...
^C
C:\Users\Administrator\Desktop>
```