JEB编写脚本

2019-10-24  本文已影响0人  xiabodan

通过编写 JEB 的 Python 脚本来解密 Java 中被混淆的字符串。如下图的 aa.E 就是混淆器的字符串解密函数:脚本运行完成后,对它的调用应该被替换成解密后的字符串。


原函数

我的方法是遍历每个方法体中的语句及其中的函数调用,找到目标方法(aa.E)的调用后,把它替换成解密后的字符串常量。结果是:简单的赋值语句中的调用能够被成功替换。

#-*-coding: utf-8 -*-
 
import string
import re,collections
import sys
from java.lang import String
import java.lang
 
from com.pnfsoftware.jeb.client.api import IScript  
from com.pnfsoftware.jeb.client.api import IScript, IGraphicalClientContext  
from com.pnfsoftware.jeb.core import RuntimeProjectUtil  
from com.pnfsoftware.jeb.core.actions import Actions, ActionContext, ActionXrefsData  
from com.pnfsoftware.jeb.core.events import JebEvent, J  
from com.pnfsoftware.jeb.core.output import AbstractUnitRepresentation, UnitRepresentationAdapter  
from com.pnfsoftware.jeb.core.units.code import ICodeUnit, ICodeItem  
from com.pnfsoftware.jeb.core.units.code.java import IJavaSourceUnit, IJavaStaticField, IJavaNewArray, IJavaAssignment, IJavaConstant, IJavaCall, IJavaField, IJavaMethod, IJavaClass  
from com.pnfsoftware.jeb.core.actions import ActionTypeHierarchyData  
from com.pnfsoftware.jeb.core.actions import ActionRenameData  
from com.pnfsoftware.jeb.core.util import DecompilerHelper  
from com.pnfsoftware.jeb.core.output.text import ITextDocument  
from com.pnfsoftware.jeb.core.units.code.android import IDexUnit  
 
from java.lang import Runnable
 
# 将Dec.jar包加入到sys.path中
sys.path.append(r"E:\Download\JEB.android.decompiler.3.0.0.201808031948Pro\scripts\app-debug-dex2jar.jar")
 
from com.example.myapplication import dxshield
 
class deEntry(IScript):
    def run(self, ctx):
        ctx.executeAsync("Running name detection...", JEB2AutoRename(ctx))
        print('Done')
 
class JEB2AutoRename(Runnable):  
    def __init__(self, ctx):
        self.ctx = ctx
 
    def decrypt(self, target):
        return dxshield.E(target)
         
    def run(self):
        ctx = self.ctx
 
        # print self.dec("Y\\\\@W[\\\u001CQ\\LWVF\u0016S[FQ]V\u001C|wtwlw")
        self.decr_method = "Lcom/xshield/aa;->E(Ljava/lang/String;)Ljava/lang/String;"
 
        engctx = ctx.getEnginesContext()
        if not engctx:
            print('Back-end engines not initialized')
 
        projects = engctx.getProjects()
        if not projects:
            print('There is no opened project')
 
        project = projects[0] # Get current project(IRuntimeProject)
        #获取所有的java类
        units = RuntimeProjectUtil.findUnitsByType(project, IJavaSourceUnit, False)
        print('+++++++++++BEGIN++++++++++++++')
 
        for unit in units:
            cstbuilder = unit.getFactories().getConstantFactory()
            class_ = unit.getClassElement()
            # 遍历每个类的方法
            for method in class_.getMethods():
                # print class_.getName(), "  ", method.getName()
                body = method.getBody()
                # 遍历方法中的每行语句
                for i in range(body.size()):
                    part = body.get(i)
                    print "class ", class_.getName(), ", ", method.getName(), ", part ", part
                    self.searchMatchFun(part, part, cstbuilder)
                    # self.onceRun(part, part, cstbuilder)
        print('-----------END--------------')
 
    def searchMatchFun(self, part, elements, cstbuilder):
        # print "searchMatchFun part ", part, " elements ", elements
        if isinstance(elements, IJavaCall):
            # print "searchMatchFun elements ", elements, " fun ", elements.getMethod().getSignature()
            self.renameElementIfNeed(part, cstbuilder, elements)     
        subElements = elements.getSubElements()
        for subElement in subElements:
                    if isinstance(subElement, IJavaClass) or isinstance(subElement, IJavaField) or isinstance(subElement, IJavaMethod):
                continue
            self.searchMatchFun(elements, subElement, cstbuilder)
 
    def renameElementIfNeed(self, part, cstbuilder, element):
        ret = False
        if element.getMethod().getSignature() == self.decr_method:
            for newName in element.getArguments():
                if isinstance(newName, IJavaConstant):
                    self.renameElement(part, cstbuilder, element, newName)
                    ret = True
        return ret
         
    def renameElement(self, part, cstbuilder, element, newName):
        part.replaceSubElement(element, cstbuilder.createString(self.decrypt(newName.getString())))
        print "renameElement ", element, ' to ', self.decrypt(newName.getString()), ", part ", part

其中 E:\Download\JEB.android.decompiler.3.0.0.201808031948Pro\scripts\app-debug-dex2jar.jar
这个 jar 包是根据反编译出来的解密函数重新实现的 Java 方法(dxshield.E)。注意:把 jar 加入 sys.path 再 import,相当于在 JEB 的 JVM 里执行其中的代码,所以只应加载自己重写的、最小化的实现,不要直接加载样本本身的 dex2jar 输出。
解密完成后可以看到正确的字符串
完整的代码见 github xiabodan
apk太大了没上传,需要自己下载一个幽you白书的apk
