Xhs Little Red Book shield algorithm reverse analysis record

Time: 2021-10-18


The shield parameter of Little Red Book is computed in libshield.so, so the analysis starts from that .so file.
Capture the traffic first.

A screenshot of the recovered algorithm source is at the bottom and can be used as a reference.

Load libshield.so in IDA and locate the function offsets through JNI_OnLoad.

Here sub_2e1f4 verifies the app's signature and is simply NOPed out; sub_736b0 contains methods that call Java's okhttp classes through JNI; sub_7306 is the dynamic registration function.
Find the address off_8e0d0; the address of each function is shown in the figure.
Analyzing what each function does

initializeNative function
initializeNative initializes the JNI classes and method IDs used to call Java methods. It is recommended to rename the variables, prefixing class references with C_ and method IDs with M_, to make the subsequent analysis easier.

Initialize function
The initialize function reads the key from the s.xml file as the value of main_HMAC.
The read value is passed as a parameter to sub_AAAC. The main job of sub_AAAC is to run AES over that value together with the device_id to derive a key, which it stores at PTR + 0x28c. If sub_AAAC returns 1, the new shield algorithm is used; otherwise the old s1-s12 algorithm is used.

Intercept function
Intercept is the logic part of the shield algorithm.
The value at PTR + 650 determines which algorithm is used: sub_abb8 is the new version, sub_ad14 the old one.
sub_1fbb0 XORs the key produced by sub_AAAC with 0x36 and 0x5C. Since 0x36 and 0x5C are the inner and outer padding constants of HMAC, one can confidently guess that shield uses HMAC-MD5: sub_1fbb0 initializes the key, sub_1fc52 runs MD5 over the URL, and sub_1fc7e finishes the previous two steps and computes the real shield.
Like this: a1 + 12 is a function pointer. I obtained the function address through dynamic debugging. It uses a modified ("magic") MD5.

AES decrypt method
AES encrypt method
During encryption and decryption, tbox1-4 are used for encryption and tbox5-8 for decryption; the T-tables handle the first 9 rounds and the plain S-box handles the last round.
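As an added illustration (not code from the original post or from libshield.so), the following Python derives the AES S-boxes and round T-tables from first principles and names a 256-byte or 1024-byte table dumped from a binary, which is how the tbox1-8 versus last-round S-box split described above can be recognised in practice. Table names follow OpenSSL's Te0..Te3 / Td0..Td3 convention rather than the post's tbox numbering, and little-endian 32-bit words are assumed.

```python
# Added example (not from the post): derive AES S-boxes and T-tables, then name a dumped table.
import struct

def xtime(b):
    """Multiply by 2 in GF(2^8) modulo the AES polynomial 0x11b."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def gmul(a, b):
    """General GF(2^8) multiplication by shift-and-add."""
    r = 0
    while b:
        r ^= a * (b & 1)  # add a when the low bit of b is set
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """S-box: multiplicative inverse followed by the affine transform."""
    sbox = []
    for x in range(256):
        inv = next(y for y in range(1, 256) if gmul(x, y) == 1) if x else 0
        s = inv ^ 0x63
        for i in range(1, 5):  # xor in the four rotations of inv
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

def t_word(x, k=0, decrypt=False):
    """Te_k/Td_k entry x: (Inv)SubBytes fused with a MixColumns column; k rotates bytes."""
    if decrypt:
        s = INV_SBOX[x]
        col = [gmul(s, 14), gmul(s, 9), gmul(s, 13), gmul(s, 11)]
    else:
        s = SBOX[x]
        col = [gmul(s, 2), s, s, gmul(s, 3)]
    return int.from_bytes(bytes(col[-k:] + col[:-k]), "big")

def identify_table(blob):
    """Name a 256-byte S-box or 1024-byte little-endian u32 T-table. The last AES round
    has no MixColumns, so table-driven code keeps the plain S-boxes beside the T-tables."""
    if len(blob) == 256:
        return {tuple(SBOX): "sbox", tuple(INV_SBOX): "inv_sbox"}.get(tuple(blob))
    if len(blob) == 1024:
        words = struct.unpack("<256I", blob)
        for name, dec in (("Te", False), ("Td", True)):
            for k in range(4):
                if words == tuple(t_word(x, k, dec) for x in range(256)):
                    return f"{name}{k}"
```

Feed `identify_table` the raw bytes of a 256- or 1024-byte constant array carved out of a .so file; a `None` result on a table that the code still uses like a T-table is a hint that the cipher is a customized variant rather than standard AES.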
The analysis of the initialize function is now complete.

Next, the intercept function. Debugging shows that the program takes this branch:
First, look at function 105b0, which mainly performs an MD5 operation on the request data.
MD5 update function
Enter sub_404e8, which initializes a structure and saves information. Nothing useful can be read statically here; debug it dynamically.

The data is then processed further; the related strings give a rough idea of what the function does.
Encrypt the processed data.
Initialize the encryption table
The encryption function is a simple XOR operation.
Process the encrypted data; its purpose is guessed from the relevant strings, and the actual data can be seen while debugging.


Finally, the processed data is Base64-encoded and spliced together; XY is the value of shield.

This yields the new version of shield. The restored algorithm is shown below; part of the code is sensitive and is not released.

Those who have worked with the shield algorithm probably know that it is divided into s1-s12, and the obvious markers of that appear here.
This concludes the shield analysis. I hope this post can serve as a reference for everyone. Those interested in the algorithm source code are welcome to message me privately or leave your questions in the comments!