Reverse Engineering a Risk-Control SDK

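Background

More and more apps on the market use a certain "X-mei" (某美) SDK. I studied it last year; now I am revisiting it to see what has changed in the year since.

Sample: libsmsdk.so

Type header: defs.h, which defines the types used in the C code decompiled by IDA

String encryption and decryption

The decryption function is at sub_60d8. The decrypted strings follow; for the short ones, the ciphertext line precedes its plaintext.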

UWRYubYl2XXvaG3S9r5ezWcxX/VsRigluNW58+nIYq4=
/proc/self/maps
X2WZEOYLQ51XAqWG4e50TA==
r-xp
r1EnVtmZXPjsplgtRY1UuA==
libc.so
0ipR5yj3xDKCUSauUs8B9Q==
substrate
95BB9aqUG/jR0E2+7xSLuQ==
Xposed
X2Y2JYRbOMUsec0CcLo1x4PJQdTno4xhKW1yggOmIc0=
/proc/self/cmdline
+qQPvxl2sb16/vR9F1ae8A==
/proc/net/arp
qWEV8FYlwZwcmBK/bleM+g==
tun
zI/xCBxLEmWpmpmL6imY3w==
wlan
h1mkAlGR2Rf8Ie1ySreq+Q==
ro.kernel.qemu
RLnGZa2F3JUR16znb2iyvA==
ro.debuggable
FNYeh0GMAzX6GkstFEERrA==
ro.secure
dZMgvUAEJKmdg7EE5a943Z6W8USjoam7xwQNUrGWkZ4=
ro.build.version.release
dZMgvUAEJKmdg7EE5a943Vjoat16IZzn9r5LIymxtgs=
ro.build.version.sdk
JxCrP6cNa1S/ce8EwsIpWPF7Yjb0nsOcAQfOhFmuc9w=
ro.build.display.id
MWanhffnWbCH3k4Sc5LyRi9kBA0TD8qodGMh6PdWad0=
ro.product.model
tzgkZNPyw5DDAY/BbsNQoZGhgVJ7P1SYFRoPK2kaiPA=
ro.product.board
zUeW0YxDlbFJiAptm6nA0RQAUdfI64Kyw/angR3VVMU=
ro.product.brand
74hbU0pMQBQw7IeNUPeHCKVbs7YDB0QbpZQKF3ejZ/s=
ro.product.name
6qtBfMglRQ/Y48BI+ItYLhMVWc0rv/wVFV1KiARgyXU=
ro.product.manufacturer
MA5EH6uSMbRkjwGb2Q6hay6qiDW0vAuEcC8Mp3qiwbE=
ro.boot.baseband
qj8HEhElpWCcysbLDi5WDVrZs9FlK5bxbTIfOwk6C/s=
ro.boot.bootloader
jZ/lpvwGbppZOn6mg5BdPw==
ro.serialno
rjxzzWrdmWExRgCpNFBSsVWKucYf9oz1KCNiPMHz+EQ=
ro.build.fingerprint
LTvJKyNSNwk83vbzrfkBiQ==
/system/bin/su
4WBiz4rxbsJhKDrekTc3Gi2gBV9B/ScmBgH1vDVBQGo=
/system/xbin/su
6caSLBpFzmUSczbyc439ng==
arm64-v8a
oyJCcSSjTJMSGfhatWw4Ig==
arm
h9+a01iuswRh/QtxDHeuug==
x86
sLjK4demeCuVsKoIFanqOQ==
mips
H9vsPO5fvwz40ojxmfu2+w==
x86_64
wOGmvN+H4Gkezz+YXVvXUzWt7UTKDgnMogOzyQgfRtU=
/proc/asound/pcm
4Oihb6JEDe6pBw1Q7qzR9CkywhUFR+5eN+LI3Q6t/vc=
com/ishumei/dfp/SMSDK
0NU8PtS5NiDvM97HWlZIIQ==
/data/system
KEXxVxhnFL9/5Gr535dg9IALDvd4b2Li6HqIx9jQWQ0=
/vendor/firmware
O9Kc2ACNRgeoXjOsciH3wQ==
/system/bin
NzRESLr1oUAodeZzP4mLkA==
/vendor/lib
RUXmjKWyd10HTzjmSXihxxPx8VoJpkMNWLuStHjI1R0=
/system/framework
nYO3hetsSnDAdBaUHfUlIg==
/system/fonts
wq/FI6LtfAHwZ+PbJU0Y/A==
cd.ds
NR9l/xEqS0aG3E05NaWnUw==
cd.do
jCjKWe6O67zEWPTrsABxcA==
cd.op
uGn4Ax3mTkUyOufY5a+wqQ==
cd.st
Dm/+IUoyO7vKAi53LId+lA==
cd.fo
krOeMmux2xC/VqCqQBhiWw==
cd.gu
PZqPItz1jfj1Or4+/pnX9w==
xposed
eddJNgbip2zFiRmwdWiGJg==
/system/bin/ls
[{"key":"cputemp","type":"file","path":"file:///sys/class/thermal/thermal_zone0/temp","option":"upload"},{"key":"voltage1","type":"file","path":"file:///sys/class/power_supply/battery/batt_vol_now","option":"upload"},{"key":"voltage2","type":"file","path":"file:///sys/class/power_supply/battery/voltage_now","option":"upload"},{"key":"maps","type":"file","path":"file:///proc/self/maps","option":"match_ic","words":["com.bly.dkplat","com.excelliance.dualaid","com.bfire.da.nui","com.svm.proteinbox_multi","com.boly.wxnewcopy","com.juying.Jixiaomi.fenshen","com.qihoo.magic","com.godinsec.godinsec_private_space","com.sellapk.goapp","com.yizhi.ftd","com.qihoo.magic.xposed","com.excean.dualaid","com.shiyue.avatarlauncher","com.excean.masaid","com.rinzz.avatar","info.red.virtual","com.depu.wxfs","com.sheep2.xyfs","cn.nineox.pupfish","com.shaker.wxxh.moli.fs","com.fssq.weichat","com.smallyin.Avaassis","com.meta.app.fenshen","com.yxd.shpk_multi","com.xiandong.fst","com.xunrui.duokai_box","com.felix.shuangkai","com.dbhydbhy.duokai","com.xuanmutech.fenkai","com.felix.duokai","com.magic.app.reader01","com.cxhcxh.duokai","com.dongguaququ.duokai","com.felix.fenshen","com.nox.mopen.app","com.boly.wxmultopen","com.tyzhzxl.dkwxzs","com.chufa.skzs","com.lbe.parallel","dkmodel","io.virtualapp","com.coloros.oppomultiapp","com.lbe.parallel.intl","com.jumobile.multiapp","com.jumobile.smartapp","info.cloneapp.mochat.in.goast","com.excelliance.multiaccounts","com.ludashi.dualspace","cn.lapstudio.weiduokai","com.parallel.space.lite","com.jiubang.commerce.gomultiple","cn.lapstudio.aid","com.arc.multi","com.nox.mopen.app","io.virtualapp.luohe","com.ludashi.superboost","com.zhushou.weichat","zc.wormhole","com.lanrun.yxjl","com.ivymobi.multiaccount.free","cloner.parallel.space.multiple.accounts.twoface","com.lylm.dkzs","com.rinzz.avatar","com.ludashi.multspace","com.trigtech.privateme","com.jun.virtual","com.pldasoft.dualapp","com.youxi.shuangkai.help","com.jumobile.multiapp.pro","com.applisto.app
cloner","multiple.multiple.parallel.accounts.cloner.mochat","com.bba.vma","com.rinzz.wdf"]},{"key":"maps2","type":"file","path":"file:///proc/self/maps","option":"regex","words":["/data/.+\\.so"]},{"key":"virtio","type":"dir","path":"file:///sys/bus/virtio","option":"exists"},{"key":"wlan0","type":"dir","path":"file:///sys/class/net/wlan0","option":"exists"},{"key":"eth0","type":"dir","path":"file:///sys/class/net/eth0","option":"exists"},{"key":"interrupts","type":"file","path":"file:///proc/interrupts","option":"match","words":["hypervisor","goldfish"]},{"key":"iomem","type":"file","path":"file:///proc/iomem","option":"match","words":["qemu-pipe","goldfish","vbox"]},{"key":"ioports","type":"file","path":"file:///proc/ioports","option":"match","words":["virtio","goldfish"]},{"key":"misc","type":"file","path":"file:///proc/misc","option":"match","words":["vbox","qemu"]},{"key":"kallsyms","type":"file","path":"file:///proc/kallsyms","option":"match","words":["vbox","qemu","goldfish"]},{"key":"arp","type":"file","path":"file:///proc/net/arp","option":"match","words":["eth"]},{"key":"route","type":"file","path":"file:///proc/net/route","option":"match","words":["eth"]}]
[{"key":"element","clazz":"dalvik/system/DexPathList$Element","method":"toString","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"insPkg","clazz":"android/app/ApplicationPackageManager","method":"getInstalledPackages","sig":"(I)Ljava/util/List;","param":["int"],"type":1},{"key":"spget1","clazz":"android/os/SystemProperties","method":"get","sig":"(Ljava/lang/String;)Ljava/lang/String;","param":["java.lang.String"],"type":2},{"key":"spget2","clazz":"android/os/SystemProperties","method":"get","sig":"(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;","param":["java.lang.String","java.lang.String"],"type":2},{"key":"secget","clazz":"android/provider/Settings$Secure","method":"getString","sig":"(Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;","param":["android.content.ContentResolver","java.lang.String"],"type":2},{"key":"dev1","clazz":"android/telephony/TelephonyManager","method":"getDeviceId","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"dev2","clazz":"android/telephony/TelephonyManager","method":"getDeviceId","sig":"(I)Ljava/lang/String;","param":["int"],"type":1},{"key":"native","clazz":"java/lang/reflect/Modifier","method":"isNative","sig":"()Z","param":[],"type":2},{"key":"debug","clazz":"android/os/Debug","method":"isDebuggerConnected","sig":"()Z","param":[],"type":2},{"key":"globalget","clazz":"android/provider/Settings$Global","method":"getInt","sig":"(Landroid/content/ContentResolver;Ljava/lang/String;)I","param":["android.content.ContentResolver","java.lang.String"],"type":2},{"key":"runpro","clazz":"android/app/ActivityManager","method":"getRunningAppProcesses","sig":"()Ljava/util/List;","param":[],"type":1},{"key":"runtask","clazz":"android/app/ActivityManager","method":"getRunningTasks","sig":"(I)Ljava/util/List;","param":["int"],"type":1},{"key":"runservice","clazz":"android/app/ActivityManager","method":"getRunningServices","sig":"(I)Ljava/util/List;","param":["int"],"type":1},{"key":"appinfo","clazz":"
android/app/ApplicationPackageManager","method":"getApplicationInfo","sig":"(Ljava/lang/String;I)Landroid/content/pm/ApplicationInfo;","param":["java.lang.String","int"],"type":1},{"key":"pkginfo","clazz":"android/app/ApplicationPackageManager","method":"getPackageInfo","sig":"(Ljava/lang/String;I)Landroid/content/pm/PackageInfo;","param":["java.lang.String","int"],"type":1},{"key":"insapp","clazz":"android/app/ApplicationPackageManager","method":"getInstalledApplications","sig":"(I)Ljava/util/List;","param":["int"],"type":1},{"key":"exec","clazz":"java/lang/Runtime","method":"exec","sig":"(Ljava/lang/String;)Ljava/lang/Process;","param":["java.lang.String"],"type":1},{"key":"ppdeviceid","clazz":"com/android/internal/telephony/PhoneProxy","method":"getDeviceId","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"gsmdeviceid","clazz":"com/android/internal/telephony/gsm/GSMPhone","method":"getDeviceId","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"psubdeviceid","clazz":"com/android/internal/telephony/PhoneSubInfo","method":"getDeviceId","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"imei1","clazz":"android/telephony/TelephonyManager","method":"getImei","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"imei2","clazz":"android/telephony/TelephonyManager","method":"getImei","sig":"(I)Ljava/lang/String;","param":["int"],"type":1},{"key":"btmac","clazz":"android/bluetooth/BluetoothAdapter","method":"getAddress","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"cellloc","clazz":"android/telephony/TelephonyManager","method":"getCellLocation","sig":"()Landroid/telephony/CellLocation;","param":[],"type":1},{"key":"cellchange","clazz":"android/telephony/PhoneStateListener","method":"onCellLocationChanged","sig":"(Landroid/telephony/CellLocation;)V","param":["android.telephony.CellLocation"],"type":1},{"key":"tel1","clazz":"android/telephony/TelephonyManager","method":"getLine1Number","sig":"()Ljava/lang/String;","param":[],"type":1},
{"key":"tel2","clazz":"android/telephony/TelephonyManager","method":"getLine1Number","sig":"(I)Ljava/lang/String;","param":["int"],"type":1},{"key":"iccid1","clazz":"android/telephony/TelephonyManager","method":"getSimSerialNumber","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"iccid2","clazz":"android/telephony/TelephonyManager","method":"getSimSerialNumber","sig":"(I)Ljava/lang/String;","param":["int"],"type":1},{"key":"netop1","clazz":"android/telephony/TelephonyManager","method":"getNetworkOperator","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"netop2","clazz":"android/telephony/TelephonyManager","method":"getNetworkOperator","sig":"(I)Ljava/lang/String;","param":["int"],"type":1},{"key":"netopname1","clazz":"android/telephony/TelephonyManager","method":"getNetworkOperatorName","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"netopname2","clazz":"android/telephony/TelephonyManager","method":"getNetworkOperatorName","sig":"(I)Ljava/lang/String;","param":["int"],"type":1},{"key":"simop1","clazz":"android/telephony/TelephonyManager","method":"getSimOperator","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"simop2","clazz":"android/telephony/TelephonyManager","method":"getSimOperator","sig":"(I)Ljava/lang/String;","param":["int"],"type":1},{"key":"simopname1","clazz":"android/telephony/TelephonyManager","method":"getSimOperatorName","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"simopname2","clazz":"android/telephony/TelephonyManager","method":"getSimOperatorName","sig":"(I)Ljava/lang/String;","param":["int"],"type":1},{"key":"imsi1","clazz":"android/telephony/TelephonyManager","method":"getSubscriberId","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"imsi2","clazz":"android/telephony/TelephonyManager","method":"getSubscriberId","sig":"(I)Ljava/lang/String;","param":["int"],"type":1},{"key":"phcount","clazz":"android/telephony/TelephonyManager","method":"getPhoneCount","sig":"()I","param":[],"type":1},{"k
ey":"wmac","clazz":"android/net/wifi/WifiInfo","method":"getMacAddress","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"ssid","clazz":"android/net/wifi/WifiInfo","method":"getSSID","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"rssi","clazz":"android/net/wifi/WifiInfo","method":"getRssi","sig":"()I","param":[],"type":1},{"key":"netid","clazz":"android/net/wifi/WifiInfo","method":"getNetworkId","sig":"()I","param":[],"type":1},{"key":"bssid","clazz":"android/net/wifi/WifiInfo","method":"getBSSID","sig":"()Ljava/lang/String;","param":[],"type":1},{"key":"nettype","clazz":"android/net/NetworkInfo","method":"getType","sig":"()I","param":[],"type":1},{"key":"netsubtype","clazz":"android/net/NetworkInfo","method":"getSubtype","sig":"()I","param":[],"type":1},{"key":"neicell","clazz":"android/telephony/TelephonyManager","method":"getNeighboringCellInfo","sig":"()Ljava/util/List;","param":[],"type":1},{"key":"allcell","clazz":"android/telephony/TelephonyManager","method":"getAllCellInfo","sig":"()Ljava/util/List;","param":[],"type":1},{"key":"scanre","clazz":"android/net/wifi/WifiManager","method":"getScanResults","sig":"()Ljava/util/List;","param":[],"type":1},{"key":"wifistate","clazz":"android/net/wifi/WifiManager","method":"getWifiState","sig":"()I","param":[],"type":1},{"key":"wifienable","clazz":"android/net/wifi/WifiManager","method":"isWifiEnabled","sig":"()Z","param":[],"type":1},{"key":"getlat","clazz":"android/location/Location","method":"getLatitude","sig":"()D","param":[],"type":1},{"key":"getlon","clazz":"android/location/Location","method":"getLongitude","sig":"()D","param":[],"type":1},{"key":"lastknownloc","clazz":"android/location/LocationManager","method":"getLastKnownLocation","sig":"(Ljava/lang/String;)Landroid/location/Location;","param":["java.lang.String"],"type":1},{"key":"providers","clazz":"android/location/LocationManager","method":"getProviders","sig":"(Z)Ljava/util/List;","param":["boolean"],"type":1},{"key":"bestprov","cla
zz":"android/location/LocationManager","method":"getBestProvider","sig":"(Landroid/location/Criteria;Z)Ljava/lang/String;","param":["android.location.Criteria","java.lang.String"],"type":1},{"key":"addlis","clazz":"android/location/LocationManager","method":"addGpsStatusListener","sig":"(Landroid/location/GpsStatus$Listener;)Z","param":["android.location.GpsStatus$Listener"],"type":1},{"key":"gpsstat","clazz":"android/location/LocationManager","method":"getGpsStatus","sig":"(Landroid/location/GpsStatus;)Landroid/location/GpsStatus;","param":["android.location.GpsStatus"],"type":1},{"key":"addnmea","clazz":"android/location/LocationManager","method":"addNmeaListener","sig":"(Landroid/location/OnNmeaMessageListener;)Z","param":["android.location.OnNmeaMessageListener"],"type":1},{"key":"addnmea","clazz":"android/location/LocationManager","method":"requestLocationUpdates","sig":"(Landroid/location/LocationRequest;Landroid/location/LocationListener;Landroid/os/Looper;Landroid/app/PendingIntent;)V","param":["android.location.LocationRequest","android.location.LocationListener","android.os.Looper","android.app.PendingIntent"],"type":1},{"key":"txloc","clazz":"com/tencent/mapapi/service/LocationManager","method":"getLocationInfo","sig":"()Landroid/location/Location;","param":[],"type":1},{"key":"file1","clazz":"java/io/File","method":"<init>","sig":"(Ljava/lang/String;)V","param":["java.lang.String"],"type":3},{"key":"file2","clazz":"java/io/File","method":"<init>","sig":"(Ljava/lang/String;Ljava/lang/String;)V","param":["java.lang.String","java.lang.String"],"type":3},{"key":"probuild1","clazz":"java/lang/ProcessBuilder","method":"<init>","sig":"([Ljava/lang/String;)V","param":["java.lang.String"],"type":3},{"key":"probuild2","clazz":"java/lang/ProcessBuilder","method":"<init>","sig":"(Ljava/util/List;)V","param":["java.util.List"],"type":3}]

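The encryption function is at sub_6b00, where the final JSON string generated in the .so layer can be captured. Because it contains personal information, some key values have been modified.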

{
    "b1": "true",
    "b2": -1,
    "b6": "XXXXE69FCD348BE7114B57AB9D495272",
    "b7": "XXXX84FE4D27DECAF711B8499DFB5076",
    "b8": "XXXX17B8733E6780F84A2F6C136024D2",
    "b9": "XXXX2B024844797661871A184C06D190",
    "b10": "XXXX4633C6275B9C9ACA17EA89BECD4E",
    "b13": {
        "ro.kernel.qemu": "null",
        "ro.debuggable": "1",
        "ro.secure": "1",
        "ro.build.version.release": "9",
        "ro.build.version.sdk": "28",
        "ro.build.display.id": "lineage_dipper-userdebug 9 XXXX.xxxxxx.xxx xxxxxxxxxx",
        "ro.product.model": "MI 8",
        "ro.product.board": "sdm845",
        "ro.product.brand": "Xiaomi",
        "ro.product.name": "dipper",
        "ro.product.manufacturer": "Xiaomi",
        "ro.boot.baseband": "sdm",
        "ro.boot.bootloader": "null",
        "ro.serialno": "null",
        "ro.build.fingerprint": "Xiaomi\\/dipper\\/dipper:8.1.0\\/OPM1.171019.011\\/VX.X.X.0.OEAMIFA:user\\/release-keys"
    },
    "cd": {
        "ds": "4|0xf08c2d26|0xb580|0x4672|0xf000|0xf8c9|0xbd80|0xb580",
        "do": "4|0xf08c2d14|0xb580|0x4672|0xf000|0xf8c2|0xbd80|0xb580",
        "op": "4|0xf05f11e4|0xb082|0xb580|0xb082|0x4684|0x4817|0xe9cd",
        "st": "4|0xf05f35a8|0x460a|0x4601|0xf06f|0x0063|0x2300|0xf069",
        "fo": "4|0xf062c570|0xb570|0xb084|0x4604|0x4830|0x4478|0x6800",
        "gu": "4|0xf0623324|0xe1a0c007|0xe3a070c7|0xef000000|0xe1a0700c|0xe3700a01|0x912fff1e"
    },
    "b24": "false",
    "b15": "true",
    "b16": "none",
    "b17": "arm64-v8a",
    "b18": [
        {
            "key": "cputemp",
            "e": 1,
            "p": 1,
            "c": "40100\\n"
        },
        {
            "key": "voltage1",
            "e": 0,
            "p": -1
        },
        {
            "key": "voltage2",
            "e": 1,
            "p": 1,
            "c": "4062001\\n"
        },
        {
            "key": "maps",
            "e": 1,
            "p": 1,
            "h": []
        },
        {
            "key": "maps2",
            "e": 1,
            "p": 1,
            "h": [
                "\\/data\\/app\\/com.yitantech.gaigai-FZp_BQ7_91XqbxpfID1pMA==\\/lib\\/arm\\/libhyphenate.so",
                "\\/data\\/app\\/com.yitantech.gaigai-FZp_BQ7_91XqbxpfID1pMA==\\/lib\\/arm\\/libsqlite.so",
                "\\/data\\/app\\/com.yitantech.gaigai-FZp_BQ7_91XqbxpfID1pMA==\\/lib\\/arm\\/libsecurity-lib.so",
                "\\/data\\/app\\/com.yitantech.gaigai-FZp_BQ7_91XqbxpfID1pMA==\\/lib\\/arm\\/liblogan.so",
                "\\/data\\/app\\/com.yitantech.gaigai-FZp_BQ7_91XqbxpfID1pMA==\\/lib\\/arm\\/libMotu.so",
                "\\/data\\/app\\/com.yitantech.gaigai-FZp_BQ7_91XqbxpfID1pMA==\\/lib\\/arm\\/libsmsdk.so",
                "\\/data\\/app\\/com.yitantech.gaigai-FZp_BQ7_91XqbxpfID1pMA==\\/lib\\/arm\\/libA3AEECD8.so",
                "\\/data\\/local\\/tmp\\/re.frida.server\\/frida-agent-32.so"
            ]
        },
        {
            "key": "virtio",
            "e": 0,
            "p": -1
        },
        {
            "key": "wlan0",
            "e": 0,
            "p": -1
        },
        {
            "key": "eth0",
            "e": 0,
            "p": -1
        },
        {
            "key": "interrupts",
            "e": 1,
            "p": 0
        },
        {
            "key": "iomem",
            "e": 1,
            "p": 0
        },
        {
            "key": "ioports",
            "e": 1,
            "p": 0
        },
        {
            "key": "misc",
            "e": 1,
            "p": 0
        },
        {
            "key": "kallsyms",
            "e": 1,
            "p": 0
        },
        {
            "key": "arp",
            "e": 1,
            "p": 1,
            "h": []
        },
        {
            "key": "route",
            "e": 1,
            "p": 1,
            "h": []
        }
    ],
    "b21": "error: -2",
    "b22": "c85aee20-e1f6-48c6-bf03-edcc58487b67",
    "b23": "b7d57304-0447-4127-b4e3-3741e6bfb48c"
}

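Analysis of the detection items

Next, working backwards from the JSON that the .so finally produces, let's trace where each value comes from and which device parameters are actually checked.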

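b1: related functions sub_7a54 and sub829c. Calls fopen to open /proc/self/maps, looks for libc.so, and uses r-xp to determine whether that memory segment is executable.

b6, b7, b8, b9, b10: related functions sub_d868 and others. Calls readdir and similar functions to open /system/bin, /system/framework, /system/fonts, /vendor/lib and /vendor/firmware, walks every file in each directory, and computes a fingerprint.

b16: related function sub_9c58. Calls fopen to open /proc/self/maps and looks for Xposed and substrate.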

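// Reconstruction of the b1 code; the b16 code is similar
#include <cstdio>
#include <cstring>

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <pid|self>\n", argv[0]);
        return 1;
    }
    char path[64];
    snprintf(path, sizeof(path), "/proc/%s/maps", argv[1]);

    FILE *fp = fopen(path, "r");
    if (fp == nullptr) {
        perror(path);
        return 1;
    }

    char line[1024];
    char *v32;
    int v34;
    char v65[8];        // permissions column, e.g. "r-xp"
    unsigned long v67;  // end address
    unsigned long v68;  // start address
    char v69[512];      // mapped file path
    while (fgets(line, sizeof(line), fp) != nullptr) {
        v65[0] = v69[0] = '\0';  // anonymous mappings have no path column
        // Columns: start-end perms offset dev inode path
        sscanf(line, "%lx-%lx %7s %*x %*s %*d %511s", &v68, &v67, v65, v69);
        v32 = strstr(v69, "libc.so");
        if (v32) {
            v34 = strcmp(v65, "r-xp");
            if (v34 == 0) {
                printf("%s", line);
            }
        }
    }

    fclose(fp);
    return 0;
}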

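b11: related function sub_ac80. Calls fopen to open /proc/net/arp and looks up the MAC addresses in the ARP table.

b24: related function sub_b5fc. It first calls ioctl SIOCGIFCONF to find all network interfaces, then ioctl SIOCGIFFLAGS to check whether each interface is up, then ioctl SIOCGIFHWADDR to look up the interface's MAC address (on newer system versions this cannot be obtained without root). Finally it also uses the presence of a tun interface to detect a VPN, and the presence of ppp to detect a dial-up interface.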

// Reconstruction of the b24 code
#include <cstdio>
#include <cstring>
#include <net/if.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_IFS 64

int main(int argc, char **argv) {
    struct ifreq *ifr, *ifend;
    struct ifreq ifreq{};
    struct ifconf ifc{};
    struct ifreq ifs[MAX_IFS];
    int sockfd;
    int on;
    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd < 0) {
        perror("socket");
        return 1;
    }
    ifc.ifc_len = sizeof(ifs);
    ifc.ifc_req = ifs;
    // Enumerate all configured interfaces
    if (ioctl(sockfd, SIOCGIFCONF, &ifc) < 0) {
        perror("SIOCGIFCONF");
        close(sockfd);
        return 1;
    }

    ifend = ifs + (ifc.ifc_len / sizeof(struct ifreq));
    for (ifr = ifc.ifc_req; ifr < ifend; ifr++) {
        if (ifr->ifr_addr.sa_family == AF_INET) {
            memset(&ifreq, 0, sizeof(ifreq));
            strncpy(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name) - 1);
            // Is the interface up?
            if (ioctl(sockfd, SIOCGIFFLAGS, &ifreq) < 0) {
                continue;
            }
            on = (ifreq.ifr_flags & IFF_UP) != 0;
            if (strncmp("wlan", ifreq.ifr_name, 4u) == 0) {
                printf("wlan %d\n", on);
            } else if (strncmp("tun", ifreq.ifr_name, 3u) == 0) {
                printf("tun %d\n", on);
            } else {
                continue;
            }
            // MAC address; the call fails without root on newer system versions
            if (ioctl(sockfd, SIOCGIFHWADDR, &ifreq) < 0) {
                perror("SIOCGIFHWADDR");
                continue;
            }
            printf("%02x:%02x:%02x:%02x:%02x:%02x\n",
                   (int) ((unsigned char *) &ifreq.ifr_hwaddr.sa_data)[0],
                   (int) ((unsigned char *) &ifreq.ifr_hwaddr.sa_data)[1],
                   (int) ((unsigned char *) &ifreq.ifr_hwaddr.sa_data)[2],
                   (int) ((unsigned char *) &ifreq.ifr_hwaddr.sa_data)[3],
                   (int) ((unsigned char *) &ifreq.ifr_hwaddr.sa_data)[4],
                   (int) ((unsigned char *) &ifreq.ifr_hwaddr.sa_data)[5]
                   );
        }
    }
    close(sockfd);
    return 0;
}

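b13: related function sub_c004. The principle is simple: it calls __system_property_get to read system properties.

b15: related function sub_15984, which needs manual repair. Calls popen to run which su and so detect root.

b17: related functions sub_13334 and sub_1299c. Opens /system/bin/ls and calls pread to read the ELF file's e_ident and e_machine, that is, the first 16 bytes and the 2 bytes at positions 19-20, to determine the device's CPU architecture: mips, arm, arm64, x86 or x86_64.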
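The b17 check as an added example (not the SDK's or the original post's code): it reads the same 20 header bytes and maps e_ident plus e_machine to the ABI strings seen in the decrypted string table. The function names and the sample header are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <fcntl.h>
#include <unistd.h>

// Constructed sample: first 20 bytes of a little-endian 64-bit AArch64 ELF.
static const unsigned char kSampleHeader[20] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,  // e_ident
    3, 0,                                                      // e_type
    183, 0};                                                   // e_machine

// Map e_ident + e_machine to an ABI name; nullptr if not a recognised ELF.
const char *elf_arch(const unsigned char *h, size_t len) {
    if (len < 20 || memcmp(h, "\x7f" "ELF", 4) != 0) return nullptr;
    bool is64 = h[4] == 2;                       // EI_CLASS: 1 = 32-bit, 2 = 64-bit
    if (h[5] != 1 && h[5] != 2) return nullptr;  // EI_DATA: 1 = LSB, 2 = MSB
    // e_machine sits at offset 18 and is stored in the file's own byte order.
    uint16_t m = h[5] == 1 ? (uint16_t) (h[18] | (h[19] << 8))
                           : (uint16_t) ((h[18] << 8) | h[19]);
    switch (m) {
        case 3:   return "x86";                         // EM_386
        case 8:   return "mips";                        // EM_MIPS
        case 40:  return "arm";                         // EM_ARM
        case 62:  return is64 ? "x86_64" : nullptr;     // EM_X86_64
        case 183: return is64 ? "arm64-v8a" : nullptr;  // EM_AARCH64
        default:  return nullptr;
    }
}

// Read the header of a binary on disk with pread at offset 0, as the text describes.
const char *file_arch(const char *path) {
    unsigned char h[20];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return nullptr;
    ssize_t n = pread(fd, h, sizeof(h), 0);
    close(fd);
    return n == (ssize_t) sizeof(h) ? elf_arch(h, sizeof(h)) : nullptr;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/system/bin/ls";
    const char *arch = file_arch(path);
    printf("sample: %s\n", elf_arch(kSampleHeader, sizeof(kSampleHeader)));
    printf("%s: %s\n", path, arch ? arch : "unknown");
    return 0;
}
```

In the JSON above b17 is arm64-v8a while the app's own libraries are loaded from lib/arm: the value describes the system binary, not the bitness of the calling process.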

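b18: related function sub_1dfec. Loads the cloud configuration, reads information from various files, and performs uploading, matching and similar operations. In the returned value, e indicates whether the item exists, p whether it can be read, c the value that was read, and h the list that was read.

b21: related function sub_2C068. Loads the cloud configuration and calls a Java-layer function through JNI; in my environment the Java layer threw an exception and it returned -2.

b22: related function sub_15fb4. Reads the boot_id from /proc/sys/kernel/random/boot_id.

b23: related function sub_14950. Reads a uuid from /proc/sys/kernel/random/uuid.

cd: related function sub_1ba64. Obtains pointers to functions such as dlsym, dlopen, open, fopen and getuid.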

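// Reconstruction of the cd code, using getuid as the example
#include <cstdint>
#include <cstdio>
#include <unistd.h>
#include "defs.h"  // IDA type definitions (_DWORD)


int main() {
    // uintptr_t keeps the full function address on both 32-bit and 64-bit builds
    uintptr_t a1 = (uintptr_t) &getuid;
    // Clear bit 0 (the Thumb flag on ARM) to get the address of the code itself
    uintptr_t v6 = a1 & (a1 ^ 1);
    auto *v22 = (_DWORD *) v6;
    // Field count, code address, then the first six 32-bit words of the function body
    printf("%d|%p|0x%08x|0x%08x|0x%08x|0x%08x|0x%08x|0x%08x\n", 4, (void *) v22,
           v22[0], v22[1], v22[2], v22[3], v22[4], v22[5]);
    return 0;
}

// output: 4|0xe8e17324|0xe1a0c007|0xe3a070c7|0xef000000|0xe1a0700c|0xe3700a01|0x912fff1e
// Observed: the values |0xe1a0c007|0xe3a070c7|0xef000000|0xe1a0700c|0xe3700a01|0x912fff1e are the same every time; the principle is not clear yet, my guess is that they are part of the device fingerprint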
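The six repeating words decode as 32-bit ARM instructions, the opening of bionic's getuid system-call stub. The added example below (not code from the SDK or the original post) shows one use such words lend themselves to, comparing a function's first words with a reference to notice an inline patch; that purpose, the names and the patched sample are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// The six constant words from the output above, disassembled as 32-bit ARM.
static const uint32_t kGetuidStub[6] = {
    0xe1a0c007,  // mov  ip, r7
    0xe3a070c7,  // mov  r7, #199  (__NR_getuid32)
    0xef000000,  // svc  #0
    0xe1a0700c,  // mov  r7, ip
    0xe3700a01,  // cmn  r0, #4096
    0x912fff1e,  // bxls lr
};

enum StubStatus { STUB_INTACT, STUB_REDIRECTED, STUB_MODIFIED };

// True for ARM instructions that unconditionally leave the function:
// "b <target>" (0xEAxxxxxx) or a literal load into pc (ldr pc, [pc, #imm]).
static bool is_redirect(uint32_t w) {
    return (w & 0xff000000u) == 0xea000000u || (w & 0xff7ff000u) == 0xe51ff000u;
}

// Compare n words of a function body with the reference; *first_diff gets
// the index of the first mismatch (or n when the body is intact).
StubStatus check_stub(const uint32_t *code, const uint32_t *ref, size_t n,
                      size_t *first_diff) {
    size_t i = 0;
    while (i < n && code[i] == ref[i]) i++;
    if (first_diff) *first_diff = i;
    if (i == n) return STUB_INTACT;
    return is_redirect(code[i]) ? STUB_REDIRECTED : STUB_MODIFIED;
}

int main() {
    // Constructed sample: the reference stub with its first word replaced
    // by "ldr pc, [pc, #-4]".
    uint32_t patched[6];
    for (size_t i = 0; i < 6; i++) patched[i] = kGetuidStub[i];
    patched[0] = 0xe51ff004;
    size_t at = 0;
    StubStatus clean = check_stub(kGetuidStub, kGetuidStub, 6, &at);
    printf("clean:   %d\n", (int) clean);
    StubStatus hooked = check_stub(patched, kGetuidStub, 6, &at);
    printf("patched: %d (first difference at word %zu)\n", (int) hooked, at);
    return 0;
}
```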

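Function sub_a36c, which needs manual repair: calls fopen to open /proc/self/cmdline and get the process name.

Function sub_140bc, which needs manual repair: calls fopen to open /proc/asound/pcm and get audio device information.

Function sub_14f78, which needs manual repair: calls popen to run netstat -apn and inspect port information; it looks for 27402 and 27403 (frida) and 23946 (IDA). It also calls fopen to open /proc/net/tcp and match against it.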
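The /proc/net/tcp side of this check as an added example (not the SDK's or the original post's code): it parses the hex local port and state columns and reports watched ports that have a listening socket. Matching only the LISTEN state, the function names and the sample rows are assumptions.

```cpp
#include <cstdio>
#include <fstream>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample in /proc/net/tcp layout (trailing columns shortened).
static const char kSampleTcp[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid\n"
    "   0: 00000000:5D8A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0\n"
    "   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123\n"
    "   2: 0100007F:C350 0100007F:5D8A 01 00000000:00000000 00:00000000 00000000 10123\n";

// Watched local ports that have a socket in LISTEN state (st == 0x0A).
std::vector<unsigned> listening_watched(std::istream &table,
                                        const std::vector<unsigned> &watched) {
    std::vector<unsigned> hits;
    std::string line;
    while (std::getline(table, line)) {
        unsigned port = 0, state = 0;
        // "sl: local_ip:port remote_ip:port st ..."; every field is hexadecimal.
        if (sscanf(line.c_str(), " %*d: %*[0-9A-Fa-f]:%x %*[0-9A-Fa-f]:%*x %x",
                   &port, &state) != 2)
            continue;  // header line or malformed row
        if (state != 0x0A) continue;
        for (unsigned w : watched)
            if (w == port) hits.push_back(port);
    }
    return hits;
}

// Helper so the sample text and a real file go through the same parser.
std::vector<unsigned> scan_text(const std::string &text,
                                const std::vector<unsigned> &watched) {
    std::istringstream in(text);
    return listening_watched(in, watched);
}

int main() {
    const std::vector<unsigned> watched = {27402, 27403, 23946};  // ports named in the text
    for (unsigned p : scan_text(kSampleTcp, watched))
        printf("sample: port %u listening\n", p);
    std::ifstream live("/proc/net/tcp");  // apps cannot read this on Android 10+
    for (unsigned p : listening_watched(live, watched))
        printf("live: port %u listening\n", p);
    return 0;
}
```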

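Function sub_163f0, which needs manual repair: through JNI it calls a method in com/ishumei/dfp/SMSDK to upload the final encrypted JSON, which contains all of the device information.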

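Summary

Overall, the detection falls into three categories:

  • File-based checks
  • Checks that call system-level functions
  • Checks that call Java-layer methods through JNI

From this research, getting past the mainstream, continually updated risk-control SDKs with generic device-spoofing software alone is almost impossible. Tackling the risk-control SDKs one by one may be the wiser approach.

As Android's security mechanisms have matured, obtaining device information in the Java layer has become fairly restricted. In the native layer, however, a lot of key information can still be obtained without root privileges. It is foreseeable that the native layer will be the main battleground for risk-control SDKs and malware from now on.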
