某手__ns_sig3逆向分析教学文档<\/h1>

1. Java层分析<\/h2>

1.1 源码追踪<\/h3>
在源码中搜索发现__NS_sig3<\/code>存储在HashMap中，对应键值为b4<\/code><\/li>
b4<\/code>由函数b()<\/code>生成<\/li>
尝试Hook java.util.HashMap<\/code>失败（可能被检测），转为直接反编译代码追踪<\/li>
<\/ol>
1.2 关键调用链<\/h3>
atlasSign() → d() → c() → a4.g().a()
<\/code><\/pre>

a4.g().a()<\/code>返回b<\/code>的属性f25022a<\/code>，即__ns_sig3<\/code>的字节流<\/li>
中间关键调用：com.kuaishou.android.security.internal.dispatch.e.a(this.f24952a).g().f(a4, "0335")<\/code><\/li>
<\/ul>
1.3 Native层入口<\/h3>
最终调用链：<\/p>
JNICLibrary.doCommandNative(i4, objArr)
<\/code><\/pre>

这是一个native函数<\/li>
通过Hook确认其返回__ns_sig3<\/code><\/li>
<\/ul>
1.4 定位so库<\/h3>

通过日志信息定位库名为f23969b<\/code><\/li>
Hook确认库加载过程<\/li>
<\/ol>
2. SO层分析<\/h2>
2.1 去花指令处理<\/h3>


识别花指令特征：<\/p>

非标准函数栈操作<\/li>
使用STR<\/code>和LDP<\/code>指令传递寄存器值<\/li>
通过BR<\/code>跳转到计算地址<\/li>
<\/ul>
<\/li>

手动Patch方法：<\/p>

将干扰指令NOP掉<\/li>
直接修改为跳转到目标地址<\/li>
<\/ul>
<\/li>

编写脚本批量去花：<\/p>
# IDA去花脚本示例<\/span>
<\/span><\/span>def<\/span> nop_range<\/span>(start, end):
<\/span><\/span>    for<\/span> i in<\/span> range(start, end):
<\/span><\/span>        PatchByte(i, 0x90<\/span>)
<\/span><\/span>
<\/span><\/span># 应用脚本后重新分析程序<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.2 Unidbg准备<\/h3>

初始模板遇到初始化校验问题<\/li>
通过Hook doCommandNative<\/code>获取初始化参数<\/li>
补全必要环境：
\/\/ Unidbg初始化示例
<\/span><\/span><\/span><\/span>public<\/span> void<\/span> callInit<\/span>()<\/span> {<\/span>
<\/span><\/span>    List<<\/span>Object><\/span> list =<\/span> new<\/span> ArrayList<>();<\/span>
<\/span><\/span>    list.<\/span>add<\/span>(<\/span>vm.<\/span>getJNIEnv<\/span>());<\/span>
<\/span><\/span>    list.<\/span>add<\/span>(<\/span>0<\/span>);<\/span>
<\/span><\/span>    module.<\/span>callFunction<\/span>(<\/span>emulator,<\/span> 0x10000<\/span>,<\/span> list.<\/span>toArray<\/span>());<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.3 固定结果分析<\/h3>

发现结果不固定，怀疑与时间戳相关<\/li>
定位到gettimeofday<\/code>系统调用<\/li>
修改Unidbg源码固定时间：
\/\/ 修改UnixSyscallHandler.java
<\/span><\/span><\/span><\/span>@Override<\/span>
<\/span><\/span>public<\/span> long<\/span> gettimeofday<\/span>(<\/span>UnixEmulator emulator,<\/span> Timeval tv,<\/span> Timezone tz)<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>tv !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        tv.<\/span>set<\/span>(<\/span>1748752323<\/span>,<\/span> 214000<\/span>);<\/span> \/\/ 固定时间戳
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> 0<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre><\/li>
固定后得到稳定结果：bbaadaf9b2c786b6f3f3f0f19de705a7293cd381eee2ecfa<\/code><\/li>
<\/ol>
2.4 关键字节生成分析<\/h3>


通过Trace从结果反推：<\/p>

搜索结果字节0xbb<\/code>、0xaa<\/code>等<\/li>
定位到关键汇编指令：
ldrb w1, [x21], #1
eor w11, w11, w12
<\/code><\/pre>
<\/li>
<\/ul>
<\/li>

发现24字节结果生成逻辑：<\/p>

从内存地址加载原始字节<\/li>
与0xfa<\/code>进行异或得到最终结果<\/li>
第24字节直接使用0xfa<\/code><\/li>
<\/ul>
<\/li>

伪代码表示：<\/p>
for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 23<\/span>; i++<\/span>) {
<\/span><\/span>    *<\/span>(result +<\/span> i) =<\/span> *<\/span>(src +<\/span> i) ^<\/span> 0xFA<\/span>;
<\/span><\/span>}
<\/span><\/span>*<\/span>(result +<\/span> 23<\/span>) =<\/span> 0xFA<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.5 CRC32校验<\/h3>


定位到CRC32运算：<\/p>

多项式：0x04C11DB7<\/code><\/li>
标准CRC32算法<\/li>
<\/ul>
<\/li>

影响范围：<\/p>

URL参数影响13-16字节<\/li>
时间戳影响5-8字节及17-19字节<\/li>
<\/ul>
<\/li>
<\/ol>
2.6 白盒AES分析<\/h3>


定位关键数据：<\/p>

输入：8a536e06f438b1929bd7015fc1d17f70f4a76e00ec0b4fd1c58e44fef47efeafe0ed8ea4aab0c1d5f4519f8d19c4948f<\/code><\/li>
操作地址：0x404e4e40<\/code><\/li>
<\/ul>
<\/li>

识别AES特征：<\/p>

ECB模式（无IV）<\/li>
标准PKCS7填充<\/li>
10轮加密<\/li>
<\/ul>
<\/li>

密钥推导：<\/p>

使用PhoenixAES工具推导最后一轮密钥<\/li>
逆向推导种子密钥<\/li>
<\/ul>
<\/li>

验证：<\/p>

使用推导出的密钥进行标准AES-ECB加密<\/li>
结果与so输出一致<\/li>
<\/ul>
<\/li>
<\/ol>
2.7 HMAC-SHA256分析<\/h3>


输入处理：<\/p>

URL对象作为输入<\/li>
使用两个64字节盐值（类似HMAC的ipad和opad）<\/li>
<\/ul>
<\/li>

关键特征：<\/p>

盐值分别异或0x36<\/code>和0x5c<\/code><\/li>
标准HMAC-SHA256算法<\/li>
<\/ul>
<\/li>

验证：<\/p>
import<\/span> hmac
<\/span><\/span>import<\/span> hashlib
<\/span><\/span>
<\/span><\/span># 示例验证<\/span>
<\/span><\/span>key =<\/span> b<\/span>'...'<\/span>  # 提取的盐值<\/span>
<\/span><\/span>message =<\/span> b<\/span>'urlObj'<\/span>
<\/span><\/span>hmac.<\/span>new(key, message, hashlib.<\/span>sha256).<\/span>hexdigest()
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. 完整流程总结<\/h2>


输入处理<\/strong>：<\/p>

接收URL对象和时间戳<\/li>
通过HMAC-SHA256生成中间值<\/li>
<\/ul>
<\/li>

白盒AES加密<\/strong>：<\/p>

使用固定密钥对中间值进行AES-ECB加密<\/li>
生成48字节数据<\/li>
<\/ul>
<\/li>

CRC32校验<\/strong>：<\/p>

对部分数据进行CRC32运算<\/li>
影响最终结果的13-16字节<\/li>
<\/ul>
<\/li>

异或处理<\/strong>：<\/p>

前23字节与0xFA<\/code>异或<\/li>
第24字节固定为0xFA<\/code><\/li>
<\/ul>
<\/li>

输出<\/strong>：<\/p>

生成24字节的__ns_sig3<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
4. 关键技术点<\/h2>


逆向技巧<\/strong>：<\/p>

从Java层到Native层的完整调用链追踪<\/li>
通过Hook和反编译结合分析<\/li>
结果反推生成逻辑<\/li>
<\/ul>
<\/li>

密码学分析<\/strong>：<\/p>

白盒AES识别与密钥提取<\/li>
HMAC-SHA256算法识别<\/li>
CRC32校验分析<\/li>
<\/ul>
<\/li>

反调试对抗<\/strong>：<\/p>

花指令识别与去除<\/li>
Unidbg环境补全<\/li>
<\/ul>
<\/li>

调试技巧<\/strong>：<\/p>

Trace代码定位关键点<\/li>
内存写入监控<\/li>
寄存器状态分析<\/li>
<\/ul>
<\/li>
<\/ol>
5. 参考工具<\/h2>


逆向工具<\/strong>：<\/p>

IDA Pro 7.0+<\/li>
JADX\/GDA<\/li>
Frida<\/li>
<\/ul>
<\/li>

辅助工具<\/strong>：<\/p>

Unidbg<\/li>
PhoenixAES<\/li>
CyberChef<\/li>
<\/ul>
<\/li>

参考文章<\/strong>：<\/p>

花指令处理分析<\/li>
龙哥去花文章<\/li>
杨如画大佬的逆向文章<\/li>
季冬大佬的技术分享<\/li>
<\/ul>
<\/li>
<\/ol>