Changing android_server's default debug port to get around anti-debugging checks

July 25, 2017 12:06 PM

Load android_server into IDA for analysis.

android_server's default debug port is ==23946==, which is ==0x5D8A== in hexadecimal.

Press Shift+F12 to list the strings:

```
.rodata:00074224 0000004A C IDA Android 32-bit remote debug server(ST) v1.%d. Hex-Rays (c) 2004-2015\n
.rodata:00074160 0000000D C init_sockets
```

Follow the data cross-reference to reach the code that uses the string.

First location:

```
.text:0000B620 loc_B620 ; CODE XREF: sub_B5DC+22j
.text:0000B620 A9 4B LDR R3, =(off_7FBD0 - 0xB62A)
.text:0000B622 AA 48 LDR R0, =(aIdaAndroid32Bi - 0xB62E)
.text:0000B624 13 21 MOVS R1, #0x13
.text:0000B626 7B 44 ADD R3, PC ; off_7FBD0
.text:0000B628 1B 68 LDR R3, [R3] ; unk_80BB0
.text:0000B62A 78 44 ADD R0, PC ; "IDA Android 32-bit remote debug server("...
.text:0000B62C 1D 78 LDRB R5, [R3]
.text:0000B62E 04 F0 AB FC BL sub_FF88
.text:0000B632 01 2E CMP R6, #1
.text:0000B634 1C DD BLE loc_B670
.text:0000B636 62 68 LDR R2, [R4,#4]
.text:0000B638 13 78 LDRB R3, [R2]
.text:0000B63A 02 22 MOVS R2, #2
.text:0000B63C 93 43 BICS R3, R2
.text:0000B63E 2D 2B CMP R3, #0x2D
.text:0000B640 16 D1 BNE loc_B670
.text:0000B642 00 2D CMP R5, #0
.text:0000B644 00 D1 BNE loc_B648
.text:0000B646 9F E1 B loc_B988
.text:0000B648 ; ---------------------------------------------------------------------------
.text:0000B648
.text:0000B648 loc_B648 ; CODE XREF: sub_B5DC+68j
.text:0000B648 A1 4B LDR R3, =(dword_8074C - 0xB652)
.text:0000B64A A2 4A LDR R2, =(dword_8074C - 0xB654)
.text:0000B64C A2 4D LDR R5, =0x5D8A
.text:0000B64E 7B 44 ADD R3, PC ; dword_8074C
.text:0000B650 7A 44 ADD R2, PC ; dword_8074C
.text:0000B652 99 46 MOV R9, R3
.text:0000B654 01 27 MOVS R7, #1
.text:0000B656 90 46 MOV R8, R2
.text:0000B658
.text:0000B658 loc_B658 ; CODE XREF: sub_B5DC+2BAj
.text:0000B658 63 68 LDR R3, [R4,#4]
.text:0000B65A 58 78 LDRB R0, [R3,#1]
.text:0000B65C 50 38 SUBS R0, #0x50 ; switch 39 cases
.text:0000B65E 26 28 CMP R0, #0x26
.text:0000B660 00 D8 BHI def_B826 ; jumptable 0000B826 default case
.text:0000B662 E0 E0 B loc_B826
```
Second location:

```
.text:0000B97E loc_B97E ; CODE XREF: sub_B5DC+C2j
.text:0000B97E 30 49 LDR R1, =(aInit_sockets - 0xB986)
.text:0000B980 00 20 MOVS R0, #0
.text:0000B982 79 44 ADD R1, PC ; "init_sockets"
.text:0000B984 00 F0 EC FC BL sub_C360
.text:0000B988 ; ---------------------------------------------------------------------------
.text:0000B988
.text:0000B988 loc_B988 ; CODE XREF: sub_B5DC+6Aj
.text:0000B988 2E 4B LDR R3, =(dword_8074C - 0xB992)
.text:0000B98A 2F 4D LDR R5, =0x5D8A
.text:0000B98C 2C 22 MOVS R2, #0x2C
.text:0000B98E 7B 44 ADD R3, PC ; dword_8074C
.text:0000B990 99 46 MOV R9, R3
.text:0000B992 90 46 MOV R8, R2
.text:0000B994 01 27 MOVS R7, #1
.text:0000B996
.text:0000B996 loc_B996 ; CODE XREF: sub_B5DC:loc_B9CCj
.text:0000B996 60 68 LDR R0, [R4,#4]
.text:0000B998 43 78 LDRB R3, [R0,#1]
.text:0000B99A 1A 06 LSLS R2, R3, #0x18
.text:0000B99C 13 0E LSRS R3, R2, #0x18
.text:0000B99E 6B 2B CMP R3, #0x6B
.text:0000B9A0 37 D0 BEQ loc_BA12
.text:0000B9A2 2D D8 BHI loc_BA00
.text:0000B9A4 50 2B CMP R3, #0x50
.text:0000B9A6 3D D0 BEQ loc_BA24
.text:0000B9A8 69 2B CMP R3, #0x69
```

In IDA, Ctrl+J on the `=0x5D8A` operand lists the cross-references, which lead to the literal-pool constant each `LDR R5, =0x5D8A` actually reads from:

First location:

```
.text:0000B8D8 8A 5D 00 00 dword_B8D8 DCD 0x5D8A ; DATA XREF: sub_B5DC+70r
.text:0000B8D8 ; sub_B5DC:loc_B670r
```
Second location:

```
.text:0000BA44 ; DATA XREF: sub_B5DC:loc_B988r
.text:0000BA48 8A 5D 00 00 dword_BA48 DCD 0x5D8A ; DATA XREF: sub_B5DC+3AEr
```

Open the file in the hex editor 010 Editor, use Ctrl+G to jump to each offset, and change

the values at 0000B8D8 and 0000BA48 to ==0x41F8==. Mind the byte order: the constant is stored little-endian (the listing shows `8A 5D 00 00` for 0x5D8A), so what you type is ==F841==.

A few port numbers and their hexadecimal values:

0x5D8A=23946

0x41F8=16888

0x3039=12345
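The same patch as a script, added here as an example that is not part of the original post. It encodes the new port little-endian exactly as the `DCD` constant is stored, and it refuses to write unless the offset still holds 0x5D8A, so a different build of android_server (or a file that was already patched) fails loudly instead of getting four bytes of code overwritten. The offsets 0xB8D8 and 0xBA48 come from the listing above; treating them as file offsets is an assumption that mirrors the 010 Editor step (the listing prints virtual addresses, which only coincide with file offsets when the `.text` section has no file/VA slide). `build_sample_image` is a constructed stand-in for the binary so the script runs offline.

```python
import struct
import sys

# Values from the post: the shipped port and the two "DCD 0x5D8A" offsets.
# Using them as file offsets is an assumption (see the lead-in).
DEFAULT_PORT = 23946              # 0x5D8A
PORT_OFFSETS = (0xB8D8, 0xBA48)


def port_bytes(port):
    """Encode a port the way the DCD constant is stored: 32-bit little-endian.
    The digits the post says to type (F841 for 0x41F8) are the first two bytes."""
    if not 0 < port < 0x10000:
        raise ValueError("port must be 1..65535, got %d" % port)
    return struct.pack("<I", port)


def le_hex(port):
    """The hex digits as they appear in the hex editor, i.e. byte-swapped."""
    return struct.pack("<H", port).hex().upper()


def read_port(data, offset):
    """Decode the 32-bit little-endian port stored at offset."""
    return struct.unpack_from("<I", data, offset)[0]


def patch_port(data, new_port, offsets=PORT_OFFSETS, expected=DEFAULT_PORT):
    """Return a copy of data with the port at every offset replaced.

    Each offset must currently hold `expected`; anything else means the
    offset is wrong for this file, and writing there would corrupt code."""
    buf = bytearray(data)
    for off in offsets:
        if off + 4 > len(buf):
            raise ValueError("offset 0x%X lies past the end of the file" % off)
        found = read_port(buf, off)
        if found != expected:
            raise ValueError("offset 0x%X holds 0x%X, expected 0x%X"
                             % (off, found, expected))
        buf[off:off + 4] = port_bytes(new_port)
    return bytes(buf)


def build_sample_image():
    """Constructed stand-in for android_server: zero-filled, with the two
    port constants at the offsets from the post. Not the real binary."""
    buf = bytearray(0xBA4C)
    for off in PORT_OFFSETS:
        buf[off:off + 4] = port_bytes(DEFAULT_PORT)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: patch_port.py <input> <output> <port, decimal or 0x-hex>
        src, dst, port = sys.argv[1], sys.argv[2], int(sys.argv[3], 0)
        with open(src, "rb") as f:
            data = f.read()
        with open(dst, "wb") as f:
            f.write(patch_port(data, port))
        print("patched %s -> %s: port %d (0x%04X, stored as %s)"
              % (src, dst, port, port, le_hex(port)))
    else:
        sample = patch_port(build_sample_image(), 16888)
        print("sample image now holds",
              [hex(read_port(sample, o)) for o in PORT_OFFSETS])
```

Run it as `python patch_port.py android_server android_server.patched 0x41F8`; with no arguments it patches the constructed sample image instead. Because only two bytes of each constant are non-zero for any valid port, typing two bytes in 010 Editor and writing four here produce the same file.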

Push the modified file to the phone and make it executable with ==chmod 777==:

```
adb push android_server /data/local/tmp/android_server
adb shell chmod 777 /data/local/tmp/android_server
```

Then run it and check the result:

```
C:\Users\Administrator\Desktop>adb shell /data/local/tmp/android_server
IDA Android 32-bit remote debug server(ST) v1.19. Hex-Rays (c) 2004-2015
Listening on port #16888...
```