Sample: https://www.52pojie.cn/thread-733283-1-1.html
Hash check: CRC32: ACABCA87
MD5: 1D9C2A55A847EF5B982638DF32E26D76
SHA-1: 5515BABF14E44AA5AC3C056856EB48FCD5EBF400
Lock-screen sample screenshot:
Parent package analysis
After downloading and decompiling the sample, it can be roughly determined that it is packed with the 360 protector.
Next, use an AVD to build a fresh emulator for unpacking the 360 shell; for details see: https://www.52pojie.cn/thread-624275-1-1.html
Once classes.dex has been unpacked, analyze it in JEB; the following code is found.
The APK first creates the /sdcard/Tencent/QQTS/CNM folder, then requests su (root) privileges (if root is not available, it deletes the folder it just created), checks whether com.example.xphuluxia (an app called "anti-lock xia") is installed, and uninstalls it if so. It then writes the assets/sisk.txt file from the APK to /system/app/time.apk via Java code and changes the permissions of time.apk. After the phone restarts, the lock app is installed automatically, but adb shell is still usable.
Sub-package analysis
adb pull /system/app/time.apk
Open it in JEB and go to the entry point first.
Looking at the manifest, the entry is still MainActivity.
A class called com.test.hlx.hlx is initialized.
Take a look at the page's layout XML file.
The first two locks are unlocked locally, and the third needs the network. Locate them by the control IDs given in the XML.
The control IDs are 2, 3 and 1 respectively; keep following them and find:
The first unlock has no practical significance: its unlock button has no response event set. Moving to the second unlock, the response event is 100000000.
You can see that v2 stores a generated 5-digit number. The random number v3 shown on screen is the return value of com.test.hlx.util.Replace, but the value actually used to validate the input is still v2, so "random number" below refers to v2, which is a positive integer.
The check takes the first 5 characters of the input string, applies MD5 three times, and compares the result with e0119873a9724bcdb625ac612c933655. The part of the input after the fifth character is compared with five characters derived from the random number through a series of operations in com.test.hlx.util.PassWord. Then the second verification's response event 100000001 updates the random number.
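The first half of the second unlock check, rebuilt from the description above so an analyst can confirm the recovered algorithm against the hard-coded digest. This is an added example, not code from the post or from the sample; the function names are ours, the digest is the one quoted in the analysis, and it assumes that "MD5 three times" means the hex digest of each round is hashed again (the post does not spell out the chaining). It relies on md5sum from GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example: reimplementation of the sample's first-half unlock check as
# described in the analysis. Names are ours; the digest comes from the post.

# Hard-coded comparison value quoted in the analysis.
HLX_UNLOCK_DIGEST="e0119873a9724bcdb625ac612c933655"

# md5_hex STRING: lowercase hex MD5 of STRING (no trailing newline is hashed).
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# triple_md5_prefix INPUT: take only the first 5 characters of INPUT and hash
# them three times, feeding each round's hex digest into the next round.
# Assumption: this chaining is what the sample's "three times MD5" means.
triple_md5_prefix() {
    h=$(printf '%s' "$1" | cut -c1-5)
    h=$(md5_hex "$h")
    h=$(md5_hex "$h")
    md5_hex "$h"
}

# check_first_half INPUT: returns 0 when the 5-character prefix of INPUT
# reproduces the digest the sample compares against, 1 otherwise.
check_first_half() {
    [ "$(triple_md5_prefix "$1")" = "$HLX_UNLOCK_DIGEST" ]
}
```

Because only the first five characters ever reach the hash, everything typed after them is irrelevant to this comparison; the second half of the input is validated separately against the random number, as the analysis notes.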
The app performs network verification against "https://langzichao.wodemo.com/entry/475596": it first checks whether the URL is alive and, if so, posts the relevant information.
Refer to this article: https://www.52pojie.cn/thread-678602-1-1.html (thanks to the experts)
Summary & solution:
This lock-screen malware first induces the user to install it, then requests device administrator and root permissions when opened. Once the permissions are granted, it drops itself into /system/app. After the device restarts, the app builds a full-screen page that covers the whole screen, which is how the lock is achieved.
The simplest way out is to delete the software.
Since adb is still available on the command line, connect the phone to a PC with a USB cable and open a shell or CMD:
adb shell su
mount -o rw,remount /system
cd /system/app
rm -rf time.apk
After getting read/write access to /system, delete time.apk directly; by then the screen should be back to normal.
Then uninstall the original package and delete the /data/data/com.test.hlx folder and the /sdcard/Tencent/QQTS/CNM/wx.so file it released.
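The cleanup steps above, collected into one script that first reports which of the named artifacts are present and then removes only those paths. This is an added example, not code from the post: the function and variable names are ours, and the paths are the ones the analysis identifies. It takes a root directory argument so the same logic can be run against a mounted image or a pulled directory tree; on a live device it would be run as root after the remount shown above, with ROOT set to /.

```shell
#!/bin/sh
# Added example: detect and remove the artifacts named in the analysis.
# Paths are from the post; function and variable names are ours.

# Relative paths (under ROOT) of the artifacts the analysis identifies.
LOCK_APK="system/app/time.apk"
LOCK_DATA_DIR="data/data/com.test.hlx"
LOCK_DROP_DIR="sdcard/Tencent/QQTS/CNM"

# scan_lock_artifacts ROOT: print each artifact that exists under ROOT,
# one per line. Returns 0 if anything was found, 1 if the tree is clean.
scan_lock_artifacts() {
    [ -n "$1" ] || { echo "usage: scan_lock_artifacts ROOT" >&2; return 2; }
    root=${1%/}
    found=1
    for rel in "$LOCK_APK" "$LOCK_DATA_DIR" "$LOCK_DROP_DIR"; do
        if [ -e "$root/$rel" ]; then
            echo "$root/$rel"
            found=0
        fi
    done
    return $found
}

# remove_lock_artifacts ROOT: delete the artifacts present under ROOT.
# Only the three specific paths above are touched; /system/app itself and
# everything else under /system are left alone.
remove_lock_artifacts() {
    [ -n "$1" ] || { echo "usage: remove_lock_artifacts ROOT" >&2; return 2; }
    root=${1%/}
    for rel in "$LOCK_APK" "$LOCK_DATA_DIR" "$LOCK_DROP_DIR"; do
        if [ -e "$root/$rel" ]; then
            rm -rf "$root/$rel"
            echo "removed $root/$rel"
        fi
    done
    return 0
}

# When run directly with a root argument: report, then clean.
if [ $# -gt 0 ]; then
    if scan_lock_artifacts "$1"; then
        remove_lock_artifacts "$1"
    else
        echo "no lock-screen artifacts found under $1"
    fi
fi
```

The scan step is worth running on its own first: a tree that shows time.apk but not the data directory, or vice versa, tells you which stage of the infection the device reached before you start deleting anything.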
Personally, I feel this sample is similar to the Wild Box lock-screen APK, and the package name seems to have been written by that author…
In addition, this appears to be a small forum offering free personal sites or something similar; the third verification passes through here, and the author's ID should be Langzichao.
Don't root your phone for no reason!! Don't root your phone for no reason!! Don't root your phone for no reason!! (Important things are said three times)
Finally, this is my first time writing an analysis article; it is not well written, and if there are mistakes I hope the experts will point them out to me…