Coder Social home page Coder Social logo

saam's Introduction

SAAM - Scripts for Analysing Android Malware

安装

  1. Python3 环境。

  2. 安装依赖

git clone https://github.com/mikusjelly/saam.git
cd saam
pip install -r requirements.txt
  1. 安装yara, yara-python 先安装yara,再安装yara-python。
$ git clone --recursive https://github.com/rednaga/yara-python-1 yara-python
$ cd yara-python
$ python setup.py build --enable-dex install
  1. readline
  • Mac pip install readline
  • Win pip install pyreadline

  1. 配置

    1. Add saam/bin to PATH
    2. config conf.ini

功能

  • apktool,反编译
  • analyse,交互式分析
  • jadx,阅读代码
  • sign,签名
  • scan,扫描器
  • deobfuscate,反混淆
  • ida,自动调试

deobfuscate,反混淆

✗ deobfuscate.sh 34d8aad4474f86d96b97dbbcea6732bb.apk
I: Using Apktool 2.3.1 on 34d8aad4474f86d96b97dbbcea6732bb.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /Users/bin/Library/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
deobfuscate... detmp/smali
classes ... 33
inner classes ... 1
methods ... 253
fields ... 189
java -jar ... ../tools/apktool/apktool.jar b  -f  -o de-34d8aad4474f86d96b97dbbcea6732bb.apk detmp
I: Using Apktool 2.3.1
I: Smaling smali folder into classes.dex...
I: Building resources...
I: Building apk file...
I: Copying unknown files/dir...
之前 之后

参考

saam's People

Stargazers

Nathan avatar john avatar avatar 小丰丰 avatar Marly avatar

Watchers

kin9-0rz avatar

Forkers

pymmrd sanjingshou11 ellery221holmes

saam's Issues

增加反混淆

有些样本使用了不可读字符作为类名、方法名等,增加了代码阅读的难度。

如:34d8aad4474f86d96b97dbbcea6732bb

get_client_random时报错:Error: access violation accessing 0x30

frida调用ssl.js时,执行到
client_random += ("0" + Memory.readU8(p.add(i)).toString(16).toUpperCase()).substr(-2);
时,报错
Error: access violation accessing 0x30.
看了下日志,发现s3_state_p=0x0。
求解?

【环境】
三星s6 edge Android 7.0.1
frida-server-12.2.29-android-arm64

【DEBUG日志】
SSL_read enter ssl=0xacbbf000 buf=0xacafe000 num=0x2000
get_address_port_pair sockfd=65 isRead=true
get_address_port_pair _addr=0 _port=443
get_address_port_pair _addr=0 _port=46899
get_master_key ssl=0xacbbf000
get_master_key session=0xacbbf280
get_master_key p=0xacbbf290
get_master_key masterkey=D9167BF3DAAD73B61B043C09C48F4AA013E499FE52919994CBE013B6A842B25EC56C8B90E3B0FDD0E358390D574A75D6
get_client_random ssl=0xacbbf000
SDK=[24,25] s3_state_p=0x0
get_client_random p=0x30
{'type': 'error', 'description': 'Error: access violation accessing 0x30', 'stack': 'Error: access violation accessing 0x30\n at get_client_random (/ssl.js:310)\n at /ssl.js:332', 'fileName': '/ssl.js', 'lineNumber': 310, 'columnNumber': 1}
SSL_read ret retval=0x13b

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.