
如何制作属于自己的抢票软件?

环境准备


有什么用?

  • 逆向分析app/小程序网络协议
  • 通过一切手段达到自己的目的

必备工具

  • Wireshark: 网络协议分析器
  • Burp Suite: Web应用安全测试工具
  • IDA Pro/Ghidra: 反汇编器
  • x64dbg: Windows动态调试器
  • Python: 脚本编写
  • Hex Editor: 十六进制编辑器

Python环境配置

pip install requests scapy pycryptodome frida-tools

网络抓包基础

1. Wireshark抓包实例

基本操作
# 启动Wireshark并选择网络接口
# 过滤HTTP流量
http
# 过滤特定IP
ip.addr == 192.168.1.100
# 过滤端口
tcp.port == 80 or tcp.port == 443
Python抓包脚本
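from scapy.all import IP, Raw, TCP, sniff
import json


def packet_handler(packet):
    """Print a short summary of a captured TCP segment that looks like HTTP.

    Args:
        packet: The packet object scapy passes to the ``prn`` callback.

    Segments without an IPv4 layer, a TCP layer and a raw payload are
    skipped, as are payloads that do not contain the text ``HTTP``.
    """
    # Check for the IP layer explicitly: the summary below indexes packet[IP],
    # which raises on an IPv6 segment. The original hid that behind a bare
    # ``except: pass`` and left a half-printed record.
    if not (packet.haslayer(IP) and packet.haslayer(TCP) and packet.haslayer(Raw)):
        return

    payload = packet[Raw].load.decode('utf-8', errors='ignore')
    if 'HTTP' not in payload:
        return

    # Clear-text HTTP payloads routinely carry cookies, tokens and form
    # credentials; only the first 200 characters are echoed, and the output
    # should be handled as sensitive data.
    print("[+] 捕获HTTP数据包:")
    print(f"源IP: {packet[IP].src}")
    print(f"目标IP: {packet[IP].dst}")
    print(f"端口: {packet[TCP].dport}")
    print(f"数据: {payload[:200]}...")
    print("-" * 50)


# Start capturing: ten packets matching the BPF filter, then stop.
print("[*] 开始网络监听...")
# store=False: the callback already prints what is needed, so scapy does not
# have to keep the captured packets in memory.
sniff(filter="tcp port 80", prn=packet_handler, count=10, store=False)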

2. 移动应用抓包

使用mitmproxy
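# mitm_script.py
from mitmproxy import http
import json


def _format_body(content):
    """Return *content* pretty-printed as JSON, or unchanged if it is not JSON."""
    try:
        return json.dumps(json.loads(content), indent=2, ensure_ascii=False)
    except (TypeError, ValueError):
        # TypeError: content is None; ValueError: not JSON or not decodable.
        # Anything else is a real error and is no longer swallowed.
        return content


def request(flow: http.HTTPFlow) -> None:
    """Log the method, URL and body of requests whose URL contains "api".

    Args:
        flow: The HTTP flow mitmproxy passes to the ``request`` hook.
    """
    if "api" not in flow.request.pretty_url:
        return

    print(f"[REQUEST] {flow.request.method} {flow.request.pretty_url}")
    # Bodies are printed verbatim, so session tokens and credentials sent by
    # the client end up in the console output; treat that output as sensitive.
    if flow.request.content:
        print(f"请求数据: {_format_body(flow.request.content)}")


def response(flow: http.HTTPFlow) -> None:
    """Log the status code and body of responses whose request URL contains "api".

    Args:
        flow: The HTTP flow mitmproxy passes to the ``response`` hook.
    """
    if "api" not in flow.request.pretty_url:
        return

    print(f"[RESPONSE] {flow.response.status_code}")
    print(f"响应数据: {_format_body(flow.response.content)}")
    print("-" * 80)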

协议分析

1. 自定义协议逆向

协议分析脚本
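import struct
import binascii


class ProtocolAnalyzer:
    """Print a first-pass structural breakdown of raw protocol packets."""

    def __init__(self):
        # Number of packets passed to analyze_packet() so far.
        self.packet_count = 0

    def analyze_packet(self, data):
        """Dump one packet as hex and show a candidate 8-byte header split.

        Args:
            data: The raw packet as ``bytes``.
        """
        self.packet_count += 1
        print(f"\n=== 数据包 #{self.packet_count} ===")
        print(f"原始数据: {binascii.hexlify(data).decode()}")
        print(f"数据长度: {len(data)} 字节")

        # The 2/2/4-byte big-endian layout is a guess to start from, not a
        # decoded format; the field values are shown without interpretation.
        if len(data) >= 8:
            field1, field2, field3 = struct.unpack('>HHI', data[:8])
            print("可能的包头结构:")
            print(f"  字段1 (2字节): 0x{field1:04x} ({field1})")
            print(f"  字段2 (2字节): 0x{field2:04x} ({field2})")
            print(f"  字段3 (4字节): 0x{field3:08x} ({field3})")

        self.find_patterns(data)

    def find_patterns(self, data):
        """Report adjacent repeated bytes and any printable text in *data*.

        Args:
            data: The raw packet as ``bytes``.
        """
        # Adjacent equal bytes, reported at the index of the first of the pair.
        for i in range(len(data) - 1):
            if data[i] == data[i + 1]:
                print(f"重复字节 0x{data[i]:02x} 在位置 {i}")

        # Best-effort text view. The original used a bare ``except``; only a
        # decode failure or a non-bytes argument is tolerated here.
        try:
            text = data.decode('utf-8', errors='ignore')
        except (AttributeError, UnicodeError):
            return
        if any(c.isprintable() for c in text):
            print(f"可能的文本: {repr(text)}")


# Usage example
analyzer = ProtocolAnalyzer()

# Simulated packets
packets = [
    b'\x00\x01\x00\x10\x00\x00\x00\x20Hello World',
    b'\x00\x02\x00\x08\x00\x00\x00\x10Test',
    b'\x00\x03\x00\x0c\x00\x00\x00\x18Python',
]

for packet in packets:
    analyzer.analyze_packet(packet)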

2. 加密协议分析

加密检测脚本
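import math
from collections import Counter


def entropy_analysis(data):
    """Return the Shannon entropy of *data* in bits per byte.

    Args:
        data: The sample as ``bytes``.

    Returns:
        0 for empty input, otherwise a value between 0 and 8.
    """
    if not data:
        return 0

    total = len(data)
    return -sum(
        (count / total) * math.log2(count / total)
        for count in Counter(data).values()
    )


def detect_encryption(data):
    """Print a rough guess at whether *data* is encrypted, encoded or plain.

    Args:
        data: The sample as ``bytes``.
    """
    entropy = entropy_analysis(data)
    print(f"数据熵值: {entropy:.2f}")

    if entropy > 7.5:
        print("高熵值 - 可能是加密或压缩数据")
    elif entropy > 6.0:
        print("中等熵值 - 可能是编码数据")
    else:
        print("低熵值 - 可能是明文数据")

    # An empty sample has no length to reason about; without this guard it
    # was reported as a possible AES and DES block because 0 % 16 == 0.
    if not data:
        return

    # A sample of n bytes cannot exceed log2(n) bits of entropy, so below
    # 256 bytes the 7.5 threshold is unreachable and real ciphertext is
    # reported as low entropy. Say so instead of implying a verdict.
    if len(data) < 256:
        max_entropy = math.log2(len(data))
        print(f"样本仅 {len(data)} 字节,熵值上限 {max_entropy:.2f} - 以上判断仅供参考")

    # Block-size hints are weak: any multiple of 16 is also a multiple of 8,
    # and plenty of plaintext has such a length.
    if len(data) % 16 == 0:
        print("数据长度是16的倍数 - 可能使用AES加密")
    if len(data) % 8 == 0:
        print("数据长度是8的倍数 - 可能使用DES/3DES加密")


# Exercise the detector on different kinds of data
test_data = [
    b"Hello World! This is plain text.",
    b'\x8f\x3a\x9c\x2e\x7b\x1d\x4f\x6a\x9e\x2c\x8b\x5f\x1a\x7d\x3e\x9c',
    b"AAAAAAAAAAAAAAAA",
]

for i, data in enumerate(test_data):
    print(f"\n--- 测试数据 {i+1} ---")
    detect_encryption(data)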

静态分析

1. PE文件分析

PE解析脚本
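import struct
import os


class PEAnalyzer:
    """Minimal PE header parser and string extractor for a file on disk.

    The file is treated as untrusted input: every offset read from it is
    bounds-checked before it is used.
    """

    def __init__(self, filepath):
        self.filepath = filepath
        self.data = None         # raw file bytes, set by load_file()
        self.dos_header = None   # dict with e_magic / e_lfanew
        self.nt_headers = None   # dict with selected COFF file-header fields

    def load_file(self):
        """Read the whole file into ``self.data``."""
        with open(self.filepath, 'rb') as f:
            self.data = f.read()

    def parse_dos_header(self):
        """Parse the 64-byte DOS header.

        Returns:
            True when the header is present and carries the 'MZ' signature,
            otherwise False.
        """
        if len(self.data) < 64:
            return False

        # e_lfanew is the 32-bit field at offset 0x3C. The previous format
        # string '<30H4s' unpacked it as a 4-byte string, which then failed
        # when formatted as hex and could not be used as an offset.
        e_magic = struct.unpack_from('<H', self.data, 0)[0]
        e_lfanew = struct.unpack_from('<I', self.data, 0x3C)[0]
        self.dos_header = {
            'e_magic': e_magic,
            'e_lfanew': e_lfanew,
        }

        # Check the DOS signature
        if e_magic != 0x5A4D:  # 'MZ'
            print("错误: 不是有效的PE文件")
            return False

        print("DOS头解析成功")
        print(f"PE头偏移: 0x{e_lfanew:08x}")
        return True

    def parse_nt_headers(self):
        """Parse the PE signature and the 20-byte COFF file header.

        Returns:
            True on success, False when the offset is out of range or the
            signature does not match.
        """
        pe_offset = self.dos_header['e_lfanew']

        # e_lfanew comes from the file itself; a truncated or hostile file
        # can point past the end. Signature (4) + file header (20) must fit.
        if pe_offset + 24 > len(self.data):
            print("错误: PE头偏移超出文件范围")
            return False

        # Check the PE signature
        pe_signature = struct.unpack_from('<I', self.data, pe_offset)[0]
        if pe_signature != 0x00004550:  # 'PE\0\0'
            print("错误: PE签名无效")
            return False

        # Parse the file header that follows the signature
        file_header = struct.unpack_from('<HHIIIHH', self.data, pe_offset + 4)
        self.nt_headers = {
            'machine': file_header[0],
            'number_of_sections': file_header[1],
            'time_date_stamp': file_header[2],
            'characteristics': file_header[6],
        }

        print(f"机器类型: 0x{self.nt_headers['machine']:04x}")
        print(f"节数量: {self.nt_headers['number_of_sections']}")
        print(f"特征值: 0x{self.nt_headers['characteristics']:04x}")
        return True

    def find_strings(self, min_length=4):
        """Return the printable-ASCII runs of at least *min_length* characters.

        Args:
            min_length: Shortest run to report.

        Returns:
            A list of strings in file order.
        """
        strings = []
        current = []
        for byte in self.data:
            if 32 <= byte <= 126:  # printable ASCII
                current.append(chr(byte))
                continue
            if len(current) >= min_length:
                strings.append("".join(current))
            current = []

        # A run that reaches the end of the file has no terminating byte and
        # was previously dropped.
        if current and len(current) >= min_length:
            strings.append("".join(current))
        return strings

    def analyze(self):
        """Run the full analysis and print the results."""
        # Load on demand so analyze() also works without a prior load_file().
        if self.data is None:
            self.load_file()

        print(f"分析文件: {self.filepath}")
        print(f"文件大小: {len(self.data)} 字节")

        if not self.parse_dos_header():
            return
        if not self.parse_nt_headers():
            return

        # Extract strings; only the first ten are shown
        strings = self.find_strings()
        print(f"\n发现 {len(strings)} 个字符串:")
        for i, s in enumerate(strings[:10]):
            print(f"  {i+1}: {s}")
        if len(strings) > 10:
            print(f"  ... 还有 {len(strings) - 10} 个字符串")


# Usage example (requires a real PE file)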
# analyzer = PEAnalyzer("example.exe")
# analyzer.load_file()
# analyzer.analyze()

2. 反汇编分析

简单反汇编器
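import struct


class SimpleDisassembler:
    """Linear-sweep decoder for a handful of one-byte x86 opcodes.

    Bytes are decoded strictly in sequence; any byte that is not in the
    table is emitted as a ``db`` data byte.
    """

    def __init__(self):
        # x86 opcode table (simplified)
        self.opcodes = {
            0x90: "nop",
            0xC3: "ret",
            0x50: "push eax",
            0x51: "push ecx",
            0x52: "push edx",
            0x58: "pop eax",
            0x59: "pop ecx",
            0x5A: "pop edx",
            0xB8: "mov eax, imm32",
            0xB9: "mov ecx, imm32",
            0xBA: "mov edx, imm32",
        }

    def disassemble(self, code, base_addr=0x1000):
        """Decode *code* into a list of ``"0xADDR: text"`` lines.

        Args:
            code: The machine code as ``bytes``.
            base_addr: Address assigned to the first byte.

        Returns:
            One formatted line per decoded instruction or data byte.
        """
        instructions = []
        offset = 0

        while offset < len(code):
            addr = base_addr + offset
            opcode = code[offset]
            text = self.opcodes.get(opcode)
            size = 1

            if text is not None and "imm32" in text:
                operand = code[offset + 1:offset + 5]
                if len(operand) == 4:
                    imm = struct.unpack('<I', operand)[0]
                    text = text.replace("imm32", f"0x{imm:08x}")
                    size = 5
                else:
                    # The 4-byte immediate runs past the end of the buffer.
                    # Emit the opcode as data rather than a line that still
                    # contains the literal placeholder "imm32".
                    text = None

            if text is None:
                text = f"db 0x{opcode:02x}"

            instructions.append(f"0x{addr:08x}: {text}")
            offset += size

        return instructions


# Test code
code = bytes([
    0x50,                          # push eax
    0xB8, 0x01, 0x00, 0x00, 0x00,  # mov eax, 1
    0x90,                          # nop
    0x58,                          # pop eax
    0xC3,                          # ret
])

disasm = SimpleDisassembler()
instructions = disasm.disassemble(code)

print("反汇编结果:")
for instr in instructions:
    print(instr)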

动态分析

1. API监控

Windows API Hook
import ctypes
from ctypes import wintypes
import sys


class APIMonitor:
    """Holds handles to kernel32/user32 and builds a logging CreateFileW wrapper."""

    def __init__(self):
        # ctypes.windll exists only on Windows.
        self.kernel32 = ctypes.windll.kernel32
        self.user32 = ctypes.windll.user32

    def hook_createfile(self):
        """Return a wrapper that logs its arguments and calls CreateFileW.

        This is a conceptual example: the wrapper is only returned to the
        caller. Nothing in this method installs it in place of the real API,
        so calls made by other code are not observed.

        Returns:
            A function taking the seven CreateFileW arguments.
        """
        print("[*] 开始监控CreateFile API...")

        # Keep a reference to the real API for the wrapper to forward to.
        real_create_file = self.kernel32.CreateFileW

        def hooked_createfile(filename, access, share, security, creation, flags, template):
            report = (
                "[API] CreateFile调用:",
                f"  文件名: {filename}",
                "  访问权限: 0x" + format(access, '08x'),
                "  创建方式: 0x" + format(creation, '08x'),
            )
            for line in report:
                print(line)

            # Forward to the original API unchanged.
            return real_create_file(
                filename, access, share, security, creation, flags, template
            )

        return hooked_createfile


# Script for dynamic analysis with Frida
frida_script = """
// Frida JavaScript代码
Java.perform(function() {// Hook Android应用的关键函数var MainActivity = Java.use("com.example.app.MainActivity");MainActivity.checkLicense.implementation = function(key) {console.log("[+] checkLicense called with key: " + key);// 记录调用栈console.log("[+] Call stack:");Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new());// 调用原始函数var result = this.checkLicense(key);console.log("[+] Original result: " + result);// 修改返回值console.log("[+] Returning true instead");return true;};// Hook加密函数var CryptoUtils = Java.use("com.example.app.CryptoUtils");CryptoUtils.decrypt.implementation = function(data) {console.log("[+] decrypt called with data: " + data);var result = this.decrypt(data);console.log("[+] Decrypted result: " + result);return result;};
});
"""

2. 内存分析

内存搜索脚本
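import struct
import re


class MemoryAnalyzer:
    """Search a memory dump for byte patterns, strings and crypto constants."""

    def __init__(self, memory_dump):
        self.memory = memory_dump

    def search_pattern(self, pattern):
        """Return every offset at which *pattern* occurs, overlaps included.

        Args:
            pattern: ``bytes`` to look for; a ``str`` is encoded first.

        Returns:
            A list of offsets in ascending order.
        """
        if isinstance(pattern, str):
            pattern = pattern.encode()

        # bytes.find() replaces the per-offset slice comparison; advancing by
        # one byte after each hit keeps overlapping matches.
        matches = []
        pos = self.memory.find(pattern)
        while pos != -1:
            matches.append(pos)
            pos = self.memory.find(pattern, pos + 1)
        return matches

    def search_strings(self, min_length=4):
        """Return printable ASCII and UTF-16LE strings found in the dump.

        Args:
            min_length: Minimum number of characters in a reported string.

        Returns:
            A list of dicts with 'offset', 'string' and 'type' keys, all
            ASCII hits first, then the UTF-16LE ones.
        """
        strings = []

        # ASCII strings
        ascii_pattern = b'[\\x20-\\x7E]{%d,}' % min_length
        for match in re.finditer(ascii_pattern, self.memory):
            strings.append({
                'offset': match.start(),
                'string': match.group().decode('ascii'),
                'type': 'ASCII',
            })

        # UTF-16LE strings made of printable ASCII characters
        unicode_pattern = b'(?:[\\x20-\\x7E]\\x00){%d,}' % min_length
        for match in re.finditer(unicode_pattern, self.memory):
            try:
                text = match.group().decode('utf-16le')
            except UnicodeDecodeError:
                # Narrowed from a bare ``except``: only a decode failure is
                # an expected reason to skip a candidate.
                continue
            strings.append({
                'offset': match.start(),
                'string': text,
                'type': 'Unicode',
            })

        return strings

    def find_crypto_constants(self):
        """Return the known crypto constants present in the dump.

        Returns:
            A list of dicts with 'name' and 'offsets' keys.
        """
        # Short prefixes only, so a hit is a lead to verify, not proof. The
        # MD5 and SHA1 entries are the same two 32-bit words in little- and
        # big-endian byte order; both algorithms start from those words, so
        # the label reflects byte order more than the algorithm.
        crypto_constants = {
            'AES S-Box': b'\x63\x7c\x77\x7b\xf2\x6b\x6f\xc5',
            'MD5 Constants': b'\x01\x23\x45\x67\x89\xab\xcd\xef',
            'SHA1 Constants': b'\x67\x45\x23\x01\xef\xcd\xab\x89',
        }

        found = []
        for name, constant in crypto_constants.items():
            offsets = self.search_pattern(constant)
            if offsets:
                found.append({'name': name, 'offsets': offsets})
        return found


# Simulated memory contents
memory_data = (
    b"Hello World\x00\x00\x00\x00" +
    b"P\x00a\x00s\x00s\x00w\x00o\x00r\x00d\x00" +  # UTF-16LE "Password"
    b"\x63\x7c\x77\x7b\xf2\x6b\x6f\xc5" +  # start of the AES S-Box
    b"Secret Key: 12345\x00" +
    b"\x00" * 100
)

analyzer = MemoryAnalyzer(memory_data)

print("=== 内存分析结果 ===")

# Search for strings
strings = analyzer.search_strings()
print(f"\n发现 {len(strings)} 个字符串:")
for s in strings:
    print(f"  0x{s['offset']:08x}: {s['type']} - {repr(s['string'])}")

# Search for crypto constants
crypto = analyzer.find_crypto_constants()
print(f"\n发现 {len(crypto)} 个加密常量:")
for c in crypto:
    print(f"  {c['name']}: {[hex(offset) for offset in c['offsets']]}")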

经验分享

Android应用逆向分析

环境准备
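# Install the required tools
# 1. Install the Java JDK
# 2. Download the Android SDK
# 3. Install the reverse-engineering tools

# APK analysis tools
wget https://github.com/iBotPeaches/Apktool/releases/download/v2.7.0/apktool_2.7.0.jar
wget https://github.com/skylot/jadx/releases/download/v1.4.7/jadx-1.4.7.zip

# Print the SHA-256 of each download and compare it with the checksum the
# project publishes for that release, where one is available, before running
# the jar or unpacking the archive.
sha256sum apktool_2.7.0.jar jadx-1.4.7.zip

# Install the Python dependencies
pip install frida-tools androguard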
APK基础分析
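# apk_analyzer.py
import zipfile
import xml.etree.ElementTree as ET
import os
import hashlib
from androguard.core.bytecodes import apk, dvm
from androguard.core.analysis import analysis


class APKAnalyzer:
    """Static triage of an Android package using androguard.

    The APK is untrusted input. The substring-based checks below produce
    leads for manual review, not confirmed findings.
    """

    # Namespace prefix of android:* attributes in the parsed manifest.
    _ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

    def __init__(self, apk_path):
        self.apk_path = apk_path
        self.apk_obj = None
        self.dex_files = []

    def _loaded_apk(self):
        """Return the parsed APK, loading it on first use.

        Lets the other methods work without a prior basic_info() call.
        """
        if self.apk_obj is None:
            self.apk_obj = apk.APK(self.apk_path)
        return self.apk_obj

    def _iter_class_analyses(self):
        """Yield the class-analysis objects of every DEX file in the APK."""
        # get_all_dex() yields each classes*.dex payload. APK.get_dex()
        # returns only the bytes of classes.dex, so looping over it (as the
        # original did) iterates single byte values instead of DEX files.
        for dex in self._loaded_apk().get_all_dex():
            dx = analysis.Analysis(dvm.DalvikVMFormat(dex))
            yield from dx.get_classes()

    def basic_info(self):
        """Parse the APK and return its basic metadata as a dict."""
        self.apk_obj = apk.APK(self.apk_path)
        target = self.apk_obj
        return {
            'package_name': target.get_package(),
            'app_name': target.get_app_name(),
            'version_name': target.get_androidversion_name(),
            'version_code': target.get_androidversion_code(),
            'min_sdk': target.get_min_sdk_version(),
            'target_sdk': target.get_target_sdk_version(),
            'permissions': target.get_permissions(),
            'activities': target.get_activities(),
            'services': target.get_services(),
            'receivers': target.get_receivers(),
        }

    def extract_strings(self):
        """Return the string resources as a dict; empty if extraction fails."""
        strings = {}
        # Best-effort read of resources.arsc. ``except Exception`` replaces
        # the bare ``except`` so Ctrl-C is no longer swallowed.
        # NOTE(review): the exact androguard call chain is kept from the
        # original and was not checked against a specific version - confirm.
        try:
            resources = self._loaded_apk().get_android_resources()
            for string_name, string_value in resources.get_strings().items():
                strings[string_name] = string_value
        except Exception:
            pass
        return strings

    def analyze_manifest(self):
        """Collect exported components and custom permissions from the manifest.

        Returns:
            A dict with 'exported_components', 'custom_permissions',
            'intent_filters' and 'security_issues' lists, plus an 'error'
            string when the manifest could not be processed.
        """
        manifest = self._loaded_apk().get_android_manifest_xml()
        ns = self._ANDROID_NS

        analysis_result = {
            'exported_components': [],
            'custom_permissions': [],
            'intent_filters': [],
            'security_issues': [],
        }

        try:
            # Depending on the androguard version the manifest may already be
            # a parsed element rather than text; ET.fromstring() would reject
            # it and the method would only ever report 'error'.
            root = manifest if hasattr(manifest, 'iter') else ET.fromstring(manifest)

            # Components explicitly marked android:exported="true".
            # NOTE(review): a component that declares an <intent-filter> but
            # no android:exported attribute is exported by default for apps
            # targeting below API 31; those are not listed here.
            for component in root.iter():
                if component.tag in ['activity', 'service', 'receiver', 'provider']:
                    if component.get(ns + 'exported') == 'true':
                        analysis_result['exported_components'].append({
                            'type': component.tag,
                            'name': component.get(ns + 'name'),
                        })

            # Custom permissions declared by the app
            for permission in root.iter('permission'):
                analysis_result['custom_permissions'].append(
                    permission.get(ns + 'name')
                )
        except Exception as e:
            analysis_result['error'] = str(e)

        return analysis_result

    def find_crypto_usage(self):
        """Return instructions whose string operand mentions a crypto keyword.

        Returns:
            A list of dicts with 'class', 'method', 'pattern' and
            'instruction' keys.
        """
        crypto_patterns = [
            'javax.crypto', 'java.security',
            'AES', 'DES', 'RSA',
            'MD5', 'SHA1', 'SHA256',
            'encrypt', 'decrypt',
            'cipher', 'digest',
        ]
        # Matching is a case-insensitive substring test, so 'DES' also hits
        # words such as "description"; expect false positives.
        lowered = [(pattern, pattern.lower()) for pattern in crypto_patterns]

        found_crypto = []
        for class_analysis in self._iter_class_analyses():
            class_name = class_analysis.get_vm_class().get_name()
            for method in class_analysis.get_methods():
                method_name = method.get_method().get_name()
                for instruction in method.get_method().get_instructions():
                    if not hasattr(instruction, 'get_string'):
                        continue
                    instr_str = instruction.get_string()
                    haystack = instr_str.lower()
                    for pattern, needle in lowered:
                        if needle in haystack:
                            found_crypto.append({
                                'class': class_name,
                                'method': method_name,
                                'pattern': pattern,
                                'instruction': instr_str,
                            })

        return found_crypto

    def detect_obfuscation(self):
        """Estimate how heavily class and method names are obfuscated.

        Returns:
            A dict with 'level' ('low', 'medium' or 'high') and the raw
            'indicators' counters.
        """
        obfuscation_indicators = {
            'short_class_names': 0,
            'short_method_names': 0,
            'meaningless_names': 0,
        }

        for class_analysis in self._iter_class_analyses():
            class_name = class_analysis.get_vm_class().get_name()

            # Class name without package path and trailing ';'
            simple_name = class_name.split('/')[-1].replace(';', '')
            if len(simple_name) <= 2:
                obfuscation_indicators['short_class_names'] += 1
                # Single lower-case letter (a, b, c, ...). The original used
                # a substring test against the alphabet, which also counted
                # two-letter runs such as "ab" and the empty name.
                if len(simple_name) == 1 and 'a' <= simple_name <= 'z':
                    obfuscation_indicators['meaningless_names'] += 1

            for method in class_analysis.get_methods():
                method_name = method.get_method().get_name()
                if len(method_name) <= 2 and method_name not in ['<init>', '<clinit>']:
                    obfuscation_indicators['short_method_names'] += 1

        # Fixed thresholds on the combined count, independent of app size.
        total_indicators = sum(obfuscation_indicators.values())
        if total_indicators > 50:
            obfuscation_level = 'high'
        elif total_indicators > 20:
            obfuscation_level = 'medium'
        else:
            obfuscation_level = 'low'

        return {
            'level': obfuscation_level,
            'indicators': obfuscation_indicators,
        }


# Usage example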
def analyze_apk(apk_path):
    """Run every APKAnalyzer check on *apk_path* and print the results.

    Args:
        apk_path: Path of the APK file to analyse.
    """
    print(f"=== 分析APK: {apk_path} ===")
    apk_analyzer = APKAnalyzer(apk_path)

    # 1. Basic information; long lists are shown as a count only
    print("\n1. 基本信息:")
    for field, content in apk_analyzer.basic_info().items():
        is_long_list = isinstance(content, list) and len(content) > 5
        shown = f"{len(content)} 项" if is_long_list else content
        print(f"  {field}: {shown}")

    # 2. Manifest analysis
    print("\n2. Manifest分析:")
    for field, content in apk_analyzer.analyze_manifest().items():
        print(f"  {field}: {content}")

    # 3. Crypto usage; only the first five hits are shown
    print("\n3. 加密算法检测:")
    hits = apk_analyzer.find_crypto_usage()
    if not hits:
        print("  未发现明显的加密算法使用")
    for hit in hits[:5]:
        print(f"  {hit['class']}.{hit['method']}: {hit['pattern']}")

    # 4. Obfuscation estimate
    print("\n4. 代码混淆检测:")
    verdict = apk_analyzer.detect_obfuscation()
    print(f"  混淆级别: {verdict['level']}")
    print(f"  指标: {verdict['indicators']}")


# Note: a real APK file is required to run this
# analyze_apk("example.apk")
Frida动态分析
# frida_android_hook.py
import frida
import sys
import jsonclass AndroidHooker:def __init__(self, package_name):self.package_name = package_nameself.device = Noneself.session = Nonedef connect_device(self):"""连接Android设备"""try:self.device = frida.get_usb_device()print(f"[+] 连接到设备: {self.device}")return Trueexcept Exception as e:print(f"[-] 连接设备失败: {e}")return Falsedef attach_app(self):"""附加到应用进程"""try:self.session = self.device.attach(self.package_name)print(f"[+] 附加到应用: {self.package_name}")return Trueexcept Exception as e:print(f"[-] 附加应用失败: {e}")return Falsedef hook_crypto_functions(self):"""Hook加密相关函数"""script_code = """Java.perform(function() {console.log("[+] 开始Hook加密函数");// Hook AES加密try {var Cipher = Java.use("javax.crypto.Cipher");Cipher.doFinal.overload('[B').implementation = function(input) {console.log("[AES] doFinal called");console.log("[AES] Input: " + Java.use("android.util.Base64").encodeToString(input, 0));var result = this.doFinal(input);console.log("[AES] Output: " + Java.use("android.util.Base64").encodeToString(result, 0));return result;};console.log("[+] AES Hook 设置成功");} catch(e) {console.log("[-] AES Hook 失败: " + e);}// Hook MessageDigest (MD5, SHA等)try {var MessageDigest = Java.use("java.security.MessageDigest");MessageDigest.digest.overload('[B').implementation = function(input) {console.log("[HASH] digest called");console.log("[HASH] Algorithm: " + this.getAlgorithm());console.log("[HASH] Input: " + Java.use("java.lang.String").$new(input));var result = this.digest(input);console.log("[HASH] Output: " + Java.use("android.util.Base64").encodeToString(result, 0));return result;};console.log("[+] MessageDigest Hook 设置成功");} catch(e) {console.log("[-] MessageDigest Hook 失败: " + e);}});"""return self.execute_script(script_code)def hook_network_functions(self):"""Hook网络请求函数"""script_code = """Java.perform(function() {console.log("[+] 开始Hook网络函数");// Hook OkHttptry {var OkHttpClient = Java.use("okhttp3.OkHttpClient");var Request = 
Java.use("okhttp3.Request");OkHttpClient.newCall.implementation = function(request) {console.log("[HTTP] OkHttp Request:");console.log("[HTTP] URL: " + request.url().toString());console.log("[HTTP] Method: " + request.method());var headers = request.headers();console.log("[HTTP] Headers: " + headers.toString());return this.newCall(request);};console.log("[+] OkHttp Hook 设置成功");} catch(e) {console.log("[-] OkHttp Hook 失败: " + e);}// Hook HttpURLConnectiontry {var HttpURLConnection = Java.use("java.net.HttpURLConnection");HttpURLConnection.getResponseCode.implementation = function() {console.log("[HTTP] HttpURLConnection Request:");console.log("[HTTP] URL: " + this.getURL().toString());console.log("[HTTP] Method: " + this.getRequestMethod());var responseCode = this.getResponseCode();console.log("[HTTP] Response Code: " + responseCode);return responseCode;};console.log("[+] HttpURLConnection Hook 设置成功");} catch(e) {console.log("[-] HttpURLConnection Hook 失败: " + e);}});"""return self.execute_script(script_code)def hook_custom_class(self, class_name, method_name):"""Hook自定义类的方法"""script_code = f"""Java.perform(function() {{console.log("[+] Hook自定义类: {class_name}");try {{var TargetClass = Java.use("{class_name}");TargetClass.{method_name}.implementation = function() {{console.log("[CUSTOM] {method_name} called");console.log("[CUSTOM] Arguments: " + JSON.stringify(arguments));var result = this.{method_name}.apply(this, arguments);console.log("[CUSTOM] Return value: " + result);return result;}};console.log("[+] {class_name}.{method_name} Hook 设置成功");}} catch(e) {{console.log("[-] Hook失败: " + e);}}}});"""return self.execute_script(script_code)def bypass_ssl_pinning(self):"""绕过SSL证书绑定"""script_code = """Java.perform(function() {console.log("[+] 开始绕过SSL Pinning");// Hook OkHttp CertificatePinnertry {var CertificatePinner = Java.use("okhttp3.CertificatePinner");CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function(hostname, 
peerCertificates) {console.log("[SSL] 绕过证书检查: " + hostname);return;};console.log("[+] OkHttp SSL Pinning 绕过成功");} catch(e) {console.log("[-] OkHttp SSL Pinning 绕过失败: " + e);}// Hook TrustManagertry {var X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");var SSLContext = Java.use("javax.net.ssl.SSLContext");var TrustManager = Java.registerClass({name: "com.example.TrustManager",implements: [X509TrustManager],methods: {checkClientTrusted: function(chain, authType) {console.log("[SSL] checkClientTrusted bypassed");},checkServerTrusted: function(chain, authType) {console.log("[SSL] checkServerTrusted bypassed");},getAcceptedIssuers: function() {return [];}}});console.log("[+] TrustManager 绕过设置成功");} catch(e) {console.log("[-] TrustManager 绕过失败: " + e);}});"""return self.execute_script(script_code)def execute_script(self, script_code):"""执行Frida脚本"""try:script = self.session.create_script(script_code)script.on('message', self.on_message)script.load()return scriptexcept Exception as e:print(f"[-] 脚本执行失败: {e}")return Nonedef on_message(self, message, data):"""处理Frida消息"""if message['type'] == 'send':print(f"[Frida] {message['payload']}")elif message['type'] == 'error':print(f"[Error] {message['stack']}")# 使用示例
def hook_android_app(package_name):"""Hook Android应用"""hooker = AndroidHooker(package_name)if not hooker.connect_device():returnif not hooker.attach_app():returnprint("[+] 设置Hook...")# Hook加密函数hooker.hook_crypto_functions()# Hook网络函数hooker.hook_network_functions()# 绕过SSL Pinninghooker.bypass_ssl_pinning()# Hook自定义类(示例)# hooker.hook_custom_class("com.example.app.LoginActivity", "checkPassword")print("[+] Hook设置完成,开始监控...")try:sys.stdin.read()except KeyboardInterrupt:print("\n[+] 停止监控")# 使用方法:
# 1. 确保Android设备已连接并开启USB调试
# 2. 安装Frida Server到设备
# 3. 运行目标应用
# 4. 执行: hook_android_app("com.example.targetapp")
Native库分析
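# native_lib_analyzer.py
import struct
import os
from elftools.elf.elffile import ELFFile
from elftools.elf.sections import SymbolTableSection


class NativeLibAnalyzer:
    """Static inspection of a native shared library (.so) with pyelftools."""

    def __init__(self, so_path):
        self.so_path = so_path
        self.elf_file = None

    def load_elf(self):
        """Parse the ELF file.

        Returns:
            True on success, False (after printing the error) otherwise.
        """
        import io

        try:
            with open(self.so_path, 'rb') as f:
                image = f.read()
            # Parse from an in-memory copy. The original handed ELFFile the
            # file object and then left the ``with`` block, so the stream was
            # already closed by the time sections were read.
            self.elf_file = ELFFile(io.BytesIO(image))
            return True
        except Exception as e:
            print(f"[-] 加载ELF文件失败: {e}")
            return False

    def get_basic_info(self):
        """Return header-level facts about the library, or None if not loaded."""
        if not self.elf_file:
            return None

        header = self.elf_file.header
        return {
            'architecture': header['e_machine'],
            'entry_point': hex(header['e_entry']),
            'sections': self.elf_file.num_sections(),
            'segments': self.elf_file.num_segments(),
            'is_64bit': self.elf_file.elfclass == 64,
        }

    def extract_symbols(self):
        """Return the symbols grouped into 'exported', 'imported' and 'local'."""
        symbols = {
            'exported': [],
            'imported': [],
            'local': [],
        }
        if not self.elf_file:
            return symbols

        for section in self.elf_file.iter_sections():
            if not isinstance(section, SymbolTableSection):
                continue
            for symbol in section.iter_symbols():
                symbol_info = {
                    'name': symbol.name,
                    'value': hex(symbol['st_value']),
                    'size': symbol['st_size'],
                    'type': symbol['st_info']['type'],
                    'bind': symbol['st_info']['bind'],
                }
                # Global + undefined section index means the symbol is
                # resolved from another object at load time.
                if symbol['st_info']['bind'] != 'STB_GLOBAL':
                    symbols['local'].append(symbol_info)
                elif symbol['st_shndx'] == 'SHN_UNDEF':
                    symbols['imported'].append(symbol_info)
                else:
                    symbols['exported'].append(symbol_info)

        return symbols

    def find_strings(self, min_length=4):
        """Return printable-ASCII runs with the hex offset where each starts.

        Args:
            min_length: Shortest run to report.

        Returns:
            A list of dicts with 'offset' (hex string) and 'string' keys.
        """
        with open(self.so_path, 'rb') as f:
            data = f.read()

        strings = []
        current = []
        start = 0
        for i, byte in enumerate(data):
            if 32 <= byte <= 126:  # printable ASCII
                current.append(chr(byte))
                continue
            if len(current) >= min_length:
                strings.append({'offset': hex(start), 'string': ''.join(current)})
            current = []
            start = i + 1

        # A run that reaches the end of the file was previously dropped.
        if current and len(current) >= min_length:
            strings.append({'offset': hex(start), 'string': ''.join(current)})
        return strings

    def find_crypto_constants(self):
        """Return the first offset of each known crypto constant in the file.

        Returns:
            A list of dicts with 'algorithm' and 'offset' (hex string) keys.
        """
        # MD5_INIT assumes the words are stored little-endian and SHA1_INIT
        # big-endian; an implementation using the other byte order is missed.
        crypto_signatures = {
            'AES_SBOX': bytes([0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                               0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76]),
            'MD5_INIT': struct.pack('<4I', 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476),
            'SHA1_INIT': struct.pack('>5I', 0x67452301, 0xefcdab89, 0x98badcfe,
                                     0x10325476, 0xc3d2e1f0),
        }

        with open(self.so_path, 'rb') as f:
            data = f.read()

        found_crypto = []
        for name, signature in crypto_signatures.items():
            offset = data.find(signature)
            if offset != -1:
                found_crypto.append({'algorithm': name, 'offset': hex(offset)})
        return found_crypto

    def analyze_jni_functions(self):
        """Return the exported JNI entry points with their Java class and method.

        Returns:
            A list of dicts with 'native_name', 'java_class', 'java_method'
            and 'address' keys.
        """
        jni_functions = []

        for symbol in self.extract_symbols()['exported']:
            name = symbol['name']
            if not name.startswith('Java_'):
                continue

            # Java_<package>_<Class>_<method>[__<signature>]: the last part is
            # the method and everything before it is the qualified class
            # name. The original reported only the first package component as
            # the class and the second as the method.
            # JNI escapes (_1, _2, _3, _0xxxx) are not decoded here.
            mangled = name[len('Java_'):].split('__', 1)[0]
            parts = mangled.split('_')
            if len(parts) >= 3:
                jni_functions.append({
                    'native_name': name,
                    'java_class': '.'.join(parts[:-1]),
                    'java_method': parts[-1],
                    'address': symbol['value'],
                })

        return jni_functions


# Usage example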
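def analyze_native_lib(so_path):
    """Run every NativeLibAnalyzer check on *so_path* and print the results.

    Args:
        so_path: Path of the shared library to analyse.
    """
    print(f"=== 分析Native库: {so_path} ===")
    analyzer = NativeLibAnalyzer(so_path)

    if not analyzer.load_elf():
        return

    # 1. Basic information
    print("\n1. 基本信息:")
    basic_info = analyzer.get_basic_info()
    for key, value in basic_info.items():
        print(f"  {key}: {value}")

    # 2. Symbols
    print("\n2. 符号分析:")
    symbols = analyzer.extract_symbols()
    print(f"  导出符号: {len(symbols['exported'])} 个")
    print(f"  导入符号: {len(symbols['imported'])} 个")
    print(f"  本地符号: {len(symbols['local'])} 个")

    # 3. JNI functions; only the first five are shown
    print("\n3. JNI函数:")
    jni_functions = analyzer.analyze_jni_functions()
    for func in jni_functions[:5]:
        print(f"  {func['java_class']}.{func['java_method']} -> {func['native_name']}")

    # 4. Strings; only the first five are shown
    print("\n4. 字符串分析:")
    strings = analyzer.find_strings()
    print(f"  发现 {len(strings)} 个字符串")
    for s in strings[:5]:
        print(f"  {s['offset']}: {repr(s['string'])}")

    # 5. Crypto constants
    print("\n5. 加密算法检测:")
    crypto = analyzer.find_crypto_constants()
    if crypto:
        for c in crypto:
            # Separator added: name and offset were printed run together.
            print(f"  {c['algorithm']}: {c['offset']}")
    else:
        print("  未发现已知的加密算法常量")


# Note: a real .so file is required to run this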
# analyze_native_lib("libnative.so")
完整流程
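# android_reverse_workflow.py
import os
import subprocess
import json
from pathlib import Path


class AndroidReverseWorkflow:
    """Unpack, scan and prepare instrumentation for one APK.

    All output goes to ``reverse_analysis/`` under the current directory.
    The APK is untrusted input: unpack and decompile it in a disposable VM
    or container rather than on a workstation that holds other data.
    """

    def __init__(self, apk_path):
        self.apk_path = apk_path
        self.work_dir = Path("reverse_analysis")
        self.work_dir.mkdir(exist_ok=True)

    def step1_apk_extraction(self):
        """Step 1: unpack with apktool and decompile with jadx.

        Returns:
            False when apktool fails, True otherwise (a jadx failure is
            reported but does not stop the workflow).
        """
        print("=== 步骤1: APK解包 ===")

        # Argument lists instead of shell strings: the APK path is passed to
        # the tool as one argument and never parsed by a shell, so spaces or
        # shell metacharacters in the path cannot run extra commands.
        apktool_cmd = [
            "java", "-jar", "apktool.jar", "d", str(self.apk_path),
            "-o", str(self.work_dir / "apktool_output"),
        ]
        try:
            subprocess.run(apktool_cmd, check=True)
            print("[+] APK解包成功")
        except (subprocess.CalledProcessError, OSError):
            # OSError covers a missing ``java`` binary, which the shell form
            # reported as a non-zero exit status.
            print("[-] APK解包失败")
            return False

        # Directory reserved for extracted DEX files
        dex_dir = self.work_dir / "dex_files"
        dex_dir.mkdir(exist_ok=True)

        # Decompile with jadx
        jadx_cmd = ["jadx", "-d", str(self.work_dir / "jadx_output"), str(self.apk_path)]
        try:
            subprocess.run(jadx_cmd, check=True)
            print("[+] Java代码反编译成功")
        except (subprocess.CalledProcessError, OSError):
            print("[-] Java代码反编译失败")

        return True

    def step2_static_analysis(self):
        """Step 2: static analysis of whatever step 1 produced."""
        print("\n=== 步骤2: 静态分析 ===")

        manifest_path = self.work_dir / "apktool_output" / "AndroidManifest.xml"
        if manifest_path.exists():
            print("[+] 分析AndroidManifest.xml")
            self.analyze_manifest(manifest_path)

        java_dir = self.work_dir / "jadx_output"
        if java_dir.exists():
            print("[+] 分析Java代码")
            self.analyze_java_code(java_dir)

        lib_dir = self.work_dir / "apktool_output" / "lib"
        if lib_dir.exists():
            print("[+] 分析Native库")
            self.analyze_native_libs(lib_dir)

    def step3_dynamic_analysis(self):
        """Step 3: write the Frida script and print the command to run it."""
        print("\n=== 步骤3: 动态分析 ===")

        frida_script = self.generate_frida_script()
        script_path = self.work_dir / "frida_hook.js"
        # The script contains non-ASCII text; fix the encoding instead of
        # relying on the platform default.
        with open(script_path, 'w', encoding='utf-8') as f:
            f.write(frida_script)

        print(f"[+] Frida脚本已生成: {script_path}")
        print("[+] 使用以下命令进行动态分析:")
        # The package name in the printed command is a fixed example value.
        print(f"    frida -U -f com.example.app -l {script_path}")

    def analyze_manifest(self, manifest_path):
        """Placeholder: prints the planned manifest checks, parses nothing."""
        print("  - 权限分析")
        print("  - 组件分析")
        print("  - Intent过滤器分析")

    def analyze_java_code(self, java_dir):
        """Scan decompiled Java sources for keywords worth a manual look.

        Args:
            java_dir: Root directory of the jadx output.
        """
        # Lower-cased substring matches. Short entries such as 'su', 'key'
        # and 'url' match almost any source file, so the count is a rough
        # pointer, not a measure of risk.
        suspicious_patterns = [
            'password', 'secret', 'key', 'token',
            'encrypt', 'decrypt', 'cipher',
            'http', 'url', 'api',
            'root', 'su', 'shell',
        ]

        findings = []
        for java_file in java_dir.rglob("*.java"):
            try:
                with open(java_file, 'r', encoding='utf-8') as f:
                    content = f.read().lower()
            except (OSError, UnicodeDecodeError):
                # Unreadable or non-UTF-8 files are skipped; other errors
                # are no longer swallowed by a bare ``except``.
                continue
            for pattern in suspicious_patterns:
                if pattern in content:
                    findings.append({
                        'file': str(java_file.relative_to(java_dir)),
                        'pattern': pattern,
                    })

        print(f"  - 发现 {len(findings)} 个可疑模式")
        for finding in findings[:10]:  # first ten only
            print(f"    {finding['file']}: {finding['pattern']}")

    def analyze_native_libs(self, lib_dir):
        """List the native libraries found under *lib_dir*."""
        so_files = list(lib_dir.rglob("*.so"))
        print(f"  - 发现 {len(so_files)} 个Native库")
        for so_file in so_files:
            print(f"    {so_file.name}")

    def generate_frida_script(self):
        """Return the JavaScript source of the logging-only Frida script.

        The hooks log Cipher.doFinal sizes, URL creation and
        SharedPreferences writes, then call the original method. The
        SharedPreferences hook logs stored values verbatim, so its output
        can contain tokens or credentials.
        """
        script = """
Java.perform(function() {
    console.log("[+] Frida Hook 开始");

    // Hook 常用加密函数
    try {
        var Cipher = Java.use("javax.crypto.Cipher");
        Cipher.doFinal.overload('[B').implementation = function(input) {
            console.log("[Crypto] Cipher.doFinal called");
            console.log("[Crypto] Input length: " + input.length);
            var result = this.doFinal(input);
            console.log("[Crypto] Output length: " + result.length);
            return result;
        };
    } catch(e) {
        console.log("[-] Cipher hook failed: " + e);
    }

    // Hook 网络请求
    try {
        var URL = Java.use("java.net.URL");
        URL.$init.overload('java.lang.String').implementation = function(url) {
            console.log("[Network] URL created: " + url);
            return this.$init(url);
        };
    } catch(e) {
        console.log("[-] URL hook failed: " + e);
    }

    // Hook SharedPreferences
    try {
        var SharedPreferences = Java.use("android.content.SharedPreferences");
        var Editor = Java.use("android.content.SharedPreferences$Editor");
        Editor.putString.implementation = function(key, value) {
            console.log("[Storage] SharedPreferences.putString: " + key + " = " + value);
            return this.putString(key, value);
        };
    } catch(e) {
        console.log("[-] SharedPreferences hook failed: " + e);
    }

    console.log("[+] Frida Hook 设置完成");
});
"""
        return script

    def generate_report(self):
        """Write the JSON report skeleton to ``analysis_report.json``."""
        from datetime import datetime, timezone

        print("\n=== 生成分析报告 ===")

        report = {
            'apk_path': str(self.apk_path),
            # Previously this field held the current working directory.
            'analysis_date': datetime.now(timezone.utc).isoformat(),
            'findings': {
                'static_analysis': {},
                'dynamic_analysis': {},
                'recommendations': [],
            },
        }

        report_path = self.work_dir / "analysis_report.json"
        with open(report_path, 'w', encoding='utf-8') as f:
            json.dump(report, f, indent=2)

        print(f"[+] 分析报告已生成: {report_path}")

    def run_full_analysis(self):
        """Run all steps in order; stop early if unpacking fails."""
        print("开始Android应用逆向分析...")

        if not self.step1_apk_extraction():
            return

        self.step2_static_analysis()
        self.step3_dynamic_analysis()
        self.generate_report()

        print("\n=== 分析完成 ===")
        print(f"分析结果保存在: {self.work_dir}")


# Usage example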
def reverse_android_app(apk_path):
    """Run the complete AndroidReverseWorkflow on *apk_path*.

    Args:
        apk_path: Path of the APK file to analyse.
    """
    AndroidReverseWorkflow(apk_path).run_full_analysis()


# Run the analysis
# reverse_android_app("target_app.apk")

案例2: 简单软件注册机制分析

目标程序模拟
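// target.c - simulated target program
#include <stdio.h>
#include <string.h>

/*
 * Return 1 when the position-weighted character sum of key equals the
 * hard-coded value 12345, otherwise 0. A NULL key is rejected.
 *
 * NOTE(review): the check depends only on data present in the binary, so
 * anyone who reads it can compute accepting inputs. A licence check that
 * has to resist that verifies a signature made with a key the vendor keeps
 * private.
 */
int check_license(const char* key) {
    if (key == NULL) {
        return 0;
    }

    /* Take the length once instead of calling strlen() on every pass. */
    size_t len = strlen(key);
    int sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum += key[i] * (int)(i + 1);
    }
    return sum == 12345;  /* hard-coded expected value */
}

int main() {
    char key[100];

    printf("请输入注册码: ");
    /*
     * "%99s" bounds the read to the buffer; a bare "%s" lets a longer input
     * overflow key[] on the stack. The return value is checked so that key
     * is never read uninitialised when no input arrives.
     */
    if (scanf("%99s", key) != 1) {
        printf("注册码无效!\n");
        return 1;
    }

    if (check_license(key)) {
        printf("注册成功!\n");
    } else {
        printf("注册码无效!\n");
    }
    return 0;
}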
逆向分析脚本
def reverse_license_check():"""逆向分析注册算法"""target_sum = 12345print(f"目标和值: {target_sum}")print("分析算法: sum += key[i] * (i + 1)")# 尝试生成有效的注册码def generate_key():# 简单的暴力破解方法for length in range(1, 20):for base_char in range(ord('A'), ord('Z') + 1):key = chr(base_char) * lengthsum_val = sum(ord(key[i]) * (i + 1) for i in range(len(key)))if sum_val == target_sum:return key# 微调最后一个字符for adjust in range(-10, 11):if base_char + adjust < 32 or base_char + adjust > 126:continuetest_key = key[:-1] + chr(base_char + adjust)sum_val = sum(ord(test_key[i]) * (i + 1) for i in range(len(test_key)))if sum_val == target_sum:return test_keyreturn None# 数学方法求解def solve_mathematically():"""使用数学方法求解"""# 对于简单情况,我们可以构造一个解# 让第一个字符承担大部分权重# key[0] * 1 + key[1] * 2 + ... = 12345# 如果只用一个字符: char * 1 = 12345 (超出ASCII范围)# 如果用两个字符: char1 * 1 + char2 * 2 = 12345for char1 in range(32, 127):for char2 in range(32, 127):if char1 * 1 + char2 * 2 == target_sum:return chr(char1) + chr(char2)# 尝试三个字符for char1 in range(32, 127):for char2 in range(32, 127):remaining = target_sum - char1 * 1 - char2 * 2if remaining > 0 and remaining % 3 == 0:char3 = remaining // 3if 32 <= char3 <= 126:return chr(char1) + chr(char2) + chr(char3)return Noneprint("\n=== 暴力破解方法 ===")key1 = generate_key()if key1:print(f"找到有效注册码: {key1}")# 验证sum_val = sum(ord(key1[i]) * (i + 1) for i in range(len(key1)))print(f"验证: {sum_val} == {target_sum} -> {sum_val == target_sum}")print("\n=== 数学求解方法 ===")key2 = solve_mathematically()if key2:print(f"找到有效注册码: {key2}")# 验证sum_val = sum(ord(key2[i]) * (i + 1) for i in range(len(key2)))print(f"验证: {sum_val} == {target_sum} -> {sum_val == target_sum}")# 运行逆向分析
reverse_license_check()

案例3: 网络协议逆向

协议逆向实例
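import socket
import struct
import threading
import time


class ProtocolReverser:
    """Lab listener that records packets of a simple framed protocol.

    The assumed frame is ``[magic:2][cmd:2][length:4][data:n]``, big-endian.
    """

    def __init__(self):
        # One dict per received chunk: timestamp, source address, raw bytes.
        self.captured_packets = []

    def capture_traffic(self, host, port):
        """Start a background thread that accepts connections on host:port.

        Args:
            host: Address to bind to.
            port: TCP port to listen on.
        """
        def server_thread():
            server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            server.bind((host, port))
            server.listen(1)
            print(f"[*] 监听 {host}:{port}")

            while True:
                try:
                    client, addr = server.accept()
                    # ``with`` closes the connection even when handling it
                    # raises; the original leaked the socket in that case.
                    with client:
                        print(f"[+] 连接来自 {addr}")
                        while True:
                            # Each recv() result is treated as one packet.
                            # TCP does not preserve message boundaries, so a
                            # frame may arrive split or merged with the next.
                            data = client.recv(1024)
                            if not data:
                                break

                            self.captured_packets.append({
                                'timestamp': time.time(),
                                'source': addr,
                                'data': data,
                            })
                            print(f"[DATA] {len(data)} 字节: {data.hex()}")

                            # Send the simulated reply
                            client.sendall(self.generate_response(data))
                except Exception as e:
                    print(f"[ERROR] {e}")

        thread = threading.Thread(target=server_thread)
        thread.daemon = True
        thread.start()

    def generate_response(self, request):
        """Build the reply for one request.

        Args:
            request: The raw bytes received from the client.

        Returns:
            A frame with the same magic, the command with bit 15 set and the
            payload ``b"OK"``, or ``b"ERROR"`` when *request* is shorter than
            the 8-byte header.
        """
        if len(request) < 8:
            return b"ERROR"

        magic, cmd, length = struct.unpack('>HHI', request[:8])
        # ``length`` is whatever the peer claims; it is printed but not
        # compared with the number of bytes that actually follow the header.
        print(f"[PROTOCOL] Magic: 0x{magic:04x}, Cmd: {cmd}, Length: {length}")

        response_data = b"OK"
        # OR-ing the reply bit keeps the value within 16 bits. The former
        # ``cmd + 0x8000`` made struct.pack fail for any cmd >= 0x8000, which
        # a peer could use to break the connection handler.
        reply_cmd = (cmd | 0x8000) & 0xFFFF
        return struct.pack('>HHI', magic, reply_cmd, len(response_data)) + response_data

    def analyze_patterns(self):
        """Print the header fields of every captured packet and their ranges."""
        print("\n=== 协议分析结果 ===")

        if not self.captured_packets:
            print("没有捕获到数据包")
            return

        # Collect the headers of all packets long enough to have one
        headers = [
            struct.unpack('>HHI', packet['data'][:8])
            for packet in self.captured_packets
            if len(packet['data']) >= 8
        ]

        print(f"分析了 {len(headers)} 个包头:")
        for i, (magic, cmd, length) in enumerate(headers):
            print(f"  包 {i+1}: Magic=0x{magic:04x}, Cmd={cmd}, Length={length}")

        # Value ranges across the capture
        if headers:
            magic_values = [h[0] for h in headers]
            cmd_values = [h[1] for h in headers]
            print(f"\nMagic值范围: 0x{min(magic_values):04x} - 0x{max(magic_values):04x}")
            print(f"命令值范围: {min(cmd_values)} - {max(cmd_values)}")


# Simulated client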
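def simulate_client():
    """Send three sample frames to localhost:8888 and print each reply in hex.

    Socket errors are printed, not raised, so the demo thread always ends.
    """
    time.sleep(1)  # give the listener time to bind

    # Frames follow [magic:2][cmd:2][length:4][data:n], big-endian.
    test_packets = [
        struct.pack('>HHI', 0x1234, 1, 4) + b"test",
        struct.pack('>HHI', 0x1234, 2, 5) + b"hello",
        struct.pack('>HHI', 0x1234, 3, 3) + b"bye",
    ]

    try:
        # The context manager closes the socket even if an exchange fails midway.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
            # Bound every blocking call so a silent peer cannot hang this thread.
            client.settimeout(5)
            client.connect(('localhost', 8888))
            for packet in test_packets:
                client.sendall(packet)
                response = client.recv(1024)
                print(f"[CLIENT] 收到响应: {response.hex()}")
                time.sleep(0.5)
    except OSError as e:
        print(f"[CLIENT ERROR] {e}")


# Run the protocol demo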
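reverser = ProtocolReverser()
# Loopback only: the listener accepts and stores whatever connects to it.
reverser.capture_traffic('localhost', 8888)

# Start the simulated client
client_thread = threading.Thread(target=simulate_client)
client_thread.start()

# Wait for the client to finish instead of sleeping a fixed time, so the
# analysis always sees every exchange; the timeout bounds the wait if the
# client stalls.
client_thread.join(timeout=5)
reverser.analyze_patterns()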

进阶

1. 反调试检测绕过

反调试检测脚本
import ctypes
from ctypes import wintypes
import time


class AntiDebugDetector:
    """Three debugger-presence checks built on Win32 calls through ctypes.

    Each method prints a message and returns True when its check fires,
    otherwise returns False.
    """

    def __init__(self) -> None:
        # ctypes.windll exists only on Windows; elsewhere these lookups
        # raise AttributeError.
        self.kernel32 = ctypes.windll.kernel32
        self.ntdll = ctypes.windll.ntdll

    def check_debugger_present(self) -> bool:
        """Check for an attached debugger via IsDebuggerPresent, then the PEB flag."""
        # IsDebuggerPresent API
        if self.kernel32.IsDebuggerPresent():
            print("[!] 检测到调试器 (IsDebuggerPresent)")
            return True
        # PEB check: reads one byte at offset 2 from the returned address.
        # NOTE(review): NtCurrentPeb looks like a header-level inline, not an
        # ntdll export (RtlGetCurrentPeb is the exported routine). If the
        # lookup fails, the bare except below hides it and this branch never
        # reports anything. Confirm on a Windows host.
        # NOTE(review): no restype is set, so ctypes treats the result as a
        # C int; on 64-bit Windows that presumably truncates the address.
        try:
            peb_addr = self.ntdll.NtCurrentPeb()
            being_debugged = ctypes.c_ubyte.from_address(peb_addr + 2).value
            if being_debugged:
                print("[!] 检测到调试器 (PEB.BeingDebugged)")
                return True
        except:
            # Every failure here, including a missing export, is silently ignored.
            pass
        return False

    def timing_check(self) -> bool:
        """Time an empty 1000-iteration loop and flag runs slower than 10 ms."""
        start = time.perf_counter()
        # Run a trivial workload
        for i in range(1000):
            pass
        end = time.perf_counter()
        elapsed = end - start
        # A long run time may mean single-stepping.
        # NOTE(review): wall time for an interpreted loop also depends on
        # machine load, so this is a hint, not proof.
        if elapsed > 0.01:  # 10 ms threshold
            print(f"[!] 时间异常: {elapsed:.6f}s (可能在调试)")
            return True
        return False

    def hardware_breakpoint_check(self) -> bool:
        """Check whether any of the debug address registers Dr0-Dr3 is non-zero."""
        # NOTE(review): the Win32 CONTEXT structure is architecture-specific
        # and much larger than these six DWORDs, and callers normally set
        # ContextFlags to request the debug registers. As written the buffer
        # looks too small for what GetThreadContext fills in. Confirm against
        # the SDK headers and use the full definition before relying on this.
        class CONTEXT(ctypes.Structure):
            _fields_ = [
                ("Dr0", wintypes.DWORD),
                ("Dr1", wintypes.DWORD),
                ("Dr2", wintypes.DWORD),
                ("Dr3", wintypes.DWORD),
                ("Dr6", wintypes.DWORD),
                ("Dr7", wintypes.DWORD),
            ]
        try:
            context = CONTEXT()
            thread_handle = self.kernel32.GetCurrentThread()
            if self.kernel32.GetThreadContext(thread_handle, ctypes.byref(context)):
                # Dr6 and Dr7 are declared above but not read.
                if context.Dr0 or context.Dr1 or context.Dr2 or context.Dr3:
                    print("[!] 检测到硬件断点")
                    return True
        except:
            # Failures are swallowed; a failing call therefore reads as "no breakpoints".
            pass
        return False


# Bypass technique examples
def bypass_anti_debug():
    """Print the names of four counters to the checks above; nothing is hooked or patched.

    Each in-process check has a listed counter, so a result from these
    checks is a signal to weigh, not a guarantee.
    """
    lines = (
        "=== 反调试绕过技术 ===",
        # 1. API hooking
        "1. Hook IsDebuggerPresent返回False",
        # 2. Memory patching
        "2. 修改PEB.BeingDebugged标志",
        # 3. Timing spoofing
        "3. Hook时间相关API",
        # 4. Exception handling
        "4. 设置异常处理器",
    )
    for line in lines:
        print(line)


# Run the checks
detector = AntiDebugDetector()
print("=== 反调试检测 ===")

# Run the three checks in the same order as before; each prints its own
# finding and the return values are not used here.
for run_check in (
    detector.check_debugger_present,
    detector.timing_check,
    detector.hardware_breakpoint_check,
):
    run_check()

bypass_anti_debug()

2. 代码混淆分析

混淆代码分析器
import ast
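import re


class ObfuscationAnalyzer:
    """Static, regex-based triage of Python source for common obfuscation markers.

    The sample is only ever handled as text; nothing in it is imported,
    compiled or executed.
    """

    def __init__(self):
        # Category name -> regexes whose presence suggests that technique.
        self.patterns = {
            'string_obfuscation': [
                r'chr\(\d+\)',  # chr(65) + chr(66)
                r'\\x[0-9a-fA-F]{2}',  # \x41\x42
                r'base64\.b64decode',  # base64 decoding
            ],
            'control_flow': [
                r'exec\(',  # dynamic execution
                r'eval\(',  # dynamic evaluation
                r'compile\(',  # dynamic compilation
            ],
            'name_mangling': [
                r'[a-zA-Z_][a-zA-Z0-9_]*_{2,}[a-zA-Z0-9_]*',  # runs of underscores
                r'[Il1O0]{3,}',  # look-alike characters
            ]
        }

    def analyze_code(self, code):
        """Return the obfuscation level, matched categories and sample matches for *code*.

        ``techniques`` gets one entry per matching pattern, so a category can
        appear more than once; the level is derived from that count
        (more than 3 -> 'high', more than 1 -> 'medium', otherwise 'low').
        ``suspicious_patterns`` holds at most five matches per pattern.
        """
        results = {
            'obfuscation_level': 'low',
            'techniques': [],
            'suspicious_patterns': []
        }

        for category, patterns in self.patterns.items():
            for pattern in patterns:
                matches = re.findall(pattern, code)
                if matches:
                    results['techniques'].append(category)
                    results['suspicious_patterns'].extend(matches[:5])  # at most 5 examples

        hits = len(results['techniques'])
        if hits > 3:
            results['obfuscation_level'] = 'high'
        elif hits > 1:
            results['obfuscation_level'] = 'medium'
        return results

    def deobfuscate_strings(self, code):
        """Return *code* with ``chr(N)`` calls and ``\\xHH`` escapes made readable.

        The rewrite is textual and conservative: anything that cannot be
        shown safely is left exactly as it was, so a hostile sample can
        neither crash the analyzer nor end up with unbalanced quotes.
        """

        def replace_chr(match):
            try:
                # repr() quotes and escapes the character itself, so quotes,
                # backslashes and control characters still form a valid literal.
                return repr(chr(int(match.group(1))))
            except (ValueError, OverflowError):
                # Number outside the Unicode range, or too long to convert.
                return match.group(0)

        def replace_hex(match):
            value = int(match.group(1), 16)
            # Only printable ASCII is substituted. Quotes and the backslash stay
            # escaped because the raw character could end or alter the
            # surrounding string literal.
            if 0x20 <= value <= 0x7e and chr(value) not in "'\"\\":
                return chr(value)
            return match.group(0)

        deobfuscated = re.sub(r'chr\((\d+)\)', replace_chr, code)
        deobfuscated = re.sub(r'\\x([0-9a-fA-F]{2})', replace_hex, deobfuscated)
        return deobfuscated


# Obfuscated sample for the test run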
# Sample input. It is only passed around as text; the exec() line inside the
# string is never run by this script.
obfuscated_code = '''
import base64
exec(base64.b64decode(b'cHJpbnQoImhlbGxvIHdvcmxkIik='))
password = chr(112) + chr(97) + chr(115) + chr(115)
def ___Il1O0O1l___(x):return x + "\\x20\\x77\\x6f\\x72\\x6c\\x64"
'''

analyzer = ObfuscationAnalyzer()
findings = analyzer.analyze_code(obfuscated_code)

print("=== 混淆分析结果 ===")
for label, field in (
    ("混淆级别", 'obfuscation_level'),
    ("检测到的技术", 'techniques'),
    ("可疑模式", 'suspicious_patterns'),
):
    print(f"{label}: {findings[field]}")

print("\n=== 去混淆尝试 ===")
cleaned = analyzer.deobfuscate_strings(obfuscated_code)
print("去混淆后的代码:")
print(cleaned)

3. 自动化分析工具

综合分析框架
import os
import hashlib
import json
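from datetime import datetime


class ReverseEngineeringFramework:
    """Run a set of analysis plugins over one file and assemble a JSON report."""

    def __init__(self):
        self.analysis_results = {}
        self.plugins = []

    def add_plugin(self, plugin):
        """Register *plugin*; it must offer ``name`` and ``analyze(data, filepath)``."""
        self.plugins.append(plugin)

    def analyze_file(self, filepath):
        """Return file metadata plus each plugin's result for *filepath*.

        A missing path yields ``{"error": "文件不存在"}``. A plugin that
        raises is recorded as ``{"error": <message>}`` under its name and
        the remaining plugins still run. The whole file is read into memory.
        """
        if not os.path.exists(filepath):
            return {"error": "文件不存在"}

        # One open, one read: the hashes in file_info describe exactly the
        # bytes the plugins receive, even if the path is rewritten or
        # replaced while the analysis is running.
        file_info, data = self._read_with_info(filepath)
        results = {"file_info": file_info}

        for plugin in self.plugins:
            try:
                results[plugin.name] = plugin.analyze(data, filepath)
            except Exception as e:
                results[plugin.name] = {"error": str(e)}
        return results

    def get_file_info(self, filepath):
        """Return name, size, MD5, SHA-256 and timestamps for *filepath*."""
        return self._read_with_info(filepath)[0]

    def _read_with_info(self, filepath):
        """Read *filepath* once and return ``(info_dict, data)`` from the same handle."""
        with open(filepath, 'rb') as f:
            # fstat on the open handle, so metadata and content come from the same file.
            stat = os.fstat(f.fileno())
            data = f.read()
        info = {
            "filename": os.path.basename(filepath),
            "size": stat.st_size,
            # MD5 is handy for lookups in existing indexes but collisions can
            # be produced; use the SHA-256 value to identify the sample.
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            # st_ctime is creation time on Windows; on Unix it is the time of
            # the last metadata change.
            "created": datetime.fromtimestamp(stat.st_ctime).isoformat(),
            "modified": datetime.fromtimestamp(stat.st_mtime).isoformat(),
        }
        return info, data

    def generate_report(self, results):
        """Return *results* wrapped with a timestamp and summary as indented JSON text."""
        report = {
            "timestamp": datetime.now().isoformat(),
            "analysis_results": results,
            "summary": self.generate_summary(results)
        }
        return json.dumps(report, indent=2, ensure_ascii=False)

    def generate_summary(self, results):
        """Derive a short summary from plugin results.

        ``risk_level`` is reported as "low" in every case; nothing here
        raises it.
        """
        summary = {
            "file_type": "unknown",
            "risk_level": "low",
            "key_findings": []
        }

        if "pe_analyzer" in results:
            summary["file_type"] = "PE"

        if "string_analyzer" in results:
            strings = results["string_analyzer"].get("strings", [])
            # Substring match only: a pointer for manual review.
            if any("password" in s.lower() for s in strings):
                summary["key_findings"].append("发现密码相关字符串")
        return summary


# Base class for analysis plugins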
class AnalysisPlugin:
    """Common base for plugins: holds the name that keys the plugin's result."""

    def __init__(self, name):
        self.name = name

    def analyze(self, data, filepath):
        """Analyse *data* (the file's bytes); subclasses must override this."""
        raise NotImplementedError()


# String-extraction plugin
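class StringAnalyzer(AnalysisPlugin):
    """Extract runs of four or more printable ASCII bytes and sort them into rough categories."""

    def __init__(self):
        super().__init__("string_analyzer")

    def analyze(self, data, filepath):
        """Return the string count, keyword categories and the first 50 strings found in *data*.

        The categories are plain substring matches meant for triage; a hit
        in "passwords" or "keys" is a pointer for review, not a finding.
        """
        import re  # function-scope import, as the entropy plugin does

        # One pass over the bytes; unlike a loop that only stores a run when
        # a non-printable byte follows it, this also keeps a run that
        # reaches the end of the data.
        strings = [
            run.decode('ascii')
            for run in re.findall(rb'[\x20-\x7e]{4,}', data)
        ]

        categories = {
            "urls": [s for s in strings if "http" in s.lower()],
            "emails": [s for s in strings if "@" in s and "." in s],
            "passwords": [s for s in strings if "pass" in s.lower()],
            "keys": [s for s in strings if "key" in s.lower()],
        }
        return {
            "total_strings": len(strings),
            "categories": categories,
            "strings": strings[:50]  # first 50 strings
        }


# Entropy plugin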
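class EntropyAnalyzer(AnalysisPlugin):
    """Compute the Shannon entropy of the file's bytes (0 to 8 bits per byte)."""

    def __init__(self):
        super().__init__("entropy_analyzer")

    def analyze(self, data, filepath):
        """Return the entropy of *data* with a low/medium/high assessment.

        Above 7.5 the result is "high" (data may be encrypted or
        compressed), above 6.0 "medium" (may be encoded), otherwise "low".
        """
        from collections import Counter
        import math

        if not data:
            # Same keys as the non-empty case, so callers can always read
            # "assessment".
            return {"entropy": 0, "assessment": "low"}

        length = len(data)
        entropy = 0
        for count in Counter(data).values():
            p = count / length
            entropy -= p * math.log2(p)

        analysis = {
            "entropy": entropy,
            "assessment": "low"
        }
        if entropy > 7.5:
            analysis["assessment"] = "high"
            analysis["note"] = "可能包含加密或压缩数据"
        elif entropy > 6.0:
            analysis["assessment"] = "medium"
            analysis["note"] = "可能包含编码数据"
        return analysis


# Usage example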
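framework = ReverseEngineeringFramework()
framework.add_plugin(StringAnalyzer())
framework.add_plugin(EntropyAnalyzer())

# Create the sample file (placeholder content made up for the demo)
test_path = "test_file.bin"
test_data = b"Hello World! This is a test file with some passwords: admin123, secret_key_here"
with open(test_path, "wb") as f:
    f.write(test_data)

try:
    # Analyse the file
    results = framework.analyze_file(test_path)
    report = framework.generate_report(results)
    print("=== 自动化分析报告 ===")
    print(report)
finally:
    # Remove the sample even when analysis or report generation fails, so
    # no stray file is left in the working directory.
    os.remove(test_path)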

记住,逆向工程是一门需要大量实践的技术,多练习、多思考是提高的关键!
