This post was last edited by Summer on 2025-10-14 10:59
A virtual camera by an author whose earlier version I cracked before has posted a video on Bilibili.

The previous version I cracked was also cracked. Link: [visible after login]. Recently a client asked me to crack another version of the virtual camera by the same author, so I studied it briefly. Check the shell first: Bangbang free hardening, relatively simple, with just a simple Frida detection. The link above gives a very detailed analysis of the hardening and detection in the Bangbang free version, using various tools such as eBPF. Hooking with Frida first, there were signs of crashing; it may be that the script was injected too early, or that the address was inaccessible when the hook was ready. By adjusting the script's hook code and, in general, delaying the Frida injection a bit, the injection crashes were solved.

Hooking its activation process gets the data returned by the activation; it needs to request the server for verification, and it obtains the activation timestamp. The user is then given time by calculating the time difference.

This virtual camera also requests root permissions; otherwise there is no cross-process communication. In total, this camera starts three processes. The first is the main process of the camera app, which handles the cross-process communication between the Java layer and the C++ layer. The second is started when the main process, through the Java layer, runs the binary executable vcmplay with input parameters on the command line; this process is mainly responsible for the cross-process communication between the camera's main process, vcmplay, and the libvc.so injected into the system's camera service (cameraserver), and the main way of communication is IBinder. The third is the .so file injected into the system's cameraserver service. If the application cannot obtain root privileges, or there is a network problem, the process will fail to start.

This camera needs an activation code to activate and use. By analyzing the Java layer, all of its interfaces were hooked out. Activation requires requesting the server to obtain the verification information. The data obtained is all encrypted. By analyzing the vcmplay binary executable, we can tell that the requested data is RSA-encrypted; the key was located through the eBPF tool stackplz, and the encryption key is 128 bits.

One more word: this application is very cunning. It added a .so suffix to vcmplay, which makes people think it is an SO file that needs to be loaded into Java's memory, but it is actually another process. When I hooked libvc.so in the camera service (cameraserver), I found that Frida crashed the camera service as soon as it attached. I did not know whether it was detected. I analyzed it for a long time, and accidentally found that once vcmplay died, the hook worked. It is suspected that it is the vcmplay process that detects hooks in the cameraserver process. I used IDA to debug the vcmplay process and found that it still had anti-debugging: it scans TracerPid in /proc/self/status to determine whether it is being debugged. What was even more terrifying was that its response to detecting a debugger was not a program crash; it actually deleted important files in the Android system through root permissions, and then the phone rebooted into a double-wipe state, the system had to be initialized before it could be entered, and everything on the phone was gone. I wrote a kernel hook module (KPM) via KernelPatch and bypassed the anti-debugging.

After several sleepless nights here, the general logic has been figured out, and it is estimated that it will not be easy to crack. To be continued......