本文的主角是一款安卓机床，我们去年看到的微gou改机,一年多的时间已经发展到一定的用户规模。

从最初的QQ群广告，到现在有三个品牌(VS*师、武*宝、新圩沟)，六个商家，1300个帖子的论坛，3000个用户的社交群。显然，这一年多来，微苟的小日子过得还挺舒心的……建议各公司尽快抓紧…

抓包分析

这台机床不同于传统机床，需要先刷指定的ROM，再通过改机工具修改指定的参数.通过数据包的捕获和解密，我们得到了与机器修改相关的数据，相关字段有80多个，主要是设备中需要修改的数据。

数据包捕获解密字段：

{ 'accountPassword': ' '，' androidId': ' '，' androidVer': ' '，' api': ' '，' appInstallTime': ' '，' appPackages': ' '，' arpMac': ' '，' backupFileName': ' '，' board': ' '，' bootId': ' '，' brand ' : ' '，' BSB

"networkTor":"", "networkType":, "newAdd":, "p2p0MAC":"", "pathMessage":"", "phoneNumber":"", "phoneType":, "product":"", "recoveryId0":"", "recoveryId1":"", "remainDevice":"", "scaledDensity":, "sdCardCid0":"", "sdCardCid1":"", "serial":"", "simSerial":"", "simState":, "simopeName":"", "survivalVersion":"", "taskId":"", "taskSubId":"", "time":, "type":, "updateTime":"", "used":, "versionId":"", "whereDay":, "width":, "wifiMac":"", "wifiName":"", "xdpi":, "ydpi":}

其中，deviceFile字段是一个链接，下载下来是比较全面的设备改机数据，整体的逻辑为外层的字段和下载的设备数据结合起来，做为一个完整的设备信息。

通过http://*/api/DeviceInfoFile/getDeviceListByVersion接口可获取所有可改的机型，目前机型300+，涵盖主流安卓机型。同一个机型的deviceFile链接为同一个，这也意味着，propset里面会存在一些固定的字段。设备都较为老旧，最高只到Android 9，几乎没有新机型，不排除后续更新的可能。

逆向分析

点击一键新机后，进入com.mingning179.data.ClientUtil.apply，清理完上次改机的信息后，进入com.mingning179.commonutils.ConversionUtil.conversion函数：

这个函数首先进行了一些设备信息的修改。然后调用各个Util类，将所有设备信息通过自定义的系统类，反射调用SystemProperties.set，保存到prop里面，供framework层以及service层的改机代码获取设备信息。当然这个prop是有权限控制的，普通应用读不到，需要system权限。

root 授权

通过App界面授权后，最终会将被授权App的uid 写入到/dev/wgzs/fsconf 中的wg.cust.grant_su

wg.cust.destUids=10079wg.cust.emulated=4096,4096,6522359,5031618,5031618,6317056,5036738,5036738,66327,1038,255wg.cust.system=4096,4096,617098,67446,63350,159360,150930,150930,18446744071771954271,4097,255wg.cust.data=4096,4096,6522359,5031618,5031618,6317056,5036738,5036738,66327,1038,255wg.cust.SIMUNET_TYPE=bond0,wlan0,p2p0,dummy0wg.cust.SIMUNET_wlan0_MAC=90:94:97:4b:68:67wg.cust.SIMUNET_dummy0_MAC=36:52:fc:24:0c:8ewg.cust.SIMUNET_p2p0_MAC=92:94:97:4b:68:67wg.cust.SIMUNET_bond0_MAC=52:a8:f1:b0:b4:d7wg.cust.SIMUNET_wlan0_IP6=fe80000000000000929497fffe4b6867wg.cust.SIMUNET_dummy0_IP6=fe800000000000003452fcfffe240c8e/sys/class/power_supply/battery/temp=/dev/wgzs/files/battery/temp/sys/class/power_supply/battery/voltage_now=/dev/wgzs/files/battery/voltage_now/sys/class/power_supply/battery/technology=/dev/wgzs/files/battery/technology/sys/class/power_supply/battery/status=/dev/wgzs/files/battery/status/sys/class/power_supply/battery/health=/dev/wgzs/files/battery/health/sys/class/power_supply/battery/capacity=/dev/wgzs/files/battery/capacity/sys/class/power_supply/battery/present=/dev/wgzs/files/battery/present/sys/devices/qpnp-charger-f04f1000/power_supply/battery/capacity=/dev/wgzs/files/devices/qpnp-charger-f04f1000/power_supply/battery/capacity/proc/meminfo=/dev/wgzs/meminfo/proc/cpuinfo=/dev/wgzs/files/cpuinfo/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpufreq/policy0/scaling_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpufreq/policy4/cpuinfo_max_freq=/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu1/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu2/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu2/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu3/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu3/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu4/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu4/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu5/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu5/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu6/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu6/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu7/cpufreq/cpuinfo_max_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/cpuinfo_max_freq/sys/devices/system/cpu/cpu7/cpufreq/scaling_max_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/scaling_max_freq/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpufreq/policy0/scaling_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpufreq/policy0/scaling_cur_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpufreq/policy0/scaling_min_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpufreq/policy0/scaling_cur_freq=/dev/wgzs/files/cpu/cpu0/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu1/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu1/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu2/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu2/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu2/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu2/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu3/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu3/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu3/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu3/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu4/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu4/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu4/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu4/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu5/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu5/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu5/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu5/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu6/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu6/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu6/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu6/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu7/cpufreq/cpuinfo_min_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/cpuinfo_min_freq/sys/devices/system/cpu/cpu7/cpufreq/scaling_min_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/scaling_min_freq/sys/devices/system/cpu/cpu7/cpufreq/scaling_cur_freq=/dev/wgzs/files/cpu/cpu7/cpufreq/scaling_cur_freq/sys/devices/system/cpu/cpu0=/dev/wgzs/files/cpu/cpu0/sys/devices/system/cpu/cpu1=/dev/wgzs/files/cpu/cpu1/sys/devices/system/cpu/cpu2=/dev/wgzs/files/cpu/cpu2/sys/devices/system/cpu/cpu3=/dev/wgzs/files/cpu/cpu3/sys/devices/system/cpu/cpu4=/dev/wgzs/files/cpu/cpu4/sys/devices/system/cpu/cpu5=/dev/wgzs/files/cpu/cpu5/sys/devices/system/cpu/cpu6=/dev/wgzs/files/cpu/cpu6/sys/devices/system/cpu/cpu7=/dev/wgzs/files/cpu/cpu7/sys/devices/system/cpu=/dev/wgzs/files/cpu/sys/devices/system/cpu/online=/dev/wgzs/files/cpu/online/sys/devices/system/cpu/possible=/dev/wgzs/files/cpu/possible/sys/devices/system/cpu/present=/dev/wgzs/files/cpu/present/sys/devices/system/cpu/offline=/dev/wgzs/files/cpu/offline/proc/net/if_inet6=/dev/wgzs/files/fileFilter/net/if_inet6/proc/net/arp=/dev/wgzs/files/fileFilter/net/arp/proc/net/dev=/dev/wgzs/files/fileFilter/net/dev/proc/net/igmp=/dev/wgzs/files/fileFilter/net/igmp/proc/net/igmp6=/dev/wgzs/files/fileFilter/net/igmp6/proc/net/route=/dev/wgzs/files/fileFilter/net/route/system/etc/selinux/plat_property_contexts=/dev/wgzs/files/plat_property_contexts/proc/net/ipv6_route=/dev/wgzs/files/fileFilter/net/ipv6_route/proc/net/xt_qtaguid/iface_stat_all=/dev/wgzs/files/fileFilter/net/xt_qtaguid/iface_stat_all/proc/net/xt_qtaguid/iface_stat_fmt=/dev/wgzs/files/fileFilter/net/xt_qtaguid/iface_stat_fmt/proc/net/xt_qtaguid/stats=/dev/wgzs/files/fileFilter/net/xt_qtaguid/stats/sys/bus/virtio=/system/lost+foundwg.cust.uts_name=Linux,localhost,3.18.66-g7730a1a,#1 SMP PREEMPT Tue Mar 20 11:53:15 CST 2018,aarch64,localdomainwg.cust.stat.filter=lineage,Lineage,cyanogenmod,wgzs,ppp0,eth0,tun0,TWRP,/dev/socket/mtpd,twrpwg.cust.file.filter=/net/xt_qtaguid/stats,/net/if_inet6,/net/ipv6_route,/net/xt_qtaguid/iface_stat_all,/net/xt_qtaguid/iface_stat_fmt,/net/arp,/net/igmp,/net/igmp6,/net/route,/net/dev_mcast,/net/maps,/sys/devices/soc0,/net/devwg.cust.file.filter.prefix=/dev/wgzs/files/fileFilter/storage/emulated/0/.temp.txt=/dev/wgzs/properties/dev/wgzs/properties=/dev/null/property_contexts=/dev/wgzs/files/property_contextswg.cust.cpuinfo=1401000,960000,1401000,960000,0/proc/sys/kernel/random/boot_id=/dev/wgzs/files/boot_id/storage/emulated/0/MobileAnJian=/storage/emulated/0/nullFile/storage/emulated/0/backUpFiles=/dev/z0wg.cust.grant_su=10079,10103,1000wg.cust.BSSID=ac:74:09:3b:82:01wg.cust.wgserverPath=2690736423 3532824459

可见除了少部分硬件配置外，大部分都是文件重定向的内容，以及针对IO的一些文件过滤。

具体的实现是在内核中做的，提取内核分析后，发现其存在dofilefilter函数，在所有文件相关操作中都会调用该函数进行过滤。该函数每次都会读取/dev/wgzs/fsconf 的内容，更新配置（内核函数还做了控制流混淆，机智仔

部分引用：

备份还原

备份还原的主要逻辑在com.mingning179.commonutils.BackupUtils

备份：

备份涉及到三个路径，分别是App的沙箱目录,data/user/0/packageName ，也就是data/data/packageName，sdcard 相关目录，以及keystore。

以下是备份sdcard的文件过滤逻辑，其实还是存在部分数据遗漏，这会导致数据还原后部分数据丢失。

public static Set getSdFile(Context arg1) {        String[] v1 = ClearAppUtil.getDestUidsStr(arg1, ",").split(",");        Set v1_1 = ClearAppUtil.getFileRecords(new FileFilter() {            @Override            public boolean accept(File arg2) {                String v2 = arg2.getAbsolutePath();                return (v2.startsWith("/proc/")) || (v2.startsWith("/dev/")) || (v2.startsWith("/system/")) || (v2.startsWith("/vendor/")) || (v2.startsWith("/data/")) || (v2.startsWith("/sys/")) || (v2.contains("/.")) ? 0 : 1;            }        }, v1);        Arrays.sort(((String[])v1_1.toArray(new String[0])));        return v1_1;    }

还原：

还原就是把备份的数据解压覆盖回去，涉及到一点权限修复的额外工作。

Build/prop 改机

build

针对Build.class里的字段，其修改逻辑在App启动过程中的handleBindApplication函数中，调用WgzsUtil.modifyBuildClass完成修改：

可见其只修改了AOSP代码里有的公共字段。

Prop

prop部分除了libc函数__system_property_get外，还有java层的SystemProperties类，以及/system/bin 中的getprop。libc函数__system_property_get做了相应的修改。

其他改机

微在系统里添加了WgzsUtil 类，用来辅助改机，其中涉及到是否改机判断的函数有：

shouldGJ涉及：

shouldGJInService涉及：

shouldGjInSystemServer主要是网络连接服务：

具体实现就是在具体函数体中做判断，如果需要改机，就给改机的数据。

总结

微gou改机针对AOSP的改动横跨framework，native libraries以及kernel三个层面，好处就是痕迹少，不过对应维护成本也巨高。改机API方面，虽然涉及的点不多，看似比较完备，但其实Android系统API 茫茫多，更何况还有用户设备环境信息、传感器数据以及生物特征等多维度度数据。从检测的角度讲，本身痕迹较少，要么关注微没有涉及的特征以及用户环境信息，比如sdcard目录等，要么尽可能从不同的地方取同一个设备信息，然后结合策略进行封禁。