1. Target
Xin Qiji's ci collection, the Jiaxuan Changduanju, says: "jewelled horses and carved carriages, fragrance filling the road." Ever since, a fragrant car and a beauty have been standard equipment. Sure enough, Boss Li has barely chatted up a few girls and he is already ready to change cars again.
Today our target is a car-community app, v8.0.1.
2. Steps
Unpacking
Boss Li says this app is pretty tough: it looks like it has a commercial packer, and even Xcube struggles with it and can't debug it.
Tough or not, let's try unpacking it with BlackDex first.
BlackDex reports that unpacking succeeded, but there is only one dex file in the output directory, which is obviously wrong.
Fortunately we have a backup plan. FDex2 is said to unpack well too, so let's go.
Sadly, FDex2 says it doesn't support my phone: my system version, Android 10, is too high.
Well, we have plenty of phones. When I applied to Boss Li to buy one of each from Android 4 through Android 10, it was for exactly this kind of testing.
I found an Android 8.1 device first. It happens to have BlackDex on it too, so let's try that.
So unpacking depends on the system version as well? Heads-up, brothers: keep both high and low Android versions on hand, and use whichever one manages to unpack.
Packet capture
The signature is 32 characters long again, which is a little embarrassing. Is it MD5 yet again?
Either way, search first.
There aren't many results. This Map.put is far too blatant. Let's go after it.
I think this should be the sign.
Bring out Frida. The script below is the original hook, reformatted, with the TAG prefix defined and the hook wrapped in Java.perform so it runs as-is:
var TAG = "[sign] ";
Java.perform(function () {
    var utilCls = Java.use("com.alibaba.sdk.android.oss.common.utils.OSSUtils");
    // Log every call to OSSUtils.sign(a, b, c) together with its return value.
    utilCls.sign.implementation = function (a, b, c) {
        console.log(TAG + "a = " + a);
        console.log(TAG + "b = " + b);
        console.log(TAG + "c = " + c);
        var rc = this.sign(a, b, c);
        console.log(TAG + "sign = " + rc);
        return rc;
    };
});
Run it.
TIP: I forgot to mention: this app isn't actually that tough. Run Huluwa-server-15.xx on the phone and you are good to go.
Sadly, no reaction at all. That's not right.
Take a closer look at the two spellings of signature: the case is different. Such a low-level mistake. Don't let Boss Li find out, or at the end of the year he will certainly use it as a reason not to give me a raise.
Untick "ignore case" and search again. Only two results this time, but neither looks right.
Time to bring out the find-its-friends trick: pick another parameter from the same request packet that looks less common. This time we picked nonce.
This looks promising.
Go in and take a look: there is our dear MD5. Hook it without hesitation.
var TAG = "[md5] ";
Java.perform(function () {
    var utilsExCls = Java.use("com.aliyun.common.utils.MD5Util");
    // Log the string handed to MD5Util.getMD5 and the digest it returns.
    utilsExCls.getMD5.implementation = function (a) {
        console.log(TAG + "a = " + a);
        var rc = this.getMD5(a);
        console.log(TAG + "Md5 sign = " + rc);
        return rc;
    };
});
Got it this time:
Md5 sign = 35c40cb2b0fcf2a61ad316be7e912370
That wraps up the signature.
Return data encryption and decryption
From the packet capture we can see a block of encrypted data starting with sd= in both the request packet and the response. It looks like the data from the details page.
How do we locate it? First let's analyze its characteristics. This block of data has three:
1. It starts with sd=
2. The data itself starts with an uppercase M
3. It ends with ==, so it is most likely Base64
Start with Base64. The hook below is the original, reformatted and wrapped in Java.perform:
Java.perform(function () {
    var Base64Class = Java.use("android.util.Base64");
    // Hook the (byte[], int) overload of Base64.encodeToString and log its output.
    Base64Class.encodeToString.overload("[B", "int").implementation = function (a, b) {
        var rc = this.encodeToString(a, b);
        console.log(">>> Base64 " + rc);
        return rc;
    };
});
Run it; sadly, no results. (Base64 may be done in the so layer, or the app may simply implement the Base64 algorithm itself.)
So take another route and search for sd= or "sd".
That easily locates the class CheckCodeUtils.
var TAG = "[sd] ";
Java.perform(function () {
    var CheckCodeUtils = Java.use("com.cloudy.lxxxlxxxbang.model.request.retrofit2.CheckCodeUtils");
    // Log the plaintext handed to encrypt and the ciphertext it returns.
    CheckCodeUtils.encrypt.implementation = function (paramString, paramInt) {
        console.log(TAG + 'aaa encrypt paramString:' + paramString);
        console.log(TAG + 'aaa encrypt paramInt:' + paramInt);
        var result = this.encrypt(paramString, paramInt);
        console.log(TAG + 'aaa encrypt result:' + result);
        return result;
    };
    // Log the ciphertext handed to decrypt and the plaintext it returns.
    CheckCodeUtils.decrypt.implementation = function (paramString) {
        console.log(TAG + 'aaa decrypt paramString:' + paramString);
        var result = this.decrypt(paramString);
        console.log(TAG + 'aaa decrypt result:' + result);
        return result;
    };
});
Perfect; the result is not shown here.
3. Summary
If you can't find the key string, consider looking for its friends.
Reverse analysis is a hands-on course with no fixed method. Don't get tangled in details, and don't worry about whether the method is orthodox: as long as it catches the mouse.
In the next lesson we'll run this algorithm with unidbg and, while we're at it, try to restore it.
Although gold chips are expensive, they fall into a cloud
TIP: the sole purpose of this article is to learn more reverse-engineering skills and ideas. If someone uses these techniques for illegal business or to obtain benefits, the legal responsibility is borne by that operator and has nothing to do with this article or its author. The code and projects involved in this article are available to friends who are struggling; welcome to join the Knowledge Planet to learn and explore technology. If you have any questions, add me on WeChat: fenfei331.
WeChat official account: flair safety, the latest technical content pushed in real time.