Analysis of App signature and encryption and decryption in an automobile community

1, Target

Jiaxuan's long and short sentences say: BMW carved cars are fragrant all over the road. Since then, fragrant car beauty has become standard. No, boss Li hasn't talked for a few mm, and he's ready to change cars again.

Today, our goal is an auto community App v8.0.1.

2, Steps


Boss Li said that this App is very drag. It seems to be an enterprise shell. Even Xcube is difficult to use and can't be debugged.

Let's take off the shell with BlackDex regardless of whether he pulls it or not.

BlackDex indicates that the shelling is successful, but there is only one dex file in the corresponding directory, which is obviously wrong

Fortunately, we have a backup plan. It is said that FDex2 shelling is also good. Let's start.

Sadly, FDex2 says it doesn't support my phone. The reason is that my system version is too high Android 10.

Well, we still have many mobile phones. When I applied to boss Li to buy one from Android 4 - Android 10, it was used for testing.

I found an Android 8.1 first. There happens to be BlackDex on this machine. Try it.

Is shelling still related to the system? Warning brothers: high and low versions of Android are available, which can take off and use which

Grab a bag

After counting signature, it's still 32 bits, which is embarrassing. Is it still MD5.

Anyway, search first

There are not many results. This Map.put is too red fruit. Disk it.

I think it should be this sign.

On Frida

var utilCls = Java.use("");
utilCls.sign.implementation = function(a,b,c){
    console.log(TAG + "a = " + a);
    console.log(TAG + "b = " + b);
    console.log(TAG + "c = " + c);
    var rc = this.sign(a,b,c);
    console.log(TAG + "sign = " + rc);
    return rc;


TIP: I forgot to plug in. This App is not so drag. Huluwa-server-15.xx runs in the mobile phone, and then you can run.

Sadly, the wooden reaction. It's not scientific.

Take a closer look at the difference between signature and signature. To make such a low-level mistake. Don't let boss Li know, otherwise it will be the end of the year. He will certainly not give me a salary increase for this reason.

Tick out ignore case. Search again, there are only two results this time, but neither of them looks good.

At this time, we need to sacrifice the great method of finding friends. Find another seemingly rare parameter from the same request package. This time we took a fancy to nonce

There seems to be a play here.

Go in and have a look. We see dear MD5. The Hook without hesitation.

var utilsExCls =  Java.use("com.aliyun.common.utils.MD5Util");
utilsExCls.getMD5.implementation = function(a){
    console.log(TAG + "a = " + a);
    var rc = this.getMD5(a);
    console.log(TAG + "Md5 sign = " + rc);
    return rc;			

I got it this time

Md5 sign = 35c40cb2b0fcf2a61ad316be7e912370

It's time to finish.

Return data encryption and decryption

From the packet capture results, we can see that there is a set of encrypted data starting with sd = in the request packet and the result. It looks like the data on the details page.

How to locate it? Let's first analyze the following characteristics. This group of data has three characteristics:

1. sd = start

2. The data starts with an uppercase M

3. = = at the end, the probability is Base64

Start with Base64

var Base64Class = Java.use("android.util.Base64");
Base64Class.encodeToString.overload("[B", "int").implementation = function(a,b){
    var rc =  this.encodeToString(a,b);        
    console.log(">>> Base64 " + rc);
    return rc;

Running, sadly, wood has results. (it may be Base64 in the so layer or simply implement the base64 algorithm by itself)

Then search for sd = or "sd" in another way

Easily locate the class CheckCodeUtils

var CheckCodeUtils = Java.use("com.cloudy.lxxxlxxxbang.model.request.retrofit2.CheckCodeUtils");
var encrypt = CheckCodeUtils.encrypt.implementation = function (paramString, paramInt) {
    console.log(TAG + 'aaa encrypt paramString:' + paramString);
    console.log(TAG + 'aaa encrypt paramInt:' + paramInt);
    var result = this.encrypt(paramString, paramInt);
    console.log(TAG + 'aaa encrypt result:' + result);
    return result;

var decrypt = CheckCodeUtils.decrypt.implementation = function (paramString) {
    console.log(TAG + 'aaa decrypt paramString:' + paramString);
    var result = this.decrypt(paramString);
    console.log(TAG + 'aaa decrypt result:' + result);
    return result;

Perfect, the result is no screenshot.

3, Summary

If you can't find the key string, you can consider looking for their friends.

Reverse analysis is a practical course with no definite method. Don't tangle with details, and don't explore whether the method is orthodox. Just catch a mouse.

Let's run this algorithm with unidbg in the next class. By the way, try to restore it.

Although gold chips are expensive, they fall into a cloud

Tags: Java node.js Android

Posted on Mon, 22 Nov 2021 03:04:09 -0500 by brauchii