app下载地址:aHR0cHM6Ly93d3cud2FuZG91amlhLmNvbS9hcHBzLzY2MjI2Mjg=
一:App抓包:这不是重点,直接略过,查看抓包内容
{ "appid": "app", "aru": "*************", "data": "PhPsJe1Ruo/ZZQDg3fJsxdzb+M6mZWXlRt0/AkOCemKy4uMMQGZ8HlyukRvcI96ekwkwTEP4QnYO0/8bhmHwkgVE08BLdPMQ1En7KgIxYSoiB65zh0Uyv2pkXUIT/oHdsyFIBD3Nqu8UVTV8/MVk7p5wdRiA4E14zondKWzZ7yvcOtbw6hXEIlrQvi89ua+8", "sign": "5f4637d358d7d93630389e6a46c62097", "terminal": "android", "version": "5.0.1" }
抓包多次,由抓包内容可以得出,加密参数为:data和sign,其他的参数都为固定值,不需要分析。此篇只分析首页信息的获取,不涉及详情页。
二:参数点查找
jadx打开apk,此时你会发现app被加固了(360加固),如图展示这样
然后从AndroidManifest.xml中获取到加密后的入口为android.intent.action.MAIN,废话不多说了,直接Fedx脱壳,步骤略。
说说脱壳后怎么查找并分析哪个dex文件是解密后的,简单的查找方式:grep -ril "android.intent.action.MAIN" ./ 能很大程度缩小搜索范围,当然一个一个dex文件分析也可以
根据搜索出来的内容进行重点查找,最后找到
可以看到所有的参数都在这里
三:参数解密
简单分析下sign和data的生成,
d为data,k为sign String d = l.d(str3, str2); String k = g0.k(str2);
由代码可知,重点是参数str2,str3只和data的生成有关,直接frida hook一下
# -*- coding:utf-8 -*-
import frida
import sys

# Frida (JavaScript) payload injected into the app process.  It replaces the
# implementation of f.v.a.j.l.d(String, String) -- the call that produces the
# "data" request field -- so that both arguments and the return value are
# reported back to this Python side through send().  printstack() and
# showStacks() are defined here but nothing in the payload invokes them.
hook_params_info = """
//打印堆栈(固定不会变的)
function printstack(){
    send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
}

Java.perform(
    function(){
        //data的加密 l.d(str3, str2)
        var l = Java.use('f.v.a.j.l');
        l.d.overload('java.lang.String', 'java.lang.String').implementation = function(v1, v2){
            send("this is join!");
            send(v1);
            send(v2);
            var data = l.d(v1, v2);
            send(data);
            return data;
        }
    }
)

//打印堆栈(固定不会变的)
function showStacks() {
    Java.perform(function () {
        send(Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Exception").$new()));
    });
}
"""


def on_message(message, data):
    """Frida message callback: print ``send`` payloads, echo anything else verbatim.

    Args:
        message: dict delivered by Frida; only ``message['type']`` and
            ``message['payload']`` are read here.
        data: binary attachment supplied by Frida (unused).
    """
    if message['type'] != 'send':
        print(message)
        return
    print(f"[*] {message['payload']}")


# Attach to the running app over USB, install the hook, then block until stdin
# reaches EOF so this script does not exit right after loading the payload.
device = frida.get_usb_device()
process = device.attach('com.showstartfans.activity')
script = process.create_script(hook_params_info)
script.on('message', on_message)
script.load()
sys.stdin.read()
{"action":"/app/home/front","deviceName":"Nexus 6P","qtime":1656148360681,"query":{"city":"10"},"ranstr":"RJ3GMWID","sysVersion":"6.0.1"}
四:结果展示
# -*- coding:utf-8 -*-
import frida
import sys
import time
import requests
import json

# Frida (JavaScript) payload exposing one RPC export, getsign(timestamp,
# activity_id).  Inside the app process it assembles the request body (str2),
# calls f.v.a.j.l.d(str3, str2) to obtain the "data" field and
# f.v.a.j.g0.k(str2) to obtain the "sign" field, and returns both joined by
# '&'.  Note that str3 is a fixed string literal, i.e. "data" is derived from a
# constant baked into the app rather than a per-session value.  activity_id is
# accepted by the export but never read; getBytes() is defined but unused.
rpc_hook_code = """
rpc.exports = {
    getsign:function(timestamp, activity_id){
        var sig = "";
        Java.perform(
            function(){
                send("this is join in!");
                var g0 = Java.use('f.v.a.j.g0');
                var l = Java.use('f.v.a.j.l');
                // 获取随机的8位字符串
                var randomStr = g0.r(8);
                var str2 = '{"action":"/app/home/front","deviceName":"Nexus 6P","qtime":' +timestamp+ ',"query":{"city":"10"},"ranstr":"' +randomStr+ '","sysVersion":"6.0.1"}';
                //首页为
                var str3 = 'hiyrLAoWR1k4wwee';
                //data参数
                var data = l.d(str3, str2);
                //sign参数
                var sign = g0.k(str2);
                send('data:'+data);
                send('sign:'+sign);
                sig = data +'&'+ sign;
            }
        )
        return sig;
    }
}

//通用:字符串转为字节数组
function getBytes(s) {
    var bytes = [];
    for (var i = 0; i < s.length; i++) {
        bytes.push(s.charCodeAt(i));
    }
    return bytes;
}
"""


def on_message(message, data):
    """Frida message callback: print ``send`` payloads, echo anything else verbatim.

    Args:
        message: dict delivered by Frida; only ``message['type']`` and
            ``message['payload']`` are read here.
        data: binary attachment supplied by Frida (unused).
    """
    if message['type'] != 'send':
        print(message)
        return
    print(f"[*] {message['payload']}")


def get_parmas(script):
    """Build the request parameter dict, asking the injected script for data/sign.

    Args:
        script: a loaded Frida script whose ``exports.getsign`` RPC returns
            the string ``"<data>&<sign>"``.

    Returns:
        dict holding the fixed ``appid``/``aru``/``terminal``/``version``
        values plus the freshly generated ``data`` and ``sign``.
    """
    now_ms = int(time.time() * 1000)
    activity_id = 172699  # forwarded to getsign, which does not read it
    infos = script.exports.getsign(now_ms, activity_id).split('&')
    return {
        "appid": "app",
        "aru": "axcHZeQPfJz8guxJHFDgkOVRwBM/ZuWdwcRy0yHO0b0=",
        "data": infos[0],
        "sign": infos[1],
        "terminal": "android",
        "version": "5.0.1",
    }


def get_activity_ids(params):
    """POST the signed parameters to the app API and print the decoded JSON reply.

    Args:
        params: dict produced by ``get_parmas``; sent verbatim as the JSON body.
    """
    url = "https://pro2-api.showstart.com/app/000000000000"
    headers = {
        'Host': 'pro2-api.showstart.com',
        'user-agent': 'Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MTC20L; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/44.0.2403.117 Mobile Safari/537.36',
        'cterminal': 'android',
        'cuuserref': 'b3aeb6664c498e43df6e30f48999989c',
        'cusut': '',
        'content-type': 'application/json;charset=UTF-8',
    }
    response = requests.post(url, headers=headers, data=json.dumps(params))
    print(response.json())


# Attach over USB, load the RPC payload, then generate one signed parameter
# set and issue a single request with it.
device = frida.get_usb_device()
process = device.attach('com.showstartfans.activity')
script = process.create_script(rpc_hook_code)
script.on('message', on_message)
script.load()
params = get_parmas(script)
print(params)
get_activity_ids(params)