安卓脱壳实操APP
抓住包就如图所示
基本解码
经过定位确定在这里
日本航空
ida有直接导出函数
JT ring _ fastcall Java _ com _ gold ze _ mvvmhabit _ utils _ native utils _ encrypt (JNI env * a1,int a2,int a3 ) ) ) //r0 const char *v6; //r1 jstring v7; //r4 char v9[12]; //[ sp4h ] [ BP-74h ] ByRef unsigned _ int8v 10; //[ sp10h ] [ BP-68h ] ByRef _ byte v11 [ 11 ]; //[ sp11h ] [ BP-67h ] byrefcharv 12 [ 12 ]; //[ sp1ch ] [ BP-5ch ] ByRef _ dwordv 13 [3]; //[ sp28h ] [ BP-50h ] byrefcharv 14 [ 12 ]; //[ sp34h ] [ BP-44h ] byrefcharv 15 [ 12 ]; //[ sp40h ] [ BP-38h ] byrefcharv 16 [ 12 ]; //[ sp4ch ] [ BP-2ch ] ByRef _ dwordv 17 [3]; //[sp 58h] [bp-20h] BYREF v17[2]=0; v17[0]=0; v17[1]=0; V4=(A1 )-getstringutfchars (a1,a3,0 ); STD : string :3360 basic _ stringdecltype (nullptr ) ) v16、v4; sub_e490(v17; STD : string :3360至string (v 16; v5=time(0; //时间戳STD:3360to_string(v16,v5 ); sub_e4a0(v17; Join(v14、v17、44; sha1 ) v15、v14; //初步查看sha1加密STD :3360 string :3360~string (v 14 ); v13[2]=0; v13[0]=0; v13[1]=0; sub_e4a0(v13; sub_e4a0(v13; Join(v12、v13、44; STD : string :3360 basic _ string (v 9,v12 ); b 64编码(v10,v9 ); //重点特征STD :3360 string :3360~string (V 9; v6=*v11[7]; if (! (v10 31 ) ) v6=v11; V7=(A1 )-new string utf (a1,v6 ); STD : string :3360至string (v10; STD : string :3360至string (v 12; STD :3360 _ vector _ basestd 33603360 string :~_ vector _ base (v 13 ); STD : string :3360至string (v 15; STD : string :3360至string (v 16; STD :3360 _ vector _ basestd 33603360 string :~_ vector _ base (v 17 ); return v7; 对sha1加密只需了解一点
//sha1原型首选项和md5一样是散列算法,核心是没有密钥。 多余信息可自行查看https://en.Wikipedia.org/wiki/sha-1 int sha1 _ update (sha _ CTX * c,const void *data,unsigned long len ); //推测对应位置的sha1:3360add(a2、v6、v7 ); 用frida脚本测试一下吧
//这是写的完整脚本,必须能摆出frida姿势哦。
functionhookjava((Java.perform ) function ) ) var encrypt=Java.use (com.gold ze.mvm habit.utils.native utils ) encrypt.implementation=function (str ) console.log(Javainput: ) str ) varret=this.encrypt ) str; console.log(Javaoutput: ) ret; 返回; }function hook () varbase=module.find base address (lib _ so ); //sha 1:3360 addvaroffset=base.add (0xf 075 ); interceptor.attach(offset, { onenter : function args ) console.log ) native: ) memory.readcstring ) args function main ((interceptor.atttach ) if (路径ptr!==无条件路径ptr!=null(varpath=ptr ) pathptr ).readCString ); //console.log('dlopen: ',path ); if (! this.path(return ) if ) path.indexof ) lib_so )=0) { this.can_hook_libart=true; console.log([dlopen:] )、path ); }、onleave:function(retval ) if ) this.can_hook_libart! is_hook_libart(hook ); is_hook_libart=true; } } interceptor.attach (module.findexportbyname ) null,' android_dlopen_ext ',{ onenter 3360 function } Android==无条件路径ptr!=null(varpath=ptr ) pathptr ).readCString ); //console.log (Android _ dlopen _ ext : ),path ); if(path.indexof(lib_so )=0) { this.can_hook_libart=true; console.log ([ Android _ dlopen _ ext : ] )、path ); }、onleave:function(retval ) if ) this.can_hook_libart! is_hook_libart(hook ); is_hook_libart=true; }}; }setimmediate(hookjava ) set immediate (main )之前分析过,返回的是base64,再次尝试解码
在native:/api/movie,1614831596上重试sha1,结果与base64相同。 分析过程结束~~~python脚本结束的傻瓜花~~~
from base64 importb 64 encodeimporthashlibimporttimeimportrequestsdefsha1(data ) : m=hashlib.sha1 ) m.update (data.sta )=round ) time.time ) ) text=f'/api/movie, {t}'result=sha1 ) text ) API/movie {t} ' token=b64encode(text.encode ().decode ) (return tokendef main ) ) : token=encrypt ) ) URL=f ' https://appen offsed ' headers={ ' log-header ' : ' iamthelogrequestheader.',# ' host ' 3360 ' AAA ' connection ' 3360 ' keep-alive ' user-agent ' 3360 ' ok http/3.10.0 ' headers=headers (print (resp.JSON ) ) if _ name _=' _ main _ ' 3330
这篇文章由ogli324原创。 欢迎分享这篇文章。 转载请留下出处