Target app
55uu5qCHYXBw77ya5bCB6Z2i5paw6Ze777yMYXBw54mI5pys77yaOC40LjA=
Packet capture
Search in jadx to locate where the parameter is generated
frida hook: inspect the arguments passed in
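Java.perform(function () {
    // Hook SignManager.getSign and log its three arguments and its return value.
    var SignManager = Java.use("cn.thecover.lib.common.manager.SignManager");
    console.log("SignManager: ", SignManager);
    SignManager.getSign.implementation = function (str, str1, str2) {
        console.log("str: ", str);
        console.log("str1: ", str1);
        console.log("str2: ", str2);
        // Call the original implementation so the app keeps working.
        var res = this.getSign(str, str1, str2);
        console.log("result: ", res);
        return res;
    };
});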
unidbg: fix the arguments and check whether anything else changes
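// Requires: import java.util.ArrayList;
public void getSign() {
    // Call the JNI function directly with fixed arguments.
    ArrayList<Object> args = new ArrayList<>(10);
    args.add(vm.getJNIEnv()); // JNIEnv*
    args.add(0);              // second JNI argument (jobject/jclass), passed as 0
    // The three String arguments of getSign(str, str1, str2)
    args.add(vm.addLocalObject(new StringObject(vm, "72446173-af9b-49d9-91f8-996cbba53937")));
    args.add(vm.addLocalObject(new StringObject(vm, "")));
    args.add(vm.addLocalObject(new StringObject(vm, "1672024045773")));
    Number number = module.callFunction(emulator, "Java_cn_thecover_lib_common_manager_SignManager_getSign", args.toArray());
    // The return value is a handle to a Java String; resolve it and print it.
    System.out.println(vm.getObject(number.intValue()).getValue().toString());
}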
unidbg: patching the environment
Looking at it in jadx shows that this method retrieves the app's signature information.
- Use a frida hook to get the app signature information
Java.perform(function () {
    // Hook LogShutDown.getAppSign and log the value it returns.
    var LogShutDown = Java.use("cn.thecover.lib.common.utils.LogShutDown");
    LogShutDown.getAppSign.implementation = function () {
        var res = this.getAppSign();
        console.log("getAppSign: ", res);
        return res;
    };
});
- Patch the environment in unidbg
@Override
public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
    // Answer the native code's call to getAppSign() with a fixed app signature string.
    if (signature.equals("cn/thecover/lib/common/utils/LogShutDown->getAppSign()Ljava/lang/String;")) {
        return new StringObject(vm, "3A6BCA056DBA41048F26197A91C0613D");
    }
    // Everything else falls through to the default handler.
    return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
}
Runs successfully
so-layer analysis
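- Step 1: Press F5 to view the pseudocode. The native code uses reflection into the Java layer to obtain appsign, then hashes it with MD5.
- Step 2: Reading further, token, timestamp and account are concatenated as strings and then hashed with SHA-1.
- Step 3: The results of step 1 and step 2 are concatenated as strings and hashed with MD5 again, which gives the final result.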
Python implementation
Its result is the same as the one obtained from the hook. This completes the analysis of the sign algorithm.
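The three steps above as an added Python example; it is not the author's code, which is not present on this page. The concatenation order and the letter case of the intermediate hex strings are assumptions, so the hypothetical helper `find_variants` checks each reading against a hooked value; all inputs are constructed except the timestamp and appsign strings taken from the unidbg code.

```python
import hashlib
from itertools import permutations

# Value returned by the patched getAppSign() in the unidbg section above.
APP_SIGN = "3A6BCA056DBA41048F26197A91C0613D"
FIELDS = ("token", "timestamp", "account")


def hex_digest(algo, text, upper):
    """Hex digest of a UTF-8 string; `upper` selects the letter case."""
    digest = hashlib.new(algo, text.encode("utf-8")).hexdigest()
    return digest.upper() if upper else digest


def get_sign(token, timestamp, account, order=FIELDS, upper=False,
             app_sign=APP_SIGN):
    """Steps 1-3 of the so-layer analysis. Assumptions: field order and the
    case of the intermediate hex strings. Returns a lowercase hex MD5."""
    values = {"token": token, "timestamp": timestamp, "account": account}
    step1 = hex_digest("md5", app_sign, upper)
    step2 = hex_digest("sha1", "".join(values[name] for name in order), upper)
    return hex_digest("md5", step1 + step2, False)


def find_variants(hooked_sign, token, timestamp, account):
    """List every (order, upper) reading that reproduces a hooked sign."""
    return [
        (order, upper)
        for order in permutations(FIELDS)
        for upper in (False, True)
        if get_sign(token, timestamp, account, order, upper) == hooked_sign.lower()
    ]


if __name__ == "__main__":
    # Constructed inputs, not captured traffic; only the timestamp string
    # is reused from the unidbg call on this page.
    args = ("tok-constructed", "1672024045773", "acct-constructed")
    # Stand-in for a hooked result, generated from one reading so the
    # search has something to recover.
    hooked = get_sign(*args, order=("timestamp", "account", "token"), upper=True)
    print(find_variants(hooked.upper(), *args))
    # With an empty field several orders give the same string, so a sample
    # like that cannot settle the concatenation order on its own.
    print(len(find_variants(get_sign("tok", "1", ""), "tok", "1", "")))
```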