使用frida-hook分析嘟嘟牛加密方法
首先使用PKiD查壳,发现没有加壳
查找加密方法时,发现有两个加密函数,使用frida-hook分析走了哪一个加密函数
frida-hook脚本
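// Hook the two candidate request-building methods on JsonRequest to see which
// one the app actually calls. Each hook logs its arguments, then calls the
// original and returns its result, so the app's behaviour is unchanged apart
// from the extra log lines.
Java.perform(function () {
  var JsonRequest = Java.use("com.dodonew.online.http.JsonRequest");
  console.log("JsonRequest:", JsonRequest);

  JsonRequest.paraMap.implementation = function (a) {
    console.log("paraMap", a);
    // Return the original result; dropping it would hand `undefined` back to
    // the caller if paraMap is non-void.
    return this.paraMap(a);
  };

  // Only the (Map, int) overload is hooked; other overloads keep their
  // original implementation.
  JsonRequest.addRequestMap.overload('java.util.Map', 'int').implementation = function (a, b) {
    console.log("addRequestMap", a, b);
    return this.addRequestMap(a, b);
  };
});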
注入JS脚本,-U表示USB设备,-F表示注入到最前端的app,-l表示脚本路径,可以使用frida --help查看
输出结果
addRequestMap [object Object] 0
使用frida-hook获取参数名,向下转型
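// Same hooks as before, but the Map argument of addRequestMap is downcast to
// HashMap so its entries can be printed: console.log on the java.util.Map
// wrapper only prints "[object Object]". Every hook returns the original
// method's result so the app's behaviour is unchanged.
Java.perform(function () {
  var JsonRequest = Java.use("com.dodonew.online.http.JsonRequest");
  console.log("JsonRequest:", JsonRequest);

  JsonRequest.paraMap.implementation = function (a) {
    console.log("paraMap", a);
    // Return the original result; dropping it would hand `undefined` back to
    // the caller if paraMap is non-void.
    return this.paraMap(a);
  };

  JsonRequest.addRequestMap.overload('java.util.Map', 'int').implementation = function (a, b) {
    console.log("addRequestMap", a, b);
    // Java.cast throws if the runtime object is not a HashMap; that is the
    // desired loud failure here rather than a silent, empty log line.
    var asHashMap = Java.cast(a, Java.use("java.util.HashMap"));
    console.log("addRequestMap:", asHashMap.toString());
    return this.addRequestMap(a, b);
  };
});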
输出如下,发现此处还是没有加密,继续往下分析
addRequestMap: {loginImei=Androidnull, equtype=ANDROID, userPwd=gydgyhrrf, username=13859396229}
发现此处进行了加密
进入paraMap函数,查看code的值
hook md5函数,查看传入的参数的值,以及返回值
hook代码
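// Adds a hook on Utils.md5 to the JsonRequest hooks so the exact string that
// is hashed (and the resulting digest) is visible. Every hook returns the
// original method's result so the app's behaviour is unchanged.
Java.perform(function () {
  var JsonRequest = Java.use("com.dodonew.online.http.JsonRequest");
  console.log("JsonRequest:", JsonRequest);

  JsonRequest.paraMap.implementation = function (a) {
    console.log("paraMap", a);
    // Return the original result; dropping it would hand `undefined` back to
    // the caller if paraMap is non-void.
    return this.paraMap(a);
  };

  JsonRequest.addRequestMap.overload('java.util.Map', 'int').implementation = function (a, b) {
    console.log("addRequestMap", a, b);
    // Downcast so the entries print; the plain Map wrapper prints as
    // "[object Object]". Java.cast throws if the object is not a HashMap.
    var asHashMap = Java.cast(a, Java.use("java.util.HashMap"));
    console.log("addRequestMap:", asHashMap.toString());
    return this.addRequestMap(a, b);
  };

  // The md5 input observed in the captured output is the sorted query string
  // followed by a `key=` value that is identical across runs, i.e. a constant
  // shipped with the client rather than a per-session secret. From a defender's
  // view such a "sign" only detects accidental corruption; it does not
  // authenticate the client, so the server must not rely on it for that.
  var utils = Java.use("com.dodonew.online.util.Utils");
  utils.md5.implementation = function (a) {
    console.log("md5 params:", a);
    var retval = this.md5(a);
    console.log("md5 retval:", retval);
    return retval;
  };
});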
输出结果
[Pixel XL::嘟嘟牛在线]-> addRequestMap [object Object] 0 addRequestMap: {loginImei=Androidnull, equtype=ANDROID, userPwd=gydgyhrrf, username=13859396229} md5 params: equtype=ANDROID&loginImei=Androidnull&timeStamp=1728599809711&userPwd=gydgyhrrf&username=13859396229&key=sdlkjsdljf0j2fsjk md5 retval: 02c804895cd29c929988b7997a7bb436
hook encodeDesMap查看code,desKey,desIV的值
hook代码
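// Adds a hook on RequestUtil.encodeDesMap(String, String, String) so the
// plaintext, key and IV handed to the DES step are visible together with the
// returned ciphertext. Every hook returns the original method's result so the
// app's behaviour is unchanged. The log label for encodeDesMap's first
// argument was misspelled ("encdeDesMap") in the earlier script and is fixed.
Java.perform(function () {
  var JsonRequest = Java.use("com.dodonew.online.http.JsonRequest");
  console.log("JsonRequest:", JsonRequest);

  JsonRequest.paraMap.implementation = function (a) {
    console.log("paraMap", a);
    // Return the original result; dropping it would hand `undefined` back to
    // the caller if paraMap is non-void.
    return this.paraMap(a);
  };

  JsonRequest.addRequestMap.overload('java.util.Map', 'int').implementation = function (a, b) {
    console.log("addRequestMap", a, b);
    // Downcast so the entries print; Java.cast throws if not a HashMap.
    var asHashMap = Java.cast(a, Java.use("java.util.HashMap"));
    console.log("addRequestMap:", asHashMap.toString());
    return this.addRequestMap(a, b);
  };

  var utils = Java.use("com.dodonew.online.util.Utils");
  utils.md5.implementation = function (a) {
    console.log("md5 params:", a);
    var retval = this.md5(a);
    console.log("md5 retval:", retval);
    return retval;
  };

  // Key and IV arrive at this call site as plain strings. DES is a legacy
  // 56-bit cipher, and key material that is visible inside the process only
  // hides the payload from casual inspection; the server side should not treat
  // this layer as providing confidentiality or integrity.
  var requestUtil = Java.use("com.dodonew.online.http.RequestUtil");
  requestUtil.encodeDesMap
    .overload('java.lang.String', 'java.lang.String', 'java.lang.String')
    .implementation = function (a, b, c) {
      console.log("encodeDesMap params:", a);
      console.log("encodeDesMap key:", b);
      console.log("encodeDesMap iv", c);
      var encoded = this.encodeDesMap(a, b, c);
      console.log("encodeDesMap retval:", encoded);
      return encoded;
    };
});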
输出如下
JsonRequest: <class: com.dodonew.online.http.JsonRequest> JsonRequest: <class: com.dodonew.online.http.JsonRequest> addRequestMap [object Object] 0 addRequestMap: {loginImei=Androidnull, equtype=ANDROID, userPwd=gydgyhrrf, username=13859396229} md5 params: equtype=ANDROID&loginImei=Androidnull&timeStamp=1728601481789&userPwd=gydgyhrrf&username=13859396229&key=sdlkjsdljf0j2fsjk md5 retval: 57c217fe319182be95d896a5e2502854 encdeDesMap params: {"equtype":"ANDROID","loginImei":"Androidnull","sign":"57C217FE319182BE95D896A5E2502854","timeStamp":"1728601481789","userPwd":"gydgyhrrf","username ":"13859396229"} encodeDesMap key: 65102933 encodeDesMap iv 32028092 encodeDesMap retval: NIszaqFPos1vd0pFqKlB42Np5itPxaNH//FDsRnlBfgL4lcVxjXii/UNcdXYMk0Er+dH33DGoDYP hXPheB+HJlbk+UQlndpOERxWUpVEH5lR+rYkg4GVFatSq54cC2sLmRnM1tLb+nq8t7I/YCJyPvXA NgfCzdVQgEs8ynCP/+0W/6bJTIcUl1kJGmZfCLCF2cTBay+b/HIjQFwIBJmx1Sjljg8+wUZk
hook构造函数
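// Adds a hook on the DESKeySpec(byte[]) constructor to the previous hooks.
// Two fixes over the earlier script: the constructor hook's log line was
// labelled "encodeDesMap params:" although it logs the DESKeySpec argument,
// and the raw byte[] wrapper is Base64-encoded before logging (as the later
// standalone snippet does) so the key bytes are readable. Every method hook
// returns the original method's result so the app's behaviour is unchanged.
Java.perform(function () {
  var JsonRequest = Java.use("com.dodonew.online.http.JsonRequest");
  console.log("JsonRequest:", JsonRequest);

  JsonRequest.paraMap.implementation = function (a) {
    console.log("paraMap", a);
    // Return the original result; dropping it would hand `undefined` back to
    // the caller if paraMap is non-void.
    return this.paraMap(a);
  };

  JsonRequest.addRequestMap.overload('java.util.Map', 'int').implementation = function (a, b) {
    console.log("addRequestMap", a, b);
    // Downcast so the entries print; Java.cast throws if not a HashMap.
    var asHashMap = Java.cast(a, Java.use("java.util.HashMap"));
    console.log("addRequestMap:", asHashMap.toString());
    return this.addRequestMap(a, b);
  };

  var utils = Java.use("com.dodonew.online.util.Utils");
  utils.md5.implementation = function (a) {
    console.log("md5 params:", a);
    var retval = this.md5(a);
    console.log("md5 retval:", retval);
    return retval;
  };

  var requestUtil = Java.use("com.dodonew.online.http.RequestUtil");
  requestUtil.encodeDesMap
    .overload('java.lang.String', 'java.lang.String', 'java.lang.String')
    .implementation = function (a, b, c) {
      console.log("encodeDesMap params:", a);
      console.log("encodeDesMap key:", b);
      console.log("encodeDesMap iv", c);
      var encoded = this.encodeDesMap(a, b, c);
      console.log("encodeDesMap retval:", encoded);
      return encoded;
    };

  // Constructor hook: `$init` must be invoked so the object is initialised;
  // constructors have no return value to forward. Flag 0 is Base64.DEFAULT.
  var base64 = Java.use("android.util.Base64");
  var desKeySpec = Java.use("javax.crypto.spec.DESKeySpec");
  desKeySpec.$init.overload('[B').implementation = function (a) {
    console.log("DESKeySpec params:", base64.encodeToString(a, 0));
    this.$init(a);
  };
});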
主动调用app中的静态函数
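// Standalone hook on the DESKeySpec(byte[]) constructor that prints the key
// bytes Base64-encoded (via the framework's android.util.Base64, flag 0 =
// Base64.DEFAULT) instead of the unreadable byte[] wrapper.
// Wrapped in Java.perform: Java.use at top level is only guaranteed to work
// when the calling thread is already attached to the VM (e.g. typed into the
// REPL), and fails when the script is loaded with -l — TODO confirm on the
// Frida version in use.
Java.perform(function () {
  var base64 = Java.use("android.util.Base64");
  var desKeySpec = Java.use("javax.crypto.spec.DESKeySpec");
  desKeySpec.$init.overload('[B').implementation = function (a) {
    console.log("DESKeySpec params:", base64.encodeToString(a, 0));
    // `$init` must be called so the object is actually initialised.
    this.$init(a);
  };
});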