I. Goal

There are a lot of fresh food apps on the market, and buying vegetables is indeed a high-frequency need. These fresh food apps also have some interesting things in common:

  • Most of them are packed (protected by a shell)
  • Most of them are hard to capture packets from

Today we analyze the mfsig signature of a fresh food app, version 9.9.59.

II. Steps

Open it in jadx

Judging by how few package names and class names there are, you can almost conclude that the app is packed.

For background, review the earlier article "Sign and appcode signature analysis of a hotel app (2): shell analysis".

Unpacking with BlackDex

Pull the unpacked result to the PC, open it in jadx, and search for “mfsig”.

Damn it, I got nothing.

There are two possibilities. One is that the app takes a different route, and all the operations and flow related to the mfsig signature live in a native .so library. The other is that the unpacking was not clean and the key data was not dumped.

Either way, we’re gonna have to think of something else.

hook_libart

Observe that the mfsig signature values all start with mfsnm. That is where we start.

Recall the earlier article "Signature algorithm analysis of a 'grass-planting' (product recommendation) e-commerce app (1)" and set up the same string matching here.

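    // addrNewStringUTF is the address of the JNI NewStringUTF function and is
    // expected to be resolved earlier in the hook_libart script; Where() is a
    // helper that formats a Java stack trace. Neither is shown on this page.
    if (addrNewStringUTF != null) {
        Interceptor.attach(addrNewStringUTF, {
            onEnter: function (args) {
                // args[1] is the const char* passed to NewStringUTF(env, bytes)
                if (!args[1].isNull()) {
                    var string = args[1].readCString();
                    if (string != null) {
                        // Only react to strings that carry the signature prefix
                        if (string.toString().indexOf("mfsnm") >= 0) {
                            console.log("[NewStringUTF] bytes:" + string);

                            // Java-side call stack of the current thread
                            var threadef = Java.use('java.lang.Thread');
                            var threadinstance = threadef.$new();
                            var stack = threadinstance.currentThread().getStackTrace();
                            console.log("Rc Full call stack:" + Where(stack));

                            // Native-side backtrace
                            console.log(Thread.backtrace(this.context, Backtracer.FUZZY)
                                .map(DebugSymbol.fromAddress).join("\n"));
                        }
                    }
                }
            },
            onLeave: function (retval) {}
        });
    }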

Run it:

    frida -U -f cn.mxxxfxxxh.application -l ms.js  --no-pause

We are in luck: it is caught easily.

    [Pixel 2 XL::cn.mxxxfxxxh.application]-> [NewStringUTF] bytes:mfsnmtyBmRQEmRmAVpF48icnVLkAGJ1KJJ0bGZOGIKWEFIgLLKO7KJK9JKCHJJ5IKk50KZW7I+SII59FG+GHLZcBI654Jl9MKmcDJKWCJkO8IZ95KK P5mBY1ma
    Rc Full call stack:dalvik.system.VMStack.getThreadStackTrace(Native Method)
    java.lang.Thread.getStackTrace(Thread.java:1720)
    cn.mxxxfxxxh.wsg.SecurityLib.nativeSign(Native Method)
    cn.mxxxfxxxh.wsg.SecurityLib.a(SecurityLib.java:24)
    cn.mxxxfxxxh.wsg.a.a(SecurityManager.java:42)

It is nativeSign. The code we dumped from the shell now comes in handy.

Hook it with Frida

    Java.perform(function () {
        var signatureCls = Java.use('cn.mxxxfxxxh.wsg.SecurityLib');
        signatureCls.nativeSign.overload('android.content.Context', 'long', '[B').implementation = function (a, b, c) {
            // Call the original native method first, then log input and result
            var retval = this.nativeSign(a, b, c);

            // c is the byte[] argument; wrap it in a java.lang.String to print it
            var StrCls = Java.use('java.lang.String');
            var inStr = StrCls.$new(c);
            console.log(">>> signature inStr = " + inStr);
            console.log(" >>> signature rc= " + retval);

            return retval;
        };
    });

Run it again, and you have the input and the result.

How to print the byte[] argument: follow the stack trace back to the caller.

    String a = C15603SecurityLib.m17628a(f13866a, C3748b.m17632a(str).getBytes("UTF-8"));

The byte[] is actually a String, so to print it, all we need to do is call the String constructor.
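Printing through `StrCls.$new(c)` works here because the caller passes the UTF-8 bytes of a String; when an argument is not text, the same call prints garbage. The following added example (not code from the original article) is a plain-JavaScript helper that decodes strictly as UTF-8 and falls back to hex. It assumes the hook receives the byte[] as an array of signed numbers (-128..127); the function names and sample inputs are constructed for illustration.

```javascript
// Java bytes reach a hook as signed numbers (-128..127); map them to 0..255.
function toUnsigned(javaBytes) {
    return Array.from(javaBytes, function (b) { return b & 0xff; });
}

// Strict UTF-8 decode: returns the string, or null on any malformed input
// (bad lead or continuation byte, truncation, overlong form, surrogate).
function decodeUtf8Strict(u8) {
    var out = "";
    for (var i = 0; i < u8.length; ) {
        var b0 = u8[i], need, cp, min;
        if (b0 < 0x80) { need = 0; cp = b0; min = 0; }
        else if ((b0 & 0xe0) === 0xc0) { need = 1; cp = b0 & 0x1f; min = 0x80; }
        else if ((b0 & 0xf0) === 0xe0) { need = 2; cp = b0 & 0x0f; min = 0x800; }
        else if ((b0 & 0xf8) === 0xf0) { need = 3; cp = b0 & 0x07; min = 0x10000; }
        else { return null; }
        if (i + need >= u8.length) { return null; }  // sequence cut short
        for (var k = 1; k <= need; k++) {
            var c = u8[i + k];
            if ((c & 0xc0) !== 0x80) { return null; }
            cp = (cp << 6) | (c & 0x3f);
        }
        if (cp < min || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) { return null; }
        out += String.fromCodePoint(cp);
        i += need + 1;
    }
    return out;
}

function toHex(u8) {
    return u8.map(function (b) { return ("0" + b.toString(16)).slice(-2); }).join(" ");
}

// Text if the bytes are clean UTF-8 without control characters, hex otherwise.
function renderJavaBytes(javaBytes) {
    var u8 = toUnsigned(javaBytes);
    var text = decodeUtf8Strict(u8);
    if (text !== null && !/[\x00-\x08\x0b\x0c\x0e-\x1f]/.test(text)) {
        return { kind: "utf8", value: text };
    }
    return { kind: "hex", value: toHex(u8) };
}

// Constructed sample inputs (not captured from any app).
var SAMPLE_TEXT = [97, 61, 49, 38, 110, 61, -28, -72, -83]; // "a=1&n=" + U+4E2D
var SAMPLE_BINARY = [-1, -40, 0, 16];                        // ff d8 00 10

console.log(renderJavaBytes(SAMPLE_TEXT), renderJavaBytes(SAMPLE_BINARY));
```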

III. Summary

Unpacking is the primary productive force, so master a few unpacking tools and ROMs.

The patterns are all much alike. Once you are familiar with enough of them, you can apply them to new apps.

When we are busy with life, life is gone.

TIP: The sole purpose of this article is to learn more reverse-engineering techniques and ideas. If anyone uses these techniques to obtain illegal commercial gain, the legal liability rests with the person doing so and has nothing to do with the author. The code projects for the knowledge covered in this article are available in the "Fenfei's Friends" Knowledge Planet group; you are welcome to join and learn and explore together. If you have a question, you can add me on WeChat (WX: FENfei331) to discuss.

WeChat official account: Fenfei Security. The latest technical articles, pushed in real time.