1. Goals

Today's target is the app's sign and appcode values.

2. Steps

Jadx cannot open it

The app is protected by an enterprise-edition Bangcle (梆梆) packer, and Jadx cannot do anything with it.

FRIDA-DEXDump

FRIDA-DEXDump dumped nothing useful either.

Wallbreaker

Wallbreaker can do some packer analysis, but this sample only runs under Frida's spawn mode; attach mode fails, and there is no way to load it directly as a file, so Wallbreaker cannot be used here.

r0tracer

Today's new friend is r0tracer by r0ysue (肉丝)

Github.com/r0ysue/r0tr…

r0tracer can batch-trace every method of a class, with the classes selected by a whitelist and a blacklist. Let's try tracing classes whose names contain "sign":

function main() {
    Java.perform(function () {
        console.Purple("r0tracer begin ... !");
        /* Uncomment a line to enable it */
        //A.
        // traceClass("javax.crypto.Cipher");
        //B.
        // hook("javax.crypto.Cipher", "$");
        hook("sign", "$");
        //C. If a class cannot be found, pass the class name as the third parameter,
        //   for example when com.roysue.check cannot be found:
        // hook("com.roysue.check", " ", "com.roysue.check");
    })
}

Start the app in spawn mode:

$ frida -U -f com.platexx.boxxoota -l r0tracer.js --no-pause -o saveLog1.txt

The output:

Spawned `com.platexx.boxxoota`. Resuming main thread!                   
[MI NOTE Pro::com.platexx.boxxoota]-> r0tracer begin ... !
start
Begin Search Class...
Found Class => 
Tracing Method : com.wxxotel.app.service.signservice.OpenSignService.execute [1 overload(s)]
Tracing Method : com.wxxotel.app.service.signservice.OpenSignService.getPath [1 overload(s)]
Tracing Method : com.wxxotel.app.service.signservice.OpenSignService.$init [1 overload(s)]

Nothing useful. Let's try "Sign" with a capital letter.

It prints this, and then hangs…

Spawned `com.platexx.boxxoota`. Resuming main thread!                   
[MI NOTE Pro::com.platexx.boxxoota]-> r0tracer begin ... !
start
Begin Search Class...
Found Class => 
Tracing Method : libcore.reflect.GenericSignatureParser.isStopSymbol [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.expect [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseClassSignature [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseClassTypeSignature [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseFieldTypeSignature [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseForClass [1 overload(s)]

These libcore.XXXX classes are not the kind we are looking for; put "libcore" on the blacklist to filter them out and try again.

hook("Sign", "libcore");

Aha, this looks much better. Looks like we're getting somewhere.

Scrolling through the output:

com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getAppCode [1 overload(s)]
com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getSignString [1 overload(s)]

These two look very suspicious. Let's trace SignUtil this time:

hook("SignUtil", "$");

*** entered com.platexx.boxxoota.app.whnetcomponent.utils.SignUtil.getSignString
arg[0]: 0 => "0"
arg[1]: vadjlr4k3o; qj4io23ug9034uji5rjn34io5u83490u5903huq => "vadjlr4k3o; qj4io23ug9034uji5rjn34io5u83490u5903huq"
arg[2]: 00000000-7e21-1806-0000-00000033c587 => "00000000-7e21-1806-0000-00000033c587"
arg[3]: 1622430128929 => "1622430128929"
arg[4]: 0,0 => "0,0"
arg[5]: 6698 => "6698"
java.lang.Throwable
	at com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getSignString(Native Method)
	at com.besxxxhotel.app.whnetcomponent.net.JJSignInterceptor.handlerRequest(JJSignInterceptor.java:114)
	at com.besxxxhotel.app.whnetcomponent.net.JJSignInterceptor.intercept(JJSignInterceptor.java:38)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
	at okhttp3.RealCall$AsyncCall.execute(RealCall.java:147)
	at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
	at java.lang.Thread.run(Thread.java:760)
=================================================================================
retval: C5F29B0EF472EDA271313155307E8077 => "C5F29B0EF472EDA271313155307E8077"
*** exiting com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getSignString

  • Parameters 0 and 1 are fixed values
  • Parameter 2 should be the did (device id)
  • Parameter 3 is the current timestamp
  • Parameter 4 is also fixed
  • Parameter 5 is a bit odd. Searching the log shows that it is the return value of decodeASCII, which takes a java.util.Map as its input.
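The bullet list above is the kind of reading an analyst does on every r0tracer record: which inputs of the signature are fixed, which are per-device, and which change per request. As an added example that is not part of the post or of r0tracer, here is a small parser for the record format shown above (the `*** entered` / `arg[i]: raw => "str"` / `retval:` / `*** exiting` lines) together with the value-shape heuristic the list applies by hand. The sample record is constructed with placeholder class names and values, and parseTraceRecord, describeValue and summarizeArgs are names chosen for this example.

```javascript
// Added example: parse one r0tracer call record and label the shape of each value.
// SAMPLE_TRACE is constructed for this example; the class and values are placeholders.
const SAMPLE_TRACE = `*** entered com.example.app.whnetcomponent.utils.SignUtil.getSignString
arg[0]: 0 => "0"
arg[1]: CONSTRUCTED_FIXED_KEY => "CONSTRUCTED_FIXED_KEY"
arg[2]: 00000000-0000-4000-8000-000000000001 => "00000000-0000-4000-8000-000000000001"
arg[3]: 1622430128929 => "1622430128929"
arg[4]: 0,0 => "0,0"
arg[5]: 6698 => "6698"
java.lang.Throwable
    at com.example.app.whnetcomponent.utils.SignUtil.getSignString(Native Method)
    at com.example.app.whnetcomponent.net.SignInterceptor.intercept(SignInterceptor.java:38)
=================================================================================
retval: 00112233445566778899AABBCCDDEEFF => "00112233445566778899AABBCCDDEEFF"
*** exiting com.example.app.whnetcomponent.utils.SignUtil.getSignString`;

// One argument line: arg[<index>]: <raw> => "<toString()>"
const ARG_RE = /^arg\[(\d+)\]: (.*?) => "(.*)"$/;
// The return-value line uses the same raw => "str" shape.
const RET_RE = /^retval: (.*?) => "(.*)"$/;

// Turn a single record (entered ... exiting) into a plain object.
function parseTraceRecord(text) {
  const record = { method: null, args: [], stack: [], retval: null, exitMethod: null };
  for (const rawLine of text.split("\n")) {
    const line = rawLine.trim();
    if (line.startsWith("*** entered ")) {
      record.method = line.slice("*** entered ".length);
      continue;
    }
    if (line.startsWith("*** exiting ")) {
      record.exitMethod = line.slice("*** exiting ".length);
      continue;
    }
    let m = ARG_RE.exec(line);
    if (m) {
      record.args.push({ index: Number(m[1]), raw: m[2], str: m[3] });
      continue;
    }
    m = RET_RE.exec(line);
    if (m) {
      record.retval = { raw: m[1], str: m[2] };
      continue;
    }
    // Stack frames come from the Throwable r0tracer creates to print the call site.
    if (line.startsWith("at ")) record.stack.push(line.slice(3));
    // The "java.lang.Throwable" header and the "====" separator carry no data.
  }
  record.args.sort((a, b) => a.index - b.index);
  return record;
}

// Rough shape classification of a traced value; these are heuristics, not
// ground truth, and only hint at what an analyst should check next.
function describeValue(v) {
  if (/^\d{13}$/.test(v)) return "epoch-millis"; // 13 digits: Unix time in ms
  if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(v)) return "uuid";
  if (/^[0-9a-f]{32}$/i.test(v)) return "hex32"; // 128-bit value printed as hex
  return "literal";
}

// Attach a shape label to every argument of a parsed record.
function summarizeArgs(record) {
  return record.args.map((a) => ({ index: a.index, raw: a.raw, kind: describeValue(a.raw) }));
}

const parsed = parseTraceRecord(SAMPLE_TRACE);
console.log(parsed.method);
console.table(summarizeArgs(parsed));
console.log("retval kind:", describeValue(parsed.retval.raw));
```

Running the block over a saved log (split on `*** exiting` lines first) gives one table per call; when the same argument index keeps the same value across many calls it is a fixed input, and when it changes on every call it is the per-request part, which is exactly the distinction the list above draws.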

A small tweak at line 117 prints the map:

// Stringify the argument so its Java type name is visible in the text
var strType = JSON.stringify(arguments[j]);
// console.log(strType);

// indexOf returns -1 when the substring is absent, so compare against -1
if (strType.indexOf('HashMap') !== -1) {
    // Print every key/value entry of the map instead of the opaque object
    console.log(arguments[j].entrySet().toArray());
}

Now we know it is the content of this request:

SystemVersion = 7.0, sid = 306267, userId = 0, clientVersion = 5.2.9, deviceType = MI NOTE Pro,did=174670d6754469115964f1387aed0a96,appId=105,deviceCode=,os=android

Done, call it a day…

3. Summary

Make good use of the tools; one more skill never weighs you down.

Wouldn't r0tracer's name filtering be even nicer if it accepted regular expressions?
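The whitelist/blacklist filter used earlier (hook("sign", "$"), then hook("Sign", "libcore")) and the regular-expression idea just raised can be shown in one piece of plain JavaScript that runs without Frida. This is an added example, not r0tracer's own code: selectClasses, matches and traceTargets are names chosen here, the class list is constructed to mirror the classes seen in the traces above, and the reading of the "$" blacklist default as "drop inner and anonymous classes, whose names contain $" is this example's assumption rather than something the post states.

```javascript
// Added example: whitelist/blacklist class selection as used by a tracer,
// extended so that either filter may be a RegExp instead of a substring.
// SAMPLE_CLASSES is constructed for this example.
const SAMPLE_CLASSES = [
  "com.example.app.whnetcomponent.utils.SignUtil",
  "com.example.app.whnetcomponent.utils.SignUtil$1", // inner class
  "com.example.app.service.signservice.OpenSignService",
  "libcore.reflect.GenericSignatureParser",
  "javax.crypto.Cipher",
  "okhttp3.RealCall",
];

// A string pattern is a case-sensitive substring test, so "sign" and "Sign"
// select different classes, as happened in the post; a RegExp is tested as-is.
function matches(pattern, name) {
  return pattern instanceof RegExp ? pattern.test(name) : name.includes(pattern);
}

// Keep every class that matches the whitelist and does not match the blacklist.
// With plain substrings a blacklist of "$" drops inner and anonymous classes
// (their names contain "$"); that reading of the default is an assumption here.
function selectClasses(classNames, white, black) {
  return classNames.filter((name) => matches(white, name) && !matches(black, name));
}

// What a tracer would hook for a given filter pair.
function traceTargets(white, black, classNames = SAMPLE_CLASSES) {
  return selectClasses(classNames, white, black);
}

console.log(traceTargets("sign", "$"));                 // only OpenSignService
console.log(traceTargets("Sign", "libcore"));           // SignUtil, SignUtil$1, OpenSignService
console.log(traceTargets(/Sign(Util|Service)$/, "$"));  // anchored regex: SignUtil, OpenSignService
```

The regex form is what makes the filter precise: `/Sign(Util|Service)$/` selects the two classes of interest by their exact suffix, where the substring "Sign" also pulled in libcore's GenericSignatureParser and needed a second, blacklist round to get rid of it.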

The packer still needs work. Once it is unpacked, the app will not be difficult.

When you walk a different road, you are likely to see a different landscape from everyone else.

TIP: The purpose of this article is only to learn more reverse-engineering techniques and ways of thinking. If anyone uses these techniques to obtain illegal commercial gain, the legal liability is theirs alone and has nothing to do with the author. The code project involved in this article can be obtained from my Fenfei Star group; you are welcome to join the group to learn and explore technology together. If you have questions, add me on WeChat: FENfei331.

WeChat official account: Fenfei Security, with the latest technical content pushed in real time.