1. Goal
Previously we covered part (1) of the sign / AppCode signature analysis for a hotel app, unpacking it with r0tracer.
Unpacking is a necessity; who wouldn't want it to be zero-touch?
The app has been upgraded to 5.3.3, and so have our tools.
Our new friend today is BlackDex
Github.com/CodingGay/B…
- Unpacking
- Delaying the hooks
2. Steps
Unpacking with BlackDex
- Install BlackDex
- Select com.platexx.boxxoota from the list of processes it displays
- Confirm the unpack; afterwards the dumped files are under /sdcard/Android/data/top.niunaijun.blackdexa32/dump/com.platexx.boxxoota
Analysis
Following the previous analysis, open com.besxxxhotel.app.whnetcomponent.utils.SignUtil and take a look.
Tears in my eyes: it's nice to finally see source code.
Without further ado, hook it.
```javascript
var TAG = "[SignUtil] "; // log prefix; the original snippet assumed TAG was defined elsewhere
Java.perform(function () {
    var signCls = Java.use("com.besxxxhotel.app.whnetcomponent.utils.SignUtil");
    console.log(TAG + "signCls: " + signCls);
    // Log every argument and the computed signature, then return the original result unchanged
    signCls.getSignString.implementation = function (a1, a2, a3, a4, a5, a6) {
        var result = this.getSignString(a1, a2, a3, a4, a5, a6);
        console.log(TAG + "a1 = " + a1);
        console.log(TAG + "a2 = " + a2);
        console.log(TAG + "a3 = " + a3);
        console.log(TAG + "a4 = " + a4);
        console.log(TAG + "a5 = " + a5);
        console.log(TAG + "a6 = " + a6); // the original logged a5 twice here
        console.log(TAG + "sign rc = " + result);
        return result;
    };
    signCls.getAppCode.implementation = function (a1, a2, a3, a4) {
        var result = this.getAppCode(a1, a2, a3, a4);
        console.log(TAG + "a1 = " + a1);
        console.log(TAG + "a2 = " + a2);
        console.log(TAG + "a3 = " + a3);
        console.log(TAG + "a4 = " + a4);
        console.log(TAG + "AppCode rc = " + result);
        return result;
    };
    signCls.decodeASCII.implementation = function (a) {
        var result = this.decodeASCII(a);
        // a is a java.util.Map: dump its entries before printing the decoded value
        console.log(TAG + a.entrySet().toArray());
        console.log(TAG + "decodeASCII: " + result);
        return result;
    };
});
```
Attach your beloved Frida and run.
```text
[Redmi 6A::platexx.boxxoota]-> Process crashed: Illegal instruction
```
Why? That makes no sense. We're good friends; didn't we have fun with the last version?
Tried the old version of the app again: same crash.
Delaying the hooks
Take a deep breath and calm down.
The earlier version crashes too, which means the protection was not upgraded in the new version. It crashes in spawn mode, but in attach mode everything is normal.
That’s easy. We can add a delay to spawn mode.
```javascript
function main() {
    Java.perform(function () {
        var threadef = Java.use('java.lang.Thread');
        var threadinstance = threadef.$new();
        // ... xxxHook code ...
    });
}
// Give the packer's shell code time to finish before installing the hooks
setTimeout(main, 1000);
// setImmediate(main);
```
No problem this time.
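A fixed one-second sleep works on this phone, but the right delay depends on the device and on how long the packer's shell code takes. The following is an added example, not the post's own script, that generalizes the idea: poll until the target class can actually be resolved (bounded by a maximum number of attempts) and only then install the hook. The class name is taken from the post; waitForClass, installSignHook, the interval and attempt limits, and the injectable schedule option are assumptions made for this example. The Frida-specific part only runs when the Java global exists, so the polling logic can also be exercised under plain Node.

```javascript
// Added example (not from the original post): defer hooks until the target
// class is resolvable instead of sleeping a fixed 1000 ms. In spawn mode the
// packer's shell code runs first, so Java.use() on the real app class fails
// until the real DEX has been loaded; bounded polling handles that.

// TARGET_CLASS comes from the post; everything else here is an assumption.
var TARGET_CLASS = "com.besxxxhotel.app.whnetcomponent.utils.SignUtil";

// waitForClass(tryLoad, onReady, opts)
//   tryLoad : returns the class wrapper, or throws if it is not loaded yet
//   onReady : called once with the wrapper when tryLoad succeeds
//   opts    : intervalMs, maxAttempts, schedule (timer function, injectable for tests)
// Returns a state object so the caller can inspect progress.
function waitForClass(tryLoad, onReady, opts) {
  opts = opts || {};
  var intervalMs = opts.intervalMs || 200;
  var maxAttempts = opts.maxAttempts || 50;
  var schedule = opts.schedule || function (fn, ms) { setTimeout(fn, ms); };
  var state = { attempts: 0, ready: false, gaveUp: false, lastError: null };

  function attempt() {
    state.attempts += 1;
    var cls;
    try {
      cls = tryLoad();
    } catch (e) {
      state.lastError = String(e);
      if (state.attempts >= maxAttempts) {
        state.gaveUp = true;          // stop instead of polling forever
        return;
      }
      schedule(attempt, intervalMs);  // try again later
      return;
    }
    state.ready = true;
    onReady(cls);
  }

  attempt();
  return state;
}

// Hook getSignString (six arguments, as in the post): log args and result, pass result through.
function installSignHook(signCls) {
  signCls.getSignString.implementation = function (a1, a2, a3, a4, a5, a6) {
    var result = this.getSignString(a1, a2, a3, a4, a5, a6);
    console.log("[SignUtil] args: " + [a1, a2, a3, a4, a5, a6].join(" | "));
    console.log("[SignUtil] sign = " + result);
    return result;
  };
}

// Frida-only section: the Java global exists inside Frida, not under plain Node.
if (typeof Java !== "undefined") {
  waitForClass(
    function () {
      var cls = null;
      // Java.perform swallows exceptions thrown by its callback (it rethrows them on
      // the next tick), so catch inside and signal "not yet" by returning null.
      Java.perform(function () {
        try { cls = Java.use(TARGET_CLASS); } catch (e) { /* real DEX not loaded yet */ }
      });
      if (cls === null) throw new Error("class not loaded yet");
      return cls;
    },
    function (cls) {
      Java.perform(function () { installSignHook(cls); });
      console.log("[SignUtil] hooks installed after polling");
    },
    { intervalMs: 200, maxAttempts: 50 }
  );
}
```

Run it the same way as the post's script (spawn mode); the hook is installed as soon as the class resolves rather than after an arbitrary delay, and if the class never appears the script gives up after maxAttempts instead of spinning.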
3. Summary
When analyzing a packed app, consider hooking attachBaseContext / getApplicationContext inside the packer's shell code to locate the real application code you actually want to hook.
When Frida gets fucked, try XcubeBase.
Nietzsche said that what doesn't kill you makes you stronger, but what he didn't say is what almost kills you.
TIP: The sole purpose of this article is to learn reverse-engineering techniques and ways of thinking. Anyone who uses these techniques for illegal commercial gain bears the legal liability themselves; it has nothing to do with the author. The code and projects involved in this article are available in my Fenfei knowledge planet; you are welcome to join the planet to learn and explore technology together. For questions, add me on WeChat: Fenfei331.
WeChat public account: Fenfei Security, with the latest technical content pushed in real time.