1. Goal

Boss Li: Fenfei, I came across a super awesome App. Its requests carry an encrypted data parameter, and after trying all the methods you’ve introduced I still couldn’t figure out how it is encrypted.

Fenfei: As Confucius said, a boss’s mouth is a lying ghost. If the App were that awesome, we’d be out of a job.

A certain magical App, v10.1.0

Click Community -> open any article that has comments.

Today’s target is this data parameter.

2. Steps

String search

The target is data, so search for “data” first.

There were over 130 results, and I started going through them one by one. This is the unglamorous side of reversing; a lot of it is drudgery.

For example, the classes whose names start with Baidu, Meizu, Tencent or Google almost certainly belong to third-party SDKs and can be ruled out.

The hit criterion is that “data” and “timestamp” appear together.

Unfortunately I did not find it. Maybe there were too many results and, with my eyes glazing over, I missed it.

Let’s try searching “timestamp” instead, with the same condition that it appears together with “data”. This is guesswork too.

This time there were only 40 results. I went through them carefully and still found nothing. Give up: the feature-string search has failed.

Hook Base64

This data looks very much like Base64, so the first step is to hook Base64.

// Hook android.util.Base64.encodeToString(byte[], int) and print every encoded result
Java.perform(function () {
    var Base64Class = Java.use("android.util.Base64");
    Base64Class.encodeToString.overload("[B", "int").implementation = function (a, b) {
        var rc = this.encodeToString(a, b);
        console.log(">>> Base64 " + rc);
        return rc;
    };
});

Running Frida: spawn mode couldn’t start the app, complaining either that the package name didn’t exist or that the app name couldn’t be found.

Anyway, attach mode worked.

However, as expected, there was no output. After all, Boss Li has been around us for so long that he must have tried hooking Base64 himself.

Hook java.lang.StringBuilder to locate the string

If strings are assembled in the Java layer, chances are they can’t avoid StringBuilder. Let’s look at the characteristics of data.

The two values don’t share the same beginning, but the body looks the same, and both contain “+”.

// Hook StringBuilder.toString and print any result that matches the features of data
Java.perform(function () {
    var strCls = Java.use("java.lang.StringBuilder");
    strCls.toString.implementation = function () {
        var result = this.toString();
        var s = result ? result.toString() : "";

        // Feature match: contains '+' and is longer than 150 characters
        if (s.indexOf("+") >= 0 && s.length > 150) {
            console.log(" >>> string " + s);

            // Uncomment to print the Java call stack of the match:
            // var Log = Java.use("android.util.Log");
            // var Exception = Java.use("java.lang.Exception");
            // console.log("Full call stack:" + Log.getStackTraceString(Exception.$new()));
        }
        return result;
    };
});

We match on “+” and a string length greater than 150; counting on my fingers, data is about 190 characters long.

Frida ran in attach mode, but there was still no output. Something was wrong. I then removed the filter and printed everything the StringBuilder hook saw, and there was still no output.

Maybe attach mode is the problem, so spawn mode will have to be used.
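A stricter version of the “+ and longer than 150” filter used above, as an added example that is not code from the original post: it requires the standard Base64 alphabet, computes the decoded byte length, and checks whether that length is a multiple of a 16-byte block (SM4 and AES both use 16-byte blocks, so block-cipher output in ECB/CBC with PKCS#7 padding is always block-aligned). The helper names, the Node.js guard and the sample strings are my own; the hook only installs when Frida’s Java bridge is present.

```javascript
// Added example (not from the original post): stricter filter for the "data"
// strings hunted above, a Base64 length check for block alignment, and a
// StringBuilder hook that only installs when Frida's Java bridge is present.
var STD_B64 = /^[A-Za-z0-9+\/]+={0,2}$/;

// Standard-alphabet Base64, contains '+', and at least minLen characters.
function looksLikeTargetData(s, minLen) {
  minLen = minLen || 150;
  if (typeof s !== "string" || s.length < minLen) return false;
  return STD_B64.test(s) && s.indexOf("+") >= 0;
}

// Decoded byte length of a Base64 string, padded or not; null if malformed.
function base64DecodedLength(s) {
  if (typeof s !== "string") return null;
  var body = s.replace(/=+$/, "");
  if (!STD_B64.test(body) || body.length % 4 === 1) return null;
  return Math.floor(body.length * 3 / 4);
}

// Block-cipher output decodes to a multiple of the block size:
// a 192-char Base64 value is 144 bytes = 9 SM4/AES blocks.
function isBlockAligned(s, blockSize) {
  var n = base64DecodedLength(s);
  blockSize = blockSize || 16;
  return n !== null && n > 0 && n % blockSize === 0;
}

if (typeof Java !== "undefined") {
  Java.perform(function () {
    var Log = Java.use("android.util.Log");
    var Exception = Java.use("java.lang.Exception");
    var SB = Java.use("java.lang.StringBuilder");
    var inHook = false; // StackTraceElement.toString() uses StringBuilder too
    SB.toString.implementation = function () {
      var result = this.toString();
      if (inHook) return result;
      var s = result ? result.toString() : "";
      if (looksLikeTargetData(s)) {
        inHook = true;
        console.log(">>> candidate, " + base64DecodedLength(s) + " bytes, " +
          (isBlockAligned(s) ? "block-aligned: " : "not block-aligned: ") + s);
        // The call stack is what points at the code that built the string.
        console.log(Log.getStackTraceString(Exception.$new()));
        inHook = false;
      }
      return result;
    };
  });
}
```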

Xcube

Xcube, which we have ignored for a long time, can now come in handy. Xcube doesn’t use Frida’s spawn mode but provides the same effect as spawn mode; for the specific usage, see 91 fans.com.cn/post/antifr… .

Configure xCube.yaml and run it.

Damn, Boss Li was right this time: there was still no output. Xcube doesn’t work either.

Switch phones

Honestly, netizens often ask me why they can’t hook, why the app won’t start, why they can’t capture packets.

This is pure metaphysics. Maybe just change your phone.

I have several test phones, each with different packet-capture software and a different Android version.

Finally, on a Google Pixel 2 XL, I successfully started the app in Frida spawn mode and the string information was printed.

Sure enough, there was a pile of Base64 data, but not the data we were looking for.

hook_libart

The Java-layer hooks didn’t catch the data, so let’s go to the Native layer and hook the JNI string functions in libart.

var libart = Process.getModuleByName("libart.so");
var addrGetStringUTFChars = null;
var addrNewStringUTF = null;

// Resolve the two JNI entry points by symbol name, skipping the CheckJNI
// variants (the usual way hook_libart scripts find them).
libart.enumerateSymbols().forEach(function (symbol) {
    if (symbol.name.indexOf("art") >= 0 && symbol.name.indexOf("JNI") >= 0
        && symbol.name.indexOf("CheckJNI") < 0) {
        if (symbol.name.indexOf("GetStringUTFChars") >= 0) {
            addrGetStringUTFChars = symbol.address;
        } else if (symbol.name.indexOf("NewStringUTF") >= 0) {
            addrNewStringUTF = symbol.address;
        }
    }
});

// Same feature match as in the Java layer: contains '+' and longer than 150
function isCandidate(string) {
    return string != null && string.indexOf("+") >= 0 && string.length > 150;
}

if (addrGetStringUTFChars != null) {
    Interceptor.attach(addrGetStringUTFChars, {
        onEnter: function (args) {},
        onLeave: function (retval) {
            // retval is the const char* handed back to native code
            if (!retval.isNull()) {
                var string = retval.readCString();
                if (isCandidate(string)) {
                    console.log("[GetStringUTFChars] result:" + string);
                }
            }
        }
    });
}

if (addrNewStringUTF != null) {
    Interceptor.attach(addrNewStringUTF, {
        onEnter: function (args) {
            // args[1] is the const char* being turned into a Java String
            if (!args[1].isNull()) {
                var string = args[1].readCString();
                if (isCandidate(string)) {
                    console.log("[NewStringUTF] bytes:" + string);
                }
            }
        },
        onLeave: function (retval) {}
    });
}

After running a while longer, there was still no sign of the data we’re looking for.

A brief summary

Strings in an App appear either in the Java layer or in the Native layer. We’ve hooked both, and still can’t find it.

Only one possibility is left: this string isn’t processed in the App at all.

For example, a browser embedded in the App runs an H5 page in which JS does the encryption and sends the HTTP request…

In that case, there is nothing for us to hook.

Debug the JS in the web page

In the packet-capture results we find the GET request for the article:

Ccgateway.paas.xxxchina.com/ccgateway/s…

It can then be opened directly in Chrome.

Refresh, and the data we have been longing for appears.

So we were fooled by Boss Li after all: the encryption is web JS, and you could dig through the App forever without finding it.

Now we know that the comments-and-reply-encrypt request comes from JS.

Searching for it shows that it comes from articledetail.js.

Double-click the search result to locate the JS in the Network panel, then right-click and choose Open in Sources Panel to reach the Sources window.

The source is minified, so click the {} icon to pretty-print it.

Then search for comments-and-reply-encrypt in the articledetail.js source.

getCommentEncrypt is located.

Continuing the search for getCommentEncrypt, we locate an encryption function named encryptSm4ECB.

Such a conspicuous name is most likely our beloved data encryption.

The function is unambiguous: it returns data and timestamp.

Set a breakpoint on it and refresh the page. The breakpoint is hit.

Done. Call it a day.

3. Summary

Strings must be traced at runtime, not by searching the APK.

There are many ways to build an App nowadays, and the traditional skills should not be lost. After a long time of tinkering, this sample turned out to be just a web page.

When you have eliminated the impossible, whatever remains, however improbable, is the truth.

TIP: The only purpose of this article is to learn more reverse-engineering techniques and ways of thinking. If anyone uses these techniques to obtain illegal commercial gains, the legal liability is theirs alone and has nothing to do with the author. The code for the project covered in this article is available on my Fenfei Planet (Knowledge Planet); you are welcome to join the planet and explore technical knowledge together. If you have questions, add me on WeChat: FENfei331.

WeChat official account: Fenfei Security, real-time push of the latest technical content.