I. Goal
Boss Li: Fenfei, I came across a super awesome App. When it sends a request there is an encrypted data parameter. After using all the methods you introduced, I still couldn't find out how it was encrypted.
Fenfei: Confucius said, the boss's mouth is a deceiving ghost. With such an awesome App, we'd be out of a job.
A certain magical App, v10.1.0
Click Community -> open any article that has comments
Today's target is this data parameter.
II. Steps
Search for character strings
The target is data, so let's search for "data" first.
There were over 130 results, and I started analysing them one by one. Reversing is not that glamorous; a lot of it is drudgery.
For example, classes whose names begin with Baidu, Meizu, Tencent or Google are most likely part of third-party SDKs and can be ruled out.
The hit criterion is that "data" and "timestamp" appear together.
Unfortunately I did not find it. Maybe there were too many results, my eyes glazed over and I missed it.
Let's try "timestamp" instead, as long as it appears together with "data". This is guesswork too.
This time there were only 40 results. I went through them carefully and still found nothing. Give up here; the feature-string search has failed.
Hook Base64
This data looks very much like Base64, so our first step is to hook Base64.
Java.perform(function () {
    var Base64Class = Java.use("android.util.Base64");
    // Log every string produced by Base64.encodeToString(byte[], int)
    Base64Class.encodeToString.overload("[B", "int").implementation = function (a, b) {
        var rc = this.encodeToString(a, b);
        console.log(">>> Base64 " + rc);
        return rc;
    };
});
Frida runs, but spawn mode won't start: either the package name doesn't exist or the app name can't be found.
Anyway, attach mode worked.
However, as expected, there was no output. After all, Boss Li has hung around with us so many times, he must have tried hooking Base64 himself.
Hook java.lang.StringBuilder to locate the string
If strings are assembled in the Java layer, chances are they won't escape StringBuilder. Let's look at the characteristics of data.
They don't share the same beginning, but the body looks alike, and both contain a + in the string.
Java.perform(function () {
    var strCls = Java.use("java.lang.StringBuilder");
    strCls.toString.implementation = function () {
        var result = this.toString();
        // Only log strings that look like our data parameter:
        // they contain '+' and are longer than 150 characters
        if (result.indexOf("+") >= 0 && result.length > 150) {
            console.log(" >>> string " + result);
            // To see who built the string, uncomment to print the Java call stack:
            // console.log(Java.use("android.util.Log").getStackTraceString(
            //     Java.use("java.lang.Throwable").$new()));
        }
        return result;
    };
});
We match on + and a string length greater than 150; counting on my fingers, the length of data is about 190.
Frida ran in attach mode, but there was still no output. Something was wrong. We then printed every string that passed through the StringBuilder hook, and there was still nothing.
Maybe attach mode is the problem and we have to use spawn mode.
Xcube
Xcube, which we have ignored for a long time, can come in handy here. Xcube cannot use Frida's spawn mode, but it provides the same effect as spawn mode; for the specific usage see 91fans.com.cn/post/antifr… .
Configure xCube.yaml and run.
Heck, Boss Li was right this time: still no output. Xcube doesn't work either.
Change the phone
Honestly, netizens often ask me why they can't hook, why they can't start the app, why they can't capture packets.
This really is metaphysics. Maybe you should change your phone.
I have several test machines, each with different packet-capture software and different Android versions.
Finally, I successfully started the app in Frida spawn mode on a Google Pixel 2 XL and printed out the string information.
Sure, there is a pile of Base64 data out there, but none of it is the data we're looking for.
hook_libart
The Java layer doesn't yield the data, so let's go to the Native layer.
// addrGetStringUTFChars / addrNewStringUTF must point at the ART JNI
// implementations in libart.so; the original snippet assumes they were
// resolved beforehand, which is done here by symbol name (the usual
// approach for hook_libart-style scripts).
var addrGetStringUTFChars = null;
var addrNewStringUTF = null;
Process.getModuleByName("libart.so").enumerateSymbols().forEach(function (sym) {
    if (sym.name.indexOf("art") >= 0 && sym.name.indexOf("JNI") >= 0 && sym.name.indexOf("CheckJNI") < 0) {
        if (sym.name.indexOf("GetStringUTFChars") >= 0) addrGetStringUTFChars = sym.address;
        if (sym.name.indexOf("NewStringUTF") >= 0) addrNewStringUTF = sym.address;
    }
});

if (addrGetStringUTFChars != null) {
    // Java -> native: log strings the native side reads out of a jstring
    Interceptor.attach(addrGetStringUTFChars, {
        onEnter: function (args) {},
        onLeave: function (retval) {
            // retval is a NativePointer, so test for NULL with isNull(), not != null
            if (!retval.isNull()) {
                var string = Memory.readCString(retval);
                if (string != null && string.indexOf("+") >= 0 && string.length > 150) {
                    console.log("[GetStringUTFChars] result:" + string);
                }
            }
        }
    });
}
if (addrNewStringUTF != null) {
    // native -> Java: log strings the native side hands back as a jstring
    Interceptor.attach(addrNewStringUTF, {
        onEnter: function (args) {
            if (!args[1].isNull()) {
                var string = Memory.readCString(args[1]);
                if (string != null && string.indexOf("+") >= 0 && string.length > 150) {
                    console.log("[NewStringUTF] bytes:" + string);
                }
            }
        },
        onLeave: function (retval) {}
    });
}
After running a little longer, still no sign of the data we're looking for.
A quick summary
Strings in an App appear either in the Java layer or in the Native layer. We hooked both, and we still can't find it.
There is only one possibility left: this string is not processed inside the App at all.
For example, a browser embedded in the App runs an H5 page, and the JS in that page does the encryption and sends the HTTP request…
In that case, none of our hooks will ever see it.
Debug the JS in the web page
In the packet-capture results we find the GET request for the article:
Ccgateway.paas.xxxchina.com/ccgateway/s…
Then you can open it directly in Chrome.
Refresh, and you'll find the data we've been longing for.
So we were fooled by Boss Li after all: the encryption is in web JS; you could search the App forever and never find it.
Now that we know the comments-and-reply-ENCRYPT request comes from JS,
a search shows it comes from articledetail.js.
Double-click the search result to locate the JS in the Network window, then right-click "Open in Sources panel" to reach the source window.
The source code is a bit messy; click the {} icon to pretty-print it.
Then search for comments-and-reply-encrypt in the articledetail.js source.
getCommentEncrypt is located.
Continuing the search for getCommentEncrypt, we locate an encryption function called encryptSm4ECB.
With such a fancy name, this is most likely our beloved data encryption.
The function is unambiguous: it returns data and timestamp.
Set a breakpoint on it and refresh the page. The breakpoint is triggered successfully.
Done. Call it a day.
III. Summary
Strings must be traced at runtime, not in the APK.
Nowadays there are many ways to build an App, and the traditional skills should not be lost. This sample turned out to be just a web page after a long time of tinkering.
When you have eliminated the impossible, whatever remains, however improbable, must be the truth.
TIP: The only purpose of this article is to learn more reverse-engineering techniques and ways of thinking. If anyone uses these techniques to obtain illegal commercial gain, the legal liability lies with that operator and has nothing to do with the author. The code involved in this article can be obtained by joining my Fenfei star group; you are welcome to join and explore technical knowledge together. If you have questions, add me on WeChat: FENfei331 for discussion.
WeChat official account: Fenfei Security, the latest technical content pushed in real time.