1. Goal

Boss Li: Fenfei, I hear an e-commerce app has been upgraded and now produces a 64-character sign. What's more, the request parameters are encrypted!

Fenfei: So cool, pull out our pan pan.

v10.3.2

2. Steps

32 characters vs. 64 characters

Of all the approaches we know, should we search for strings first, or hook first?

As the Master said: when you see a 32-character signature, think of MD5 and HmacSHA1; when you see a 64-character signature, think of HmacSHA256.

Let's start by hooking the Java cryptography functions:

```javascript
// Helpers for printing byte[] arguments. They are not shown in the original
// script and are supplied here so the hook script runs on its own.
function bytesToString(arr) { return Java.use('java.lang.String').$new(arr); }
function bytesToHex(arr) {
    var s = '';
    for (var i = 0; i < arr.length; i++) { s += ('0' + (arr[i] & 0xff).toString(16)).slice(-2); }
    return s;
}
function bytesToBase64(arr) { return Java.use('android.util.Base64').encodeToString(arr, 0); }

Java.perform(function () {
    // SecretKeySpec(byte[] key, String algorithm): shows which algorithm a key is created for
    var secretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
    secretKeySpec.$init.overload('[B', 'java.lang.String').implementation = function (a, b) {
        var result = this.$init(a, b);
        console.log(">>> algorithm name " + b);
        return result;
    };

    // Mac.getInstance(String): prints the MAC algorithm name
    var mac = Java.use('javax.crypto.Mac');
    mac.getInstance.overload('java.lang.String').implementation = function (a) {
        // showStacks();
        var result = this.getInstance(a);
        console.log("mac ======================================");
        console.log("algorithm: " + a);
        return result;
    };

    // Mac.doFinal(byte[]): prints the data being signed and the resulting MAC
    mac.doFinal.overload('[B').implementation = function (a) {
        // showStacks();
        var result = this.doFinal(a);
        console.log("mac ======================================");
        console.log("doFinal parameters: " + bytesToString(a));
        console.log("doFinal results (hex): " + bytesToHex(result));
        console.log("doFinal results (base64): " + bytesToBase64(result));
        // var stack = threadinstance.currentThread().getStackTrace();
        // console.log("Full call stack:" + Where(stack));
        return result;
    };
});
```

Run it.

TIP: refer back to the earlier article at 91fans.com.cn/post/ldqsig… and change the Frida port number.

Sure enough, it was.

What is the key?

The difference between HmacSHA256 and MD5 is that HmacSHA256 takes a key. Let's try to find that key.

Print the call stack first:

```
Full call stack:dalvik.system.VMStack.getThreadStackTrace(Native Method)
java.lang.Thread.getStackTrace(Thread.java:1720)
javax.crypto.Mac.doFinal(Native Method)
com.jxxxxong.sdk.xxcrashreport.a.z.a(XXCrashReportFile:63)
com.jxxxxong.sdk.xxcrashreport.a.z.a(XXCrashReportFile:136)
com.jxxxxong.sdk.xxcrashreport.a.o.Ve(XXCrashReportFile:154)
com.jxxxxong.sdk.xxcrashreport.a.o.<init>(XXCrashReportFile:135)
com.jxxxxong.sdk.xxcrashreport.a.o.<init>(XXCrashReportFile:37)
com.jxxxxong.sdk.xxcrashreport.a.o$a.Vf(XXCrashReportFile:245)
com.jxxxxong.sdk.xxcrashreport.a.ai$a.run(XXCrashReportFile:133)
```

I tried to find this key directly in the static code, but got lost.

Forget it, add a hook.

```javascript
Java.perform(function () {
    // Hook a.z.a(byte[] data, byte[] key), the frame just above Mac.doFinal in the stack above
    var getKeyCls = Java.use("com.jxxxxong.sdk.xxcrashreport.a.z");
    getKeyCls.a.overload('[B', '[B').implementation = function (a, b) {
        var result = this.a(a, b);
        // Both byte[] arguments are printable text, so decode them as Java strings
        var StrCls = Java.use('java.lang.String');
        var keyStr = StrCls.$new(b);
        var dataStr = StrCls.$new(a);
        console.log(">>> dataStr=" + dataStr);
        console.log(">>> key=" + keyStr);
        console.log(">>> rc=" + result);
        return result;
    };
});
```

Keep running:

Verify it

We have the plaintext, the key and the result, so we can verify it.

```python
import hmac
from hashlib import sha256

# Placeholder: the HmacSHA256 key is the value printed as ">>> key=" by the hook above
# (not reproduced in the article); substitute the captured key here.
appsecret = b"<key captured by the hook>"


def main():
    # The ">>> dataStr=" value printed by the hook (partially masked with K's)
    data = (
        "yingyan"
        "&R4iSKKKKKKKKKK3Ckm6NCKyP4XpntPMcsmTiVIdoeOlPYBLNS1PK0O4e747X79c5P3zFQbh3LbJlFUCRaaIQTPKmipOYkJUu6OAqZT1xx6MMacwY/v5yxRvbdYAwdhXVCF7zmi+DHbQ16PPDpnR9PPnPifGbirJeG9yKKKK"
        "&R4iSKKKKKKKKKBC0CtGnLKMgYWz/LGKKKK=="
        "&android"
        "&10.3.2"
        "&R4iSKKKKKKKKKOlFz0/FIGUKUpUcZGYKKKK="
        "&R4iSKKKKKKKKKKlShOtDUJLIsFKLKA589d0AKKKK"
        "&uvReport"
        "&R4iSKKKKKKKKKNC0KKNrTV2rKqKKKK=="
        "&huawei"
        "&R4iSKKKKKKKKKNC0CJRGCtS3DKSK/BvloKuKKKK="
        "&E1.1"
        "&1641614274084"
        "&R4iSKKKKKKKKKNDBjBK0JNG1DurECbE0iBGOKNhLaV4GKKKK"
    ).encode('utf-8')
    # Sign produced by the app for this data:
    # 890394FD47EB218CADB73B3FFF976CFE571AC255E1BD5F7AFE427CED13B52DBC
    signature = hmac.new(appsecret, data, digestmod=sha256).hexdigest().upper()
    print(signature)


if __name__ == '__main__':
    main()
```

Life is short, use Python.
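The check above, generalized, as an added example (not the article's code): pick candidate digests from the sign length, the 32-vs-64-character rule used earlier, then recompute with the captured key as plain hash, HMAC and hash(data+key) to see which variant reproduces the sign. The key, data and sign below are constructed, not values captured from the app.

```python
import hmac
import hashlib
from typing import List, Optional

# Hex-digest length in characters -> digest algorithms that produce it.
# This is the rule of thumb from the article: 32 chars points at MD5,
# 40 at SHA-1/HmacSHA1, 64 at SHA-256/HmacSHA256.
DIGEST_LENGTHS = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}


def candidate_algorithms(sign: str) -> List[str]:
    """Digest names whose hex output is exactly as long as the captured sign."""
    return DIGEST_LENGTHS.get(len(sign), [])


def verify_sign(key: bytes, data: bytes, sign: str) -> Optional[str]:
    """Recompute the sign with each candidate as a plain hash, as an HMAC with
    the captured key, and as hash(data + key); return the variant that matches."""
    target = sign.lower()
    for name in candidate_algorithms(sign):
        variants = {
            name: hashlib.new(name, data).hexdigest(),
            "hmac-" + name: hmac.new(key, data, name).hexdigest(),
            name + "(data+key)": hashlib.new(name, data + key).hexdigest(),
        }
        for label, digest in variants.items():
            # constant-time comparison, the same habit a server-side verifier should have
            if hmac.compare_digest(digest, target):
                return label
    return None


# Constructed sample, not values captured from the app: a short parameter
# string in the article's "&"-joined layout, a made-up key, and the sign
# computed the way the hook observed it (HmacSHA256, upper-case hex).
SAMPLE_KEY = b"constructed-app-secret"
SAMPLE_DATA = b"yingyan&android&10.3.2&huawei&1641614274084"
SAMPLE_SIGN = hmac.new(SAMPLE_KEY, SAMPLE_DATA, "sha256").hexdigest().upper()

if __name__ == "__main__":
    print(len(SAMPLE_SIGN), candidate_algorithms(SAMPLE_SIGN))  # 64 ['sha256']
    print(verify_sign(SAMPLE_KEY, SAMPLE_DATA, SAMPLE_SIGN))     # hmac-sha256
```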

Call it a day and take a break; the parameter encryption will be done tomorrow.

3. Summary

I captured the traffic again and compared: the signature pattern &sign=xxx&SV=xxx is still there, so the algorithm most likely hasn't changed.

The 64-character sign already existed in a previous version, and most likely hasn't changed either.

So, the boss is always right.

If you dig down where you’re standing, you’ll find fresh water.

TIP: The only purpose of this article is to learn reverse-engineering techniques and ways of thinking. If anyone uses these techniques for illegal commercial gain, the legal liability is theirs alone and has nothing to do with the author. The code project involved in this article is available in my Star; you are welcome to join the Star to learn and explore technology together. If you have questions, add me on WeChat: FENfei331.

WeChat official account: Fenfei Security, with the latest technical content pushed in real time.