I. Goal
Today's target is the request signature of a certain e-commerce app. Its "shield" signature has existed for several years, and the latest version (v6.73.0) is an upgrade of it.
Previously the shield was an MD5-like string; this time it looks like Base64.
II. Steps
As usual, open the APK in JADX and search globally for "shield".
As expected, nothing useful turns up. That is no surprise: any app that cares even a little about protection will not leave its signature logic in the Java layer.
Hooking Base64 makes little sense either, because the string is clearly only surfacing in the Java layer rather than being built there. So here we use one of the big guy's new toys, frida_hook_libart:
Github.com/lasting-yan…
It hooks libart.so, i.e. the ART/JNI functions, at the Native layer. The repository contains three scripts:
- hook_RegisterNatives: hooks dynamically registered JNI methods; we used it in the previous tutorial, App Signature Algorithm Analysis (I)
- hook_art.js: hooks the ART/JNI functions
- hook_artmethod.js: a more detailed hook; this will be used next time
Fire up your beloved Frida and run hook_art.js.
The NewStringUTF function is what turns the native shield signature into a Java String. This time the remaining print output is masked, and whenever the NewStringUTF argument is longer than 50 bytes the call stack is printed, which is enough to locate where the signature was produced:
// addrNewStringUTF is resolved earlier in hook_art.js (the address of JNIEnv->NewStringUTF)
if (addrNewStringUTF != null) {
    Interceptor.attach(addrNewStringUTF, {
        onEnter: function (args) {
            // NewStringUTF(JNIEnv* env, const char* bytes): args[1] is the C string
            if (args[1] != null && !args[1].isNull()) {
                var string = Memory.readCString(args[1]);
                // Short strings are class names and constants; the shield signature is longer than 50 bytes
                if (string != null && string.length > 50) {
                    console.log("[NewStringUTF] bytes: " + string);
                    // Print the call stack so the caller inside libshield.so can be located
                    console.log(Thread.backtrace(this.context, Backtracer.FUZZY)
                        .map(DebugSymbol.fromAddress).join("\n"));
                }
            }
        },
        onLeave: function (retval) {}
    });
}
The target shows up: the caller that produces the signature is at offset 0x93fa8 in libshield.so. Open the library in IDA and look around.
Offset 0x93fa8 lies inside sub_939D8. Who calls sub_939D8? Press the 'X' key on sub_939D8 to jump to its cross references:
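The backtrace that hook_art.js prints is made of absolute runtime addresses, and the useful number is the offset inside libshield.so (0x93fa8 above), which is what IDA's "Jump to address" wants. The following is an added example, not code from the article or from frida_hook_libart: the address arithmetic is plain JavaScript so it can be exercised outside the Frida agent, and the Frida-specific part (resolving NewStringUTF from slot 167 of the JNIEnv function table and attaching to it) only runs when the script is loaded by Frida. The library name libshield.so and the 50-byte threshold come from the article; the module bases, sizes and backtrace addresses in the sample table are constructed.

```javascript
// Added example: symbolize a Frida backtrace as "libname+0xoffset" so each frame
// can be jumped to directly in IDA. Not part of the original article.

// Map one address onto a table of {name, base, size} entries (base as a hex
// string, size in bytes). Returns "name+0xoff" on a hit, the bare address on a miss.
function frameToOffset(addr, modules) {
  const a = BigInt(addr);
  for (const m of modules) {
    const base = BigInt(m.base);
    if (a >= base && a < base + BigInt(m.size)) {
      return m.name + '+0x' + (a - base).toString(16);
    }
  }
  return '0x' + a.toString(16);
}

// Symbolize a whole backtrace; with onlyModule set, keep only the frames inside
// that library (frames in libart/libc are rarely the interesting ones).
function symbolizeBacktrace(frames, modules, onlyModule) {
  return frames
    .map(f => frameToOffset(f, modules))
    .filter(s => !onlyModule || s.startsWith(onlyModule + '+'));
}

// The article's filter: a NewStringUTF argument is worth logging only when it is
// longer than 50 bytes, which skips class names and short constants.
function isCandidateSignature(str, minLen) {
  const limit = minLen === undefined ? 50 : minLen;
  return typeof str === 'string' && str.length > limit;
}

// Constructed module table and backtrace, shaped like Process.enumerateModules()
// and Thread.backtrace() output on a 64-bit device. All values are made up.
const SAMPLE_MODULES = [
  { name: 'libart.so',    base: '0x7a10000000', size: 0x400000 },
  { name: 'libshield.so', base: '0x7a20000000', size: 0x200000 },
];
const SAMPLE_BACKTRACE = ['0x7a10012340', '0x7a20093fa8', '0x7a200939f0', '0x7a30000000'];

if (typeof Interceptor !== 'undefined') {
  // Running inside Frida. JNIEnv is a pointer to the JNINativeInterface function
  // table; NewStringUTF is slot 167 of that table, so no symbol lookup is needed.
  Java.perform(function () {
    const fnTable = Java.vm.getEnv().handle.readPointer();
    const newStringUTF = fnTable.add(167 * Process.pointerSize).readPointer();
    const modules = Process.enumerateModules()
      .map(m => ({ name: m.name, base: m.base.toString(), size: m.size }));
    Interceptor.attach(newStringUTF, {
      onEnter: function (args) {
        // NewStringUTF(JNIEnv* env, const char* bytes): args[1] is the C string
        const s = args[1].isNull() ? null : args[1].readCString();
        if (!isCandidateSignature(s, 50)) return;
        console.log('[NewStringUTF] ' + s);
        const frames = Thread.backtrace(this.context, Backtracer.FUZZY).map(p => p.toString());
        // Only libshield.so frames, already as offsets usable in IDA
        console.log(symbolizeBacktrace(frames, modules, 'libshield.so').join('\n'));
      }
    });
  });
}
```

With the sample table, the frame 0x7a20093fa8 becomes libshield.so+0x93fa8, the libart frame and the unmapped address are dropped, and only the two libshield.so frames remain. On a real device the offsets come out relative to the library base that Frida reports, which is the same base IDA assumes when you rebase nothing.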
The reference comes from the RegisterNatives table: the method name is intercept, and the signature string that IDA shows as "(Lokhttp3/Interceptor",0x24,"Chain;J)Lokhttp3/Response;" is (Lokhttp3/Interceptor$Chain;J)Lokhttp3/Response; (0x24 is the '$' character).
The long-neglected JADX comes back on stage: search for intercept(
- Why search for intercept( rather than intercept: intercept is a method, so adding the "(" narrows the results down further.
- The match must be a native method with the same number and types of arguments (Interceptor.Chain, long) and the same return type (Response), and its class name must contain shield.
The hook:
Java.perform(function () {
    var shieldCls = Java.use("com.xxx.shield.http.XhsHttpInterceptor");
    // intercept is native: (Lokhttp3/Interceptor$Chain;J)Lokhttp3/Response;
    shieldCls.intercept.overload('okhttp3.Interceptor$Chain', 'long').implementation = function (chain, j) {
        var result = this.intercept(chain, j);
        var request = chain.request();
        // Print the outgoing request and the response returned by the native code
        console.log(request.toString());
        console.log(result.toString());
        return result;
    };
});
The printout looks like this:
What? Do apps not play fair any more? Where is the input? Where is the signature calculation?
This app has moved parameter concatenation, signature calculation, sending the request and a whole chain of key and non-key logic into the .so. There is no clean interface for parameter signing to be had.
III. Summary
How to play now?
- As before, keep calling the intercept function, but hook the parameter-concatenation routine inside the .so and tamper with some of the parameters; then hook the function in the .so that receives the return value, to get the HTTP response.
- Improve your ARM assembly analysis skills and honestly analyse the .so.
When the times abandon you, they don't even say goodbye.
TIP: The only purpose of this article is to learn reverse-engineering techniques and ways of thinking. Anyone who uses these techniques to obtain illegal commercial gain bears the legal liability themselves; it has nothing to do with the author. The code involved in this article can be found in my project; you are welcome to star it and explore the technology together. Questions can be discussed with me on WeChat: Fenfei331.
WeChat official account: fenfei security, with the latest technical content pushed in real time.