1. Packet capture analysis

When you get an app, capture and analyze its network traffic first.

In the captured request, oauth_signature_method is HMAC-SHA1, and oauth_signature is the HMAC-SHA1 tag encoded as a base64 string (the %3D at its end is the URL-encoded padding character =). HMAC is a keyed hash, not encryption: the server can recompute it from the same key and the same input, but it cannot be reversed.

The Python equivalent of this signing step is shown below (originally Python 2; under Python 3 the key and data must be bytes, not str):

import hmac
import hashlib
import base64

# Token: the HMAC key (bytes); data: the string being signed (bytes)
# base64.b64encode works on both Python 2 and 3, unlike str.encode('base64')
print(base64.b64encode(hmac.new(Token, data, hashlib.sha1).digest()).decode().rstrip())

So to reproduce the signature we need two things: the data being signed and the Token used as the key.

2. JEB analyzes the Java layer

Load the APK into JEB and search for "oauth_signature"; the signature is produced by a native method, which resolves to

Java_com_mfw_tnative_AuthorizeHelper_xAuthencode in libmfw.so

3. IDA analysis of SO layer

Open the Java_com_mfw_tnative_AuthorizeHelper_xAuthencode function in IDA and the whole signing routine is laid out clearly.

A breakpoint on the SHA-1 Update function would show the data just before it is hashed.

4. frida hook

Instead of single-stepping in a debugger, hook the relevant functions with Frida and read the values as they pass through.

Why Frida? Dynamic debugging often runs into anti-debugging checks and crashes. Compared with Xposed and Cydia Substrate, Frida injects at runtime without restarting the target, and it supports Android, iOS, Linux, Windows and macOS.

Frida installation and configuration reference: https://www.frida.re/

Get the process of the frontmost application

import frida
import sys

# Connect to the frida-server reachable over the configured remote/forwarded port
rdev = frida.get_remote_device()
front_app = rdev.get_frontmost_application()
print(front_app)

Get all processes

import frida
import sys

rdev = frida.get_remote_device()
# Each entry carries the pid and process name, useful for attach(pid)
for proc in rdev.enumerate_processes():
	print(proc)

Enumerate the exported functions of a specific module loaded in the process

import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("com.mfw.roadbook")  # attach(pid) also works
for module in session.enumerate_modules():
	if module.name == "libmfw.so":
		# Export names are mangled C++ symbols; relative_address is the offset in the .so
		for export_func in module.enumerate_exports():
			print("\t%s\t%s" % (export_func.name, hex(export_func.relative_address)))

First hook the Java layer to see what the inputs to xAuthencode are

import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("com.mfw.roadbook")
scr = """
Java.perform(function () {
    var helper = Java.use("com.mfw.tnative.AuthorizeHelper");
    helper.xAuthencode.implementation = function (a, b, c, d, f) {
        console.log('Params : ' + a + ' || ' + b + ' || ' + c + ' || ' + d + ' || ' + f);
        // Call the original so the app still receives its signature
        return this.xAuthencode(a, b, c, d, f);
    };
});
"""

script = session.create_script(scr)
def on_message(message, data):
	print(message)
script.on("message", on_message)
script.load()
sys.stdin.read()

(If the hook does not return the result of the original call, the app receives undefined from xAuthencode; either way the parameters are still printed.)

Hook the SHA-1 Update function in the .so

import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("com.mfw.roadbook")
# _ZN3mfw4Sha18CContext6UpdateEPhjb demangles to
# mfw::Sha1::CContext::Update(unsigned char*, unsigned int, bool):
# args[0] is this, args[1] the data pointer, args[2] the length
scr = """
Interceptor.attach(Module.findExportByName("libmfw.so", "_ZN3mfw4Sha18CContext6UpdateEPhjb"), {
    onEnter: function (args) {
        // The buffer is not NUL-terminated, so read exactly args[2] bytes
        var len = args[2].toInt32();
        send("Param : " + Memory.readUtf8String(args[1], len));
        // hexdump also shows non-printable input
        send(hexdump(args[1], { length: len }));
    }
});
"""

script = session.create_script(scr)
def on_message(message, data):
	print(message)
script.on("message", on_message)
script.load()
sys.stdin.read()

Apart from a few Frida errors on some inputs, the Token and the data are both displayed. The Token is passed to Update first, followed by the data, which is the second parameter of xAuthencode; the Token turns out to be selected by the fourth parameter of xAuthencode.
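Once the hooks have yielded the Token (the HMAC key) and the data, the natural check is to recompute the signature from section 1 and compare it with the oauth_signature seen in the capture. The following Python 3 script is an added example, not code from the original post or from the app: the Token and data values in it are constructed placeholders, and the helper names are my own. It also shows where the %3D from section 1 comes from (OAuth percent-encodes the base64 padding) and does the comparison in constant time, which matters if the same check is ever used on a server.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed sample values standing in for the Token (HMAC key) and data
# (string being signed) recovered by the hooks; they are not from the app.
SAMPLE_TOKEN = b"constructed-consumer-secret&constructed-token-secret"
SAMPLE_DATA = b"GET&https%3A%2F%2Fexample.invalid%2Fapi&oauth_nonce%3D1234"


def signature_bytes(token: bytes, data: bytes) -> bytes:
    """Raw 20-byte HMAC-SHA1 tag: token is the key, data is the message."""
    return hmac.new(token, data, hashlib.sha1).digest()


def oauth_signature(token: bytes, data: bytes) -> str:
    """The tag as base64, which is what oauth_signature holds before URL encoding."""
    return base64.b64encode(signature_bytes(token, data)).decode("ascii")


def url_encode_signature(sig_b64: str) -> str:
    """Percent-encode the way OAuth 1.0 does: only RFC 3986 unreserved characters
    survive, so the base64 padding '=' becomes %3D and '+' and '/' are escaped too."""
    return quote(sig_b64, safe="-._~")


def verify_signature(token: bytes, data: bytes, captured: str) -> bool:
    """Recompute the signature from the hooked Token/data and compare it with the
    oauth_signature value seen on the wire (still URL-encoded)."""
    expected = signature_bytes(token, data)
    try:
        observed = base64.b64decode(unquote(captured), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return False
    return hmac.compare_digest(expected, observed)


if __name__ == "__main__":
    sig = oauth_signature(SAMPLE_TOKEN, SAMPLE_DATA)
    wire = url_encode_signature(sig)
    print("oauth_signature (base64):     ", sig)
    print("oauth_signature (on the wire):", wire)
    print("matches capture:", verify_signature(SAMPLE_TOKEN, SAMPLE_DATA, wire))
```

To use it against a real capture, replace SAMPLE_TOKEN and SAMPLE_DATA with the bytes printed by the Update hook and pass the oauth_signature value copied from the request, %3D included, to verify_signature. A mismatch usually means the data string differs in a single byte (ordering, encoding, a trailing newline), which the hexdump from the hook will show.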

To hook the output after base64 encoding, you can write:

import frida
import sys

rdev = frida.get_remote_device()
session = rdev.attach("com.mfw.roadbook")
# _ZN3mfw6Base6413base64_encodeEPKci demangles to
# mfw::Base64::base64_encode(char const*, int); its return value is the encoded string
scr = """
Interceptor.attach(Module.findExportByName("libmfw.so", "_ZN3mfw6Base6413base64_encodeEPKci"), {
    onLeave: function (retval) {
        send("result : " + Memory.readUtf8String(retval));
    }
});
"""

script = session.create_script(scr)
def on_message(message, data):
	print(message)
script.on("message", on_message)
script.load()
sys.stdin.read()

That concludes the analysis; the remaining details of the signing routine are omitted.