Notes on reverse engineering an APP, mainly sharing the problems I ran into and how I solved them.
To do some simple packet capture and data monitoring for M station, the first thought was to call the official APP's data interface directly: simple, and with a simple data structure!
Below are notes analyzing the data interaction between the app client and server.
I had already decompiled and analyzed the APP at an earlier stage; the basic situation was as follows:
The APP was only obfuscated, with no further protection, so off-the-shelf tools decompiled it successfully. The client connects to the server over HTTPS.
When I saw the HTTPS connection I had no idea how to capture the traffic, but then I found that its API can also be accessed over plain HTTP (this is the premise of everything that follows; all the work builds on it). Happiness came too suddenly: search the smali files for https, change it to http, repackage, run, and then tcpdump.
After downloading and installing several later versions, I found that they had strengthened security:
The APP now goes a step further against reversing. First, anti-decompilation processing: I tried several tools, and each one exited abnormally as soon as decompilation started, so I assume the APK had been treated against it. Second, the URL used to talk to the server is written in C and placed in liburl.so under the lib directory, which makes decompiling harder.
Where to start?
Searching online, I found that the .so file can be opened and viewed with IDA Pro 6.6 (a reverse-engineering tool). Download, install, open, and all the URLs are right there.
IDA Pro 6.6 viewing the content of the .so file
Change the URL from HTTPS to HTTP, run the app normally, then capture the URL and request parameters. But now there are two problems:
1. How do you modify the .so file? 2. How do you put it back after modifying it?
First, edit the strings in the .so file directly with the 010Editor tool.
Follow one rule: when modifying the file's contents, do not disturb the addresses of the other contents. If the offsets of other data shift, the code will break.
1. If the new string is the same length as the original, you can overwrite it directly. 2. If the new string is shorter than the original, pad it with null characters to the original length. 3. If the new string is longer than the original, add the complete new string elsewhere and then change the pointer (relative address) that the code uses to reference the original string.
Search for “https”: there are two occurrences, matching what IDA showed. In the text column on the right, change https to a space followed by http, which keeps the length the same.
010Editor modifying the content of the .so file
Second, use the modified file to replace the one unpacked when the APK was installed; the .so file path is /data/data/ /lib/liburl.so. After restarting the app with the replaced library, you can view the HTTP data.
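As an added illustration that is not from the original post, the following Python models the length rule above against a constructed string table: a same-length overwrite keeps every other string's offset valid, a longer splice silently corrupts them, and url_literals shows what the strings view of a native library exposes to anyone with a disassembler. The table layout, the URLs and all function names are assumptions made for the example.

```python
# Constructed stand-in for a .rodata section: NUL-terminated C strings laid out
# back to back, plus the fixed offsets the native code uses to reach each one.
STRINGS = [b"https://api.example.invalid/v1/", b"UA/1.0", b"https://cdn.example.invalid/"]

def build_rodata(strings):
    """Return (blob, offsets): every string NUL-terminated, offsets = start bytes."""
    blob, offsets = bytearray(), []
    for s in strings:
        offsets.append(len(blob))
        blob += s + b"\0"
    return bytes(blob), offsets

def read_cstring(blob, off):
    """Read the NUL-terminated string at off, as a C caller holding a pointer would."""
    return blob[off:blob.index(b"\0", off)]

def url_literals(blob):
    """(offset, string) for each NUL-terminated string that carries a URL scheme.
    This is roughly what IDA's strings view shows: plaintext literals in a .so."""
    found, pos = [], 0
    while pos < len(blob):
        end = blob.find(b"\0", pos)
        if end == -1:
            break
        s = blob[pos:end]
        if b"https://" in s or b"http://" in s:
            found.append((pos, s))
        pos = end + 1
    return found

def patch_in_place(blob, old, new):
    """Rules 1 and 2 from the post: same length -> overwrite; shorter -> pad with
    NULs. Longer needs rule 3 (append + fix pointers), so it is refused here."""
    if len(new) > len(old):
        raise ValueError("replacement longer than original: later offsets would shift")
    off = blob.index(old)
    return blob[:off] + new + b"\0" * (len(old) - len(new)) + blob[off + len(old):]

def naive_splice(blob, old, new):
    """The mistake rule 3 guards against: a longer string moves every byte after it."""
    off = blob.index(old)
    return blob[:off] + new + blob[off + len(old):]

if __name__ == "__main__":
    blob, offs = build_rodata(STRINGS)
    good = patch_in_place(blob, b"https://api", b" http://api")  # same length, offsets intact
    bad = naive_splice(blob, b"https", b"http+x")  # one byte longer, offsets shift
    print(url_literals(blob), read_cstring(good, offs[1]), read_cstring(bad, offs[1]))
```

Reading offset 1 after the naive splice returns an empty string, because the pointer now lands on the terminator of the string before it.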
PS: My usual packet-capture setup is a Mi portable Wi-Fi adapter: the phone connects to its hotspot, and the phone's proxy is set to Charles' IP address and proxy port.
Reference:
- Android application localization (modifying string contents in a .so)