1. Goal
Today's goal is this app's sign and appcode.
2. Steps
Jadx: no luck
The app is protected with the enterprise edition of a commercial packer, and Jadx can't do anything with it.
FRIDA-DEXDump
Dumped the DEX, but found no useful information in it.
Wallbreaker
hluwa's Wallbreaker can do some analysis of packed apps, but for this sample Frida can only load it in spawn mode; attach mode fails, and Objection can't load it directly either. So Wallbreaker is out.
r0tracer
Today's new friend is r0ysue's r0tracer:
https://www.helloworld.net/redirect?target=https://github.com/r0ysue/r0tracer
r0tracer can batch-trace all methods of classes selected by a whitelist and a blacklist. Let's try tracing every class or method whose name contains sign.
The main() function of r0tracer.js, edited to trace names containing sign:

```javascript
function main() {
    Java.perform(function () {
        console.Purple("r0tracer begin ... !")
        // There are three modes; uncomment one line to enable it.
        // A. Simple trace of a single class
        // traceClass("javax.crypto.Cipher")
        // B. Black/white list trace of multiple functions: the first parameter is the whitelist
        //    (keyword must be included), the second is the blacklist (keyword must not be included)
        // hook("javax.crypto.Cipher", "$");
        hook("sign", "$");
        // C. When a class cannot be found, put its name in the third parameter, e.g. the
        //    com.roysue.check class (the first two parameters are still the white/black lists)
        // hook("com.roysue.check"," ","com.roysue.check");
    })
}
```
Spawn the app with Frida:

```shell
$ frida -U -f com.platexx.boxxoota -l r0tracer.js --no-pause -o saveLog1.txt
```

Output:

```
Spawned `com.platexx.boxxoota`. Resuming main thread!
[MI NOTE Pro::com.platexx.boxxoota]-> r0tracer begin ... !
start
Begin Search Class...
Found Class =>
Tracing Method : com.wxxotel.app.service.signservice.OpenSignService.execute [1 overload(s)]
Tracing Method : com.wxxotel.app.service.signservice.OpenSignService.getPath [1 overload(s)]
Tracing Method : com.wxxotel.app.service.signservice.OpenSignService.$init [1 overload(s)]
```
Nothing useful there either, so let's change the keyword to Sign and try again.
Output, and then it hung...

```
Spawned `com.platexx.boxxoota`. Resuming main thread!
[MI NOTE Pro::com.platexx.boxxoota]-> r0tracer begin ... !
start
Begin Search Class...
Found Class =>
Tracing Method : libcore.reflect.GenericSignatureParser.isStopSymbol [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.expect [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseClassSignature [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseClassTypeSignature [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseFieldTypeSignature [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseForClass [1 overload(s)]
```
These libcore.* classes are clearly not what we're after, so put libcore on the blacklist and try again:

```javascript
hook("Sign", "libcore");
```
Ah, that looks much better; there seems to be something here.
Scrolling through the output:

```
com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getAppCode [1 overload(s)]
com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getSignString [1 overload(s)]
```
These two look rather suspicious, so this time let's trace SignUtil:

```javascript
hook("SignUtil", "$");
```

```
*** entered com.platexx.boxxoota.app.whnetcomponent.utils.SignUtil.getSignString
arg[0]: 0 => "0"
arg[1]: vadjlr4k3o;qj4io23ug9034uji5rjn34io5u83490u5903huq => "vadjlr4k3o;qj4io23ug9034uji5rjn34io5u83490u5903huq"
arg[2]: 00000000-7e21-1806-0000-00000033c587 => "00000000-7e21-1806-0000-00000033c587"
arg[3]: 1622430128929 => "1622430128929"
arg[4]: 0,0 => "0,0"
arg[5]: 6698 => "6698"
java.lang.Throwable
    at com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getSignString(Native Method)
    at com.besxxxhotel.app.whnetcomponent.net.JJSignInterceptor.handlerRequest(JJSignInterceptor.java:114)
    at com.besxxxhotel.app.whnetcomponent.net.JJSignInterceptor.intercept(JJSignInterceptor.java:38)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
    at okhttp3.RealCall$AsyncCall.execute(RealCall.java:147)
    at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
    at java.lang.Thread.run(Thread.java:760)
========================================================
retval: C5F29B0EF472EDA271313155307E8077 => "C5F29B0EF472EDA271313155307E8077"
*** exiting com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getSignString
```
- Parameters 0 and 1 are fixed values.
- Parameter 2 should be the did.
- Parameter 3 is the current timestamp.
- Parameter 4 is also a fixed value.
- Parameter 5 is stranger. Searching the log shows that 5 is the return value of the decodeASCII function, whose input parameter is a java.util.Map.
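To repeat the parameter analysis above over many traced calls instead of by eye, here is a small Python parser for the r0tracer log format shown above. It is an added example, not part of the original post or of r0tracer; the sample log is constructed (class name and the fixed-key argument are made up, the other values follow the trace above), and the labels are heuristics: a 13-digit number with a plausible year is treated as a millisecond timestamp, a UUID-shaped string as an id, and 32 hex characters as a hash-sized value.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the r0tracer log format shown above (class name and fixed key are made up).
SAMPLE_LOG = """\
*** entered com.example.app.utils.SignUtil.getSignString
arg[0]: 0 => "0"
arg[1]: fixedkey123 => "fixedkey123"
arg[2]: 00000000-7e21-1806-0000-00000033c587 => "00000000-7e21-1806-0000-00000033c587"
arg[3]: 1622430128929 => "1622430128929"
arg[4]: 0,0 => "0,0"
arg[5]: 6698 => "6698"
retval: C5F29B0EF472EDA271313155307E8077 => "C5F29B0EF472EDA271313155307E8077"
*** exiting com.example.app.utils.SignUtil.getSignString
"""

ENTER_RE = re.compile(r"^\*\*\* entered (?P<fqn>\S+)$")
EXIT_RE = re.compile(r"^\*\*\* exiting (?P<fqn>\S+)$")
ARG_RE = re.compile(r'^arg\[\d+\]: .*? => "(?P<s>.*)"$')
RET_RE = re.compile(r'^retval: .*? => "(?P<s>.*)"$')

def classify(value):
    """Heuristic label for one traced value, mirroring the manual parameter analysis above."""
    if value.isdigit() and len(value) == 13:  # millisecond epoch with a plausible year
        year = datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc).year
        if 2015 <= year <= 2035:
            return "epoch_ms"
    if re.fullmatch(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", value, re.I):
        return "uuid"
    if re.fullmatch(r"[0-9A-Fa-f]{32}", value):
        return "hex32"
    return "literal"

def parse_calls(log):
    """Group '*** entered' ... '*** exiting' blocks into {fqn, args, labels, retval} records."""
    calls, cur = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if m := ENTER_RE.match(line):
            cur = {"fqn": m["fqn"], "args": [], "retval": None}
        elif cur is None:
            continue  # lines outside a call (Spawned ..., Tracing Method ...) are ignored
        elif m := ARG_RE.match(line):
            cur["args"].append(m["s"])
        elif m := RET_RE.match(line):
            cur["retval"] = m["s"]
        elif EXIT_RE.match(line):  # stack-trace and separator lines inside a call fall through
            cur["labels"] = [classify(a) for a in cur["args"]]
            calls.append(cur)
            cur = None
    return calls
```

Run parse_calls over a saved log such as saveLog1.txt; arguments whose label changes between calls (epoch_ms) are the volatile inputs, those that stay "literal" with the same value are the fixed ones.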
At line 117 of r0tracer.js, a small tweak prints this map:

```javascript
var strType = JSON.stringify(arguments[j]);
// console.log(strType);
if (strType.indexOf('HashMap') > 0) {
    console.log(arguments[j].entrySet().toArray());
}
```
It is the content of this request:

```
systemVersion=7.0,sid=306267,userId=0,clientVersion=5.2.9,deviceType=MI NOTE Pro,did=174670d6754469115964f1387aed0a96,appId=105,deviceCode=,os=android
```

Done; that's it for today...
3. Summary
Use more tools; many hands make light work.
For r0tracer's name filtering, would regular expressions be more attractive than substring matching?
The packer still has to be dealt with; once the packer is removed, this app poses no difficulty.
When you take a different path, you see scenery others don't.
TIP: The sole purpose of this article is to learn reverse engineering skills and ideas. If anyone uses these techniques for illegal business, the legal liability arising from that profit is borne by the operator alone and has nothing to do with this article or its author. The code projects involved in this article can be obtained from Feifei friends' Knowledge Planet; you are welcome to join the Knowledge Planet to learn and explore. If you have any questions, add me on WeChat (fenfei331) for discussion.