https://cloud.tencent.com/developer/article/write/1830331

Official account: flair safety 2021-06-18 04:34:53


One. Goal


Today's target is the app's sign and appcode values.

Two. Steps

Jadx doesn't work

The app is packed with the enterprise edition of a certain "Bang" packer, so Jadx can't do anything with it.

FRIDA-DEXDump

Dumped the dex with FRIDA-DEXDump, but found nothing useful in it.

Wallbreaker

hluwa's (葫芦娃) Wallbreaker can do some unpacking analysis, but with this sample Frida only loads in spawn mode; attach mode fails, and Objection can't load it directly either. So Wallbreaker is out.

r0tracer

Today's new helper is r0ysue's r0tracer:

https://www.helloworld.net/redirect?target=https://github.com/r0ysue/r0tracer

r0tracer can batch-trace every method of the classes selected by a whitelist and a blacklist. Let's try tracing the classes or methods whose names contain "sign".

```javascript
function main() {
    Java.perform(function () {
        console.Purple("r0tracer begin ... !")
        /* There are three modes; uncomment one line to enable it */
        // A. Simple trace of a single class
        // traceClass("javax.crypto.Cipher")
        // B. White/black-list trace of multiple functions: the first parameter is the whitelist
        //    (keywords to include), the second is the blacklist (keywords to exclude)
        // hook("javax.crypto.Cipher", "$");
        hook("sign", "$");
        // C. When a class cannot be found, put its name in the third parameter, e.g. when
        //    com.roysue.check cannot be found (the first two parameters are still the white/black lists)
        // hook("com.roysue.check"," ","com.roysue.check");
    })
}
```

Start the app in spawn mode:

```shell
$ frida -U -f com.platexx.boxxoota -l r0tracer.js --no-pause -o saveLog1.txt
```

Output:

```
Spawned `com.platexx.boxxoota`. Resuming main thread!
[MI NOTE Pro::com.platexx.boxxoota]-> r0tracer begin ... !
start
Begin Search Class...
Found Class =>
Tracing Method : com.wxxotel.app.service.signservice.OpenSignService.execute [1 overload(s)]
Tracing Method : com.wxxotel.app.service.signservice.OpenSignService.getPath [1 overload(s)]
Tracing Method : com.wxxotel.app.service.signservice.OpenSignService.$init [1 overload(s)]
```

Nothing useful there. Let's try "Sign" (capitalised) instead.

The output, and then... the app hung:

```
Spawned `com.platexx.boxxoota`. Resuming main thread!
[MI NOTE Pro::com.platexx.boxxoota]-> r0tracer begin ... !
start
Begin Search Class...
Found Class =>
Tracing Method : libcore.reflect.GenericSignatureParser.isStopSymbol [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.expect [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseClassSignature [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseClassTypeSignature [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseFieldTypeSignature [1 overload(s)]
Tracing Method : libcore.reflect.GenericSignatureParser.parseForClass [1 overload(s)]
```

These libcore.* classes are clearly not what we're after. Filter them out with the blacklist and try again:

```javascript
hook("Sign", "libcore");
```

Ah, this looks much better; there seems to be something here.

Looking through the output:

```
com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getAppCode [1 overload(s)]
com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getSignString [1 overload(s)]
```

These two look suspicious. This time let's trace SignUtil itself:

```javascript
hook("SignUtil", "$");
```

```
*** entered com.platexx.boxxoota.app.whnetcomponent.utils.SignUtil.getSignString
arg[0]: 0 => "0"
arg[1]: vadjlr4k3o;qj4io23ug9034uji5rjn34io5u83490u5903huq => "vadjlr4k3o;qj4io23ug9034uji5rjn34io5u83490u5903huq"
arg[2]: 00000000-7e21-1806-0000-00000033c587 => "00000000-7e21-1806-0000-00000033c587"
arg[3]: 1622430128929 => "1622430128929"
arg[4]: 0,0 => "0,0"
arg[5]: 6698 => "6698"
java.lang.Throwable
    at com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getSignString(Native Method)
    at com.besxxxhotel.app.whnetcomponent.net.JJSignInterceptor.handlerRequest(JJSignInterceptor.java:114)
    at com.besxxxhotel.app.whnetcomponent.net.JJSignInterceptor.intercept(JJSignInterceptor.java:38)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200)
    at okhttp3.RealCall$AsyncCall.execute(RealCall.java:147)
    at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
    at java.lang.Thread.run(Thread.java:760)
========================================================================================================================================================================================================
retval: C5F29B0EF472EDA271313155307E8077 => "C5F29B0EF472EDA271313155307E8077"
*** exiting com.besxxxhotel.app.whnetcomponent.utils.SignUtil.getSignString
```
  • Parameters 0 and 1 are fixed values.
  • Parameter 2 should be the did (device id).
  • Parameter 3 is the current timestamp.
  • Parameter 4 is also a fixed value.
  • Parameter 5 is stranger. Searching the log shows that it is the return value of the function decodeASCII, whose input parameter is a java.util.Map.

At line 117 of the script, make a small tweak to print that map:

```javascript
var strType = JSON.stringify(arguments[j]);
// console.log(strType);
// If the argument is a HashMap, dump its entries instead of the opaque wrapper
if (strType.indexOf('HashMap') > 0) {
    console.log(arguments[j].entrySet().toArray());
}
```

It is the content of the request:

systemVersion=7.0,sid=306267,userId=0,clientVersion=5.2.9,deviceType=MI NOTE Pro,did=174670d6754469115964f1387aed0a96,appId=105,deviceCode=,os=android
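To tie the two pieces of the workflow above together (the white/black-list class filter from the hook() call, and expanding a java.util.Map argument the way the line-117 tweak does), here is a minimal Frida Java-layer tracer written as an added example; it is not r0tracer's own source and not from the article. It detects a Map by its entrySet method instead of the JSON.stringify check, and the sample map contents are constructed from the request dump above; shouldTrace and renderArg are pure helpers that also run outside Frida.

```javascript
// Minimal Frida Java-layer tracer (added example, not r0tracer's own source).
// Keep a class whose name contains `white` and not `black`; "$" as blacklist skips inner classes.
function shouldTrace(className, white, black) {
  return className.indexOf(white) !== -1 && className.indexOf(black) === -1;
}

// Render a hooked argument/return value; a Map wrapper (has entrySet) is expanded to "k=v" pairs.
function renderArg(arg) {
  if (arg === null || arg === undefined) return 'null';
  if (typeof arg.entrySet === 'function') {
    const entries = arg.entrySet().toArray(), pairs = [];
    for (let i = 0; i < entries.length; i++) pairs.push(entries[i].toString());
    return '{' + pairs.join(', ') + '}';
  }
  return String(arg);
}

// Hook every overload of every declared method of each matching loaded class; log args and retval.
function traceMatching(white, black) {
  Java.perform(function () {
    Java.enumerateLoadedClasses({
      onMatch: function (name) {
        if (!shouldTrace(name, white, black)) return;
        let clazz, methods;
        try { clazz = Java.use(name); methods = clazz.class.getDeclaredMethods(); }
        catch (e) { return; }                       // class cannot be resolved: skip it
        for (let i = 0; i < methods.length; i++) {
          const mName = methods[i].getName();
          clazz[mName].overloads.forEach(function (ov) {
            ov.implementation = function () {
              console.log('*** entered ' + name + '.' + mName);
              for (let j = 0; j < arguments.length; j++)
                console.log('  arg[' + j + ']: ' + renderArg(arguments[j]));
              const ret = ov.apply(this, arguments);   // call the original method
              console.log('  retval: ' + renderArg(ret));
              return ret;
            };
          });
        }
      },
      onComplete: function () {}
    });
  });
}

// Constructed stand-in for a Frida Map wrapper (values taken from the dump above) to exercise renderArg offline.
const sampleMap = { entrySet: () => ({ toArray: () => [
  { toString: () => 'sid=306267' }, { toString: () => 'os=android' }] }) };
function demo() { return renderArg(sampleMap); }   // "{sid=306267, os=android}"
if (typeof Java !== 'undefined') traceMatching('SignUtil', '$');   // under Frida: the article's last hook()
```

Run it with the same frida -U -f ... -l command as above; outside Frida only the helpers are defined.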

Done. Call it a day.

Three. Summary

Make use of more tools; many hands make light work.

For r0tracer's name filtering, wouldn't regular expressions be nicer?

The packer still needs to be dealt with; once the app is unpacked, there is nothing difficult about it.


When you walk a different path, you see scenery that others don't.

TIP: The sole purpose of this article is to learn more reverse-engineering skills and ideas. If anyone uses these techniques for illegal business, the legal liability arising from such profit is borne by the operator alone and has nothing to do with this article or its author. The code projects involved in this article are available on Feifei's Knowledge Planet (知识星球); you are welcome to join it to learn and explore the technology. If you have any questions, add me on WeChat: fenfei331 to discuss.

Follow the WeChat official account "flair safety" for real-time pushes of the latest technical content.

Copyright notice
This article was created by [Official account: flair safety]; please include the original link when reposting. Thank you.
https://qdmana.com/2021/05/20210531153717541e.html
