安卓逆向Xposed HOOK貝貝APP的_abr_、sign簽名欄位
最近學習安卓逆向,接觸一下貝貝APP,瞭解該APP是做資料安全的,這篇文章主要介紹貝貝APP的簽名引數_abr_、sign的HOOK過程,當然,其他的引數也是可以HOOK的。本文只用於學習交流,請勿他用。
一、環境工具
環境:windows 10
裝置:雷電模擬器,google pixel
HOOK框架:Xposed
插裝工具:Frida
編譯器:android studio
反編譯工具:jadx
抓包工具:Charles
分析APP:貝貝apk(9.42.00_1190)
二、流程步驟
1.抓包分析資料包,將App安裝到模擬器上,設定好模擬器上的VNP代理,開啟Charles工具,在模擬器上進行操作,使App發起網路請求,然後在Charles上檢視抓取到的資料包。
2.使用查殼工具對APP程式檢測,檢視APP是使用什麼加殼軟體進行的加殼的,如果有加殼,首選需要進行脫殼。當然大廠APP是很少進行加殼的。
3.使用jadx反編譯APP,獲取到相關的程式碼,但是反編譯的程式碼也不是全部正確的,這個需要注意一下。
4.依據抓包獲取到的關鍵資訊,使用關鍵欄位名,在jadx反編譯好的程式碼中進行搜尋,查詢到可以程式碼。
5.編寫JS程式碼,然後使用frida插裝到模擬器記憶體或者是手機記憶體進行探測。
6.找到關鍵程式碼後,就需要藉助xposed hook出出關鍵欄位,開發外掛將服務接出來,供爬蟲程式碼進行呼叫。
三、過程展示
1.抓包
列表頁
:method GET
:path /gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22yingyongbao%22%2C%22abd%22%3A%22019f089375%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.1.2%22%2C%22screen%22%3A%22900x1600%22%2C%22dn%22%3A%22SM-G9750%22%2C%22version%22%3A%229.42.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22SM-G9750%22%2C%22udid%22%3A%222761a2352060cdee%22%7D&method=beibei.item.search&_abr_=01b2703db5fe7439378a54aae04a434d26ee4ce03e5f7ed0b5&gender_age=0&sign=CC05DE7A3741285738F0CE372A88250A&filter_sellout=0&source=home&sort=hot&price_min=0&target=search_keyword&welfares=0&cat_ids=0&brand_ids=0&baby_info=&page=1&keyword=%E5%A5%BD%E5%A5%87&price_max=0&page_size=20×tamp=1602146485
:authority api.beibei.com
:scheme https
user-agent Beibei/9.42.00 (Android)
x-client-target bb/search/item_search_keyword
x-api-method beibei.item.search
cache-control no-cache
accept-encoding gzip
Query String
close_profile 0
client_info {"bd":"yingyongbao","abd":"019f089375","package":"show","os":"7.1.2","screen":"900x1600","dn":"SM-G9750","version":"9.42.00","platform":"Android","network":"WiFi","app_name":"beibei","model":"SM-G9750","udid":"2761a2352060cdee"}
method beibei.item.search
_abr_ 01b2703db5fe7439378a54aae04a434d26ee4ce03e5f7ed0b5
gender_age 0
sign CC05DE7A3741285738F0CE372A88250A
filter_sellout 0
source home
sort hot
price_min 0
target search_keyword
welfares 0
cat_ids 0
brand_ids 0
baby_info
page 1
keyword 好奇
price_max 0
page_size 20
timestamp 1602146485
2.查殼
3.反編譯
4.搜尋關鍵字
在這裡你搜尋關鍵字,沒有搜尋到相關的程式碼,這時候就需要去搜網路請求中的一些關鍵字,然後在分析追蹤到_abr_、sign生成的地方。這個簽名欄位是實時生成的,並沒有在程式碼中寫死,所以搜尋是搜不到的。
5.插樁探測
[-->] boo: true
[-->] result: _abr_01a7621004ede5bb121650744bbad1706737f200565f7ed74bbaby_infobrand_ids0cat_ids0client_info{"bd":"yingyongbao","abd":"019f089375","package":"show","os":"7.1.2","screen":"900x1600","dn":"SM-G9750","version":"9.42.00","platform":"Android","network":"WiFi","app_name":"beibei","model":"SM-G9750","udid":"2761a2352060cdee"}close_profile0filter_sellout0gender_age0keyword好奇methodbeibei.item.searchpage1page_size20price_max0price_min0sorthotsourcehometargetsearch_keywordtimestamp1602148171welfares0
[-->] boo: false
[-->] result: close_profile=0&client_info=%7B%22bd%22%3A%22yingyongbao%22%2C%22abd%22%3A%22019f089375%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.1.2%22%2C%22screen%22%3A%22900x1600%22%2C%22dn%22%3A%22SM-G9750%22%2C%22version%22%3A%229.42.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22SM-G9750%22%2C%22udid%22%3A%222761a2352060cdee%22%7D&method=beibei.item.search&_abr_=01a7621004ede5bb121650744bbad1706737f200565f7ed74b&gender_age=0&sign=8FAAF1006364FB9D7A6B9C9F5B4BB7CE&filter_sellout=0&source=home&sort=hot&price_min=0&target=search_keyword&welfares=0&cat_ids=0&brand_ids=0&baby_info=&page=1&keyword=%E5%A5%BD%E5%A5%87&price_max=0&page_size=20×tamp=1602148171
6.編寫xposed外掛
使用Android studio編寫外掛。
四、分析展示
http://api.beibei.com/gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22xiaomi%22%2C%22abd%22%3A%2201c2227a1%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.0%22%2C%22screen%22%3A%221080x1920%22%2C%22dn%22%3A%22Redmi+Note+4X%22%2C%22version%22%3A%229.43.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22Redmi+Note+4X%22%2C%22udid%22%3A%2283aa5d72c9dd97c8%22%7D&method=beibei.item.search&_abr_=01f8ff1eb19c246c4a2bdeaaba632b3791d300c7755f7ed883&gender_age=0&sign=CD9EB0E6A7A3FAF97B46E6162E324AE6&filter_sellout=0&source=home&sort=hot&price_min=0&welfares=0&cat_ids=625_626_627_628_682_683_684_2280&brand_ids=0&baby_info=&page=1&price_max=0&page_size=20×tamp=1602148483
http://api.beibei.com/gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22xiaomi%22%2C%22abd%22%3A%2201c2227a1%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.0%22%2C%22screen%22%3A%221080x1920%22%2C%22dn%22%3A%22Redmi+Note+4X%22%2C%22version%22%3A%229.43.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22Redmi+Note+4X%22%2C%22udid%22%3A%2283aa5d72c9dd97c8%22%7D&method=beibei.item.search&_abr_=01e223cc783a16f4ef1a46f7b517065663049af1375f7ed8c8&gender_age=0&sign=63AFA9F6633D273019B014AF0C24B140&filter_sellout=0&source=home&sort=hot&price_min=0&welfares=0&cat_ids=625_626_627_628_682_683_684_2280&brand_ids=0&baby_info=&page=1&price_max=0&page_size=20×tamp=1602148552
當然,請求頭中的其他引數也是可以獲取的。
本文只用於學習交流,請勿他用。技術支援,扣扣:3165845957
相關文章
- iOS逆向(3)-APP重簽名iOSAPP
- 對飛豬H5端API介面sign簽名逆向實驗H5API
- IOS 逆向開發(四)App重簽名iOSAPP
- 小程式繞過 sign 簽名
- iOS逆向之旅(進階篇) — 重簽名APP(二)iOSAPP
- iOS逆向之旅(進階篇) — 重簽名APP(一)iOSAPP
- iOS逆向——應用簽名及重簽名原理iOS
- iOS HOOK 注入與重簽名iOSHook
- 安卓防簽名策略安卓
- iOS逆向 應用重簽名+微信重簽名實戰iOS
- APP攻防--安卓逆向&JEB動態除錯&LSPosed模組&演算法提取&Hook技術APP安卓除錯演算法Hook
- 04、cordova-安卓版本簽名安卓
- 『居善地』介面測試 — 11、介面簽名sign原理
- 為IONIC開發的安卓apk簽名安卓APK
- IOS 逆向開發(三)應用簽名iOS
- GO 實現一個把結構體做 Sign 簽名Go結構體
- 開放api介面簽名驗證,新增sign,時間戳API時間戳
- Android逆向之旅---破解某支付軟體防Xposed等框架Hook功能檢測機制Android框架Hook
- App簽名二三事APP
- IOS App簽名原理iOSAPP
- Android App的簽名打包AndroidAPP
- 蘋果簽名是怎樣給手機app簽名的呢?蘋果APP
- iOS逆向 Shell指令碼+指令碼重簽名iOS指令碼
- iOS逆向——shell重簽名及程式碼注入iOS
- iOS逆向 - 應用簽名原理及重簽名 (重籤微信應用實戰)iOS
- iOS逆向之旅(基礎篇) — App的簽名機制【Xcode是如何將App安裝到手機的】iOSAPPXCode
- iOSApp重簽名iOSAPP
- iOSApp簽名原理iOSAPP
- 羽夏逆向指引—— HookHook
- 我的手機憑什麼不給我爽——Xposed Hook混淆且加固後的APPHookAPP
- 逆向工程通過某個欄位排序排序
- 根據欄位查表名
- Sign In with AppleAPP
- SQL Server中獲取資料庫名、表名、欄位名和欄位註釋的SQL語句SQLServer資料庫
- Android Hook框架Xposed原理與原始碼分析AndroidHook框架原始碼
- 安卓APP應用簽名不一致無法安裝的解決方案安卓APP
- 微信APP支付-簽名問題APP
- applet數字簽名APP