安卓逆向Xposed HOOK貝貝APP的_abr_、sign簽名欄位

StriveFarrell發表於2020-10-08

最近學習安卓逆向,接觸一下貝貝APP,瞭解該APP是做資料安全的,這篇文章主要介紹貝貝APP的簽名引數_abr_、sign的HOOK過程,當然,其他的引數也是可以HOOK的。本文只用於學習交流,請勿他用。

一、環境工具

環境:windows 10

裝置:雷電模擬器,google pixel

HOOK框架:Xposed

插裝工具:Frida

編譯器:android studio

反編譯工具:jadx

抓包工具:Charles

分析APP:貝貝apk(9.42.00_1190)

二、流程步驟

1.抓包分析資料包,將App安裝到模擬器上,設定好模擬器上的VNP代理,開啟Charles工具,在模擬器上進行操作,使App發起網路請求,然後在Charles上檢視抓取到的資料包。

2.使用查殼工具對APP程式檢測,檢視APP是使用什麼加殼軟體進行的加殼的,如果有加殼,首選需要進行脫殼。當然大廠APP是很少進行加殼的。

3.使用jadx反編譯APP,獲取到相關的程式碼,但是反編譯的程式碼也不是全部正確的,這個需要注意一下。

4.依據抓包獲取到的關鍵資訊,使用關鍵欄位名,在jadx反編譯好的程式碼中進行搜尋,查詢到可以程式碼。

5.編寫JS程式碼,然後使用frida插裝到模擬器記憶體或者是手機記憶體進行探測。

6.找到關鍵程式碼後,就需要藉助xposed hook出出關鍵欄位,開發外掛將服務接出來,供爬蟲程式碼進行呼叫。

三、過程展示

1.抓包

列表頁

:method	GET
:path	/gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22yingyongbao%22%2C%22abd%22%3A%22019f089375%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.1.2%22%2C%22screen%22%3A%22900x1600%22%2C%22dn%22%3A%22SM-G9750%22%2C%22version%22%3A%229.42.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22SM-G9750%22%2C%22udid%22%3A%222761a2352060cdee%22%7D&method=beibei.item.search&_abr_=01b2703db5fe7439378a54aae04a434d26ee4ce03e5f7ed0b5&gender_age=0&sign=CC05DE7A3741285738F0CE372A88250A&filter_sellout=0&source=home&sort=hot&price_min=0&target=search_keyword&welfares=0&cat_ids=0&brand_ids=0&baby_info=&page=1&keyword=%E5%A5%BD%E5%A5%87&price_max=0&page_size=20&timestamp=1602146485
:authority	api.beibei.com
:scheme	https
user-agent	Beibei/9.42.00 (Android)
x-client-target	bb/search/item_search_keyword
x-api-method	beibei.item.search
cache-control	no-cache
accept-encoding	gzip

 Query String

close_profile	0
client_info	{"bd":"yingyongbao","abd":"019f089375","package":"show","os":"7.1.2","screen":"900x1600","dn":"SM-G9750","version":"9.42.00","platform":"Android","network":"WiFi","app_name":"beibei","model":"SM-G9750","udid":"2761a2352060cdee"}
method	beibei.item.search
_abr_	01b2703db5fe7439378a54aae04a434d26ee4ce03e5f7ed0b5
gender_age	0
sign	CC05DE7A3741285738F0CE372A88250A
filter_sellout	0
source	home
sort	hot
price_min	0
target	search_keyword
welfares	0
cat_ids	0
brand_ids	0
baby_info	
page	1
keyword	好奇
price_max	0
page_size	20
timestamp	1602146485

 

2.查殼

 

3.反編譯

 

 

4.搜尋關鍵字

在這裡你搜尋關鍵字,沒有搜尋到相關的程式碼,這時候就需要去搜網路請求中的一些關鍵字,然後在分析追蹤到_abr_、sign生成的地方。這個簽名欄位是實時生成的,並沒有在程式碼中寫死,所以搜尋是搜不到的。

5.插樁探測

[-->]    boo:  true
[-->]     result:  _abr_01a7621004ede5bb121650744bbad1706737f200565f7ed74bbaby_infobrand_ids0cat_ids0client_info{"bd":"yingyongbao","abd":"019f089375","package":"show","os":"7.1.2","screen":"900x1600","dn":"SM-G9750","version":"9.42.00","platform":"Android","network":"WiFi","app_name":"beibei","model":"SM-G9750","udid":"2761a2352060cdee"}close_profile0filter_sellout0gender_age0keyword好奇methodbeibei.item.searchpage1page_size20price_max0price_min0sorthotsourcehometargetsearch_keywordtimestamp1602148171welfares0
[-->]    boo:  false
[-->]     result:  close_profile=0&client_info=%7B%22bd%22%3A%22yingyongbao%22%2C%22abd%22%3A%22019f089375%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.1.2%22%2C%22screen%22%3A%22900x1600%22%2C%22dn%22%3A%22SM-G9750%22%2C%22version%22%3A%229.42.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22SM-G9750%22%2C%22udid%22%3A%222761a2352060cdee%22%7D&method=beibei.item.search&_abr_=01a7621004ede5bb121650744bbad1706737f200565f7ed74b&gender_age=0&sign=8FAAF1006364FB9D7A6B9C9F5B4BB7CE&filter_sellout=0&source=home&sort=hot&price_min=0&target=search_keyword&welfares=0&cat_ids=0&brand_ids=0&baby_info=&page=1&keyword=%E5%A5%BD%E5%A5%87&price_max=0&page_size=20&timestamp=1602148171

6.編寫xposed外掛

使用Android studio編寫外掛。

四、分析展示

http://api.beibei.com/gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22xiaomi%22%2C%22abd%22%3A%2201c2227a1%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.0%22%2C%22screen%22%3A%221080x1920%22%2C%22dn%22%3A%22Redmi+Note+4X%22%2C%22version%22%3A%229.43.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22Redmi+Note+4X%22%2C%22udid%22%3A%2283aa5d72c9dd97c8%22%7D&method=beibei.item.search&_abr_=01f8ff1eb19c246c4a2bdeaaba632b3791d300c7755f7ed883&gender_age=0&sign=CD9EB0E6A7A3FAF97B46E6162E324AE6&filter_sellout=0&source=home&sort=hot&price_min=0&welfares=0&cat_ids=625_626_627_628_682_683_684_2280&brand_ids=0&baby_info=&page=1&price_max=0&page_size=20&timestamp=1602148483

http://api.beibei.com/gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22xiaomi%22%2C%22abd%22%3A%2201c2227a1%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.0%22%2C%22screen%22%3A%221080x1920%22%2C%22dn%22%3A%22Redmi+Note+4X%22%2C%22version%22%3A%229.43.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22Redmi+Note+4X%22%2C%22udid%22%3A%2283aa5d72c9dd97c8%22%7D&method=beibei.item.search&_abr_=01e223cc783a16f4ef1a46f7b517065663049af1375f7ed8c8&gender_age=0&sign=63AFA9F6633D273019B014AF0C24B140&filter_sellout=0&source=home&sort=hot&price_min=0&welfares=0&cat_ids=625_626_627_628_682_683_684_2280&brand_ids=0&baby_info=&page=1&price_max=0&page_size=20&timestamp=1602148552

當然,請求頭中的其他引數也是可以獲取的。

本文只用於學習交流,請勿他用。技術支援,扣扣:3165845957

相關文章