I have recently been studying Android reverse engineering and took a look at the Beibei app, which turns out to put real effort into protecting its API traffic. This article mainly walks through the process of hooking the Beibei app's request-signature parameters _abr_ and sign; the other parameters can, of course, be hooked the same way. This article is for learning and exchange only; please do not use it for other purposes.
Environment: Windows 10
Devices: LDPlayer emulator, Google Pixel
Hook framework: Xposed
Instrumentation tool: Frida
IDE: Android Studio
Decompiler: jadx
Packet capture: Charles
App analyzed: Beibei APK (9.42.00_1190)
1. Capture and analyze the traffic: install the app on the emulator, point the emulator's VPN proxy at Charles, open Charles, then use the app on the emulator so that it issues network requests and inspect the captured packets in Charles.
2. Run a packer-detection tool against the app to find out which packer, if any, was used; if the app is packed, unpacking has to come first. That said, apps from large vendors are rarely packed.
3. Decompile the APK with jadx to get at the code. Keep in mind that decompiled code is not always entirely correct.
4. Take the key field names from the captured requests and search for them in the jadx output to locate the code of interest.
5. Write a JS script and use Frida to instrument the process in the emulator's or the phone's memory, probing what the candidate functions receive and return.
6. Once the key code has been found, hook the key fields out with Xposed and build a plugin that exposes them as a service for the crawler code to call.
1. Packet capture
List page
:method GET
:path /gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22yingyongbao%22%2C%22abd%22%3A%22019f089375%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.1.2%22%2C%22screen%22%3A%22900x1600%22%2C%22dn%22%3A%22SM-G9750%22%2C%22version%22%3A%229.42.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22SM-G9750%22%2C%22udid%22%3A%222761a2352060cdee%22%7D&method=beibei.item.search&_abr_=01b2703db5fe7439378a54aae04a434d26ee4ce03e5f7ed0b5&gender_age=0&sign=CC05DE7A3741285738F0CE372A88250A&filter_sellout=0&source=home&sort=hot&price_min=0&target=search_keyword&welfares=0&cat_ids=0&brand_ids=0&baby_info=&page=1&keyword=%E5%A5%BD%E5%A5%87&price_max=0&page_size=20&timestamp=1602146485
:authority api.beibei.com
:scheme https
user-agent Beibei/9.42.00 (Android)
x-client-target bb/search/item_search_keyword
x-api-method beibei.item.search
cache-control no-cache
accept-encoding gzip
Query String
close_profile 0
client_info {"bd":"yingyongbao","abd":"019f089375","package":"show","os":"7.1.2","screen":"900x1600","dn":"SM-G9750","version":"9.42.00","platform":"Android","network":"WiFi","app_name":"beibei","model":"SM-G9750","udid":"2761a2352060cdee"}
method beibei.item.search
_abr_ 01b2703db5fe7439378a54aae04a434d26ee4ce03e5f7ed0b5
gender_age 0
sign CC05DE7A3741285738F0CE372A88250A
filter_sellout 0
source home
sort hot
price_min 0
target search_keyword
welfares 0
cat_ids 0
brand_ids 0
baby_info
page 1
keyword 好奇
price_max 0
page_size 20
timestamp 1602146485
2. Packer check
3. Decompilation
4. Keyword search
If searching for the parameter names themselves turns up nothing, search instead for other strings from the network request and trace from there to the place where _abr_ and sign are generated. These signature fields are computed at runtime and are not hard-coded anywhere, so a direct search for their values finds nothing.
5. Instrumentation probing
[-->] boo: true
[-->] result: _abr_01a7621004ede5bb121650744bbad1706737f200565f7ed74bbaby_infobrand_ids0cat_ids0client_info{"bd":"yingyongbao","abd":"019f089375","package":"show","os":"7.1.2","screen":"900x1600","dn":"SM-G9750","version":"9.42.00","platform":"Android","network":"WiFi","app_name":"beibei","model":"SM-G9750","udid":"2761a2352060cdee"}close_profile0filter_sellout0gender_age0keyword好奇methodbeibei.item.searchpage1page_size20price_max0price_min0sorthotsourcehometargetsearch_keywordtimestamp1602148171welfares0
[-->] boo: false
[-->] result: close_profile=0&client_info=%7B%22bd%22%3A%22yingyongbao%22%2C%22abd%22%3A%22019f089375%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.1.2%22%2C%22screen%22%3A%22900x1600%22%2C%22dn%22%3A%22SM-G9750%22%2C%22version%22%3A%229.42.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22SM-G9750%22%2C%22udid%22%3A%222761a2352060cdee%22%7D&method=beibei.item.search&_abr_=01a7621004ede5bb121650744bbad1706737f200565f7ed74b&gender_age=0&sign=8FAAF1006364FB9D7A6B9C9F5B4BB7CE&filter_sellout=0&source=home&sort=hot&price_min=0&target=search_keyword&welfares=0&cat_ids=0&brand_ids=0&baby_info=&page=1&keyword=%E5%A5%BD%E5%A5%87&price_max=0&page_size=20&timestamp=1602148171
6. Writing the Xposed plugin
The plugin is written in Android Studio.
http://api.beibei.com/gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22xiaomi%22%2C%22abd%22%3A%2201c2227a1%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.0%22%2C%22screen%22%3A%221080x1920%22%2C%22dn%22%3A%22Redmi+Note+4X%22%2C%22version%22%3A%229.43.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22Redmi+Note+4X%22%2C%22udid%22%3A%2283aa5d72c9dd97c8%22%7D&method=beibei.item.search&_abr_=01f8ff1eb19c246c4a2bdeaaba632b3791d300c7755f7ed883&gender_age=0&sign=CD9EB0E6A7A3FAF97B46E6162E324AE6&filter_sellout=0&source=home&sort=hot&price_min=0&welfares=0&cat_ids=625_626_627_628_682_683_684_2280&brand_ids=0&baby_info=&page=1&price_max=0&page_size=20&timestamp=1602148483
http://api.beibei.com/gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22xiaomi%22%2C%22abd%22%3A%2201c2227a1%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.0%22%2C%22screen%22%3A%221080x1920%22%2C%22dn%22%3A%22Redmi+Note+4X%22%2C%22version%22%3A%229.43.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22Redmi+Note+4X%22%2C%22udid%22%3A%2283aa5d72c9dd97c8%22%7D&method=beibei.item.search&_abr_=01e223cc783a16f4ef1a46f7b517065663049af1375f7ed8c8&gender_age=0&sign=63AFA9F6633D273019B014AF0C24B140&filter_sellout=0&source=home&sort=hot&price_min=0&welfares=0&cat_ids=625_626_627_628_682_683_684_2280&brand_ids=0&baby_info=&page=1&price_max=0&page_size=20&timestamp=1602148552
The other parameters in the request headers can, of course, be obtained the same way.
This article is for learning and exchange only; please do not use it for other purposes. Technical support, QQ: 3165845957