最近学习安卓逆向,接触一下TB系的APP,了解大厂APP是做数据安全的,这篇文章主要介绍某宝直播APP的签名参数x-sign的HOOK过程,当然,其他的参数也是可以HOOK的。本文只用于学习交流,请勿他用。
环境:windows 10
设备:雷电模拟器,google pixel
HOOK框架:Xposed
插装工具:Frida
编译器:android studio
反编译工具:jadx
抓包工具:Charles
分析APP:某淘直播apk(com.***.live_1.8.6_50.apk)
1.抓包分析数据包,将App安装到模拟器上,设置好模拟器上的VNP代理,打开Charles工具,在模拟器上进行操作,使App发起网络请求,然后在Charles上查看抓取到的数据包。
2.使用查壳工具对APP进程检测,查看APP是使用什么加壳软件进行的加壳的,如果有加壳,首选需要进行脱壳。当然大厂APP是很少进行加壳的。
3.使用jadx反编译APP,获取到相关的代码,但是反编译的代码也不是全部正确的,这个需要注意一下。
4.依据抓包获取到的关键信息,使用关键字段名,在jadx反编译好的代码中进行搜索,查找到可以代码。
5.编写JS代码,然后使用frida插装到模拟器内存或者是手机内存进行探测。
6.找到关键代码后,就需要借助xposed hook出出关键字段,开发插件将服务接出来,供爬虫代码进行调用。
1.抓包
GET /gw/mtop.***.livex.vcore.hot.ranking.list.query/2.0/?data=%7B%22focusId%22%3A%220%22%2C%22enterPage%22%3A%22hot_search%22%7D HTTP/1.1
x-m-biz-live-bizcode TAOBAO
x-features 27
x-sgext JAHfTfKqFp8VS17V%2Fyrwrw%3D%3D
user-agent MTOPSDK%2F3.1.1.7+%28Android%3B7.1.2%3Bsamsung%3BSM-G9750%29
x-ttid 10005533%40***live_android_1.8.6
cache-control no-cache
a-orange-q appKey=25443018&appVersion=1.8.6&clientAppIndexVersion=1120200928112400415&clientVersionIndexVersion=0
x-appkey 25443018
x-region-channel CN
x-mini-wua HHnB_yY%2BVTP4ONzYAS0JZCZH1kxay0eLuo3X2qtBIE5jr6lZvRAnJJ1G8cadrB8RwL24tN8%2Fh9ghtDlb6k5cAwiNaOKX0mD9%2BFADwgxmVeVcmxYJ8M7DGxIGdoBk2pTZYdROi
x-c-traceid XzFAo6l4I0QDAEtkomuzYMMg1601521245154002312720
content-type application/x-www-form-urlencoded;charset=UTF-8
x-app-conf-v 0
x-app-ver 1.8.6
x-bx-version 6.4.17
x-pv 6.3
x-t 1601521245
f-refer mtop
Cookie unb=2677236496; sn=; lgc=; cookie17=UU6m2Eeo2kZhAw%3D%3D; dnk=; munb=2677236496; cookie2=1da9677cd5d8067a25887efad5399035; tracknick=; ti=; sg=x6e; _l_g_=Ug%3D%3D; _nk_=minizqx; cookie1=U7HzARmj%2B0xuestjyOv43ck2AoCzwROfdIWJFcYSstg%3D; imewweoriw=3%2FxErrexaa2iG0nL9nQkVq6vWzZ2RYFXo60Fqs9r6Y0%3D; WAPFDFDTGFG=%2B4cMKKP%2B8PI%2BMesd%2Bk5vda3o; _w_tb_nick=minizqx; uc3=nk2=DlkyfSB%2Bjw%3D%3D&vt3=F8dCufBEpQar8u2TO3M%3D&id2=UU6m2Eeo2kZhAw%3D%3D&lg2=W5iHLLyFOGW7aA%3D%3D; uc1=existShop=false&cookie14=Uoe0bHJmGwo4lQ%3D%3D&cookie21=W5iHLLyFfX5Xzx7qNYvXUg%3D%3D&cookie15=V32FPkk%2Fw0dUvg%3D%3D; csg=2de8b6f3; t=305ec04f6cebe219662be638fa62aaf9; sgcookie=W100Cx89pixouHdsov7UuolWf0KF4SCZSW%2BghMbGvElGjMjGInUE8ule6s0vwKHP7bE2u%2FV4huIYCVL69Y4Nb609lp%2FZmI%2FnGoxACSa43mcyatM%3D; skt=2c65e2ca24dd1fde; uc4=nk4=0%40DDxxrcvliaXBeEHW%2FzgIyiWv&id4=0%40U2xrdV%2F5ZuJ17PCSrvw8g3giR4gj; _cc_=VT5L2FSpdA%3D%3D; _tb_token_=ed17ebbe55356; ockeqeudmj=mQRlQ%2FY%3D
x-sid 1da9677cd5d8067a25887efad5399035
x-disastergrd
x-utdid XzFAo6l4I0QDAEtkomuzYMMg
x-umt duJLkp5LOjp9tjV04l0sWVWVGrYsNTP%2B
x-devid At0LQnkeo_YpGZF88TSoTGUnqnqNWXm7ezbTK8JEkoHr
x-sign azSdY1002xAAEKX7IpQqlaakQWgkgKXwpHpjVVSKm5h2mnFJOuQWX51LpqfoKidOysB%2BZ%2B1EviEW%2BmG09cHhh3fHdGCl0KXwpdCl8K
x-uid 2677236496
Host acs.m.***.com
Accept-Encoding gzip
Connection Keep-Alive
2.查壳
我没有进行脱壳,因为我在使用jadx-gui能看到代码,如果看不到代码,那可能就需要进行脱壳了。
3.反编译
4.搜索关键字
5.插桩探测
[-->] result :K[x-mini-wua]-->V[HHnB_Ai0JzNjvjpyeSUtZj9lfxHyKwYN4U/I42Jr28lnGLg6QzMU54H22mQJZEjR5reJmg7dSfgV2tJSCFQR/DtiSyTdKpLKJPO8OXuo9Lapqe1cuwdLTn9bb8sjz+HbjQ0xT]
[-->] result :K[x-sgext]-->V[JAEPhzh63E/fm5QFNfo6fw==]
[-->] result :K[x-umt]-->V[duJLkp5LOjp9tjV04l0sWVWVGrYsNTP+]
[-->] result: {x-sign=azSdY1002xAAHrGTXJ0perBksC3AfrGesBR3O0Dkj/Zi9GUnLooCMYklssn8RDMg3q5qCfkqqk8ClHXa4a/16WOpYA6xjrGesY6xnr, wua=, x-mini-wua=HHnB_Ai0JzNjvjpyeSUtZj9lfxHyKwYN4U/I42Jr28lnGLg6QzMU54H22mQJZEjR5reJmg7dSfgV2tJSCFQR/DtiSyTdKpLKJPO8OXuo9Lapqe1cuwdLTn9bb8sjz+HbjQ0xT, x-sgext=JAEPhzh63E/fm5QFNfo6fw==, x-umt=duJLkp5LOjp9tjV04l0sWVWVGrYsNTP+}
6.编写xposed插件
使用Android studio编写插件。
{"x-sign":"azSdY1002xAAGTOrG3oat7W3Cl5CuTOpOyrE7MLTDcHmpOcYgQ2AAK2s8P5+RHf/cTJX5G3EEiBQo/ftY5h33uGe4jkzuTOpM7kzqT","wua":"","x-mini-wua":"HHnB_x95u54gos/jSNsGcF2zvx+yhl8pchUZ/Z7Xke/2HlZZdYjvuuG4H4jZhhr2aUlre8xns7pYnMgr4nHcGSE4p7drYGE+VsuI73+L06luyPp+D/9Nod8fTnfNH4GHkXxzL","x-sgext":"JAFB9aifQ1zyfnYYZQ/y0w\u003d\u003d","x-umt":"XoVLH9JLOu1p1DV04lJL9VD9L4Y4mjV7"}
{"x-sign":"azSdY1002xAAHec7oUg/rsBTX3gmfec9774QeBZH2VUyMDOMVZlUlHk4JGqq0KNrpaaDcLlQxrSENyN5twyjSjUKNq33Hec95x3nPe","wua":"","x-mini-wua":"HHnB_kaq8xeRHJGYkxmlj4Tj7s+AE/ucCilsewjWaBR/V0/e5uhqJcgn26+5kTJBZBgPOHv8CYjmtQ1LAoR856xrcK+29ZT5HnUkMRMgvTm4H2pjm5GkpKhRHgo3VBGdhzvYa","x-sgext":"JAHZbzIH2cRo5uyA/5doSw\u003d\u003d","x-umt":"XoVLH9JLOu1p1DV04lJL9VD9L4Y4mjV7"}
当然,请求头中的其他参数也是可以获取的。
本文只用于学习交流,请勿他用。技术支持,扣扣:3165845957