The previous article covered decrypting the response data; this one looks at how the request data is encrypted.
Open jadx and search for the keyword: one spot stands out as highly suspicious.
Hook it directly with frida
    // hookClass is the Java.use(...) wrapper for the class located in jadx
    hookClass.addCheckCode.overload('java.lang.String', 'int').implementation = function (p1, p2) {
        console.log('222p1 ===> ' + p1);
        console.log('222p2 ===> ' + p2);
        // call the original once and return the same value that was logged
        var result = this.addCheckCode(p1, p2);
        console.log('222result ' + result);
        return result;
    }
The hook output is as follows
It matches the data we captured. Tracing further in the Java layer shows it is a native function
Continue with unidbg
    public String llbencode(){
        // args list
        List
After running it, the result is as follows
Patch the environment; the code is as follows
    @Override
    public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            // case "android/os/SystemProperties->get(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;":
            //     return new StringObject(vm, "FA6AT0306923");
            case "android/app/ActivityThread->currentPackageName()Ljava/lang/String;":
                return new StringObject(vm, "com.xxx.llb");
            // case "android/app/ActivityThread->currentActivityThread()Landroid/app/ActivityThread;":
            //     return vm.resolveClass("android/app/ActivityThread").newObject(null);
        }
        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
    }
After patching the environment, run again; the result is as follows
Following the hint, keep patching the environment; the code is as follows
    @Override
    public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            // case "android/os/SystemProperties->get(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;":
            //     return new StringObject(vm, "FA6AT0306923");
            case "android/app/ActivityThread->currentPackageName()Ljava/lang/String;":
                return new StringObject(vm, "com.cloudy.linglingbang");
            case "android/app/ActivityThread->currentActivityThread()Landroid/app/ActivityThread;":
                return vm.resolveClass("android/app/ActivityThread").newObject(null);
        }
        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
    }
After running it, the result is as follows
Keep patching
The code is as follows
    @Override
    public DvmObject<?> callStaticObjectMethod(BaseVM vm, DvmClass dvmClass, String signature, VarArg varArg) {
        switch (signature) {
            case "android/os/SystemProperties->get(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;":
                return new StringObject(vm, "FA6AT0306923");
            case "android/app/ActivityThread->currentPackageName()Ljava/lang/String;":
                return new StringObject(vm, "com.cloudy.linglingbang");
            case "android/app/ActivityThread->currentActivityThread()Landroid/app/ActivityThread;":
                return vm.resolveClass("android/app/ActivityThread").newObject(null);
        }
        return super.callStaticObjectMethod(vm, dvmClass, signature, varArg);
    }
After running it, the result is as follows
The environment-patching code is as follows
    @Override
    public DvmObject<?> callObjectMethod(BaseVM vm, DvmObject<?> dvmObject, String signature, VarArg varArg) {
        switch (signature) {
            case "android/net/wifi/WifiInfo->getMacAddress()Ljava/lang/String;":
                return new StringObject(vm, "02:00:00:00:00:00");
            case "java/lang/Object->getConnectionInfo()Landroid/net/wifi/WifiInfo;":
                return vm.resolveClass("android/net/wifi/WifiInfo").newObject(null);
            case "android/app/ContextImpl->getSystemService(Ljava/lang/String;)Ljava/lang/Object;":
                return vm.resolveClass("java/lang/Object").newObject(null);
            case "android/app/ContextImpl->getPackageManager()Landroid/content/pm/PackageManager;":
                return vm.resolveClass("android/content/pm/PackageManager").newObject(null);
            case "android/app/ActivityThread->getSystemContext()Landroid/app/ContextImpl;":
                return vm.resolveClass("android/app/ContextImpl").newObject(null);
        }
        return super.callObjectMethod(vm, dvmObject, signature, varArg);
    }
After patching, run again; the error is as follows
One word: patch!!! The code is as follows
    @Override
    public DvmObject<?> getStaticObjectField(BaseVM vm, DvmClass dvmClass, String signature) {
        switch (signature) {
            case "android/os/Build$VERSION->SDK:Ljava/lang/String;":
                return new StringObject(vm, "18");
            case "android/os/Build->MANUFACTURER:Ljava/lang/String;":
                return new StringObject(vm, "Google");
            case "android/os/Build->MODEL:Ljava/lang/String;":
                return new StringObject(vm, "pixel");
        }
        return super.getStaticObjectField(vm, dvmClass, signature);
    }
Run again; the result is as follows
Done, wrapping up!
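Every patching round above is driven by the signature unidbg reports when the native code calls into a Java method or field that has no stub yet. The Node.js helper below is an added example, not code from the original post or from the unidbg project: it parses those JNI-style signatures (class->name(params)return for methods, class->name:type for fields) and names the AbstractJni override each one belongs to, grouping a batch of them the way the switch statements above are built up. It assumes unidbg's naming pattern call[Static]<Type>Method / get[Static]<Type>Field (not every primitive variant is guaranteed to exist, so treat the name as a hint). Whether a call is static is not encoded in the signature, so it is passed in explicitly; in practice you read it from the stack frame in the error. The sample signatures are the ones stubbed in this post.

```javascript
// Added helper (not from the original post or from unidbg): classify the JNI
// signatures unidbg's AbstractJni reports for unstubbed Java calls so you know
// which override to add. Assumption: unidbg names its hooks
// call[Static]<Type>Method / get[Static]<Type>Field.

const PRIMITIVE_NAMES = {
  Z: 'Boolean', B: 'Byte', C: 'Char', S: 'Short',
  I: 'Int', J: 'Long', F: 'Float', D: 'Double', V: 'Void',
};

// Split a descriptor list such as "Ljava/lang/String;I[B" into
// ["Ljava/lang/String;", "I", "[B"].
function parseTypeList(s) {
  const out = [];
  let i = 0;
  while (i < s.length) {
    let j = i;
    while (s[j] === '[') j++; // array dimensions prefix the element type
    if (s[j] === 'L') {
      const semi = s.indexOf(';', j);
      if (semi < 0) throw new Error('unterminated object descriptor in: ' + s);
      j = semi + 1;
    } else if (j < s.length && PRIMITIVE_NAMES[s[j]] !== undefined) {
      j++;
    } else {
      throw new Error('bad descriptor at offset ' + i + ' in: ' + s);
    }
    out.push(s.slice(i, j));
    i = j;
  }
  return out;
}

// Parse "class->name(params)ret" (method) or "class->name:type" (field).
function parseJniSignature(sig) {
  const arrow = sig.indexOf('->');
  if (arrow < 0) throw new Error('missing "->" in: ' + sig);
  const className = sig.slice(0, arrow);
  const rest = sig.slice(arrow + 2);
  const paren = rest.indexOf('(');
  if (paren >= 0) {
    const close = rest.indexOf(')', paren);
    if (close < 0) throw new Error('unterminated parameter list in: ' + sig);
    const type = rest.slice(close + 1);
    parseTypeList(type); // validates the return descriptor
    return { kind: 'method', className, name: rest.slice(0, paren),
             params: parseTypeList(rest.slice(paren + 1, close)), type };
  }
  const colon = rest.indexOf(':');
  if (colon < 0) throw new Error('neither method nor field signature: ' + sig);
  const type = rest.slice(colon + 1);
  parseTypeList(type); // validates the field descriptor
  return { kind: 'field', className, name: rest.slice(0, colon), params: [], type };
}

// Name of the AbstractJni override that handles this signature. Static vs
// instance is not part of the signature (the stack trace shows it), so the
// caller passes isStatic. Objects and arrays both go through the Object hooks.
function hookNameFor(sig, isStatic) {
  const p = parseJniSignature(sig);
  const ret = (p.type[0] === 'L' || p.type[0] === '[') ? 'Object' : PRIMITIVE_NAMES[p.type];
  if (p.kind === 'field') return (isStatic ? 'getStatic' : 'get') + ret + 'Field';
  return (isStatic ? 'callStatic' : 'call') + ret + 'Method';
}

// Group reported signatures by override: one group per switch statement.
function groupByHook(entries) {
  const groups = {};
  for (const { sig, isStatic } of entries) {
    const hook = hookNameFor(sig, isStatic);
    (groups[hook] = groups[hook] || []).push(sig);
  }
  return groups;
}

// Constructed sample: the signatures stubbed in this post.
const SAMPLE = [
  { sig: 'android/app/ActivityThread->currentPackageName()Ljava/lang/String;', isStatic: true },
  { sig: 'android/os/Build$VERSION->SDK:Ljava/lang/String;', isStatic: true },
  { sig: 'android/net/wifi/WifiInfo->getMacAddress()Ljava/lang/String;', isStatic: false },
  { sig: 'android/app/ContextImpl->getSystemService(Ljava/lang/String;)Ljava/lang/Object;', isStatic: false },
];

console.log(JSON.stringify(groupByHook(SAMPLE), null, 2));
```

The grouped output is also a useful record from the defender's side: the set of stubs the emulation needed lists exactly which device properties the native signer folds into the check code (package name, Wi-Fi MAC address, Build fields). All of them are supplied by the caller's environment, which is why a check code derived from them slows analysis down but cannot serve as a trust boundary on the server.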