dedao G-Auth-Sign字段unidbg逆向
Java层
app有加固,尝试使用frida_dump
脱壳失败,使用blackdex32
脱壳成功。
jdax打开,搜索G-Auth-Sign
,没有结果。GDA打开,搜索G-Auth-Sign
com.luojilab.netsupport.utils.b.a
com.luojilab.netsupport.utils.b.a
com.iget.baselib.BaseApi.calcSignature
com.iget.baselib.BaseApi.init
所以最后是调用了libbase-lib.so
里的calcSignature
函数
这时再回到jadx,打开com.luojilab.netsupport.utils.b.a
将选项里的代码注释等级改为DEBUG
(此项功能在旧版中没看到)
保存后再查看
虽然不是真实代码,但是已经能够看到G-Auth-Sign
这个字符串了,最重要的是这个字符串能被搜索到。
至于calcSignature
的输入,由于无法用frida进行hook,只能根据java代码进行构造。
so层
函数窗口搜索java
,没有结果,说明是动态注册。打开JNI_OnLoad
函数
unidbg实现
public class Dedao extends AbstractJni {
private final AndroidEmulator emulator;
private final VM vm;
private final Module module;
public static String pkgName = "com.luojilab.player";
public static String apkPath = "unidbg-android/src/test/java/com/dedao/dedao9100.apk";
public static String soName = "base-lib";
public Dedao() {
emulator = AndroidEmulatorBuilder.for32Bit().setProcessName(pkgName).build();
Memory memory = emulator.getMemory();
memory.setLibraryResolver(new AndroidResolver(23));
vm = emulator.createDalvikVM(new File(apkPath));
vm.setJni(this);
vm.setVerbose(true);
DalvikModule dm = vm.loadLibrary(soName, true);
module = dm.getModule();
vm.callJNI_OnLoad(emulator, module);
}
@Override
public DvmObject callObjectMethodV(BaseVM vm, DvmObject dvmObject, String signature, VaList vaList) {
switch (signature) {
case "java/util/Iterator->next()Ljava/lang/Object;": {
Iterator it = (Iterator) dvmObject.getValue();
return vm.resolveClass("java/util/Map$Entry").newObject(it.next());
}
case "java/util/Map$Entry->getKey()Ljava/lang/Object;": {
Map.Entry entry = (Map.Entry) dvmObject.getValue();
String key = (String) entry.getKey();
return new StringObject(vm, key);
}
case "java/util/Map$Entry->getValue()Ljava/lang/Object;": {
Map.Entry entry = (Map.Entry) dvmObject.getValue();
byte[] barr = (byte[]) entry.getValue();
return new ByteArray(vm, barr);
}
}
return super.callObjectMethodV(vm, dvmObject, signature, vaList);
}
public void call_sign() {
HashMap hashMap = new HashMap();
hashMap.put("path", "/drlog/rule".getBytes());
hashMap.put("method", "GET".getBytes());
hashMap.put("query_string", "did=d5d994ea662e63f1".getBytes());
hashMap.put("timestamp", "1645063949".getBytes());
hashMap.put("nonce", "e4da34c23b39d8783e3ff265c42b7cf6".getBytes());
hashMap.put("secret", "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJpZ2V0Z2V0LmNvbSIsImV4cCI6MTY0NzY1NTk0OSwiaWF0IjoxNjQ1MDYzOTQ5LCJpc3MiOiJEREdXIEpXVCBNSURETEVXQVJFIiwibmJmIjoxNjQ1MDYzOTQ5LCJzdWIiOiIzNDk4OTg0NjIiLCJkZXZpY2VfaWQiOiIiLCJkZXZpY2VfdHlwZSI6IiJ9.knPHNdmEUqm0lp96SxB7vCp5xcfXPSXYVbQ-Tg-L88m4WM0yXPHkOmLyBzPqK0ni5erHTLvQyUgulQpoGeDSqg".getBytes());
// hashMap.put("content-type", "".getBytes());
// hashMap.put("body", "".getBytes());
HashMap hashMap1 = new HashMap();
hashMap1.put("Xi-App-Key", "android-9.10.0".getBytes());
hashMap1.put("Xi-Uid", "349898462".getBytes());
hashMap1.put("Xi-Thumb", "xl".getBytes());
hashMap1.put("Xi-Dt", "phone".getBytes());
hashMap1.put("Xi-Ov", "7.1.2".getBytes());
hashMap1.put("Xi-Net", "wifi".getBytes());
hashMap1.put("Xi-Os", "ANDROID".getBytes());
hashMap1.put("Xi-D", "d5d994ea662e63f1".getBytes());
hashMap1.put("Xi-Dv", "Pixel".getBytes());
hashMap1.put("Xi-T", "json".getBytes());
hashMap1.put("Xi-Chil", "7".getBytes());
hashMap1.put("Xi-V", "2".getBytes());
hashMap1.put("Xi-Av", "9.10.0".getBytes());
hashMap1.put("Xi-Scr", "0".getBytes());
hashMap1.put("Xi-Adv", "1".getBytes());
hashMap1.put("Xi-Seid", "d5d994ea662e63f1".getBytes());
// hashMap1.put("Xi-Span-Id", "".getBytes());
// hashMap1.put("Xi-Trace-Id", "".getBytes());
// hashMap1.put("Xi-Parent-Id", "".getBytes());
List