dedao G-Auth-Sign字段unidbg逆向
Java层
image-20220217112532603
app有加固,尝试使用frida_dump脱壳失败,使用blackdex32脱壳成功。
jdax打开,搜索G-Auth-Sign,没有结果。GDA打开,搜索G-Auth-Sign
image-20220216194527624
com.luojilab.netsupport.utils.b.a
image-20220216194708706
com.luojilab.netsupport.utils.b.a
image-20220216194810133
com.iget.baselib.BaseApi.calcSignature
image-20220216195122938
com.iget.baselib.BaseApi.init
image-20220216195147867
所以最后是调用了libbase-lib.so里的calcSignature函数
这时再回到jadx,打开com.luojilab.netsupport.utils.b.a
image-20220216195607411
将选项里的代码注释等级改为DEBUG(此项功能在旧版中没看到)
image-20220216195655513
保存后再查看
image-20220216195741604
虽然不是真实代码,但是已经能够看到G-Auth-Sign这个字符串了,最重要的是这个字符串能被搜索到。
至于calcSignature的输入,由于无法用frida进行hook,只能根据java代码进行构造。
so层
函数窗口搜索java,没有结果,说明是动态注册。打开JNI_OnLoad函数
image-20220216200448417
image-20220216200508935
image-20220216200552979
unidbg实现
public class Dedao extends AbstractJni {
private final AndroidEmulator emulator;
private final VM vm;
private final Module module;
public static String pkgName = "com.luojilab.player";
public static String apkPath = "unidbg-android/src/test/java/com/dedao/dedao9100.apk";
public static String soName = "base-lib";
public Dedao() {
emulator = AndroidEmulatorBuilder.for32Bit().setProcessName(pkgName).build();
Memory memory = emulator.getMemory();
memory.setLibraryResolver(new AndroidResolver(23));
vm = emulator.createDalvikVM(new File(apkPath));
vm.setJni(this);
vm.setVerbose(true);
DalvikModule dm = vm.loadLibrary(soName, true);
module = dm.getModule();
vm.callJNI_OnLoad(emulator, module);
}
@Override
public DvmObject callObjectMethodV(BaseVM vm, DvmObject dvmObject, String signature, VaList vaList) {
switch (signature) {
case "java/util/Iterator->next()Ljava/lang/Object;": {
Iterator it = (Iterator) dvmObject.getValue();
return vm.resolveClass("java/util/Map$Entry").newObject(it.next());
}
case "java/util/Map$Entry->getKey()Ljava/lang/Object;": {
Map.Entry entry = (Map.Entry) dvmObject.getValue();
String key = (String) entry.getKey();
return new StringObject(vm, key);
}
case "java/util/Map$Entry->getValue()Ljava/lang/Object;": {
Map.Entry entry = (Map.Entry) dvmObject.getValue();
byte[] barr = (byte[]) entry.getValue();
return new ByteArray(vm, barr);
}
}
return super.callObjectMethodV(vm, dvmObject, signature, vaList);
}
public void call_sign() {
HashMap hashMap = new HashMap();
hashMap.put("path", "/drlog/rule".getBytes());
hashMap.put("method", "GET".getBytes());
hashMap.put("query_string", "did=d5d994ea662e63f1".getBytes());
hashMap.put("timestamp", "1645063949".getBytes());
hashMap.put("nonce", "e4da34c23b39d8783e3ff265c42b7cf6".getBytes());
hashMap.put("secret", "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJpZ2V0Z2V0LmNvbSIsImV4cCI6MTY0NzY1NTk0OSwiaWF0IjoxNjQ1MDYzOTQ5LCJpc3MiOiJEREdXIEpXVCBNSURETEVXQVJFIiwibmJmIjoxNjQ1MDYzOTQ5LCJzdWIiOiIzNDk4OTg0NjIiLCJkZXZpY2VfaWQiOiIiLCJkZXZpY2VfdHlwZSI6IiJ9.knPHNdmEUqm0lp96SxB7vCp5xcfXPSXYVbQ-Tg-L88m4WM0yXPHkOmLyBzPqK0ni5erHTLvQyUgulQpoGeDSqg".getBytes());
// hashMap.put("content-type", "".getBytes());
// hashMap.put("body", "".getBytes());
HashMap hashMap1 = new HashMap();
hashMap1.put("Xi-App-Key", "android-9.10.0".getBytes());
hashMap1.put("Xi-Uid", "349898462".getBytes());
hashMap1.put("Xi-Thumb", "xl".getBytes());
hashMap1.put("Xi-Dt", "phone".getBytes());
hashMap1.put("Xi-Ov", "7.1.2".getBytes());
hashMap1.put("Xi-Net", "wifi".getBytes());
hashMap1.put("Xi-Os", "ANDROID".getBytes());
hashMap1.put("Xi-D", "d5d994ea662e63f1".getBytes());
hashMap1.put("Xi-Dv", "Pixel".getBytes());
hashMap1.put("Xi-T", "json".getBytes());
hashMap1.put("Xi-Chil", "7".getBytes());
hashMap1.put("Xi-V", "2".getBytes());
hashMap1.put("Xi-Av", "9.10.0".getBytes());
hashMap1.put("Xi-Scr", "0".getBytes());
hashMap1.put("Xi-Adv", "1".getBytes());
hashMap1.put("Xi-Seid", "d5d994ea662e63f1".getBytes());
// hashMap1.put("Xi-Span-Id", "".getBytes());
// hashMap1.put("Xi-Trace-Id", "".getBytes());
// hashMap1.put("Xi-Parent-Id", "".getBytes());
List
image-20220217112507480
补环境过程省略。结果出来了,但是和抓包结果对不上,可能是有些环境没有初始化。
image-20220217100218324
可以看到有个init函数调用了initImp,查看引用。
image-20220217100330216
image-20220217100353519
那就先调用一下initImp
public void call_init() {
Listpublic static void main(String[] args) {
Dedao test = new Dedao();
test.call_init();
test.call_sign();
}
image-20220217112716896
和抓包结果一致。
unidbg逆向
查看calcSignature函数sub_2A44
image-20220217113041135
v2是最后的sign,它是sub_3A40的返回值,进去看看
image-20220217113218284
下断点看看输入
image-20220217113353735
image-20220217113417679
image-20220217113428959
所以输入的a2中已经保存着结果了。
image-20220217114519621
那就再往前追溯,看看sub_B198
image-20220217113641871
参数个数不太正常,看看跳转处的汇编
image-20220217113731518
只有3个入参,改改声明
image-20220217113914038
image-20220217113935846
函数最后处的调用也不太正常,看看汇编
image-20220217114045950
不太像个函数调用,按U将其转为数据,然后按C将其转为代码
image-20220217114254765
然后在0xB85C处按E将其标记为函数结尾,回到代码F5
image-20220217114944861
已经知道结果保存在a1[2],而a1[2]=v63, v63=v75, v61=v75,所以看看sub_D98C
image-20220217115130069
下断点看看输入(该函数在initImp中也被调用了,需要注意一下)
image-20220217115327637
image-20220217115437308
可以看到a3正是其字节表示。继续往前追溯
image-20220217115611092
看看sub_CE48
image-20220217115725732
明显的HMAC特征,结合sign的长度,用的应该是HMAC-SHA1。
下断点看看输入(该函数有被多次调用,需要注意)
image-20220217120034455
image-20220217120052213
image-20220217120106076
将它们作为key和输入在cyberchef测一下
image-20220217120221589
和抓包结果一致。
unidbg代码
public class Dedao extends AbstractJni {
private final AndroidEmulator emulator;
private final VM vm;
private final Module module;
public static String pkgName = "com.luojilab.player";
public static String apkPath = "unidbg-android/src/test/java/com/dedao/dedao9100.apk";
public static String soName = "base-lib";
public Dedao() {
emulator = AndroidEmulatorBuilder.for32Bit().setProcessName(pkgName).build();
Memory memory = emulator.getMemory();
memory.setLibraryResolver(new AndroidResolver(23));
vm = emulator.createDalvikVM(new File(apkPath));
vm.setJni(this);
vm.setVerbose(true);
DalvikModule dm = vm.loadLibrary(soName, true);
module = dm.getModule();
vm.callJNI_OnLoad(emulator, module);
}
@Override
public DvmObject callObjectMethodV(BaseVM vm, DvmObject dvmObject, String signature, VaList vaList) {
switch (signature) {
case "java/util/Iterator->next()Ljava/lang/Object;": {
Iterator it = (Iterator) dvmObject.getValue();
return vm.resolveClass("java/util/Map$Entry").newObject(it.next());
}
case "java/util/Map$Entry->getKey()Ljava/lang/Object;": {
Map.Entry entry = (Map.Entry) dvmObject.getValue();
String key = (String) entry.getKey();
return new StringObject(vm, key);
}
case "java/util/Map$Entry->getValue()Ljava/lang/Object;": {
Map.Entry entry = (Map.Entry) dvmObject.getValue();
byte[] barr = (byte[]) entry.getValue();
return new ByteArray(vm, barr);
}
}
return super.callObjectMethodV(vm, dvmObject, signature, vaList);
}
public void call_sign() {
HashMap hashMap = new HashMap();
hashMap.put("path", "/drlog/rule".getBytes());
hashMap.put("method", "GET".getBytes());
hashMap.put("query_string", "did=d5d994ea662e63f1".getBytes());
hashMap.put("timestamp", "1645063949".getBytes());
hashMap.put("nonce", "e4da34c23b39d8783e3ff265c42b7cf6".getBytes());
hashMap.put("secret", "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJpZ2V0Z2V0LmNvbSIsImV4cCI6MTY0NzY1NTk0OSwiaWF0IjoxNjQ1MDYzOTQ5LCJpc3MiOiJEREdXIEpXVCBNSURETEVXQVJFIiwibmJmIjoxNjQ1MDYzOTQ5LCJzdWIiOiIzNDk4OTg0NjIiLCJkZXZpY2VfaWQiOiIiLCJkZXZpY2VfdHlwZSI6IiJ9.knPHNdmEUqm0lp96SxB7vCp5xcfXPSXYVbQ-Tg-L88m4WM0yXPHkOmLyBzPqK0ni5erHTLvQyUgulQpoGeDSqg".getBytes());
// hashMap.put("content-type", "".getBytes());
// hashMap.put("body", "".getBytes());
HashMap hashMap1 = new HashMap();
hashMap1.put("Xi-App-Key", "android-9.10.0".getBytes());
hashMap1.put("Xi-Uid", "349898462".getBytes());
hashMap1.put("Xi-Thumb", "xl".getBytes());
hashMap1.put("Xi-Dt", "phone".getBytes());
hashMap1.put("Xi-Ov", "7.1.2".getBytes());
hashMap1.put("Xi-Net", "wifi".getBytes());
hashMap1.put("Xi-Os", "ANDROID".getBytes());
hashMap1.put("Xi-D", "d5d994ea662e63f1".getBytes());
hashMap1.put("Xi-Dv", "Pixel".getBytes());
hashMap1.put("Xi-T", "json".getBytes());
hashMap1.put("Xi-Chil", "7".getBytes());
hashMap1.put("Xi-V", "2".getBytes());
hashMap1.put("Xi-Av", "9.10.0".getBytes());
hashMap1.put("Xi-Scr", "0".getBytes());
hashMap1.put("Xi-Adv", "1".getBytes());
hashMap1.put("Xi-Seid", "d5d994ea662e63f1".getBytes());
// hashMap1.put("Xi-Span-Id", "".getBytes());
// hashMap1.put("Xi-Trace-Id", "".getBytes());
// hashMap1.put("Xi-Parent-Id", "".getBytes());
List其他
不能用frida进行hook的话逆向起来有点困难,不知道有什么方法解决。