问题
几乎99%的软件都有登录功能,而登录这一个动作真的将我们的用户名和密码上传到了服务器吗,会不会有个人隐私呢。根据我们这个问题,我们用FaceU这个软件,逆向来看看他的登录功能到底都传了什么数据。
准备工作
首先下载faceu的APK,具体下载地址大家可以去各大应用市场,我下载的版本是v2.2.6。
需要的工具
- apktool (拆包APK用)
- dex2jar (反编译dex文件用)
需要的工具下载地址:https://github.com/hanhan12312/android_reverse_practice/tree/master/tools
拆包
首先,我们利用apktool拆包apk,执行命令
apktool d faceu.apk
这样在当前文件夹就得到了一个faceu的文件夹。
定位代码
我们打开Faceu软件,点击下面的已有账号在此登录,然后弹出来登录界面,如图所示
我们利用字符串搜索法,这个页面的注册的EditText的hint字为"Faceu号/手机号",我们搜索res文件夹内所有文件的内容,搜索此关键字找到两处,位置都在res/values/strings.xml文件内
strings.xml
Faceu号 / 手机号
Faceu号/手机号
根据name我们也能知道,account_hint是账号的输入框,而另一个是用于搜索的。
我们知道一个布局文件肯定有用到过这个值。所以我们在工程内搜索"str_account_hint",可是结果却发现只有两处引用到,如图
这里写图片描述
看来faceu的程序员们是没有在布局中引用,那就有可能在java代码内引用到,那就去看看"str_account_hint"在代码对应的值是多少。
紧接着我们顺着str_account_hint这个名字在res/values/public.xml文件内搜索"str_account_hint",public.xml是在编译期间生成的文字对应编译后资源的id。
public.xml
由此我们可以看出在java代码内对应的是0x7f070047。因此我们再次在代码里面搜索0x7f070047试试。
找到了引用到这个常量的地方。
在文件com/lemon/faceu/login/b内
const v2, 0x7f070047
invoke-virtual {v1, v2}, Landroid/content/res/Resources;->getString(I)Ljava/lang/String;
move-result-object v1
invoke-virtual {v0, v1}, Lcom/lemon/faceu/uimodule/view/AccountEditText->setHintText(Ljava/lang/String;)V
熟悉smali语法的话,我们能够读懂,这个翻译成Java代码其实就是
String v1 = context.getString(0x7f070047);
editText.setHintText(v1);
目的是找到到这个字符串。
到此为止我们分析一下当前的类是个什么类,是个Activity?Fragment?还是自定义View。
我们找到当前页面网上翻几行,看看还有没有用到什么别的资源id,找到了如下代码
const v0, 0x7f0e026e
invoke-virtual {p1, v0}, Landroid/view/View;->findViewById(I)Landroid/view/View;
move-result-object v0
check-cast v0, Lcom/lemon/faceu/uimodule/view/PasswordEditText;
iput-object v0, p0, Lcom/lemon/faceu/login/b;->bpP:Lcom/lemon/faceu/uimodule/view/PasswordEditText;
很明显,这个凭借PasswordEditText名称我们也能发现他就是密码输入的EditText
翻译成java代码
PasswordEditText v0 = (PasswordEditText)this.findViewById(0x7f0e026e);
this.bpP = v0;
根据这一句话我们在public.xml里面找到对应的xml
然后我们再看看有没有布局文件引用到了cet_login_password,于是找到了4处
cet_login_password
我们进入fragment_login.xml发现他只有登录页面的上半部分。却没有下面的取消和确认按钮。可以猜测他并不是Activity,Fragment,因为没有标志性的onCreate方法,父类最终也没有找到Activity,Fragment等。很可能是一个负责处理业务的类。
但是我们知道了当前的成员变量bpP就是对应的密码的EditText了,那么看看都哪里调用这个bpP了。
通过对当前类分析,我最终找到了Lu方法里面对应到了登录按钮的。
逆向登录代码,查看传递参数
经过一番努力总算找到了登录界面,登录代码,现在我们进行分析,并且加入一段我们自己的代码,进行二次打包。
下面是分析详解
Lcom/lemon/faceu/login/b;
.method Lu()V
.locals 4
.prologue
.line 216
invoke-virtual {p0}, Lcom/lemon/faceu/login/b;->Ls()Z
#检测用户名是否合法
move-result v0
#如果不合法就返回
if-eqz v0, :cond_0
invoke-virtual {p0}, Lcom/lemon/faceu/login/b;->Lt()Z
#检测密码是否合法
move-result v0
#如果不合法就返回
if-nez v0, :cond_1
.line 241
:cond_0
:goto_0
return-void
.line 220
:cond_1
invoke-virtual {p0}, Lcom/lemon/faceu/login/b;->Uv()V
.line 222
const-string v0, "LoginFragment"
const-string v1, "startLogin"
invoke-static {v0, v1}, Lcom/lemon/faceu/sdk/utils/c;->i(Ljava/lang/String;Ljava/lang/String;)V
#调用Faceu自己的统计打点方法
.line 223
iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;
invoke-virtual {v0}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->getAccount()Ljava/lang/String;
move-result-object v0
#调用AccountEditText的getAccount方法,并将用户户名存入v0
iput-object v0, p0, Lcom/lemon/faceu/login/b;->aAS:Ljava/lang/String;
#将aAs赋值为用户名
.line 224
iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpP:Lcom/lemon/faceu/uimodule/view/PasswordEditText;
invoke-virtual {v0}, Lcom/lemon/faceu/uimodule/view/PasswordEditText;->getEditText()Landroid/widget/EditText;
move-result-object v0
invoke-virtual {v0}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
move-result-object v0
invoke-virtual {v0}, Ljava/lang/Object;->toString()Ljava/lang/String;
move-result-object v0
#将密码从bpP取出来,并取出String类型的密码复制给v0
.line 227
invoke-static {}, Lcom/lemon/faceu/common/e/a;->xJ()Lcom/lemon/faceu/common/e/a;
move-result-object v1
iget-object v2, p0, Lcom/lemon/faceu/login/b;->aAS:Ljava/lang/String;
invoke-virtual {v1, v2}, Lcom/lemon/faceu/common/e/a;->setAccount(Ljava/lang/String;)V
#将现在的用户名存入sharedprefence,以便于记住用户名下次直接显示
.line 229
new-instance v1, Ljava/util/HashMap;
#new一个HashMap存储进v1
invoke-direct {v1}, Ljava/util/HashMap;->()V
#初始化v1
.line 230
const-string v2, "account"
iget-object v3, p0, Lcom/lemon/faceu/login/b;->aAS:Ljava/lang/String;
invoke-interface {v1, v2, v3}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
#将用户名存入HashMap
.line 231
const-string v2, "pwd"
invoke-static {v0}, Lcom/lemon/faceu/common/i/g;->bS(Ljava/lang/String;)Ljava/lang/String;
move-result-object v0
invoke-interface {v1, v2, v0}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
#将密码调用bS方法加密并且存入map
.line 232
const-string v0, "councode"
const-string v2, "86"
invoke-interface {v1, v0, v2}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
#国家编号86,存入map
.line 233
const-string v0, "manufacture"
sget-object v2, Landroid/os/Build;->MANUFACTURER:Ljava/lang/String;
invoke-interface {v1, v0, v2}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
#将厂商信息存入map
.line 234
const-string v0, "model"
sget-object v2, Landroid/os/Build;->MODEL:Ljava/lang/String;
invoke-interface {v1, v0, v2}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
#将model信息存入map
.line 235
const-string v0, "version"
sget v2, Lcom/lemon/faceu/common/d/b;->aAL:I
invoke-static {v2}, Ljava/lang/String;->valueOf(I)Ljava/lang/String;
move-result-object v2
invoke-interface {v1, v0, v2}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
#将软件版本信息存入map
.line 236
const-string v0, "deviceinfo"
invoke-static {}, Lcom/lemon/faceu/common/b/a;->xt()Lorg/json/JSONObject;
move-result-object v2
#将调用com.lemon.faceu.common.b.a->xt()方法,取回JsonObject并且赋值给v2
invoke-interface {v1, v0, v2}, Ljava/util/Map;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;
#将JSONObject存入map
.line 238
new-instance v0, Lcom/lemon/faceu/common/t/a;
sget-object v2, Lcom/lemon/faceu/common/d/a;->azO:Ljava/lang/String;
invoke-static {}, Landroid/os/Looper;->getMainLooper()Landroid/os/Looper;
move-result-object v3
invoke-direct {v0, v2, v1, v3}, Lcom/lemon/faceu/common/t/a;->(Ljava/lang/String;Ljava/util/Map;Landroid/os/Looper;)V
.line 239
iget-object v1, p0, Lcom/lemon/faceu/login/b;->aKe:Lcom/lemon/faceu/common/t/a$a;
invoke-virtual {v0, v1}, Lcom/lemon/faceu/common/t/a;->a(Lcom/lemon/faceu/common/t/a$a;)V
.line 240
const-string v1, "login"
invoke-static {v0, v1}, Lcom/lemon/faceu/sdk/i/b;->a(Ljava/lang/Runnable;Ljava/lang/String;)V
goto :goto_0
.end method
#此方法主要校验用户名是否合法,错误的话输出错误信息,返回值为boolean
.method Ls()Z
.locals 5
.prologue
const/4 v1, 0x0
#使v0寄存器为0
.line 177
iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;
#将成员变量bpO赋值给v0,此时v0就是用户名
invoke-virtual {v0}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->getAccount()Ljava/lang/String;
move-result-object v2
#调用AccountEditText的getAccount方法,并将返回值存入v2
.line 178
invoke-virtual {v2}, Ljava/lang/String;->length()I
#取出用户名长度
move-result v0
#v0 = 用户名长度
if-lez v0, :cond_0
invoke-virtual {v2, v1}, Ljava/lang/String;->charAt(I)C
move-result v0
invoke-static {v0}, Ljava/lang/Character;->isDigit(C)Z
move-result v0
if-eqz v0, :cond_0
.line 180
invoke-static {v2}, Lcom/lemon/faceu/common/u/t;->dz(Ljava/lang/String;)Z
move-result v0
if-nez v0, :cond_4
.line 181
iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;
const v2, 0x7f0700ae
invoke-virtual {p0, v2}, Lcom/lemon/faceu/login/b;->getString(I)Ljava/lang/String;
move-result-object v2
invoke-virtual {v0, v2}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->setTips(Ljava/lang/String;)V
.line 202
:goto_0
return v1
.line 185
:cond_0
invoke-virtual {v2}, Ljava/lang/String;->length()I
move-result v0
const/16 v3, 0x14
if-le v0, v3, :cond_1
.line 186
iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;
const v2, 0x7f070087
invoke-virtual {p0, v2}, Lcom/lemon/faceu/login/b;->getString(I)Ljava/lang/String;
move-result-object v2
invoke-virtual {v0, v2}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->setTips(Ljava/lang/String;)V
goto :goto_0
.line 188
:cond_1
invoke-virtual {v2}, Ljava/lang/String;->length()I
move-result v0
if-lez v0, :cond_2
invoke-virtual {v2, v1}, Ljava/lang/String;->charAt(I)C
move-result v0
invoke-static {v0}, Lcom/lemon/faceu/sdk/utils/h;->u(C)Z
move-result v0
if-nez v0, :cond_2
.line 189
iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;
const v2, 0x7f070086
invoke-virtual {p0, v2}, Lcom/lemon/faceu/login/b;->getString(I)Ljava/lang/String;
move-result-object v2
invoke-virtual {v0, v2}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->setTips(Ljava/lang/String;)V
goto :goto_0
:cond_2
move v0, v1
.line 192
:goto_1
invoke-virtual {v2}, Ljava/lang/String;->length()I
move-result v3
if-ge v0, v3, :cond_4
.line 193
invoke-virtual {v2, v0}, Ljava/lang/String;->charAt(I)C
move-result v3
.line 194
const/16 v4, 0x5f
if-eq v3, v4, :cond_3
invoke-static {v3}, Ljava/lang/Character;->isDigit(C)Z
move-result v4
if-nez v4, :cond_3
invoke-static {v3}, Lcom/lemon/faceu/sdk/utils/h;->u(C)Z
move-result v3
if-nez v3, :cond_3
.line 195
iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpO:Lcom/lemon/faceu/uimodule/view/AccountEditText;
const v2, 0x7f070085
invoke-virtual {p0, v2}, Lcom/lemon/faceu/login/b;->getString(I)Ljava/lang/String;
move-result-object v2
invoke-virtual {v0, v2}, Lcom/lemon/faceu/uimodule/view/AccountEditText;->setTips(Ljava/lang/String;)V
goto :goto_0
.line 192
:cond_3
add-int/lit8 v0, v0, 0x1
goto :goto_1
.line 202
:cond_4
const/4 v1, 0x1
goto :goto_0
.end method
#此方法主要校验密码是否合法,错误的话输出错误信息,做一些动画之类,正确返回true
.method Lt()Z
.locals 2
.prologue
.line 206
iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpP:Lcom/lemon/faceu/uimodule/view/PasswordEditText;
invoke-virtual {v0}, Lcom/lemon/faceu/uimodule/view/PasswordEditText;->getEditText()Landroid/widget/EditText;
move-result-object v0
invoke-virtual {v0}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
move-result-object v0
invoke-virtual {v0}, Ljava/lang/Object;->toString()Ljava/lang/String;
move-result-object v0
invoke-virtual {v0}, Ljava/lang/String;->length()I
move-result v0
.line 207
const/4 v1, 0x6
if-lt v0, v1, :cond_0
const/16 v1, 0x10
if-le v0, v1, :cond_1
.line 208
:cond_0
iget-object v0, p0, Lcom/lemon/faceu/login/b;->bpP:Lcom/lemon/faceu/uimodule/view/PasswordEditText;
const v1, 0x7f0700b5
invoke-virtual {p0, v1}, Lcom/lemon/faceu/login/b;->getString(I)Ljava/lang/String;
move-result-object v1
invoke-virtual {v0, v1}, Lcom/lemon/faceu/uimodule/view/PasswordEditText;->setTips(Ljava/lang/String;)V
.line 209
const/4 v0, 0x0
.line 211
:goto_0
return v0
:cond_1
const/4 v0, 0x1
goto :goto_0
.end method
我们主要看Lu方法里面的以下几行,他调用了com.lemon.faceu.common.b.a->xt()方法,这个主要是用于窃取我们的手机型号,系统,厂商等信息,我们进入方法看看
const-string v0, "deviceinfo"
invoke-static {}, Lcom/lemon/faceu/common/b/a;->xt()Lorg/json/JSONObject;
move-result-object v2
#将调用com.lemon.faceu.common.b.a->xt()方法,取回JsonObject并且赋值给v2
我们进入方法看看
.method public static xt()Lorg/json/JSONObject;
.locals 5
.prologue
.line 34
new-instance v1, Lorg/json/JSONObject;
invoke-direct {v1}, Lorg/json/JSONObject;->()V
.line 36
:try_start_0
const-string v0, "cpu"
invoke-static {}, Lcom/lemon/faceu/common/b/a;->xv()Ljava/lang/String;
move-result-object v2
invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
#取出你的cpu信息放入json
.line 37
const-string v0, "radio"
invoke-static {}, Lcom/lemon/faceu/common/b/a;->xx()Ljava/lang/String;
move-result-object v2
invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
#机型的RADIO信息存入json
.line 38
const-string v0, "os_version"
sget v2, Landroid/os/Build$VERSION;->SDK_INT:I
invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;I)Lorg/json/JSONObject;
#取出你系统版本
.line 39
const-string v0, "imei"
invoke-static {}, Lcom/lemon/faceu/common/e/a;->xJ()Lcom/lemon/faceu/common/e/a;
move-result-object v2
#取出IMEI号
invoke-virtual {v2}, Lcom/lemon/faceu/common/e/a;->getContext()Landroid/content/Context;
move-result-object v2
invoke-static {v2}, Lcom/lemon/faceu/common/b/a;->bd(Landroid/content/Context;)Ljava/lang/String;
move-result-object v2
invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
.line 40
const-string v0, "imsi"
invoke-static {}, Lcom/lemon/faceu/common/b/a;->xy()Ljava/lang/String;
move-result-object v2
invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
.line 41
const-string v0, "iccid"
invoke-static {}, Lcom/lemon/faceu/common/b/a;->xz()Ljava/lang/String;
move-result-object v2
invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
.line 42
const-string v0, "android_id"
invoke-static {}, Lcom/lemon/faceu/common/b/a;->xw()Ljava/lang/String;
move-result-object v2
invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
.line 43
const-string v0, "model"
sget-object v2, Landroid/os/Build;->MODEL:Ljava/lang/String;
invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
.line 44
const-string v0, "core_count"
invoke-static {}, Lcom/lemon/faceu/common/b/a;->xA()I
move-result v2
invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;I)Lorg/json/JSONObject;
.line 45
const-string v0, "wifi"
invoke-static {}, Lcom/lemon/faceu/common/b/a;->xu()Ljava/lang/String;
move-result-object v2
invoke-virtual {v1, v0, v2}, Lorg/json/JSONObject;->put(Ljava/lang/String;Ljava/lang/Object;)Lorg/json/JSONObject;
:try_end_0
.catch Lorg/json/JSONException; {:try_start_0 .. :try_end_0} :catch_0
.line 49
:goto_0
return-object v1
.line 46
:catch_0
move-exception v0
.line 47
const-string v2, "DeviceInfo"
new-instance v3, Ljava/lang/StringBuilder;
invoke-direct {v3}, Ljava/lang/StringBuilder;->()V
const-string v4, "jsonexception, "
invoke-virtual {v3, v4}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v3
invoke-virtual {v0}, Lorg/json/JSONException;->getMessage()Ljava/lang/String;
move-result-object v0
invoke-virtual {v3, v0}, Ljava/lang/StringBuilder;->append(Ljava/lang/String;)Ljava/lang/StringBuilder;
move-result-object v0
invoke-virtual {v0}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
move-result-object v0
invoke-static {v2, v0}, Lcom/lemon/faceu/sdk/utils/c;->e(Ljava/lang/String;Ljava/lang/String;)V
goto :goto_0
.end method
我们能看到他获取了我们的cpu,radio,os_version(系统版本),imei,MODEL,cpu_count,mac地址。
看了半天代码,我们加入一些我们的代码,让程序自己把提交的信息打印出来吧。
const-string v0, "MartinHan--map"
invoke-virtual {v1}, Ljava/util/HashMap;->toString()Ljava/lang/String;
move-result-object v3
invoke-static {v0, v3}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I
const-string v3, "MartinHan---url"
invoke-static {v3, v2}, Landroid/util/Log;->v(Ljava/lang/String;Ljava/lang/String;)I
然后我们执行代码
apktool d faceu
cd faceu/disk
#签名 生成文件明为_signed.apk
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore "MartinHan.jks" -signedjar "_signed.apk" "faceu.apk" "111111" << EOF
111111
adb install _signed.apk
这样的流程走下来,我们的二次打包apk就安装到手机上啦,看看我们输入我们帐号,点击登录。会打印出log信息。
如下所示
03-13 14:17:15.269 10240-10240/com.lemon.faceu V/MartinHan--map: {account=159xxxxxxxx, deviceinfo={"android_id":"62fjdhu42d070400","wifi":"08:33:61:cc:b9:fc","model":"HUAWEI G630-U00","imei":"81338398767854654","iccid":"","cpu":"ARMv7 Processor rev 3 (v7l) ","radio":"203040,203040","imsi":"","core_count":4,"os_version":18}, model=HUAWEI G630-U00, pwd=4d259481d57ffc1c6b4b68cd73dbd301, councode=86, manufacture=HUAWEI, version=270540806}
03-13 14:17:15.269 10240-10240/com.lemon.faceu V/MartinHan---url: https://api2.faceu.mobi/faceu/v3/login.php
如上诉代码所示,我们在faceu登录一次,faceu会上传我们的很多个人信息
mac地址,手机型号,imei,cpu信息,radio,系统版本,国家代码,
并且找到了faceu登录的地址是https://api2.faceu.mobi/faceu/v3/login.php
以上就是我的所有思路,从问题开始,一直找代码,最后动态的打log实现在https加密前就让app自己吐出数据。
写在最后
其实我想不仅faceu,像是其他的厂商也会手机我们的个人信息,完成统计。并且通过大数据分析使用软件的人群,手机型号。
希望所有喜欢逆向的朋友们一起探讨,多多交流。
注:如有侵权,请联系我