Protocol Analysis of a Social App: X-SIGN
Mobile Security
This article analyses the protocol of a social app. After the traffic has been captured, it applies three approaches in turn, static analysis, frida hooking and analysis of the native .so layer, and finally reproduces the whole process by which the X-SIGN value in the protocol is generated.
### Setting up the capture environment

Protocol analysis always starts with capturing the traffic.

The tool usually used for capturing traffic on Android is Charles. Because the phone does not have the Charles root certificate installed, HTTPS packets cannot be captured.

In the Charles main menu choose Help => SSL Proxying => Save Charles Root Certificate and save the Charles root certificate locally; here it is saved in .cer format.

![1.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-0d01b5fece25e1546b1dd4f7ab8ef1d9bd889a40.png)

Android system certificates are all stored under /system/etc/security/cacerts/. As you can see, system certificates are named <hash of the certificate>.0.

![2.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-577f93c038bdad4a08e75b9f599d7144dc92c3ce.png)

The exported Charles root certificate, however, is a .cer file, so first compute the hash of the Charles root certificate with the command below.

```bash
openssl x509 -inform DER -subject_hash_old -in 证书名
```

![3.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-4a1924bf0d695e62d5b134c27e61a2d5674d911a.png)

Then rename the Charles root certificate file to <hash>.0; according to the computed result, the file is named 1b34899f.0 here.

Finally copy 1b34899f.0 into the /system/etc/security/cacerts/ directory.

![4.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-37bb7f00fecc1ce7ebe502fe2fbbbe7184942020.png)

Now open Settings => Security => Trusted credentials => System on the phone, and the Charles root certificate appears there.

![5.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-cbefab64dffa861a7d6238a4b724b0c119e302ea.png)

Configure the SSL Proxying Settings of Charles, with Location set to allow all.

![6.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-d5a1e2eb25aa1c56a36206d82918c7b9e4b99d88.png)

The IP address of the local machine is 192.168.0.103.

![7.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-a227f3e84b18ead2b9a618b7dad669b8a6db33df.png)

Set the corresponding proxy on the phone and capturing can begin.

![8.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-e85dc9f16e7d4d4d964e3d50b24fb57559b1d076.png)

### Capturing the API data and statically analysing the X-SIGN algorithm

Enter the account and password on the login screen.

![9.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-028f258999931b8714615db438ff534a1a5e6297.png)

The following packet is captured; the X-SIGN field can be seen in the request headers in the figure below.

![10.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-8e009e51b143052c1f5721f158ffde937b55b9db.png)

Next, analyse how the value of the X-SIGN field is formed.

Drag the APK file into GDAE to decompile it. Since X-SIGN is what we need to analyse, search for the string X-SIGN.
![11.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-049d9a5f18acaebec9208b6c6316a0b10e3a7041.png)

The search returns 3 results. The code of the c() method in the first result is shown below; c() also puts code\_version, map\_id and X-KV, all of which appeared in the request headers, so only the c() method is analysed.

![12.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-62b93a0eba15003ee4096f4783cd6425f5ef309a.png)

The X-SIGN data is inserted through this.a(uoe, tj, this.d).

```java
tj.put("X-SIGN", this.a(uoe, tj, this.d));
```

Next, analyse uoe, tj and this.d.

uoe = uobyteArray1; the data of uobyteArray1 is copied from uobyteArray, and i elements are copied. The length of the data is therefore i, and i is obtained from Coded.getInstance().aesEncode(); the parameters of Coded.getInstance().aesEncode() are all defined above.

tj = this.k.

![13.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-68be377f1a9e3ffd3c77ae8ce5258d9000f7e497.png)

Now analyse the method a in this.a(uoe, tj, this.d).

![14.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-fa4aeaa549168c2f43dd444906f33036f13c8e35.png)

Method a in turn calls Coded.getInstance().sign(uobyteArray, bytes).

![15.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-3c6fe7b14a1ee51cf95a37a61d5bbf062f6b95ba.png)

The sign method calls the sdbyecbu37x function, which is a native function. It then calls a.a(), which is clearly a standard Base64 encoding.

![16.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-c690fe6f5702abb26b93b867ff855d1cec8ade36.png)

Static analysis gives us the call and parameter-passing relationships. Next, frida is needed to observe the actual data.

### Writing frida hook scripts to analyse the data

From the static analysis above, the methods of interest are aesEncode, a and sign.

Hooking them is straightforward; the two harder points are that frida cannot print a byte array directly, and that the second parameter of method a is a Map that has to be iterated. Both points are commented in the code.

The complete hook code follows; to avoid leaking private details, parts of the package names are written as xxx.

```js
// Print a byte array: JSON.stringify renders the Java byte[] as a list of signed integers
function bytes2hexstr_2(arrBytes) {
    var str_hex = JSON.stringify(arrBytes);
    return str_hex;
}

function hook_aesEncode() {
    Java.perform(function () {
        var targetClass = 'com.xxxxxx.xxxx.util.jni.Coded';
        var methodName = 'aesEncode';
        var gclass = Java.use(targetClass);
        gclass[methodName].overload('[B', 'int', '[B', 'int', '[B').implementation = function (arg0, arg1, arg2, arg3, arg4) {
            console.log('\n[Hook aesEncode([B,int,[B,int,[B)]' +
                '\n\targ0 = ' + bytes2hexstr_2(arg0) +
                '\n\targ1 = ' + arg1 +
                '\n\targ2 = ' + bytes2hexstr_2(arg2) +
                '\n\targ3 = ' + arg3 +
                '\n\targ4 = ' + bytes2hexstr_2(arg4));
            var i = this[methodName](arg0, arg1, arg2, arg3, arg4);
            console.log('\treturn ' + i);
            return i;
        };
    });
}

function hook_a() {
    Java.perform(function () {
        var targetClass = 'com.xxxxxx.xxxxxxx.e';
        var methodName = 'a';
        var gclass = Java.use(targetClass);
        gclass[methodName].overload('[B', 'java.util.Map', 'java.lang.String').implementation = function (arg0, arg1, arg2) {
            console.log('\n[Hook a([B,java.util.Map,java.lang.String)]' +
                '\n\targ0 = ' + bytes2hexstr_2(arg0));
            // Get an iterator over the map's keys
            var keyset = arg1.keySet();
            var it = keyset.iterator();
            // Walk the map
            while (it.hasNext()) {
                var keystr = it.next().toString();           // get the key
                var valuestr = arg1.get(keystr).toString();  // get the value via the key
                console.log('\targ1 = ' + keystr + " : " + valuestr);
            }
            console.log('\targ2 = ' + arg2);
            var i = this[methodName](arg0, arg1, arg2);
            console.log('\treturn ' + i);
            return i;
        };
    });
}

function hook_sign() {
    Java.perform(function () {
        var targetClass = 'com.xxxxxx.xxxx.util.jni.Coded';
        var methodName = 'sign';
        var gclass = Java.use(targetClass);
        gclass[methodName].overload('[B', '[B').implementation = function (arg0, arg1) {
            console.log('\n[Hook sign([B,[B)]' +
                '\n\targ0 = ' + bytes2hexstr_2(arg0) +
                '\n\targ1 = ' + bytes2hexstr_2(arg1));
            var i = this[methodName](arg0, arg1);
            console.log('\treturn ' + i);
            return i;
        };
    });
}

function main() {
    hook_aesEncode();
    hook_a();
    hook_sign();
}

setImmediate(main);
```

Output from hooking the aesEncode method:

```text
[Hook aesEncode([B,int,[B,int,[B)]
    arg0 = 
    [elided: the JSON request body passed to aesEncode, as a signed byte array]
    arg1 = 1523
    arg2 = [112,70,53,82,107,113,106,86,74,52,110,80,105,82,55,105,89,97,72,107,87,121,102,112,50,121,121,107,107,111,79,108,112,70,53,82,107,113,106,86,74,52,110,80,105,82,55,105]
    arg3 = 48
    arg4 = [elided: zero-filled output buffer]
    return 1543
```

Output from hooking the a method:

```text
[Hook a([B,java.util.Map,java.lang.String)]
    arg0 = 
    [elided: the 1543-byte ciphertext uoe produced by aesEncode, as a signed byte array]
    arg1 = X-LV : 1
    arg1 = cookie : SESSIONID=E41A8316-2A41-3F78-B378-CC67F26F97AE_G
    arg1 = X-Trace-Id : A99628A6-C39C-4D4C-AD23-74F3EF15A244
    arg1 = User-Agent : xxxxxxx/8.31.6 Android/7075 (IN2020; Android 7.1.2; Gapps 1; zh_CN; 14; OnePlus)
    arg1 = X-KV : cbdc9cdf
    arg1 = X-Span-Id : 0
    arg1 = Accept-Language : zh-CN
    arg2 = pF5RkqjVJ4nPiR7iYaHkWyfp2yykkoOlpF5RkqjVJ4nPiR7i
```

Output from hooking the sign method:

```text
[Hook sign([B,[B)]
    arg0 = [elided: the bytes from 77 through 41 discussed below, followed by the whole of a's arg0]
    arg1 = [112,70,53,82,107,113,106,86,74,52,110,80,105,82,55,105,89,97,72,107,87,121,102,112,50,121,121,107,107,111,79,108,112,70,53,82,107,113,106,86,74,52,110,80,105,82,55,105]
    return gB0dO33VfWkQyOWE7++tv/EBrtc=
    return gB0dO33VfWkQyOWE7++tv/EBrtc=
```

Comparing the two outputs shows that a's arg0 is entirely contained in sign's arg0.

![17.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-b37af6d98f93c4be3e3fe884cd165d69bb689f3e.png)

So what is the remaining part? Convert the remaining part, i.e. the bytes from 77 through 41, into a string.

```java
public class ByteToString {
    public static void main(String[] args) {
        byte[] a = {77,111,109,111,67,104,97,116,47,56,46,51,49,46,54,32,65,110,100,114,111,105,100,47,55,48,55,53,32,40,73,78,50,48,50,48,59,32,65,110,100,114,111,105,100,32,55,46,49,46,50,59,32,71,97,112,112,115,32,49,59,32,122,104,95,67,78,59,32,49,52,59,32,79,110,101,80,108,117,115,41};
        String s = new String(a);
        System.out.println(s);
    }
}
```

The result, shown in the figure, is simply the User-Agent value from a's arg1 turned into a byte array.

![18.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-103f123fe7c88d6786a0f68ce999e820a03facc6.png)

sign's arg1 is a's arg2 turned into a byte array.

```java
public class ByteToString {
    public static void main(String[] args) {
        byte[] a = {112,70,53,82,107,113,106,86,74,52,110,80,105,82,55,105,89,97,72,107,87,121,102,112,50,121,121,107,107,111,79,108,112,70,53,82,107,113,106,86,74,52,110,80,105,82,55,105};
        String s = new String(a);
        System.out.println(s);
    }
}
```

![19.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-cff443ea85b252e1f197824e9eea68db784c9b02.png)

### Recovering the salted SHA1 algorithm in the so layer

After the analysis above, one function remains unanalysed: sdbyecbu37x in the so layer.

To analyse the function we first have to find its module, and modules are always loaded from a static initializer block.
In the static blocks, f.a.b() is called.

![20.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-91e15e82f562c76f0661741a0234c4fd98bde99b.png)

Following it, the b() method executes System.loadLibrary(p0), i.e. it loads the module.

![21.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-fbe2ff35db4b04bfbdaa1965423fce49138fc700.png)

First open the coded\_jni module in IDA, find the sdbyecbu37x function, and change the type of its first parameter to JNIEnv\* and its name to env.

![22.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-8467d6b1123c704b3701a5d0c98a4c147d33c08d.png)

From the analysis, v11 here is p0 of the Java-layer call this.sdbyecbu37x(p0, p1, uobyteArray, len); v8 is p1 and v10 is uobyteArray.

Continue following the sign function. sign is shown in pink, meaning it is an imported function, and this module does not contain it.

![23.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-2fe30b0728b0470804be856c3a91cbe6b92f9333.png)

Switch to the assembly view and scroll up to see the imported libraries. Only libcoded.so is not a system library, so the sign function can only live in libcoded.so.

![24.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-1560d9fdbd83e5f9976c241d6304c312fb712e30.png)

Open the sign function in IDA.

![25.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-890db17f79d027d267be3696d0274bcc16580337.png)

a4 is the length of a1. `ptr = (char *)malloc(size); qmemcpy(ptr, a1, a4);` allocates a buffer of the length of a1 plus 8 and copies the entire content of a1 into ptr.

a2 is of type dword: a word is two bytes and a dword is two words, so a dword is 4 bytes.

`*(_DWORD *)&ptr[a4] = *a2; *(_DWORD *)&ptr[a4 + 4] = v6;` These two statements append the first 8 bytes of a2, i.e. the arg1 parameter of the Java-layer sign method, after arg0. That is:

```text
{ [elided: the bytes of sign's arg0, i.e. the 85 User-Agent bytes followed by a's arg0] ,112,70,53,82,107,113,106,86}
```

Below that, j\_xxxEnc\_sha1(ptr, a3, size); is a call to the standard SHA1 hash, and the salt is taken from the sign method's arg1 parameter: the first
8 个字节。 所以根据推理,sign 方法的参数 arg0 加上 arg1 的前 8 个字节,在进行 SHA1 运算,运算后的结果再进行 Base64 编码,就可以得到 X-SIGN 的值了。 编写代码进行验证: ```java import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.Base64; public class SHABase64 { public static void main(String[] args) throws NoSuchAlgorithmException { byte[] bArr = {77, 111, 109, 111, 67, 104, 97, 116, 47, 56, 46, 51, 49, 46, 54, 32, 65, 110, 100, 114, 111, 105, 100, 47, 55, 48, 55, 53, 32, 40, 73, 78, 50, 48, 50, 48, 59, 32, 65, 110, 100, 114, 111, 105, 100, 32, 55, 46, 49, 46, 50, 59, 32, 71, 97, 112, 112, 115, 32, 49, 59, 32, 122, 104, 95, 67, 78, 59, 32, 49, 52, 59, 32, 79, 110, 101, 80, 108, 117, 115, 41, 2, 3, 16, -123, 73, -63, 0, 43, -20, 34, 27, -91, 116, 59, -24, -51, 69, -49, -121, -119, -117, -75, -26, -30, 52, -98, 123, -7, 28, 72, -69, -24, -79, -84, -6, 50, -32, 64, -80, 105, 98, 87, 32, 89, -90, -10, 5, -101, -60, -93, 107, 18, -5, 2, 79, -44, 32, 12, 126, 63, -94, 42, 25, 57, -48, 35, 108, 28, -104, 105, -118, -53, 33, -87, -18, 49, 72, 73, -29, -74, -26, 122, -110, -2, -89, 32, 80, 43, -127, 86, -33, 2, 0, -43, 64, -31, -55, 102, 111, 89, 40, -15, 82, 22, 5, -7, -120, -30, -92, 25, 121, 125, 35, 27, 14, 113, -54, -100, -108, -62, -29, 25, 33, -3, -6, -73, -17, -95, -77, 74, 26, 26, 126, -43, 119, -80, 84, -40, 96, -74, 80, -113, -125, 113, 3, -73, -61, 111, 103, -54, 41, 122, 25, 95, -70, -118, -5, 95, 93, 6, 98, 102, 5, 126, -120, -121, -121, 105, 73, 100, -74, -122, -11, 74, 34, -103, 53, 45, -59, -67, 100, -48, 111, -53, 50, 96, -109, -77, 88, -54, 69, 98, -27, -31, -33, 1, -92, 114, 122, -109, 20, 55, 89, -97, 8, -36, -61, -39, -10, 116, -60, -75, 79, -56, 92, 83, -47, 64, 57, -124, -86, 22, 111, 112, -40, 114, -47, -57, -38, -122, -123, 119, 127, 119, -113, 1, -70, -124, -78, -67, 62, -48, -64, -49, 52, -43, 46, -109, 24, -46, 17, 81, -1, 122, 102, 33, -85, 85, -79, 108, 49, 25, 63, -32, 83, 105, -108, -111, 95, -46, -14, -97, -104, 72, -25, -45, -100, 4, -39, -108, 51, 31, 
-1, 80, -106, -76, 8, 10, -16, 32, 89, 37, -75, -55, -14, 25, -98, -62, 97, -84, -127, 78, 9, -56, 35, -37, 57, 89, -107, -92, 27, -127, -102, -114, 27, -87, -20, -114, -120, -64, 44, -30, 43, -96, 25, -112, 65, 118, -105, -57, 18, 126, -114, -33, 65, -41, 0, -113, 99, 61, 127, 111, 104, 53, -92, -43, -98, 53, -72, -115, 124, 62, 38, 48, 61, 109, -58, -87, -24, -13, -27, 43, -123, -69, -62, 123, 44, 91, -56, 53, 76, 95, -46, -39, 98, 24, -25, 74, -20, 71, -36, -10, 103, -31, -2, -125, 127, 60, 80, 43, -52, 59, -123, -21, 68, 103, -65, 53, -60, -71, -13, -11, -60, 94, -88, 104, -26, -47, -112, -58, 23, -3, -108, -11, 24, -29, 24, -112, -77, -39, -10, -100, 109, -65, 42, 101, -85, 16, -52, 60, -44, -98, -36, -14, 15, 115, 89, 95, 43, 6, 81, -6, 51, 51, -30, 20, -17, -107, -128, -88, 100, 127, 59, -102, -44, 51, 71, -33, -67, 83, -55, -86, 113, 40, -42, 19, 26, 57, -63, 39, -91, -21, -30, -14, -93, 8, 42, 33, 59, -95, 101, -52, 36, 98, 92, -14, 58, -121, -66, 75, 18, 10, -68, 75, 1, 18, 91, -84, 102, 85, 4, 120, -60, 126, 58, 53, 0, -89, 93, 29, -62, 53, 85, 121, -102, 25, -26, 69, -92, -117, 105, 20, 0, -75, 12, -3, 117, 125, -47, 122, -17, -80, 34, -115, -31, -88, 49, -97, 116, 85, -48, -1, -6, -49, 109, 43, -116, -80, 117, -117, -61, -42, 124, 36, 82, -26, -124, 33, 93, -30, 19, 40, 10, -44, 35, -122, -32, -127, 107, 67, 87, -27, -5, 73, -53, -88, -106, 83, 47, -96, -119, -42, 116, 70, -57, 94, -82, 70, -128, 7, -9, 98, 19, 108, 77, 98, 4, 30, 119, 121, 126, -72, 23, -43, -50, -36, 11, 7, 27, -57, 5, -107, -67, -51, -83, -113, -125, -53, -34, -88, 79, 24, 105, -123, -25, 67, 2, 22, 100, -26, 59, -14, 87, 87, 32, -35, 89, 126, 44, 124, 126, 116, 89, -114, -89, 120, 26, -97, -96, 85, -26, -27, -31, 37, -8, 96, -56, -78, 43, 71, 3, -48, -116, 52, -94, -97, 92, -43, -68, -57, -58, -96, -126, -118, -76, -7, -67, 19, 19, 28, -63, -89, -62, -75, 32, 61, 60, 19, -57, 92, 72, 127, 126, 73, -73, 47, 12, 121, -42, 43, 81, -26, 123, 43, -122, 114, 101, -59, -125, 92, 32, 62, 
-43, -77, 58, 22, 8, 38, -100, 23, -29, 98, 107, -32, -86, 18, -73, -34, -84, 17, 28, 120, 96, -79, 54, -111, -33, 96, -12, 93, -16, 26, 61, 71, 16, 109, 32, 85, -94, 35, -104, 105, -42, 22, -63, -74, 90, 13, -27, 44, -126, 127, 61, -68, -4, -26, 66, 17, 5, 89, -112, -57, 76, 96, -121, 17, 48, 77, 78, -29, -89, -29, 90, -97, 125, 95, -90, 122, 29, -91, 111, -104, 90, 66, 30, -41, -26, -42, -7, 97, 53, 30, 74, 91, 44, 34, 25, -105, 127, -21, 110, -76, -56, 83, 10, 30, 108, 23, -64, 120, -34, -97, -49, 67, 86, 111, 12, 65, 102, -45, 70, -74, -26, -25, -85, -87, -29, -71, -21, 104, -54, 124, 81, -47, -114, 26, 121, 47, -45, 23, 67, -70, 123, -1, -73, -74, -39, 55, -5, 48, 30, -122, -88, 31, 37, -29, -126, 54, 21, -19, -67, -14, -80, 90, 82, -79, -85, 26, -72, 23, 114, -70, 58, -127, -6, -14, 16, 119, -126, -18, -36, 42, 72, 75, -62, -106, -9, 12, -11, 93, 81, -8, 84, 93, 68, 53, 71, 35, -73, 103, -40, -20, 76, -34, 105, 57, 79, 20, -117, -88, 0, 86, 72, 58, -67, 29, 85, -91, -80, 55, 104, 45, -34, -4, 78, 65, -110, 119, 78, -35, -40, 70, 31, -43, -70, 58, 117, 71, 77, -3, -118, 125, -104, -51, 62, 62, 87, -23, -59, -9, -95, -87, -105, 49, -68, 93, -120, -112, -70, 2, -24, 105, -52, 43, -106, -115, 119, -102, -53, -10, -43, -123, -2, 27, 14, 7, 33, 68, -100, 31, -3, 35, 17, -89, 38, 113, -64, -7, -58, -44, -69, -68, -29, -27, -7, 35, 107, 114, 87, -89, 63, 85, 106, -9, -23, -63, -15, 24, -7, -69, 38, 52, -72, -106, -92, 96, -112, -55, 86, -112, -106, 119, 73, 17, 62, -46, 102, -45, 11, 66, -19, 90, -62, 65, -34, 68, -26, -23, -26, -14, 104, 90, 69, 11, 97, -111, 8, -122, 77, -10, 18, -12, -42, -93, 31, -110, -85, 15, 50, -89, -111, -64, -125, -29, 68, 99, -51, 118, -4, 61, 61, -13, 67, -28, -52, -88, 75, 126, -120, -73, -90, 103, -77, 85, -36, -124, 81, -100, -83, 54, 5, -72, -109, 101, 115, 64, 111, 75, 114, -44, -81, -103, -17, -25, 77, 47, 25, -99, -112, 119, -14, -66, 76, 16, 124, 55, 126, 109, -46, 97, 1, -50, 115, 6, 87, 51, -51, 56, -49, 4, 6, 7, 49, 61, 82, 16, 
90, 47, -46, 43, -77, 9, 99, -81, 107, 106, -7, -53, -4, 65, 33, -6, -51, 102, 94, 107, -3, 78, -80, 60, -98, 49, -38, 27, 127, -96, 49, 41, -30, -9, -124, 41, 121, -114, -117, -103, 47, 105, -29, 61, -35, -21, 78, -21, -9, 54, -50, -103, 17, -122, -19, 12, 50, 119, -77, -71, -128, -85, 21, -117, 13, -52, -50, 119, -14, 92, 107, 98, -86, 54, 101, 108, -105, -35, -87, 3, -125, -65, 80, -1, 5, 74, 25, 46, -50, -66, -54, -46, 17, 55, -30, 109, -16, -47, 20, 17, -121, -124, -54, -59, -1, -9, -31, -80, 26, 30, -97, -69, -21, 106, -72, -126, 119, 30, 34, -37, 26, 17, 122, -68, 127, -78, 33, -112, 84, -117, 70, 86, -104, 90, -120, -107, 22, -107, -53, 108, -87, -74, 104, 23, -82, 106, -18, -69, 29, -34, -120, 51, 13, 112, 80, 35, 114, -51, 16, -90, -40, 0, 48, 1, -95, -92, 90, 109, -111, -50, 100, 60, -85, 94, 121, -11, 28, -128, 65, -22, -90, 50, 68, -92, -87, -27, -69, 65, 44, -77, 9, -127, -104, -4, -59, 108, 88, -47, -75, 105, 8, 87, -83, -74, 127, -37, 93, 48, 30, -117, 0, -19, 53, -51, -35, -71, 37, -123, 82, -31, -80, -51, 71, 82, 119, -71, 53, 17, -107, -108, -117, -83, 38, -114, 15, -44, 58, 40, 45, -114, 34, 62, -73, 6, -8, 78, 27, 22, -19, 39, 89, -80, 9, -28, -97, 68, 56, -38, 60, 67, -35, 89, 25, -46, -1, 91, 47, -37, -104, 118, -66, 51, 81, -66, 68, -92, 46, 25, -115, -59, -49, 102, 17, 93, 40, -103, -64, 54, -113, -38, 0, 105, 104, -112, 103, -39, 59, -70, -23, -44, 127, 71, 39, -65, 71, 51, 33, -106, -61, 110, -43, 98, 97, 93, -27, 37, 72, -92, -9, -62, 103, 20, 12, -45, 50, 97, -27, -90, -115, 78, -12, -127, 109, 99, 77, 93, 25, -56, 7, -24, -63, 91, 0, -96, -22, -37, -24, -13, -12, 45, 64, -112, -69, -87, -117, -57, 75, -25, 1, -124, -118, -114, -88, -72, -37, -83, 74, 48, -33, -75, 116, 34, -68, -75, 79, -48, 42, -70, 67, -104, -12, 74, 88, 52, -63, -87, 62, 86, -62, 79, -100, 117, -10, 116, -85, -68, 5, 112, 70, 53, 82, 107, 113, 106, 86}; MessageDigest sha = MessageDigest.getInstance("SHA"); byte[] digest = sha.digest(bArr); String s = 
Base64.getEncoder().encodeToString(digest); System.out.println(s); } } ```

Running it produces exactly the X-SIGN value seen in the capture: gB0dO33VfWkQyOWE7++tv/EBrtc=

![26.png](https://shs3.b.qianxin.com/attack_forum/2023/06/attach-8b244ed771d28e60c7aaa603337aab063541e3ec.png)

### Conclusion

This article went from setting up the capture environment, to static analysis of the APK, to frida hooking the key code blocks to find the key data, and finally to analysis of the so layer to locate the hashing method and the salting step, thereby reproducing step by step how the X-SIGN value is generated.

Once the protocol has been reversed, one can frida hook a given method and send the data to python, making it possible to perform mass registration or login and a whole series of very dangerous actions without touching, or barely touching, the app.
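As an added example, not code from the article, the same derivation in Python: a helper that turns a Java signed-byte dump like the ones printed above into bytes, the Base64(SHA1(arg0 || arg1[:8])) computation, a constant-time server-side check of a received header, and a probe showing that only 8 bytes of arg1 ever influence the value. The arg0/arg1 sample values are constructed; the real ones come from the hooked sign() call.

```python
import base64
import hashlib
import hmac


def java_signed_bytes(values):
    """Turn a Java signed-byte dump (each value in -128..127, as the frida
    output on this page prints them) into a Python bytes object."""
    return bytes(v & 0xFF for v in values)


def x_sign(arg0: bytes, arg1: bytes) -> str:
    """X-SIGN as derived in the article: Base64(SHA1(arg0 || first 8 bytes of arg1)).
    Anything in arg1 after the 8th byte never enters the hash."""
    material = arg0 + arg1[:8]
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def verify_x_sign(header_value: str, arg0: bytes, arg1: bytes) -> bool:
    """Server-side check of a received X-SIGN header: recompute it and compare
    in constant time so response timing does not leak matching prefixes."""
    expected = x_sign(arg0, arg1).encode("ascii")
    return hmac.compare_digest(expected, header_value.encode("ascii"))


def bytes_of_arg1_that_matter(arg0: bytes, arg1: bytes) -> int:
    """Count the positions of arg1 whose change alters the signature. With this
    scheme the count is min(len(arg1), 8): that is how short the 'salt' really is."""
    baseline = x_sign(arg0, arg1)
    count = 0
    for i in range(len(arg1)):
        mutated = bytearray(arg1)
        mutated[i] ^= 0xFF          # flip every bit of one byte
        if x_sign(arg0, bytes(mutated)) != baseline:
            count += 1
    return count


if __name__ == "__main__":
    # Constructed sample values (not from the captured session).
    arg0 = b"User-Agent and request body bytes (constructed)"
    arg1 = java_signed_bytes([-128, -1, 0, 127, 1, 2, 3, 4, 5, 6])
    sig = x_sign(arg0, arg1)
    print("X-SIGN:", sig)
    print("arg1 bytes that influence X-SIGN:", bytes_of_arg1_that_matter(arg0, arg1))
    print("header verifies:", verify_x_sign(sig, arg0, arg1))
```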
Published 2023-06-25 11:20:03
Category: Vulnerability Analysis
bmstd