Android Reverse Engineering: Hooking the Beibei APP with Xposed

Tech  2025-10-21  11

While learning Android reverse engineering recently I took a look at the Beibei APP and found that it has put some work into data security. This article mainly walks through the process of hooking the Beibei APP's signature parameters `_abr_` and `sign`; the other parameters can, of course, be hooked in the same way. This article is for learning and exchange only; do not use it for any other purpose.

I. Environment and tools

Environment: Windows 10

Devices: LDPlayer emulator (雷电模拟器), Google Pixel

HOOK framework: Xposed

Instrumentation tool: Frida

IDE: Android Studio

Decompiler: jadx

Packet capture tool: Charles

Target APP: Beibei apk (9.42.00_1190)

II. Workflow

1. Capture and analyse the traffic. Install the App on the emulator, configure the emulator's VPN proxy, start Charles, then operate the App on the emulator so that it makes network requests and inspect the captured packets in Charles. Because the API is served over HTTPS, Charles's root certificate also has to be trusted on the device before the decrypted request is visible.

2. Run a packer-detection tool against the APP to find out which packer, if any, was used. If it is packed, unpacking comes first. Apps from large vendors are, in practice, seldom packed.

3. Decompile the APP with jadx to get at the relevant code. Keep in mind that decompiled code is not always fully correct.

4. Take the key field names learned from the capture and search for them in the jadx output to locate the suspicious code.

5. Write a JS script and inject it with Frida into the emulator's or phone's process memory to probe the candidate code.

6. Once the key code is found, hook the key fields out with Xposed and develop a plugin that exposes them as a service for the crawler code to call.

III. Walkthrough

1. Packet capture

List page

:method GET
:path /gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22yingyongbao%22%2C%22abd%22%3A%22019f089375%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.1.2%22%2C%22screen%22%3A%22900x1600%22%2C%22dn%22%3A%22SM-G9750%22%2C%22version%22%3A%229.42.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22SM-G9750%22%2C%22udid%22%3A%222761a2352060cdee%22%7D&method=beibei.item.search&_abr_=01b2703db5fe7439378a54aae04a434d26ee4ce03e5f7ed0b5&gender_age=0&sign=CC05DE7A3741285738F0CE372A88250A&filter_sellout=0&source=home&sort=hot&price_min=0&target=search_keyword&welfares=0&cat_ids=0&brand_ids=0&baby_info=&page=1&keyword=%E5%A5%BD%E5%A5%87&price_max=0&page_size=20&timestamp=1602146485
:authority api.beibei.com
:scheme https
user-agent Beibei/9.42.00 (Android)
x-client-target bb/search/item_search_keyword
x-api-method beibei.item.search
cache-control no-cache
accept-encoding gzip

Query String (decoded)

close_profile = 0
client_info = {"bd":"yingyongbao","abd":"019f089375","package":"show","os":"7.1.2","screen":"900x1600","dn":"SM-G9750","version":"9.42.00","platform":"Android","network":"WiFi","app_name":"beibei","model":"SM-G9750","udid":"2761a2352060cdee"}
method = beibei.item.search
_abr_ = 01b2703db5fe7439378a54aae04a434d26ee4ce03e5f7ed0b5
gender_age = 0
sign = CC05DE7A3741285738F0CE372A88250A
filter_sellout = 0
source = home
sort = hot
price_min = 0
target = search_keyword
welfares = 0
cat_ids = 0
brand_ids = 0
baby_info = (empty)
page = 1
keyword = 好奇
price_max = 0
page_size = 20
timestamp = 1602146485

2. Packer check

3. Decompilation

4. Keyword search

If searching for the field name itself turns up no related code, search instead for other keywords taken from the network request and trace from there to the place where `_abr_` and `sign` are generated. These signature fields are computed at run time and are not hard-coded anywhere, so a search for their values finds nothing.

5. Instrumentation probe

[-->] boo: true
[-->] result: _abr_01a7621004ede5bb121650744bbad1706737f200565f7ed74bbaby_infobrand_ids0cat_ids0client_info{"bd":"yingyongbao","abd":"019f089375","package":"show","os":"7.1.2","screen":"900x1600","dn":"SM-G9750","version":"9.42.00","platform":"Android","network":"WiFi","app_name":"beibei","model":"SM-G9750","udid":"2761a2352060cdee"}close_profile0filter_sellout0gender_age0keyword好奇methodbeibei.item.searchpage1page_size20price_max0price_min0sorthotsourcehometargetsearch_keywordtimestamp1602148171welfares0
[-->] boo: false
[-->] result: close_profile=0&client_info=%7B%22bd%22%3A%22yingyongbao%22%2C%22abd%22%3A%22019f089375%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.1.2%22%2C%22screen%22%3A%22900x1600%22%2C%22dn%22%3A%22SM-G9750%22%2C%22version%22%3A%229.42.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22SM-G9750%22%2C%22udid%22%3A%222761a2352060cdee%22%7D&method=beibei.item.search&_abr_=01a7621004ede5bb121650744bbad1706737f200565f7ed74b&gender_age=0&sign=8FAAF1006364FB9D7A6B9C9F5B4BB7CE&filter_sellout=0&source=home&sort=hot&price_min=0&target=search_keyword&welfares=0&cat_ids=0&brand_ids=0&baby_info=&page=1&keyword=%E5%A5%BD%E5%A5%87&price_max=0&page_size=20&timestamp=1602148171
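The script below is an added example for steps 5 and 6 and for the probe output just shown; it is my code, not the post author's script and not code from the Beibei APP. It contains a Frida probe of the kind step 5 describes, plus plain JavaScript helpers that rebuild the two strings the probe printed from the captured parameters, so that what a hooked method returns can be checked against what the capture predicts. Assumptions: `com.example.SignBuilder` and `build` are placeholders to be replaced with the class and method that the jadx search turns up; the signing-input format (every parameter except `sign`, sorted by key, concatenated as key+value with no separators) is only what the `boo: true` line lets us observe; and the page does not say how that string becomes the 32-hex-character `sign`, so that step is deliberately not reproduced. The `_abr_` tail check is an observation derived from the four requests shown on this page, not a statement by the author.

```javascript
// Added example (not the post's own script, and not Beibei code): a Frida probe
// in the shape step 5 describes, plus pure helpers that rebuild the two strings
// the probe printed above from the captured parameters. ASSUMPTIONS: the class
// and method names are placeholders to be replaced with what jadx shows; the
// signing-input format is only what the `boo: true` line lets us observe; how
// that string becomes `sign` is not on the page and is not reproduced here.
'use strict';

// PLACEHOLDERS (assumption): the class/method that builds the signed string.
const TARGET_CLASS = 'com.example.SignBuilder';
const TARGET_METHOD = 'build';

// Parameters transcribed from the `boo: false` line above, in the order the
// app emits them (constructed test data; `sign` kept exactly as captured).
const CAPTURED_PARAMS = [
  ['close_profile', '0'],
  ['client_info', '{"bd":"yingyongbao","abd":"019f089375","package":"show","os":"7.1.2","screen":"900x1600","dn":"SM-G9750","version":"9.42.00","platform":"Android","network":"WiFi","app_name":"beibei","model":"SM-G9750","udid":"2761a2352060cdee"}'],
  ['method', 'beibei.item.search'],
  ['_abr_', '01a7621004ede5bb121650744bbad1706737f200565f7ed74b'],
  ['gender_age', '0'],
  ['sign', '8FAAF1006364FB9D7A6B9C9F5B4BB7CE'],
  ['filter_sellout', '0'],
  ['source', 'home'],
  ['sort', 'hot'],
  ['price_min', '0'],
  ['target', 'search_keyword'],
  ['welfares', '0'],
  ['cat_ids', '0'],
  ['brand_ids', '0'],
  ['baby_info', ''],
  ['page', '1'],
  ['keyword', '好奇'],
  ['price_max', '0'],
  ['page_size', '20'],
  ['timestamp', '1602148171'],
];

// Mimic java.net.URLEncoder.encode(s, "UTF-8"): '+' for space (compare the
// "Redmi+Note+4X" in the analysis section) and escapes for the characters
// encodeURIComponent leaves alone but Java does not.
function javaUrlEncode(s) {
  return encodeURIComponent(s)
    .replace(/%20/g, '+')
    .replace(/[!'()~]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// `boo: false`: key=value pairs in the app's own order, URL-encoded.
function buildQueryString(params) {
  return params.map(([k, v]) => javaUrlEncode(k) + '=' + javaUrlEncode(v)).join('&');
}

// `boo: true`: every pair except `sign`, sorted by key in plain code-point
// order (so `_abr_` comes before the letters), joined as key+value with no
// separators and no encoding. This is the observed input to the signature.
function buildSignInput(params) {
  return params
    .filter(([k]) => k !== 'sign')
    .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0))
    .map(([k, v]) => k + v)
    .join('');
}

// Observation from the captures on this page (not stated by the author): the
// last 8 hex digits of `_abr_` equal the request's `timestamp`. Returns that
// tail as a decimal string so it can be compared with the `timestamp` field.
function abrTailTimestamp(abr) {
  return String(parseInt(abr.slice(-8), 16));
}

// Trace line in the same shape as the probe output above.
function formatTrace(boo, result) {
  return '[-->] boo: ' + boo + ' [-->] result: ' + result;
}

// Frida part: runs only under `frida -U -f <package> -l probe.js`, where the
// Java bridge exists; under plain Node this branch is skipped.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const cls = Java.use(TARGET_CLASS);
    // Hook every overload so the parameter types need not be guessed.
    cls[TARGET_METHOD].overloads.forEach(function (ov) {
      ov.implementation = function () {
        const args = Array.prototype.slice.call(arguments);
        const ret = ov.apply(this, args);
        const boo = args.find((a) => typeof a === 'boolean');
        console.log(formatTrace(boo, ret));
        return ret;
      };
    });
  });
}
```

Fill in the two placeholders from the jadx search and load the script with Frida against the emulator; the printed lines then have the same shape as the probe output above, and `buildSignInput` over the decoded parameters should reproduce the `boo: true` string exactly. The Xposed plugin of step 6 does the same interception from Java (`XposedHelpers.findAndHookMethod` with an `XC_MethodHook`) and hands the returned strings to the crawler instead of printing them. The `_abr_` tail check is a useful sanity test when hooking: a `sign`/`_abr_` pair pulled from one request carries that request's timestamp, so the two values must be taken from the same call.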

6. Writing the Xposed plugin

The plugin is written in Android Studio.

IV. Analysis

    http://api.beibei.com/gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22xiaomi%22%2C%22abd%22%3A%2201c2227a1%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.0%22%2C%22screen%22%3A%221080x1920%22%2C%22dn%22%3A%22Redmi+Note+4X%22%2C%22version%22%3A%229.43.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22Redmi+Note+4X%22%2C%22udid%22%3A%2283aa5d72c9dd97c8%22%7D&method=beibei.item.search&_abr_=01f8ff1eb19c246c4a2bdeaaba632b3791d300c7755f7ed883&gender_age=0&sign=CD9EB0E6A7A3FAF97B46E6162E324AE6&filter_sellout=0&source=home&sort=hot&price_min=0&welfares=0&cat_ids=625_626_627_628_682_683_684_2280&brand_ids=0&baby_info=&page=1&price_max=0&page_size=20&timestamp=1602148483

    http://api.beibei.com/gateway/route?close_profile=0&client_info=%7B%22bd%22%3A%22xiaomi%22%2C%22abd%22%3A%2201c2227a1%22%2C%22package%22%3A%22show%22%2C%22os%22%3A%227.0%22%2C%22screen%22%3A%221080x1920%22%2C%22dn%22%3A%22Redmi+Note+4X%22%2C%22version%22%3A%229.43.00%22%2C%22platform%22%3A%22Android%22%2C%22network%22%3A%22WiFi%22%2C%22app_name%22%3A%22beibei%22%2C%22model%22%3A%22Redmi+Note+4X%22%2C%22udid%22%3A%2283aa5d72c9dd97c8%22%7D&method=beibei.item.search&_abr_=01e223cc783a16f4ef1a46f7b517065663049af1375f7ed8c8&gender_age=0&sign=63AFA9F6633D273019B014AF0C24B140&filter_sellout=0&source=home&sort=hot&price_min=0&welfares=0&cat_ids=625_626_627_628_682_683_684_2280&brand_ids=0&baby_info=&page=1&price_max=0&page_size=20&timestamp=1602148552

The other parameters in the request headers can, of course, be obtained in the same way.

This article is for learning and exchange only; do not use it for any other purpose. Technical support, QQ: 3165845957
