Target app
55uu5qCHYXBw77ya5bCB6Z2i5paw6Ze777yMYXBw54mI5pys77yaOC40LjA=
Packet capture

Search in jadx to locate where the parameter is generated

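Hook with Frida to view the arguments passed in

Java.perform(function () {
    var SignManager = Java.use("cn.thecover.lib.common.manager.SignManager");
    console.log("SignManager: ", SignManager);
    // Replace getSign so that its three string arguments and the returned sign are logged
    SignManager.getSign.implementation = function (str, str1, str2) {
        console.log("str: ", str);
        console.log("str1: ", str1);
        console.log("str2: ", str2);
        // Call the original implementation and pass its result through unchanged
        var res = this.getSign(str, str1, str2);
        console.log("result: ", res);
        return res;
    };
});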

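Fix the arguments in unidbg and check whether anything else changes

// Needs java.util.ArrayList and com.github.unidbg.linux.android.dvm.StringObject;
// vm, module and emulator are fields initialised elsewhere in the class.
public void getSign() {
    ArrayList<Object> args = new ArrayList<>(10);
    args.add(vm.getJNIEnv()); // JNIEnv*
    args.add(0);              // jclass / jobject, not used here
    args.add(vm.addLocalObject(new StringObject(vm, "72446173-af9b-49d9-91f8-996cbba53937")));
    args.add(vm.addLocalObject(new StringObject(vm, "")));
    args.add(vm.addLocalObject(new StringObject(vm, "1672024045773")));
    // Call the exported JNI function directly with the fixed arguments
    Number number = module.callFunction(emulator, "Java_cn_thecover_lib_common_manager_SignManager_getSign", args.toArray());
    System.out.println(vm.getObject(number.intValue()).getValue().toString());
}

unidbg: filling in the missing environment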

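Looking at it in jadx shows that this method retrieves the app's signature information.
- Use a Frida hook to obtain the app signature information

Java.perform(function () {
    var LogShutDown = Java.use("cn.thecover.lib.common.utils.LogShutDown");
    // Log the value getAppSign returns, then hand it back unchanged
    LogShutDown.getAppSign.implementation = function () {
        var res = this.getAppSign();
        console.log("getAppSign: ", res);
        return res;
    };
});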

- Fill in the environment in unidbg

// Answer the native code's call to getAppSign with the value captured by the hook
@Override
public DvmObject<?> callStaticObjectMethodV(BaseVM vm, DvmClass dvmClass, String signature, VaList vaList) {
    if (signature.equals("cn/thecover/lib/common/utils/LogShutDown->getAppSign()Ljava/lang/String;")) {
        return new StringObject(vm, "3A6BCA056DBA41048F26197A91C0613D");
    }
    return super.callStaticObjectMethodV(vm, dvmClass, signature, vaList);
}

It runs successfully.
Analysis of the so layer
- Step 1
Press F5 to view the pseudocode: the native code obtains the app sign through Java-layer reflection and hashes it with MD5
- Step 2
Reading further, the code concatenates the token, the timestamp and the account into one string and then hashes it with SHA-1
- Step 3
The hashed results of step 1 and step 2 are concatenated and hashed with MD5 once more, which gives the final result
Python implementation

The result is identical to the one obtained from the hook. This concludes the analysis of the sign computation.
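
The three steps above, seen from the server that has to check the sign (an added example, not code from the original post or from the app): it recomputes the digest chain, compares in constant time and rejects stale timestamps, since no input to the chain is a secret held only by the server. The concatenation order, lowercase hex output, the five-minute window, the `APP_SIGN` placeholder and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed placeholder standing in for the string getAppSign() returns.
APP_SIGN = "0123456789ABCDEF0123456789ABCDEF"
# Assumed replay window; the page does not state one.
MAX_SKEW_MS = 5 * 60 * 1000


def _md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_sign(token: str, timestamp_ms: str, account: str,
                 app_sign: str = APP_SIGN) -> str:
    """Digest chain from the three steps (order and hex case are assumptions)."""
    # Step 1: MD5 of the app signature string.
    step1 = _md5_hex(app_sign)
    # Step 2: SHA-1 over token + timestamp + account.
    joined = (token + timestamp_ms + account).encode("utf-8")
    step2 = hashlib.sha1(joined).hexdigest()
    # Step 3: MD5 over the two hex digests concatenated.
    return _md5_hex(step1 + step2)


def verify_sign(sign: str, token: str, timestamp_ms: str, account: str,
                now_ms: int) -> bool:
    """Server-side check: freshness first, then constant-time comparison."""
    try:
        skew = abs(now_ms - int(timestamp_ms))
    except ValueError:
        return False  # timestamp is not a number
    if skew > MAX_SKEW_MS:
        return False  # outside the replay window
    expected = compute_sign(token, timestamp_ms, account)
    return hmac.compare_digest(expected.encode(), sign.lower().encode())


if __name__ == "__main__":
    # Constructed sample request values.
    ts = "1700000000000"
    s = compute_sign("", ts, "acct-constructed")
    print(s, verify_sign(s, "", ts, "acct-constructed", now_ms=int(ts) + 1000))
```

Because the chain is keyless, the sign only ties the three fields together; access control still has to rest on the server validating the token itself.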


