0x01 定位关键函数
取消勾选「反混淆」选项，否则会影响关键函数的定位
尝试搜索 AES、DES、RSA、加密、encode、decode 等关键字；也可以仔细跟进 http 等请求的发起过程，顺着调用链定位加解密函数
分析实现加密与解密的函数：
加密函数：传入公钥以及需要加密的字节数组
解密函数：传入私钥以及需要解密的字节数组
0x02 编写hook.js
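/**
 * Frida agent entry point.
 *
 * Hooks the two `a` overloads of the app's JNI helper class
 * `com.gdtel.eshore.mss.lib.b.b`: the `(RSAPrivateKey, byte[])` variant
 * (decrypt) and the `(RSAPublicKey, byte[])` variant (encrypt). Each hook
 * calls the original implementation, logs the plaintext side as a Java
 * string and returns the original result untouched, so the app's
 * behaviour is not altered. The key objects themselves are never logged.
 *
 * Runs only when the Java VM is available (`Java.available`); otherwise
 * it does nothing.
 *
 * Fixes over the first version: the decrypt hook was labelled
 * "decodeByAES" although it wraps the RSA private-key overload; a local
 * named `String` shadowed the global; `java.lang.String` was resolved on
 * every intercepted call; `printTrace` allocated a Thread just to call
 * the static `currentThread()` and held two unused class handles.
 */
function main() {
  if (!Java.available) {
    return;
  }
  console.log("*********** hook start ************");

  Java.perform(function () {
    var JniUtils = Java.use("com.gdtel.eshore.mss.lib.b.b");
    // Resolve java.lang.String once instead of on every intercepted call.
    var JString = Java.use("java.lang.String");

    // Decrypt overload: (RSAPrivateKey, byte[]) -> byte[].
    // The plaintext is the return value, so decode that.
    JniUtils.a.overload("java.security.interfaces.RSAPrivateKey", "[B").implementation = function (privKey, cipherBytes) {
      console.log("*********** decodeByRSA start ************");
      var plainBytes = this.a(privKey, cipherBytes);
      // Decoded with the platform default charset, as before; pass "UTF-8"
      // as a second $new argument if the app's strings turn out garbled.
      console.log("from data: " + JString.$new(plainBytes));
      return plainBytes;
    };

    // Encrypt overload: (RSAPublicKey, byte[]) -> byte[].
    // The plaintext is the second argument, so decode that, not the result.
    JniUtils.a.overload("java.security.interfaces.RSAPublicKey", "[B").implementation = function (pubKey, plainBytes) {
      console.log("*********** encodeByRSA start ************");
      var cipherBytes = this.a(pubKey, plainBytes);
      console.log("from data: " + JString.$new(plainBytes));
      return cipherBytes;
    };
  });

  /**
   * Logs the current Java thread's stack trace. Intended for ad-hoc use
   * from inside the hooks above (to find the caller of the crypto
   * helper); not invoked by default. Must be called inside Java.perform.
   */
  function printTrace() {
    console.log("****************** printTrace start ***********************");
    // Thread.currentThread() is static: no Thread instance is needed.
    var Thread = Java.use("java.lang.Thread");
    var stack = Thread.currentThread().getStackTrace();
    console.log("Full call stack:");
    for (var i = 0; i < stack.length; ++i) {
      console.log(stack[i].toString());
    }
    console.log("****************** printTrace finish ***********************");
  }
}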
// Defer installing the hooks until the current script evaluation has finished.
setImmediate(function () {
  main();
});
0x03 run
frida -U -l demo.js xxx.xxx.xxx.xxx