This sample is not packed, so you can drop it straight into jadx and see the code, but the core parts fail to decompile. Open it with `jadx-gui --show-bad-code taobao.apk` and they load; the JVM heap needs to be set to 6 GB.
What follows is just a study record. Whatever you use it for, the consequences are your own.
The version I am working with is 10.0.0.
First, capture the traffic with Charles:
GET /gw/mtop.cybertron.follow.detail/3.0/?wua=FKr2_Qv%2B2mzyB7foR6q0PbmkWTFjmSiFIdQ7f%2BS2tZOV3XqRF2dX2zOHSBiGadkBsHmUydGy2cWJLDYFJW1JE99LaP%2BbTFlJTylI%2F1HdvOe8kyNcofducL7wJE24lrQ1vf3iFv5aJ%2B8XeEW6oqrcwaXE1V9Ufy4lsP7MBEkOJjdlGyzj7Q6HEDaPT%2B0jxv%2BUY0VxDBKQ5kp1AANwJVQ%2BP2dSrjoAQoAmib079LaB4UnIQfhuNlK4QCS3nqq5eCUVVOL14DV7r6%2B4gvjivbkdE3BKw93ILXPFe%2BnML6J67E%2FtILMfoM3YtD4FzPNQJSNMY6fVCRH5mJj4V6eBv8%2FyCraZIE8XPm%2FdJr6Q%2Bc6%2BevxDIshv95PphvBBQ9ETF1F%2Fe%2BA1akTSAjlxIV%2FVxjCaiFZy%2FDoVcMvaD%2FZPx0vo444mr91o%3D&data=%7B%22followedId%22%3A%22<redacted>%22%2C%22accountType%22%3A%220%22%2C%22type%22%3A%221%22%7D HTTP/1.1
x-sgext: JAJUIfgIOz15HwLJh6UYiiFlEWYUbQJiF2QSdxBlFHcQeBB4DGANZRZ4EXgReBF4EXgReBF4EXgRdxBiE2wWYhNlEmwCZEcyR2ASNRBtGWxFN0dtFXcQZRR3E2YCMkd3EWQRYQJmAmUCZgJlAmYCZgJlAmUCZRB3FXcTYQJtAmUCZQJkAmQCZAJU
x-social-attr: 3
x-sign: azYBCM003xAAKBrMDt9bQHvMIV2d%2BBrIFrabjg1W1eFHMwrMkNypAAAwCu%2BpXswyKXaQHMpU6OXJci6MuvlefLuMvFgayBrIGugayB
x-sid: 2aa533509d8e17d8fe3f1615e1e4f5ab
A-SLIDER-Q: appKey%3D21646297%26ver%3D1628761075653
x-uid: <redacted-2>
x-nettype: WIFI
x-pv: 6.3
x-disastergrd:
x-nq: WIFI
x-region-channel: CN
x-features: 1051
x-app-conf-v: 0
x-mini-wua: HHnB_tT6Q0gDblLFZtAIS5xoUOUsDSzfBO%2Bs3iDXmXGK%2BFsXh15fo8LCkVmEIfwNyanl5Y6KTHOOgQi7jkoJIrfjkK%2FqEwHNAK9Fnwme7S%2FKROQLXOv%2B8J1Pm%2FHkil%2Fd3A1bYWDqKSlzzvB4ENgEwUUaHseAQabXxT1vlulihicC6yC4%3D
content-type: application/x-www-form-urlencoded;charset=UTF-8
x-t: 1628762523
x-bx-version: 6.5.30
f-refer: mtop
x-extdata: openappkey%3DDEFAULT_AUTH
x-ttid: 1552981757354%40taobao_android_10.0.0
x-app-ver: 10.0.0
x-c-traceid: YKpv7Gdb8ZQDAGH3eulrdvV71628762523187057616603
a-orange-dq: appKey=21646297&appVersion=10.0.0&clientAppIndexVersion=1120210812174700337
x-ua: Mozilla%2F5.0+%28Linux%3B+U%3B+Android+11%3B+zh-CN%3B+KB2000+Build%2FRP1A.201005.001%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Chrome%2F69.0.3497.100+UWS%2F3.22.1.130+Mobile+Safari%2F537.36+AliApp%28TB%2F10.0.0%29+UCBS%2F2.11.1.1+TTID%2F1552981757354%40taobao_android_10.0.0+WindVane%2F8.5.0
x-umt: NSAAkHBLPPj2wAJ7ORAFp9s9yfvKXZWS
x-utdid: YKpv7Gdb8ZQDAGH3eulrdvV7
c-launch-info: 3,0,1628762523187,1628762176150,1
x-appkey: 21646297
x-page-url: about%3Ablank
x-page-name: com.alibaba.triver.container.TriverMainActivity
x-devid: 4yvwe9o3H23GwGeWt3j1HjeSIZ15db-YPGmvH-gPggbY49Ji5LBhmbIqox1H2Wec
user-agent: MTOPSDK%2F3.1.1.7+%28Android%3B11%3BOnePlus%3BKB2000%29
Host: guide-acs.m.taobao.com
Accept-Encoding: gzip
Connection: Keep-Alive
x-sign, x-sgext and x-mini-wua are the parameters that look encrypted or signed, so search for them in jadx.
jadx needs two settings here:
- --show-bad-code
- heap memory set to 6 GB or more
Comparing against the capture leads to the buildParams method of mtopsdk.mtop.protocol.builder.impl.InnerProtocolParamBuilderImpl. Reading the code, you will notice that its return value does not necessarily contain the encrypted parameters, but the hashMap2 passed to
innerProtocolParamBuilderImpl.buildExtParams(aVar, hashMap2);
always does.
First confirm it with objection:
android hooking watch class mtopsdk.mtop.protocol.builder.impl.InnerProtocolParamBuilderImpl
Tap around in the app a bit to confirm that this code path is actually hit.
Then write a script to check the returned parameters:
function hookbuildParams() {
  Java.perform(function () {
    var InnerProtocolParamBuilderImpl = Java.use('mtopsdk.mtop.protocol.builder.impl.InnerProtocolParamBuilderImpl');
    InnerProtocolParamBuilderImpl.buildParams.implementation = function (a) {
      // call the original, dump the map it returns, then pass it through unchanged
      var res = this.buildParams(a);
      printHashMap(res);
      return res;
    };
  });
}

function printHashMap(params_hm) {
  // cast to java.util.HashMap so toString() gives the {k=v, k=v} form
  var HashMap = Java.use('java.util.HashMap');
  var args_map = Java.cast(params_hm, HashMap);
  console.log(args_map.toString());
}
The return value seems to contain what we are after:
{x-sgext=JAL17jep9Jy2vs1oSATXK+7E3sfbzM3H3MDXwM3D1tbf2d/Zw8bCw8LFwsXCxcLFwsXCxcLFwsXNxNjH1sLYxtbG2Nbek4iT2sKPxNfN1pGNk9fBzcLf1tzDzZOI1t7F3sDNx83EzcTNxM3EzcfNxM3EzcPNx82QzcHNxc3FzcXNxc3FzfU=, nq=null, data={}, pv=6.3, sign=azYBCM003xAAKEjSTlm03ofETC2cmEjYRKbJnl9Gh/EbikjRT9z7F8e0SP/7SUiCNWuUR/R9kYFrYnyc6OkMbOmc7kgY2EjYSOhI2E, deviceId=4yvwe9o3H23GwGeWt3j1HjeSIZ15db-YPGmvH-gPggbY49Ji5LBhmbIqox1H2Wec, sid=2aa533509d8e17d8fe3f1615e1e4f5ab, uid=2953779730, x-features=27, x-app-conf-v=0, x-mini-wua=HHnB_seIrg0gK42HG+2BnkdCKB3/qFuBB8lSqkopKWZB26nBFTeNRjBPyRgV3od+EaglifZwuG8SSOCsShl2rKSjNmvJ3Z3XIZ6M2R18bKKOOR7ZxDge2jVK2GYBoJ5A4IKRGp+m/oEg6WkQ7gYuYR1g+kcsdtqIv6JKJo/gmwhdep68=, appKey=21646297, api=mtop.taobao.edgecomputer.query, umt=NSAAkHBLPPj2wAJ7ORAFp9s9yfvKXZWS, f-refer=mtop, utdid=YKpv7Gdb8ZQDAGH3eulrdvV7, netType=WIFI, x-app-ver=10.0.0, extdata=openappkey=DEFAULT_AUTH, x-c-traceid=YKpv7Gdb8ZQDAGH3eulrdvV716287641733490454122595, ttid=1552981757354@taobao_android_10.0.0, t=1628764173, v=1.0, x-page-url=http://h5.m.taobao.com/weex/viewpage.htm, x-page-name=com.taobao.weex.WXActivity, user-agent=MTOPSDK/3.1.1.7 (Android;11;OnePlus;KB2000)}
x-sgext and x-mini-wua are there; x-sign is not, but a closer look at the code and a comparison with the captured request shows that sign is x-sign. So all we need to do is analyse this pile of values carefully to get the result.
Following the code from there, the trace goes like this:
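The two comparisons made above, "which headers look encrypted" and "which hooked-map key corresponds to which request header", can be done mechanically. The following is an added example, not code from the original write-up: it parses a Charles-style header block, parses the `{k=v, k=v}` output of `HashMap.toString()` without breaking on the commas and braces inside the `data` JSON, matches map keys to headers after normalising the `x-` prefix and case (so `sign` pairs with `x-sign` and `netType` with `x-nettype`), and flags the long, high-entropy values that are worth tracing back to a signing routine. The header lines and the map dump are constructed, shortened stand-ins for the ones shown on this page.

```python
"""Pair hooked-map keys with captured headers and flag opaque (signature-like) values.
Added example; the sample data below is constructed and shortened."""
import math
import re
from urllib.parse import unquote_plus

# Constructed sample: header lines as Charles shows them (values shortened).
CAPTURED_HEADERS = """\
x-sgext: JAJUIfgIOz15HwLJh6UYiiFlEWYUbQJiF2QSdxBlFHcQeBB4DGANZRZ4EXgR
x-sign: azYBCM003xAAKBrMDt9bQHvMIV2d%2BBrIFrabjg1W1eFHMwrMkNypAAAwCu
x-sid: 2aa533509d8e17d8fe3f1615e1e4f5ab
x-nettype: WIFI
x-pv: 6.3
x-features: 1051
x-mini-wua: HHnB_tT6Q0gDblLFZtAIS5xoUOUsDSzfBO%2Bs3iDXmXGK%2BFsXh15fo8LCkVmE
x-t: 1628762523
f-refer: mtop
x-appkey: 21646297
"""

# Constructed sample of HashMap.toString() as printed by the Frida hook.
# The data= value carries nested quotes, braces and commas of its own.
HOOKED_MAP = ('{x-sgext=JAL17jep9Jy2vs1oSATXK+7E3sfbzM3H3MDXwM3D1tbf2d/Zw8bCw8LFwsXC, '
              'nq=null, data={"cookie":"sm4=;hng=","url":"https://x/y?a=1,2"}, pv=6.3, '
              'sign=azYBCM003xAAKEjSTlm03ofETC2cmEjYRKbJnl9Gh/EbikjRT9z7F8e0SP, '
              'sid=2aa533509d8e17d8fe3f1615e1e4f5ab, x-features=27, '
              'x-mini-wua=HHnB_seIrg0gK42HG+2BnkdCKB3/qFuBB8lSqkopKWZB26nBFTeNRjBPyRgV, '
              'appKey=21646297, netType=WIFI, t=1628764173, v=1.0}')


def parse_headers(raw: str) -> dict:
    """Header lines -> {lower-cased name: url-decoded value}."""
    out = {}
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        if name:
            out[name.strip().lower()] = unquote_plus(value.strip())
    return out


def parse_java_map(s: str) -> dict:
    """Parse the '{k=v, k=v}' form of java.util.HashMap.toString().
    Splits on ', ' only at brace depth 0 and outside double quotes, so a JSON
    blob stored as a value survives intact."""
    body = s.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("not a HashMap.toString() dump")
    body = body[1:-1]
    entries, depth, in_str, start, i = [], 0, False, 0, 0
    while i < len(body):
        c = body[i]
        if c == '"':
            in_str = not in_str
        elif not in_str and c in "{[":
            depth += 1
        elif not in_str and c in "}]":
            depth -= 1
        elif not in_str and depth == 0 and body.startswith(", ", i):
            entries.append(body[start:i])
            i += 2
            start = i
            continue
        i += 1
    entries.append(body[start:])
    out = {}
    for e in entries:
        k, _, v = e.partition("=")  # the first '=' separates key from value
        out[k.strip()] = v
    return out


def canon(name: str) -> str:
    """Normalise a key for matching: lower-case, drop an 'x-' prefix and punctuation."""
    n = name.lower()
    if n.startswith("x-"):
        n = n[2:]
    return re.sub(r"[^a-z0-9]", "", n)


def shannon_entropy(value: str) -> float:
    """Bits per character of the value's symbol distribution."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def match_keys(headers: dict, hooked: dict) -> dict:
    """Map each hooked-map key to the captured header it corresponds to, or None."""
    by_canon = {canon(h): h for h in headers}
    return {k: by_canon.get(canon(k)) for k in hooked}


def opaque_headers(headers: dict, min_len: int = 40, min_bits: float = 4.0) -> list:
    """Headers whose value is long and high-entropy: base64/url-safe blobs sit well
    above 4 bits per character, while hex ids, timestamps and flags fall below."""
    return sorted(h for h, v in headers.items()
                  if len(v) >= min_len and shannon_entropy(v) >= min_bits)


if __name__ == "__main__":
    hdrs = parse_headers(CAPTURED_HEADERS)
    hooked = parse_java_map(HOOKED_MAP)
    print("opaque headers:", opaque_headers(hdrs))
    for k, h in match_keys(hdrs, hooked).items():
        print(f"{k:12} -> {h}")
```

The key-matching step is what turns "x-sign is missing from the dump" into "sign is x-sign": the SDK builds the map with short names and the transport layer prefixes them, so normalising the prefix away before comparing is enough for the rest of the pairing too.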
- String str17 = a4.get("x-sgext");
- HashMap<String, String> a4 = nxp.a(hashMap4, hashMap5, str4, str5, z2, str8); -> nxp nxp = this.mtopConfig.sign; // nxp is an interface, so we have to find the implementing class (a search for "implements nxp" finds it directly)
- public volatile nxp sign;
- nxp nxp = mtopConfig.sign;
  if (nxp == null) {
      nxp = new nxq();
  }
From this the inheritance chain is nxq -> nxo -> nxp, so we hook nxq.a(hashMap4, hashMap5, str4, str5, z2, str8).
That gets us here:
function hookNxq() {
  Java.perform(function () {
    var nxq = Java.use('tb.nxq');
    // pick the six-argument overload that buildParams calls; printHashMap is the helper from above
    nxq.a.overload('java.util.HashMap', 'java.util.HashMap', 'java.lang.String', 'java.lang.String', 'boolean', 'java.lang.String').implementation = function (hashMap4, hashMap5, str4, str5, z2, str8) {
      var res = this.a(hashMap4, hashMap5, str4, str5, z2, str8);
      printHashMap(hashMap4);
      printHashMap(hashMap5);
      console.log("---------------------------------------");
      return res;
    };
  });
}
Among the flood of requests, find the one whose data matches the request that triggered it first:
hashMap4:
{data={"cookie":"sm4=;hng=","device":"phone","url":"https://pages.tmall.com/wow/a/act/tmall/dailygroup/772/wupr?spm=a215bq.14368636.8121807670.1&wh_pid=daily-214884&juId=10004258851818"}, deviceId=5yvwe9o3H2<redacted>eSIZ15db-YPGmvH-gPggbY49Ji5LBhmbIqox1H2Wec, sid=5aa533509d8e1758fe3f1615e1e4f5ab, uid=<redacted>, x-features=27, appKey=21646297, api=mtop.tmall.kangaroo.core.service.route.pagerecommendservice, utdid=YKpv7Gdb8ZQDAGH3eulrdvV7, extdata=openappkey=DEFAULT_AUTH, ttid=1552981757354@taobao_android_10.0.0, t=1628833728, v=1.0}
hashMap5:
{pageId=http://pages.tmall.com/wow/a/act/tmall/dailygroup/772/wupr, pageName=com.taobao.browser.BrowserActivity}
Now format that data, feed it back in, and see whether what comes out matches the request.
The object
private IUnifiedSecurityComponent f = null;
has to be filled in first:
this.f = (IUnifiedSecurityComponent) SecurityGuardManager.getInstance(mtopConfig.context).getInterface(IUnifiedSecurityComponent.class);
if (this.f != null) {
    this.f.init(hashMap2);
} else if (TBSdkLog.isLogEnable(TBSdkLog.LogEnable.InfoEnable)) {
    TBSdkLog.e("mtopsdk.InnerSignImpl", c() + " [initMiddleTier]init sign failed");
}
In the neighbouring method b you will see this filled in automatically, but not in a, so we fill it in by hand.
While poking around, the question comes up: where did the implementation class of IUnifiedSecurityComponent go? That is when dynamic dex loading should come to mind:
- hook dalvik.system.PathClassLoader / dalvik.system.DexClassLoader
- walk the class loaders with enumerateClassLoaders
- you will find that what gets loaded has a .so suffix; dump those files and drop them into 010 Editor and they turn out to be APKs; unzip them and there are dex files inside
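The last bullet is the usual "file extension lies" situation: a file handed to a class loader under a `.so` name is identified by its magic bytes, not its name. The block below is an added example, not code from the write-up, that does the 010-Editor check programmatically: it sniffs a dumped blob for the ZIP (`PK\x03\x04`), DEX (`dex\n`) and ELF (`\x7fELF`) signatures, lists the `.dex` members when the blob is really a ZIP, and sniffs each member in turn. The sample `libfake.so` is constructed in memory; its `classes.dex` members carry only a DEX header prefix so that the type check has something to recognise.

```python
"""Identify dumped class-loader inputs by magic bytes and list any dex they carry.
Added example; the sample 'libfake.so' is constructed in memory."""
import io
import zipfile

# (magic prefix, label); order matters only in that the first match wins
MAGICS = [
    (b"PK\x03\x04", "zip/apk"),
    (b"dex\n", "dex"),
    (b"\x7fELF", "elf"),
]


def sniff(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring whatever name it was stored under."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def dex_members(data: bytes) -> list:
    """Names of .dex entries inside a ZIP/APK; empty if the blob is not a ZIP."""
    if sniff(data) != "zip/apk":
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(n for n in zf.namelist() if n.lower().endswith(".dex"))


def inspect(name: str, data: bytes) -> dict:
    """Per dumped file: the type its name claims, the type its bytes show,
    the dex members it contains and what those members sniff as."""
    members = dex_members(data)
    member_types = []
    if members:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            member_types = [sniff(zf.read(m)) for m in members]
    return {
        "name": name,
        "claims": name.rsplit(".", 1)[-1],
        "actual": sniff(data),
        "dex_members": members,
        "member_types": member_types,
    }


def build_sample_so() -> bytes:
    """Constructed sample: a ZIP that would be delivered as 'libfake.so'.
    The dex members contain only a 'dex\\n035\\0' header prefix plus padding."""
    dex_header = b"dex\n035\x00" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex_header)
        zf.writestr("classes2.dex", dex_header)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Two constructed dumps: one real-looking ELF and one ZIP-in-.so
    samples = {
        "libreal.so": b"\x7fELF" + b"\x00" * 60,
        "libfake.so": build_sample_so(),
    }
    for name, blob in samples.items():
        print(inspect(name, blob))
```

Running `inspect` over a directory of dumped files gives the same answer the hex editor gave, but for every file at once, and the `claims` versus `actual` mismatch is exactly the signal that a loader is being fed code under a disguised name.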
Got a bit worn out at this point; I will pick it up again next time.