记一次学习过程：需要解密 "sign" 字段，得到其算法
- com.sichuanol.cbgc 川报观察
- so层 算法
- md5
1. 需解密对象
- sign 字段
2. 搜索sign
- 定位到 java 关键函数
3. hook java层
- hook 关键函数
- 主动调用
4. frida hook so
- v30 是 MD5Digest 的返回值
- get32MD5String：v30 传给了 29，下面还直接输出出来了，都是系统函数，直接上 as 看看
- 最后 hook下 MD5Digest
- 结果一致 收工
5. hook.js代码
// Script entry: print a banner, install the native (so) hooks, print a trailer.
// The Java-layer hook is left available but disabled, exactly as in the original flow.
const bannerRule = "--------------------";
console.log(bannerRule);
console.log("com.sichuanol.cbgc"); // target package; the app's Chinese name is 川报观察
console.log("start...");
// hook_java();
hook_so();
console.log("end...");
console.log(bannerRule);
/**
 * Print the current Java call stack to the console.
 * Creates a fresh java.lang.Exception and formats it with
 * android.util.Log.getStackTraceString; intended to be called from inside a
 * hooked Java method (see the commented-out call in hook_java).
 */
function showStacks() {
  const Log = Java.use("android.util.Log");
  const JavaException = Java.use("java.lang.Exception");
  const trace = Log.getStackTraceString(JavaException.$new());
  console.log(trace);
}
/**
 * Replace com.sichuanol.cbgc.util.SignManager.getSign with a logging wrapper.
 * The wrapper prints the three arguments, delegates to the original
 * implementation, prints the return value and hands it back unchanged.
 */
function hook_java() {
  Java.perform(() => {
    const SignManager = Java.use("com.sichuanol.cbgc.util.SignManager");
    // Must stay a `function` expression: `this` is the Java instance being hooked.
    SignManager.getSign.implementation = function (a, b, c) {
      // showStacks(); // enable to see who calls getSign
      [a, b, c].forEach((argValue, idx) => {
        console.log(`getSign param${idx + 1}: `, argValue);
      });
      const result = this.getSign(a, b, c);
      console.log("getSign retval: ", result);
      return result;
    };
  });
}
/**
 * Call SignManager.getSign directly with fixed arguments ("", "" and the
 * string "1621015071963", which looks like a millisecond timestamp) and print
 * the result, so it can be compared with the value seen through hook_java.
 */
function call_java() {
  Java.perform(() => {
    const SignManager = Java.use("com.sichuanol.cbgc.util.SignManager");
    const signValue = SignManager.getSign("", "", "1621015071963");
    console.log("call_java sign: ", signValue);
  });
}
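/**
 * Attach to the two exported MD5 helpers in libwtf.so and log their inputs and
 * outputs so the native part of the sign computation can be observed.
 *
 * The mangled export names suggest the signatures
 * MD5Digest(const char*, unsigned long, char*) and get32MD5String(char*, char*):
 *   _Z9MD5DigestPKcmPc     - args[0] is dumped as hex and as a C string, args[1]
 *                            is printed as an int32, args[2] is saved and its
 *                            first 16 bytes are dumped after the call returns.
 *   _Z14get32MD5StringPcS_ - args[0] is dumped on entry; args[1] is saved and
 *                            dumped as hex and as a C string after the call.
 *
 * Throws an Error naming the missing symbol when either export cannot be
 * resolved, instead of letting Interceptor.attach fail on a null pointer.
 */
function hook_so() {
  const LIB = "libwtf.so";

  // Module.findExportByName returns null when the symbol is absent (library not
  // loaded yet, stripped, or renamed); fail with a clear message in that case.
  const requireExport = (symbol) => {
    const address = Module.findExportByName(LIB, symbol);
    if (address === null) {
      throw new Error(`${LIB}: export ${symbol} not found`);
    }
    return address;
  };

  Interceptor.attach(requireExport("_Z9MD5DigestPKcmPc"), {
    onEnter(args) {
      console.log("MD5Digest onEnter args[0]: hexdump \n", hexdump(args[0]));
      console.log("MD5Digest onEnter args[0]: readCString ", args[0].readCString());
      console.log("MD5Digest onEnter args[1]: toInt32 ", args[1].toInt32());
      this.arg2 = args[2]; // presumably the output buffer; inspected in onLeave
    },
    onLeave() {
      // Original note: the function has no return value, so only the
      // 16-byte buffer behind args[2] is shown.
      console.log("MD5Digest onLeave this.arg2: \n", hexdump(this.arg2, { length: 16 }));
    },
  });

  Interceptor.attach(requireExport("_Z14get32MD5StringPcS_"), {
    onEnter(args) {
      console.log("get32MD5String onEnter args[0]: hexdump \n", hexdump(args[0])); // original note: the 32-char string
      this.arg1 = args[1]; // presumably the output buffer; inspected in onLeave
    },
    onLeave() {
      // Original note: no return value; the result is read back from args[1].
      console.log("get32MD5String onLeave this.arg1: hexdump \n", hexdump(this.arg1));
      console.log("get32MD5String onLeave this.arg1: readCString ", this.arg1.readCString());
    },
  });
}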