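Preface
1. Unidbg project: https://github.com/zhkl0228/unidbg
2. Challenges 8 and 9 are solved in exactly the same way; challenge 9 is used as the example here.
APK analysis
First capture the traffic: the token turns out to be encrypted. Packet capture is not the focus of this article, so it is skipped. Then open the APK in jadx and search for 【"token"】; there is only one hit.
Open it and look up its usages: the encryption is done by the 【Encrypt.encrypt】 method.
Following that method further shows that it calls the native encrypt method to do the encryption.
The parameter passed in is the fixed value 【/api/movie】.
Calling it with Unidbg
Next, use Unidbg to call this .so file and generate the token. Extract 【libnative.so】 from the APK and put it in the so directory under the root of the Unidbg project.
Create a class named ScrapeCenter09 (the class name is arbitrary) in the com.bytedance.frameworks.core.encrypt directory. The calling code is below.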
    package com.bytedance.frameworks.core.encrypt;

    import com.github.unidbg.AndroidEmulator;
    import com.github.unidbg.Module;
    import com.github.unidbg.linux.android.AndroidEmulatorBuilder;
    import com.github.unidbg.linux.android.AndroidResolver;
    import com.github.unidbg.linux.android.dvm.DalvikModule;
    import com.github.unidbg.linux.android.dvm.DvmClass;
    import com.github.unidbg.linux.android.dvm.StringObject;
    import com.github.unidbg.linux.android.dvm.VM;
    import com.github.unidbg.memory.Memory;
    import net.dongliu.requests.Requests;

    import java.io.File;
    import java.io.IOException;

    public class ScrapeCenter09 {
        private final AndroidEmulator emulator;
        private final VM vm;
        private final Module module;
        private final DvmClass TTEncryptUtils;

        public ScrapeCenter09(boolean logging) {
            // 32-bit ARM emulator; no process name is set
            emulator = AndroidEmulatorBuilder.for32Bit().setProcessName(null).build();
            final Memory memory = emulator.getMemory();
            // Resolve Android system libraries for API level 23
            memory.setLibraryResolver(new AndroidResolver(23));
            // Create the Dalvik VM without an APK file
            vm = emulator.createDalvikVM(null);
            vm.setVerbose(logging);
            // Load the library extracted from the APK (path relative to the project root)
            DalvikModule dm = vm.loadLibrary(new File("so/libnative.so"), false);
            // Run JNI_OnLoad so the library can do its own initialisation
            dm.callJNI_OnLoad(emulator);
            module = dm.getModule();
            // Java class that declares the native encrypt method
            TTEncryptUtils = vm.resolveClass("com/goldze/mvvmhabit/utils/NativeUtils");
        }

        public void destroy() throws IOException {
            emulator.close();
        }

        public static void main(String[] args) throws Exception {
            ScrapeCenter09 test = new ScrapeCenter09(true);
            test.ttEncrypt();
            test.destroy();
        }

        public void ttEncrypt() {
            // Call the native encrypt method with the fixed argument "/api/movie"
            StringObject encryptdata = TTEncryptUtils.callStaticJniMethodObject(emulator,
                    "encrypt(Ljava/util/List;)Ljava/lang/String;",
                    vm.addLocalObject(new StringObject(vm, "/api/movie"))
            );
            String token = encryptdata.getValue();
            // Request the movie list with the generated token
            String url = "https://app9.scrape.center/api/movie/?offset=0&limit=10&token=" + token;
            String response = Requests.get(url).timeout(10000).send().readToText();
            System.out.println(response);
        }
    }
Run it and check the result
The token is computed correctly and the request returns its content successfully.
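
The class path given to resolveClass and the method descriptor above determine which native function the call reaches. The following added example (not code from the original post or from the Unidbg project) derives the export names that the JNI specification defines for a statically bound native method, so they can be compared with the export table of libnative.so. The class JniSymbolName and its methods are hypothetical helpers, and static binding is an assumption the post does not confirm: if neither name is exported, the library binds the method through RegisterNatives in JNI_OnLoad.

```java
// Added example: JNI native-method name mangling as defined by the JNI specification.
public class JniSymbolName {

    // Escape one component (class name, method name or argument descriptor).
    static String mangle(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '/' || c == '.') {
                sb.append('_');                  // package separator
            } else if (c == '_') {
                sb.append("_1");                 // literal underscore
            } else if (c == ';') {
                sb.append("_2");                 // end of an object type in a descriptor
            } else if (c == '[') {
                sb.append("_3");                 // array marker in a descriptor
            } else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9')) {
                sb.append(c);
            } else {
                // Any other character (for example '$' in inner classes): _0 + 4 lowercase hex digits
                sb.append(String.format("_0%04x", (int) c));
            }
        }
        return sb.toString();
    }

    // Short name: the export used when the native method is not overloaded.
    static String shortName(String cls, String method) {
        return "Java_" + mangle(cls) + "_" + mangle(method);
    }

    // Long name: short name + "__" + the mangled argument part of the descriptor.
    static String longName(String cls, String method, String descriptor) {
        String args = descriptor.substring(descriptor.indexOf('(') + 1,
                                           descriptor.indexOf(')'));
        return shortName(cls, method) + "__" + mangle(args);
    }

    public static void main(String[] argv) {
        // Class path and descriptor exactly as they appear in the post's code
        String cls = "com/goldze/mvvmhabit/utils/NativeUtils";
        String desc = "(Ljava/util/List;)Ljava/lang/String;";
        System.out.println(shortName(cls, "encrypt"));
        System.out.println(longName(cls, "encrypt", desc));
    }
}
```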