Coolapk (Kuan) App X-App-Token reverse analysis (latest version 10.5.3)

Coolapk X-App-Token reverse analysis

For research and learning only. Applying these techniques for improper purposes is forbidden. If this infringes on anyone's privacy or rights, please contact me and I will remove it immediately.

1, Foreword

I had some free time, so today let's look at what makes capturing data from the Coolapk app difficult. If you have no background in this, the article may not be for you; I suggest reading parts one to seven of my other Android reverse engineering articles first. If you come back after that, this one will be less confusing, because many of the things used here were covered earlier and are not explained again in detail.

2, Prepare

An Android phone. An emulator is not recommended; it causes many problems
Coolapk App (10.5.3)
FDex2 (unpacking)
Xposed (hooking)
Charles (packet capture; any capture tool you are comfortable with works)
Jadx (analysing the apk package)
IDA (static and dynamic analysis of the .so file)
Frida (hooking)

3, App analysis

1. Packet capture
url: https://api.coolapk.com/v6/main/indexV8?page=2&firstLaunch=0&installTime=1606745738002&lastItem=13988
headers: 
User-Agent	Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 6P Build/MMB29M) (#Build; google; Nexus 6P; MMB29M; 6.0.1) +CoolMarket/10.5.3-2009271
X-Sdk-Int	23
X-App-Id	com.coolapk.market
X-App-Token	c1c8fbb158ddf11f698ee7e545f5ea2b34de7eef-8400-3300-8922-a1a34e7b9b4f0x5fc50882
X-App-Version	10.5.3
X-App-Code	2009271
X-Api-Version	10
X-App-Device	QZDIzVHel5EI7UGbn92bnByOpV2dhVHSgszQyoTMzoDM2oTQCpDMwoDNyAyOsxWduByO2ADO4kjNxIDM2gjN3YDOgsDZiBTYykzYkZDNlBzY0ITZ
X-Dark-Mode	0
Accept-Encoding	gzip 

Make several requests and compare the header values. Only X-App-Token changes from one request to the next; every other header is constant for a given device and build. So X-App-Token is the parameter we need to reverse, to find out how it is generated.
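Before decompiling anything it is worth automating that comparison and looking hard at the one value that changes. The script below is an added example for this write-up (not from the original post and not the app's own code): it diffs several captured header sets to find the headers that vary, then splits X-App-Token at the field boundaries that are visible in the captures (32 hex characters, a UUID-shaped id, and 0x followed by hex) and decodes the last part as a unix timestamp. The first capture is the one shown above; the other two are constructed so that only X-App-Token differs. The split is a hypothesis to check against the decompiled code, not a fact of the protocol.

```python
import re
from datetime import datetime, timezone

# Headers from the capture above. The three captures are constructed for this
# example: only X-App-Token differs between them.
COMMON = {
    "User-Agent": "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 6P Build/MMB29M) "
                  "(#Build; google; Nexus 6P; MMB29M; 6.0.1) +CoolMarket/10.5.3-2009271",
    "X-Sdk-Int": "23",
    "X-App-Id": "com.coolapk.market",
    "X-App-Version": "10.5.3",
    "X-App-Code": "2009271",
    "X-Api-Version": "10",
    "X-Dark-Mode": "0",
    "Accept-Encoding": "gzip",
}
DEVICE = "34de7eef-8400-3300-8922-a1a34e7b9b4f"
CAPTURES = [
    {**COMMON, "X-App-Token": "c1c8fbb158ddf11f698ee7e545f5ea2b" + DEVICE + "0x5fc50882"},  # real capture above
    {**COMMON, "X-App-Token": "00112233445566778899aabbccddeeff" + DEVICE + "0x5fc50890"},  # constructed
    {**COMMON, "X-App-Token": "ffeeddccbbaa99887766554433221100" + DEVICE + "0x5fc508a1"},  # constructed
]


def varying_headers(captures):
    """Return {header: [value per capture]} for every header whose value is not
    identical across all captures (a header missing from one capture counts as
    a differing value)."""
    names = set()
    for c in captures:
        names.update(c)
    out = {}
    for name in sorted(names):
        values = [c.get(name) for c in captures]
        if len(set(values)) > 1:
            out[name] = values
    return out


TOKEN_RE = re.compile(
    r"^(?P<digest>[0-9a-f]{32})"                                           # MD5-sized hex run
    r"(?P<device>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"  # UUID shape
    r"0x(?P<ts>[0-9a-f]+)$")                                              # 0x + hex


def split_token(token):
    """Split the token at the field boundaries visible in the captures and decode
    the trailing hex as unix seconds. Returns None if the shape does not match."""
    m = TOKEN_RE.match(token)
    if not m:
        return None
    ts = int(m["ts"], 16)
    return {
        "digest": m["digest"],
        "device_id": m["device"],
        "timestamp": ts,
        "utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    for name, values in varying_headers(CAPTURES).items():
        print(name)
        for v in values:
            print("  ", v, split_token(v))
```

The decoded timestamp of the captured token lands a few tens of minutes after the installTime value in the same request, which is the first hint that the trailing field is the request time rather than a random nonce.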

2. Check for packing

Decompile the apk:

apktool d <app>.apk

Look at the .so files under lib/ to identify which packer (reinforcement) is used. My earlier article, "Android reverse (IV) -- reverse analysis of a force broadcast App signature (shelling)", covers how to identify the packer and how to unpack.

This app is protected with the Legu (乐固) packer. We dumped the DEX files with FDex2:

-rw-r--r--  1 ***  staff    54272 12  1 10:55 com.coolapk.market54272.dex
-rw-r--r--  1 ***  staff  6732492 12  1 10:56 com.coolapk.market6732492.dex
-rw-r--r--  1 ***  staff  8247132 12  1 10:56 com.coolapk.market8247132.dex
-rw-r--r--  1 ***  staff  8946968 12  1 10:56 com.coolapk.market8946968.dex
-rw-r--r--  1 ***  staff  9082720 12  1 10:56 com.coolapk.market9082720.dex

These are the DEX files dumped by FDex2. A useful trick: look at the larger files first, since they are usually the ones we want. Here that is com.coolapk.market9082720.dex.
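Picking by size only helps if the dump is actually complete; a memory dump cut off mid-way is still large. The script below is an added example for this write-up (not part of the original post or of FDex2): it checks each dumped file against the standard dex header (magic at offset 0, Adler-32 checksum at 8 covering everything after it, file_size at 32, header_size at 36, endian_tag at 40, header 0x70 bytes long), compares the declared file_size with the real size, and ranks the intact files largest-first. The "dumps" it inspects are constructed in build_dex(); the file names are placeholders.

```python
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"   # followed by a 3-digit version and a NUL, e.g. b"035\0"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678


def build_dex(payload: bytes, version: bytes = b"035") -> bytes:
    """Constructed minimal dex for this example: a valid 0x70-byte header whose
    file_size and Adler-32 checksum are consistent, followed by opaque payload."""
    header = bytearray(HEADER_SIZE)
    header[0:8] = DEX_MAGIC_PREFIX + version + b"\0"
    struct.pack_into("<I", header, 32, HEADER_SIZE + len(payload))  # file_size
    struct.pack_into("<I", header, 36, HEADER_SIZE)                 # header_size
    struct.pack_into("<I", header, 40, ENDIAN_CONSTANT)             # endian_tag
    data = bytes(header) + payload
    checksum = zlib.adler32(data[12:]) & 0xFFFFFFFF   # covers everything after the checksum field
    return data[:8] + struct.pack("<I", checksum) + data[12:]


def inspect_dex(data: bytes) -> dict:
    """Check magic, declared file_size against the real size, and the header
    checksum. A dump that fails file_size was cut short (or padded); one that
    passes file_size but fails the checksum was altered after the header was
    written, e.g. a patched or corrupted dump."""
    info = {"size": len(data), "is_dex": False, "complete": False,
            "checksum_ok": False, "intact": False}
    if len(data) < HEADER_SIZE or data[:4] != DEX_MAGIC_PREFIX or data[7] != 0:
        return info
    info["is_dex"] = True
    info["version"] = data[4:7].decode("ascii", "replace")
    stored_checksum, = struct.unpack_from("<I", data, 8)
    declared_size, = struct.unpack_from("<I", data, 32)
    info["declared_size"] = declared_size
    info["complete"] = declared_size == len(data)
    info["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == stored_checksum
    info["intact"] = info["complete"] and info["checksum_ok"]
    return info


def rank_dumps(dumps: dict) -> list:
    """Order dumps so intact dex files come first, largest first; broken or
    non-dex blobs sink to the bottom with their diagnosis attached."""
    rows = [(name, inspect_dex(blob)) for name, blob in dumps.items()]
    rows.sort(key=lambda r: (not r[1]["intact"], -r[1]["size"]))
    return rows


# Constructed stand-ins for FDex2's output directory (placeholder names).
GOOD_BIG = build_dex(b"\x00" * 9000)
GOOD_SMALL = build_dex(b"\x00" * 500)
TRUNCATED = GOOD_BIG[:-1000]            # dump cut off before the end
JUNK = b"not a dex file at all" * 20    # something else that landed in the folder
DUMPS = {"big.dex": GOOD_BIG, "small.dex": GOOD_SMALL,
         "truncated.dex": TRUNCATED, "junk.bin": JUNK}

if __name__ == "__main__":
    for name, info in rank_dumps(DUMPS):
        print(f"{name:16} size={info['size']:6} dex={info['is_dex']} "
              f"complete={info['complete']} checksum_ok={info['checksum_ok']}")
```

On a real dump directory, replace DUMPS with a dict built by reading each file's bytes; jadx will often still open a truncated dex, but methods whose code lies past the cut are silently missing, which is exactly the situation where a "cannot find getAS" search result is misleading.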

4, X-App-Token analysis

1. Analyse the package with jadx and locate X-App-Token

After unpacking, open the dumped DEX file com.coolapk.market9082720.dex in jadx and search globally for the string X-App-Token.

Look upward from the hit to see where the value as comes from.

Tracing as leads to a getAS method. Right-click to jump to its definition and it cannot be found; a global search does not find it either. The method is probably not in this DEX file. Opening the other DEX files, it turns out to be in com.coolapk.market8247132.dex.

There the method is declared native, so its body lives in a .so file, libnative-lib.so. Find that file under the lib/ directory and open it in IDA for static analysis.

2. IDA + Frida analysis of libnative-lib.so

Open libnative-lib.so in IDA and look for getAS in the function list.

getAS does not show up in IDA's function list because it is registered manually (via RegisterNatives in JNI_OnLoad) rather than exported under the Java_... JNI naming convention. In JNI_OnLoad you can see a similarly named function, getAuthString, being registered; that is the implementation of getAS. Open it and press F5 to decompile the assembly to C.


For this kind of reverse analysis, read the function from the back towards the front: the return v17 at the end is the X-App-Token we want. I will not write up the detailed analysis of this function here; it is tedious, and anyone who can read the C code can follow it. The outline of the cracking logic is:
a. Two operations stand out in the function: Base64 (b64) and MD5
b. Hook the b64 routine with Frida and print the string being encoded
c. Go back to the IDA static analysis to work out how that string is assembled
d. The token is put together roughly as follows:

arg1 = "token://com.coolapk.market/c67ef5943784d09750dcfbb31020f0ab?"  # fixed string
arg2 = ""                                                              # MD5 of the unix timestamp (seconds)
arg3 = "34de7eef-8400-3300-8922-a1a34e7b9b4f"                          # device_id
arg4 = "com.coolapk.market"                                            # fixed string (package name)

b64_res = b64(arg1 + arg2 + "$" + arg3 + "&" + arg4)   # concatenate, then Base64-encode
md5_res = md5(b64_res)                                  # then MD5 the Base64 output

token = md5_res + device_id + hex(timestamp)            # hex timestamp with "0x" prefix, e.g. 0x5fc50882

5, Code verification

Here is the code:

import requests
import hashlib
import base64
import time

device_id = "34de7eef-8400-3300-8922-a1a34e7b9b4f"   # device id taken from the captured token

ctime = int(time.time())                               # unix time in seconds
md5_timestamp = hashlib.new('md5', str(ctime).encode()).hexdigest()

# fixed prefix + md5(timestamp) + "$" + device_id + "&" + package name
arg1 = "token://com.coolapk.market/c67ef5943784d09750dcfbb31020f0ab?" + md5_timestamp + "$" + device_id + "&com.coolapk.market"

# Base64-encode the joined string, then MD5 the Base64 output
md5_str = hashlib.new('md5', base64.b64encode(arg1.encode())).hexdigest()

# digest + device id + "0x..." hex timestamp (the capture ended in 0x5fc50882)
token = hex(ctime)
token = md5_str + device_id + hex(ctime)

print(token)
headers = {"X-App-Token": token,
           "X-App-Version": "10.5.3",
           "User-Agent": "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 6P Build/MMB29M) (#Build; google; Nexus 6P; MMB29M; 6.0.1) +CoolMarket/10.5.3-2009271",
           "X-Api-Version": "10",
           "X-App-Device": "QZDIzVHel5EI7UGbn92bnByOpV2dhVHSgszQyoTMzoDM2oTQCpDMwoDNyAyOsxWduByO2ADO4kjNxIDM2gjN3YDOgsDZiBTYykzYkZDNlBzY0ITZ",
           "Accept-Encoding": "gzip",
           "X-Dark-Mode": "0",
           "X-Requested-With": "XMLHttpRequest",
           "X-App-Code": "2009271",
           "X-App-Id": "com.coolapk.market"
           }

# installTime is not part of the token; the captured request carried it in milliseconds
url = "https://api.coolapk.com/v6/main/indexV8?page=2&firstLaunch=0&installTime=%s&lastItem=13988" % ctime

# verify=False disables TLS certificate checking; keep it only while routing
# through an intercepting proxy such as Charles, and drop it otherwise
r = requests.get(url, headers=headers, verify=False)

print(r.text)

result:

The request succeeds.
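Reproducing the token is one half; the other is to see what the token actually proves. The block below is an added example for this write-up, not the client's or the server's own code. It re-implements the construction from the splicing above as make_token(), parses a token back into its three fields, and runs the check a server could run. The 300-second skew window and the constant-time compare are choices made here, not something recovered from the app. CAPTURED is the token from the request at the top of the article; whether it verifies depends on the derivation being exact, so the script prints that result rather than assuming it.

```python
import base64
import hashlib
import hmac

# Constants recovered from libnative-lib.so (see the splicing above).
PREFIX = "token://com.coolapk.market/c67ef5943784d09750dcfbb31020f0ab?"
PACKAGE = "com.coolapk.market"
# Token from the captured request at the top of the article.
CAPTURED = "c1c8fbb158ddf11f698ee7e545f5ea2b34de7eef-8400-3300-8922-a1a34e7b9b4f0x5fc50882"


def make_token(device_id: str, ctime: int) -> str:
    """Client-side construction: md5(b64(PREFIX + md5(ts) + "$" + device + "&" + PACKAGE)),
    then the device id and the hex timestamp appended in the clear."""
    ts_md5 = hashlib.md5(str(ctime).encode()).hexdigest()
    plain = PREFIX + ts_md5 + "$" + device_id + "&" + PACKAGE
    digest = hashlib.md5(base64.b64encode(plain.encode())).hexdigest()
    return digest + device_id + hex(ctime)


def parse_token(token: str):
    """Fixed-width layout: 32 hex digest | 36-char device id | '0x' + hex seconds."""
    digest, device_id, ts = token[:32], token[32:68], token[68:]
    if len(digest) != 32 or len(device_id) != 36 or not ts.startswith("0x"):
        raise ValueError("token does not match the expected layout")
    try:
        return digest, device_id, int(ts, 16)
    except ValueError:
        raise ValueError("timestamp is not hex") from None


def verify_token(token: str, now: int, max_skew: int = 300) -> bool:
    """What a server could check. Every input except PREFIX comes from the token
    itself, so passing this check only proves the sender knows PREFIX, a constant
    shipped in every copy of the app; it binds nothing to a real device.
    max_skew is this example's choice."""
    try:
        digest, device_id, ctime = parse_token(token)
    except ValueError:
        return False
    if abs(now - ctime) > max_skew:
        return False
    expected = make_token(device_id, ctime)[:32]
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    device, ts = "34de7eef-8400-3300-8922-a1a34e7b9b4f", 0x5fc50882
    tok = make_token(device, ts)
    print(tok)
    print("own token verifies:", verify_token(tok, ts))
    # True only if the splicing derived above is exact; run it to find out.
    print("captured token verifies:", verify_token(CAPTURED, ts))
    # Under this check anyone can mint a token for any device id.
    forged = make_token("00000000-0000-0000-0000-000000000000", ts)
    print("token for an arbitrary device id verifies:", verify_token(forged, ts))
```

The practical reading: the only replay protection is the timestamp, and the only thing standing between an outsider and a valid token is a string constant in a native library, which is exactly what this article extracted.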

6, Summary

This app is not hard: the encryption routine is easy to locate, no special tricks are needed, and a global search lands you straight on it. Note what that implies about the scheme: the only "secret" is a fixed string inside the native library, and the device id and timestamp travel in the clear inside the token itself, so the header is a tamper check on the request format, not an authentication of the device. If this article helped you, please like and follow; more will come.

Be able to sit on the bench, endure loneliness and keep your original heart!

Tags: Python Android Python crawler

Posted by gkwhitworth on Thu, 05 May 2022 02:44:14 +0300