Recently I have been learning Android reverse engineering, and while looking at apps from the TB ecosystem I learned how the apps of large vendors protect their data. This article mainly walks through the process of hooking the signature parameter x-sign of a certain "treasure" live-streaming app; other parameters can be hooked in the same way. This article is only for learning and communication, please do not use it for other purposes.
1, Environment and tools
Environment: Windows 10
Devices: Lightning (LDPlayer) Android emulator, Google Pixel
HOOK framework: Xposed
Instrumentation tool: Frida
IDE: Android Studio
Decompiler: jadx
Packet capture tool: Charles
App analyzed: com.****.live_1.8.6_50.apk
2, Process steps
1. Capture and analyze the traffic: install the app on the emulator, configure the emulator's VPN/proxy to point at Charles, open Charles, operate the app on the emulator so that it issues network requests, and then inspect the captured requests in Charles.
2. Run a packer-detection tool against the APK to check whether it is packed and, if so, which packer was used. If it is packed, unpack it first. Large vendors rarely pack their apps, though.
3. Decompile the APK with jadx to obtain the relevant code. Note that decompiled code is not always correct, so treat it with care.
4. Using the key field names obtained from the packet capture, search the jadx output for those names to locate the code that produces them.
5. Write a JavaScript script and inject it with Frida into the process in emulator or phone memory to confirm that the located code is the right one (instrumentation check).
6. Once the key code has been found, expose the key fields with an Xposed hook; the plugin then exposes a service that the crawler code can call.
3, Process walkthrough
1. Packet capture
GET /gw/mtop.***.livex.vcore.hot.ranking.list.query/2.0/?data=%7B%22focusId%22%3A%220%22%2C%22enterPage%22%3A%22hot_search%22%7D HTTP/1.1
x-m-biz-live-bizcode: TAOBAO
x-features: 27
x-sgext: JAHfTfKqFp8VS17V%2Fyrwrw%3D%3D
user-agent: MTOPSDK%2F3.1.1.7+%28Android%3B7.1.2%3Bsamsung%3BSM-G9750%29
x-ttid: 10005533%40***live_android_1.8.6
cache-control: no-cache
a-orange-q: appKey=25443018&appVersion=1.8.6&clientAppIndexVersion=1120200928112400415&clientVersionIndexVersion=0
x-appkey: 25443018
x-region-channel: CN
x-mini-wua: HHnB_yY%2BVTP4ONzYAS0JZCZH1kxay0eLuo3X2qtBIE5jr6lZvRAnJJ1G8cadrB8RwL24tN8%2Fh9ghtDlb6k5cAwiNaOKX0mD9%2BFADwgxmVeVcmxYJ8M7DGxIGdoBk2pTZYdROi
x-c-traceid: XzFAo6l4I0QDAEtkomuzYMMg1601521245154002312720
content-type: application/x-www-form-urlencoded;charset=UTF-8
x-app-conf-v: 0
x-app-ver: 1.8.6
x-bx-version: 6.4.17
x-pv: 6.3
x-t: 1601521245
f-refer: mtop
Cookie: unb=2677236496; sn=; lgc=; cookie17=UU6m2Eeo2kZhAw%3D%3D; dnk=; munb=2677236496; cookie2=1da9677cd5d8067a25887efad5399035; tracknick=; ti=; sg=x6e; _l_g_=Ug%3D%3D; _nk_=minizqx; cookie1=U7HzARmj%2B0xuestjyOv43ck2AoCzwROfdIWJFcYSstg%3D; imewweoriw=3%2FxErrexaa2iG0nL9nQkVq6vWzZ2RYFXo60Fqs9r6Y0%3D; WAPFDFDTGFG=%2B4cMKKP%2B8PI%2BMesd%2Bk5vda3o; _w_tb_nick=minizqx; uc3=nk2=DlkyfSB%2Bjw%3D%3D&vt3=F8dCufBEpQar8u2TO3M%3D&id2=UU6m2Eeo2kZhAw%3D%3D&lg2=W5iHLLyFOGW7aA%3D%3D; uc1=existShop=false&cookie14=Uoe0bHJmGwo4lQ%3D%3D&cookie21=W5iHLLyFfX5Xzx7qNYvXUg%3D%3D&cookie15=V32FPkk%2Fw0dUvg%3D%3D; csg=2de8b6f3; t=305ec04f6cebe219662be638fa62aaf9; sgcookie=W100Cx89pixouHdsov7UuolWf0KF4SCZSW%2BghMbGvElGjMjGInUE8ule6s0vwKHP7bE2u%2FV4huIYCVL69Y4Nb609lp%2FZmI%2FnGoxACSa43mcyatM%3D; skt=2c65e2ca24dd1fde; uc4=nk4=0%40DDxxrcvliaXBeEHW%2FzgIyiWv&id4=0%40U2xrdV%2F5ZuJ17PCSrvw8g3giR4gj; _cc_=VT5L2FSpdA%3D%3D; _tb_token_=ed17ebbe55356; ockeqeudmj=mQRlQ%2FY%3D
x-sid: 1da9677cd5d8067a25887efad5399035
x-disastergrd:
x-utdid: XzFAo6l4I0QDAEtkomuzYMMg
x-umt: duJLkp5LOjp9tjV04l0sWVWVGrYsNTP%2B
x-devid: At0LQnkeo_YpGZF88TSoTGUnqnqNWXm7ezbTK8JEkoHr
x-sign: azSdY1002xAAEKX7IpQqlaakQWgkgKXwpHpjVVSKm5h2mnFJOuQWX51LpqfoKidOysB%2BZ%2B1EviEW%2BmG09cHhh3fHdGCl0KXwpdCl8K
x-uid: 2677236496
Host: acs.m.***.com
Accept-Encoding: gzip
Connection: Keep-Alive
2. Packer check
I did not need to unpack, because the code is visible in jadx-gui. If the code were not visible, unpacking might be required.
3. Decompile
4. Search keywords
5. Instrumentation check
[-->] result :K[x-mini-wua]-->V[HHnB_Ai0JzNjvjpyeSUtZj9lfxHyKwYN4U/I42Jr28lnGLg6QzMU54H22mQJZEjR5reJmg7dSfgV2tJSCFQR/DtiSyTdKpLKJPO8OXuo9Lapqe1cuwdLTn9bb8sjz+HbjQ0xT]
[-->] result :K[x-sgext]-->V[JAEPhzh63E/fm5QFNfo6fw==]
[-->] result :K[x-umt]-->V[duJLkp5LOjp9tjV04l0sWVWVGrYsNTP+]
[-->] result: {x-sign=azSdY1002xAAHrGTXJ0perBksC3AfrGesBR3O0Dkj/Zi9GUnLooCMYklssn8RDMg3q5qCfkqqk8ClHXa4a/16WOpYA6xjrGesY6xnr, wua=, x-mini-wua=HHnB_Ai0JzNjvjpyeSUtZj9lfxHyKwYN4U/I42Jr28lnGLg6QzMU54H22mQJZEjR5reJmg7dSfgV2tJSCFQR/DtiSyTdKpLKJPO8OXuo9Lapqe1cuwdLTn9bb8sjz+HbjQ0xT, x-sgext=JAEPhzh63E/fm5QFNfo6fw==, x-umt=duJLkp5LOjp9tjV04l0sWVWVGrYsNTP+}
6. Write the Xposed plugin
The plugin is written in Android Studio.
4, Analysis and display
{"x-sign":"azSdY1002xAAGTOrG3oat7W3Cl5CuTOpOyrE7MLTDcHmpOcYgQ2AAK2s8P5+RHf/cTJX5G3EEiBQo/ftY5h33uGe4jkzuTOpM7kzqT","wua":"","x-mini-wua":"HHnB_x95u54gos/jSNsGcF2zvx+yhl8pchUZ/Z7Xke/2HlZZdYjvuuG4H4jZhhr2aUlre8xns7pYnMgr4nHcGSE4p7drYGE+VsuI73+L06luyPp+D/9Nod8fTnfNH4GHkXxzL","x-sgext":"JAFB9aifQ1zyfnYYZQ/y0w\u003d\u003d","x-umt":"XoVLH9JLOu1p1DV04lJL9VD9L4Y4mjV7"}
{"x-sign":"azSdY1002xAAHec7oUg/rsBTX3gmfec9774QeBZH2VUyMDOMVZlUlHk4JGqq0KNrpaaDcLlQxrSENyN5twyjSjUKNq33Hec95x3nPe","wua":"","x-mini-wua":"HHnB_kaq8xeRHJGYkxmlj4Tj7s+AE/ucCilsewjWaBR/V0/e5uhqJcgn26+5kTJBZBgPOHv8CYjmtQ1LAoR856xrcK+29ZT5HnUkMRMgvTm4H2pjm5GkpKhRHgo3VBGdhzvYa","x-sgext":"JAHZbzIH2cRo5uyA/5doSw\u003d\u003d","x-umt":"XoVLH9JLOu1p1DV04lJL9VD9L4Y4mjV7"}
Other parameters in the request header can be obtained in the same way.
This article is only for learning and communication, please do not use it for other purposes. Technical support, QQ: 3165845957