Recently, I learned about Android reverse, contacted the APP of TB system, and learned that the APP of large manufacturers is for data security. This article mainly introduces the HOOK process of the signature parameter x-sign of a treasure live APP. Of course, other parameters can also be HOOK. This article is only for learning and communication, please do not use it for other purposes.

1, Environmental tools

Environment: windows 10

Equipment: Lightning simulator, google pixel

HOOK framework: Xposed

Cartridge tool: Frida

Compiler: android studio

Decompile tool: jadx

Bag grabbing tool: Charles

Analysis APP: apk (COM. * * * *. Live_1.8.6_50. apk)

2, Process steps

1. Capture and analyze the data packets, install the App on the simulator, set the VNP agent on the simulator, open the Charles tool, operate on the simulator, make the App initiate a network request, and then view the captured data packets on Charles.

2. Use the shell checking tool to check the APP process and check what shell adding software is used to shell the APP. If there is shell adding, it is preferred to shell it out. Of course, large manufacturers rarely shell apps.

3. Use jadx to decompile the APP and get the relevant code, but the decompiled code is not all correct. Please pay attention to this.

4. According to the key information obtained from the packet capture, use the key field name to search the code decompiled by jadx and find the code.

5. Write JS code, and then use frida to insert it into simulator memory or mobile phone memory for detection.

6. After finding the key code, you need to show the key fields with the help of xposed hook, and the development plug-in will connect the service for the crawler code to call.

3, Process display

1. Bag grabbing

	GET /gw/mtop.***.livex.vcore.hot.ranking.list.query/2.0/?data=%7B%22focusId%22%3A%220%22%2C%22enterPage%22%3A%22hot_search%22%7D HTTP/1.1
x-m-biz-live-bizcode	TAOBAO
x-features	27
x-sgext	JAHfTfKqFp8VS17V%2Fyrwrw%3D%3D
user-agent	MTOPSDK%2F3.1.1.7+%28Android%3B7.1.2%3Bsamsung%3BSM-G9750%29
x-ttid	10005533%40***live_android_1.8.6
cache-control	no-cache
a-orange-q	appKey=25443018&appVersion=1.8.6&clientAppIndexVersion=1120200928112400415&clientVersionIndexVersion=0
x-appkey	25443018
x-region-channel	CN
x-mini-wua	HHnB_yY%2BVTP4ONzYAS0JZCZH1kxay0eLuo3X2qtBIE5jr6lZvRAnJJ1G8cadrB8RwL24tN8%2Fh9ghtDlb6k5cAwiNaOKX0mD9%2BFADwgxmVeVcmxYJ8M7DGxIGdoBk2pTZYdROi
x-c-traceid	XzFAo6l4I0QDAEtkomuzYMMg1601521245154002312720
content-type	application/x-www-form-urlencoded;charset=UTF-8
x-app-conf-v	0
x-app-ver	1.8.6
x-bx-version	6.4.17
x-pv	6.3
x-t	1601521245
f-refer	mtop
Cookie	unb=2677236496; sn=; lgc=; cookie17=UU6m2Eeo2kZhAw%3D%3D; dnk=; munb=2677236496; cookie2=1da9677cd5d8067a25887efad5399035; tracknick=; ti=; sg=x6e; _l_g_=Ug%3D%3D; _nk_=minizqx; cookie1=U7HzARmj%2B0xuestjyOv43ck2AoCzwROfdIWJFcYSstg%3D; imewweoriw=3%2FxErrexaa2iG0nL9nQkVq6vWzZ2RYFXo60Fqs9r6Y0%3D; WAPFDFDTGFG=%2B4cMKKP%2B8PI%2BMesd%2Bk5vda3o; _w_tb_nick=minizqx; uc3=nk2=DlkyfSB%2Bjw%3D%3D&vt3=F8dCufBEpQar8u2TO3M%3D&id2=UU6m2Eeo2kZhAw%3D%3D&lg2=W5iHLLyFOGW7aA%3D%3D; uc1=existShop=false&cookie14=Uoe0bHJmGwo4lQ%3D%3D&cookie21=W5iHLLyFfX5Xzx7qNYvXUg%3D%3D&cookie15=V32FPkk%2Fw0dUvg%3D%3D; csg=2de8b6f3; t=305ec04f6cebe219662be638fa62aaf9; sgcookie=W100Cx89pixouHdsov7UuolWf0KF4SCZSW%2BghMbGvElGjMjGInUE8ule6s0vwKHP7bE2u%2FV4huIYCVL69Y4Nb609lp%2FZmI%2FnGoxACSa43mcyatM%3D; skt=2c65e2ca24dd1fde; uc4=nk4=0%40DDxxrcvliaXBeEHW%2FzgIyiWv&id4=0%40U2xrdV%2F5ZuJ17PCSrvw8g3giR4gj; _cc_=VT5L2FSpdA%3D%3D; _tb_token_=ed17ebbe55356; ockeqeudmj=mQRlQ%2FY%3D
x-sid	1da9677cd5d8067a25887efad5399035
x-disastergrd	
x-utdid	XzFAo6l4I0QDAEtkomuzYMMg
x-umt	duJLkp5LOjp9tjV04l0sWVWVGrYsNTP%2B
x-devid	At0LQnkeo_YpGZF88TSoTGUnqnqNWXm7ezbTK8JEkoHr
x-sign	azSdY1002xAAEKX7IpQqlaakQWgkgKXwpHpjVVSKm5h2mnFJOuQWX51LpqfoKidOysB%2BZ%2B1EviEW%2BmG09cHhh3fHdGCl0KXwpdCl8K
x-uid	2677236496
Host	acs.m.***.com
Accept-Encoding	gzip
Connection	Keep-Alive

 2. Check shell

I didn't shell because I can see the code using jadx GUI. If I can't see the code, I may need to shell.

3. Decompile

4. Search keywords

5. Pile insertion detection

[-->]    result :K[x-mini-wua]-->V[HHnB_Ai0JzNjvjpyeSUtZj9lfxHyKwYN4U/I42Jr28lnGLg6QzMU54H22mQJZEjR5reJmg7dSfgV2tJSCFQR/DtiSyTdKpLKJPO8OXuo9Lapqe1cuwdLTn9bb8sjz+HbjQ0xT]
[-->]    result :K[x-sgext]-->V[JAEPhzh63E/fm5QFNfo6fw==]
[-->]    result :K[x-umt]-->V[duJLkp5LOjp9tjV04l0sWVWVGrYsNTP+]
[-->]     result:  {x-sign=azSdY1002xAAHrGTXJ0perBksC3AfrGesBR3O0Dkj/Zi9GUnLooCMYklssn8RDMg3q5qCfkqqk8ClHXa4a/16WOpYA6xjrGesY6xnr, wua=, x-mini-wua=HHnB_Ai0JzNjvjpyeSUtZj9lfxHyKwYN4U/I42Jr28lnGLg6QzMU54H22mQJZEjR5reJmg7dSfgV2tJSCFQR/DtiSyTdKpLKJPO8OXuo9Lapqe1cuwdLTn9bb8sjz+HbjQ0xT, x-sgext=JAEPhzh63E/fm5QFNfo6fw==, x-umt=duJLkp5LOjp9tjV04l0sWVWVGrYsNTP+}

6. Write xposed plug-in

Write plug-ins using Android studio.

4, Analysis and display

{"x-sign":"azSdY1002xAAGTOrG3oat7W3Cl5CuTOpOyrE7MLTDcHmpOcYgQ2AAK2s8P5+RHf/cTJX5G3EEiBQo/ftY5h33uGe4jkzuTOpM7kzqT","wua":"","x-mini-wua":"HHnB_x95u54gos/jSNsGcF2zvx+yhl8pchUZ/Z7Xke/2HlZZdYjvuuG4H4jZhhr2aUlre8xns7pYnMgr4nHcGSE4p7drYGE+VsuI73+L06luyPp+D/9Nod8fTnfNH4GHkXxzL","x-sgext":"JAFB9aifQ1zyfnYYZQ/y0w\u003d\u003d","x-umt":"XoVLH9JLOu1p1DV04lJL9VD9L4Y4mjV7"}

{"x-sign":"azSdY1002xAAHec7oUg/rsBTX3gmfec9774QeBZH2VUyMDOMVZlUlHk4JGqq0KNrpaaDcLlQxrSENyN5twyjSjUKNq33Hec95x3nPe","wua":"","x-mini-wua":"HHnB_kaq8xeRHJGYkxmlj4Tj7s+AE/ucCilsewjWaBR/V0/e5uhqJcgn26+5kTJBZBgPOHv8CYjmtQ1LAoR856xrcK+29ZT5HnUkMRMgvTm4H2pjm5GkpKhRHgo3VBGdhzvYa","x-sgext":"JAHZbzIH2cRo5uyA/5doSw\u003d\u003d","x-umt":"XoVLH9JLOu1p1DV04lJL9VD9L4Y4mjV7"}

Of course, other parameters in the request header can also be obtained.

This article is only for learning and communication, please do not use it for other purposes. Technical support, buckle: 3165845957