I. Packet capture
It is a POST request, and both the URL and the header carry a sign. The sign in the URL is presumably computed from the form data, since modifying a parameter returns a "signature error"; the sign in the header is presumably derived from a timestamp.

II. The sign in the header
1. Java-layer analysis
Start with the sign in the header: search for "sign", hook the candidates and compare against the capture. The second and third results look very similar, so try them one at a time.

```
*** entered com.android36kr.a.d.e.intercept
arg[0]: [object Object] => "<instance: okhttp3.Interceptor$Chain, $className: okhttp3.internal.http.RealInterceptorChain>"
java.lang.Throwable
    at com.android36kr.a.d.e.intercept(Native Method)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:257)
    at okhttp3.RealCall.execute(RealCall.java:93)
    at retrofit2.OkHttpCall.execute(OkHttpCall.java:174)
    at retrofit2.adapter.rxjava.RxJavaCallAdapterFactory$RequestArbiter.request(RxJavaCallAdapterFactory.java:171)
    at rx.internal.operators.OperatorSubscribeOn$1$1$1.request(OperatorSubscribeOn.java:80)
    at rx.Subscriber.setProducer(Subscriber.java:211)
    at rx.internal.operators.OperatorSubscribeOn$1$1.setProducer(OperatorSubscribeOn.java:76)
    at rx.internal.operators.OnSubscribeMap$MapSubscriber.setProducer(OnSubscribeMap.java:102)
    at rx.internal.operators.OnSubscribeMap$MapSubscriber.setProducer(OnSubscribeMap.java:102)
    at rx.internal.operators.OnSubscribeMap$MapSubscriber.setProducer(OnSubscribeMap.java:102)
    at rx.Subscriber.setProducer(Subscriber.java:205)
    at retrofit2.adapter.rxjava.RxJavaCallAdapterFactory$CallOnSubscribe.call(RxJavaCallAdapterFactory.java:152)
    at retrofit2.adapter.rxjava.RxJavaCallAdapterFactory$CallOnSubscribe.call(RxJavaCallAdapterFactory.java:138)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
    at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
    at rx.Observable.unsafeSubscribe(Observable.java:10200)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.Observable.unsafeSubscribe(Observable.java:10200)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.Observable.unsafeSubscribe(Observable.java:10200)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48)
    at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33)
    at rx.Observable.unsafeSubscribe(Observable.java:10200)
    at rx.internal.operators.OperatorSubscribeOn$1.call(OperatorSubscribeOn.java:94)
    at rx.internal.schedulers.CachedThreadScheduler$EventLoopWorker$1.call(CachedThreadScheduler.java:228)
    at rx.internal.schedulers.ScheduledAction.run(ScheduledAction.java:55)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:462)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
    at java.lang.Thread.run(Thread.java:919)
retval: Response{protocol=h2, code=200, message=, url=https://gateway.36kr.com/api/mis/nav/home/subnav/flow?sign=ebb4df16ad675e551171475c588e1548} => "<instance: okhttp3.Response>"
*** exiting com.android36kr.a.d.e.intercept
```
Hook the input and output parameters.
```
*** entered com.android36kr.app.utils.EncryptUtils.sign
arg[0]: 1642493408 => "1642493408"
retval: a4420dafd3d603546474cfe67e95c352 => "a4420dafd3d603546474cfe67e95c352"
*** exiting com.android36kr.app.utils.EncryptUtils.sign
```
2. Native (.so) layer analysis
Static analysis
Then hook j_decode: it returns 49g@EPf&3AMt9X98@K8%, and the sign is the MD5 of that string concatenated with the timestamp.
Frida script
```javascript
function callSign_adress() {
    Java.perform(function () {
        var str_name_so = "liben.so";      // name of the .so to hook
        var n_addr_func_offset = 0x3588;   // offset of the target function inside the .so
        var n_addr_so = Module.findBaseAddress(str_name_so);
        if (n_addr_so === null) {
            console.log("module not loaded yet: " + str_name_so);
            return;
        }
        // Keep the address as a NativePointer: parseInt() on the base address
        // loses precision on 64-bit processes.
        var ptr_func = n_addr_so.add(n_addr_func_offset);
        console.log("func addr is:" + ptr_func);
        Interceptor.attach(ptr_func, {
            // runs before the hooked function
            onEnter: function (args) {
                console.log("enter args0:" + args[0]);
                console.log("enter:" + args[0].readCString());
            },
            // runs after the hooked function returns
            onLeave: function (retval) {
                console.log("leave:" + retval);
                console.log("leave:" + retval.readCString());
            }
        });
    });
}
callSign_adress();
```
```
func addr is:0xba563588
enter args0:0xba5722dc
enter:1<bE@Uc#6DHq<]<=EN=
leave:0xdacc2280
leave:49g@EPf&3AMt9X98@K8%
```

III. The sign in the URL
1. Java-layer analysis
Searching for ?sign= gives only three results. Hooking all of them pins it down to com.android36kr.a.d.c.a.a.d, whose second parameter is the form data.
```
*** entered com.android36kr.a.d.c.a.a.d
arg[0]: Request{method=POST, url=https://gateway.36kr.com/api/mis/nav/home/subnav/flow?siteId=1&platformId=1&subnavId=6&subnavType=1&subnavNick=9&pageSize=20&pageEvent=0&pageCallback=eyJmaXJzdElkIjo0NTA3NTE1NzMwLCJsYXN0SWQiOjM1Nzc1MTIyNTEsImZpcnN0Q3JlYXRlVGltZSI6MTY0MjQ5NzAwMDAwMCwibGFzdENyZWF0ZVRpbWUiOjE2NDI0OTcwMDAwMDB9&homeCallback=xxxxxxxxxxx, tags={}} => "<instance: okhttp3.Request>"
arg[1]: {"adid":"0816c4c266744c9a","app":"36kr","device_brand":"google","device_density":560,"device_height":2712,"device_id":"0816c4c266744c9a","device_model":"Pixel 2 XL","device_oaid":"","device_orientation":0,"device_width":1440,"ip":"61.135.152.188","isp":"","network":"wifi","os_version":"10","param":{"homeCallback":"xxxxxxxxxxx","pageCallback":"eyJmaXJzdElkIjo0NTA3NTE1NzMwLCJsYXN0SWQiOjM1Nzc1MTIyNTEsImZpcnN0Q3JlYXRlVGltZSI6MTY0MjQ5NzAwMDAwMCwibGFzdENyZWF0ZVRpbWUiOjE2NDI0OTcwMDAwMDB9","pageEvent":"0","pageSize":"20","platformId":"1","siteId":"1","subnavId":"6","subnavNick":"9","subnavType":"1"},"partner_id":"android","partner_version":"9.4.2","request_id":"","timestamp":1642497397704,"timestamp_period":"300","user_agent_ad":"Mozilla/5.0 (Linux; Android 10; Pixel 2 XL Build/QQ3A.200805.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/74.0.3729.186 Mobile Safari/537.36"}
retval: Request{method=POST, url=https://gateway.36kr.com/api/mis/nav/home/subnav/flow?sign=6a86126f4b8fa0538493d06d5ce4f128, tags={}} => "<instance: okhttp3.Request>"
*** exiting com.android36kr.a.d.c.a.a.d
```
2. Native (.so) layer analysis
j_j_EncryptMD5str is presumably MD5, and the string passed in is the form data + "OooCsekkuOZOHZChPO5-WQ". Verifying confirms the guess.
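Both signatures recovered above (header: MD5 of an embedded string plus the timestamp; URL: MD5 of the form JSON plus a second embedded string) share the same weakness: the only secret is a constant shipped inside the APK, so whoever extracts it can produce valid signatures for any request within the freshness window. The following Python is an added example, not code from the post or from the app, showing the two schemes as reconstructed here, a server-side check of what they actually prove, and an HMAC-based design that binds the signature to a per-device key, the request body and a nonce. The secrets are constructed placeholders. The xor_decode helper records an observation about the page's own hook output: every logged j_decode output byte equals the input byte XOR 0x05; the logged input is one character shorter than the output, which is consistent with a trailing space lost when the log was copied, and the example assumes that space.

```python
import hashlib
import hmac
import json

# Constructed placeholder secrets. The real client embeds fixed strings in
# liben.so; any fixed value shipped inside an APK should be treated as public.
HEADER_SECRET = "placeholder-header-secret"
URL_SECRET = "placeholder-url-secret"
FRESHNESS_SECONDS = 300  # the captured form carries "timestamp_period": "300"


def xor_decode(obfuscated: bytes, key: int = 0x05) -> str:
    """Single-byte XOR. Inferred from the hooked j_decode input and output on
    this page (every logged output byte is the input byte XOR 0x05); the
    binary itself was not inspected for this example."""
    return bytes(b ^ key for b in obfuscated).decode("ascii")


def header_sign(ts: int, secret: str = HEADER_SECRET) -> str:
    """Header scheme as hooked: md5(secret || unix_timestamp_seconds)."""
    return hashlib.md5((secret + str(ts)).encode()).hexdigest()


def url_sign(form: dict, secret: str = URL_SECRET) -> str:
    """URL scheme as hooked: md5(form_json || secret). The JSON serialisation
    must be canonical (fixed key order, no whitespace) or the two sides disagree."""
    body = json.dumps(form, separators=(",", ":"), sort_keys=True)
    return hashlib.md5((body + secret).encode()).hexdigest()


def verify_header_sign(sign: str, ts: int, now: int,
                       window: int = FRESHNESS_SECONDS) -> bool:
    """Server-side check of the header scheme. It proves only that the sender
    knew the embedded constant and a recent timestamp: nothing binds the sign
    to the request body, and any capture can be replayed inside the window."""
    if abs(now - ts) > window:
        return False
    return hmac.compare_digest(header_sign(ts), sign)


# Hardened alternative (added design, not the app's): HMAC-SHA256 under a
# per-device key issued at registration, covering method, path, timestamp,
# a nonce and the body hash, with server-side nonce tracking against replay.
def hmac_sign(device_key: bytes, method: str, path: str, ts: int,
              nonce: str, body: str) -> str:
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    msg = "\n".join([method, path, str(ts), nonce, body_hash]).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class HmacVerifier:
    """Rejects stale timestamps, reused nonces and any change to a signed
    field. Nonces live in memory here; a deployment would keep them in a
    shared store expiring after the freshness window."""

    def __init__(self, window: int = FRESHNESS_SECONDS) -> None:
        self.window = window
        self.seen_nonces = set()

    def verify(self, device_key: bytes, method: str, path: str, ts: int,
               nonce: str, body: str, sign: str, now: int) -> bool:
        if abs(now - ts) > self.window:
            return False
        if nonce in self.seen_nonces:
            return False  # replay of an already accepted request
        expected = hmac_sign(device_key, method, path, ts, nonce, body)
        if not hmac.compare_digest(expected, sign):
            return False
        self.seen_nonces.add(nonce)
        return True


if __name__ == "__main__":
    # Constructed: the logged j_decode input plus the assumed trailing space.
    print(xor_decode(b"1<bE@Uc#6DHq<]<=EN= "))
    ts = 1642493408  # timestamp seen in the EncryptUtils.sign hook
    print(verify_header_sign(header_sign(ts), ts, ts + 10))   # True
    print(verify_header_sign(header_sign(ts), ts, ts + 600))  # False: stale
    key = bytes(range(32))  # constructed per-device key
    v = HmacVerifier()
    body = '{"pageSize":"20"}'
    s = hmac_sign(key, "POST", "/api/flow", ts, "n-1", body)
    print(v.verify(key, "POST", "/api/flow", ts, "n-1", body, s, ts + 1))  # True
    print(v.verify(key, "POST", "/api/flow", ts, "n-1", body, s, ts + 2))  # False: replay
```

The point of the second half is what the first half cannot do: once the constant is public, `verify_header_sign` accepts any caller inside the 300-second window, and the URL sign only detects tampering with the form, not who sent it. With a per-device key and a nonce, a leaked signature is bound to one request and one use.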
IV. Device parameters
Android reverse engineering is as deep as the sea; once you are in, app development becomes a stranger. Keep practising and keep learning: the more you reverse, the more naturally it comes. You are welcome to follow my WeChat public account to discuss crawlers and Android reverse engineering.
- This article is for learning and exchange only; do not use it for illegal purposes. If it infringes on your company's rights, please get in touch so it can be removed.
- Author: 404False
- Link: https://404nofoundx.top/article/c6b13ce3-4c9a-4a62-8794-77875377e3ba
- Notice: this article is licensed under CC BY-NC-SA 4.0; please credit the source when reposting.