1. Goal
To make interception harder, some apps encrypt the data their API returns, like this one:
The content field holds the ciphertext. Today we'll work out how the app decrypts it.
2. Steps
Searching for "content" in Jadx
The response is JSON, so the app has to parse the ciphertext out of it before decrypting. Let's search for "content" and see whether anything turns up:
No luck: there are far too many hits, so this approach won't be easy.
hooker
Today I'm going to introduce a new toy written by an expert in the field:
Github.com/CreditTone/…
Hooker is a reverse-engineering toolkit built on Frida. It gives reverse engineers a unified way to manage script packages, pass-through scripts, automatic generation of hook scripts, and in-memory discovery of activities, services and other arbitrary objects.
Sounds cool.
Follow the instructions to set it up:
git clone https://github.com/CreditTone/hooker.git
cd hooker
pip install -r requirements.txt   # install dependencies
Then start the app and run ./hooker
All currently running process names are listed. If none are listed, frida-server is probably not running.
Type in the package name of the app we want to analyze, com.yxxxx.axxxxx, and you'll be taken to the interactive console, which offers several interesting features that we won't be using today.
Type ex to exit the interactive console.
Hooker has generated some helper scripts for us; go into the com.yxxxx.axxxxx folder:
fenfeiMac:com.yxxxx.axxxxx feifei$ ls
activity_events.js log
android_ui.js object_store.js
attach objection
click.js spawn
edit_text.js spider.py
hook_RN.js ssl_log.js
hooking text_view.js
just_trust_me.js url.js
keystore_dump.js xinit
kill xinitdeploy
The helper script text_view.js is the one we use here.
Why?
Read the author's note first:
Trace the TextView's setText and getText to get the TextView's real class. Generally, the setText call stack brings out the business-layer data model processing logic, which can be traced further to the business-layer data bean wrapper class.
Ciphertext is always decrypted before it is displayed as plaintext. If we print the call stack at the moment the plaintext is displayed, can't we trace its decryption path from there?
Open Jadx
As the name suggests, it should be this one: Encryptutils.o000000o
Automatically generating hook code
This is where hooker's other cool feature comes in: automatically generating hook JS code.
Let's go back to our interactive console. (How do we get back? Exit the current command and run ./hooker again from the parent directory.)
fenfeiMac:com.yxxx.axxx fenfei$ cd ..
feifenMac:hooker fenfei$ ./hooker
PID Name Identifier
----- --------------------------------------- ------------------------------------------------
2505 ANT HAL Service com.dsi.ant.server
17295 Analytics com.miui.analytics
17166 Android Services Library android.ext.services
......
Enter the need to attach package.
: com.yxxx.axxx
It's com.yxxx.axxx that you have attached app.
--------------------------------------------------
Please enter e, s, j, c or ex command.
a: Discovering activities.
b: Discovering services.
c: Discovering object. eg:'c {objectId}'
d: Object2Explain. eg:'d {objectId}'
v: Discovering view. eg:'v {viewId}'
e: Determines whether a class exists. eg:'e android.app.Application'
s: Discovering classes by a class'regex. eg:'s com.tencent.mm.Message.*'
t: Discovering offspring classes by a class'name. eg:'t com.tencent.mm.BasicActivity'
j: Generating hooked js. eg:'j okhttp3.Request$Builder:build'
k: Generating hooked the string generation js with a keyword. eg:'k {YourKeyword}'
l: Generating hooked the param generation js with a param keyword. eg:'l {YourKeyword}'
m: Discovering so module.
: j com.bxxx.libcommon.tools.Encrypt -o com.bxxx.libcommon.tools.Encrypt.js
Hooking js code have generated. Path is com.yxxx.axxx/com.bxxx.libcommon.tools.Encrypt.js.
OK, now enter the com.yxxxx.axxxxx folder and run the generated JS:
fenfeiNewMac:hooker feifei$ cd com.yxxx.axxx
feifeiMac:com.yxxx.axxx fenifei$ ./hooking com.bxxx.libcommon.tools.Encrypt.js
The results are in.
3. Summary
Experts build a lot of interesting wheels; if you know how to use them, you get twice the result for half the effort. Hooker has many more interesting features to explore.
My hero should have a sense of letting a few things go; take life as a journey; many things actually don't matter; look at some of them lightly — Lu Xun
TIP: The only purpose of this article is to learn more reverse-engineering techniques and ways of thinking. If anyone uses this technique to obtain illegal commercial gain, the legal liability lies with them as the operator and has nothing to do with the author. The code for the project covered in this article can be found in my Fenfei star group; you're welcome to join the star group to learn and explore technical knowledge together. For questions, add me on WeChat: Fenfei331.
WeChat official account: Fenfei Security, with the latest technical content pushed in real time.