1. Goal

Jiaxuan (Xin Qiji) wrote: "Fine horses and carved carriages leave the road full of fragrance." Ever since, a fine car has been the standard. Boss Li has barely driven his for a few years and is already preparing to change it.

Today our target is an automotive community App, version 8.0.1.

2. Steps

Unpacking

Boss Li said this App is a troublesome one: it seems to be wrapped in an enterprise-grade packer, even Xcube does not work on it, and it cannot be debugged.

Whether it is packed or not, we simply try to strip the shell with BlackDex.

BlackDex reports that the unpacking succeeded, but there is only one dex file in the output directory, which is obviously wrong.

Fortunately, we have a backup plan. FDex2 is said to be good too. Let's go.

Sadly, FDex2 says it does not support my phone. The reason is that my system version is too high: Android 10.

Still, we have plenty of phones. Back then I asked Boss Li to buy one of each, from Android 4 to Android 10, for testing purposes.

First, I found an Android 8.1 device. It happens to have BlackDex on it as well. Give it a try.

So unpacking does depend on the system version? A friendly reminder to everyone: keep both high and low versions of Android around, and use whichever one works.

Packet capture

Looking at the signature, it is 32 characters long again.

Anyway, just search for it.

This map.put is far too exposed.

I think this is the sign.

Hook it with Frida:

// TAG is a log prefix; the original snippet used it without defining it.
var TAG = "[sign] ";

Java.perform(function () {
    var utilCls = Java.use("com.alibaba.sdk.android.oss.common.utils.OSSUtils");
    utilCls.sign.implementation = function (a, b, c) {
        // log the three inputs, call the original, then log its return value
        console.log(TAG + "a = " + a);
        console.log(TAG + "b = " + b);
        console.log(TAG + "c = " + c);
        var rc = this.sign(a, b, c);
        console.log(TAG + "sign = " + rc);
        return rc;
    };
});

Run it.

Hluda-server-15.xx is the server that runs on the phone.

Sadly, nothing happened. That does not make sense.

Take a closer look: I confused Signature with signature. I can't believe I made such a stupid mistake. Don't let Boss Li know, or at the end of the year he will use it as a reason not to raise my salary.

Ignore case and search again. This time there are only two results, but neither of them looks right.

This is where you look for its friends: search for another seemingly rare parameter from the same request packet. This time we look at nonce.

This looks like the right place.

Look inside, and we see our dear old MD5. Hook it without hesitation.

// TAG is a log prefix; the original snippet used it without defining it.
var TAG = "[md5] ";

Java.perform(function () {
    var utilsExCls = Java.use("com.aliyun.common.utils.MD5Util");
    utilsExCls.getMD5.implementation = function (a) {
        // log the input string, call the original, then log the digest
        console.log(TAG + "a = " + a);
        var rc = this.getMD5(a);
        console.log(TAG + "Md5 sign = " + rc);
        return rc;
    };
});

Got it this time:

Md5 sign = 35c40cb2b0fcf2a61ad316be7e912370

Call it a day.

Encryption and decryption of the returned data

From the packet capture, both the request and the response contain a block of encrypted data beginning with sd=. It looks like the data for a detail page.

How do you locate it? Let's first analyze its characteristics. This block of data has three:

1. It begins with sd=
2. The data itself begins with a capital M
3. It ends with ==, so it is most likely Base64
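The three characteristics above can be checked offline on a captured field before hooking anything. The following is an added example, not code from the original post: it takes a field from a captured request, tests the sd= prefix, the leading M, the == padding and Base64 validity, and decodes the first byte by hand (a leading M is Base64 index 12, so the first decoded byte is always in the range 0x30..0x33). The sample value in the test is constructed for illustration; the field name sd and the helper names are assumptions.

```javascript
// Added example: classify a captured field by the three characteristics
// described above (sd= prefix, leading M, == padding -> likely Base64).
// Written to run under both Node and Frida's JS runtime (no Buffer used).

var SD_PREFIX = "sd=";                      // assumed parameter name from the capture
var B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Strict Base64 check: alphabet only, padding only at the end, length % 4 == 0.
function isBase64(s) {
  return /^[A-Za-z0-9+/]+={0,2}$/.test(s) && s.length % 4 === 0;
}

// Decode only the first byte: byte0 = (idx(c0) << 2) | (idx(c1) >> 4).
// For a leading "M" (index 12 = 001100) this is always 0x30..0x33.
function firstDecodedByte(b64) {
  if (b64.length < 2) return null;
  var i0 = B64.indexOf(b64[0]);
  var i1 = B64.indexOf(b64[1]);
  if (i0 < 0 || i1 < 0) return null;
  return ((i0 << 2) | (i1 >> 4)) & 0xff;
}

// Inspect one "name=value" field from a captured request or response.
function inspectField(raw) {
  var r = {
    hasSdPrefix: false,
    startsWithM: false,
    endsWithPadding: false,
    isBase64: false,
    firstByte: null
  };
  if (raw.indexOf(SD_PREFIX) !== 0) return r;
  r.hasSdPrefix = true;
  var body = raw.slice(SD_PREFIX.length);
  r.startsWithM = body.charAt(0) === "M";
  r.endsWithPadding = body.slice(-2) === "==";
  r.isBase64 = isBase64(body);
  if (r.isBase64) r.firstByte = firstDecodedByte(body);
  return r;
}

// True only when all three characteristics from the post hold.
function matchesAllThree(raw) {
  var r = inspectField(raw);
  return r.hasSdPrefix && r.startsWithM && r.endsWithPadding && r.isBase64;
}
```

Feeding every field of a captured packet through matchesAllThree gives a quick way to find the candidate without relying on the hook firing; firstByte also tells you that whatever sits behind the M is a byte between 0x30 and 0x33, which narrows down what the encoded data could be.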

Start with Base64:

Java.perform(function () {
    var Base64Class = Java.use("android.util.Base64");
    // hook the (byte[], int) overload and log every encoded string
    Base64Class.encodeToString.overload("[B", "int").implementation = function (a, b) {
        var rc = this.encodeToString(a, b);
        console.log(">>> Base64 " + rc);
        return rc;
    };
});

Ran it, sadly to no avail. (The Base64 step may be done in the SO layer, or the app may simply implement the Base64 algorithm itself.)

So let's do it the other way round: search for sd= or sd.

The CheckCodeUtils class is easily located:

// TAG is a log prefix; the original snippet used it without defining it.
var TAG = "[checkcode] ";

Java.perform(function () {
    var CheckCodeUtils = Java.use("com.cloudy.lxxxlxxxbang.model.request.retrofit2.CheckCodeUtils");

    // log plaintext and mode, call the original, then log the ciphertext
    CheckCodeUtils.encrypt.implementation = function (paramString, paramInt) {
        console.log(TAG + 'aaa encrypt paramString:' + paramString);
        console.log(TAG + 'aaa encrypt paramInt:' + paramInt);
        var result = this.encrypt(paramString, paramInt);
        console.log(TAG + 'aaa encrypt result:' + result);
        return result;
    };

    // log ciphertext, call the original, then log the recovered plaintext
    CheckCodeUtils.decrypt.implementation = function (paramString) {
        console.log(TAG + 'aaa decrypt paramString:' + paramString);
        var result = this.decrypt(paramString);
        console.log(TAG + 'aaa decrypt result:' + result);
        return result;
    };
});

Perfect. No screenshots.

3. Summary

If you can't find the key string, consider looking for its friends.

Reverse analysis is a practical discipline; there is no fixed method. Don't get caught up in details, and don't worry about whether the method is orthodox. A cat that catches mice is a good cat.

In the next lesson, let's use unidbg to run this algorithm and try to restore it.

Gold dust, though precious, clouds the eye it falls into.

TIP: The sole purpose of this article is to learn more reverse-engineering techniques and ways of thinking. If anyone uses these techniques to obtain illegal commercial gain, the legal liability rests with that person and has nothing to do with the author. The code for the projects covered in this article can be found in my Feixing star community; everyone is welcome to join and explore technical knowledge together. If you have questions, add me on WeChat: FENfei331.

WeChat public account: Fenfei Security, with the latest practical technical content pushed in real time.