A, goals,
Boss Li: Fenfei, recently I want to next song, now listen to the song software are so stubborn, the package can not catch?
Fenfei: There are too many reasons for not catching the bag. Let’s use the elimination method to analyze it.
- A music App 10.8.4
Second, the steps
Screening protocols
Boss Li also mixed with us for so many periods, so the basic rule out the problem of packet capture environment.
Another possibility would be the QUIC protocol used by a hand or the SPDY protocol used by a fish.
Do a search for “quic” on Jadx, or if you can’t find it, just try quic
There are six results, so it looks like we were right, one by one, and the third one should be a little tricky.
Looks like a protocol name is being passed in.
The Objection
Don’t bother to write code for future objects. Use batch Hook to verify object positioning. Then write JS for future objects.
objection -g com.kxxou.android explore -P ~/.objection/plugins
android hooking watch class 'com.kxxou.common.network.netgate.o'
Copy the codeThe result is good, the class function is called when the main page is refreshed, although without the a(Ljava/lang/String;) we just analyzed. I, but it is possible that this function will only be called once at startup.
(agent) [559860] Called com.kxxou.common.network.netgate.o.a(int, java.lang.String, java.lang.String)
(agent) [559860] Called com.kxxou.common.network.netgate.o.a(java.lang.String, java.lang.String, java.lang.String)
(agent) [559860] Called com.kxxou.common.network.netgate.o.a(int, java.lang.String, java.lang.String)
Copy the codeThen we can write JS to analyze slowly.
An embarrassing story
I was about to analyze it when I discovered an embarrassing thing. I can catch the bag…
Maybe the App automatically decided to use HTTP instead of QUIC when it started.
According to rule Number one: The boss can’t be wrong. We didn’t hesitate to tell Boss Li that we were done and we could catch the bag. Manual dog head.
Signature analysis
Click on a random comment on a new song.
Our target today is this signature
I counted 32 bits on my fingers, which has the potential of MD5.
Jadx search for “Signature”
The hashmap.put should be the focus.
Click through to see the familiar MD5.
Continue tracking the entire class here
objection -g com.kxxou.android explore -P ~/.objection/plugins
android hooking watch class 'com.kxxou.common.utils.ba'
Copy the codeIt turns out that all three functions a, B, and C are executed.
(agent) [641383] Called com.kxxou.common.utils.ba.a(byte)
(agent) [641383] Called com.kxxou.common.utils.ba.a(byte)
(agent) [641383] Called com.kxxou.common.utils.ba.a(byte)
(agent) [641383] Called com.kxxou.common.utils.ba.b(java.lang.String)
(agent) [641383] Called com.kxxou.common.utils.ba.c([B)
Copy the codeSo let’s print all three of these functions in batch
Got it. If you zoom in, signature is calculated by the B function.
I’m ready to write JS
var signatureCls = Java.use('com.kxxou.common.utils.ba');
signatureCls.b.overload('java.lang.String').implementation = function(a){
var retval = this.b(a);
console.log(">>> signature inStr = " + a);
console.log(" >>> signature rc= " + retval);
return retval;
}
Copy the codeWrap it up.
Third, summary
There is also a sign algorithm in the App, you can practice
More accumulation of industry dynamics, the agreement, we still learn from each other, pure original or less.
Sometimes you have to believe in luck, you may wake up and suddenly you can catch a bag.
TIP: The purpose of this article is only one is learning more backward techniques and train of thought, if anyone use this technology to get illegal commercial interests the legal liabilities are their operators, and the author and it doesn’t matter, this paper involves the knowledge of code project can go to my friends to fly star come undone, welcome to join star learn together to explore technology knowledge. Have a problem can add me WX: FENfei331 discussion.
Wechat public account: Fenfei safety, the latest technology dry goods real-time push