篇幅有限
完整内容及源码关注公众号:ReverseCode,发送 冲
apk放入jadx-1.2.0中很明显被奇虎360加固了
image-20210727192532494
使用PKiD再次确认
image-20210727192630567
脱壳
环境
安卓8.1+fs128arm64+pyenv local 3.8.2
adb install 摩托邦4.8.0.2021070601.apk
FRIDA-DEXDump
对于完整的 dex,采用暴力搜索 DEX.035 即可找到。而对于抹头的 dex,通过匹配一些特征来找到。FRIDA-DEXDump纯粹的利用特征从内存中检索已经加载的 DEX 文件,而不需要拦截任何的函数得到一些结构体,并从中获取 DEX 的内存地址或其他相关信息。
git clone https://github.com/hluwa/FRIDA-DEXDump.git 支持搜索没有文件头的 DEX 文件
python main.py 前台运行需要脱壳的app,将dump下的dex放到jadx-1.2.0中反编译
image-20210727192238333
FART
在设置中找到需要脱壳的应用配置sdcard存储空间权限,否则只能存到var savepath = "/data/data/com.motoband";首先拷贝fart.so和fart64.so到/data/app目录下(权限不足就先放到/data/local/tmp再转移目录),并使用chmod 777 设置好权限
frida_fart_reflection.js
用反射的方式实现的函数粒度的脱壳,与使用hook方式实现的方法不同,可以使用spawn和attach两种方式使用
调用dump(classname),传入要处理的类名,只完成对某一个类下的所有函数的CodeItem完成dump,效率更高,dump下来的类函数的所有CodeItem在含有类名的bin文件中
frida_fart_hook.js
使用hook的方式实现的函数粒度的脱壳,仅仅是对类中的所有函数进行了加载,但依然可以解决绝大多数的抽取保护,需要以spawn方式启动app,等待app进入Activity界面后,执行fart()函数即可
如果发现某个类中的函数的CodeItem没有dump下来,可以调用dump(classname),传入要处理的类名,完成对该类下的所有函数体的dump,dump下来的函数体会追加到bin文件当中
git clone https://github.com/hanbinglengyue/FART.git
frida -UF -l frida_fart_reflection.js
frida -U -f com.motoband -l frida_fart_reflection.js --no-pause
frida -U -f com.motoband -l frida_fart_hook.js --no-pause
mv dex /sdcard/com.motoband/ 在使用爱莫助手下载
image-20210727195632734
Youpk
仅限机型pixel 1代,效果最好,脱的裤衩都没了
7z x Youpk_sailfish.zip
adb reboot bootloader
cd sailfish-nzh54d && sh flash-all.sh
安装apk后在Settings-Apps-摩托邦-Permissions启动存储权限
adb shell "echo com.motoband >> /data/local/tmp/unpacker.config" 启动apk等待脱壳,每隔10秒将自动重新脱壳(已完全dump的dex将被忽略), 当日志打印unpack end时脱壳完成
adb pull /data/data/com.motoband/unpacker pull出dump文件, dump文件路径为 /data/data/包名/unpacker
java -jar dexfixer.jar /data/data/com.motoband/unpacker /data/data/com.motoband/output 调用修复工具 dexfixer.jar, 两个参数, 第一个为dump文件目录(必须为有效路径), 第二个为重组后的DEX目录(不存在将会创建)
adb install wifiadb.apk
adb tcpip 5555 免root执行tcpip调试模式
adb connect 172.20.103.254:5555
适用场景
- 整体加固
- 抽取:
- nop占坑型(类似某加密)
- naitve化, 在<clinit>中解密(类似早期阿里)
- goto解密型(类似新版某加密?najia)
AUPK
抓包
charles+postern
image-20210728113500752
SSL handshake with client failed: An unknown issue occurred processing the certificate (certificate_unknown)看起来做了证书绑定,使用r0capture开启dump证书也未dump下来,无法正常抓包
./fs1280arm64 启动frida,netstat -tnlp|grep 27042 查看占用端口
frida_ssl_logger
核心原理就是对SSL_read和SSL_write进行hook,得到其收发包的明文数据
python ssl_logger.py -U -f com.motoband
python ssl_logger.py -U -f com.motoband -p motoband.pcap 生成的pcap通过wireshark打开
image-20210728101147025
OkHttpLogger-Frida
由于所有使用的okhttp框架的App发出的请求都是通过RealCall.java发出的,那么我们可以hook此类拿到request和response,也可以缓存下来每一个请求的call对象,进行再次请求,所以选择了此处进行hook
adb push okhttpfind.dex /data/local/tmp
frida -U -l okhttp_poker.js -f com.motoband --no-pause 可追加 -o [output filepath]保存到文件
判断是否混淆,如果混淆需要修改okhttp_poker.js中的混淆后的变量
image-20210728102421848
开启抓包
image-20210728102752197
r0capture
./fs14216arm64
pyenv local 3.9.0
adb shell dumpsys activity activities 查看前台app包名
python r0capture.py -U -f com.motoband -v
python r0capture.py -U -f com.motoband -v -p motoband.pcap
python r0capture.py -U -f com.motoband -v >>motoband.txt
frida -U -f com.motoband -l script.js --no-pause -o motoband.txt
ctrl+shift+o获取请求与请求头
image-20210728111350099
ctrl+shift+o获取请求参数
image-20210728111453906
拼装到postman中
image-20210728111914921
image-20210728111831220
分析
通过Youpk脱下的dex一起放到jdax-1.2.0中,搜索seriesinfo
@POST("car/seriesinfo")
Observable<ResponseBody> motoInfo(@Body RequestBody requestBody);
查找用例位于com.motoband.core.manager.ChooseCarManager
public Observable<MotorbikeSeriesModel> requestMotorInfo(String str, int i) {
HashMap hashMap = new HashMap();
hashMap.put(IntentConstants.MODELID, str);
hashMap.put("source", Integer.valueOf(i));
return RetrofitHelper.getObjectObservable(((ChooseCarService) RetrofitHelper.getRetrofit().create(ChooseCarService.class)).motoInfo(RetrofitHelper.getRequestBody(hashMap)), MotorbikeSeriesModel.class).observeOn(AndroidSchedulers.mainThread()).doOnNext($$Lambda$ChooseCarManager$XcbjKQVeNSK4TPlk0mzi1vIv6Z0.INSTANCE);
}
显然getRequestBody就是生成众多加密参数的方法,位于com.motoband.core.http.RetrofitHelper
public static RequestBody getRequestBody(Map<String, Object> map) {
if (map == null) {
map = new HashMap<>();
}
long currentTimeMillis = System.currentTimeMillis();
map.put("token", UserInfo.getInstance().getToken());
map.put(MBRequestConstants.REQUEST_REQUESTID, CommonUtil.getRequestId(currentTimeMillis));
map.put(MBRequestConstants.REQUEST_CTYPE, "2");
map.put(MBRequestConstants.REQUEST_CVERSION, AppUtils.getAppVersionName());
map.put("citycode", UserInfo.getInstance().getCitycode());
if (!map.containsKey("userid")) {
map.put("userid", UserInfo.getInstance().getUserid());
}
if (!map.containsKey(MBRequestConstants.REQUEST_LONLAT)) {
map.put(MBRequestConstants.REQUEST_LONLAT, UserInfo.getInstance().getLonlatStr());
}
map.put(MBRequestConstants.REQUEST_PUSH_ID, JPushInterface.getRegistrationID(MBUtil.getContext()));
ArrayList<String> arrayList = new ArrayList();
for (String str : map.keySet()) {
if (map.get(str) == null) {
arrayList.add(str);
}
}
for (String str2 : arrayList) {
map.remove(str2);
}
String str3 = null;
try {
str3 = RSAUtil.rsaSign(EncryptUtils.encryptMD5ToString(RSAUtil.getSignContent(map)).toLowerCase(), Constants.CLIENT_PRIVATE_KEY);
} catch (Exception e) {
e.printStackTrace();
System.out.println(MBResponseCode.RSA_SIGN_ERROR);
}
map.put("sign", str3);
return RequestBody.create(MediaType.parse(HttpConstants.MediaType_Json), JSON.toJSONString(map));
}
多进程保护
由于摩托邦存在多进程保护,基于信号的发送和接收,实现相互的保护防止被动态攻击。简单的双进程保护就是从原进程再fork一个空进程出来,让逆向分析的时候附加到空进程中导致hook不上。
双进程进程保护主要功能: 1、保护父进程,ptrace所有线程,防止被附加、调试、暂停; 2、保护子进程,防止被暂停、异常退出;
objection附加双进程保护的app的时候报错,一般双进程保护,先把app关掉直接用spwan模式就能附加上。
查看frida源码和objection源码:
frida附加的顺序:spawn->resume->attach
objection附加的顺序:spawn->attach->resume
vim /root/.pyenv/versions/3.8.2/lib/python3.8/site-packages/objection/utils/agent.py 添加如下代码
debug_print('Resuming PID test `{pid}`'.format(pid=self.spawned_pid))
self.device.resume(self.spawned_pid)
image-20210728160806491
注释如下代码
#if not self.exports().ping():
# click.secho('Failed to ping the agent', fg='red')
# raise Exception('Failed to communicate with agent')
image-20210728160856891
实际就是把resume放到步骤的中间,如果不行的话适当加个sleep就能附加上了
内存漫游
objection -g com.motoband explore -P ~/.objection/plugins
android hooking search classes com.motoband.core.manager.ChooseCarManager 搜索类
android hooking list class_methods com.motoband.core.manager.ChooseCarManager 列出类方法
image-20210728150824474
plugin wallbreaker classdump com.motoband.core.http.RetrofitHelper 根据指定类dump类结构
plugin wallbreaker objectdump --fullname 0x3576 查看类的值
image-20210728165336743
plugin wallbreaker classsearch com.motoband.core.http.RetrofitHelper 搜索所有相关类
plugin wallbreaker objectsearch com.motoband.core.http.RetrofitHelper$1$1 搜索内存中指定类返回地址
plugin wallbreaker objectdump --fullname 0x2d9a 根据地址dump类所有方法
image-20210728164831881
android hooking watch class_method com.motoband.core.manager.ChooseCarManager.requestMotorInfo --dump-backtrace --dump-args --dump-return hook指定方法requestMotorInfo,打印参数返回值调用栈
image-20210728152259851
以上hook说明在requestMotorInfo中传入品牌型号3334后进入getRequestBody函数
jobs list 查看进程中的任务
jobs kill id 杀死hook任务
image-20210728152113382
参数分析
根据以上Jadx中的分析,App在请求car/seriesinfo时调用了RetrofitHelper.getRequestBody(hashMap)),在函数getRequestBody中对不同参数包括token,sign等进行了加密,并RequestBody.create(MediaType.parse(HttpConstants.MediaType_Json), JSON.toJSONString(map));最终将请求参数的HashMap转成JSONString作为create传递参数。
那么即可通过主动调用getRequestBody的同时hook函数RequestBody.create拿到第二个参数作为请求参数,由于headers中数据一致,加上请求url即可完成数据抓取。
function hook_RequestBody_create(){
Java.perform(function(){
Java.use("okhttp3.RequestBody").create.overload('okhttp3.MediaType', 'java.lang.String').implementation = function(mediaType,str){
var result = this.create(mediaType,str)
console.log("params====",str)
return result;
}
})
}
function Initiative_getRequestBody(){
Java.perform(function(){
var map = Java.use('java.util.HashMap').$new();
var StringClass = Java.use("java.lang.String");
map.put("modelid", StringClass.$new("3334"));
var RetrofitHelper = Java.use("com.motoband.core.http.RetrofitHelper");
RetrofitHelper.getRequestBody(map);
})
}
function main(){
console.log("Main")
hook_RequestBody_create();
}
setImmediate(main)
image-20210728175304412
以上完成绕过so层通过主动调用和hook的方式获取请求参数,接下来就是完成爬虫的具体逻辑。
抓包
通过python r0capture.py -U com.motoband -v -p moto.pcap抓包分析各个页面请求并使用python实现,headers可以通过请求头加引号.py自动生成
选车列表
headers = {
'Source': 'source',
'Date': 'Wed, 28 Jul 2021 10:42:37 GMT',
'Authorization': 'hmac id="AKIDKpo6me25b14nzcNefQeoqR95syh2ayx97s0g", algorithm="hmac-sha1", headers="date source", signature="LueIYYQhihnHza8ZIzzH3X1J6xM="',
'Content-Type': 'application/json; charset=utf-8',
'Content-Length': '396',
'Host': 'api.motuobang.com',
'Connection': 'Keep-Alive',
'Accept-Encoding': 'gzip',
'User-Agent': 'okhttp/3.14.9'
}
param_str = '{"jpushregistrationid":"18071adc03d4364a59f","ctype":"2","citycode":"0512","requestid":"10120210728184237309B6FABE44946F25C3","brandid":0,"sign":"Un9ld6EYErQmE2ab0CgGP4pbqGKz8taTYlT2d4vgJlR1e6N3vp2Ld/YHpZVHLAYQgdYxmHDPDmdPiapY/Irewg==","type":0,"cversion":"4.8.0.2021070601","userid":"53AEB07289854E91A74DA4718D86617F","token":"6A057F7AB0654DEBA3A9BAFE51A17D62","lonlat":"[120.670592,31.295319]"}'
data = requests.post('http://api.motuobang.com/release/car/brandinfo', data=param_str,
headers=headers).json()["data"]
brandlist = json.loads(data)["brandlist"]
品牌列表
headers = {
'Source': 'source',
'Date': 'Wed, 28 Jul 2021 11:02:48 GMT',
'Authorization': 'hmac id="AKIDKpo6me25b14nzcNefQeoqR95syh2ayx97s0g", algorithm="hmac-sha1", headers="date source", signature="xUe79aim7V1Nur4J8DfN9KSDU0Q="',
'Content-Type': 'application/json; charset=utf-8',
'Content-Length': '396',
'Host': 'api.motuobang.com',
'Connection': 'Keep-Alive',
'Accept-Encoding': 'gzip',
'User-Agent': 'okhttp/3.14.9'
}
param_str = '{"jpushregistrationid":"18071adc03d4364a59f","searchcar":"{\\"brandids\\":[28],\\"haveabs\\":0,\\"maxcc\\":0.0,\\"maxmaxpower\\":0.0,\\"maxprice\\":0,\\"maxsitheight\\":0,\\"maxxuhanglicheng\\":0,\\"maxzuigaochesu\\":0,\\"mincc\\":0.0,\\"minmaxpower\\":0.0,\\"minprice\\":0,\\"minsitheight\\":0,\\"minxuhanglicheng\\":0,\\"minzuigaochesu\\":0,\\"modelid\\":-1,\\"month\\":0,\\"pagenum\\":0,\\"pagesize\\":200,\\"searchtype\\":0,\\"source\\":0,\\"store\\":0,\\"year\\":0}","ctype":"2","citycode":"0512","requestid":"10120210728190247800B530F6E7211E0724","sign":"BeHwJ+uZ0BK7bR9z6Q4XifFqp0crBtwDouA3BxYYU7br2XQvwehJPrkfnn9MV/PezYqMawUZI6zEDiplwJ49ug==","cversion":"4.8.0.2021070601","userid":"53AEB07289854E91A74DA4718D86617F","token":"5100BF109300497C83A51614C58314FD","lonlat":"[120.67073,31.295348]"}'
data = requests.post('http://api.motuobang.com/release/car/searchv2', data=param_str,
headers=headers).json()["data"]
print(json.loads(data)["serieslist"])
品牌详情
headers = {
'Source': 'source',
'Date': 'Mon, 26 Jul 2021 05:47:06 GMT',
'Authorization': 'hmac id="AKIDKpo6me25b14nzcNefQeoqR95syh2ayx97s0g", algorithm="hmac-sha1", headers="date source", signature="jmwgtLvjj06A/M/TNcCqL72GRsk="',
'Content-Type': 'application/json; charset=utf-8 ',
'Content-Length': '403',
'Host': 'api.motuobang.com',
'Connection': 'Keep-Alive',
'Accept-Encoding': 'gzip',
'User-Agent': 'okhttp/3.14.'
}
param_str = '{"jpushregistrationid":"1104a89792736fd015f","lonlat":"[120.670593,31.295318]","ctype":"2","sign":"SJxFIJSEi7BwlnPLC/6j3RfyxsR2EEEC2uWGpfC3/MQl/8gSCS5GcqSbre/S3Jrrws+/LYQzGE08T+Gv+tIIAg==","source":0,"token":"89DFF7721007455D806E282F8195B0EF","requestid":"10120210726134706717A11599A619EBCF39","citycode":"0512","cversion":"4.8.0.2021070601","userid":"53AEB07289854E91A74DA4718D86617F","modelid":"3387"}'
data = requests.post('http://api.motuobang.com/release/car/seriesinfo', data=param_str,
headers=headers).json()["data"]
print(json.loads(data)["seriesinfo"])
frida rpc 数据传递
hook RequestBody.create
由于RequestBody.create(MediaType.parse(HttpConstants.MediaType_Json), JSON.toJSONString(map));,hook create即可拿到入参=请求头加密参数。
function hook_body_create(){
Java.perform(function(){
Java.use("okhttp3.RequestBody").create.overload('okhttp3.MediaType', 'java.lang.String').implementation = function(mediaType,str){
var result = this.create(mediaType,str)
send(str)
return result;
}
})
}
function main(){
console.log("Main")
hook_body_create();
}
setImmediate(main)
主动调用searchv2
查看选车列表时,搜索brandinfo
@POST("car/brandinfo")
Observable<ResponseBody> refreshBrandInfo(@Body RequestBody requestBody);
查找用例com.motoband.core.manager.MotoBrandManager
android hooking watch class com.motoband.core.manager.MotoBrandManager --dump-args --dump-backtrace --dump-return 将整个类hook,点击触发类实现
android hooking watch class_method com.motoband.core.manager.MotoBrandManager.requestBrandDetail --dump-args --dump-backtrace --dump-return hook触发的类方法并拿到参数为brandid
image-20210728211005543
查看品牌列表时,搜索searchv2
@POST("car/searchv2")
Observable<ResponseBody> searchNewMotoModelsV2(@Body RequestBody requestBody);
image-20210729084834395
查找用例时有多个方法中调用,不过只有两个类,接下来通过objection hook上这两个类中的所有方法,点击指定品牌,触发car/searchv2
android hooking watch class com.motoband.core.manager.ChooseCarManager --dump-args --dump-backtrace --dump-return
android hooking watch class_method com.motoband.core.manager.ChooseCarManager.brandSeries --dump-args --dump-backtrace --dump-return
image-20210729085320595
以上分析得知触发了com.motoband.core.manager.ChooseCarManager.brandSeries方法,传递第一个参数为brandid,结合jadx分析
public Observable<CarFilterSearchModel> brandSeries(String str, boolean z) {
HashMap hashMap = new HashMap();
hashMap.put("searchcar", SearchMotoFilterModel.toBrandSeriesJson(Integer.parseInt(str), z));
return RetrofitHelper.getObjectObservable(((ChooseCarService) RetrofitHelper.getRetrofit().create(ChooseCarService.class)).searchNewMotoModelsV2(RetrofitHelper.getRequestBody(hashMap)), CarFilterSearchModel.class).observeOn(AndroidSchedulers.mainThread());
}
拼接searchcar到map中,通过getRequestBody获取加密请求参数。接下来尝试hook SearchMotoFilterModel.toBrandSeriesJson 拿到入参,利用frida实现主动调用。
function hook_searchv2(id){
Java.perform(function(){
var search_map = Java.use('java.util.HashMap').$new();
var StringClass = Java.use("java.lang.String");
var IntegerClass = Java.use("java.lang.Integer");
var BooleanClass = Java.use("java.lang.Boolean");
var SearchMotoFilterModel = Java.use('com.motoband.core.model.SearchMotoFilterModel').$new();
// for brandinfo
// search_map.put("type", IntegerClass.$new(1));
// search_map.put("brandid", StringClass.$new(id));
search_map.put("searchcar",SearchMotoFilterModel.toBrandSeriesJson(id,false));
var RetrofitHelper = Java.use("com.motoband.core.http.RetrofitHelper");
RetrofitHelper.getRequestBody(search_map);
})
}
主动调用serials_info
查看品牌详情时,搜索seriesinfo
@POST("car/seriesinfo")
Observable<ResponseBody> motoInfo(@Body RequestBody requestBody);
查找用例
public Observable<MotorbikeSeriesModel> requestMotorInfo(String str, int i) {
HashMap hashMap = new HashMap();
hashMap.put(IntentConstants.MODELID, str);
hashMap.put("source", Integer.valueOf(i));
return RetrofitHelper.getObjectObservable(((ChooseCarService) RetrofitHelper.getRetrofit().create(ChooseCarService.class)).motoInfo(RetrofitHelper.getRequestBody(hashMap)), MotorbikeSeriesModel.class).observeOn(AndroidSchedulers.mainThread()).doOnNext($$Lambda$ChooseCarManager$XcbjKQVeNSK4TPlk0mzi1vIv6Z0.INSTANCE);
}
hook实现
function hook_seriesinfo(id){
Java.perform(function(){
var map = Java.use('java.util.HashMap').$new();
var StringClass = Java.use("java.lang.String");
map.put("modelid", StringClass.$new(id));
var RetrofitHelper = Java.use("com.motoband.core.http.RetrofitHelper");
RetrofitHelper.getRequestBody(map);
})
}
rpc调用
frida主动调用各个方法时,同时间hook RequestBody.create方法,拿到关键加密参数,rpc发送给python,完成爬虫数据拼装,实现数据抓取。
js
rpc.exports = {
hookseriesinfo: hook_seriesinfo,
hooksearchv2: hook_searchv2,
hookbodybreate: hook_body_create
}
python
device = frida.get_usb_device()
# pid = device.spawn(["com.motoband"])
# device.resume(pid)
# time.sleep(10)
session = device.attach("com.motoband")
with open("motoband.js") as f:
script = session.create_script(f.read())
script.on("message", my_message_handler)
script.load()
# request for brandinfo
headers = {
'Source': 'source',
'Date': 'Wed, 28 Jul 2021 10:42:37 GMT',
'Authorization': 'hmac id="AKIDKpo6me25b14nzcNefQeoqR95syh2ayx97s0g", algorithm="hmac-sha1", headers="date source", signature="LueIYYQhihnHza8ZIzzH3X1J6xM="',
'Content-Type': 'application/json;*/jg charset=utf-8',
'Content-Length': '396',
'Host': 'api.motuobang.com',
'Connection': 'Keep-Alive',
'Accept-Encoding': 'gzip',
'User-Agent': 'okhttp/3.14.9'
}
param_str = '{"jpushregistrationid":"18071adc03d4364a59f","ctype":"2","citycode":"0512","requestid":"10120210728184237309B6FABE44946F25C3","brandid":0,"sign":"Un9ld6EYErQmE2ab0CgGP4pbqGKz8taTYlT2d4vgJlR1e6N3vp2Ld/YHpZVHLAYQgdYxmHDPDmdPiapY/Irewg==","type":0,"cversion":"4.8.0.2021070601","userid":"53AEB07289854E91A74DA4718D86617F","token":"6A057F7AB0654DEBA3A9BAFE51A17D62","lonlat":"[120.670592,31.295319]"}'
data = requests.post('http://api.motuobang.com/release/car/brandinfo', data=param_str,headers=headers).json()["data"]
brandlist = json.loads(data)["brandlist"]
for brand in brandlist:
brandname = brand["name"]
brandid = str(brand["brandid"])
# 1.创建文件夹
# 2.request for searchv2
script.exports.hooksearchv2(brandid)
# print(name_model_dict)
# 3.request for seriesinfo
for (key,value) in name_model_dict.items():
# print(key+":"+str(value))
script.exports.hookseriesinfo(str(value))
# input()
image-20210729111227782
本文由博客群发一文多发等运营工具平台 OpenWrite 发布
网友评论