frida-rpc调用native so(一)

frida-rpc调用native so(一)

作者: 朝朝朝朝朝落 | 来源:发表于2022-03-07 18:07 被阅读0次

rpc就是Remote Procedure Call (远程过程调用): 用数据线连接手机和电脑, 启动爬虫, 通过hook自动调用so函数, 省得自己分析so天书了.
目标App:


WX20220307-170157@2x.png

获取民宿评论, 先抓包看看:


WX20220307-172801@2x.png WX20220307-172813@2x.png
WX20220307-175736@2x.png

把抓到的请求格式化看看有啥加密参数:


WX20220307-171906@2x.png

headers里有几个加密参数, 先看看这个X-TJH: 用Jadx打开apk搜索, 很容易定位到这里:


WX20220307-172029.png
WX20220307-172300.png

先hook这个m19457a()方法, 看看这一堆参数是啥玩意:

import frida, sys
import os

# Frida script (JavaScript) injected into the target process. It hooks the
# (String, String, String, String, int, long) overload of
# com.tujia.gundam.Gundam.a, send()s each argument and the original return
# value back to the Python side, and returns that value unchanged.
jsCode2 = """
    Java.perform(function () {
    var q = Java.use('com.tujia.gundam.Gundam');
    q.a.overload('java.lang.String','java.lang.String','java.lang.String','java.lang.String','int','long').implementation = function (a,b,c,d,e,f){
            send("start");
            send("a: "+a);
            send("b: "+b);
            send("c: "+c);
            send("d: "+d);
            send("e: "+e);
            send("f: "+f);
            
            var result = this.a(a,b,c,d,e,f);
            send("result:"+result);
            return result;
        };
    });
"""

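def on_message(message, data):
    """Print a message received from the injected Frida script.

    Args:
        message: Frida message dict. ``'send'`` messages carry their text in
            ``'payload'``; ``'error'`` messages carry a trace in ``'stack'``.
            Other message types are ignored.
        data: Binary payload accompanying the message (unused).
    """
    if message['type'] == 'send':
        print(message['payload'])
    elif message['type'] == 'error':
        print(message['stack'])


# Forward frida-server's two default ports from the adb-connected device so
# get_remote_device() can reach it through the USB link.
os.system("adb forward tcp:27042 tcp:27042")
os.system("adb forward tcp:27043 tcp:27043")
process = frida.get_remote_device().attach("com.tujia.hotel")
script = process.create_script(jsCode2)
# The original passed the undefined name `message` here, which raises
# NameError before the script is ever loaded; use the handler defined above.
script.on("message", on_message)
script.load()
# Block so the process stays attached and hook output keeps arriving.
sys.stdin.read()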

看看结果, 输出了好几轮, 说明这个方法被调用了好多次. 我们在hook的同时抓包, 对比hook输出的result和抓包里的X-TJH, 一样的那一组就是该请求用到的这一堆参数:


WX20220307-173756@2x.png

这次试试用Frida-rpc直接调用so. 参数d可能太长了, 直接写进JS代码会报错, 就拿出来当成Python变量传进去吧.

import frida
import os
import time
# Forward frida-server's two default ports from the adb-connected device to
# the host.
for _port in (27042, 27043):
    os.system("adb forward tcp:%d tcp:%d" % (_port, _port))

def on_message(message, data):
    """Print a message received from the injected Frida script.

    Args:
        message: Frida message dict. ``'send'`` messages carry their text in
            ``'payload'``; ``'error'`` messages carry a trace in ``'stack'``.
            Any other type is ignored.
        data: Binary payload accompanying the message (unused).
    """
    field = {'send': 'payload', 'error': 'stack'}.get(message['type'])
    if field is not None:
        print(message[field])

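# Frida script (JavaScript) exposing an rpc export `gettjh(d, ts)`. It calls
# com.tujia.gundam.Gundam.a with the URL (a), User-Agent (b) and the
# key=value device string (c) fixed below, the request body `d` and timestamp
# `ts` supplied from Python, and e = 2205, then send()s and returns the result.
# The `//var d = ...` line is kept as ONE physical line: in the listing it was
# wrapped inside "devModel", which would leave the continuation uncommented and
# break script compilation. Its `\"` escapes are processed by Python before the
# JS is compiled, which is harmless only because the line is a JS comment.
# NOTE(review): `return tjh` assumes Java.perform runs its callback
# synchronously here (the author reports it worked); an empty result would
# point at that assumption.
hook_code = '''
rpc.exports = {
    gettjh: function(d,ts){
        var tjh = "";
        var a = "https://client.tujia.com/bnbapp-node/app/comment/gethousecomments/bnb";
        var b = "Mozilla/5.0 (Linux; Android 9; Pixel 3 XL Build/PQ3A.190801.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.99 Mobile Safari/537.36 tujia(hotel/271/271 mNet/wifi loc/zh_CN)";
        var c = "LON=null;LAT=null;AX=null;OY=null;CID=-1;LAC=-1;UID=f93bc1c9-1ce1-3ea0-994f-27aa3b6ddf60;OSVersion=9;AppVersion=271_271;DevType=2;DevModel=Pixel 3 XL;Manufacturer=Google;;TJM=0;VersionName=8.46.0";
        //var d = "{\"code\":null,\"parameter\":{\"commentTabType\":1,\"fold\":false,\"checkOutDate\":\"2022-03-08\",\"pageIndex\":0,\"abTests\":{\"T_login2_1012\":{\"s\":true,\"v\":\"C\"}},\"pageSize\":10,\"unitID\":6023866,\"checkInDate\":\"2022-03-07\",\"upath\":null},\"client\":{\"AX\":null,\"OY\":null,\"abTest\":{},\"abTests\":{},\"adTest\":{\"m1\":\"GOOGLE unknown\",\"m2\":\"c279ab15f1cba9b4f042f8dfdc8b5361\",\"m3\":\"armeabi-v7a\",\"m4\":\"armeabi\",\"m5\":\"100\",\"m6\":\"2\",\"m7\":\"4\"},\"api_level\":271,\"appFP\":\"qA/Ch2zqjORBz90YV34sUczZGutYWuLZeK8bsi1YTnqbV7XmpoUSASLAK8lOnQqPP0YVp/iSMuJDBHNOx26LNN3fNT+pxpl7hAvE7NakT9lKhTBDmz6kyvxt2YTdJ9qbpF1xRIdMgP+40UI6+1CJblxL0KBaqF2YR+Flk6mG/Gs5fiyXGv40rPDT9OrosyX8VCaCaowfS1qlskuDRKFUpnG7BjiIkJIiFERPAiMd7ramOJJdtYByZEzFiNd0gjcJ01IdCOqiEvvJVuIPJmRy7uapWo34ifCGId5LfYfH+yL/T86A6uW0oC+mJHwOLnP8HKN0q2Fu3rTcKZ+Prbs/dcBHaWJi1C1tHZFza2O+1gUQTgvg+Kq57BvE6IjEhveT\",\"appId\":\"com.tujia.hotel\",\"appVersion\":\"271_271\",\"appVersionUpdate\":\"rtag-20220216-163909-bingxuew_1\",\"batteryStatus\":\"discharging\",\"buildTag\":\"rtag-20220216-163909-bingxuew_1\",\"buildVersion\":\"8.46.0\",\"ccid\":\"517421XXXXXX5161963\",\"channelCode\":\"qq\",\"crnVersion\":\"265\",\"devModel\":\"Pixel 3 XL\",\"devToken\":\"\",\"devType\":2,\"dtt\":\"\",\"electricity\":\"60\",\"flutterPkgId\":\"457\",\"gps\":null,\"harmonyOS\":0,\"incognito\":0,\"kaTest\":{\"k1\":\"2_1_2\",\"k2\":\"crosshatch\",\"k3\":\"abfarm830\",\"k4\":\"PQ3A.190801.002\",\"k5\":\"google/crosshatch/crosshatch:9/PQ3A.190801.002/5670241:user/release-keys\",\"k6\":\"crosshatch\",\"k7\":\"PQ3A.190801.002\"},\"latitude\":null,\"locale\":\"zh-CN\",\"longitude\":null,\"networkType\":\"1\",\"osVersion\":\"9\",\"platform\":\"1\",\"salt\":\"OM4ADTIAcMmA4xYAMM4xWjcEYcjD1xYANA5xzAYMIAzzxAMNNAm3DAlcAAjD5AYMYA502DgQRUTji0NMYZ3xjmAQNMjTlzYONO5xTWQQURTj0iZNNZz2TmMQRRWjilNNZOkxWGJU\",\"screenInfo\":\"\",\"sessionId\":\"f93bc1c9-1ce1-3ea0-994f-27aa3b6ddf60_1646641849130\",\"tId\":\"2203XXXXX813988\",\"tbTest\":{\"j1\":\"unknown\",\"j2\":\"crosshatch\",\"j3\":\"Pixel 3 XL\",\"j4\":\"Google\",\"j5\":\"google\",\"j6\":\"b1c1-0.1-5578427\",\"j7\":\"crosshatch\",\"j8\":\"2.1.0  (ART)\"},\"traceid\":\"1646641960622_1646641872817_1646641854982\",\"uID\":\"f93bc1c9-1ce1-3ea0-994f-27aa3b6ddf60\",\"version\":\"271\",\"wifi\":null,\"wifimac\":\"G1SlhTlGePaEJcgo/sjLlhWAXKUye1Puz0zHtCF+/0Y=\"},\"psid\":\"04571780-1f63-43fe-86e8-ef94888d0453\",\"type\":null,\"user\":null,\"usid\":null}";
        var e = 2205
        Java.perform(
            function(){
                var x_tjh = Java.use('com.tujia.gundam.Gundam');
                
                tjh = x_tjh.a(a,b,c,d,e,ts);
                send(tjh);
            } 
        )
        return tjh;
    }}
'''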

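# Request body (JSON) captured from the app; passed to gettjh as argument d and
# from there into Gundam.a. Kept on ONE physical line: the listing had it
# wrapped inside the "j8" value ("2.1.0  " / "(ART)"), which would put a raw
# newline into the JSON and change the string the signing call receives.
d = '''{"code":null,"parameter":{"commentTabType":1,"fold":false,"checkOutDate":"2022-03-08","pageIndex":0,"abTests":{"T_login2_1012":{"s":true,"v":"C"}},"pageSize":10,"unitID":6023866,"checkInDate":"2022-03-07","upath":null},"client":{"AX":null,"OY":null,"abTest":{},"abTests":{},"adTest":{"m1":"GOOGLE unknown","m2":"c279ab15f1cba9b4f042f8dfdc8b5361","m3":"armeabi-v7a","m4":"armeabi","m5":"100","m6":"2","m7":"4"},"api_level":271,"appFP":"qA/Ch2zqjORBz90YV34sUczZGutYWuLZeK8bsi1YTnqbV7XmpoUSASLAK8lOnQqPP0YVp/iSMuJDBHNOx26LNN3fNT+pxpl7hAvE7NakT9lKhTBDmz6kyvxt2YTdJ9qbpF1xRIdMgP+40UI6+1CJblxL0KBaqF2YR+Flk6mG/Gs5fiyXGv40rPDT9OrosyX8VCaCaowfS1qlskuDRKFUpnG7BjiIkJIiFERPAiMd7ramOJJdtYByZEzFiNd0gjcJ01IdCOqiEvvJVuIPJmRy7uapWo34ifCGId5LfYfH+yL/T86A6uW0oC+mJHwOLnP8HKN0q2Fu3rTcKZ+Prbs/dcBHaWJi1C1tHZFza2O+1gUQTgvg+Kq57BvE6IjEhveT","appId":"com.tujia.hotel","appVersion":"271_271","appVersionUpdate":"rtag-20220216-163909-bingxuew_1","batteryStatus":"discharging","buildTag":"rtag-20220216-163909-bingxuew_1","buildVersion":"8.46.0","ccid":"5174XXXXX61963","channelCode":"qq","crnVersion":"265","devModel":"Pixel 3 XL","devToken":"","devType":2,"dtt":"","electricity":"60","flutterPkgId":"457","gps":null,"harmonyOS":0,"incognito":0,"kaTest":{"k1":"2_1_2","k2":"crosshatch","k3":"abfarm830","k4":"PQ3A.190801.002","k5":"google/crosshatch/crosshatch:9/PQ3A.190801.002/5670241:user/release-keys","k6":"crosshatch","k7":"PQ3A.190801.002"},"latitude":null,"locale":"zh-CN","longitude":null,"networkType":"1","osVersion":"9","platform":"1","salt":"OM4ADTIAcMmA4xYAMM4xWjcEYcjD1xYANA5xzAYMIAzzxAMNNAm3DAlcAAjD5AYMYA502DgQRUTji0NMYZ3xjmAQNMjTlzYONO5xTWQQURTj0iZNNZz2TmMQRRWjilNNZOkxWGJU","screenInfo":"","sessionId":"f93bc1c9-1ce1-3ea0-994f-27aa3b6ddf60_1646641849130","tId":"22030XXXXXXX1813988","tbTest":{"j1":"unknown","j2":"crosshatch","j3":"Pixel 3 XL","j4":"Google","j5":"google","j6":"b1c1-0.1-5578427","j7":"crosshatch","j8":"2.1.0  (ART)"},"traceid":"1646641960622_1646641872817_1646641854982","uID":"f93bc1c9-1ce1-3ea0-994f-27aa3b6ddf60","version":"271","wifi":null,"wifimac":"G1SlhTlGePaEJcgo/sjLlhWAXKUye1Puz0zHtCF+/0Y="},"psid":"04571780-1f63-43fe-86e8-ef94888d0453","type":null,"user":null,"usid":null}'''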

# Attach to the running app over USB, inject the rpc script, then call its
# gettjh export with the request body `d` and the current unix timestamp.
device = frida.get_usb_device()
process = device.attach('com.tujia.hotel')
script = process.create_script(hook_code)
script.on('message', on_message)
script.load()  # inject the rpc code
ts = int(time.time())
TJH = script.exports.gettjh(d, ts)

直接运行, 看看结果, 成功输出来了:


WX20220307-175048.png

注意到参数d里有很多字段和headers里的参数类似, 猜想应该是一一对应的, 下一步就是理清这些对应关系.


