APP逆向案例---xxapp

步骤一

抓个包

其中 m_d、m_e 为加密参数

步骤二（已经看过了，是360加固，我们先脱壳）

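# Author: hluwa <hluwa888@gmail.com>
# HomePage: https://github.com/hluwa
# CreatedTime: 2020/1/7 20:57
"""FRIDA-DEXDump driver (re-flowed from a collapsed paste).

Attaches to a running Android process with Frida, asks the injected
``agent.js`` for memory regions that look like DEX files, reads each
region back and writes it to ``./<package>/<addr>.dex`` on the host,
de-duplicating by MD5.  While one process of the app is being read the
other processes of the same package are paused (SIGSTOP) so that their
memory does not change underneath the reader.
"""
import hashlib
import logging
import os
import random
import subprocess
import sys
import traceback

try:
    from shutil import get_terminal_size
except ImportError:
    # Optional backport; when neither is available the banner is simply skipped.
    try:
        from backports.shutil_get_terminal_size import get_terminal_size
    except ImportError:
        get_terminal_size = None

import click
import frida

logging.basicConfig(
    level=logging.INFO,
    format="%(asctime)s %(levelname)s %(message)s",
    datefmt="%m-%d/%H:%M:%S",
)

# Raw string: the art contains "\_" and "\/" which are not string escapes.
# Line breaks were lost in the pasted copy; the art is re-flowed here.
banner = r"""----------------------------------------------------------------------------------------
  ____________ ___________  ___        ______ _______   _______
 |  ___| ___ \_   _|  _  \/ _ \       |  _  \  ___\ \ / /  _  \
 | |_  | |_/ / | | | | | / /_\ \______| | | | |__  \ V /| | | |_   _ _ __ ___  _ __
 |  _| |    /  | | | | | |  _  |______| | | |  __| /   \| | | | | | | '_ ` _ \| '_ \
 | |   | |\ \ _| |_| |/ /| | | |      | |/ /| |___/ /^\ \ |/ /| |_| | | | | | | |_) |
 \_|   \_| \_|\___/|___/ \_| |_/      |___/ \____/\/   \/___/  \__,_|_| |_| |_| .__/
                                                                                | |
                                                                                |_|
                         https://github.com/hluwa/FRIDA-DEXDump
----------------------------------------------------------------------------------------"""

BANNER_COLORS = ["bright_red", "bright_green", "bright_blue", "cyan", "magenta"]

# A region whose first 4 bytes are not the DEX magic gets a fixed
# "dex\n035\0" header written over its first 8 bytes before saving.
DEX_MAGIC = b"dex\n"
DEX_HEADER_035 = b"dex\n035\x00"


def md5(bs):
    """Return the hex MD5 digest of *bs*; used only to de-duplicate dumps."""
    return hashlib.md5(bs).hexdigest()


def show_banner():
    """Print the ASCII banner in random colours when the terminal is wide enough.

    Purely cosmetic: a missing size helper or any output error is ignored.
    """
    if get_terminal_size is None:
        return
    try:
        lines = banner.splitlines()
        if get_terminal_size().columns < len(lines[1]):
            return
        for line in lines:
            click.secho(line, fg=random.choice(BANNER_COLORS))
    except Exception:  # best effort: the banner must never stop the dump
        pass


def get_all_process(device, pkgname):
    """Return every process on *device* whose name contains *pkgname*.

    Substring match rather than equality — presumably so that helper
    processes named ``<package>:<suffix>`` are dumped and paused as well.
    """
    return [proc for proc in device.enumerate_processes() if pkgname in proc.name]


def search(api):
    """Ask the agent for DEX-looking regions and print one line per hit.

    Args:
        api: the loaded agent script's ``exports``; must provide ``scandex``.

    Returns:
        The list of ``{'addr': ..., 'size': ...}`` dicts ``scandex`` returned.
    """
    matches = api.scandex()
    for info in matches:
        click.secho(
            "[DEXDump] Found: DexAddr={}, DexSize={}".format(info["addr"], hex(info["size"])),
            fg="green",
        )
    return matches


def dump(pkg_name, api, mds=None):
    """Write every DEX region reported by the agent into ``./<pkg_name>/``.

    Args:
        pkg_name: output directory name (the package being dumped).
        api: the agent script's ``exports``; needs ``scandex`` and ``memorydump``.
        mds: MD5 digests already written.  Mutated in place so that repeated
            calls (one per process of the app) share the duplicate filter.

    A failure on one region is reported and the loop continues, so a single
    unreadable range does not abort the whole dump.
    """
    if mds is None:
        mds = []
    out_dir = os.path.join(".", pkg_name)
    for info in api.scandex():
        try:
            bs = api.memorydump(info["addr"], info["size"])
            md = md5(bs)
            if md in mds:
                click.secho("[DEXDump]: Skip duplicate dex {}<{}>".format(info["addr"], md), fg="blue")
                continue
            mds.append(md)
            # exist_ok removes the exists()/mkdir() race of the original.
            os.makedirs(out_dir, exist_ok=True)
            if bs[:4] != DEX_MAGIC:
                bs = DEX_HEADER_035 + bs[8:]
            save_path = os.path.join(out_dir, info["addr"] + ".dex")
            with open(save_path, "wb") as out:
                out.write(bs)
            click.secho(
                "[DEXDump]: DexSize={}, DexMd5={}, SavePath={}/{}/{}.dex".format(
                    hex(info["size"]), md, os.getcwd(), pkg_name, info["addr"]),
                fg="green",
            )
        except Exception as e:  # per-region best effort: report and move on
            click.secho("[Except] - {}: {}".format(e, info), bg="yellow")


def stop_other(pid, processes):
    """Resume *pid* (signal 18) and pause every other process in *processes* (signal 19).

    ``kill`` runs as root through ``adb shell su -c``; on ARM/x86 Linux 18 is
    SIGCONT and 19 is SIGSTOP.  Failures are ignored, so a missing ``su`` or
    ``adb`` only degrades the dump (the other processes keep running).
    """
    for process in processes:
        signum = 18 if process.pid == pid else 19
        try:
            # List form: no host shell is involved, adb receives the device
            # command as a single argument exactly as the quoted original did.
            subprocess.run(
                ["adb", "shell", "su -c 'kill -{} {}'".format(signum, process.pid)],
                check=False,
            )
        except OSError:  # adb not on PATH etc.; best effort as before
            pass


def choose(pid=None, pkg=None, spawn=False, device=None):
    """Pick the process to dump and return ``(pid, package_name)``.

    With neither *pid* nor *pkg* given, the frontmost application is used.
    Otherwise the running process matching the pid or the exact package
    name is returned; with ``spawn=True`` a fresh instance of that package
    is spawned and resumed instead of attaching to the running one.

    Raises:
        Exception: when no frontmost app exists or no process matches
            (and nothing could be spawned).
    """
    if pid is None and pkg is None:
        target = device.get_frontmost_application()
        if target is None:
            raise Exception("No frontmost application on the device")
        return target.pid, target.identifier
    for process in device.enumerate_processes():
        if (pid and process.pid == pid) or (pkg and process.name == pkg):
            if not spawn:
                return process.pid, process.name
            pkg = process.name
            break
    if pkg and spawn and device:
        pid = device.spawn(pkg)
        device.resume(pid)
        return pid, pkg
    # Report whichever selector the caller actually passed (the original
    # always printed `pid`, which is None when only a package was given).
    raise Exception("Cannot find <{}> process".format(pkg if pkg is not None else pid))


def main():
    """Dump the frontmost app's DEX files from every process of its package."""
    show_banner()
    try:
        device = frida.get_usb_device()
    except Exception:  # no USB device: fall back to a frida-server over TCP
        device = frida.get_remote_device()
    if not device:
        click.secho("[Except] - Unable to connect to device.", bg="red")
        sys.exit(1)
    try:
        _pid, pname = choose(device=device)
    except Exception as e:
        click.secho(
            "[Except] - Unable to inject into process: {} in \n{}".format(
                e, traceback.format_tb(sys.exc_info()[2])[-1]),
            bg="red",
        )
        sys.exit(1)
    print(pname)

    # agent.js lives next to this script, not in the current directory;
    # read it once instead of re-opening (and never closing) it per process.
    script_dir = os.path.dirname(sys.argv[0]) or "."
    with open(os.path.join(script_dir, "agent.js"), encoding="utf-8") as fh:
        agent_source = fh.read()

    mds = []  # shared across processes so identical DEXs are written once
    processes = get_all_process(device, pname)
    for process in processes:
        logging.info("[DEXDump]: found target [%s] %s", process.pid, process.name)
        stop_other(process.pid, processes)
        session = device.attach(process.pid)
        try:
            script = session.create_script(agent_source)
            script.load()
            try:
                dump(pname, script.exports, mds=mds)
            finally:
                script.unload()
        finally:
            session.detach()


if __name__ == "__main__":
    main()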

步骤三（脱出来的 dex 文件太多，我们合并一下）

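#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2020/11/11 14:04
# @Author : ywy
"""Run jadx over every dumped ``.dex`` in one directory, all into a shared output tree."""
import os
import sys

path = r'C:\Users\xxx\Desktop\appHOOK\com.zuiai.hh'  # directory holding the dumped dex files
out_path = r'C:\Users\xxx\Desktop\appHOOK\22222'  # jadx output directory shared by every dex

for file in os.listdir(path):
    # Match on the extension.  The original `file.find("dex") > 0` skipped a
    # name that *starts* with "dex" and accepted any other name containing it.
    if not file.endswith(".dex"):
        continue
    dex_path = os.path.join(path, file)
    # The command is a shell string built from directory-listing names, so
    # both paths are quoted.  -j 1: one thread, -r: no resources, -d: out dir.
    sh = f'jadx -j 1 -r -d "{out_path}" "{dex_path}"'
    print(sh)
    os.system(sh)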

步骤四(找hook方法)

怎么找这个参数呢？全局搜索关键字，瞬间就能定位到这里。

步骤五(开始hook)

1.py

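# -*- coding: utf-8 -*-
"""Load hook.js into the running app over a remote frida-server and print what it reports."""
import logging
import sys

import frida

# To find the package name of the foreground window:
#   adb shell dumpsys window w | findstr \/ | findstr name=
logging.basicConfig(level=logging.DEBUG)

TARGET_PACKAGE = "com.zuiai.hh"  # app package name
HOOK_SCRIPT = "hook.js"


def on_message(message, data):
    """Print messages posted by the injected script.

    ``send()`` payloads are shown as ``[*] <payload>``; any other message
    type (for example a script error) is printed raw so it is not lost.
    """
    if message["type"] == "send":
        print("[*] {0}".format(message["payload"]))
    else:
        print(message)


with open(HOOK_SCRIPT, "r", encoding="utf-8") as f:
    sta = f.read()

rdev = frida.get_remote_device()
session = rdev.attach(TARGET_PACKAGE)
print(session)
script = session.create_script(sta)
print(script)
# Register on_message itself; the original defined it but then registered a
# second handler that printed every message raw and left on_message unused.
script.on("message", on_message)
script.load()
# Block until stdin closes so the hooks stay installed.
sys.stdin.read()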

hook.js

Java.perform(function () {
    // Replace the (String, String) overload of `cls.methodName` with a
    // wrapper that prints both arguments, calls the original, prints the
    // result under `label`, and returns that result unchanged.
    function traceStringPair(cls, methodName, label) {
        var overload = cls[methodName].overload('java.lang.String', 'java.lang.String');
        overload.implementation = function (first, second) {
            console.log(first);
            console.log(second);
            var result = this[methodName](first, second);
            console.log(label, result);
            return result;
        };
    }

    var rsa = Java.use("com.yuyh.library.nets.encryption.RSAUtils");
    traceStringPair(rsa, "encryptedDataOnJava", "RSA-加出参--");
    traceStringPair(rsa, "decryptDataOnJava", "RSA-解出参--");

    var aes = Java.use("com.yuyh.library.nets.encryption.AesEncryptUtil");
    traceStringPair(aes, "encrypt", "AES-加出参--");
    traceStringPair(aes, "decrypt", "AES-解出参--");
});

既可以运行上面的 python 代码，也可以直接在控制台运行：frida -U com.zuiai.hh -l C:\Users\xxx\Desktop\appHOOK\hook.js

步骤六(运行看看效果)

步骤七(整理人家请求逻辑,python模拟)

这一步就没必要写了，很简单，主要是给大家看看 hook 的过程。

