Readmeapp名称: 6L2m5p2l5LqG

版本号: My45MS4w

环境及工具:macos

objection

frida

加密分析

该app没有抓包限制, 直接charles就可以完整抓包:

url = "https://cdn.api.chelaile.net.cn/bus/line!encryptedLineDetail.action?"

params = {

"astate": "1",

"screenWidth": "1440",

"stats_act": "enter",

"sign": "tO1Sr78pIdUX538kzku2Jg==",

"cshow": "linedetail",

"nw": "WIFI",

"stats_referer": "searchResult",

"lineName": "103",

"language": "1",

"cityId": "045",

"AndroidID": "d136b11ee7404c41",

"mac": "48:db:50:8a:a5:4e",

"localIdCreateTime": "1597570055556",

"lineNo": "103路",

"phoneBrand": "google",

"gps_ts": "1597629672280",

"lchsrc": "icon",

"udid": "97784171-f4e9-4c8f-94cd-1c8f077f7ab9",

"system_push_open": "1",

"lat": "29.802732",

"deviceType": "Nexus 6P",

"geo_type": "gcj",

"push_open": "1",

"o1": "5356f9a6e5097ab9be1b79eefed1e5849ea3a6d9",

"sv": "8.1.0",

"cryptoSign": "684a9de1d38f99481e64758d3c4a549c",

"geo_lac": "49.0",

"lng": "121.479078",

"first_src": "app_wandoujia",

"screenHeight": "2476",

"userAgent": "Mozilla/5.0 (Linux; Android 8.1.0; Nexus 6P Build/OPM1.171019.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/61.0.3163.98 Mobile Safari/537.36",

"vc": "176",

"userId": "unknown",

"isNewLineDetail": "1",

"gpstype": "gcj",

"geo_lt": "2",

"paramsMakeUp": "is",

"s": "android",

"last_src": "app_wandoujia",

"geo_lng": "121.479078",

"geo_lat": "29.802732",

"v": "3.91.0",

"sstate": "3",

"wifi_open": "1",

"imei": "867686021846009",

"stats_order": "1-1",

"screenDensity": "3.5",

"timeStamp": "1597629788182",

"cryptoSignStr": "8b3141731b1739ec07107497b29c43d3",

"dns_error": "1",

}

headers = {

"User-Agent": "Dalvik/2.1.0 (Linux; U; Android 8.1.0; Nexus 6P Build/OPM1.171019.011)",

"Host": "cdn.api.chelaile.net.cn",

"Connection": "Keep-Alive",

"Accept-Encoding": "gzip",

}

经过测试, 有效的校验参数只有sign;

根据r0ysue的逻辑:

逆向永远要站在开发的思路上解决问题

逆向永远要比开发更底层

so, 任何一个开发都不想单独写个方法混淆字符串, 都是被逼无奈, 所以常规操作, 上来先搜字符串;

sign, "sign"的结果都太多了, 最后用的是url地址encryptedLineDetail定位到可以位置 ;

使用objection 监控第一个watch第一个a方法:

android hooking watch class_method dev.xesam.chelaile.sdk.k.b.a.d.a --dump-args --dump-return

手动触发请求, 结果如下:

返回的是一个object, 使用Wallbreaker打印对象的内容, 看看sign是否已经生成:

查找对应的object地址

plugin wallbreaker objectsearch dev.xesam.chelaile.sdk.f.y

打印对应的地址0x4386;

直接打印出sign的内容了,a()方法直接生成了sign;

分析一下a方法的生成逻辑:

该类的构造函数d(Context context, ppVar, z zVar)调用了o.a(this.f30583a), 返回的结果调用了getParams()方法, 跟进去看一下;

整个加密代码都找到了, getParams方法调用了a(), 并将结果赋值给了AppLinkConstants.SIGN也就是sign; a()调用了a(String str, String str2)进行加密, 参数为时间戳和字符串: "" + System.currentTimeMillis()和woqunimalegebi1234567890(真的很有素质) ;

用frida直接hook这个方法, 生成时间戳然后调用即可, 请求的时候带上一样的时间戳就可以保证正常请求了;

返回的response内容是加密的, 解密位置就在发送请求回调的位置:

最后于 2020-9-8 22:07

被lotus*编辑

，原因：