喜马拉雅
抓包:
POST /mobile/login/pwd/v3 HTTP/1.1
Cookie: 1&_device=android&fcecf4c4-5ddc-30e3-86b1-6e675f92bfd0&6.6.99;channel=and-f5;impl=com.ximalaya.ting.android;osversion=29;fp=009527657x2022q22564v0500000000000000000000000000000000000000;device_model=Pixel+XL;XUM=QE42JEHB;XIM=;c-oper=%E6%9C%AA%E7%9F%A5;net-mode=WIFI;freeFlowType=0;res=1440%2C2392;NSUP=;AID=52n4bNTYFO4=;manufacturer=Google;XD=Km5MvMFG0TCv2gAzymmOjL1acLKhlAOkHqJsffOT84GAJI1K4ln5xcFGWZnjYfeMk5vyC12sGMCUiENMEw1D7fKtCmETJMFUkL0s2DV2dYiVjyC6I/iOc5TKGQ20njzJ6g3a0ksn4ZytKIPzrR25MA==;umid=aib4168963b895aba807acd8ce2b1745cc;xm_grade=0;minorProtectionStatus=0;domain=.ximalaya.com;path=/;
Cookie2: $version=1
Accept: */*
user-agent: ting_6.6.99(Pixel+XL,Android29)
Content-Type: application/json; charset=utf-8
Content-Length: 555
Host: passport.ximalaya.com
Connection: Keep-Alive
Accept-Encoding: gzip
{"password":"ZF88tOtUILTSPOg7tzVxrA+kKcyVzIgCA0rr7rvMM05N3F3oNA91S+FiSD7UeuIeKIE7axHmzPlG\nhFg0RbACxhAQd6f9ZwoS9uOs+qHxLCv9dtj5vJDSbBMS50QNYX+BY8rbaxGTLvkDlpwaEXshuK+i\nJOkIGlndWpAie8rJX2s\u003d\n","fdsOtp":"6372903416645327812","signature":"1218760e588e8bd964f8bae7bd0754b6be32d7b9","nonce":"0-7ADF04EBBF9Bca0f3f65b34048e5c58fdc6cb041862847fabeed7e150080a1","account":"O/nwZPWcTTxoFxDTB7M7InysC6NmXe89IM3Vh9RC3whE2pOhHkrlSSzhynnEbI4ha9cy4/PamPo8\n9NExHolqlm8jdlKLwrH1F8Q75JfwCyLZOasO7bUvHBCXxOhG8Pzj22wAdLVTUB0N+xBOo45F7VT3\nEmSFH9YI2js013ldJQ0\u003d\n"}
自吐算法HOOK:
RSA/ECB/PKCS1Padding doFinal data Utf8: 16602020168
RSA/ECB/PKCS1Padding doFinal data Hex: 3136363032303230313638
RSA/ECB/PKCS1Padding doFinal data Base64: MTY2MDIwMjAxNjg=
RSA/ECB/PKCS1Padding doFinal result Hex: 3bf9f064f59c4d3c681710d307b33b227cac0ba3665def3d20cdd587d442df0844da93a11e4ae5492ce1ca79c46c8e216bd732e3f3da98fa3cf4d1311e896a966f2376528bc2b1f517c43be497f00b22d939ab0eedb52f1c1097c4e846f0fce3db6c0074b553501d0dfb104ea38e45ed54f71264851fd608da3b34d7795d250d
RSA/ECB/PKCS1Padding doFinal result Base64: O/nwZPWcTTxoFxDTB7M7InysC6NmXe89IM3Vh9RC3whE2pOhHkrlSSzhynnEbI4ha9cy4/PamPo89NExHolqlm8jdlKLwrH1F8Q75JfwCyLZOasO7bUvHBCXxOhG8Pzj22wAdLVTUB0N+xBOo45F7VT3EmSFH9YI2js013ldJQ0=
======================================================= 0 11
Cipher.init('int', 'java.security.Key') is called!
RSA/ECB/PKCS1Padding init Key Utf8: (二进制 DER 编码的公钥，按 UTF-8 解码只会得到乱码，以下面的 Hex / Base64 为准)
RSA/ECB/PKCS1Padding init Key Hex: 30819f300d06092a864886f70d010101050003818d00308189028181009585a4773abeecb949701d49762f2dfab9599ba19dfe1e1a2fa200e32e0444f426da528912d9ea8669515f6f1014c454e1343b97abf7c10fe49d520a6999c66b230e0730c3f802d136a892501ff2b13d699b5c7ecbbfef428ac36d3d83a5bd627f18746a7fdc774c12a38de2760a3b95c653c10d7eb7f84722976251f649556b0203010001
RSA/ECB/PKCS1Padding init Key Base64: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVhaR3Or7suUlwHUl2Ly36uVmboZ3+HhovogDjLgRE9CbaUokS2eqGaVFfbxAUxFThNDuXq/fBD+SdUgppmcZrIw4HMMP4AtE2qJJQH/KxPWmbXH7Lv+9CisNtPYOlvWJ/GHRqf9x3TBKjjeJ2CjuVxlPBDX63+Ecil2JR9klVawIDAQAB
=======================================================
Cipher.init('int', 'java.security.Key', 'java.security.SecureRandom') is called!
Cipher.doFinal('[B', 'int', 'int') is called!
java.lang.Throwable
at javax.crypto.Cipher.doFinal(Native Method)
at com.ximalaya.ting.android.loginservice.LoginEncryptUtil.PDuxkguhSq(Native Method)
at com.ximalaya.ting.android.loginservice.LoginEncryptUtil.encryptByPublicKeyNative(SourceFile:43)
at com.ximalaya.ting.android.loginservice.LoginHelper.encryPsw(SourceFile:12)
at com.ximalaya.ting.android.loginservice.LoginRequest.loginByPsw(SourceFile:304)
at com.ximalaya.ting.android.loginservice.LoginService.login(SourceFile:92)
at com.ximalaya.ting.android.loginservice.LoginService.loginWithPswd(SourceFile:52)
at com.ximalaya.ting.android.login.fragment.BaseLoginFragment.doLoginWithXMLY(SourceFile:347)
at com.ximalaya.ting.android.login.fragment.LoginFragment.a(SourceFile:697)
at com.ximalaya.ting.android.login.fragment.n.run(SourceFile:1)
at org.aspectj.a.b.h.a(SourceFile:229)
at com.ximalaya.commonaspectj.f.b(SourceFile:85)
at com.ximalaya.commonaspectj.f.a(SourceFile:1)
at com.ximalaya.commonaspectj.f.a(SourceFile:24)
at com.ximalaya.ting.android.login.fragment.LoginFragment.onClick(SourceFile:587)
at android.view.View.performClick(View.java:7140)
at android.view.View.performClickInternal(View.java:7117)
at android.view.View.access$3500(View.java:801)
at android.view.View$PerformClick.run(View.java:27351)
at android.os.Handler.handleCallback(Handler.java:883)
at android.os.Handler.dispatchMessage(Handler.java:100)
at android.os.Looper.loop(Looper.java:214)
at com.ximalaya.ting.android.framework.c$1.run(SourceFile:107)
at android.os.Handler.handleCallback(Handler.java:883)
at android.os.Handler.dispatchMessage(Handler.java:100)
at android.os.Looper.loop(Looper.java:214)
at android.app.ActivityThread.main(ActivityThread.java:7356)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
Cipher.init('int', 'java.security.Key') is called!
RSA/ECB/PKCS1Padding init Key Utf8: (二进制 DER 编码的公钥，按 UTF-8 解码只会得到乱码，以下面的 Hex / Base64 为准)
RSA/ECB/PKCS1Padding init Key Hex: 30819f300d06092a864886f70d010101050003818d00308189028181009585a4773abeecb949701d49762f2dfab9599ba19dfe1e1a2fa200e32e0444f426da528912d9ea8669515f6f1014c454e1343b97abf7c10fe49d520a6999c66b230e0730c3f802d136a892501ff2b13d699b5c7ecbbfef428ac36d3d83a5bd627f18746a7fdc774c12a38de2760a3b95c653c10d7eb7f84722976251f649556b0203010001
RSA/ECB/PKCS1Padding init Key Base64: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVhaR3Or7suUlwHUl2Ly36uVmboZ3+HhovogDjLgRE9CbaUokS2eqGaVFfbxAUxFThNDuXq/fBD+SdUgppmcZrIw4HMMP4AtE2qJJQH/KxPWmbXH7Lv+9CisNtPYOlvWJ/GHRqf9x3TBKjjeJ2CjuVxlPBDX63+Ecil2JR9klVawIDAQAB
=======================================================
Cipher.init('int', 'java.security.Key', 'java.security.SecureRandom') is called!
Cipher.doFinal('[B', 'int', 'int') is called!
java.lang.Throwable
at javax.crypto.Cipher.doFinal(Native Method)
at com.ximalaya.ting.android.loginservice.LoginEncryptUtil.PDuxkguhSq(Native Method)
at com.ximalaya.ting.android.loginservice.LoginEncryptUtil.encryptByPublicKeyNative(SourceFile:43)
at com.ximalaya.ting.android.loginservice.LoginHelper.encryPsw(SourceFile:12)
at com.ximalaya.ting.android.loginservice.LoginRequest.loginByPsw(SourceFile:304)
at com.ximalaya.ting.android.loginservice.LoginService.login(SourceFile:92)
at com.ximalaya.ting.android.loginservice.LoginService.loginWithPswd(SourceFile:52)
at com.ximalaya.ting.android.login.fragment.BaseLoginFragment.doLoginWithXMLY(SourceFile:347)
at com.ximalaya.ting.android.login.fragment.LoginFragment.a(SourceFile:697)
at com.ximalaya.ting.android.login.fragment.n.run(SourceFile:1)
at org.aspectj.a.b.h.a(SourceFile:229)
at com.ximalaya.commonaspectj.f.b(SourceFile:85)
at com.ximalaya.commonaspectj.f.a(SourceFile:1)
at com.ximalaya.commonaspectj.f.a(SourceFile:24)
at com.ximalaya.ting.android.login.fragment.LoginFragment.onClick(SourceFile:587)
at android.view.View.performClick(View.java:7140)
at android.view.View.performClickInternal(View.java:7117)
at android.view.View.access$3500(View.java:801)
at android.view.View$PerformClick.run(View.java:27351)
at android.os.Handler.handleCallback(Handler.java:883)
at android.os.Handler.dispatchMessage(Handler.java:100)
at android.os.Looper.loop(Looper.java:214)
at com.ximalaya.ting.android.framework.c$1.run(SourceFile:107)
at android.os.Handler.handleCallback(Handler.java:883)
at android.os.Handler.dispatchMessage(Handler.java:100)
at android.os.Looper.loop(Looper.java:214)
at android.app.ActivityThread.main(ActivityThread.java:7356)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
RSA/ECB/PKCS1Padding doFinal data Utf8: password777
RSA/ECB/PKCS1Padding doFinal data Hex: 70617373776f7264373737
RSA/ECB/PKCS1Padding doFinal data Base64: cGFzc3dvcmQ3Nzc=
RSA/ECB/PKCS1Padding doFinal result Hex: 645f3cb4eb5420b4d23ce83bb73571ac0fa429cc95cc8802034aebeebbcc334e4ddc5de8340f754be162483ed47ae21e28813b6b11e6ccf94684583445b002c6101077a7fd670a12f6e3acfaa1f12c2bfd76d8f9bc90d26c1312e7440d617f8163cadb6b11932ef903969c1a117b21b8afa224e9081a59dd5a90227bcac95f6b
RSA/ECB/PKCS1Padding doFinal result Base64: ZF88tOtUILTSPOg7tzVxrA+kKcyVzIgCA0rr7rvMM05N3F3oNA91S+FiSD7UeuIeKIE7axHmzPlGhFg0RbACxhAQd6f9ZwoS9uOs+qHxLCv9dtj5vJDSbBMS50QNYX+BY8rbaxGTLvkDlpwaEXshuK+iJOkIGlndWpAie8rJX2s=
自吐之后可以看到，请求里的 account（手机号 16602020168）和 password（password777）都是经过 RSA/ECB/PKCS1Padding 加密后再提交的，而使用的 RSA 密钥是客户端内置的公钥，hook Cipher.init 时直接就能拿到。从 DER 头 `30 81 9f … 02 81 81 00 …` 可以看出这是一把 1024 位的 RSA 公钥，PKCS#1 v1.5 填充本身带随机数，所以同一明文每次加密得到的密文并不相同。需要注意：拿到的只是公钥，这让我们可以自己构造合法的登录请求，但并不能解开抓包里的密文（那需要服务端私钥）；请求体里的 nonce、fdsOtp、signature 等字段才是服务端用来限制重放的手段（具体如何校验要看服务端）。
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVhaR3Or7suUlwHUl2Ly36uVmboZ3+HhovogDjLgRE9CbaUokS2eqGaVFfbxAUxFThNDuXq/fBD+SdUgppmcZrIw4HMMP4AtE2qJJQH/KxPWmbXH7Lv+9CisNtPYOlvWJ/GHRqf9x3TBKjjeJ2CjuVxlPBDX63+Ecil2JR9klVawIDAQAB
我们通过函数定位可以直接去定位到对应的代码段
at com.ximalaya.ting.android.loginservice.LoginEncryptUtil.PDuxkguhSq(Native Method)
是一个Native的SO层的函数了
SO层逆向
从函数的执行流可以看出程序使用了 OLLVM 混淆（典型表现是控制流被平坦化、充满无意义的分支）；再看 SO 层传入 Java 层的 Native 函数，发现传给 Java 的字符串在静态视图下也是加密的，只在运行时才解密。
那我们要怎么去查看对应传入的字符串是什么呢?
- 地址 HOOK：直接用 Frida 在 so 层按地址 hook（例如字符串解密函数的返回点），把寄存器/内存里的明文打印出来
缺点是要先逆向出每一个解密点的地址再逐个 hook，工作量大，而且地址随版本变化需要重新定位
- JNI函数的HOOK
JNI函数HOOK插件jnitrace
https://github.com/chame1eon/jnitrace
使用方法:
-R <host>:<port> 用于指定远程 Frida 服务器的网络位置。如果未指定 <host>:<port>，则默认使用 localhost:27042。
-m <spawn|attach> 用于指定 Frida 的注入方式，可以是 spawn 或 attach。spawn 是默认且推荐的选项（在进程启动时注入，能抓到初始化阶段的 JNI 调用）；attach 则附加到已经运行的进程。
-b <fuzzy|accurate|none> 用于控制回溯（backtrace）输出。默认情况下 jnitrace 以 accurate 模式运行回溯器；可以用此选项改为 fuzzy 模式，或用 none 关闭回溯。两种模式的区别请参阅 Frida 文档。
-i <regex>- 用于指定应跟踪的方法名称。这有助于减少特别大型 JNI 应用中的噪音。该选项可以多次提供。例如,-i Get -i RegisterNatives将仅包含名称中包含 Get 或 RegisterNatives 的 JNI 方法。
-e <regex>- 用于指定应在跟踪中忽略的方法名称。这有助于减少特别大型 JNI 应用中的噪音。该选项可以多次提供。例如,-e ^Find -e GetEnv将从结果中排除所有以 Find 开头或包含 GetEnv 的 JNI 方法名称。
-I <string> 用于指定应跟踪的库导出函数。当你只想跟踪某个库里的少量方法时很有用。jnitrace 所说的"导出函数"是任何可以从 Java 端直接调用的函数，包括通过 RegisterNatives 绑定的方法。该选项可以多次提供。例如，-I stringFromJNI -I nativeMethod([B)V 会包含导出符号 Java_com_nativetest_MainActivity_stringFromJNI 的调用，以及通过 RegisterNatives 绑定、签名为 nativeMethod([B)V 的方法。
-E <string> 用于指定不应跟踪的库导出函数。当你想忽略一组调用频繁的 native 函数时很有用。同样，"导出函数"包括通过 RegisterNatives 绑定的方法。该选项可以多次提供。例如，-E JNI_OnLoad -E nativeMethod 会从跟踪中排除 JNI_OnLoad 的调用以及任何名为 nativeMethod 的方法。
-o path/output.json- 用于指定jnitrace存储所有跟踪数据的输出路径。信息以 JSON 格式存储,以便以后对跟踪数据进行后处理。
-p path/to/script.js- 提供的路径用于在jnitrace脚本加载之前将 Frida 脚本加载到目标进程中。这可用于在jnitrace启动之前击败反 Frida 或反调试代码。
-a path/to/script.js- 提供的路径用于在jnitrace加载后将 Frida 脚本加载到目标进程中。
--hide-data- 用于减少控制台中显示的输出量。此选项将隐藏显示为十六进制转储或字符串反引用的其他数据。
--ignore-env- 使用此选项将隐藏应用程序使用 JNIEnv 结构进行的所有调用。
--ignore-vm- 使用此选项将隐藏应用程序使用 JavaVM 结构进行的所有调用。
--aux <name=(string|bool|int)value>- 用于在生成应用程序时传递自定义参数。例如,--aux='uid=(int)10'将为用户 10 而不是默认用户 0 生成应用程序。
最常使用的命令，按照附加（attach）的方式来进行（-l <库名> 指定要跟踪的 so，上面的选项列表里没有列出，可以多次提供）：
jnitrace -m attach -l liblogin_encrypt.so com.ximalaya.ting.android -o .\out.json
这个插件 hook 的是 JNI 函数。so 层的代码可能被混淆，导致关键函数看不清楚，但 so 层的加密最终还是要通过 JNI 函数在 C/C++ 与 Java 的数据类型之间转换，所以直接 hook JNI 函数（JNIEnv / JavaVM 的各个入口）也能了解大致的执行流程。需要注意它只能看到经过 JNIEnv/JavaVM 的调用：如果 so 层完全用 C/C++ 自己实现加密、不回调 Java，那么 JNI 层只能看到入参和返回值，看不到中间过程。
部分JSON的输出:
[
{
"struct": "JNIEnv",
"method": {
"name": "NewStringUTF",
"args": [
"JNIEnv*",
"char*"
],
"ret": "jstring"
},
"thread_id": 17066,
"timestamp": 1565,
"backtrace": [
{
"address": "0xbd1260df",
"module": {
"name": "liblogin_encrypt.so",
"base": "0xbd122000",
"size": 57344,
"path": "/data/app/com.ximalaya.ting.android-h0ODZtd-h4A7yO2l2eCojw==/lib/arm/liblogin_encrypt.so"
},
"symbol": {
"address": "0xbd1260df",
"name": "Java_com_ximalaya_ting_android_loginservice_LoginEncryptUtil_PDuxkguhSq+0x1a",
"moduleName": "liblogin_encrypt.so",
"fileName": "",
"lineNumber": 0
}
}
],
"args": [
{
"value": "0xf3889140"
},
{
"value": "0xbd12f870",
"data": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVhaR3Or7suUlwHUl2Ly36uVmboZ3+HhovogDjLgRE9CbaUokS2eqGaVFfbxAUxFThNDuXq/fBD+SdUgppmcZrIw4HMMP4AtE2qJJQH/KxPWmbXH7Lv+9CisNtPYOlvWJ/GHRqf9x3TBKjjeJ2CjuVxlPBDX63+Ecil2JR9klVawIDAQAB"
}
],
"ret": {
"value": "0x75"
},
"java_params": []
},
{
"struct": "JNIEnv",
"method": {
"name": "NewStringUTF",
"args": [
"JNIEnv*",
"char*"
],
"ret": "jstring"
},
"thread_id": 17066,
"timestamp": 1872,
"backtrace": [
{
"address": "0xbd122b93",
"module": {
"name": "liblogin_encrypt.so",
"base": "0xbd122000",
"size": 57344,
"path": "/data/app/com.ximalaya.ting.android-h0ODZtd-h4A7yO2l2eCojw==/lib/arm/liblogin_encrypt.so"
},
"symbol": {
"address": "0xbd122b93",
"name": "0xb93",
"moduleName": "liblogin_encrypt.so",
"fileName": "",
"lineNumber": 0
}
}
],
"args": [
{
"value": "0xf3889140"
},
{
"value": "0xbd12f055",
"data": "RSA"
}
],
"ret": {
"value": "0x89"
},
"java_params": []
},
{
"struct": "JNIEnv",
"method": {
"name": "FindClass",
"args": [
"JNIEnv*",
"char*"
],
"ret": "jclass"
},
"thread_id": 17066,
"timestamp": 1885,
"backtrace": [
{
"address": "0xbd122ba5",
"module": {
"name": "liblogin_encrypt.so",
"base": "0xbd122000",
"size": 57344,
"path": "/data/app/com.ximalaya.ting.android-h0ODZtd-h4A7yO2l2eCojw==/lib/arm/liblogin_encrypt.so"
},
"symbol": {
"address": "0xbd122ba5",
"name": "0xba5",
"moduleName": "liblogin_encrypt.so",
"fileName": "",
"lineNumber": 0
}
}
],
"args": [
{
"value": "0xf3889140"
},
{
"value": "0xbd12f060",
"data": "java/security/KeyFactory"
}
],
"ret": {
"value": "0x99",
"metadata": "java/security/KeyFactory"
},
"java_params": []
},
部分cmd输出:
/* TID 17812 */
1962 ms [+] JNIEnv->NewStringUTF
1962 ms |- JNIEnv* : 0xf3889140
1962 ms |- char* : 0xb61ea870
1962 ms |: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVhaR3Or7suUlwHUl2Ly36uVmboZ3+HhovogDjLgRE9CbaUokS2eqGaVFfbxAUxFThNDuXq/fBD+SdUgppmcZrIw4HMMP4AtE2qJJQH/KxPWmbXH7Lv+9CisNtPYOlvWJ/GHRqf9x3TBKjjeJ2CjuVxlPBDX63+Ecil2JR9klVawIDAQAB
1962 ms |= jstring : 0x75
1962 ms ----------------------------------------------------------Backtrace----------------------------------------------------------
1962 ms |-> 0xb61e10df: Java_com_ximalaya_ting_android_loginservice_LoginEncryptUtil_PDuxkguhSq+0x1a (liblogin_encrypt.so:0xb61dd000)
/* TID 17812 */
2245 ms [+] JNIEnv->NewStringUTF
2245 ms |- JNIEnv* : 0xf3889140
2245 ms |- char* : 0xb61ea055
2245 ms |: RSA
2245 ms |= jstring : 0x89
2245 ms ---------------------------------Backtrace---------------------------------
2245 ms |-> 0xb61ddb93: liblogin_encrypt.so!0xb93 (liblogin_encrypt.so:0xb61dd000)
/* TID 17812 */
2254 ms [+] JNIEnv->FindClass
2254 ms |- JNIEnv* : 0xf3889140
2254 ms |- char* : 0xb61ea060
2254 ms |: java/security/KeyFactory
2254 ms |= jclass : 0x95 { java/security/KeyFactory }
2254 ms ---------------------------------Backtrace---------------------------------
2254 ms |-> 0xb61ddba5: liblogin_encrypt.so!0xba5 (liblogin_encrypt.so:0xb61dd000)
/* TID 17812 */
2263 ms [+] JNIEnv->GetStaticMethodID
2263 ms |- JNIEnv* : 0xf3889140
2263 ms |- jclass : 0x95 { java/security/KeyFactory }
2263 ms |- char* : 0xb61ea079
2263 ms |: getInstance
2263 ms |- char* : 0xb61ea090
2263 ms |: (Ljava/lang/String;)Ljava/security/KeyFactory;
2263 ms |= jmethodID : 0x7036fae8 { getInstance(Ljava/lang/String;)Ljava/security/KeyFactory; }
2263 ms ---------------------------------Backtrace---------------------------------
2263 ms |-> 0xb61ddbc1: liblogin_encrypt.so!0xbc1 (liblogin_encrypt.so:0xb61dd000)
/* TID 17812 */
2271 ms [+] JNIEnv->CallStaticObjectMethod
2271 ms |- JNIEnv* : 0xf3889140
2271 ms |- jclass : 0x95 { java/security/KeyFactory }
2271 ms |- jmethodID : 0x7036fae8 { getInstance(Ljava/lang/String;)Ljava/security/KeyFactory; }
2271 ms |: jstring : 0x89
2271 ms |= jobject : 0xa9 { java/security/KeyFactory }
2271 ms ---------------------------------Backtrace---------------------------------
2271 ms |-> 0xb61ddbd3: liblogin_encrypt.so!0xbd3 (liblogin_encrypt.so:0xb61dd000)
/* TID 17812 */
2281 ms [+] JNIEnv->ExceptionCheck
2281 ms |- JNIEnv* : 0xf3889140
2281 ms |= jboolean : 0 { false }
这里看来其实Cmd看着更顺眼。
从这里可以直接看到 so 层调用了哪些 JNI 函数：它先用 NewStringUTF 把内置的公钥字符串和 "RSA" 传给 Java，再 FindClass java/security/KeyFactory 并调用 getInstance。也就是说 so 本身只负责保存/解密公钥并拼装参数，真正的 RSA 运算仍然是回调 Java 层的 KeyFactory / Cipher 完成的——这也是为什么前面在 Java 层 hook Cipher.doFinal 就能直接看到明文。
- so文件的dump
我们可以在 so 文件执行加密（字符串已在内存中解密）之后，直接把它在内存中的镜像 dump 下来使用
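/**
 * Dump the in-memory image of a loaded native library into the app's
 * private files directory, so it can be inspected after any runtime
 * string decryption has already happened.
 *
 * Output path: <filesDir>/<name>_<base>_<size>.so, e.g.
 *   /data/user/0/com.ximalaya.ting.android/files/liblogin_encrypt.so_0xbc504000_0xe000.so
 *
 * The dump covers the whole [base, base+size) range of the module. Only the
 * ranges that are currently readable are copied; unreadable or unmapped gaps
 * are left zero-filled instead of faulting the target process. No page
 * protections are changed. The result is a raw memory layout, not a loadable
 * ELF: run it through SoFixer (or similar) before opening it in IDA.
 *
 * @param {string} so_name  module name as loaded in the process, e.g. "liblogin_encrypt.so"
 * @throws if the module is not loaded (Process.getModuleByName) or the
 *         output file cannot be created (new File)
 */
function dump_so(so_name) {
    // Java.perform is only needed for the ActivityThread lookup below; the
    // Process / Module / File calls are plain Frida APIs.
    Java.perform(function () {
        var app = Java.use("android.app.ActivityThread").currentApplication();
        // e.g. /data/data/<pkg>/files — writable by the app without extra permissions
        var dir = app.getApplicationContext().getFilesDir().getPath();
        console.log("[dir]:", dir);

        var libso = Process.getModuleByName(so_name);
        console.log("[name]:", libso.name);
        console.log("[base]:", libso.base);
        console.log("[size]:", ptr(libso.size));
        console.log("[path]:", libso.path);

        // Assemble the image range by range instead of Memory.protect(base, size, 'rwx')
        // followed by a single read over the whole module. A dump only needs read
        // access; granting rwx to the entire module is far more than necessary, may be
        // refused on hardened devices, and the original ignored the return value and
        // then read straight through any gap that was not mapped.
        var image = new Uint8Array(libso.size);
        var moduleEnd = libso.base.add(libso.size);
        libso.enumerateRanges("r--").forEach(function (range) {
            // clamp the range to the module so the offset into `image` stays in bounds
            var start = range.base.compare(libso.base) < 0 ? libso.base : range.base;
            var end = range.base.add(range.size);
            if (end.compare(moduleEnd) > 0) {
                end = moduleEnd;
            }
            var len = end.sub(start).toInt32();
            if (len <= 0) {
                return;
            }
            var chunk = start.readByteArray(len);
            if (chunk === null) {
                console.log("[warn]: unreadable range", start, "+", ptr(len), "left zero-filled");
                return;
            }
            image.set(new Uint8Array(chunk), start.sub(libso.base).toInt32());
        });

        var file_path = dir + "/" + libso.name + "_" + libso.base + "_" + ptr(libso.size) + ".so";
        var file_handle = new File(file_path, "wb");
        try {
            file_handle.write(image.buffer);
            file_handle.flush();
        } finally {
            // release the handle even if write() throws, so a failed dump does not leak it
            file_handle.close();
        }
        console.log("[dump]:", file_path);
    });
}
dump_so("liblogin_encrypt.so");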
SO修复
这里我直接使用的SOfixer来进行的SO文件的修复
sofixer -s soruce.so -o fix.so -m 0x0 -d
-s 待修復的so路徑
-o 修復後的so路徑
-m 内存 dump 时的基地址（十六进制，例如 0xABC）。一般应填 dump 文件名里记录的那个 base（上例为 0xbc504000），它用于把内存中已经重定位的绝对地址换算回文件偏移；上面的例子填 0x0 能否修复正确取决于 SoFixer 的处理方式，修复后如果 IDA 里段/重定位不对，先检查这个参数
-d 輸出debug信息
然后再用 IDA 分析修复后的 so 就会发现，原来被加密的字符串已经是明文了——因为 dump 的是运行时内存镜像，字符串在 dump 之前就已经被解密并写回内存，只要 dump 的时机晚于解密即可
Sign
signature 是对传入参数做 SHA-1 得到的结果（抓包里的 signature 为 40 个十六进制字符，即 160 位，与 SHA-1 输出长度一致），使用的是标准 SHA-1，不是加密而是哈希；具体参与计算的字段和拼接顺序这里没有展开，需要自行在 Java 层 hook MessageDigest 确认。另外，如果计算时没有混入任何客户端之外不可知的密钥，那么这个 signature 只能校验参数完整性，任何人都可以重新计算，起不到防伪造的作用。