Android reverse engineering: hooking the tzRgz52a signature field of the NMPA (National Medical Products Administration) app with Xposed

While learning Android reverse engineering recently, I took a look at the NMPA app and found that it applies data-protection measures to its traffic. This article mainly describes the process of hooking the app's signature parameter tzRgz52a; the other parameters can, of course, be hooked in the same way. This article is for learning and discussion only; please do not use it for any other purpose.

I. Environment and tools

Environment: Windows 10

Devices: LDPlayer (雷电模拟器) Android emulator, Google Pixel

Hook framework: Xposed

Instrumentation tool: Frida

IDE: Android Studio

Decompiler: jadx

Packet capture: Charles

Analyzed app: NMPA apk (version 5.0.2)

II. Workflow

1. Capture and analyze the traffic. Install the app on the emulator, configure the emulator's VPN proxy, open Charles, and operate the app on the emulator so that it makes network requests; then inspect the captured packets in Charles.

2. Check for packing. Run a packer-detection tool against the app to see which packer, if any, was used; if the app is packed, it must be unpacked first. Apps from large vendors are rarely packed, though.

3. Decompile the app with jadx to obtain the relevant code. Note that the decompiled code is not always entirely correct.

4. Using the key information obtained from the packet capture, search the jadx-decompiled code for the key field names to locate the relevant code.

5. Write JavaScript code and use Frida to instrument the emulator's (or the phone's) process memory and probe it.

6. Once the key code is found, use Xposed to hook out the key field and develop a plugin that exposes it as a service for the crawler code to call.

III. Walkthrough

1. Packet capture

List page

GET /datasearch/QueryList?tableId=25&searchF=Quick%20SearchK&pageIndex=1&pageSize=15 HTTP/1.1
Accept-Language: zh-CN,zh;q=0.8
User-Agent: Mozilla/5.0 (Linux; U; Android 7.1.2; zh-cn; SM-G9750 Build/N2G47O) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Connection: close
Host: mobile.nmpa.gov.cn
Accept-Encoding: gzip
tzRgz52a: BmxwOU2UhC12Dt-N50GA3kiMzcuhUL7Ldt5Z8nP30nWvVOUFqlbMhL8bov1sNpssiUISOPkVNI6lU5X2mshBt1vTVoiluMzUncKjP9v9OO-v54uR-HLAEAOrYV42WBp5FrTVvb_xAqAj8-wKWw45vWTggoX-aEqwi6J7yt8GMhc7deCHZOB6im18PG6wDiaK9f5zO8yM.saaDbYAfLVgzrtSceik5Rj8xLvYSIluX102B3238Z8NeFyz7PuanH8ux-tZELQ5RvMnQP9ZbHNkL_3KZsfpxcLpyx0KAyN6lAUCTAoa-PSQkJslc19TklAphLvbI6X0akwgP_V1rhVo8-3LumElWqsiyt6GGel9dOIQ6FP1AAtGAPUp4ggIzxVnexP91xnlGPALs0kPnrTz596oy8QM6kfUGl6Y71pk7sJVdPRKsBZWRvnLfR8P0ZE6-f03Hh8Xo1gKDDwEJhfDnl-2_WvcJrlPnfLY_T9O47SIfO0Xg0QBaZ2LEQCkRd_vynZh7jRiNJkTDdsDxYsEMtjCBrNZXWuZxku_0f4wLufZfNGWfxYVV-kzof_kOahjhr_N8Gn8t4nxPd7a-dnyyNuM64Tj_-8job8aFPZHzGgfGcq0mUqyVlLTD_OSDaWfyzE9SfAMSiMdR6ROhduzkLgP3eeMi9B6MLbaSaJgr0yDmwk0wJim3KpAmDc1rXp9uwyNO07Q30R
Connection: close
Cache-Control: no-cache

Detail page

GET /datasearch/QueryRecord?tableId=25&searchF=ID&searchK=108891 HTTP/1.1
Accept-Language: zh-CN,zh;q=0.8
User-Agent: Mozilla/5.0 (Linux; U; Android 7.1.2; zh-cn; SM-G9750 Build/N2G47O) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Connection: close
Host: mobile.nmpa.gov.cn
Accept-Encoding: gzip
tzRgz52a: BzkjBH5HuP45Qg-A83TN6xvZmphuHY0Yqg8M1aC63aJiIBHSdyoZuY1obi4fAcffvHVFBCxIAV9yH8K5zfuOg4iGIbvyhZmHapXwC2i2BB-i87hE-UYNRNBeLI75JOc8SeGIio_kNdNw1-jXJj78iJGttbK-nRdjv9W0lg1TZup0qrPUMBO9vz41CT9jQvnX2s8mB1lZ.fnAdUOs1xRPlS518mTXa6TkatGnwXkRPlzic841YEsXQs8DFCIPK67P53jXHvZwv7V0J4RQ5LrVrUt9z2fdJxDpbzAWiAUYfbyGQ6noK4TiRr8_3LRkspMXLuebVHU6uDNMZQmo3z8d01Nymn7o28BFYS6xuXg_Aoc71e7iLz5mUG4Sg2R1fWaqHFryTJdCw0auxe7sQGYSK5ClJPATN3GQNpeBIAI0a9Slqlv0gdk7gJPjVDHVi_bq25pFzuUwQvJSaV_FKK7JD2EOwPUe2pyFiY9RmRB7sXQQZFCza0x7pX7uoYjQK5EUFn9DAcP6pSs9DdmEBFqPLH8bQcaAE7rnsT2PtggYvEmuiyWpTgxoK1vCqaTe3niJna3vQ53yzflVlMnH7t9FIFaWageae7nUfYzjd6i-485iA71sbFpgTINYQqpGPmJKirb3eYPG_ZHJZArzDYxv9L0YAkZfLVa5zYISD0z0Czyi9zEymtgwG_7zSSWz505PTri42252545
Connection: close
Cache-Control: no-cache

2. Packer check

Unpacked with frida-dump.

3. Decompilation

4. Keyword search

Searching for the keyword tzRgz52a here finds no matching code, so instead you have to search for other keywords from the network request and then trace the analysis back to the place where tzRgz52a is generated. This signature field is generated at runtime and is not hard-coded anywhere in the code, which is why a direct search finds nothing.

5. Instrumentation probing

[-->]    result:  tzRgz52a
[-->]    result:  BmxwOU2UhC12Dt-N50GA3kiMzcuhUL7Ldt5Z8nP30nWvVOUFqlbMhL8bov1sNpssiUISOPkVNI6lU5X2mshBt1vTVoiluMzUncKjP9v9OO-v54uR-HLAEAOrYV42WBp5FrTVvb_xAqAj8-wKWw45vWTggoX-aEqwi6J7yt8GMhc7deCHZOB6im18PG6wDiaK9f5zO8yM.salhGurqYYq3ORk_ykh0UnYyESx5D_eS0XHIUlmHSGivkRq5fC_Phe9DDdU9WXJXs8YPBK8t0E_0yyDPjuX36cDuBpZcrVoB9FlM2YktwqDfGteSrdtd7VvWjiL3lpLVxX73ugKz5X37kd1yKA3YLP8wLI-JE3visnBaLoL0vXRJLC2o9DptisZgJTU99GLea646iMD5A7E1llX--48y2eJafl71rkJM5r5e1Vadcr_0x5h0IUBDftGAkxuUcYGwYSVFhHnzsSFIVEbdCLlT9edO8pqD6-dO9yvHJbg6zN_UUSma3xuJnRDQuBTpnIThINAqd-3TWPsNIQuinwmMQqqJdf0htaDtOALPbBypo7QNx0rnO-R8vr-5RvFd-HLXJlYLkEntuCvpwMLB_sp2rOcimcI5gaJph1C8cBN5Y0ooXA2k16u7GjI6Nt1B_-6eCpeDcb-d6oBFAkb-SPJZ-9NFV_zIy2VuPrIcTfrSthab0aS_4o8mpawZI-R7P9MQNO
[-->]    result:  tzRgz52a
[-->]    result:  BrcbTZ7ZmH67Iy-S05LF8pnRehzmZQ2Qiy0E3sU85sBaATZKvqgRmQ3gta6xSuxxnZNXTUpASN1qZ0C7rxmGy6aYAtnqzReZshPoU4a4TT-a09zW-MQFJFTwDA97BGu0KwYAag_cFvFo3-bPBb90aBYlltC-fJvbn1O2dy3LRmh2ijHMETG1nr63UL1bInfP4k0eT3dR.xfnW2wSqDiMpeylqGKBpqcIvpIcK-1Kc5dMMIvsF_DNTDyWpJvZdiV84NqtSFJ-Xu0XCPTQr9BT7COXXwg_xG-xrMEMctq036XmdBizzO205DtCGQCVf2uptTzncDM9rUZP14psQ0n7dLQg95YnR2G4rQlOUx7hoR7PDEisBPy9SafmfBjj0Ow2z_ERIRUPXzxHwaAkT-KI_aNoXI1rWzKIdRccNPzGriBtG3sm4YzepCM5wZ2ID4gBXASNkAvi8fP03BpKWy9_N5eF68O1g0QQcF1JZAdbxlxA0z0qsDuCxWWiU0NLgNpBNMl4NUvSnaDXeEtFql5N6OHwcH8yWQ7zDfl6_fLPcP1fcJXSE9_uBbnqwoTHAl2QxPIlF0wsYw-ffMKrAJUIGY_l0Ff0EDB4vGgGVyOTzewqZOJRqO2hJROJFu9RYMGy56nIdwS6POPpwKH-0wsJye8l1iwj00JMVHHJlHq9fD6Oe1dBNpBaIKJqFkfXytHkuKoW7379W4U
[-->]    result:  tzRgz52a
[-->]    result:  BfqpHN5NaV45Wm-G83ZT6dbFsvnaNE0Ewm8S1gI63gPoOHNYjeuFaE1uho4lGillbNBLHIdOGB9eN8Q5flaUm4oMOhbenFsNgvDcI2o2HH-o87nK-AETXTHkRO75PUi8YkMOou_qTjTc1-pDPp78oPMzzhQ-tXjpb9C0rm1ZFav0wxVASHU9bf41IZ9pWbtD2y8sH1rF.ltWUaLmtRLbIzdaqlyrJiOMN08937_10PseVWVmRfDuVqTFOK3wjZ0-iekAHNobM5SOR7QN5dovz5HefAt-LThpSghkDiMIXtiYf9d56OWOlBy45Pdaet_g9BWm5hxGGd7mr-p-1ROEejBWlgALn-syu5gB7nV7ZNyLMV1we10XM3msXEsZKK5kNcmRHeDfuj9Yxh95VzFAhsYGnvtPpo_AK_QZsKMsvrU-CXGZFvP30b3vWNfe2S-t-f_QMvDpq5linCX3NJLqFjiJOXYl5CIxB7lj5yJr3MOkpLGfjK7nLqs6FgIy_Y5-PyHy0DXZB2t1S6wVarzXO7Ikc-KPPynsZbh5fUOS4l8Cwq_RyaceHJsJLEjPzsB6DCivcQ1-aMiigMhijp7H5xA1d6ar_sm-7CXUps4SyXjo3yTh_nPUGzh3dN_uvAF8_XZ6g5gfY72MpcJPPWtlP0juLEcN9h-RDyu_DrrrlIHcUlX7RwAuXhv-zb0tEg4PYwpG95G0G52

6. Writing the Xposed plugin

The plugin is written in Android Studio.

IV. Analysis results

BrxtTF-ZqaJgc7p3AgHU4aSc6AlVw8T_TmqYB_-RqqgsluIUDDAaQ73joLVzWHd8MvsuIfgy0Kguo3GR36E9bIzMM4mf6j7oiILfPzGVdJ4Z5wh3cS7CetNivWXQK2qFC32Z1mtxbC8EJhZhc5lnb-x7RVbEpn7eOJmpzzqricwKThfsMfNuXABeSHY0vxfT05YnJ94Eb1weV1VsyKD_Ssyte2MdcKPFB9qjwiGB3Tw09jf7-6b0Yo3e6LhSlXFDalsqBeJLPuJ7cZOMv78PAu_4MJz7EeMu9u_ygVwzCp5L5iY_emK8yj4Yuws8myij664lx4k4_Zt8uvrONLJQ_TOmAjv8Qj7GXCTmPCJacm2bdJpuxY5wFCuY45q9-u2Km0lREVGCnDfdICuKvwTrO06JIsBvg901C1mkBhU8ncHTUUNKCVi_vE2jiX-UDY2_lLSgoDaA2-FXUk8iEvNSZdFxxeCXHa9w-IY0VAnW08uTe0EjImYCZn8TyeBgxAeNlPlwC7hD6wGDAoZAX14XA0QGLdAYc_oVAt1AlCIyKjtRv6bAxKNho6_U7eEAC7dK7T4rqYBrA86YB1dcmbMWSwdfsjPdQ1X39ACLZ2NTUfvq4o8N3Y52NtDyujMdEdy4-kCqJ5wm_afyvUU2THWCIFMxQwNbcnwdxJw7oyEkWz5lTPM5CU7f6zP4R24V5S5

BqwsSE-YpzIfb6o2ZfGT3zRb5ZkUv7S_SlpXA_-QppfrktHTCCZzP62inKUyVGc7LurtHefx9Jftn2FQ25D8aHyLL3le5i6nhHKeOyFUcI3Y4vg2bR6BdsMhuVWPJ1pEB21Y0lswaB7DIgYgb4kma-w6QUaDom6dNIloyypqhbvJSgerLeMtWZAdRGX9uweZUTSpSz9TY0FSSn7lGvq3aBl-cq0tZGq2cScUyPiI3Y6JV4m_Dr83VhmpFXRQQ6F-3WZw6TKsmM5oVb7ZQ2JErYx5R4dh6rFXbSnUE-JxOkUEY-nws2gTfexEXc8V2UBtGkEDMlCcZRvJi87GHrsJf8x98UdJ8LewMx7n0SwPHfRRqk4bEGXyErSG5ww5ruP4UOvjo6tRR0xFOPOUHC25--FZOQKcdx0VLPT4d6uR2DtV1sapiZx0W8Kqq6ibpoZo-z2PXDITlLNPtxYjdRedM_JRe15_kQkgDH5PZxAn8CmR3SdsaNFtOEj7Gx76Kw1DtSN4tJoJkv0b01vwnleSYlC4doUMq82FwWXqa8V8cKEXbDg1oHsaSfGjm3N2MaUKS074oOwR_Z8MS3oor8tWB8_9nKNygVqPz4hRX1eQ2HZQSulJAaTMg-gscUE-4PwrJr3vcH5sKORJthlpdh5gTXKm16rE2_FOtX6-NLfHSe8Am8a_JIn7hIS80306362

Of course, the other parameters in the request headers can be obtained in the same way.

This article is for learning and discussion only; please do not use it for any other purpose. Technical support: QQ 3165845957


Reposted from blog.csdn.net/someby/article/details/108895700