Android app reverse engineering: analysis of the x-sign, x-sgext, x_mini_wua and x_umt encryption parameters

Reversing a fresh-food platform app on Android

This article is for learning and communication only; commercial use is prohibited.

1. Background

The encryption version currently used by Ali-family apps is 6.3. Almost everyone has solved 6.2 by now, but there is very little material online about 6.3, so here we go through how the 6.3 signature parameters are obtained.

1. This signing scheme is shared across Ali apps, with four encryption parameters: x-sign, x-sgext, x_mini_wua and x_umt. Once one app is solved, the others, such as Tao X and Xian X, are not much different: change the arguments, or swap in the corresponding method name;
2. The method is invoked through frida-rpc (reimplementing the encryption algorithm itself is very hard, and I did not do it);
3. The target this time is a fresh-food platform app from the Ali family. Again, for learning and communication only; commercial use is prohibited.

First, capture a request. The encryption version is 6.3 and the encryption parameters are the familiar four.
We will not go into the request headers in detail here; straight to reverse engineering.

2. Reverse

1. Check shell

Needless to say, the first step for any app is to check whether it is packed; the shell-check tool PKID basically meets the need. We are lucky: HM applied no packing at all, so we skip this step;

If you do run into packing, several tools can help:

Frida-Apk-Unpack
Uses Frida to hook the OpenMemory method in libart.so, obtains the address of the dex in memory, calculates the size of the dex file and dumps the dex out of memory. The code in the project's OpenMemory.js makes the approach clear and intuitive.

GitHub address: https://github.com/GuoQiang1993/Frida-Apk-Unpack

FRIDA-DEXDump
Written by hluwa. The dumped dex files are saved on the PC in the same directory as main.py, using the package name as the file name.

GitHub address: https://github.com/hluwa/FRIDA-DEXDump

frida_dump
Searches memory for dex files, dumps them and saves them under the data/data/packageName/files directory.

GitHub address: https://github.com/lasting-yang/frida_dump

Frida FART [recommended]
Written by Han Bing; the Frida version of FART, currently only available on Android 8. It performs function-granularity unpacking via hooks: it merely actively loads all the functions in a class, but that is still enough to defeat most function-extraction protections.

GitHub address: https://github.com/hanbinglengyue/FART
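As an added example (not code from this post or from any of the tools above), here is the size-calculation step those memory dumpers rely on, written in Python against a constructed dex header. A standard dex header is 0x70 bytes, its magic is `dex\n` plus a three-digit version and a NUL, and `file_size` is the little-endian uint32 at offset 0x20; once a hook on the loader gives you the start address of a dex in memory, this field tells you how many bytes to read out. The constants come from the dex file format; the sample header is constructed here for the test.

```python
import struct

# Dex header constants (from the dex file format): the header is 0x70 bytes, the magic is
# "dex\n" + three-digit version + NUL, file_size is a little-endian uint32 at offset 0x20.
DEX_HEADER_SIZE = 0x70
DEX_MAGIC_PREFIX = b"dex\n"
KNOWN_VERSIONS = (b"035", b"037", b"038", b"039", b"040")
FILE_SIZE_OFFSET = 0x20
HEADER_SIZE_OFFSET = 0x24


def build_sample_dex_header(file_size, version=b"035"):
    """Construct a minimal dex header for testing; only the fields read below are populated."""
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = DEX_MAGIC_PREFIX + version + b"\x00"
    struct.pack_into("<I", header, FILE_SIZE_OFFSET, file_size)
    struct.pack_into("<I", header, HEADER_SIZE_OFFSET, DEX_HEADER_SIZE)
    return bytes(header)


def dex_file_size(mem):
    """Return the declared file_size of the dex whose header starts at mem[0].

    This is the size the OpenMemory-hooking dumpers compute before reading the dex out of the
    process: validate the magic, then read file_size from the header. Caveat: ART on newer
    Android versions may hand you CompactDex (magic "cdex001") instead, which this does not
    handle; a dumper has to detect and convert or reject that case.
    """
    if len(mem) < DEX_HEADER_SIZE:
        raise ValueError("buffer shorter than a dex header (%d bytes)" % len(mem))
    magic = bytes(mem[:8])
    if not magic.startswith(DEX_MAGIC_PREFIX) or magic[7:8] != b"\x00":
        raise ValueError("not a standard dex header, magic %r" % magic)
    if magic[4:7] not in KNOWN_VERSIONS:
        raise ValueError("unexpected dex version %r" % magic[4:7])
    (file_size,) = struct.unpack_from("<I", mem, FILE_SIZE_OFFSET)
    (header_size,) = struct.unpack_from("<I", mem, HEADER_SIZE_OFFSET)
    if header_size != DEX_HEADER_SIZE or file_size < DEX_HEADER_SIZE:
        raise ValueError("implausible header_size=%#x file_size=%#x" % (header_size, file_size))
    return file_size


def carve_dex(mem):
    """Carve exactly file_size bytes from a memory region that begins with a dex header."""
    size = dex_file_size(mem)
    if size > len(mem):
        raise ValueError("declared file_size %#x exceeds readable memory %#x" % (size, len(mem)))
    return bytes(mem[:size])


if __name__ == "__main__":
    # Constructed region: a 0x1000-byte dex followed by unrelated bytes, as seen in a heap dump.
    region = build_sample_dex_header(0x1000) + b"\x00" * (0x1000 - DEX_HEADER_SIZE) + b"junk"
    print("carved %#x bytes" % len(carve_dex(region)))
```

The version check and the `cdex` caveat are the two places real dumps fail: a region that starts with `cdex001` is a CompactDex produced by ART, not a classes.dex, and a naive dumper that only copies `file_size` bytes will produce something jadx cannot open.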

2. Decompile

Since the app is not packed, open it directly in jadx.

Android Killer, jadx and JEB are all recommended decompilers. When one fails to decompile something, try another; the results differ. Never rely on a single tool.

3. Find the encryption method

1. Search globally for x-sign in jadx.
We quickly find the getUnifiedSign function. On closer inspection it is declared on an interface, and the class that implements it, mtopsdk.security.InnerSignImpl, is the implementation we are looking for.

A small tip: right-click getUnifiedSign in jadx and copy the Frida snippet. Hook it, and if the hook fires we know we have the right function.

Write a Python program that loads the JS:

import frida, sys


def on_message(message, data):
    # send() payloads from the script arrive with type 'send'; anything else (errors) is printed raw
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


jscode = '''
Java.perform(function(){

    // Replace this part with the Frida snippet just copied from jadx

});
'''


# Attach to the running app by its process (package) name
process = frida.get_remote_device().attach('<app package name>')

script = process.create_script(jscode)

script.on('message', on_message)

script.load()
sys.stdin.read()  # keep the hook alive until Ctrl-D

Run the program and look at the result.

Very nice. The hook output shows which arguments the method receives and what it returns; x-sign and the other signed values are right there, confirming we found the right method.
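Rather than relying only on the snippet jadx copies, a hook that covers every overload and reports the declared argument types is more useful at this stage, because the rpc call in the next section needs the exact argument order and types. The following is an added example, not the post's own code: `build_hook_script` generates such a Frida script for an arbitrary class and method (defaulting to the class and method found above); the `run` helper, the message parsing and the payload layout are this example's own design. It uses only Frida's `overloads`, `argumentTypes` and `send()` APIs.

```python
import json

# Added example (not from the post): a Frida script template that hooks every overload of one
# Java method and reports argument types, argument values and the return value via send().
# The class/method defaults are the ones located in jadx; the payload layout is ours.
HOOK_TEMPLATE = r'''
Java.perform(function () {
    var cls = Java.use("%(cls)s");
    var overloads = cls["%(method)s"].overloads;
    overloads.forEach(function (ov) {
        ov.implementation = function () {
            var args = [];
            for (var i = 0; i < arguments.length; i++) {
                args.push({
                    type: ov.argumentTypes[i].className,   // e.g. java.util.HashMap, boolean
                    value: String(arguments[i])            // Java toString() of the argument
                });
            }
            var ret = ov.apply(this, arguments);           // call the original overload
            send({method: "%(cls)s.%(method)s", args: args, ret: String(ret)});
            return ret;
        };
    });
});
'''


def build_hook_script(cls="mtopsdk.security.InnerSignImpl", method="getUnifiedSign"):
    """Render the Frida script for the given class and method."""
    return HOOK_TEMPLATE % {"cls": cls, "method": method}


def parse_hook_message(message):
    """Convert one Frida message into the record the script sent.

    Returns None for messages that are not our send() payloads; raises on script errors so a
    typo in the class or method name is not silently ignored.
    """
    kind = message.get("type")
    if kind == "error":
        raise RuntimeError(message.get("description") or message.get("stack") or str(message))
    if kind != "send":
        return None
    payload = message.get("payload")
    if not isinstance(payload, dict) or "args" not in payload:
        return None
    return payload


def run(package, cls="mtopsdk.security.InnerSignImpl", method="getUnifiedSign"):
    """Attach to the app over USB and print each intercepted call as JSON."""
    import sys
    import frida  # imported here so the pure helpers above work without a device

    records = []

    def on_message(message, data):
        rec = parse_hook_message(message)
        if rec is not None:
            records.append(rec)
            print(json.dumps(rec, ensure_ascii=False, indent=2))

    session = frida.get_usb_device().attach(package)
    script = session.create_script(build_hook_script(cls, method))
    script.on("message", on_message)
    script.load()
    sys.stdin.read()  # trigger requests in the app; Ctrl-D to stop
    return records


if __name__ == "__main__":
    import sys
    run(sys.argv[1] if len(sys.argv) > 1 else "<app package name>")
```

Each intercepted call is printed with the class name of every argument, so the number of parameters and which of them are booleans (relevant for the wua parameter later) is read off directly instead of guessed.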

4. Call method

Here we invoke the method actively through frida-rpc to obtain the signed values.
We have found the method and the arguments passed to it, so calling it via rpc is straightforward.
Here is the code:

import frida


def on_message(message, data):
    if message['type'] == 'send':
        print("[*] {0}".format(message['payload']))
    else:
        print(message)


def start_hook():
    jscode = '''
    rpc.exports = {
        // a..f are the six getUnifiedSign arguments, passed through from Python.
        // Set them according to what the hook output showed. Plain strings and booleans
        // can be passed directly; Java objects (e.g. a HashMap) must be built here
        // with Java.use(...) from what Python sends.
        para: function(a, b, c, d, e, f) {
            var ret = {};
            Java.perform(function() {
                // Java.choose is synchronous, so ret is filled before it is returned
                Java.choose("mtopsdk.security.InnerSignImpl", {
                    onMatch: function(instance) {
                        var res = instance.getUnifiedSign(a, b, c, d, e, f).toString();
                        //console.log('getUnifiedSign ret value is ' + res);
                        ret["result"] = res;
                    },
                    onComplete: function() {
                        //console.log('******js load over*****')
                    }
                });
            });
            return ret;
        }
    };
    '''
    process = frida.get_remote_device().attach('<app package name>')
    script = process.create_script(jscode)
    script.on('message', on_message)
    script.load()
    return script


# The six argument values can be passed in here, in order: .para(a, b, c, d, e, f)
result_hook = start_hook().exports.para()
print(result_hook)

Now let's verify that the rpc call works:
1. Run the rpc code first and print some of the arguments, such as the timestamp, together with the resulting x-sign.
2. At the same time, look at the output of the getUnifiedSign hook from the previous section.
Comparing the two, the timestamp and x-sign values match, which shows the arguments passed in are correct and the signed parameters can be produced.

5. Request data

The previous step implemented the frida-rpc call; the next step is the code that requests data.
Nothing special here: set the request headers, call rpc, substitute the signed parameters into the headers, and send the request.

6. Results

Let's look at the result of the request.
The app's data is returned normally, which completes the reverse engineering of this app. If you have any questions, please contact me.

Update (September 4): the wua encryption parameter

Many people ask me how to obtain wua when using this rpc approach. Among the arguments passed in there is a parameter z, which must be a boolean. When false is passed, the wua encryption parameter is not returned.

When true is passed, the wua encryption parameter is returned.
If you have new questions, feel free to contact me, thank you!
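Putting the last two steps together (substituting the rpc result into the captured headers, and the wua caveat from the update), the following is an added example rather than the post's code. It assumes `getUnifiedSign` returns a `java.util.Map`, so that the `.toString()` the rpc export hands back looks like `{key=value, key2=value2}`; the parser therefore splits each entry on the first `=` only, since x-sgext and x_mini_wua look like base64 and may end in `=` padding. The header merge is case-insensitive and refuses to build a wua-bearing request from a result produced with z=false. The sample rpc outputs are constructed and are not real signatures.

```python
# Added example (not the post's code). Assumption: getUnifiedSign returns a java.util.Map, so the
# rpc export's .toString() looks like "{k1=v1, k2=v2}". Adapt parse_java_map_string if yours differs.
SIGN_KEYS = ("x-sign", "x-sgext", "x_mini_wua", "x_umt")

# Constructed sample rpc results (not real signatures): one produced with z=true, one with z=false.
SAMPLE_WITH_WUA = ("{x-sign=0a1b2c3d4e5f60718293a4b5c6d7e8f9, x-sgext=JAXBCDEFGHIJKLMNOPQRST==, "
                   "x_mini_wua=HHF_aBcDeFgHiJkLmNoPqRsTuVwXyZ=, x_umt=ZzZz1111yyyy2222}")
SAMPLE_WITHOUT_WUA = ("{x-sign=0a1b2c3d4e5f60718293a4b5c6d7e8f9, x-sgext=JAXBCDEFGHIJKLMNOPQRST==, "
                      "x_umt=ZzZz1111yyyy2222}")


def parse_java_map_string(s):
    """Parse a Java Map.toString() ("{k=v, k2=v2}") into a dict.

    Each entry is split on the FIRST '=' only: x-sgext / x_mini_wua look like base64 and can
    carry '=' padding at the end, which a naive split('=') would truncate. Values are assumed
    not to contain ", " (true for hex/base64 signatures).
    """
    s = s.strip()
    if not (s.startswith("{") and s.endswith("}")):
        raise ValueError("not a Java Map toString(): %r" % s[:40])
    body = s[1:-1].strip()
    result = {}
    if not body:
        return result
    for entry in body.split(", "):
        key, sep, value = entry.partition("=")
        if not sep:
            raise ValueError("map entry without '=': %r" % entry)
        result[key.strip()] = value
    return result


def merge_signed_headers(base_headers, signed, need_wua):
    """Return a copy of the captured headers with the signature values replaced.

    need_wua mirrors the boolean argument z described in the update: with z=false the method
    returns no x_mini_wua, so a request that needs wua must fail here, not with a 4xx later.
    Existing header names are matched case-insensitively so 'X-Sign' is overwritten rather
    than duplicated.
    """
    required = [k for k in SIGN_KEYS if need_wua or k != "x_mini_wua"]
    missing = [k for k in required if k not in signed]
    if missing:
        raise KeyError("rpc result lacks %s; for wua, call getUnifiedSign with z=true" % missing)
    headers = dict(base_headers)
    by_lower = {k.lower(): k for k in headers}
    for key, value in signed.items():
        headers[by_lower.get(key.lower(), key)] = value
    return headers


if __name__ == "__main__":
    captured = {"User-Agent": "constructed-ua", "X-Sign": "stale-value"}  # constructed sample
    signed = parse_java_map_string(SAMPLE_WITH_WUA)
    print(merge_signed_headers(captured, signed, need_wua=True))
```

The returned dict is what goes into the request in place of the captured headers; the stale x-sign from the capture is overwritten under its original header spelling, and a result produced with z=false raises before anything is sent.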

Original article: blog.csdn.net/qq_44130722/article/details/126621134