1. Goals
Boss Li: Fenfei, it is said that an e-commerce app has been upgraded and a 64-bit sign has been created. What's even better is that all the entries are encrypted!
Fenfei: It's so cool, pull it out and let's play.
v10.3.2
Two, steps
32-bit and 64-bit
We have mastered so many methods, how about searching for strings first? Or Hook first?
Zi once said: When you see a 32-bit signature, you think of MD5 and HmacSHA1, and when you see a 64-bit signature, you think of HmacSHA256.
Then first engage in java cryptography-related functions:
var secretKeySpec = Java.use('javax.crypto.spec.SecretKeySpec');
secretKeySpec.$init.overload('[B','java.lang.String').implementation = function (a,b) {
var result = this.$init(a, b);
console.log(">>> 算法名" + b);
return result;
}
// /*
var mac = Java.use('javax.crypto.Mac');
mac.getInstance.overload('java.lang.String').implementation = function (a) {
// showStacks();
var result = this.getInstance(a);
console.log("mac ======================================");
console.log("算法名:" + a);
return result;
}
mac.doFinal.overload('[B').implementation = function (a) {
// showStacks();
var result = this.doFinal(a);
console.log("mac ======================================");
console.log("doFinal参数:" + bytesToString(a));
console.log("doFinal结果(hex):" + bytesToHex(result));
console.log("doFinal结果(base):" + bytesToBase64(result));
// var stack = threadinstance.currentThread().getStackTrace();
// console.log("Full call stack:" + Where(stack));
return result;
}
// */
run.
TIP: Remember to refer to the previous article http://91fans.com.cn/post/ldqsignone/ to change the frida port number
Fortunately, it really is.
What is the key?
The difference between HmacSHA256 and md5 is that it passes a key. We try to find out this key.
first print the stack
Full call stack:dalvik.system.VMStack.getThreadStackTrace(Native Method)
java.lang.Thread.getStackTrace(Thread.java:1720)
javax.crypto.Mac.doFinal(Native Method)
com.jxxxxong.sdk.xxcrashreport.a.z.a(XXCrashReportFile:63)
com.jxxxxong.sdk.xxcrashreport.a.z.a(XXCrashReportFile:136)
com.jxxxxong.sdk.xxcrashreport.a.o.Ve(XXCrashReportFile:154)
com.jxxxxong.sdk.xxcrashreport.a.o.<init>(XXCrashReportFile:135)
com.jxxxxong.sdk.xxcrashreport.a.o.<init>(XXCrashReportFile:37)
com.jxxxxong.sdk.xxcrashreport.a.o$a.Vf(XXCrashReportFile:245)
com.jxxxxong.sdk.xxcrashreport.a.ai$a.run(XXCrashReportFile:133)
Originally, I wanted to find out the key directly from the static code, but I was dizzy after going around.
Forget it, add a Hook.
var getKeyCls = Java.use("com.jxxxxong.sdk.xxcrashreport.a.z");
getKeyCls.a.overload('[B', '[B').implementation = function(a,b){
var result = this.a(a,b);
var StrCls = Java.use('java.lang.String');
var keyStr = StrCls.$new(b);
var dataStr = StrCls.$new(a);
console.log(">>> dataStr=" + dataStr);
console.log(">>> key=" + keyStr);
console.log(">>> rc=" + result);
return result;
}
keep running down
check
The plaintext is there, the key is there, and the result is also there. We can check it out.
def main():
data = "yingyan&R4iSKKKKKKKKKK3Ckm6NCKyP4XpntPMcsmTiVIdoeOlPYBLNS1PK0O4e747X79c5P3zFQbh3LbJlFUCRaaIQTPKmipOYkJUu6OAqZT1xx6MMacwy/v5yxRvbdYAwdhXVCF7zmi+DHbQ16PPDpn/R9PPnPifGbirJeG9yKKKK&R4iSKKKKKKKKKBC0CtGnLKMgYWz/LGKKKK==&android&10.3.2&R4iSKKKKKKKKKOlFz0/FIGUKUpUcZGYKKKK=&R4iSKKKKKKKKKKlShOtDUJLIsFKLKA589d0AKKKK&uvReport&R4iSKKKKKKKKKNC0KKNrTV2rKqKKKK==&huawei&R4iSKKKKKKKKKNC0CJRGCtS3DKSK/BvloKuKKKK=&E1.1&1641614274084&R4iSKKKKKKKKKNDBjBK0JNG1DurECbE0iBGOKNhLaV4GKKKK".encode('utf-8')
# 890394FD47EB218CADB73B3FFF976CFE571AC255E1BD5F7AFE427CED13B52DBC
signature = hmac.new(appsecret, data, digestmod=sha256).hexdigest().upper()
print(signature)
Life is short, use Python quickly
Call it a day~ Let's take a break, let's do the encryption tomorrow.
3. Summary
Grabbed the package again and compared it. The signature in the &sign=xxx&sv=xxx mode still exists, and the algorithm with a high probability has not changed.
The previous version of 64-bit sign also exists, and the probability has not changed.
So, the boss is always right .
Dig down from where you stand, and you will surely find a clear spring.