Alternative Analysis of Sending SMS under the Login Verification Code of Moulang News APP

foreword

Here I am again. Today's protagonist is the Moulang news APP.

tool

  1. fiddler (packet capture tool)
  2. Drony (I am used to it; no need to fill in a proxy address and port in the phone's settings)
  3. jadx-gui (decompiles the app)
  4. Rooted environment (this is an alternative analysis, so I need to hook)
  5. e4a (I am a Java novice and can only write xposed modules with this)

0x1 packet capture

Set a keyword breakpoint in fiddler on "sendsms" (to avoid burning through people's SMS quota...).
Send two requests on two different occasions, capture both packets, and compare the fields that differ.

Request 1
  mobile:   15600000000
  GAuth:    newsapp:1629519735:5be3ae91fd334a78b91d893d0de7853b:46100b5f78fd8ad4163a10da7ce7f9bd9cc24953fadf732795b65544f91b553b
  SN-REQID: 162951973462938c4670a9754

Request 2
  mobile:   15699999999
  GAuth:    newsapp:1629519762:483b210ec35f4e4090ab4ccc8f147ee2:1c7eacc96f5bbe42f6e0ccff425efadef0b82e28a17f71124304bb2bfad6dab4
  SN-REQID: 162951976242538c4670a1271

After testing, the request still goes through without the SN-REQID header, but it fails without GAuth.
So the next step is to analyze how the value of GAuth is computed.

0x2 analysis+hook

jadx-gui

Search "GAuth"
Open the app in jadx-gui and search for "GAuth": there are 3 call sites in total.

(Wasted effort) The first call

Let's look at the first call first:

 addRequestHeader("GAuth", HttpSignUtils.e("newsapp", serverTime, UUID.randomUUID().toString().replaceAll("\\-", "")));

Right click to jump to HttpSignUtils.e

HttpSignUtils.e

    public static String e(String str, long j, String str2) {
        if (SNTextUtils.f(str)) {
            str = "newsapp";
        }
        return str + ":" + j + ":" + str2 + ":" + HttpSignHelper.financeSecretKey2(str2, j);
    }

HttpSignHelper.financeSecretKey2

public static native String financeSecretKey2(String str, long j);

It turns out to be a native method, so the .so library would have to be analyzed. That is beyond my ability, so I gave up on this path.

Look at the second call

    addRequestHeader("GAuth", HttpSignUtils.e(str, j, replaceAll));

    /* The full method is as follows */
    public void addThirdAppSignHeader(String str, long j, boolean z) {
        String replaceAll = UUID.randomUUID().toString().replaceAll("\\-", "");
        if (z) {
            addRequestHeader("GAuth", HttpSignUtils.e(str, j, replaceAll)); /* if z is true */
        } else {
            addRequestHeader("GAuth", HttpSignUtils.d(str, j, replaceAll)); /* if z is false */
        }
        addRequestHeader("User-Agent", ApiManager.f().e().p());
        addRequestHeader("DeviceId", ApiManager.f().e().c());
    }

With an xposed module we can hook addThirdAppSignHeader and force its parameter z to false, so that it executes HttpSignUtils.d instead of the native path.

HttpSignUtils.d

The result has the form str:j:str2:g(str2 + j, a.get(str))

    public static String d(String str, long j, String str2) {
        if (SNTextUtils.f(str)) {
            str = "newsapp";
        }
        StringBuilder sb = new StringBuilder();
        sb.append(str);
        sb.append(":");
        sb.append(j);
        sb.append(":");
        sb.append(str2);
        sb.append(":");
        sb.append(g((str2 + j).getBytes(), a.get(str).getBytes()));
        return sb.toString();
    }
The three parameters in this call are:

  str:  'newsapp'
  j:    ten-digit timestamp
  str2: UUID.randomUUID().toString().replaceAll("\\-", ""), i.e. a random UUID with the '-' characters removed

a

a.get(str) looks up the key 'newsapp' in the HashMap a; the stored value is f().

        a = hashMap;
        hashMap.put("newsapp", f());

f() is presumably also implemented in the .so, and my skills are limited, so I won't analyze it. Instead I start directly from the g function and hook out its plaintext and key.

g

g is an HmacSHA256 computation (a MAC rather than encryption): bArr is the message (plaintext) and bArr2 is the key.

    // The decompiler dropped the checked exceptions; declaring them here lets the snippet compile.
    private static synchronized String g(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
        // bArr: the message (str2 + j); bArr2: the key; a() encodes the raw MAC bytes as a string
        SecretKeySpec secretKeySpec = new SecretKeySpec(bArr2, "HmacSHA256");
        Mac instance = Mac.getInstance("HmacSHA256");
        instance.init(secretKeySpec);
        return a(instance.doFinal(bArr));
    }

Writing the hook for g in e4a (Easy Android)

    XposedHelpers.findAndHookMethod("com.XXX.XXXX.HttpSignUtils", lpparam.classLoader, "g",
            byte[].class, byte[].class, new XC_MethodHook() { // g(byte[] bArr, byte[] bArr2)
        @Override
        protected void beforeHookedMethod(MethodHookParam param) throws Throwable {
            // args[0] is the message (str2 + j), args[1] is the HMAC key
            XposedBridge.log("某浪新闻 g【HmacSHA256加密】参数1--->> " + 转换操作.字节到文本((byte[]) param.args[0], "utf-8"));
            XposedBridge.log("某浪新闻 g【HmacSHA256加密】参数2--->> " + 转换操作.字节到文本((byte[]) param.args[1], "utf-8"));
        }

        @Override
        protected void afterHookedMethod(MethodHookParam param) throws Throwable {
            // the encoded HMAC string returned by g
            XposedBridge.log("某浪新闻 g【HmacSHA256加密】结果--->> " + (String) param.getResult());
        }
    });

This logs the plaintext, the key and the HMAC result.

(PS: After many tests, the key turned out to be a fixed value, so the GAuth value can be constructed directly.)

(PS: After testing, the uuid part can be any value; the server does not check it.)
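To tie the pieces together from the defender's side, here is an added Python example (not code from the original post or from the app) that reproduces the GAuth layout described above, app:timestamp:nonce:HmacSHA256(nonce + timestamp, key), and then checks such a header the way a server would. The key is a constructed placeholder, not the value recovered in the article; the 64-character digests in the captured headers indicate that the app's a() helper is hex encoding, which is assumed here. The verifier shows what a server can and cannot learn from this header: signature, freshness and nonce reuse are checkable, but a key that is the same in every installed copy of the app identifies nothing about the caller, which is why the test below shows a header made with the shared key passing.

```python
import hashlib
import hmac
import time
import uuid

APP_NAME = "newsapp"

# Constructed placeholder key for the example; the real app key is not reproduced.
PLACEHOLDER_KEY = b"example-shared-key-not-the-real-one"


def sign_gauth(app, ts, nonce, key):
    """Build app:ts:nonce:hex(HmacSHA256(nonce + ts, key)), the layout of HttpSignUtils.d."""
    mac = hmac.new(key, (nonce + str(ts)).encode(), hashlib.sha256).hexdigest()
    return "%s:%d:%s:%s" % (app, ts, nonce, mac)


def new_gauth(key=PLACEHOLDER_KEY, app=APP_NAME, ts=None):
    """What a client does: fresh ten-digit timestamp and a UUID with '-' removed."""
    ts = int(time.time()) if ts is None else ts
    nonce = uuid.uuid4().hex
    return sign_gauth(app, ts, nonce, key)


class GAuthVerifier:
    """Server-side check: signature, timestamp window, and one-time use of the nonce.

    Nothing here binds the header to an account or device: every client holding the
    shared key produces valid headers, so this must be paired with per-number rate
    limits or a CAPTCHA on the SMS endpoint.
    """

    def __init__(self, key, max_skew=300):
        self.key = key
        self.max_skew = max_skew          # seconds of clock skew tolerated
        self.seen_nonces = set()          # replay cache (bounded in a real service)

    def verify(self, header, now):
        parts = header.split(":")
        if len(parts) != 4:
            return False, "malformed"
        app, ts_str, nonce, mac = parts
        if app != APP_NAME or not ts_str.isdigit() or not nonce:
            return False, "malformed"
        expected = hmac.new(self.key, (nonce + ts_str).encode(), hashlib.sha256).hexdigest()
        # constant-time comparison so the check itself leaks nothing about the key
        if not hmac.compare_digest(expected, mac):
            return False, "bad signature"
        if abs(now - int(ts_str)) > self.max_skew:
            return False, "stale timestamp"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"


if __name__ == "__main__":
    v = GAuthVerifier(PLACEHOLDER_KEY)
    h = new_gauth()
    now = int(time.time())
    print(h)
    print(v.verify(h, now))      # ok
    print(v.verify(h, now))      # replayed nonce
```

The freshness and replay checks stop a captured header from being reused, but they do not stop a client that can mint new headers, so the server still needs to rate limit by phone number and, as the last section suggests, add a CAPTCHA.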

0x3 Simulating the request in Easy Language

0x4 Final suggestion

Add an image CAPTCHA or a slider CAPTCHA to the SMS endpoint to make this kind of abuse harder.


Origin blog.csdn.net/a952252664/article/details/119839575