Summary of App and Mini Program Tools


Foreword

During penetration testing work I have come across many Apps and mini programs. Some are simple, some are hardened, but I have also dug out plenty of high-risk issues: authentication bypasses, brute-forceable logins, storage leaks, sensitive information leaks and so on. Such tests depend on good tooling, so below I summarize the tools commonly used when testing Apps, mini programs and other mobile targets, to save having to hunt through scattered notes for the configuration the next time I change computers or environments.

Burp Suite packet capture problem

Because applications keep raising the Android version they target, some are only compatible with Android 9 and no longer run on Android 7. So at first you may find that traffic from the emulator's browser can be captured while traffic from the App cannot. The reason is that Android 7 and above do not trust user-installed certificates by default, so the certificate has to be pushed into the system certificate store with adb. The Yeshen (Nox) emulator running Android 9 is used as the example.

  1. First export the CA certificate from Burp Suite and save it.

  2. The exported certificate is in DER format and must be converted to PEM. The openssl bundled with Kali can do this directly; then compute the certificate's old-style subject hash (an MD5-based value, which is what Android uses to name files in the system CA store) and name the certificate file after that hash with a ".0" suffix.
openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem   # prints the hash (9a5ba575 for the Burp CA on this machine)
cp cacert.pem 9a5ba575.0                                   # file name = <hash>.0

  3. Go to the bin directory of the Yeshen emulator and use adb.exe to upload the certificate with the following commands:
adb.exe devices                                      # list running devices
adb.exe push 9a5ba575.0 /sdcard/                     # push the certificate to the sdcard
adb.exe shell                                        # enter the interactive shell
mount -o remount,rw /system                          # remount /system writable
cp /sdcard/9a5ba575.0 /system/etc/security/cacerts/  # copy the certificate into the system CA directory
chmod 644 /system/etc/security/cacerts/9a5ba575.0    # owner read/write, everyone else read
reboot                                               # restart

  4. Start listening in Burp Suite and point the emulator's proxy settings at it; here the IP address of this machine is 192.168.1.101.

  5. Packets are now captured successfully.
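As an added example (my own code, not from the original post or from Burp), the following Python script does what the two openssl commands in step 2 do, so you can see where a file name like 9a5ba575.0 comes from: it loads a DER or PEM certificate, extracts the DER-encoded subject Name, and computes OpenSSL's -subject_hash_old (MD5 over the subject, first four bytes read little-endian). The certificate bytes at the bottom are a constructed dummy with the correct TBS field order, not a real CA, and the names SAMPLE_CERT_DER, load_cert and android_cacert_filename are mine.

```python
import base64
import hashlib
import struct


def load_cert(data: bytes) -> bytes:
    """Accept a DER file or a PEM file and return the raw DER bytes."""
    if data.lstrip().startswith(b"-----"):
        body = b"".join(line.strip() for line in data.splitlines() if not line.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not used in X.509 certificates")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, value_end = _read_tlv(buf, pos)
        yield tag, pos, value_end
        pos = value_end


def subject_der(cert_der: bytes) -> bytes:
    """Return the complete DER encoding (tag, length, value) of the subject Name."""
    _, cert_start, _ = _read_tlv(cert_der, 0)                # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(cert_der, cert_start)  # tbsCertificate ::= SEQUENCE
    fields = list(_children(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                                 # optional explicit [0] version
        fields = fields[1:]
    _, start, end = fields[4]   # serialNumber, signature, issuer, validity, subject, ...
    return cert_der[start:end]


def subject_hash_old(cert_der: bytes) -> str:
    """OpenSSL -subject_hash_old: MD5 over DER(subject), first 4 bytes read little-endian, 8 hex digits."""
    digest = hashlib.md5(subject_der(cert_der)).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def android_cacert_filename(cert_der: bytes) -> str:
    """File name Android expects under /system/etc/security/cacerts/: <hash>.0"""
    return subject_hash_old(cert_der) + ".0"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (the form openssl x509 -out cacert.pem writes)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


# --- constructed dummy certificate (NOT a real CA; only the TBS field order matters here) ---
def _tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder for content shorter than 65536 bytes."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def _name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with a single CN (OID 2.5.4.3)."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, atv))


SHA256_RSA = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # AlgorithmIdentifier
SAMPLE_SUBJECT_DER = _name("Example Proxy CA")
SAMPLE_CERT_DER = _tlv(0x30,
    _tlv(0x30,                                                       # tbsCertificate
         _tlv(0xA0, _tlv(0x02, b"\x02"))                             # [0] version v3
         + _tlv(0x02, b"\x01")                                       # serialNumber
         + SHA256_RSA                                                # signature
         + _name("Example Proxy CA")                                 # issuer
         + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))  # validity
         + SAMPLE_SUBJECT_DER                                        # subject
         + _tlv(0x30, b""))                                          # subjectPublicKeyInfo placeholder
    + SHA256_RSA                                                     # signatureAlgorithm
    + _tlv(0x03, b"\x00"))                                           # signatureValue placeholder
```

Point load_cert at the real cacert.der (or cacert.pem) from Burp and android_cacert_filename returns the name to give the file in /system/etc/security/cacerts/; the value should match what `openssl x509 -subject_hash_old` prints, which is a quick way to confirm the conversion step before pushing anything to the emulator.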

LSPosed + JustTrustMe to bypass SSL Pinning

The method above is the simplest way to capture packets. If the server has enabled SSL Pinning, capture may still fail. When a capture tool intercepts the server's response and forwards it to the client, the certificate it presents is not the server's original certificate but the tool's own; since that is not the certificate the App developer pinned, the connection looks like a man-in-the-middle attack, the pinning check fires and the connection is dropped, so the packets cannot be captured directly. A phone running a version below Android 7 may not have this problem, but the App may not be compatible with it, so another solution is needed. LSPosed, a framework built on Xposed, can be used to bypass the check; the detailed steps follow.

  1. Install Magisk. Here I installed Magisk Delta version 25.2; the download address is as follows:

Magisk

After downloading, drag the Magisk APK straight into the Yeshen emulator and choose to install locally; installing online requires a proxy that can reach the download servers.

Click Install. When the installation finishes it will prompt for a restart. Do not restart yet: first turn off the root setting in the Yeshen emulator, then shut down and restart, and the Magisk installation is complete.

After the installation is complete, open Magisk, click Settings in the upper right corner, and enable Zygisk.

  2. Install the LSPosed framework. I downloaded the Zygisk version; the download address is as follows:

LSPosed

Drag the downloaded zip package straight into the Yeshen emulator, open Magisk, go to Modules, choose to install from storage, select the LSPosed package, and restart once it has loaded.

  3. After restarting, go to the /data/adb/lspd directory, where manager.apk will appear; tap it and choose to install.

  4. If parsing the package fails, extract manager.apk from the LSPosed framework zip and drag it straight into the emulator; that should succeed.

  5. If the manager can be opened, the installation is successful.

  6. Download the JustTrustMe module, drag it into the Yeshen emulator and enable it in LSPosed's module list; SSL Pinning is then bypassed and packets can be captured.

Decompiling mini programs

When testing a mini program, besides exercising its functions, the best approach is to decompile it and inspect the source code. This matters especially when every request the mini program sends carries a signature computed on the client side and submitted together with the data: to find the signature algorithm and forge the data you have to decompile the mini program, just as with encrypted or obfuscated front-end JavaScript.

  1. When you run a mini program and use its functions, its package files are actually stored on the phone with the suffix wxapkg. There are main packages and subpackages. For example, on my Yeshen emulator the storage directory is /data/data/com.tencent.mm/MicroMsg/e594472a09487567540796a08a51a24f/appbrand/pkg; the long segment e594472a09487567540796a08a51a24f in the middle may differ.

  2. Delete all the packages already there, open the mini program again and walk through all of its pages; several new wxapkg packages will appear. These are the mini program's packages. Unpack them with wxappUnpacker, which requires a Node.js environment:
npm install
npm install esprima
npm install css-tree
npm install cssbeautify
npm install vm2
npm install uglify-es
npm install js-beautify

  3. First use UnpackMiniApp (the mini program package decryptor).exe to check whether the mini program is encrypted.

  4. Then use wuWxapkg.js to unpack the mini program's main package. If unpacking throws an error, the file may not be the main package. Errors are common, but the mini program's code usually still comes out, and you can judge whether it is what you want.

  5. Although an error was reported here as well, the decompiled mini program is complete.
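As an added example (my own code, not part of wxappUnpacker or the original post), here is a small Python reader for the wxapkg container layout that wuWxapkg.js works on: a 14-byte header (0xBE, a reserved word, index length, body length, 0xED), a 4-byte entry count and then one (name length, name, offset, size) record per file, all big-endian. It checks the two magic bytes (an encrypted package fails this check, which is the case UnpackMiniApp handles above), refuses entries whose offset/size point outside the file, and stops entry names from escaping the output directory when writing them out, since those names come from a file you did not produce. The is_main_package heuristic is my assumption, and SAMPLE_FILES / SAMPLE_WXAPKG are constructed data, not a real mini program.

```python
import os
import struct
from typing import Dict

HEADER = struct.Struct(">BIIIB")   # 0xBE, reserved, index length, body length, 0xED (14 bytes)
U32 = struct.Struct(">I")


def build_wxapkg(files: Dict[str, bytes]) -> bytes:
    """Serialize name->content pairs in the wxapkg layout; used here only to build the constructed sample."""
    names = list(files)
    index_len = 4 + sum(12 + len(n.encode("utf-8")) for n in names)  # count + (len, name, offset, size) per entry
    data_start = HEADER.size + index_len
    index, body = U32.pack(len(names)), b""
    for name in names:
        raw = name.encode("utf-8")
        index += U32.pack(len(raw)) + raw + struct.pack(">II", data_start + len(body), len(files[name]))
        body += files[name]
    return HEADER.pack(0xBE, 0, index_len, len(body), 0xED) + index + body


def parse_wxapkg(buf: bytes) -> Dict[str, bytes]:
    """Read the index and return {entry name: content}, refusing entries that point outside the blob."""
    if len(buf) < HEADER.size + 4:
        raise ValueError("truncated wxapkg header")
    first, _reserved, _index_len, _body_len, last = HEADER.unpack_from(buf, 0)
    if first != 0xBE or last != 0xED:
        raise ValueError("bad magic: not a plaintext wxapkg container")
    (count,) = U32.unpack_from(buf, HEADER.size)
    pos, entries = HEADER.size + 4, {}
    try:
        for _ in range(count):
            (name_len,) = U32.unpack_from(buf, pos)
            pos += 4
            name = buf[pos:pos + name_len].decode("utf-8")
            pos += name_len
            offset, size = struct.unpack_from(">II", buf, pos)
            pos += 8
            if offset + size > len(buf):
                raise ValueError(f"entry {name!r}: offset/size point past the end of the package")
            entries[name] = buf[offset:offset + size]
    except struct.error as exc:
        raise ValueError("truncated wxapkg index") from exc
    return entries


def safe_output_path(out_dir: str, name: str) -> str:
    """Map an entry name onto a path inside out_dir, rejecting '..' traversal (names are untrusted input)."""
    root = os.path.abspath(out_dir)
    candidate = os.path.abspath(os.path.join(root, name.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"entry {name!r} would escape {out_dir}")
    return candidate


def is_main_package(entries: Dict[str, bytes]) -> bool:
    """Heuristic (my assumption, not taken from wxappUnpacker): only the main package carries /app-config.json."""
    return "/app-config.json" in entries


def unpack_to_dir(buf: bytes, out_dir: str) -> int:
    """Write every entry under out_dir via safe_output_path; returns the number of files written."""
    entries = parse_wxapkg(buf)
    for name, data in entries.items():
        path = safe_output_path(out_dir, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return len(entries)


# constructed sample package (not a real mini program)
SAMPLE_FILES = {
    "/app-config.json": b'{"pages":["pages/index/index"]}',
    "/app-service.js": b"console.log('hello');",
    "/pages/index/index.html": b"<view>index</view>",
}
SAMPLE_WXAPKG = build_wxapkg(SAMPLE_FILES)
```

Run parse_wxapkg on a wxapkg pulled from the pkg directory above to list its files and tell a main package from a subpackage before handing it to the Node unpacker; a truncated or tampered file raises ValueError instead of silently yielding partial output.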

App unshelling: Reflection Master and Frida

The same applies to Apps. I will not repeat how to reverse an App's Java code; that can be searched online or found in my previous articles. The point is that Apps on the market are obfuscated and packed. Packers such as the Ali Security shell hide much of the code and get in the way of normal reading, so the shell has to be removed to see the App's normal Java code as it was before packing.

For scanning and decompiling Apps there is also a good platform that can be used directly, and I often use it for decompilation. Its vulnerability scanning is not very effective, but it lists the Activities, Services, Providers and assorted code, checks permissions, XML configuration and so on, and rates the severity, which is quite handy.

The address is as follows:

App scanning

Reflection Master

  1. First, use a shell-detection tool such as AppMessage to check whether the App is packed.

  2. Two methods for direct unpacking follow. The first is Reflection Master. It is no longer supported on Android 9, but it still works on Android 7 after installing the Xposed framework and Reflection Master.

First, search for Xposed directly in the emulator's app center, install it and restart; then tap to start it. The Xposed author no longer maintains it, so there will be no further updates.

Then find the Reflection Master apk online; it is everywhere, and I do not know of an official site, so be careful that the copy you get has no backdoor. Drag the APK into the emulator and open Reflection Master; it will say the module is not activated, so enter Xposed and activate it.

Then open Reflection Master, select the target application and tap Open. A five-pointed star icon appears; run through every page once and a lot of Activities will be collected, then choose Save.

Tap the five-pointed star, select the corresponding Activity launcher at the top, tap the current Activity and write out the Dex, then decompile it into a jar with the usual decompilation tool and open it with jd-gui.

Frida

Reflection Master does not support Android 9, so it cannot be used when the App is not compatible with Android 7; Frida is a good solution in that case.

  1. First download frida-server and frida-dexdump.

frida-dexdump can be installed directly with pip, or downloaded from GitHub:

pip3 install frida-dexdump
pip3 install frida-tools
pip3 install frida

Then check the installed frida version (16.1.4 here) and the CPU architecture of the Android emulator, and download the matching frida-server release from GitHub:

frida-server

Then decompress the downloaded frida-server, push it into the Yeshen emulator with adb and run it; it should start without reporting an error.

xz -d frida-server-16.1.4-android-x86_64.xz                     # the .xz archive is not executable; decompress it first (7-Zip works on Windows)
adb.exe push frida-server-16.1.4-android-x86_64 /data/local/tmp
adb.exe shell
cd /data/local/tmp
chmod 755 frida-server-16.1.4-android-x86_64
./frida-server-16.1.4-android-x86_64 &                           # run in the background so the shell stays usable

Then run frida-ps -U (from frida-tools) on Windows to list the processes running in the Android emulator.

Use the following commands to dump the dex of the running application in the foreground, or of a specific package:

frida-dexdump -FU
frida-dexdump -U -f com.app.pkgname

Summary

Of course, there is far more to mobile testing than this. I will learn more as I run into it and add it here; after all, the problems caused by version changes are an eternal topic.

Origin blog.csdn.net/weixin_53090346/article/details/132592235