Today, Xingyou asked for help with a sample resembling a pig-butchering scam app. The sample has the following hurdles to overcome:
1. AndroidManifest.xml has been tampered with:
2. Every string in the sample is encrypted, and the name of the decryption method is heavily obfuscated:
3. The resource files are also obfuscated:
4. The sample is pseudo-encrypted (the ZIP encryption flag is set so unpacking tools choke, while Android ignores it):
5. The sample cannot be installed (signature problem):
Next, let's tackle problems 2 and 5.
Sample cannot be installed
Installing the sample fails with an error about the signature, so we go straight to the Xposed module Core Crack (CorePatch):
The main functions of Core Crack:
1. Allow downgrade installs of applications
2. Allow installing APKs with an invalid signature
3. Allow overwrite installs with a different signature
Limitation:
The current version only supports Android 10-12
Hooking the heavily obfuscated method: string decryption
Next, let's hook the decryption method. For a simple hook we can use objection directly:
Watching the class with a hook shows that it has only one method:
objection -g com.biaoqyun.tongchengaglao explore
android hooking watch class b6p.alur0e.fmjoi
Copying that method name straight into a hook command errors out with "method not found":
So hooking it directly is clearly problematic: the method name contains assorted unprintable characters, and once the name is parsed it comes out garbled, so frida cannot resolve it. We have to find another way into this class.
A roundabout route: hook the caller one level up (method a of class c, com.gaoyuan.mianshu.k.c.a) and print its parameters and return values; the parameters are the decrypted strings.
The result is as follows:
android hooking watch class_method com.gaoyuan.mianshu.k.c.a --dump-args --dump-return
In the screenshot above we can see an RSA key and a few URLs among the returned values.
The drawback is that this only reveals the strings that pass through this one call site; the rest cannot be located. So we still need to hook the obfuscated decryption method itself.
Our lead suggested a solution: look the obfuscated method up by reflection instead of by name, hook it, and print what it returns:
We can then search jadx for the printed strings and continue the analysis from there.
The hook code is as follows:
    Java.perform(
        function() {
            var targetClass = "b6p.alur0e.fmjoi";
            var hookCls = Java.use(targetClass);
            // Ask the class for its methods via reflection instead of typing the garbled name;
            // as shown above, this class declares exactly one method
            var methods = hookCls.class.getDeclaredMethods();
            // Pull the bare method name out of the declaration and percent-encode it on the JS side
            var methodname = encodeURIComponent(methods[0].toString().replace(/^.*?\.([^\s\.\(\)]+)\(.*?$/, "$1"));
            // Decode it again when it is used
            hookCls[decodeURIComponent(methodname)]
                .implementation = function (x) {
                    console.log("argument:", x);
                    var result = this[decodeURIComponent(methodname)](x);
                    console.log("return value:", result);
                    return result;
                }
        }
    )
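As an added example (my own script, not the author's hook and not part of the sample), the following Frida script generalises the idea above: it walks every declared method of the obfuscated class by reflection, attaches to every overload, and prints arguments, return value and the top Java frames, so the call site can be found in jadx directly rather than by searching for the decrypted string. Only the class name b6p.alur0e.fmjoi and the package name come from the page; the helper names and the example signatures in the comments are assumptions.

```javascript
// Added example: Frida script that hooks every declared method of an obfuscated
// class without ever typing its garbled method names. Only the class name
// b6p.alur0e.fmjoi comes from the write-up; everything else is assumed.
'use strict';

var TARGET_CLASS = 'b6p.alur0e.fmjoi';

// Extract the bare method name from java.lang.reflect.Method#toString(), e.g.
// "public static java.lang.String b6p.alur0e.fmjoi.ab(java.lang.String)" -> "ab"
// (constructed signature). DEX identifiers may contain non-ASCII and control
// characters but never '.', '(' or ')', so the name is exactly what sits between
// the last '.' and the first '(' of the declaration; modifiers, return type,
// package and any "throws" clause are dropped.
function extractMethodName(signature) {
  var declaration = signature.split('(')[0];
  var lastDot = declaration.lastIndexOf('.');
  return lastDot === -1 ? declaration : declaration.slice(lastDot + 1);
}

// Percent-encode a method name so it survives copy/paste from the console even
// when it contains zero-width or control characters; decodeURIComponent reverses it.
function printableName(name) {
  return encodeURIComponent(name);
}

// Format a hooked argument or return value for logging: Java strings arrive as
// JS strings, null stays null, other Java objects go through their toString().
function formatValue(v) {
  if (v === null || v === undefined) return 'null';
  return JSON.stringify(String(v));
}

// Hook every overload of every declared method of className. Returns the list
// of hooked method names. Only callable inside Frida, where Java is defined.
function hookAllMethods(className) {
  var cls = Java.use(className);
  var Log = Java.use('android.util.Log');
  var Throwable = Java.use('java.lang.Throwable');
  var hooked = {};
  var methods = cls.class.getDeclaredMethods();

  for (var i = 0; i < methods.length; i++) {
    var name = extractMethodName(methods[i].toString());
    if (hooked[name]) continue;           // all overloads are attached in one pass
    hooked[name] = true;

    cls[name].overloads.forEach(function (overload) {
      overload.implementation = function () {
        var args = Array.prototype.slice.call(arguments).map(formatValue);
        var ret = overload.apply(this, arguments);
        // Standard Frida idiom for a Java backtrace; the first line is the
        // Throwable itself, the following lines are the frames, innermost first.
        var frames = Log.getStackTraceString(Throwable.$new()).split('\n');
        console.log('[' + className + '.' + printableName(name) + '] args=' +
          args.join(', ') + ' -> ' + formatValue(ret));
        frames.slice(1, 4).forEach(function (f) { console.log('    ' + f.trim()); });
        return ret;
      };
    });
  }
  return Object.keys(hooked);
}

// Entry point when loaded into Frida; under plain node the guard skips it so the
// pure helpers above can still be exercised.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    var names = hookAllMethods(TARGET_CLASS);
    console.log('hooked ' + names.length + ' method(s): ' +
      names.map(printableName).join(' '));
  });
}
```

Load it with `frida -U -f com.biaoqyun.tongchengaglao -l hook_all.js` (the file name is my choice). The percent-encoded name in the output can be pasted back into `cls[decodeURIComponent(name)]` or into jadx without worrying about invisible characters, and the printed frames name the caller, which is what you would otherwise have to find by searching jadx for the decrypted string.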