This article is for the purpose of exchanging experiences. If it infringes upon your interests, please contact us to delete it.
Tools: Xposed, justTrustMePlush, packetcapture, jadx, LDPlayer emulator
Install the Xposed framework on the emulator and enable the justTrustMePlush module to bypass the app's certificate checking (SSL pinning).
After that, the traffic can be captured normally, as shown below.
A brief look at the parameters shows that the md5 value changes between repeated captures, so the md5 is most likely a signature used for request verification, and at the very least the timestamp must go into its calculation. To log in successfully, we have to work out how the md5 is calculated.
Open jadx, a commonly used reverse-engineering tool that decompiles apk files for static analysis.
At first glance the apk does not appear to be packed. I searched for the string md5 and found nothing.
That is not actually the case, so one can suspect that the apk is packed. As for which packer it is, a packer-detection tool can check; but if most of the packer's characteristic features are hidden, the detection tool will not identify it.
Using basic unpacking, I obtained a dex file. Searching for md5 again now returns results, and after some digging I located the suspicious function.
From the strings above we can be fairly sure this code is closely tied to the login request. Continuing through the source, we arrive at the following.
This is the md5 algorithm: concatenate a fixed value, the mobile phone number and the timestamp, then take the md5 of the result. Because the fixed value ships inside the apk, anyone who extracts it can recompute the signature, so this only guards against casual tampering, not against a determined client.
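The following is an added example, not code from the original article or from the app it analyses. It reproduces the signature scheme described above in Python and adds a check the article does not show: given one captured request and a candidate fixed value, it tries every concatenation order of the three fields to confirm which one reproduces the captured md5. The secret string, the phone number, the timestamp format (milliseconds) and the parameter names are all assumptions chosen for illustration.

```python
import hashlib
import itertools
import time
from typing import Dict, Optional

# Constructed placeholder values. In practice the fixed value comes from the
# decompiled dex and the phone/timestamp/md5 from a captured login request.
SECRET = "fixed_value_from_dex"   # hypothetical
PHONE = "13800000000"             # constructed
TS = "1700000000000"              # assumed millisecond timestamp, constructed


def md5_hex(s: str) -> str:
    """Hex md5 of a UTF-8 encoded string."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def sign(secret: str, phone: str, ts: str) -> str:
    """md5(fixed value + phone number + timestamp), as the article describes."""
    return md5_hex(f"{secret}{phone}{ts}")


def build_login_params(secret: str, phone: str, ts: Optional[str] = None) -> Dict[str, str]:
    """Build the login parameters with a fresh signature.

    A new timestamp is used on every call, which is why the md5 differs
    between repeated captures of the same login.
    """
    if ts is None:
        ts = str(int(time.time() * 1000))  # assumption: ms since epoch
    return {"phone": phone, "timestamp": ts, "md5": sign(secret, phone, ts)}


def match_capture(captured: Dict[str, str], secret: str) -> Optional[str]:
    """Confirm a reverse-engineered secret against one captured request.

    Tries every concatenation order of secret, phone and timestamp and
    returns the order (e.g. "secret+phone+timestamp") whose md5 equals the
    captured one, or None if the candidate secret does not reproduce it.
    """
    fields = {
        "secret": secret,
        "phone": captured["phone"],
        "timestamp": captured["timestamp"],
    }
    target = captured["md5"].lower()
    for order in itertools.permutations(fields):
        if md5_hex("".join(fields[k] for k in order)) == target:
            return "+".join(order)
    return None


if __name__ == "__main__":
    # Constructed "capture": a request the app would have sent with our values.
    capture = build_login_params(SECRET, PHONE, TS)
    print("signed params:", capture)
    print("matching order:", match_capture(capture, SECRET))
    print("wrong secret:", match_capture(capture, "not_the_secret"))
```

The permutation check matters in practice because the decompiled code often builds the string through several helper calls, and getting the order wrong produces a plausible-looking but rejected signature; one captured request plus this loop settles it before any login attempts are wasted.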
Contact QQ 719232549. Any illegal use has nothing to do with me; this article is only for exchanging Android reverse-engineering experience.