Reverse analysis of the China Unicom Business Hall app
App version: 10.4
Tools
- IDA
- FRIDA
- JEB
Packet capture analysis
There is no protection against packet capture.
Packer identification and unpacking
A packer-detection tool showed that the app is protected with a customized version of the Bangbang packer.
- Frida Hook
frida -U -f com.sinovatech.unicom.ui -l 1.js --no-pause
After running this, the app exits automatically and the following appears in the console.
The name of the .so below further confirms that Bangbang is used:
libDexHelper.so
The next step is to bypass Bangbang's anti-Frida detection.
- Anti-Frida
// Hook pthread_create and log the start routine of every new thread, so the
// thread that performs the anti-Frida check can be located.
function hook_pthread_create() {
    // Base address of the packer's native library, used to turn logged
    // addresses into module-relative offsets.
    console.log("libDexHelper.so --- " + Process.findModuleByName("libDexHelper.so").base)
    Interceptor.attach(Module.findExportByName(null, "pthread_create"), {
        onEnter(args) {
            // args[2] is start_routine: the function the new thread will run
            let func_addr = args[2]
            console.log("The thread function address is " + func_addr)
            // Optional native backtrace; print_c_stack is a helper not shown in this post.
            // print_c_stack(this.context);
        }
    })
}

hook_pthread_create()
Use the script above to find the offset of the thread function created via pthread_create.
frida -U -f com.sinovatech.unicom.ui -l anti_frida.js --no-pause
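The post logs the raw thread start address and then works out the module offset by hand. As an added example (not code from the original post), the script below does that step in the hook itself: a pure helper resolves an address to "module+offset" against a module table in the shape Frida's Process.enumerateModules() returns, and the Frida-only part, which is guarded so the file also loads outside Frida, applies the same resolution with Process.findModuleByAddress. The module table and addresses are constructed for illustration; the function names are my own.

```javascript
// Added example: resolve a thread start routine to "module+offset".
//
// Pure helper working on plain numbers/BigInts so it can be exercised outside
// Frida. `modules` mirrors Frida's Process.enumerateModules() entries:
// { name, base, size }.
function resolveAddress(addr, modules) {
  const a = BigInt(addr);
  for (const m of modules) {
    const base = BigInt(m.base);
    const size = BigInt(m.size);
    if (a >= base && a < base + size) {
      return { module: m.name, offset: a - base };
    }
  }
  return null; // address not inside any known module
}

function formatResolved(r) {
  if (r === null) return "<unknown module>";
  return `${r.module}+0x${r.offset.toString(16)}`;
}

// Constructed sample module table (addresses invented for illustration).
const SAMPLE_MODULES = [
  { name: "libc.so",         base: 0x7000000000n, size: 0x100000n },
  { name: "libDexHelper.so", base: 0x7100000000n, size: 0x200000n },
];

// Frida-only part: guarded so the file also loads under node.
if (typeof Interceptor !== "undefined") {
  Interceptor.attach(Module.findExportByName(null, "pthread_create"), {
    onEnter(args) {
      const start = args[2]; // start_routine of the new thread
      const mod = Process.findModuleByAddress(start);
      const desc = mod
        ? `${mod.name}+0x${start.sub(mod.base).toString(16)}`
        : "<unknown module>";
      console.log("pthread_create -> " + start + " (" + desc + ")");
    }
  });
}
```

Run it with the same frida command as above; each new thread is then logged directly as a module-relative offset, which is what you need when looking the function up in IDA.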
- Unpacking
frida -U -f com.sinovatech.unicom.ui -l dump_dex.js --no-pause
Unpacked successfully!!!
Just pull the dex files from the directory /data/data/com.sinovatech.unicom.ui/files/dump_dex_com.sinovatech.unicom.ui/ to your computer.
Decompilation
Drag the dex file into JEB and export it.
Encrypted parameters
- mobile
- password
Analysis shows that the encryption function is in RSACryptos.
Hooking its input parameters is all that is needed!!!