Reverse analysis of China Unicom Business Hall APP

APP version: 10.4

Tools

  • IDA
  • Frida
  • JEB

Packet capture analysis

The app's traffic can be captured directly; it applies no protection against packet capture.

Packer check and unpacking

Checking with a packer-detection tool shows that the app is protected with a customized version of the Bangbang packer.

  • Frida Hook
frida -U -f com.sinovatech.unicom.ui -l 1.js --no-pause

After the command runs, the app exits by itself. The console output names the .so library involved, which further confirms that the Bangbang packer is in use:

libDexHelper.so

The next step is to bypass Bangbang's anti-Frida detection.

  • Anti-Frida
function hook_pthread_create() {
    // Print the load base of the packer library: thread function address minus this base is the offset to look up in IDA
    let dexHelper = Process.findModuleByName("libDexHelper.so")
    console.log("libDexHelper.so --- " + (dexHelper !== null ? dexHelper.base : "not loaded yet"))
    Interceptor.attach(Module.findExportByName(null, "pthread_create"), {
        onEnter(args) {
            // args[2] is the start routine of the new thread; the packer's detection logic runs in such a thread
            let func_addr = args[2]
            let mod = Process.findModuleByAddress(func_addr)
            if (mod !== null) {
                console.log("The thread function address is " + func_addr + " (" + mod.name + " + " + func_addr.sub(mod.base) + ")")
            } else {
                console.log("The thread function address is " + func_addr)
            }
            // print_c_stack(this.context);  // optional native backtrace; helper not shown in the post
        }
    })
}

hook_pthread_create()

Run this script and read off the thread function addresses it prints; subtracting the libDexHelper.so base from such an address gives the offset of the thread function inside the library, which can then be located in IDA.

frida -U -f com.sinovatech.unicom.ui -l anti_frida.js --no-pause
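Once the offset of the detection thread's start routine inside libDexHelper.so is known, one common way to bypass it is to hook pthread_create again and swap that start routine for a no-op, so the detection thread exits immediately. The following Frida script is an added example and is not the post's own anti_frida.js; ANTI_FRIDA_THREAD_OFFSET is a hypothetical placeholder that must be replaced with the offset obtained from the hook above. The offset helpers are plain JavaScript so they also run outside Frida; the hook itself only installs inside the Frida runtime.

```javascript
// Added example (not from the original post): neutralise the Bangbang anti-Frida thread
// once its offset inside libDexHelper.so is known.
const PACKER_LIB = "libDexHelper.so";
const ANTI_FRIDA_THREAD_OFFSET = 0x12345;   // hypothetical placeholder, taken from the pthread_create hook output

// Offset of an address inside a module; both are "0x..." hex strings (NativePointer.toString() in Frida).
function offsetOf(baseHex, addrHex) {
    return BigInt(addrHex) - BigInt(baseHex);
}

// True when the thread start routine lies inside the packer library at the known anti-Frida offset.
function isAntiFridaThread(baseHex, moduleSize, funcHex, targetOffset) {
    const off = offsetOf(baseHex, funcHex);
    return off >= 0n && off < BigInt(moduleSize) && off === BigInt(targetOffset);
}

// Frida-only part: hook pthread_create and replace the detection thread's start routine.
function installBypass() {
    // Replacement start routine: returns NULL at once, so the detection thread does nothing.
    const noopThread = new NativeCallback(function (arg) { return ptr(0); }, "pointer", ["pointer"]);
    Interceptor.attach(Module.findExportByName(null, "pthread_create"), {
        onEnter(args) {
            const lib = Process.findModuleByName(PACKER_LIB);
            if (lib === null) return;   // packer library not mapped yet, nothing to match against
            const func = args[2];
            if (isAntiFridaThread(lib.base.toString(), lib.size, func.toString(), ANTI_FRIDA_THREAD_OFFSET)) {
                console.log("anti-Frida thread at " + func + " replaced with no-op");
                args[2] = noopThread;
            }
        }
    });
}

// Only install the hook inside Frida; the helpers above stay usable elsewhere.
if (typeof Interceptor !== "undefined") {
    installBypass();
}
```

Load it the same way as the other scripts (frida -U -f com.sinovatech.unicom.ui -l bypass.js --no-pause). If the packer starts more than one detection thread, print every thread function with the hook above first and add each offset you identify.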

  • Unpacking
frida -U -f com.sinovatech.unicom.ui -l dump_dex.js --no-pause


Unpacked successfully!
Pull the dex files from the /data/data/com.sinovatech.unicom.ui/files/dump_dex_com.sinovatech.unicom.ui/ directory on the device to your computer.


Decompile

Drag the dumped dex file into JEB and decompile it.
Encryption parameters

  • mobile
  • password

Analysis shows that these parameters are encrypted in the RSACryptos class.

Hooking its input parameters is enough to see the values before they are encrypted.

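The post names the class (RSACryptos) but not its package or method names, so the Frida script below, an added example rather than the post's own hook, finds the class by its simple name among the loaded classes and hooks every declared method, logging arguments and return values. The name filter and argument formatter are plain JavaScript; only the hooking part needs the Frida runtime.

```javascript
// Added example (not from the original post): hook every method of a class found by simple name.
// Assumption: the package of RSACryptos is unknown, so it is matched by the tail of the class name.
const TARGET_SIMPLE_NAME = "RSACryptos";

// Keep only the fully qualified names whose simple (unqualified) name matches exactly;
// inner classes such as a.b.RSACryptos$1 are excluded.
function matchClassNames(loadedClasses, simpleName) {
    return loadedClasses.filter(function (name) {
        const idx = name.lastIndexOf(".");
        const simple = idx === -1 ? name : name.slice(idx + 1);
        return simple === simpleName;
    });
}

// Render hook arguments for the log; Java strings print their content, nulls stay visible.
function formatArgs(args) {
    return args.map(function (a) { return a === null ? "null" : String(a); }).join(", ");
}

// Frida-only part: hook all overloads of all declared methods of each matching class.
function hookRsaCryptos() {
    Java.perform(function () {
        const names = matchClassNames(Java.enumerateLoadedClassesSync(), TARGET_SIMPLE_NAME);
        names.forEach(function (className) {
            const cls = Java.use(className);
            const methods = cls.class.getDeclaredMethods();
            for (let i = 0; i < methods.length; i++) {
                const methodName = methods[i].getName();
                const dispatcher = cls[methodName];
                if (!dispatcher || !dispatcher.overloads) continue;   // skip names Frida cannot expose
                dispatcher.overloads.forEach(function (ov) {
                    ov.implementation = function () {
                        const args = Array.prototype.slice.call(arguments);
                        const ret = this[methodName].apply(this, arguments);   // call the original
                        console.log(className + "." + methodName + "(" + formatArgs(args) + ") -> " + ret);
                        return ret;
                    };
                });
            }
        });
    });
}

if (typeof Java !== "undefined") {
    hookRsaCryptos();
}
```

Because the class is looked up among already loaded classes, attach once the login screen is showing (frida -U com.sinovatech.unicom.ui -l hook.js) or re-run the lookup later; byte-array arguments print as wrapper objects and need explicit decoding if the method takes bytes rather than strings.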

Source: blog.csdn.net/super19911115/article/details/131387041