Configure the packet capture tool
Turn off capture of the host's own communications
Configuration:
Configure the phone side
Open the Wi-Fi settings, press the network, then go to Advanced Options -> Manual proxy settings
Test whether the setup works: open any application on the phone and check whether the capture tool reacts
Open the target APK and capture its traffic (Loving, login)
Find the target's encryption algorithm
Decompile with AndroidKiller
View it with the JEB tool (you must configure the environment before using it); open the target APK in JEB
Based on the analysis above, use Ctrl+F to search for strings
Skim the decompiled Java code
From its name you can guess which function encrypts the string. Following it up shows that encryptString() calls into a .so file. Browsing the whole code, System.loadLibrary("jni") determines the name of the .so file that is called: "jni" (in the form lib + jni + .so).
Analyze with IDA
Once the analysis finishes, look at the Exports view; the entry for encryptString() shows the naming rule for interface functions
View the IDA decompiled code and import the jni.h header file
After importing it, locate the exported JNI interface function and correct the types of its parameters; the first two parameters are typically fixed
Browse the whole function's code
Hide the type casts. One call appears to be initialization; follow it to check. According to the code analysis, this function initializes on the first call and directly returns the key when called again. Then analyze the initAddr() function further; jniStr is a string. Analyze the initInflect() function and reset the types of the corresponding parameters: it obtains and calls the Java-layer function com.Reflect.func. Use JEB to locate and view it.
Convert the string to hexadecimal; the input string of initInflect() is "/ key-i im lianai" + alien.
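The library name and export naming rule used in the steps above, as an added example that is not code from the original page: it applies the JNI name-mangling rules to predict the export for a native method and to map the entries of an export list back to Java classes. The class names under com.example and the export list are constructed for illustration; only encryptString() and "jni" come from the page.

```python
import re

def jni_mangle(name: str) -> str:
    """Escape a class or method name following the JNI spec's rules."""
    out = []
    for ch in name:
        if ch in "./":
            out.append("_")                      # package separator
        elif ch in "_;[":
            out.append({"_": "_1", ";": "_2", "[": "_3"}[ch])
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:                                    # anything else: _0xxxx per UTF-16 unit
            raw = ch.encode("utf-16-be")
            out += ["_0%02x%02x" % (raw[i], raw[i + 1]) for i in range(0, len(raw), 2)]
    return "".join(out)

def library_file(name: str) -> str:
    """File loaded by System.loadLibrary(name) on Android."""
    return "lib" + name + ".so"

def jni_symbol(cls: str, method: str) -> str:
    """Export name the runtime looks up for a native method (short form)."""
    return "Java_" + jni_mangle(cls) + "_" + jni_mangle(method)

_ESC = re.compile(r"_0([0-9a-f]{4})|_([123])|_")

def jni_demangle(symbol: str):
    """Map a Java_* export back to (class, method); None for other exports."""
    if not symbol.startswith("Java_"):
        return None
    short = symbol[5:].split("__", 1)[0]         # drop overload signature suffix
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return {"1": "_", "2": ";", "3": "["}[m.group(2)] if m.group(2) else "."
    cls, _, method = _ESC.sub(repl, short).rpartition(".")
    return cls, method

# Constructed export list, standing in for what IDA's Exports view shows.
EXPORTS = ["JNI_OnLoad",
           "Java_com_example_app_Crypto_encryptString",
           "Java_com_example_Net_1Util_sign__Ljava_lang_String_2"]

if __name__ == "__main__":
    print(library_file("jni"))
    for sym in EXPORTS:
        print(sym, "->", jni_demangle(sym))
```

Native methods bound at runtime with RegisterNatives do not follow this naming rule, so the absence of a Java_* export does not mean the method is missing from the library.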
Inject smali code to log the output
Following the analysis above, return to the Java layer where the encrypted string was first located and view the references to the native function. Only one reference is found, so the smali is injected there. At the insertion position, use AndroidKiller to insert the log code; copy the smali files of the log package into the same folder, insert the code, then compile, run and view the output.
Use DDMS to view the output. (Note: the parameters of a static function start from p0; the parameters of a non-static function start from p1.) Note: when using AndroidKiller, save first and then decompile.
At this point it is confirmed that the analyzed code is the APK's account password encryption function