APK analysis 1

Configuring the packet capture tool

Turn off capturing of the host's own traffic.

Configuration:


Configuring the phone

Open the Wi-Fi settings, press the network entry, then Advanced options -> Manual proxy settings.

Test whether the setup works: open any application on the phone and check whether the capture tool reacts.

Open the apk to be captured (the Loving app, login screen).

Locating the target encryption algorithm

Decompile with AndroidKiller.

Use the JEB tool to view it (the environment must be configured before use); open the target apk in JEB.

Following the analysis above, use Ctrl+F to search for the string.

Skim the decompiled Java code

One can guess that a string-encryption function exists; following it leads to the encryptString() call, and from there to the .so file. Browsing the entire code, System.loadLibrary("jni") shows that the name of the .so file being called is "jni" (lib + jni + .so, i.e. libjni.so).

Analysis with IDA

Look at the exports; the exported encryptString() function is analysed below according to the JNI interface naming rules.

View the IDA-decompiled code, with the jni.h header file imported.

Locate the exported JNI function and, after importing the header, correct the parameter types of the exported function; typically the first two parameters are fixed.
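The mapping between the Java declaration seen in JEB and the export symbol seen in IDA follows the standard JNI rules: `Java_` + class name with `.` replaced by `_` + `_` + method name, with `_` escaped as `_1`, `;` as `_2`, `[` as `_3` and non-ASCII characters as `_0xxxx`; an overloaded native method gets `__` plus the mangled argument signature; `System.loadLibrary("jni")` resolves to `libjni.so`; and every export takes `JNIEnv*` followed by `jobject` (instance method) or `jclass` (static method) before the declared parameters. The helper below is an added example, not code from the original post, and the class and method names in it are constructed for illustration. It goes slightly beyond the post by also handling the overloaded form and by reversing the mangling, which is what an analyst needs when walking from an export table back to the Java declaration.

```python
"""Map between Java native declarations and JNI export symbols (added example).

Implements the JNI name-mangling rules, the lib<name>.so rule used by
System.loadLibrary(), and the fixed leading JNI parameters. The class and
method names used in the demo are constructed, not taken from any real app.
"""
from typing import List, Optional, Tuple

_ESCAPES = {'_': '_1', ';': '_2', '[': '_3'}
_UNESCAPES = {v[1]: k for k, v in _ESCAPES.items()}


def _mangle(name: str) -> str:
    """Apply JNI escaping to a class name, method name or argument signature."""
    out = []
    for ch in name:
        if ch in './':
            out.append('_')                 # package separator becomes '_'
        elif ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append('_0%04x' % ord(ch))  # Unicode escape
    return ''.join(out)


def native_lib_filename(load_name: str) -> str:
    """System.loadLibrary("jni") resolves to libjni.so on Android."""
    return 'lib%s.so' % load_name


def jni_export_name(class_name: str, method: str, arg_sig: Optional[str] = None) -> str:
    """Short JNI name, or the long (overloaded) form if an argument signature is given."""
    name = 'Java_' + _mangle(class_name) + '_' + _mangle(method)
    if arg_sig is not None:
        name += '__' + _mangle(arg_sig)
    return name


def jni_prototype(class_name: str, method: str, is_static: bool,
                  ret: str = 'jstring', args: Tuple[str, ...] = ('jstring',)) -> str:
    """C prototype to apply in IDA: the first two params are always JNIEnv* and this/class."""
    fixed = ['JNIEnv *env', 'jclass clazz' if is_static else 'jobject thiz']
    params = fixed + ['%s a%d' % (t, i) for i, t in enumerate(args)]
    return '%s %s(%s)' % (ret, jni_export_name(class_name, method), ', '.join(params))


def _tokens(mangled: str):
    """Yield ('sep', None) / ('char', c): a '_' followed by a digit is an escape, else a separator."""
    i = 0
    while i < len(mangled):
        ch = mangled[i]
        if ch == '_' and i + 1 < len(mangled) and mangled[i + 1] in '0123':
            if mangled[i + 1] == '0':
                yield ('char', chr(int(mangled[i + 2:i + 6], 16)))
                i += 6
            else:
                yield ('char', _UNESCAPES[mangled[i + 1]])
                i += 2
        elif ch == '_':
            yield ('sep', None)
            i += 1
        else:
            yield ('char', ch)
            i += 1


def demangle_jni_export(symbol: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Recover (class_name, method, arg_sig or None) from an exported symbol.

    Two consecutive separators can only be the '__' overload marker, because Java
    identifiers have no empty components and escape sequences start with a digit.
    """
    if not symbol.startswith('Java_'):
        return None
    toks = list(_tokens(symbol[len('Java_'):]))
    arg_sig = None
    for i in range(len(toks) - 1):
        if toks[i][0] == 'sep' and toks[i + 1][0] == 'sep':
            arg_sig = ''.join('/' if k == 'sep' else v for k, v in toks[i + 2:])
            toks = toks[:i]
            break
    parts: List[str] = []
    cur: List[str] = []
    for kind, val in toks:
        if kind == 'sep':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(val)
    parts.append(''.join(cur))
    if len(parts) < 2 or '' in parts:
        return None
    return '.'.join(parts[:-1]), parts[-1], arg_sig


if __name__ == '__main__':
    # Constructed sample declaration, as the decompiled Java would show it.
    print(native_lib_filename('jni'))
    print(jni_export_name('com.example.crypto.Native', 'encryptString'))
    print(jni_prototype('com.example.crypto.Native', 'encryptString', is_static=True))
    print(demangle_jni_export('Java_com_example_crypto_Native_encryptString__Ljava_lang_String_2'))
```

The prototype string is the one to paste into IDA's "set type" dialog once jni.h has been imported, which is exactly the parameter fix-up the paragraph above describes; the demangler is useful when the export table is long and you want to list every native method with its owning class before deciding which one to follow.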

Browse the entire function code.

There is an implicit type conversion; it is presumed to be an initialization, so follow it. According to the code analysis, this function performs the initialization on its first call and on subsequent calls directly returns the key. Next analyze the initAddr() function: jniStr is a string. Analysis of the initInflect() function, after resetting the corresponding parameter types, shows that it calls the Java-layer function com.Reflect.func. Use JEB to locate and view it.

Converting the string to hexadecimal, the input string to initInflect() is "/ key-i im lianai" + alien.

Injecting smali code to log the output

Based on the above analysis, go back to the Java layer and locate the function that returns the initial encrypted string, then view the references to the native function; smali injection is done only at that point. For the insertion position, use AndroidKiller's log-insertion feature: copy the relevant smali files of the log package into the same folder, insert the code, compile, run and view the output.

Use DDMS to view the output. (Note: in a static method the parameters start at p0; in an instance (dynamic) method they start at p1.) Note: when using AndroidKiller, save before decompiling.

At this point it is confirmed that the analyzed code is the apk's account/password encryption function.


Source: www.cnblogs.com/heixiang/p/10992021.html