APP逆向案例---xxapp

步驟一

抓個包

其中m_d,m_e爲加密參數

步驟二(查殼後發現是360加固,我們先用FRIDA-DEXDump脫殼;下面的腳本會從自身所在目錄讀取agent.js,兩個文件要放在一起)

# Author: hluwa <[email protected]>
# HomePage: https://github.com/hluwa
# CreatedTime: 2020/1/7 20:57
import hashlib
import os
import random
import sys

try:
    from shutil import get_terminal_size as get_terminal_size
except:
    try:
        from backports.shutil_get_terminal_size import get_terminal_size as get_terminal_size
    except:
        pass

import click
import frida
import logging
import traceback

# Root logger: INFO and above, each record stamped with month-day/time.
logging.basicConfig(
    level=logging.INFO,
    format="%(asctime)s %(levelname)s %(message)s",
    datefmt='%m-%d/%H:%M:%S',
)

# ASCII-art banner printed by show_banner(). The literal starts with a newline,
# so splitlines()[0] is empty and splitlines()[1] (the first row of dashes) is
# the line show_banner() measures against the terminal width.
# NOTE(review): this is a non-raw string containing backslashes that are not
# valid escape sequences; newer Python versions warn about these at compile time.
banner = """
----------------------------------------------------------------------------------------
  ____________ ___________  ___        ______ _______   _______                         
  |  ___| ___ \_   _|  _  \/ _ \       |  _  \  ___\ \ / /  _  \                        
  | |_  | |_/ / | | | | | / /_\ \______| | | | |__  \ V /| | | |_   _ _ __ ___  _ __    
  |  _| |    /  | | | | | |  _  |______| | | |  __| /   \| | | | | | | '_ ` _ \| '_ \   
  | |   | |\ \ _| |_| |/ /| | | |      | |/ /| |___/ /^\ \ |/ /| |_| | | | | | | |_) |  
  \_|   \_| \_|\___/|___/ \_| |_/      |___/ \____/\/   \/___/  \__,_|_| |_| |_| .__/   
                                                                               | |      
                                                                               |_|      
                      https://github.com/hluwa/FRIDA-DEXDump                            
----------------------------------------------------------------------------------------
"""

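def md5(bs):
    """Return the hexadecimal MD5 digest of the byte string *bs*.

    dump() uses the digest only as a fingerprint for skipping byte-identical
    dumps; it is not an integrity or authenticity check.
    """
    return hashlib.md5(bs).hexdigest()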


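def show_banner():
    """Print the banner, one random colour per line, if the terminal is wide enough.

    Purely cosmetic: any ordinary failure (for example ``get_terminal_size``
    being undefined because both imports at the top of the file failed) is
    ignored so the banner can never block a run.
    """
    colours = ['bright_red', 'bright_green', 'bright_blue', 'cyan', 'magenta']
    try:
        lines = banner.splitlines()
        # lines[0] is empty (the literal starts with a newline); lines[1] is
        # the first full-width row and serves as the banner's width.
        if get_terminal_size().columns < len(lines[1]):
            return
        for line in lines:
            click.secho(line, fg=random.choice(colours))
    except Exception:
        # Narrower than a bare ``except:`` so Ctrl-C and SystemExit still
        # propagate.
        pass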


def get_all_process(device, pkgname):
    """Return every process on *device* whose name contains *pkgname*.

    The match is a substring test, not an equality test, so a process whose
    name merely contains *pkgname* is returned as well. The main block passes
    the whole result to stop_other(), which signals each entry.
    """
    matched = []
    for candidate in device.enumerate_processes():
        if pkgname in candidate.name:
            matched.append(candidate)
    return matched


def search(api):
    """Scan for dex images and print each hit.

    Calls ``api.scandex()``, prints the ``addr`` and the hex ``size`` of every
    entry in green, and returns the scan result unchanged.
    """
    found = api.scandex()
    for entry in found:
        message = "[DEXDump] Found: DexAddr={}, DexSize={}".format(
            entry['addr'], hex(entry['size']))
        click.secho(message, fg='green')
    return found


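def dump(pkg_name, api, mds=None):
    """Write every dex image reported by ``api.scandex()`` to ``./<pkg_name>/``.

    Args:
        pkg_name: Name of the output directory, created under the current
            working directory before the first file is written.
        api: Script exports object providing ``scandex()`` and
            ``memorydump(addr, size)``.
        mds: List of MD5 hex digests already written. It is extended in place,
            so a caller can share one list across several calls to skip
            byte-identical dumps.

    A failure on one image is reported and does not stop the remaining ones.
    """
    if mds is None:
        mds = []
    out_dir = os.path.join(".", pkg_name)
    matches = api.scandex()
    for info in matches:
        try:
            addr = info['addr']
            # pkg_name and addr come from the device / injected agent and are
            # used to build a filesystem path, so accept only a plain single
            # path component (no separators, no "." or "..").
            for part in (pkg_name, addr):
                if part in ("", ".", "..") or os.path.basename(part) != part:
                    raise ValueError("unsafe path component: {!r}".format(part))
            bs = api.memorydump(addr, info['size'])
            md = md5(bs)
            if md in mds:
                click.secho("[DEXDump]: Skip duplicate dex {}<{}>".format(addr, md), fg="blue")
                continue
            mds.append(md)
            if not os.path.isdir(out_dir):
                os.mkdir(out_dir)
            # When the first four bytes are not the dex magic, overwrite the
            # first eight bytes with the "dex\n035\0" magic/version so the file
            # is recognised as dex (presumably the header was wiped in memory).
            if bs[:4] != b"dex\n":
                bs = b"dex\n035\x00" + bs[8:]
            with open(os.path.join(out_dir, addr + ".dex"), 'wb') as out:
                out.write(bs)
            click.secho("[DEXDump]: DexSize={}, DexMd5={}, SavePath={}/{}/{}.dex"
                        .format(hex(info['size']), md, os.getcwd(), pkg_name, addr), fg='green')
        except Exception as e:
            click.secho("[Except] - {}: {}".format(e, info), bg='yellow')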


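def stop_other(pid, processes):
    """Send signal 18 to the process *pid* and signal 19 to every other entry.

    Each signal is delivered with ``adb shell su -c 'kill -<n> <pid>'``. On
    Linux/Android these numbers are normally SIGCONT (18) and SIGSTOP (19) --
    confirm for the target ABI. Failures are ignored; the first failure ends
    the loop, so later processes are then left untouched.

    Args:
        pid: Pid of the process that should keep running.
        processes: Iterable of objects with a ``pid`` attribute.
    """
    import subprocess  # local import: the file's import block stays untouched

    try:
        for process in processes:
            signal_number = 18 if process.pid == pid else 19
            # int() guarantees that only digits are interpolated into the
            # string the device-side shell will parse.
            remote_cmd = "su -c 'kill -{} {}'".format(signal_number, int(process.pid))
            # Argument list instead of os.system(): no local shell is involved
            # in building or parsing the command line.
            subprocess.call(["adb", "shell", remote_cmd])
    except Exception:
        pass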


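def choose(pid=None, pkg=None, spawn=False, device=None):
    """Resolve the target process and return it as ``(pid, name)``.

    With neither *pid* nor *pkg*, the frontmost application of *device* is
    used and ``(pid, identifier)`` is returned. Otherwise the process list is
    searched for an equal pid or an equal name. With *spawn* set, the package
    (the matched process name, or *pkg* itself if nothing matched) is spawned
    and resumed, and the new pid is returned.

    Raises:
        Exception: no process matched and nothing was spawned.
    """
    if pid is None and pkg is None:
        target = device.get_frontmost_application()
        return target.pid, target.identifier

    for process in device.enumerate_processes():
        if (pid and process.pid == pid) or (pkg and process.name == pkg):
            if not spawn:
                return process.pid, process.name
            pkg = process.name
            break

    if pkg and spawn and device:
        pid = device.spawn(pkg)
        device.resume(pid)
        return pid, pkg
    # Name whichever selector the caller supplied; formatting only pid
    # produced "<None>" when the lookup was made by package name.
    raise Exception("Cannot found <{}> process".format(pid if pid is not None else pkg))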


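if __name__ == "__main__":
    show_banner()

    # Prefer a USB-attached device; fall back to the remote device if that fails.
    try:
        device = frida.get_usb_device()
    except Exception:
        device = frida.get_remote_device()

    if not device:
        click.secho("[Except] - Unable to connect to device.", bg='red')
        sys.exit()

    pid = -1
    pname = ""
    try:
        # No pid/pkg given: choose() targets the frontmost application.
        pid, pname = choose(device=device)
    except Exception as e:
        click.secho("[Except] - Unable to inject into process: {} in \n{}".format(e, traceback.format_tb(
            sys.exc_info()[2])[-1]), bg='red')
        sys.exit()
    print(pname)
    processes = get_all_process(device, pname)

    # Read the agent once, before any process is signalled, and close the file
    # deterministically. It is expected next to this script.
    path = os.path.dirname(sys.argv[0])
    path = path if path else "."
    with open(path + "/agent.js") as agent_file:
        agent_source = agent_file.read()

    # NOTE(review): stop_other() sends signal 19 to the other matching
    # processes and nothing below sends them signal 18 once the loop ends --
    # confirm whether they should be continued before exiting.
    mds = []  # digests shared across processes so identical dex files are written once
    for process in processes:
        logging.info("[DEXDump]: found target [{}] {}".format(process.pid, process.name))
        stop_other(process.pid, processes)
        session = device.attach(process.pid)
        try:
            script = session.create_script(agent_source)
            script.load()
            try:
                dump(pname, script.exports, mds=mds)
            finally:
                script.unload()
        finally:
            # Always detach, even if loading or dumping failed.
            session.detach()
    sys.exit()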

步驟三(脫殼出來的dex文件太多了,我們用jadx逐個反編譯,把結果合併到同一個輸出目錄)

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2020/11/11 14:04 
# @Author : ywy
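import os
import shutil
import subprocess
import sys

path = r'C:\Users\xxx\Desktop\appHOOK\com.zuiai.hh'  # folder holding the dumped dex files
files = os.listdir(path)  # every file name in that folder
out_path = r'C:\Users\xxx\Desktop\appHOOK\22222'  # jadx output folder

# Resolve the launcher once; on Windows shutil.which() also honours PATHEXT,
# so a jadx.bat wrapper is found.
jadx = shutil.which('jadx')
if jadx is None:
    sys.exit('jadx not found on PATH')

for file in files:
    # Only real *.dex files: the previous find("dex") > 0 test also matched
    # any name that merely contained "dex" somewhere after its first character.
    if not file.lower().endswith('.dex'):
        continue
    # -j 1: one worker thread, -r: skip resources, -d: output directory.
    # Passing an argument list keeps directory and file names (spaces, shell
    # metacharacters) from being re-parsed by a shell.
    cmd = [jadx, '-j', '1', '-r', '-d', out_path, os.path.join(path, file)]
    print(' '.join(cmd))
    subprocess.run(cmd)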

步驟四(找hook方法)

怎麼找這個參數(m_d、m_e)呢?在反編譯結果裏全局搜索關鍵字,瞬間就能定位到這裏。

步驟五(開始hook)

1.py

# -*- coding: utf-8 -*-
import logging
import frida
import sys
# To see the package name of the app currently on screen, run:
#   adb shell dumpsys window w |findstr \/ |findstr name=


# Show DEBUG-level log records as well.
logging.basicConfig(
    level=logging.DEBUG,
)


def on_message(message, data):
    """Print a message received from the injected script.

    ``send`` messages are printed as ``[*] <payload>``; any other message is
    printed unchanged. *data* is ignored. Further down, this file registers
    show() as the message handler, not this function.
    """
    if message['type'] != 'send':
        print(message)
        return
    print("[*] {0}".format(message['payload']))


# Read the hook source that will be injected into the app.
with open('hook.js', 'r', encoding='utf-8') as hook_file:
    sta = hook_file.read()

# Connect through frida's remote-device entry (not the USB one).
rdev = frida.get_remote_device()

session = rdev.attach("com.zuiai.hh")  # app package name
print(session)
script = session.create_script(sta)
print(script)


def show(message, data):
    """Print every message coming from the script, unformatted."""
    print(message)


script.on("message", show)

# Load the script, then wait on stdin so this process keeps running until
# stdin is closed.
script.load()
sys.stdin.read()

hook.js

Java.perform(function () {

    // Replace the (String, String) overload of clazz.<method> with a wrapper
    // that prints both arguments, calls the original implementation, prints
    // the result after `label`, and returns that result unchanged.
    // Everything printed is what the app passes to and receives from these
    // helpers, so treat the console output as sensitive.
    function traceTwoStringCall(clazz, method, label) {
        clazz[method].overload('java.lang.String', 'java.lang.String').implementation = function (first, second) {
            console.log(first)
            console.log(second)
            var result = this[method](first, second)
            console.log(label, result)
            return result
        }
    }

    // RSA helper: encrypt and decrypt.
    var rsaUtils = Java.use("com.yuyh.library.nets.encryption.RSAUtils");
    traceTwoStringCall(rsaUtils, "encryptedDataOnJava", "RSA-加出參--")
    traceTwoStringCall(rsaUtils, "decryptDataOnJava", "RSA-解出參--")

    // AES helper: encrypt and decrypt.
    var aesUtil = Java.use("com.yuyh.library.nets.encryption.AesEncryptUtil");
    traceTwoStringCall(aesUtil, "encrypt", "AES-加出參--")
    traceTwoStringCall(aesUtil, "decrypt", "AES-解出參--")

});

可以運行上面的python代碼(1.py),也可以直接在控制檯運行:frida -U com.zuiai.hh -l C:\Users\xxx\Desktop\appHOOK\hook.js(注意:1.py用的是get_remote_device(),而命令行的-U走的是USB設備,兩者的連接方式不同)

步驟六(運行看看效果)

步驟七(整理人家請求邏輯,python模擬)

這一步就沒必要寫了,很簡單了,主要是給大家瞧瞧hook
